Splunk® Supported Add-ons

Splunk Add-on for Cisco ESA


Configure monitor inputs for the Splunk Add-on for Cisco ESA

To configure the Splunk platform to monitor the Cisco ESA log files, you can either use Splunk Web to create the monitor inputs or configure inputs.conf directly.

Configure Monitoring through Splunk Web

Configure a file monitoring input on your data collection node for the Cisco ESA log files.

  1. Log into Splunk Web.
  2. Select Settings > Data inputs > Files & directories.
  3. Click New.
  4. Click Browse next to the File or Directory field.
  5. Navigate to the log file generated by the Cisco ESA server and click Next.
  6. For Source type, click Select and enter the source type that matches your Cisco ESA log type:
    • "cisco:esa:authentication"
    • "cisco:esa:textmail"
    • "cisco:esa:http"
    • "cisco:esa:amp"
  7. Click Review.
  8. After you review the information, click Submit.

Configure inputs.conf

You can create an inputs.conf file and configure the monitor input in this file instead of using Splunk Web.

  1. Using a text editor, create a file named inputs.conf in the local folder of the add-on:
    • $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-esa/local on Unix based systems.
    • %SPLUNK_HOME%\etc\apps\Splunk_TA_cisco-esa\local on Windows systems.
  2. Add one of the following stanzas, depending on the type of logs you are collecting. Replace <Cisco_Ironport_LOG_PATH> with the directory where the Cisco ESA log files are stored.

    For text mail logs:

    [monitor://<Cisco_Ironport_LOG_PATH>\mail.@20130712T172736.s]
    sourcetype = cisco:esa:textmail

    For HTTP logs:

    [monitor://<Cisco_Ironport_LOG_PATH>\gui.@20130302T122618.s]
    sourcetype = cisco:esa:http

    For authentication logs:

    [monitor://<Cisco_Ironport_LOG_PATH>\authentication.@20130302T122552.s]
    sourcetype = cisco:esa:authentication

    For AMP logs:

    [monitor://<Cisco_Ironport_LOG_PATH>\amp.@20180103T132842.s]
    sourcetype = cisco:esa:amp

  3. Save the file.
  4. Restart the Splunk platform for the new input to take effect.
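A mistake that is easy to make in step 2 is to leave the <Cisco_Ironport_LOG_PATH> placeholder in the stanza header, or to mistype the sourcetype so that the add-on's field extractions never apply. The following script is an added example, not part of the add-on or of Splunk's documentation: it parses an inputs.conf file with Python's configparser and reports every monitor stanza whose path still contains a placeholder, whose sourcetype is missing, or whose sourcetype is not one of the four Cisco ESA source types listed above. The sample inputs.conf embedded in it is constructed for the demonstration; the log paths in it are invented.

```python
"""Check Cisco ESA monitor stanzas in a Splunk inputs.conf (added example)."""
import configparser
import sys

# The four source types this add-on documents for Cisco ESA logs.
SUPPORTED_SOURCETYPES = {
    "cisco:esa:textmail",
    "cisco:esa:http",
    "cisco:esa:authentication",
    "cisco:esa:amp",
}

# Constructed sample file: two correct stanzas, one with the placeholder
# left in the path, one with a stray quote in the sourcetype, and one
# with no sourcetype at all. The paths are invented.
SAMPLE_INPUTS_CONF = """\
[monitor:///var/log/ironport/mail.@20130712T172736.s]
sourcetype = cisco:esa:textmail

[monitor:///var/log/ironport/gui.@20130302T122618.s]
sourcetype = cisco:esa:http

[monitor://<Cisco_Ironport_LOG_PATH>\\authentication.@20130302T122552.s]
sourcetype = cisco:esa:authentication

[monitor:///var/log/ironport/amp.@20180103T132842.s]
sourcetype = cisco:esa:amp"

[monitor:///var/log/ironport/other.log]
index = main
"""


def validate_inputs_conf(text):
    """Return a list of (stanza, problem) tuples; an empty list means clean.

    Only [monitor://...] stanzas are inspected; other stanza types are ignored.
    """
    # interpolation=None so a literal '%' in a path is not treated specially.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    problems = []
    for stanza in parser.sections():
        if not stanza.startswith("monitor://"):
            continue
        path = stanza[len("monitor://"):]
        # Angle brackets in the path mean the documentation placeholder
        # was copied verbatim instead of being replaced with a real directory.
        if "<" in path or ">" in path:
            problems.append((stanza, "placeholder path not replaced"))
        sourcetype = parser.get(stanza, "sourcetype", fallback=None)
        if sourcetype is None:
            problems.append((stanza, "no sourcetype set; the add-on's "
                                     "extractions will not apply"))
        elif sourcetype not in SUPPORTED_SOURCETYPES:
            problems.append((stanza, f"unsupported sourcetype {sourcetype!r}"))
    return problems


def main(argv):
    """Validate the file named on the command line, or the built-in sample."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE_INPUTS_CONF
    findings = validate_inputs_conf(text)
    for stanza, problem in findings:
        print(f"{stanza}: {problem}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_esa_inputs.py $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-esa/local/inputs.conf` after step 3 and before restarting; a non-zero exit status means at least one stanza needs attention. The check is deliberately limited to what the page specifies (the stanza header and the sourcetype), so it does not verify that the monitored path actually exists on the data collection node.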
Last modified on 25 July, 2023