
SANS ISC: Splunk: Any way to fetch logs via ssh - SANS Internet Storm Center SANS ISC InfoSec Forums


Splunk: Any way to fetch logs via ssh
Hello Experts,

I have a Splunk server and ssh access to a server with read-only access to logs. I can ssh from the machine on which I have the Splunk server.

Is there a way with which I can fetch the logs and index them (and do further processing)? It will be a hurdle to install the Splunk (https://goo.gl/MKkBU5) forwarder on the machine which has the logs (it's in production and hence under tight control).

Help me on this!


Thanks
Anonymous

I would say that everything is possible with Splunk but it can be more complex than expected.
If you can't install a Splunk Forwarder, what are the type(s) of logs to collect? Binary? Text? Can you maybe export them via Syslog?
Xme

418 Posts
ISC Handler
It sounds like we are under similar restrictions for working with production servers. No chance of my getting the forwarder approved to run there in my environment either.

I do this with sftp via a .bat file (Windows). Splunk monitors a local directory. I have the sftp set to pull the (entire) file from the remote server every 10 minutes and place it in that directory. So there is a delay, but it is acceptable for my purposes.
Jack G.

7 Posts
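
The pull-based approach Jack describes, as an added example rather than code from this thread: a POSIX shell script run from the Splunk host by cron that fetches one log file over sftp with a read-only account and drops it into a directory a monitor input watches. The host, account, key, paths and sourcetype are assumptions.

```shell
#!/bin/sh
# Pull one remote log over sftp into a Splunk-monitored directory (added example).
# Every value below is an assumption, not something from the thread.
set -eu

REMOTE_HOST="${REMOTE_HOST:-prodbox.example}"        # assumed production host
REMOTE_USER="${REMOTE_USER:-logreader}"              # assumed account with read-only log access
REMOTE_PATH="${REMOTE_PATH:-/var/log/app/app.log}"   # assumed remote log path
KEY="${KEY:-/opt/splunk/.ssh/logreader_ed25519}"     # assumed key used only for this pull
WATCH_DIR="${WATCH_DIR:-/opt/splunk/pull/prodbox}"   # what the inputs.conf monitor stanza points at
LOCK_DIR="${LOCK_DIR:-$WATCH_DIR/.lock}"

# inputs.conf on the Splunk server (assumed sourcetype), ignoring in-progress downloads:
#   [monitor:///opt/splunk/pull/prodbox]
#   sourcetype = app_log
#   blacklist = \.part$

# Batch script for sftp: a single get, so this account and key are never used to upload or delete.
sftp_batch() { printf 'get %s %s\n' "$1" "$2"; }

# Publish a finished download with one rename so the monitor input never tails a half-written
# file. An empty download (failed or interrupted transfer) is discarded rather than replacing
# the last good copy. Splunk keys monitored files by a checksum of their initial bytes plus the
# last read offset, so a replaced, longer copy only has its new lines indexed.
publish() {
  src="$1"; dest="$2"
  [ -s "$src" ] || { rm -f "$src"; return 1; }
  mv -f "$src" "$dest"
}

# mkdir is atomic, so it serves as a lock without flock: a slow transfer is not overlapped by
# the next 10-minute cron run.
fetch_log() {
  mkdir -p "$WATCH_DIR"
  mkdir "$LOCK_DIR" 2>/dev/null || { echo "previous run still active" >&2; return 0; }
  trap 'rmdir "$LOCK_DIR"' EXIT
  name=$(basename "$REMOTE_PATH")
  tmp="$WATCH_DIR/.$name.part"
  sftp_batch "$REMOTE_PATH" "$tmp" |
    sftp -q -b - -i "$KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
      "$REMOTE_USER@$REMOTE_HOST"
  publish "$tmp" "$WATCH_DIR/$name"
}

# cron entry on the Splunk host (assumed script location):
#   */10 * * * * /opt/splunk/bin/pull_prodbox.sh run
[ "${1:-}" = "run" ] && fetch_log
```

StrictHostKeyChecking=yes means the production host's key must already be in known_hosts on the Splunk server, which is what you want for an unattended job.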
