Configure monitor inputs for the Splunk Add-on for Cisco ESA
To configure the Splunk platform to monitor the Cisco ESA log files, you can use either Splunk Web to create the monitor inputs or configure inputs.conf directly.
Configure Monitoring through Splunk Web
Configure a file monitoring input on your data collection node for the Cisco ESA log files.
- Log into Splunk Web.
- Select Settings > Data inputs > Files & directories.
- Click New.
- Click Browse next to the File or Directory field.
- Navigate to the log file generated by the Cisco ESA server and click Next.
- For the Source type, click Select and enter your Cisco ESA log type:
  - cisco:esa:authentication
  - cisco:esa:textmail
  - cisco:esa:http
  - cisco:esa:amp
- Click Review.
- After you review the information, click Submit.
Configure inputs.conf
You can create an inputs.conf file and configure the monitor input in this file instead of using Splunk Web.
- Using a text editor, create a file named inputs.conf in the local folder of the add-on: $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-esa/local on Unix based systems, or %SPLUNK_HOME%\etc\apps\Splunk_TA_cisco-esa\local on Windows systems.
- Add the following stanza and lines, depending on the type of logs you are collecting. The stanza header and the sourcetype setting must be on separate lines. For text mail logs:

    [monitor://<Cisco_Ironport_LOG_PATH>\mail.@20130712T172736.s]
    sourcetype = cisco:esa:textmail

  For HTTP logs:

    [monitor://<Cisco_Ironport_LOG_PATH>\gui.@20130302T122618.s]
    sourcetype = cisco:esa:http

  For authentication logs:

    [monitor://<Cisco_Ironport_LOG_PATH>\authentication.@20130302T122552.s]
    sourcetype = cisco:esa:authentication

  For AMP logs:

    [monitor://<Cisco_Ironport_LOG_PATH>\amp.@20180103T132842.s]
    sourcetype = cisco:esa:amp

- Restart the Splunk platform in order for the new input to take effect.
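A monitor stanza that pairs an ESA log file with the wrong sourcetype (or no sourcetype) still ingests data, but the add-on's field extractions and CIM mappings will not apply to it, so the events are effectively invisible to searches and detections built on them. The following check, written here as an added example and not part of the Splunk add-on or Cisco documentation, parses an inputs.conf and flags stanzas whose log-file prefix (mail, gui, authentication, amp) does not match the sourcetype documented above; the sample configuration and its /var/log/ironport paths are constructed for the demonstration.

```python
import configparser
import re
from typing import List

# Cisco ESA log-file prefix -> sourcetype the add-on expects for that log
# (taken from the four stanzas documented on this page).
EXPECTED_SOURCETYPE = {
    "mail": "cisco:esa:textmail",
    "gui": "cisco:esa:http",
    "authentication": "cisco:esa:authentication",
    "amp": "cisco:esa:amp",
}

# Constructed inputs.conf for the demonstration (paths are hypothetical).
# The gui stanza deliberately carries the textmail sourcetype, and the amp
# stanza has no sourcetype at all, so both should be reported.
SAMPLE_INPUTS_CONF = """
[monitor:///var/log/ironport/mail.@20130712T172736.s]
sourcetype = cisco:esa:textmail

[monitor:///var/log/ironport/authentication.@20130302T122552.s]
sourcetype = cisco:esa:authentication

[monitor:///var/log/ironport/gui.@20130302T122618.s]
sourcetype = cisco:esa:textmail

[monitor:///var/log/ironport/amp.@20180103T132842.s]
"""


def check_esa_inputs(conf_text: str) -> List[str]:
    """Return a list of problems found in monitor stanzas (empty if all OK)."""
    # interpolation=None so %SPLUNK_HOME% style values are not mangled.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    problems = []
    for section in parser.sections():
        if not section.startswith("monitor://"):
            continue  # other input types are out of scope for this check
        path = section[len("monitor://"):]
        name = re.split(r"[\\/]", path)[-1]      # file name, / or \ separators
        prefix = name.split(".", 1)[0]            # e.g. "mail" from mail.@...s
        expected = EXPECTED_SOURCETYPE.get(prefix)
        actual = parser[section].get("sourcetype")
        if expected is None:
            problems.append(f"{section}: unrecognised ESA log file '{name}'")
        elif actual is None:
            problems.append(f"{section}: no sourcetype set, expected {expected}")
        elif actual != expected:
            problems.append(f"{section}: sourcetype {actual} but file prefix "
                            f"'{prefix}' expects {expected}")
    return problems
```

Run it against $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-esa/local/inputs.conf after editing and before restarting, so a mismatch is caught before it silently breaks the add-on's parsing.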