Community:Splunk for IMAP

From Splunk Wiki


Splunk for IMAP

This application continually downloads mail from an IMAP account and sends it to a Splunk server for indexing. You can do cool things like see how often you get mail from someone, graph by size, time, etc. Each message is treated as a separate Splunk event.

Download the Splunk for IMAP application

Download the application from SplunkBase here: Splunk for IMAP.

Install Splunk for IMAP

1. Copy the IMAP application directory into $SPLUNK_HOME/etc/apps

2. Copy default/imap.conf to local/imap.conf and provide the required settings for connecting to your IMAP server (server, user, password). See the comments in the file for more details about all required and optional settings.

3. Restart the Splunk server.

Note: By default, the IMAP application creates a new index named "mail" via the file default/indexes.conf. If you want the IMAP output to go to the default Splunk index instead, remove the index = mail setting in props.conf and delete indexes.conf.

Required input changes

Set:

  • server to be your mail server, for example "mail.spool.com" or "217.12.1.50"
  • port if you are using a non-standard port
  • user to be your login name
  • password to be your password in plain text.
  • xpassword to your encrypted password. To get an encrypted version of your password, run the genpassword.sh script in this application's bin directory. Copy and paste its output to xpassword.

Note: There are two ways to supply a password. password is plain text and xpassword is an encrypted password.

Optional input changes

The following input changes are optional:

  • maxsize = <number> By default we index messages no larger than 200k. You can change this by setting maxsize.
  • indexHeaders = True/False if you want full header info
  • indexBody = True/False if you want the entire body indexed.
  • match = <regex> This will only index messages that match this regex. For example, if you only wanted to index mail that had a certain subject, you could do so here.
  • filter = <regex> This will filter out and index only the content that matches the regex. Unlike match, which just passes the entire message on if it matches, filter will carve up the body and only pass on certain parts. This is useful if you want to pull out certain parts of the message.

Deployment notes

Message headers are indexed as key-value pairs, for example:

  From = "erik swan <erik@swan.com>"
  Subject = "This is sooo cool"

This makes it easy to generate reports from the email indexed in Splunk. For example:

   index::mail | top From

Also, note the quotes around the field values. This makes it easy to perform 'where' searches or regex searches on them. For example, if you want to find all your email that was sent by Will, do the following:

   index::mail | regex From = "Will"

If encrypted passwords are being used, the user needs to run the provided genpass.sh script, once for the mailbox password and once for the Splunk server password. Cut/copy/paste the generated encrypted password and place it into imap.conf.
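The following is an added example, not code from the Splunk for IMAP application or from this page: a small Python function that turns one raw mail message into the key = "value" event shown above, applying the maxsize, match, filter, indexHeaders and indexBody settings as described in the optional input changes. The settings dict, the header subset emitted when indexHeaders is off (From, To, Subject, Date), the quoting rule and the sample message are all assumptions made for this example.

```python
import email
import re
from email import policy

# Settings keyed like an imap.conf stanza; values are strings as in a .conf file (assumption).
DEFAULT_SETTINGS = {"maxsize": "204800", "indexHeaders": "False",
                    "indexBody": "True", "match": "", "filter": ""}
# Assumed header subset emitted when indexHeaders is not True.
BASIC_HEADERS = ("From", "To", "Subject", "Date")

def _quote(value):
    """Wrap a value in double quotes so it can be searched as a field; escape embedded quotes."""
    return '"' + str(value).replace('"', '\\"') + '"'

def message_to_event(raw, settings=None):
    """Turn one raw RFC 822 message (bytes) into a key = "value" event, or None if skipped."""
    cfg = dict(DEFAULT_SETTINGS, **(settings or {}))
    if len(raw) > int(cfg["maxsize"]):
        return None                      # larger than maxsize: not indexed at all
    text = raw.decode("utf-8", "replace")
    if cfg["match"] and not re.search(cfg["match"], text, re.S):
        return None                      # match gates the whole message on the raw text
    msg = email.message_from_bytes(raw, policy=policy.default)
    names = msg.keys() if cfg["indexHeaders"].lower() == "true" else BASIC_HEADERS
    lines = [f"{name} = {_quote(msg[name])}" for name in names if msg[name] is not None]
    if cfg["indexBody"].lower() == "true":
        part = msg.get_body(preferencelist=("plain",))
        body = part.get_content() if part is not None else ""
        if cfg["filter"]:
            # filter carves the body: only the fragments matching the regex are passed on
            body = "\n".join(m.group(0) for m in re.finditer(cfg["filter"], body, re.S))
        lines.append("Body = " + _quote(body.strip()))
    return "\n".join(lines)

# Constructed sample message (not a real mailbox capture).
SAMPLE = (b"From: Will Example <will@example.com>\n"
          b"To: erik@swan.com\n"
          b"Subject: Ticket 42 is sooo cool\n"
          b"Date: Mon, 01 Jan 2007 10:00:00 +0000\n"
          b"Content-Type: text/plain; charset=utf-8\n\n"
          b"Hello,\nticket 42 has been closed.\nticket 7 is still open.\n")

if __name__ == "__main__":
    print(message_to_event(SAMPLE))                            # whole body indexed
    print(message_to_event(SAMPLE, {"filter": r"ticket \d+"}))  # only ticket references
```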