Integrate Splunk with Umbrella Log Management Using S3 and Local Sync

Available Languages

Download Options

  • PDF     (298.8 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (384.9 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (283.6 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:September 3, 2025
Document ID:224767

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure Splunk to analyze DNS traffic logs from a Cisco-managed S3 bucket.

    Overview

    Splunk is a tool for log analysis. It provides a powerful interface for analyzing large chunks of data, such as the logs provided by Cisco Umbrella for your DNS traffic. This article describes how to:

    • Set up your Cisco-managed S3 bucket in your dashboard.
    • Ensure AWS Command Line Interface (AWS CLI) prerequisites are met.
    • Create a cron job to retrieve files from the bucket and store them locally on your server.
    • Configure Splunk to read from a local directory.

    Prerequisites

    Create a Cron Job on the Splunk Server

    1. Create a shell script named pull-umbrella-logs.sh with the provided contents, which runs on a scheduled cron job:

      #!/bin/sh
      cd <local data dir>
      AWS_ACCESS_KEY_ID=<accesskey> AWS_SECRET_ACCESS_KEY=<secretkey> aws s3 sync <data path> .
      Replace the placeholders with your actual values:

      • <local data dir> : Directory on disk to store the downloaded log files.
      • <accesskey> : Access key from the Umbrella dashboard.
      • <secretkey> : Secret key from the Umbrella dashboard.
      • <data path> : Data path from the log management UI (for example, s3://cisco-managed-<region>/1_2xxxxxxxxxxxxxxxxxa120c73a7c51fa6c61a4b6/dnslogs/ ).

    2. Save the shell script and set the run permission. The script must be owned by root.

      $ chmod u+x pull-umbrella-logs.sh

    3. Run the pull-umbrella-logs.sh script manually to confirm that the sync process is functional. Full completion is not required; this step confirms that credentials and script logic are correct.

    4. Add this line to your Splunk server crontab:

      */5 * * * * root root /path/to/pull-umbrella-logs.sh &2>1 >/var/log/pull-umbrella-logs.txt

      Make sure to edit the line to use the correct path to the script. This runs a sync every five minutes. The S3 storage directory updates every 10 minutes and the data remains on the S3 storage for 30 days. This keeps the two in sync.

    Configure Splunk to Read from a Local Directory

    1. In Splunk, navigate to Settings > Data Inputs > Files & Directories and select New.
      360002731126360002731126

      360002731146360002731146

    2. In the File or Directory field, specify the local directory where the S3 sync places files.
      360002731106360002731106

    3. Click Next and complete the wizard using the default settings.

    Once there is data in the local directory and Splunk is configured, the data can be available to query and report on in Splunk.

    Revision History

    Revision Publish Date Comments
    1.0
    04-Sep-2025
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products