Exporting Symantec Cloud SWG Logs to Splunk via Docker
This guide walks through the entire process of deploying Splunk in Docker, installing the Symantec Cloud SWG App and Add-on, configuring API access, and successfully ingesting Cloud SWG logs.
1. Prerequisites
- A Linux host (Ubuntu 20.04/22.04 or similar)
- Docker and Docker Compose installed
- Access to the Symantec Cloud SWG portal (portal.threatpulse.com)
- A valid API User and API Key

2. Install Docker
Run the following commands on Ubuntu:
# Install dependencies sudo apt-get update sudo apt-get install -y ca-certificates curl gnupg # Add Docker’s official GPG key sudo install -m 0755 -d /etc/apt/keyrings sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc sudo chmod a+r /etc/apt/keyrings/docker.asc # Add repository echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \ sudo tee /etc/apt/sources.list.d/docker.list > /dev/null # Install Docker Engine sudo apt-get update sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
Verify:
docker --version
3. Deploy Splunk with Docker
Bind-mount directories for persistence:
mkdir -p /srv/splunk/etc /srv/splunk/var docker run -d --name splunk \ -p 8000:8000 \ -p 8089:8089 \ -p 9997:9997 \ -p 1514:1514 -p 1514:1514/udp \ -p 8088:8088 \ -e SPLUNK_GENERAL_TERMS=--accept-sgt-current-at-splunk-com \ -e SPLUNK_START_ARGS=--accept-license \ -e SPLUNK_PASSWORD='YourAdminPassword!' \ -v /srv/splunk/etc:/opt/splunk/etc \ -v /srv/splunk/var:/opt/splunk/var \ splunk/splunk:9.0.5
- Splunk Web:
https://<host-ip>:8000
- Admin username:
admin
- Password: as set above
4. Install the Symantec Cloud SWG Add-on and App
- Download the TA-SymantecWebSecurityService (Add-on) and SymantecWebSecurityService (App).
- Download from: Symantec WSS App for Splunk

- In Splunk Web:
- Go to Apps > Manage Apps > Install app from file
- Upload both
.spl
packages - Restart Splunk
5. Configure Cloud SWG Data Input
- In Splunk Web: Settings > Data Inputs > Symantec Web Security Service Rest Input Modular
- Create a new input with:
Parameter | Value |
---|---|
Name | CloudSWGLogs |
Portal URL | portal.threatpulse.com |
API User Name | Cloud SWG API User Name |
API Key | Paste your API key (twice) |
Interval | 300 (for testing purpose) |

- Save and restart Splunk.
6. Troubleshooting the “Invalid cross-device link” Error
By default, the Add-on downloads logs to:
/opt/splunk/etc/apps/TA-SymantecWebSecurityService/bin/
and moves them to:
/opt/splunk/var/spool/splunk/
In Docker, these directories often reside on different volumes, so os.rename()
fails with:
root@HF-Ubuntu-02:~# docker exec -it splunk bash [ansible@97657274e7e9 splunk]$ sudo -i [root@19889267ec34 bin]# cd /opt/splunk/var/log/scwss/ [root@19889267ec34 scwss]# [root@19889267ec34 scwss]# cat scwss-poll.log 2025-09-30 01:25:49,091 INFO 128290507106112 - Script starting invocation at 2025-09-30 01:25:49 2025-09-30 01:25:49,210 INFO 128290507106112 - SWSS: Starting data collection... 2025-09-30 01:25:49,210 INFO 128290507106112 - Invoking API Request at 2025-09-30 01:25:49 2025-09-30 01:25:53,977 INFO 128290507106112 - Response received with status code 200 2025-09-30 01:25:54,803 INFO 128290507106112 - File name is cloud_archive_250930012550_stash_ta_scwss_logs.zip, size is 35.6494140625 kilobytes 2025-09-30 01:25:54,803 INFO 128290507106112 - File cloud_archive_250930012550_stash_ta_scwss_logs.zip downloaded from the API in 5 seconds 2025-09-30 01:25:54,804 ERROR 128290507106112 - SWSS: Error while writing data into Splunk: [Errno 18] Invalid cross-device link: '/opt/splunk/etc/apps/TA-SymantecWebSecurityService/bin/cloud_archive_250930012550_stash_ta_scwss_logs.zip' -> '/opt/splunk/var/spool/splunk/cloud_archive_250930012550_stash_ta_scwss_logs.zip' Traceback (most recent call last): File "/opt/splunk/etc/apps/TA-SymantecWebSecurityService/bin/scwss-poll.py", line 745, in run_script os.rename(download_file, destination_path) OSError: [Errno 18] Invalid cross-device link: '/opt/splunk/etc/apps/TA-SymantecWebSecurityService/bin/cloud_archive_250930012550_stash_ta_scwss_logs.zip' -> '/opt/splunk/var/spool/splunk/cloud_archive_250930012550_stash_ta_scwss_logs.zip'
Solution: Patch the Add-on Script
Edit /opt/splunk/etc/apps/TA-SymantecWebSecurityService/bin/scwss-poll.py
:
[root@19889267ec34 scwss]# cd /opt/splunk/etc/apps/TA-SymantecWebSecurityService/bin/ [root@19889267ec34 bin]# vi scwss-poll.py token = x_sync_token.decode() # Edit Here! # os.rename(download_file, destination_path) import shutil shutil.move(download_file, destination_path) file_to_disk_end_time = time.time()
This replaces the default os.rename(...)
with shutil.move(...)
, which transparently handles cross-filesystem moves.
Restart Splunk after editing:
docker restart splunk
Logs should now ingest successfully.
7. Verify Data
Search in Splunk:
index=main sourcetype="symantec:websecurityservice:scwss-poll" | head 20

If results appear, dashboards such as Security Overview, Web Threat View, and Client View will populate.

With this setup, you now have a working integration of Symantec Cloud SWG → Splunk, running entirely inside Docker.
Recent Comments