Exporting Symantec Cloud SWG Logs to Splunk via Docker

This guide walks through the entire process of deploying Splunk in Docker, installing the Symantec Cloud SWG App and Add-on, configuring API access, and successfully ingesting Cloud SWG logs.


1. Prerequisites

  • A Linux host (Ubuntu 20.04/22.04 or similar)
  • Docker and Docker Compose installed
  • Access to the Symantec Cloud SWG portal (portal.threatpulse.com)
  • A valid API User and API Key

2. Install Docker

Run the following commands on Ubuntu:

# Install dependencies
sudo apt-get update
sudo apt-get install -y ca-certificates curl gnupg

# Add Docker’s official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add repository
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Install Docker Engine
sudo apt-get update
sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Verify:

docker --version

3. Deploy Splunk with Docker

Bind-mount directories for persistence:

mkdir -p /srv/splunk/etc /srv/splunk/var

docker run -d --name splunk \
  -p 8000:8000 \
  -p 8089:8089 \
  -p 9997:9997 \
  -p 1514:1514 -p 1514:1514/udp \
  -p 8088:8088 \
  -e SPLUNK_GENERAL_TERMS=--accept-sgt-current-at-splunk-com \
  -e SPLUNK_START_ARGS=--accept-license \
  -e SPLUNK_PASSWORD='YourAdminPassword!' \
  -v /srv/splunk/etc:/opt/splunk/etc \
  -v /srv/splunk/var:/opt/splunk/var \
  splunk/splunk:9.0.5

  • Splunk Web: https://<host-ip>:8000
  • Admin username: admin
  • Password: as set above

Passing the password inline puts it in your shell history, and Docker keeps it in the container's environment either way (docker inspect splunk shows it). For anything beyond a lab, read it from a file with --env-file rather than typing it on the command line, change it after the first login, and keep 8089 (management) and 8088 (HEC) reachable only from the networks that need them.

4. Install the Symantec Cloud SWG Add-on and App

  • In Splunk Web:
    • Go to Apps > Manage Apps > Install app from file
    • Upload both .spl packages
    • Restart Splunk

5. Configure Cloud SWG Data Input

  1. In Splunk Web: Settings > Data Inputs > Symantec Web Security Service Rest Input Modular
  2. Create a new input with:
  Parameter       Value
  Name            CloudSWGLogs
  Portal URL      portal.threatpulse.com
  API User Name   your Cloud SWG API user name
  API Key         paste your API key (twice; the second field confirms it)
  Interval        300 (seconds; a short interval for testing)
  3. Save and restart Splunk.

6. Troubleshooting the “Invalid cross-device link” Error

The add-on downloads each log archive into its own bin directory:

/opt/splunk/etc/apps/TA-SymantecWebSecurityService/bin/

and then moves it into the Splunk spool directory:

/opt/splunk/var/spool/splunk/

With the docker run above, /opt/splunk/etc and /opt/splunk/var are two separate bind mounts, so the two paths sit on different filesystems. rename(2) can only move a file within a single filesystem; across mount points the kernel refuses with EXDEV, and the add-on's os.rename() call fails. The poll log inside the container shows the error:

root@HF-Ubuntu-02:~# docker exec -it splunk bash
[ansible@97657274e7e9 splunk]$ sudo -i
[root@19889267ec34 bin]# cd /opt/splunk/var/log/scwss/
[root@19889267ec34 scwss]# 
[root@19889267ec34 scwss]# cat scwss-poll.log 
2025-09-30 01:25:49,091 INFO 128290507106112 - Script starting invocation at 2025-09-30 01:25:49
2025-09-30 01:25:49,210 INFO 128290507106112 - SWSS: Starting data collection...
2025-09-30 01:25:49,210 INFO 128290507106112 - Invoking API Request at 2025-09-30 01:25:49
2025-09-30 01:25:53,977 INFO 128290507106112 - Response received with status code 200
2025-09-30 01:25:54,803 INFO 128290507106112 - File name is cloud_archive_250930012550_stash_ta_scwss_logs.zip, size is 35.6494140625 kilobytes
2025-09-30 01:25:54,803 INFO 128290507106112 - File cloud_archive_250930012550_stash_ta_scwss_logs.zip downloaded from the API in 5 seconds
2025-09-30 01:25:54,804 ERROR 128290507106112 - SWSS: Error while writing data into Splunk: [Errno 18] Invalid cross-device link: '/opt/splunk/etc/apps/TA-SymantecWebSecurityService/bin/cloud_archive_250930012550_stash_ta_scwss_logs.zip' -> '/opt/splunk/var/spool/splunk/cloud_archive_250930012550_stash_ta_scwss_logs.zip'
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/TA-SymantecWebSecurityService/bin/scwss-poll.py", line 745, in run_script
    os.rename(download_file, destination_path)
OSError: [Errno 18] Invalid cross-device link: '/opt/splunk/etc/apps/TA-SymantecWebSecurityService/bin/cloud_archive_250930012550_stash_ta_scwss_logs.zip' -> '/opt/splunk/var/spool/splunk/cloud_archive_250930012550_stash_ta_scwss_logs.zip'

Solution: Patch the Add-on Script

Edit /opt/splunk/etc/apps/TA-SymantecWebSecurityService/bin/scwss-poll.py and replace the os.rename() call (line 745 in the traceback above) with shutil.move():

[root@19889267ec34 scwss]# cd /opt/splunk/etc/apps/TA-SymantecWebSecurityService/bin/
[root@19889267ec34 bin]# vi scwss-poll.py 


            token = x_sync_token.decode()

            # Edit Here!
            # os.rename(download_file, destination_path)
            # shutil.move() tries rename() first and, when that fails with
            # EXDEV, copies the file and deletes the source instead.
            import shutil
            shutil.move(download_file, destination_path)

            file_to_disk_end_time = time.time()

This replaces os.rename(...) with shutil.move(...), which handles cross-filesystem moves transparently (the inline import works; moving it to the top of the file with the other imports is tidier). Two caveats: the edit lives in the bind-mounted /opt/splunk/etc, so it survives container restarts, but upgrading the add-on will overwrite scwss-poll.py and you will need to re-apply it; and on the EXDEV path the file is copied straight into the spool directory rather than renamed into it, so the move is no longer atomic the way os.rename() was.

Restart Splunk after editing:

docker restart splunk

Logs should now ingest successfully. Confirm by re-reading /opt/splunk/var/log/scwss/scwss-poll.log after the next poll interval: the run should end without the "Error while writing data into Splunk" line.
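To see what the patch relies on, and to check a container before patching it, here is an added Python example. It is not code from the Symantec add-on, Splunk, or Broadcom. same_device() compares the st_dev of the add-on's bin/ directory and the spool directory; run inside the container it predicts the EXDEV failure before the next poll. move_to_spool() does what shutil.move() does when rename() fails with EXDEV, with one refinement: it stages the copy in a directory on the destination filesystem but outside the spool directory, then renames into place, so whatever consumes the spool never sees a half-copied file. The temp-tree paths, the fake exdev_rename, and the payload bytes are constructed for the demo.

```python
"""Cross-device move, as the patched add-on needs it (added example)."""
import errno
import os
import shutil
import tempfile


def same_device(path_a: str, path_b: str) -> bool:
    """Preflight check: True if both paths live on the same filesystem.

    rename(2) only works within one filesystem, so comparing st_dev of the
    download directory and the spool directory predicts the EXDEV error.
    In the container, call it with the add-on's bin/ directory and
    /opt/splunk/var/spool/splunk.
    """
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev


def move_to_spool(src: str, dst: str, staging_dir: str, rename=os.rename) -> str:
    """Move src to dst, surviving a cross-filesystem move.

    Tries an atomic rename first. If the kernel refuses with EXDEV, copy the
    bytes and metadata into staging_dir (which must sit on the same filesystem
    as dst but outside the watched spool directory), rename into place, and
    only then unlink the source. Any other OSError is re-raised. `rename` is
    injectable so the EXDEV path can be exercised without two real mounts.
    """
    try:
        rename(src, dst)
        return dst
    except OSError as exc:
        if exc.errno != errno.EXDEV:
            raise
    os.makedirs(staging_dir, exist_ok=True)
    staged = os.path.join(staging_dir, os.path.basename(dst))
    shutil.copy2(src, staged)   # copies data and mtime/permissions
    os.rename(staged, dst)      # same filesystem now, so this is atomic
    os.unlink(src)              # remove the original only after dst exists
    return dst


def demo() -> dict:
    """Run the move twice in a temp tree: once via rename, once forcing EXDEV."""
    root = tempfile.mkdtemp(prefix="scwss-demo-")
    bin_dir = os.path.join(root, "bin")      # stands in for the add-on's bin/
    spool = os.path.join(root, "spool")      # stands in for var/spool/splunk
    staging = os.path.join(root, "staging")  # sibling of spool, same filesystem
    os.makedirs(bin_dir)
    os.makedirs(spool)
    payload = b"PK\x03\x04 constructed bytes, not a real Cloud SWG archive"

    def exdev_rename(a, b):
        # Simulates what the kernel does for a rename across mount points.
        raise OSError(errno.EXDEV, "Invalid cross-device link", a, b)

    results = {}
    for label, rn in (("rename", os.rename), ("exdev", exdev_rename)):
        name = f"cloud_archive_{label}_stash_ta_scwss_logs.zip"
        src = os.path.join(bin_dir, name)
        dst = os.path.join(spool, name)
        with open(src, "wb") as f:
            f.write(payload)
        move_to_spool(src, dst, staging, rename=rn)
        with open(dst, "rb") as f:
            results[label] = (not os.path.exists(src), f.read() == payload)
    results["same_device"] = same_device(bin_dir, spool)
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(demo())
```

Inside the running container, same_device('/opt/splunk/etc/apps/TA-SymantecWebSecurityService/bin', '/opt/splunk/var/spool/splunk') returning False is the condition that produces the traceback above; if it returns True, the bind mounts are not the cause and the patch will not help.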


7. Verify Data

Search in Splunk:

index=main sourcetype="symantec:websecurityservice:scwss-poll" | head 20

(index=main assumes the add-on writes to the default index; if you configured another index on the input, search that one instead.)

If results appear, dashboards such as Security Overview, Web Threat View, and Client View will populate.


With this setup, you now have a working integration of Symantec Cloud SWG → Splunk, running entirely inside Docker.
