"Invalid cross-device link" while retrieving Cloud Secure Gateway (Cloud SWG) access log from Splunk.

search cancel

"Invalid cross-device link" while retrieving Cloud Secure Gateway (Cloud SWG) access log from Splunk.

book

Article ID: 412487

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

This would happen with Symantec Web Security Service (WSS) App for Splunk. (Symantec WSS App for Splunk)
When trying to move retrieved accsess log from Cloud SWG to /etc directory of the Splunk with the script file automatically running, following errors are encountered.

2025-09-30 01:30:51,502 ERROR 129082703279936 - SWSS: Error while writing data into Splunk: [Errno 18] Invalid cross-device link: '/opt/splunk/etc/apps/TA-SymantecWebSecurityService/bin/cloud_archive_250930013050_stash_ta_scwss_logs.zip' -> '/opt/splunk/var/spool/splunk/cloud_archive_250930013050_stash_ta_scwss_logs.zip'

Traceback (most recent call last):

File "/opt/splunk/etc/apps/TA-SymantecWebSecurityService/bin/scwss-poll.py", line 745, in run_script

os.rename(download_file, destination_path)

OSError: [Errno 18] Invalid cross-device link: '/opt/splunk/etc/apps/TA-SymantecWebSecurityService/bin/cloud_archive_250930013050_stash_ta_scwss_logs.zip' -> '/opt/splunk/var/spool/splunk/cloud_archive_250930013050_stash_ta_scwss_logs.zip'

Environment

Installed Splunk into Docker containers in Linux environment.

Cause

"Invalid cross-device link" error happens on copying files on different type of the file system between copy source and destination.
In this situation, "/opt/splunk/etc" and "/opt/splunk/var" is different volume and it recognizes different file systems from another applications such as python script and command.

# docker inspect splunk --format '{{json .Mounts}}' | jq

[

{

"Type": "bind",

"Source": "/srv/splunk",

"Destination": "/opt/splunk",

"Mode": "",

"RW": true,

"Propagation": "rprivate"

},

{

"Type": "volume",

"Name": "04ac263036fd62ae727c461fe2fddd4de964990a83cee3e2049996d6bb3de109",

"Source": "/var/lib/docker/volumes/04ac263036fd62ae727c461fe2fddd4de964990a83cee3e2049996d6bb3de109/_data",

"Destination": "/opt/splunk/etc",

"Driver": "local",

"Mode": "",

"RW": true,

"Propagation": ""

},

{

"Type": "volume",

"Name": "1d2a27be8b778487f8774e4159221d96f44fb8ae553bfa0f7f14feaa50adf504",

"Source": "/var/lib/docker/volumes/1d2a27be8b778487f8774e4159221d96f44fb8ae553bfa0f7f14feaa50adf504/_data",

"Destination": "/opt/splunk/var",

"Driver": "local",

"Mode": "",

"RW": true,

"Propagation": ""

}

]

"Destination": "/opt/splunk/etc"
"Source": "/var/lib/docker/volumes/04ac263036fd62ae727c461fe2fddd4de964990a83cee3e2049996d6bb3de109/_data",

"Destination": "/opt/splunk/var"
"Source": "/var/lib/docker/volumes/1d2a27be8b778487f8774e4159221d96f44fb8ae553bfa0f7f14feaa50adf504/_data",

os.rename(download_file, destination_path)

Resolution

In the script scwss-poll.py, actual copy file code is here.

os.rename(download_file, destination_path)

Python command os.rename expects both download_file and destination_path are the same file system. As far as describing above, os.rename command cannot be used. Workaround is here.
Change scwss-poll.py file.

1. Backup scwss-poll.py
2. Edit scwss-poll.py
Comment this line out
#os.rename(download_file, destination_path)

Insert two lines
import shutil shutil.move(download_file, destination_path)

3. Save the file

[Note]
shutil.move has an ability to move(rename) files to across different file systems between source and destination.

Feedback

thumb_up Yes

thumb_down No