Splunk® Supported Add-ons

Splunk Add-on for Cisco WSA


Configure inputs for the Splunk Add-on for Cisco WSA

Configure your inputs on the part of your Splunk platform architecture that performs data collection for the add-on. Work with your Cisco WSA administrator to configure WSA log subscriptions to send data to the Splunk platform. Follow the instructions in the Cisco documentation to configure a push job for the logs so that you can collect them on your data collection node via FTP or SCP.

To use Splunk Connect for Syslog to collect syslog data, configure Cisco WSA log subscriptions to push data to the Syslog server using the SC4S instance as a destination. For SC4S configuration details see the readme file at https://github.com/splunk/splunk-connect-for-syslog/blob/develop/docs/sources/Cisco/index.md

You must configure the Splunk platform so that it knows where the pushed Cisco WSA logs are available. You do this by configuring file or folder monitoring inputs in the Splunk user interface, or by editing inputs.conf manually as described below:

  1. On your data collection node, create or edit the inputs.conf file at $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-wsa/local/ to specify the file path of the access/w3c/l4tm log files. For L4TM logs:
    [monitor://<Cisco_Ironport_LOG_PATH>\tmon_misc.@20130507T012232.s]
    sourcetype = cisco:wsa:l4tm
    

    For access logs in squid format:

    [monitor://<Cisco_Ironport_LOG_PATH>\aclog.@20130316T120308.s]
    sourcetype = cisco:wsa:squid
    

    For access logs in squid format with recommended key-value customisation:

    [monitor://<Cisco_Ironport_LOG_PATH>\aclog.@20130316T120308.s]
    sourcetype = cisco:wsa:w3c:recommended
    

    For access logs in W3C format:

    [monitor://<Cisco_Ironport_LOG_PATH>\w3c_log@20130316T120308.s]
    sourcetype = cisco:wsa:w3c
    
  2. If you are using forwarders, configure forwarding by defining tcp outputs in outputs.conf (see "Configure forwarders with outputs.conf" in the Splunk Enterprise Forwarding documentation) and then enabling a receiver.
  3. Restart the Splunk platform. If you have a distributed deployment, restart your forwarder and indexers.

If your data includes logs in W3C format, you may need to manually configure field extractions. See Customize log and field extractions for supported sourcetypes for details.
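As an added illustration that is not part of the add-on or this documentation, the following Python script checks that the sourcetype in a monitor stanza matches the format of the log file the subscription actually pushed, since a mismatch (for example, a key-value customised subscription monitored as cisco:wsa:squid) silently breaks field extraction. The filename prefixes come from the stanzas above; the content heuristics (a `#Fields:` header for W3C, an epoch timestamp leading a squid line, mostly `key=value` tokens for the recommended customisation) and the sample lines are assumptions constructed for this example.

```python
import re
from typing import Optional

# Sourcetypes listed in the inputs.conf stanzas above.
SOURCETYPES = {
    "l4tm": "cisco:wsa:l4tm",
    "squid": "cisco:wsa:squid",
    "recommended": "cisco:wsa:w3c:recommended",
    "w3c": "cisco:wsa:w3c",
}

# Assumed squid access-log shape: "<epoch>.<ms> <elapsed> <client-ip> <result>/<status> ..."
SQUID_RE = re.compile(r"^\d{10}\.\d{3}\s+\d+\s+\d{1,3}(?:\.\d{1,3}){3}\s+\S+/\d{3}\s")

# Constructed sample lines (not real WSA output); field names are illustrative.
SQUID_SAMPLE = "1363435388.123 456 10.0.0.5 TCP_MISS/200 1024 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html\n"
KV_SAMPLE = "timestamp=1363435388.123 elapsed_time=456 c_ip=10.0.0.5 sc_result_code=TCP_MISS sc_http_status=200 cs_method=GET cs_url=http://www.example.com/\n"
W3C_SAMPLE = "#Version: 1.0\n#Fields: timestamp x-elapsed-time c-ip sc-result-code sc-http-status cs-method cs-url\n1363435388.123 456 10.0.0.5 TCP_MISS 200 GET http://www.example.com/\n"


def detect_format(filename: str, sample: str) -> Optional[str]:
    """Classify a pushed WSA log by its filename prefix and first lines (heuristics are assumptions)."""
    if filename.startswith("tmon_misc."):      # L4TM logs are identified by name on this page
        return "l4tm"
    lines = [ln for ln in sample.splitlines() if ln.strip()]
    if not lines:
        return None
    has_w3c_header = lines[0].startswith("#")  # W3C extended log format starts with '#' directives
    data = [ln for ln in lines if not ln.startswith("#")]
    if not data:
        return "w3c" if has_w3c_header else None
    first = data[0]
    if SQUID_RE.match(first):
        return "squid"
    tokens = first.split()
    if sum("=" in t for t in tokens) * 2 >= len(tokens):  # at least half the tokens are key=value
        return "recommended"
    return "w3c" if has_w3c_header else None


def render_stanza(log_path: str, fmt: str) -> str:
    """Emit the inputs.conf monitor stanza for a detected format."""
    return f"[monitor://{log_path}]\nsourcetype = {SOURCETYPES[fmt]}\n"


def check_stanza(configured: str, filename: str, sample: str) -> Optional[str]:
    """Return the sourcetype the file really needs if 'configured' is wrong, else None."""
    fmt = detect_format(filename, sample)
    if fmt is None:
        return "unknown"
    return None if configured == SOURCETYPES[fmt] else SOURCETYPES[fmt]
```

Run `check_stanza` against each monitor stanza on the data collection node before restarting; a non-None result means the stanza's sourcetype and the pushed file's format disagree.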

Alternatively, instead of pushing logs to remote FTP or SCP locations, it is possible to configure a subscription to push logs to a remote Syslog server. If a log subscription is configured for the recommended key-value format supported by the cisco:wsa:w3c:recommended sourcetype, it is still possible to configure an input that monitors the destination syslog file. However, it is recommended to use SC4S for ingesting events pushed to syslog. Note that for position/delimiter-based sourcetypes (i.e. all sourcetypes other than cisco:wsa:w3c:recommended) SC4S is the only way to correctly ingest syslog formatted events.

Last modified on 11 August, 2022
This documentation applies to the following versions of Splunk® Supported Add-ons: released