Configure inputs for the Splunk Add-on for Cisco WSA
Configure your inputs on the part of your Splunk platform architecture that performs data collection for the add-on. Work with your Cisco WSA administrator to configure WSA to send data to the Splunk platform. Follow the instructions in the Cisco documentation to configure a push job for the logs so that you can collect them on your data collection node via FTP or SCP.
To use Splunk Connect for Syslog to collect syslog data, see the readme file at https://github.com/splunk/splunk-connect-for-syslog/blob/develop/docs/sources/Cisco/index.md
If you are unable to get complete data using FTP or SCP, then do not use this add-on. Instead, model the actual data using field extractions, event types, and transactions, as described in the Knowledge Manager Manual.
- On your data collection node, create or edit the configuration file in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-wsa/local/ to specify the file path of the access and L4TM log files. For L4TM logs:

      [monitor://<Cisco_Ironport_LOG_PATH>\tmon_misc.@20130507T012232.s]
      sourcetype = cisco:wsa:l4tm

  For access logs in squid format:

      [monitor://<Cisco_Ironport_LOG_PATH>\aclog.@20130316T120308.s]
      sourcetype = cisco:wsa:squid

  For access logs in W3C format:

      [monitor://<Cisco_Ironport_LOG_PATH>\filename]
      sourcetype = cisco:wsa:w3c
- If you are using forwarders, configure forwarding by defining TCP outputs on the forwarder and then enabling a receiver on the indexer.
- Restart the Splunk platform. If you have a distributed deployment, restart your forwarder and indexers.
If your data includes logs in W3C format, you need to manually configure field extractions. See Configure field extractions for W3C log formats for details.
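As an added example (not part of the add-on or of the Splunk documentation), the following Python script classifies the WSA files that the push job delivered to the data collection node and emits the matching monitor stanzas, so that a W3C-format access log, which needs the manual field extractions noted above, is not indexed as cisco:wsa:squid by mistake. The file name patterns, the "#Fields:" header test and the squid record shape are assumptions; the sourcetypes are the ones this page lists.

```python
import os
import re

# Sourcetypes the add-on expects for each WSA log type (from this page).
SOURCETYPES = {"l4tm": "cisco:wsa:l4tm", "squid": "cisco:wsa:squid", "w3c": "cisco:wsa:w3c"}
# Assumed name pattern of pushed L4TM logs, e.g. tmon_misc.@20130507T012232.s
L4TM_NAME = re.compile(r"^tmon_misc\.@\d{8}T\d{6}\.s$")
# Assumed shape of a squid-format access record: epoch.millis, elapsed, client IP, result/status.
SQUID_RECORD = re.compile(r"^\d{10}\.\d{3}\s+\d+\s+\S+\s+\S+/\d{3}\s")


def detect_log_type(name, head):
    """Return 'l4tm', 'squid', 'w3c' or None from a file name and its first lines."""
    if L4TM_NAME.match(name):
        return "l4tm"
    for line in head:
        if line.startswith("#Fields:"):  # W3C extended-log directive (assumed marker)
            return "w3c"
        if line.startswith("#") or not line.strip():
            continue  # other W3C header directives or blank lines
        return "squid" if SQUID_RECORD.match(line) else None
    return None


def build_stanzas(log_dir, head_lines=10):
    """Return monitor stanzas (inputs.conf syntax) for every recognised file in log_dir."""
    stanzas = []
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            head = [next(fh, "") for _ in range(head_lines)]
        log_type = detect_log_type(name, head)
        if log_type is not None:  # skip files the add-on has no sourcetype for
            stanzas.append("[monitor://%s]\nsourcetype = %s\n" % (path, SOURCETYPES[log_type]))
    return "\n".join(stanzas)


# Constructed sample file heads (not real WSA output) covering the three formats.
SAMPLES = {
    "tmon_misc.@20130507T012232.s": ["L4TM monitor line\n"],
    "aclog.@20130316T120308.s": ["1363435388.123 45 10.0.0.1 TCP_MISS/200 1024 GET http://example.com/ - DIRECT/example.com text/html\n"],
    "w3c.@20130316T120308.s": ["#Version: 1.0\n", "#Fields: timestamp x-elapsed-time c-ip sc-http-status\n", "1363435388.123 45 10.0.0.1 200\n"],
    "readme.txt": ["not a WSA log\n"],
}


def classify_samples():
    """Map each constructed sample name to the log type detect_log_type assigns it."""
    return {name: detect_log_type(name, head) for name, head in SAMPLES.items()}
```

Running build_stanzas against the directory the push job writes to produces text you can paste into the local configuration file; review the W3C entries against the field extractions before restarting.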