Related Answers
Download topic as PDF
Release history for the Splunk Add-on for Cisco WSA
Latest release
The latest version of the Splunk Add-on for Cisco WSA is version 4.0.0. Please see Release notes for the Splunk Add-on for Cisco WSA for the release notes of this latest version.
Version 3.5.0
Splunk Add-on for Cisco WSA version 3.5.0 was released on August 9, 2022.
Version 3.5.0 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 7.3, 8.0, 8.1 |
| CIM | 4.18.0 |
| Platforms | Platform independent |
| Vendor Products | Cisco Web Security Appliance 11.7, 11.8 and 12.5. |
New features
Version 3.5.0 of the Splunk Add-on for Cisco WSA fixes bugs and provides the following features:
- Support for Async OS 11.8, 12.5
- Support for CIM 4.18
- Modified datamodel mapping for cisco:wsa:squid:new by removing Intrusion Detection datamodel
- Added a new recommended sourcetype - cisco:wsa:w3c:recommended
- Added syslog support for cisco:wsa:w3c:recommended
- Fixed positions of 'x_url' and 'x_avc_type' in cisco:wsa:squid:new sourcetype
- Change in CIM field vendor_product from the name of Scanning Engine (McAfee, Sophos, Webroot) to Cisco WSA
Fixed issues
Version 3.5.0 of the Splunk Add-on for Cisco WSA has the following fixed issues.
| Date resolved | Issue number | Description |
|---|---|---|
| 2020-12-01 | ADDON-31313 | Field extractions are not in correct order for wsa_11.7 source. |
Known issues
Version 3.5.0 of the Splunk Add-on for Cisco WSA has the following known issues. If no issues appear here, no issues have yet been reported.
Third-party software attributions
Version 3.5.0 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.
Version 3.4.0
Version 3.4.0 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 7.2, 7.3, 8.0 |
| CIM | 4.15.0 |
| Platforms | Platform independent |
| Vendor Products | Cisco IronPort AsyncOS 7.1, 7.5, 7.7, 8.0, 8.0.6, 8.1.0, 8.5.0, 8.5.2, 8.5.3, 9.0, 10.0, 10.1, 10.1.0, 10.1.1, 10.5.0, 11.0,11.5 and 11.7. |
New features
Version 3.4.0 of the Splunk Add-on for Cisco WSA fixes bugs and provides the following features:
- Improved CIM mapping
- New Splunk Connect for Syslog filter
- Support for version 11.7 of Cisco Web Security Appliance
Fixed issues
Version 3.4.0 of the Splunk Add-on for Cisco WSA has the following fixed issues.
Known issues
Version 3.4.0 of the Splunk Add-on for Cisco WSA has the following known issue.
| Date filed | Issue number | Description |
|---|---|---|
| 2020-11-30 | ADDON-31313 | Field extractions are not in correct order for wsa_11.7 source. |
Third-party software attributions
Version 3.4.0 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.
Version 3.3.1
Version 3.3.1 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 7.2, 7.3, 8.0 |
| CIM | 4.15.0 |
| Platforms | Platform independent |
| Vendor Products | Cisco IronPort AsyncOS 7.1, 7.5, 7.7, 8.0, 8.0.6, 8.1.0, 8.5.0, 8.5.2, 8.5.3, 9.0, 10.0, 10.1, 10.1.0, 10.1.1, 10.5.0, 11.0 and 11.5. |
New features
Version 3.3.1 of the Splunk Add-on for Cisco WSA fixes bugs and adds support for Cisco IronPort AsyncOS v10.x+
- Support for AsyncOS 11.5 for Cisco WSA
- Support for CIM 4.15.0
Fixed issues
Version 3.3.1 of the Splunk Add-on for Cisco WSA has the following fixed issues.
Known issues
Version 3.3.1 of the Splunk Add-on for Cisco WSA has the following known issue.
Third-party software attributions
Version 3.4.0 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.
Version 3.3.0
Version 3.3.0 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
| CIM | 4.2 or later |
| Platforms | Platform independent |
| Vendor Products | Cisco IronPort AsyncOS 7.1, 7.5, 7.7, 8.0, 8.0.6, 8.1.0, 8.5.0, 8.5.2, 8.5.3, 9.0, 10.0, 10.1, 10.1.0, 10.1.1, 10.5.0 and 11.0. |
New features
Version 3.3.0 of the Splunk Add-on for Cisco WSA fixes bugs and adds support for Cisco IronPort AsyncOS v10.x+
Fixed issues
Version 3.3.0 of the Splunk Add-on for Cisco WSA has the following fixed issues.
| Date resolved | Issue number | Description |
|---|---|---|
| 2018-05-02 | ADDON-14426 | Fixed field extraction for v9 log issues |
| 2018-04-18 | ADDON-10966 | eventtype "ironport_proxy", "ironport_traffic_monitor", "cisco_wsa_threatfound" are tag expanded |
| 2018-04-13 | ADDON-13440 | bytes field does not conform to CIM definition |
| 2018-04-05 | ADDON-8789 | dest field would be set to unknown in some cases |
Known issues
Version 3.3.0 of the Splunk Add-on for Cisco WSA has the following known issue.
| Date | Issue number | Description |
|---|---|---|
| 2014-11-24 | ADDON-2350 | Cisco Security Suite 3.0.3 compatibility issues. Cisco Security Suite is community supported, so add-on is compatible on a best-effort basis. File bugs for specific issues. |
Third-party software attributions
Version 3.3.0 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.
Version 3.2.4
Version 3.2.4 of the Splunk Add-on for Cisco WSA has the same compatibility specifications as version 3.3.0.
Fixed issues
Version 3.2.4 of the Splunk Add-on for Cisco WSA has the following fixed issues.
| Resolved Date | Issue number | Description |
|---|---|---|
| 2015-12-03 | ADDON-6749 | Eventtypes cisco_wsa_squid, cisco_wsa_l4tm, cisco_wsa_block are required for Cisco Security Suite app. These have been added to eventtypes.conf.
|
| 2016-01-26 | ADDON-7516 | Warning message in splunkd.log: "Failed to parse timestamp" caused by bad header info. |
Known issues
Version 3.2.4 of the Splunk Add-on for Cisco WSA has the following known issue.
| Date | Issue number | Description |
|---|---|---|
| 2014-11-24 | ADDON-2350 | Cisco Security Suite 3.0.3 compatibility issues. Cisco Security Suite is community supported, so add-on is compatible on a best-effort basis. File bugs for specific issues. |
Third-party software attributions
Version 3.2.4 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.
Version 3.2.3
Version 3.2.3 of the Splunk Add-on for Cisco WSA has the same compatibility specifications as version 3.2.4.
New features
Version 3.2.3 of the Splunk Add-on for Cisco WSA has the following new features.
| Date | Issue number | Description |
|---|---|---|
| 2015-11-06 | ADDON-6278 | Support for Cisco WSA version 8.5.3 and 9.0. |
Fixed issues
Version 3.2.3 of the Splunk Add-on for Cisco WSA has the following fixed issues.
| Resolved Date | Defect number | Description |
|---|---|---|
| 2015-11-06 | ADDON-6315 | Missing value for vendor_action in lookup.
|
Known issues
Version 3.2.3 of the Splunk Add-on for Cisco WSA has the following known issue.
| Date | Defect number | Description |
|---|---|---|
| 2014-11-24 | ADDON-2350 | Cisco Security Suite 3.0.3 compatibility issues. Cisco Security Suite is community supported, so add-on is compatible on a best-effort basis. File bugs for specific issues. |
Third-party software attributions
Version 3.2.3 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.
Version 3.2.2
Version 3.2.2 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 6.2 or later |
| CIM | 4.2 or later |
| Platforms | Platform independent |
| Vendor Products | Cisco IronPort AsyncOS 7.1, 7.5, 7.7, 8.0, 8.0.6, 8.1.0, 8.5.0, and 8.5.2. |
New features
Version 3.2.2 of the Splunk Add-on for Cisco WSA has the following new features.
| Resolved date | Issue number | Description |
|---|---|---|
| 2015-09-24 | ADDON-5055 | Support for Cisco WSA version 8.5. |
Fixed issues
Version 3.2.2 of the Splunk Add-on for Cisco WSA has no fixed issues.
Known issues
Version 3.2.2 of the Splunk Add-on for Cisco WSA has the following known issue.
| Date | Defect number | Description |
|---|---|---|
| 2014-11-24/ | ADDON-2350 | Cisco Security Suite 3.0.3 compatibility issues. Cisco Security Suite is community supported, so add-on is compatible on a best-effort basis. File bugs for specific issues. |
Third-party software attributions
Version 3.2.2 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.
Version 3.2.1
Version 3.2.1 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.
| Splunk platform versions | 6.2 or later |
| CIM | 4.2 or later |
| Platforms | Platform independent |
| Vendor Products | Cisco IronPort AsyncOS 7.1, 7.5, 7.7, 8.0, 8.0.6, and 8.1.0. |
New features
Version 3.2.1 of the Splunk Add-on for Cisco WSA has the following new features.
| Resolved date | Issue number | Description |
|---|---|---|
| 08/17/15 | ADDON-4025 | Extract additional fields from Cisco WSA access log (sourcetype=cisco:wsa:squid) and map those fields to CIM. |
Fixed issues
Version 3.2.1 of the Splunk Add-on for Cisco WSA has no fixed issues.
Known issues
Version 3.2.1 of the Splunk Add-on for Cisco WSA has the following known issue.
| Date | Defect number | Description |
|---|---|---|
| 11/24/14 | ADDON-2350 | Cisco Security Suite 3.0.3 compatibility issues. Cisco Security Suite is community supported, so add-on is compatible on a best-effort basis. File bugs for specific issues. |
Third-party software attributions
Version 3.2.1 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.
Version 3.2.0
New features
Version 3.2.0 of the Splunk Add-on for Cisco WSA had the following new features.
| Resolved date | Issue number | Description |
|---|---|---|
| 05/01/15 | ADDON-3799/ ADDON-3384/ ADDON-2774 |
Support for versions 8.0, 8.0.6, and 8.1.0 of Cisco WSA. |
| 05/01/15 | ADDON-3066 | Malware detection support. |
Fixed issues
Version 3.2.0 of the Splunk Add-on for Cisco WSA fixed the following issues.
| Resolved date | Defect number | Description |
|---|---|---|
| 04/30/15 | ADDON-3901 | Event type cisco_wsa_virusfound is not defined correctly. |
| 01/20/15 | ADDON-2913 | kv_for_cisco_wsa_squid regex is unable to field extract |
Known issues
Version 3.2.0 of the Splunk Add-on for Cisco WSA had the following known issue.
| Date | Defect number | Description |
|---|---|---|
| 11/24/14 | ADDON-2350 | Cisco Security Suite 3.0.3 compatibility issues. Cisco Security Suite is community supported, so add-on is compatible on a best-effort basis. File bugs for specific issues. |
Third-party software attributions
Version 3.2.0 of the Splunk Add-on for Cisco WSA did not incorporate any third-party software or libraries.
Version 3.1.1
Fixed issues
Version 3.1.1 of the Splunk Add-on for Cisco WSA fixed the following issue.
| Resolved date | Defect number | Description |
|---|---|---|
| 11/16/14 | ADDON-2292 | Splunk_TA_cisco-wsa needs to provide backwards-compatible eventtypes as an option in the add-on. 3.0.1 version of this add-on defined the cisco-wsa-squid eventtype, which is used in most pre-built searches of the Cisco Security Suite.
|
Known issues
Version 3.1.1 of the Splunk Add-on for Cisco WSA had the following known issues.
| Date | Defect number | Description |
|---|---|---|
| 11/24/14 | ADDON-2350 | Cisco Security Suite 3.0.3 compatibility issues. Cisco Security Suite is community supported, so add-on is compatible on a best-effort basis. File bugs for specific issues. |
| 12/04/14 | ADDON-2511 | Cisco WSA supports RFC3164 style syslog, not the more recent RFC5424 style syslog. Thus, you are limited to 1,024 bytes per syslog packet from a WSA. The Splunk Add-on for Cisco WSA extractions for Squid style logs assume that you want all the data and are using the SCP or FTP option to get your data. Alternatively, you may be able to configure a custom W3C format that drops enough fields to fit into a 1,024 byte packet, and manually alter props and transforms. |
Third-party software attributions
Version 3.1.1 of the Splunk Add-on for Cisco WSA did not incorporate any third-party software or libraries.
Version 3.1.0
New features
Version 3.1.0 of the Splunk Add-on for Cisco WSA included the following new features:
- Support for Cisco WSA 7.7.0 syslog (ADDON-1702)
Fixed issues
Version 3.1.0 of the Splunk Add-on for Cisco WSA fixed the following issues:
- Splunk Enterprise should be able to extract user agent and category fields from WSA data (ADDON-1114)
- Non communication events should not be tagged "communicate" (ADDON-1030)
- Incorrect extraction due to regex syntax (ADDON-1029)
- Add-on should include lookup for action based on vendor_action (ADDON-959)
Known issues
Version 3.1.0 of the Splunk Add-on for Cisco WSA had the following known issues:
- Splunk_TA_cisco-wsa needs to provide backwards-compatible eventtypes as an option in the add-on. 3.0.1 version of this add-on defined the
cisco-wsa-squideventtype, which is used in most pre-built searches of the Cisco Security Suite. (ADDON-2292) - Cisco Security Suite 3.0.3 compatibility issues. Knowledge object updates needed in props and transforms to support CSS searches. (ADDON-2350)
- Cisco Security Suite category widget produces: "Error in 'lookup' command: The lookup table 'cisco-wsa-category' does not exist." (ADDON-2349)
|
PREVIOUS Release notes for the Splunk Add-on for Cisco WSA |
This documentation applies to the following versions of Splunk® Supported Add-ons: released
Feedback submitted, thanks!