Upgrade the Splunk Add-on for Cisco WSA

Upgrade your syslog data in version 4.0.0

Splunk Add-on for Cisco WSA v4.0.0 introduces several breaking changes:

• The recommended format has changed to a key-value format based on WSA access logs, but the v3.5.0 format is still supported under cisco:wsa:w3c sourcetype. For example, field sequences expected by v3.5.0 cisco:wsa:w3c:recommended are now expected by cisco:wsa:w3c sourcetype. If another sequence is used, it should be updated either in the WSA log configuration or in the add-on input configuration by defining a custom field sequence.

• The following internal (non CIM) fields extraction have been removed for access and w3c logs: ** ta_cisco_wsa_proxy_action
  • vendor_action, txn_result_code
  • scanning_engine
  • cim_ids_types
  • http_result
  • acl_action
  • vendor_suspect_user_agent
  • hierarchy, contact_mode
  • result_code
  • cs_url_host
  • server_contact_mode.

Where possible these fields have been replaced with corresponding w3c log fields, for example, "hierarchy" was replaced with "s_hierarchy".

• As of version 4.0.0 of Splunk Add-on for WSA, all access and w3c logs are tagged with "network" and "communicate" tags in the Web:Proxy CIM data set, regardless of whether traffic is blocked due to malware, virus, or other thread detection. This is different from previous versions where these events were tagged for the Malware:Malware_Attack CIM data set. In v4.0.0 the logs are tagged for Web:Proxy with additional fields from Malware:Malware_Attack extracted: date, file_hash, file_name, file_path, and signature.

• Based on the changes described in this topic, the following cases may require additional configuration when upgrading TA to v4.0.0:
  • If you configure the add-on input to ingest events with the cisco:wsa:w3c sourcetype, make sure W3C logs are configured to include all required fields in the required order, otherwise you will redefine the list of the fields and their order.
  • If you configure the add-on input to ingest events as cisco:wsa:w3c:recommended sourcetype, after upgrade change the sourcetype to cisco:wsa:w3c in the corresponding input stanza. If, after the upgrade to 4.0 you want to keep using the cisco:wsa:w3c:recommended sourcetype, then change the Cisco WSA log subscription configuration from W3C logs to Access Log type, and modify Custom Fields configuration updated as described later in this topic.

Upgrade your syslog data in version 3.5.0

Upgrade from Splunk Add-on for Cisco WSA v3.4.0 to v3.5.0 requires no additional steps to be performed, however, to collect data for access logs, W3C logs, and L4TM logs for the Cisco Web Security Appliance, you must use Splunk Connect for Syslog. See Configure inputs for the Splunk Add-on for Cisco WSA.

Upgrade from 3.2.4 to 3.3.0 or later

Added extraction of "cs-bytes" field in w3c and squid logs

Starting with version 3.3.0, the Splunk Add-on for Cisco WSA expects the optional field bytes_out to be the last field in the access logs. If you are extracting this field, modify your access logs in Cisco WSA as shown in Customize log and field extractions for supported sourcetypes.

Modified column names in lookup files

In version 3.3.0 or later, the column names of below lookup files are modified to resolve conflicts in field extractions with other apps or add-ons.

The action and vendor_action columns in the lookup will be deprecated in future releases. If you are using the lookup directly in your apps or field extractions, change the input or output field names.