Configure inputs for the Splunk Add-on for Cisco WSA
Configure your inputs on the part of your Splunk platform architecture that is performing data collection for the add-on. If you have not already done so, work with your Cisco WSA administrator to configure WSA to send data to the Splunk platform. Follow the instructions in the Cisco documentation to configure a push job for the logs so that you can collect them on your data collection node via FTP or SCP.
Cisco WSA supports RFC 3164-style syslog, which limits each syslog packet sent from a WSA to 1,024 bytes. The field extractions in the Splunk Add-on for Cisco WSA for Squid-style logs assume that you want all the data in each event, not a copy cut short at that limit.
If you are unable to get complete data using FTP or SCP, then do not use this add-on. Instead, model the actual data using field extractions, event types, and transactions, as described in the Knowledge Manager Manual.
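As an added check (example code for this page, not part of the Splunk add-on or of Cisco's documentation), you can sample the access log you collected and flag lines that look cut short before relying on the add-on's Squid-format extractions. The field layout it assumes for a WSA Squid-style access log line (epoch timestamp, elapsed time, client, result/status, bytes, method, URL, user, hierarchy, MIME type, policy trace, then a verdict block in angle brackets) is an assumption, and every sample line is constructed.

```python
"""Flag Cisco WSA Squid-format access log lines that look truncated.

Added example for this page; not part of the Splunk Add-on for Cisco WSA or
of Cisco's documentation. The field layout is an assumption about the WSA
Squid-style access log, and every sample line below is constructed.
"""

# RFC 3164 syslog packet limit quoted on the page for a WSA.
SYSLOG_PACKET_LIMIT = 1024

# Squid-style layout assumed here (whitespace separated; the verdict block
# in <...> contains no spaces):
#   ts elapsed client result/status bytes method url user hierarchy mime policy <verdicts> ...
MIN_FIELDS = 12


def inspect_line(line):
    """Return the reasons a line looks incomplete (an empty list if it looks whole)."""
    text = line.rstrip("\r\n")
    reasons = []
    fields = text.split()
    if len(fields) < MIN_FIELDS:
        reasons.append("only %d fields, expected at least %d" % (len(fields), MIN_FIELDS))
    # A line cut inside the verdict block keeps its "<" but loses the ">".
    if text.count("<") != text.count(">"):
        reasons.append("verdict block '<...>' is not closed")
    size = len(text.encode("utf-8"))
    if size >= SYSLOG_PACKET_LIMIT:
        reasons.append("line is %d bytes, at or past the %d-byte syslog packet limit"
                       % (size, SYSLOG_PACKET_LIMIT))
    return reasons


def find_truncated(lines):
    """Return [(line_number, reasons)] for every suspect line, numbered from 1."""
    found = []
    for number, line in enumerate(lines, 1):
        reasons = inspect_line(line)
        if reasons:
            found.append((number, reasons))
    return found


# Constructed sample lines (no real host, user or policy data).
VERDICTS = ('<IW_comp,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,'
            '"-","-","Unknown","Unknown","-","-",0.00,0,-,"-","-">')
COMPLETE = ("1278096903.150 97 10.1.2.3 TCP_MISS/200 8187 GET http://www.example.com/ - "
            "DIRECT/www.example.com text/plain "
            "DEFAULT_CASE_12-DefaultGroup-Identity-NONE-NONE-NONE-DefaultRouting "
            + VERDICTS + " -")
# Cut inside the verdict block, as a packet limit would do on a long line.
CUT_IN_VERDICTS = COMPLETE[:COMPLETE.index("<") + 20]
# Cut inside the URL, so the field count is far too low.
CUT_IN_URL = COMPLETE[:60]
SAMPLE_LINES = [COMPLETE, CUT_IN_VERDICTS, CUT_IN_URL]


if __name__ == "__main__":
    for number, reasons in find_truncated(SAMPLE_LINES):
        print("line %d looks truncated: %s" % (number, "; ".join(reasons)))
```

Run it against a real file by replacing SAMPLE_LINES with the lines read from the collected access log; a non-empty result means the copy you are indexing is not the complete data the add-on's extractions expect, so collect the file via the push job (FTP or SCP) instead of syslog.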
- On your data collection node, create or edit the inputs.conf file in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-wsa/local/ to specify the file path of the access and L4TM log files.

  For L4TM logs:

      [monitor://<Cisco_Ironport_LOG_PATH>\tmon_misc.@20130507T012232.s]
      sourcetype = cisco:wsa:l4tm

  For access logs in Squid format:

      [monitor://<Cisco_Ironport_LOG_PATH>\aclog.@20130316T120308.s]
      sourcetype = cisco:wsa:squid

  For access logs in W3C format:

      [monitor://<Cisco_Ironport_LOG_PATH>\filename]
      sourcetype = cisco:wsa:w3c
- If you are using forwarders, configure forwarding by defining TCP outputs on the forwarder and then enabling a receiver on the indexer.
- Restart the Splunk platform. If you have a distributed deployment, restart your forwarder and indexers.
If your data includes logs in W3C format, you need to manually configure field extractions. See Configure field extractions for W3C log formats for details.
This documentation applies to the following versions of Splunk® Supported Add-ons: released