Splunk® Supported Add-ons

Splunk Add-on for Cisco WSA

Configure inputs for the Splunk Add-on for Cisco WSA

Configure your inputs on the part of your Splunk platform architecture that is performing data collection for the add-on. If you have not already done so, work with your Cisco WSA administrator to configure WSA to send data to the Splunk platform. Follow the instructions in the Cisco documentation to configure a push job for the logs so that you can collect them on your data collection node via FTP or SCP.

Cisco WSA supports RFC 3164-style syslog, which is limited to 1,024 bytes per syslog packet from a WSA, so long access log events are truncated on the wire. The Splunk Add-on for Cisco WSA extractions for Squid-style logs assume that you have collected the complete event.

If you are unable to get complete data using FTP or SCP, then do not use this add-on. Instead, model the actual data using field extractions, event types, and transactions, as described in the Knowledge Manager Manual.
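As an added illustration of why the add-on expects complete Squid-style records (this script is not part of the Splunk documentation or the add-on's code), the following Python models the 1,024-byte RFC 3164 cut and flags events the Squid extractions could not fully parse. The field layout and the sample events are constructed assumptions, not a real WSA capture.

```python
import re

# The page states a WSA sends RFC 3164 syslog in packets of at most 1,024 bytes.
SYSLOG_MAX_BYTES = 1024

# Constructed sample, not a real capture. The field layout is assumed from the WSA
# squid-style access log: epoch, elapsed, client, result/status, bytes, method,
# URL, user, hierarchy, mime type, policy tag, <scan verdict block>, suffix.
VERDICT = ('<IW_comp,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,'
           '"-","-","Unknown","Unknown","-","-",198.34,0,-,[Local],"-">')

def make_line(url: str) -> str:
    """Build a constructed squid-style access log event for the given URL."""
    return (f"1278096903.150 97 172.16.0.10 TCP_MISS/200 8187 GET {url} - "
            f"DIRECT/example.com text/plain DEFAULT_CASE_11-Pol-Id-Mal-DLP-Ext-Rt {VERDICT} -")

SHORT_LINE = make_line("http://example.com/")
# A long query string pushes the verdict block past the 1,024-byte boundary.
LONG_LINE = make_line("http://example.com/search?q=" + "a" * 1000)

# Leading fields every complete squid-style event must have.
HEAD_RE = re.compile(r"^\d+\.\d+ \d+ \S+ [A-Z_]+/\d{3} \d+ [A-Z]+ \S+ ")

def simulate_syslog_push(line: str, max_bytes: int = SYSLOG_MAX_BYTES) -> str:
    """Model what an RFC 3164 receiver sees: the event cut at the packet limit."""
    return line.encode("utf-8")[:max_bytes].decode("utf-8", errors="ignore")

def check_line(line: str, via_syslog: bool) -> list[str]:
    """Return reasons the event looks incomplete; an empty list means it is usable."""
    raw = line.rstrip("\r\n")
    problems = []
    if not HEAD_RE.match(raw):
        problems.append("leading squid fields do not parse")
    if via_syslog and len(raw.encode("utf-8")) >= SYSLOG_MAX_BYTES:
        problems.append("at or above the 1,024-byte RFC 3164 limit; likely truncated")
    start = raw.find("<")
    if start == -1 or raw.find(">", start) == -1:
        problems.append("scan verdict block missing or unterminated")
    return problems

def count_incomplete(lines: list[str], via_syslog: bool) -> int:
    """Number of events the add-on's squid extractions would not fully populate."""
    return sum(1 for line in lines if check_line(line, via_syslog))

if __name__ == "__main__":
    pushed = [simulate_syslog_push(l) for l in (SHORT_LINE, LONG_LINE)]
    print("via syslog:", count_incomplete(pushed, via_syslog=True), "incomplete")
    print("via FTP/SCP:", count_incomplete([SHORT_LINE, LONG_LINE], via_syslog=False), "incomplete")
```

The same long event parses cleanly when pulled whole over FTP or SCP and fails every check once cut at the syslog packet limit, which is the situation the paragraph above describes.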

  1. On your data collection node, create or edit the inputs.conf file at $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-wsa/local/ to specify the file path of the access/L4TM log files. For L4TM logs:
    [monitor://<Cisco_Ironport_LOG_PATH>\tmon_misc.@20130507T012232.s]
    sourcetype = cisco:wsa:l4tm
    

    For access logs in squid format:

    [monitor://<Cisco_Ironport_LOG_PATH>\aclog.@20130316T120308.s]
    sourcetype = cisco:wsa:squid
    

    For access logs in W3C format:

    [monitor://<Cisco_Ironport_LOG_PATH>\filename]
    sourcetype = cisco:wsa:w3c
    
  2. If you are using forwarders, configure forwarding by defining tcp outputs and then enabling a receiver.
  3. Restart the Splunk platform. If you have a distributed deployment, restart your forwarder and indexers.

If your data includes logs in W3C format, you need to manually configure field extractions. See Configure field extractions for W3C log formats for details.


This documentation applies to the following versions of Splunk® Supported Add-ons: released


Comments

@Arunsunny, we have replied to you by email. For issues this specific, we suggest that you post the question to Splunk Answers (http://answers.splunk.com) so the broader community of Splunk customers and employees can help you. Alternatively, file a Support case via the Support portal (https://login.splunk.com/page/sso_redirect?type=portal) if you have an active Support entitlement.

Ccornell splunk, Splunker
September 12, 2019

Hi,
How do I configure the rsyslog or syslog rules on the rsyslog receiver to filter out the 3 different types of events from the Cisco WSA?

Types of events

1. tmon_misc.@20130507T012232.s
2. aclog.@20130316T120308.s
3. filename


inputs.conf

[monitor://<Cisco_Ironport_LOG_PATH>\tmon_misc.@20130507T012232.s]
sourcetype = cisco:wsa:l4tm

[monitor://<Cisco_Ironport_LOG_PATH>\aclog.@20130316T120308.s]
sourcetype = cisco:wsa:squid

[monitor://<Cisco_Ironport_LOG_PATH>\filename]
sourcetype = cisco:wsa:w3c

Please help!

Regards,
Arun

Arunsunny
September 10, 2019

I don't understand why syslog push of squid style records isn't supported with this app. There is a setting in the WSA syslog push for maximum message size. The documentation states:

Maximum message size
Valid values for UDP are 1024 to 9216.
Valid values for TCP are 1024 to 65535.
Maximum message size depends on the syslog server configuration.

It seems the syslog push could be configured to send all the data without truncating with this setting. What am I missing?

Steve Baker GRE
January 6, 2017

Hi Goofyziggy

In the documentation, it describes several limits when you configure inputs for the Splunk Add-on for WSA. This add-on can't support RFC5424-style syslog, or data larger than 1,024 bytes per syslog packet from a WSA. Are you in one of these two scenarios? I just confirmed with the developer that currently we don't have a solution if you are in one of these scenarios. If you aren't, can you please provide some sample data for us so that we can do some further investigation?

Rwang splunk, Splunker
July 19, 2016

Hi there. I used to run this WSA add-on in a previous version using syslog. It worked great; yes, I understand there are some limitations, but it does the trick for general data. I just re-configured Splunk to quickly analyze WSA data, and Splunk is getting the WSA logs via syslog UDP 514 without issue, but the logs are not getting parsed. I understand some logs via syslog may be incomplete, but this is often the least intrusive and easiest way to get them. The WSA add-on page above merely kicks us out to the curb with the statement: "Instead, model the actual data using field extractions, event types, and transactions, as described in the Knowledge Manager Manual." When I go to the Knowledge Manager Manual, that is a huge quagmire of a manual, and it doesn't specifically address what is needed to make _this_ WSA add-on work with syslog. Can you at least help those of us who need this to work via syslog, even if it's limited, to make it work as it used to before? Thanks

Goofyziggy
July 5, 2016

Hi Amiguel,

Try searching the internal index for logs specific to this add-on to look for errors using the following search:

index = _internal source=*cisco-wsa*

Also, this section of the doc has some general troubleshooting tips: http://docs.splunk.com/Documentation/AddOns/released/Overview/Troubleshootadd-ons

If you still can't solve the problem, try posting your question to Splunk Answers at https://answers.splunk.com or consider filing a support case.

Hjauch splunk, Splunker
March 14, 2016

Hello, I've configured the input as squid but not receiving data.

Please help!

Amiguel
March 11, 2016
