Field extractions for W3C formatted logs
If your data includes logs in W3C format, follow these additional steps to define how the Splunk platform should extract the fields.
- Check that your log fields match the W3C log format. If you added custom fields to the default log, or if you used a W3C log to fully customize your field list, check the following fields to make sure that the format is correct.
Required format Description Log Field in W3C Logs Field name for extraction %t Timestamp in UNIX epoch (This gives you the date and time).
%e Elapsed time (duration)
%a Client IP Address
%w/%h Result code and the HTTP response code, with a slash (/) in between
%s Response size (header + body)
%2r %r is the Request first line which contains request method, URI, and HTTP version. %2r means it will show request method and uri if they are available.
%A cs-username which is the Authenticated user name.
%H/%d The code that describes which server was contacted for the retrieving the request content. (e.g. DIRECT/www.example.com)
%c Response body MIME type.
%D ACL decision tag
%Xr Result code
%?BLOCK_SUSPECT_ USER_AGENT, MONITOR_SUSPECT_ USER_AGENT?%<User-Agent:%!%-% Suspect user agent
%q Request size (headers + body) cs-bytes bytes_out
- Provide a value for FIELDS in the form of a comma-separated list of each field in your log file, using the values in the "Field name for extraction" column in the table above. For example:
[auto_kv_for_cisco_wsa_w3c] DELIMS = " " FIELDS = timestamp,x_elapsed_time,src_ip,result_code,bytes_in,http_method,url,user,contact_mode,http_content_type,x_acltag,scan_verdict_info,vendor_suspect_user_agent
- FIELDS is a comma seperated list of each field that needs to be extracted from the event.
- (Optional)To change the order of FIELDS according to the format of your WSA W3C format logs, copy the
$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-wsa/local/transforms.confand then modify the order in the value of FIELDS.
- Chosen field names should be organized according to the name specified in the "Field name for extraction" column in the table above.
- Save the file.
- Restart the Splunk platform for the changes to take effect.
Configure inputs for the Splunk Add-on for Cisco WSA
Configure syslog data for Cisco Web Security Appliance version 11.7 or later
This documentation applies to the following versions of Splunk® Supported Add-ons: released