Splunk® Supported Add-ons

Splunk Add-on for Cisco WSA


Customize SC4S for Cisco WSA

In addition to the BSD timestamp and hostname, Cisco WSA now prepends the name of the log subscription and the log level to each syslog message. SC4S does not currently expect these additional fields, so the original message would be passed through with that prefix still attached. To handle them, make the following SC4S configuration changes:

Step 1

You may need to enable port 514 by mapping the WSA hostname to the SC4S vendor and product variables. By default, SC4S enables port 514 for any hostname matching the regex pattern ^cisco-wsa- by defining the following rule:

application app-vps-test-cisco_wsa[sc4s-vps] {
    filter {
        host('^cisco-wsa-')
    };    
    parser {
        p_set_netsource_fields(
            vendor('cisco')
            product('wsa')
        );
    };
};

Step 2

You can either change the Cisco WSA hostname to match the hostname pattern above, or adjust the regex in the SC4S rule so that it matches your Cisco WSA hostname.

To update the SC4S rule:

  1. On the SC4S host, locate and edit the configuration file /opt/sc4s/local/config/app-parsers/app-vps-cisco_wsa.conf.
  2. Change the regex pattern inside host('^cisco-wsa-') to one that matches your Cisco WSA hostname.
  3. Save the file and restart SC4S.

Step 3

Assign the correct sourcetype to the Cisco WSA log subscription you have chosen to use as a source of events for Splunk.

  1. On the SC4S host, locate the file /opt/sc4s/local/config/filters/app-postfilter-cisco-wsa_postfilter.conf. If it does not exist, create it.
  2. Copy and paste the following rule into this file:
    block parser app-dest-rewrite-cisco-wsa-postfilter-sourcetype() {
        channel {
            if {
                parser {
                    regexp-parser(
                        prefix(".tmp.")
                        patterns('^(?:(?<log_report_name>YOUR_LOG_SUBSCRIPTION_NAME)\s+)?(?:(?<severity>\w+)\:)\s*(?<message>.+)')
                        template("$MESSAGE")
                    );
                };
                rewrite {
                    set("${.tmp.message}" value("MESSAGE"));
                    r_set_splunk_dest_default(
                        sourcetype('YOUR_DESIRED_SOURCETYPE')
                        template('t_msg_only')
                    );
                };
            };
        };
    };

    application app-dest-rewrite-cisco-wsa-postfilter-custom[sc4s-postfilter] {
        filter {
            match('cisco', value('fields.sc4s_vendor') type(string))
            and match('wsa', value('fields.sc4s_product') type(string))
        };
        parser {
            app-dest-rewrite-cisco-wsa-postfilter-sourcetype()
        };
    };
    
  3. Inside the rule text, locate the placeholder YOUR_LOG_SUBSCRIPTION_NAME and replace it with the name of the desired log subscription.
  4. Inside the rule text, locate the placeholder YOUR_DESIRED_SOURCETYPE and replace it with the sourcetype to be assigned to events coming from the desired log subscription.
  5. Save the SC4S configuration file and restart SC4S.

Below is an example of a custom SC4S configuration that maps two log subscriptions generated on the same WSA instance to two different sourcetypes: the access_log_w3c_recommended and access_log_squid log subscriptions are mapped to the cisco:wsa:w3c:recommended and cisco:wsa:squid sourcetypes respectively. Each block parser only rewrites messages whose prefix matches its own subscription name; a message that matches neither parser passes through unchanged.

block parser app-dest-rewrite-cisco-wsa-postfilter-w3c-recommended() {
    channel {
        if {
            parser {
                regexp-parser(
                    prefix(".tmp.")
                    patterns('^(?:(?<log_report_name>access_log_w3c_recommended)\s+)?(?:(?<severity>\w+)\:)\s*(?<message>.+)')
                    template("$MESSAGE")
                );
            };
            rewrite {
               set("${.tmp.message}" value("MESSAGE"));
               r_set_splunk_dest_default(
                    sourcetype('cisco:wsa:w3c:recommended')
                    template('t_msg_only')
            );
            };
        };
    };
};

block parser app-dest-rewrite-cisco-wsa-postfilter-squid() {
    channel {
        if {
            parser {
                regexp-parser(
                    prefix(".tmp.")
                    patterns('^(?:(?<log_report_name>access_log_squid)\s+)?(?:(?<severity>\w+)\:)\s*(?<message>.+)')
                    template("$MESSAGE")
                );
            };
            rewrite {
               set("${.tmp.message}" value("MESSAGE"));
               r_set_splunk_dest_default(
                    sourcetype('cisco:wsa:squid')
                    template('t_msg_only')
            );
            };
        };
    };
};


application app-dest-rewrite-cisco-wsa-postfilter-custom[sc4s-postfilter] {
    filter {
        match('cisco', value('fields.sc4s_vendor') type(string))
        and match('wsa', value('fields.sc4s_product') type(string))
    };
    parser {
        app-dest-rewrite-cisco-wsa-postfilter-w3c-recommended();
        app-dest-rewrite-cisco-wsa-postfilter-squid()
    };
};
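To check what the regexp-parser captures and which sourcetype a line ends up with before editing the SC4S host, the following is an added Python mirror of the two block parsers above (example code, not part of the SC4S project or this documentation). It assumes the input is $MESSAGE after SC4S has stripped the BSD timestamp and hostname, and uses a constructed default sourcetype cisco:wsa for lines that no parser matches.

```python
import re

# Subscription name -> sourcetype, as in the two block parsers above.
SUBSCRIPTION_SOURCETYPES = {
    "access_log_w3c_recommended": "cisco:wsa:w3c:recommended",
    "access_log_squid": "cisco:wsa:squid",
}


def build_pattern(subscription):
    # Same pattern as the patterns('...') argument of regexp-parser; Python
    # spells named groups (?P<name>...) where syslog-ng's PCRE uses (?<name>...).
    return re.compile(
        r"^(?:(?P<log_report_name>" + re.escape(subscription) + r")\s+)?"
        r"(?:(?P<severity>\w+):)\s*(?P<message>.+)"
    )


# Parsers run in the order the application's parser {} block lists them.
PARSERS = [(build_pattern(s), st) for s, st in SUBSCRIPTION_SOURCETYPES.items()]


def postfilter(message, sourcetype="cisco:wsa"):
    """Return (sourcetype, message, severity) after both block parsers ran.

    A parser that does not match leaves message and sourcetype untouched,
    like an if {} block with no else branch. The default sourcetype is a
    constructed placeholder for whatever SC4S assigned before the postfilter.
    """
    severity = None
    for pattern, target in PARSERS:
        m = pattern.match(message)
        if m is None:
            continue
        # rewrite { set("${.tmp.message}" value("MESSAGE")); ... }
        message = m.group("message")
        severity = m.group("severity")
        sourcetype = target
    return sourcetype, message, severity


# Constructed sample lines in the format described above: subscription name
# and log level prepended to the access-log record (records truncated).
SAMPLES = [
    "access_log_w3c_recommended Info: 1690000000.123 200 10.0.0.5 TCP_MISS/200 ...",
    "access_log_squid Info: 1690000000.456 120 10.0.0.7 TCP_MISS/200 ...",
    "system_logs Warning: some unrelated message",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(postfilter(line))
```

The third sample shows that a subscription not listed in the configuration keeps its prefix and default sourcetype, which is how you would notice a subscription name that was mistyped in the rule.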

Last modified on 11 August, 2022

This documentation applies to the following versions of Splunk® Supported Add-ons: released