Splunk® Supported Add-ons

Splunk Add-on for Cisco WSA

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Troubleshoot the Splunk Add-on for Cisco WSA

General troubleshooting

For helpful troubleshooting tips that you can apply to all add-ons, see "Troubleshoot add-ons" in Splunk Add-ons. For additional resources, see "Support and resource links for add-ons" in Splunk Add-ons.

Cannot launch add-on

This add-on does not have views and is not intended to be visible in Splunk Web. If you are trying to launch or load views for this add-on and you are experiencing results you do not expect, turn off visibility for the add-on.

For more details about add-on visibility and instructions for turning visibility off, see Troubleshoot add-ons in Splunk Add-ons.

Extracted fields contain incorrect values

The Splunk add-on for Cisco WSA expects Cisco WSA access logs in a specific format for all its field extractions to work. If your Cisco WSA environment does not generate the logs in the expected order, customize the event log format either in the add-on configuration or in Cisco WSA. See Customize log and field extractions for supported sourcetypes for details.

If you ingest WSA logs using SC4S, make sure you have applied the correct custom SC4S configuration that fully removes Syslog meta information from the beginning of the event.

If you are using a squid-styled Access Logs subscription it can happen that in a new WSA version Cisco makes some breaking changes to log format by re-ordering, adding, or removing fields. If by that time there is not an add-on version supporting this new format it is recommended to adjust the configuration as described in Adjusting TA configuration section

Events are not visible when using SC4S

Check if the "netproxy" index was created in Splunk according to SC4S documentation https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Cisco/cisco_wsa/

If the host of your Cisco WSA device is not starting with "wsa-" you must create a custom configuration for proper vendor assignment. Using the example from SC4S documentation you should create a configuration in SC4S matching your host name. You can also create a dedicated port in SC4S to collect Cisco WSA vendor events:

Variable default description
SC4S_LISTEN_CISCO_WSA_TCP_PORT empty string Enable a TCP port for this specific vendor product using a comma-separated list of port numbers.
SC4S_LISTEN_CISCO_WSA_UDP_PORT empty string Enable a UDP port for this specific vendor product using a comma-separated list of port numbers.


If your event log fields contain spaces, use the squid format instead of W3C format.

Last modified on 11 August, 2022
PREVIOUS
Customize log and field extractions for supported sourcetypes 		  NEXT
Lookups for the Splunk Add-on for Cisco WSA

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters