Customize SC4S for Cisco WSA
In addition to the BSD timestamp and hostname, Cisco WSA now includes the name of the log subscription and the log level in each message. SC4S does not currently expect these additional fields. To handle this, make the following SC4S configuration changes:
Step 1
You may need to enable port 514 by mapping the WSA hostname to the SC4S vendor and product variables. By default, SC4S enables port 514 for any hostname matching the regex pattern ^cisco-wsa- by defining the rule:

    application app-vps-test-cisco_wsa[sc4s-vps] {
        filter { host('^cisco-wsa-') };
        parser { p_set_netsource_fields( vendor('cisco') product('wsa') ); };
    };
Step 2
You can either change the Cisco WSA hostname to match the hostname pattern above or adjust the regex in the SC4S rule to match your Cisco WSA hostname.
To update the SC4S rule:
- On the SC4S host, locate and edit the configuration file /opt/sc4s/local/config/app-parsers/app-vps-cisco_wsa.conf.
- Change the regex pattern inside host('^cisco-wsa-') to one that matches your Cisco WSA hostname.
- Save the file and restart SC4S.
Step 3
Assign the correct sourcetype to the Cisco WSA log subscription you have chosen to use as a source of events for Splunk.
- On the SC4S host, locate the file /opt/sc4s/local/config/filters/app-postfilter-cisco-wsa_postfilter.conf. If it does not exist, create it.
- Copy and paste the rule below into this file:

    block parser app-dest-rewrite-cisco-wsa-postfilter-sourcetype() {
        channel {
            if {
                parser {
                    regexp-parser(
                        prefix(".tmp.")
                        patterns('^(?:(?<log_report_name>YOUR_LOG_SUBSCRIPTION_NAME)\s+)?(?:(?<severity>\w+)\:)\s*(?<message>.+)')
                        template("$MESSAGE")
                    );
                };
                rewrite {
                    set("${.tmp.message}" value("MESSAGE"));
                    r_set_splunk_dest_default(
                        sourcetype('YOUR_DESIRED_SOURCETYPE')
                        template('t_msg_only')
                    );
                };
            };
        };
    };

    application app-dest-rewrite-cisco-wsa-postfilter-custom[sc4s-postfilter] {
        filter {
            match('cisco', value('fields.sc4s_vendor') type(string))
            and match('wsa', value('fields.sc4s_product') type(string))
        };
        parser { app-dest-rewrite-cisco-wsa-postfilter-sourcetype() };
    };

- Inside the rule text, locate the placeholder YOUR_LOG_SUBSCRIPTION_NAME and replace it with the name of the desired log subscription.
- Inside the rule text, locate the placeholder YOUR_DESIRED_SOURCETYPE and replace it with the sourcetype to be assigned to events coming from that log subscription.
- Save the SC4S config file and restart SC4S.
Below is an example of a custom SC4S configuration that maps two log subscriptions generated on the same WSA instance to two different sourcetypes: the access_log_w3c_recommended and access_log_squid log subscriptions are mapped to the cisco:wsa:w3c:recommended and cisco:wsa:squid sourcetypes respectively:

    block parser app-dest-rewrite-cisco-wsa-postfilter-w3c-recommended() {
        channel {
            if {
                parser {
                    regexp-parser(
                        prefix(".tmp.")
                        patterns('^(?:(?<log_report_name>access_log_w3c_recommended)\s+)?(?:(?<severity>\w+)\:)\s*(?<message>.+)')
                        template("$MESSAGE")
                    );
                };
                rewrite {
                    set("${.tmp.message}" value("MESSAGE"));
                    r_set_splunk_dest_default(
                        sourcetype('cisco:wsa:w3c:recommended')
                        template('t_msg_only')
                    );
                };
            };
        };
    };

    block parser app-dest-rewrite-cisco-wsa-postfilter-squid() {
        channel {
            if {
                parser {
                    regexp-parser(
                        prefix(".tmp.")
                        patterns('^(?:(?<log_report_name>access_log_squid)\s+)?(?:(?<severity>\w+)\:)\s*(?<message>.+)')
                        template("$MESSAGE")
                    );
                };
                rewrite {
                    set("${.tmp.message}" value("MESSAGE"));
                    r_set_splunk_dest_default(
                        sourcetype('cisco:wsa:squid')
                        template('t_msg_only')
                    );
                };
            };
        };
    };

    application app-dest-rewrite-cisco-wsa-postfilter-custom[sc4s-postfilter] {
        filter {
            match('cisco', value('fields.sc4s_vendor') type(string))
            and match('wsa', value('fields.sc4s_product') type(string))
        };
        parser {
            app-dest-rewrite-cisco-wsa-postfilter-w3c-recommended();
            app-dest-rewrite-cisco-wsa-postfilter-squid()
        };
    };
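To check the Step 1 host filter and the two-subscription postfilter regexes before restarting SC4S, here is an added Python emulation of those rules; it is not part of the SC4S project or of this page's configuration, the sample messages are constructed, and it models syslog-ng running the parser blocks one after another with the rewritten MESSAGE visible to later blocks.

```python
import re

# Step 1 host filter from app-vps-test-cisco_wsa[sc4s-vps]: host('^cisco-wsa-')
HOST_RULE = re.compile(r"^cisco-wsa-")

# Subscription -> sourcetype pairs from the page's two-subscription example;
# order matters because syslog-ng runs the parser blocks one after another.
RULES = [
    ("access_log_w3c_recommended", "cisco:wsa:w3c:recommended"),
    ("access_log_squid", "cisco:wsa:squid"),
]

def host_matches(hostname):
    """True when the Step 1 vps rule would tag this host as cisco/wsa."""
    return HOST_RULE.search(hostname) is not None

def build_pattern(subscription):
    """The regexp-parser() pattern from the page, using Python's (?P<name>)
    group syntax in place of the (?<name>) syntax in the syslog-ng rule."""
    return re.compile(
        r"^(?:(?P<log_report_name>" + re.escape(subscription) + r")\s+)?"
        r"(?:(?P<severity>\w+):)\s*(?P<message>.+)"
    )

def route(message, rules=RULES):
    """Run each subscription parser in turn over $MESSAGE. On a match, set the
    sourcetype and rewrite the message to the captured payload (what the
    rewrite{} block does), so any later parser sees the rewritten text."""
    out = {"sourcetype": None, "log_report_name": None,
           "severity": None, "message": message}
    for subscription, sourcetype in rules:
        m = build_pattern(subscription).match(out["message"])
        if m:
            out.update(sourcetype=sourcetype, severity=m.group("severity"),
                       log_report_name=m.group("log_report_name"),
                       message=m.group("message"))
    return out

# Constructed sample $MESSAGE values as syslog-ng sees them after the BSD
# timestamp and hostname are stripped (not real WSA output).
SAMPLES = [
    "access_log_squid Info: 1709460932.123 245 10.1.2.3 TCP_MISS/200 1024 GET http://example.com/",
    "access_log_w3c_recommended Info: 2024-03-03 10:15:32 10.1.2.3 GET http://example.com/ 200",
    # No subscription prefix: the optional group lets the first rule claim it.
    "Info: line from a subscription that is not in the rule set",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(route(line)["sourcetype"], "<-", line[:45])
```

The third sample shows a caveat of the optional log_report_name group: a message that carries no subscription prefix is still claimed by the first rule and receives its sourcetype, so subscriptions you did not list can end up under the wrong sourcetype.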