Splunk® Supported Add-ons

Splunk Add-on for Cisco WSA

Release history for the Splunk Add-on for Cisco WSA

Latest release

The latest version of the Splunk Add-on for Cisco WSA is version 4.0.0. Please see Release notes for the Splunk Add-on for Cisco WSA for the release notes of this latest version.

Version 3.5.0

Splunk Add-on for Cisco WSA version 3.5.0 was released on August 9, 2022.

Version 3.5.0 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.3, 8.0, 8.1
CIM 4.18.0
Platforms Platform independent
Vendor Products Cisco Web Security Appliance 11.7, 11.8 and 12.5.

New features

Version 3.5.0 of the Splunk Add-on for Cisco WSA fixes bugs and provides the following features:

  • Support for Async OS 11.8, 12.5
  • Support for CIM 4.18
  • Modified datamodel mapping for cisco:wsa:squid:new by removing Intrusion Detection datamodel
  • Added a new recommended sourcetype - cisco:wsa:w3c:recommended
  • Added syslog support for cisco:wsa:w3c:recommended
  • Fixed positions of 'x_url' and 'x_avc_type' in cisco:wsa:squid:new sourcetype
  • Change in CIM field vendor_product from the name of Scanning Engine (McAfee, Sophos, Webroot) to Cisco WSA

Fixed issues

Version 3.5.0 of the Splunk Add-on for Cisco WSA has the following fixed issues.

Date resolved Issue number Description
2020-12-01 ADDON-31313 Field extractions are not in correct order for wsa_11.7 source.

Known issues

Version 3.5.0 of the Splunk Add-on for Cisco WSA has the following known issues. If no issues appear here, no issues have yet been reported.


Third-party software attributions

Version 3.5.0 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Version 3.4.0

Version 3.4.0 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.2, 7.3, 8.0
CIM 4.15.0
Platforms Platform independent
Vendor Products Cisco IronPort AsyncOS 7.1, 7.5, 7.7, 8.0, 8.0.6, 8.1.0, 8.5.0, 8.5.2, 8.5.3, 9.0, 10.0, 10.1, 10.1.0, 10.1.1, 10.5.0, 11.0,11.5 and 11.7.

New features

Version 3.4.0 of the Splunk Add-on for Cisco WSA fixes bugs and provides the following features:

  • Improved CIM mapping
  • New Splunk Connect for Syslog filter
  • Support for version 11.7 of Cisco Web Security Appliance

Fixed issues

Version 3.4.0 of the Splunk Add-on for Cisco WSA has the following fixed issues.


Known issues

Version 3.4.0 of the Splunk Add-on for Cisco WSA has the following known issue.

Date filed Issue number Description
2020-11-30 ADDON-31313 Field extractions are not in correct order for wsa_11.7 source.

Third-party software attributions

Version 3.4.0 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Version 3.3.1

Version 3.3.1 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 7.2, 7.3, 8.0
CIM 4.15.0
Platforms Platform independent
Vendor Products Cisco IronPort AsyncOS 7.1, 7.5, 7.7, 8.0, 8.0.6, 8.1.0, 8.5.0, 8.5.2, 8.5.3, 9.0, 10.0, 10.1, 10.1.0, 10.1.1, 10.5.0, 11.0 and 11.5.

New features

Version 3.3.1 of the Splunk Add-on for Cisco WSA fixes bugs and adds support for Cisco IronPort AsyncOS v10.x+

  • Support for AsyncOS 11.5 for Cisco WSA
  • Support for CIM 4.15.0

Fixed issues

Version 3.3.1 of the Splunk Add-on for Cisco WSA has the following fixed issues.


Known issues

Version 3.3.1 of the Splunk Add-on for Cisco WSA has the following known issue.


Third-party software attributions

Version 3.4.0 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Version 3.3.0

Version 3.3.0 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.6.x, 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x
CIM 4.2 or later
Platforms Platform independent
Vendor Products Cisco IronPort AsyncOS 7.1, 7.5, 7.7, 8.0, 8.0.6, 8.1.0, 8.5.0, 8.5.2, 8.5.3, 9.0, 10.0, 10.1, 10.1.0, 10.1.1, 10.5.0 and 11.0.

New features

Version 3.3.0 of the Splunk Add-on for Cisco WSA fixes bugs and adds support for Cisco IronPort AsyncOS v10.x+

Fixed issues

Version 3.3.0 of the Splunk Add-on for Cisco WSA has the following fixed issues.

Date resolved Issue number Description
2018-05-02 ADDON-14426 Fixed field extraction for v9 log issues
2018-04-18 ADDON-10966 eventtype "ironport_proxy", "ironport_traffic_monitor", "cisco_wsa_threatfound" are tag expanded
2018-04-13 ADDON-13440 bytes field does not conform to CIM definition
2018-04-05 ADDON-8789 dest field would be set to unknown in some cases

Known issues

Version 3.3.0 of the Splunk Add-on for Cisco WSA has the following known issue.

Date Issue number Description
2014-11-24 ADDON-2350 Cisco Security Suite 3.0.3 compatibility issues. Cisco Security Suite is community supported, so add-on is compatible on a best-effort basis. File bugs for specific issues.

Third-party software attributions

Version 3.3.0 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Version 3.2.4

Version 3.2.4 of the Splunk Add-on for Cisco WSA has the same compatibility specifications as version 3.3.0.


Fixed issues

Version 3.2.4 of the Splunk Add-on for Cisco WSA has the following fixed issues.

Resolved Date Issue number Description
2015-12-03 ADDON-6749 Eventtypes cisco_wsa_squid, cisco_wsa_l4tm, cisco_wsa_block are required for Cisco Security Suite app. These have been added to eventtypes.conf.
2016-01-26 ADDON-7516 Warning message in splunkd.log: "Failed to parse timestamp" caused by bad header info.

Known issues

Version 3.2.4 of the Splunk Add-on for Cisco WSA has the following known issue.

Date Issue number Description
2014-11-24 ADDON-2350 Cisco Security Suite 3.0.3 compatibility issues. Cisco Security Suite is community supported, so add-on is compatible on a best-effort basis. File bugs for specific issues.

Third-party software attributions

Version 3.2.4 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Version 3.2.3

Version 3.2.3 of the Splunk Add-on for Cisco WSA has the same compatibility specifications as version 3.2.4.

New features

Version 3.2.3 of the Splunk Add-on for Cisco WSA has the following new features.

Date Issue number Description
2015-11-06 ADDON-6278 Support for Cisco WSA version 8.5.3 and 9.0.

Fixed issues

Version 3.2.3 of the Splunk Add-on for Cisco WSA has the following fixed issues.

Resolved Date Defect number Description
2015-11-06 ADDON-6315 Missing value for vendor_action in lookup.

Known issues

Version 3.2.3 of the Splunk Add-on for Cisco WSA has the following known issue.

Date Defect number Description
2014-11-24 ADDON-2350 Cisco Security Suite 3.0.3 compatibility issues. Cisco Security Suite is community supported, so add-on is compatible on a best-effort basis. File bugs for specific issues.

Third-party software attributions

Version 3.2.3 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Version 3.2.2

Version 3.2.2 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.2 or later
CIM 4.2 or later
Platforms Platform independent
Vendor Products Cisco IronPort AsyncOS 7.1, 7.5, 7.7, 8.0, 8.0.6, 8.1.0, 8.5.0, and 8.5.2.

New features

Version 3.2.2 of the Splunk Add-on for Cisco WSA has the following new features.

Resolved date Issue number Description
2015-09-24 ADDON-5055 Support for Cisco WSA version 8.5.

Fixed issues

Version 3.2.2 of the Splunk Add-on for Cisco WSA has no fixed issues.

Known issues

Version 3.2.2 of the Splunk Add-on for Cisco WSA has the following known issue.

Date Defect number Description
2014-11-24/ ADDON-2350 Cisco Security Suite 3.0.3 compatibility issues. Cisco Security Suite is community supported, so add-on is compatible on a best-effort basis. File bugs for specific issues.

Third-party software attributions

Version 3.2.2 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Version 3.2.1

Version 3.2.1 of the Splunk Add-on for Cisco WSA is compatible with the following software, CIM versions, and platforms.

Splunk platform versions 6.2 or later
CIM 4.2 or later
Platforms Platform independent
Vendor Products Cisco IronPort AsyncOS 7.1, 7.5, 7.7, 8.0, 8.0.6, and 8.1.0.

New features

Version 3.2.1 of the Splunk Add-on for Cisco WSA has the following new features.

Resolved date Issue number Description
08/17/15 ADDON-4025 Extract additional fields from Cisco WSA access log (sourcetype=cisco:wsa:squid) and map those fields to CIM.

Fixed issues

Version 3.2.1 of the Splunk Add-on for Cisco WSA has no fixed issues.

Known issues

Version 3.2.1 of the Splunk Add-on for Cisco WSA has the following known issue.

Date Defect number Description
11/24/14 ADDON-2350 Cisco Security Suite 3.0.3 compatibility issues. Cisco Security Suite is community supported, so add-on is compatible on a best-effort basis. File bugs for specific issues.

Third-party software attributions

Version 3.2.1 of the Splunk Add-on for Cisco WSA does not incorporate any third-party software or libraries.

Version 3.2.0

New features

Version 3.2.0 of the Splunk Add-on for Cisco WSA had the following new features.

Resolved date Issue number Description
05/01/15 ADDON-3799/
ADDON-3384/
ADDON-2774
Support for versions 8.0, 8.0.6, and 8.1.0 of Cisco WSA.
05/01/15 ADDON-3066 Malware detection support.

Fixed issues

Version 3.2.0 of the Splunk Add-on for Cisco WSA fixed the following issues.

Resolved date Defect number Description
04/30/15 ADDON-3901 Event type cisco_wsa_virusfound is not defined correctly.
01/20/15 ADDON-2913 kv_for_cisco_wsa_squid regex is unable to field extract

Known issues

Version 3.2.0 of the Splunk Add-on for Cisco WSA had the following known issue.

Date Defect number Description
11/24/14 ADDON-2350 Cisco Security Suite 3.0.3 compatibility issues. Cisco Security Suite is community supported, so add-on is compatible on a best-effort basis. File bugs for specific issues.

Third-party software attributions

Version 3.2.0 of the Splunk Add-on for Cisco WSA did not incorporate any third-party software or libraries.

Version 3.1.1

Fixed issues

Version 3.1.1 of the Splunk Add-on for Cisco WSA fixed the following issue.

Resolved date Defect number Description
11/16/14 ADDON-2292 Splunk_TA_cisco-wsa needs to provide backwards-compatible eventtypes as an option in the add-on. 3.0.1 version of this add-on defined the cisco-wsa-squid eventtype, which is used in most pre-built searches of the Cisco Security Suite.

Known issues

Version 3.1.1 of the Splunk Add-on for Cisco WSA had the following known issues.

Date Defect number Description
11/24/14 ADDON-2350 Cisco Security Suite 3.0.3 compatibility issues. Cisco Security Suite is community supported, so add-on is compatible on a best-effort basis. File bugs for specific issues.
12/04/14 ADDON-2511 Cisco WSA supports RFC3164 style syslog, not the more recent RFC5424 style syslog. Thus, you are limited to 1,024 bytes per syslog packet from a WSA. The Splunk Add-on for Cisco WSA extractions for Squid style logs assume that you want all the data and are using the SCP or FTP option to get your data. Alternatively, you may be able to configure a custom W3C format that drops enough fields to fit into a 1,024 byte packet, and manually alter props and transforms.

Third-party software attributions

Version 3.1.1 of the Splunk Add-on for Cisco WSA did not incorporate any third-party software or libraries.

Version 3.1.0

New features

Version 3.1.0 of the Splunk Add-on for Cisco WSA included the following new features:

  • Support for Cisco WSA 7.7.0 syslog (ADDON-1702)

Fixed issues

Version 3.1.0 of the Splunk Add-on for Cisco WSA fixed the following issues:

  • Splunk Enterprise should be able to extract user agent and category fields from WSA data (ADDON-1114)
  • Non communication events should not be tagged "communicate" (ADDON-1030)
  • Incorrect extraction due to regex syntax (ADDON-1029)
  • Add-on should include lookup for action based on vendor_action (ADDON-959)

Known issues

Version 3.1.0 of the Splunk Add-on for Cisco WSA had the following known issues:

  • Splunk_TA_cisco-wsa needs to provide backwards-compatible eventtypes as an option in the add-on. 3.0.1 version of this add-on defined the cisco-wsa-squid eventtype, which is used in most pre-built searches of the Cisco Security Suite. (ADDON-2292)
  • Cisco Security Suite 3.0.3 compatibility issues. Knowledge object updates needed in props and transforms to support CSS searches. (ADDON-2350)
  • Cisco Security Suite category widget produces: "Error in 'lookup' command: The lookup table 'cisco-wsa-category' does not exist." (ADDON-2349)
Last modified on 11 August, 2022
Release notes for the Splunk Add-on for Cisco WSA  

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters