Hello Team,
I have installed Cisco WSA add on, receiving W3C syslogs from my WSA.
Trying to configure this app in Splunk as per:
http://docs.splunk.com/Documentation/AddOns/released/CiscoWSA/Configureinputsonforwarder
And documentation is not clear, what is "\filename" ? Could you please help me ?
I do also not understand where do i bind syslogs received from WSA to specific index/sourcetype/filename ?
How my splunk instance would know that specific syslog message has been received from WSA and should be processed by WSA application/dashboard ?
Thanks,
Hi teknet9,
In the following stanza, filename is the name of the log file you want to add as a monitor input.
[monitor://\filename]
sourcetype = cisco:wsa:w3c*
To capture syslog, you add TCP or UDP data inputs (rather than monitor file and directories) to configure Splunk to listen on a network port.
The add-on includes both index-time and search-time knowledge - field extractions, tags, field aliases, lookups ... - to enable Splunk to properly ingest, interpret, and present log data.
Hope this helps.
Best regards
Hunter
Hi teknet9,
In the following stanza, filename is the name of the log file you want to add as a monitor input.
[monitor://\filename]
sourcetype = cisco:wsa:w3c*
To capture syslog, you add TCP or UDP data inputs (rather than monitor file and directories) to configure Splunk to listen on a network port.
The add-on includes both index-time and search-time knowledge - field extractions, tags, field aliases, lookups ... - to enable Splunk to properly ingest, interpret, and present log data.
Hope this helps.
Best regards
Hunter