All Apps and Add-ons

Cisco WSA sourcetype and logpath ?

Path Finder

Hello Team,

I have installed Cisco WSA add on, receiving W3C syslogs from my WSA.
Trying to configure this app in Splunk as per:

http://docs.splunk.com/Documentation/AddOns/released/CiscoWSA/Configureinputsonforwarder

And documentation is not clear, what is "\filename" ? Could you please help me ?

I do also not understand where do i bind syslogs received from WSA to specific index/sourcetype/filename ?
How my splunk instance would know that specific syslog message has been received from WSA and should be processed by WSA application/dashboard ?

Thanks,

0 Karma
1 Solution

Splunk Employee
Splunk Employee

Hi teknet9,

In the following stanza, filename is the name of the log file you want to add as a monitor input.

[monitor://\filename]
sourcetype = cisco:wsa:w3c*

To capture syslog, you add TCP or UDP data inputs (rather than monitor file and directories) to configure Splunk to listen on a network port.

The add-on includes both index-time and search-time knowledge - field extractions, tags, field aliases, lookups ... - to enable Splunk to properly ingest, interpret, and present log data.

Hope this helps.
Best regards
Hunter

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

Hi teknet9,

In the following stanza, filename is the name of the log file you want to add as a monitor input.

[monitor://\filename]
sourcetype = cisco:wsa:w3c*

To capture syslog, you add TCP or UDP data inputs (rather than monitor file and directories) to configure Splunk to listen on a network port.

The add-on includes both index-time and search-time knowledge - field extractions, tags, field aliases, lookups ... - to enable Splunk to properly ingest, interpret, and present log data.

Hope this helps.
Best regards
Hunter

View solution in original post

0 Karma