
How do I successfully populate Cisco Security Suite with syslog data from an ESA and WSA?

Explorer

I have configured two TA applications - the Cisco ESA and Cisco WSA add-ons. I have enabled these add-ons within the initial setup of Cisco Security Suite and am using Splunk version 6.2 and the new version of Cisco Security Suite (3.1), along with the latest versions of the TAs.

I have copied the 'SplunkTACisco-wsa' and 'SplunkTACisco-esa' folder contents across to 'SA-cisco-wsa' and 'SA-cisco-esa' folders, respectively (within the 'SPLUNK_HOME/etc/apps' directory).

I have then customised the necessary files within the 'local' folder inside the 'SA-cisco-wsa' and 'SA-cisco-esa' folders, respectively - 'inputs.conf' to point to the local directory that my FTP server points to (and where syslog files are pushed to from the ESA and WSA respectively, using the recommended squid formatting). For the ESA I have also customised the 'props.conf' and the 'eventtypes.conf'.

The customisations I have for the WSA are detailed below:

'inputs.conf'

[monitor://C:/Program Files/Splunk/var/log/cisco-wsa/squid/]
source = cisco:wsa
sourcetype = cisco:wsa:squid
disabled = false
host = 127.0.0.1

'props.conf'

# access logs in squid format

[source::...wsa.access]
sourcetype = cisco:wsa:squid

[cisco:wsa:squid]
KVMODE = none
SHOULD_LINEMERGE = false
# REPORT- takes a comma-separated list of transforms.conf stanzas
REPORT-extract = kvforciscowsasquid, csurlhost

FIELDALIAS-src = srcip AS src
# one alias class per key: a second FIELDALIAS-signature line would silently replace the first
FIELDALIAS-signature = mcafeevirusname AS signature webrootthreatname AS signature
FIELDALIAS-vendoraction = txnresultcode AS vendoraction
FIELDALIAS-bytes = bytesin AS bytes
FIELDALIAS-CSScompatibility = wbrsscore AS xwbrsscore user AS csusername txnresultcode AS httpresult
LOOKUP-vendorinfoforciscowsa = ciscowsavendorinfolookup sourcetype OUTPUT vendor,product,idstype
LOOKUP-codeinfo = ciscowsacategorylookup xwebcatcodeabbr OUTPUT webcatcodefull AS vendorcategory, webcatcodefull AS xwebcatcodefull,usage,severity
LOOKUP-malwareaction = ciscowsamalwareactionlookup xwebrootscanverdict OUTPUT malwareaction
LOOKUP-proxyaction = ciscowsaproxyactionlookup vendoraction OUTPUT action
EVAL-malwareaction = case(wbrsscore>=6 AND wbrsscore<=10, "allowed", wbrsscore>=-10 AND wbrsscore<=-6, "blocked", wbrsscore = "-", "allowed")
EVAL-httpuseragent = coalesce(httpuseragent,vendorsuspectuser_agent)

# L4TM logs

[source::...wsa.l4tm]
sourcetype = cisco:wsa:l4tm

[cisco:wsa:l4tm]
KVMODE = none
SHOULD_LINEMERGE = false
REPORT-extract = kvforciscowsaFirewalll4tm, kvforciscowsaAddressl4tm, kvforciscowsaremovedl4tm
LOOKUP-vendorinfoforciscowsa = ciscowsavendorinfolookup sourcetype OUTPUT vendor,product,idstype
# the l4tm transforms below emit "vendoraction", so the lookup input must use that name
LOOKUP-vendortrafficaction = ciscowsatrafficactionlookup vendoraction OUTPUT action

# access logs in w3c format

[cisco:wsa:w3c]
KVMODE = none
SHOULD_LINEMERGE = false
REPORT-extract = autokvforciscowsaw3c
FIELDALIAS-src = cip AS src
FIELDALIAS-signature = xmcafeevirusname AS signature xwebrootthreatname AS signature
FIELDALIAS-vendoraction = scresultcode AS vendoraction
FIELDALIAS-bytes = csbytes AS bytes
FIELDALIAS-status = schttpstatus AS status
FIELDALIAS-httpmethod = csmethod AS httpmethod
FIELDALIAS-url = csurl AS url
FIELDALIAS-user = csusername AS user
FIELDALIAS-dest = sip AS dest
FIELDALIAS-httpcontenttype = csmimetype AS httpcontenttype
LOOKUP-vendorinfoforciscowsa = ciscowsavendorinfolookup sourcetype OUTPUT vendor,product,idstype
LOOKUP-codeinfo = ciscowsacategorylookup xwebcatcodeabbr OUTPUT webcatcodefull AS xwebcatcodefull,usage,severity
LOOKUP-malwareaction = ciscowsamalwareactionlookup xwebrootscanverdict OUTPUT malwareaction
LOOKUP-proxyaction = ciscowsaproxyactionlookup vendoraction OUTPUT action
# the field is xwbrsscore throughout; every branch of the case() must use the same name
EVAL-malwareaction = case(xwbrsscore>=6 AND xwbrsscore<=10, "allowed", xwbrsscore>=-10 AND xwbrsscore<=-6, "blocked", xwbrsscore = "-", "allowed")

'transforms.conf'

# Access logs in squid format

[kvforciscowsasquid]
# each squid field is at least one character, so every capture group is quantified with +;
# groups 1-19 line up with the FORMAT below (group 1 is the timestamp, which is not kept)
REGEX = ([0-9.]+) *[0-9]+ ([0-9.]+) ([A-Z_]+)/([0-9]+) ([0-9]+) ([A-Z]+) ([^ ]+) "?([^ "]+)"? ([^/]+)/([^ ]+) ([^ ]+) ([^ ]+) <([^,]+),([^,]+),"([0-9]{0,2}|-|\w+)","([^"]+)",[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,"([^"]+)",[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,"([^"]+)",[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^,]+,[^>]+>\s-\s"?([^"]+)"?$
FORMAT = srcip::$2 txnresultcode::$3 status::$4 bytesin::$5 httpmethod::$6 url::$7 user::$8 servercontactmode::$9 dest::$10 httpcontenttype::$11 acltag::$12 xwebcatcodeabbr::$13 wbrsscore::$14 xwebrootscanverdict::$15 webrootthreatname::$16 mcafeevirusname::$17 malwarecategory::$18 vendorsuspectuser_agent::$19

[ciscowsacategorylookup]
filename = ciscowsacategorymap_lookup.csv

[ciscowsavendorinfolookup]
filename = ciscowsavendor_lookup.csv

[ciscowsamalwareactionlookup]
filename = ciscowsamalwareactionlookup.csv

[ciscowsaproxyactionlookup]
filename = ciscowsaproxyactionlookup.csv

# L4TM logs

[kvforciscowsaFirewalll4tm]
# the literal parentheses around the destination hostname are escaped (\( \)) so that the
# capture-group numbers match FORMAT: 8 is the optional "(hostname)" group, 9 the hostname itself
REGEX = [A-Za-z]* ([A-Za-z]* +[0-9]* [0-9:]* [0-9]+) [A-Za-z]+: Firewall ([A-Za-z]+) ([A-Z]+). data from ([0-9a-z.]+)(:([0-9a-z]+)){0,1} to ([0-9a-z.]*)(\s*\(([A-Za-z0-9 -\_]*)\)){0,1}(:([^.]+)){0,1}.
FORMAT = vendoraction::$2 transport::$3 src::$4 srcport::$6 dest::$7 destdomain::$9 destport::$11

[kvforciscowsaAddressl4tm]
# the optional "(...)" after the domain is a single escaped-parenthesis group, so the firewall action is group 5
REGEX = [A-Za-z]* ([A-Za-z]* +[0-9]* [0-9:]* [0-9]+) [A-Za-z]+: Address ([0-9.:]+) [A-Za-z]+ [A-Za-z]* ([A-Za-z0-9.\_-]+)( \([A-Za-z0-9 ._-]*\)){0,1} [A-Za-z]* [A-Za-z]* firewall ([A-Za-z ]*)
FORMAT = dest::$2 destdomain::$3 vendoraction::$5

[kvforciscowsaremovedl4tm]
# same group layout as the Address stanza; hyphen placed last in the classes so it is literal, not a range
REGEX = [A-Za-z]* ([A-Za-z]* +[0-9]* [0-9:]* [0-9]+) [A-Za-z]+: Address ([0-9.:]+) [A-Za-z]+ ([A-Za-z0-9.\_-]+)( \([A-Za-z0-9 ._-]*\)){0,1} ([A-Za-z]+) [A-Za-z ]*
FORMAT = dest::$2 destdomain::$3 vendoraction::$5

[ciscowsatrafficactionlookup]
filename = ciscowsatrafficactionlookup.csv

[csurlhost]
SOURCE_KEY = url
REGEX=\w+://(?[^/:]+)[:/]

The customisations I have for the ESA are detailed below:

'eventtypes.conf'

[ciscoesa]
search = sourcetype=cisco_esa
tags = cisco e-mail security

'inputs.conf'

[monitor://C:/Program Files/Splunk/var/log/cisco-esa/squid/]
disabled = false
# the inputs.conf key is followTail; followTrail is not recognised
followTail = 0
sourcetype = cisco_esa
host = 127.0.0.1

'props.conf'

[cisco_esa]
REPORT-ironport = getmid, getto, getfrom, geticid, getdcid, getattachname, getattachsize, getsubject1, getsubject2, getsubject3

Log files are being received successfully - I can see them in the FTP directory being pushed across from the WSA and ESA. I can also perform searches of the sourcetypes 'cisco:wsa:squid' within the WSA TA and 'cisco:esa:squid' within the ESA TA, and these both return expected logs which correspond to test traffic pushed through and modifications made on both gateways.

The problem is, however, that nothing in the Cisco Security Suite populates apart from 2 panes on the summary page: under 'security events statistics by sourcetype' and 'security event statistics by host'. These show, respectively, the sourcetype 'cisco:wsa:squid' and the local host 127.0.0.1.

If anyone has any ideas why this might be the case or is able to offer suggestions or point out errors in my configurations, I would be greatly appreciative.

1 Solution

Splunk Employee

Why did you copy the 'SplunkTACisco-wsa' and 'SplunkTACisco-esa' folder contents across to 'SA-cisco-wsa' and 'SA-cisco-esa' folders? Do you have both 'SA-cisco-esa' and 'SplunkTACisco-esa' folders in etc/apps?


Explorer

Thank you very much for this post - this got me thinking. I copied the 'SplunkTACisco-' folders across to 'Splunk_CiscoSecuritySuite/appserver/addons' as per one of your earlier posts here 'http://answers.splunk.com/answers/125863/splunk-6-cisco-security-suite-3-0-app-config-files-needed.h...'. I then renamed them to 'TA-cisco-'. Just for good measure I then renamed them to the same within the apps directory, although presumably they are not required in this directory? Are only 'SA-cisco-esa' and 'SA-cisco-wsa' required within etc/apps?

Anyhow, this is now working and I can see data for the WSA on Security Suite! However, I still can't see data for the ESA - presumably this is something wrong with my configuration in the 'props.conf', the 'inputs.conf' or the 'eventtypes.conf' within the local directory inside 'Splunk_CiscoSecuritySuite/appserver/addons/TA-cisco-' or within 'etc/apps/SA-cisco-'?

My final question is, does the configuration need to be the same in both of these locations (for me, the local folder within both of these locations contains the same configuration files)?


Splunk Employee

With Cisco Security Suite 3.1, you no longer need the SA-cisco-* folders. Your setup should look like this:

$SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite
$SPLUNK_HOME/etc/apps/Splunk_TA_Cisco-wsa
$SPLUNK_HOME/etc/apps/Splunk_TA_Cisco-esa

Explorer

Thank you. Do you have an idea of what the issue might be with the ESA configuration, as I am still yet to have this view populating with data?


Splunk Employee

Looks like your sourcetype is wrong for ESA. Check out the documentation here -> http://docs.splunk.com/Documentation/AddOns/released/CiscoESA/Configureinputsonasingleinstance

The Cisco Security Suite relies on certain eventtypes - which are based on the SplunkTACisco-esa eventtypes.conf - and those eventtypes are defined in terms of the sourcetypes set in inputs.conf.
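The dependency this answer describes can be checked mechanically. The script below is an added illustration, not code from the thread or from the Cisco add-ons: it parses Splunk .conf text, reports eventtypes whose search names a sourcetype that no inputs.conf stanza assigns (the mismatch at the root of this thread), and flags a key repeated inside one stanza, where Splunk silently keeps only the last value (as with the two FIELDALIAS-signature lines in the poster's props.conf). The conf snippets at the bottom are constructed sample data.

```python
# Added example (not from the thread or the Cisco TAs): cross-check inputs.conf
# sourcetypes against eventtypes.conf searches, and find duplicate keys inside a
# stanza. Sample conf text at the bottom is constructed for the demonstration.
import re
from collections import defaultdict

STANZA_RE = re.compile(r"^\[(.+)\]$")
SOURCETYPE_RE = re.compile(r'sourcetype\s*=\s*"?([^\s"]+)"?')

def parse_conf(text):
    """Return {stanza: [(key, value), ...]}, keeping duplicate keys in order."""
    stanzas, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current].append((key.strip(), value.strip()))
    return dict(stanzas)

def duplicate_keys(conf_text):
    """(stanza, key) pairs set more than once; Splunk keeps only the last one."""
    dups = []
    for name, pairs in parse_conf(conf_text).items():
        counts = defaultdict(int)
        for key, _ in pairs:
            counts[key] += 1
        dups += [(name, key) for key, n in counts.items() if n > 1]
    return dups

def eventtype_gaps(inputs_text, eventtypes_text):
    """Eventtypes whose search needs a sourcetype that no monitor stanza assigns."""
    assigned = {v for pairs in parse_conf(inputs_text).values()
                for k, v in pairs if k == "sourcetype"}
    gaps = []
    for name, pairs in parse_conf(eventtypes_text).items():
        for key, value in pairs:
            if key == "search":
                gaps += [(name, st) for st in SOURCETYPE_RE.findall(value)
                         if st not in assigned]
    return gaps

# Constructed samples: the poster's ESA input beside a TA-style eventtype search.
INPUTS = "[monitor://C:/Program Files/Splunk/var/log/cisco-esa/squid/]\nsourcetype = cisco_esa\n"
TA_EVENTTYPES = "[cisco_esa]\nsearch = sourcetype=cisco:esa:textmail\n"
PROPS = "[cisco:wsa:squid]\nFIELDALIAS-signature = a AS signature\nFIELDALIAS-signature = b AS signature\n"
```

Running eventtype_gaps(INPUTS, TA_EVENTTYPES) returns [('cisco_esa', 'cisco:esa:textmail')], which is exactly the mismatch to fix in inputs.conf; duplicate_keys(PROPS) returns [('cisco:wsa:squid', 'FIELDALIAS-signature')].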

Explorer

The "single instance" doc was removed -- 17 Apr 2015


Explorer

Thank you very much, this is now working. I set the source correctly as per the link you sent me - it needed to be cisco:esa:mailtext; also I needed to change the source type inside the data inputs -> files and directories, and finally I copied the 'eventtypes.conf', 'transforms.conf', 'props.conf' and 'tags.conf' from default into local (once they had been generated with the correct source type).

I will now close off this question - however, one last quick query: do you know whether the Cisco Security Suite has a built-in view for monitoring syslog data pertaining to changes that have been made to policies on the WSA and ESA? All the views I have found are regarding web/email transactions, blocked messages/traffic, website categories etc., but I would like to have a panel which lists events concerning any alteration to the policies on the gateways.

Builder

I think you may mean: cisco:esa:textmail
Instead of what is written: cisco:esa:mailtext

Unless this has changed in the past year.
