Hi,
Our Web Ironports are on Version 10, the add-on is not working for the logs, Does any one has success in parsing the logs from version 10? Below is the sample event?
1511370115.362 267 11.12.13.145 TCP_MISS_SSL/200 5034 GET https://www.yahoo.com:443/service-worker.js "kiran331@new" DIRECT/www.yahoo.com application/javascript DEFAULT_CASE_12-All_Internal-Employees-NONE-NONE-NONE-DefaultGroup - User-Agent = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36", Destination-IP = 98.139.180.180, Threat-Reason = -
HI
Can you please try "Cisco Security Suite" app on Splunk base? I think extraction defined for WSA in this app will help you.
https://splunkbase.splunk.com/app/525/
Thanks
I also have the Cisco Security Suite installed. It seems to help with the dashboards but the event log imports are missing the additional fields that are being extracted on a V3.2.4 version of the IronPort WSA plug in.