All Apps and Add-ons
Highlighted

Splunk Add-on for Cisco WSA: How to configure inputs for Cisco Ironport WSA?

New Member

I have Splunk 6.1 and Splunk Add-on for Cisco WSA 3.0.1. Running on Linux. Not really sure what I'm supposed to do past this. A README says:

[monitor:///var/log/cisco-wsa/squid]
source = cisco:wsa
sourcetype = cisco:wsa:squid
host =

[monitor:///var/log/cisco-wsa/l4tm]
source = cisco:wsa
sourcetype = cisco:wsa:l4tm
host =

If you are collecting the Squid log files via syslog, use the following inputs.conf stanza:

[udp://<wsa-appliance-ip>:<port>]
source = cisco_syslog
sourcetype = cisco:wsa:squid
host = <wsa-appliance-name>
connection_host = none
acceptFrom = <wsa-appliance-ip>
disabled = false 

I will most likely have the IronPort sending logs to Splunk like it does already to out syslog-ng server. The README text seems much too vague for me. I assume this is to my lack of a greater experience with Splunk. Are there more details/hand-holding instructions for this?

0 Karma
Highlighted

Re: Splunk Add-on for Cisco WSA: How to configure inputs for Cisco Ironport WSA?

Splunk Employee
Splunk Employee

hi,

we just posted WSA 3.1.0, that has some bug fixes and moves the docs to the website. The first two stanzas in that snippet are how you'd collect the data by pointing at a network share on your existing syslog-ng server. (by the way, there are those who'd suggest this is a good infrastructure to keep using, since the syslog-ng server only does one thing and therefore almost never needs restarting, while a standalone Splunk server where you're doing lots of experimentation might be getting restarted all the time). The third stanza is how to open a listener port so you can redirect your IronPorts directly to Splunk.

The most important bit in all three of these is the sourcetype key. That's where you're saying "this data is Cisco WSA LTM and that is the knowledge management that should be applied to it". You can also then search using the sourcetype key to make sure that it's coming in properly: sourcetype=cisco:wsa:* for instance.

Once it's showing up in searches that way, you've got some choices. You can make your own searches (use the left hand bar to explore), you can download Common Information Model and then use Search -> Pivot to build useful panels, or try out some apps that are designed to do specific chores with the data, like Enterprise Security or Cisco Security Suite.

0 Karma
Highlighted

Re: Splunk Add-on for Cisco WSA: How to configure inputs for Cisco Ironport WSA?

Contributor

I am having some issues with this TA. Version 3.1.1. Using sourcetype cisco:wsa:squid

However, it seems that the combination of transforms.conf and props.conf is not extracting the desired fields. I am only seeing the defaults fields extracted by splunk form WSA logs and none of the fields defined in props.conf. TA is installed in heavy forwarder, indexer and the search head.

Any idea, what I may be doing wrong?

0 Karma
Highlighted

Re: Splunk Add-on for Cisco WSA: How to configure inputs for Cisco Ironport WSA?

Splunk Employee
Splunk Employee

Are your events too long for Cisco's syslog implementation to deliver?

0 Karma