All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is the Splunk Add-on for Cisco WSA not working?

watzson
New Member
‎04-13-2015 02:06 AM

Hi,

I have installed Cisco Security Suite 3.1.0 and Splunk Add-on for Cisco WSA (version 3.1.1). So far, the ESA is working fine, but not the WSA. My cisco is running asyncOS 8.0. Can you advise what changes need to be made to get the WSA add-on working ?

Below are sample syslog messages received:

Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854337.186 14 155.69.88.82 TCP_MISS/200 868 GET http://livepassdl.conviva.com/lpconfig/cfg/c3.customerName=c3.Vimeo&c3.platform=JS&c3.dver=2.90.0.24... - DIRECT/livepassdl.conviva.com application/xml CMF:1 DCF:0 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup  - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36" "http://livepassdl.conviva.com/ConvivaCommunicationProxy.html" 68.232.44.187 - "Computers and Internet" 634

Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854338.289 527 155.69.77.133 TCP_MISS/404 225 GET http://api.readdle.com/api/ppcloud/q/c/b/cbfc5eec-c763-11e4-819f-040101b47201 - DIRECT/api.readdle.com text/html CMF:1 DCF:1400 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup IW_comp,0.0,0,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",3.42,0,-,"Unknown","-",-,"-",-,-,"-","-"> - "Mozilla/3.0 (compatible; Indy Library)" - 198.211.102.164 - "Computers and Internet" 198

Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854338.486 1337 155.69.67.110 TCP_MISS/403 306 GET http://www.timeapi.org/utc/now - DIRECT/www.timeapi.org text/html CMF:1 DCF:400000 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup  - - - 50.16.239.160 - "Computers and Internet" 48

Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854338.525 14 155.69.68.61 TCP_MISS/200 1900 GET http://www.espncricinfo.com/ci/content/rss/extension2.json - DIRECT/www.espncricinfo.com text/plain CMF:8 DCF:0 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup  - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" - 23.77.202.41 - "Sports and Recreation" 802
0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎05-09-2015 04:58 PM

Hi, we've just released version 3.2.0 with support for 8.0, 8.0.6, and 8.1. We're still working on version 8.5.6.
http://docs.splunk.com/Documentation/AddOns/latest/CiscoWSA/About

0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎04-18-2015 08:17 AM

It doesn't parse v8 format yet, there will be another release in the future that will do that. In the meantime, editing props and transforms to match the fields you see would be the best solution.

0 Karma
Reply

mchesmo3
New Member
‎04-22-2015 10:08 AM

Is there any ETA on when this will be supported?

0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎04-23-2015 04:09 PM

within weeks.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...