
Why is the Splunk Add-on for Cisco WSA not working?

watzson
New Member

Hi,

I have installed Cisco Security Suite 3.1.0 and Splunk Add-on for Cisco WSA (version 3.1.1). So far, the ESA is working fine, but not the WSA. My Cisco is running AsyncOS 8.0. Can you advise what changes need to be made to get the WSA add-on working?

Below are sample syslog messages received:

Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854337.186 14 155.69.88.82 TCP_MISS/200 868 GET http://livepassdl.conviva.com/lpconfig/cfg/c3.customerName=c3.Vimeo&c3.platform=JS&c3.dver=2.90.0.24... - DIRECT/livepassdl.conviva.com application/xml CMF:1 DCF:0 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup  - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36" "http://livepassdl.conviva.com/ConvivaCommunicationProxy.html" 68.232.44.187 - "Computers and Internet" 634

Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854338.289 527 155.69.77.133 TCP_MISS/404 225 GET http://api.readdle.com/api/ppcloud/q/c/b/cbfc5eec-c763-11e4-819f-040101b47201 - DIRECT/api.readdle.com text/html CMF:1 DCF:1400 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup IW_comp,0.0,0,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",3.42,0,-,"Unknown","-",-,"-",-,-,"-","-"> - "Mozilla/3.0 (compatible; Indy Library)" - 198.211.102.164 - "Computers and Internet" 198

Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854338.486 1337 155.69.67.110 TCP_MISS/403 306 GET http://www.timeapi.org/utc/now - DIRECT/www.timeapi.org text/html CMF:1 DCF:400000 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup  - - - 50.16.239.160 - "Computers and Internet" 48

Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854338.525 14 155.69.68.61 TCP_MISS/200 1900 GET http://www.espncricinfo.com/ci/content/rss/extension2.json - DIRECT/www.espncricinfo.com text/plain CMF:8 DCF:0 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup  - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" - 23.77.202.41 - "Sports and Recreation" 802

jcoates_splunk
Splunk Employee

Hi, we've just released version 3.2.0 with support for 8.0, 8.0.6, and 8.1. We're still working on version 8.5.6.
http://docs.splunk.com/Documentation/AddOns/latest/CiscoWSA/About


jcoates_splunk
Splunk Employee

It doesn't parse v8 format yet, there will be another release in the future that will do that. In the meantime, editing props and transforms to match the fields you see would be the best solution.

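As an added example (not code from this thread, from Splunk, or from the Cisco WSA add-on), the Python below parses the AsyncOS 8 access-log lines quoted in the question into discrete fields, which is the same job a hand-edited props/transforms extraction would do until the add-on catches up. The prefix regex uses named groups so the identical pattern can be pasted into a props.conf EXTRACT- stanza (PCRE accepts the (?P<name>...) form as well as (?<name>...)). The field names, the heuristics applied to the variable trailer, and the label given to the trailing numeric field are this example's own assumptions, not the add-on's field names.

```python
"""Field extraction for Cisco WSA (AsyncOS 8.x) access-log lines relayed over syslog.

Field names here are this example's choice, not the add-on's CIM mappings.
"""
import re
import shlex
from datetime import datetime, timezone

# Fixed-position prefix of every line: syslog header, then the WSA fields up to
# and including the ACL decision tag. Everything after that varies by request
# (scan-verdict block, user agent, referer, upstream IP, category), so it is
# captured whole as 'tail' and tokenised separately.
ACCESS_LOG_RE = re.compile(
    r"^(?P<syslog_time>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<relay_ip>\d{1,3}(?:\.\d{1,3}){3})\s+ironport_access_logs:\s+Info:\s+"
    r"(?P<epoch>\d+\.\d+)\s+(?P<elapsed_ms>\d+)\s+"
    r"(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<result_code>[A-Z_]+)/(?P<http_status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hierarchy>[A-Z_]+)/(?P<server>\S+)\s+(?P<content_type>\S+)\s+"
    r"CMF:(?P<cmf>\d+)\s+DCF:(?P<dcf>\d+)\s+ERR:(?P<err>\d+)\s+"
    r"(?P<decision_tag>\S+)\s*(?P<tail>.*)$"
)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _parse_tail(tail):
    """Tokenise the variable trailer, honouring the double-quoted fields.

    Assumptions (inferred from the four sample lines, not from Cisco docs):
    a leading token ending in '>' is the scan-verdict block; the last two
    tokens are the URL category and a numeric field; an IPv4 token is the
    upstream server address; a quoted http(s) URL is the referer; any other
    non-'-' token is the user agent.
    """
    fields = {}
    try:
        tokens = shlex.split(tail) if tail else []
    except ValueError:              # unbalanced quote: truncated syslog line
        fields["tail_raw"] = tail
        return fields
    if tokens and tokens[0].endswith(">"):
        fields["scan_verdicts"] = tokens.pop(0)
    if len(tokens) >= 2 and tokens[-1].isdigit():
        fields["trailing_value"] = int(tokens.pop())
        fields["url_category"] = tokens.pop()
    for tok in tokens:
        if tok == "-":
            continue                # WSA's placeholder for an empty field
        if IPV4_RE.match(tok):
            fields["server_ip"] = tok
        elif tok.startswith(("http://", "https://")):
            fields["referer"] = tok
        elif "user_agent" not in fields:
            fields["user_agent"] = tok
    return fields


def parse_access_log(line):
    """Return a dict of fields for one line, or None if it is not a WSA access line."""
    m = ACCESS_LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(_parse_tail(rec.pop("tail")))
    for key in ("elapsed_ms", "http_status", "bytes", "cmf", "dcf", "err"):
        rec[key] = int(rec[key])
    # The epoch field is the authoritative timestamp; the syslog header is
    # local time on the relay and has only second resolution.
    rec["request_time"] = datetime.fromtimestamp(
        float(rec["epoch"]), tz=timezone.utc).isoformat()
    return rec


def parse_lines(lines):
    """Parse many lines, silently skipping ones that do not match."""
    return [r for r in (parse_access_log(l) for l in lines) if r is not None]


# Sample lines quoted from the question above (the first URL is truncated
# there with "..." and is kept as-is).
SAMPLE_LINES = [
    'Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854337.186 14 155.69.88.82 TCP_MISS/200 868 GET http://livepassdl.conviva.com/lpconfig/cfg/c3.customerName=c3.Vimeo&c3.platform=JS&c3.dver=2.90.0.24... - DIRECT/livepassdl.conviva.com application/xml CMF:1 DCF:0 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup  - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36" "http://livepassdl.conviva.com/ConvivaCommunicationProxy.html" 68.232.44.187 - "Computers and Internet" 634',
    'Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854338.289 527 155.69.77.133 TCP_MISS/404 225 GET http://api.readdle.com/api/ppcloud/q/c/b/cbfc5eec-c763-11e4-819f-040101b47201 - DIRECT/api.readdle.com text/html CMF:1 DCF:1400 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup IW_comp,0.0,0,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",3.42,0,-,"Unknown","-",-,"-",-,-,"-","-"> - "Mozilla/3.0 (compatible; Indy Library)" - 198.211.102.164 - "Computers and Internet" 198',
    'Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854338.486 1337 155.69.67.110 TCP_MISS/403 306 GET http://www.timeapi.org/utc/now - DIRECT/www.timeapi.org text/html CMF:1 DCF:400000 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup  - - - 50.16.239.160 - "Computers and Internet" 48',
    'Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854338.525 14 155.69.68.61 TCP_MISS/200 1900 GET http://www.espncricinfo.com/ci/content/rss/extension2.json - DIRECT/www.espncricinfo.com text/plain CMF:8 DCF:0 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup  - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" - 23.77.202.41 - "Sports and Recreation" 802',
]

if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        print(rec["request_time"], rec["client_ip"], rec["http_status"],
              rec["url"], rec.get("url_category"), rec.get("user_agent"))
```

The split between a strict regex for the fixed prefix and a tolerant tokeniser for the trailer is deliberate: the prefix is the part worth anchoring a Splunk EXTRACT- on, while the trailer's layout clearly differs from line to line in the samples (the verdict block appears in only one of the four), so a single rigid regex over the whole line would drop events rather than degrade gracefully.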

mchesmo3
New Member

Is there any ETA on when this will be supported?


jcoates_splunk
Splunk Employee

Within weeks.
