Why is the Splunk Add-on for Cisco WSA not working?

watzson
New Member

Hi,

I have installed Cisco Security Suite 3.1.0 and Splunk Add-on for Cisco WSA (version 3.1.1). So far, the ESA is working fine, but not the WSA. My Cisco is running AsyncOS 8.0. Can you advise what changes need to be made to get the WSA add-on working?

Below are sample syslog messages received:

Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854337.186 14 155.69.88.82 TCP_MISS/200 868 GET http://livepassdl.conviva.com/lpconfig/cfg/c3.customerName=c3.Vimeo&c3.platform=JS&c3.dver=2.90.0.24... - DIRECT/livepassdl.conviva.com application/xml CMF:1 DCF:0 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup  - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.76 Safari/537.36" "http://livepassdl.conviva.com/ConvivaCommunicationProxy.html" 68.232.44.187 - "Computers and Internet" 634

Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854338.289 527 155.69.77.133 TCP_MISS/404 225 GET http://api.readdle.com/api/ppcloud/q/c/b/cbfc5eec-c763-11e4-819f-040101b47201 - DIRECT/api.readdle.com text/html CMF:1 DCF:1400 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup IW_comp,0.0,0,"-",0,0,0,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",3.42,0,-,"Unknown","-",-,"-",-,-,"-","-"> - "Mozilla/3.0 (compatible; Indy Library)" - 198.211.102.164 - "Computers and Internet" 198

Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854338.486 1337 155.69.67.110 TCP_MISS/403 306 GET http://www.timeapi.org/utc/now - DIRECT/www.timeapi.org text/html CMF:1 DCF:400000 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup  - - - 50.16.239.160 - "Computers and Internet" 48

Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854338.525 14 155.69.68.61 TCP_MISS/200 1900 GET http://www.espncricinfo.com/ci/content/rss/extension2.json - DIRECT/www.espncricinfo.com text/plain CMF:8 DCF:0 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup  - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" - 23.77.202.41 - "Sports and Recreation" 802

jcoates_splunk
Splunk Employee

Hi, we've just released version 3.2.0 with support for 8.0, 8.0.6, and 8.1. We're still working on version 8.5.6.
http://docs.splunk.com/Documentation/AddOns/latest/CiscoWSA/About


jcoates_splunk
Splunk Employee

It doesn't parse the v8 format yet; there will be another release in the future that will do that. In the meantime, editing props and transforms to match the fields you see would be the best solution.

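To show what "match the fields you see" means for the v8 lines in the question, here is a field extraction written as an added example; it is not code from the add-on or from anyone in this thread. The field names are assumptions taken from the squid-style layout of the sample lines: the IP before the category is called dest_ip, the final integer trailing_value (its meaning is not given in the post), and the space-delimited quoted values in the variable middle part are read as user agent and referer.

```python
import re
from typing import Optional

# Syslog envelope the WSA prepends when forwarding; the body is the access log record.
SYSLOG = re.compile(
    r"^(?P<syslog_time>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<reporter>\S+) "
    r"ironport_access_logs: Info: (?P<body>.*)$"
)
# Fixed leading fields of the squid-style record, as they appear in the sample lines.
HEAD = re.compile(
    r"^(?P<timestamp>\d+\.\d+) (?P<elapsed_ms>\d+) (?P<client_ip>\S+) "
    r"(?P<result_code>[A-Z_]+)/(?P<http_status>\d{3}) (?P<bytes>\d+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<user>\S+) "
    r"(?P<hierarchy>[A-Z_]+)/(?P<server>\S+) (?P<content_type>\S+) "
    r"CMF:(?P<cmf>\S+) DCF:(?P<dcf>\S+) ERR:(?P<err>\S+) (?P<acl_tag>\S+)\s+"
)
# Anchored at the end: an IP, a dash, the quoted URL category and a final integer (assumed names).
TAIL = re.compile(
    r'^(?P<middle>.*?)\s*(?P<dest_ip>\d{1,3}(?:\.\d{1,3}){3}) - "(?P<category>[^"]*)" (?P<trailing_value>\d+)$'
)
# Space-delimited quoted values only, so the comma-separated scan-verdict vector is skipped.
QUOTED = re.compile(r'(?<![^ ])"([^"]+)"(?![^ ])')


def parse_wsa_access(line: str) -> Optional[dict]:
    """Return the extracted fields, or None when the line does not match the format."""
    env = SYSLOG.match(line)
    body = env.group("body") if env else line
    head = HEAD.match(body)
    tail = TAIL.match(body[head.end():]) if head else None
    if not head or not tail:
        return None
    fields = {**head.groupdict(), **tail.groupdict()}
    quoted = QUOTED.findall(fields.pop("middle"))
    fields["user_agent"] = quoted[0] if quoted else None  # assumed: first quoted value
    fields["referer"] = quoted[1] if len(quoted) > 1 else None  # assumed: second, if any
    for key in ("elapsed_ms", "bytes", "http_status", "trailing_value"):
        fields[key] = int(fields[key])
    fields["timestamp"] = float(fields["timestamp"])
    fields["reporter"] = env.group("reporter") if env else None  # syslog source host
    return fields


# Two of the sample lines copied from the question above.
SAMPLES = [
    'Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854338.486 1337 155.69.67.110 TCP_MISS/403 306 GET http://www.timeapi.org/utc/now - DIRECT/www.timeapi.org text/html CMF:1 DCF:400000 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup  - - - 50.16.239.160 - "Computers and Internet" 48',
    'Apr 12 23:59:03 155.69.95.23 ironport_access_logs: Info: 1428854338.525 14 155.69.68.61 TCP_MISS/200 1900 GET http://www.espncricinfo.com/ci/content/rss/extension2.json - DIRECT/www.espncricinfo.com text/plain CMF:8 DCF:0 ERR:0 DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-DefaultGroup  - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" - 23.77.202.41 - "Sports and Recreation" 802',
]

if __name__ == "__main__":
    for rec in map(parse_wsa_access, SAMPLES):
        print(rec["client_ip"], rec["http_status"], rec["category"], rec["user_agent"])
```

The same named groups can be carried over into a props.conf EXTRACT- or transforms.conf REGEX setting once they match your own lines; the point of testing them outside Splunk first is that a line the regex does not match returns None here instead of silently yielding empty fields in a dashboard.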

mchesmo3
New Member

Is there any ETA on when this will be supported?


jcoates_splunk
Splunk Employee

Within weeks.
