
How do I install and configure the Splunk for IronPort Web app on Splunkbase?

Will_Hayes
Splunk Employee

How do I install and configure the Splunk for Cisco IronPort Web Appliance app on Splunkbase? http://www.splunkbase.com/apps/All/4.x/app:Cisco+IronPort+Web+Security+Application


hheile
New Member

I know this is quite old; I have an actual instruction file here:
/splunk_app_2.0_for_wsa_guide.pdf
from the Cisco webpage (cisco dot com).

Sorry, my karma is not high enough to post external links.
If you need it, I will send it to you via email.


tidavids
Engager

FYI: these instructions are for the free SplunkforIronportWeb app that was offered on Splunkbase.

These instructions do not apply to the Splunk for Cisco IronPort Advanced Reporting application, which is available for purchase from Cisco.


jg196976
New Member

I have no idea how to do any of this. Where are the step by step instructions? Not this mess.


tkropp
Path Finder

cs_username
c_ip
x_webcat_code_abbr
x_webroot_threat_name
x_wbrs_score
sc_bytes
cs_url

In addition to the above fields, as an FYI, you will also need to have s_hostname and x_acltag in order for the IronPort client profiler to work correctly.

Tim


Will_Hayes
Splunk Employee

Getting Started

The reports and dashboards included in this app rely on eventtype="ironport_proxy" and all relevant fields in order to report on the IronPort Web data. By default, there is an ironport_proxy event type with: search = sourcetype=cisco_wsa*

If you already have IronPort web data in your Splunk index and are extracting the fields, you can simply save an event type with the name ironport_proxy. You will still need to configure the lookups for your proxy logs. Instructions on how to do this can be found below under: Configuring and Modifying Lookup Values.

If you already have IronPort web data in your Splunk index but do not have the fields extracted, you will find instructions on how to set up field extractions below under: Extracting Relevant IronPort Web Fields.

Quick Start

If you have not indexed any IronPort web data and the logs are already accessible to your Splunk server in the squid format, you can simply create a data input that monitors the directory containing the squid-formatted logs and set the sourcetype to cisco_wsa_squid.

Getting IronPort Web Data Into Splunk

Configure your IronPort Web Security Appliance to schedule an export of the access logs, in either the squid or w3c format, to a directory accessible by the Splunk server. The recommended interval for this is 15 minutes. Please note that the squid logging option provides a fixed format and the app includes field extractions for it. For the w3c format you will need to supply the field header in order for the app to function; this simple step is explained later in this document.

Once the data is in a directory accessible by the Splunk server, you will need to configure a data input to monitor that directory. Instructions on how to configure a data input can be found here:
http://www.splunk.com/base/Documentation/latest/Admin/WhatSplunkCanMonitor

When configuring the data input you will need to select manual and set cisco_wsa_squid or cisco_wsa_w3c as the sourcetype value.
Note: If you exported the IronPort Web access logs in the squid format and set the sourcetype to cisco_wsa_squid, there is nothing more to configure at this point.

* If you require an alternative name for the sourcetype due to naming conventions within your organization, you will need to follow the steps below for configuring event types and field extractions for already-indexed IronPort web data.

Extracting Relevant IronPort Web Fields

The Splunk for IronPort Web app contains field extractions for the squid-formatted access logs.
If you already indexed the squid access logs under a different sourcetype, you will need to create a sourcetype alias for the existing sourcetype OR map the field extractions and event type to your existing sourcetype.

To create a sourcetype alias simply add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/local):

[put_ironport_web_squid_sourcetype_here]
rename = cisco_wsa_squid

If you prefer to map your existing sourcetype to the field extractions and eventtype, add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/local):

[put_ironport_web_squid_sourcetype_here]
KV_MODE = none
MAX_TIMESTAMP_LOOKAHEAD = 19
REPORT-extract = squid
# props.conf attaches a lookup with LOOKUP-<class> = <lookup_name> <field>;
# the cat_lookup definition itself lives in the app's transforms.conf
LOOKUP-cat = cat_lookup x_webcat_code_abbr

Add the following entry to eventtypes.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/local):

[ironport_proxy]
search = sourcetype=put_ironport_web_squid_sourcetype_here

Extracting fields from w3c Format

If your IronPort Web access logs are in the w3c format, you will need to create a DELIMS-based extraction for this log format, since this data is space delimited. The FIELDS value for this extraction will be set to the header of your w3c logs. This is the order in which the fields were selected in the management interface. Alternatively, the field names can be seen at the top of the w3c-formatted log file.

To create the field extraction add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/local):

# DELIMS/FIELDS stanzas are read from transforms.conf; props.conf refers to
# this one from the sourcetype stanza with REPORT-<name> = ironport-w3c
[ironport-w3c]
DELIMS = " "
FIELDS = "time", "c_ip", "field3", ..., "field30"
# Be sure to list all of the fields included in the log, in header order.

Required fields (the reports require the following fields to function properly):

  • cs_username
  • c_ip
  • x_webcat_code_abbr
  • x_webroot_threat_name
  • x_wbrs_score
  • sc_bytes
  • cs_url

Reports and Dashboards

Reports and dashboards are included to provide visibility into Acceptable Use/Compliance, Web Security Threats and Network Utilization. There are also form-based reports for client profiling and analysis. Creating your own reports and dashboards is quick and easy in Splunk. Details on how to do this can be found here:
http://www.splunk.com/base/Documentation/latest/User/AboutReportsAndCharts

The reports rely on the search eventtype=ironport_proxy and all of the required fields listed below. The Acceptable Use dashboards require lookups on usage against the x_webcat_code_abbr field.

The following is a list of the usage fields used by the Acceptable Use dashboards and reports:

  • Business Usage (usage="Business")
  • Productivity Loss (usage="Personal")
  • Legal Liability (usage="Violation")
  • Internet Tools (usage="Borderline")

Instructions on how to modify lookup values can be found below.

There are three scheduled searches included in this app which create a cache for the dashboards. They will run every 3 hours with a Splunk Enterprise license.

To change the schedule you can edit the following searches under the manager:

  • Cisco WSA - Acceptable Use - DataCube
  • Cisco WSA - Security - DataCube
  • Cisco WSA - Network Resources - DataCube

Configuring and Modifying Lookup Values

You can modify the usage and severity value for a particular category by editing the following file in the lookups directory of this app:
$SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/lookups/category_map.csv
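The w3c setup in the answer above hinges on two things that are easy to get wrong: the FIELDS list has to match the export's header exactly, in order, and the field names have to be ones the app's reports search for (c_ip, cs_url and so on, with underscores). The script below is an added example, not code from the answer or from the Splunk for IronPort Web app. It reads the #Fields: header of a constructed w3c sample, renders the DELIMS/FIELDS stanza from it, checks that the required fields listed in the answer are all present, and then applies the extraction to the sample events the way Splunk's DELIMS mode would, so a field-count mismatch shows up before the data ever reaches an index. The sample log, the header names in it and the SAMPLE_CATEGORY_MAP stand-in for category_map.csv are all constructed for this example; only the required field names and the usage values (Business, Personal, Violation, Borderline) come from the answer.

```python
"""Build the DELIMS extraction for w3c access logs from the log's own header,
check that the app's required fields are present, and run the extraction over
constructed sample events to confirm the values land in the right fields."""
import re
from collections import Counter

# Fields the Splunk for IronPort Web reports require (from the answer above).
REQUIRED_FIELDS = [
    "cs_username", "c_ip", "x_webcat_code_abbr", "x_webroot_threat_name",
    "x_wbrs_score", "sc_bytes", "cs_url",
]

# Constructed sample w3c log. The header names and the two events are made up
# for this example; a real export carries whichever fields were selected in
# the WSA management interface, in that order.
SAMPLE_W3C_LOG = """\
#Version: 1.0
#Fields: timestamp c-ip cs-username s-hostname sc-bytes cs-url x-webcat-code-abbr x-webroot-threat-name x-wbrs-score x-acltag
1704067200.123 10.0.0.5 jdoe proxy01.example.com 5120 http://www.example.com/index.html IW_comp - 4.7 DEFAULT_CASE_11
1704067201.456 10.0.0.9 asmith proxy01.example.com 983 http://bad.example.net/payload.exe IW_infr Example.Threat.Name -9.1 BLOCK_WBRS_11
"""

# Constructed stand-in for category_map.csv: category abbreviation -> usage.
# The real file and its column layout are the app's; only the usage values
# named in the answer (Business, Personal, Violation, Borderline) are real.
SAMPLE_CATEGORY_MAP = {"IW_comp": "Business", "IW_infr": "Violation"}


def header_fields(log_text):
    """Return the names from the #Fields: header line; raise if there is none."""
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            return line[len("#Fields:"):].split()
    raise ValueError("no #Fields: header; a w3c export needs one for a DELIMS extraction")


def splunk_field_name(name):
    """Splunk field names may contain only letters, digits and underscores,
    so the hyphenated w3c names become c_ip, cs_url and so on."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name)


def transforms_stanza(fields, stanza="ironport-w3c"):
    """Render the DELIMS/FIELDS stanza in the shape the answer shows."""
    quoted = ", ".join('"%s"' % splunk_field_name(f) for f in fields)
    return '[%s]\nDELIMS = " "\nFIELDS = %s\n' % (stanza, quoted)


def missing_required(fields):
    """Required fields that the header does not supply, in REQUIRED_FIELDS order."""
    present = {splunk_field_name(f) for f in fields}
    return [f for f in REQUIRED_FIELDS if f not in present]


def extract_events(log_text):
    """Simplified model of a DELIMS=" " extraction: split each event on single
    spaces and zip the values to the header names. A count mismatch means the
    FIELDS list and the export disagree, which is the usual cause of reports
    showing empty panels."""
    names = [splunk_field_name(f) for f in header_fields(log_text)]
    events = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(names):
            raise ValueError("event has %d values but header has %d fields"
                             % (len(values), len(names)))
        events.append(dict(zip(names, values)))
    return events


def usage_by_category(events, category_map):
    """Count events per usage value: the join the Acceptable Use dashboards
    perform between x_webcat_code_abbr and the category lookup."""
    return Counter(category_map.get(e["x_webcat_code_abbr"], "Unknown") for e in events)


if __name__ == "__main__":
    fields = header_fields(SAMPLE_W3C_LOG)
    print(transforms_stanza(fields))
    print("missing required fields:", missing_required(fields) or "none")
    events = extract_events(SAMPLE_W3C_LOG)
    print("usage counts:", dict(usage_by_category(events, SAMPLE_CATEGORY_MAP)))
```

Run it against the first few lines of a real export (replace SAMPLE_W3C_LOG with the file contents) to get a FIELDS line you can paste into the stanza, and treat any non-empty result from missing_required as a sign that the export needs more fields selected in the management interface before the reports will populate.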
