How do I install and configure the Splunk for Cisco IronPort Web Appliance app on Splunkbase? http://www.splunkbase.com/apps/All/4.x/app:Cisco+IronPort+Web+Security+Application
The reports and dashboards included in this app rely on eventtype="ironport_proxy" and all relevant fields in order to report on the IronPort Web data. By default, there is an ironport_proxy event type with: search = sourcetype=cisco_wsa*
If you already have IronPort web data in your Splunk index and are extracting the fields you can simply save an event type with the name ironport_proxy. You will still need to configure the lookups for your proxy logs. Instructions on how to do this can be found below under: Configuring and Modifying Lookup Values
If you already have IronPort web data in your Splunk index but do not have the fields extracted, you will find instructions on how to set up field extractions below under: Extracting Relevant IronPort Web Fields
Quick Start
If you have not indexed any IronPort web data and the logs are already accessible to your Splunk server in the squid format, you can simply create a data input that monitors the directory containing the squid formatted logs and set the sourcetype to cisco_wsa_squid.
Configure your IronPort Web Security Appliance to schedule an export of the access logs to a directory accessible by the Splunk Server in either the squid or w3c format. The recommended interval for this is 15 minutes. Please note that the squid logging option provides a fixed format and the app includes field extractions for this. For the w3c format you will need to supply the field header in order for the app to function - this simple step is explained later in this document.
Once the data is in a directory accessible by the Splunk server, you will need to configure a data input to monitor that directory. Instructions on how to configure a data input can be found here:
When configuring the data input you will need to select manual and set cisco_wsa_squid or cisco_wsa_w3c as the sourcetype value.
Note: If you exported the IronPort Web access logs in the squid format and set the sourcetype to cisco_wsa_squid there is nothing more to configure at this point
* If you require an alternative name for the sourcetype due to naming conventions within your organization you will need to follow the steps below for configuring eventtypes and field extractions for already indexed IronPort web data
The Splunk for IronPort Web app contains field extractions for the squid formatted access logs
If you already indexed the squid access logs under a different sourcetype you will need to create a sourcetype alias for the existing sourcetype OR map the field extractions and event type to your existing sourcetype.
To create a sourcetype alias simply add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/local):
[put_ironport_web_squid_sourcetype_here]
rename = cisco_wsa_squid
If you prefer to map your existing sourcetype to the field extractions and eventtype, add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/local):
[put_ironport_web_squid_sourcetype_here]
KV_MODE = none
REPORT-extract = squid
lookup_table = cat_lookup x_webcat_code_abbr
Add the following entry to eventtypes.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/local):
[ironport_proxy]
search = sourcetype=put_ironport_web_squid_sourcetype_here
If your IronPort Web access logs are in a w3c format you will need to create a DELIMS based extraction for this log format since this data is space delimited. The fields value for this extraction will be set to the header of your w3c logs. This is the order in which the fields were selected in the management interface. Alternatively the field values can be seen at the top of the w3c formatted log file
To create the field extraction add the following entry to props.conf under the local directory of this app ($SPLUNK_HOME/etc/apps/SplunkforIronPortWeb/local):
DELIMS = " "
FIELDS = "time", "c_ip", "field3",...,"field30"
* Be sure to list all of the fields included in the log.
Required fields: (The reports require the following fields to function properly)
Reports and dashboards are included to provide visibility into Acceptable Use/Compliance, Web Security Threats and Network Utilization. There are also form based reports for client profiling and analysis. Creating your own reports and dashboards is quick and easy in Splunk. Details on how to do this can be found here:
The reports rely on the search eventtype=ironport_proxy and all of the required fields listed below. The Acceptable Use dashboards require lookups on usage against the x_webcat_code_abbr field
The following is a list of the usage fields used by the Acceptable Use dashboards and reports:
Instructions on how to modify lookup values can be found below
There are three scheduled searches included in this app which create a cache for the dashboards. They will run every 3 hours with a Splunk enterprise license
To change the schedule you can edit the following searches under the manager:
You can modify the usage and severity value for a particular category by editing the following file in the lookups directory of this app:
In addition to the above fields, as an FYI you will also need to have s_hostname and x_acltag in order for the IronPort client profiler to work correctly.
FYI - these instructions are for the free SplunkforIronportWeb app that was offered from Splunkbase.
These instructions do not apply for the Splunk for Cisco Ironport Advanced Reporting application which is available for purchase from Cisco.
I know this is quite old. I have an actual instruction file here:
from the Cisco webpage, cisco dot com
Sorry, my karma is not high enough to post external links.
If you need it, I will send it to you via email.
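Added example, not part of the original posts or of the app: the answer above says the FIELDS value for the w3c extraction must match the header at the top of the w3c log, so this Python sketch reads that header and renders the FIELDS line in log order. The sample log, the helper names and the hyphen-to-underscore renaming (to match the c_ip style used above) are assumptions made for illustration.

```python
import csv
import re

# Fields named on this page as needed by the dashboards and the client profiler.
PAGE_NAMED_FIELDS = ("c_ip", "x_webcat_code_abbr", "s_hostname", "x_acltag")

# Constructed sample of the top of a w3c access log (not real appliance output).
SAMPLE_LOG = """\
#Version: 1.0
#Date: 2011-01-01 00:00:00
#Fields: timestamp c-ip cs-username s-hostname cs-url x-webcat-code-abbr x-acltag sc-http-status
1293840000.123 10.0.0.5 - wsa01.example.com http://example.com/ comp DEFAULT_CASE 200
"""

def w3c_fields(log_text):
    """Return the field names from the first '#Fields:' line, in log order."""
    for line in log_text.splitlines():
        if line.lower().startswith("#fields:"):
            names = line.split(":", 1)[1].split()
            # Assumption: map hyphens to underscores to match the c_ip naming above.
            return [re.sub(r"[^A-Za-z0-9_]", "_", n) for n in names]
    raise ValueError("no #Fields: header found; list the field order by hand")

def fields_setting(names):
    """Render the FIELDS line for the DELIMS-based extraction."""
    if len(set(names)) != len(names):
        raise ValueError("duplicate field names in header")
    return "FIELDS = " + ", ".join('"%s"' % n for n in names)

def missing_fields(names, required=PAGE_NAMED_FIELDS):
    """Fields the page names that the log header does not provide."""
    return [f for f in required if f not in names]

def row_matches_header(names, row):
    """True when a space-delimited row (quoted values allowed) has one value per field."""
    values = next(csv.reader([row], delimiter=" ", quotechar='"'))
    return len(values) == len(names)

if __name__ == "__main__":
    names = w3c_fields(SAMPLE_LOG)
    print('DELIMS = " "')
    print(fields_setting(names))
    print("missing:", missing_fields(names))
    data_row = [l for l in SAMPLE_LOG.splitlines() if not l.startswith("#")][0]
    print("row matches header:", row_matches_header(names, data_row))
```

A non-empty missing list or a row that does not match the header means the dashboards will show gaps until the w3c field selection on the appliance and the FIELDS line agree.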