Yes - you can get Cloud Web Security (CWS) data into Splunk! The Cisco CWS PM team worked with Splunk's newly released AWS Add-on – which can gather log data from generic AWS S3 buckets – to enable users to pull CWS logs into Splunk in the newest CWS release. The AWS add-on is available at https://apps.splunk.com/app/1876/
Cisco's CWS engineers advise the following configuration changes to the Splunk connector:
You can configure all input parameters through Splunk Web or manually in inputs.conf, with the exception of host_name and is_secure, which can only be configured in inputs.conf.
When you configure inputs manually in inputs.conf, create a stanza using the following template and add it to $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/inputs.conf. If the file or path does not exist, create it. If you need a starting point, the default inputs.conf shipped with the add-on is in /opt/splunk/etc/apps/Splunk_TA_aws/default and can be copied from there.
[aws_s3://<name>]
disabled = 0
sourcetype = aws:s3
interval = 180
is_secure = True
host_name = vault.scansafe.com
bucket_name = [INSERT CWS ACCOUNT ID HERE]
<name> is a unique stanza name and can be any string. The bucket name is the customer's CWS account ID, so wherever bucket_name is referenced, insert the CWS account ID.
Also, in the file /opt/splunk/etc/apps/Splunk_TA_aws/bin/taaws/s3util.py, change the connect_s3 definition line to:
def connect_s3(key_id,secret_key,session_key,host="vault.scansafe.com",is_secure=True):
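Because is_secure and host_name can only be set in inputs.conf (they are not visible in Splunk Web), it is easy to deploy a stanza that silently falls back to an insecure or wrong endpoint. The following check is an added example, not part of the post or the Splunk add-on: it parses a local inputs.conf and flags aws_s3 stanzas that deviate from the recommended CWS settings or still carry the account-ID placeholder. The sample configuration text and the stanza name cws_logs are constructed for illustration.

```python
import configparser

# Constructed sample of a local inputs.conf following the stanza in the post;
# the stanza name "cws_logs" is an arbitrary example, not a real deployment.
SAMPLE_INPUTS_CONF = """\
[aws_s3://cws_logs]
disabled = 0
sourcetype = aws:s3
interval = 180
is_secure = True
host_name = vault.scansafe.com
bucket_name = [INSERT CWS ACCOUNT ID HERE]
"""

# Values the post recommends for every CWS S3 input.
EXPECTED = {
    "disabled": "0",
    "sourcetype": "aws:s3",
    "is_secure": "True",
    "host_name": "vault.scansafe.com",
}

def check_cws_stanzas(conf_text):
    """Return {stanza_name: [problems]} for each aws_s3:// stanza.

    An empty problem list means the stanza matches the recommended settings."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep option names exactly as written
    parser.read_string(conf_text)
    results = {}
    for section in parser.sections():
        if not section.startswith("aws_s3://"):
            continue
        problems = []
        for key, want in EXPECTED.items():
            got = parser.get(section, key, fallback=None)
            if got is None:
                problems.append(f"missing {key} (must be set in inputs.conf)")
            elif got.strip().lower() != want.lower():
                problems.append(f"{key}={got.strip()!r}, expected {want!r}")
        bucket = parser.get(section, "bucket_name", fallback="").strip()
        if not bucket or bucket.startswith("["):
            problems.append("bucket_name still holds the placeholder; use the CWS account ID")
        results[section] = problems
    return results
```

Point it at the real file by passing the contents of $SPLUNK_HOME/etc/apps/Splunk_TA_aws/local/inputs.conf instead of the sample string.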
More information on the CWS Log Extraction capability can be found in the CWS Admin Guide or online help.
Please contact your Cisco account team for more details on CWS Log Extraction, or contact your Splunk account team for more information on the AWS S3 connector.