I configured log subscriptions on the WSA and ESA to FTP logs to separate directories on the splunk indexer.
Then I created a file data input for each, setting the sourcetype manually to cisco_esa for email and cisco_wsa_squid for the web filter.
I think that was all 😉
Hope that helps!
-Katherine
... View more