All Apps and Add-ons

Cisco WSA sourcetype and logpath ?

teknet9
Path Finder

Hello Team,

I have installed Cisco WSA add on, receiving W3C syslogs from my WSA.
Trying to configure this app in Splunk as per:

http://docs.splunk.com/Documentation/AddOns/released/CiscoWSA/Configureinputsonforwarder

And documentation is not clear, what is "\filename" ? Could you please help me ?

I do also not understand where do i bind syslogs received from WSA to specific index/sourcetype/filename ?
How my splunk instance would know that specific syslog message has been received from WSA and should be processed by WSA application/dashboard ?

Thanks,

0 Karma
1 Solution

hunters_splunk
Splunk Employee
Splunk Employee

Hi teknet9,

In the following stanza, filename is the name of the log file you want to add as a monitor input.

[monitor://\filename]
sourcetype = cisco:wsa:w3c*

To capture syslog, you add TCP or UDP data inputs (rather than monitor file and directories) to configure Splunk to listen on a network port.

The add-on includes both index-time and search-time knowledge - field extractions, tags, field aliases, lookups ... - to enable Splunk to properly ingest, interpret, and present log data.

Hope this helps.
Best regards
Hunter

View solution in original post

0 Karma

hunters_splunk
Splunk Employee
Splunk Employee

Hi teknet9,

In the following stanza, filename is the name of the log file you want to add as a monitor input.

[monitor://\filename]
sourcetype = cisco:wsa:w3c*

To capture syslog, you add TCP or UDP data inputs (rather than monitor file and directories) to configure Splunk to listen on a network port.

The add-on includes both index-time and search-time knowledge - field extractions, tags, field aliases, lookups ... - to enable Splunk to properly ingest, interpret, and present log data.

Hope this helps.
Best regards
Hunter

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...