Update of Splunk WSA Plugin to support WSA 10.x

tmayer
Explorer

Hi,

The current plugin supports WSA 9.x logs. Cisco released 10.0 some time ago and is coming out with the 10.5 release in two weeks. Logs from 10.x appliances are not parsed correctly because there have been some changes to the access logs on the WSA. Is there a timeline for when the Splunk plugin for WSA will support 10.x logs?

bigjohnmax
New Member

Mine worked with this regex:
^(?<timestamp>\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P<field2>[^\s]+)\s+(?P<x_elapsed_time>\w+\s+\d+\s+\d+:\d+:\d+)\s(?P<field4>\w+.\w+):\s+(?P<field5>\w+):\s(?P<field6>\d+.\d+)\s(?P<field7>\d+)\s(?<src_ip>[a-zA-Z0-9:.]*)\s+(?<txn_result_code>[A-Z_]*)\/(?<status>[0-9]*)\s+(?<bytes_in>[0-9]*)\s+(?<http_method>\w*)\s+(?<url>\S*)\s+["|']?(?<user>[^\s"']+)["|']?\s+(?<server_contact_mode>[^\/]+)\/(?<dest>\S*)\s+(?<http_content_type>\S*)\s+(?<acltag>\S*)\s+(?:<|&lt;)(?<x_webcat_code_abbr>[^,]+),(?<wbrs_score>[^,]+),["|']?(?<x_webroot_scanverdict>[0-9]{0,2}|\-|\w+)["|']?,["|']?(?<webroot_threat_name>[^,"']+)["|']?,(?<x_webroot_trr>[^,]+),(?<x_webroot_spyid>[^,]+),(?<x_webroot_trace_id>[^,]+),(?<x_mcafee_scanverdict>[^,]+),["|']?(?<x_mcafee_filename>[^,]+?)["|']?,(?<x_mcafee_scan_error>[^,]+),(?<x_mcafee_detecttype>[^,]+),(?<x_mcafee_av_virustype>[^,]+),["|']?(?<x_mcafee_virus_name>[^,]+?)["|']?,(?<x_sophos_scanverdict>[^,]+),(?<x_sophos_scancode>[^,]+),["|']?(?<x_sophos_file_name>[^,]+?)["|']?,["|']?(?<x_sophos_virus_name>[^,]+?)["|']?,(?<x_ids_verdict>[^,]+),(?<x_icap_verdict>[^,]+),(?<x_webcat_req_code_abbr>[^,]+),["|']?(?<x_webcat_resp_code_abbr>[^,]+?)["|']?,["|']?(?<x_resp_dvs_threat_name>[^,]+?)["|']?,["|']?(?<x_wbrs_threat_type>[^,"']+)["|']?,["|']?(?<x_avc_app>[^,"']+)["|']?,["|']?(?<x_avc_type>[^,"']+)["|']?,["|']?(?<x_avc_behavior>[^,"']+)["|']?,["|']?(?<x_request_rewrite>[^"',]+)["|']?,(?<x_avg_bw>[^,]+),(?<x_bw_throttled>[^,]+),(?<x_user_type>[^,]+),["|']?(?<x_resp_dvs_verdictname>[^,"']+)["|']?,["|']?(?<x_req_dvs_threat_name>[^,"']+)["|']?(,["|']?(?<x_amp_verdict>[^,"']+)["|']?,["|']?(?<x_amp_malware_name>[^"']+)["|']?,(?<x_amp_score>[^,]+),(?<x_amp_upload>[^,]+),["|']?(?<x_amp_filename>[^,]+?)["|']?,["|']?(?<x_amp_sha>[^"',]+)["|']?)?(,["|']?(?<x_file_verdict>[^"',]+)["|']?)?(,(?<x_archive_scan_verdict>[^,]+),["|']?(?<x_archive_scan_verdict_reason>[^"']+)["|']?),(?P<field42>[^,]+)(?:\>)\s(?:\")?(?P<field43>[^,]+)(?:\")?$

0 Karma

HomeGrownCoder
Engager

Here is a quick edit to hold you over until the application is patched. I added placeholders for the new fields. I am working with Cisco to try to get the correct field names for these values; they do not appear to be documented. The three capture groups before the last need to be added.

(?<timestamp>[0-9.]+)\s+(?<x_elapsed_time>[0-9]+)\s+(?<src_ip>[a-zA-Z0-9:.]*)\s+(?<txn_result_code>[A-Z_]*)/(?<status>[0-9]*)\s+(?<bytes_in>[0-9]*)\s+(?<http_method>\w*)\s+(?<url>\S*)\s+"?(?<user>[^\s"]*)"?\s+(?<server_contact_mode>[^/]*)/(?<dest>\S*)\s+(?<http_content_type>\S*)\s+(?<acltag>\S*)\s+(?:<|&lt;)(?<x_webcat_code_abbr>[^,]+),(?<wbrs_score>[^,]+),"*(?<x_webroot_scanverdict>[0-9]{0,2}|\-|\w+)"*,"(?<webroot_threat_name>[^"]+)",(?<x_webroot_trr>[^,]+),(?<x_webroot_spyid>[^,]+),(?<x_webroot_trace_id>[^,]+),(?<x_mcafee_scanverdict>[^,]+),"(?<x_mcafee_filename>[^,]+)",(?<x_mcafee_scan_error>[^,]+),(?<x_mcafee_detecttype>[^,]+),(?<x_mcafee_av_virustype>[^,]+),"(?<x_mcafee_virus_name>[^"]+)",(?<x_sophos_scanverdict>[^,]+),(?<x_sophos_scancode>[^,]+),"(?<x_sophos_file_name>[^"]+)","(?<x_sophos_virus_name>[^"]+)",(?<x_ids_verdict>[^,]+),(?<x_icap_verdict>[^,]+),(?<x_webcat_req_code_abbr>[^,]+),(?<x_webcat_resp_code_abbr>[^,]+),"(?<x_resp_dvs_threat_name>[^"]+)","(?<x_wbrs_threat_type>[^,]+)","(?<x_avc_app>[^,]+)","(?<x_avc_type>[^,]+)","(?<x_avc_behavior>[^,]+)","(?<x_request_rewrite>[^,]+)",(?<x_avg_bw>[^,]+),(?<x_bw_throttled>[^,]+),(?<x_user_type>[^,]+),"(?<x_resp_dvs_verdictname>[^,]+)","(?<x_req_dvs_threat_name>[^,]+)"(,(?<x_amp_verdict>[^,]+),"(?<x_amp_malware_name>[^"]+)",(?<x_amp_score>[^,]+),(?<x_amp_upload>[^,]+),"(?<x_amp_filename>[^"]+)","(?<x_amp_sha>[^"]+)"),(?<placeholder_1>[^"]+),(?<placeholder_2>[^"]+),"(?<placeholder_3>[^"]+)"?(?:>|&gt;)\s+(?<placeholder_4>"[^"]*"|-)?\s*.*$
0 Karma

Alliant
New Member

Any update on this? I'm not sure how or where to apply what was posted above.

Thanks

0 Karma

Yorokobi
SplunkTrust

I removed the last capture group from the scan_verdict_info_extract in transforms.conf in order to get that extraction to work properly (and the related automatic lookups to work), leaving the new(?) fields unaccounted for.

It looks like the x-result-code for WSA 10.x has three additional fields and the capture group at the end of the giant regex (?:>|&gt;) breaks the entire extraction.

<IW_infr,3.9,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_infr,-,"Unknown","-","Unknown","Unknown","-","-",288.91,0,Local,"Unknown","-",-,"-",-,-,"-","-",-,-,"-">

Our IronPorts are currently running 10.1.0-204 for Web.

0 Karma
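The mismatch Yorokobi describes, worked through in Python as an added example (not code from the thread or from the Splunk add-on). The pattern is generated from a table that mirrors the group order and quoting of the scan_verdict_info_extract stanza rather than copying the stanza verbatim, and it is simplified: no optional quotes around x_webroot_scanverdict and the AMP groups are mandatory. It is then extended with three optional trailing groups. Cisco's names for the three new values are not given anywhere in the thread, so the group names x_wsa10_extra1..3 are placeholders, and the 9.x-shaped record is constructed by trimming the 10.x sample. One porting detail: a Splunk REGEX value is PCRE, whose (?<name>...) groups Python's re module only accepts as (?P<name>...), so a helper rewrites them before matching.

```python
import re

# Capture groups of the TA's scan_verdict_info_extract stanza, in log order,
# as (name, quoted): quoted values are wrapped in double quotes in the log.
# Names are copied from the stanza posted in the thread.
WSA9_FIELDS = [
    ("x_webcat_code_abbr", False), ("wbrs_score", False),
    ("x_webroot_scanverdict", False), ("webroot_threat_name", True),
    ("x_webroot_trr", False), ("x_webroot_spyid", False),
    ("x_webroot_trace_id", False), ("x_mcafee_scanverdict", False),
    ("x_mcafee_filename", True), ("x_mcafee_scan_error", False),
    ("x_mcafee_detecttype", False), ("x_mcafee_av_virustype", False),
    ("x_mcafee_virus_name", True), ("x_sophos_scanverdict", False),
    ("x_sophos_scancode", False), ("x_sophos_file_name", True),
    ("x_sophos_virus_name", True), ("x_ids_verdict", False),
    ("x_icap_verdict", False), ("x_webcat_req_code_abbr", False),
    ("x_webcat_resp_code_abbr", False), ("x_resp_dvs_threat_name", True),
    ("x_wbrs_threat_type", True), ("x_avc_app", True), ("x_avc_type", True),
    ("x_avc_behavior", True), ("x_request_rewrite", True),
    ("x_avg_bw", False), ("x_bw_throttled", False), ("x_user_type", False),
    ("x_resp_dvs_verdictname", True), ("x_req_dvs_threat_name", True),
    ("x_amp_verdict", False), ("x_amp_malware_name", True),
    ("x_amp_score", False), ("x_amp_upload", False),
    ("x_amp_filename", True), ("x_amp_sha", True),
]
# WSA 10.x appends three values (unquoted, unquoted, quoted). Cisco's names for
# them are not given in the thread, so these group names are placeholders.
WSA10_EXTRA = [("x_wsa10_extra1", False), ("x_wsa10_extra2", False),
               ("x_wsa10_extra3", True)]


def build_regex(fields, optional_tail=()):
    """Return a transforms.conf-style (PCRE) REGEX for the <...> block.
    Groups in optional_tail are wrapped in (?:,...)? so 9.x events still match."""
    def group(name, quoted):
        return '"(?<%s>[^"]*)"' % name if quoted else "(?<%s>[^,]+)" % name
    body = ",".join(group(n, q) for n, q in fields)
    if optional_tail:
        body += "(?:," + ",".join(group(n, q) for n, q in optional_tail) + ")?"
    # The TA accepts both raw and HTML-escaped angle brackets; keep that.
    return r"(?:<|&lt;)" + body + r"(?:>|&gt;)"


def to_python(pcre):
    """Splunk REGEX values are PCRE, where named groups are (?<name>...);
    Python's re module only accepts (?P<name>...). Lookbehinds (?<= (?<! are kept."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pcre)


def parse(pcre, line):
    """Apply a REGEX to one scan_verdict_info value: None when it does not match,
    otherwise a dict of group name -> value (None for groups that took no part)."""
    m = re.search(to_python(pcre), line)
    return m.groupdict() if m else None


WSA9_REGEX = build_regex(WSA9_FIELDS)                               # 38 values
WSA10_REGEX = build_regex(WSA9_FIELDS, optional_tail=WSA10_EXTRA)   # 38 + 3 optional

# The 10.1.0-204 sample quoted in the thread (41 values between < and >).
SAMPLE_10X = ('<IW_infr,3.9,0,"-",0,0,0,1,"-",-,-,-,"-",1,-,"-","-",-,-,IW_infr,-,'
              '"Unknown","-","Unknown","Unknown","-","-",288.91,0,Local,"Unknown",'
              '"-",-,"-",-,-,"-","-",-,-,"-">')
# Constructed 9.x-shaped record: the same sample with the three trailing values removed.
SAMPLE_9X = SAMPLE_10X[:SAMPLE_10X.rfind(',-,-,"-">')] + ">"

if __name__ == "__main__":
    print("38-group regex on 10.x sample:", parse(WSA9_REGEX, SAMPLE_10X))
    hit = parse(WSA10_REGEX, SAMPLE_10X)
    print("41-group regex on 10.x sample:", hit["x_webcat_code_abbr"],
          hit["wbrs_score"], hit["x_user_type"], hit["x_wsa10_extra3"])
    print("41-group regex on 9.x sample, extra1:",
          parse(WSA10_REGEX, SAMPLE_9X)["x_wsa10_extra1"])
    print("REGEX =", WSA10_REGEX)
```

The 38-group pattern returns no match at all on the 10.1.0-204 sample, which is the "entire extraction breaks" symptom: the closing (?:>|&gt;) can only follow the 38th value, and every value is pinned between commas, so there is no alignment that absorbs the three extra ones. Making the three new groups optional keeps 9.x events matching the same stanza, so one local/transforms.conf override serves a mixed fleet during the upgrade. The printed REGEX value is in Splunk's own (?<name>...) syntax and can be pasted into the stanza; rename the placeholder groups once Cisco's field names are known.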

knalla
Path Finder

We are having the same issue. Can you please paste the stanza from transforms.conf?

0 Karma

mplaksin
Engager

Hi, we are having some problems.
Which transforms.conf did you edit:

./etc/system/local/transforms.conf
./etc/system/default/transforms.conf
./etc/apps/Splunk_TA_cisco-wsa/default.old.20170421-151119/transforms.conf
./etc/apps/Splunk_TA_cisco-wsa/default/transforms.conf
./etc/apps/maps/default/transforms.conf
./etc/apps/search/default/transforms.conf
./etc/apps/SplunkforCiscoIronportWSA/default/transforms.conf
./etc/apps/splunk_monitoring_console/default/transforms.conf
./etc/apps/cisco_wsa_reporting/etc/system/default/transforms.conf
./etc/apps/cisco_wsa_reporting/etc/apps/cisco_cws_addon/default/transforms.conf
./etc/apps/cisco_wsa_reporting/etc/apps/cisco_wsa_reporting/default/transforms.conf
./etc/apps/cisco_wsa_reporting/etc/apps/splunk_management_console/default/transforms.conf
./etc/apps/Splunk_TA_cisco-asa/default/transforms.conf

Can you give one example before and after?

Thanks!

0 Karma

Yorokobi
SplunkTrust

$SPLUNK_HOME/etc/apps/Splunk_TA_cisco-wsa/local/transforms.conf

You may have to create the local/ directory, then copy default/transforms.conf to local/ to edit. Afterwards, restart Splunk.

0 Karma

Yorokobi
SplunkTrust

[scan_verdict_info_extract]
SOURCE_KEY=scan_verdict_info
REGEX= (?:<|&lt;)(?<x_webcat_code_abbr>[^,]+),(?<wbrs_score>[^,]+),"*(?<x_webroot_scanverdict>[0-9]{0,2}|\-|\w+)"*,"(?<webroot_threat_name>[^"]+)",(?<x_webroot_trr>[^,]+),(?<x_webroot_spyid>[^,]+),(?<x_webroot_trace_id>[^,]+),(?<x_mcafee_scanverdict>[^,]+),"(?<x_mcafee_filename>[^,]+)",(?<x_mcafee_scan_error>[^,]+),(?<x_mcafee_detecttype>[^,]+),(?<x_mcafee_av_virustype>[^,]+),"(?<x_mcafee_virus_name>[^"]+)",(?<x_sophos_scanverdict>[^,]+),(?<x_sophos_scancode>[^,]+),"(?<x_sophos_file_name>[^"]+)","(?<x_sophos_virus_name>[^"]+)",(?<x_ids_verdict>[^,]+),(?<x_icap_verdict>[^,]+),(?<x_webcat_req_code_abbr>[^,]+),(?<x_webcat_resp_code_abbr>[^,]+),"(?<x_resp_dvs_threat_name>[^"]+)","(?<x_wbrs_threat_type>[^,]+)","(?<x_avc_app>[^,]+)","(?<x_avc_type>[^,]+)","(?<x_avc_behavior>[^,]+)","(?<x_request_rewrite>[^,]+)",(?<x_avg_bw>[^,]+),(?<x_bw_throttled>[^,]+),(?<x_user_type>[^,]+),"(?<x_resp_dvs_verdictname>[^,]+)","(?<x_req_dvs_threat_name>[^,]+)"(,(?<x_amp_verdict>[^,]+),"(?<x_amp_malware_name>[^"]+)",(?<x_amp_score>[^,]+),(?<x_amp_upload>[^,]+),"(?<x_amp_filename>[^"]+)","(?<x_amp_sha>[^"]+)")?(?:>|&gt;)
0 Karma

tmayer
Explorer

Bumping up the question... Does anyone have any insights?

0 Karma