In this blog post, I will be detailing how I added WSA logs to my Splunk instance. There are a few ways you can do this, but I'm going to be uploading the logs to Splunk via FTP. You can also use SCP, but I chose not to go that route.
Before you begin any configuration, please make sure to download the free Splunk Add-on for Cisco WSA from here and install it on your Splunk server.
The next thing I did was install vsftpd onto my Ubuntu server so I could FTP in. You can do this from the terminal by running the following commands:
sudo apt-get update
sudo apt-get install vsftpd
Since I will be using FTP to deposit the WSA logs into Splunk, I will need to enable write access for FTP. In order to do this, you'll need to make some changes to the vsftpd.conf file, and you'll need access to it. From the terminal, issue the following command to change the permissions on the conf file (note that 777 makes the file world-writable; editing it with sudo instead leaves the permissions as they were):
sudo chmod 777 /etc/vsftpd.conf
Then open the file and look for the line write_enable=YES, which will probably be commented out as #write_enable=YES. Uncomment it by removing the # from the front and save the file.
After this is complete, restart the vsftpd service with the following command:
sudo service vsftpd restart
Now you will want to configure the WSA to send logs to Splunk. Log into your WSA and navigate to System Administration > Log Subscriptions.
Under log subscriptions, choose Add Log Subscriptions to create a new log subscription that will be sent to the Splunk server.
There are quite a few log types you can send to Splunk (squid, W3C, etc.). In my lab, I'll be using squid format since it's probably the easiest one to configure and you don't need to add any custom fields to the logs.
For the log type, choose Access Logs and for the log style, choose Squid.
Scrolling down the same window, I chose FTP on Remote Server and filled in the following:
- FTP Host: <Splunk-IP-Address>
- Directory: /opt/splunk/ (Note: this needs to be a directory that Splunk can access. In production with a massive amount of logs you probably don't want to put them directly into the Splunk directory, but I didn't care much since this is my lab.)
- Username: a user with privilege to write to that directory over FTP
- Password: the password of that user
After that is done, click Submit and then Commit this change.
From the Log Subscriptions menu, you can check the box next to the new log subscription you just created and then click Rollover Now at the bottom of the screen to force the logs to be sent to Splunk immediately. FTP over to the directory the files are being sent to on the Splunk server to verify that the squid files are now there.
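As an added sanity check on the rolled-over files (example code written for this post, not from the original article, Cisco or Splunk), the following Python parses the leading fields of Squid-style WSA access log lines, counts lines that don't fit the layout, and pulls out requests whose decision tag starts with BLOCK_. The field layout and the sample lines are assumptions constructed for this example.

```python
import re
from datetime import datetime, timezone

# Assumed layout of a WSA Squid-style access log line: timestamp elapsed_ms
# client_ip result/status bytes method url user hierarchy/peer mime tag <verdict>
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<hier>[^/\s]+)/(?P<peer>\S+)\s+(?P<mime>\S+)\s+(?P<tag>\S+)"
)

def parse_line(line):
    """Leading fields of one squid-style line as a dict, or None when the line
    does not fit the layout (a sign the subscription is not in Squid style)."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    rec = {k: d[k] for k in ("client", "result", "method", "url", "user", "mime", "tag")}
    rec["time"] = datetime.fromtimestamp(float(d["ts"]), tz=timezone.utc)
    rec["elapsed_ms"], rec["status"], rec["bytes"] = (
        int(d["elapsed"]), int(d["status"]), int(d["bytes"]))
    # A WSA decision tag beginning with BLOCK_ marks a request the policy denied.
    rec["blocked"] = d["tag"].startswith("BLOCK_")
    return rec

def summarize(text):
    """Parse a whole file: count parsed/unparsed lines, sum bytes per client,
    and list the blocked requests as (user, url, tag)."""
    report = {"parsed": 0, "unparsed": 0, "blocked": [], "bytes_by_client": {}}
    for raw in filter(str.strip, text.splitlines()):  # skip blank lines
        rec = parse_line(raw)
        if rec is None:
            report["unparsed"] += 1
            continue
        report["parsed"] += 1
        bc = report["bytes_by_client"]
        bc[rec["client"]] = bc.get(rec["client"], 0) + rec["bytes"]
        if rec["blocked"]:
            report["blocked"].append((rec["user"], rec["url"], rec["tag"]))
    return report

# Constructed sample lines (not taken from a real appliance).
SAMPLE = """\
1502800000.123 45 10.1.2.3 TCP_MISS/200 8187 GET http://example.com/index.html - DIRECT/example.com text/html DEFAULT_CASE_11-DefaultGroup-Identity-NONE-NONE-NONE-DefaultGroup <IW_comp,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,-,"-","-","Unknown","Unknown","-","-",198.34,0,-,[Local],"-"> -
1502800001.456 2 10.1.2.3 TCP_DENIED/403 0 GET http://bad.example.net/x.exe jdoe NONE/- - BLOCK_WBRS_11-DefaultGroup-Identity-NONE-NONE-NONE-DefaultGroup <IW_infr,-7.2,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_infr,-,"-","-","Unknown","Unknown","-","-",0.00,0,-,[Local],"-"> -
this line is not in squid style
"""
```

Run `summarize(open("aclog.squid").read())` against a file from the FTP directory; a high unparsed count means the subscription is not actually in Squid style and the cisco:wsa:squid source type will not extract fields.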
In Splunk, add a new data source. This time we will define the source as the directory the log files were saved in, then click Next.
On the next page, define the source type as cisco:wsa:squid. I also decided to change the host to wsa instead of the Splunk server name. Click Review and then Finish.
One last thing I would urge you to do is to navigate to /opt/splunk/etc/apps/Splunk_TA_cisco-wsa/default and create an inputs.conf file with the following in it:
[monitor:///opt/splunk/]
sourcetype = cisco:wsa:squid
Note: I didn't test this configuration without it, but according to all the documentation this is needed for the WSA add-on to function properly later.
To test that Splunk is now seeing logs from the WSA log files, you can do a search for the source type, as shown below.
Where you really get a lot of good use out of the WSA add-on is the Cisco Security Suite App which I will be covering in the next blog post.