Cisco Web Security Appliance S360 User Guide

Cisco Advanced Web Security Reporting Installation, Setup, and User Guide
 
Chapter 1      Installation and Setup
Set Up On-going Data Transfers
Step 5
Click Manual and then enter wsa_syslog in the Sourcetype field.
Step 6
Choose Cisco WSA - Advanced Reporting as the App Context.
Step 7
In the Host section, click Custom as the Method field, and then enter the Advanced Web Security Reporting host name as the Host field value.
Step 8
Choose Default as the destination Index.
Step 9
Click Review and review the values you provided.
Step 10
Click Submit.
Step 11
Navigate to Settings > Data Inputs > TCP to confirm the new input entry.
Note
With a multiple-appliance configuration, you must repeat these steps from the Advanced Web Security Reporting application for each appliance. However, you can also configure multiple appliances by editing the inputs.conf file.
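
The note above mentions editing inputs.conf for several appliances. As an added example (not part of the Cisco guide), the following Python check reads such a file and reports every TCP input whose sourcetype or host differs from the values entered in Steps 5 and 7. The INI-style [tcp://<port>] stanza layout, the key names, the port numbers and the host name awsr.example.internal are assumptions, because this page does not show the file itself.

```python
import configparser

# Constructed sample, not taken from a real deployment. Assumes INI-style
# [tcp://<port>] stanzas; the ports and host name are placeholders.
SAMPLE_INPUTS_CONF = """
[tcp://5514]
sourcetype = wsa_syslog
host = awsr.example.internal

[tcp://5515]
sourcetype = syslog
host = awsr.example.internal

[tcp://5516]
sourcetype = wsa_syslog

[monitor:///var/log/other]
sourcetype = other
"""

EXPECTED_SOURCETYPE = "wsa_syslog"  # value entered in Step 5


def check_tcp_inputs(conf_text, expected_host):
    """Return {stanza: [problems]} for TCP inputs that deviate from Steps 5 and 7."""
    # strict=True makes a duplicated stanza raise instead of silently merging.
    parser = configparser.ConfigParser(interpolation=None, strict=True)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(conf_text)
    findings = {}
    for stanza in parser.sections():
        if not stanza.startswith("tcp://"):
            continue  # only the TCP data inputs are in scope here
        problems = []
        sourcetype = parser.get(stanza, "sourcetype", fallback=None)
        if sourcetype != EXPECTED_SOURCETYPE:
            problems.append(f"sourcetype is {sourcetype!r}, expected {EXPECTED_SOURCETYPE!r}")
        host = parser.get(stanza, "host", fallback=None)
        if host != expected_host:
            problems.append(f"host is {host!r}, expected {expected_host!r}")
        if problems:
            findings[stanza] = problems
    return findings


if __name__ == "__main__":
    for stanza, problems in check_tcp_inputs(SAMPLE_INPUTS_CONF, "awsr.example.internal").items():
        for problem in problems:
            print(f"[{stanza}] {problem}")
```

An input that arrives with the wrong sourcetype is still indexed but will not be picked up by reports that expect wsa_syslog, so a check like this is worth running after each manual edit of the file.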
Establish Log Transfers from a Web Security Appliance
Before You Begin
Know the path to your log files: 
.
Determine the frequency of transfers, no more than 60-minute increments.
Open the web interface for the Web Security Appliance.
Step 1
In the Web interface for the Web Security Appliance, navigate to System Administration > Log Subscriptions.
Step 2
Click Add Log Subscription, or click the name of an existing subscription to edit it.
Step 3
Configure the subscription (this example refers specifically to access, AMP engine and traffic-monitor logs):
Setting                         Log Type          Value
------------------------------  ----------------  -------------------------------------------
Log Type                        Access            accesslogs
                                Traffic Monitor   trafmonlogs
                                AMP Engine        amp_logs
Log Name                        Any one           Name for the log directory.
Rollover by File Size           Any one           Recommend no more than 500 MB.
Maximum File Size
(Depending on your AsyncOS
release)
Rollover by Time                Any one           Recommend custom rollover interval of one
(Availability of this option                      hour (1h) or more frequent rollovers. For
varies by AsyncOS release)                        AMP logs, recommend one minute (1m).