Cisco Web Security Appliance S670 User Guide

Cisco Advanced Web Security Reporting Installation, Setup, and User Guide
 
Chapter 1      Installation and Setup
Import and Index Historical Data
Step 1
Copy the historical log files into the folder structure for log files.
Step 2
On the Advanced Web Security Reporting Web page, log in as admin.
Step 3
Verify that data is being imported:
a. Select Settings > Indexes.
b. Scroll down to the summary row.
c. Verify that the Earliest event and Latest event columns display reasonable dates. If the historical data import was run under an evaluation license, install the Advanced Web Security Reporting default license downloaded for the account, and remove any non-production licenses.
Tip
If you find that the Advanced Web Security Reporting application is not indexing files for any type of configured input because of a checksum error, add the line crcSalt = <source> to each input stanza in the inputs.conf file. (The following section describes editing the inputs.conf file.)
What to Do Next
(Optional) Configure the Advanced Web Security Reporting Application to Delete Log Files After Indexing
Step 1
Navigate to your install directory and copy the file /cisco_wsa_reporting/etc/apps//cisco_wsa_reporting/inputs.conf to the directory /cisco_wsa_reporting/etc/apps/cisco_wsa_reporting/local/.
Step 2
Using a text editor, open /cisco_wsa_reporting/etc/apps/cisco_wsa_reporting/local/inputs.conf.
Step 3
Add a segment as below:
[batch:///home/logger/incoming/wsa176.wga/accesslogs/*]
host_segment = 4
disabled = false
sourcetype = wsa_accesslogs
move_policy = sinkhole
The first line is the Advanced Web Security Reporting FTP directory path where WSA logs are sent. The second line is the part of the FTP path containing the host name. The third line enables this FTP input. The fourth line specifies the source of this input. The final line, move_policy = sinkhole, enables deletion of the original data once it is indexed.
Step 4
Save the inputs.conf file and then restart the application by navigating to Settings > Server controls and clicking Restart Splunk.
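
The stanza added in Step 3 can be checked before the restart. The following Python audit is an added example, not part of the Cisco guide: it reports which host name each batch stanza resolves to and whether the stanza deletes its source files. It assumes host_segment counts "/"-separated path segments starting at 1; the function name audit_inputs and the second stanza in SAMPLE are constructed for illustration.

```python
import configparser

# Constructed sample: the stanza from Step 3 plus one with a wrong host_segment.
SAMPLE = """
[batch:///home/logger/incoming/wsa176.wga/accesslogs/*]
host_segment = 4
disabled = false
sourcetype = wsa_accesslogs
move_policy = sinkhole

[batch:///home/logger/incoming/wsa177.wga/accesslogs/*]
host_segment = 3
disabled = false
sourcetype = wsa_accesslogs
move_policy = sinkhole
"""


def audit_inputs(text):
    """Return one finding dict per batch stanza in an inputs.conf body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. crcSalt
    cp.read_string(text)
    findings = []
    for stanza in cp.sections():
        if not stanza.startswith("batch://"):
            continue  # only batch inputs can carry move_policy = sinkhole
        path = stanza[len("batch://"):]
        segments = [s for s in path.split("/") if s]
        opts = cp[stanza]
        idx = opts.getint("host_segment", fallback=0)
        # Assumption: segment 1 is the first directory after the leading "/".
        host = segments[idx - 1] if 1 <= idx <= len(segments) else None
        findings.append({
            "path": path,
            "host": host,
            # An out-of-range index or a wildcard segment is not a host name.
            "host_ok": bool(host) and "*" not in host,
            # True means the original log files are deleted once indexed.
            "deletes_source": opts.get("move_policy", "").strip() == "sinkhole",
            "enabled": opts.get("disabled", "false").strip().lower() in ("false", "0"),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_inputs(SAMPLE):
        print(finding)
```

In the sample, the second stanza resolves its host to "incoming" rather than the appliance directory, which is the effect of an off-by-one host_segment. Any stanza reported with deletes_source set removes the files under its path after indexing, so keep a separate copy of logs that must be retained.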