Cisco Web Security Appliance S190 Installation Guide
Cisco Web Security Appliance Advanced Reporting Installation, Setup, and User Guide
Chapter 1 Installation and Setup
Set Up Ongoing Data Transfers
• Splunk version 5.0.10: Select Manager > Data Inputs > Files and Directories.
Step 2  Disable any inputs labeled CiscoWSA.
Step 3  Copy the file:
        $SPLUNK_HOME/etc/apps/CiscoforIronportWSA/default/inputs.conf
        to the folder:
        $SPLUNK_HOME/etc/apps/CiscoforIronportWSA/local/
Step 4  Using a text editor, open $SPLUNK_HOME/etc/apps/CiscoforIronportWSA/local/inputs.conf.
Step 5  Locate the appropriate stanza for the input method and log source and edit the path.
Step 6  Within the same stanza, edit the value for disabled: disabled = false.
Step 7  For every additional Cisco Web Security Appliance added, create a separate input stanza.
        Wildcards are not supported here.
Step 8  Save the file.
Step 9  Restart Splunk.
Step 10  In Splunk Web:
        • Splunk version 6.1.4: Select Settings > Data Inputs > Files and Directories.
        • Splunk version 5.0.10: Select Manager > Data Inputs > Files and Directories.
Step 11  In Splunk Web, verify that the inputs are listed, enabled, and have the correct path.
Step 12  In Splunk Web, for each input:
        a. Click the input name.
        b. Select the More settings check box.
        c. Set the Source Type to Manual.
        d. Set Source Type to wsa_accesslogs.
        e. Set the destination index to Default.
        f. Click Save.
Establish Log Transfers from Cisco Web Security Appliance
Before You Begin
• Know the path to your log files:
• Determine the frequency of transfers, no more than 60-minute increments.
Input Method: Batch
Stanza in inputs.conf File:
    [batch:///data1/splunklogs/*] (the folder that is being monitored)
    sourcetype=wsa_accesslogs
    interval=60
    move_policy = sinkhole
More Information: This is the default. Reads and deletes the data. Only add move_policy = sinkhole if you want the original data to be deleted. Do not use Splunk as the primary log storage with batch input configuration.

Input Method: Monitor
Stanza in inputs.conf File:
    [monitor://<path>]
More Information: Splunk monitors a file or directory for changes.
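
An audit of local/inputs.conf following Steps 5 to 7 and the Batch entry above, as an added example (not part of the Cisco guide or the Splunk app). It flags monitor and batch stanzas that are not enabled, lack the wsa_accesslogs source type, or use batch with move_policy = sinkhole, which deletes the original access logs. The sample file contents, the wsa01/wsa02 directory names, and the finding labels are constructed assumptions.

```python
import configparser

# Constructed sample of local/inputs.conf; the wsa01/wsa02 directories and
# the file contents are assumptions for illustration, not from the guide.
SAMPLE = """\
[monitor:///data1/splunklogs/wsa01]
sourcetype = wsa_accesslogs
disabled = false

[monitor:///data1/splunklogs/wsa02]
sourcetype = wsa_accesslogs
disabled = true

[batch:///data1/splunklogs/*]
sourcetype = wsa_accesslogs
interval = 60
move_policy = sinkhole
disabled = false
"""


def audit_inputs(text):
    """Return (stanza, finding) pairs for monitor/batch stanzas in inputs.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    findings = []
    for stanza in cp.sections():
        method = stanza.split("://", 1)[0]
        if method not in ("monitor", "batch"):
            continue  # other input types are out of scope here
        opts = cp[stanza]
        # Step 6: the stanza must carry disabled = false.
        if opts.get("disabled", "").strip().lower() not in ("false", "0"):
            findings.append((stanza, "not-enabled"))
        # Step 12: the source type is wsa_accesslogs.
        if opts.get("sourcetype", "").strip() != "wsa_accesslogs":
            findings.append((stanza, "wrong-sourcetype"))
        # Batch entry: sinkhole reads and then deletes the original data.
        if method == "batch" and opts.get("move_policy", "").strip() == "sinkhole":
            findings.append((stanza, "deletes-source-logs"))
    return findings


if __name__ == "__main__":
    for stanza, finding in audit_inputs(SAMPLE):
        print(f"{finding}: [{stanza}]")
```

Run it against the real file before Step 9 by passing the contents of $SPLUNK_HOME/etc/apps/CiscoforIronportWSA/local/inputs.conf to audit_inputs.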