Cisco Cisco Web Security Appliance S170 설치 가이드

Splunk version 5.0.10: Select Manager > Data Inputs > Files and Directories. 

Disable any inputs labeled CiscoWSA. 

Copy the file: $SPLUNK_HOME/etc/apps/CiscoforIronportWSA/default/inputs.conf 
to the folder: $SPLUNK_HOME/etc/apps/CiscoforIronportWSA/local/ 

Using a text editor, open $SPLUNK_HOME/etc/apps/CiscoforIronportWSA/local/inputs.conf.

Locate the appropriate stanza for the input method and log source and edit the path.

Within the same stanza, edit the value for disabled: disabled = false.

For every additional Cisco Web Security Appliance added, create a separate input stanza. 

Wildcards are not supported here. 

Save the file.

Restart Splunk. 

In Splunk Web: 

Splunk version 6.1.4: Select Settings > Data Inputs > Files and Directories. 

Splunk version 5.0.10: Select Manager > Data Inputs > Files and Directories. 

In Splunk Web, verify that the inputs are listed, enabled, and have the correct path. 

In Splunk Web, for each input: 

Click the input name. 

Select the More settings check box.

Set the Source Type to Manual, 

Set Source Type to wsa_accesslogs, 

Set the destination index to Default. 

Click Save. 

Know the path to your log files: 

Determine the frequency of transfers, no more than 60 minute increments.

Batch

sourcetype=wsa_accesslogs

interval=60

move_policy = sinkhole

This is the default. Reads and deletes the data. 

Only add move_policy = sinkhole if you want the original data to 
be deleted.

Do not use Splunk as the primary log storage with batch input 
configuration.

Monitor

[monitor://<path>]

Splunk monitors a file or directory for changes.

[batch:///data1/splunklogs/*] (folder that is being monitored.]