User Guide for Cisco Web Security Appliance S670
Cisco Advanced Web Security Reporting Installation, Setup, and User Guide
Chapter 1 Installation and Setup
Import and Index Historical Data
• Know the folder structure. See .
Step 1 Copy the historical log files into the folder structure for log files.
Step 2 On the Advanced Web Security Reporting Web page, log in as admin.
Step 3 Verify that data is being imported:
a. Select Settings > Indexes.
b. Scroll down to the summary row.
c. Verify that the Earliest event and Latest event columns display reasonable dates. If the historical data import was run under an evaluation license, install the Advanced Web Security Reporting default license downloaded for the account, and remove any non-production licenses.
Tip
If you find that the Advanced Web Security Reporting application is not indexing files for any type of configured input because of a checksum error, add the line crcSalt = <source> to each input stanza in the inputs.conf file. (The following section describes editing the inputs.conf file.)
What to Do Next
• (Optional) Configure the Advanced Web Security Reporting Application to Delete Log Files After Indexing
Step 1 Navigate to your install directory and copy the file /cisco_wsa_reporting/etc/apps//cisco_wsa_reporting/inputs.conf to the directory /cisco_wsa_reporting/etc/apps/cisco_wsa_reporting/local/.
Step 2 Using a text editor, open /cisco_wsa_reporting/etc/apps/cisco_wsa_reporting/local/inputs.conf.
Step 3 Add a segment as below:
[batch:///home/logger/incoming/wsa176.wga/accesslogs/*]
host_segment = 4
disabled = false
sourcetype = wsa_accesslogs
move_policy = sinkhole
Where the first line is the Advanced Web Security Reporting FTP directory path where WSA logs are sent. The second line is the part of the FTP path containing the host name. The third line enables this FTP input. The fourth line specifies the source of this input. The final line, move_policy = sinkhole, enables deletion of the original data once it is indexed.
Step 4 Save the inputs.conf file and then restart the application by navigating to Settings > Server controls and clicking Restart Splunk.
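A check that can be run on the edited local/inputs.conf before the restart, added here as an example and not part of the Cisco guide: it reports, per input stanza, the host name that host_segment selects from the path, whether the stanza deletes its source files after indexing, and whether crcSalt is set. The function name audit_inputs and the second (monitor) stanza in the sample are assumptions made for illustration.

```python
import configparser

# Constructed sample: the first stanza is the one shown in Step 3; the second
# is a hypothetical monitor input included only for contrast.
SAMPLE_INPUTS_CONF = """\
[batch:///home/logger/incoming/wsa176.wga/accesslogs/*]
host_segment = 4
disabled = false
sourcetype = wsa_accesslogs
move_policy = sinkhole

[monitor:///home/logger/incoming/wsa200.example/accesslogs/*]
host_segment = 4
disabled = false
sourcetype = wsa_accesslogs
crcSalt = <source>
"""

def audit_inputs(text):
    """Return one dict per file-input stanza describing what it will do."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case (crcSalt) exactly as written
    parser.read_string(text)
    report = []
    for stanza in parser.sections():
        kind, sep, path = stanza.partition("://")
        if not sep:
            continue  # not a file-based input stanza
        opts = parser[stanza]
        segments = [p for p in path.split("/") if p]
        n = opts.getint("host_segment", fallback=0)
        # host_segment counts path components from 1
        host = segments[n - 1] if 0 < n <= len(segments) else None
        disabled = opts.get("disabled", "false").strip().lower() in ("true", "1")
        report.append({
            "stanza": stanza,
            "host": host,
            "enabled": not disabled,
            # only a batch input with move_policy = sinkhole removes the originals
            "deletes_source": kind == "batch" and opts.get("move_policy") == "sinkhole",
            "has_crc_salt": "crcSalt" in opts,
        })
    return report

if __name__ == "__main__":
    for row in audit_inputs(SAMPLE_INPUTS_CONF):
        print(row)
```

Any stanza reported with deletes_source set needs its log files archived elsewhere before the restart if the originals must be retained.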