WSA - Splunk and the Cisco App


Is anyone using Splunk and the Cisco App to help monitor their WSAs?
http://www.splunk.com/apps/cisco

If so, how are you doing it: FTPing logs to a Sawmill server and a Splunk server, or getting the Sawmill server to run Splunk as well?
I can see the benefit of running Splunk on the logs, as it's a neat way of indexing the raw data when you are trying to debug an issue, but we generate a fair amount of logs and I don't want to keep copying them around the network, and the poor old Sawmill server is on its last legs.

thanks

Jeffrey Bollinger Mon, 12/21/2009 - 13:05

Copy your logs (SCP) from the WSA to an intermediate (syslog) server and then have Splunk pull from there. I primarily use the access_log as it contains the most relevant data, and this is what the Splunk Cisco App is expecting, I believe. You can do your log management on the syslog server if there's a logfile size concern.
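Here is an added example (not from this thread, and not Cisco's or Splunk's own code) of the intermediate-server side of the setup described above: housekeeping for access logs that the WSA has pushed by SCP into a landing directory, a sanity check on that directory, and the Splunk inputs.conf stanza that indexes it. The directory name, the `aclog*` file prefix, the retention periods and the `sourcetype`/`index` values are all assumptions chosen for the example; replace them with whatever your WSA log subscription and the Cisco App actually use.

```shell
#!/bin/sh
# Added example: manage WSA access logs on the intermediate server the WSA
# SCPs into, and emit the Splunk monitor stanza for that directory.
# Assumption: the WSA log subscription pushes rollovers named aclog* into
# the directory passed as $1 (constructed naming for this example).

set -eu

# landing_dir_ok DIR -> 0 if DIR exists and is not world-writable.
# A world-writable landing directory would let any local account plant or
# alter "WSA" log files before Splunk indexes them.
landing_dir_ok() {
    [ -d "$1" ] || return 1
    if find "$1" -prune -perm -002 -print | grep -q .; then
        return 1
    fi
    return 0
}

# rotate_wsa_logs DIR RAW_DAYS GZ_DAYS
#   gzip plain aclog* files older than RAW_DAYS, then delete .gz files older
#   than GZ_DAYS. Only aged files are compressed so Splunk is never reading a
#   file while gzip replaces it; gzip keeps the original mtime, so the later
#   deletion is based on when the log was written, not when it was packed.
rotate_wsa_logs() {
    dir=$1; raw_days=$2; gz_days=$3
    find "$dir" -type f -name 'aclog*' ! -name '*.gz' -mtime +"$raw_days" \
        -exec gzip -f {} \;
    find "$dir" -type f -name 'aclog*.gz' -mtime +"$gz_days" -exec rm -f {} \;
}

# count_files DIR PATTERN -> number of regular files matching PATTERN
count_files() {
    find "$1" -type f -name "$2" | wc -l | tr -d ' '
}

# splunk_monitor_stanza DIR -> prints an inputs.conf stanza for a Splunk
# forwarder on this host. sourcetype/index are placeholders: use the values
# the Cisco App expects for the access_log.
splunk_monitor_stanza() {
    printf '[monitor://%s]\n' "$1"
    printf 'sourcetype = wsa_access_log\n'
    printf 'index = wsa\n'
    printf 'whitelist = aclog\n'
    printf 'disabled = 0\n'
}

# Typical cron usage (assumed paths):
#   landing_dir_ok /var/log/wsa && rotate_wsa_logs /var/log/wsa 2 90
```

The `whitelist` value is a regular expression matched against the full path, so `aclog` keeps Splunk from indexing unrelated files dropped in the same directory; the compressed `.gz` rollovers are still picked up if they match, which is why the example compresses only files older than the indexing window rather than everything at once.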
