WSA - Splunk and the Cisco App

Unanswered Question

Is anyone using Splunk and the Cisco App to help monitor their WSAs?

If so, how are you doing it: FTP'ing logs to a Sawmill server and a Splunk server, or getting the Sawmill server to run Splunk as well?
I can see the benefit of running Splunk on the logs, as it's a neat way of indexing the raw data when you are trying to debug an issue, but we generate a fair amount of logs and I don't want to keep copying it around the network, and the poor old Sawmill server is on its last legs.


Jeffrey Bollinger (Cisco Employee) Mon, 12/21/2009 - 13:05

Copy your logs (SCP) from the WSA to an intermediate (syslog) server and then have Splunk pull from there. I primarily use the access_log as it contains the most relevant data, and this is what the Splunk Cisco App is expecting, I believe. You can do your log management on the syslog server if there's a logfile size concern.

