Cisco has developed, sells and directly supports an Advanced Reporting for WSA Application for Splunk.
Not only does the application properly extract the various fields in both access and trafmon logs, but it also directly emulates the functionality of on-box reporting while still allowing for additional Splunk searches.
Do you have any proper document for doing this? I downloaded the WSA app from Cisco and added it in Splunk, but it is not fetching the information from the IronPort. Maybe I missed one or two steps. If you have any documents, please share them; it will be very helpful.
There are Install, User and Troubleshooting Guides posted to the Cisco Support portal. The "Install Guide" steps one through the process of importing logs, first time set-up, etc.
The "Troubleshooting Guide" will help diagnose any problems you may be having. In short, I would ensure that the data is being properly indexed (search "*" in the logs and make sure fields are properly extracted, e.g. acl_tag).
Next, with the fields being properly extracted, you may need a one-time run of the summary script if you have imported historical logs.