
WSA - Splunk and the Cisco App

john.phillips
Level 1

Is anyone using Splunk and the Cisco App to help monitor their WSAs?
http://www.splunk.com/apps/cisco

If so, how are you doing it? FTP'ing logs to a Sawmill server and a Splunk server, or getting the Sawmill server to run Splunk as well?
I can see the benefit of running Splunk on the logs, as it's a neat way of indexing the raw data when you are trying to debug an issue. But we generate a fair amount of logs, I don't want to keep copying them around the network, and the poor old Sawmill server is on its last legs.

Thanks

1 Reply

Jeffrey Bollinger
Cisco Employee

Copy your logs (SCP) from the WSA to an intermediate (syslog) server and then have Splunk pull from there. I primarily use the access_log as it contains the most relevant data, and this is what the Splunk Cisco App is expecting, I believe. You can do your log management on the syslog server if there's a logfile size concern.
