How do I install and configure the Splunk for Cisco IronPort Web Appliance app on Splunkbase? http://www.splunkbase.com/apps/All/4.x/app:Cisco+IronPort+Web+Security+Application
The reports and dashboards included in this app rely on eventtype="ironport_proxy" and all relevant fields in order to report on the IronPort Web data. By default, there is an ironport_proxy event type with: search = sourcetype=cisco_wsa*
Getting IronPort Web Data Into Splunk
Configure your IronPort Web Security Appliance to schedule an export of the access logs to a directory accessible by the Splunk server, in either the squid or w3c format. The recommended interval for this is 15 minutes. Please note that the squid logging option provides a fixed format and the app includes field extractions for it. For the w3c format you will need to supply the field header in order for the app to function; this simple step is explained later in this document.
Extracting Relevant IronPort Web Fields
The Splunk for IronPort Web app contains field extractions for the squid-formatted access logs.
Extracting fields from w3c Format
If your IronPort Web access logs are in w3c format you will need to create a DELIMS-based extraction for this log format, since this data is space-delimited. The fields value for this extraction will be set to the header of your w3c logs. This is the order in which the fields were selected in the management interface. Alternatively, the field values can be seen at the top of the w3c-formatted log file.
Reports and Dashboards
Reports and dashboards are included to provide visibility into Acceptable Use/Compliance, Web Security Threats and Network Utilization. There are also form based reports for client profiling and analysis. Creating your own reports and dashboards is quick and easy in Splunk. Details on how to do this can be found here:
Configuring and Modifying Lookup Values
You can modify the usage and severity value for a particular category by editing the following file in the lookups directory of this app:
answered 06 Jun '10, 18:37
Will Hayes ♦
In addition to the above fields, as an FYI you will need to also have s_hostname and x_acltag in order for the IronPort client profiler to work correctly.
answered 16 Aug '10, 17:57
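The DELIMS-based w3c extraction described in the first answer, together with the two extra fields named in the reply above, as an added example that is not part of the original thread or the app. It assumes the w3c log starts with a standard W3C `#Fields:` header line, uses a constructed header and event (field names and values are illustrative, not taken from a real appliance), and emits the transforms.conf/props.conf stanzas with real Splunk keys (`DELIMS`, `FIELDS`, `REPORT-*`); the sourcetype name is a placeholder chosen to match the app's `sourcetype=cisco_wsa*` event type.

```python
"""Derive a Splunk DELIMS extraction for IronPort WSA w3c access logs from the log header."""
import re

# Fields the thread says the client profiler needs in addition to the squid-equivalent ones.
REQUIRED = ("s_hostname", "x_acltag")

# Constructed sample (assumption): W3C-style header plus one made-up access-log event.
SAMPLE_LOG = """#Version: 1.0
#Fields: timestamp x-elapsed-time c-ip x-resultcode-httpstatus sc-bytes cs-method cs-url cs-username s-hostname x-acltag
1277057200.123 200 10.0.0.5 TCP_MISS/200 1024 GET http://example.com/ - wsa01.example.net ALLOW_WBRS_11-DefaultGroup
"""


def splunk_field_name(w3c_name):
    """Map a W3C header token such as c-ip to a Splunk-friendly field name (c_ip)."""
    return re.sub(r"[^0-9A-Za-z_]", "_", w3c_name)


def fields_from_header(log_text):
    """Return the ordered field names from the #Fields: line; the order is the FIELDS order."""
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            return [splunk_field_name(tok) for tok in line[len("#Fields:"):].split()]
    raise ValueError("no #Fields: header found; take the field order from the WSA log settings")


def missing_required(fields):
    """Fields the profiler needs that are absent from the header (should be empty)."""
    return [f for f in REQUIRED if f not in fields]


def transforms_stanza(fields, name="wsa_w3c_fields"):
    """transforms.conf stanza: DELIMS splits on spaces, FIELDS names the pieces in order."""
    quoted = ", ".join('"%s"' % f for f in fields)
    return '[%s]\nDELIMS = " "\nFIELDS = %s\n' % (name, quoted)


def props_stanza(sourcetype="cisco_wsa_w3c", name="wsa_w3c_fields"):
    """props.conf stanza; the sourcetype (placeholder) must match sourcetype=cisco_wsa*."""
    return "[%s]\nREPORT-wsa_w3c = %s\n" % (sourcetype, name)


def parse_event(fields, line):
    """Mimic the DELIMS extraction on one event; a count mismatch means a field contained spaces."""
    values = line.split()
    if len(values) != len(fields):
        raise ValueError("expected %d values, got %d" % (len(fields), len(values)))
    return dict(zip(fields, values))


if __name__ == "__main__":
    hdr = fields_from_header(SAMPLE_LOG)
    print(transforms_stanza(hdr), props_stanza(), missing_required(hdr), sep="\n")
```

Run it against the real log to check the header and required fields before pasting the stanzas into the app's local/ directory.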
I have no idea how to do any of this. Where are the step by step instructions? Not this mess.
answered 23 Aug '11, 09:56
FYI - these instructions are for the free SplunkforIronportWeb app that was offered on Splunkbase.
These instructions do not apply to the Splunk for Cisco IronPort Advanced Reporting application, which is available for purchase from Cisco.
answered 28 Sep '11, 07:34