
Customize SC4S for Cisco WSA

In addition to the BSD timestamp and hostname, Cisco WSA now prefixes each syslog message with the name of the log subscription and the log level. SC4S does not currently expect these additional fields. To handle them, apply the following SC4S configuration:

Step 1

You may need to enable port 514 by mapping the WSA hostname to the SC4S vendor and product variables. By default, SC4S enables port 514 for any hostname matching the regex pattern ^cisco-wsa- through the following rule:

application app-vps-test-cisco_wsa[sc4s-vps] {
    filter {
        host('^cisco-wsa-')
    };
    parser {
        p_set_netsource_fields(
            vendor('cisco')
            product('wsa')
        );
    };
};

Step 2

You can either change the Cisco WSA hostname to match the pattern above or adjust the regex in the SC4S rule so that it matches your Cisco WSA hostname.

To update the SC4S rule:

  1. On the SC4S host, locate and edit the configuration file /opt/sc4s/local/config/app-parsers/app-vps-cisco_wsa.conf.
  2. Change the regex pattern inside host('^cisco-wsa-') to one that matches your Cisco WSA hostname.
  3. Save the file and restart SC4S.

Step 3

Assign the correct sourcetype to the Cisco WSA log subscription you have chosen to use as a source of events for Splunk.

  1. On the SC4S host, locate the file /opt/sc4s/local/config/filters/app-postfilter-cisco-wsa_postfilter.conf. If it does not exist, create it.
  2. Copy and paste the rule below into this file:

    block parser app-dest-rewrite-cisco-wsa-postfilter-sourcetype() {
        channel {
            if {
                parser {
                    regexp-parser(
                        prefix(".tmp.")
                        patterns('^(?:(?<log_report_name>YOUR_LOG_SUBSCRIPTION_NAME)\s+)?(?:(?<severity>\w+)\:)\s*(?<message>.+)')
                        template("$MESSAGE")
                    );
                };
                rewrite {
                    set("${.tmp.message}" value("MESSAGE"));
                    r_set_splunk_dest_default(
                        sourcetype('YOUR_DESIRED_SOURCETYPE')
                        template('t_msg_only')
                    );
                };
            };
        };
    };

    application app-dest-rewrite-cisco-wsa-postfilter-custom[sc4s-postfilter] {
        filter {
            match('cisco', value('fields.sc4s_vendor') type(string))
            and match('wsa', value('fields.sc4s_product') type(string))
        };
        parser {
            app-dest-rewrite-cisco-wsa-postfilter-sourcetype();
        };
    };

  3. Inside the rule text, locate the placeholder YOUR_LOG_SUBSCRIPTION_NAME and replace it with the name of the desired log subscription.

  4. Inside the rule text, locate the placeholder YOUR_DESIRED_SOURCETYPE and replace it with the sourcetype to be assigned to events coming from that log subscription.

  5. Save the SC4S config file and restart SC4S.

Below is an example of a custom SC4S configuration that maps two log subscriptions generated on the same WSA instance to two different sourcetypes: the access_log_w3c_recommended and access_log_squid log subscriptions are mapped to the cisco:wsa:w3c:recommended and cisco:wsa:squid sourcetypes respectively (a third block routes the audit_logs, cli_logs and gui_logs subscriptions to cisco:wsa:syslog):

block parser app-dest-rewrite-cisco-wsa-postfilter-w3c-recommended() {
    channel {
        if {
            parser {
                regexp-parser(
                    prefix(".tmp.")
                    patterns('^(?:(?<log_report_name>access_log_w3c_recommended)\s+)?(?:(?<severity>\w+)\:)\s*(?<message>.+)')
                    template("$MESSAGE")
                );
            };
            rewrite {
                set("${.tmp.message}" value("MESSAGE"));
                r_set_splunk_dest_default(
                    sourcetype('cisco:wsa:w3c:recommended')
                    template('t_msg_only')
                );
            };
        };
    };
};

block parser app-dest-rewrite-cisco-wsa-postfilter-squid() {
    channel {
        if {
            parser {
                regexp-parser(
                    prefix(".tmp.")
                    patterns('^(?:(?<log_report_name>access_log_squid)\s+)?(?:(?<severity>\w+)\:)\s*(?<message>.+)')
                    template("$MESSAGE")
                );
            };
            rewrite {
                set("${.tmp.message}" value("MESSAGE"));
                r_set_splunk_dest_default(
                    sourcetype('cisco:wsa:squid')
                    template('t_msg_only')
                );
            };
        };
    };
};

block parser app-dest-rewrite-cisco-wsa-postfilter-syslog() {
    channel {
        if {
            parser {
                regexp-parser(
                    prefix(".tmp.")
                    patterns('^(?:(?<log_report_name>(?:audit|cli|gui)_logs)\s+)?(?:(?<severity>\w+)\:)\s*(?<message>.+)')
                    template("$MESSAGE")
                );
            };
            rewrite {
                set("${.tmp.message}" value("MESSAGE"));
                r_set_splunk_dest_default(
                    sourcetype('cisco:wsa:syslog')
                    template('t_msg_only')
                );
            };
        };
    };
};


application app-dest-rewrite-cisco-wsa-postfilter-custom[sc4s-postfilter] {
    filter {
        match('cisco', value('fields.sc4s_vendor') type(string))
        and match('wsa', value('fields.sc4s_product') type(string))
    };
    parser {
        app-dest-rewrite-cisco-wsa-postfilter-w3c-recommended();
        app-dest-rewrite-cisco-wsa-postfilter-squid();
        app-dest-rewrite-cisco-wsa-postfilter-syslog();
    };
};
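To check what the three block parsers above actually do to a message before deploying them, it helps to run their regex outside syslog-ng. The following Python script is an added example, not SC4S or syslog-ng code: it reuses the page's regexp-parser pattern (rewritten from the PCRE `(?<name>...)` group syntax to Python's `(?P<name>...)`), pairs each subscription pattern with the sourcetype its block assigns, and feeds in a few constructed sample message bodies (the parts after the syslog header, i.e. what `$MESSAGE` holds). The assumption that the three blocks run in sequence and that a later matching block overwrites the sourcetype set by an earlier one follows from each block being an `if { parser; rewrite; }` with no `else`; the sample lines and their contents are made up for this example.

```python
import re
from typing import List, NamedTuple, Optional


class WsaEvent(NamedTuple):
    """What one block parser extracts from a message, plus the sourcetype it sets."""
    log_report_name: Optional[str]
    severity: str
    message: str
    sourcetype: str


# Same structure as the page's pattern: an optional subscription name, a
# severity word followed by a colon, then the remaining message body.
PATTERN_TEMPLATE = (
    r"^(?:(?P<log_report_name>{subscriptions})\s+)?"
    r"(?:(?P<severity>\w+):)\s*(?P<message>.+)"
)

# One (subscription regex, sourcetype) pair per block parser, in the order the
# sc4s-postfilter application calls them.
BLOCKS = [
    ("access_log_w3c_recommended", "cisco:wsa:w3c:recommended"),
    ("access_log_squid", "cisco:wsa:squid"),
    ("(?:audit|cli|gui)_logs", "cisco:wsa:syslog"),
]
COMPILED_BLOCKS = [
    (re.compile(PATTERN_TEMPLATE.format(subscriptions=subs)), sourcetype)
    for subs, sourcetype in BLOCKS
]

# Constructed sample message bodies (hypothetical content, not real WSA output).
SAMPLE_EVENTS = [
    "access_log_w3c_recommended Info: 1700000000.000 10.0.0.5 TCP_MISS/200 GET http://example.test/",
    "access_log_squid Info: 1700000000.000 120 10.0.0.7 TCP_MISS/200 512 GET http://example.test/",
    "gui_logs Warning: User admin logged in from 10.0.0.9",
    "Info: message body without a subscription prefix",
    "a line that carries no severity and no colon",
]


def matching_sourcetypes(message: str) -> List[str]:
    """Return the sourcetype of every block whose pattern matches the message."""
    return [sourcetype for pattern, sourcetype in COMPILED_BLOCKS if pattern.match(message)]


def route_event(message: str) -> Optional[WsaEvent]:
    """Simulate the postfilter: run each block in order, last matching block wins.

    Returns None when no block matches, which in SC4S means the message keeps
    whatever sourcetype it had before the postfilter ran.
    """
    result: Optional[WsaEvent] = None
    for pattern, sourcetype in COMPILED_BLOCKS:
        match = pattern.match(message)
        if match:
            result = WsaEvent(
                log_report_name=match.group("log_report_name"),
                severity=match.group("severity"),
                message=match.group("message"),  # this becomes the new $MESSAGE
                sourcetype=sourcetype,
            )
    return result


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        event = route_event(line)
        print(f"{line[:45]!r:48} -> {event.sourcetype if event else 'no match'}"
              f"  (candidates: {matching_sourcetypes(line)})")
```

The fourth sample shows why the optional subscription group deserves attention: a body that starts directly with a severity such as `Info:` satisfies every block's pattern, so all three rewrites fire and the message ends up with the sourcetype of the last block, cisco:wsa:syslog. If the WSA ever emits messages without the subscription prefix, the pattern for the most specific sourcetypes should be made non-optional so those messages do not land in the wrong index.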