Troubleshoot the Splunk Add-on for Cisco WSA¶
General troubleshooting¶
For helpful troubleshooting tips that you can apply to all add-ons, see “Troubleshoot add-ons” in Splunk Add-ons. For additional resources, see “Support and resource links for add-ons” in Splunk Add-ons.
Cannot launch add-on¶
This add-on does not have views and is not intended to be visible in Splunk Web. If you are trying to launch or load views for this add-on and you are experiencing results you do not expect, turn off visibility for the add-on.
For more details about add-on visibility and instructions for turning visibility off, see Troubleshoot add-ons in Splunk Add-ons.
Extracted fields contain incorrect values¶
The Splunk Add-on for Cisco WSA expects Cisco WSA access logs in a specific format; all of its field extractions are positional, so a log whose fields are in a different order extracts wrong values without any parsing error. If your Cisco WSA environment does not generate the logs in the expected order, customize the event log format either in the add-on configuration or in Cisco WSA. See Customize log and field extractions for supported sourcetypes for details.
If you ingest WSA logs through SC4S, make sure you have applied the correct custom SC4S configuration that completely removes the syslog header (priority, timestamp, and host) from the beginning of the event. Any leftover header text shifts every field by one or more positions.
If you use a squid-style access log subscription, a new WSA release can introduce breaking changes to the log format by re-ordering, adding, or removing fields. If no add-on version supporting the new format is available yet, adjust the configuration as described in the Adjusting TA configuration section.
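As an added example (not part of the add-on or of Cisco's documentation), the following Python script checks access log lines for the two problems described above before they reach Splunk: syslog header text left at the start of the event by SC4S, and a field order that no longer matches the add-on's extractions. The expected field order is an assumption based on the default squid-style access log format of Cisco WSA and uses the add-on's own field names; the sample lines are constructed. Adjust `EXPECTED` if your access log subscription uses a custom format.

```python
"""Check Cisco WSA squid-style access log lines for format problems.

Added example, not part of the Splunk Add-on for Cisco WSA. The expected
field order is an ASSUMPTION based on the default squid-style access log
format; the field names follow the add-on's extractions. Sample lines are
constructed, not captured from a real appliance.
"""
import re
import sys

# Positional fields the add-on's squid extraction expects, in order, with a
# pattern each value must match. Fields after the ACL tag (scan verdict info
# in <...> and the user agent) may contain spaces and are checked separately.
EXPECTED = [
    ("timestamp", re.compile(r"^\d+(\.\d+)?$")),                # epoch seconds
    ("x_elapsed_time", re.compile(r"^\d+$")),                   # milliseconds
    ("c_ip", re.compile(r"^[0-9A-Fa-f.:]+$")),                  # client IP
    ("x_resultcode_httpstatus", re.compile(r"^[A-Z_]+/\d+$")),  # TCP_MISS/200
    ("sc_bytes", re.compile(r"^\d+$")),
    ("cs_method", re.compile(r"^[A-Z]+$")),
    ("cs_url", re.compile(r"^\S+$")),
    ("cs_username", re.compile(r"^\S+$")),                      # "-" if none
    ("s_hierarchy_hostname", re.compile(r"^[A-Z_]+/\S+$")),     # DIRECT/host
    ("cs_mime_type", re.compile(r"^\S+$")),
    ("x_acltag", re.compile(r"^\S+$")),                         # policy tags
]

# Syslog header that SC4S should have stripped: optional <PRI> (and RFC 5424
# version), an RFC 3164 or RFC 5424 timestamp, then the sending hostname.
SYSLOG_PREFIX = re.compile(
    r"^(?:<\d{1,3}>\d?\s?)?"
    r"(?:[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2}|\d{4}-\d{2}-\d{2}T\S+)"
    r"\s+\S+\s+"
)


def check_line(line):
    """Return a list of problems found in one event (empty list means OK)."""
    problems = []
    m = SYSLOG_PREFIX.match(line)
    if m:
        problems.append(f"syslog header still present: {line[:m.end()]!r}")
        line = line[m.end():]  # check the remainder as the add-on would see it
    parts = line.split(None, len(EXPECTED))
    if len(parts) < len(EXPECTED) + 1:
        problems.append(f"only {len(parts)} fields, expected at least {len(EXPECTED) + 1}")
    for pos, (name, pattern) in enumerate(EXPECTED):
        if pos < len(parts) and not pattern.match(parts[pos]):
            # Report only the first mismatch: once one field is shifted,
            # every later field is shifted too.
            problems.append(f"field {pos + 1} ({name}) has unexpected value {parts[pos]!r}")
            break
    rest = parts[len(EXPECTED)] if len(parts) > len(EXPECTED) else ""
    if not (rest.startswith("<") and ">" in rest):
        problems.append("scan verdict info block <...> not found after x_acltag")
    return problems


def check_lines(lines):
    """Map 1-based line numbers to their problem lists; clean lines are omitted."""
    report = {}
    for number, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if not line or line.startswith("#"):  # skip blank and comment/header lines
            continue
        problems = check_line(line)
        if problems:
            report[number] = problems
    return report


# Constructed samples: one clean line, one with a syslog header left in place,
# and one where the elapsed-time and client-IP fields are swapped.
GOOD_LINE = (
    '1278096903.150 97 172.16.0.25 TCP_MISS/200 8187 GET http://my.site.com/ '
    '- DIRECT/my.site.com text/plain DEFAULT_CASE_11-PolicyGroup-Identity-'
    'OutboundMalwareScanningPolicy-DataSecurityPolicy-ExternalDLPPolicy-'
    'RoutingPolicy <IW_comp,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,'
    'IW_comp,-,"-","-","Unknown","Unknown","-","-",198.34,0,-,[Local],"-"> '
    '"Mozilla/5.0 (X11; Linux x86_64)"'
)
SYSLOG_LINE = "<134>Oct 12 10:00:01 wsa-01 " + GOOD_LINE
REORDERED_LINE = GOOD_LINE.replace("97 172.16.0.25", "172.16.0.25 97", 1)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            report = check_lines(fh)
    else:
        report = check_lines([GOOD_LINE, SYSLOG_LINE, REORDERED_LINE])
    for number, problems in sorted(report.items()):
        for problem in problems:
            print(f"line {number}: {problem}")
```

Run it against a copy of the access log exported from the appliance, or against the raw events as they leave SC4S, and fix the first reported field: because the extraction is positional, the first mismatch is the cause and later ones are usually only consequences.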
Events are not visible when using SC4S¶
Check that the "netproxy" index exists in Splunk, as required by the SC4S documentation for Cisco WSA: https://splunk.github.io/splunk-connect-for-syslog/main/sources/vendor/Cisco/cisco_wsa/
If the hostname of your Cisco WSA device does not start with "wsa-", SC4S cannot assign the vendor and product automatically and the events do not reach the expected index and sourcetype. Following the example in the SC4S documentation, create a custom configuration in SC4S whose host filter matches your hostname so that the events are assigned to the Cisco WSA vendor product. Alternatively, dedicate a port in SC4S to Cisco WSA events, so that everything received on that port is classified as Cisco WSA regardless of hostname:
Variable | Default | Description
---|---|---
SC4S_LISTEN_CISCO_WSA_TCP_PORT | empty string | Enable a TCP port for this specific vendor product using a comma-separated list of port numbers.
SC4S_LISTEN_CISCO_WSA_UDP_PORT | empty string | Enable a UDP port for this specific vendor product using a comma-separated list of port numbers.
If the values of your log fields can contain spaces (for example user agents), use the squid format instead of the W3C format, because the W3C extraction splits fields on whitespace.
Events are not in the cisco:wsa:squid:new sourcetype¶
Changes in sourcetype behavior with add-on version 5.0.0¶
Overview¶
With the release of version 5.0.0 of the Splunk Add-on for Cisco WSA, the cisco:wsa:squid:new sourcetype is no longer supported. Events that were previously assigned the cisco:wsa:squid:new sourcetype now appear under the cisco:wsa:squid sourcetype.
Accessing data with the old sourcetype¶
Events that arrived with the old sourcetype keep it in the _sourcetype field after the rename. To view that data, search on the _sourcetype field instead of sourcetype. This lets you reference the old sourcetype without reverting the rename.
Restoring the cisco:wsa:squid:new Sourcetype¶
For users with previously configured dashboards or dependencies on the cisco:wsa:squid:new sourcetype, the following steps can be used to restore the original behavior:
- Create or edit the props.conf file in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-wsa/local. Settings in local take precedence over the add-on's default configuration and survive add-on upgrades.
- Add the following stanza. The empty rename value is intentional: it overrides the rename that the add-on applies to this sourcetype, so events keep the cisco:wsa:squid:new name, and the remaining settings restore the extractions that go with it.

```conf
[cisco:wsa:squid:new]
rename =
KV_MODE = none
SHOULD_LINEMERGE = false
EVENT_BREAKER_ENABLE = true
MAX_TIMESTAMP_LOOKAHEAD = 17
pulldown_type = true
category = Network & Security
description = Access logs squid formatted output produced by the Cisco Web Security Appliance(WSA)
TRANSFORMS-drop_log_file_header_lines = drop_log_file_header_lines

# WSA W3C log fields extractions
REPORT-extract = cisco_wsa_latest_delim_squid, common_regex_trim_scan_verdict_info, cisco_wsa_latest_delim_scan_verdict_info, common_delim_x_resultcode_httpstatus, common_delim_s_hierarchy_hostname, common_regex_dest_port, common_regex_acltag_decision, common_regex_referer_domain, common_regex_url_domain

# deleting intermediate variables
EVAL-scan_verdict_info_trimmed = null()

# eventtype helper fields
EVAL-virusfound = coalesce( \
    if(in(x_sophos_virus_name,"-","\"-\""), null(), trim(x_sophos_virus_name, "\"")), \
    if(in(x_mcafee_virus_name,"-","\"-\""), null(), trim(x_mcafee_virus_name, "\"")) \
    )
EVAL-threatfound = coalesce( \
    if(in(x_req_dvs_threat_name,"-","\"-\""), null(), trim(x_req_dvs_threat_name, "\"")), \
    if(in(x_resp_dvs_threat_name,"-","\"-\""), null(), trim(x_resp_dvs_threat_name, "\"")), \
    if(in(x_webroot_threat_name,"-","\"-\""), null(), trim(x_webroot_threat_name, "\"")) \
    )
EVAL-malwarefound = if(in(x_amp_malware_name,"-","\"-\""), null(), trim(x_amp_malware_name, "\""))

# CIM fields extractions
EVAL-vendor="Cisco"
EVAL-product="WSA"
EVAL-vendor_product="Cisco WSA"
EVAL-dest=coalesce(if(in(s_computerName,"-","\"-\""), null(), trim(s_computerName, "\"")),s_hostname)
EVAL-category=coalesce(if(in(x_wbrs_threat_type,"-","\"-\""), null(), trim(x_wbrs_threat_type, "\"")), "Network & Security")
EVAL-user=if(in(cs_username,"-","\"-\""), null(), trim(cs_username, "\""))

# Malware:Malware_Attacks specific fields
EVAL-date=if( \
    isnotnull(coalesce( \
        if(in(x_amp_malware_name,"-","\"-\""), null(), trim(x_amp_malware_name, "\"")), \
        if(in(x_sophos_virus_name,"-","\"-\""), null(), trim(x_sophos_virus_name, "\"")), \
        if(in(x_mcafee_virus_name,"-","\"-\""), null(), trim(x_mcafee_virus_name, "\"")), \
        if(in(x_req_dvs_threat_name,"-","\"-\""), null(), trim(x_req_dvs_threat_name, "\"")), \
        if(in(x_resp_dvs_threat_name,"-","\"-\""), null(), trim(x_resp_dvs_threat_name, "\"")), \
        if(in(x_webroot_threat_name,"-","\"-\""), null(), trim(x_webroot_threat_name, "\"")) \
    )), \
    strftime(_time, "%m/%d/%Y"), \
    null() \
    )
EVAL-file_hash=if(in(x_amp_sha,"-","\"-\""), null(), trim(x_amp_sha, "\""))
EVAL-file_name=coalesce( \
    if(in(x_amp_filename,"-","\"-\""), null(), trim(x_amp_filename, "\"")), \
    if(in(x_sophos_file_name,"-","\"-\""), null(), trim(x_sophos_file_name, "\"")), \
    if(in(x_mcafee_filename,"-","\"-\""), null(), trim(x_mcafee_filename, "\"")) \
    )
EVAL-file_path=if( \
    isnotnull(coalesce( \
        if(in(x_amp_filename,"-","\"-\""), null(), trim(x_amp_filename, "\"")), \
        if(in(x_sophos_file_name,"-","\"-\""), null(), trim(x_sophos_file_name, "\"")), \
        if(in(x_mcafee_filename,"-","\"-\""), null(), trim(x_mcafee_filename, "\"")) \
    )), \
    if(in(cs_uri,"-","\"-\""), null(), mvindex(split(trim(cs_uri, "\""),"?"),0)), \
    null() \
    )
EVAL-signature=coalesce( \
    if(in(x_amp_malware_name,"-","\"-\""), null(), trim(x_amp_malware_name, "\"")), \
    if(in(x_sophos_virus_name,"-","\"-\""), null(), trim(x_sophos_virus_name, "\"")), \
    if(in(x_mcafee_virus_name,"-","\"-\""), null(), trim(x_mcafee_virus_name, "\"")), \
    if(in(x_req_dvs_threat_name,"-","\"-\""), null(), trim(x_req_dvs_threat_name, "\"")), \
    if(in(x_resp_dvs_threat_name,"-","\"-\""), null(), trim(x_resp_dvs_threat_name, "\"")), \
    if(in(x_webroot_threat_name,"-","\"-\""), null(), trim(x_webroot_threat_name, "\"")) \
    )

# Web:Proxy specific fields
EVAL-app = if(in(x_avc_app,"-","\"-\""), null(), trim(x_avc_app, "\""))
EVAL-bytes = case(isnull(sc_bytes), 0, in(sc_bytes,"-","\"-\""), 0, true(), sc_bytes)+case(isnull(cs_bytes), 0, in(cs_bytes,"-","\"-\""), 0, true(), cs_bytes)
EVAL-bytes_in = if(in(sc_bytes,"-","\"-\""), null(), trim(sc_bytes, "\""))
EVAL-bytes_out = if(in(cs_bytes,"-","\"-\""), null(), trim(cs_bytes, "\""))
EVAL-dest_port = coalesce( \
    case(isnull(s_port), null(), in(s_port,"-","\"-\""), null(), true(), trim(s_port, "\"")), \
    dest_port, \
    case(match(cs_url,"^https://"), 443, match(cs_url,"^http://"), 80) \
    )
EVAL-duration = if(in(x_elapsed_time,"-","\"-\""), null(), trim(x_elapsed_time, "\""))
EVAL-http_content_type = if(in(cs_mime_type,"-","\"-\""), null(), trim(cs_mime_type, "\""))
EVAL-http_method = if(in(cs_method,"-","\"-\""), null(), trim(cs_method, "\""))
EVAL-http_referrer = if(in(cs_Referer,"-","\"-\""), null(), trim(cs_Referer, "\""))
EVAL-http_referrer_domain = cs_Referer_domain
EVAL-status = if(in(sc_http_status,"-","\"-\""), null(), trim(sc_http_status, "\""))
EVAL-uri_path = if(in(cs_uri,"-","\"-\""), null(), "/"+ltrim(trim(cs_uri, "\""),"/"))
EVAL-url = if(in(cs_url,"-","\"-\""), null(), trim(cs_url, "\""))
EVAL-url_domain = cs_url_domain
EVAL-src_port = case(isnull(c_port), null(), in(c_port,"-","\"-\""), null(), true(), c_port)
EVAL-uri_query = mvindex(split(if(in(cs_uri,"-","\"-\""), null(), trim(cs_uri, "\"")), "?"),1)
EVAL-url_length = len(if(in(cs_url,"-","\"-\""), null(), trim(cs_url, "\"")))
EVAL-cached = case( \
    in(sc_result_code,"TCP_HIT","TCP_IMS_HIT","TCP_MEM_HIT","TCP_REFRESH_HIT"), 1, \
    in(sc_result_code,"TCP_MISS","TCP_MISS_SSL","TCP_CLIENT_REFRESH_MISS", "TCP_CLIENT_REFRESH_MISS_SSL","TCP_DENIED","NONE"), 0 \
    )
EVAL-http_user_agent = coalesce( \
    if(in(cs_User_Agent,"-","\"-\""), null(), trim(cs_User_Agent, "\"")), \
    if(in(x_suspect_user_agent_monitor,"-","\"-\""), null(), trim(x_suspect_user_agent_monitor, "\"")), \
    if(in(x_suspect_user_agent_block,"-","\"-\""), null(), trim(x_suspect_user_agent_block, "\"")) \
    )
EVAL-http_user_agent_length = len(coalesce( \
    if(in(cs_User_Agent,"-","\"-\""), null(), trim(cs_User_Agent, "\"")), \
    if(in(x_suspect_user_agent_monitor,"-","\"-\""), null(), trim(x_suspect_user_agent_monitor, "\"")), \
    if(in(x_suspect_user_agent_block,"-","\"-\""), null(), trim(x_suspect_user_agent_block, "\"")) \
    ))
EVAL-src_ip = coalesce( \
    if(in(cs_X_Forwarded_For,"-","\"-\""), null(), trim(cs_X_Forwarded_For, "\"")), \
    if(in(c_ip,"-","\"-\""), null(), trim(c_ip, "\"")) \
    )
EVAL-src = coalesce( \
    if(in(cs_X_Forwarded_For,"-","\"-\""), null(), trim(cs_X_Forwarded_For, "\"")), \
    if(in(c_ip,"-","\"-\""), null(), trim(c_ip, "\"")) \
    )

# Remove verdict_info fields with '-' value
EVAL-c_ip=if(in(c_ip,"-","\"-\""),null(),trim(c_ip, "\""))
EVAL-c_port=if(in(c_port,"-","\"-\""),null(),trim(c_port, "\""))
EVAL-cs_Referer=if(in(cs_Referer,"-","\"-\""),null(),trim(cs_Referer, "\""))
EVAL-cs_User_Agent=if(in(cs_User_Agent,"-","\"-\""),null(),trim(cs_User_Agent, "\""))
EVAL-cs_X_Forwarded_For=if(in(cs_X_Forwarded_For,"-","\"-\""),null(),trim(cs_X_Forwarded_For, "\""))
EVAL-cs_bytes=if(in(cs_bytes,"-","\"-\""),null(),trim(cs_bytes, "\""))
EVAL-cs_method=if(in(cs_method,"-","\"-\""),null(),trim(cs_method, "\""))
EVAL-cs_mime_type=if(in(cs_mime_type,"-","\"-\""),null(),trim(cs_mime_type, "\""))
EVAL-cs_uri=if(in(cs_uri,"-","\"-\""),null(),trim(cs_uri, "\""))
EVAL-cs_username=if(in(cs_username,"-","\"-\""),null(),trim(cs_username, "\""))
EVAL-cs_version=if(in(cs_version,"-","\"-\""),null(),trim(cs_version, "\""))
EVAL-ext_archivescan_blockedfiletype=if(in(ext_archivescan_blockedfiletype,"-","\"-\""),null(),trim(ext_archivescan_blockedfiletype, "\""))
EVAL-ext_archivescan_threatdetail=if(in(ext_archivescan_threatdetail,"-","\"-\""),null(),trim(ext_archivescan_threatdetail, "\""))
EVAL-ext_archivescan_verdict=if(in(ext_archivescan_verdict,"-","\"-\""),null(),trim(ext_archivescan_verdict, "\""))
EVAL-ext_wtt_behavior=if(in(ext_wtt_behavior,"-","\"-\""),null(),trim(ext_wtt_behavior, "\""))
EVAL-ext_youtube_url_category=if(in(ext_youtube_url_category,"-","\"-\""),null(),trim(ext_youtube_url_category, "\""))
EVAL-google_translate_enc_url=if(in(google_translate_enc_url,"-","\"-\""),null(),trim(google_translate_enc_url, "\""))
EVAL-s_computerName=if(in(s_computerName,"-","\"-\""),null(),trim(s_computerName, "\""))
EVAL-s_hierarchy_hostname=if(in(s_hierarchy_hostname,"-","\"-\""),null(),trim(s_hierarchy_hostname, "\""))
EVAL-s_port=if(in(s_port,"-","\"-\""),null(),trim(s_port, "\""))
EVAL-sc_bytes=if(in(sc_bytes,"-","\"-\""),null(),trim(sc_bytes, "\""))
EVAL-scan_verdict_info=if(in(scan_verdict_info,"-","\"-\""),null(),trim(scan_verdict_info, "\""))
EVAL-timestamp=if(in(timestamp,"-","\"-\""),null(),trim(timestamp, "\""))
EVAL-user_type=if(in(user_type,"-","\"-\""),null(),trim(user_type, "\""))
EVAL-x_acltag=if(in(x_acltag,"-","\"-\""),null(),trim(x_acltag, "\""))
EVAL-x_amp_filename=if(in(x_amp_filename,"-","\"-\""),null(),trim(x_amp_filename, "\""))
EVAL-x_amp_malware_name=if(in(x_amp_malware_name,"-","\"-\""),null(),trim(x_amp_malware_name, "\""))
EVAL-x_amp_score=if(in(x_amp_score,"-","\"-\""),null(),trim(x_amp_score, "\""))
EVAL-x_amp_sha=if(in(x_amp_sha,"-","\"-\""),null(),trim(x_amp_sha, "\""))
EVAL-x_amp_upload_indicator=if(in(x_amp_upload_indicator,"-","\"-\""),null(),trim(x_amp_upload_indicator, "\""))
EVAL-x_amp_verdict=if(in(x_amp_verdict,"-","\"-\""),null(),trim(x_amp_verdict, "\""))
EVAL-x_avc_app=if(in(x_avc_app,"-","\"-\""),null(),trim(x_avc_app, "\""))
EVAL-x_avc_behavior=if(in(x_avc_behavior,"-","\"-\""),null(),trim(x_avc_behavior, "\""))
EVAL-x_avc_type=if(in(x_avc_type,"-","\"-\""),null(),trim(x_avc_type, "\""))
EVAL-x_avg_bw=if(in(x_avg_bw,"-","\"-\""),null(),trim(x_avg_bw, "\""))
EVAL-x_bw_throttled=if(in(x_bw_throttled,"-","\"-\""),null(),trim(x_bw_throttled, "\""))
EVAL-x_elapsed_time=if(in(x_elapsed_time,"-","\"-\""),null(),trim(x_elapsed_time, "\""))
EVAL-x_icap_verdict=if(in(x_icap_verdict,"-","\"-\""),null(),trim(x_icap_verdict, "\""))
EVAL-x_ids_verdict=if(in(x_ids_verdict,"-","\"-\""),null(),trim(x_ids_verdict, "\""))
EVAL-x_mcafee_av_detecttype=if(in(x_mcafee_av_detecttype,"-","\"-\""),null(),trim(x_mcafee_av_detecttype, "\""))
EVAL-x_mcafee_av_scanerror=if(in(x_mcafee_av_scanerror,"-","\"-\""),null(),trim(x_mcafee_av_scanerror, "\""))
EVAL-x_mcafee_av_virustype=if(in(x_mcafee_av_virustype,"-","\"-\""),null(),trim(x_mcafee_av_virustype, "\""))
EVAL-x_mcafee_filename=if(in(x_mcafee_filename,"-","\"-\""),null(),trim(x_mcafee_filename, "\""))
EVAL-x_mcafee_scanverdict=if(in(x_mcafee_scanverdict,"-","\"-\""),null(),trim(x_mcafee_scanverdict, "\""))
EVAL-x_mcafee_virus_name=if(in(x_mcafee_virus_name,"-","\"-\""),null(),trim(x_mcafee_virus_name, "\""))
EVAL-x_req_dvs_scanverdict=if(in(x_req_dvs_scanverdict,"-","\"-\""),null(),trim(x_req_dvs_scanverdict, "\""))
EVAL-x_req_dvs_threat_name=if(in(x_req_dvs_threat_name,"-","\"-\""),null(),trim(x_req_dvs_threat_name, "\""))
EVAL-x_req_dvs_verdictname=if(in(x_req_dvs_verdictname,"-","\"-\""),null(),trim(x_req_dvs_verdictname, "\""))
EVAL-x_request_rewrite=if(in(x_request_rewrite,"-","\"-\""),null(),trim(x_request_rewrite, "\""))
EVAL-x_resp_dvs_scanverdict=if(in(x_resp_dvs_scanverdict,"-","\"-\""),null(),trim(x_resp_dvs_scanverdict, "\""))
EVAL-x_resp_dvs_threat_name=if(in(x_resp_dvs_threat_name,"-","\"-\""),null(),trim(x_resp_dvs_threat_name, "\""))
EVAL-x_resp_dvs_verdictname=if(in(x_resp_dvs_verdictname,"-","\"-\""),null(),trim(x_resp_dvs_verdictname, "\""))
EVAL-x_resultcode_httpstatus=if(in(x_resultcode_httpstatus,"-","\"-\""),null(),trim(x_resultcode_httpstatus, "\""))
EVAL-x_sophos_file_name=if(in(x_sophos_file_name,"-","\"-\""),null(),trim(x_sophos_file_name, "\""))
EVAL-x_sophos_scanerror=if(in(x_sophos_scanerror,"-","\"-\""),null(),trim(x_sophos_scanerror, "\""))
EVAL-x_sophos_scanverdict=if(in(x_sophos_scanverdict,"-","\"-\""),null(),trim(x_sophos_scanverdict, "\""))
EVAL-x_sophos_virus_name=if(in(x_sophos_virus_name,"-","\"-\""),null(),trim(x_sophos_virus_name, "\""))
EVAL-x_suspect_user_agent_block=if(in(x_suspect_user_agent_block,"-","\"-\""),null(),trim(x_suspect_user_agent_block, "\""))
EVAL-x_suspect_user_agent_monitor=if(in(x_suspect_user_agent_monitor,"-","\"-\""),null(),trim(x_suspect_user_agent_monitor, "\""))
EVAL-x_wbrs_score=if(in(x_wbrs_score,"-","\"-\""),null(),trim(x_wbrs_score, "\""))
EVAL-x_wbrs_threat_type=if(in(x_wbrs_threat_type,"-","\"-\""),null(),trim(x_wbrs_threat_type, "\""))
EVAL-x_webcat_code_abbr=if(in(x_webcat_code_abbr,"-","\"-\""),null(),trim(x_webcat_code_abbr, "\""))
EVAL-x_webcat_req_code_abbr=if(in(x_webcat_req_code_abbr,"-","\"-\""),null(),trim(x_webcat_req_code_abbr, "\""))
EVAL-x_webcat_resp_code_abbr=if(in(x_webcat_resp_code_abbr,"-","\"-\""),null(),trim(x_webcat_resp_code_abbr, "\""))
EVAL-x_webroot_scanverdict=if(in(x_webroot_scanverdict,"-","\"-\""),null(),trim(x_webroot_scanverdict, "\""))
EVAL-x_webroot_spyid=if(in(x_webroot_spyid,"-","\"-\""),null(),trim(x_webroot_spyid, "\""))
EVAL-x_webroot_threat_name=if(in(x_webroot_threat_name,"-","\"-\""),null(),trim(x_webroot_threat_name, "\""))
EVAL-x_webroot_trace_id=if(in(x_webroot_trace_id,"-","\"-\""),null(),trim(x_webroot_trace_id, "\""))
EVAL-x_webroot_trr=if(in(x_webroot_trr,"-","\"-\""),null(),trim(x_webroot_trr, "\""))
EVAL-action=case(x_acltag_decision=="DECRYPT_EUN_WBRS",if(tonumber(trim(sc_http_status, "\""))>=400,"blocked","allowed"),true(),action)
LOOKUP-proxy_action = cisco_wsa_proxy_action_lookup acl_action AS x_acltag_decision OUTPUTNEW action
```

- Restart the Splunk instance to apply the changes. To confirm that the override is in effect, run `$SPLUNK_HOME/bin/splunk btool props list cisco:wsa:squid:new --debug` and check that the rename setting resolves from the local props.conf with an empty value.
This reverts the 5.0.0 behavior: new events are indexed under the cisco:wsa:squid:new sourcetype again, and existing dashboards and searches that depend on that sourcetype keep working. Events indexed while the rename was in effect are not changed; use the _sourcetype field to find those.