sourcetype cisco:wsa:l4tm documented, but not working
Hi all,
In the sc4s documentation cisco:wsa:l4tm is listed as a usable sourcetype. Splunk Docs also describe it: "to collect data for access logs, W3C logs, and L4TM logs for the Cisco Web Security Appliance, you must use Splunk Connect for Syslog."
In the Cisco product documentation, "Traffic Monitor Logs | Records sites added to the L4TM block and allow lists. | No | Yes" is listed with "Supports Syslog Push?" -> "No".
On the recent v14.5.1-008 there is still no option to send L4TM logs using syslog:

Can anybody help clarify whether this is a documentation bug on both sides, or give any hints on how to ingest cisco:wsa:l4tm using syslog?
Thanks to all in advance!
Andreas
Hi @schose, to ingest Cisco WSA logs, please refer to these docs, which help you configure routing the logs to Splunk using SC4S. Doc link: https://docs.splunk.com/Documentation/AddOns/released/CiscoWSA/Installationsteps
Hi @bparmar-splunk ,
Just to clarify: the Splunk docs state that you can ingest Traffic Monitor Logs (cisco:wsa:l4tm) using syslog. The vendor (Cisco) documents that this is not possible. I also tried to show in the screenshot that Cisco's documentation is right.
My question is: is this a mistake in your documentation? How do you ensure that the sourcetypes listed under "known vendors" are really working?
best regards,
Andreas
@schose Did you sort any of this out? A bit long ago now, I know. I've been dealing with WSA v12.5 and the add-on, and it doesn't work quite as the documentation suggests or as expected. I can share my experience, and possibly help, but you may have already long since moved on.
I don’t believe traffic manager logs are ingestible through stalls or SC4S, but even access logs and others that are don’t quite work currently without workarounds.
Please open a support case with the WSA TA team, and they should be able to help.