918 Views, 0 Helpful, 8 Replies

Cisco WSA - not all traffic in logs?

hash2k2
Level 1

Hi,

I have a Cisco WSA S390 cluster up and running.
On my monitoring system I have a NetFlow sensor running for my ASA.
For last night I see the IP address of the active member of the WSA cluster transferring a lot of data (50 GB) with xxx.amazonaws.com.
Now I want to see which client is downloading the data via the WSA, but if I filter for the specific time last night, I just see 2 KB with 2 transactions during that time.

I have already seen that a couple of times. It seems like not all traffic is getting written to the logs.
Does it maybe have something to do with the connection being built by clients falling under a no-authentication policy? We have some devices added to "no authentication".

Are there other known reasons why not all traffic is being logged?

8 Replies

balaji.bandi
Hall of Fame

Based on how you configured the logs, you can see in the dashboard which IP transferred that data.

Is this managed by an SMA?


BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi,
we do not have an SMA (you mean Security Management Appliance, right?) running. We are managing each member by itself.
If I filter for amazonaws.com for last night, I just see 2 KB of data, not 50 GB.

Hello,

can you post the NetFlow configuration of your ASA?

class-map netflow_inet
match any

policy-map global_policy
class netflow_inet
flow-export event-type all destination xx.xx.xx.xx

Is this only a one-time thing? Can you see it on the dashboard under top clients?

If the WSA itself is trying to get some data, it won't show there (but I am not aware of the WSA trying to get 50 GB of data).


BB

Hi,

that is strange. Now I can see the traffic in the logs. It took a couple of hours.
Is this normal behaviour?

Traffic was between 0:45 AM and 1:45 AM Central European Time. I checked the dashboard at 8:30 AM CET.
Now I looked again at 13:30 CET and I can see over 80 GB of data loaded from cloudsink.net / amazonaws.

Turns out this was an update for CrowdStrike.
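A way to check the raw accesslog for a time window instead of waiting for the reporting dashboard, added here as an example (this is not code from the thread or from Cisco): it parses Squid-style accesslog lines, keeps the transactions timestamped inside the window whose destination host ends with a given suffix, and sums the logged bytes per client IP so the NetFlow figure from the ASA can be matched to a client behind the WSA. The eight-field line layout, the sample lines, the hostnames and the client IPs are all constructed assumptions; real appliance lines carry more trailing fields, which are ignored.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed layout of a Squid-style WSA accesslog line (first eight fields):
#   epoch.ms  elapsed_ms  client_ip  result/status  bytes  method  url  user ...
# Real appliance lines carry further fields; they are ignored here.
CET = timezone(timedelta(hours=1))


def parse_line(line):
    """Return the fields this script needs, or None for a malformed line."""
    parts = line.split()
    if len(parts) < 8:
        return None
    try:
        return {
            "ts": datetime.fromtimestamp(float(parts[0]), tz=timezone.utc),
            "elapsed_ms": int(parts[1]),
            "client": parts[2],
            "result": parts[3],
            "bytes": int(parts[4]),
            "method": parts[5],
            "url": parts[6],
            "user": parts[7],  # "-" is how an unauthenticated client is assumed to appear
        }
    except ValueError:
        return None


def host_of(url):
    """Hostname of 'scheme://host:port/path' or of a CONNECT 'host:port' target."""
    m = re.match(r"^(?:[a-z]+://)?([^/:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def bytes_by_client(lines, start, end, host_suffix):
    """Sum logged bytes per client IP for transactions timestamped in
    [start, end) whose destination host is host_suffix or a subdomain of it."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not (start <= rec["ts"] < end):
            continue
        host = host_of(rec["url"])
        if host == host_suffix or host.endswith("." + host_suffix):
            totals[rec["client"]] += rec["bytes"]
    return dict(totals)


# --- constructed sample data (not real appliance output) ---
def _cet(hour, minute):
    return datetime(2024, 3, 12, hour, minute, tzinfo=CET)


def _line(when, elapsed_ms, client, nbytes, method, url, user="-"):
    return (f"{when.timestamp():.3f} {elapsed_ms} {client} TCP_MISS/200 "
            f"{nbytes} {method} {url} {user} DIRECT/{host_of(url)} -")


SAMPLE_LINES = [
    _line(_cet(1, 0), 900000, "10.1.2.3", 2_000_000_000, "CONNECT", "xyz.amazonaws.com:443"),
    _line(_cet(1, 10), 1200000, "10.1.2.3", 3_000_000_000, "GET", "https://cdn.cloudsink.net/pkg.bin"),
    _line(_cet(1, 20), 40, "10.1.2.4", 1500, "GET", "http://abc.amazonaws.com/", "jdoe"),
    _line(_cet(2, 30), 55, "10.1.2.5", 500000, "GET", "http://abc.amazonaws.com/"),  # after window
    _line(_cet(1, 5), 12, "10.1.2.6", 4096, "GET", "http://www.example.com/"),        # other host
    "garbage line that does not parse",
]
WINDOW_START = _cet(0, 45)
WINDOW_END = _cet(1, 45)

if __name__ == "__main__":
    for suffix in ("amazonaws.com", "cloudsink.net"):
        totals = bytes_by_client(SAMPLE_LINES, WINDOW_START, WINDOW_END, suffix)
        for client, total in sorted(totals.items(), key=lambda kv: -kv[1]):
            print(f"{suffix:15} {client:12} {total / 1e9:8.3f} GB")
```

Replace SAMPLE_LINES with the lines of the exported accesslog and widen the window if nothing shows up: in Squid-style logs a line is written when the transaction finishes, so a download that runs for an hour is stamped near its end, and the elapsed field gives its duration. HTTPS traffic that is not decrypted appears as a CONNECT to host:port, which is why host_of accepts that form as well as a full URL.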

Not the delay we expected. Did it take time to report until the transfer had completed?


BB

Hello,

I am pretty sure AWS adds its own timestamp, and somehow that overrides your local settings. How that can happen... we need to find out, if possible, how and where the CrowdStrike data is hosted exactly (e.g. an S3 bucket). Is there a way for you to get that information?