Can I add custom text in a Cisco WSA log subscription

PaulTThomas
Level 1

I would like to add additional fixed text in a Cisco WSA log subscription. Is this possible using the custom field? I tried it, and it said 'invalid field'.

balaji.bandi
Hall of Fame

You can add, but check the format.

cust.JPG

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for the quick response.

I am trying to add an IP address into the log, and have used the format client_IP 10.2.2.2 in the custom field and it has rejected it. Is there a specific format I should be using, for instance delimiters?

balaji.bandi
Hall of Fame

You need to use

client_IP %a

Web Proxy Information in Access Log Files

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa11-0/user_guide/b_WSA_UserGuide/b_WSA_UserGuide_chapter_010111.html

BB


Hi,

I understand this, but we are trying to insert a different IP into the log. We are testing a new solution and effectively want to spoof the IP written in the log with a custom one.

I hope this makes sense.

balaji.bandi
Hall of Fame

You can leverage the existing options available; you cannot introduce any more syntax that I am aware of.

Spoofing an IP address is different, I guess.

BB


Ok, one other question: is there a separate field for the P1 and P2 interfaces on the Ironport?

balaji.bandi
Hall of Fame

The P1 and P2 interfaces are used for ingress/egress traffic - we all know which interface is used in and out; we always need more information on source and destination.

Not sure what your objective is in getting that interface information.

BB


Unfortunately, a very simple problem.

We are conducting a proof of concept of the Cisco Stealthwatch product.

In order to ingest webproxy data, we set up a log subscription which Stealthwatch uses to stitch to netflow data received from the various switches and routers in the organisation. Netflow shows traffic between P1 and the client; unfortunately, the webproxy logs show the conversation between M1 and the client. We believed we could spoof the address of the P1 interface in the logs so that we didn't have to make any changes to the Ironport configuration.

I hope this is clear.  But we still do not have a solution unfortunately.