10-19-2020 07:54 AM
I would like to add additional fixed text in a Cisco WSA log subscription. Is this possible using the custom field? I tried it, and it said 'invalid field'.
10-19-2020 08:06 AM
You can add, but check the format.
10-19-2020 08:10 AM
Thanks for the quick response.
I am trying to add an IP address into the log, and have used the format client_IP 10.2.2.2 in the custom field and it has rejected it. Is there a specific format I should be using, for instance delimiters?
10-19-2020 08:27 AM
You need to use:
client_IP %a
10-19-2020 08:37 AM
Hi,
I understand this, but we are trying to insert a different IP into the log. We are testing a new solution and effectively want to spoof the IP written in the log with a custom one.
I hope this makes sense.
10-19-2020 08:55 AM
You can leverage the existing options available; you cannot introduce any more syntax that I am aware of.
Spoofing an IP address is different, I guess.
10-19-2020 09:07 AM
Ok, one other question: is there a separate field for the P1 and P2 interfaces on the Ironport?
10-19-2020 09:14 AM
The P1 and P2 interfaces are used for ingress/egress traffic - we all know which interface is used in and out; we always need more information on source and destination.
Not sure what your objective is in getting that interface information.
10-19-2020 09:36 AM
Unfortunately, a very simple problem.
We are conducting a proof of concept of the Cisco Stealthwatch product.
In order to ingest webproxy data, we set up a log subscription which Stealthwatch uses to stitch to netflow data received from the various switches and routers in the organisation. Netflow shows traffic between P1 and the client; unfortunately, the webproxy logs show the conversation between M1 and the client. We believed we could spoof the address of the P1 interface in the logs so that we didn't have to make any changes to the Ironport configuration.
I hope this is clear. But we still do not have a solution unfortunately.