Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4462
Views
0
Helpful
8
Replies

Can you have WSA send logs to a syslog server and still use a SMA for Centralized Reporting

rhnetworkteam
Level 1
Level 1

‎03-22-2019 08:02 AM

We are looking at getting our WSA logs into Splunk to create Dashboards and ease of access for our IT Manager to be able to look at Bandwidth utilization easier. I was wondering can we have the logs go to syslog as well as leverage Centralized Reporting to an SMA?

 

Any help would be appreciated.

 

Thanks,

Labels:
0 Helpful
8 Replies 8

balaji.bandi
Hall of Fame
Hall of Fame

‎03-23-2019 02:48 AM - edited ‎03-23-2019 02:55 AM

here is the sample screen and config to send logs it  is old but still works.

 

http://www.balajibandi.com/2017/10/01/wsa-logs-to-syslog-server-for-kibana-logstash/

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Josiane de Barros Silva
Level 1
Level 1

‎04-01-2019 10:42 AM

Hi  rhnetworkteam

You can also use Add-on to use the Splunk SIEM system.

https://www.splunk.com/pdfs/partner-briefs/splunk-and-cisco.pdf

 

 

Best regards,

Josiane

0 Helpful

rhnetworkteam
Level 1
Level 1

‎04-01-2019 11:16 AM

Yes, I understand on how to set it up to send to the syslog... but what I am asking is that do the logs still get sent to the SMA as well as the syslog server.

0 Helpful

Josiane de Barros Silva
Level 1
Level 1
In response to rhnetworkteam

‎04-01-2019 11:56 AM

Hi rhnetworkteam

I gave one a search and I did not find anything about it.
It would be interesting to open a case on the TAC, I believe that you would quickly have that answer.
And share your feedback with us

 

Best Regards,

Josiane

0 Helpful

Ken Stieers
VIP
VIP
In response to rhnetworkteam

‎04-01-2019 11:57 AM

I would leave the default log in place and then build a second log subscription that gets sent to syslog.

I'd have to test it, but my assumption would be that if you send to syslog, the log doesn't stay around for the SMA to pick it up.



0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to rhnetworkteam

‎04-01-2019 01:22 PM

yes you can do both places, that what i refered the before document in the post.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Todd Everett
Cisco Employee
Cisco Employee
In response to balaji.bandi

‎03-07-2023 10:47 AM

I can confirm that when you add a new log on the WSA (being rebranded as Secure Web Appliance - SWA), it runs independently of the other logging. The prior references in this thread and documentation cover connection options for the syslog server.

0 Helpful

amojarra
Cisco Employee
Cisco Employee

‎03-09-2023 02:54 AM

Hello @rhnetworkteam 

 

the main concerns is about Reports being in two place, which can not be done. Just in SWA or in one or two SMA(s) at the same time.

regarding the Logs, you dont have any limitation on creating log subscription and pushing/ forwarding the logs anywhere you want, On the SWA, on FTP, SCP, Syslog ,... . and multiple instance at the same time for the same log

Just please consider the load on the Network interface and Disk if you are configuring many log servers and consider the log levels please (in case device didn't get overload or busy ....)

 

 

Regards,

Amirhossein Mojarrad

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++   If you find this answer helpful, please rate it as such  ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++

  

Regards,
Amirhossein Mojarrad
+++++++++++++++++++++++++++++++++++++++++++++++++++
++++ If you find this answer helpful, please rate it as such ++++
+++++++++++++++++++++++++++++++++++++++++++++++++++
0 Helpful
Customers Also Viewed These Support Documents