Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
630
Views
5
Helpful
3
Replies

Cisco WSA Access Logs

Go to solution
kamensky@kronovision.sk
Beginner
Beginner

‎01-05-2023 10:37 PM

Dear community,

recently we had to redeploy our WSA due to ongoing authentication issues which I believe is fixed now.

However we were running old WSA for quite a long time now and it contained long history of users access logs.

I have copied files from "accesslogs" folder on old WSA to "accesslogs" folder on new WSA.

While I can see logs in cli - GREP I am not able to search these logs using "Web Tracking" GUI feature. It does not allow me to click on older dates when specifying start date.

Can you please help me on how to correctly transfer access logs from old to new WSA?

Thank you!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
fw_mon
Beginner
Beginner

‎01-06-2023 12:41 AM - edited ‎01-06-2023 01:32 AM

Hello kamensky@kronovision.sk 

while the grep command accesses log files, the "Web Tracking" feature accesses the reporting DB that built based on requests processed by the WSA appliance. As far as I know you cannot "rebuild" the DB using available access log, you can only delete or disable it. That means even by copying access log from other WSA the "Web Tracking" will not show any records from these logs. This is how it supposed to work. A SMA appliance would keep records from old WSA if a central reporting feature was enabled.

View solution in original post

3 Replies 3

Go to solution
balaji.bandi
VIP Community Legend VIP Community Legend
VIP Community Legend

‎01-06-2023 12:18 AM

i do not believe that works, you can not simply copy old logs to new WSA and expect it to work.

as per I know the old logs need to achieve and retrieve from your any remote syslog server, the new WSA logs will start from the current date to moving forward.

If you have SMA to manage, that will manage all the logs and you can retrieve from SMA.

as per WSA concern that is Limitation as per I know.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
fw_mon
Beginner
Beginner

‎01-06-2023 12:41 AM - edited ‎01-06-2023 01:32 AM

Hello kamensky@kronovision.sk 

while the grep command accesses log files, the "Web Tracking" feature accesses the reporting DB that built based on requests processed by the WSA appliance. As far as I know you cannot "rebuild" the DB using available access log, you can only delete or disable it. That means even by copying access log from other WSA the "Web Tracking" will not show any records from these logs. This is how it supposed to work. A SMA appliance would keep records from old WSA if a central reporting feature was enabled.

Go to solution
kamensky@kronovision.sk
Beginner
Beginner
In response to fw_mon

‎01-06-2023 04:23 AM

Thank you for replies. We will focus on moving our reporting to SMA then.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents