Virtualizing Splunk for use with Ironport S380 logs?

NPT_2 · ‎06-09-2014

We have around 1,000 users and have found the built in reporting on the Ironport Web to be lacking in functionality. I'm thinking the Splunk with the Advanced Web Reporting add-on might work better. In particular I would like to be able to do the following, and have these questions:

1. I would like to run reports on full departments via their active directory OU's for example for summaries of their Ironport Categories they accessed/etc. This doesn't appear possible in the built in reporting, you seem to have to run either a summary for all users or one user at a time. Is this something that Splunk and the advanced web reporting add on would let us do?

2. Can you now virtualize Splunk and the Advanced Web Reporting add-on for use with an Ironport S380 or does it still need a dedicated server?

3. What is a ballpark cost for the Splunk Serrver software? What about the Advanced Web Reporting software, does Cisco charge extra for that too?

Let me know what you think.

Jim

bmuthang · ‎07-22-2014

Hello Jim,

The Cisco Advanced Reporting for Web Security Appliance (WSA) is a Cisco-sold-and-supported tool to supplement Web Security Appliances. It only processes Web Security Appliance logs and has pre-built reports. Splunk Enterprise is an entirely different product, sold and supported by Splunk, that processes all kinds of data.

1. The Cisco Advanced Reporting for Web Security Appliance tool has directory-based group reporting.

2. Advanced Web Reporting needs a dedicated server, it cannot be virtualized.

3. A quote for Advanced Web Reporting can be provided by your sales rep/partner. It is generally about 5% of an overall Web Security order.

Thanks,

WSA Product Management