06-29-2016 05:06 PM
Hi,
Having some issues first time configuring Advanced Web Reporting 5.0 for Cisco WSA appliances.
1. The release notes are not clear on whether it needs to be dedicated hardware or a VM. The previous AWR versions needed to be hardware based. Does AWR 5.0 have to be hardware for the Cisco support to work, or can it be a VM with equivalent specs to that of the hardware?
2. Installed AWR 5.0 on a Windows 2012 server. By default it goes and installs under C:\Program Files\Cisco\CiscoWSAReporting. I needed to install it under the F: drive. The way it worked was to edit the "install.bat" file and change the "LOC" variable to the desired location. Just an info point.
3. I have the PAK code for the "SMA-WSPL-HIGH-LIC=" license. Trying to fulfill the PAK on the Cisco licensing portal, on the second screen, only appliance type Physical is available. There is no Virtual appliance type. In addition, it asks for a mandatory "SN / Virtual Device Identifier". In the AWR GUI, there does not seem to be any serial number or key or system ID available that I can reference and put into the Cisco Licensing Portal. How do I license AWR?
4. Pretty limited documentation exists on AWR, and that too is limited to Release Notes, Install Guide and some sales material. Is there a configuration guide that talks about integrating WSAs with AWR?
Regards,
Rick.
06-29-2016 06:16 PM
Basically AWR is an add-on to the existing Splunk reporting system. In WSA, you only need to configure log transfers for "accesslogs", "trafmonlogs" and "amp_logs", pushing them to the Splunk server, and the AWR in Splunk will be able to process them.
For the licensing issue, please find the explanation of the "SMA-WSPL-HIGH-LIC=" license at the following link. Do you have the license XML file now?
http://www.cisco.com/c/en/us/products/collateral/security/cloud-web-security/guide-c07-736675.html?cachemode=refresh
06-29-2016 06:28 PM
Thanks Tao,
I don't have the license XML file. Just the PAK code for the license. Where do you get the system serial number from to fulfill the PAK for AWR? The AWR running on the Windows instance does not have any. Is it the serial number for the SMA appliance? We have a Cisco M300V 9.6 instance of SMA appliance.
06-29-2016 06:44 PM
Please try the SMA SN first. If it does not work, can you please create a case with our licensing team?
06-30-2016 10:03 PM
Thanks Tao,
I have opened a support case with Cisco Licensing.
With regards to configuration, would the log transfers for accesslog, trafmonlogs, amp_logs be configured as a Syslog Push operation on the WSA? On the AWR side, do you just configure a Local Input -> UDP 514 data input? I have done this but still don't see any activity in AWR. Is there a document on the process?
Regards,
Rick.
06-30-2016 10:09 PM
Please refer to the following doc to configure AWR, especially the "Create the Folder Structure for Access and Traffic Monitor Log Files" part. Hope it helps.
http://www.cisco.com/c/dam/en/us/td/docs/security/wsa/Advanced_Reporting/WSA_Advanced_Reporting_5/Advanced_Web_Security_Reporting_5.pdf
06-30-2016 10:14 PM
Thanks Tao,