WSA and Splunk Integration - File Rollover Configuration

Matthew Martin
Level 5

Hello All,

We have our Cisco WSAs (Web Security Appliance S170) Log Subscriptions configured to send Access, AMP and Traffic logs to a remote FTP server that is running Splunk and the Cisco Web Security Advanced Reporting 4.5.0 Add-On.

For quite a while we did not have log rotation set up on the Splunk server, and after a few weeks Splunk got filled to capacity, which in turn caused the WSAs' log partitions/directories to back up to 100% capacity as well.

So, at the moment, I am configuring log rotation for the logs sent over by the WSA server, and I am also deleting all the very old log files sent by the WSA.

What I would like to figure out now is whether there is a way to have the WSA server send (i.e. "roll over") the logs to the Splunk server fairly often, maybe every couple of minutes, and have it APPEND to a single log file instead of creating a new file every 5 minutes when it FTPs the current log file. I am assuming this might be something I would need to configure on the Splunk server (the Splunk server OS is SLES 11.4), but I'm not too sure yet how to accomplish this, if it's possible. Maybe using syslog-ng or something along those lines? As an example of roughly what I want to do, we have our SIP Gateway configured to send the SIP messages to a syslog server, where it continuously updates the same log file on that server.

So, for example, what I would like to achieve is this:
The WSA would send Access log data every 5 minutes to the Splunk server. The Splunk server would then append that incoming data to a file called "wsa-access.log". Then, once a day, logrotate would rotate the log file to "wsa-access.1.log" and clear out the "wsa-access.log" file to start fresh, and the WSA would then continue writing data to the same wsa-access.log file.

So does anyone know if something like this is possible to achieve? Any thoughts or suggestions would be greatly appreciated!

Thanks in Advance,
Matt

1 Reply
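For the FTP-push layout described in the post above (each push from the WSA lands as its own file on the Splunk host), one way to end up with the single append-only file plus daily rotation that the post asks for is a small consolidation script run from cron, paired with a logrotate stanza. This is an added example, not code from the thread or from Cisco or Splunk; the incoming directory, the file names, the `splunk` user and the cron schedule are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): merge the per-push files that a
# WSA FTP log subscription drops on the Splunk host into one append-only file,
# and emit a logrotate config that rotates that file once a day.
#
# Assumptions (constructed for illustration):
#   - pushed files land flat in $incoming (e.g. /var/log/wsa/incoming)
#   - their names carry a timestamp, so lexical order is chronological
#   - Splunk has a monitor input on the merged file, not on $incoming
#   - the script is run from cron, e.g.  */5 * * * * /usr/local/bin/wsa-consolidate.sh

# Append every finished file in $incoming to $target, oldest first, then delete it.
# Files modified within the last $min_age minutes are left alone because the FTP
# transfer may still be in progress (pass 0 to take everything, e.g. for testing).
consolidate_wsa_logs() {
    incoming="$1"; target="$2"; min_age="${3:-2}"
    if [ "$min_age" -gt 0 ]; then
        age_filter="-mmin +$min_age"
    else
        age_filter=""
    fi
    # $age_filter is intentionally unquoted so it splits into "-mmin" "+N".
    find "$incoming" -maxdepth 1 -type f $age_filter | sort |
    while IFS= read -r f; do
        # ">>" opens the target fresh each time, so after logrotate recreates
        # an empty wsa-access.log the next run simply appends to the new file.
        cat "$f" >> "$target" && rm -f "$f"
    done
}

# Write a logrotate stanza for the merged file. "create" (not copytruncate) is
# enough here because nothing holds the file open between cron runs, and Splunk's
# monitor input follows rotation of a file it is already tracking.
write_logrotate_config() {
    target="$1"; conf="$2"
    cat > "$conf" <<EOF
$target {
    daily
    rotate 14
    missingok
    notifempty
    compress
    delaycompress
    create 0640 splunk splunk
}
EOF
}

# Typical invocation from the cron job (paths are the assumed ones above):
#   consolidate_wsa_logs /var/log/wsa/incoming /var/log/wsa/wsa-access.log
#   write_logrotate_config /var/log/wsa/wsa-access.log /etc/logrotate.d/wsa
```

Note that logrotate's default naming produces wsa-access.log.1 rather than wsa-access.1.log; the rotation behaviour is otherwise the one described in the post. The age filter matters in practice: without it, a file that the WSA is still uploading would be appended half-finished and then deleted, and the rest of that push would be lost.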

Matthew Martin
Level 5

Apologies... I think I found the answer to my original question in the Log Subscription configuration.

I just noticed the Syslog Push option for sending log data to a remote server. This is what I'll want to use, correct?


*** QUESTION ***
I just deleted an FTP Log Subscription about 5-10 minutes ago for AMP logs that were FTP'ing once a minute to a remote server. However, I can still see AMP log files coming in to that remote server. Any idea why these are still being sent to this server even though I deleted the Log Subscription for it?

Thanks in Advance,
Matt