Visualize hidden Cisco WSA statistics
The most important system log for performance troubleshooting on Cisco WSA is the "hidden" prox_track log. It contains a lot of very helpful information, but unlike the default log types it cannot be configured, modified or pushed to a remote host; it must be retrieved with FTP/SCP. The Cisco WSA Insight Splunk App visualizes the prox_track and System Health (shd) logs, assists with troubleshooting of performance issues and gives insight into OS metrics. It can be used for ad-hoc troubleshooting or for continuous monitoring of Cisco WSA.
===Installation and configuration===
| System Health Logs | shd_logs/shd.current | cisco:wsa:shd |
===Special handling of track_stats/prox_track.log===
To feed only the newest entries of prox_track.log into Splunk, run the following (insecure) bash script as a cron job (replace operator, password and wsa with a username, a password and the appliance hostname accordingly):

```bash
#!/bin/bash
# Fetch prox_track.log from the WSA and append only the blocks written since the
# last run to prox_track.log; timestamp.txt holds the "Current Date:" header of
# the last block that was already fed into Splunk.
timestamp=$(date +%s)

# use one of the following methods:
lftp -e "open; get track_stats/prox_track.log -o $timestamp; quit" operator:password@wsa >/dev/null
# curl ftp://operator:password@wsa/track_stats/prox_track.log -s -o "$timestamp"
# scp operator@wsa:track_stats/prox_track.log "$timestamp"   # key-based login; scp takes no password in the URL

# On the first run (no timestamp.txt yet) or when the recorded header is no
# longer in the log, take the whole file; otherwise skip everything up to and
# including the block that was already processed.
if [ -s timestamp.txt ] && grep -q -F -f timestamp.txt "$timestamp"; then
    grep -A1000000 -F -f timestamp.txt "$timestamp" \
      | grep -A1000000 -P "^\s+ user time: " \
      | grep -A1000000 -E "^Current Date: " \
      | grep -E -f patterns.txt >> prox_track.log
else
    grep -E -f patterns.txt "$timestamp" >> prox_track.log
fi

# remember the last block header for the next run and clean up
grep "^Current Date:" "$timestamp" | tail -1 > timestamp.txt
rm -f "$timestamp"
```
Create a file patterns.txt with the following content; the script uses it as the grep pattern list so that only the lines of prox_track.log we need are kept:

```
^Current Date:
^INFO: proxy running for
^INFO: traffic over
^INFO: Transparent NTLMSSP
^INFO: Basic Auth
^INFO: Negotiate Auth
^INFO: AuthCache: Capacity
^INFO: DNS Cache Stats:
weightavg
user time:
system time:
block input operations:
block output operations:
DNS Time
Auth Helper Service Time
Auth Helper Wait Time
WBRS Wait Time
WBRS Service Time
Server Transaction Time
Server Wait Time
Client Time
```
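The incremental extraction above relies on a chain of `grep -A` calls and silently emits nothing on the first run or after the appliance rotates prox_track.log, because the recorded header is then absent. As an added example (not part of the Cisco WSA Insight app), the following POSIX shell functions do the same job with a single awk pass over the "Current Date:" block boundaries, fall back to the whole log when the state file is missing or its header no longer exists, and record the new state for the next run. File names, function names and the sample log lines are constructed for the example; the real log has many more lines per block.

```shell
#!/bin/sh
# Added example, not part of the Cisco WSA Insight app: emit only the
# prox_track.log blocks that are newer than the last one already sent to
# Splunk. Blocks start with a "Current Date:" line; the header of the last
# block fed is kept in a state file (timestamp.txt in the cron script).

# Print the blocks of log $1 that follow the header stored in state file $2.
# With no state, or when that header is no longer present (log rotated),
# the whole log is printed so that no block is lost.
new_blocks() {
    log="$1"; state="$2"; last=""
    if [ -s "$state" ]; then
        last=$(cat "$state")
        grep -qxF -- "$last" "$log" || last=""
    fi
    awk -v last="$last" '
        /^Current Date: / {
            if (last == "")      { emit = 1 }                  # no usable state: emit everything
            else if ($0 == last) { seen = 1; emit = 0; next }  # the block already fed: skip it
            else if (seen)       { emit = 1 }                  # newer than the state
            else                 { emit = 0 }                  # older than the state
        }
        emit { print }
    ' "$log"
}

# Record the most recent header of log $1 in state file $2 for the next run.
save_state() {
    grep '^Current Date: ' "$1" | tail -1 > "$2"
}

# Number of blocks new_blocks would emit for the given log and state file.
count_new_blocks() {
    new_blocks "$1" "$2" | grep -c '^Current Date: ' || true
}

# Constructed sample log with three blocks (format abbreviated for the example).
write_sample_log() {
    cat > "$1" <<'EOF'
Current Date: Mon Jan  1 10:00:00 2024
INFO: proxy running for 1000 seconds
  user time: 10.5
Current Date: Mon Jan  1 10:05:00 2024
INFO: proxy running for 1300 seconds
  user time: 11.2
Current Date: Mon Jan  1 10:10:00 2024
INFO: proxy running for 1600 seconds
  user time: 12.0
EOF
}

# Cron usage after the log has been fetched to track_stats/prox_track.log:
#   new_blocks track_stats/prox_track.log timestamp.txt | grep -E -f patterns.txt >> prox_track.log
#   save_state track_stats/prox_track.log timestamp.txt
```

The fallback matters operationally: a state header that is no longer in the log means either a rotation or a restored appliance, and re-feeding the whole file once is cheaper than a silent gap in the Splunk data. Keep the `grep -E -f patterns.txt` filter from the cron script in the pipeline so that only the lines the app parses are indexed.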
It is suggested to use a .netrc file to keep the credentials out of the script, or better still to use scp with key-based authentication instead of lftp to retrieve the prox_track log.
Use operator credentials instead of admin to reduce the security exposure.
Everything you do with this app is at your own risk!
This is the first public release; consider it beta.
added connections view