Enabling logging on WSA

Article ID: 171372

Products

CASB Audit CASB Gateway Advanced Data Loss Prevention Cloud Package

Issue/Introduction

To enable logging on WSA, do the following.

Resolution

Introduction

The Cisco WSA (Web Security Appliance) helps organizations get advanced threat defense, advanced malware protection, application visibility and control, insightful reporting, and secure mobility. The Cisco Web Security Appliance (WSA) combines all of these forms of protection and more in a single solution. The WSA also helps to secure and control web traffic, while simplifying deployment and reducing costs. The two main WSA log file subscriptions typically used by administrators are the Access Log and the W3C Access Log, which record all Web Proxy filtering and scanning activity.

These logs can be configured to either:
● FTP them onto the Appliance itself
● FTP them onto an FTP Server
● SCP them onto an SCP Server (or into Elastica via an SCP/SFTP connection)
● Push them via Syslog
○ When using Syslog UDP, keep in mind that the logs get truncated at 1024 characters

Supported Cisco WSA Version

Cisco WSA minimum supported version: 7.7

Supported Cisco WSA Log Formats

Elastica Audit supports the following log formats, either written directly (RAW) by the firewall or transported over syslog, where a syslog server receives the logs from the WSA and writes them to file(s). These files can be transferred to Elastica CloudSoc using SFTP/SCP. Optionally, you can use the Elastica SpanVA appliance to collect logs from all your firewalls and proxies and transfer them to Elastica CloudSoc. For further details on how you can use Elastica SpanVA to simplify ongoing log collection and transfer, please contact your Elastica representative.

How to Enable Logging on the WSA

To view the different types of subscriptions, go to System Administration → Log Subscriptions.

Configuring Access Log Messages

To set up access logs:

Go to System Administration → Log Subscriptions → accesslogs
By default, accesslogs are available over FTP on the appliance itself, but they can be configured to be FTP’d, SCP’d or Syslog’d to a different server. WSA also provides an option for adding Custom Fields. Ensure that the Log Style is set to Squid.
Once the right mechanism has been set up for your WSA accesslogs, they can be compressed and uploaded to Audit for analysis.
Note: Remember to Commit Changes for them to take effect.

Configuring W3C Log Messages

To set up W3C logs:

Go to System Administration → Log Subscriptions → Add Log Subscription
● In the Log Type, choose W3C
● Provide a Log Name
● Select the Desired Log Fields (Note: either timestamp, or [date, time], or x-local_time is required)
● Select the Log Retrieval method (Syslog shown in the example)
Note: Remember to Commit Changes for them to take effect.

Syslog Push

In the W3C example above, the Retrieval Method was set to Syslog Push, which sends log messages to a remote syslog server on port 514. This method conforms to RFC 3164.

When you choose this method, you must enter the following information:
● Syslog server hostname
● Protocol to use for transmission, either UDP or TCP
● Maximum message size
○ Valid values for UDP are 1024 to 9216.
○ Valid values for TCP are 1024 to 65535.
● Facility to use with the log

Configuring an SCP connection and managing SSH keys for key-based SCP

First, create a new SCP connection from the Elastica Portal: Audit → Sources
Click Create Connection and copy the relevant SCP Server, Username and Data Source Path information to be supplied to WSA. Since WSA supports only key-based SCP, the password is ignored here.
Go back into your Cisco WSA Portal and set up an SCP connection:
Go to System Administration → Log Subscriptions → Add Log Subscription
● In the Log Type, choose W3C
● Provide a Log Name
● Select the Desired Log Fields (Note: either timestamp, or [date, time], or x-local_time is required)
● Enter the desired Rollover parameters, by size or by time, indicating how often the files are SCP’d over
● Select SCP as the Log Retrieval method
● Enter the SCP Host, Directory and Username as provided in the Elastica Portal
● Clicking Submit displays the WSA Public SSH Key to be provided to the Elastica Portal
● Copy this Key
● Commit Changes for them to take effect.

Go to the Elastica Portal (User → Settings → SSH Keys) and provide this SSH Key so that it can be synced to its SCP/SFTP servers.
● Click on ADD NEW KEY
● Provide a Name, a Description and the SSH Key
● Click on ADD
This Key will then be copied over to the Elastica SCP Servers in your account, and Cisco WSA will be able to SCP the logs based on the Rollover Frequency that was configured.

Destinations Discovery Support

Destinations are discovered by the Audit WSA data source when the following fields are added to your Log Subscription:
● s-ip (for W3C Logs)
● %k (for Access Logs)
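The W3C field requirements above (a time field plus s-ip for destination discovery) and the Syslog UDP truncation limit from the introduction can be checked before a file is uploaded to Audit. The following pre-flight script is an added example, not Cisco's or Elastica's code; the sample log is constructed, and the field names other than timestamp, x-local_time, date, time and s-ip are assumed WSA W3C field names.

```python
from typing import List, Tuple

# Syslog UDP truncates WSA messages at this many characters (from the page).
UDP_TRUNCATION_LIMIT = 1024

# Constructed sample log (not captured traffic): a directive block and three
# records; the last one is deliberately cut short to imitate a truncated message.
SAMPLE_W3C = """#Version: 1.0
#Fields: timestamp x-elapsed-time c-ip s-ip cs-method cs-url sc-http-status
1704067200.101 45 10.0.0.5 93.184.216.34 GET http://example.com/ 200
1704067201.202 12 10.0.0.6 93.184.216.34 CONNECT example.com:443 200
1704067202.303 30 10.0.0.7 93.184.216.34 GET http://exam
"""

Record = Tuple[str, List[str]]  # (raw line, space-separated values)


def parse_w3c(text: str) -> Tuple[List[str], List[Record]]:
    """Return the #Fields list and (raw line, values) for every record line."""
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines carry no records
        else:
            records.append((line, line.split()))
    return fields, records


def check_fields(fields: List[str]) -> List[str]:
    """Apply the page's two field requirements to a subscription's #Fields."""
    problems: List[str] = []
    has_time = ("timestamp" in fields or "x-local_time" in fields
                or {"date", "time"} <= set(fields))
    if not has_time:
        problems.append("no time field: need timestamp, date+time or x-local_time")
    if "s-ip" not in fields:
        problems.append("no s-ip field: Audit cannot discover destinations")
    return problems


def find_truncated(fields: List[str], records: List[Record]) -> List[int]:
    """Indices of records that are short of values or hit the UDP size limit."""
    return [i for i, (raw, values) in enumerate(records)
            if len(values) < len(fields) or len(raw) >= UDP_TRUNCATION_LIMIT]


if __name__ == "__main__":
    flds, recs = parse_w3c(SAMPLE_W3C)
    print(check_fields(flds), find_truncated(flds, recs))  # [] [2]
```

Run it against a real exported W3C file by replacing SAMPLE_W3C with the file contents; a non-empty result from either check means the subscription or the transport needs adjusting before upload.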