Configure the Cloud Secure Web Gateway (SWG) Splunk App


Article ID: 173498


Updated On: 04-03-2025

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

As an administrator, I would like to ingest the Cloud Secure Web Gateway (SWG) proxy raw access logs into my Splunk Enterprise instance.

Note: Symantec Splunk Apps are provided to assist with Splunk integration efforts. Symantec offers best-effort support for the Symantec Cloud SWG Splunk application. 

 

Environment

Splunk Enterprise

Cloud Secure Web Gateway (SWG)

Resolution

Complete the following steps:

  1. Download the WSS Splunk App: Web Security Service Splunk App
  2. Install both the TA-SymantecWebSecurityService and SymantecWebSecurityService applications.
  3. Log into Splunk.
  4. Go to Apps > Manage Apps and click Install app from a file.





  5. Upload “SymantecWebSecurityService-S16-1.0.0-17.tar.gz” and “TA-SymantecWebSecurityService-S16-1.1.1-34.tar.gz”.



  6. Log in to the Cloud SWG portal and add the Application Programming Interface (API) key:

    1. Navigate to Account Configuration > API Credentials.
    2. Click Add API Credentials. The portal displays the New API Credential dialog, which contains random characters for Username and Password.
    3. Copy the Username and Password to a file; you will need them to configure the App.
    4. Check the boxes for Reporting Access Logs and Audit Logs.
    5. Click Save.



  7. Complete the setup for the TA: in Splunk, go to Settings > Data inputs.



  8. Find Symantec Web Security Service and click + Add new.
  9. Enter the following settings:
    • Name: Name of input.
    • API User Name: User to connect to the Cloud SWG portal (the name created in step 6).
    • API Key: API password for the Cloud SWG portal (from step 6).
    • Data Collection Start Time: Start time in UTC.


  10. Click More settings. The dialog displays more settings.
  11. Make sure that Set sourcetype is set to Manual and Source type is symantec:websecurityservice:scwss-poll.




  12. Save the settings.
  13. Click Next to search for the app.
    Alternatively, to see all dashboards, click Apps > Symantec Web Security Service App For Splunk for real-time data monitoring.
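
A search to confirm that the input configured in steps 9 to 11 is delivering events under the expected source type. This is an added example, not part of the Symantec app or of this article; the 24-hour window is an assumption, and only default Splunk fields (index, source, _time, _indextime) are used.

```spl
index=* sourcetype="symantec:websecurityservice:scwss-poll" earliest=-24h
| stats count AS events,
        min(_time) AS first_event,
        max(_time) AS last_event,
        max(_indextime) AS last_indexed
        BY index, source
| eval minutes_since_last_index = round((now() - last_indexed) / 60, 1)
| convert ctime(first_event) ctime(last_event) ctime(last_indexed)
| sort - minutes_since_last_index
```

If the search returns no rows, recheck the API User Name and API Key from step 6, that Reporting Access Logs was checked in the portal, and that the source type in step 11 matches exactly. A steadily growing minutes_since_last_index means the input has stopped polling.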