ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Configure the Splunk Web Security Service App


Article ID: 173498


Updated On:


Web Security Service - WSS


As an administrator, I would like to ingest the Web Security Service proxy raw access log to Splunk Enterprise


Splunk Enterprise

Web Security Service


The configuration needed on the Splunk and WSS portal:

  1. Download the Symantec Enterprise APPS for Splunk: Web Security Service Splunk App
  2. Install both TA-SymantecWebSecurityService and SymantecWebSecurityService applications
  3. Log into Splunk. Go to Apps>Manage Apps and click on Install app from a file.

  4. Upload “SymantecWebSecurityService-S16-1.0.0-17.tar.gz” and “TA-SymantecWebSecurityService-S16-1.1.1-34.tar.gz”

  5. Log in to the WSS portal and add the Application Programming Interface (API) key

    • Navigate to Account Configuration > API Credentials
    • Click Add API Credentials. The WSS displays the New API Credential dialog, which contains the random characters Username and Password.
    • Check the boxes for "Reporting Access Logs" and "Audit Logs"

  6. Complete setup for TA, on Splunk, go to Go to Settings > Data inputs

  7. Find “Symantec Web Security Service” and click on “+ Add new

     - Name: Name of input
     - API User Name: User to connect to threat pulse portal. The one you created earlier in step 5
     - API Key: password for API from threat pulse portal (step 5)
     - Data collection start time
     - Click on “more Settings:

  8. Make sure source type is set to “manual and “source type” is: symantec:websecurityservice:scwss-poll

  9. Click on “next” and “start searching” or
    Click on to see all dashboards >Apps>Symantec Web Security Service App For Splunk for real-time data monitoring