Configure the Splunk Web Security Service App

Article ID: 173498

Products

Web Security Service - WSS

Issue/Introduction

As an administrator, I would like to ingest the Web Security Service proxy raw access log into Splunk Enterprise.

Environment

Splunk Enterprise

Web Security Service

Resolution

Configuration is needed on both Splunk and the WSS portal:

  1. Download the Symantec Enterprise APPS for Splunk: Web Security Service Splunk App.
  2. Install both the TA-SymantecWebSecurityService and SymantecWebSecurityService applications.
  3. Log into Splunk. Go to Apps > Manage Apps and click on Install app from a file.





  4. Upload “SymantecWebSecurityService-S16-1.0.0-17.tar.gz” and “TA-SymantecWebSecurityService-S16-1.1.1-34.tar.gz”



  5. Log in to the WSS portal and add the Application Programming Interface (API) key

    • Navigate to Account Configuration > API Credentials
    • Click Add API Credentials. The WSS displays the New API Credential dialog, which contains a randomly generated Username and Password.
    • Check the boxes for "Reporting Access Logs" and "Audit Logs".



  6. Complete the setup for the TA: in Splunk, go to Settings > Data inputs.



  7. Find “Symantec Web Security Service” and click on “+ Add new”:

     - Name: Name of input
     - API User Name: the user that connects to the threat pulse portal (the one you created earlier in step 5)
     - API Key: the password for the API from the threat pulse portal (step 5)
     - Data collection start time
     - Click on “more Settings”



  8. Make sure source type is set to “manual” and “source type” is: symantec:websecurityservice:scwss-poll




  9. Click on “next” and “start searching”, or
    go to Apps > Symantec Web Security Service App For Splunk to see all dashboards for real-time data monitoring.
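
To confirm that the input from steps 6 to 8 is actually delivering events, a search like the following can be run in Splunk. This is an added example, not part of the Symantec apps or the original article. It assumes the events may land in any index (index=*) and uses a 60-minute staleness threshold, which is an arbitrary value to adjust to your polling interval.

```spl
| tstats count AS events, min(_time) AS first_event, max(_time) AS last_event
    WHERE index=* sourcetype="symantec:websecurityservice:scwss-poll"
    BY index, source
| eval lag_minutes = round((now() - last_event) / 60, 1)
| eval status = if(lag_minutes > 60, "STALE", "OK")
| convert ctime(first_event) ctime(last_event)
| sort - lag_minutes
```

An empty result means no events with this source type have been indexed; recheck the API credentials from step 5 and the source type from step 8.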
