Cannot get WSS log events into a custom index in Splunk with SyncAPI

Article ID: 205608
Products

Web Security Service - WSS

Issue/Introduction

Integrating Splunk SIEM with WSS Cloud.

After successfully installing the WSS application on Splunk, the logs are going to the main index instead of the WSS index that the SIEM team created.

Cannot find an option to select the new index while adding the data into Broadcom's WSS Splunk app.

Integration of the API key with Splunk is working and we are seeing logs; the only issue is that the logs are going to the main index. The documentation provided says that the index name can be changed, but does not stipulate how to change it.

Environment

WSS SyncAPI enabled

Splunk WSS plugin installed

Resolution

In Splunk, events from an input that does not set an index are written to the default index, main. The batch input stanza shipped with the WSS TA does not set one, which is why the WSS events land in main. To ingest them into a different index, override the stanza in the app's local directory (default/ is overwritten on every app upgrade; local/ is preserved) by performing the following steps:

* Create the target index on the indexer(s) first. Events routed to an index that does not exist are discarded with a warning in splunkd.log, not queued.
* Copy inputs.conf from default ($SPLUNK_HOME/etc/apps/TA-SymantecWebSecurityService/default) to local ($SPLUNK_HOME/etc/apps/TA-SymantecWebSecurityService/local).
* In the local copy, add index = <index_name> to the batch stanza, so that it reads:

[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole
index = <index_name>

* Save it.
* Restart Splunk.
* Confirm the override is in effect with $SPLUNK_HOME/bin/splunk btool inputs list --debug, which prints each setting with the file it came from, and then verify with the search index=<index_name> sourcetype=symantec:websecurityservice:scwss-poll that new events arrive in the custom index.

Note that if the index is changed, a role needs to be created too. The built-in "user" role searches only main by default (srchIndexesDefault = main), so searches by users who hold only that role and do not specify index= will no longer return WSS events, even though the data is indexed. Create a role as follows:

* Go to Settings -> Roles.
* Create a new role and inherit the role "user".
* Add the new index to "Indexes searched by default" (the index must also be among the indexes the role is allowed to search, or the default has no effect).
* Assign the SIEM team's users to the new role.

Alternatively, users can keep their existing role and always specify index=<index_name> explicitly in their searches.
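The following script is an added example, not Broadcom's or Splunk's own code, that performs both parts of the resolution from the command line: it stages default/inputs.conf into local/ and adds index = <name> to the batch stanza (matching only the end of the stanza header, so the full spool path, which the article truncates, does not have to be known), and it writes the authorize.conf equivalent of the Settings -> Roles steps. The index name "wss", the role name "wss_user", the sample inputs.conf built for the demo, and the assumption that the "wss" index already exists on the indexers are all illustrative choices, not taken from the article.

```shell
#!/bin/sh
# Added example (not Broadcom's or Splunk's code): script the two Resolution
# steps of the article.  Assumptions not taken from the article: the index
# name "wss", the role name "wss_user", the constructed sample inputs.conf
# used in the demo, and that the "wss" index already exists on the indexers.
set -eu

TA_NAME=TA-SymantecWebSecurityService
STANZA_SUFFIX='stash_ta_scwss_logs.zip]'   # end of the batch stanza header

# Copy default/inputs.conf to local/inputs.conf unless local/ already has one
# (local/ survives app upgrades; default/ is overwritten by them).
stage_local_inputs() {            # $1 = app directory
    [ -f "$1/local/inputs.conf" ] && return 0
    mkdir -p "$1/local"
    cp "$1/default/inputs.conf" "$1/local/inputs.conf"
}

# Add "index = $3" directly under the stanza whose header ends with $2 in $1,
# dropping any stale index= line inside that stanza so it is never duplicated.
add_index_to_stanza() {           # $1 = conf file, $2 = header suffix, $3 = index
    awk -v suffix="$2" -v idx="$3" '
        /^\[/ {
            n = length(suffix)
            in_target = (length($0) >= n && substr($0, length($0) - n + 1) == suffix)
            print
            if (in_target) print "index = " idx
            next
        }
        in_target && /^[ \t]*index[ \t]*=/ { next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Role that inherits "user" and searches the custom index by default.
# srchIndexesAllowed must also list the index, or the default has no effect.
write_role() {                    # $1 = authorize.conf, $2 = role, $3 = index
    printf '\n[role_%s]\nimportRoles = user\nsrchIndexesAllowed = %s\nsrchIndexesDefault = %s\n' \
        "$2" "$3" "$3" >> "$1"
}

# Apply both steps under a Splunk home and restart if the binary is present.
configure_wss_index() {           # $1 = SPLUNK_HOME, $2 = index, $3 = role
    app="$1/etc/apps/$TA_NAME"
    stage_local_inputs "$app"
    add_index_to_stanza "$app/local/inputs.conf" "$STANZA_SUFFIX" "$2"
    mkdir -p "$1/etc/system/local"
    write_role "$1/etc/system/local/authorize.conf" "$3" "$2"
    if [ -x "$1/bin/splunk" ]; then
        "$1/bin/splunk" restart
    else
        echo "no splunk binary under $1; restart skipped" >&2
    fi
}

# --- demo on a constructed directory tree (no real Splunk install needed) ---
DEMO_HOME=$(mktemp -d)
mkdir -p "$DEMO_HOME/etc/apps/$TA_NAME/default"
# Constructed copy of the stanza as printed in the article; the "..." is the
# article's own truncation of the spool path and is kept verbatim here.
cat > "$DEMO_HOME/etc/apps/$TA_NAME/default/inputs.conf" <<'EOF'
[batch://$SPLUNK_HOME/var/spool/splunk/...stash_ta_scwss_logs.zip]
sourcetype = symantec:websecurityservice:scwss-poll
move_policy = sinkhole
EOF

configure_wss_index "$DEMO_HOME" wss wss_user
DEMO_INPUTS="$DEMO_HOME/etc/apps/$TA_NAME/local/inputs.conf"
DEMO_AUTH="$DEMO_HOME/etc/system/local/authorize.conf"
cat "$DEMO_INPUTS" "$DEMO_AUTH"
```

To use it on a real host, replace the demo section with configure_wss_index "$SPLUNK_HOME" <index_name> <role_name> and add the users to the new role afterwards; the stanza edit is idempotent, so rerunning it after an app upgrade re-applies the override without duplicating the index line.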