Configure the Cloud Secure Web Gateway (SWG) Splunk App
Article ID: 173498

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

As an administrator, I would like to ingest the Cloud Secure Web Gateway (SWG) proxy raw access logs into my Splunk Enterprise instance.

Environment

Splunk Enterprise

Cloud Secure Web Gateway (SWG)

Resolution

The following configuration is needed on both Splunk and the WSS portal:

  1. Download the WSS Splunk App: Web Security Service Splunk App
  2. Install both the TA-SymantecWebSecurityService and SymantecWebSecurityService applications.
  3. Log in to Splunk. Go to Apps > Manage Apps and click "Install app from file".
  4. Upload "SymantecWebSecurityService-S16-1.0.0-17.tar.gz" and "TA-SymantecWebSecurityService-S16-1.1.1-34.tar.gz".
  5. Log in to the WSS portal and add the Application Programming Interface (API) key:

    • Navigate to Account Configuration > API Credentials
    • Click Add API Credentials. WSS displays the New API Credential dialog, which contains a randomly generated Username and Password.
    • Check the boxes for "Reporting Access Logs" and "Audit Logs"

  6. Complete the setup for the TA on Splunk: go to Settings > Data inputs.
  7. Find "Symantec Web Security Service" and click "+ Add new":

     - Name: name of the input
     - API User Name: the user that connects to the ThreatPulse (WSS) portal, i.e. the username you created in step 5
     - API Key: the password for the API credential from the ThreatPulse (WSS) portal (step 5)
     - Data collection start time
     - Click "More Settings"

  8. Make sure the source type selection is set to "Manual" and the source type is: symantec:websecurityservice:scwss-poll
  9. Click "Next" and then "Start Searching", or go to Apps > Symantec Web Security Service App For Splunk to see all dashboards for real-time data monitoring.
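Once the input has been saved, Splunk writes it to the TA's local inputs.conf, and a misnamed or default sourcetype is the most common reason the dashboards stay empty. The following script is an added example (not part of the Symantec/Broadcom app or TA) that parses a Splunk .conf file and checks every stanza of the configured input scheme for the sourcetype named in step 8 and for the stanza being enabled. The modular-input scheme name "symantec_wss_input" and the sample file contents are placeholders constructed for the example; take the real scheme name from the TA's own inputs.conf under $SPLUNK_HOME/etc/apps/TA-SymantecWebSecurityService/local/.

```python
"""Verify the Cloud SWG data input's sourcetype in a Splunk inputs.conf.

Added example, not the TA's own code. Splunk .conf files are INI-style:
[stanza] headers, `key = value` lines, and `#` comments. Modular inputs use
stanza names of the form [scheme://input_name].
"""
from typing import Dict, List

# Sourcetype the article asks for in step 8.
EXPECTED_SOURCETYPE = "symantec:websecurityservice:scwss-poll"

# ASSUMPTION: placeholder scheme name; read the real one from the TA's inputs.conf.
DEFAULT_SCHEME = "symantec_wss_input"

# Constructed sample inputs.conf: one correct stanza and one broken stanza.
SAMPLE_INPUTS_CONF = """\
# constructed sample, not a real TA configuration
[symantec_wss_input://cloudswg_access_logs]
sourcetype = symantec:websecurityservice:scwss-poll
interval = 300
disabled = 0

[symantec_wss_input://cloudswg_wrong]
sourcetype = symantec:websecurityservice
disabled = 1
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a Splunk .conf file into {stanza_name: {key: value}}."""
    stanzas: Dict[str, Dict[str, str]] = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_inputs(text: str, scheme: str = DEFAULT_SCHEME) -> List[str]:
    """Return a list of problems for each [scheme://...] stanza; empty list means OK."""
    problems: List[str] = []
    found = False
    for name, kv in parse_conf(text).items():
        if not name.startswith(scheme + "://"):
            continue
        found = True
        sourcetype = kv.get("sourcetype")
        if sourcetype is None:
            # Without an explicit sourcetype Splunk falls back to its default,
            # and the app's searches will not match the events.
            problems.append(f"{name}: no sourcetype set")
        elif sourcetype != EXPECTED_SOURCETYPE:
            problems.append(
                f"{name}: sourcetype is {sourcetype!r}, expected {EXPECTED_SOURCETYPE!r}"
            )
        if kv.get("disabled", "0").lower() not in ("0", "false"):
            problems.append(f"{name}: input is disabled")
    if not found:
        problems.append(f"no [{scheme}://...] stanza found")
    return problems


if __name__ == "__main__":
    for problem in check_inputs(SAMPLE_INPUTS_CONF) or ["all inputs OK"]:
        print(problem)
```

Run it against the real file with `check_inputs(open(path).read(), scheme="<real scheme>")`; an empty result means every stanza for that scheme carries the sourcetype from step 8 and is enabled.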


Please note: Symantec Splunk Apps are freely downloadable and editable. As such, they are unsupported by Symantec and are provided to assist with Splunk integration efforts.