Syslog and WebTx Plugins with Splunk for Log Shipper
This document explains how to ingest Netskope Alerts, Events, and web transaction logs in CEF format from Netskope Tenant to Splunk using Cloud Exchange via the Log Shipper Syslog and WebTx plugins.
Prerequisites
To complete this configuration, you need:
- A Netskope Tenant (or multiple, for example, production and development/test instances)
- A Netskope Cloud Exchange tenant with the Log Shipper module already configured.
- A Splunk instance.
Sizing Recommendations
Refer to the System Requirements for the available configurations. The medium specification is recommended when your data volume is up to roughly 100k events per minute (EPM).
Syslog Plugin Support
| Capability | Supported |
| --- | --- |
| Event Support | Yes |
| Alert Support | Yes |
| WebTx Support | Yes |
| Logs Support | Yes |
All Netskope events, alert logs, and web transaction logs will be shared.
Note
- The Incident event type is supported from Core version 4.1.0 onward.
- The CTEP alert type is supported from Core version 4.2.0 onward.
Compatibility
CE version: v4.1.0 and v4.2.0.
API Details
The plugin uses the Python standard-library logging module (not a third-party library) to push data to the Syslog collector.
Refer to the official documentation for more information on the logging module: https://docs.python.org/3/library/logging.html
Performance Matrix
| Metric | Value |
| --- | --- |
| Logs ingested | 9,940,000 in 2 hours |
| Stack size | Large (RAM: 32 GB, cores: 16) |
| Alerts/Events throughput | ~6 MBps |
| WebTx throughput | ~6 MBps |
Workflow
- Create a Data Collector on Splunk.
- Configure the Syslog Plugin for the Splunk integration.
- Configure the WebTx Plugin for the Splunk integration.
- Configure a Log Shipper Business Rule for the Splunk integration.
- Configure Log Shipper SIEM Mappings for the Splunk integration.
- Configure the WebTx Mappings (optional).
- Validate the Splunk integration.
Create a Data Collector on Splunk
If you do not have a Splunk instance, install Splunk first. Then create a TCP data input as follows.
- Log in to your Splunk instance.
- From the dashboard, go to Settings > Data inputs.
- Click Add new for the TCP input.
- Add your port and click Next.
- Select the source type if you already have any, or click New to create a new source type.
- Enter the source type. Select the Source Type Category based on your requirements, or keep it as is.
- Scroll down to Index. If you already have any index that you want to use, select it from the Index dropdown. Otherwise, click Create a new index, add an Index Name, click Save, and then click Review.
- Review the details and click Submit.
- Click Start searching.
Configure the Syslog Plugin
- In Cloud Exchange, go to Settings > Plugins. Search for and select the Syslog CLS plugin box.
- Add a Plugin configuration name, select a mapping file from the dropdown, and then click Next.
- Disable the first toggle button to ingest your alerts and events in JSON format. Leave it enabled to ingest them in CEF format.
Note
Use this mapping file to send all the fields.
- Click Next.
- Enter these parameters:
- Syslog server: the IP address of the Splunk instance.
- Syslog Protocol: the protocol of the Data input you created on Splunk (TCP in this example).
- Syslog Port: the port you entered when creating the Data input on Splunk.
- Click Save.
Note
Plain TCP or UDP syslog carries the log contents unencrypted and unauthenticated, and alerts and events can include user identities, URLs and file names. Keep the path between Cloud Exchange and the Splunk collector inside a trusted network segment, and restrict the Splunk input to the Cloud Exchange source address where your Splunk input supports a source restriction.
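The following pre-flight check is an added example written for this page; it is not Netskope's plugin code or a Cloud Exchange mapping file. It builds CEF lines from constructed Netskope-style records with the escaping CEF requires (pipe and backslash in header fields; backslash, equals sign and line breaks in extension values, so that a crafted file name cannot split one record into two syslog messages), ships them through Python's standard-library logging.handlers.SysLogHandler, the same module the plugin relies on, and proves the transport end to end against a throwaway loopback collector before Splunk is involved. The record field names, the severity mapping, the vendor/product/version strings, and the host splunk.example.internal with port 5140 in the commented call are all assumptions.

```python
"""Pre-flight check for the Syslog plugin path: CEF encoding plus a syslog
send over TCP/UDP. Added example, not Netskope's plugin code."""
import logging
import logging.handlers
import socket
import socketserver
import threading

# Constructed sample records; field names are illustrative, not a mapping file.
SAMPLE_ALERT = {
    "type": "alert",
    "alert_type": "DLP",
    "alert_name": "Upload | PII to personal storage",  # pipe in a header field
    "severity": "high",
    "user": "alice@example.com",
    "url": "https://files.example.com/upload?id=1|2",     # '=' in an extension value
    "policy": "Block PII = confidential",
    "file_name": "report.csv\r\nuser=mallory",             # embedded line break
}
SAMPLE_EVENT = {
    "type": "event",
    "event_type": "application",
    "severity": "low",
    "user": "bob@example.com",
    "app": "Box",
    "activity": "Download",
}

# Assumed Netskope severity -> CEF severity (0-10) mapping.
CEF_SEVERITY = {"low": 3, "medium": 5, "high": 8, "critical": 10}


def cef_escape_header(value: str) -> str:
    """Header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(value) -> str:
    """Extension values: backslash and '=' are escaped; CR/LF become the two-character
    sequences \\r and \\n so one record stays one syslog message."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(record: dict, vendor="Netskope", product="Netskope CE Log Shipper",
           version="4.2.0") -> str:
    """Render a record as CEF:0|Vendor|Product|Version|ClassID|Name|Severity|extension."""
    class_id = record.get("alert_type") or record.get("event_type") or record.get("type", "event")
    name = record.get("alert_name") or record.get("activity") or class_id
    severity = CEF_SEVERITY.get(str(record.get("severity", "")).lower(), 5)
    header = "|".join(cef_escape_header(str(v))
                      for v in (vendor, product, version, class_id, name, severity))
    extension = " ".join(f"{k.replace(' ', '_')}={cef_escape_extension(v)}"  # keys: no spaces
                         for k, v in record.items())
    return f"CEF:0|{header}|{extension}"


def ship_syslog(lines, host, port, protocol="TCP"):
    """Send each line as one syslog message. Plain TCP/UDP: no encryption, no auth."""
    socktype = socket.SOCK_STREAM if protocol.upper() == "TCP" else socket.SOCK_DGRAM
    handler = logging.handlers.SysLogHandler(address=(host, port), socktype=socktype)
    handler.setFormatter(logging.Formatter("%(message)s"))  # no level/timestamp prefix
    log = logging.Logger("cls-preflight")  # private logger: no handler leaks into the root
    log.setLevel(logging.INFO)
    log.addHandler(handler)
    try:
        for line in lines:
            log.info(line)
    finally:
        handler.close()
    return len(lines)


def run_loopback_check(lines, timeout=5.0):
    """Stand up a throwaway TCP collector on 127.0.0.1, ship `lines` to it with
    ship_syslog(), and return the received messages with the <PRI> prefix removed.
    A mismatch here means the sender is at fault, not Splunk."""
    done, received = threading.Event(), []

    class Collector(socketserver.StreamRequestHandler):
        def handle(self):
            received.append(self.rfile.read())  # read until the client closes
            done.set()

    server = socketserver.TCPServer(("127.0.0.1", 0), Collector)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        ship_syslog(lines, "127.0.0.1", server.server_address[1], "TCP")
        done.wait(timeout)
    finally:
        server.shutdown()
        server.server_close()
    messages = []
    for frame in b"".join(received).split(b"\x00"):  # SysLogHandler NUL-terminates each message
        if frame:
            text = frame.decode("utf-8")
            messages.append(text[text.index(">") + 1:] if text.startswith("<") else text)
    return messages


if __name__ == "__main__":
    for msg in run_loopback_check([to_cef(SAMPLE_ALERT), to_cef(SAMPLE_EVENT)]):
        print(msg)
    # Against a real Splunk TCP input (assumed host and port):
    # ship_syslog([to_cef(SAMPLE_ALERT)], "splunk.example.internal", 5140, "TCP")
```

Run it once against the loopback collector to confirm the two records come back intact and on two lines, then point `ship_syslog()` at the Splunk host and port you entered above and search for the `CEF:0|Netskope` prefix in the index you selected; if the loopback check passes but Splunk shows nothing, the problem is the network path or the Splunk input, not the CEF encoding.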
Configure the WebTx Plugin
Your Subscription Key and Subscription Endpoint, obtained from your Netskope tenant, are needed to configure the WebTx plugin. Once you have them, follow these steps.
- In Cloud Exchange, go to Settings > Plugins, and then search for and select the Netskope WebTx CLS plugin box.
- Enter a configuration name and click Next.
- Enter your Subscription Key and Subscription Endpoint, and then click Save.
Configure a Log Shipper Business Rule
Go to Log Shipper > Business Rule. The default business rule matches all alerts and events, so nothing is excluded. If you need to filter out a specific type of alert or event, click Create New Rule and configure a new business rule by adding a rule name and the specific filters.
Configure Log Shipper SIEM Mappings
- Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.
- Select the Source plugin (Netskope CLS plugin), Destination plugin (Syslog plugin), and a business rule, and then click Save.
- Click Add SIEM Mapping, select the Source plugin (Netskope WebTx plugin), Destination plugin (Syslog plugin), and a business rule, and then click Save.
Configure the WebTx Mapping
Use this configuration only when it is necessary to send specific WebTx fields in JSON format to the destination platform.
- Go to Settings > Log Shipper > Mapping.
- Clone the Syslog Default Mappings file.
- Enter the name of mapping file.
- Select the Editor view radio button.
- Scroll down to "webtx" and enter the specific WebTx fields inside the square brackets, each in double quotes (for example, "sc-status"). Separate multiple fields with commas.
Note
Refer to the Format 3 fields to choose the fields to add under "webtx".
- Go back to the configured plugin and edit the Mapping file.
- Disable the toggle button so that the data is sent in JSON format.
- Configure the SIEM mapping.
- Click Save.
Validate in Netskope Cloud Exchange
- Go to Logging.
- To see ingested alerts, filter with: message contains "ingested". Only the ingestion log entries are shown.
- To see ingested events, search: message Like "events" && message Like "ingested".
- To see ingested WebTx logs, search: message Like "ingested" && message Like "webtx".