WebTx Plugin for Log Shipper
WebTx Plugin for Log Shipper
This document explains how to configure the WebTX Plugin for the Log Shipper module on the Netskope Cloud Exchange platform. If Log Shipper needs to transmit web transaction logs to a 3rd-party source, the Netskope WebTx plugin must be configured to extract those logs from Netskope.
Log Shipper does not filter on specific fields contained in the Web Transaction logs. Refer to Transaction Event Fields for more information. There are no options to select fields in the WebTx plugin configuration parameters. All logs will be sent to the destination configured in the SIEM mapping.
Note
You need to have Web Transactions v2 enabled on your Netskope tenant (if not, contact your CSM to get this feature enabled). Refer to Transaction Events for more information.
Prerequisites
To complete this configuration, you need:
- A Netskope tenant (or multiple, for example, production and development/test instances) that is already configured in Cloud Exchange.
- Event Streaming enabled on the Netskope tenant.
- A Netskope Cloud Exchange tenant with the Log Shipper module already configured.
- Connectivity to the following hosts:
- us-west1-pubsublite.googleapis.com (for US customers). europe-west3-pubsublite.googleapis.com (for EU customers). Alternatively, ensure Cloud Exchange can access *.googleapis.com (wildcard).
WebTx v2 Supported Plugins (aka Event Streaming)
- Syslog v2.0 (CEF, JSON)
- AlienVault v2.0 (CEF, JSON)
- Arcsight v2.0 (CEF, JSON)
- Azure Sentinel v2.0 (JSON)
- IBM Qradar v2.0 (CEF, JSON)
- LogRhythm v2.0 (CEF, JSON)
- Rapid7 v2.0 (CEF, JSON)
- Solarwinds v2.0 (CEF, JSON)
- Azure Storage (tar.gz)
- AWS Storage (tar.gz)
- Google Cloud Storage (tar.gz)
CE Version Compatibility
This plugin is compatible with all the supported Netskope CE Versions.
WebTx Plugin Support
This plugin is used to pull WebTx data from the Netskope Tenant.
| Event Types | No |
| Alert Types | No |
| WebTx | Yes |
Permissions
Web Transactions v2 should be enabled on the Netskope tenant.
API Details
Current core architecture uses pubsublite SDK for pulling WebTx logs from Google PubSub.
Workflow
- Get your Event Streaming info from your Netskope tenant.
- Configure the Log Shipper WebTx plugin.
- Configure a supported WebTx v2 plugin.
- Configure SIEM Mappings for WebTX.
- Log in to your Netskope tenant and go to Settings > Tools > Event Streaming.
- Copy the Subscription Endpoint.
- Click Generate and Download Key to get a Subscription Key.
 |
Configure the WebTx Plugin
- In Cloud Exchange, go to Settings > General and enable the Log Shipper module.
- Go to Log Shipper and click Plugins > Configure New Plugin.
- Search for and select the Netskope WebTx box to open the plugin creation pages.
- For Basic Information, enter a Configuration Name.
- Click Next.
- For Configuration Parameters, enter your Subscription Key and Subscription Endpoint, and then click Save.
Configure Log Shipper SIEM Mappings for the WebTx Plugin
- Go to Log Shipper > SIEM Mappings.
- Click Add SIEM Mapping.
- Select your Netskope WebTx plugin as the source.
- Select your Syslog plugin as the destination.
- Click Save.
After the SIEM mapping is added, the data will start getting parsed, transformed, and ingested into the syslog platform.
Validate the WebTx Plugin
Validate the Pull
To validate the pulling of WebTx from the Netskope tenant.
- Go to the Logging and search for the parsed logs.
Validate the Push
To validate the plugin workflow on Netskope Cloud Exchange.
- Go to Logging and search for ingested logs with the filter message contains ingested.
- The ingested logs will be filtered.
