
sourcetype cisco:wsa:l4tm documented, but not working #1998

Open
schose opened this issue Feb 6, 2023 · 2 comments

Comments


schose commented Feb 6, 2023

Hi all,

In the sc4s documentation cisco:wsa:l4tm is listed as a usable sourcetype. Splunk Docs also describe it: "to collect data for access logs, W3C logs, and L4TM logs for the Cisco Web Security Appliance, you must use Splunk Connect for Syslog."

In the Cisco product documentation, the row "Traffic Monitor Logs | Records sites added to the L4TM block and allow lists. | No | Yes" lists "Supports Syslog Push?" -> "No".

On recent v14.5.1-008 there is still no option to send l4tm logs using syslog:
(screenshot)

Can anybody help clarify whether this is a double documentation bug, or give any hints on how to ingest cisco:wsa:l4tm using syslog?

Thanks for all in advance!

Andreas

Contributor

bparmar-splunk commented Feb 7, 2023

Hi @schose,
To ingest Cisco WSA logs, please refer to these docs, which help you configure SC4S to route logs to Splunk.
Doc link: https://docs.splunk.com/Documentation/AddOns/released/CiscoWSA/Installationsteps

Author

schose commented Feb 7, 2023

Hi @bparmar-splunk ,

Just to clarify: in the Splunk docs it is stated that you can ingest Traffic Monitor Logs (cisco:wsa:l4tm) using syslog. The vendor (Cisco) documents that this is not possible. I also tried to show in the screenshot that Cisco's documentation is right.

My question is: is this a mistake in your documentation? How do you ensure that the sourcetypes listed under "known vendors" are really working?

Best regards,

Andreas
