Introduction
This document describes how to transfer logs from the Cisco Web Security Appliance (WSA) to a remote Secure Copy (SCP) server. You can configure the WSA logs, such as access and authentication logs, so that they are forwarded to an external server with SCP protocol when the logs roll-over or wrap.
The information in this document describes how to configure the log rotation rules as well as the Secure Shell (SSH) keys that are required for a successful transfer to an SCP server.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
This document is not restricted to specific software and hardware versions.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Configure
Complete these steps in order to configure the WSA logs so that they can be retreived with SCP on a remote server:
- Log into the WSA web GUI.
- Navigate to System Administration > Log Subscriptions.
- Select the name of the log(s) for which you desire to configure this retrieval method, such as access logs.
- In the Retrieval Method field, choose SCP on Remote Server.
- Enter the SCP host name or the IP address of the SCP server.
- Enter the SCP port number.
Note: The default setting is port 22.
- Enter the full path name of the SCP server target directory to which the the logs will be transfered.
- Enter the username for the SCP server authenticated user.
- If you want to automatically scan the host key or manually enter the host key, then enable Host Key Checking.
- Click Submit. The SSH key that you will place into the SCP server authorized_keys file should now appear near the top of the Edit Log Subscription page. Here is an example of a successfulmessage from the WSA:
- Click Commit Changes.
- If the SCP sever is a Linux or Unix server or a Macintosh machine, then paste the SSH keys from the WSA into the authorized_keys file located in the SSH directory:
- Navigate to the Users > <username> > .ssh directory.
- Paste the WSA SSH key into the authorized_keys file and save the changes.
Note: You must manually create an authorized_keys file if one does not exist in the SSH directory.
Verify
Complete these steps in order to verify that the logs are successfully transferred to the SCP server:
- Navigate to the WSA Log Subscriptions page.
- In the Rollover column, choose the log that you configured for SCP retrieval.
- Locate and click Rollover Now.
- Navigate to the SCP server folder that you configured for log retrieval and verify that the logs are transferred to that location.
Complete these steps in order to monitor the log transfer to the SCP server from the WSA:
- Log into the WSA CLI via SSH.
- Enter the grep command.
- Enter the appropriate number for the log that you want to monitor. For example, enter 31 from the grep list for the system_logs.
- Enter scp at the Enter the regular expression to grep prompt in order to filter the logs so that you can monitor only the SCP transactions.
- Enter Y at the Do you want this search to be case insensitive? prompt.
- Enter Y at the Do you want to tail the logs? prompt.
- Enter N at the Do you want to paginate the output? prompt. The WSA then lists the SCP transactions in real-time. Here is an example of successful SCP transactions from the WSA system_logs:
Wed Jun 11 15:06:14 2014 Info: Push success for subscription <the name of the log>:
Log aclog@20140611T145613.s pushed to remote host <IP address of the SCP Server>:22
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.