Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Cisco Cloud Web Security

 

The JSA DSM for Cisco Cloud Web Security (CWS) collects web usage logs from a Cisco Cloud Web Security (CWS) storage by using an Amazon S3 - compatible API.

The following table describes the specifications for the Cisco Cloud Web Security DSM:

Table 1: Cisco Cloud Web Security DSM Specifications

Specification

Value

Manufacturer

Cisco

DSM name

Cisco Cloud Web Security

RPM file name

DSM-CiscoCloudWebSecurity-JSA_version-build_number.noarch.rpm

Supported versions

N/A

Protocol

Amazon AWS S3 REST API

Event format

W3C

Recorded event types

All web usage logs

Automatically discovered?

No

Includes identity?

No

Includes custom properties?

No

More information

Cisco CWS product information (https://www.cisco.com/go/cws)

To integrate Cisco Cloud Web Security with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs, in the order that they are listed, on your JSA console:

    • Protocol Common RPM

    • Amazon AWS REST API Protocol RPM

    • DSMCommon RPM

    • Cisco Cloud Web Security DSM RPM

  2. Enable Log Extraction in your Cisco ScanCenter (administration portal).

  3. Add a Cisco Cloud Web Security log source on the JSA console. The following table describes the parameters that require specific values for Cisco Cloud Web Security event collection:

    Table 2: Cisco Cloud Web Security Log Source Parameters

    Parameter

    Value

    Log Source type

    Cisco Cloud Web Security

    Protocol Configuration

    Amazon AWS S3 REST API

    Log Source Identifier

    The Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the Log Source Name. If you configured more than one Cisco CWS log source, you might want to identify the first log source as ciscocws1, the second log source as ciscocws2, and the third log source as ciscocws13.

    Signature Version

    Select Signature Version 2.

    If your Cisco CWS API is using Signature Version 4, contact your system administrator.

    Region Name

    The region that is associated with the Amazon S3 bucket. Applicable only to Signature version 4.

    Service Name

    The name of the Amazon Web Service. Applicable only to Signature version 4.

    Bucket Name

    The name of the Cisco CWS bucket where the log files are stored.

    Endpoint URL

    https://vault.scansafe.com/

    Public Key

    The access key to enable log extraction from the Cisco CWS bucket.

    Access Key

    The secret key to enable log extraction from the Cisco CWS bucket.

    Directory Prefix

    The location of the root directory on the Cisco CWS storage bucket from where the Cisco CWS logs are retrieved. For example, the root directory location might be cws-logs/.

    File Pattern

    .*?\.txt\.gz

    Event Format

    W3C. The log source retrieves W3C text formatted events.

    Use Proxy

    When a proxy is configured, all traffic for the log source travels through the proxy so that JSA can access the Amazon AWS S3 buckets.

    Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, leave the Proxy Username and Proxy Password fields blank.

    Automatically Acquire Server Certificate(s)

    If you select Yes, JSA downloads the certificate and begins trusting the target server.

    Recurrence

    Specifies how often the Amazon AWS S3 REST API Protocol connects to the Cisco CWS API to check for new files, and retrieves them if they exist. The format is M/H/D for Months/Hours/Days. The default is 5 M.

    Every access to an AWS S3 bucket incurs a monetary cost to the account that owns the bucket. Therefore, a smaller recurrence value increases the cost.

The following table shows a sample event message from Cisco Cloud Web Security:

Table 3: Cisco Cloud Web Security Sample Message

Event name

Low level category

Sample log message

c:comp - block

Access Denied

2016-08-22 18:22:34 GMT 127.0.0.1 127.0.0.1 GET http www.cisco.com 80 / Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0 - 0 0 0 1.1.1.1 c:comp Block all block category Computers and Internet 127.0.0.1 0 Unknown

Configuring Cloud Web Security to Communicate with JSA

To send events from Cloud Web Security to JSA, you must enable log extraction in Cisco CWS ScanCenter.

The log extraction service must be enabled and provisioned for your company. You must have super user administrator privileges to access the Log Extraction page.

  1. Log in to your Cisco ScanCenter account.
  2. Click the Admin tab to view the administration menus.
  3. From the Your Account menu, click Log Extraction.
  4. In the Actions column in the Credentials area, click Issue Key.
  5. In the Warning dialog box, click Issue & Download.

    A key pair is issued and the keypair.csv file is downloaded.

    The Access Key and Last issued column values are updated. The secret key does not display in the user interface (UI).

  6. Open the keypair.csv file and make a copy of the accessKey and secretKey.

    The keypair.csv file contains a 20 character string access key and a 40 character string secret key. The key pair values that you copied are used when you configure the log source in JSA.

  7. From the Connection Details pane, copy and record the values in the Endpoint and Bucket columns.

    The connection details values that you copied are used when you configure the log source in JSA.

Configure the log source in JSA.

For more information about Cisco CWS log extraction, see the Cisco ScanCenter Administrator Guide, Release 5.2 on the Cisco website (https://search.cisco.com/search?query=cisco%20scancenter%20administrator%20guide&locale=enUS&tab=Cisco).