
Netskope Help

Syslog and WebTx Plugins with Splunk for Log Shipper

This document explains how to ingest Netskope Alerts, Events, and web transaction logs in CEF format from Netskope Tenant to Splunk using Cloud Exchange via the Log Shipper Syslog and WebTx plugins.

Sizing Recommendation

Refer to System requirements for the different configurations. A system with the medium specification is recommended if your data volume is up to 100k EPM (events per minute).

Prerequisites

To complete this configuration, you need:

  • A Netskope Tenant (or multiple, for example, production and development/test instances).

  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.

  • A Splunk instance.

Workflow
  1. Create a Data Collector on Splunk.

  2. Configure the Syslog Plugin for the Splunk integration.

  3. Configure the WebTx Plugin for the Splunk integration.

  4. Configure a Log Shipper Business Rule for the Splunk integration.

  5. Configure Log Shipper SIEM Mappings for the Splunk integration.

  6. Validate the Splunk integration.


If you do not have a Splunk instance, follow these steps to install Splunk.

Create a Data Collector on Splunk

  1. Log in to your Splunk instance.

  2. From the dashboard, go to Settings > Data inputs.

  3. Click Add new for the TCP input.

  4. Add your port and click Next.

  5. Select the source type if you already have any, or click New to create a new source type.

  6. Enter the source type. Select the Source Type Category based on your requirements, or keep it as is.

  7. Scroll down to Index. If you already have any index that you want to use, select it from the Index dropdown. Otherwise, click Create a new index, add an Index Name, click Save, and then click Review.

  8. Review the details and click Submit.

  9. Click Start searching.

Configure the Syslog Plugin

  1. In Cloud Exchange, go to Settings > Plugins. Search for and select the Syslog CLS plugin box.

  2. Add a Plugin configuration name and click Next.

  3. Disable the first toggle button if you want to ingest your alerts and events in JSON format. Keep it enabled if you want to ingest your data in CEF format.

  4. Click Next.

  5. Enter these parameters:

    1. Syslog server: The IP address of the Splunk instance.

    2. Syslog Protocol: The protocol you selected when creating the Data input on Splunk (TCP).

    3. Syslog Port: The port you entered when creating the Data input on Splunk.

  6. Click Save.

Configure the WebTx Plugin

Your Subscription Key and Subscription Endpoint are needed to configure the WebTx plugin. To get your Subscription Key and Subscription Endpoint parameters, follow these steps.

  1. In Cloud Exchange, go to Settings > Plugins, and then search for and select the Netskope WebTx CLS plugin box.

  2. Enter a configuration name and click Next.

  3. Enter your Subscription Key and Subscription Endpoint, and then click Save.


Configure a Log Shipper Business Rule

Go to Log Shipper > Business Rule. The default business rule selects all alerts and events. If you need to filter on a specific type of alert or event, click Create New Rule and configure a new business rule by adding a rule name and specific filters.

Configure Log Shipper SIEM Mappings

  1. Go to Log Shipper > SIEM Mappings and click Add SIEM Mapping.

  2. Select the Source plugin (Netskope CLS plugin), Destination plugin (Syslog plugin), and a business rule, and then click Save.

  3. Click Add SIEM Mapping, select the Source plugin (Netskope WebTx plugin), Destination plugin (Syslog plugin), and a business rule, and then click Save.


Validate the Splunk Integration

In Cloud Exchange:

  1. In Log Shipper, go to Logging.

  2. Search for ingested logs with the filter <message Like "ingested">. Only the ingested logs are shown.


In Splunk:

On the Events tab in the Splunk UI, click Search to confirm that the forwarded alerts, events, and web transactions are arriving in the index you configured.
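As an added example (not Netskope's or Splunk's own code), the following parser reads the CEF lines the Syslog plugin forwards over TCP and is a quick way to check, before or alongside the Splunk search above, that fields such as severity, suser and msg extract cleanly despite CEF escaping. It assumes Cloud Exchange may prefix each line with a syslog header and that the severity field is numeric; the sample lines are constructed.

```python
import re

# Constructed sample lines shaped like the CEF events the Syslog plugin forwards
# (not captured from a real tenant). The first carries an RFC 5424 syslog header
# ahead of the CEF payload; the second has escaped '|' and '=' characters.
SAMPLE_LINES = [
    "<14>1 2024-01-01T00:00:00Z ce-host Netskope - - - CEF:0|Netskope|Cloud Exchange|1.0|alert|"
    "Malware detected|8|src=10.0.0.5 suser=alice@example.com act=block "
    "msg=user id\\=42 saw C:\\\\tmp fname=a.exe",
    "CEF:0|Netskope|Cloud Exchange|1.0|event|Page\\|Download|3|suser=bob@example.com "
    "request=https://example.com/?a\\=1 cs1=n/a",
]
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # unescaped key= at start or after a space

def _unescape(value):
    # CEF escapes: \= \| \\ \n \r (the last two become real control characters)
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def _split_header(cef):
    # Split on the first seven unescaped '|'; everything after them is the extension block.
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            buf.append(cef[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 pipe-delimited fields")
    return fields, cef[i:]

def parse_cef(line):
    """Parse one syslog/CEF line into a dict; raises ValueError on a malformed line."""
    start = line.find("CEF:")  # skip any syslog header in front of the payload
    if start < 0:
        raise ValueError("no CEF: marker on line")
    fields, ext = _split_header(line[start:])
    if not fields[6].isdigit() or not 0 <= int(fields[6]) <= 10:
        raise ValueError("severity must be an integer 0-10")
    keys = list(_KEY_RE.finditer(ext))
    extensions = {}
    for k, nxt in zip(keys, keys[1:] + [None]):  # each value runs up to the next key=
        extensions[k.group(1)] = _unescape(ext[k.end():nxt.start() if nxt else len(ext)].strip())
    return {"version": fields[0][4:], "vendor": fields[1], "product": fields[2],
            "device_version": fields[3], "signature_id": fields[4], "name": fields[5],
            "severity": int(fields[6]), "extensions": extensions}
```

Feed it the raw lines captured at the Splunk TCP input; any ValueError points at a line Splunk's CEF extraction would also struggle with.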