Netskope Help

WebTx Plugin for Log Shipper

If Log Shipper needs to send web transaction logs to a third-party collector, the Netskope WebTx plugin must be configured to extract those logs from Netskope. This is not required if only event and alert logs will be pushed to a third-party collector.

Log Shipper does not filter on specific fields contained in the Web Transaction logs. Refer to Transaction Event Fields for more information. There are no options to select fields in the configuration parameters. All logs will be sent to the destination configured in the sharing rule.

Note

You need to have Web Transactions v2 enabled on your Netskope tenant (if not, contact your CSM to get this feature enabled). Refer to Transaction Events for more information.

Prerequisites

To complete this configuration, you need:

  • A Netskope Tenant (or multiple, for example, production and development/test instances).

  • Event Streaming enabled on the Netskope Tenant.

  • A Netskope Cloud Exchange tenant with the Log Shipper module already configured.

WebTx v2 Supported Plugins (aka Event Streaming)
  • Syslog v2.0 (CEF, JSON)

  • AlienVault v2.0 (CEF, JSON)

  • Arcsight v2.0 (CEF, JSON)

  • Azure Sentinel v2.0 (JSON)

  • IBM Qradar v2.0 (CEF, JSON)

  • LogRhythm v2.0 (CEF, JSON)

  • Rapid7 v2.0 (CEF, JSON)

  • Solarwinds v2.0 (CEF, JSON)

  • Azure Storage (tar.gz)

  • AWS Storage (tar.gz)

  • Google Cloud Storage (tar.gz)

Workflow
  1. Get Event Streaming info on a Netskope tenant.

  2. Configure the Log Shipper WebTx plugin.

  3. Configure a supported WebTx v2 plugin.

  4. Configure SIEM Mappings for WebTx.

Get Event Streaming info on a Netskope tenant

  1. Log in to your Netskope tenant and go to Settings > Tools > Event Streaming.

  2. Copy the Subscription Endpoint.

  3. Click Generate and Download Key to get a Subscription Key.

Configure the Log Shipper WebTx plugin

  1. In Cloud Exchange, go to Settings > Plugins.

  2. Search for and select the Netskope WebTx box to open the plugin creation pages.

    For Basic Information, enter a Configuration Name.

  3. Click Next.

  4. For Configuration Parameters, enter your Subscription Key and Subscription Endpoint, and then click Save.

Configure a supported WebTx v2 plugin

Syslog is the example used in this procedure. Verify that you have the Syslog v1.1.1 or greater plugin installed.

  1. Go to Settings > Plugins.

  2. Select Syslog v1.1.1 (CLS).

  3. For Basic Information, enter a Configuration Name.

  4. Select a mapping (the Syslog default in this case).

    • When sending traffic to a third-party application, you can select a mapping file to translate the data fields.

  5. Click Next.

  6. Enter the Configuration Parameters on the second page:

    • Syslog Server: Add your syslog server IP or DNS name.

    • Syslog Format: Enter CEF (if you plan on also supporting JSON)

    • Syslog Protocol: Enter UDP, TCP, or TLS.

    • Syslog Port: Add a port number to use. In this case, 514.

    • Syslog Certificate: If using the TLS protocol, enter the certificate.

  7. Click Save.

Configure SIEM Mappings for WebTx

  1. Go to Log Shipper > SIEM Mappings.

  2. Click Add SIEM Mapping.

  3. Select your Netskope WebTx plugin as the source.

  4. Select your Syslog plugin as the destination.

  5. Click Save.
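
Once the mapping is saved, you can confirm at the syslog destination that records arrive in the CEF format selected in the Syslog plugin by parsing the received lines. The following is an added example, not Netskope code; the sample line, its vendor and product strings, and its extension keys are constructed, because the real fields depend on the mapping file you selected.

```python
import re

# Constructed sample: one syslog line as a collector might receive it from the
# Syslog plugin in CEF format. Field names and values are illustrative only;
# the real extension keys depend on the mapping file selected in the plugin.
SAMPLE = (r"<14>Jan 01 00:00:00 ce-host CEF:0|ExampleVendor|Example\|Product|1.0|"
          r"webtx|web transaction|3|src=192.0.2.10 requestMethod=GET "
          r"request=https://example.com/a?x\=1 msg=two words here")

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "event_class_id", "name", "severity")
_PIPE = re.compile(r"(?<!\\)\|")                   # pipe not preceded by a backslash
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")  # start of a key=value pair


def _unescape(text):
    """Undo CEF escaping (\\| \\= \\\\) in a header field or extension value."""
    return re.sub(r"\\([|=\\])", r"\1", text)


def parse_cef(line):
    """Return (header dict, extension dict) for a syslog line carrying CEF.

    Raises ValueError when the line has no CEF payload or a short header, for
    example when the destination is receiving JSON or a truncated record.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    parts = _PIPE.split(line[start + 4:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header needs 7 pipe-delimited fields")
    header = {k: _unescape(v) for k, v in zip(HEADER_FIELDS, parts[:7])}
    ext, raw = {}, parts[7]
    keys = list(_KEY.finditer(raw))
    for i, m in enumerate(keys):
        # A value runs until the next " key=" token, so it may contain spaces.
        end = keys[i + 1].start() if i + 1 < len(keys) else len(raw)
        ext[m.group(1)] = _unescape(raw[m.end():end].strip())
    return header, ext


if __name__ == "__main__":
    print(parse_cef(SAMPLE))
```

Lines that raise ValueError are worth counting separately at the collector, since they indicate a format mismatch between the plugin configuration and what the SIEM expects.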