Missing details in Splunk logs

    Posted Oct 14, 2022 03:24 AM

    Hi Experts,

    When we are investigating WSS errors one of the key fields is the "Error ID" that appears to the end user:

    Unfortunately, when we ingest the logging from the WSS Splunk extension, we don't get this detail. It seems like it should be available from the WSS documentation, and it would be this field:

    x-bluecoat-reference-id
    Reference ID specified in the reference_id(Rule_ID) action in a policy rule.

    Reference: WSS Access Log Formats (broadcom.com)

    We just updated to the latest Splunk connector (TA-SymantecWebSecurityService-S39-2.1.0-69.tar__0.gz) in the hope of resolving this, but to no avail. Can you please advise why we may not be seeing this, or if we can enable it, or if it's on a future roadmap?


    Regards,
    Syera