Because you cannot install a forwarder directly on a Cisco ESA appliance, you must configure the ESA to deliver its logs to a host running a Splunk forwarder or a single-instance Splunk Enterprise, where you can configure monitor inputs.
You can send text mail, HTTP, and SLL logs over syslog, but authentication logs must be transferred via FTP or SCP.
Avoid configuring Splunk to listen for syslog messages directly. Instead, you can collect Syslog data using Splunk Connect for Syslog (SC4S). To configure your deployment to use SC4S to collect Syslog data, follow the steps described in the Splunk Connect for Syslog manual.
Configure SLL logs
If SLL logs are configured on the system, make sure that delivery logs for the same system are not also enabled. Both log types are mapped to the same data model, Email, so collecting the same information from two sources produces duplicate events in Enterprise Security (ES).
As of version 1.4.0 of the add-on, Consolidated Event Logs is the recommended Log Subscription for collecting data, because it captures all information in SLL (Single Log Line) format.
- On your Cisco ESA, select System Administration > Log Subscriptions.
- In Add Log Subscription, select Consolidated Event Logs as the log type.
- Select the fields that you want in the consolidated event log.
- Select a log retrieval mechanism for the log subscription:
- Manually Download
- FTP Push
- SCP Push
- Syslog Push
- AWS S3 Push. Make sure that you have a valid AWS S3 bucket to use this retrieval method.
Send logs over Syslog
We recommend that you avoid listening directly for syslog and instead use Splunk Connect for Syslog. For more information, see the Splunk Connect for Syslog manual.
You can configure Cisco IronPort ESA to send text mail, SLL, and OAM log information over TCP or UDP. The default syslog port is 514. Ports below 1024 require root privileges on the receiving host, so if the Splunk process does not run as root, use a higher port such as 5140.
Authentication logs cannot be sent via Syslog.
Configure the device to send the data as Syslog over UDP/TCP.
- From the ESA console menu, navigate to System Administration > Log Subscriptions.
- Select the log name that you want to send to Splunk Enterprise, for example mail_logs.
- Provide the necessary information about the Syslog server.
- Repeat for any additional log files you want to send to Splunk Enterprise.
- Configure Splunk Enterprise to listen on the same port that you selected above to receive Syslog data from Cisco ESA.
Send logs via FTP or SCP
Work with your Cisco ESA administrator to determine the location of the authentication log files.
- On the ESA device, run this command:
  esa.acme.com> logconfig
  This command returns a list of log names, including authentication, antivirus, and cli_logs. The name of the log is also the name of the directory in which its files reside. The log files themselves are named with date and time stamps and carry an 's' suffix for saved (rolled-over) files and a 'c' suffix for the file currently being written.
- If it is not already enabled, enable FTP or SCP on the Cisco ESA device using the interfaceconfig command in the CLI.
- Ask your Cisco ESA administrator to set up an SCP or FTP job by running a command such as this one:
  scp 'admin@esa.acme.com:/authentication/*.s' <path to monitored ESA files>
- You may not want to copy all the saved files each time. Work with your Cisco ESA administrator to implement a batch transfer setup that complies with your enterprise policies and practices.
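The following script is an added example of the batch transfer described in the steps above; it is not part of the original page or of the Splunk add-on. It pulls the saved ('.s') authentication logs with the same scp pattern shown above, but keeps a state file of names already delivered so that a file is moved into the monitored directory only once, and the current file (still being written) is never copied. The host esa.acme.com, the user admin, the remote directory /authentication, the local directory /var/esa/authentication and the sourcetype cisco:esa:authentication are assumptions; override them through the environment or adjust them to your deployment.

```shell
#!/bin/sh
# Incremental SCP pull of saved Cisco ESA authentication logs into a
# directory that a Splunk forwarder monitors.
#
# Added example, not from the original page. Assumed names (override
# through the environment): ESA host esa.acme.com, user admin, remote
# log directory /authentication (the log name shown by 'logconfig'),
# local monitored directory /var/esa/authentication.
set -u

ESA_USER="${ESA_USER:-admin}"
ESA_HOST="${ESA_HOST:-esa.acme.com}"
ESA_LOGDIR="${ESA_LOGDIR:-/authentication}"
# Glob expanded on the appliance. Narrow it (for example to one day's
# timestamp) if fetching every saved file on each run is too costly.
REMOTE_GLOB="${REMOTE_GLOB:-*.s}"
DEST_DIR="${DEST_DIR:-/var/esa/authentication}"
STATE_FILE="${STATE_FILE:-$DEST_DIR/.transferred}"

# select_new STATE: read file names on stdin and print those that are
# saved ('.s') files not yet recorded in STATE. The current ('.c') file
# is still being written and is skipped; recorded names are skipped so
# Splunk does not index the same file twice. A missing STATE file means
# nothing has been transferred yet.
select_new() {
  state="$1"
  while IFS= read -r name; do
    case "$name" in *.s) ;; *) continue ;; esac
    if ! grep -qxF -- "$name" "$state" 2>/dev/null; then
      printf '%s\n' "$name"
    fi
  done
}

# pull_new_logs: fetch the saved files into a staging directory, move the
# new ones into DEST_DIR, record them, and discard the rest.
pull_new_logs() {
  mkdir -p "$DEST_DIR"
  stage="$(mktemp -d)"
  # Quoted so the glob is expanded by the appliance, as on the page.
  scp -q "$ESA_USER@$ESA_HOST:$ESA_LOGDIR/$REMOTE_GLOB" "$stage/" || {
    rm -rf "$stage"; return 1; }
  ls -1 "$stage" | select_new "$STATE_FILE" | while IFS= read -r name; do
    mv "$stage/$name" "$DEST_DIR/$name" &&
      printf '%s\n' "$name" >> "$STATE_FILE"
  done
  rm -rf "$stage"   # drops files that were already transferred earlier
}

# monitor_stanza: inputs.conf stanza for the forwarder watching DEST_DIR.
# The whitelist admits only the '.s' files, so the state file in the same
# directory is not indexed. The sourcetype is an assumption; use the one
# documented for your add-on version.
monitor_stanza() {
  printf '[monitor://%s]\nsourcetype = cisco:esa:authentication\nwhitelist = \\.s$\ndisabled = 0\n' "$DEST_DIR"
}

# Run the pull only when executed directly under this file name, so the
# functions can be sourced or tested without touching the network.
case "${0##*/}" in pull_esa_auth_logs.sh) pull_new_logs ;; esac
```

Save it as pull_esa_auth_logs.sh, run it from cron on the forwarder host, and add the stanza printed by monitor_stanza to the forwarder's inputs.conf. Because the state file lives in DEST_DIR, keep the whitelist in place (or move STATE_FILE elsewhere) so the forwarder does not pick it up as a log.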