
Cisco AsyncOS 8.0- DLP

kacerveza1
Level 1

Hi,

I would like to know if there is a way to monitor, in real time, the email that hits a policy, and which policies it has violated, so that we know what we should add to the policy to minimize false positives.

Thank you!

8 Replies

To view real-time logs, you can establish SSH to the ESA and run:

- tail

- 16 (mail logs)

You can also use Monitor -> Message Tracking to see message details.

You can use the gathered information to fine-tune incoming mail policies.

Hi Jernej Vodopivec,

Thank you for your response. I do apologize, I am still new to this product and not sure if I am asking the correct question. When you establish SSH to the ESA, does it also give you a view of which policy an email violates? I have checked Monitor > Message Tracking and this is not (for now) what we want to evaluate. Please advise.

Thank you!

Mathew Huynh
Cisco Employee

I believe when a DLP policy violation is found it'll be seen as:

Info: MID 212 DLP violation

in the mail logs.

So if you want to find the MIDs which hit a violation, you'd run this command in the CLI:

CLI > grep -i "DLP violation" mail_logs

This will bring up all matches of the violation. Then grep "MID XXXX" mail_logs to see what the email details were.

To find out which DLP policy was matched, you may need to change the mail_logs to 'debug' level:

GUI > System Admin > Log Subscriptions > click on the mail_logs and change to debug (there is a lot more information here)

or CLI > logconfig > edit > (number of mail_logs) and change it there.

Commit changes.
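The two replies above describe the same manual workflow: grep mail_logs for "DLP violation" to get the MIDs, then grep each MID to pull the message's From/To/Subject lines. The script below is an added example, not code from either poster or from Cisco, that does that correlation offline over a saved copy of mail_logs. The sample log lines are constructed in the general shape of AsyncOS mail_logs entries (the exact wording of real lines may differ) and the MID values are assumptions. One caveat it handles that the bare grep does not: a pattern like "MID 21" also matches MID 212, 213 and 214, so the MID match is anchored on word boundaries.

```python
import re

# Constructed sample in the general shape of ESA mail_logs lines (not a real
# capture; the wording of real AsyncOS lines may differ). MIDs are assumptions.
SAMPLE_MAIL_LOGS = """\
Thu Mar 13 10:22:30 2014 Info: MID 212 ICID 35 From: <alice@example.com>
Thu Mar 13 10:22:30 2014 Info: MID 212 ICID 35 RID 0 To: <bob@example.org>
Thu Mar 13 10:22:31 2014 Info: MID 212 Subject 'Q1 card list'
Thu Mar 13 10:22:31 2014 Info: MID 212 matched all recipients for per-recipient policy DEFAULT in the outbound table
Thu Mar 13 10:22:32 2014 Info: MID 212 DLP violation
Thu Mar 13 10:22:32 2014 Info: MID 212 queued for delivery
Thu Mar 13 10:23:01 2014 Info: MID 213 ICID 36 From: <carol@example.com>
Thu Mar 13 10:23:01 2014 Info: MID 213 ICID 36 RID 0 To: <dave@example.org>
Thu Mar 13 10:23:02 2014 Info: MID 213 Subject 'lunch?'
Thu Mar 13 10:23:02 2014 Info: MID 213 queued for delivery
Thu Mar 13 10:24:10 2014 Info: MID 214 ICID 37 From: <erin@example.com>
Thu Mar 13 10:24:11 2014 Info: MID 214 DLP violation
"""

MID_RE = re.compile(r"\bMID (\d+)\b")
FROM_RE = re.compile(r"\bFrom: <([^>]*)>")
TO_RE = re.compile(r"\bTo: <([^>]*)>")
SUBJECT_RE = re.compile(r"\bSubject '(.*)'$")
VIOLATION_RE = re.compile(r"DLP violation", re.IGNORECASE)


def find_dlp_violation_mids(log_text):
    """Offline equivalent of `grep -i "DLP violation" mail_logs`.

    Returns the sorted, de-duplicated MIDs that logged a DLP violation.
    """
    mids = set()
    for line in log_text.splitlines():
        if VIOLATION_RE.search(line):
            m = MID_RE.search(line)
            if m:
                mids.add(int(m.group(1)))
    return sorted(mids)


def lines_for_mid(log_text, mid):
    """Offline equivalent of `grep "MID 212" mail_logs`.

    The pattern is anchored with word boundaries so that asking for MID 21
    does not also return the lines for MID 212, 213, 214 and so on.
    """
    pattern = re.compile(r"\bMID %d\b" % int(mid))
    return [line for line in log_text.splitlines() if pattern.search(line)]


def summarize_mid(log_text, mid):
    """Collect the message details a reviewer would otherwise read by hand."""
    summary = {
        "mid": int(mid),
        "from": None,
        "to": [],
        "subject": None,
        "dlp_violation": False,
        "lines": [],
    }
    for line in lines_for_mid(log_text, mid):
        summary["lines"].append(line)
        m = FROM_RE.search(line)
        if m:
            summary["from"] = m.group(1)
        m = TO_RE.search(line)
        if m:
            summary["to"].append(m.group(1))
        m = SUBJECT_RE.search(line)
        if m:
            summary["subject"] = m.group(1)
        if VIOLATION_RE.search(line):
            summary["dlp_violation"] = True
    return summary


def dlp_report(log_text):
    """One summary per MID that hit a DLP violation, in MID order."""
    return [summarize_mid(log_text, mid) for mid in find_dlp_violation_mids(log_text)]


if __name__ == "__main__":
    # Replace SAMPLE_MAIL_LOGS with open("mail_logs").read() for a saved log.
    for entry in dlp_report(SAMPLE_MAIL_LOGS):
        print("MID %d  from=%s  to=%s  subject=%r" % (
            entry["mid"], entry["from"], ",".join(entry["to"]), entry["subject"]))
```

On the sample above the report lists MID 212 and MID 214; MID 213 is skipped because it never logged a violation, and MID 214 shows up with no recipient or subject because those lines were not in the sample, which is the same partial picture the appliance's default (non-debug) mail_logs can give. The policy name itself is not in these lines, which is why the reply above suggests raising mail_logs to debug before tuning.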

Hi Matthew,

 

Thanks for the info. I will be using this after we have set up the test environment. For the policy testing, do you have any suggestions or recommendations we can follow? I have seen a doc on the Cisco website regarding the custom testing of a policy: http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118537-technote-esa-00.pdf

Please advise.

Thanks!

Hello,

There are no 'true' recommendations on what would be best.

It comes down to your local requirements on how strict you would like it to be.

Nevertheless, the article provided is a good starting point for the customizations that can be done, and you will just need to tune it to your requirements.

I

Hi Matthew,

 

I guess I will just try this policy for testing. Thanks for the response. Can I get back to this thread if I have some other clarifications?

Thanks a lot, have a nice day!

That's fine, I'll be happy to assist with your general concerns through this medium.

However, should the issue start requiring detailed log reviews and such, I would suggest opening a case for deeper troubleshooting.

As I don't think we would like to put your system information on a public forum :)

Hi Matthew,

 

Yes, that's right, for security purposes. Thanks for the recommendations again. I'll be getting back to you once we have problems with the testing.

Thanks again! :)