Cisco Ironport Send Logs To SIEM

lnhquang1993
Level 1

Hello Everyone,

 

I have an IronPort cluster running AsyncOS version 13.5.3-010. I want to send email logs to a SIEM server for centralized monitoring and analysis, but the logs sent to the SIEM are very short and missing a lot of information.

 

For example:

A log record with Event Name "Mailserver info send" has this payload:

<38>Dec 07 14:40:24 mail_logs: Info: MID 5674344 ICID 5062620 RID 0 To: <test@exp.com>

Based on this payload, we only know the email is being sent to test@exp.com. We have no idea about the sender or the subject. If you want to know the subject or any other information, you must take the MID and keep searching through thousands of other records to find the subject and receiver. Even then, it still takes a lot of time to find the right information.

 

I have no idea why Cisco decided to split things that should be in the same log message. The same thing happens for very important events like anti-spam, viruses, outbreaks, etc.

 

Is there any way to configure mapping of this information into a single log record, so I can see the whole picture when I receive a syslog message from IronPort in QRadar?

 

Thanks!

 


8 Replies

balaji.bandi
Hall of Fame

The ESA sends logs in raw format; how you use them depends on your requirements. Some SIEMs like Splunk offer some kind of reports, again depending on the requirement:

 

You can set up a log subscription to push the logs using SCP or whichever method you prefer.

 

System Configuration >> Log Subscriptions >> choose the log you want to push to the SIEM server

 

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200985-Configuring-SCP-push-of-mail-logs-on-ESA.html

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118456-technote-esa-00.html

 

The admin guide also gives you that information:

 

https://www.cisco.com/c/en/us/td/docs/security/esa/esa13-0/user_guide/b_ESA_Admin_Guide_13-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html

 

 

 

BB


Hi Balaji,

 

Thank you for your reply. I'm using QRadar, and it only offers a monitoring app for Cisco ESA, not for Cisco IronPort. The OS names of Cisco IronPort and ESA look the same to me, but I'm not sure whether there is any difference inside. I tried to install the app, but it does not show any information, so I guess the app only works for ESA and not for IronPort.

 

In the document you shared, the example of the log format already splits the log into multiple lines:

Wed Jun 16 21:42:34 2004 Info: New SMTP ICID 282204970 interface mail.example.com (1.2.3.4) address 2.3.4.5 reverse dns host unknown verified no

Wed Jun 16 21:42:34 2004 Info: ICID 282204970 SBRS None

Wed Jun 16 21:42:35 2004 Info: Start MID 200257070 ICID 282204970

Wed Jun 16 21:42:35 2004 Info: MID 200257070 ICID 282204970 From: <someone@foo.com>

Wed Jun 16 21:42:36 2004 Info: MID 200257070 ICID 282204970 RID 0 To: <user@example.com>

Wed Jun 16 21:42:38 2004 Info: MID 200257070 Message-ID '<37gva9$5uvbhe@mail.example.com>'

Wed Jun 16 21:42:38 2004 Info: MID 200257070 Subject 'Hello'

Wed Jun 16 21:42:38 2004 Info: MID 200257070 ready 24663 bytes from <someone@foo.com>

Wed Jun 16 21:42:38 2004 Info: MID 200257070 antivirus negative

Wed Jun 16 21:42:38 2004 Info: MID 200257070 queued for delivery

Wed Jun 16 21:42:38 2004 Info: New SMTP DCID 2386069 interface 1.2.3.4 address 1.2.3.4

Wed Jun 16 21:42:38 2004 Info: Delivery start DCID 2386069 MID 200257070 to RID [0]

Wed Jun 16 21:42:38 2004 Info: ICID 282204970 close

Wed Jun 16 21:42:38 2004 Info: Message done DCID 2386069 MID 200257070 to RID [0] [('X-SBRS', 'None')]

Wed Jun 16 21:42:38 2004 Info: MID 200257070 RID [0] Response 2.6.0 <37gva9$5uvbhe@mail.example.com> Queued mail for delivery

Wed Jun 16 21:42:43 2004 Info: DCID 2386069 close

With this format, each line becomes a different log record in QRadar with a different event name. I don't see an example of the SCP log format in the document, but I guess it will be the same, and if so, changing the log method from syslog to SCP still does not resolve my concern.

 

I need something that sends the log as a single line. For example:

 

Wed Jun 16 21:42:35 2004 Info: MID 200257070 ICID 282204970 From: <someone@foo.com>  To: <user@example.com> Subject 'Hello' ready 24663 bytes antivirus negative queued for delivery

 

Then, when this message is sent to QRadar, I only need to look at a single log record to get all the necessary information.

Hi Balaji,

Thank you for your reply. I'm using the QRadar SIEM, and it has an application for Cisco ESA but not for Cisco IronPort. I read the app requirements and noticed the version name is just like the OS of IronPort, but maybe the OS of Cisco ESA and IronPort differ even though they share the same name, so the app is not working for IronPort.

In the document, you can see that the example logs split the information into multiple lines, so when they are sent to the SIEM they create multiple event records too. I can't find any example of the SCP message log format, so I am not sure whether it also splits the information like syslog does. But if SCP also splits the information into multiple lines, then it does not help resolve my problem.

 

I need the information put into a single line so that when it is sent to the SIEM, it only creates one log record. For example:

Wed Jun 16 21:42:35 2004 Info: MID 200257070 ICID 282204970 From: <someone@foo.com>, To: <user@example.com>, Subject 'Hello', ready 24663 bytes from <someone@foo.com>, antivirus negative, queued for delivery

Instead of being split like this:

Wed Jun 16 21:42:35 2004 Info: MID 200257070 ICID 282204970 From: <someone@foo.com>

Wed Jun 16 21:42:36 2004 Info: MID 200257070 ICID 282204970 RID 0 To: <user@example.com>

Wed Jun 16 21:42:38 2004 Info: MID 200257070 Message-ID '<37gva9$5uvbhe@mail.example.com>'

Wed Jun 16 21:42:38 2004 Info: MID 200257070 Subject 'Hello'

Wed Jun 16 21:42:38 2004 Info: MID 200257070 ready 24663 bytes from <someone@foo.com>

Wed Jun 16 21:42:38 2004 Info: MID 200257070 antivirus negative

Wed Jun 16 21:42:38 2004 Info: MID 200257070 queued for delivery
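The join the appliance does not do for you here can be reconstructed on the collector side, because every message-level line carries the MID and the connection-level lines carry the ICID that "Start MID" ties to it. The following Python is an added example, not code from the thread or from Cisco: it reads the documentation excerpt quoted above (rejoined into one line per record, as a constructed sample), correlates on MID and ICID, and emits one record per delivered message in the single-line shape asked for. The message formats it matches are only the ones visible in the excerpt; other event types (anti-spam verdicts, bounces, quarantine actions) would need their own patterns.

```python
import re

# Constructed sample: the mail_logs excerpt quoted above (Cisco's documentation example),
# with the lines the forum wrapped rejoined so each record is one line as on the appliance.
SAMPLE_MAIL_LOGS = """\
Wed Jun 16 21:42:34 2004 Info: New SMTP ICID 282204970 interface mail.example.com (1.2.3.4) address 2.3.4.5 reverse dns host unknown verified no
Wed Jun 16 21:42:34 2004 Info: ICID 282204970 SBRS None
Wed Jun 16 21:42:35 2004 Info: Start MID 200257070 ICID 282204970
Wed Jun 16 21:42:35 2004 Info: MID 200257070 ICID 282204970 From: <someone@foo.com>
Wed Jun 16 21:42:36 2004 Info: MID 200257070 ICID 282204970 RID 0 To: <user@example.com>
Wed Jun 16 21:42:38 2004 Info: MID 200257070 Message-ID '<37gva9$5uvbhe@mail.example.com>'
Wed Jun 16 21:42:38 2004 Info: MID 200257070 Subject 'Hello'
Wed Jun 16 21:42:38 2004 Info: MID 200257070 ready 24663 bytes from <someone@foo.com>
Wed Jun 16 21:42:38 2004 Info: MID 200257070 antivirus negative
Wed Jun 16 21:42:38 2004 Info: MID 200257070 queued for delivery
Wed Jun 16 21:42:38 2004 Info: New SMTP DCID 2386069 interface 1.2.3.4 address 1.2.3.4
Wed Jun 16 21:42:38 2004 Info: Delivery start DCID 2386069 MID 200257070 to RID [0]
Wed Jun 16 21:42:38 2004 Info: ICID 282204970 close
Wed Jun 16 21:42:38 2004 Info: Message done DCID 2386069 MID 200257070 to RID [0] [('X-SBRS', 'None')]
Wed Jun 16 21:42:38 2004 Info: MID 200257070 RID [0] Response 2.6.0 <37gva9$5uvbhe@mail.example.com> Queued mail for delivery
Wed Jun 16 21:42:43 2004 Info: DCID 2386069 close
"""

# "<weekday> <month> <day> <time> <year> <level>: <message>", as in the excerpt.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<level>\w+): (?P<msg>.*)$")

# Connection-level events (keyed by ICID) and message-level events (keyed by MID).
NEW_ICID_RE = re.compile(r"^New SMTP ICID (?P<icid>\d+) interface (?P<iface>\S+) \(\S+\) address (?P<ip>\S+)")
SBRS_RE = re.compile(r"^ICID (?P<icid>\d+) SBRS (?P<sbrs>\S+)$")
START_RE = re.compile(r"^Start MID (?P<mid>\d+) ICID (?P<icid>\d+)$")
MID_RE = re.compile(r"^MID (?P<mid>\d+) (?P<rest>.*)$")
DONE_RE = re.compile(r"^Message done DCID \d+ MID (?P<mid>\d+) ")
# Sub-patterns for the text after "MID <n> ".
FROM_RE = re.compile(r"^ICID \d+ From: <(?P<addr>.*)>$")
TO_RE = re.compile(r"^ICID \d+ RID (?P<rid>\d+) To: <(?P<addr>.*)>$")
MSGID_RE = re.compile(r"^Message-ID '(?P<msgid>.*)'$")
SUBJECT_RE = re.compile(r"^Subject '(?P<subject>.*)'$")
READY_RE = re.compile(r"^ready (?P<size>\d+) bytes")
AV_RE = re.compile(r"^antivirus (?P<verdict>\S+)")
QUEUED_RE = re.compile(r"^queued for delivery$")


def consolidate(lines):
    """Join mail_logs lines on MID/ICID; return one dict per message whose delivery finished."""
    icids, open_mids, finished = {}, {}, []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a mail_logs record
        ts, msg = m["ts"], m["msg"]
        if h := NEW_ICID_RE.match(msg):
            icids[h["icid"]] = {"remote_ip": h["ip"], "interface": h["iface"]}
        elif h := SBRS_RE.match(msg):
            icids.setdefault(h["icid"], {})["sbrs"] = h["sbrs"]
        elif h := START_RE.match(msg):
            rec = {"mid": h["mid"], "icid": h["icid"], "start": ts, "to": []}
            rec.update(icids.get(h["icid"], {}))  # copy connection facts onto the message
            open_mids[h["mid"]] = rec
        elif h := MID_RE.match(msg):
            rec = open_mids.get(h["mid"])
            if rec is not None:  # lines for unknown or already-finished MIDs are skipped
                apply_mid_event(rec, h["rest"])
        elif h := DONE_RE.match(msg):
            rec = open_mids.pop(h["mid"], None)
            if rec is not None:
                rec["end"], rec["status"] = ts, "delivered"
                finished.append(rec)
    return finished


def apply_mid_event(rec, rest):
    """Fold one 'MID <n> ...' line into the accumulating message record."""
    if h := FROM_RE.match(rest):
        rec["from"] = h["addr"]
    elif h := TO_RE.match(rest):
        rec["to"].append(h["addr"])
    elif h := MSGID_RE.match(rest):
        rec["message_id"] = h["msgid"]
    elif h := SUBJECT_RE.match(rest):
        rec["subject"] = h["subject"]
    elif h := READY_RE.match(rest):
        rec["bytes"] = int(h["size"])
    elif h := AV_RE.match(rest):
        rec["antivirus"] = h["verdict"]
    elif QUEUED_RE.match(rest):
        rec["status"] = "queued for delivery"


def format_summary(rec):
    """Render one message in the single-line shape asked for in the thread."""
    to = ", ".join(f"<{a}>" for a in rec["to"])
    return (f"{rec['start']} Info: MID {rec['mid']} ICID {rec['icid']} "
            f"From: <{rec.get('from', '')}> To: {to} Subject '{rec.get('subject', '')}' "
            f"ready {rec.get('bytes', '?')} bytes antivirus {rec.get('antivirus', '?')} "
            f"{rec.get('status', 'open')}")


if __name__ == "__main__":
    for record in consolidate(SAMPLE_MAIL_LOGS.splitlines()):
        print(format_summary(record))
```

The weakness of doing this at the collector is visible in the code: any dropped, delayed or reordered line (UDP syslog loses lines silently) leaves a hole in the record, and messages that never reach "Message done" stay open forever unless you add a timeout. That is why the appliance-side consolidated event suggested further down the thread is the better fix; the correlator is what you fall back on when you cannot change the source.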

 

You want to enable the CEF log...
This is the documentation for CES, but it's the same on an ESA:

https://docs.ces.cisco.com/docs/single-log-line-sll


Hi Ken Stieers,

 

You're correct, this is what I'm looking for. Let me check and update you on whether this is available on my Cisco IronPort devices.

Do the Consolidated Event Logs contain the information you want?

Hi Shane,

 

Yes, I do get some of the info I want, but not all of it. Things like the subject and others are still missing or encoded.

Hi Ken Stieers,

 

Following your guide helped me put my information into single log events as I wanted, but some information is still missing. For example, the email subject: I'm not sure whether it is encoded or completely missing. Below is the raw log:

 

<38>Dec 09 10:01:51 MailGateway: CEF:0|Cisco|C300V Email Security Virtual Appliance|13.5.3-010|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=4223C0D405C993AF5B66-1AF68549C776 ESAMID=57253 ESAICID=51012 ESADCID=26070 ESAAMPVerdict=NOT_EVALUATED ESAASVerdict=NOT_EVALUATED ESAAVVerdict=NEGATIVE ESACFVerdict=NO_MATCH endTime=Thu Dec  9 10:01:49 2021 ESADLPVerdict=NOT_EVALUATED dvc=10.X.X.X ESAFriendlyFrom='Ng\\xc3\\xa2n h\\xc3\\xa0ng Ph\\xc6\\xb0\\xc6\\xa1ng \\xc4\\x90\\xc3\\xb4ng OCB\\t<customer@adc.com.vn>' ESAGMVerdict=NOT_EVALUATED startTime=Thu Dec  9 10:01:38 2021 deviceOutboundInterface=IncomingMail deviceDirection=1 ESAMailFlowPolicy=RELAY suser=customer@adc.com.vn cs1Label=MailPolicy cs1=Drop mail >5Mb cs2Label=SenderCountry cs2=not applicable ESAMFVerdict=NO_MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<961759881.38489.1639018900165.JavaMail.root@103.adc.vn>' ESAOFVerdict=NOT_EVALUATED duser=minta@gmail.com ESAHeloDomain=mail.adc.com.vn ESAHeloIP=10.X.X.X cfp1Label=SBRSScore cfp1=rfc1918 sourceHostName=dc-ex01.abc.vn ESASenderGroup=RELAYLIST sourceAddress=10.X.X.X msg='\=?UTF-8?Q?NG\=C3\=82N_H\=C3\=80NG_OCB_\=E2\=80\=93_TH\=C3\=94NG_T?\=\\r\\n \=?UTF-8?Q?IN_\=C4\=90\=C4\=82NG_K\=C3\=8D_G\=C3\=93I_T\=C3\=80I_KHO\=E1\=BA\=A2N?\=\\r\\n \=?UTF-8?Q?_THANH_TO\=C3\=81N_TR\=E1\=BB\=B0C_TUY\=E1\=BA\=BEN_?\=\\r\\n \=?UTF-8?Q?OCB_OMNI_(English_below)?\=' ESATLSInCipher=ECDHE-RSA-AES128-SHA256 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2

I guess the Subject could be this:

msg='\=?UTF-8?Q?NG\=C3\=82N_H\=C3\=80NG_OCB_\=E2\=80\=93_TH\=C3\=94NG_T?\=\\r\\n \=?UTF-8?Q?IN_\=C4\=90\=C4\=82NG_K\=C3\=8D_G\=C3\=93I_T\=C3\=80I_KHO\=E1\=BA\=A2N?\=\\r\\n \=?UTF-8?Q?_THANH_TO\=C3\=81N_TR\=E1\=BB\=B0C_TUY\=E1\=BA\=BEN_?\=\\r\\n \=?UTF-8?Q?OCB_OMNI_(English_below)?\=

But somehow it, and/or the info inside the email message, is being encoded.
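The subject in the msg field above is present, just wrapped in three layers: an RFC 2047 encoded-word header (`=?UTF-8?Q?...?=`) folded over several lines, written out with its control characters and non-ASCII bytes as backslash escapes (the same `\\xc3\\xa2` style seen in ESAFriendlyFrom), and then CEF-escaped (`\=` for `=`, `\\` for `\`). The following Python is an added example, not code from the thread or from Cisco: it splits the CEF header, parses the space-separated extension (values such as `endTime=Thu Dec  9 10:01:49 2021` contain spaces, so keys rather than spaces delimit them), peels the escaping layers off and decodes the subject and friendly-from name. Reading the backslash sequences as Python-style repr escapes is an inference from the quoted event, and the sample is a trimmed copy of that event with the thread's own masked addresses.

```python
import re
from email.header import decode_header

# Constructed sample: the consolidated CEF event quoted above, trimmed to the fields used
# here; "10.X.X.X" and the addresses are the masked values from the thread.
SAMPLE_CEF = (
    r"<38>Dec 09 10:01:51 MailGateway: CEF:0|Cisco|C300V Email Security Virtual Appliance"
    r"|13.5.3-010|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|"
    r"deviceExternalId=4223C0D405C993AF5B66-1AF68549C776 ESAMID=57253 ESAICID=51012 "
    r"ESAAVVerdict=NEGATIVE endTime=Thu Dec  9 10:01:49 2021 dvc=10.X.X.X "
    r"ESAFriendlyFrom='Ng\\xc3\\xa2n h\\xc3\\xa0ng Ph\\xc6\\xb0\\xc6\\xa1ng "
    r"\\xc4\\x90\\xc3\\xb4ng OCB\\t<customer@adc.com.vn>' "
    r"suser=customer@adc.com.vn cs1Label=MailPolicy cs1=Drop mail >5Mb act=DELIVERED "
    r"cs4Label=ExternalMsgID cs4='<961759881.38489.1639018900165.JavaMail.root@103.adc.vn>' "
    r"duser=minta@gmail.com "
    r"msg='\=?UTF-8?Q?NG\=C3\=82N_H\=C3\=80NG_OCB_\=E2\=80\=93_TH\=C3\=94NG_T?\=\\r\\n "
    r"\=?UTF-8?Q?IN_\=C4\=90\=C4\=82NG_K\=C3\=8D_G\=C3\=93I_T\=C3\=80I_KHO\=E1\=BA\=A2N?\=\\r\\n "
    r"\=?UTF-8?Q?_THANH_TO\=C3\=81N_TR\=E1\=BB\=B0C_TUY\=E1\=BA\=BEN_?\=\\r\\n "
    r"\=?UTF-8?Q?OCB_OMNI_(English_below)?\=' "
    r"ESATLSInProtocol=TLSv1.2"
)

CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")
# An extension key is a bare word followed by an unescaped '=' at the start or after
# whitespace; escaped '\=' inside values never matches because of the leading backslash.
KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z][A-Za-z0-9_]*)=")


def split_cef(line):
    """Return (header dict, extension string); the syslog prefix before 'CEF:' is dropped."""
    body = line[line.index("CEF:") + len("CEF:"):]
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)  # 7 header fields, then extension
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    return dict(zip(CEF_HEADER_FIELDS, parts[:7])), parts[7]


def cef_unescape(value):
    """Undo CEF extension escaping: '\\=' -> '=' and '\\\\' -> '\\'."""
    return re.sub(r"\\([=\\])", r"\1", value)


def parse_cef_extension(ext):
    keys = list(KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = cef_unescape(ext[m.end():end].strip())
    return fields


def strip_quotes(value):
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == "'" else value


def undo_repr_escapes(text):
    """Turn '\\xc3\\xa2' / '\\r' / '\\t' style escapes back into the UTF-8 text they encode.
    That the appliance writes header text this way is an inference from the quoted event."""
    raw = text.encode("latin-1", "backslashreplace").decode("unicode_escape")
    return raw.encode("latin-1").decode("utf-8", errors="replace")


def decode_rfc2047(header_text):
    """Decode a (possibly folded) RFC 2047 encoded-word header into a plain string."""
    parts = []
    for chunk, charset in decode_header(header_text):
        parts.append(chunk.decode(charset or "ascii", errors="replace")
                     if isinstance(chunk, bytes) else chunk)
    return "".join(parts)


def summarize(line):
    """Reduce one consolidated event to the fields the thread was looking for."""
    header, ext = split_cef(line)
    fields = parse_cef_extension(ext)
    text = {}
    for key in ("msg", "ESAFriendlyFrom"):
        value = strip_quotes(fields.get(key, ""))
        text[key] = undo_repr_escapes(value) if "\\" in value else value
    return {
        "device_version": header["device_version"],
        "mid": fields.get("ESAMID"),
        "from": fields.get("suser"),
        "friendly_from": text["ESAFriendlyFrom"],
        "to": fields.get("duser"),
        "subject": decode_rfc2047(text["msg"]),
        "av_verdict": fields.get("ESAAVVerdict"),
        "action": fields.get("act"),
        "tls": fields.get("ESATLSInProtocol"),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_CEF).items():
        print(f"{k}: {v!r}")
```

A SIEM parser that stops at the CEF layer will index the subject as the literal `=?UTF-8?Q?...` string, so searches for the human-readable subject miss; the decode step has to run at ingestion (in the log-source extension) or the field is as good as absent. The `!r` in the usage print is deliberate: it makes any escape that survived decoding visible instead of rendering it.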