ESA Logs to send to SIEM?

KyleBolton
Level 1
Looking to send some ESA logs to a SIEM. Any suggestions on types of logs to send?

Upgrade to 12.5 and send the new single-line format log. 1 feed, all the things that happened in one line per email.


Michael Douglas
Cisco Employee

Hello Kyle,

The type of logs really depends on what you wish to do with the data. Are you looking to monitor the system status, look further at authentication logs (who logged in to the appliance), or analyse the mail logs?

Here is some information that may give you a start:

The ESA supports system status monitoring via SNMP - https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117831-qanda-esa-00.html - you will require an SNMP server or additional software that you may already have in use.

Additional references:

Splunk offers an additional option to extract logs for further analysis: https://www.cisco.com/c/dam/m/en_us/products/security/technical-alliance-partners/core/assets/splunk-overview.pdf

Hope this helps.

Best regards,

Mike

.:|:.:|:. Michael Douglas | Designated Service Manager - Content Security | Cisco Systems

Mostly analyze mail. Also any hits on AMP or AV.

ppreenja
Cisco Employee
Hello Kyle,

For sending certain ESA logs to a SIEM, first you have to check the network connectivity from the ESA to the SIEM server; then you can follow the steps in the article below, which illustrates how to configure SCP push of mail logs on the ESA:

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200985-Configuring-SCP-push-of-mail-logs-on-ESA.html

Kindly note that the basic log configuration will allow you to set it up for FTP push, SCP push or syslog push; you can review the setup here:

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118456-technote-esa-00.html

This can be done by navigating to System Configuration >> Log Subscriptions >> choose the log you want to push to the SIEM server >> add the IP address of the server in the Syslog Push section.

Ensure that the connectivity to the server on the port is successful from both the ESA and the server. Also check the speed and duplex settings. Normally, the appliance will just package up the log as created, and then work to push this over 514 (UDP/TCP) to the end destination.

Below is a reference article for integration details on all Cisco products:

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-smart-business-architecture/sbaSIEM_deployG.pdf

Note: If you need to pull the logs from the ESA or SMA in a CES environment, the only option is SCP. SCP allows files to be copied to, from, or between different hosts. It uses SSH for data transfer and provides the same authentication and the same level of security as SSH.

Pull logs: SCP
Push Logs: SCP, FTP, Syslog

I hope this helps.

Cheers,
Pratham

marc.luescherFRE
Spotlight

Let me share with you what we do:

a) text file mail log, uploaded to the SIEM for custom field extractions for many detailed fields not available in standard IronPort reports, alerts, etc.

b) common event logs, for summary reports on the email pipeline like dashboards, etc. We aggregate the text mail log and common event logs into one consolidated view.

c) status logs, for monitoring and alerting, e.g. when the mail queue is too large, CPU too high, etc.

d) system logs, for monitoring and alerting on critical events

I hope that helps. You can go crazy with logs in a SIEM, but there are limits on how much the syslog daemon of the IronPorts can send to the SIEM. So be careful not to overload it, otherwise you will get alerts.
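Marc's point (a), custom field extraction from the text mail log, and Kyle's interest in AMP/AV hits, as an added example that is not code from any poster in this thread: a small Python parser that correlates mail-log lines by MID into one record per message and lists the MIDs an alert rule should fire on. The line shapes are an assumption about the general form of ESA mail_logs, and the addresses, MIDs and timestamps are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the general shape of ESA mail_logs (assumed format; not taken from the thread).
SAMPLE_MAIL_LOG = """\
Tue Oct 10 09:15:01 2023 Info: New SMTP ICID 501 interface Data1 (10.0.0.5) address 203.0.113.7 reverse dns host mta.example.net verified yes
Tue Oct 10 09:15:01 2023 Info: MID 9001 ICID 501 From: <alice@example.net>
Tue Oct 10 09:15:01 2023 Info: MID 9001 ICID 501 RID 0 To: <bob@example.com>
Tue Oct 10 09:15:02 2023 Info: MID 9001 Subject 'Quarterly report'
Tue Oct 10 09:15:02 2023 Info: MID 9001 antivirus negative
Tue Oct 10 09:15:02 2023 Info: MID 9001 AMP file reputation verdict : CLEAN
Tue Oct 10 09:15:02 2023 Info: Message finished MID 9001 done
Tue Oct 10 09:16:10 2023 Info: MID 9002 ICID 502 From: <mallory@example.org>
Tue Oct 10 09:16:10 2023 Info: MID 9002 ICID 502 RID 0 To: <bob@example.com>
Tue Oct 10 09:16:11 2023 Info: MID 9002 Subject 'Invoice attached'
Tue Oct 10 09:16:11 2023 Info: MID 9002 antivirus positive 'EICAR-AV-Test'
Tue Oct 10 09:16:11 2023 Info: MID 9002 AMP file reputation verdict : MALICIOUS
Tue Oct 10 09:16:11 2023 Info: Message finished MID 9002 done
"""

MID_RE = re.compile(r"\bMID (\d+)\b")      # every per-message line carries the MID
TO_RE = re.compile(r"To: <([^>]*)>")       # recipients accumulate into a list
FIELDS = {                                  # single-valued fields: capture group 1 becomes the value
    "from": re.compile(r"From: <([^>]*)>"),
    "subject": re.compile(r"Subject '(.*)'"),
    "av": re.compile(r"antivirus (negative|positive)"),
    "amp": re.compile(r"AMP file reputation verdict : (\w+)"),
}

def parse_mail_log(text):
    """Correlate mail_log lines by MID into one record per message (the consolidated view a SIEM wants)."""
    msgs = defaultdict(lambda: {"from": None, "to": [], "subject": None, "av": None, "amp": None, "finished": False})
    for line in text.splitlines():
        m = MID_RE.search(line)
        if not m:
            continue  # connection-level (ICID-only) lines carry no MID; a fuller parser would join them via ICID
        rec = msgs[m.group(1)]
        for key, rx in FIELDS.items():
            hit = rx.search(line)
            if hit:
                rec[key] = hit.group(1)
        to = TO_RE.search(line)
        if to:
            rec["to"].append(to.group(1))
        rec["finished"] |= "Message finished" in line
    return dict(msgs)

def siem_hits(msgs):
    """MIDs an alert rule should fire on: AV scan positive or AMP verdict MALICIOUS (Kyle's 'hits on AMP or AV')."""
    return sorted(mid for mid, rec in msgs.items() if rec["av"] == "positive" or rec["amp"] == "MALICIOUS")
```

Feeding the same records to the SIEM as one event per MID, rather than one event per raw line, is also what keeps the per-message volume well below the syslog rate Marc warns about.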