10-07-2019 06:28 AM
Hello Kyle,
The type of logs really depends on what you wish to do with the data. Are you looking to monitor the system status, look further at authentication logs (who logged in to the appliance), or analyse the mail logs?
Here is some information that may give you a start:
The ESA supports system status monitoring via SNMP - https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117831-qanda-esa-00.html - you will require an SNMP server or additional software that you may already have in use.
Additional references:
Splunk offers additional options to extract logs for further analysis: https://www.cisco.com/c/dam/m/en_us/products/security/technical-alliance-partners/core/assets/splunk-overview.pdf
Hope this helps.
Best regards,
Mike
10-07-2019 06:32 AM
Mostly analyze mail. Also any hits on AMP or AV.
10-07-2019 07:12 AM
Let me share with you what we do:
a) text file mail log, uploaded to SIEM for custom field extractions for many detailed fields not available in standard IronPort reports, alerts etc.
b) common event logs, for summary reports on the email pipeline like dashboards etc. We aggregate the text mail log and common event logs into one consolidated view.
c) status logs, for monitoring and alerting, e.g. when the mail queue is too large, CPU too high etc.
d) system logs, for monitoring and alerting on critical events
I hope that helps. You can go crazy with logs in SIEM, but there are limits on how much the syslog daemon of the IronPorts can send to the SIEM. So be careful not to overload it, otherwise you will get alerts.
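To make the a)/b)/c) split above concrete, here is an added worked example (written for this thread, not code from Cisco or from the posters). It folds text-format mail log lines into one record per MID, as a SIEM field extraction would, pulls out the AV and AMP hits Kyle asked about, counts messages by final disposition for a dashboard, and raises alerts from status log lines when the CPU load or work queue crosses a threshold. The log lines are constructed for the example: the timestamp, MID/ICID/RID layout and the CPULd/WorkQ counter names follow the ESA style, but the exact wording of the verdict lines and all values are assumptions, so adjust the regular expressions to what your own appliance actually emits.

```python
import re
from collections import Counter

# Constructed sample input, shaped after ESA text-format mail_logs (ctime-style
# timestamp, MID/ICID/RID identifiers). The wording of the AV/AMP verdict lines
# is an assumption for this example, not copied from an appliance.
MAIL_LOG = """\
Mon Oct  7 06:14:02 2019 Info: MID 4711 ICID 9001 From: <alice@example.com>
Mon Oct  7 06:14:02 2019 Info: MID 4711 ICID 9001 RID 0 To: <bob@corp.example>
Mon Oct  7 06:14:03 2019 Info: MID 4711 antivirus positive 'EICAR-AV-Test'
Mon Oct  7 06:14:03 2019 Info: Message aborted MID 4711 Dropped by antivirus
Mon Oct  7 06:15:10 2019 Info: MID 4712 ICID 9002 From: <news@example.org>
Mon Oct  7 06:15:10 2019 Info: MID 4712 ICID 9002 RID 0 To: <carol@corp.example>
Mon Oct  7 06:15:11 2019 Info: MID 4712 antivirus negative
Mon Oct  7 06:15:12 2019 Info: MID 4712 AMP file reputation verdict MALICIOUS
Mon Oct  7 06:15:12 2019 Info: Message aborted MID 4712 Dropped by AMP
Mon Oct  7 06:16:00 2019 Info: MID 4713 ICID 9003 From: <erin@example.net>
Mon Oct  7 06:16:00 2019 Info: MID 4713 ICID 9003 RID 0 To: <frank@corp.example>
Mon Oct  7 06:16:01 2019 Info: MID 4713 antivirus negative
Mon Oct  7 06:16:01 2019 Info: MID 4713 AMP file reputation verdict CLEAN
Mon Oct  7 06:16:01 2019 Info: MID 4713 queued for delivery
"""

# Constructed status_logs-style lines; counter names follow the ESA status log
# convention (CPULd = CPU load, WorkQ = work queue depth), values are invented.
STATUS_LOG = """\
Mon Oct  7 06:14:00 2019 Info: Status: CPULd 31 DskIO 4 RAMUtil 37 WorkQ 12
Mon Oct  7 06:15:00 2019 Info: Status: CPULd 94 DskIO 9 RAMUtil 52 WorkQ 1500
Mon Oct  7 06:16:00 2019 Info: Status: CPULd 42 DskIO 5 RAMUtil 40 WorkQ 30
"""

TS_LEN = 24  # width of the ctime-style prefix "Mon Oct  7 06:14:02 2019"

RE_FROM = re.compile(r"Info: MID (?P<mid>\d+) ICID (?P<icid>\d+) From: <(?P<addr>[^>]*)>")
RE_TO = re.compile(r"Info: MID (?P<mid>\d+) ICID \d+ RID \d+ To: <(?P<addr>[^>]*)>")
RE_AV = re.compile(r"Info: MID (?P<mid>\d+) antivirus (?P<verdict>positive|negative)"
                   r"(?: '(?P<name>[^']*)')?")
RE_AMP = re.compile(r"Info: MID (?P<mid>\d+) AMP file reputation verdict (?P<verdict>\w+)")
RE_ABORT = re.compile(r"Info: Message aborted MID (?P<mid>\d+) (?P<reason>.+)")
RE_QUEUED = re.compile(r"Info: MID (?P<mid>\d+) queued for delivery")
RE_STATUS = re.compile(r"Info: Status: .*?CPULd (?P<cpu>\d+).*?WorkQ (?P<workq>\d+)")


def parse_mail_log(text):
    """Fold the per-line mail log stream into one record per MID, i.e. the
    consolidated per-message view a SIEM builds by keying on the message ID."""
    msgs = {}

    def rec(mid, ts):
        return msgs.setdefault(mid, {"first_seen": ts, "icid": None, "from": None,
                                     "to": [], "av": None, "av_name": None,
                                     "amp": None, "disposition": None})

    for line in text.splitlines():
        ts = line[:TS_LEN]
        if m := RE_FROM.search(line):
            r = rec(m["mid"], ts)
            r["icid"], r["from"] = m["icid"], m["addr"]
        elif m := RE_TO.search(line):
            rec(m["mid"], ts)["to"].append(m["addr"])
        elif m := RE_AV.search(line):
            r = rec(m["mid"], ts)
            r["av"], r["av_name"] = m["verdict"], m["name"]
        elif m := RE_AMP.search(line):
            rec(m["mid"], ts)["amp"] = m["verdict"]
        elif m := RE_ABORT.search(line):
            rec(m["mid"], ts)["disposition"] = m["reason"]
        elif m := RE_QUEUED.search(line):
            rec(m["mid"], ts)["disposition"] = "queued for delivery"
    return msgs


def amp_av_hits(msgs):
    """Return (mid, engine, detail, sender, recipients) for every message an
    engine convicted, sorted by MID; this is the analyst's hit list."""
    hits = []
    for mid, r in sorted(msgs.items()):
        if r["av"] == "positive":
            hits.append((mid, "antivirus", r["av_name"], r["from"], r["to"]))
        if r["amp"] == "MALICIOUS":
            hits.append((mid, "AMP", r["amp"], r["from"], r["to"]))
    return hits


def pipeline_summary(msgs):
    """Count messages by final disposition, the figure a dashboard would chart."""
    return Counter(r["disposition"] for r in msgs.values())


def status_alerts(text, cpu_max=90, workq_max=1000):
    """Return one (timestamp, metric, value) tuple per threshold crossing in the
    status log. The default thresholds are assumed values; tune them per box."""
    alerts = []
    for line in text.splitlines():
        if m := RE_STATUS.search(line):
            ts = line[:TS_LEN]
            if int(m["cpu"]) > cpu_max:
                alerts.append((ts, "CPULd", int(m["cpu"])))
            if int(m["workq"]) > workq_max:
                alerts.append((ts, "WorkQ", int(m["workq"])))
    return alerts
```

Running parse_mail_log on the sample gives three records; amp_av_hits returns the EICAR antivirus conviction on MID 4711 and the AMP MALICIOUS verdict on MID 4712, and status_alerts flags the 06:15 sample for both CPULd 94 and WorkQ 1500. In a real deployment the regexes are the part that needs maintenance: every AsyncOS upgrade can change a line's wording, so keep a small corpus of captured lines like this and re-run the parser against it before trusting the SIEM dashboards.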