Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3029
Views
5
Helpful
2
Replies

Logging for URL filtering

The-Messenger
Level 1
Level 1

‎03-31-2016 11:29 AM

We've enabled URL filtering, working great, but I want to log more information for the exceptions that I know are coming.  I'm not getting the results I expect with my Add log entry action. 

My action step is:

log-entry("$MatchedContent triggered $FilterName")

All I'm getting with that log entry is:
Message 455 Custom Log Entry: triggered Mailicious_URL
Message 255 dropped by content filter 'Mailicious_URL' in the inbound table.

I want to see the URL that is getting caught but the $matchedcontent variable is not pulling it.  

What do I need to log the URL that is getting caught?

1 person had this problem
Labels:
0 Helpful
2 Replies 2

Mathew Huynh
Cisco Employee
Cisco Employee

‎03-31-2016 05:08 PM

Hello The-Messenger,

To see the URL information in your mail_logs only (at the moment).

You will need to enable URL logging to be done via the outbreakfilterconfig via the command line.

---

myesa.local> outbreakconfig

Outbreak Filters: Enabled

Choose the operation you want to perform:
- SETUP - Change Outbreak Filters settings.
- CLUSTERSET - Set how the Outbreak Filters are configured in a cluster.
- CLUSTERSHOW - Display how the Outbreak Filters are configured in a cluster.
[]> setup

Outbreak Filters: Enabled
Would you like to use Outbreak Filters? [Y]> 

Outbreak Filters enabled.

Outbreak Filter alerts are sent when outbreak rules cross the threshold (go above or
 back down below), meaning that new messages of certain types could be quarantined
 or will no longer be quarantined, respectively.

Would you like to receive Outbreak Filter alerts? [N]> 

What is the largest size message Outbreak Filters should scan?
[2097152]> 

Do you want to use adaptive rules to compute the threat level of messages? [Y]> 

Logging of URLs is currently disabled.

Do you wish to enable logging of URL's? [N]> y

Logging of URLs has been enabled.

The Outbreak Filters feature is now globally enabled on the system. You must use the
 'policyconfig' command in the CLI or the Email Security Manager in the GUI to enable
 Outbreak Filters for the desired Incoming and Outgoing Mail Policies.

Note: Ensure that you commit any and all changes to your configuration before you proceed from either the GUI or the CLI on your ESA.

---

You can see the steps to enable it in this article:

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118775-technote-esa-00.html 

Regards,

Matthew

M. Miller
Level 1
Level 1

‎04-07-2021 07:24 AM

Dear Mathew Huynh,

 

thank you very much for this solution. It really took me a while to find this post. It just works like a charm. Now we are able to see all URLs within an e-mail, as well as matched category and URL defang action, logged in the mail_logs - Great!

0 Helpful
Customers Also Viewed These Support Documents