Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1174
Views
0
Helpful
5
Replies

NetWitness Syslog push from Ironport ESA

TuereTurner
Level 1
Level 1

‎02-27-2019 10:21 AM

I am trying to send syslogs to NetWitness from the ironport ESA.

 

There doesn't seem to be a firewall issue... we are ale to telnet from the on 514 to the syslog server.

When this command is ran a record shows in  Netwitness ,but no ironport text mail logs are showing up.

 

We are using TCP and the facility is mail.

 

 

How can I confirm the clustered ironport  ESA's are sending the logs to Netwitness?

 

 

Labels:
0 Helpful
5 Replies 5

Ken Stieers
VIP
VIP

‎02-27-2019 10:40 AM

Did you set up a log subscription?


0 Helpful

TuereTurner
Level 1
Level 1
In response to Ken Stieers

‎02-27-2019 10:46 AM

Yes the log subscription was created.


0 Helpful

Ken Stieers
VIP
VIP
In response to TuereTurner

‎02-27-2019 11:00 AM

Here's a link I found to Netwitness docs related to Cisco ESA... might be helpful?



https://community.rsa.com/api/core/v3/contents/25748/data?v=2




0 Helpful

TuereTurner
Level 1
Level 1
In response to Ken Stieers

‎02-27-2019 11:39 AM

So I used this doc to configure the log subscription .

 

It's pretty straight forward.

 

Is there anyway for me to trouble shoot the syslog push to Netwitness.

 

Maybe a grep on system logs?

 

 

0 Helpful

Ken Stieers
VIP
VIP
In response to TuereTurner

‎02-27-2019 12:22 PM

I don't have any syslog pushes, so I don't see anything in my system logs... so maybe?



Do you have the option to rollover a syslog push? That might kick it?

Otherwise maybe a packet capture?






0 Helpful
Customers Also Viewed These Support Documents