Required help for Log Forwarding Issues from Cisco ESA to StellarCyber

mallikarjun1479
Level 1

Dear Cisco Support Team,

I hope this message finds you well!

I am currently facing an issue with log forwarding from our Cisco Email Security Appliance (ESA) to Stellar Cyber for log monitoring. I would appreciate your assistance with the following points:

  1. Content Scanning Post-Whitelisting: Is it possible for the Cisco ESA to continue scanning the content of emails even after the sender’s email address has been whitelisted?

  2. Log Forwarding Issues: We are successfully able to send accept and relay log data from the ESA to Stellar Cyber. However, we are encountering difficulties in fetching quarantine and blocked email logs. Could you please provide the relevant documentation or guidance on how to enable or troubleshoot this issue?

Your prompt assistance in addressing these issues would be greatly appreciated. If you require any additional information or access to our system for troubleshooting, please let me know.

Thank you for your support.

Regards,

Mallikarjun Batthula

+91 7097040497

1 Reply

Mallikarjun,

For whitelisting, it depends on how you whitelisted, and what you actually want to happen. By default the ESA ships with an "Allowed_List" sender group (used to be called "Whitelist"), with a "Trusted" mail policy that may have various security features turned off for mail that applies. These settings are tracked by the mail as it flows through, so if you turn it off for a group of senders at the Mail Flow Policy level, when they hit your default policy, it won't scan them...

I prefer to leave the security features in Mail Flow Policy on for the most part, and then use Incoming Mail Policy to decide what mails get scanned, as Incoming Mail Policy is based on "envelope sender", "from" or "reply-to" address.

For logs, make sure under Security Services/Message Tracking you've enabled Rejected Connection Handling. Actions that happen to a message should all be in the Mail_Logs log subscription. Which log are you sending them? Mail_logs or the CEF-based "Consolidated Event Logs"? Which quarantine logging info are you looking for?

This isn't a TAC space, it's public, so access to your system isn't something anyone here needs. If you open a TAC case, there's a mechanism that you can use to give your TAC engineer access, but no-one here should ever get that access.
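The reply points out that quarantine and blocked-connection actions land in the mail_logs subscription rather than in a separate feed, so a SIEM side that only understands accept/relay lines will miss them. The following added example (not code from the thread or from Cisco) shows one way a collector could pull those two event types out of mail_logs text by correlating ICID and MID across lines; the sample lines are constructed, and their exact shape is an assumption about the mail_logs format, so the regexes should be checked against a real export before use.

```python
import re

# Constructed sample mail_logs lines (not captured from the poster's appliance).
# The line layout is an assumption about the mail_logs format.
SAMPLE_MAIL_LOGS = """\
Wed Jan 10 09:00:01 2024 Info: New SMTP ICID 501 interface Data1 (10.0.0.5) address 203.0.113.7 reverse dns host mx.example.net verified yes
Wed Jan 10 09:00:01 2024 Info: ICID 501 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Wed Jan 10 09:00:02 2024 Info: Start MID 9001 ICID 501
Wed Jan 10 09:00:02 2024 Info: MID 9001 ICID 501 From: <alice@example.net>
Wed Jan 10 09:00:03 2024 Info: MID 9001 quarantined to "Policy" (content filter:ATTACH_BLOCK)
Wed Jan 10 09:01:10 2024 Info: New SMTP ICID 502 interface Data1 (10.0.0.5) address 198.51.100.9 reverse dns host unknown verified no
Wed Jan 10 09:01:10 2024 Info: ICID 502 REJECT SG BLOCKED_LIST match sbrs[-10.0:-3.0] SBRS -7.2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}) Info: (?P<msg>.*)$")
ICID_ADDR_RE = re.compile(r"New SMTP ICID (?P<icid>\d+) .* address (?P<ip>[\d.]+)")
ICID_REJECT_RE = re.compile(r"ICID (?P<icid>\d+) REJECT SG (?P<sg>\S+)")
MID_FROM_RE = re.compile(r"MID (?P<mid>\d+) ICID \d+ From: <(?P<sender>[^>]*)>")
MID_QUAR_RE = re.compile(r'MID (?P<mid>\d+) quarantined to "(?P<quar>[^"]+)" \((?P<reason>[^)]*)\)')
MID_ICID_RE = re.compile(r"MID (?P<mid>\d+) ICID (?P<icid>\d+)")


def extract_block_events(text):
    """Return SIEM-ready dicts for rejected connections and quarantined messages.

    ICID (connection) state is kept so a later REJECT or a MID can be tied back
    to the connecting IP; MID state ties a quarantine action to its sender.
    """
    icid_ip, mid_icid, mid_sender, events = {}, {}, {}, []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected shape
        ts, msg = m.group("ts"), m.group("msg")
        if (a := ICID_ADDR_RE.search(msg)):
            icid_ip[a["icid"]] = a["ip"]
        elif (r := ICID_REJECT_RE.search(msg)):
            events.append({"ts": ts, "type": "connection_rejected", "icid": r["icid"],
                           "sender_group": r["sg"], "src_ip": icid_ip.get(r["icid"])})
        elif (f := MID_FROM_RE.search(msg)):
            mid_sender[f["mid"]] = f["sender"]
        elif (q := MID_QUAR_RE.search(msg)):
            icid = mid_icid.get(q["mid"])
            events.append({"ts": ts, "type": "message_quarantined", "mid": q["mid"],
                           "quarantine": q["quar"], "reason": q["reason"],
                           "sender": mid_sender.get(q["mid"]), "src_ip": icid_ip.get(icid)})
        elif (s := MID_ICID_RE.search(msg)):
            mid_icid[s["mid"]] = s["icid"]  # "Start MID ... ICID ..." lines
    return events


if __name__ == "__main__":
    for ev in extract_block_events(SAMPLE_MAIL_LOGS):
        print(ev)
```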