
Unable to get Audit logs from Cisco ESA

Hi Team,

 

I am a SIEM engineer and work on the ArcSight and LogRhythm SIEMs. We need to integrate Cisco ESA with our SIEM tool to collect all logs from the email security appliance.

 

We are facing two issues in doing this:

1 - Unable to get full session logs (need help on how to configure this and which module to use to get full session logs).

2 - Not receiving audit / configuration change logs (need help on which module to configure to get audit logs).

 

Regards,

Mitesh Agrawal



marc.luescherFRE

Hi there,

 

The solution depends on the software release you are running on the ESA appliances. Starting with 13.0.0-314, Cisco introduced the Common Log File format for mail logs. You will need to create a new log subscription with the CLF format and then specify the syslog forwarding parameters as required by your SIEM.

 

Make sure to select TCP and not UDP as the protocol to avoid performance problems.

Should you not be able to upgrade to the above software release, then I would recommend creating a new log subscription of the type IronPort Text Mail Logs and specifying the syslog forwarding information there.

 

For the account login information you would need to do the same with the system logs, and your SIEM will see entries like:

 

Fri Sep 27 07:41:21 2019 Info: PID 1637: User mluescher commit changes: added CEL logs

 

I hope that helps

 

-Marc

 

 

Hi Marc,

 

Thanks for your reply.

 

You understood my issue correctly. We are running on a Cisco IronPort C370, Version 11.0.2. We have already created the baseline in which all log subscriptions are created at the device end and configured to forward to our destination using syslog.

 

We have selected "Log Level" as "Informational" and "Facility" as "Local 7".

 

Please let me know whether any changes need to be made to this config. We are receiving logs but, as mentioned in my post earlier, those details are not captured in the logs.

 

Waiting for your reply.

 

Regards,

Mitesh Agrawal

Hi Mitesh,

 

It looks like you have done everything you need to on the IronPort ESA for this to work.

Now comes the trickier part, on the SIEM.

For the best possible correlation of mail events you need to correlate all mail events for a given MID over a period of 10 seconds. This will allow you to get a full picture of a single mail event. Keep in mind that every time you run any message filters or content filters, an additional MID is spun off the original one. Unless you need that information, you should ignore it.

 

So your pattern in raw data looks like:

 

Dec 1 13:07:15 192.168.207.13 mail_logs_splunk: Info: Start MID 128832755 ICID 38557304

Dec 1 13:07:15 192.168.207.13 mail_logs_splunk: Info: MID 128832755 ICID 38557304 From: <prvs=6238305210=iwarehouse.notify@raymondcorp.com>

up to ...

Dec 1 13:07:15 192.168.207.13 mail_logs_splunk: Info: Message finished MID 128832755 done

 

 

For the system log you will need to look for the following text strings: "User" and "commit changes".

 

Example:

Nov 27 10:58:00 192.168.207.13 system_logs_splunk: Info: PID 1635: User mluescher commit changes: added cvent to whitelist

 

I hope that helps

-Marc
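The MID correlation Marc describes, and the "spamming from a specific From address" rule Mitesh is after, as an added example (not code from the thread or from Cisco). It folds text mail log lines into one record per MID, closing a record on "Message finished MID ... done" or after 10 seconds without a line for that MID, then counts unwanted verdicts per envelope sender. The sample lines are constructed in the format quoted above; the addresses, MIDs and the "IMS spam positive" verdict are made up, and the set of verdict substrings treated as unwanted is an assumption.

```python
import re
from datetime import datetime

# Constructed sample input modelled on the ESA text mail log lines quoted in the thread.
# MIDs, ICIDs, addresses and verdicts are made up for this example.
SAMPLE_MAIL_LOG = """\
Dec 1 13:07:15 192.168.207.13 mail_logs_splunk: Info: Start MID 128832755 ICID 38557304
Dec 1 13:07:15 192.168.207.13 mail_logs_splunk: Info: MID 128832755 ICID 38557304 From: <promo@example.net>
Dec 1 13:07:15 192.168.207.13 mail_logs_splunk: Info: MID 128832755 ICID 38557304 RID 0 To: <alice@example.com>
Dec 1 13:07:16 192.168.207.13 mail_logs_splunk: Info: MID 128832755 interim verdict using engine: IMS bulk
Dec 1 13:07:16 192.168.207.13 mail_logs_splunk: Info: Start MID 128832756 ICID 38557305
Dec 1 13:07:16 192.168.207.13 mail_logs_splunk: Info: MID 128832756 ICID 38557305 From: <bob@example.org>
Dec 1 13:07:16 192.168.207.13 mail_logs_splunk: Info: MID 128832756 ICID 38557305 RID 0 To: <carol@example.com>
Dec 1 13:07:17 192.168.207.13 mail_logs_splunk: Info: MID 128832756 interim verdict using engine: IMS spam negative
Dec 1 13:07:17 192.168.207.13 mail_logs_splunk: Info: Message finished MID 128832755 done
Dec 1 13:07:18 192.168.207.13 mail_logs_splunk: Info: Message finished MID 128832756 done
Dec 1 13:07:40 192.168.207.13 mail_logs_splunk: Info: Start MID 128832757 ICID 38557306
Dec 1 13:07:40 192.168.207.13 mail_logs_splunk: Info: MID 128832757 ICID 38557306 From: <promo@example.net>
Dec 1 13:07:40 192.168.207.13 mail_logs_splunk: Info: MID 128832757 ICID 38557306 RID 0 To: <dave@example.com>
Dec 1 13:07:41 192.168.207.13 mail_logs_splunk: Info: MID 128832757 interim verdict using engine: IMS spam positive
Dec 1 13:09:00 192.168.207.13 mail_logs_splunk: Info: Start MID 128832758 ICID 38557307
"""

# syslog prefix: "<Mon> <day> <hh:mm:ss> <host> <subscription>: <Level>: <message>"
LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: \w+: (?P<msg>.*)$')
MID_RE = re.compile(r'^(?:Start |Message finished )?MID (?P<mid>\d+)')
START_RE = re.compile(r'^Start MID (?P<mid>\d+) ICID (?P<icid>\d+)')
FROM_RE = re.compile(r'^MID \d+ ICID \d+ From: <(?P<addr>[^>]*)>')
TO_RE = re.compile(r'^MID \d+ ICID \d+ RID \d+ To: <(?P<addr>[^>]*)>')
VERDICT_RE = re.compile(r'^MID \d+ (?:interim )?verdict using engine: (?P<verdict>.+)$')
FINISH_RE = re.compile(r'^Message finished MID \d+ done$')

WINDOW_SECONDS = 10  # correlation window suggested in the thread
# Verdict substrings treated as unwanted mail (assumption; the thread shows "IMS bulk", "IMS marketing").
SPAM_MARKERS = ("spam positive", "bulk", "marketing")


def correlate(lines, window=WINDOW_SECONDS):
    """Fold text mail log lines into one record per MID.

    A record closes on 'Message finished MID ... done', or when no line for that MID
    has arrived for `window` seconds (measured on the log timestamps), or at end of
    input. Lines for a MID whose 'Start' was never seen are skipped.
    """
    open_msgs, closed = {}, []

    def close(mid, reason):
        rec = open_msgs.pop(mid)
        rec["closed_by"] = reason
        closed.append(rec)

    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue
        # No year in the syslog timestamp; strptime defaults to 1900, fine for deltas.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        msg = m["msg"]
        # Expire idle sessions before handling this line.
        for mid in [k for k, r in open_msgs.items() if (ts - r["last_seen"]).total_seconds() > window]:
            close(mid, "timeout")
        mm = MID_RE.match(msg)
        if not mm:
            continue
        mid = mm["mid"]
        if (s := START_RE.match(msg)):
            open_msgs[mid] = {"mid": mid, "icid": s["icid"], "from": None, "to": [],
                              "verdicts": [], "first_seen": ts, "last_seen": ts}
            continue
        rec = open_msgs.get(mid)
        if rec is None:
            continue
        rec["last_seen"] = ts
        if (f := FROM_RE.match(msg)):
            rec["from"] = f["addr"].lower()
        elif (t := TO_RE.match(msg)):
            rec["to"].append(t["addr"].lower())
        elif (v := VERDICT_RE.match(msg)):
            rec["verdicts"].append(v["verdict"])
        elif FINISH_RE.match(msg):
            close(mid, "finished")
    for mid in list(open_msgs):
        close(mid, "end_of_input")
    return closed


def is_unwanted(rec):
    return any(marker in v.lower() for v in rec["verdicts"] for marker in SPAM_MARKERS)


def spam_count_by_sender(records, sender):
    """Correlated messages from `sender` (envelope From) that carried an unwanted verdict."""
    sender = sender.lower()
    return sum(1 for r in records if r["from"] == sender and is_unwanted(r))


def spamming_senders(records, threshold):
    """Senders with at least `threshold` unwanted messages in the correlated set."""
    counts = {}
    for r in records:
        if r["from"] and is_unwanted(r):
            counts[r["from"]] = counts.get(r["from"], 0) + 1
    return {s: n for s, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = correlate(SAMPLE_MAIL_LOG.splitlines())
    for r in recs:
        print(r["mid"], r["closed_by"], r["from"], r["to"], r["verdicts"])
    print("senders over threshold:", spamming_senders(recs, 2))
```

In the sample, MID 128832757 never gets a "Message finished" line and is closed by the 10-second idle window when the next line arrives 79 seconds later; MID 128832758 is only closed at end of input. A SIEM rule built this way keys on the envelope From, so if the friendly From matters you still need the message filter Marc mentions later in the thread.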

 

Hi Marc,

 

Actually I work on the ArcSight SIEM and we receive a mail log (with sender, receiver and MID once the message is sent successfully). But now we have integrated Cisco ESA with LogRhythm and we are receiving logs as well, but not the full-session log. Is there any configuration to enable session logs in Cisco ESA?

 

I know my question is a bit confusing but please help.

 

Regards,

Mitesh Agrawal

Hi Marc,

 

Can you please confirm whether the Cisco ESA generates a log (which includes the sender as well as the receiver, i.e. the full session) when the message/mail is delivered successfully?

 

We need to write a rule in order to check for spamming from a specific "From Address".

 

Regards,

Mitesh Agrawal

Hi Mitesh

 

A full mail event would give you either the ENV FROM or the SMTP FROM. If you are interested in receiving the friendly from, in case it is different, then you need to add a message filter that adds the friendly from as a debug entry so a SIEM can pick it up.

There are multiple ways to filter the messages which have been classified as SPAM, but I would look for the anti-spam verdicts like:

 

Mon Dec 2 14:33:52 2019 Info: MID 359940626 interim verdict using engine: IMS bulk
Mon Dec 2 14:33:53 2019 Info: MID 359940628 interim verdict using engine: IMS bulk
Mon Dec 2 14:33:53 2019 Info: MID 359940628 interim verdict using engine: IMS marketing
Mon Dec 2 14:33:54 2019 Info: MID 359940638 interim verdict using engine: IMS spam negative

 

This gives you an idea of the predisposition of an email and you can pick it up in your SIEM.

 

On a personal note: interaction with a SIEM will become much easier once your ESA is upgraded to v13 and you are using the CLF (Common Log File) format.

While today you have up to 50 lines across multiple MIDs and ICIDs, you will be able to have just one line with the final verdict, like:

 

Dec 3 11:43:45 192.168.207.13 CEL_Splunk: CEF:0|Cisco|C600V Email Security Virtual Appliance|13.0.0-314|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=420A515A1F1CEBDE3B3D-0586E51CFC0F ESAMID=129401795 ESAICID=38708364 ESADCID=17591779 ESAAMPVerdict=SKIPPED ESAASVerdict=NEGATIVE ESAAVVerdict=NOT_EVALUATED ESACFVerdict=MATCH endTime=Tue Dec 3 11:43:44 2019 ESADKIMVerdict=pass ESADLPVerdict=NOT_EVALUATED ESADMARCVerdict=Skipped dvc=192.168.207.13 ESAFriendlyFrom=Keila ESAGMVerdict=NEGATIVE startTime=Tue Dec 3 11:43:41 2019 deviceInboundInterface=InboundInterface deviceDirection=0 ESAMailFlowPolicy=ACCEPT suser=keilar@danhilcontainers.com cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=United States ESAMFVerdict=MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<A7FD5A1C-3421-40EF-8B9E-00AD00EC7A77@danhilcontainers.com>' ESAOFVerdict=NEGATIVE duser=Artemio.Alanis@fmc-xx.com ESAHeloDomain=NAM02-SN1-obe.outbound.protection.outlook.com ESAHeloIP=40.107.77.72 cfp1Label=SBRSScore cfp1=3.5 ESASDRDomainAge=20 years 3 days cs3Label=SDRThreatCategory cs3=N/A cs6Label=SDRRepScore cs6=Neutral ESASPFVerdict=None sourceHostName=mail-eopbgr770072.outbound.protection.outlook.com ESASenderGroup=UNKNOWNLIST sourceAddress=40.107.77.72 msg='Re: P.O. 4510967481 // CAJA E INSERTO LILIPUT PREGUNTA DANHIL--' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSOutCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2 ESAURLDetails={'http://secure-web.cisco.com/175hwjpPdgRKSY_HK2Z75YJ4T_NRP5_ruQ_QK89kSafYgjFAYdBx3z191RkzWHe6u4flU0qBOKKX4pOmPzEBGHoIoJ44iycGvjW0dOhCksMS8207wgdxqv7bbnJRhXcRaQFDFhc_8Y_ukcNP0kZKj9jk5UMulrTZToMrdOT-A76GuRQ1h2aH6MQvKBXwMELhfSJsY3taE5vwAvpHiUUCurHwdxKafG......': {'WbrsScore': '7.3'}, 'http://secure-web.cisco.com/1Xm4n9v74aQdi7IVfnY_DPo8WYMXrr5MGd2HD-NTQH01O4xEcHK7Pn_zRgSoGhisYYi1oxQ8gxaLN0v7TqnMtMB7TQWIyspdKIOChDtHQeOHpLQfLgud-sAyTnQhzzirbWdpaG72cj-GND4dWj_VQw1ytxmuLZMw6fOgn-ijTMIkj7irx4EO_DsRGe3E4yXDetkombvVf9nr4Btxd1RJwH4APxmWCf......': {'WbrsScore': '7.3'}, 'www.fmcxxx.com': {'WbrsScore': '5.0'}}
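A parser for the one-line consolidated event format shown above, as an added example (not code from the thread or from Cisco). The awkward part of such a line for a SIEM is that extension values contain spaces (the timestamps, "United States", "20 years 3 days"), so it can only be split where whitespace is followed by a "key=" token; the csNLabel/cfpNLabel pairs are then resolved so "MailPolicy" can be looked up directly, and the anti-spam verdict field drives the spam check. The sample line is constructed from the fields quoted above with made-up identifiers, a shortened ESAURLDetails value and ESAASVerdict set to POSITIVE; the set of verdict values treated as unwanted is an assumption (only NEGATIVE appears on this page).

```python
import re

# Constructed sample input modelled on the consolidated event log line quoted in the thread.
# Identifiers, addresses and host names are made up and ESAURLDetails is shortened.
SAMPLE_CEF = (
    "Dec 3 11:43:45 192.168.207.13 CEL_Splunk: CEF:0|Cisco|C600V Email Security Virtual Appliance|"
    "13.0.0-314|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|"
    "deviceExternalId=420A515A1F1CEBDE3B3D-0586E51CFC0F ESAMID=129401795 ESAICID=38708364 "
    "ESAAMPVerdict=SKIPPED ESAASVerdict=POSITIVE ESAAVVerdict=NOT_EVALUATED "
    "endTime=Tue Dec 3 11:43:44 2019 dvc=192.168.207.13 ESAFriendlyFrom=Keila "
    "startTime=Tue Dec 3 11:43:41 2019 suser=sender@example.net "
    "cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=United States "
    "act=DROPPED duser=recipient@example.com cfp1Label=SBRSScore cfp1=3.5 "
    "ESASDRDomainAge=20 years 3 days sourceAddress=203.0.113.7 "
    "msg='Re: P.O. 4510967481 // order question' ESATLSInProtocol=TLSv1.2 "
    "ESAURLDetails={'www.example.com': {'WbrsScore': '5.0'}}"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")
# Split points: an unescaped '|' in the header; whitespace followed by 'key=' in the extension.
PIPE_RE = re.compile(r'(?<!\\)\|')
EXT_SPLIT_RE = re.compile(r'\s+(?=[A-Za-z][A-Za-z0-9_]*=)')
KV_RE = re.compile(r'^([A-Za-z][A-Za-z0-9_]*)=(.*)$', re.S)
# Anti-spam verdict values treated as unwanted mail. Only NEGATIVE appears in the thread;
# the rest of this set is an assumption about the verdict vocabulary.
UNWANTED_AS_VERDICTS = {"POSITIVE", "SUSPECT", "BULK", "MARKETING"}


def _unescape(s):
    # CEF escapes '|' in the header and '=' in the extension with a backslash; '\\' is a backslash.
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def parse_cef(line):
    """Parse a syslog line carrying a CEF record into header fields and extension key/values.

    Caveat: a value that itself contains a literal ' word=' would be cut at that point;
    a production parser should validate split keys against the known field set.
    """
    pos = line.find("CEF:")
    if pos < 0:
        raise ValueError("no CEF record in line")
    parts = PIPE_RE.split(line[pos:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    header = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    header["version"] = header["version"][len("CEF:"):]
    header["severity"] = int(header["severity"])

    raw = {}
    for token in EXT_SPLIT_RE.split(parts[7].strip()):
        kv = KV_RE.match(token)
        if kv:
            raw[kv.group(1)] = _unescape(kv.group(2))
    # Resolve csNLabel / cfpNLabel pairs so the label name can be used as the key too.
    fields = {}
    for key, value in raw.items():
        if key.endswith("Label"):
            continue
        label = raw.get(key + "Label")
        if label:
            fields[label] = value
        fields[key] = value
    return {"header": header, "fields": fields}


def is_spam_event(event):
    """True when the consolidated event's anti-spam verdict is in the unwanted set."""
    return event["fields"].get("ESAASVerdict", "").upper() in UNWANTED_AS_VERDICTS


if __name__ == "__main__":
    ev = parse_cef(SAMPLE_CEF)
    print(ev["header"]["device_version"], ev["fields"]["ESAMID"], ev["fields"]["suser"],
          "->", ev["fields"]["duser"], ev["fields"]["MailPolicy"], ev["fields"]["ESAASVerdict"])
    print("spam:", is_spam_event(ev))
```

Because the whole verdict set arrives in one event, a "spam from sender X" rule becomes a plain filter on suser and ESAASVerdict, with no MID correlation window needed.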

 

Hi Marc,

 

Thanks for your detailed reply.

 

Now the full-session logs picture is clear to me and I can configure a use case based on RID to check for spamming.

For config changes and audit logs, you previously mentioned that the logs will come from "System Logs". Can you please confirm this as well? Also, from the admin guide I found that the config changes are captured in "Configuration History Logs". Can we create a log subscription for this as well? Our issue is that we are not able to capture the "user" name in the raw log. Can this be an issue with the baseline? Currently it is "local7" and "Informational".

 

Regards,

Mitesh Agrawal

Hi Mitesh,

 

Sorry it took some time to get back to you, as I first had to review the configuration change log function and whether there were any changes since my last setup.

In short, the configuration history logs create an XML config file dump every time a config change is performed. While this can be very helpful to understand the nature of any change and its author, it will require a lot of backend logic in your SIEM. Also, those files do not offer direct syslog forwarding, so an SSH pull might need to be done.

Every "dump" will need to be fully XML-parsed and imported into a database by your SIEM. When the next "dump" occurs, a delta extract combined with the submitting user will need to be created.

While parsing a config file sounds like an easy task, the size of the file (2 MB in our case) makes this a very complex task. My recommendation would be to create a SIEM alert based on a detected end-user change as outlined in a previous post (system logs).

Then, if needed, you can map this change to an XML config log change file.

 

I hope this helps

 

-Marc

 

 

Hi @marc.luescherFRE ,

 

Thanks for your support. I have found the issue. The logging level for system logs was set to "Warning", but I had been told that it was logging at the "Informational" level.

I found the raw logs and there it was shown as "Loc7.WARN", so that is how I got to know.

 

Thanks for all your help @marc.luescherFRE .

 

Regards,

Mitesh Agrawal

Hi @marc.luescherFRE ,

Hope you are doing well.

I wanted to know whether, if I select logging level "Info", I will get all logs above that level (like Warning, Critical, etc.) or only "Informational" logs?

Regards,

Mitesh Agrawal

Hi Mitesh,

Setting log level "Info" will also include the Warning and Critical log levels.

Have a nice day

-Marc
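The two audit points from this part of the thread, as an added example (not code from the thread or from Cisco): extracting the "User <name> commit changes: <description>" events Marc points to in the system log, and checking which lines a subscription at a given level would actually forward, which is what bit Mitesh when the system log subscription sat at "Warning" (a subscription forwards its own severity and anything more severe, so Info-level commit lines never left the box). The sample lines are constructed in the format quoted above with a raw syslog PRI prepended (<190> is local7.info, <188> is local7.warning); the thread itself only shows the SIEM's decoded "Loc7.WARN", and the mapping of ESA level names onto syslog severities is an assumption.

```python
import re

# Constructed sample input modelled on the ESA system log lines quoted in the thread, with a
# raw syslog PRI prepended so the severity check can be shown. User names are made up.
SAMPLE_SYSTEM_LOG = """\
<190>Nov 27 10:58:00 192.168.207.13 system_logs_splunk: Info: PID 1635: User mluescher commit changes: added cvent to whitelist
<190>Nov 27 11:02:10 192.168.207.13 system_logs_splunk: Info: PID 1635: User admin commit changes: disabled a content filter
<188>Nov 27 11:05:42 192.168.207.13 system_logs_splunk: Warning: PID 1635: constructed warning line for the severity check
"""

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
# ESA log-subscription level labels mapped onto syslog severity names (assumption about the UI labels).
LEVEL_ALIASES = {"informational": "info", "information": "info", "critical": "crit", "error": "err"}

SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) '
    r'(?P<tag>\S+): (?P<level>\w+): (?P<msg>.*)$')
COMMIT_RE = re.compile(r'^PID (?P<pid>\d+): User (?P<user>\S+) commit changes: (?P<desc>.*)$')


def decode_pri(pri):
    """Split a syslog PRI into (facility, severity); local7 is facility 23."""
    return pri // 8, pri % 8


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    return {"ts": m["ts"], "host": m["host"], "facility": facility, "severity": severity,
            "severity_name": SEVERITIES[severity], "msg": m["msg"]}


def config_changes(lines):
    """Extract commit events ('User <name> commit changes: <description>') from system log lines."""
    events = []
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            continue
        c = COMMIT_RE.match(rec["msg"])
        if c:
            events.append({"ts": rec["ts"], "host": rec["host"], "user": c["user"], "pid": c["pid"],
                           "description": c["desc"], "severity": rec["severity_name"]})
    return events


def forwarded_at_level(lines, subscription_level):
    """Lines a subscription set to `subscription_level` would forward: that severity and
    anything more severe (lower number). With 'Warning' the Info-level commit lines are dropped."""
    name = subscription_level.lower()
    threshold = SEVERITIES.index(LEVEL_ALIASES.get(name, name))
    kept = []
    for line in lines:
        rec = parse_syslog(line)
        if rec and rec["severity"] <= threshold:
            kept.append(line)
    return kept


if __name__ == "__main__":
    lines = SAMPLE_SYSTEM_LOG.splitlines()
    for level in ("Warning", "Informational"):
        fwd = forwarded_at_level(lines, level)
        print(f"{level}: {len(fwd)} lines forwarded, {len(config_changes(fwd))} commit events visible")
```

A quick sanity check on the SIEM side is to look at the PRI of the first system log message that arrives: if every message decodes to severity 4 or lower, the subscription is still at Warning and no commit event will ever show up, whatever the correlation rule looks like.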