Splunk® Supported Add-ons

Splunk Add-on for Cisco ESA

Download manual as PDF

Download topic as PDF

Configure Cisco ESA to send logs to Splunk Enterprise for the Splunk Add-on for Cisco ESA

Because you cannot install a forwarder directly on your Cisco ESA appliance, you must configure Cisco ESA to place logs on a Splunk forwarder or single-instance Splunk Enterprise where you can configure monitor inputs.

You can send textmail and http logs over syslog, but you must send authentication logs via ftp or scp.

Send textmail and http logs over syslog

You can configure Cisco IronPort ESA to send textmail and OAM log information over TCP or UDP. The default port is 514. If you do not have root access to that port, use a higher one such as 5140.

Authentication logs cannot be sent via syslog. See the next section to learn how to configure Cisco ESA to send these logs.

To configure the device to send the data as syslog over UDP/TCP, follow these steps:

  1. From the ESA console menu, navigate to System Administration > Log Subscriptions.
  2. Select the log name that you want to send to Splunk Enterprise. For example, mail_logs.
  3. Provide the necessary information about the syslog server.
  4. Repeat for any additional log files you want to send to Splunk Enterprise.
  5. Configure Splunk Enterprise to listen on the same port that you selected above to receive syslog data from Cisco IronPort ESA.

Send authentication logs via ftp or scp

  1. Work with your Cisco ESA administrator to determine the location of the authentication log files. On the ESA device, run this command: esa.acme.com> logconfig .
    This command returns a list of log names, such as authentication, antivirus, and cli_logs, etc. The name of the log file is the directory in which it resides. The log files themselves are named with time and date stamps and an 's' suffix for saved files and a 'c' suffix for the current file.
  2. If it is not already enabled, enable ftp or scp on the Cisco ESA device using the interfaceconfig command in the CLI.
  3. Ask your Cisco ESA administrator to set up an scp or ftp job by running a command such as this one: scp 'admin@esa.acme.com:/authentication/*.s' <path to monitor esa files />

You may not want to copy all the *.s files each time. Work with your Cisco ESA administrator to implement a batch transfer setup that complies with your enterprise policies and practices.

Next, configure your monitor inputs.

Install the Splunk Add-on for Cisco ESA
Configure monitor inputs for the Splunk Add-on for Cisco ESA

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters