Configure Cisco ESA to send logs to Splunk Enterprise for the Splunk Add-on for Cisco ESA
Because you cannot install a forwarder directly on your Cisco ESA appliance, you must configure Cisco ESA to place logs on a Splunk forwarder or single-instance Splunk Enterprise where you can configure monitor inputs.
You can send textmail and http logs over syslog, but you must send authentication logs via ftp or scp.
Send textmail and http logs over syslog
You can configure Cisco IronPort ESA to send textmail and OAM log information over TCP or UDP. The default port is 514. Because 514 is a privileged port, the Splunk process can bind to it only when running as root; if it does not, use a higher port such as 5140.
Authentication logs cannot be sent via syslog. See the next section to learn how to configure Cisco ESA to send these logs.
To configure the device to send the data as syslog over UDP/TCP, follow these steps:
- From the ESA console menu, navigate to System Administration > Log Subscriptions.
- Select the log name that you want to send to Splunk Enterprise. For example, mail_logs.
- Provide the necessary information about the syslog server.
- Repeat for any additional log files you want to send to Splunk Enterprise.
- Configure Splunk Enterprise to listen on the same port that you selected above to receive syslog data from Cisco IronPort ESA.
Send authentication logs via ftp or scp
- Work with your Cisco ESA administrator to determine the location of the authentication log files. On the ESA device, run this command:
This command returns a list of log names, such as authentication, antivirus, cli_logs, and so on. Each log name is also the name of the directory in which its files reside. The log files themselves are named with date and time stamps and carry an 's' suffix for saved (rotated) files and a 'c' suffix for the file currently being written.
- If it is not already enabled, enable ftp or scp on the Cisco ESA device using the interfaceconfig command in the CLI.
- Ask your Cisco ESA administrator to set up an scp or ftp job by running a command such as this one:
scp 'email@example.com:/authentication/*.s' <path to monitor esa files />
You may not want to copy all the *.s files each time. Work with your Cisco ESA administrator to implement a batch transfer setup that complies with your enterprise policies and practices.
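The following script is an added example and is not part of the Splunk or Cisco documentation. It ties the two procedures above together: it emits the inputs.conf stanzas a forwarder needs (a TCP syslog listener on the higher port mentioned earlier and a monitor input for the pulled authentication files), and it implements the incremental batch transfer the previous paragraph asks for, copying only the saved ('s' suffix) files that have not been transferred before and skipping the current ('c' suffix) file that is still being written. The hostname, the account, the local paths, the sftp-based remote listing and the sourcetype names are all assumptions; check the sourcetypes against the add-on's own props.conf before using them.

```shell
#!/bin/sh
# Added example, not from the Splunk or Cisco documentation.
# Incremental pull of saved ESA log files into a Splunk-monitored directory.
set -u

ESA_HOST="${ESA_HOST:-esa.example.com}"              # assumed appliance hostname
ESA_USER="${ESA_USER:-logreader}"                    # assumed account with scp access
LOG_NAME="${LOG_NAME:-authentication}"               # log name doubles as remote directory
DEST_DIR="${DEST_DIR:-/var/log/esa/authentication}"  # directory the forwarder monitors
STATE_FILE="${STATE_FILE:-$DEST_DIR/.transferred}"   # one transferred file name per line

# Print inputs.conf stanzas for the forwarder: a syslog listener for the
# textmail subscription and a monitor input for the pulled files.
# Sourcetype names are assumptions; verify against the installed add-on.
inputs_conf() {
    port="$1"
    cat <<EOF
[tcp://$port]
sourcetype = cisco:esa:textmail
connection_host = ip

[monitor://$DEST_DIR]
sourcetype = cisco:esa:authentication
whitelist = \.s$
EOF
}

# Read remote file names on stdin; print only saved ('.s') files that are
# not yet recorded in the state file. Current ('.c') files are skipped.
# grep exits 1 when nothing matches, which is not an error here.
select_new_files() {
    state="$1"
    [ -f "$state" ] || : > "$state"
    if [ -s "$state" ]; then
        grep '\.s$' | grep -F -v -x -f "$state" || [ $? -eq 1 ]
    else
        grep '\.s$' || [ $? -eq 1 ]
    fi
}

# Assumed listing method: an sftp batch 'ls' over the appliance's SSH service.
# Replace this with whatever listing method your ESA administrator provides.
list_remote_files() {
    printf 'ls -1 /%s\n' "$LOG_NAME" | sftp -q -b - "$ESA_USER@$ESA_HOST" | sed 's#.*/##'
}

# Copy one saved file and record it only after a non-empty copy landed,
# so a failed transfer is retried on the next run.
fetch_file() {
    name="$1"
    scp -q "$ESA_USER@$ESA_HOST:/$LOG_NAME/$name" "$DEST_DIR/$name" \
        && [ -s "$DEST_DIR/$name" ] \
        && printf '%s\n' "$name" >> "$STATE_FILE"
}

main() {
    mkdir -p "$DEST_DIR"
    list_remote_files | select_new_files "$STATE_FILE" | while read -r f; do
        fetch_file "$f" || echo "transfer failed: $f" >&2
    done
}

# Run the transfer only when invoked as: ./esa_pull.sh --run
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Schedule the script from cron on the forwarder host; because the state file records each name only after a successful copy, a run that is interrupted simply resumes on the next invocation, and the current ('c') file is never picked up until the appliance rotates it to a saved ('s') file.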