Splunk® Supported Add-ons

Splunk Add-on for Cisco ESA

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Configure Cisco ESA to send logs to Splunk Enterprise for the Splunk Add-on for Cisco ESA

Because you cannot install a forwarder directly on your Cisco ESA appliance, you must configure Cisco ESA to place logs on a Splunk forwarder or single-instance Splunk Enterprise where you can configure monitor inputs.

You can send text mail, HTTP, SLL logs over Syslog, but you must send authentication logs via FTP or SCP.

You can send textmail and http logs over syslog, but you must send authentication logs via ftp or scp.

If SLL logs are configured in the system, make sure that delivery logs for the same system are not enabled as this may lead to data duplication in the Splunk environment. Since both the logs are mapped to the same data model "Email", collecting the same information from different sources may lead to data duplication in ES.

Configure SLL logs

If SLL logs are configured in the system, make sure that delivery logs for the same system are not enabled as this may lead to data duplication in the Splunk environment. Since both the logs are mapped to the same data model "Email", collecting the same information from different sources may lead to data duplication in ES.

As of version 1.4.0, this is the recommended Log Subscription for collecting data. As Consolidated Event Logs captures all information in SLL (Single Log Line) format.

  1. On your Cisco ESA, select System Administration > Log Subscriptions.
  2. In Add Log Subscription select the log type as Consolidated Event Logs
  3. Select the fields that you want in the consolidated event log.
  4. Select a log retrieval mechanism for the log subscription:
    • Manually Download
    • FTP Push
    • SCP Push
    • Syslog Push
    • AWS S3 Push. Make sure that you have a valid AWS S3 bucket to use this retrieval method.

Send logs over Syslog

You can configure Cisco IronPort ESA to send text mail, SLL and OAM log information over TCP or UDP. The default port is 514. If you do not have root access to that port, use a higher one such as 5140.

Authentication logs cannot be sent via Syslog.

Configure the device to send the data as Syslog over UDP/TCP.

  1. From the ESA console menu, navigate to System Administration > Log Subscriptions.
  2. Select the log name that you want to send to Splunk Enterprise. For example, mail_logs.
  3. Provide the necessary information about the Syslog server.
  4. Repeat for any additional log files you want to send to Splunk Enterprise.
  5. Configure Splunk Enterprise to listen on the same port that you selected above to receive Syslog data from Cisco ESA.

Send logs via FTP or SCP

Work with your Cisco ESA administrator to determine the location of the authentication log files.

  1. On the ESA device, run this command: esa.acme.com> logconfig. This command returns a list of log names, including authentication, antivirus, and cli_logs. The name of the log file is the directory in which it resides. The log files themselves are named with time and date stamps and an 's' suffix for saved files and a 'c' suffix for the current file.
  2. If it is not already enabled, enable FTP or SCP on the Cisco ESA device using the interfaceconfigcommand in the CLI.
  3. Ask your Cisco ESA administrator to set up an SCP or FTP job by running a command such as this one: scp 'admin@esa.acme.com:/authentication/*.s' <path to monitor esa files />
  4. You may not want to copy all the saved files each time. Work with your Cisco ESA administrator to implement a batch transfer setup that complies with your enterprise policies and practices.
Last modified on 01 September, 2020
PREVIOUS
Install the Splunk Add-on for Cisco ESA
  NEXT
Configure monitor inputs for the Splunk Add-on for Cisco ESA

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters