Configure Cisco ESA to send logs to Splunk Enterprise for the Splunk Add-on for Cisco ESA

Because you cannot install a forwarder directly on your Cisco ESA appliance, you must configure Cisco ESA to place logs on a Splunk forwarder or single-instance Splunk Enterprise where you can configure monitor inputs.

You can send text mail, HTTP, SLL logs over Syslog, but you must send authentication logs via FTP or SCP.

Avoid configuring Splunk to listen for syslog messages directly. Instead, you can collect Syslog data using Splunk Connect for Syslog (SC4S). To configure your deployment to use SC4S to collect Syslog data, follow the steps described in the Splunk Connect for Syslog manual.

If SLL log encryption is configured in the system, make sure that unencrypted logs for the same system are not enabled as this may lead to data duplication in the Splunk environment. Since both the logs are mapped to the same data model "Email", collecting the same information from different sources may lead to data duplication in ES.

Configure SLL logs

If SLL logs are configured in the system, make sure that delivery logs for the same system are not enabled as this may lead to data duplication in the Splunk environment. Since both the logs are mapped to the same data model "Email", collecting the same information from different sources may lead to data duplication in ES.

As of version 1.5.0, this is the recommended Log Subscription for collecting data. As Consolidated Event Logs captures all information in SLL (Single Log Line) format.

1. On your Cisco ESA, select System Administration > Log Subscriptions.
2. In Add Log Subscription select the log type as Consolidated Event Logs
3. Select the fields that you want in the consolidated event log.
4. Select a log retrieval mechanism for the log subscription:
   • Manually Download
   • FTP Push
   • SCP Push
   • Syslog Push
   • AWS S3 Push. Make sure that you have a valid AWS S3 bucket to use this retrieval method.

Send logs over Syslog

We recommend that you avoid listening directly to syslog and instead use Splunk Connect for Syslog. For more information, see Splunk Connect for Syslog manual.

You can configure Cisco IronPort ESA to send text mail, SLL and OAM log information over TCP or UDP. The default port is 514. If you do not have root access to that port, use a higher one such as 5140.

Authentication logs cannot be sent via Syslog.

Configure the device to send the data as Syslog over UDP/TCP.

1. Configure Splunk Enterprise to listen on the same port that you selected above to receive Syslog data from Cisco ESA.
2. From the ESA console menu, navigate to System Administration > Log Subscriptions.
3. Select the log name that you want to send to Splunk Enterprise. For example, mail_logs.
4. Provide the necessary information about the Syslog server.
5. Repeat for any additional log files you want to send to Splunk Enterprise.
>

Send logs via FTP or SCP

Work with your Cisco ESA administrator to determine the location of the authentication log files.

1. On the ESA device, run this command: esa.acme.com> logconfig. This command returns a list of log names, including authentication, antivirus, and cli_logs. The name of the log file is the directory in which it resides. The log files themselves are named with time and date stamps and an 's' suffix for saved files and a 'c' suffix for the current file.
2. If it is not already enabled, enable FTP or SCP on the Cisco ESA device using the interfaceconfigcommand in the CLI.
3. Ask your Cisco ESA administrator to set up an SCP or FTP job by running a command such as this one: scp 'admin@esa.acme.com:/authentication/*.s' <path to monitor esa files />
4. You may not want to copy all the saved files each time. Work with your Cisco ESA administrator to implement a batch transfer setup that complies with your enterprise policies and practices.