Source types for the Splunk Add-on for Cisco ESA
The Splunk Add-on for Cisco ESA provides index-time and search-time knowledge for seven types of logs: authentication, textmail, HTTP, Malware, Bounce, Delivery and Consolidated Event data. The add-on does not apply a source type to any incoming logs. You can apply the appropriate source types to your Cisco ESA log data during the data input phase.
|Log type||Source type||Event type||Description||CIM data models|
||These logs record successful user logins and unsuccessful login attempts. Logs are stored as a <filename>.s (Ex. authentication.@20130302T122552.s) on the server. These logs cannot be configured to send through syslog push, so you must send them to send through ftp or scp.||Authentication|
||Text mail logs for Cisco IronPort ESA record email information and status. Logs are stored as a <filename>.s (Ex. mail.@20130712T172736.s) on the server.||None|
||The HTTP logs for Cisco IronPort ESA record information about the secure HTTP services enabled on the interface. Logs are stored as a <filename>.s (Ex. gui.@20130302T122618.s) on the server.||None|
||Advanced Malware Protection (AMP) of Cisco IronPort ESA records malware detection and blocking, continuous analysis, and retrospective alerting details. Logs are stored as a <filename>.s (Ex. amp.@20180103T132842.s) on the server.||None|
||If you have an older version of the add-on installed before the source types were renamed to follow best practices, your events indexed with the older source types
||The Consolidated Event Logs summarize each message event in a single log line. Use this log type you to reduce the number of bytes of data (log information) sent to a Security Information and Event Management (SIEM) vendor or application for analysis. The logs are in the Common Event Format (CEF) log message format that is widely used by most SIEM vendors.|
||N/A||Bounce logs record information about bounced recipients. The information recorded for each bounced recipient includes:
In addition, you can choose to log a fixed amount of each bounced recipient message. This amount is defined in bytes and the default is zero.
||Delivery logs record critical information about the AsyncOS email delivery operations. The log messages are "stateless," which means that all associated information is recorded in each log message and users do not need to reference previous log messages for information about the current delivery attempt.|
Lookups for the Splunk Add-on for Cisco ESA
Troubleshoot the Splunk Add-on for Cisco ESA
This documentation applies to the following versions of Splunk® Supported Add-ons: released