Splunk® Supported Add-ons

Splunk Add-on for Cisco ESA

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Source types for the Splunk Add-on for Cisco ESA

The Splunk Add-on for Cisco ESA provides index-time and search-time knowledge for seven types of logs: authentication, textmail, HTTP, Malware, Bounce, Delivery and Consolidated Event data. The add-on does not apply a source type to any incoming logs. You can apply the appropriate source types to your Cisco ESA log data during the data input phase.

Log type Source type Event type Description CIM data models
Authentication cisco:esa:authentication cisco_esa_authentication These logs record successful user logins and unsuccessful login attempts. Logs are stored as a <filename>.s (Ex. authentication.@20130302T122552.s) on the server. These logs cannot be configured to send through syslog push, so you must send them to send through ftp or scp. Authentication
Textmail cisco:esa:textmail cisco_esa_email Text mail logs for Cisco IronPort ESA record email information and status. Logs are stored as a <filename>.s (Ex. mail.@20130712T172736.s) on the server. None
HTTP cisco:esa:http cisco_esa_proxy The HTTP logs for Cisco IronPort ESA record information about the secure HTTP services enabled on the interface. Logs are stored as a <filename>.s (Ex. gui.@20130302T122618.s) on the server. None
Malware Data cisco:esa:amp * cisco_esa_amp
  • cisco_esa_mar
Advanced Malware Protection (AMP) of Cisco IronPort ESA records malware detection and blocking, continuous analysis, and retrospective alerting details. Logs are stored as a <filename>.s (Ex. amp.@20180103T132842.s) on the server. None
Legacy data cisco:esa:legacy * cisco_esa_authentication
  • cisco_esa_email
  • cisco_esa_proxy
If you have an older version of the add-on installed before the source types were renamed to follow best practices, your events indexed with the older source types cisco_esa and cisco:esa are now searchable under this new source type. None
Consolidated Event cisco:esa:cef cisco_esa_cef The Consolidated Event Logs summarize each message event in a single log line. Use this log type you to reduce the number of bytes of data (log information) sent to a Security Information and Event Management (SIEM) vendor or application for analysis. The logs are in the Common Event Format (CEF) log message format that is widely used by most SIEM vendors. Email
Bounce Logs cisco:esa:bounce N/A Bounce logs record information about bounced recipients. The information recorded for each bounced recipient includes:
  • the message ID
  • the recipient ID
  • the Envelope From address
  • the Envelope To address,
  • the reason for the recipient bounce,
  • the response code from the recipient host.

In addition, you can choose to log a fixed amount of each bounced recipient message. This amount is defined in bytes and the default is zero.

Delivery Logs cisco:esa:delivery cisco_esa_delivery Delivery logs record critical information about the AsyncOS email delivery operations. The log messages are "stateless," which means that all associated information is recorded in each log message and users do not need to reference previous log messages for information about the current delivery attempt. Email
Last modified on 01 September, 2020
Lookups for the Splunk Add-on for Cisco ESA
Troubleshoot the Splunk Add-on for Cisco ESA

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters