https://community.splunk.com/t5/Getting-Data-In/Incoming-email-info-from-Cisco-ESA/m-p/262785#M50438 <P>Did you have issues receiving these logs before? Or is this the first time? Did you make any changes to configuration files or upgrade anything in Splunk? </P> <P>Since I do not know your environment, I cannot verify with what you’ve given me whether this is an issue with Splunk, Cisco, or an intermediary network/security product in between. Going through this systematically will allow you to determine where the issue is. Try going through some troubleshooting steps. Start tracing it from the source to the destination. </P> <P>Try sending an email from your personal email to your work email and use that to trace the event from start to finish.</P> <P>Verify whether the event appears in the logs from the appliance. </P> <P>If yes,</P> <P>Verify if the appliance is forwarding those logs to the syslog server.</P> <P>If yes,</P> <P>Find the event in the syslog server and verify if the event was sorted (based on your syslog configuration file rules) into the appropriate directory.</P> <P>If yes,</P> <P>Verify the Splunk forwarder on the syslog server is configured to monitor that directory.</P> <P>If yes,</P> <P>Determine if the forwarder sent that event to the indexer. At this point you should be able to simply search for the event. Search all indexes, <CODE>index=* youremail@yourdomain.com</CODE>, for example. </P> <P>Hope that helps.</P> Tue, 31 Jan 2017 13:17:34 GMT adayton20 2017-01-31T13:17:34Z https://community.splunk.com/t5/Getting-Data-In/Incoming-email-info-from-Cisco-ESA/m-p/262781#M50434 <P>I installed the Cisco Security suite as well as the Cisco ESA add-on.</P> <P>I am forwarding the mail_logs from Cisco ESA to Splunk using syslog push over TCP.</P> <P>I can see info in the dashboards for outgoing messages but nothing from incoming.</P> <P>What do I need to configure to get the incoming messages info to show up?</P> Fri, 27 Jan 2017 15:10:20 GMT https://community.splunk.com/t5/Getting-Data-In/Incoming-email-info-from-Cisco-ESA/m-p/262781#M50434 heathramos 2017-01-27T15:10:20Z https://community.splunk.com/t5/Getting-Data-In/Incoming-email-info-from-Cisco-ESA/m-p/262782#M50435 <P>1.) Have you verified whether or not inbound email is a configured log subscription in the ESA?</P> <P>2.) Have you verified whether or not the indexers are ingesting inbound email logs from the ESA?</P> <P>3.) Have you verified the logs are not going to a different sourcetype or generic sourcetype?</P> Sun, 29 Jan 2017 02:29:56 GMT https://community.splunk.com/t5/Getting-Data-In/Incoming-email-info-from-Cisco-ESA/m-p/262782#M50435 adayton20 2017-01-29T02:29:56Z https://community.splunk.com/t5/Getting-Data-In/Incoming-email-info-from-Cisco-ESA/m-p/262783#M50436 <P>I don't see a log subscription specifically for inbound</P> <P>I am forwarding mail_logs</P> Mon, 30 Jan 2017 20:29:09 GMT https://community.splunk.com/t5/Getting-Data-In/Incoming-email-info-from-Cisco-ESA/m-p/262783#M50436 heathramos 2017-01-30T20:29:09Z https://community.splunk.com/t5/Getting-Data-In/Incoming-email-info-from-Cisco-ESA/m-p/262784#M50437 <P>for some reason eventtype=cisco-esa policy_direction=outbound has records but eventtype=cisco-esa policy_direction=inbound does not.</P> Tue, 29 Sep 2020 12:40:19 GMT https://community.splunk.com/t5/Getting-Data-In/Incoming-email-info-from-Cisco-ESA/m-p/262784#M50437 heathramos 2020-09-29T12:40:19Z https://community.splunk.com/t5/Getting-Data-In/Incoming-email-info-from-Cisco-ESA/m-p/262785#M50438 <P>Did you have issues receiving these logs before? Or is this the first time? Did you make any changes to configuration files or upgrade anything in Splunk? </P> <P>Since I do not know your environment, I cannot verify with what you’ve given me whether this is an issue with Splunk, Cisco, or an intermediary network/security product in between. Going through this systematically will allow you to determine where the issue is. Try going through some troubleshooting steps. Start tracing it from the source to the destination. </P> <P>Try sending an email from your personal email to your work email and use that to trace the event from start to finish.</P> <P>Verify whether the event appears in the logs from the appliance. </P> <P>If yes,</P> <P>Verify if the appliance is forwarding those logs to the syslog server.</P> <P>If yes,</P> <P>Find the event in the syslog server and verify if the event was sorted (based on your syslog configuration file rules) into the appropriate directory.</P> <P>If yes,</P> <P>Verify the Splunk forwarder on the syslog server is configured to monitor that directory.</P> <P>If yes,</P> <P>Determine if the forwarder sent that event to the indexer. At this point you should be able to simply search for the event. Search all indexes, <CODE>index=* youremail@yourdomain.com</CODE>, for example. </P> <P>Hope that helps.</P> Tue, 31 Jan 2017 13:17:34 GMT https://community.splunk.com/t5/Getting-Data-In/Incoming-email-info-from-Cisco-ESA/m-p/262785#M50438 adayton20 2017-01-31T13:17:34Z https://community.splunk.com/t5/Getting-Data-In/Incoming-email-info-from-Cisco-ESA/m-p/262786#M50439 <P>I believe it is an issue with ironport but not sure how to fix it.</P> <P>log files are coming over from ironport to splunk but the policy_direction field isn't associated with any incoming email logs</P> <P>this is a brand new set up</P> Tue, 31 Jan 2017 23:06:04 GMT https://community.splunk.com/t5/Getting-Data-In/Incoming-email-info-from-Cisco-ESA/m-p/262786#M50439 heathramos 2017-01-31T23:06:04Z https://community.splunk.com/t5/Getting-Data-In/Incoming-email-info-from-Cisco-ESA/m-p/262787#M50440 <P>I forgot to update this thread with what was wrong with my set up</P> <P>it looks like my incoming mail policy had a space in it's name and Splunk had issues extracting fields from the logs because of it</P> <P>change the space to an underscore fixed the issue</P> Tue, 07 Feb 2017 15:02:36 GMT https://community.splunk.com/t5/Getting-Data-In/Incoming-email-info-from-Cisco-ESA/m-p/262787#M50440 heathramos 2017-02-07T15:02:36Z