Alerting

Details on how to configure Ironport for E-Mails to log to Splunk

ageld
Path Finder

Hello, Splunk ninjas

I have installed the Splunk for Ironport App on my test Splunk indexer. When I go to configure Ironport, I see multiple different log types defined there:

Anti-Spam Logs
Anti-Virus Logs
Anti-Spam Archive
Anti-Virus Archive
Bounce Logs
CLI Audit Logs
Encryption Logs
IronPort Text Mail Logs
IronPort Spam Quarantine Logs
IronPort Spam Quarantine GUI
FTP Server Logs
HTTP Logs
IronPort Text Mail Logs
Reporting Logs
Reporting Query Logs
Scanning Logs
Safe/Block Lists Logs
NTP logs
Status Logs
System Logs
Tracking Logs
Updater Logs

Which log types does the Splunk for Ironport App expect to receive, and via which method -- file upload or syslog?

We do not currently utilize Splunk anti-spam and anti-virus features. We use it for e-mail encryption. I have configured SMTP Conversation Logs to be delivered via syslog into a file on the Splunk indexer server and marked that file as cisco_esa so it is recognized by the application. The logs, however, were not recognized as multi-line, and some of the reports are not working properly. Does the application need the log to be configured as a multi-line one? How can I configure it?

Also, I do not know if I configured everything properly, but on the first summary screen the titles of the pie charts are mixed up -- Top Senders is in the place of Top Receivers and vice versa. The data is fine, just the titles are in the wrong places.

Thanks in advance for your help.


ageld
Path Finder

Finally, it is solved.

The following steps are to configure Splunk for Cisco Ironport EMail Security application:

  1. On the Ironport:
    -- System Administration -> Log Subscriptions
    -- Create a subscription with log type "IronPort Text Mail Logs" and log level "Information". Send the log to a syslog server using "SyslogPush". I run a separate syslog daemon on the Splunk server, which logs to files.

  2. On Splunk server:
    -- Create the following inputs.conf file in /etc/apps/Splunk_CiscoIronportEmailSecurity/local directory:

[monitor:///var/log/]
disabled = false
followTail = 0
sourcetype = cisco_esa

Some searches I found useful.

Find e-mails encrypted by TLS:
sourcetype="cisco_esa" | transaction maxspan=180s keepevicted=true mid dcid icid | search "TLS success" | eval mailto=lower(mailto) | eval mailfrom=lower(mailfrom) | stats count by mailto mailfrom | accum count AS Total | sort -Total mailto | table mailfrom mailto count Total

Find e-mails not encrypted by TLS:

sourcetype="cisco_esa" | transaction maxspan=180s keepevicted=true mid dcid icid | search "STARTTLS command not supported" | eval mailto=lower(mailto) | eval mailfrom=lower(mailfrom) | stats count by mailto mailfrom | accum count AS Total | sort -Total mailto | table mailfrom mailto count Total

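The two searches above rely on `transaction mid dcid icid` to stitch the inbound (MID/ICID) lines, which carry sender and recipient, together with the outbound (DCID) line that records the TLS outcome. The following Python script is an added illustration of that correlation, not code from the original post or from the Splunk app: it runs the same logic offline over a few constructed ESA text-mail log lines so the result can be checked without a Splunk instance. The sample lines, addresses and the exact wording of the TLS lines are assumptions modelled on the strings the searches match ("TLS success", "STARTTLS command not supported"); the mailfrom/mailto naming mirrors the searches.

```python
import re
from collections import defaultdict

# Constructed sample of IronPort ESA "Text Mail Logs" lines (assumption: the
# format approximates what the appliance writes at log level Information;
# the TLS lines use the strings the thread's searches match on).
SAMPLE_LOG = """\
Wed Apr 10 14:23:01 2013 Info: New SMTP ICID 1234 interface Management (192.168.1.10) address 10.0.0.5 reverse dns host mail.example.com verified yes
Wed Apr 10 14:23:01 2013 Info: Start MID 5678 ICID 1234
Wed Apr 10 14:23:01 2013 Info: MID 5678 ICID 1234 From: <Alice@example.com>
Wed Apr 10 14:23:01 2013 Info: MID 5678 ICID 1234 RID 0 To: <Bob@example.net>
Wed Apr 10 14:23:02 2013 Info: MID 5678 Subject 'Quarterly report'
Wed Apr 10 14:23:02 2013 Info: MID 5678 queued for delivery
Wed Apr 10 14:23:03 2013 Info: New SMTP DCID 9012 interface 192.168.1.10 address 203.0.113.25 port 25
Wed Apr 10 14:23:03 2013 Info: DCID 9012 TLS success protocol TLSv1 cipher AES128-SHA
Wed Apr 10 14:23:03 2013 Info: Delivery start DCID 9012 MID 5678 to RID [0]
Wed Apr 10 14:23:04 2013 Info: Message done DCID 9012 MID 5678 to RID [0]
Wed Apr 10 14:23:04 2013 Info: Message finished MID 5678 done
Wed Apr 10 14:23:10 2013 Info: Start MID 5679 ICID 1234
Wed Apr 10 14:23:10 2013 Info: MID 5679 ICID 1234 From: <alice@example.com>
Wed Apr 10 14:23:10 2013 Info: MID 5679 ICID 1234 RID 0 To: <carol@example.org>
Wed Apr 10 14:23:11 2013 Info: MID 5679 queued for delivery
Wed Apr 10 14:23:12 2013 Info: New SMTP DCID 9013 interface 192.168.1.10 address 198.51.100.7 port 25
Wed Apr 10 14:23:12 2013 Info: DCID 9013 STARTTLS command not supported
Wed Apr 10 14:23:12 2013 Info: Delivery start DCID 9013 MID 5679 to RID [0]
Wed Apr 10 14:23:13 2013 Info: Message done DCID 9013 MID 5679 to RID [0]
Wed Apr 10 14:23:20 2013 Info: Start MID 5680 ICID 1235
Wed Apr 10 14:23:20 2013 Info: MID 5680 ICID 1235 From: <dave@example.com>
Wed Apr 10 14:23:20 2013 Info: MID 5680 ICID 1235 RID 0 To: <erin@example.net>
Wed Apr 10 14:23:21 2013 Info: MID 5680 queued for delivery
"""

# Inbound side: MID + ICID lines carry the envelope sender and recipients.
RE_FROM = re.compile(r"MID (\d+) ICID (\d+) From: <([^>]*)>")
RE_TO = re.compile(r"MID (\d+) ICID (\d+) RID \d+ To: <([^>]*)>")
# Outbound side: the TLS outcome is logged per DCID, and "Delivery start"
# ties a MID to the DCID that carried it.
RE_TLS_OK = re.compile(r"DCID (\d+) TLS success")
RE_TLS_NONE = re.compile(r"DCID (\d+) STARTTLS command not supported")
RE_DELIVERY = re.compile(r"Delivery start DCID (\d+) MID (\d+)")


def correlate(log_text):
    """Stitch MID/ICID/DCID lines into per-recipient records, the job that
    `transaction mid dcid icid` does in the searches. Returns a list of
    (mid, mailfrom, mailto, tls_status) where tls_status is "encrypted",
    "plaintext" or "unknown" (no delivery attempt seen for that MID yet)."""
    messages = defaultdict(lambda: {"mailfrom": None, "mailto": [], "dcid": None})
    tls_by_dcid = {}
    for line in log_text.splitlines():
        if m := RE_FROM.search(line):
            messages[m.group(1)]["mailfrom"] = m.group(3).lower()
        elif m := RE_TO.search(line):
            messages[m.group(1)]["mailto"].append(m.group(3).lower())
        elif m := RE_TLS_OK.search(line):
            tls_by_dcid[m.group(1)] = "encrypted"
        elif m := RE_TLS_NONE.search(line):
            tls_by_dcid[m.group(1)] = "plaintext"
        elif m := RE_DELIVERY.search(line):
            messages[m.group(2)]["dcid"] = m.group(1)
    records = []
    for mid, rec in messages.items():
        # Resolved after the whole input is read, so the order in which the
        # TLS line and the "Delivery start" line appear does not matter.
        status = tls_by_dcid.get(rec["dcid"], "unknown")
        for rcpt in rec["mailto"]:
            records.append((mid, rec["mailfrom"], rcpt, status))
    return records


def count_by_pair(records, status):
    """Equivalent of `stats count by mailto mailfrom` restricted to one TLS
    outcome: returns {(mailfrom, mailto): count}."""
    counts = defaultdict(int)
    for _mid, mailfrom, mailto, st in records:
        if st == status:
            counts[(mailfrom, mailto)] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = correlate(SAMPLE_LOG)
    for status in ("encrypted", "plaintext", "unknown"):
        print(status)
        for (mailfrom, mailto), n in count_by_pair(recs, status).items():
            print(f"  {mailfrom} -> {mailto}: {n}")
```

Two things the script makes visible that the searches hide: a message that has been accepted but not yet delivered (MID 5680 above) has no TLS outcome at all and would silently drop out of both searches, and because the TLS line is logged once per DCID, a delivery connection reused for several messages over more than 180 seconds can fall outside the `maxspan=180s` window, so a long-lived DCID is worth checking against a wider span. If the syslog daemon writes the ESA lines to a dedicated file, pointing the monitor stanza at that file rather than all of /var/log keeps unrelated logs from being tagged cisco_esa.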

paul_hignutt
Engager

Where do you tell it to look for the "/var/log/xx" on a Windows deployed Splunk> server?

ageld
Path Finder

No, I could not find a way to push Transaction logs from Ironport devices to Splunk. When I turn transaction logging on, I can query stuff right on the Ironport box, but I have not found a way to send those logs either as a flat file or as syslog messages to Splunk. I will open a ticket with Ironport support. I will update this post if I make this whole thing work.


jamesklassen
Path Finder

I'm having difficulty determining exactly what data Splunk is looking for with this app. I'm unable to find any documentation. The readme that comes with the app does not provide any specific configuration instructions.

Ageld, did you manage to get this working? Which log subscription did you send to Splunk? Did you use syslog?

Update: Figured it out through trial and error. You will want to import the text mail logs. I set up an FTP server on the Windows Splunk server with IIS and had IronPort send a log file every 10 minutes. Splunk indexes this directory; name the file input cisco_esa.


jhansen
Splunk Employee

Hi ageld - The Splunk for Cisco Ironport Email Security Appliance (S4CESA) app is designed to accept data via flat file, which is Cisco's recommended approach. You can push the data to your Splunk server (or an intermediary server) and bring the files in using a standard file monitor.

As for the data types, Splunk can consume any of the data types listed in your post and you can query/report on that data as you normally would with Splunk. The S4CESA app currently reports only on the "Tracking Logs". If there are particular areas where you'd like to see additional reporting, let us know by sending an email to support@splunk.com. This will allow it to feed into our tracking and triage process.


ageld
Path Finder

It would be beneficial to make S4CESA report on which e-mails got encrypted and which did not, by sender, recipient and message subject. I've yet to figure out which Ironport log records such information. The Encryption log under the "Informational" level does not have this information. I will try to switch it to the Debug level to see if it is any more useful.
