Incoming email info from Cisco ESA

heathramos
Path Finder

I installed the Cisco Security suite as well as the Cisco ESA add-on.

I am forwarding the mail_logs from Cisco ESA to Splunk using syslog push over TCP.

I can see info in the dashboards for outgoing messages but nothing from incoming.

What do I need to configure to get the incoming messages info to show up?

0 Karma
1 Solution

heathramos
Path Finder

I forgot to update this thread with what was wrong with my setup.

It looks like my incoming mail policy had a space in its name, and Splunk had issues extracting fields from the logs because of it.

Changing the space to an underscore fixed the issue.

0 Karma

adayton20
Contributor

Did you have issues receiving these logs before? Or is this the first time? Did you make any changes to configuration files or upgrade anything in Splunk?

Since I do not know your environment, I cannot verify with what you’ve given me whether this is an issue with Splunk, Cisco, or an intermediary network/security product in between. Going through this systematically will allow you to determine where the issue is. Try going through some troubleshooting steps. Start tracing it from the source to the destination.

Try sending an email from your personal email to your work email and use that to trace the event from start to finish.

Verify whether the event appears in the logs from the appliance.

If yes,

Verify if the appliance is forwarding those logs to the syslog server.

If yes,

Find the event in the syslog server and verify if the event was sorted (based on your syslog configuration file rules) into the appropriate directory.

If yes,

Verify the Splunk forwarder on the syslog server is configured to monitor that directory.

If yes,

Determine if the forwarder sent that event to the indexer. At this point you should be able to simply search for the event. Search all indexes, index=* youremail@yourdomain.com, for example.

Hope that helps.

0 Karma

heathramos
Path Finder

I believe it is an issue with IronPort, but I'm not sure how to fix it.

Log files are coming over from IronPort to Splunk, but the policy_direction field isn't associated with any incoming email logs.

This is a brand-new setup.

0 Karma

heathramos
Path Finder

For some reason, eventtype=cisco-esa policy_direction=outbound has records, but eventtype=cisco-esa policy_direction=inbound does not.

0 Karma

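How a policy name containing a space can make exactly this symptom appear (outbound events searchable, inbound events absent), as an added Python example that is not from the original thread and not the Cisco ESA add-on's own extraction. The log lines are constructed to follow the wording of ESA mail_logs "matched all recipients for per-recipient policy ... in the ... table" entries, and both regexes are hypothetical stand-ins for whatever the add-on actually ships: the first captures the policy name as one run of non-whitespace, the second tolerates spaces. The accepted solution above (renaming the policy to use an underscore) is modelled as the "after" sample set.

```python
import re
from collections import Counter

# Constructed sample lines (not captured from a real appliance), modelled on
# the phrasing of Cisco ESA mail_logs policy-match entries.
# "Before": the inbound policy is named "Incoming Mail", with a space.
SAMPLE_BEFORE = [
    "Mon Mar  4 09:12:01 2024 Info: MID 1001 matched all recipients for "
    "per-recipient policy DEFAULT in the outbound table",
    "Mon Mar  4 09:12:05 2024 Info: MID 1002 matched all recipients for "
    "per-recipient policy Incoming Mail in the inbound table",
    "Mon Mar  4 09:12:09 2024 Info: MID 1003 matched all recipients for "
    "per-recipient policy Incoming Mail in the inbound table",
]

# "After": the same traffic once the policy has been renamed with an underscore.
SAMPLE_AFTER = [line.replace("Incoming Mail", "Incoming_Mail") for line in SAMPLE_BEFORE]

# Hypothetical extraction in the style of a Splunk EXTRACT-* regex: the policy
# name is one run of non-whitespace. This is a stand-in, not the add-on's regex.
NAIVE_RE = re.compile(
    r"MID (?P<mid>\d+) matched all recipients for per-recipient policy "
    r"(?P<policy>\S+) in the (?P<policy_direction>inbound|outbound) table"
)

# Tolerant variant (also hypothetical): a non-greedy capture up to the literal
# " in the <direction> table" keeps matching when the policy name has spaces.
TOLERANT_RE = re.compile(
    r"MID (?P<mid>\d+) matched all recipients for per-recipient policy "
    r"(?P<policy>.+?) in the (?P<policy_direction>inbound|outbound) table"
)


def extract_policy(line, pattern=NAIVE_RE):
    """Return the fields extracted from one mail_logs line, or None when the
    pattern does not match (Splunk would then simply not populate the fields)."""
    m = pattern.search(line)
    return m.groupdict() if m else None


def count_by_direction(lines, pattern=NAIVE_RE):
    """Mimic searching policy_direction=<dir> and counting: only lines whose
    extraction succeeded land in a bucket, so a failed extraction is invisible."""
    counts = Counter()
    for line in lines:
        fields = extract_policy(line, pattern)
        if fields:
            counts[fields["policy_direction"]] += 1
    return dict(counts)


def find_unmatched(lines, pattern=NAIVE_RE):
    """Lines that clearly carry a policy match but yield no fields: these are
    the events a policy_direction search will never return."""
    return [
        line for line in lines
        if "per-recipient policy" in line and extract_policy(line, pattern) is None
    ]


if __name__ == "__main__":
    print("before rename, naive regex:   ", count_by_direction(SAMPLE_BEFORE))
    print("before rename, tolerant regex:", count_by_direction(SAMPLE_BEFORE, TOLERANT_RE))
    print("after rename, naive regex:    ", count_by_direction(SAMPLE_AFTER))
    for line in find_unmatched(SAMPLE_BEFORE):
        print("no policy_direction extracted:", line)
```

Running it shows the thread's symptom directly: with the naive pattern the "before" set yields only an outbound bucket, the two inbound events having dropped out of extraction entirely, while either renaming the policy or using the tolerant pattern brings them back. When chasing a missing field, comparing a raw-event search against the same search filtered on that field is the quickest way to tell "events never arrived" from "events arrived but extraction failed".
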
heathramos
Path Finder

I don't see a log subscription specifically for inbound.

I am forwarding mail_logs.

0 Karma

adayton20
Contributor

1.) Have you verified whether or not inbound email is a configured log subscription in the ESA?

2.) Have you verified whether or not the indexers are ingesting inbound email logs from the ESA?

3.) Have you verified the logs are not going to a different sourcetype or generic sourcetype?

0 Karma