I installed the Cisco Security suite as well as the Cisco ESA add-on.
I am forwarding the mail_logs from Cisco ESA to Splunk using syslog push over TCP.
I can see info in the dashboards for outgoing messages but nothing from incoming.
What do I need to configure to get the incoming messages info to show up?
1.) Have you verified whether or not inbound email is a configured log subscription in the ESA?
2.) Have you verified whether or not the indexers are ingesting inbound email logs from the ESA?
3.) Have you verified the logs are not going to a different sourcetype or generic sourcetype?
For some reason eventtype=cisco-esa policydirection=outbound has records but eventtype=cisco-esa policydirection=inbound does not.
Did you have issues receiving these logs before? Or is this the first time? Did you make any changes to configuration files or upgrade anything in Splunk?
Since I do not know your environment, I cannot verify with what you’ve given me whether this is an issue with Splunk, Cisco, or an intermediary network/security product in between. Going through this systematically will allow you to determine where the issue is. Try going through some troubleshooting steps. Start tracing it from the source to the destination.
Try sending an email from your personal email to your work email and use that to trace the event from start to finish.
Verify whether the event appears in the logs from the appliance.
Verify if the appliance is forwarding those logs to the syslog server.
Find the event in the syslog server and verify if the event was sorted (based on your syslog configuration file rules) into the appropriate directory.
Verify the Splunk forwarder on the syslog server is configured to monitor that directory.
Determine if the forwarder sent that event to the indexer. At this point you should be able to simply search for the event. Search all indexes,
index=* email@example.com, for example.
Hope that helps.
I believe it is an issue with IronPort but I'm not sure how to fix it.
Log files are coming over from IronPort to Splunk, but the policy_direction field isn't associated with any incoming email logs.
This is a brand new setup.
I forgot to update this thread with what was wrong with my setup.
It looks like my incoming mail policy had a space in its name, and Splunk had issues extracting fields from the logs because of it.
Changing the space to an underscore fixed the issue.
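As an added illustration of the root cause reported above (not code from the thread or from the Cisco ESA add-on): a field extraction that assumes a whitespace-free policy name silently drops every inbound event, while a tolerant pattern recovers them. The mail_logs line layout, the sample lines and both regexes are assumptions modelled on the ESA per-recipient policy message, not the add-on's actual extraction rules.

```python
import re

# Constructed sample mail_logs lines in the ESA style (not taken from the thread).
# The second line's inbound policy name contains a space, the condition the
# thread's author found had broken field extraction.
SAMPLE_LOGS = [
    "Mon Jan  6 09:15:02 2020 Info: MID 1001 matched all recipients for "
    "per-recipient policy DEFAULT in the outbound table",
    "Mon Jan  6 09:15:09 2020 Info: MID 1002 matched all recipients for "
    "per-recipient policy Incoming Mail in the inbound table",
    "Mon Jan  6 09:15:11 2020 Info: MID 1003 matched all recipients for "
    "per-recipient policy Incoming_Mail in the inbound table",
]

# Hypothetical extraction that assumes a policy name has no whitespace.
# It stands in for an add-on style rule; it is NOT the add-on's actual regex.
STRICT_RE = re.compile(
    r"per-recipient policy (?P<policy>\S+) in the "
    r"(?P<policy_direction>inbound|outbound) table"
)

# Tolerant variant: lazily capture everything up to the fixed
# " in the <direction> table" suffix, so a name with spaces still extracts.
TOLERANT_RE = re.compile(
    r"per-recipient policy (?P<policy>.+?) in the "
    r"(?P<policy_direction>inbound|outbound) table"
)


def extract_fields(line, pattern):
    """Return {'mid', 'policy', 'policy_direction'} for a line, or None if unmatched."""
    mid = re.search(r"\bMID (\d+)\b", line)
    m = pattern.search(line)
    if not mid or not m:
        return None
    return {"mid": int(mid.group(1)), **m.groupdict()}


def count_by_direction(lines, pattern):
    """Mimic a policydirection=<x> count; lines that fail extraction are 'unextracted'."""
    counts = {"inbound": 0, "outbound": 0, "unextracted": 0}
    for line in lines:
        fields = extract_fields(line, pattern)
        counts[fields["policy_direction"] if fields else "unextracted"] += 1
    return counts


if __name__ == "__main__":
    print("strict:  ", count_by_direction(SAMPLE_LOGS, STRICT_RE))
    print("tolerant:", count_by_direction(SAMPLE_LOGS, TOLERANT_RE))
```

With the strict pattern the spaced policy name never yields a policy_direction value, which is exactly why a search on inbound returns nothing while outbound looks healthy.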