Activity Feed
- Karma Re: Cisco ESA Textmail Summary Index for PickleRick. 12-17-2024 03:42 AM
- Posted Cisco ESA Textmail Summary Index on Getting Data In. 12-13-2024 08:36 AM
- Tagged Cisco ESA Textmail Summary Index on Getting Data In. 12-13-2024 08:36 AM
- Karma Re: Can Splunk Enterprise Security use macros from another app? for sk314. 06-05-2020 12:49 AM
- Karma Re: Has anyone used Palo Alto Networks MineMeld to send logs to Splunk? Can you help with configuration? for gmellini. 06-05-2020 12:49 AM
- Posted All WSA logs are being tagged as Attack and Malware on Splunk Enterprise Security. 04-26-2019 09:44 AM
- Tagged All WSA logs are being tagged as Attack and Malware on Splunk Enterprise Security. 04-26-2019 09:44 AM
Topics I've Started
12-13-2024
08:36 AM
Hi All,

I am trying to create a summary index for Cisco ESA Textmail logs. I will then rebuild the Email data model using the summary index. The scheduled search is running correctly but when I try to search the summary index I get no events returned. How does one check that events are going into the summary index correctly?

Steps Taken
- Created a new index called email_summary
- I have created a scheduled search to run every 15 minutes
- In the settings I have ticked 'Enable summary indexing'

Saved Search
index=email sourcetype=cisco:esa:textmail
| stats values(action) as action, values(dest) as dest, values(duration) as duration, values(file_name) as file_name, values(message_id) as message_id, values(recipient) as recipient, dc(recipient) as recipient_count, values(recipient_domain) as recipient_domain, values(src) as src, values(src_user) as src_user, values(src_user_domain) as src_user_domain, values(message_subject) as subject, values(tag) as tag, values(url) as url, values(user) as user, values(vendor_product) as vendor_product, values(vendor_action) as filter_action, values(reputation_score) as filter_score BY internal_message_id

Thanks,
Dave
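Two verification searches for the question above, added here as an example and not part of Dave's post. The first confirms whether anything has landed in the email_summary index from the post; with 'Enable summary indexing' the written events carry sourcetype stash and a source equal to the saved search name, so grouping by source and sourcetype shows exactly which scheduled search populated the index and when. The second reads the scheduler's own log for the saved search, whose name is assumed here as the placeholder "ESA Textmail Summary" (not given in the post), so a run that completed with result_count=0 or a status other than success is visible even when the summary index is empty.

```spl
index=email_summary earliest=-24h latest=now
| stats count min(_time) as first_event max(_time) as last_event by source, sourcetype
| convert ctime(first_event) ctime(last_event)

index=_internal sourcetype=scheduler savedsearch_name="ESA Textmail Summary" earliest=-24h
| table _time status result_count run_time
```

Run each search separately. If the first returns nothing while the second shows successful runs with a non-zero result_count, the events exist but are not visible to the searching user or time range (the role must be allowed to search email_summary, and the summary-indexed events carry their own _time, which may fall outside a short time picker window); if result_count is zero on every run, the base search itself returns no rows for the scheduled window and the summary index is correctly empty.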
04-26-2019
09:44 AM
I recently upgraded the Cisco WSA TA and now all WSA logs are being tagged as Malware and Attack traffic.
It seems the logs I am receiving have not got any AV scan information included and all such fields of the logs are marked as 'Unknown'.
Any help on where to start debugging this problem would be appreciated.