Because you cannot install a forwarder directly on your Cisco ESA appliance, you must configure Cisco ESA to place logs on a Splunk forwarder or single-instance Splunk Enterprise where you can configure monitor inputs.
You can send text mail, HTTP, and SLL logs over Syslog, but you must send authentication logs via FTP or SCP.
Avoid configuring Splunk to listen for syslog messages directly. Instead, you can collect Syslog data using Splunk Connect for Syslog (SC4S). To configure your deployment to use SC4S to collect Syslog data, follow the steps described in the Splunk Connect for Syslog manual.
Configure SLL logs
If SLL logs are configured in the system, make sure that delivery logs for the same system are not enabled, as this may lead to data duplication in the Splunk environment. Both log types are mapped to the same data model, Email, so collecting the same information from two different sources may produce duplicate events in ES.
As of version 1.4.0, Consolidated Event Logs is the recommended Log Subscription for collecting data, because it captures all information in SLL (Single Log Line) format.
- On your Cisco ESA, select System Administration > Log Subscriptions.
- In Add Log Subscription, select Consolidated Event Logs as the log type.
- Select the fields that you want in the consolidated event log.
- Select a log retrieval mechanism for the log subscription:
  - Manually Download
  - FTP Push
  - SCP Push
  - Syslog Push
  - AWS S3 Push. Make sure that you have a valid AWS S3 bucket to use this retrieval method.
Send logs over Syslog
We recommend that you avoid listening directly to syslog and instead use Splunk Connect for Syslog. For more information, see the Splunk Connect for Syslog manual.
You can configure Cisco IronPort ESA to send text mail, SLL, and OAM log information over TCP or UDP. The default port is 514. If you do not have root privileges to bind to that port, use a higher one such as 5140.
Authentication logs cannot be sent via Syslog.
Configure the device to send the data as Syslog over UDP/TCP.
- From the ESA console menu, navigate to System Administration > Log Subscriptions.
- Select the log name that you want to send to Splunk Enterprise, for example mail_logs.
- Provide the necessary information about the Syslog server.
- Repeat for any additional log files you want to send to Splunk Enterprise.
- Configure Splunk Enterprise to listen on the same port that you selected above to receive Syslog data from Cisco ESA.
Send logs via FTP or SCP
Work with your Cisco ESA administrator to determine the location of the authentication log files.
- On the ESA device, run this command:
  esa.acme.com> logconfig
  This command returns a list of log names, including authentication, antivirus, and cli_logs. Each log name is also the name of the directory in which its files reside. The log files themselves are named with time and date stamps, with an 's' suffix for saved files and a 'c' suffix for the current file.
- If it is not already enabled, enable FTP or SCP on the Cisco ESA device using the interfaceconfig command in the CLI.
- Ask your Cisco ESA administrator to set up an SCP or FTP job by running a command such as this one:
  scp 'admin@esa.acme.com:/authentication/*.s' <path to monitor esa files />
- You may not want to copy all the saved files each time. Work with your Cisco ESA administrator to implement a batch transfer setup that complies with your enterprise policies and practices.
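The batch transfer that the last step leaves to you and your ESA administrator can be scripted so that each run copies only saved log files that have not been copied before. The POSIX shell script below is an added example, not part of the Splunk add-on documentation or of Cisco's tooling. The host admin@esa.acme.com and the authentication log directory come from the steps above; the landing directory, the state file, the index name, the sourcetype cisco:esa:authentication, and the assumption that the ESA account can return a directory listing over SSH are all assumptions to confirm with your ESA administrator and against the add-on's documented sourcetypes. The file names in the demo are constructed to follow the timestamp-plus-suffix pattern described above. The script also prints the inputs.conf monitor stanza for the landing directory, which is where the forwarder's monitor input would read the copied files.

```shell
#!/bin/sh
# Incremental pull of saved Cisco ESA log files over SCP, plus the matching
# Splunk monitor stanza. Added example; not from the Splunk or Cisco docs.
#
# Assumptions (not stated on the page): the landing directory, the state file,
# the index name, the sourcetype, and that the ESA account used here can return
# a directory listing over SSH. Confirm each with your ESA administrator.

ESA_HOST="${ESA_HOST:-admin@esa.acme.com}"       # from the page's scp example
LOG_NAME="${LOG_NAME:-authentication}"            # ESA log name = remote directory
LANDING_DIR="${LANDING_DIR:-/var/esa/$LOG_NAME}"  # assumed local landing directory
STATE_FILE="${STATE_FILE:-$LANDING_DIR/.transferred}"

# select_new_files LISTING STATE
#   LISTING: file with one remote file name per line
#   STATE:   file of names already copied (may not exist yet)
# Prints saved ('.s') files not yet recorded in STATE. The current file
# ('.c' suffix) is still being written by the ESA and is skipped on purpose.
select_new_files() {
    listing="$1"; state="$2"
    while IFS= read -r name; do
        case "$name" in
            *.s) ;;          # saved (rotated) file: candidate for transfer
            *) continue ;;   # current file or anything else: skip
        esac
        if [ -f "$state" ] && grep -qxF -- "$name" "$state"; then
            continue         # already copied in an earlier run
        fi
        printf '%s\n' "$name"
    done < "$listing"
}

# list_remote: assumed to work only if the ESA account gets a shell-style
# listing over SSH; if it does not, substitute the listing mechanism your
# administrator provides (or use the ESA's SCP Push retrieval method instead).
list_remote() {
    ssh "$ESA_HOST" "ls /$LOG_NAME"
}

# pull_new_files: copy only new saved files into LANDING_DIR and record each
# successful copy in STATE_FILE so the next run skips it.
pull_new_files() {
    mkdir -p "$LANDING_DIR"
    listing=$(mktemp)
    list_remote > "$listing"
    select_new_files "$listing" "$STATE_FILE" | while IFS= read -r name; do
        if scp -q "$ESA_HOST:/$LOG_NAME/$name" "$LANDING_DIR/"; then
            printf '%s\n' "$name" >> "$STATE_FILE"
        fi
    done
    rm -f "$listing"
}

# monitor_stanza DIR: inputs.conf stanza for the landing directory. The index
# and sourcetype are assumptions; check the add-on's documented sourcetypes.
monitor_stanza() {
    cat <<EOF
[monitor://$1]
index = esa
sourcetype = cisco:esa:$LOG_NAME
disabled = 0
EOF
}

# demo: constructed file names in the ESA pattern (timestamp plus 's' or 'c'
# suffix) to show the selection logic without contacting any ESA.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        "$LOG_NAME.@20240101T000000.s" \
        "$LOG_NAME.@20240102T000000.s" \
        "$LOG_NAME.@20240103T000000.c" > "$tmp/listing"
    printf '%s\n' "$LOG_NAME.@20240101T000000.s" > "$tmp/state"
    echo "Would transfer:"
    select_new_files "$tmp/listing" "$tmp/state"   # only the 20240102 file
    monitor_stanza "$LANDING_DIR"
    rm -rf "$tmp"
}

case "${1:-}" in
    demo) demo ;;          # sh pull_esa_logs.sh demo
    pull) pull_new_files ;; # sh pull_esa_logs.sh pull  (run from cron)
esac
```

Run the script with the demo argument to see which constructed file names would be transferred, and with the pull argument from a scheduled job on the forwarder host. The state file is what makes the job incremental: a saved file is recorded only after scp returns success, so a failed transfer is retried on the next run, and the current ('.c') file is never copied because the ESA is still appending to it.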