Source types for the Splunk Add-on for Cisco ESA

The Splunk Add-on for Cisco ESA provides index-time and search-time knowledge for seven types of logs: authentication, textmail, HTTP, malware, bounce, delivery, consolidated event, antispam, error, system, and content scanner data. The add-on does not apply a source type to any incoming logs. You apply the appropriate source type to your Cisco ESA log data yourself during the data input phase.

| Log type | Source type | Event type | Description | CIM data models |
|---|---|---|---|---|
| Authentication | cisco:esa:authentication | cisco_esa_auth_logs | These logs record successful user logins and unsuccessful login attempts. Logs are stored as a .s file (for example, authentication.@20130302T122552.s) on the server. These logs cannot be configured for syslog push, so you must send them through FTP or SCP. | Authentication |
| Textmail | cisco:esa:textmail | cisco_esa_change_logs, cisco_esa_alerts, cisco_esa_textmail | Text mail logs for Cisco IronPort ESA record email information and status. Logs are stored as a .s file (for example, mail.@20130712T172736.s) on the server. | Change, Alerts, Email |
| HTTP | cisco:esa:http | cisco_esa_proxy, cisco_esa_http_session, cisco_esa_logout_logs, cisco_esa_change_logs, cisco_esa_web_logs, cisco_esa_account_management_logs, cisco_esa_alerts | The HTTP logs for Cisco IronPort ESA record information about the secure HTTP services enabled on the interface. Logs are stored as a .s file (for example, gui.@20130302T122618.s) on the server. | Network Sessions, Change, Web |
| Malware Data | cisco:esa:amp | cisco_esa_amp, cisco_esa_mar, cisco_esa_alerts, cisco_esa_amp_malware | Advanced Malware Protection (AMP) of Cisco IronPort ESA records malware detection and blocking, continuous analysis, and retrospective alerting details. Logs are stored as a .s file (for example, amp.@20180103T132842.s) on the server. | Alerts, Malware |
| Legacy data | cisco:esa:legacy | cisco_esa_authentication, cisco_esa_email, cisco_esa_proxy, cisco_esa_auth_logs | If you installed an older version of the add-on before the source types were renamed to follow best practices, events indexed with the older source types cisco_esa and cisco:esa are now searchable under this source type. | Authentication |
| Consolidated Event | cisco:esa:cef | cisco_esa_cef | The Consolidated Event Logs summarize each message event in a single log line. Use this log type to reduce the number of bytes of log data sent to a Security Information and Event Management (SIEM) vendor or application for analysis. The logs use the Common Event Format (CEF) log message format, which is widely supported by SIEM vendors. | Email |
| Bounce Logs | cisco:esa:bounce | cisco_esa_bounce | Bounce logs record information about bounced recipients. The information recorded for each bounced recipient includes the message ID, the recipient ID, the Envelope From address, the Envelope To address, the reason for the recipient bounce, and the response code from the recipient host. In addition, you can choose to log a fixed amount of each bounced recipient message. This amount is defined in bytes and the default is zero. | Email |
| Delivery Logs | cisco:esa:delivery | cisco_esa_delivery | Delivery logs record critical information about the AsyncOS email delivery operations. The log messages are "stateless," which means that all associated information is recorded in each log message and users do not need to reference previous log messages for information about the current delivery attempt. | Email |
| Antispam Logs | cisco:esa:antispam | cisco_esa_change_logs, cisco_esa_alerts | Anti-spam logs record the status of the anti-spam scanning feature of your system, including the status of updates to the latest anti-spam rules. Any logs related to the Context Adaptive Scanning Engine are also logged here. | Change, Alerts |
| Error Logs | cisco:esa:error_logs | cisco_esa_alerts | Error logs record errors encountered while sending alerts, internal IronPort server errors, and DNS issues. | Alerts |
| System Logs | cisco:esa:system_logs | cisco_esa_system_logs, cisco_esa_alerts, cisco_esa_account_management_logs | System logs record boot information, virtual appliance license expiration alerts, DNS status information, and the comments users typed when running the commit command. System logs are useful for troubleshooting the basic state of the appliance. | Network Resolution (DNS), Alerts, Change |
| Content Scanner Logs | cisco:esa:content_scanner | cisco_esa_change_logs | The Content Scanner logs record the activities of the Content Scanner engine. | Change |
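Because the add-on assigns no source type itself, the assignment happens in inputs.conf on the forwarder or indexer that receives the logs. The following is an added example (not shipped with the add-on or by Cisco) showing the two delivery paths described above: the authentication and text mail .s files that arrive by SCP or FTP, and a syslog listener for Consolidated Event Logs. The drop-directory paths, the esa index, and the TCP port are assumptions.

```ini
# inputs.conf: assign Cisco ESA source types at the input phase.
# Added example; directory paths, index name and port are assumptions.

# Authentication logs cannot be pushed over syslog. The ESA writes them as
# authentication.@<timestamp>.s files, which an SCP/FTP push drops here.
# whitelist matches against the full path, so the regex is not anchored at ^.
[monitor:///var/log/esa/authentication/]
whitelist = authentication\.@\d{8}T\d{6}\.s$
sourcetype = cisco:esa:authentication
index = esa
disabled = 0

# Text mail logs delivered the same way (mail.@<timestamp>.s).
[monitor:///var/log/esa/mail/]
whitelist = mail\.@\d{8}T\d{6}\.s$
sourcetype = cisco:esa:textmail
index = esa
disabled = 0

# Consolidated Event Logs (CEF) pushed by syslog over TCP. A network listener
# applies one source type to everything it receives, so each log type that
# is pushed by syslog needs its own listener (or a props/transforms override).
[tcp://1514]
sourcetype = cisco:esa:cef
connection_host = dns
index = esa
disabled = 0
```

Verify the assignment with `index=esa | stats count by sourcetype, source` after a few minutes of traffic; a source type of `cisco:esa:legacy` or a raw `syslog` value means an input is not covered by a stanza like the ones above.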