All Apps and Add-ons

Splunk Add-on for Cisco ESA: Which directory sends the data to Splunk and where can I locate it?

randino
New Member

I am trying to figure out which directory the Splunk Add-on for Cisco ESA is sending the data to Splunk as noted on step 4 "Click Browse next to the File or Directory field."
http://docs.splunk.com/Documentation/AddOns/released/CiscoESA/Configureinputsonaforwarder

I can search against the data but it is not indexing correctly. The source type is syslog. I tried to run searching within Splunk but cannot find where the logs are being stored in.

0 Karma

hunters_splunk
Splunk Employee
Splunk Employee

Hi Randino,

Seems your ESA system was configured to send syslog to Splunk over TCP or UDP rather than through monitor inputs. If this is the case, you should for configuration steps in the following topic:

http://docs.splunk.com/Documentation/AddOns/released/CiscoESA/ConfigureCiscoESA#Send_textmail_and_ht...

Also, by " but cannot find where the logs are being stored in", did you mean you want to know where to locate the ESA logs before indexing? If so, you might as well consult the Cisco ESA docs, for example:

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118315-technote-esa-00.h...

Hope it helps. Thanks!

0 Karma

randino
New Member

On the first part, I did configure the ESA to go through UDP 514 Syslog. I want to configure the monitor inputs to configure text mail logs, HTTP logs, and authentication logs. Step 4 of the guide says to browse to the FILE or Directory within Splunk. I want to know where that file is located.

Second part.
Not on the ESA but Splunk

0 Karma

goodsellt
Contributor

Randino,

You'll need to copy the logs files over from your ESA device using SCP to a Splunk UF and then monitor those files and assign the proper sourcetype from there.

0 Karma

hunters_splunk
Splunk Employee
Splunk Employee

Hi Randino,

Please note which Splunk component below you use to collect data from Cisco ESA:

  • Universal forwarder or light forwarder are deployed on the same server of the ESA system and therefore you can locate and directly monitor log files from there.
  • If you use heavy forwarders or indexers to collect data and they are not deployed on the ESA server, you need to make the logs directory a shared directory on the ESA server or find a way to sync the logs you want to index to the Splunk server so that Splunk can monitor the log inputs.

Regarding your log location questions, I think you can find detailed answers in the doc:
http://docs.splunk.com/Documentation/AddOns/released/CiscoESA/ConfigureCiscoESA

  • You can configure Cisco IronPort ESA to send textmail and OAM log information over TCP or UDP. The default port is 514, but if you do not have root access you should use a higher port such as 5140.
  • Work with your Cisco ESA administrator to determine the location of the authentication log files. On the ESA device, run the following command: esa.acme.com> logconfig

Hope it helps. Thanks!

0 Karma

dtregonning_spl
Splunk Employee
Splunk Employee

Hi Randino,
Apologies if i am misunderstanding your question.

This step is asking for you to point Splunk to the Cisco ESA Log file that is being generated from your Cisco ESA installation not a file generated in a Splunk Directory.

Splunk will index and store data into buckets. http://docs.splunk.com/Documentation/Splunk/6.4.3/Indexer/HowSplunkstoresindexes

Lets focus on what the issue is with the data not indexing correctly? Whats happening and what are you expecting?

0 Karma

randino
New Member

Thank you for the reply.

I have already configured the ESA to send mail logs to Splunk on UDP 514. The mail logs are making it to Splunk. I want the data to populate within Cisco Security Suite. I am trying to do step 4 on the guide Browse to the file directory where the ESA logs are located.

I want to know where the logs from the ESA are being created or where do I need to point Monitor Inputs.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...