Hello Johann,
As far as I know, the Cisco Ironport ESA supports sending logs in syslog format which contain all of the sender, receiver and datasize fields in the same message, to be parsed and normalized accordingly. For example:
<13>Feb 24 04:10:35 192.168.1.1 2022-02-24 04:10:35 +01:00 192.168.1.1 logpoint-intern-company-mail-sll-log: CEF:0|Cisco|C695 Email Security Appliance|14.0.1-033|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=C4F7D5D5E582-WZP23250PJJ ESAMID=28118928 ESAICID=11133452 ESADCID=13169974 ESAAMPVerdict=NOT_EVALUATED ESAASVerdict=NOT_EVALUATED ESAAVVerdict=NEGATIVE ESACFVerdict=NO_MATCH endTime=Fri Feb 24 04:10:35 2021 ESADLPVerdict=NOT_EVALUATED dvc=192.168.2.2 ESAAttachmentDetails={'LA finance 6338318 Ringhoffer_W\xc3\xa4lzfr\xc3\xa4smaschine Rich. 201.00100.pdf': {'BodyScanner': {}}, 'image008_acb3d59f-1695-4daa-81e7-040ef4d5e326.png': {'BodyScanner': {}}} ESAFriendlyFrom=<harry.david@aw-finance.de> ESAGMVerdict=NOT_EVALUATED startTime=Fri Feb 24 04:10:35 2021 deviceOutboundInterface=Outbound deviceDirection=1 ESAMailFlowPolicy=RELAY suser=harry.david@aw-finance.de cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=not enabled ESAMFVerdict=MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<440d4203cf794c21983b420502f0ab76@aw-finance.de>' ESAMsgSize=254680 ESAOFVerdict=NOT_EVALUATED duser=larry.david@cw-finance.com ESAHeloDomain=finance.de ESAHeloIP=192.168.40.61 cfp1Label=SBRSScore cfp1=not enabled sourceHostName=unknown ESASenderGroup=RELAYLIST sourceAddress=192.168.40.61 msg='\=?iso-8859-1?Q?AW:_dearange_LA_6338218_-housen&_Co._KG_V?\= \=?iso-8859-1?Q?krezag-_W\=E4lzfr\=E4smaschine_david_R_200_?\= \=?iso-8859-1?Q?CNC_(Bj._12.2000_-_SN_2/017/00)_+_gurung?\= \=?iso-8859-1?Q?/Serwema?\=' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSOutCipher=DHE-RSA-AES256-SHA256 ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2
Here, sender = suser, receiver = duser and datasize = ESAMsgSize fields.
Additionally, in the older versions, Cisco Ironport ESA also used to send logs in multiple lines, all of which used to be joined by the message_identifier field. If you are receiving the logs in multiple lines, make sure you use the Email Parser and the corresponding Cisco IronPort Compiled Normalizer while configuring the Syslog Processing Policy, which combines all of these multi-line messages and uses the normalizer accordingly.
Regards,
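The field mapping in the answer above (sender = suser, receiver = duser, datasize = ESAMsgSize) can be checked against the quoted event with a small parser. The code below is an added example written for this thread; it is not LogPoint's Email Parser or normalizer and not Cisco code. It embeds the sample line from the post as a constructed input and handles the two things that trip up naive space-splitting of CEF extensions: values that contain spaces (endTime, cs2) and values that contain an escaped "\=" (the msg field).

```python
"""Parse a Cisco ESA consolidated CEF event as forwarded over syslog and pull out
the sender / receiver / message size fields discussed in the thread.

Added example for this thread, not LogPoint or Cisco code."""
import re
from typing import Dict, Tuple

# Constructed input: a copy of the event quoted in the thread. Everything before
# "CEF:" is the syslog wrapper (PRI, timestamp, host, program name).
SAMPLE_LINE = r"""<13>Feb 24 04:10:35 192.168.1.1 2022-02-24 04:10:35 +01:00 192.168.1.1 logpoint-intern-company-mail-sll-log: CEF:0|Cisco|C695 Email Security Appliance|14.0.1-033|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|deviceExternalId=C4F7D5D5E582-WZP23250PJJ ESAMID=28118928 ESAICID=11133452 ESADCID=13169974 ESAAMPVerdict=NOT_EVALUATED ESAASVerdict=NOT_EVALUATED ESAAVVerdict=NEGATIVE ESACFVerdict=NO_MATCH endTime=Fri Feb 24 04:10:35 2021 ESADLPVerdict=NOT_EVALUATED dvc=192.168.2.2 ESAAttachmentDetails={'LA finance 6338318 Ringhoffer_W\xc3\xa4lzfr\xc3\xa4smaschine Rich. 201.00100.pdf': {'BodyScanner': {}}, 'image008_acb3d59f-1695-4daa-81e7-040ef4d5e326.png': {'BodyScanner': {}}} ESAFriendlyFrom=<harry.david@aw-finance.de> ESAGMVerdict=NOT_EVALUATED startTime=Fri Feb 24 04:10:35 2021 deviceOutboundInterface=Outbound deviceDirection=1 ESAMailFlowPolicy=RELAY suser=harry.david@aw-finance.de cs1Label=MailPolicy cs1=DEFAULT cs2Label=SenderCountry cs2=not enabled ESAMFVerdict=MATCH act=DELIVERED cs4Label=ExternalMsgID cs4='<440d4203cf794c21983b420502f0ab76@aw-finance.de>' ESAMsgSize=254680 ESAOFVerdict=NOT_EVALUATED duser=larry.david@cw-finance.com ESAHeloDomain=finance.de ESAHeloIP=192.168.40.61 cfp1Label=SBRSScore cfp1=not enabled sourceHostName=unknown ESASenderGroup=RELAYLIST sourceAddress=192.168.40.61 msg='\=?iso-8859-1?Q?AW:_dearange_LA_6338218_-housen&_Co._KG_V?\= \=?iso-8859-1?Q?krezag-_W\=E4lzfr\=E4smaschine_david_R_200_?\= \=?iso-8859-1?Q?CNC_(Bj._12.2000_-_SN_2/017/00)_+_gurung?\= \=?iso-8859-1?Q?/Serwema?\=' ESATLSInCipher=ECDHE-RSA-AES256-GCM-SHA384 ESATLSInConnStatus=Success ESATLSInProtocol=TLSv1.2 ESATLSOutCipher=DHE-RSA-AES256-SHA256 ESATLSOutConnStatus=Success ESATLSOutProtocol=TLSv1.2"""

CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                     "signature_id", "name", "severity")

# An extension key is a run of identifier characters at the start of the
# extension or right after whitespace, followed by '='. CEF escapes a literal
# '=' inside a value as '\=', so a value such as the RFC 2047 subject in msg
# never starts a new key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")
# Header fields are separated by '|'; an escaped '\|' belongs to the value.
_HEADER_SPLIT_RE = re.compile(r"(?<!\\)\|")


def _unescape(value: str) -> str:
    # CEF-level escapes only. The \xc3\xa4 sequences inside ESAAttachmentDetails
    # are the appliance's own repr of the attachment names and are left as-is.
    return value.replace(r"\=", "=").replace(r"\|", "|").replace(r"\\", "\\")


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (header, extension) for one CEF event, ignoring the syslog wrapper."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    body = line[start + len("CEF:"):]
    parts = _HEADER_SPLIT_RE.split(body, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 header fields")
    header = dict(zip(CEF_HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    ext_text = parts[7]
    ext: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(ext_text))
    for i, m in enumerate(matches):
        # A value runs from after its '=' up to the next key (or end of line),
        # which is what lets "cs2=not enabled" keep its embedded space.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext_text)
        ext[m.group(1)] = _unescape(ext_text[m.end():end].strip())
    return header, ext


def mail_summary(line: str) -> Dict[str, object]:
    """Map the extension onto the normalized sender/receiver/datasize fields."""
    header, ext = parse_cef(line)
    size = ext.get("ESAMsgSize")
    return {
        "sender": ext.get("suser"),
        "receiver": ext.get("duser"),
        "datasize": int(size) if size and size.isdigit() else None,
        "action": ext.get("act"),
        "signature_id": header["signature_id"],
        "tls_in": (ext.get("ESATLSInProtocol"), ext.get("ESATLSInCipher")),
    }


if __name__ == "__main__":
    for key, value in mail_summary(SAMPLE_LINE).items():
        print(f"{key}: {value}")
```

Run as a script it prints the normalized fields for the sample event; the same functions can be fed lines read from a syslog file. Note that the consolidated event above already carries both ends of the mail in one line, so no join on a message identifier is needed here; that step only applies to the older multi-line format mentioned in the post.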
Hi Johann.
If you still have challenges after Gaurav's post/answer then please open a Support Ticket and we can help you look into this problem.
Regards,
Brian Hansen, LogPoint
Hi Gaurav,
Hi Brian,
The missing link in my understanding was the Email Parser, which must be configured in this scenario.
The CiscoIronPort ESA sender and receiver events are always logged in separate events/logs. The Email Parser merges these events during the parsing process. This is the prerequisite for the compiled ESA normalizer and for getting the information in the adequate form to match the eMail UEBA query.
Thanks.
Regards,
Johann