Syslog - Cisco Email Security Appliance
Device Details
| Device Name | Syslog - Cisco Email Security Appliance |
|---|---|
| Vendor | Cisco |
| Device Type | Email Security Gateway |
| Supported Model Name/Number | Windows Server 2008, 2012, 2016+ |
| Supported Software Version(s) | N/A |
| Collection Method | Syslog |
| Configurable Log Output? | No |
| Log Source Type | Syslog - Cisco Email Security Appliance |
| Log Processing Policy | LogRhythm Default |
| Exceptions | N/A |
| Additional Information | https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_0100110.html |
Supported Log Messages
| Type | Product Version | Supported Schema Fields |
|---|---|---|
| Account Commit Changes | N/A | <severity>, <processid>, <login>, <account>, <command>, <process> |
| Advanced Malware Protection | N/A | <severity>, <session>, <subject>, <hash>, <object>, <objecttype> |
| AMP Engine Reputation Query Message | N/A | <severity>, <process>, <processid>, <subject>, <objectname>, <status>, <reason> |
| Anti-Spam Message | N/A | <severity>, <process>, <subject>, <objectname>, <reason> |
| Bad Command Syntax | N/A | <processid>, <object> |
| Begin Logfile | N/A | <object> |
| Bounced Message Pending Delivery | N/A | <session>, <object> |
| Cache Status | N/A | <object>, <quantity>, <seconds> |
| Case Spam and Anti-Spam Messages | N/A | <severity>, <process>, <session>, <tag2>, <object>, <command>, <version>, <tag1> |
| Catch All : Level 1 | N/A | <tag1>, <severity> |
| Catch All : Mail_logs | N/A | <severity>, <vendorinfo>, <session>, <subject>, <result>, <object>, <domainorigin>, <objecttype> |
| Cloudmark Anti-Spam Messages | N/A | <severity>, <tag1>, <result>, <session> |
| Command Not Supported for Delivery Connection | N/A | <processid>, <process> |
| Connection Error | N/A | <processid>, <domain>, <dip>, <dport>, <vmid>, <domainimpacted>, <tag1>, <sip>, <reason>, <object> |
| Could Not Fetch Object | N/A | <severity>, <object>, <url>, <objectname> |
| DCID Messages Per Connection Limit Reached | N/A | <processid> |
| Destination Unreachable | N/A | <session>, <dname>, <object> |
| DKIM Malformed Signature | N/A | <session>, <object> |
| DNS Error | N/A | <dname> |
| DNS Recursion Level Exceeded | N/A | <quantity>, <dname> |
| DomainKeys Identified Mail Information | N/A | <session>, <result>, <command>, <domain>, <version>, <sender>, <result>, <account>, <tag1>, <tag2> |
| Email Delivery Connection Closed | N/A | <process>, <processid>, <action>, <tag1> |
| Email Delivery Started | N/A | <processid>, <session>, <responsecode> |
| Email Message Dropped | N/A | <action>, <session>, <subject>, <object>, <tag1> |
| Email Message Queued for Delivery | N/A | <session>, <action>, <recipient> |
| Email Message Recipient Information | N/A | <session>, <processid>, <responsecode>, <recipient>, <sender>, <tag1> |
| Email Message Scanning Problem | N/A | <session>, <tag1> |
| Email Message Split | N/A | <session>, <object> |
| Email Process Information | N/A | <session>, <process> |
| Email Processing Complete | N/A | <processid>, <session>, <responsecode> |
| Email Processing Info | N/A | <session>, <subject>, <action>, <tag1> |
| Email Ready for Scan | N/A | <session>, <bytesin>, <sender> |
| Email Sender Information | N/A | <session>, <sender> |
| Email Subject Information | N/A | <session>, <subject> |
| Graymail Syslog | N/A | <severity>, <objectname>, <action>, <objecttype> |
| GUI Log Messages | N/A | <severity>, <process>, <tag2>, <vmid>, <object>, <sip>, <subject>, <login>, <session>, <url>, <objectname>, <dname>, <sport> |
| Host Information | N/A | <object>, <quantity>, <size> |
| HTTP Request | N/A | <sip>, <login>, <vmid>, <command>, <url>, <version>, <useragent>, <object> |
| ICID Hat Reject Messages | N/A | <severity>, <processid>, <recipient>, <sender>, <dip>, <sip>, <subject> |
| Idle Connection Dropped | N/A | <severity>, <sip>, <seconds> |
| Incoming Email Processing Started | N/A | <session>, <processid> |
| Injection Connection Disconnected | N/A | <processid>, <sip>, <object> |
| Injection Connection Lost | N/A | <processid> |
| Interim Verdict Engine Information | N/A | <session>, <subject>, <object>, <action>, <status> |
| Invalid Bounce | N/A | <session>, <object> |
| Invalid DNS Response | N/A | <object>, <sip>, <dname> |
| Invalid Recipient Address | N/A | <session>, <recipient>, <domain> |
| IronPort Image Analysis | N/A | <severity>, <session>, <subject>, <object>, <quantity> |
| Lame DNS Server Information | N/A | <sname> |
| Last Message Repeated | N/A | <severity>, <dname>, <subject>, <quantity>, <url>, <protname>, <responsecode> |
| LDAP Messages | N/A | <severity>, <protname>, <tag2>, <command>, <objectname>, <sname>, <object>, <tag1>, <vmid>, <subject> |
| Mail_logs : Alias Match | N/A | <severity>, <session>, <responsecode>, <recipient>, <subject> |
| Mail_logs : AMP File Reputation | N/A | <severity>, <action>, <vendorinfo>, <reason>, <subject>, <status>, <processid>, <objecttype>, <object>, <session> |
| Mail_logs : DMARC | N/A | <severity>, <process>, <object>, <domainorigin>, <status>, <subject> |
| Mail_logs : LDAP | N/A | <severity>, <subject>, <reason>, <session>, <responsecode>, <sender> |
| Mail_logs : URL Reputation | N/A | <severity>, <session>, <url>, <vendorinfo>, <action>, <subject> |
| Mail Failed Sender ID Check | N/A | <session>, <sip>, <sname> |
| Mailbox Has Exceeded the Limit | N/A | <session>, <recipient> |
| Matched All Recipients to Policy | N/A | <session>, <object>, <tag1> |
| Message Aborted | N/A | <tag1>, <session>, <object> |
| Message Attachment | N/A | <session>, <object> |
| Message Bounced or Delayed | N/A | <tag1>, <processid>, <session>, <tag2>, <domain>, <dname>, <recipient>, <object>, <vmid>, <object> |
| Message Bypass Applied | N/A | <session>, <object>, <recipient> |
| Message Generated by Notify-Copy Filter | N/A | <session>, <object> |
| Message Generated for Message Bounce | N/A | <session>, <object> |
| Message ID Added | N/A | <session>, <object>, <login>, <domain> |
| Message ID Rewritten | N/A | <session>, <object>, <protname> |
| Message Pending | N/A | <session>, <responsecode>, <object> |
| Message Quarantined by Filter | N/A | <session>, <threatname>, <object> |
| Message Recipient Rejected | N/A | <session>, <recipient>, <object> |
| Message Response | N/A | <session>, <object>, <tag1>, <sender>, <bytesin>, <hours>, <minutes>, <seconds> |
| Message Sender Rejected | N/A | <processid>, <sender>, <object> |
| Message Subject Information | N/A | <session>, <subject> |
| Message Too Big to Scan | N/A | <session>, <bytesin>, <size> |
| Message Virus Free | N/A | <session>, <subject>, <object>, <action> |
| Miscellaneous MID Messages | N/A | <severity>, <session>, <object>, <status>, <sip>, <result>, <subject>, <recipient>, <object>, <hash>, <domainorigin>, <objectname>, <objecttype> |
| Nameserver Resolution Error | N/A | <object>, <domain> |
| New Delivery Connection | N/A | <protname>, <processid>, <sip>, <dip>, <dport> |
| Outbreak Detected | N/A | <object>, <threatname>, <threatid> |
| Pattern 1 : Delivery Notification | N/A | <session>, <recipient>, <tag1>, <tag2> |
| Pattern 2 : Email Delivery Information | N/A | <tag1>, <session>, <tag2> |
| Pattern 3 : Email Scan Results | N/A | <session>, <action>, <tag1>, <tag2>, <subject> |
| Pattern 4 : New Email Reception Connection | N/A | <process>, <tag2>, <processid>, <sip>, <sname>, <status>, <tag1> |
| Pattern 5 : FTP Syslog | N/A | <tag1>, <session>, <tag2>, <tag3>, <login>, <sip>, <dip> |
| Pattern 6 : SMTP Conversation Syslog | N/A | <sip>, <sname>, <domainorigin>, <session>, <responsecode>, <sender>, <recipient>, <tag1>, <tag2> |
| Pattern 7 : Gmail Debug Syslog | N/A | <session>, <tag1>, <tag2>, <recipient> |
| Pattern 8 : Encryption Syslog | N/A | <tag1>, <session>, <tag2> |
| Pattern 9 : Anti-Virus Logs | N/A | <url>, <session>, <objecttype>, <result>, <object>, <subject>, <result>, <tag2>, <action>, <tag1> |
| Pattern 10 : NTP Syslog | N/A | <tag1>, <dip>, <recipient>, <tag2> |
| Pattern 11 : HTTP Syslog | N/A | <tag1>, <session>, <login>, <tag2>, <dip>, <sip>, <dport>, <sport>, <sip>, <object>, <url>, <tag2> |
| Pattern 12 : Scanning Syslog | N/A | <tag1>, <tag2>, <recipient>, <subject> |
| Pattern 13 : CLI Syslog | N/A | <severity>, <tag1>, <session>, <login>, <tag2>, <subject>, <sip>, <dip>, <tag4>, <tag3>, <command> |
| Pattern 14 : CASE Anti-Spam | N/A | <tag1>, <process>, <session>, <tag2> |
| Pattern 15 : CASE Updates | N/A | <tag1>, <tag3>, <tag2>, <seconds> |
| Pattern 16 : System Logs | N/A | <tag1>, <login>, <tag2>, <recipient>, <dip>, <sname>, <object>, <sip> |
| Pattern 17 : Textmail General | N/A | <dip>, <dport>, <domainorigin>, <sip>, <session>, <processid>, <tag1>, <tag2> |
| Pattern 18 : Spam Quarantine | N/A | <process>, <tag1>, <object>, <seconds>, <milliseconds>, <quantity>, <tag2> |
| Pattern 18 : Status Logs Syslog | N/A | <tag1>, <tag2> |
| Pattern 19 : System Logs | N/A | <tag1>, <login>, <tag3>, <tag2>, <recipient>, <dip>, <sname>, <object>, <sip> |
| Potential Directory Harvest Attack | N/A | <severity>, <threatname>, <sip>, <sname>, <quantity>, <processid>, <object> |
| Receiving Failed | N/A | <processid>, <object> |
| Reroute Query | N/A | <protname>, <object>, <session>, <sender>, <recipient> |
| RPC Delivery Local IronPort Messages | N/A | <severity>, <subject>, <process>, <processid>, <session>, <action> |
| Scanned Queue for Remaining Messages | N/A | <dname>, <quantity> |
| Scanning for Expiration Candidates | N/A | <session>, <status>, <object>, <dname>, <quantity> |
| SDR : Consolidated Sender Reputation Messages | N/A | <severity>, <session>, <group>, <sender>, <domainorigin> |
| SDR : Tracker Header Messages | N/A | <severity>, <session>, <url> |
| Sender Group Reputation | N/A | <processid>, <process>, <action>, <object>, <group>, <dip>, <dport>, <dname>, <object>, <amount> |
| Sender Policy Framework Message | N/A | <session>, <object>, <sender>, <tag1>, <tag2>, <sname>, <subject> |
| Service Information | N/A | <object>, <tag1> |
| Session Established | N/A | <severity>, <sip>, <login>, <session>, <protname> |
| Session Expired | N/A | <severity>, <session>, <account> |
| Session Not Found | N/A | <severity>, <session>, <sip> |
| Signature Verified and Rewritten | N/A | <session>, <recipient> |
| SMTP Authentication | N/A | <protname>, <processid>, <tag1>, <account>, <object> |
| SMTP Connection Rejected | N/A | <protname>, <dip> |
| SMTP Error Messages | N/A | <severity>, <dname>, <process>, <dip>, <dport>, <account>, <url>, <vmid>, <tag1>, <subject> |
| SMTP System Sending Message | N/A | <severity>, <tag1>, <recipient>, <subject> |
| Sophos Antivirus Message | N/A | <severity>, <process>, <subject>, <processid>, <vmid>, <threatname>, <objectname> |
| Spam and Mail Log Messages | N/A | <severity>, <processid>, <result>, <tag1>, <object> |
| Spam Quarantine | N/A | <process>, <session> |
| Subscription Push Success | N/A | <severity>, <object>, <dip> |
| System/Critical Alert Message | N/A | <severity>, <tag1>, <recipient>, <subject> |
| System Limit Reached | N/A | <dip>, <object>, <processid>, <quantity> |
| Time Offset from UTC in Seconds | N/A | <object>, <seconds> |
| Transport Layer Security Messages | N/A | <tag1>, <processid>, <tag2>, <protname>, <process>, <object> |
| Unknown Command | N/A | <session>, <object> |
| Updater Log Messages | N/A | <process>, <tag1>, <severity>, <process>, <object>, <tag2>, <subject> |
| User Logoff | N/A | <severity>, <login>, <session>, <subject> |
| Warning Messages Type 1 | N/A | <severity>, <session>, <object>, <objecttype>, <objectname>, <tag1> |
| Warning Messages Type 2 | N/A | <severity>, <process>, <session>, <tag1>, <vendorinfo>, <subject>, <tag2>, <vmid>, <dip> |
Revision History
| KB Version | Log Type | Change Type | Details |
|---|---|---|---|
| KB 7.1.576.2 | Mail_logs : URL Reputation | Regular Expression Update | Regex is updated to parse |
| KB 7.1.576.2 | Sender Group Reputation; Inbound Email Correction Established; Email Delivery Started; Email Processing Info; Pattern 3 : Email Scan Results | Regular Expression Update | Regex is updated to parse |