Syslog - Cisco Email Security Appliance

Device Details

| Field | Value |
| --- | --- |
| Device Name | Syslog - Cisco Email Security Appliance |
| Vendor | Cisco |
| Device Type | Email Security Gateway |
| Supported Model Name/Number | Windows Server 2008, 2012, 2016+ |
| Supported Software Version(s) | N/A |
| Collection Method | Syslog |
| Configurable Log Output? | No |
| Log Source Type | Syslog - Cisco Email Security Appliance |
| Log Processing Policy | LogRhythm Default |
| Exceptions | N/A |
| Additional Information | https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_0100110.html |

Supported Log Messages

| Type | Product Version | Supported Schema Fields |
| --- | --- | --- |
| Account Commit Changes | N/A | <severity>, <processid>, <login>, <account>, <command>, <process> |
| Advanced Malware Protection | N/A | <severity>, <session>, <subject>, <hash>, <object>, <objecttype> |
| AMP Engine Reputation Query Message | N/A | <severity>, <process>, <processid>, <subject>, <objectname>, <status>, <reason> |
| Anti-Spam Message | N/A | <severity>, <process>, <subject>, <objectname>, <reason> |
| Bad Command Syntax | N/A | <processid>, <object> |
| Begin Logfile | N/A | <object> |
| Bounced Message Pending Delivery | N/A | <session>, <object> |
| Cache Status | N/A | <object>, <quantity>, <seconds> |
| Case Spam and Anti-Spam Messages | N/A | <severity>, <process>, <session>, <tag2>, <object>, <command>, <version>, <tag1> |
| Catch All : Level 1 | N/A | <tag1>, <severity> |
| Catch All : Mail_logs | N/A | <severity>, <vendorinfo>, <session>, <subject>, <result>, <object>, <domainorigin>, <objecttype> |
| Cloudmark Anti-Spam Messages | N/A | <severity>, <tag1>, <result>, <session> |
| Command Not Supported for Delivery Connection | N/A | <processid>, <process> |
| Connection Error | N/A | <processid>, <domain>, <dip>, <dport>, <vmid>, <domainimpacted>, <tag1>, <sip>, <reason>, <object> |
| Could Not Fetch Object | N/A | <severity>, <object>, <url>, <objectname> |
| DCID Messages Per Connection Limit Reached | N/A | <processid> |
| Destination Unreachable | N/A | <session>, <dname>, <object> |
| DKIM Malformed Signature | N/A | <session>, <object> |
| DNS Error | N/A | <dname> |
| DNS Recursion Level Exceeded | N/A | <quantity>, <dname> |
| DomainKeys Identified Mail Information | N/A | <session>, <result>, <command>, <domain>, <version>, <sender>, <result>, <account>, <tag1>, <tag2> |
| Email Delivery Connection Closed | N/A | <process>, <processid>, <action>, <tag1> |
| Email Delivery Started | N/A | <processid>, <session>, <responsecode> |
| Email Message Dropped | N/A | <action>, <session>, <subject>, <object>, <tag1> |
| Email Message Queued for Delivery | N/A | <session>, <action>, <recipient> |
| Email Message Recipient Information | N/A | <session>, <processid>, <responsecode>, <recipient>, <sender>, <tag1> |
| Email Message Scanning Problem | N/A | <session>, <tag1> |
| Email Message Split | N/A | <session>, <object> |
| Email Process Information | N/A | <session>, <process> |
| Email Processing Complete | N/A | <processid>, <session>, <responsecode> |
| Email Processing Info | N/A | <session>, <subject>, <action>, <tag1> |
| Email Ready for Scan | N/A | <session>, <bytesin>, <sender> |
| Email Sender Information | N/A | <session>, <sender> |
| Email Subject Information | N/A | <session>, <subject> |
| Graymail Syslog | N/A | <severity>, <objectname>, <action>, <objecttype> |
| GUI Log Messages | N/A | <severity>, <process>, <tag2>, <vmid>, <object>, <sip>, <subject>, <login>, <session>, <url>, <objectname>, <dname>, <sport> |
| Host Information | N/A | <object>, <quantity>, <size> |
| HTTP Request | N/A | <sip>, <login>, <vmid>, <command>, <url>, <version>, <useragent>, <object> |
| ICID Hat Reject Messages | N/A | <severity>, <processid>, <recipient>, <sender>, <dip>, <sip>, <subject> |
| Idle Connection Dropped | N/A | <severity>, <sip>, <seconds> |
| Incoming Email Processing Started | N/A | <session>, <processid> |
| Injection Connection Disconnected | N/A | <processid>, <sip>, <object> |
| Injection Connection Lost | N/A | <processid> |
| Interim Verdict Engine Information | N/A | <session>, <subject>, <object>, <action>, <status> |
| Invalid Bounce | N/A | <session>, <object> |
| Invalid DNS Response | N/A | <object>, <sip>, <dname> |
| Invalid Recipient Address | N/A | <session>, <recipient>, <domain> |
| IronPort Image Analysis | N/A | <severity>, <session>, <subject>, <object>, <quantity> |
| Lame DNS Server Information | N/A | <sname> |
| Last Message Repeated | N/A | <severity>, <dname>, <subject>, <quantity>, <url>, <protname>, <responsecode> |
| LDAP Messages | N/A | <severity>, <protname>, <tag2>, <command>, <objectname>, <sname>, <object>, <tag1>, <vmid>, <subject> |
| Mail_logs : Alias Match | N/A | <severity>, <session>, <responsecode>, <recipient>, <subject> |
| Mail_logs : AMP File Reputation | N/A | <severity>, <action>, <vendorinfo>, <reason>, <subject>, <status>, <processid>, <objecttype>, <object>, <session> |
| Mail_logs : DMARC | N/A | <severity>, <process>, <object>, <domainorigin>, <status>, <subject> |
| Mail_logs : LDAP | N/A | <severity>, <subject>, <reason>, <session>, <responsecode>, <sender> |
| Mail_logs : URL Reputation | N/A | <severity>, <session>, <url>, <vendorinfo>, <action>, <subject> |
| Mail Failed Sender ID Check | N/A | <session>, <sip>, <sname> |
| Mailbox Has Exceeded the Limit | N/A | <session>, <recipient> |
| Matched All Recipients to Policy | N/A | <session>, <object>, <tag1> |
| Message Aborted | N/A | <tag1>, <session>, <object> |
| Message Attachment | N/A | <session>, <object> |
| Message Bounced or Delayed | N/A | <tag1>, <processid>, <session>, <tag2>, <domain>, <dname>, <recipient>, <object>, <vmid>, <object> |
| Message Bypass Applied | N/A | <session>, <object>, <recipient> |
| Message Generated by Notify-Copy Filter | N/A | <session>, <object> |
| Message Generated for Message Bounce | N/A | <session>, <object> |
| Message ID Added | N/A | <session>, <object>, <login>, <domain> |
| Message ID Rewritten | N/A | <session>, <object>, <protname> |
| Message Pending | N/A | <session>, <responsecode>, <object> |
| Message Quarantined by Filter | N/A | <session>, <threatname>, <object> |
| Message Recipient Rejected | N/A | <session>, <recipient>, <object> |
| Message Response | N/A | <session>, <object>, <tag1>, <sender>, <bytesin>, <hours>, <minutes>, <seconds> |
| Message Sender Rejected | N/A | <processid>, <sender>, <object> |
| Message Subject Information | N/A | <session>, <subject> |
| Message Too Big to Scan | N/A | <session>, <bytesin>, <size> |
| Message Virus Free | N/A | <session>, <subject>, <object>, <action> |
| Miscellaneous MID Messages | N/A | <severity>, <session>, <object>, <status>, <sip>, <result>, <subject>, <recipient>, <object>, <hash>, <domainorigin>, <objectname>, <objecttype> |
| Nameserver Resolution Error | N/A | <object>, <domain> |
| New Delivery Connection | N/A | <protname>, <processid>, <sip>, <dip>, <dport> |
| Outbreak Detected | N/A | <object>, <threatname>, <threatid> |
| Pattern 1 : Delivery Notification | N/A | <session>, <recipient>, <tag1>, <tag2> |
| Pattern 2 : Email Delivery Information | N/A | <tag1>, <session>, <tag2> |
| Pattern 3 : Email Scan Results | N/A | <session>, <action>, <tag1>, <tag2>, <subject> |
| Pattern 4 : New Email Reception Connection | N/A | <process>, <tag2>, <processid>, <sip>, <sname>, <status>, <tag1> |
| Pattern 5 : FTP Syslog | N/A | <tag1>, <session>, <tag2>, <tag3>, <login>, <sip>, <dip> |
| Pattern 6 : SMTP Conversation Syslog | N/A | <sip>, <sname>, <domainorigin>, <session>, <responsecode>, <sender>, <recipient>, <tag1>, <tag2> |
| Pattern 7 : Gmail Debug Syslog | N/A | <session>, <tag1>, <tag2>, <recipient> |
| Pattern 8 : Encryption Syslog | N/A | <tag1>, <session>, <tag2> |
| Pattern 9 : Anti-Virus Logs | N/A | <url>, <session>, <objecttype>, <result>, <object>, <subject>, <result>, <tag2>, <action>, <tag1> |
| Pattern 10 : NTP Syslog | N/A | <tag1>, <dip>, <recipient>, <tag2> |
| Pattern 11 : HTTP Syslog | N/A | <tag1>, <session>, <login>, <tag2>, <dip>, <sip>, <dport>, <sport>, <sip>, <object>, <url>, <tag2> |
| Pattern 12 : Scanning Syslog | N/A | <tag1>, <tag2>, <recipient>, <subject> |
| Pattern 13 : CLI Syslog | N/A | <severity>, <tag1>, <session>, <login>, <tag2>, <subject>, <sip>, <dip>, <tag4>, <tag3>, <command> |
| Pattern 14 : CASE Anti-Spam | N/A | <tag1>, <process>, <session>, <tag2> |
| Pattern 15 : CASE Updates | N/A | <tag1>, <tag3>, <tag2>, <seconds> |
| Pattern 16 : System Logs | N/A | <tag1>, <login>, <tag2>, <recipient>, <dip>, <sname>, <object>, <sip> |
| Pattern 17 : Textmail General | N/A | <dip>, <dport>, <domainorigin>, <sip>, <session>, <processid>, <tag1>, <tag2> |
| Pattern 18 : Spam Quarantine | N/A | <process>, <tag1>, <object>, <seconds>, <milliseconds>, <quantity>, <tag2> |
| Pattern 18 : Status Logs Syslog | N/A | <tag1>, <tag2> |
| Pattern 19 : System Logs | N/A | <tag1>, <login>, <tag3>, <tag2>, <recipient>, <dip>, <sname>, <object>, <sip> |
| Potential Directory Harvest Attack | N/A | <severity>, <threatname>, <sip>, <sname>, <quantity>, <processid>, <object> |
| Receiving Failed | N/A | <processid>, <object> |
| Reroute Query | N/A | <protname>, <object>, <session>, <sender>, <recipient> |
| RPC Delivery Local IronPort Messages | N/A | <severity>, <subject>, <process>, <processid>, <session>, <action> |
| Scanned Queue for Remaining Messages | N/A | <dname>, <quantity> |
| Scanning for Expiration Candidates | N/A | <session>, <status>, <object>, <dname>, <quantity> |
| SDR : Consolidated Sender Reputation Messages | N/A | <severity>, <session>, <group>, <sender>, <domainorigin> |
| SDR : Tracker Header Messages | N/A | <severity>, <session>, <url> |
| Sender Group Reputation | N/A | <processid>, <process>, <action>, <object>, <group>, <dip>, <dport>, <dname>, <object>, <amount> |
| Sender Policy Framework Message | N/A | <session>, <object>, <sender>, <tag1>, <tag2>, <sname>, <subject> |
| Service Information | N/A | <object>, <tag1> |
| Session Established | N/A | <severity>, <sip>, <login>, <session>, <protname> |
| Session Expired | N/A | <severity>, <session>, <account> |
| Session Not Found | N/A | <severity>, <session>, <sip> |
| Signature Verified and Rewritten | N/A | <session>, <recipient> |
| SMTP Authentication | N/A | <protname>, <processid>, <tag1>, <account>, <object> |
| SMTP Connection Rejected | N/A | <protname>, <dip> |
| SMTP Error Messages | N/A | <severity>, <dname>, <process>, <dip>, <dport>, <account>, <url>, <vmid>, <tag1>, <subject> |
| SMTP System Sending Message | N/A | <severity>, <tag1>, <recipient>, <subject> |
| Sophos Antivirus Message | N/A | <severity>, <process>, <subject>, <processid>, <vmid>, <threatname>, <objectname> |
| Spam and Mail Log Messages | N/A | <severity>, <processid>, <result>, <tag1>, <object> |
| Spam Quarantine | N/A | <process>, <session> |
| Subscription Push Success | N/A | <severity>, <object>, <dip> |
| System/Critical Alert Message | N/A | <severity>, <tag1>, <recipient>, <subject> |
| System Limit Reached | N/A | <dip>, <object>, <processid>, <quantity> |
| Time Offset from UTC in Seconds | N/A | <object>, <seconds> |
| Transport Layer Security Messages | N/A | <tag1>, <processid>, <tag2>, <protname>, <process>, <object> |
| Unknown Command | N/A | <session>, <object> |
| Updater Log Messages | N/A | <process>, <tag1>, <severity>, <process>, <object>, <tag2>, <subject> |
| User Logoff | N/A | <severity>, <login>, <session>, <subject> |
| Warning Messages Type 1 | N/A | <severity>, <session>, <object>, <objecttype>, <objectname>, <tag1> |
| Warning Messages Type 2 | N/A | <severity>, <process>, <session>, <tag1>, <vendorinfo>, <subject>, <tag2>, <vmid>, <dip> |

Revision History

| KB Version | Log Type | Change Type | Details |
| --- | --- | --- | --- |
| KB 7.1.576.2 | Mail_logs : URL Reputation | Regular Expression Update | Regex is updated to parse: values from <process> to parse into <session>; update values parsing in <action> |
| KB 7.1.576.2 | Sender Group Reputation; Inbound Email Correction Established; Email Delivery Started; Email Processing Info; Pattern 3 : Email Scan Results | Regular Expression Update | Regex is updated to parse: RID in <responsecode>; DCID\ICID in <processid>; MID in <session> |