Device Details

Device Name

Syslog - Cisco Email Security Appliance

Vendor

Cisco

Device Type

Email Security Gateway

Supported Model Name/Number

Windows Server 2008, 2012, 2016+

Supported Software Version(s)

N/A

Collection Method

Syslog

Configurable Log Output?

No

Log Source Type

Syslog - Cisco Email Security Appliance

Log Processing Policy

LogRhythm Default

Exceptions

N/A

Additional Information

https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-1/user_guide/b_ESA_Admin_Guide_11_1/b_ESA_Admin_Guide_chapter_0100110.html

Supported Log Messages

Type | Product Version | Supported Schema Fields
--- | --- | ---
Account Commit Changes | N/A | <severity>, <processid>, <login>, <account>, <command>, <process>
Advanced Malware Protection | N/A | <severity>, <session>, <subject>, <hash>, <object>, <objecttype>
AMP Engine Reputation Query Message | N/A | <severity>, <process>, <processid>, <subject>, <objectname>, <status>, <reason>
Anti-Spam Message | N/A | <severity>, <process>, <subject>, <objectname>, <reason>
Bad Command Syntax | N/A | <processid>, <object>
Begin Logfile | N/A | <object>
Bounced Message Pending Delivery | N/A | <session>, <object>
Cache Status | N/A | <object>, <quantity>, <seconds>
Case Spam and Anti-Spam Messages | N/A | <severity>, <process>, <session>, <tag2>, <object>, <command>, <version>, <tag1>
Catch All : Level 1 | N/A | <tag1>, <severity>
Catch All : Mail_logs | N/A | <severity>, <vendorinfo>, <session>, <subject>, <result>, <object>, <domainorigin>, <objecttype>
Cloudmark Anti-Spam Messages | N/A | <severity>, <tag1>, <result>, <session>
Command Not Supported for Delivery Connection | N/A | <processid>, <process>
Connection Error | N/A | <processid>, <domain>, <dip>, <dport>, <vmid>, <domainimpacted>, <tag1>, <sip>, <reason>, <object>
Could Not Fetch Object | N/A | <severity>, <object>, <url>, <objectname>
DCID Messages Per Connection Limit Reached | N/A | <processid>
Destination Unreachable | N/A | <session>, <dname>, <object>
DKIM Malformed Signature | N/A | <session>, <object>
DNS Error | N/A | <dname>
DNS Recursion Level Exceeded | N/A | <quantity>, <dname>
DomainKeys Identified Mail Information | N/A | <session>, <result>, <command>, <domain>, <version>, <sender>, <result>, <account>, <tag1>, <tag2>
Email Delivery Connection Closed | N/A | <process>, <processid>, <action>, <tag1>
Email Delivery Started | N/A | <processid>, <session>, <responsecode>
Email Message Dropped | N/A | <action>, <session>, <subject>, <object>, <tag1>
Email Message Queued for Delivery | N/A | <session>, <action>, <recipient>
Email Message Recipient Information | N/A | <session>, <processid>, <responsecode>, <recipient>, <sender>, <tag1>
Email Message Scanning Problem | N/A | <session>, <tag1>
Email Message Split | N/A | <session>, <object>
Email Process Information | N/A | <session>, <process>
Email Processing Complete | N/A | <processid>, <session>, <responsecode>
Email Processing Info | N/A | <session>, <subject>, <action>, <tag1>
Email Ready for Scan | N/A | <session>, <bytesin>, <sender>
Email Sender Information | N/A | <session>, <sender>
Email Subject Information | N/A | <session>, <subject>
Graymail Syslog | N/A | <severity>, <objectname>, <action>, <objecttype>
GUI Log Messages | N/A | <severity>, <process>, <tag2>, <vmid>, <object>, <sip>, <subject>, <login>, <session>, <url>, <objectname>, <dname>, <sport>
Host Information | N/A | <object>, <quantity>, <size>
HTTP Request | N/A | <sip>, <login>, <vmid>, <command>, <url>, <version>, <useragent>, <object>
ICID Hat Reject Messages | N/A | <severity>, <processid>, <recipient>, <sender>, <dip>, <sip>, <subject>
Idle Connection Dropped | N/A | <severity>, <sip>, <seconds>
Incoming Email Processing Started | N/A | <session>, <processid>
Injection Connection Disconnected | N/A | <processid>, <sip>, <object>
Injection Connection Lost | N/A | <processid>
Interim Verdict Engine Information | N/A | <session>, <subject>, <object>, <action>, <status>
Invalid Bounce | N/A | <session>, <object>
Invalid DNS Response | N/A | <object>, <sip>, <dname>
Invalid Recipient Address | N/A | <session>, <recipient>, <domain>
IronPort Image Analysis | N/A | <severity>, <session>, <subject>, <object>, <quantity>
Lame DNS Server Information | N/A | <sname>
Last Message Repeated | N/A | <severity>, <dname>, <subject>, <quantity>, <url>, <protname>, <responsecode>
LDAP Messages | N/A | <severity>, <protname>, <tag2>, <command>, <objectname>, <sname>, <object>, <tag1>, <vmid>, <subject>
Mail_logs : Alias Match | N/A | <severity>, <session>, <responsecode>, <recipient>, <subject>
Mail_logs : AMP File Reputation | N/A | <severity>, <action>, <vendorinfo>, <reason>, <subject>, <status>, <processid>, <objecttype>, <object>, <session>
Mail_logs : DMARC | N/A | <severity>, <process>, <object>, <domainorigin>, <status>, <subject>
Mail_logs : LDAP | N/A | <severity>, <subject>, <reason>, <session>, <responsecode>, <sender>
Mail_logs : URL Reputation | N/A | <severity>, <session>, <url>, <vendorinfo>, <action>, <subject>
Mail Failed Sender ID Check | N/A | <session>, <sip>, <sname>
Mailbox Has Exceeded the Limit | N/A | <session>, <recipient>
Matched All Recipients to Policy | N/A | <session>, <object>, <tag1>
Message Aborted | N/A | <tag1>, <session>, <object>
Message Attachment | N/A | <session>, <object>
Message Bounced or Delayed | N/A | <tag1>, <processid>, <session>, <tag2>, <domain>, <dname>, <recipient>, <object>, <vmid>, <object>
Message Bypass Applied | N/A | <session>, <object>, <recipient>
Message Generated by Notify-Copy Filter | N/A | <session>, <object>
Message Generated for Message Bounce | N/A | <session>, <object>
Message ID Added | N/A | <session>, <object>, <login>, <domain>
Message ID Rewritten | N/A | <session>, <object>, <protname>
Message Pending | N/A | <session>, <responsecode>, <object>
Message Quarantined by Filter | N/A | <session>, <threatname>, <object>
Message Recipient Rejected | N/A | <session>, <recipient>, <object>
Message Response | N/A | <session>, <object>, <tag1>, <sender>, <bytesin>, <hours>, <minutes>, <seconds>
Message Sender Rejected | N/A | <processid>, <sender>, <object>
Message Subject Information | N/A | <session>, <subject>
Message Too Big to Scan | N/A | <session>, <bytesin>, <size>
Message Virus Free | N/A | <session>, <subject>, <object>, <action>
Miscellaneous MID Messages | N/A | <severity>, <session>, <object>, <status>, <sip>, <result>, <subject>, <recipient>, <object>, <hash>, <domainorigin>, <objectname>, <objecttype>
Nameserver Resolution Error | N/A | <object>, <domain>
New Delivery Connection | N/A | <protname>, <processid>, <sip>, <dip>, <dport>
Outbreak Detected | N/A | <object>, <threatname>, <threatid>
Pattern 1 : Delivery Notification | N/A | <session>, <recipient>, <tag1>, <tag2>
Pattern 2 : Email Delivery Information | N/A | <tag1>, <session>, <tag2>
Pattern 3 : Email Scan Results | N/A | <session>, <action>, <tag1>, <tag2>, <subject>
Pattern 4 : New Email Reception Connection | N/A | <process>, <tag2>, <processid>, <sip>, <sname>, <status>, <tag1>
Pattern 5 : FTP Syslog | N/A | <tag1>, <session>, <tag2>, <tag3>, <login>, <sip>, <dip>
Pattern 6 : SMTP Conversation Syslog | N/A | <sip>, <sname>, <domainorigin>, <session>, <responsecode>, <sender>, <recipient>, <tag1>, <tag2>
Pattern 7 : Gmail Debug Syslog | N/A | <session>, <tag1>, <tag2>, <recipient>
Pattern 8 : Encryption Syslog | N/A | <tag1>, <session>, <tag2>
Pattern 9 : Anti-Virus Logs | N/A | <url>, <session>, <objecttype>, <result>, <object>, <subject>, <result>, <tag2>, <action>, <tag1>
Pattern 10 : NTP Syslog | N/A | <tag1>, <dip>, <recipient>, <tag2>
Pattern 11 : HTTP Syslog | N/A | <tag1>, <session>, <login>, <tag2>, <dip>, <sip>, <dport>, <sport>, <sip>, <object>, <url>, <tag2>
Pattern 12 : Scanning Syslog | N/A | <tag1>, <tag2>, <recipient>, <subject>
Pattern 13 : CLI Syslog | N/A | <severity>, <tag1>, <session>, <login>, <tag2>, <subject>, <sip>, <dip>, <tag4>, <tag3>, <command>
Pattern 14 : CASE Anti-Spam | N/A | <tag1>, <process>, <session>, <tag2>
Pattern 15 : CASE Updates | N/A | <tag1>, <tag3>, <tag2>, <seconds>
Pattern 16 : System Logs | N/A | <tag1>, <login>, <tag2>, <recipient>, <dip>, <sname>, <object>, <sip>
Pattern 17 : Textmail General | N/A | <dip>, <dport>, <domainorigin>, <sip>, <session>, <processid>, <tag1>, <tag2>
Pattern 18 : Spam Quarantine | N/A | <process>, <tag1>, <object>, <seconds>, <milliseconds>, <quantity>, <tag2>
Pattern 18 : Status Logs Syslog | N/A | <tag1>, <tag2>
Pattern 19 : System Logs | N/A | <tag1>, <login>, <tag3>, <tag2>, <recipient>, <dip>, <sname>, <object>, <sip>
Potential Directory Harvest Attack | N/A | <severity>, <threatname>, <sip>, <sname>, <quantity>, <processid>, <object>
Receiving Failed | N/A | <processid>, <object>
Reroute Query | N/A | <protname>, <object>, <session>, <sender>, <recipient>
RPC Delivery Local IronPort Messages | N/A | <severity>, <subject>, <process>, <processid>, <session>, <action>
Scanned Queue for Remaining Messages | N/A | <dname>, <quantity>
Scanning for Expiration Candidates | N/A | <session>, <status>, <object>, <dname>, <quantity>
SDR : Consolidated Sender Reputation Messages | N/A | <severity>, <session>, <group>, <sender>, <domainorigin>
SDR : Tracker Header Messages | N/A | <severity>, <session>, <url>
Sender Group Reputation | N/A | <processid>, <process>, <action>, <object>, <group>, <dip>, <dport>, <dname>, <object>, <amount>
Sender Policy Framework Message | N/A | <session>, <object>, <sender>, <tag1>, <tag2>, <sname>, <subject>
Service Information | N/A | <object>, <tag1>
Session Established | N/A | <severity>, <sip>, <login>, <session>, <protname>
Session Expired | N/A | <severity>, <session>, <account>
Session Not Found | N/A | <severity>, <session>, <sip>
Signature Verified and Rewritten | N/A | <session>, <recipient>
SMTP Authentication | N/A | <protname>, <processid>, <tag1>, <account>, <object>
SMTP Connection Rejected | N/A | <protname>, <dip>
SMTP Error Messages | N/A | <severity>, <dname>, <process>, <dip>, <dport>, <account>, <url>, <vmid>, <tag1>, <subject>
SMTP System Sending Message | N/A | <severity>, <tag1>, <recipient>, <subject>
Sophos Antivirus Message | N/A | <severity>, <process>, <subject>, <processid>, <vmid>, <threatname>, <objectname>
Spam and Mail Log Messages | N/A | <severity>, <processid>, <result>, <tag1>, <object>
Spam Quarantine | N/A | <process>, <session>
Subscription Push Success | N/A | <severity>, <object>, <dip>
System/Critical Alert Message | N/A | <severity>, <tag1>, <recipient>, <subject>
System Limit Reached | N/A | <dip>, <object>, <processid>, <quantity>
Time Offset from UTC in Seconds | N/A | <object>, <seconds>
Transport Layer Security Messages | N/A | <tag1>, <processid>, <tag2>, <protname>, <process>, <object>
Unknown Command | N/A | <session>, <object>
Updater Log Messages | N/A | <process>, <tag1>, <severity>, <process>, <object>, <tag2>, <subject>
User Logoff | N/A | <severity>, <login>, <session>, <subject>
Warning Messages Type 1 | N/A | <severity>, <session>, <object>, <objecttype>, <objectname>, <tag1>
Warning Messages Type 2 | N/A | <severity>, <process>, <session>, <tag1>, <vendorinfo>, <subject>, <tag2>, <vmid>, <dip>

Revision History

KB Version | Log Type | Change Type | Details
--- | --- | --- | ---
KB 7.1.576.2 | Mail_logs : URL Reputation | Regular Expression Update | Regex is updated to parse: values previously captured in <process> now parse into <session>; value parsing in <action> is updated
KB 7.1.576.2 | Sender Group Reputation; Inbound Email Correction Established; Email Delivery Started; Email Processing Info; Pattern 3 : Email Scan Results | Regular Expression Update | Regex is updated to parse: RID in <responsecode>; DCID\ICID in <processid>; MID in <session>