AlienVault® USM Anywhere™

Cisco IronPort

When you configure Cisco IronPort integration to send log data to USM Anywhere, you can use the Cisco IronPort plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor Cisco
Device type Email and web security gateway
Connection type syslog
Vendor link http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa7-1/cli_guide/ESA_7-1_FCS_CLI_Reference_Guide.pdf

Integrating Cisco IronPort

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor. On the appliance you create a log subscription that is pushed to that sensor over syslog, addressed to the sensor's IP address, using the UDP transport protocol and the mail facility.

The following example shows how to use the logconfig command to create a new log subscription named MailLogSyslogPush for the IronPort Text Mail Logs, delivered by syslog push to the sensor at 10.1.1.2. Two answers in the transcript deserve a second look before you copy them. The example accepts Warning (2) at the Log level prompt, which suppresses the Information-level lines that carry the per-message connection (ICID), message (MID), sender and recipient details; for event analysis in USM Anywhere you normally keep the default, Information (3). UDP syslog also provides no delivery guarantee and no sender authentication, so restrict the sensor's syslog listener to the appliance's source address at the network level, and choose TCP at the protocol prompt if you need reliable delivery.

To create a syslog push log subscription

  1. From the mail3.example.com prompt, enter:

    logconfig

    Currently configured logs:
    1. "antispam" Type: "Anti-Spam Logs" Retrieval: FTP Poll
    2. "antivirus" Type: "Anti-Virus Logs" Retrieval: FTP Poll
    3. "asarchive" Type: "Anti-Spam Archive" Retrieval: FTP Poll
    4. "authentication" Type: "Authentication Logs" Retrieval: FTP Poll
    5. "avarchive" Type: "Anti-Virus Archive" Retrieval: FTP Poll
    6. "bounces" Type: "Bounce Logs" Retrieval: FTP Poll
    7. "cli_logs" Type: "CLI Audit Logs" Retrieval: FTP Poll
    8. "encryption" Type: "Encryption Logs" Retrieval: FTP Poll
    9. "error_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
    10. "euq_logs" Type: "IronPort Spam Quarantine Logs" Retrieval: FTP Poll
    11. "euqgui_logs" Type: "IronPort Spam Quarantine GUI Logs" Retrieval: FTP Poll
    12. "ftpd_logs" Type: "FTP Server Logs" Retrieval: FTP Poll
    13. "gui_logs" Type: "HTTP Logs" Retrieval: FTP Poll
    14. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
    15. "reportd_logs" Type: "Reporting Logs" Retrieval: FTP Poll
    16. "reportqueryd_logs" Type: "Reporting Query Logs" Retrieval: FTP Poll
    17. "scanning" Type: "Scanning Logs" Retrieval: FTP Poll
    18. "slbld_logs" Type: "Safe/Block Lists Logs" Retrieval: FTP Poll
    19. "sntpd_logs" Type: "NTP logs" Retrieval: FTP Poll
    20. "status" Type: "Status Logs" Retrieval: FTP Poll
    21. "system_logs" Type: "System Logs" Retrieval: FTP Poll
    22. "trackerd_logs" Type: "Tracking Logs" Retrieval: FTP Poll
    23. "updater_logs" Type: "Updater Logs" Retrieval: FTP Poll

    Choose the operation you want to perform:
    - NEW - Create a new log.
    - EDIT - Modify a log subscription.
    - DELETE - Remove a log subscription.
    - SETUP - General settings.
    - LOGHEADERS - Configure headers to log.
    - HOSTKEYCONFIG - Configure SSH host keys.
    []> new

    Choose the log file type for this subscription:
    1. IronPort Text Mail Logs
    2. qmail Format Mail Logs
    3. Delivery Logs
    4. Bounce Logs
    5. Status Logs
    6. Domain Debug Logs
    7. Injection Debug Logs
    8. SMTP Conversation Logs
    9. System Logs
    10. CLI Audit Logs
    11. FTP Server Logs
    12. HTTP Logs
    13. NTP logs
    14. LDAP Debug Logs
    15. Anti-Spam Logs
    16. Anti-Spam Archive
    17. Anti-Virus Logs
    18. Anti-Virus Archive
    19. Scanning Logs
    20. IronPort Spam Quarantine Logs
    21. IronPort Spam Quarantine GUI Logs
    22. Reporting Logs
    23. Reporting Query Logs
    24. Updater Logs
    25. Tracking Logs
    26. Safe/Block Lists Logs
    27. Authentication Logs
    [1]> 1

    Please enter the name for the log:
    []> MailLogSyslogPush

    Log level:
    1. Critical
    2. Warning
    3. Information
    4. Debug
    5. Trace
    [3]> 2

    Choose the method to retrieve the logs.
    1. FTP Poll
    2. FTP Push
    3. SCP Push
    4. Syslog Push
    [1]> 4

    Hostname to deliver the logs:
    []> 10.1.1.2

    Which protocol do you want to use to transfer the log data?
    1. UDP
    2. TCP
    [1]> 1

    Which facility do you want the log data to be sent as?
    1. auth
    2. authpriv
    3. console
    4. daemon
    5. ftp
    6. local0
    7. local1
    8. local2
    9. local3
    10. local4
    11. local5
    12. local6
    13. local7
    14. mail
    15. ntp
    16. security
    17. user
    [14]> 14

    Currently configured logs:
    1. "MailLogSyslogPush" Type: "IronPort Text Mail Logs" Retrieval: Syslog Push - Host 10.1.1.2

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application
  • application_type
  • bytes_out
  • content_category
  • customfield_0
  • customfield_1
  • customfield_2
  • customheader_0
  • customheader_1
  • customheader_2
  • destination_address
  • destination_hostname
  • destination_ntdomain
  • destination_port
  • destination_username
  • event_description
  • event_name
  • event_outcome
  • event_severity
  • file_name
  • malware_family
  • malware_variant
  • operating_system
  • policy
  • rep_device_rule_id
  • rep_device_version
  • reputation_score
  • request_method
  • request_referrer
  • request_url
  • request_user_agent
  • response_code
  • response_content_type
  • source_address
  • source_port
  • source_username
  • timestamp_occured
  • timestamp_received
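The following is an added example (not Cisco or USM Anywhere code) that covers two things a practitioner wants to verify after the logconfig procedure above: that datagrams arriving at the sensor carry the facility chosen in logconfig (mail) and the AsyncOS log level that the subscription was expected to forward, and what a subset of the plugin fields listed above would look like when filled from IronPort text mail log lines. It decodes the RFC 3164 PRI value, locates the AsyncOS level token (Info, Warning, Critical, Debug, Trace) and pulls ICID, MID, sender, recipient and outcome out of the message. The datagrams are constructed for the example, the syslog header between the PRI and the AsyncOS text is assumed, and the field mapping is an illustration using the page's field names, not the plugin's own parser.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 3164 facility and severity codes. Option 14 ("mail") in logconfig is facility 2,
# so every datagram from this subscription should carry PRI = 2*8 + severity.
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  12: "ntp", 13: "security", 14: "console", 15: "solaris-cron",
                  16: "local0", 17: "local1", 18: "local2", 19: "local3",
                  20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITY_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err", 4: "warning",
                  5: "notice", 6: "info", 7: "debug"}

# AsyncOS log levels as numbered in the logconfig "Log level" prompt. A subscription
# at level N forwards only messages whose level number is <= N.
ASYNCOS_LEVELS = {"Critical": 1, "Warning": 2, "Info": 3, "Debug": 4, "Trace": 5}

PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)
LEVEL_RE = re.compile(r"\b(?P<level>Critical|Warning|Info|Debug|Trace): (?P<msg>.*)$", re.S)

# Message bodies in the IronPort text mail log (mail_logs) format. These patterns are an
# assumption made for this example; the USM Anywhere plugin's own parser is not on this page.
NEW_ICID_RE = re.compile(r"New SMTP ICID (?P<icid>\d+) interface \S+ \((?P<iface>[\d.]+)\) "
                         r"address (?P<src>[\d.]+)")
FROM_RE = re.compile(r"MID (?P<mid>\d+) ICID (?P<icid>\d+) From: <(?P<addr>[^>]*)>")
TO_RE = re.compile(r"MID (?P<mid>\d+) ICID (?P<icid>\d+) RID \d+ To: <(?P<addr>[^>]*)>")
DONE_RE = re.compile(r"Message finished MID (?P<mid>\d+) (?P<outcome>\w+)")


@dataclass
class SyslogEvent:
    facility: str           # decoded from PRI; should be "mail" for this subscription
    severity: str           # syslog severity decoded from PRI
    level: str              # AsyncOS level token found in the message text
    fields: Dict[str, str]  # subset of the plugin field names listed on this page


def parse_syslog_push(datagram: bytes) -> Optional[SyslogEvent]:
    """Decode one UDP datagram as AsyncOS pushes it. Returns None for anything that is
    not a syslog message carrying an AsyncOS level token."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n")
    m = PRI_RE.match(text)
    if not m or int(m["pri"]) > 191:   # PRI missing or out of range (max is 23*8 + 7)
        return None
    pri = int(m["pri"])
    lm = LEVEL_RE.search(m["rest"])
    if not lm:
        return None
    level, msg = lm["level"], lm["msg"]
    fields: Dict[str, str] = {"event_severity": level, "event_description": msg}
    if (x := NEW_ICID_RE.search(msg)):
        fields.update(event_name="New SMTP connection", source_address=x["src"],
                      destination_address=x["iface"], customfield_0=x["icid"])
    elif (x := FROM_RE.search(msg)):
        fields.update(event_name="Envelope sender", source_username=x["addr"],
                      customfield_0=x["icid"], customfield_1=x["mid"])
    elif (x := TO_RE.search(msg)):
        fields.update(event_name="Envelope recipient", destination_username=x["addr"],
                      customfield_0=x["icid"], customfield_1=x["mid"])
    elif (x := DONE_RE.search(msg)):
        fields.update(event_name="Message finished", event_outcome=x["outcome"],
                      customfield_1=x["mid"])
    return SyslogEvent(FACILITY_NAMES[pri >> 3], SEVERITY_NAMES[pri & 7], level, fields)


def facility_mismatches(datagrams: List[bytes], expected: str = "mail") -> List[str]:
    """Facilities seen on the wire that differ from the one chosen in logconfig."""
    seen = {ev.facility for d in datagrams if (ev := parse_syslog_push(d)) is not None}
    return sorted(seen - {expected})


def forwarded_at_level(datagrams: List[bytes], configured_level: int) -> List[SyslogEvent]:
    """Events a subscription at this logconfig level number would actually deliver."""
    out = []
    for d in datagrams:
        ev = parse_syslog_push(d)
        if ev is not None and ASYNCOS_LEVELS[ev.level] <= configured_level:
            out.append(ev)
    return out


# Constructed datagrams for the example (PRI 22 = mail.info, PRI 20 = mail.warning).
SAMPLE_DATAGRAMS = [
    b"<22>Apr 17 19:56:22 mail3.example.com mail_logs: Info: New SMTP ICID 5 interface Management "
    b"(192.168.42.42) address 10.1.1.1 reverse dns host unknown verified no",
    b"<22>Apr 17 19:56:22 mail3.example.com mail_logs: Info: Start MID 6 ICID 5",
    b"<22>Apr 17 19:56:22 mail3.example.com mail_logs: Info: MID 6 ICID 5 From: <sender@example.com>",
    b"<22>Apr 17 19:56:22 mail3.example.com mail_logs: Info: MID 6 ICID 5 RID 0 To: <recipient@example.com>",
    b"<20>Apr 17 19:56:23 mail3.example.com mail_logs: Warning: MID 6 ICID 5 Message too large for interface Management",
    b"<22>Apr 17 19:56:24 mail3.example.com mail_logs: Info: Message finished MID 6 done",
]

if __name__ == "__main__":
    for ev in forwarded_at_level(SAMPLE_DATAGRAMS, 3):
        print(ev.facility, ev.severity, ev.fields.get("event_name", "-"), ev.fields)
    print("facility mismatches:", facility_mismatches(SAMPLE_DATAGRAMS))
    print("events forwarded at Warning (2):", len(forwarded_at_level(SAMPLE_DATAGRAMS, 2)))
```

Running forwarded_at_level over the same six datagrams with 2 (the Warning level accepted in the transcript) keeps only the single Warning line, while 3 (Information) keeps all six, which is why the log level matters for a SIEM feed. Feeding real datagrams captured on the sensor (for example from a short tcpdump on UDP 514) into facility_mismatches is a quick way to confirm the appliance is sending on the facility you selected.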

Troubleshooting

For troubleshooting, refer to the vendor documentation:

https://www.cisco.com/c/dam/en/us/td/docs/security/wsa/wsa7-1/user_guide/Cisco_IronPort_AsyncOS_7-1-0_User_Guide_for_Web_Security_Appliances.pdf