ES 10.0.6, Syslog - you good bro?
Hi,
I'm not really happy with the log management (even having a hard time calling it that) on the E-Mail Security Appliance; downloading logs for further analysis is a joke and no pleasure at all.
But there is syslog for centralized logging, the savior. #SIDENOTE - the developer of rsyslog just lives a few kilometres away from here, go rsyslog :)
And here ends my story abruptly, the ESA is just not sending anything to the syslog server, even having it at severity level SYSLOG_DEBUG, nothing, nada, nil.
Has anyone configured the ESA to forward information to a syslog server, and what information can be expected? The option "send message details" sounded so compelling.
--Michael@BWC
Answers
Apologies, but I need to bring this up again: anyone using syslog enabled on the ESA?
--Michael@BWC
Hiya @BWC,
We'll run up and advise.
Best, S.
Just struggling with it.. Logging a ticket.
Thanks, wasn't planning to put that burden on you. Was looking for a simple answer like "You're doing it wrong", but it seems it isn't working out of the box.
--Michael@BWC
Nah,.. it's all good I surely owe you one..
I liked what I saw at RSYSLOG. I'm messing with GRAYLOG which looks interesting. I'm looking to maybe use something that gives us some better intuition.
Have you taken any SIEMs for a spin? Are there any you like in particular?
Steph.
Hey @BWC
My case raised on this is with the back-end team so I'm guessing they know about it now at least ;) .
Best, S.
Hi @Halon5
Oh, this magic back-end team with all their wisdom; we'll see what they know about syslog. The back-end for CaptureClient was giving me another task to scratch a CC (which went rogue) from my endpoint.
Thanks for checking, it would be nice to have it working as it's supposed to.
--Michael@BWC
Hey @BWC There is zip coming out of that thing....
I am talking to tech support right now..
He had the same issue in his lab...
Still no syslog in 10.0.7 if anyone wonders.
--Michael@BWC
While checking for segfaults in the messages log, I found this entry for syslog-ng (a syslog daemon), which shows that my own remote syslog server is accepted, but not used?
Jul 20 17:20:32 esa syslog-ng[965]: Log statistics; processed='source(src)=7257', processed='destination(console_all)=0', processed='destination(dest_10.1.x.y)=3095', processed='destination(initd)=1', processed='destination(messages)=4162', processed='center(received)=7257', processed='center(queued)=7258', dropped='udp(AF_INET(10.1.x.y:514))=0'
Will check with syslog-ng documentation what that all means.
--Michael@BWC
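An added example, not part of the thread and not SonicWall or syslog-ng code: a small parser for the syslog-ng "Log statistics" line quoted in the post above, so the per-destination counters can be read programmatically instead of by eye. In syslog-ng's statistics a `processed` counter on a `destination(...)` entry counts messages handed to that destination, and a `dropped` counter on the matching network socket counts messages that could not be sent. The sample input is the line from the post; the destination name `dest_10.1.x.y` and the pairing of a `dropped` socket counter with a destination by the address in its name are taken from that line and are assumptions for any other configuration.

```python
import re

# Sample input: the syslog-ng statistics line quoted in the post above.
SAMPLE_LINE = (
    "Jul 20 17:20:32 esa syslog-ng[965]: Log statistics; "
    "processed='source(src)=7257', processed='destination(console_all)=0', "
    "processed='destination(dest_10.1.x.y)=3095', processed='destination(initd)=1', "
    "processed='destination(messages)=4162', processed='center(received)=7257', "
    "processed='center(queued)=7258', dropped='udp(AF_INET(10.1.x.y:514))=0'"
)

# Every counter has the shape  kind='type(instance)=value'
# The instance may itself contain parentheses, e.g. udp(AF_INET(10.1.x.y:514)),
# so it is matched lazily up to the ')=' that precedes the value.
COUNTER_RE = re.compile(
    r"(?P<kind>\w+)='(?P<type>[a-z_]+)\((?P<instance>.*?)\)=(?P<value>\d+)'"
)


def parse_stats(line):
    """Return {(kind, type, instance): value} for each counter on a statistics line.

    Any line that is not a syslog-ng 'Log statistics' line yields an empty dict,
    so this can be run over a whole messages log.
    """
    if "Log statistics;" not in line:
        return {}
    return {
        (m["kind"], m["type"], m["instance"]): int(m["value"])
        for m in COUNTER_RE.finditer(line)
    }


def destination_report(stats):
    """Summarise delivery per destination: messages processed and, where a
    network socket counter exists for the same address, messages dropped.

    Assumption: the destination name contains the remote address that also
    appears in the socket counter (true for dest_10.1.x.y / AF_INET(10.1.x.y:514)).
    """
    report = {
        inst: {"processed": val, "dropped": None}
        for (kind, typ, inst), val in stats.items()
        if kind == "processed" and typ == "destination"
    }
    for (kind, _typ, inst), val in stats.items():
        if kind != "dropped":
            continue
        # Pull the host out of e.g. 'udp(AF_INET(10.1.x.y:514))'
        host = re.search(r"\(([^():]+):\d+\)", inst)
        if not host:
            continue
        for dest in report:
            if host.group(1) in dest:
                report[dest]["dropped"] = val
    return report


def is_forwarding(stats, dest_name):
    """True if the destination has received at least one message and nothing
    destined for it was dropped (a missing dropped counter counts as 0)."""
    entry = destination_report(stats).get(dest_name)
    return bool(entry) and entry["processed"] > 0 and not entry["dropped"]


if __name__ == "__main__":
    stats = parse_stats(SAMPLE_LINE)
    for dest, counts in destination_report(stats).items():
        print(f"{dest:16} processed={counts['processed']:6} dropped={counts['dropped']}")
    print("remote syslog forwarding:", is_forwarding(stats, "dest_10.1.x.y"))
```

Run against the quoted line, the report shows 3095 messages processed for `dest_10.1.x.y` with 0 dropped on the UDP socket, which is the first thing to check before opening a ticket: if that counter grows while the collector sees nothing, the problem is on the path or the receiver (a packet capture for UDP/514 on the collector is the next step), whereas a counter stuck at 0 means the appliance is not routing anything to that destination.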
Hi all,
I checked again, and it seems that with 10.0.7 a syslog record will be created for every successfully processed mail. This is fine, but I'm more interested in the problematic cases, like wrong protocol, wrong addresses etc.
--Michael@BWC