ES 10.0.6, Syslog - you good bro?
I'm not really happy with the log management (even having a hard time calling it that) on the E-Mail Security Appliance; downloading logs for further analysis is a joke and no pleasure at all.
But there is syslog for centralized logging, the savior. #SIDENOTE - the developer of rsyslog just lives a few kilometres away from here, go rsyslog :)
And here ends my story abruptly, the ESA is just not sending anything to the syslog server, even having it at severity level SYSLOG_DEBUG, nothing, nada, nil.
Has anyone configured the ESA to forward information to a syslog server, and what information can be expected? The option "send message details" sounded so compelling.
Apologies, but I need to bring this up again: anyone using syslog enabled on the ESA?
We'll run up and advise.
Just struggling with it.. Logging a ticket.
Thanks, wasn't planning to put that burden on you. Was looking for a simple answer like "You're doing it wrong", but it seems it isn't working out of the box.
Nah,.. it's all good I surely owe you one..
I liked what I saw at RSYSLOG. I'm messing with GRAYLOG which looks interesting. I'm looking to maybe use something that gives us some better intuition.
Have you taken any SIEMs for a spin? Are there any you like in particular?
My case raised on this is with the back-end team so I'm guessing they know about it now at least ;) .
Oh, this magic back-end team with all their wisdom; we'll see what they know about syslog. The back-end team for Capture Client was giving me another task, to scratch a CC (which went rogue) from my endpoint.
Thanks for checking, would be nice to have it working as it's supposed to.
Hey @BWC There is zip coming out of that thing....
I am talking to tech support right now..
He had the same issue in his lab...
Still no syslog in 10.0.7 if anyone wonders.
While checking for segfaults in the messages log, I found this entry for syslog-ng (a syslog daemon), which shows that my own remote syslog server is accepted, but not used?
Jul 20 17:20:32 esa syslog-ng: Log statistics; processed='source(src)=7257', processed='destination(console_all)=0', processed='destination(dest_10.1.x.y)=3095', processed='destination(initd)=1', processed='destination(messages)=4162', processed='center(received)=7257', processed='center(queued)=7258', dropped='udp(AF_INET(10.1.x.y:514))=0'
Will check with syslog-ng documentation what that all means.
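As an added example (my own code, not from anyone in this thread or from the appliance), a small parser for a syslog-ng "Log statistics" line of the shape quoted above: it pulls out each counter and reports how much of what the source read reached the remote destination and whether anything was dropped. The sample line is constructed after the quoted one; the `dest_` prefix is assumed to be how the remote destination is named.

```python
import re

# Constructed sample, modelled on the syslog-ng statistics line quoted above.
SAMPLE = ("Jul 20 17:20:32 esa syslog-ng: Log statistics; "
          "processed='source(src)=7257', processed='destination(console_all)=0', "
          "processed='destination(dest_10.1.x.y)=3095', processed='destination(initd)=1', "
          "processed='destination(messages)=4162', processed='center(received)=7257', "
          "processed='center(queued)=7258', dropped='udp(AF_INET(10.1.x.y:514))=0'")

# Each counter looks like kind='name=value', e.g. processed='destination(messages)=4162'.
COUNTER_RE = re.compile(r"(?P<kind>\w+)='(?P<name>[^=']+)=(?P<value>\d+)'")


def parse_stats(line):
    """Return {(kind, name): value} for every counter in a syslog-ng statistics line."""
    if "Log statistics;" not in line:
        raise ValueError("not a syslog-ng statistics line")
    return {(m["kind"], m["name"]): int(m["value"]) for m in COUNTER_RE.finditer(line)}


def forwarding_report(line, remote_prefix="destination(dest_"):
    """Summarise remote forwarding: messages received by the center, per-remote-destination
    counts, the percentage of received messages that reached remote destinations, and the
    total dropped count (non-zero dropped means the network sink is losing messages)."""
    stats = parse_stats(line)
    received = stats.get(("processed", "center(received)"), 0)
    remote = {name: v for (kind, name), v in stats.items()
              if kind == "processed" and name.startswith(remote_prefix)}
    dropped_total = sum(v for (kind, _), v in stats.items() if kind == "dropped")
    remote_sent = sum(remote.values())
    return {
        "received": received,
        "remote": remote,
        "remote_percent": (remote_sent * 100 // received) if received else 0,
        "dropped_total": dropped_total,
        # "healthy": the remote destination is actually receiving and nothing is dropped.
        "healthy": remote_sent > 0 and dropped_total == 0,
    }


if __name__ == "__main__":
    print(forwarding_report(SAMPLE))
```

For the quoted line this shows the remote destination did receive messages (3095 of 7257 received by the center, the rest going to local files), so a zero at the collector points at filtering on the appliance side or at the network path rather than at the daemon not using the destination.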
I checked again, and it seems that with 10.0.7 a syslog record is created for every successfully processed mail. This is fine, but I'm more interested in the problematic cases, like wrong protocol, wrong addresses etc.