Email Security Appliance (ESA)
Email Security Appliance (ESA): Protects email systems from spam, phishing, malware, and data loss with advanced threat filtering.
To onboard such an appliance to Axoflow, complete the generic appliance onboarding steps.
Labels
Axoflow automatically adds the following labels to data collected from this source:
| label | value |
|---|---|
| vendor | cisco |
| product | esa |
| format | text-plain | cef |
Note that the device can be configured to send plain syslog text or CEF-formatted output.
Sending data to Splunk
When sending the data collected from this source to Splunk, Axoflow uses the following sourcetype, index, and source settings:
| sourcetype | index | source |
|---|---|---|
| cisco:esa:http | esa:http | |
| cisco:esa:textmail | esa:textmail | |
| cisco:esa:amp | esa:amp | |
| cisco:esa:antispam | esa:antispam | |
| cisco:esa:system_logs | esa:system_logs | |
| cisco:esa:system_logs | esa:euq_logs | |
| cisco:esa:system_logs | esa:service_logs | |
| cisco:esa:system_logs | esa:reportd_logs | |
| cisco:esa:system_logs | esa:sntpd_logs | |
| cisco:esa:system_logs | esa:smartlicense | |
| cisco:esa:error_logs | esa:error_logs | |
| cisco:esa:error_logs | esa:updater_logs | |
| cisco:esa:content_scanner | esa:content_scanner | |
| cisco:esa:authentication | esa:authentication | |
| cisco:esa:http | esa:http | |
| cisco:esa:textmail | esa:textmail | |
| cisco:esa:amp | esa:amp | |
| cisco:esa | program: <variable> | |
| cisco:esa:cef | esa:consolidated |
Tested with: Splunk Add-on for Cisco ESA
Sending data to Google SecOps
When sending the data collected from this source to a dynamic Google SecOps destination, Axoflow sets the following log type: CISCO_EMAIL_SECURITY.