Description
The Splunk for Cisco IronPort Email Security Appliance (ESA) technology add-on is a collection of inputs, field extractions, and other search-time knowledge used to drive reporting and search for data collected from Cisco ESA devices. This add-on can be used standalone, or it can be installed with the Cisco Security Suite umbrella app and the other Cisco Security Suite apps and add-ons to provide a single-pane-of-glass interface and out-of-the-box reports on Cisco ESA and other Cisco technology data. Important note: this add-on, under its new name, Splunk for Cisco IronPort Email Security Appliance, replaces the older and very popular Cisco IronPort E-mail Security Add On and contains all of the functionality of its predecessor plus the enhancements listed in the release notes below. Additional information and the download for the Cisco Security Suite can be found on Splunkbase. The other Cisco Security Suite apps and add-ons include:
Installation and configuration instructions for this add-on can be found in the README file within the downloaded package.
Versions and Release Notes
Version 2.0 (current version - updated Jan 25, 2013)
Release notes:
- Reports and dashboards have been removed from the plug-in and placed in the Cisco Security Suite. Please download the Cisco Security Suite for the search head components.
Version 1.0.0 (updated Mar 14, 2011)
Release notes:
- Updated to provide compatibility with Splunk 4.2
Hi,
I'm not getting any data with the sourcetype=cisco_esa, I have the following in the inputs.conf:
# regular syslog (Splunk only honours comments on their own line, never after a stanza header)
[udp://514]
disabled = false
sourcetype = syslog
connection_host = dns
# ironport syslog
[udp://192.168.1.200:514]
disabled = false
host = 192.168.1.200
sourcetype = cisco_esa
connection_host = dns
However, data from host 192.168.1.200 is being indexed with the [udp://514] index and not the [udp://192.168.1.200:514].
What do I have to change to have it recorded with the sourcetype=cisco_esa?
Thanks a lot,
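A small checker for the situation in the question above, added here as an example and not code from the add-on or from anyone in this thread. It parses an inputs.conf, warns about text trailing a stanza header (Splunk honours `#` comments only on their own line, so such text is not a comment), and reports UDP ports claimed by more than one stanza, which the inputs.conf spec documents as unsupported (one stanza per UDP port). The embedded conf text is a constructed sample reproducing the two stanzas from the question as posted, inline comments included.

```python
import re
from collections import defaultdict

# Constructed sample: the two stanzas from the question, with the inline comments
# written after the headers exactly as posted, to exercise the trailing-text check.
SAMPLE_INPUTS_CONF = """\
[udp://514] #regular syslog
disabled = false
sourcetype = syslog
connection_host = dns
[udp://192.168.1.200:514] #ironport syslog
disabled = false
host = 192.168.1.200
sourcetype = cisco_esa
connection_host = dns
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\](?P<trail>.*)$")
UDP_RE = re.compile(r"^udp://(?:(?P<host>[^:]+):)?(?P<port>\d+)$")


def parse_inputs_conf(text):
    """Return (stanzas, warnings); stanzas maps stanza name -> {setting: value}."""
    stanzas, warnings, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or a comment on its own line
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name").strip()
            stanzas[current] = {}
            if m.group("trail").strip():
                # Splunk does not treat this as a comment; it becomes part of the header.
                warnings.append(f"line {lineno}: trailing text after stanza [{current}] is not a comment")
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas, warnings


def udp_port_conflicts(stanzas):
    """Group udp:// stanzas by port and return the ports claimed more than once."""
    by_port = defaultdict(list)
    for name in stanzas:
        m = UDP_RE.match(name)
        if m:
            by_port[int(m.group("port"))].append(name)
    return {port: names for port, names in by_port.items() if len(names) > 1}


if __name__ == "__main__":
    found, warns = parse_inputs_conf(SAMPLE_INPUTS_CONF)
    for w in warns:
        print("WARNING:", w)
    for port, names in udp_port_conflicts(found).items():
        print(f"UDP port {port} is claimed by {len(names)} stanzas: {', '.join(names)}")
```

Run against the sample it flags both stanza headers and reports port 514 as claimed twice, which is the condition under which the host-restricted cisco_esa stanza cannot be relied on to receive the 192.168.1.200 traffic.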
I'm very disappointed with this app. I got it to work and set up / made mods to conf files, but it really lacks. I would rather go to the ESA boxes to get the info. Unless I'm missing something there needs to be a lot of work to get this app right.
OK, this app works for me, but it has some things wrong with it:
- Spelling is wrong, i before e except after c, summary has "Top Recievers"! You can fix this by editing the esa_overview.xml file, etc.
- The summary graph titles are confusing because there are 4 types of "Top": Top Internal Sender (mailfrom my domains), Top External Sender (mailfrom not my domains), Top Internal Receiver (mailto my domains), Top External Receiver (mailto not my domains).
I will create a search for these 4, so here you go (note that comment formatting is difficult, but you get the idea). Edit the savedsearches.conf in "default" of the app, etc.
[IronPort E-mail - Top 25 Internal Senders]
cron_schedule = 0 0-23 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = +0s
displayview = flashtimeline
enableSched = 1
request.ui_dispatch_view = flashtimeline
search = eventtype=cisco_esa mailfrom=*@domain\.com | top mailfrom limit=25 showperc=t
[IronPort E-mail - Top 25 External Senders]
cron_schedule = 0 0-23 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = +0s
displayview = flashtimeline
enableSched = 1
request.ui_dispatch_view = flashtimeline
search = eventtype=cisco_esa NOT mailfrom=*@domain\.com | top mailfrom limit=25 showperc=t
[IronPort E-mail - Top 25 Internal Recipients]
cron_schedule = 0 0-23 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = +0s
displayview = flashtimeline
enableSched = 1
request.ui_dispatch_view = flashtimeline
search = eventtype=cisco_esa mailto=*@domain\.com | top mailto limit=25 showperc=t
[IronPort E-mail - Top 25 External Recipients]
cron_schedule = 0 0-23 * * *
dispatch.earliest_time = -24h
dispatch.latest_time = +0s
displayview = flashtimeline
enableSched = 1
request.ui_dispatch_view = flashtimeline
search = eventtype=cisco_esa NOT mailto=*@domain\.com | top mailto limit=25 showperc=t
I have not been able to get this app to work. Here is the error I see:
2011-11-15 19:23:26,566 WARNING [4ec2bc2e79508a550] view:168 - "Splunk_CiscoIronportEmailSecurity" app does not have a navigation configuration file defined.
2011-11-15 19:23:26,566 ERROR [4ec2bc2e79508a550] view:180 - Unable to parse nav XML for app=Splunk_CiscoIronportEmailSecurity; 'NoneType' object is unsubscriptable
2011-11-15 19:23:26,566 WARNING [4ec2bc2e79508a550] view:212 - Unable to process navigation configuration for app "Splunk_CiscoIronportEmailSecurity"; using defaults.