Audit logging on Cisco Ironport ESA and WSA

How do I audit the admin activity for changes done on the Ironport appliances? The log subscriptions do not log the actions performed by an administrator in the GUI.


Similar Messages

  • What is the cisco ironport C680 and M680 configuration backup file size?

    what is the cisco ironport C680 and M680 configuration backup file size?

    Size of the XML itself?  That is going to vary based on what you have configured, total lines of code, and # of appliances you may/may not have in cluster.
    M680, based on SMA as stand-alone, should be similar --- you are probably looking @ < 1 MB... 
    Looking @ my test environment, in which I have a nightly cron job set to grab a backup of...
    -rw-rw----  1 robert robert 161115 Sep 26 02:00 C000V-564D1A718795ACFEXXXX-YYYYBAD60A5A-20140926T020002.xml
    So, 161115 bytes = .15 MB
    -Robert

  • Audit log of the User access and permissions

    Hi All,
    We need to have the Audit trail of the user access and permission. Meaning Changes to user access rights will be logged.
    This should include:
    Current Access Rights (including Date the access was given),
    Group membership (including Date the access was given),
    Previous Access Rights (including Date the access was given and revoked).
    Can we reuse any out of the box functionality of CQ. Does anybody having any pointer to this?
    Thanks,
    Debasis

    Hi PChamoun,
    At the outset, thanks a lot for the clue. I am very new to CQ. Could you please guide me on what APIs are required to track the rep:policy node changes? Even if a workflow is started after any change to rep:policy, how will I be able to get the information on what change happened?
    Thanks,
    Debasis

  • Backup and restore logs, quarantines cisco ironport c170

    Hello,
    Is there anyway to backup and restore logs and quarantine to another ironport c170?
    Thanks in advance.
    Alexandre

    Hello Alexandre,
    logs can easily be downloaded via FTP or SCP, there is a folder per logs subscription, i.e.
    /mail_logs
    /system_logs
    /error_logs
    Each folder contains multiple logs; those with the extension .s are the ones that have rolled over, while .c and .current are the ones currently being written to. I would not recommend uploading them to another appliance, as this may cause problems or at least confusion. Quarantines cannot be backed up; that functionality is limited to SMAs (M-series).
    Hope that helps,
    Andreas

  • Cisco Ironport ESA System setup wizard

    Hi all,
    I'm installing a Cisco ESA. I configured the IP of Data1 and Management and the hostname with temporary data to enable feature keys.
    Now I have to migrate those parameters to the final configuration, except Management. If I run the system setup wizard again, does it blow away
    the features installed and activated?
    Thanks
    smaikol

    If you re-run systemsetup again from the CLI - it will reset the IP and listeners you have configured, along with the network information associated.  You are presented the warning message from the CLI:  
    WARNING: The system setup wizard will completely delete any existing 'listeners' and all associated settings including the 'Host Access Table'
    - mail operations may be interrupted.
    The features themselves are still present and licensed, and should not change.  During the setup wizard prompts - you are asked if you want to use and enable the features - such as Anti-Spam, Anti-Virus:
    Do you want to use Anti-Spam scanning in the default Incoming Mail policy? [Y]> 
    Would you like to enable the Spam Quarantine? [Y]> 
    1. IronPort Anti-Spam
    2. Intelligent Multi-Scan
    3. Cloudmark Service Provider Edition
    Enter the number of the Anti-Spam engine you would like to use on the default Incoming Mail policy.
    []> 1
    IronPort selected for DEFAULT policy
    Do you want to use Anti-Virus scanning in the default Incoming and Outgoing Mail policies? [Y]> 
    1. McAfee Anti-Virus
    2. Sophos Anti-Virus
    Enter the number of the Anti-Virus engine you would like to use on the default Incoming and Outgoing Mail policies.
    []> 2
    Sophos selected for DEFAULT policy
    Do you want to use Anti-Malware scanning in the default Incoming Mail policies? [Y]> 
    Advanced Malware Protection selected for DEFAULT policy
    Do you want to enable Outbreak Filters? [Y]> 
    Outbreak Filters enabled.
    Allow the sharing of limited data with SenderBase? [Y]> 
    You have successfully configured Outbreak Filters and SenderBase.
    Usually, it is just simpler if you are re-IPing the ESA from a temporary IP to permanent IP to just change the information associated via ifconfig and modify the interface as needed, or on the GUI use Network > IP Interfaces.  
    -Robert

  • Cisco ironport esa compressed files

    hi,
    Can a Cisco ESA C170 filter exe files contained in an attached compressed folder (.zip, .rar)? If it is possible, can anyone please help us with the steps to do so?
    thanks,

    It is possible, yes. This characteristic is part of the AsyncOS, not the hardware appliance, so it will work with any device (hardware or virtual).
    Please refer to:
    http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-5-6/ESA_8-5-6_User_Guide.pdf
    Attachment Filenames and Single Compressed Files within Archive Files
    This example shows how to match single compressed files in archives such as those created by gzip: 
    quarantine_gzipped_exe_or_pif:
    if (attachment-filename == '(?i)\\.(exe|pif)($|.gz$)') {
        quarantine("Policy");
    }
    Also please refer to:
    Table 9-6 Attachment Groups (continued)
    Attachment Group Name: Compressed
    Scanned File Types:
    • ace (ACE Archiver compressed file)
    • arc (SQUASH compressed archive)
    • arj (Robert Jung ARJ compressed archive)
    • binhex
    • bz (Bzip compressed file)
    • bz2 (Bzip compressed file)
    • cab (Microsoft cabinet file)
    • gzip* (Compressed file - UNIX gzip)
    • lha (Compressed archive [LHA/LHARC/LHZ])
    • rar (Compressed archive)
    • sit (Compressed archive - Macintosh file [Stuffit])
    • tar* (Compressed archive)
    • unix (UNIX compress file)
    • zip* (Compressed archive - Windows)
    • zoo (ZOO compressed archive file)
    * These file types can be “body-scanned”
    As you can see above, rar is in the list and so is zip.
    I hope that helps.
    Best regards,
    -Valter
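    To see exactly which attachment names the posted rule would quarantine, here is an added Python check (not from the post and not AsyncOS code) that applies the same regular expression; it assumes AsyncOS evaluates `==` as an unanchored regex search over the filename, and it also shows a tightened variant in which the dot before `gz` is escaped.

```python
import re

# Pattern as the AsyncOS filter engine sees it: inside the filter's
# single-quoted string, '\\.' reaches the regex engine as '\.'.
POSTED_PATTERN = r'(?i)\.(exe|pif)($|.gz$)'

# Tightened variant (added here, not from the post): the dot before "gz"
# is escaped so only a literal ".gz" suffix is accepted.
TIGHT_PATTERN = r'(?i)\.(exe|pif)(\.gz)?$'


def matches(pattern: str, filename: str) -> bool:
    """Emulate `attachment-filename == '<pattern>'`.

    Assumption: AsyncOS treats `==` as an unanchored regular-expression
    search over the attachment filename, so re.search is used.
    """
    return re.search(pattern, filename) is not None


def quarantine_decisions(filenames, pattern=POSTED_PATTERN):
    """Map each attachment filename to whether the filter would quarantine it."""
    return {name: matches(pattern, name) for name in filenames}


# Constructed sample attachment names (not from the post).
SAMPLE_ATTACHMENTS = [
    "setup.EXE",          # bare executable, matched case-insensitively
    "invoice.pif.gz",     # gzipped .pif
    "report.exe.gz",      # gzipped .exe
    "tool.exe.tar.gz",    # ".tar.gz" after .exe is not a bare ".gz"
    "archive.zip",        # an exe *inside* a zip is invisible to this rule
    "notes.exe.txt",      # .exe is not at the end and ".txt" is not "?gz"
    "run.exe_gz",         # the unescaped '.' lets any character precede "gz"
]

if __name__ == "__main__":
    for name, hit in quarantine_decisions(SAMPLE_ATTACHMENTS).items():
        print(f"{name:18} posted={hit!s:5} tight={matches(TIGHT_PATTERN, name)}")
```

    The last two sample names are the point: the posted rule never looks inside a .zip or .rar (that needs the Compressed attachment group and body scanning), and its unescaped dot accepts `run.exe_gz`.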

  • Cisco ironport c360 and c170

    Dear cisco fellows,
    I've looked everywhere, but I can't find the number of emails per hour the C360 and the C170 can handle (not the number of mailboxes).
    I'd appreciate a response
    BR,

    I don't think you will find this information in a public forum.  The throughput is affected by many factors including AV and AS settings, use of TLS and encryption, DKIM signing, use of content filters, size of emails, etc.  You will find guidance on how many users a model of the ESA can support, based on general assumptions.  You may find some "unburdened" numbers which tell you how many emails an ESA could process if all it did was relay the mail, but that is not real world.  I think you will need to speak to your Cisco rep or SE if you want a number of emails based on your particular setup.

  • Cisco ironport 370 to 670 Configuration Compatibility Issue

    I currently have a Cisco IronPort S360 and want to upgrade to a Cisco S670. I uploaded the configuration file of the Cisco IronPort 360 to the S670 but was unable to succeed because of an OS compatibility issue. Can anyone help me regarding how to make it compatible?
    Regards,
    Shafiq

    Hi Shafiq,
    Please open a ticket and send both of your configuration files with the ticket. The CSE will need to verify that the network interfaces are the same or modify your xml file to allow it to be successfully uploaded to the new 670.
    Sincerely,
    Erik Kaiser
    WSA CSE
    WSA Cisco Forums Moderator

  • Problem with the XI-Audit log entries in the table "XI_AF_MSG_AUDIT"

    Hi,
    I have an async-szenarios for PO:
    We send IDocs from SAP ERP to a web service via SOAP, and we take acknowledgements. We use an integration process with a deadline block to catch the errors after the retries (three times) and send them via e-mail.
    Our problem is the number of audit logs in the table "XI_AF_MSG_AUDIT":
    In the RWB we see only one audit log (with three retries) in an error case. But in the table XI_AF_MSG_AUDIT there are about 76 entries for the same audit log in the error case and about 20 entries in the case of successful processing.
    This number of entries in the table causes problems with the size of the redo log file and the delete job, and of course the large size of the table, and therefore problems on the database. The table cannot be controlled. The delete job cannot run and cancels every time due to these redo log problems.
    What can cause that?
    How can it be prevented that so many entries are made in the table "XI_AF_MSG_AUDIT"?
    Best regards
    Gueltekin

    Hi Gueltekin,
    I am only aware of the general property auditLogEnabled of J2EE Engine Service SAP XI AF Core, which controls in general (default = true) that entries in the AF Message Audit log are written at all.
    (see [http://help.sap.com/saphelp_nw70/helpdata/en/5c/22ee41c334c717e10000000a155106/frameset.htm|http://help.sap.com/saphelp_nw70/helpdata/en/5c/22ee41c334c717e10000000a155106/frameset.htm])
    I assume that your scenario in the error case is sending up to three messages, and for each message a number of audit log entries are created. You might want to check the detailed entries in the log and see where they are coming from; you might be using custom modules etc. as well.
    Best regards,
    Silvia

  • Audit Reports on Cisco Security Manager

    Is there a way to schedule audit reports from Cisco Security Manager and distribute those reports via email or some other method?
    My auditors want a daily report of firewall configuration changes. They do not want to login into CS-Mgr every day to manually generate the report.

    Security Audit operates in one of two modes-the Security Audit wizard, which lets you choose which potential security-related configuration changes to implement on your router, and One-Step Lockdown, which automatically makes all recommended security-related configuration changes.
    On routers that do not support the command scheduler interval, Security Audit configures the scheduler allocate command whenever possible. When a router is fast-switching a large number of packets, it is possible for the router to spend so much time responding to interrupts from the network interfaces that no other work gets done. Some very fast packet floods can cause this condition. It may stop administrative access to the router, which is very dangerous when the device is under attack. The scheduler allocate command guarantees a percentage of the router CPU processes for activities other than network switching, such as management processes.
    The configuration that will be delivered to the router to set the scheduler allocate percentage is as follows:
    scheduler allocate 4000 1000

  • TFS 2013 - Export Audit Log - API?

    Trying to use the new 2013 access audit log found on the "Access Levels" Admin web page to compare against a list of users with MSDN accounts to ensure licensing compliance. While I can manually export the access log to .csv per the built-in functionality, is the audit log accessible via the TFS API?
    I would like to automate, say, obtaining audit log entries for the last 6 months ... within a PS script.

    Hi Jdlaw64,  
    Thanks for your post.
    The Export Audit Log shows all current users and groups information in the TFS Server; it contains all the information of who accessed the TFS Server and when they did that, and it also shows what level of access that user or group has. We cannot get the entries from this log by date time (last 6 months).

  • Audit Log requirement

    Hi,
    I would like to know if SAP Enterprise Portal provides Audit Logging as a standard feature and if so how we can configure the same. Also is it possible to monitor the users based on the business functionalities they access (like what menu functionalities they access etc).
    Also we have a requirement for monitoring and checking external interfaces (external systems that are being interfaced by enterprise portal). Is it possible to provide this through any of the standard features.
    Thanks & Regards
    Suresh

    Hi Suresh, Robert,
    This is the basic information about the security log:
    http://help.sap.com/saphelp_nwce711/helpdata/en/03/37dc4c25e4344db2935f0d502af295/content.htm
    Let me know of any further updates on this.
    ravindra

  • False Positive Audit Logs?

    Is it possible to get this log when running the audit for a mailbox when in fact the non-owner (user2) didn't access the mailbox?
    If I look under the event logs I cannot find any cmdlet event adding Full Access to user1.
    I deleted all events.
    I checked that user2 has no full access to the user1 mailbox.
    ... but still, from time to time, I see under audit that user2 accessed the user1 inbox as a delegate! How is that possible?
    Operation                : FolderBind
    OperationResult          : Succeeded
    LogonType                : Delegate
    ExternalAccess           : False
    FolderPathName           : \Inbox
    ClientInfoString         : Client=MSExchangeRPC
    ClientIPAddress          : *******
    ClientMachineName        :
    ClientProcessName        : OUTLOOK.EXE
    ClientVersion            : 14.0.6025.1000
    InternalLogonType        : Owner
    MailboxOwnerUPN          : user1 @ domain
    MailboxOwnerSid          : *******
    DestMailboxOwnerUPN      :
    DestMailboxOwnerSid      :
    DestMailboxGuid          :
    CrossMailboxOperation    :
    LogonUserDisplayName     : User 2
    LogonUserSid             : *******
    SourceItems              : {}
    SourceFolders            : {}
    ItemId                   :
    ItemSubject              :
    DirtyProperties          :
    OriginatingServer        : MailServer (14.01.0438.000)
    MailboxGuid              : *******
    MailboxResolvedOwnerName : User1
    LastAccessed             : 05/01/2014 10:00:00
    Identity                 : ******
    IsValid                  : True

    Hi,
    Firstly, I’d like to explain that we can delegate viewer access and open another user’s inbox or other folders:
    http://office.microsoft.com/en-in/outlook-help/allow-someone-else-to-manage-your-mail-and-calendar-HA010075081.aspx
    Thus, please check whether there is a send-on-behalf permission or a mailbox folder permission.
    Additionally, the Logon Type in the audit log only has Owner, Delegate and Admin, and any access from another user will be recorded in the log:
    http://technet.microsoft.com/en-us/library/ff459237(v=exchg.141).aspx
    Thanks,
    Angela Shi
    TechNet Community Support

  • Cisco IronPort Web Security 7.5 (Async OS).

    Hi All,
    Can anybody provide me the W3C sample logs of Cisco IronPort Web Security 7.5 (Async OS).
    Thanks,
    Sachin.

    "05/Oct/2012:10:17:00 +0200" 2152 NONE - 10.0.0.1 NONE 504 0 GET http://www.cisco.com/index.html - ALLOW_CUSTOMCAT_11-Intranet_Access-Intranet_Access_RD-NONE-NONE-NONE-Intranet  "Intranet"
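    As an added example (not from the post and not Cisco code), a small Python parser that tokenizes a W3C line like the one above while keeping the quoted fields whole, and decomposes the ACL decision tag. It assumes the policy-group names after the decision appear in the order access policy, identity, outbound malware scanning, data security, external DLP, routing policy, and that those names contain no hyphens.

```python
import shlex

# Constructed W3C line modelled on the sample in the post (assumed layout).
SAMPLE_LINE = (
    '"05/Oct/2012:10:17:00 +0200" 2152 NONE - 10.0.0.1 NONE 504 0 GET '
    'http://www.cisco.com/index.html - '
    'ALLOW_CUSTOMCAT_11-Intranet_Access-Intranet_Access_RD-NONE-NONE-NONE-Intranet '
    '"Intranet"'
)

# Policy-group names that follow the decision, in this assumed order; the
# group names themselves are assumed to contain no hyphens.
POLICY_SLOTS = (
    "access_policy", "identity", "outbound_malware_policy",
    "data_security_policy", "external_dlp_policy", "routing_policy",
)


def tokenize(line: str) -> list:
    """Split on whitespace but keep quoted fields (timestamp, category) whole."""
    return shlex.split(line)


def parse_acl_tag(tag: str) -> dict:
    """Decompose e.g. ALLOW_CUSTOMCAT_11-<six policy group names>."""
    decision, *groups = tag.rsplit("-", len(POLICY_SLOTS))
    if len(groups) != len(POLICY_SLOTS):
        raise ValueError(f"unexpected ACL tag layout: {tag!r}")
    action, _, reason = decision.partition("_")   # ALLOW / CUSTOMCAT_11
    parsed = {"action": action, "reason": reason}
    parsed.update(zip(POLICY_SLOTS, groups))
    return parsed


def is_acl_tag(field: str) -> bool:
    """Heuristic: an upper-case decision word followed by six hyphenated groups."""
    return field.count("-") >= len(POLICY_SLOTS) and field.split("_")[0].isupper()


def parse_line(line: str) -> dict:
    """W3C field positions are configurable on the WSA, so the decision tag is
    located by its shape rather than by a fixed column."""
    fields = tokenize(line)
    tags = [f for f in fields if is_acl_tag(f)]
    if len(tags) != 1:
        raise ValueError("could not identify exactly one ACL decision tag")
    parsed = parse_acl_tag(tags[0])
    parsed["timestamp"] = fields[0]        # quoted timestamp is first in the sample
    parsed["field_count"] = len(fields)
    return parsed


if __name__ == "__main__":
    for key, value in parse_line(SAMPLE_LINE).items():
        print(f"{key:24} {value}")
```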

  • Connection problems with ESA C160 and WSA S160

    Currently I have deployed ESA C160 and WSA S160 devices in a network, but I cannot remotely connect to the devices.
    I have installed a Cisco 2811 terminal server with octal cable connections and cannot seem to get terminal access.
    As well, I have connected the Management interface to a local switch and provisioned VLANs on subnet 192.168.42.X to allow for access, but no connection seems to work to gain access to the devices.
    I am wondering if there is a specific cable configuration or connection which will allow me access to the appliances for configuration.
    Any help is appreciated!

    Hi,
    Are you attempting a remote connection to the serial ports via the 2811? I may be misunderstanding your post.
    The serial ports are 9600 baud 8N1. Typically you will use a null modem cable for the connection.
    For the network, you should be able to connect to the management interface; SSH and HTTPS should be enabled by default. If you connect directly to this port using a crossover cable, can you establish a connection?
    If the network connection is failing, I would first start with the serial port so you can verify that the configuration is as you expect it to be, meaning the IP address and services enabled. If everything checks out in the configuration, I would next test using a crossover cable on the same subnet. If that works, then I would connect the appliance to a switch and test from there. The biggest questions that come up are whether you can route to the appliance over the network and whether you can resolve the host over the network.
    Christopher C Smith
    CSE
    Cisco IronPort Customer Support
