Configure CEF Log Entry and CEF Headers in ESA

Available Languages

Download Options

  • PDF     (139.0 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (204.6 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (148.3 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:October 25, 2022
Document ID:218345

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the configuration for Common Event Format (CEF) Log entry and headers for Cisco Secure Email Gateway (SEG).

    Prerequisites

    Requirements

    Cisco recommends knowledge of these topics:

    • Cisco Secure Email Gateway / Email Security Appliance (SEG / ESA)
    • Content Filters knowledge
    • Log subscription knowledge

    Components Used

    The information in this document is based on these software and hardware versions:

    • Email Security Appliance version 14.3

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    The Consolidated Event Logs summarizes each message event in a single log line. Use this log type in order to reduce the number of bytes of data (log information) sent to a Security Information and Event Management (SIEM) vendor or application for analysis. The logs are in the CEF log message format that is widely used by most SIEM vendors.

    CEF Log Entry and CEF Headers are added to provide extra information to track and organize the mail events.

    Configure

    CEF Log Entry

    Add the incoming/outgoing content filter

    First, create the content filter on the ESA:

    1. Go to Mail Policies > Incoming/Outgoing content filters
    2. Click in Add Filter
    3. Name the filter
    4. Add condition desired
    5. Click in Add Action
    6. Select Add CEF Log Entry
    7. Name the label and use Action Variables for the value box
    8. Submit and Commit

    This documentation example we use $MatchedContent Action Variable, as shown in the image:

    CEF Log entry action in content filtersCEF Log entry action in content filters

    Add CEF Log Entry in the Consolidated Event Log Subscription

    Next, create or modify the Consolidated Event Log Subscription to add the CEF Log Entry previously created:

    1. Go to System Administration > Log Subscriptions
    2. Add or Select the Consolidated Event Logs
    3. Select Custom Log Entries and click Add
    4. Submit and Commit

    Custom Log Entries in CEF Log SubscriptionCustom Log Entries in CEF Log Subscription

    CEF Headers

    Add the CEF Headers to log:

    First add the CEF Headers in the ESA

    1. Go to System Administration > Logs Subscription
    2. Click in Edit Settings under Global Settings
    3. Under CEF Headers, list the headers to log
    4. Submit and Commit

    CEF Headers ConfigurationCEF Headers Configuration

    Add CEF Log Entry in the Consolidated Event Log Subscription

    Next, create or modify the Consolidated Event Log Subscription to add the CEF Headers previously recorded:

    1. Go to System Administration > Logs Subscription
    2. Add or Select the Consolidated Event Logs
    3. Select Custom Log Entries and click Add
    4. Submit and Commit

    CEF Log Headers in CEF Log SubscriptionCEF Log Headers in CEF Log Subscription

    Related information

    Revision History

    Revision Publish Date Comments
    1.0
    26-Oct-2022
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Salvador Rivera Portillo
      Technical Consulting Engineer
    • Chris Arellano
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco