14 Replies Latest reply: May 25, 2012 7:30 AM by ecornwell

IronPort Web Security Support

ecornwell

Hello,

I saw in the release notes that IronPort Web Security is now supported.  I've done some brief looking to see how to get the data there with no luck.  Does anyone have any suggestions on how to integrate the WSA to LEM?  From what I've seen, it looks like it wants to accept the data via syslog.

Thanks!

  • Re: IronPort Web Security Support
    phil3

    Hello again.

    It took a little bit of digging, but I've worked out a procedure I'd like you to try. If any of these steps are out of order or missing, please let me know as I'm working on some documentation for this process as we speak.

    To configure Iron Port WSA to log to your LEM appliance:

    1. Connect to your Iron Port device.
    2. Click the System Administration tab.
    3. In the left pane, click Log Subscriptions.
    4. In the center pane, click Add Log Subscription.
    5. In the Log Type field, select Access Logs.
    6. In the Log Style section, select Squid.
    7. Provide a File Name if one is not provided by default.
    8. In the Retrieval Method section, select Syslog Push, and then supply the following information for your LEM appliance:
      • Hostname: Enter the hostname of your LEM appliance.
      • Protocol: Select TCP.
      • Facility: Select a Facility and note it. You will use this when you configure the connector on your LEM Manager.
        Note: The "logging facility" in Cisco products is equivalent to the local facility on the logging destination plus 16. For example, the default local facility used in the IronPort Web Security connector is local 7, so the corresponding logging facility in Iron Port would be 23.
    9. Click Submit.

    To configure the IronPort Web Security connector on your LEM Manager:

    1. Navigate to the Manage > Appliances view in the LEM Console and log onto the LEM Manager on which you want to configure the tool.
    2. Click the gear icon next to the LEM Manager, and then select Tools.
    3. In the Tool Configuration window, enter IronPort in the search box at the top of the Refine Results pane.
    4. Click the gear icon next to the IronPort Web Security connector, and then select New.
    5. Replace the Alias value with a custom alias, or accept the default.
    6. Verify the Log File value matches the Facility defined in Step 8.
    7. Click Save.
    8. Click the gear icon next to the new connector, denoted by an icon in the Status column, and then select Start.
    9. Click Close to close the Tool Configuration window.
    10. After the connector is running, create a filter to display all traffic from that device. For example, your filter conditions might read, Any Alert.ToolAlias = *IronPort* using the default Alias of IronPort Web Security.

    If that doesn't work, we can open a Support ticket so one of our techs can take a look at your system.

    Thanks in advance for being our guinea pig.

    • Re: IronPort Web Security Support
      ecornwell

      Hi Phil,

      Thanks for the response.  That's what I was thinking I should do but we don't have the "Syslog Push" option for the log export.  Do you know what version you have to have to support this? 

      Thanks!

      • Re: IronPort Web Security Support
        phil3

        The customer we originally set this up for had Iron Port S160. Although, now that I look at it, the "Syslog Push" option seems to be a feature in the Iron Port email security appliance.

        We're looking into this a bit further, but it might be more expedient to set up a Support call if you'd be open to that. That way, we'll be able to take a look at your options and collect a log sample if necessary.

        Thanks again.

      • Re: IronPort Web Security Support
        phil3

        Will you try selecting Webroot Logs instead of Access Logs and see what kind of options you have?

        • Re: IronPort Web Security Support
          ecornwell

          Yes, I saw the Syslog option in our ESA as well. 

          The Webroot logs do have the syslog option.  I'll try those.  Are any of the other logs recommended?

          • Re: IronPort Web Security Support
            phil3

            I saw a few others in the case notes that you might try:

            • Data Security Logs
            • System Logs
            • Default Proxy Logs
            • Updater Logs

            I'm very interested to know your outcome. Hopefully I'll be able to document this so the next person in your shoes doesn't have the same problems. :)

            P.S. When you get these logging, try pointing each one at a different facility first. When you do, make sure you have a connector for each facility. That way, you can see which ones are working and which ones aren't.

            • Re: IronPort Web Security Support
              ecornwell

              Ok, I've got all 5 of those set up and pointed towards LEM.  (I noticed your PS as I was typing this post.)  So far, I haven't seen any data.  I even went to a site to get blocked.

              I have them both set for facility local7.  Do I need to change LEM to be something like local 23?

              • Re: IronPort Web Security Support
                phil3

                If the option in Iron Port is "local7," then that should match the default Log File path on the LEM Manager. If you have that set correctly and the connector is started, look for alerts in the filter I suggested above, or keep an eye out for "Unmatched Data" alerts in the SolarWinds Alerts filter. If you don't see either, I don't think I can do much more to assist. You might want to open a Support ticket at this point.

                Thanks for keeping me posted.

                • Re: IronPort Web Security Support
                  ecornwell

                  Looks like I'm going to have to open a support case.  I checked and the syslog info is making it to LEM.  Running a checklogs from the console shows data in the facility I have configured but it doesn't look like it is parsing it at all.

                  • Re: IronPort Web Security Support
                    DanielleH

                    Hi ecornwell--

                    Would you please post back here with your ticket number and keep us updated with your progress on this issue?

                    Thanks!
                    DH

                  • Re: IronPort Web Security Support
                    phil3

                    That's probably a good idea.

                    One thing to check before you touch base with Support, though: Make sure you have the connector configured and started on your LEM Manager. That might be part of the problem. You might have already done this, but I thought I'd mention it just in case.

                    Thanks for keeping us posted. You're an invaluable resource!

                    • Re: IronPort Web Security Support
                      jeffness

                      What was the outcome of this? I have an IronPort S160 WSA and would like for LEM to be able to see the accesslogs if possible.

                      • Re: IronPort Web Security Support
                        ecornwell

                        I ended up getting a tool update that let it view some of the logs.  You have to configure the WSA to export the logs to syslog.  I have the following logs configured:

                        • Data Security
                        • Default Proxy
                        • System Logs
                        • Updated
                        • Webroot

                        The version we're running doesn't support a syslog push for the access logs.  Last I looked we were getting a fairly high percentage of unmatched data.  I submitted the logs to support but don't remember where it went from there.  (I got pulled off to another couple of projects.)