It took a little bit of digging, but I've worked out a procedure I'd like you to try. If any of these steps are out of order or missing, please let me know as I'm working on some documentation for this process as we speak.
To configure Iron Port WSA to log to your LEM appliance:
- Connect to your Iron Port device.
- Click the System Administration tab.
- In the left pane, click Log Subscriptions.
- In the center pane, click Add Log Subscription.
- In the Log Type field, select Access Logs.
- In the Log Style section, select Squid.
- Provide a File Name if one is not provided by default.
- In the Retrieval Method section, select Syslog Push, and then supply the following information for your LEM appliance:
- Hostname: Enter the hostname of your LEM appliance.
- Protocol: Select TCP.
- Facility: Select a Facility and note it. You will use this when you configure the connector on your LEM Manager.
Note: The "logging facility" in Cisco products is equivalent to the local facility on the logging destination plus 16. For example, the default local facility used in the IronPort Web Security connector is local 7, so the corresponding logging facility in Iron Port would be 23.
- Click Submit.
To configure the IronPort Web Security connector on your LEM Manager:
- Navigate to the Manage > Appliances view in the LEM Console and log onto the LEM Manager on which you want to configure the tool.
- Click the gear icon next to the LEM Manager, and then select Tools.
- In the Tool Configuration window, enter
IronPortin the search box at the top of the Refine Results pane.
- Click the gear icon next to the IronPort Web Security connector, and then select New.
- Replace the Alias value with a custom alias, or accept the default.
- Verify the Log File value matches the Facility defined in Step 8.
- Click Save.
- Click the gear icon next to the new connector, denoted by an icon in the Status column, and then select Start.
- Click Close to close the Tool Configuration window.
- After the connector is running, create a filter to display all traffic from that device. For example, your filter conditions might read,
Any Alert.ToolAlias = *IronPort*using the default Alias of IronPort Web Security.
If that doesn't work, we can open a Support ticket so one of our techs can take a look at your system.
Thanks in advance for being our guinea pig.
The customer we originally set this up for had Iron Port S160. Although, now that I look at it, the "Syslog Push" option seems to be a feature in the Iron Port email security appliance.
We're looking into this a bit further, but it might be more expedient to set up a Support call if you'd be open to that. That way, we'll be able to take a look at your options and collect a log sample if necessary.
I saw a few others in the case notes that you might try:
I'm very interested to know your outcome. Hopefully I'll be able to document this so the next person in your shoes doesn't have the same problems. :)P.S. When you get these logging, try pointing each one at a different facility first. When you do, make sure you have a connector for each facility. That way, you can see which ones are working and which ones aren't.
- Data Security Logs
- System Logs
- Default Proxy Logs
- Updater Logs
If the option in Iron Port is "local7," then that should match the default Log File path on the LEM Manager. If you have that set correctly and the connector is started, look for alerts in the filter I suggested above, or keep an eye out for "Unmatched Data" alerts in the SolarWinds Alerts filter. If you don't see either, I don't think I can do much more to assist. You might want to open a Support ticket at this point.
Thanks for keeping me posted.
That's probably a good idea.
One thing to check before you touch base with Support, though: Make sure you have the connector configured and started on your LEM Manager. That might be part of the problem. You might have already done this, but I thought I'd mention it just in case.
Thanks for keeping us posted. You're an invaluable resource!
I ended up getting a tool update that let it view some of the logs. You have to configure the WSA to export the logs to syslog. I have the following logs configured:
The version we're running doesn't support a syslog push for the access logs. Last I looked we were getting a fairly high percentage of unmatched data. I submitted the logs to support but don't remember where it went from there. (I got pulled off to another couple of projects.)