14 Replies Latest reply on May 25, 2012 7:30 AM by ecornwell

    IronPort Web Security Support



      I saw in the release notes that IronPort Web Security is now supported.  I've done some brief looking to see how to get the data there with no luck.  Does any one have any suggestions on how to integrate the WSA to LEM?  From what I've seen, it looks like it wants to accept the data via syslog.



        • Re: IronPort Web Security Support

          Hello again.

          It took a little bit of digging, but I've worked out a procedure I'd like you to try. If any of these steps are out of order or missing, please let me know as I'm working on some documentation for this process as we speak.

          To configure Iron Port WSA to log to your LEM appliance:

          1. Connect to your Iron Port device.
          2. Click the System Administration tab.
          3. In the left pane, click Log Subscriptions.
          4. In the center pane, click Add Log Subscription.
          5. In the Log Type field, select Access Logs.
          6. In the Log Style section, select Squid.
          7. Provide a File Name if one is not provided by default.
          8. In the Retrieval Method section, select Syslog Push, and then supply the following information for your LEM appliance:
            • Hostname: Enter the hostname of your LEM appliance.
            • Protocol: Select TCP.
            • Facility: Select a Facility and note it. You will use this when you configure the connector on your LEM Manager.
              Note: The "logging facility" in Cisco products is equivalent to the local facility on the logging destination plus 16. For example, the default local facility used in the IronPort Web Security connector is local 7, so the corresponding logging facility in Iron Port would be 23.
          9. Click Submit.

          To configure the IronPort Web Security connector on your LEM Manager:

          1. Navigate to the Manage > Appliances view in the LEM Console and log onto the LEM Manager on which you want to configure the tool.
          2. Click the gear icon next to the LEM Manager, and then select Tools.
          3. In the Tool Configuration window, enter IronPort in the search box at the top of the Refine Results pane.
          4. Click the gear icon next to the IronPort Web Security connector, and then select New.
          5. Replace the Alias value with a custom alias, or accept the default.
          6. Verify the Log File value matches the Facility defined in Step 8.
          7. Click Save.
          8. Click the gear icon next to the new connector, denoted by an icon in the Status column, and then select Start.
          9. Click Close to close the Tool Configuration window.
          10. After the connector is running, create a filter to display all traffic from that device. For example, your filter conditions might read, Any Alert.ToolAlias = *IronPort* using the default Alias of IronPort Web Security.

          If that doesn't work, we can open a Support ticket so one of our techs can take a look at your system.

          Thanks in advance for being our guinea pig.

            • Re: IronPort Web Security Support

              Hi Phil,

              Thanks for the response.  That's what I was thinking I should do but we don't have the "Syslog Push" option for the log export.  Do you know what version you have to have to support this? 


                • Re: IronPort Web Security Support

                  The customer we originally set this up for had Iron Port S160. Although, now that I look at it, the "Syslog Push" option seems to be a feature in the Iron Port email security appliance.

                  We're looking into this a bit further, but it might be more expedient to set up a Support call if you'd be open to that. That way, we'll be able to take a look at your options and collect a log sample if necessary.

                  Thanks again.

                  • Re: IronPort Web Security Support

                    Will you try selecting Webroot Logs instead of Access Logs and see what kind of options you have?

                      • Re: IronPort Web Security Support

                        Yes, I saw the Syslog option in our ESA as well. 

                        The Webroot logs do have the syslog option.  I'll try those.  Are any of the other logs recommended?

                          • Re: IronPort Web Security Support

                            I saw a few others in the case notes that you might try:


                            • Data Security Logs
                            • System Logs
                            • Default Proxy Logs
                            • Updater Logs
                            I'm very interested to know your outcome. Hopefully I'll be able to document this so the next person in your shoes doesn't have the same problems. :)
                            P.S. When you get these logging, try pointing each one at a different facility first. When you do, make sure you have a connector for each facility. That way, you can see which ones are working and which ones aren't.
                              • Re: IronPort Web Security Support

                                Ok, I've got all 5 of those setup and pointed towards LEM.  (I noticed your PS as I was typing this post.)  So far, I haven't see any data.  I event went to a site to get blocked. 

                                I have them both set for facility local7.  Do I need to change LEM to be something like local 23?

                                  • Re: IronPort Web Security Support

                                    If the option in Iron Port is "local7," then that should match the default Log File path on the LEM Manager. If you have that set correctly and the connector is started, look for alerts in the filter I suggested above, or keep an eye out for "Unmatched Data" alerts in the SolarWinds Alerts filter. If you don't see either, I don't think I can do much more to assist. You might want to open a Support ticket at this point.

                                    Thanks for keeping me posted.