Cisco IronPort Mail Gateway
- What is Discovered and Monitored
- Event Types
- Rules
- Reports
- Configuration
- Settings for Access Credentials
What is Discovered and Monitored
Protocol |
Information discovered |
Metrics collected |
Used for |
---|---|---|---|
SNMP | Ping Status, SNMP Ping Stat, Uptime, CPU Util, Mem Util, Net Intf Stat, Hardware Status | ||
Syslog |
Mail attributes: attributes include MID, ICID, DCID, Sender address, Receiver Address, Mail Subject, Sent Bytes, Attachment, Spam indicator, Virus indicator, Quarantine indicator, SMTP delivery failures and failure codes, mail action - pass, block, clean. |
Security Monitoring and compliance |
Event Types
In ADMIN > Device Support > Event Types, search for "ironport-mail" to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
In RESOURCES > Reports, search for "ironport mail" in the main content panel Search... field to see the reports for this device.
Configuration
SNMP
FortiSIEM uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation. For more information, refer to sections "Discovery Settings" and "Setting Credentials" in the User Guide.
Syslog
- Log in to your Ironport Mail Gateway device manager with administrator privileges.
- Edit the Log Subscription settings.
- For Log Name, enter IronPort-Mail.
This identifies the log to FortiSIEM as originating from an Ironport mail gateway device. - For Retrieval Method, select Syslog Push.
- For Hostname, enter the IP address of your FortiSIEM virtual appliance.
- For Protocol, select UDP.
Sample Parsed Ironport Mail Gateway Syslog
Tue Sep 24 11:39:49 2012 IronPort-Mail: Info: MID 200257071 ready 24663 bytes from <someone@example.net>Sep 24 11:39:49 18.0.19.8 IronPort-Mail: Info: MID 1347076 ICID 346818 From: <john.doe@example.com>Tue Sep 24 11:39:49 2012 IronPort-Mail: Info: Message aborted MID 200257071 Dropped by antivirus Tue Sep 24 11:39:49 2012 IronPort-Mail: Info: Delayed: DCID 5 MID 200257071 to RID 0 - 4.1.0 - Unknown address error ('466', ['Mailbox temporarily full.'])[]
Settings for Access Credentials
Set these Access Method Definition values to allow FortiSIEM to communicate with your device.
Setting | Value |
---|---|
Name | <set name> |
Device Type | Cisco IronPort AsyncOS Mail |
Access Protocol | See Access Credentials |
Port | See Access Credentials |
Password config | See Password Configuration |