04-27-2017 10:50 AM
Hi everyone,
I'm looking for the best method to capture all headers from every incoming message. My current approach is to add an Incoming Content Filter, with no Conditions, and an Action of log-entry("$AllHeaders")
Is this the best method? What other methods are available to capture headers?
04-27-2017 11:37 AM
Hi,
That would be one way to do it if you are looking to log all email headers.
If there is a specific header you would like to log, you could also use the steps in the article below.
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118291-technote-esa-00.html
Thank You!
Libin Varghese
03-14-2018 10:17 AM
@Libin Varghese wrote:
Hi,
That would be one way to do it if you are looking to log all email headers.
If there is a specific header you would like to log, you could also use the steps in the article below.
Thank You!
Libin Varghese
Does "$AllHeaders" work in logconfig > LOGHEADERS? I don't want to add a new content filter, and I also don't want to input multiple header names separated by commas.
03-15-2018 02:04 AM
I do not see an option to log all headers under logconfig.
A message filter can also be used:
if (condition = true) { log-entry("$AllHeaders") }
03-17-2018 08:44 AM
Logging all headers has some performance implications on your ESA and SMA on a busy system.
I highly recommend that you only keep the headers in logconfig you really need, as this will increase the mail log size and the search times on your SMAs. An alternate approach is to quarantine the messages you are interested in for maybe 14 days and then delete them. In the policy quarantine you will always be able to see all incoming message headers.
04-05-2018 09:05 AM
The use case for this was ingestion of specific headers into our SIEM platform. As Marc points out, logging everything is a potential performance hit. We ultimately decided to use log-entry actions to target the specific headers we needed. This also allowed us to format the log lines for easier parsing by our SIEM.
For example:
log-entry("hostname=\"$Hostname\" direction=\"inbound\" size=\"$BodySize\" env_sender=\"$envelopefrom\" policy=\"$Policy\" listener=\"$RecvListener\" interface=\"$RecvInt\" src_ip=\"$RemoteIP\" src_host=\"$remotehost\" message_id=\"$Header['Message-ID']\"")
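The key="value" layout in the log-entry action above is what makes the SIEM side easy. As an added example (not from this thread or from Cisco), here is a small Python parser for such mail_logs lines, run over constructed sample lines; the "MID ... Custom Log Entry:" prefix and every field value are assumptions, and the subject field in the second sample shows why escaped quotes must be handled.

```python
import re
from typing import Dict, List, Optional

# One key="value" pair as written by the log-entry action above. A value may
# hold backslash-escaped quotes (e.g. a Subject), so match escaped pairs
# explicitly rather than stopping at the first quote.
_PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
# Prefix the ESA mail log puts before a custom log entry (assumed format).
_PREFIX_RE = re.compile(r'MID (\d+) Custom Log Entry: (.*)$')

def _unescape(raw: str) -> str:
    """Drop the backslash from escaped characters inside a value."""
    return re.sub(r'\\(.)', r'\1', raw)

def parse_custom_log_entry(line: str) -> Optional[Dict[str, str]]:
    """Return the MID plus all fields of a custom log entry, or None if the
    line is some other mail_logs record."""
    m = _PREFIX_RE.search(line)
    if not m:
        return None
    fields = {"mid": m.group(1)}
    for key, raw in _PAIR_RE.findall(m.group(2)):
        fields[key] = _unescape(raw)
    return fields

REQUIRED = ("src_ip", "env_sender", "message_id")

def missing_fields(entry: Dict[str, str]) -> List[str]:
    """Keys a SIEM correlation rule would need that are absent or empty."""
    return [k for k in REQUIRED if not entry.get(k)]

# Constructed sample lines (values invented). The second line carries fewer
# fields than the posted action so that missing_fields() has something to report.
SAMPLE_LINES = [
    'Thu Apr  5 09:05:12 2018 Info: MID 123456 Custom Log Entry: '
    'hostname="esa1.example.com" direction="inbound" size="4096" '
    'env_sender="alice@example.net" policy="DEFAULT" listener="IncomingMail" '
    'interface="Data 1" src_ip="203.0.113.7" src_host="mail.example.net" '
    'message_id="<abc123@example.net>"',
    'Thu Apr  5 09:05:13 2018 Info: MID 123457 Custom Log Entry: '
    'hostname="esa1.example.com" direction="inbound" size="512" env_sender="" '
    'src_ip="198.51.100.9" src_host="unknown" subject="Re: \\"invoice\\""',
    'Thu Apr  5 09:05:14 2018 Info: MID 123458 ICID 7 From: <bob@example.org>',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        entry = parse_custom_log_entry(line)
        print(entry, missing_fields(entry) if entry else "not a custom log entry")
```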