Logging All Headers

joelbland
Level 1

Hi everyone,

I'm looking for the best method to capture all headers from every incoming message. My current approach is to add an Incoming Content Filter, with no Conditions, and an Action of log-entry("$AllHeaders")

Is this the best method? What other methods are available to capture headers?

Accepted Solutions

Libin Varghese
Cisco Employee

Hi,

That would be one way to do it if you are looking to log all email headers.

If there is a specific header you would like to log you could also use the steps mentioned in the below article.

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118291-technote-esa-00.html

Thank You!

Libin Varghese

5 Replies


@Libin Varghese wrote:

Hi,

That would be one way to do it if you are looking to log all email headers.

If there is a specific header you would like to log you could also use the steps mentioned in the below article.

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118291-technote-esa-00.html

Thank You!

Libin Varghese


Does "$AllHeaders" work in "logconfig" - "LOGHEADERS"? I don't want to add a new content filter and also don't want to input multiple header names with commas.

I do not see an option to log all headers under logconfig.

Message filter can also be used.

LogAllHeaders: if (true)
{
    log-entry("$AllHeaders");
}

Logging all headers has some performance implications on your ESA and SMA on a busy system.

I highly recommend that you only keep the headers in logconfig you really need, as this will increase the mail log size and the search times on your SMAs. An alternative approach is to quarantine the messages you are interested in for maybe 14 days and then delete them. In the policy quarantine you will always be able to see all incoming message headers.

The use case for this was ingestion of specific headers into our SIEM platform. As Marc points out, logging everything is a potential performance hit. We ultimately decided to use log-entry actions to target the specific headers we needed. This also allowed us to format the log lines for easier parsing by our SIEM.

For example:

log-entry("hostname=\"$Hostname\" direction=\"inbound\" size=\"$BodySize\" env_sender=\"$envelopefrom\" policy=\"$Policy\" listener=\"$RecvListener\" interface=\"$RecvInt\" src_ip=\"$RemoteIP\" src_host=\"$remotehost\" message_id=\"$Header['Message-ID']\"")
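The key="value" layout that joelbland describes is easy to consume on the SIEM side. The following is an added example written for this page, not code from the thread or from Cisco: it parses constructed mail_logs lines that carry the log-entry text above into records, tolerates the escaped double quotes the filter's \" produces, and checks that every field the filter is expected to emit is present, so a change to the filter that drops a field is caught at ingestion rather than discovered during an investigation. The line prefix (`... Info: MID <n> Custom Log Entry: ...`) is an assumption about how AsyncOS renders a log-entry action; adjust PREFIX_RE to match what your appliance actually writes.

```python
import re
from typing import Dict, List, Optional

# Constructed sample mail_logs lines (not taken from the thread or from a real ESA).
# The "Info: MID <n> Custom Log Entry:" prefix is an assumption about AsyncOS output.
SAMPLE_LINES = [
    'Wed Mar  4 10:15:22 2020 Info: MID 4711 Custom Log Entry: hostname="esa1.example.test" '
    'direction="inbound" size="18342" env_sender="alice@example.test" policy="DEFAULT" '
    'listener="IncomingMail" interface="Data1" src_ip="203.0.113.7" src_host="mail.example.test" '
    'message_id="<20200304101500.abc@example.test>"',
    # Envelope sender containing double quotes, written as \" by the filter's escaping.
    'Wed Mar  4 10:16:02 2020 Info: MID 4712 Custom Log Entry: hostname="esa1.example.test" '
    'direction="inbound" size="2048" env_sender="\\"Bob Jones\\"@example.test" policy="DEFAULT" '
    'listener="IncomingMail" interface="Data1" src_ip="198.51.100.9" src_host="unknown" '
    'message_id="<x@y>"',
    # An ordinary mail_logs line that is not a custom log entry and must be ignored.
    'Wed Mar  4 10:16:05 2020 Info: MID 4713 ICID 99 From: <carol@example.test>',
]

# Fields the log-entry action in the post is expected to emit on every line.
EXPECTED_FIELDS = {
    "hostname", "direction", "size", "env_sender", "policy",
    "listener", "interface", "src_ip", "src_host", "message_id",
}

# Timestamp, MID and the free-form body written by log-entry (format assumed, see above).
PREFIX_RE = re.compile(r"^(?P<ts>.+?) Info: MID (?P<mid>\d+) Custom Log Entry: (?P<body>.*)$")

# key="value" pairs; the value may contain backslash-escaped quotes (\") from the filter.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_custom_log_entry(line: str) -> Optional[Dict[str, str]]:
    """Return a dict of fields for a custom log entry line, or None for any other line."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    record = {"timestamp": m.group("ts"), "mid": m.group("mid")}
    for key, raw in KV_RE.findall(m.group("body")):
        # Undo the \" escaping so the SIEM sees the original value.
        record[key] = raw.replace('\\"', '"')
    return record


def missing_fields(record: Dict[str, str]) -> List[str]:
    """Names of expected filter fields absent from a parsed record (empty when complete)."""
    return sorted(EXPECTED_FIELDS - set(record))


def parse_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse every custom log entry in the given lines, skipping unrelated log lines."""
    parsed = (parse_custom_log_entry(line) for line in lines)
    return [rec for rec in parsed if rec is not None]


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LINES):
        gaps = missing_fields(rec)
        status = "ok" if not gaps else "missing " + ",".join(gaps)
        print(f"MID {rec['mid']} from {rec['src_ip']} ({rec['src_host']}): {status}")
```

Feed the parser the mail_logs stream before the SIEM's own field extraction; records with a non-empty missing_fields result indicate the content filter or message filter was edited and the SIEM schema needs updating.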