I agree, but we can add IronPort as custom device and write custom log parsers for that. I am confused which logs do we need to capture and write parsers as IronPort does not provide message log in one line I mean it break in pieces and maintain MID for each line.
Secondly, I have setup custom device, I received messages but I got "Buffer overflow" error message in IronPort and stop sending logs to CS-MARS.
Can you please advice so as to what could be the cause for this.
I really appreciate if you could advice some interesting things which we can log into CS-MARS from IronPort. Thanks.
What logs are IronPort device sending? syslog messages or snmp traps? Generally MARS pretty much just takes syslog and/or snmp. Other types of logging is normally pretty difficult to parse in MARS, and requires complex custom parser to be written.
I have setup to receive syslog messages from ironport. We configured IronPort to push syslog maillog messages to CS-MARS. It received for a while and it stopped giving error in Ironport something like CSMARS buffer overflow. Below are some messages received from IronPort in CS-MARS.
Parsing error or event type unknown: <22>May 14 12:47:35 MailLog_CSMARS: Info: Message done DCID 61561334 MID 102046326 to RID [1, 2, 3, 4]
Parsing error or event type unknown: <22>May 14 12:47:36 MailLog_CSMARS: Info: MID 102046330 interim AV verdict using Sophos CLEAN
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...