Ironport ESA Event Aggregation

Hi all,

ESM/ERC combo box here, running version 10.2.

I've begun sending Ironport Email Security Appliance logs to our ESM via syslog.  This is working well as far as it goes, but I'm having a big problem with aggregation.  Almost all of the logs received have the Ironport as their source IP, and no destination IP.  Therefore, the ESM is aggregating them like crazy.  Basically, every five minutes I'm getting one event with a high event count that is aggregated from the data of multiple emails passing through the Ironports.

Is it possible to adjust the aggregation for specific ASP rules?

Any other thoughts about what I'm doing?

Any help is appreciated.

Thanks,

- Steve

Accepted Solutions

Re: Ironport ESA Event Aggregation

To edit aggregation settings go to

Policy Editor -> Receiver -> Data Source

Open Advanced Filter, select only the device type ID you are looking for.

Here you may completely disable aggregation altogether for each rule or select rule(s) and Operations -> Modify Aggregation Settings.

Setting aggregation is one of the most important factors in having a reliable SIEM while still having excellent performance.

Brent

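To make the behaviour Steve describes concrete, here is a small model of window-based event aggregation, written as an added example for this thread rather than code from McAfee ESM or Cisco. It assumes a default aggregation key of signature ID, source IP and destination IP (an assumption; check your own receiver's Data Source rule settings), feeds it a few constructed lines in the style of ESA mail_logs, and shows how every line collapses into one bucket because the appliance is always the source and there is no destination, then how keying on the ESA message ID (MID) or disabling aggregation changes the result.

```python
"""Simplified model of SIEM event aggregation (constructed example, not ESM code).

Shows why Ironport ESA syslog lines, which all share the appliance as source IP
and carry no destination IP, collapse into a single high-count event per window
under a (signature, src_ip, dst_ip) key, and how a finer key behaves.
"""
import re

# Constructed sample lines in the style of ESA mail_logs forwarded over syslog.
SAMPLE_LOGS = [
    "Info: MID 1001 ICID 501 From: <alice@example.com>",
    "Info: MID 1001 ICID 501 To: <bob@example.org>",
    "Info: MID 1002 ICID 502 From: <carol@example.com>",
    "Info: MID 1002 ICID 502 To: <dave@example.org>",
    "Info: MID 1003 ICID 503 From: <alice@example.com>",
]
ESA_IP = "10.0.0.5"  # constructed address of the appliance (the syslog sender)

# Constructed signature name standing in for the parser rule that matched the line.
SIGNATURE_ID = "ESA_MAIL_INFO"

LINE_RE = re.compile(r"Info: MID (\d+) ICID (\d+) (From|To): <([^>]+)>")


def parse(line):
    """Return the fields a parser rule would extract from one ESA log line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparsed line: {line!r}")
    mid, icid, _direction, _addr = m.groups()
    return {
        "sig_id": SIGNATURE_ID,
        "src_ip": ESA_IP,   # the appliance is always the source of the syslog event
        "dst_ip": None,     # ESA mail logs carry no destination address
        "mid": mid,         # ESA message ID, unique per mail message
        "icid": icid,       # ESA injection connection ID
    }


def aggregate(events, key_fields):
    """Collapse events that share the same values for key_fields within one window.

    key_fields=None models aggregation being disabled: every event stays separate.
    Returns {key: event_count} in first-seen order.
    """
    buckets = {}
    for i, ev in enumerate(events):
        key = i if key_fields is None else tuple(ev.get(f) for f in key_fields)
        buckets[key] = buckets.get(key, 0) + 1
    return buckets


# Assumed default aggregation key; verify against your own Data Source rule settings.
DEFAULT_KEY = ("sig_id", "src_ip", "dst_ip")
# A finer key that aggregates per mail message instead of per appliance.
PER_MESSAGE_KEY = ("sig_id", "src_ip", "mid")


def demo(lines=SAMPLE_LOGS):
    """Aggregate the sample lines three ways and return the bucket maps."""
    events = [parse(line) for line in lines]
    return {
        "default": aggregate(events, DEFAULT_KEY),
        "per_message": aggregate(events, PER_MESSAGE_KEY),
        "disabled": aggregate(events, None),
    }


if __name__ == "__main__":
    for name, buckets in demo().items():
        print(f"{name}: {len(buckets)} event(s), counts={list(buckets.values())}")
```

With the default key the five lines become one event with count 5, which is exactly the "one event every five minutes with a high event count" symptom; keying on MID yields one event per message, and disabling aggregation for that rule keeps all five. Whatever fields you choose in Modify Aggregation Settings, the trade-off Brent mentions applies: a finer key means more stored events and more correlation work per window.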
2 Replies

Re: Ironport ESA Event Aggregation

Hello Brent,

Thank you very much!

I was looking for the aggregation settings under the ASP rules, instead of the Data Source rules.

I appreciate the help.

Best regards,

- Steve
