Ironport ESA Event Aggregation

Hi all,

ESM/ERC combo box here, running version 10.2.

I've begun sending Ironport Email Security Appliance logs to our ESM via syslog.  This is working well as far as it goes, but I'm having a big problem with aggregation.  Almost all of the logs received have the Ironport as their source IP, and no destination IP.  Therefore, the ESM is aggregating them like crazy.  Basically, every five minutes I'm getting one event with a high event count that is aggregated from the data of multiple emails passing through the Ironports.

Is it possible to adjust the aggregation for specific ASP rules?

Any other thoughts about what I'm doing?

Any help is appreciated.

Thanks,

- Steve

Accepted Solution

brenta (Reliable Contributor)

Re: Ironport ESA Event Aggregation

To edit aggregation settings go to

Policy Editor -> Receiver -> Data Source

Open Advanced Filter, select only the device type ID you are looking for.

Here you may completely disable aggregation altogether for each rule, or select rule(s) and choose Operations -> Modify Aggregation Settings.

Setting aggregation is one of the most important factors in having a reliable SIEM while still having excellent performance.

Brent
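To see why the ESM collapses these events, here is a toy aggregator, added as an example for this thread and not code from the original post or from McAfee ESM (the ESM's real implementation is not shown here). It runs over constructed log lines loosely modelled on ESA mail_logs entries, all reported from the same appliance IP with no destination IP, as Steve describes. With an aggregation key of (rule, source IP, destination IP) and a 5-minute window, several distinct messages fold into one record with a high count; adding a per-message field such as the MID to the key, or setting the window to zero (disabling aggregation for that rule), keeps them separate. Field names, the window length and the sample lines are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines, loosely modelled on ESA mail_logs; not real data.
# Every line comes from the same appliance (10.1.1.5) and carries no destination IP.
SAMPLE_LOGS = [
    "2024-01-15T10:00:01 10.1.1.5 Info: MID 5001 ICID 901 From: <alice@example.com>",
    "2024-01-15T10:00:01 10.1.1.5 Info: MID 5001 ICID 901 RID 0 To: <bob@corp.example>",
    "2024-01-15T10:00:02 10.1.1.5 Info: Message finished MID 5001 done",
    "2024-01-15T10:01:10 10.1.1.5 Info: MID 5002 ICID 902 From: <news@mailer.example>",
    "2024-01-15T10:01:10 10.1.1.5 Info: MID 5002 ICID 902 RID 0 To: <carol@corp.example>",
    "2024-01-15T10:01:11 10.1.1.5 Info: Message finished MID 5002 done",
    "2024-01-15T10:03:30 10.1.1.5 Info: MID 5003 ICID 903 From: <dave@example.org>",
    "2024-01-15T10:03:30 10.1.1.5 Info: MID 5003 ICID 903 RID 0 To: <bob@corp.example>",
    "2024-01-15T10:06:00 10.1.1.5 Info: MID 5004 ICID 904 From: <eve@example.net>",
]

# Assumed line shape: "<ISO timestamp> <reporting IP> Info: <text containing MID n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) Info: (?P<msg>.*MID (?P<mid>\d+).*)$"
)


def signature(msg):
    """Collapse identifiers so lines of the same kind map to the same rule name.

    This stands in for what a parsing rule does when it assigns a signature ID:
    addresses become <ADDR>, numbers become N.
    """
    s = re.sub(r"<[^>]*>", "<ADDR>", msg)
    return re.sub(r"\d+", "N", s)


def parse(lines):
    """Turn raw lines into normalized events; dst_ip is always None here."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are dropped in this toy model
        events.append({
            "time": datetime.fromisoformat(m["ts"]),
            "src_ip": m["src"],
            "dst_ip": None,
            "mid": m["mid"],
            "rule": signature(m["msg"]),
        })
    return events


def aggregate(events, key_fields, window=timedelta(minutes=5)):
    """Collapse events that share key_fields within `window` into one counted record.

    window=timedelta(0) makes every event its own record, i.e. aggregation disabled.
    """
    open_buckets = {}  # key -> record whose window is still open
    out = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = tuple(ev[f] for f in key_fields)
        rec = open_buckets.get(key)
        if rec is None or ev["time"] - rec["first"] >= window:
            rec = {"key": dict(zip(key_fields, key)), "first": ev["time"],
                   "last": ev["time"], "count": 0}
            open_buckets[key] = rec
            out.append(rec)
        rec["last"] = ev["time"]
        rec["count"] += 1
    return out


def summarize(records):
    """Return (rule, count) pairs, the view an analyst sees after aggregation."""
    return [(r["key"]["rule"], r["count"]) for r in records]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    coarse = aggregate(evs, ("rule", "src_ip", "dst_ip"))
    print("key = rule+src+dst :", summarize(coarse))
    fine = aggregate(evs, ("rule", "src_ip", "dst_ip", "mid"))
    print("key includes MID   :", summarize(fine))
    off = aggregate(evs, ("rule", "src_ip", "dst_ip"), window=timedelta(0))
    print("aggregation off    :", summarize(off))
```

With the coarse key the nine lines become four records (the 10:06:00 "From" line falls outside the first window and opens a new one), which is the "one event with a high event count" symptom from the question; keying on the MID as well, or a zero window, yields nine records. The trade-off Brent mentions is visible too: the per-message keys keep every email distinct but multiply the number of stored events on a busy gateway.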
Re: Ironport ESA Event Aggregation

Hello Brent,

Thank you very much!

I was looking for the aggregation settings under the ASP rules, instead of the Data Source rules. 

I appreciate the help.

Best regards,

- Steve
