I've begun sending Ironport Email Security Appliance logs to our ESM via syslog. This is working well as far as it goes, but I'm having a big problem with aggregation. Almost all of the logs received have the Ironport as their source IP, and no destination IP. Therefore, the ESM is aggregating them like crazy. Basically, every five minutes I'm getting one event with a high event count that is aggregated from the data of multiple emails passing through the Ironports.
Is it possible to adjust the aggregation for specific ASP rules?