...
The document includes the following topics:
...
Table of Contents |
---|
...
Port Requirements
...
Configuring Cisco IronPort Security
...
Recommended Log Fields
|
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MSSMDR_Supported_Products_List.xlsx), which can be found in the Accenture Portal: https://mss.accenture.com/PortalNextGen/Reports/Documents
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source | Destination | TCP Port | Description |
---|---|---|---|
Cisco IronPort Proxy | LCP | 21 (TCP) | FTP port for log upload |
Configuring Cisco IronPort Security
To configure the IronPort Web Security device, follow the steps below.
...
3. On the Log Subscriptions page, click Add Log Subscription. The new Log Subscription page appears.
...
Information | Description |
---|---|
Log Type | Select W3C Logs, as the collector works only with W3C compatible logs. |
Log Name | You must enter a log name. This log name is used for the log directory which stores log files for the subscription. |
Log Fields | From the Available Log Fields list, select the required fields and then click Add. The selected fields are added to the Selected Log Fields list. For the recommended log fields, refer to Recommended Log Fields. You can re-order the fields using the Move Up and Move Down buttons. To remove a field from the Selected Log Fields list, select the field and click Remove. Note: You can add the fields in any order. |
Rollover by File Size | Specify the maximum file size to which the current log file can grow before it is archived and a new log file is started. Note: The maximum recommended file size of the FTP log is 500 MB. This size can be reduced depending on the device logging status. |
Rollover by Time | Specify the maximum time interval before the current log file is archived and a new log file started. |
File Name | Enter a name for the log file. |
Log Compression | Specifies whether or not rolled over files are compressed. Note: Although gzip compression is supported, it is recommended not to enable this field, because the file size may reach gigabytes after decompression, which slows log processing by the LCP. |
Log Exclusions (Optional) | Allows you to specify HTTP status codes (4xx or 5xx only) to exclude the associated transactions from a W3C access log. Note: You can provide multiple status codes as comma-separated (,) values. |
Retrieval Method | Specifies where rolled over log files are stored and how they are retrieved for reading. You must transfer the logs to the configured folder of the machine where the collector is installed. Select FTP on Remote Server and enter the following information. FTP Host: Enter the lcp_ip_address. Directory: Provide the directory as “/”. Username: Always provide the username as ciscoironport. Passphrase: You can keep it blank. |
Note: File transfer via SCP is not supported.
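A check that can be run on a rolled-over file before onboarding, given here as an added example that is not part of the original Accenture or Cisco documentation: it tests the settings from the table above that affect LCP processing (W3C format, Log Compression, the 500 MB guideline, Log Exclusions values). The function names, the sample log lines and the field names in them are constructed for illustration; pass in the field list from Recommended Log Fields.

```python
import re

MAX_LOG_BYTES = 500 * 1024 * 1024  # 500 MB guideline from the Rollover by File Size note
GZIP_MAGIC = b"\x1f\x8b"           # first two bytes of any gzip stream

def check_rolled_log(data, required_fields, max_bytes=MAX_LOG_BYTES):
    """Return findings for one rolled-over log file (bytes); an empty list means OK."""
    if data[:2] == GZIP_MAGIC:
        # Do not decompress here: the expanded size may reach gigabytes.
        return ["gzip-compressed: Log Compression is enabled on the subscription"]
    findings = []
    if len(data) > max_bytes:
        findings.append(f"size {len(data)} bytes exceeds limit of {max_bytes}")
    fields = None
    for n, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            missing = [f for f in required_fields if f not in fields]
            if missing:
                findings.append("missing fields: " + ", ".join(missing))
        elif line.startswith("#") or not line.strip():
            continue  # other W3C directives (#Version, #Date, ...) and blank lines
        elif fields is None:
            break     # data row with no header above it
        else:
            # W3C values containing spaces are double-quoted; count each as one column.
            cols = re.findall(r'"[^"]*"|\S+', line)
            if len(cols) != len(fields):
                findings.append(f"line {n}: {len(cols)} columns, expected {len(fields)}")
    if fields is None:
        findings.append("no #Fields directive before data: not a W3C log")
    return findings

def check_exclusions(value):
    """Return entries of a Log Exclusions value that are not 4xx or 5xx status codes."""
    entries = [e.strip() for e in value.split(",")] if value.strip() else []
    return [e for e in entries if not re.fullmatch(r"[45]\d\d", e)]

# Constructed sample log; field names and values are illustrative assumptions.
SAMPLE = (b"#Version: 1.0\n"
          b"#Fields: timestamp c-ip cs-url sc-http-status\n"
          b"1700000000.123 192.0.2.10 http://example.test/ 200\n"
          b'1700000001.456 192.0.2.11 "http://example.test/a b" 404 extra\n')

if __name__ == "__main__":
    for finding in check_rolled_log(SAMPLE, ["timestamp", "c-ip", "cs-username"]):
        print(finding)
    print("invalid exclusions:", check_exclusions("404, 503,302,4xx"))
```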
...
Table 1-3: The Cisco IronPort event collector (FTP - 3798) properties to be configured by MSS MDR are shown in the table.
Property | Default Value | Description |
---|---|---|
Port Number | 21 | The default port number for FTP. |
Hostnames/IP Addresses | Cisco IronPort Proxy SG IP Address | Logging device IP Address mentioned in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, contact the Accenture MDR On-boarding team. |
...