This quick start guide helps Accenture MDR customers configure Cisco® IronPort Web Security to push its W3C access logs to the Log Collection Platform (LCP) over FTP, so that the LCP can collect them.
The document includes the following topics:
Supported Versions
Port Requirements
Configuring Cisco IronPort Web Security
Recommended Log Fields
LCP Configuration Parameters
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture Portal: https://mss.accenture.com/PortalNextGen/Reports/Documents
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source | Destination | TCP Port | Description |
Cisco IronPort Proxy | LCP | 21 (TCP) | FTP control port. The proxy initiates the connection and uploads its rolled-over log files to the LCP. |
Note: FTP sends the username and the log content in clear text, so the path between the proxy and the LCP should be a trusted management network. Besides the control port, FTP data transfers use additional TCP ports (on the LCP in passive mode, on the proxy in active mode); confirm with the Accenture MDR On-boarding team which mode the LCP expects before finalising firewall rules.
Configuring Cisco IronPort Web Security
To configure the IronPort Web Security device, follow the steps below.
1. Log in to the IronPort Web Security web interface.
2. Go to System Administration > Log Subscriptions. The Log Subscriptions page appears.
3. On the Log Subscriptions page, click Add Log Subscription. The New Log Subscription page appears.
Note: The FTP username entered in the Retrieval Method settings (step 4) must be ciscoironport. With any other username, the LCP processes the uploaded files with its Universal FTP collector instead of the Cisco IronPort collector, and the fields are not parsed as described in this guide.
4. On the New Log Subscription page, fill in the following fields:
Table 1-2: Log Subscription Fields
Information | Description |
Log Type | Select W3C Logs. The collector works only with W3C-compatible logs. |
Log Name | Enter a log name. The name is used for the log directory in which the log files for this subscription are stored. |
Log Fields | From the Available Log Fields list, select the required fields and click Add. The selected fields are added to the Selected Log Fields list. For the recommended fields, refer to Recommended Log Fields. You can re-order the fields with the Move Up and Move Down buttons. To remove a field from the Selected Log Fields list, select it and click Remove. Note: The fields can be added in any order, but the sequence given under Recommended Log Fields is the recommended one. |
Rollover by File Size | Specify the maximum size to which the current log file can grow before it is archived and a new log file is started. Note: The maximum recommended file size for the FTP log is 500 MB. Reduce it if the device's log volume makes smaller, more frequent uploads preferable. |
Rollover by Time | Specify the maximum time interval before the current log file is archived and a new log file is started. |
File Name | Enter a name for the log file. |
Log Compression | Specifies whether rolled-over files are compressed. Note: Although gzip compression is supported, it is recommended not to enable it: a compressed file can expand to gigabytes after decompression, which slows log processing on the LCP. |
Log Exclusions (Optional) | Specify HTTP status codes (4xx or 5xx only) whose transactions are to be excluded from the W3C access log. Note: Multiple status codes can be given as comma-separated values, for example 404,500. |
Retrieval Method | Specifies where rolled-over log files are stored and how they are retrieved. The logs must be transferred to the configured folder on the machine where the collector is installed. Select FTP on Remote Server and enter the following: FTP Host: the IP address of the LCP. Directory: / (the root directory). Username: ciscoironport, always. Passphrase: may be left blank. |
Note: File transfer via SCP is not supported.
5. Click Submit. The subscription appears on the Log Subscriptions page, and the Commit Changes button is enabled at the top-right corner.
6. Click Commit Changes to save the changes. The Uncommitted Changes page appears.
7. Optionally, roll over the logs immediately by selecting the check box under the Rollover field and clicking Rollover Now.
8. Enter a comment in the Comment field and click Commit Changes. After a successful commit, the message "Your changes have been committed." appears.
Recommended Log Fields
Note: Arrange the log fields in the sequence below.
Cisco® IronPort Web Security |
timestamp |
c-ip |
c-port |
cs(Referer) |
cs(User-Agent) |
cs(X-Forwarded-For) |
cs-auth-group |
cs-method |
cs-mime-type |
cs-uri |
cs-url |
cs-username |
cs-version |
date |
time |
s-hierarchy |
s-hostname |
s-ip |
s-port |
sc-http-status |
sc-result-code |
sc-result-code-denial |
cs-bytes |
sc-bytes |
x-acltag |
x-elapsed-time |
x-mcafee-av-virustype |
x-mcafee-scanverdict |
x-mcafee-virus-name |
x-result-code |
x-webcat-code-full |
x-webroot-scanverdict |
x-webroot-spyid |
x-webroot-threat-name |
x-amp-verdict |
x-amp-malware-name |
x-amp-score |
x-amp-upload |
x-amp-filename |
x-amp-sha |
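The following Python script is an added example; it is not part of this guide and not Cisco or Accenture code. It parses a W3C access log of the kind the subscription above produces (a '#Fields:' directive names the columns, values are space-separated and quoted when they contain spaces), reports which recommended fields the subscription left out, checks that the fields present follow the recommended sequence, validates a Log Exclusions value against the 4xx/5xx rule, and counts denied transactions per client. The log lines, host names and addresses are constructed for illustration.

```python
"""Check a Cisco IronPort Web Security W3C access log, as uploaded to the LCP,
against the recommended log fields. Added example; the log below is constructed."""
import shlex
from collections import Counter

# The field names and sequence listed under Recommended Log Fields.
RECOMMENDED_FIELDS = [
    "timestamp", "c-ip", "c-port", "cs(Referer)", "cs(User-Agent)",
    "cs(X-Forwarded-For)", "cs-auth-group", "cs-method", "cs-mime-type",
    "cs-uri", "cs-url", "cs-username", "cs-version", "date", "time",
    "s-hierarchy", "s-hostname", "s-ip", "s-port", "sc-http-status",
    "sc-result-code", "sc-result-code-denial", "cs-bytes", "sc-bytes",
    "x-acltag", "x-elapsed-time", "x-mcafee-av-virustype",
    "x-mcafee-scanverdict", "x-mcafee-virus-name", "x-result-code",
    "x-webcat-code-full", "x-webroot-scanverdict", "x-webroot-spyid",
    "x-webroot-threat-name", "x-amp-verdict", "x-amp-malware-name",
    "x-amp-score", "x-amp-upload", "x-amp-filename", "x-amp-sha",
]

# Constructed sample: a subscription that selected only a subset of the
# recommended fields, so the check reports the missing ones.
SAMPLE_LOG = """\
#Version: 1.0
#Date: 2024-01-15 10:00:00
#System: wsa01.example.net
#Software: AsyncOS for Web
#Fields: timestamp c-ip cs-method cs-url cs-username sc-http-status sc-result-code x-webcat-code-full
1705312800.123 10.0.0.25 GET http://www.example.com/ "alice" 200 TCP_MISS "Business and Industry"
1705312801.456 10.0.0.25 GET http://malware.example.net/drop.exe "alice" 403 TCP_DENIED "Malware Sites"
1705312802.789 10.0.0.31 CONNECT https://mail.example.org:443 - 200 TCP_MISS "Web-based Email"
1705312803.012 10.0.0.25 GET http://malware.example.net/x.php "alice" 403 TCP_DENIED "Malware Sites"
"""


def parse_w3c(text):
    """Return (fields, records). Lines starting with '#' are directives; the
    '#Fields:' directive gives the column names used to build each record."""
    fields = None
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: record before #Fields directive")
        # shlex handles the double-quoted values W3C uses for strings with spaces.
        values = shlex.split(line, posix=True)
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} values, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return fields, records


def missing_recommended(fields):
    """Recommended fields the subscription did not include, in recommended order."""
    present = set(fields)
    return [f for f in RECOMMENDED_FIELDS if f not in present]


def out_of_order(fields):
    """True if the recommended fields that are present do not follow the
    recommended relative sequence (fields not in the list are ignored)."""
    order = {f: i for i, f in enumerate(RECOMMENDED_FIELDS)}
    known = [f for f in fields if f in order]
    return known != sorted(known, key=order.__getitem__)


def validate_exclusions(spec):
    """Parse a comma-separated Log Exclusions value; only 4xx/5xx codes are allowed."""
    codes = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if not (part.isdigit() and len(part) == 3 and part[0] in "45"):
            raise ValueError(f"{part!r}: only 4xx or 5xx status codes may be excluded")
        codes.add(part)
    return codes


def denied_per_client(records):
    """Count transactions the proxy denied (sc-result-code TCP_DENIED*) per client IP."""
    return dict(Counter(r["c-ip"] for r in records
                        if r["sc-result-code"].startswith("TCP_DENIED")))


if __name__ == "__main__":
    fields, records = parse_w3c(SAMPLE_LOG)
    print("records parsed:", len(records))
    print("missing recommended fields:", missing_recommended(fields))
    print("fields out of recommended order:", out_of_order(fields))
    print("denied transactions per client:", denied_per_client(records))
    print("exclusions:", validate_exclusions("404, 500"))
```

Run the script against a rolled-over file fetched from the LCP's FTP directory to confirm that the subscription carries every field the collector expects before the first commit; a file whose '#Fields:' line lacks the threat-verdict fields (x-amp-*, x-webroot-*, x-mcafee-*) will parse but gives the SOC nothing to detect on.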
LCP Configuration Parameters
Table 1-3: Properties of the Cisco IronPort event collector (FTP - 3798) that are configured by MDR.
Property | Default Value | Description |
Port Number | 21 | The default port number for FTP. |
Hostnames/IP Addresses | Cisco IronPort Proxy IP Address | The logging device IP address given in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs from multiple interfaces, contact the Accenture MDR On-boarding team. |