Fred McGhee Respected Contributor.

Cisco IronPort - Partial Merged Email Event

We have Cisco IronPort coming in via Syslog. There are thousands of partial merged email events produced. Is there a fix for these, or is this just a bug between ArcSight and Cisco? Has anyone ever experienced this error and fixed it?


Raw Example:

<22>Feb 13 13:44:33 pironport-u12 mail_logs_s: Info: MID 123911397 ICID 0 RID 1 To: <email_user@xxxx.xxx>

dkuehner Super Contributor.

Re: Cisco IronPort - Partial Merged Email Event

I had something similar when I tried to parse the SMTP Conversation Logs from Cisco IronPort. They were not parsed by default so I wrote a parser overwrite. When I checked the base parser, I realized they are using event merging. However when I try to use it for the conversation logs, it behaves absolutely weird. It creates one event for several lines as it should, but it misses several lines that are matching the criteria as well! Also it STILL sends all the single lines as well, which it shouldn't.

I tried all possible settings and couldn't get it to work properly. It seems like event merging is just not working.

tryptyk Trusted Contributor.

Re: Cisco IronPort - Partial Merged Email Event

Hi,

Same issue here trying to customize the default parser and create a flex for merging very relevant log entries (DMARC, SPF, DKIM).

That's a shame

zipperbox777 Contributor.

Re: Cisco IronPort - Partial Merged Email Event

Has anyone had any success unmangling the event merge that occurs with the Cisco IronPort parser? This is a confusing feature that does not appear to work and leaves questions about what content is missing or not.


Knowledge Partner

Re: Cisco IronPort - Partial Merged Email Event

As far as I know, the connector waits 60 seconds to merge the logs. If processing of the emails takes longer than 60 seconds, it may cause partially merged logs.

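As an added illustration of the 60-second merge window described in the reply above (example code, not ArcSight's connector or Cisco's parser): a small Python merger that groups mail_logs lines by MID and flushes a group as a partial event when the window expires before the message's closing line arrives. The sample lines are constructed in the shape of the example posted in the question; the From and "Message finished" variants are assumed AsyncOS forms, and the 60 s window is a parameter taken from the reply.

```python
import re
from datetime import datetime

# Constructed sample syslog lines in the shape of the example posted above.
# The From / "Message finished" variants are assumed AsyncOS mail_logs forms.
SAMPLE_LOG = """\
<22>Feb 13 13:44:33 pironport-u12 mail_logs_s: Info: MID 123911397 ICID 0 From: <sender@xxxx.xxx>
<22>Feb 13 13:44:33 pironport-u12 mail_logs_s: Info: MID 123911397 ICID 0 RID 1 To: <email_user@xxxx.xxx>
<22>Feb 13 13:44:34 pironport-u12 mail_logs_s: Info: Message finished MID 123911397 done
<22>Feb 13 13:45:00 pironport-u12 mail_logs_s: Info: MID 123911398 ICID 0 From: <sender@xxxx.xxx>
<22>Feb 13 13:45:01 pironport-u12 mail_logs_s: Info: MID 123911398 ICID 0 RID 1 To: <other_user@xxxx.xxx>
<22>Feb 13 13:46:30 pironport-u12 mail_logs_s: Info: Message finished MID 123911398 done
"""

LINE_RE = re.compile(
    r"^<\d+>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ mail_logs_s: Info: (?P<msg>.*)$"
)
MID_RE = re.compile(r"\bMID (\d+)\b")


def merge_by_mid(log_text, window_seconds=60):
    """Group mail_logs lines by MID the way a timed merger would.

    Returns a list of (mid, line_count, complete) tuples. A group is
    complete when a "Message finished" line closed it; it is flushed as
    a partial event when the window expires first, which is the effect
    the reply above attributes to slow message processing.
    """
    open_groups = {}  # mid -> [first_seen_ts, [messages]]
    events = []

    def flush(mid, complete):
        _, msgs = open_groups.pop(mid)
        events.append((mid, len(msgs), complete))

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a mail_logs line; a real parser routes it elsewhere
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        mid_match = MID_RE.search(m.group("msg"))
        if not mid_match:
            continue
        mid = mid_match.group(1)
        if mid in open_groups and (ts - open_groups[mid][0]).total_seconds() > window_seconds:
            flush(mid, complete=False)  # window expired: emit a partial merge
        open_groups.setdefault(mid, [ts, []])[1].append(m.group("msg"))
        if m.group("msg").startswith("Message finished"):
            flush(mid, complete=True)

    for mid in list(open_groups):  # whatever is left at end of input is partial too
        flush(mid, complete=False)
    return events
```

With the default 60 s window the second message (whose closing line arrives 90 s after its first line) comes out as one partial event plus a one-line remainder; widening the window to 120 s yields a single complete event for it.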