Integrating Cisco ESA Email Security Appliance Logfiles - Filebeat or Elastic agent

[mnasec]

Hi,
we are using a 13 node SO Grid cluster (2.3.200) and have several log sources integrated (PA firewalls, Cisco WSA Proxy, Symon, etc) and the next step now will be the Cisco Email Security Appliances (ESA), based on Cisco Ironport Systems.

Had anyone integrated ESA logs into SO in the past?
Problem will be, that ESA Logs are not single line logs, there will be several lines per email session/event. So the main question for us is using filebeat/syslog - or wait for the integration of elastic agent (https://docs.elastic.co/integrations/cisco_secure_email_gateway) into SO.

I there a timeline for supporting elastic agents in SO?

[InfosecGoon]

Unfortunately, it doesn't look like the Cisco module for Filebeat supports ESA logs (https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-module-cisco.html), but you're right, there is an Elastic Agent integration for it (https://docs.elastic.co/integrations/cisco_secure_email_gateway).

Elastic Agent will be supported in the new Security Onion 2.4 -- we're planning to have a beta available for public release soon so that people can start testing use cases like this.

[mnasec]

Thanks so far, we will wait for the public beta :-)