Cisco Cisco Email Security Appliance X1070 Information Guide

Contributed by Enrico Werner, Cisco TAC Engineer.
Jul 27, 2015

This document describes why the Email Security Appliance (ESA) is unable to send data to a syslog server.

The ESA has been configured to push log subscriptions to a syslog server. The files might or might not be
successfully pushed to the syslog server. In any case, there can be network errors in the mail log file
similar to this:

Log Error: Subscription Mail_Log: Network error while sending log data

 to syslog server

A packet capture between the ESA and the syslog server shows connection drops initiated by the syslog
server, which in this example is 10.44.167.30.

If you follow the TCP stream in the packet capture you will see this:

<22>Jun 25 08:50:03 example.com: Info: Begin Logfile

<22>Jun 25 08:50:03 example.com: Info: Version: 8.0.1−023 SN: A4BADB4712A9−511AA1E

<22>Jun 25 08:50:03 example.com: Info: Time offset from UTC: 7200 seconds

<22>Jun 25 08:50:03 example.com: Info: A System/Critical alert was sent to

 alerts@ironport.com with subject "Critical <System> mail.example.com: Log Error:

 Subscription Mail_Log: Network error while sending l...".

The errors indicate that there is either a firewall or Intrusion Prevention System (IPS) that blocks access to
the syslog server at the IP Address. If all devices in−between have been examined and confirmed in order to
allow the traffic, then this could also mean that the syslog server is too busy and refused the connections.
When the ESA is configured to send a log file to a syslog server, then by default it will use the UDP syslog
port 514 unless configured to use TCP. Once the appliance is configured, the only thing that causes the
connection to be listed as refused is if it receives packets that close the connection when it is opened.