Comparing logs from two systems
Is it possible to compare logs from two different systems?
Specifically looking to compare RSA DLP log events and Cisco Ironport ESA logs. I would like to be able to look in the RSA DLP logs for an incident, then look for the same To, From, and Subject to find the message ID of that message in Ironport, then check whether that message was sent with TLS or not.
Yes, you can absolutely do this, and Event Explorer will be your tool of choice for this forensic task! There are a multitude of ways to do this, but here's an easy one:
1) Set up an event trace that returns all events for your DLP and the Ironport ESA devices in a specified time range.
2) Run the event trace, and in a standard table filter for the string you wish to compare in the Message column.
You will then get all results matching your query and can then cross-reference the Message ID in the appropriate column!
I hope that helps.
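The same correlation can be scripted when the two exports are available as text, which is useful for checking a batch of DLP incidents at once rather than filtering one string at a time. The following is an added example, not code from the original thread, from RSA, or from Cisco: both log samples are constructed, the DLP export is a made-up key=value layout, and the ESA lines only loosely imitate the shape of mail-log entries (MID, ICID, RID, DCID and a "TLS success" line on the delivery connection); the field layout of a real export must be checked against the appliance before the regexes are trusted. It also assumes that a delivery connection with no TLS line was plaintext, which is an assumption about this constructed format.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed DLP incident export in key=value form. Not real RSA DLP output.
DLP_EVENTS = [
    'ts=2024-03-01T10:02:11Z incident=INC-1001 policy="PCI" from=Alice@example.org to=bob@partner.example subject="Q1 invoices"',
    'ts=2024-03-01T10:05:40Z incident=INC-1002 policy="PII" from=carol@example.org to=dave@partner.example subject="Employee list"',
    'ts=2024-03-01T10:09:02Z incident=INC-1003 policy="PII" from=carol@example.org to=dave@partner.example subject="Not in ESA log"',
]

# Constructed ESA-style mail log. MID ties a message's lines together; DCID ties
# an outbound connection (and its TLS line, if any) to the delivery of that MID.
ESA_LOG = [
    "Fri Mar  1 10:02:09 2024 Info: MID 5001 ICID 91 From: <alice@example.org>",
    "Fri Mar  1 10:02:09 2024 Info: MID 5001 ICID 91 RID 0 To: <bob@partner.example>",
    "Fri Mar  1 10:02:10 2024 Info: MID 5001 Subject 'Q1 invoices'",
    "Fri Mar  1 10:02:12 2024 Info: New SMTP DCID 77 interface 10.0.0.5 address 198.51.100.9 port 25",
    "Fri Mar  1 10:02:12 2024 Info: DCID 77 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384",
    "Fri Mar  1 10:02:13 2024 Info: Delivery start DCID 77 MID 5001 to RID [0]",
    "Fri Mar  1 10:05:38 2024 Info: MID 5002 ICID 92 From: <carol@example.org>",
    "Fri Mar  1 10:05:38 2024 Info: MID 5002 ICID 92 RID 0 To: <dave@partner.example>",
    "Fri Mar  1 10:05:39 2024 Info: MID 5002 Subject 'Employee list'",
    "Fri Mar  1 10:05:41 2024 Info: New SMTP DCID 78 interface 10.0.0.5 address 203.0.113.4 port 25",
    "Fri Mar  1 10:05:42 2024 Info: Delivery start DCID 78 MID 5002 to RID [0]",
]

# key=value pairs; quoted values may contain spaces.
DLP_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
MID_FROM = re.compile(r"MID (\d+) ICID \d+ From: <([^>]*)>")
MID_TO = re.compile(r"MID (\d+) ICID \d+ RID \d+ To: <([^>]*)>")
MID_SUBJ = re.compile(r"MID (\d+) Subject '(.*)'")
DCID_TLS = re.compile(r"DCID (\d+) TLS success")
DELIVERY = re.compile(r"Delivery start DCID (\d+) MID (\d+)")


@dataclass
class Message:
    mid: str
    sender: str = ""
    recipients: set = field(default_factory=set)
    subject: str = ""
    tls: Optional[bool] = None  # None: no delivery record seen for this MID


def parse_dlp(line: str) -> Dict[str, str]:
    """Split one constructed DLP line into a field dict, unquoting quoted values."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in DLP_RE.finditer(line)}


def parse_esa(lines: List[str]) -> Dict[str, Message]:
    """Rebuild per-MID envelope data and TLS status from the mail log lines."""
    messages: Dict[str, Message] = {}
    tls_ok = set()                       # DCIDs that negotiated TLS
    deliveries: List[Tuple[str, str]] = []  # (DCID, MID)

    def msg(mid: str) -> Message:
        return messages.setdefault(mid, Message(mid))

    for line in lines:
        if m := MID_FROM.search(line):
            msg(m.group(1)).sender = m.group(2).lower()
        elif m := MID_TO.search(line):
            msg(m.group(1)).recipients.add(m.group(2).lower())
        elif m := MID_SUBJ.search(line):
            msg(m.group(1)).subject = m.group(2)
        elif m := DCID_TLS.search(line):
            tls_ok.add(m.group(1))
        elif m := DELIVERY.search(line):
            deliveries.append((m.group(1), m.group(2)))

    # Resolve after the pass so line order between the TLS and delivery lines does not matter.
    for dcid, mid in deliveries:
        msg(mid).tls = dcid in tls_ok    # assumption: no TLS line means plaintext delivery
    return messages


def correlate(dlp_events: List[str], messages: Dict[str, Message]) -> Dict[str, List[Tuple[str, Optional[bool]]]]:
    """Map each DLP incident to the ESA MIDs sharing its From, To and Subject, with TLS status."""
    report: Dict[str, List[Tuple[str, Optional[bool]]]] = {}
    for raw in dlp_events:
        ev = parse_dlp(raw)
        sender, rcpt, subject = ev["from"].lower(), ev["to"].lower(), ev["subject"]
        hits = [(m.mid, m.tls) for m in messages.values()
                if m.sender == sender and rcpt in m.recipients and m.subject == subject]
        report[ev["incident"]] = hits    # empty list: no matching message in the ESA log
    return report


if __name__ == "__main__":
    for incident, hits in correlate(DLP_EVENTS, parse_esa(ESA_LOG)).items():
        if not hits:
            print(f"{incident}: no matching ESA message")
        for mid, tls in hits:
            status = {True: "TLS", False: "PLAINTEXT", None: "not delivered"}[tls]
            print(f"{incident}: MID {mid} -> {status}")
```

Matching on all three of From, To and Subject keeps false joins down when the same correspondents exchange several messages; an incident with an empty result (INC-1003 above) should be treated as a gap to investigate, since it can mean the time window was wrong, the subject was rewritten, or the message never left through that gateway.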