Detiled Logs

thedarkangel_ironport · ‎01-23-2008

Hello again,
Our customer wants to view more detiled logs for incomming and outgoing mails.They want to trace it by users, for example:
They want to have a look from yesterday, the logs for incomming mail for the user X.This is because they take this logs to their bosses and they want to trace it more detailed.

Any ideas about this kind of issues?

Thanks and b/r

Pat_ironport · ‎01-23-2008

I think, there will be something like that in the upcoming AsynchOS 6.0 called "On-Box Message Tracking".

The Releasenotes for this new feature:

New Feature: On-Box Message Tracking
AsyncOS 6.0 for Email includes an on-box message tracking interface that allows you to track messages that traverse your IronPort C-Series or X-Series Email Security appliance. The message tracking feature makes it easy to find the status of messages that the Email Security appliance processes. Email administrators can quickly resolve help desk calls by
determining the exact location of a message. With on-box message tracking, an administrator can determine if a particular message was delivered, found to contain a virus, or placed in a spam quarantine — or if it is located somewhere else in the mail stream.
Instead of having to search through log files using “grep” or similar tools, you can use the flexible tracking interface of the Email Security appliance to locate messages. To track messages, you create a message tracking query. You can use a variety of search parameters in combination, and you can refine tracking queries to narrow the result set.
If you are running AsyncOS 6.0 for Security Management on an IronPort M-Series appliance, you can perform centralized tracking on all of your organization’s IronPort C-Series and X-Series Email Security appliances. For more information about centralized tracking, see the IronPort AsyncOS 6.0 for Security Management User Guide.

verylongbloke_ironport · ‎01-29-2008

All this information will be stored in the mail_logs by default i.e. remote IP, rcpt, sender, subject, verdicts etc....

You can either pull the logs down via FTP or push them off via SCP/Syslog. Then all you need to do is grep/search for the rcpt email address and find every message ID matching the string you search for.

Of course you could use the GREP feature in the CLI already built in as well :D

The v6 release does provide message tracking if you have a C150 or above....if not you need to upgrade your hardware as message tracking takes a decent chunk of memory up.

chhaag · ‎01-30-2008

Log on via the CLI and try >help findevent

This tool wraps grep and makes it much easier to search the mail logs w/o needing to understand the IronPort log syntax.

Once 6.0 is out you can use the GUI equivalent called Tracker, however, as stated, keeping the Tracker database populated has a performance impact.

cheers

garrett_ironport · ‎01-31-2008

Log on via the CLI and try >help findevent

This tool wraps grep and makes it much easier to search the mail logs w/o needing to understand the IronPort log syntax.

Once 6.0 is out you can use the GUI equivalent called Tracker, however, as stated, keeping the Tracker database populated has a performance impact.

cheers

Tacking on to that, there's a bit more info in the Advanced User Guide, including an example of tracking messages based on a specific Subject. See the "Managing and Monitoring via the CLI" chapter -- it's in there under Managing the Email Queue > Tracking Messages Within the System.

Also, just a quick reminder that the Technical Publication team positively craves feedback, so feel free to send email via the "docfeedback" address.

Thanks!