
CLI Filters -> Logconfig

Hi Everyone,

Can anyone give me some information on what this is, how it's used, and how to set up the Filters -> Logconfig in CLI? I don't see any documentation of this anywhere.


jmonrad
Level 1

Sorry for the looong post following this, but it is a paste from the knowledgebase..

--

An important feature within the IronPort C-Series appliance is its logging capabilities. AsyncOS can generate many types of logs, recording varying types of information. Log files contain the records of regular operations and exceptions from various components of the system. This information can be valuable when monitoring your IronPort C-Series appliance as well as when troubleshooting or checking performance.

Logs can be configured and created through the IronPort CLI using the logconfig command or via the GUI. See the link below for configuring logs via the GUI.

Below is an example of creating an LDAP debug log subscription using the CLI:

ironport.com> logconfig

Currently configured logs:
1. "antivirus" Type: "Anti-Virus Logs" Retrieval: FTP Poll
2. "avarchive" Type: "Anti-Virus Archive" Retrieval: FTP Poll
3. "bounces" Type: "Bounce Logs" Retrieval: FTP Poll
4. "brightmail" Type: "Symantec Brightmail Anti-Spam Logs" Retrieval: FTP Poll
5. "cli_logs" Type: "CLI Audit Logs" Retrieval: FTP Poll
6. "error_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
7. "ftpd_logs" Type: "FTP Server Logs" Retrieval: FTP Poll
8. "gui_logs" Type: "HTTP Logs" Retrieval: FTP Poll
9. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
10. "rptd_logs" Type: "Mailflow Report Logs" Retrieval: FTP Poll
11. "sntpd_logs" Type: "NTP logs" Retrieval: FTP Poll
12. "status" Type: "Status Logs" Retrieval: FTP Poll
13. "system_logs" Type: "System Logs" Retrieval: FTP Poll


Choose the operation you want to perform:
- NEW - Create a new log.
- EDIT - Modify a log subscription.
- DELETE - Remove a log subscription.
- SETUP - General settings.
- LOGHEADERS - Configure headers to log.
- HOSTKEYCONFIG - Configure SSH host keys.
[]> new

Choose the log file type for this subscription:
1. IronPort Text Mail Logs
2. qmail Format Mail Logs
3. Delivery Logs
4. Bounce Logs
5. Status Logs
6. Domain Debug Logs
7. Injection Debug Logs
8. System Logs
9. CLI Audit Logs
10. FTP Server Logs
11. HTTP Logs
12. NTP logs
13. Mailflow Report Logs
14. Symantec Brightmail Anti-Spam Logs
15. Symantec Brightmail Anti-Spam Archive
16. Anti-Virus Logs
17. Anti-Virus Archive
18. LDAP Debug Logs
[1]> 18

Please enter the name for the log:
[]> ldap_debug

Choose the method to retrieve the logs.
1. FTP Poll
2. FTP Push
3. SCP Push
[1]>

Filename to use for log files:
[ldap.log]>

Please enter the maximum file size:
[10485760]>

Please enter the maximum number of files:
[10]>

Currently configured logs:
1. "antivirus" Type: "Anti-Virus Logs" Retrieval: FTP Poll
2. "avarchive" Type: "Anti-Virus Archive" Retrieval: FTP Poll
3. "bounces" Type: "Bounce Logs" Retrieval: FTP Poll
4. "brightmail" Type: "Symantec Brightmail Anti-Spam Logs" Retrieval: FTP Poll
5. "cli_logs" Type: "CLI Audit Logs" Retrieval: FTP Poll
6. "error_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
7. "ftpd_logs" Type: "FTP Server Logs" Retrieval: FTP Poll
8. "gui_logs" Type: "HTTP Logs" Retrieval: FTP Poll
9. "ldap_debug" Type: "LDAP Debug Logs" Retrieval: FTP Poll
10. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
11. "rptd_logs" Type: "Mailflow Report Logs" Retrieval: FTP Poll
12. "sntpd_logs" Type: "NTP logs" Retrieval: FTP Poll
13. "status" Type: "Status Logs" Retrieval: FTP Poll
14. "system_logs" Type: "System Logs" Retrieval: FTP Poll

Choose the operation you want to perform:
- NEW - Create a new log.
- EDIT - Modify a log subscription.
- DELETE - Remove a log subscription.
- SETUP - General settings.
- LOGHEADERS - Configure headers to log.
- HOSTKEYCONFIG - Configure SSH host keys.
[]>

ironport.com> commit

Below is an example for editing an existing log.

ironport.com> logconfig

Currently configured logs:
1. "antivirus" Type: "Anti-Virus Logs" Retrieval: FTP Poll
2. "avarchive" Type: "Anti-Virus Archive" Retrieval: FTP Poll
3. "bounces" Type: "Bounce Logs" Retrieval: FTP Poll
4. "brightmail" Type: "Symantec Brightmail Anti-Spam Logs" Retrieval: FTP Poll
5. "cli_logs" Type: "CLI Audit Logs" Retrieval: FTP Poll
6. "error_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
7. "ftpd_logs" Type: "FTP Server Logs" Retrieval: FTP Poll
8. "gui_logs" Type: "HTTP Logs" Retrieval: FTP Poll
9. "ldap_debug" Type: "LDAP Debug Logs" Retrieval: FTP Poll
10. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
11. "rptd_logs" Type: "Mailflow Report Logs" Retrieval: FTP Poll
12. "sntpd_logs" Type: "NTP logs" Retrieval: FTP Poll
13. "status" Type: "Status Logs" Retrieval: FTP Poll
14. "system_logs" Type: "System Logs" Retrieval: FTP Poll


Choose the operation you want to perform:
- NEW - Create a new log.
- EDIT - Modify a log subscription.
- DELETE - Remove a log subscription.
- SETUP - General settings.
- LOGHEADERS - Configure headers to log.
- HOSTKEYCONFIG - Configure SSH host keys.
[]> edit

Enter the number of the log you wish to edit.
[]> 9

Please enter the name for the log:
[ldap_debug]>

Choose the method to retrieve the logs.
1. FTP Poll
2. FTP Push
3. SCP Push
[1]>

Please enter the filename for the log:
[ldap.log]>

Please enter the maximum file size:
[10485760]> 52422880

Please enter the maximum number of files:
[10]> 100

Currently configured logs:
1. "antivirus" Type: "Anti-Virus Logs" Retrieval: FTP Poll
2. "avarchive" Type: "Anti-Virus Archive" Retrieval: FTP Poll
3. "bounces" Type: "Bounce Logs" Retrieval: FTP Poll
4. "brightmail" Type: "Symantec Brightmail Anti-Spam Logs" Retrieval: FTP Poll
5. "cli_logs" Type: "CLI Audit Logs" Retrieval: FTP Poll
6. "error_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
7. "ftpd_logs" Type: "FTP Server Logs" Retrieval: FTP Poll
8. "gui_logs" Type: "HTTP Logs" Retrieval: FTP Poll
9. "ldap_debug" Type: "LDAP Debug Logs" Retrieval: FTP Poll
10. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
11. "rptd_logs" Type: "Mailflow Report Logs" Retrieval: FTP Poll
12. "sntpd_logs" Type: "NTP logs" Retrieval: FTP Poll
13. "status" Type: "Status Logs" Retrieval: FTP Poll
14. "system_logs" Type: "System Logs" Retrieval: FTP Poll


Choose the operation you want to perform:
- NEW - Create a new log.
- EDIT - Modify a log subscription.
- DELETE - Remove a log subscription.
- SETUP - General settings.
- LOGHEADERS - Configure headers to log.
- HOSTKEYCONFIG - Configure SSH host keys.
[]>

ironport.com> commit

--

I know what Logconfig is.... but there is no documentation for Filters -> Logconfig...

ironport.com> filters


Choose the operation you want to perform:
- NEW - Create a new filter.
- DELETE - Remove a filter.
- IMPORT - Import a filter script from a file.
- EXPORT - Export filters to a file
- MOVE - Move a filter to a different position.
- SET - Set a filter attribute.
- LIST - List the filters.
- DETAIL - Get detailed information on the filters.
- LOGCONFIG - Configure log subscriptions used by filters.
- ROLLOVERNOW - Roll over a filter log file.

jmonrad
Level 1

My quick guess would be that you can create log subscriptions based on the filters you create and furthermore you can do a rollover on those logfiles like you can on regular logfiles.

Which is weird, because if you type in logconfig off of filters, it gives me this:

Currently configured logs:
No logs currently configured.

So, what type of log do I need to set up for filters to use logs? There isn't anything obvious in Logconfig...

meyd45_ironport
Level 1

If you have a filter which does an archive("foo") action somewhere, "foo" will show up under filters > logconfig. It allows you to set the log size and number of generations kept on the IronPort.


Would this be a correct example of the code to use?

DropBadSBRSEmails: if (reputation <= -3.0) AND (sendergroup != "whitelist") {
    archive("badsbrs");
    drop();
}

OK,

I found information that I needed now... thanks for the point out guys ;)
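
The relationship described in the replies above, where each archive("name") action in a filter produces a log entry under filters > logconfig, can be checked against a filter script saved with filters -> EXPORT. The following is an added example, not part of the original thread or of any IronPort tooling; it assumes the export is plain text in the `name: if (...) { ... }` form posted above, and the function names and the second and third sample filters are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of an exported filter script; the first filter is the one
# posted in the thread, the other two are made up for illustration.
SAMPLE_FILTERS = '''
DropBadSBRSEmails: if (reputation <= -3.0) AND (sendergroup != "whitelist") {
    archive("badsbrs");
    drop();
}
KeepCopyOfQuotes: if (subject == "quote") {
    archive("badsbrs");
    archive("quotes");
}
JustDrop: if (reputation <= -9.0) {
    drop();
}
'''

# A filter starts with "<name>: if"; archive() takes one quoted log name.
FILTER_START = re.compile(r'^[ \t]*([A-Za-z_][\w-]*)\s*:\s*if\b', re.MULTILINE)
ARCHIVE_CALL = re.compile(r'\barchive\s*\(\s*"([^"]+)"\s*\)')


def archive_logs(script):
    """Map each archive() log name to the filters that write to it."""
    starts = [(m.start(), m.group(1)) for m in FILTER_START.finditer(script)]
    logs = defaultdict(list)
    for i, (pos, name) in enumerate(starts):
        end = starts[i + 1][0] if i + 1 < len(starts) else len(script)
        for call in ARCHIVE_CALL.finditer(script, pos, end):
            if name not in logs[call.group(1)]:
                logs[call.group(1)].append(name)
    return dict(logs)


def filters_without_archive(script):
    """Filters that never call archive() and so add nothing to logconfig."""
    used = {f for names in archive_logs(script).values() for f in names}
    return [m.group(1) for m in FILTER_START.finditer(script) if m.group(1) not in used]


if __name__ == "__main__":
    for log, filters in archive_logs(SAMPLE_FILTERS).items():
        print(f'{log}: written by {", ".join(filters)}')
    print("no archive action:", filters_without_archive(SAMPLE_FILTERS))
```

An empty result from `archive_logs` corresponds to the "No logs currently configured." message quoted earlier in the thread.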
