Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1134
Views
0
Helpful
4
Replies

seach in log file archive by using findevent

fisherman_ironport
Level 1
Level 1

‎03-25-2009 11:54 AM

Hi @all,
we are using several IronPort C series systems. All our log files are stored via scp on a central log file server running under Linux. The log files are stored in subfolders for each system.

Now it became to be necessary to search emails from last year. I did it by using the grep command and it was very complicated to find all informations (MID, ICID, DCID).

Does someone knows a way to use the findevent command on a Linux based system or do someone have a normal shell script which do the same work as the findevent command do?

Regards, Thomas

Labels:
0 Helpful
4 Replies 4

kluu_ironport
Level 2
Level 2

‎03-25-2009 03:17 PM

There is a tool on the Support Portal that emulates the AsyncOS's findevent command. The tool was written in Python which should work on your Linux system, assuming that Python is available on it.


Find Event Tool

Python

This is the core code to the CLI findevent command which will dump log information based on MID or regular expression searches on "To", "From" and "Subject". The help command description for findevent is "Find events in mail log files".

1. Log onto the support portal (http://www.ironport.com/support/login.html).
2. After you log in, click on "Appliance Documentation > Tools" on the left side and go down near the bottom of the page.

good luck

0 Helpful

kluu_ironport
Level 2
Level 2

‎03-25-2009 03:24 PM

How to get it working.

1. Load the python script into the /tmp directory

2. Verify the path to your Python code

bash> whereis python
python: /usr/bin/python /usr/bin/python2.4 /usr/lib/python2.4 /usr/share/man/man1/python.1.gz

3. Update the /tmp/findevent.py script with the path to Python

4. Make the script executable

chmod a+x /tmp/findevent.py

5.

/tmp/findevent.py -h
./findevent.py [-i] -F file [-f FROM | -m MID | -s SUBJECT -t TO]

Note:
- Only the last -f, -m, -s, or -t will be used.
- Multiple -F arguments can be specified but should be date
ordered to give consistent results.

0 Helpful

fisherman_ironport
Level 1
Level 1

‎03-25-2009 05:00 PM

Hi kluu,
many thanks for that.
Sounds good and I think that will work. I'll try it asap.

0 Helpful

steven_geerts
Level 1
Level 1

‎03-31-2009 11:36 PM

HI!

Has anyone of you done some porting to a syslog based log storage?

We use syslogNG to collect the output of our C series on a Linux system and I would love to have findevent operational on the centralized log server.
At the moment that's not possible because the trailing columns you have with syslog are not accepted by the Python script...

All advises are welcome!

Steven

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents