How to find out who released an encrypted email in ironport? C160 Appliance

Dominic Kallas
Level 1

Hello,

We have quite a few users who can release emails. We need to find out who released an encrypted email. When we track the encrypted message through message tracking it shows it was manually released but no credentials are provided. I checked the help command for any useful commands when I ssh'd but nothing seemed useful. Last, findevent, nothing showed who released it.


Does anyone have any ideas?



Robert Sherwin
Cisco Employee

You will need to use 'grep' from the CLI of your appliance(s) in order to view the mail_logs and gui_logs.  Use "released" in the mail_logs to get the timeframe of when the mails in question were released.  (You may need to verify the MID for the mails in order to verify the particular ones in question.)

Enter the regular expression to grep.

[]> released


Then use 'grep' again to search the timeframe in gui_logs.  This should display who carried out the action, or what userID they were logged in with --- showing "user:<userID>" in the log line.

I hope this helps!

-Robert


(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)
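As an added example (not from this thread or from Cisco), the correlation Robert describes done offline in Python: pull the timestamps of manually released MIDs out of mail_logs, then list the user:<userID> entries in gui_logs within a few seconds of each release. The log lines and their field layout are constructed for illustration and only approximate real AsyncOS text logs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical layout approximating AsyncOS text logs.
MAIL_LOGS = """\
Tue Mar 5 09:14:02 2019 Info: MID 48213 quarantined to "Policy" (content filter:encrypt_hold)
Tue Mar 5 10:02:41 2019 Info: MID 48213 released from quarantine "Policy" manually
Tue Mar 5 10:02:42 2019 Info: MID 48213 queued for delivery
Tue Mar 5 11:30:00 2019 Info: MID 48290 released from quarantine "Policy" automatically
"""
GUI_LOGS = """\
Tue Mar 5 09:58:10 2019 Info: req:10.1.2.3 user:dkallas id:1 200 GET /login HTTP/1.1
Tue Mar 5 10:02:40 2019 Info: req:10.1.2.3 user:dkallas id:1 200 POST /monitor/quarantine/release HTTP/1.1
Tue Mar 5 10:05:12 2019 Info: req:10.1.2.9 user:helpdesk2 id:2 200 GET /monitor/message_tracking HTTP/1.1
"""

TS_FMT = "%a %b %d %H:%M:%S %Y"
TS_RE = re.compile(r"^(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) Info: (.*)$")
RELEASE_RE = re.compile(r"MID (\d+) released .*manually")   # skip automatic releases
USER_RE = re.compile(r"user:(\S+)")                          # the "user:<userID>" field

def parse(lines):
    """Yield (timestamp, message) for every well-formed log line."""
    for line in lines.splitlines():
        m = TS_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), m.group(2)

def manual_releases(mail_logs):
    """Return {mid: timestamp} for messages that were released by hand."""
    out = {}
    for ts, msg in parse(mail_logs):
        m = RELEASE_RE.search(msg)
        if m:
            out[m.group(1)] = ts
    return out

def gui_users_near(gui_logs, ts, window=timedelta(seconds=30)):
    """Sorted user IDs with GUI activity within +/- window of ts."""
    return sorted({USER_RE.search(msg).group(1)
                   for t, msg in parse(gui_logs)
                   if abs(t - ts) <= window and USER_RE.search(msg)})

def correlate(mail_logs, gui_logs):
    """Map each manually released MID to the GUI users active around that time."""
    return {mid: gui_users_near(gui_logs, ts)
            for mid, ts in manual_releases(mail_logs).items()}

if __name__ == "__main__":
    for mid, users in correlate(MAIL_LOGS, GUI_LOGS).items():
        print(f"MID {mid} manually released; GUI users active nearby: {users or 'none'}")
```

A 30-second window is a starting point; widen it if the two log subscriptions are written with different latency, and treat more than one candidate user as a lead to confirm against the request path rather than an answer.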

I typed in grep on the appliance. It gives me options 1-18 and only those options can be used. mail_logs and gui_logs are not among the options.


For example, I have ftpd_logs, reportqueryd_logs and more.

Is your C160 in cluster with another appliance?  Have you reconfigured logs at anytime?  Are your "IronPort Text Mail Logs" named something else per chance in that log name listing?  The same for "HTTP Logs"? 

If these are not present, you would be advised to create these as 'new' from the 'logconfig' option on the CLI.  Then, you will have a running log of all mail actions of the appliance, and also all web GUI actions and users, recording the access, options, and actions carried out through GUI.

-Robert