Cisco Support Community
Community Member

How to find out who released an encrypted email in IronPort? C160 Appliance

Hello,

We have quite a few users who can release emails. We need to find out who released an encrypted email. When we track the encrypted message through message tracking, it shows it was manually released, but no credentials are provided. I checked the help command for any useful commands when I SSH'd in, but nothing seemed useful. last, findevent: nothing showed who released it.

 

Does anyone have any ideas?


3 REPLIES
Cisco Employee

You will need to use 'grep' from the CLI of your appliance(s) in order to view the mail_logs and gui_logs.  Use "released" in the mail_logs to get the timeframe of when the mails in question were released.  (You may need to verify the MID for the mails in order to verify the particular ones in question.)

Enter the regular expression to grep.

[]> released

 

Then use 'grep' again to search the timeframe in gui_logs.  This should display who carried out the action, or what userID they were logged in with --- showing "user:<userID>" in the log line.

I hope this helps!

-Robert

 

(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)
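The two-step correlation described in the reply above, as an added example that is not part of the original post or Cisco's own tooling: it takes exported mail_logs and gui_logs lines, finds "released" entries, and lists the "user:<userID>" values seen in gui_logs around each one. The timestamp prefix, the 60-second window and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumption: each line starts like "Tue Apr 17 10:02:11 2012 Info: ..."
TS_RE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) ")
MID_RE = re.compile(r"\bMID (\d+)\b")
USER_RE = re.compile(r"\buser:(\S+)")  # "user:<userID>" as quoted in the reply

# Constructed sample lines (not real appliance output).
MAIL_SAMPLE = [
    "Tue Apr 17 10:02:11 2012 Info: MID 4821 released",
    "Tue Apr 17 10:02:12 2012 Info: MID 4821 queued for delivery",
]
GUI_SAMPLE = [
    "Tue Apr 17 10:01:58 2012 Info: req:192.0.2.10 user:jdoe id:a1 200 POST /x",
    "Tue Apr 17 09:15:00 2012 Info: req:192.0.2.11 user:asmith id:b2 200 GET /y",
]

def parse_ts(line):
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y") if m else None

def release_events(mail_lines):
    """Return (timestamp, MID) for every mail_logs line containing 'released'."""
    events = []
    for line in mail_lines:
        ts = parse_ts(line)
        if ts and "released" in line:
            m = MID_RE.search(line)
            events.append((ts, m.group(1) if m else None))
    return events

def candidates(mail_lines, gui_lines, window_s=60):
    """Map each release to GUI users seen within +/- window_s seconds of it."""
    gui = []
    for line in gui_lines:
        ts, m = parse_ts(line), USER_RE.search(line)
        if ts and m:
            gui.append((ts, m.group(1)))
    win = timedelta(seconds=window_s)
    return {
        (mid, ts.isoformat()): sorted({u for t, u in gui if abs(t - ts) <= win})
        for ts, mid in release_events(mail_lines)
    }

if __name__ == "__main__":
    for key, users in candidates(MAIL_SAMPLE, GUI_SAMPLE).items():
        print(key, users or "no GUI activity in window")
```

When more than one user appears in the window, the output is a list of candidates rather than an attribution; confirm the MID first, as the reply advises, and narrow the window.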

Community Member

I typed in grep on the appliance. It gives me options 1-18 and only those options can be used. mail_logs and gui_logs are not among the options.

 

For example, I have ftpd_logs, reportqueryd_logs and more.

Cisco Employee

Is your C160 in cluster with another appliance?  Have you reconfigured logs at any time?  Are your "IronPort Text Mail Logs" named something else perchance in that log name listing?  The same for "HTTP Logs"?

If these are not present, you would be advised to create these as 'new' from the 'logconfig' option on the CLI.  Then, you will have a running log of all mail actions of the appliance, and also all web GUI actions and users, recording the access, options, and actions carried out through GUI.

-Robert
