Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Email Security Quick-links: ESA Product Support | SMA Product Support | Email Submission and Tracking Portal | Cisco SecurityHub
Current General Deployment (GD) Releases:
ESA: 11.0.0-264 WSA: 10.5.1-296 SMA: 11.0.0-115 Email Plug-in (Reporting): 1.0.1-048 Email Plug-in (Encryption): 1.0.0-036

seach in log file archive by using findevent

Hi @all,
we are using several IronPort C series systems. All our log files are stored via scp on a central log file server running under Linux. The log files are stored in subfolders for each system.

Now it became to be necessary to search emails from last year. I did it by using the grep command and it was very complicated to find all informations (MID, ICID, DCID).

Does someone knows a way to use the findevent command on a Linux based system or do someone have a normal shell script which do the same work as the findevent command do?

Regards, Thomas

New Member

Re: seach in log file archive by using findevent

There is a tool on the Support Portal that emulates the AsyncOS's findevent command. The tool was written in Python which should work on your Linux system, assuming that Python is available on it.

Find Event Tool


This is the core code to the CLI findevent command which will dump log information based on MID or regular expression searches on "To", "From" and "Subject". The help command description for findevent is "Find events in mail log files".

1. Log onto the support portal (
2. After you log in, click on "Appliance Documentation > Tools" on the left side and go down near the bottom of the page.

good luck

New Member

Re: seach in log file archive by using findevent

How to get it working.

1. Load the python script into the /tmp directory

2. Verify the path to your Python code

bash> whereis python
python: /usr/bin/python /usr/bin/python2.4 /usr/lib/python2.4 /usr/share/man/man1/python.1.gz

3. Update the /tmp/ script with the path to Python

4. Make the script executable

chmod a+x /tmp/


/tmp/ -h
./ [-i] -F file [-f FROM | -m MID | -s SUBJECT -t TO]

- Only the last -f, -m, -s, or -t will be used.
- Multiple -F arguments can be specified but should be date
ordered to give consistent results.

Re: seach in log file archive by using findevent

Hi kluu,
many thanks for that.
Sounds good and I think that will work. I'll try it asap.

New Member

Re: seach in log file archive by using findevent


Has anyone of you done some porting to a syslog based log storage?

We use syslogNG to collect the output of our C series on a Linux system and I would love to have findevent operational on the centralized log server.
At the moment that's not possible because the trailing columns you have with syslog are not accepted by the Python script...

All advises are welcome!