Whitelist and Spam/blocklist

Ganga Raju
Level 1

I have Cisco IronPort with OS AsyncOS 15.5.1 for Cisco C600V build 055.
I needed to add a domain to the whitelist in Mail Policies >> Incoming Mail Policy >> Whitelist and Spam/blocklist,
and to the content filters blocklist, where I have the option to add sender email IDs or domains.

I see a few entries that I have not recognized. Where in the logs (log subscriptions) can I find who added them and when?

1 Reply

This depends on your log subscription config, amount and retention.

The system_logs and audit_logs will have entries for all commits, including the commit comment and the username that posted the commit.
If you search through and find all "commit changes" within the system logs (or preferably in your syslog/SIEM, if you are logging there), you can identify all changes and the relevant dates. Maybe the admin that made this change was nice enough to describe it in the commit comment textbox.

Next up are the audit_logs.
Depending on the log level, you might either have information about the config being changed and which section, or, if you have debug enabled, you will see the actual change.

If you don't have remote logging, you can view the logs in CLI, or you can download them from the appliances either via some transfer protocol (FTP/SCP/etc if configured), or via HTTP.
For HTTP download, refer to this guide: https://www.cisco.com/c/en/us/support/docs/security/cloud-email-security/215858-downloading-logs-from-the-gui-of-your-es.html

(It was the top Google result; the same method also works for on-prem appliances.)

Keep in mind that if you have two or more appliances in a cluster, you need to fetch logs from both devices, depending on which device the admin logged in to.

An example:  (I modified an incoming mail policy sender)

Mon Apr 28 12:48:40 2025 Info: Appliance: redacted, User: admin, Event: The following configuration changes were commited with comment - 'addddd'

Mon Apr 28 12:48:41 2025 Debug: - Current Time: Wed Nov 8 10:37:16 2023
Mon Apr 28 12:48:41 2025 Debug: + Current Time: Mon Apr 28 12:48:41 2025
Mon Apr 28 12:48:41 2025 Debug: Feature "Incoming Mail Handling": Quantity = 1, Time Remaining = "Perpetual"
Mon Apr 28 12:48:41 2025 Debug: -->
Mon Apr 28 12:48:41 2025 Debug: <config>
Mon Apr 28 12:48:41 2025 Debug: @@ -8493,6 +8493,11 @@
Mon Apr 28 12:48:41 2025 Debug: <receiver>redacted@redacted</receiver>
Mon Apr 28 12:48:41 2025 Debug: <receiver_oper>and</receiver_oper>
Mon Apr 28 12:48:41 2025 Debug: </policy_member>
Mon Apr 28 12:48:41 2025 Debug: + <policy_member>
Mon Apr 28 12:48:41 2025 Debug: + <sender>ANY</sender>
Mon Apr 28 12:48:41 2025 Debug: + <receiver>redacted@redacted</receiver>
Mon Apr 28 12:48:41 2025 Debug: + <receiver_oper>and</receiver_oper>
Mon Apr 28 12:48:41 2025 Debug: + </policy_member>
Mon Apr 28 12:48:41 2025 Debug: <antispam_policy>
Mon Apr 28 12:48:41 2025 Debug: <policy_status>DEFAULT</policy_status>
Mon Apr 28 12:48:41 2025 Debug: </antispam_policy>
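To make the log review described in this reply repeatable, here is an added Python example (not from the original post or from Cisco) that pulls each commit event and the +/- config diff lines that follow it out of system_logs text in the format shown above; the sample lines, appliance name, users and comments are constructed.

```python
import re
from datetime import datetime

# Constructed sample modelled on the AsyncOS system_logs excerpt above
# (appliance name, users, receiver and comments are made up).
SAMPLE_LOG = """\
Mon Apr 28 12:48:40 2025 Info: Appliance: esa01.example.test, User: admin, Event: The following configuration changes were commited with comment - 'added sender'
Mon Apr 28 12:48:41 2025 Debug: @@ -8493,6 +8493,11 @@
Mon Apr 28 12:48:41 2025 Debug: </policy_member>
Mon Apr 28 12:48:41 2025 Debug: + <policy_member>
Mon Apr 28 12:48:41 2025 Debug: + <sender>ANY</sender>
Mon Apr 28 12:48:41 2025 Debug: + <receiver>user@example.test</receiver>
Mon Apr 28 12:48:41 2025 Debug: + </policy_member>
Mon Apr 28 13:02:10 2025 Info: Appliance: esa01.example.test, User: jdoe, Event: The following configuration changes were commited with comment - ''
Mon Apr 28 13:02:11 2025 Debug: - <sender>spam.example.test</sender>
Mon Apr 28 13:02:11 2025 Debug: + <sender>partner.example.test</sender>
"""

# "Mon Apr 28 12:48:40 2025 Info: <message>"; the commit event keeps the
# spelling ("commited") that the appliance writes, so match exactly that.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) (?P<level>\w+): (?P<msg>.*)$")
COMMIT_RE = re.compile(r"Appliance: (?P<appliance>[^,]+), User: (?P<user>[^,]+), "
                       r"Event: The following configuration changes were commited with comment - '(?P<comment>.*)'$")

def parse_commits(text):
    """Group each commit event with the '+ ' / '- ' diff lines that follow it."""
    commits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        c = COMMIT_RE.search(msg)
        if c:
            commits.append({
                "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
                "appliance": c.group("appliance"), "user": c.group("user"),
                "comment": c.group("comment"), "added": [], "removed": [],
            })
        elif commits and m.group("level") == "Debug" and msg[:2] in ("+ ", "- "):
            # Diff context lines and the @@ hunk header carry no +/- prefix and are skipped.
            key = "added" if msg[0] == "+" else "removed"
            commits[-1][key].append(msg[2:].strip())
    return commits

def changes_touching(commits, element):
    """Commits whose diff adds or removes the given XML element, e.g. 'sender'."""
    tag = f"<{element}>"
    return [c for c in commits if any(tag in x for x in c["added"] + c["removed"])]
```

Run it over a downloaded system_logs file instead of SAMPLE_LOG to list who changed a policy sender and when, then cross-check the user against the audit_logs for the same timestamp.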