Hi - Thanks for the reply....this is now resolved...the above steps were performed yesterday, and nothing was running on port 25 on both....listernerconfig revealed why: no listerners configured?

Cause - "Someone" had changed the clusterlevel config...cluster was configured with listerns, but someone had changed both C170's to manually override the cluster with machine level config....checking the logs (gui_log and cli_log), I can see "someone"(We only have 3 staff who login to these devices, but all with "admin" and all from the same nat IP), had edited the listeners 3 days ago, a commit was applied 2 days ago, and another commit was done yesterday morning...so it really doesn't add up..If the listeners were changed 3 days ago, and commit done 2 days ago, why didn't both boxes stop listening on port 25, 2 days ago....Is the logging on these devices not reliable, or doesn't log "everything".....It's now resolved (forced both 170's to use the cluster settings for listeners)...but Im still very interested in how to accurately audit when it was changed, and by who....as it's not something that is "easily/accidentally" done...

Hello John,

I believe I was the engineer who handled that TAC case who corrected the issue for you when the case was raised up.

With regards to those auditing.

The GUI and CLI logs will display who has logged in and what commands were used or page was reviewed.

While i explained to Shaun and Michael on the information this log has, we do not have a direct way to audit every change that was issued (atleast from my knowledge).

I apologise if there isn't an exact auditing log available to provide this information that you're seeking with what and who made that change.

At most you can narrow down who was logged into the device at the time the mails ceased to work by grepping the time-stamp against the gui_logs and cli_logs

Also to keep in mind to review both devices as their logs will yield different information.