Ability to see who released/deleted a message?

jbranch · ‎04-13-2011

I have 6 guys in our IronPort, and for auditing purposes, it would be nice to see who actually released/deleted a message. I have had this ability in previous email filtering software, but I can;t seem to find anything int he message tracking logs that will tell me the login name of the person that managed the message. We need this functionality.

Thank you.

Christopher Smith · ‎04-13-2011

Greetings Josh,

You should be able to do this using the logs on the appliance.

1. Search the Mail_logs and get the MID number

Line should look like this:

Thu May 3 12:54:48 2007 Info: MID 1186003 released from quarantine
"Policy" (manual) t=767

2. Take the date/time stamp and search the gui_logs.

Line should look like this:

Thu May 3 12:54:48 2007 Info: req:19.191.113.146 user:admin

id:JTUnNoXVUpiAZMHDljbH 200 POST
/monitor/quarantines/local_quarantines_dosearch?name=Policy HTTP/1.1
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;
InfoPath.1; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30)

Answer: user =admin

screen location was = /monitor/quarantines/local_quarantines_dosearch?name=Policy

Christopher C Smith

CSE

Cisco IronPort Customer Support

jbranch · ‎04-14-2011

Thank you Chris. Definitely not a quick and easy method like our previous mail filter, but I'll give it a whirl.