04-13-2011 05:49 AM
I have 6 guys in our IronPort, and for auditing purposes, it would be nice to see who actually released/deleted a message. I have had this ability in previous email filtering software, but I can't seem to find anything in the message tracking logs that will tell me the login name of the person that managed the message. We need this functionality.
Thank you.
04-13-2011 06:59 PM
Greetings Josh,
You should be able to do this using the logs on the appliance.
1. Search the Mail_logs and get the MID number
Line should look like this:
Thu May 3 12:54:48 2007 Info: MID 1186003 released from quarantine "Policy" (manual) t=767
2. Take the date/time stamp and search the gui_logs.
Line should look like this:
Thu May 3 12:54:48 2007 Info: req:19.191.113.146 user:admin id:JTUnNoXVUpiAZMHDljbH 200 POST /monitor/quarantines/local_quarantines_dosearch?name=Policy HTTP/1.1 Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 1.1.4322; .NET CLR 3.0.04506.30)
Answer: user =admin
screen location was = /monitor/quarantines/local_quarantines_dosearch?name=Policy
Christopher C Smith
CSE
Cisco IronPort Customer Support
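The two-step lookup from the reply above, automated as an added example (not part of the original thread and not Cisco code). It assumes exported copies of mail_logs and gui_logs in the two line formats quoted in the reply, treats only POST requests under /monitor/quarantines/ as candidate release actions, and uses a hypothetical 2-second matching window; the extra log lines, users and addresses are constructed.

```python
import re
from datetime import datetime

# Constructed sample data in the two line formats quoted in the post
# (users jdoe/asmith, 192.0.2.x addresses and session ids are made up).
MAIL_LOG = '''\
Thu May 3 12:54:48 2007 Info: MID 1186003 released from quarantine "Policy" (manual) t=767
Thu May 3 13:10:02 2007 Info: MID 1186050 released from quarantine "Policy" (manual) t=120
Thu May 3 14:00:00 2007 Info: MID 1186077 released from quarantine "Policy" (manual) t=45
'''
GUI_LOG = '''\
Thu May 3 12:54:48 2007 Info: req:19.191.113.146 user:admin id:JTUnNoXVUpiAZMHDljbH 200 POST /monitor/quarantines/local_quarantines_dosearch?name=Policy HTTP/1.1 Mozilla/4.0
Thu May 3 12:58:11 2007 Info: req:192.0.2.10 user:jdoe id:SAMPLEID0001 200 GET /monitor/quarantines HTTP/1.1 Mozilla/4.0
Thu May 3 14:00:00 2007 Info: req:192.0.2.10 user:jdoe id:SAMPLEID0001 200 POST /monitor/quarantines/local_quarantines_dosearch?name=Policy HTTP/1.1 Mozilla/4.0
Thu May 3 14:00:01 2007 Info: req:192.0.2.11 user:asmith id:SAMPLEID0002 200 POST /monitor/quarantines/local_quarantines_dosearch?name=Policy HTTP/1.1 Mozilla/4.0
'''

TS = r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})"
RELEASE = re.compile(TS + r' Info: MID (\d+) released from quarantine "([^"]+)"', re.M)
GUI = re.compile(TS + r" Info: req:(\S+) user:(\S+) id:\S+ \d{3} (\w+) (\S+)", re.M)

def parse_ts(text):
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")

def attribute_releases(mail_log, gui_log, window_s=2):
    """Return (MID, quarantine, candidate users) for every release in mail_log."""
    posts = []
    for ts, src, user, method, path in GUI.findall(gui_log):
        # Only state-changing requests to the quarantine pages can be a release.
        if method == "POST" and path.startswith("/monitor/quarantines/"):
            posts.append((parse_ts(ts), user))
    results = []
    for ts, mid, quarantine in RELEASE.findall(mail_log):
        when = parse_ts(ts)
        users = sorted({u for t, u in posts
                        if abs((t - when).total_seconds()) <= window_s})
        results.append((mid, quarantine, users))
    return results

if __name__ == "__main__":
    for mid, quarantine, users in attribute_releases(MAIL_LOG, GUI_LOG):
        verdict = users[0] if len(users) == 1 else ("AMBIGUOUS" if users else "NO GUI MATCH")
        print(f"MID {mid} ({quarantine}): {verdict} {users}")
```

Timestamp matching only narrows the candidates: a release with two administrators active in the same window stays ambiguous, and one with no GUI match may have come from a rotated log file or a non-GUI path.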
04-14-2011 10:31 AM
Thank you Chris. Definitely not a quick and easy method like our previous mail filter, but I'll give it a whirl.