cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1118
Views
0
Helpful
1
Replies
Beginner

Audit All IP's Sending thru IronPort C300

Hi All:

I have been asked to audit an IronPort C300 running v6.3.5-003 to determine the IP and hostname of all systems sending email through the device. This is my first time working with an IronPort and would appreciate any suggestions on how to best do this.

The ultimate goal is to get the systems sending through it to change their settings to send to a DNS alias instead of directly to this appliance we are trying to retire. The systems sending through it should be internal to the company, but we may have external systems sending as well.

Is exporting the last 30 days in the web GUI undering monitoring for "Outgoing Senders: IP Addresses" and "Incoming Mail: IP Addresses" sufficient? Do I need both or are just the "Incoming Mail: IP Addresses" the ones I need. Is there any way to get the appliance to log more than the last 30 days.

Thanks for any help.

1 REPLY 1
Highlighted
Enthusiast

Re: Audit All IP's Sending thru IronPort C300

Hi Scott,

I am not sure that the data your looking at in the GUI is going to give you a complete picture. Ideally you would want to consult the mail logs on the appliance for this type of data. All connections sucessfull or not are logged in the mail logs. This would include the source IP. There should also be host information based on the reverse lookup via DNS in the mail logs as well.

You can search the logs to gather more information about the From,  To, Subject of the emails coming from this IP address that you're  interested in.

The name of the log is "mail_logs". You can see this in the [System Administration > Log Subscriptions > mail_logs].

There are several ways to access these logs.

1. Via the web browser.

- Go to [System Administration > Log Subscription].
- For the mail_logs, click on the ftp link to the right of mail_logs
-  If it gives you an error, go to "Network -> IP interface", select  the interface that you normally access to the Ironport on and turn on  the FTP/port 21 service.


2. From the command line,

- Using a ssh client like Putty and log onto the command line of the Ironport appliance via port 22/ssh.
- From the command line, type this to search for the IP

grep (press Enter)
The # of the "mail_logs"
Then enter the pattern to search, ie. 192.168.1.1 or joe@example.com

For the next three questions, press enter and keep the defaults.

The search may take a bit of time to complete.

Once the output comes back, you can search either the ICID or the MID.

i.e

grep "ICID 123456" mail_logs


Once the output comes back, you can search for the MID

grep "MID 78901234" mail_logs

and so on.

You should be able to see the From, To, Subject from the MID
You should see the IP address and the HAT  Sender Group  from the ICID


3.  Another option is to ftp the mail_logs to a local machine(Desktop) and  use your own file/text editor to search for the IP addresses.

Here is a link to some Support Portal knowledge base articles that may be of use:

How can I determine the disposition of a message using the mail logs?
http://tinyurl.com/jb7z4

What is a Message ID (MID)?
http://tinyurl.com/ky3kf


How do I extract the SBRS score of a sender from the mail logs?
http://tinyurl.com/3xh3sl

Additionally there are some user contributed tools that may help with this task. The Spamtowho tool may be useful.

You can locate that in the downloads section of the forums here,

https://supportforums.cisco.com/docs/DOC-9075

Christopher C Smith

CSE
Cisco IronPort Customer Support.