Audit All IP's Sending thru IronPort C300

scottwhite42
Level 1

Hi All:

I have been asked to audit an IronPort C300 running v6.3.5-003 to determine the IP and hostname of all systems sending email through the device. This is my first time working with an IronPort and would appreciate any suggestions on how to best do this.

The ultimate goal is to get the systems sending through it to change their settings to send to a DNS alias instead of directly to this appliance we are trying to retire. The systems sending through it should be internal to the company, but we may have external systems sending as well.

Is exporting the last 30 days in the web GUI under Monitoring for "Outgoing Senders: IP Addresses" and "Incoming Mail: IP Addresses" sufficient? Do I need both, or are just the "Incoming Mail: IP Addresses" the ones I need? Is there any way to get the appliance to log more than the last 30 days?

Thanks for any help.

1 Reply

Hi Scott,

I am not sure that the data you're looking at in the GUI is going to give you a complete picture. Ideally you would want to consult the mail logs on the appliance for this type of data. All connections, successful or not, are logged in the mail logs. This would include the source IP. There should also be host information based on the reverse lookup via DNS in the mail logs as well.

You can search the logs to gather more information about the From, To, Subject of the emails coming from this IP address that you're interested in.

The name of the log is "mail_logs". You can see this in the [System Administration > Log Subscriptions > mail_logs].

There are several ways to access these logs.

1. Via the web browser.

- Go to [System Administration > Log Subscription].
- For the mail_logs, click on the ftp link to the right of mail_logs.
- If it gives you an error, go to "Network -> IP interface", select the interface that you normally access the IronPort on and turn on the FTP/port 21 service.


2. From the command line.

- Use an SSH client like PuTTY to log onto the command line of the IronPort appliance via port 22/SSH.
- From the command line, type the following to search for the IP:

- grep (press Enter)
- the # of the "mail_logs"
- then enter the pattern to search, i.e. 192.168.1.1 or joe@example.com

For the next three questions, press enter and keep the defaults.

The search may take a bit of time to complete.

Once the output comes back, you can search either the ICID or the MID.

i.e.

grep "ICID 123456" mail_logs


Once the output comes back, you can search for the MID

grep "MID 78901234" mail_logs

and so on.

You should be able to see the From, To, Subject from the MID.
You should see the IP address and the HAT Sender Group from the ICID.


3. Another option is to FTP the mail_logs to a local machine (desktop) and use your own file/text editor to search for the IP addresses.

Here is a link to some Support Portal knowledge base articles that may be of use:

How can I determine the disposition of a message using the mail logs?
http://tinyurl.com/jb7z4

What is a Message ID (MID)?
http://tinyurl.com/ky3kf


How do I extract the SBRS score of a sender from the mail logs?
http://tinyurl.com/3xh3sl

Additionally there are some user contributed tools that may help with this task. The Spamtowho tool may be useful.

You can locate that in the downloads section of the forums here:

https://supportforums.cisco.com/docs/DOC-9075

Christopher C Smith

CSE
Cisco IronPort Customer Support.
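The ICID-to-MID join the reply describes, written out as an added example (not from the thread, Cisco, or the Spamtowho tool): a Python script that runs over a mail_logs file pulled down via FTP (option 3) and builds the per-IP inventory the question asks for, flagging RFC 1918 sources as internal so external senders stand out. The event layout and the sample lines are constructed from the mail_logs style and should be checked against the output of your own appliance.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the AsyncOS mail_logs event style; not a real capture.
SAMPLE_MAIL_LOGS = """\
Mon Apr 17 19:56:22 2011 Info: New SMTP ICID 5 interface Data1 (10.1.1.1) address 10.20.30.40 reverse dns host app01.corp.example verified yes
Mon Apr 17 19:56:22 2011 Info: ICID 5 ACCEPT SG RELAYLIST match 10.20.0.0/16 SBRS None
Mon Apr 17 19:56:22 2011 Info: Start MID 6 ICID 5
Mon Apr 17 19:56:22 2011 Info: MID 6 ICID 5 From: <noreply@corp.example>
Mon Apr 17 19:56:22 2011 Info: MID 6 Subject 'Nightly report'
Mon Apr 17 19:57:01 2011 Info: New SMTP ICID 7 interface Data1 (10.1.1.1) address 203.0.113.9 reverse dns host mx.partner.example verified yes
Mon Apr 17 19:57:01 2011 Info: ICID 7 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 3.1
Mon Apr 17 19:57:01 2011 Info: Start MID 8 ICID 7
Mon Apr 17 19:57:01 2011 Info: MID 8 ICID 7 From: <billing@partner.example>
Mon Apr 17 19:57:01 2011 Info: MID 8 Subject 'Invoice 4471'
Mon Apr 17 19:58:10 2011 Info: New SMTP ICID 9 interface Data1 (10.1.1.1) address 10.20.30.40 reverse dns host app01.corp.example verified yes
Mon Apr 17 19:58:10 2011 Info: Start MID 10 ICID 9
"""
# Event patterns assumed from the mail_logs style: ICID = connection, MID = message.
RE_NEW_ICID = re.compile(r"New SMTP ICID (\d+) .* address (\S+) reverse dns host (\S+)")
RE_SG = re.compile(r"ICID (\d+) (?:ACCEPT|RELAY|REJECT|TCPREFUSE) SG (\S+)")
RE_START = re.compile(r"Start MID (\d+) ICID (\d+)")
RE_FROM = re.compile(r"MID (\d+) ICID \d+ From: <([^>]*)>")
RE_SUBJECT = re.compile(r"MID (\d+) Subject '(.*)'")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_senders(log_text):
    """Map each connecting IP to host, RFC 1918 flag, HAT sender groups, connection count, senders and subjects."""
    icid_ip, mid_ip = {}, {}  # ICID -> IP and MID -> IP: the two join keys the reply describes
    report = defaultdict(lambda: {"host": None, "internal": None, "sender_groups": set(),
                                  "connections": 0, "envelope_froms": set(), "subjects": set()})
    for line in log_text.splitlines():
        if m := RE_NEW_ICID.search(line):
            icid, ip, host = m.groups()
            icid_ip[icid] = ip
            report[ip].update(host=host, internal=any(ipaddress.ip_address(ip) in n for n in RFC1918))
            report[ip]["connections"] += 1
        elif (m := RE_SG.search(line)) and m.group(1) in icid_ip:
            report[icid_ip[m.group(1)]]["sender_groups"].add(m.group(2))
        elif (m := RE_START.search(line)) and m.group(2) in icid_ip:
            mid_ip[m.group(1)] = icid_ip[m.group(2)]  # tie the message back to its connection's IP
        elif (m := RE_FROM.search(line)) and m.group(1) in mid_ip:
            report[mid_ip[m.group(1)]]["envelope_froms"].add(m.group(2))
        elif (m := RE_SUBJECT.search(line)) and m.group(1) in mid_ip:
            report[mid_ip[m.group(1)]]["subjects"].add(m.group(2))
    return dict(report)

if __name__ == "__main__":
    for ip, info in sorted(audit_senders(SAMPLE_MAIL_LOGS).items()):
        print(ip, "internal" if info["internal"] else "EXTERNAL", info["host"], info["connections"], sorted(info["sender_groups"]))
```

Replace SAMPLE_MAIL_LOGS with the contents of the downloaded mail_logs file (or concatenate the rolled-over files to cover more than 30 days) to get the full list of sending systems to contact.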