
Backup and restore logs, quarantines Cisco IronPort C170

Hello,

Is there any way to back up and restore logs and quarantines to another IronPort C170?

Thanks in advance.

Alexandre

Accepted Solution

Andreas Mueller
Level 4

Hello Alexandre,

logs can easily be downloaded via FTP or SCP, there is a folder per logs subscription, i.e.

/mail_logs

/system_logs

/error_logs

Each folder contains multiple logs; those with the extension .s are the ones that have rolled over, while .c and .current are the ones currently written to. I would not recommend uploading them to another appliance, as this may cause problems or at least confusion. Quarantines cannot be backed up; that functionality is limited to SMAs (M-series).

Hope that helps,

Andreas

Hi Andreas,

Thanks for your prompt response.

Moreover, how can I exploit these logs (e.g. /mail_logs, /system_logs, /error_logs) in the best and most efficient way? (e.g. Cisco tools...)

Best regards,

Alexandre

Hello Alexandre,

the logs are normal text files that you can open with any text editor, or grep as usual from any command line. There is also the findevent command available for download:

https://supportforums.cisco.com/docs/DOC-9075

On the same link, there is also a tool called spamtowho.exe, which you can use for statistics, reporting, etc. on Cisco IronPort mail logs.

Hope that helps,

Andreas

Is there any procedure to backup the logs?

Hi,

You can use FTP or SCP to access the appliance and download the logs to your system.

You can also navigate to System Administration -> Log Subscriptions -> Click on a log to modify -> Retrieval Method -> To push the logs to a different server.

 

- Libin V
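A sketch of one backup routine built on the points above, added here as an example and not part of the original thread: it archives only rolled-over `.s` files from a locally downloaded copy of a log subscription folder, leaves the `.c`/`.current` files alone, and records SHA-256 checksums. The staging and archive paths, the `SHA256SUMS` manifest, the function names and the sample file names are assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

ROLLED_SUFFIX = ".s"  # rolled-over logs; .c and .current are still being written

def sha256_of(path):
    """Hash a file in chunks so large logs are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def archive_rolled_logs(staging, archive):
    """Copy not-yet-archived .s logs from staging to archive; return their names."""
    staging, archive = Path(staging), Path(archive)
    archive.mkdir(parents=True, exist_ok=True)
    manifest = archive / "SHA256SUMS"  # same layout as `sha256sum` output
    known = set()
    if manifest.exists():
        known = {line.split("  ", 1)[1]
                 for line in manifest.read_text().splitlines() if line}
    copied = []
    with manifest.open("a") as out:
        for src in sorted(staging.iterdir()):
            if not src.is_file() or src.suffix != ROLLED_SUFFIX:
                continue  # skips .c / .current and anything unexpected
            if src.name in known:
                continue  # already archived on an earlier run
            dst = archive / src.name
            shutil.copy2(src, dst)  # keeps the modification time
            out.write(f"{sha256_of(dst)}  {src.name}\n")
            copied.append(src.name)
    return copied

def demo():
    """Run twice over constructed sample files to show the incremental behaviour."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp, "mail_logs")
        staging.mkdir()
        # Constructed file names; only the extensions follow the thread.
        for name in ("mail.0001.s", "mail.0002.s", "mail.c", "mail.current"):
            (staging / name).write_text("constructed sample line\n")
        first = archive_rolled_logs(staging, Path(tmp, "archive"))
        second = archive_rolled_logs(staging, Path(tmp, "archive"))
        return first, second

if __name__ == "__main__":
    print(demo())
```

The manifest can later be checked with `sha256sum -c SHA256SUMS` from inside the archive directory.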

Thank you Libin. Do you have an idea how we can access the root of the WSA? We're still getting high logging disk utilization.

I do not think root access is available for end customers, at least that is the case for ESA.

I would recommend opening a case with TAC to get that reviewed.

It would be best to have an engineer check if the high disk usage is due to a defect before you decide on deleting logs.

- Libin V


There is no "root" access available on the WSA.

The logs get imported into the reporting db for reports and then are kept until they age out/ rollover.

To address space issues on the logging disk, you can set the logs to compress, tell it to keep fewer logs, rotate them faster and just delete them via FTP.

Thank you Ken for the information. Right now our logging disk is 97%, and we would like to know what causes the high utilization of logging disk?

It's a balancing act between the amount of traffic you have and the length of time you keep the logs.

Nothing is "broken" or "wrong"; you've just outgrown the default config on a C170.

Assuming it's still fast enough for you, you'll need to tweak the log settings.

Thanks Ken,

How can we tweak the settings?