Solved: Re: Backup and restore logs, quarantines cisco ironport c170

alexandre.samuel · ‎12-21-2011

Hello,

Is there anyway to backup and restore logs and quarantine to another ironport c170?

Thanks in advance.

Alexandre

Andreas Mueller · ‎12-23-2011

Hello Alexandre,

logs can easily be downloaded via FTP or SCP, there is a folder per logs subscription, i.e.

/mail_logs

/system_logs

/error_logs

Each folder contains multiple logs, thos e are with extention .s are the ones that have rolled over, while .c and .current are the ones currently written to. I would not recommend to upload them to another appliance, as this may cause problems or at least confusion. Quarantines cannot be backed up, that functionality is limited to SMAs (M-series).

Hope that helps,

Andreas

View solution in original post

Andreas Mueller · ‎12-23-2011

Hello Alexandre,

logs can easily be downloaded via FTP or SCP, there is a folder per logs subscription, i.e.

/mail_logs

/system_logs

/error_logs

Each folder contains multiple logs, thos e are with extention .s are the ones that have rolled over, while .c and .current are the ones currently written to. I would not recommend to upload them to another appliance, as this may cause problems or at least confusion. Quarantines cannot be backed up, that functionality is limited to SMAs (M-series).

Hope that helps,

Andreas

alexandre.samuel · ‎12-29-2011

Hi Andreas,

Thanks for your prompt response.

Moreoever, how can exploit this logs (e.g : /mail_logs, /system_logs, /error_logs) in the best and most efficient way ? (eq: Cisco tools...)

Best regards,

Alexandre

Andreas Mueller · ‎12-30-2011

Hello Alexandre,

the logs are normal text files that you can open with any text editor, or grep as usual from any command line. There is also the findevent command available for download:

https://supportforums.cisco.com/docs/DOC-9075

On the same link, there is also a tool called spamtowho.exe, which you can use for statistics, reporting, etc. on Cisco IronPort mail logs.

Hope that helps,

Andreas

ccg-security · ‎09-26-2017

Is there any procedure to backup the logs?

Libin Varghese · ‎09-26-2017

Hi,

You can use FTP or SCP to access the appliance and download the logs to your system.

You can also navigate to System Administration -> Log Subscriptions -> Click on a log to modify -> Retrieval Method -> To push the logs to a different server.

- Libin V

ccg-security · ‎09-27-2017

Thank you Libin. Do you have an idea how can we access the root of WSA? because we're still getting the logging disk high utilization.

Libin Varghese · ‎09-27-2017

I do not think root access is available for end customers, at least that is the case for ESA.

I would recommend opening a case with TAC to get that reviewed.

It would be best to have an engineer check if the high disk usage is due to a defect before you decide on deleting logs.

- Libin V

Ken Stieers · ‎09-27-2017

There is no "root" access available to on the WSA.

The logs get imported into the reporting db for reports and then are kept until they age out/ rollover.

To address space issues on the logging disk, you can set the logs to compress, tell it to keep fewer logs, rotate them faster and just delete them via ftp....

ccg-security · ‎09-27-2017

Thank you Ken for the information. Right now our logging disk is 97%, and we would like to know what causes the high utilization of logging disk?

Ken Stieers · ‎09-27-2017

It's a balancing act between the amount of traffic you have and the length of time you keep the logs.

Nothing is "broken" or "wrong" you've just outgrown the default config on a C170.

Assuming its still fast enough for you, you'll need to tweak the log settings.

ccg-security · ‎09-27-2017

Thanks Ken,

How can we tweak the settings?