Hello, I am attempting to dive into the logs of our Cisco C300V and I am wondering which logs I should be subscribing to and reviewing. We are using Cisco's reputation filters, a couple of DNSBLs, some content filtering, etc. I want to get some insight as to which connections it is dropping, what it is quarantining, etc., and have these logs sent to a repository for review.
Can anyone give me some insight as to which logs to review? Also, what are you using to parse and review the logs?
Thanks for your time.
Emails blocked by SenderBase reputation filtering, DNSBLs and content filtering are all logged in the IronPort text mail_logs.
You can use the grep command to parse through the mail_logs; alternatively, you can push these logs to syslog or FTP servers and use third-party tools to parse them. However, there are no recommendations on which method to use.
I would, however, recommend reviewing the available reports under the Monitor tab, which would be easier than parsing through the mail logs.
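As an added illustration of the grep-and-parse approach from this reply (example code written for this thread, not Cisco's own tooling), the script below reads mail_logs text, ties each connection (ICID) to its ACCEPT/REJECT verdict and the sender group and match that produced it, ties each message (MID) to any quarantine event, and can answer the later question in this thread of whether a particular sending domain is being rejected and by what (reputation range or DNSBL). The sample log lines are constructed to follow the usual mail_logs layout; the exact field order is an assumption and should be checked against your own appliance's logs before relying on the regular expressions.

```python
"""Parse Cisco ESA mail_logs text for connection rejections and quarantines.

Added example for this thread; not Cisco's code. The sample lines are
constructed to resemble mail_logs output (assumed layout, verify locally).
"""
import re

# Constructed sample mail_logs lines (not captured from a real appliance).
SAMPLE_MAIL_LOG = """\
Tue Aug 20 14:03:12 2013 Info: New SMTP ICID 101 interface Data 1 (192.0.2.10) address 198.51.100.5 reverse dns host mx1.example.org verified yes
Tue Aug 20 14:03:12 2013 Info: ICID 101 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 2.3
Tue Aug 20 14:03:13 2013 Info: Start MID 5001 ICID 101
Tue Aug 20 14:03:13 2013 Info: MID 5001 ICID 101 From: <alice@example.org>
Tue Aug 20 14:03:13 2013 Info: MID 5001 ICID 101 RID 0 To: <bob@example.com>
Tue Aug 20 14:03:14 2013 Info: MID 5001 quarantined to "Policy" (content filter:Block_Executables)
Tue Aug 20 14:03:20 2013 Info: New SMTP ICID 102 interface Data 1 (192.0.2.10) address 203.0.113.77 reverse dns host spam.badsender.test verified no
Tue Aug 20 14:03:20 2013 Info: ICID 102 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -6.4
Tue Aug 20 14:03:31 2013 Info: New SMTP ICID 103 interface Data 1 (192.0.2.10) address 203.0.113.78 reverse dns host relay.badsender.test verified yes
Tue Aug 20 14:03:31 2013 Info: ICID 103 REJECT SG BLACKLIST match dnslist[bl.example.net] SBRS None
"""

# Assumed line shapes; adjust if your mail_logs differ.
NEW_ICID_RE = re.compile(
    r"New SMTP ICID (\d+) .*? address (\S+) reverse dns host (\S+) verified (\S+)")
VERDICT_RE = re.compile(r"ICID (\d+) (ACCEPT|REJECT) SG (\S+) match (\S+)")
MID_ICID_RE = re.compile(r"Start MID (\d+) ICID (\d+)")
QUAR_RE = re.compile(r'MID (\d+) quarantined to "([^"]+)" \((.*)\)')


def parse_mail_log(text):
    """Return (connections, quarantines).

    connections: ICID -> {ip, host, verified, verdict, sender_group, match}
    quarantines: list of {mid, icid, quarantine, reason}
    """
    connections = {}
    mid_to_icid = {}
    quarantines = []
    for line in text.splitlines():
        m = NEW_ICID_RE.search(line)
        if m:
            icid, ip, host, verified = m.groups()
            connections[icid] = {"ip": ip, "host": host, "verified": verified == "yes",
                                 "verdict": None, "sender_group": None, "match": None}
            continue
        m = VERDICT_RE.search(line)
        if m:
            icid, verdict, sender_group, match = m.groups()
            # A verdict may appear without a preceding "New SMTP ICID" line
            # if the log was truncated; keep the record anyway.
            conn = connections.setdefault(
                icid, {"ip": None, "host": None, "verified": False})
            conn.update(verdict=verdict, sender_group=sender_group, match=match)
            continue
        m = MID_ICID_RE.search(line)
        if m:
            mid_to_icid[m.group(1)] = m.group(2)
            continue
        m = QUAR_RE.search(line)
        if m:
            mid, quarantine, reason = m.groups()
            quarantines.append({"mid": mid, "icid": mid_to_icid.get(mid),
                                "quarantine": quarantine, "reason": reason})
    return connections, quarantines


def reject_reason(match):
    """Turn the 'match' field into a readable cause: SBRS range or DNSBL name."""
    if match.startswith("sbrs["):
        return "reputation " + match[len("sbrs"):]
    if match.startswith("dnslist["):
        return "DNSBL " + match[len("dnslist["):-1]
    return match


def rejections_for_domain(connections, domain):
    """Rejected ICIDs whose reverse-DNS host is `domain` or a subdomain of it."""
    domain = domain.lower()
    suffix = "." + domain
    result = []
    for icid, c in sorted(connections.items(), key=lambda kv: int(kv[0])):
        host = (c.get("host") or "").lower()
        if c.get("verdict") == "REJECT" and (host == domain or host.endswith(suffix)):
            result.append((icid, host, c["sender_group"], reject_reason(c["match"])))
    return result


if __name__ == "__main__":
    conns, quars = parse_mail_log(SAMPLE_MAIL_LOG)
    for icid, host, sg, why in rejections_for_domain(conns, "badsender.test"):
        print(f"ICID {icid} from {host}: REJECT by sender group {sg} ({why})")
    for q in quars:
        print(f"MID {q['mid']} (ICID {q['icid']}) -> quarantine {q['quarantine']}: {q['reason']}")
```

Run it against a downloaded mail_logs file by replacing `SAMPLE_MAIL_LOG` with the file's contents; a rejected connection never reaches the MID stage, so the ICID-level verdict, not a message record, is where a reputation or DNSBL block shows up.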
Thanks for the reply. I went ahead and started monitoring the log you specified; however, I noticed that under Sys Admin --> Log Subscriptions I see the option to output via FTP, but I thought I could download them through the website?
FTP is just one of the log retrieval methods available. If you wish to use FTP, you would need to ensure FTP is enabled on the IP interface of the ESA. If you do plan on pushing these logs off of the device, we highly recommend first creating a mirrored log (i.e. a secondary mail_log) so that Support still has the primary logs available to review when troubleshooting. At that point, you would then SCP/syslog/FTP/etc. the secondary log that was set up.
Here's some more info:
I am aware of the FTP route; however, from the documentation I am seeing, I should be able to log in to my device, go to Log Subscriptions and download any of the logs I want to review. However, I am not seeing a link to download any of them. Does this need to be set up somewhere that I am missing in the instructions?
This could be the case if you have multiple appliances in a cluster and the logs are at the cluster level.
You could try ftp://IP_of_the_appliance to review the logs on a particular appliance.
Note: The IP mentioned above should have FTP access enabled under Network -> IP Interfaces.
I do have a cluster set up with 2 appliances and a third being the quarantine. I inherited the environment and am trying to track down everything I need to review some of the SenderBase logs to see if a particular domain is being blocked and by what.
Thanks for the help.