Best Logs To Subscribe To?

Hello, I am attempting to dive into the logs of our Cisco C300V and I am wondering which logs I should be subscribing to and reviewing? We are using Cisco's Rep Filters, a couple of DNSBLs, some content filtering, etc. I want to get some insight as to what it is dropping for connections, what it is quarantining, etc., and have these logs sent to a repository for review.

Can anyone give me some insight as to which logs to review? Also, what are you using to parse and review the logs?

Thanks for your time. 

Joe

Cisco Employee

Hi Joe,

Emails blocked by reputation filtering by SenderBase or DNSBLs and by content filtering are all logged under the IronPort text mail_logs.

We can use the command grep to parse through the mail_logs; alternatively, you can push these logs to syslog or FTP servers and use third-party tools to parse the logs. However, there are no recommendations on which method to use.

I would, however, recommend reviewing the available reports under the Monitor tab, which would be easier than parsing through the mail logs.

Thanks
Libin Varghese
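As an added illustration of the "parse the mail_logs with your own tooling" route mentioned above (this is not code from the thread or from Cisco), the script below pairs each "New SMTP ICID" connection line with its HAT verdict line and lists the connections from a given reverse-DNS domain that were rejected, together with the sender group and the reputation or DNSBL match that caused it. The sample lines are constructed to approximate the mail_logs text format and are not real log data.

```python
import re
from collections import OrderedDict

# Constructed sample lines approximating the ESA mail_logs text format (not real data).
SAMPLE_MAIL_LOGS = """\
Mon Mar  2 14:00:00 2020 Info: New SMTP ICID 1045 interface Data 1 (10.10.1.5) address 203.0.113.7 reverse dns host mta1.partner.example verified yes
Mon Mar  2 14:00:00 2020 Info: ICID 1045 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Mon Mar  2 14:00:01 2020 Info: New SMTP ICID 1046 interface Data 1 (10.10.1.5) address 198.51.100.9 reverse dns host mta2.partner.example verified yes
Mon Mar  2 14:00:01 2020 Info: ICID 1046 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -5.4
Mon Mar  2 14:00:02 2020 Info: New SMTP ICID 1047 interface Data 1 (10.10.1.5) address 192.0.2.33 reverse dns host relay.partner.example verified no
Mon Mar  2 14:00:02 2020 Info: ICID 1047 REJECT SG BLACKLIST match dnslist[bl.example.org] SBRS None
"""

# Connection line: ICID, connecting IP, reverse-DNS host and whether it verified.
NEW_ICID = re.compile(r"New SMTP ICID (\d+) .* address (\S+) reverse dns host (\S+) verified (\S+)")
# HAT verdict line: ICID, verdict, sender group, match reason (sbrs[...] or dnslist[...]) and SBRS score.
VERDICT = re.compile(r"ICID (\d+) (ACCEPT|REJECT|TCPREFUSE|RELAY) SG (\S+) match (\S+) SBRS (\S+)")


def parse_connections(text):
    """Return {icid: {...}} combining each connection line with its HAT verdict line."""
    conns = OrderedDict()
    for line in text.splitlines():
        m = NEW_ICID.search(line)
        if m:
            icid, ip, host, verified = m.groups()
            conns[icid] = {"ip": ip, "host": host, "verified": verified == "yes"}
            continue
        m = VERDICT.search(line)
        if m:
            icid, verdict, group, reason, sbrs = m.groups()
            conns.setdefault(icid, {})
            conns[icid].update({"verdict": verdict, "group": group, "reason": reason, "sbrs": sbrs})
    return conns


def blocked_for_domain(text, domain):
    """List (icid, host, sender group, match reason) for rejected connections from `domain`."""
    domain = domain.lower()
    return [
        (icid, c["host"], c["group"], c["reason"])
        for icid, c in parse_connections(text).items()
        if c.get("verdict") == "REJECT"
        and (c.get("host", "").lower() == domain or c.get("host", "").lower().endswith("." + domain))
    ]


if __name__ == "__main__":
    for row in blocked_for_domain(SAMPLE_MAIL_LOGS, "partner.example"):
        print(row)
```

Run against a mail_logs file pushed to your syslog or FTP repository, the same two functions answer "is this domain being rejected, and by which sender group and reputation or DNSBL match".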


Libin,

Thanks for the reply. I went ahead and started monitoring the log you specified; however, I noticed that under Sys Admin --> Log Subscriptions I see the option to output via FTP, but I thought I could download them through the website?

Joe


Hello Joe,

FTP is just one of the log retrieval methods available. If you wish to use FTP, you would need to ensure FTP is enabled on the IP Interface of the ESA. If you do plan on pushing these logs off of the device, we highly recommend first creating a mirrored log (i.e. a secondary mail_log) so that Support still has the primary logs available to review when troubleshooting. At that point, you would then SCP/Syslog/FTP/etc. the secondary log that was set up.

Here's some more info:

ESA Logging

ESA Logging Retrieval Methods

Thanks!

-Dennis M.


Dennis,

I am aware of the FTP route; however, from the documentation I am seeing, I should be able to log in to my device, go to Log Subscriptions and download any of the logs I want to review. However, I am not seeing a link to download any of them. Does this need to be set up somewhere that I am missing in the instructions?

Joe


Click on the directory name listed under the "Log files" column.

They're links to the files... it might require you to log in again...


This is what I am seeing under Log Subscriptions; I don't have a link to download them at all. Is there a config setting I am missing?


Hi,

This could be if you have multiple appliances in a cluster and the logs are at the cluster level.

You could try ftp://IP_of_the_appliance to review the logs on a particular appliance.

Note: The IP mentioned above should have FTP access enabled under Network -> IP Interfaces.

Thanks

Libin Varghese


I do have a cluster set up with 2 appliances and a third being the quarantine. I inherited the environment and am trying to track down everything I need to review some of the SenderBase logs to see if a particular domain is being blocked and by what.

Thanks for the help. 

Joe
