01-20-2015 06:25 PM
Hi,
I would like to know if there is a way to monitor, in real time, the emails that hit a policy, and which policies they have violated, so that we know what we should add to the policy to minimize false positives.
Thank you!
01-21-2015 07:06 AM
To view real time logs, you can establish ssh to the ESA and:
- tail
- 16 (mail logs)
You can also use Monitor -> Message Tracking to see message details.
You can use gathered information to fine tune incoming mail policies.
01-21-2015 04:11 PM
Thank you for your response. I do apologize, I am still new to this product and not sure if I am asking the correct question. When you establish SSH to the ESA, does it also give you a view of which policy an email violates? I have checked Monitor > Message Tracking and this is not (for now) what we want to evaluate. Please advise.
Thank you!
01-26-2015 09:39 PM
I believe when a DLP policy violation is found it'll be seen as:
Info: MID 212 DLP violation
In the mail logs.
So if you want to find the MIDs which hit a violation you'd run this command in the CLI.
CLI > grep -i "DLP violation" mail_logs
This will bring up all matches of violation.
then grep "MID XXXX" mail_logs to see what email details it was.
To find out which DLP policy was matched, you may need to change the mail_logs to 'debug' level.
GUI > System Admin > Log Subscriptions > Click on the mail_logs and change to debug (there is a lot more information here)
or CLI > logconfig > edit > (number of mail_logs) and change it here
Commit changes.
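The two CLI steps in the answer above (find the MIDs that logged a DLP violation, then pull every line for each MID) can be run offline against a saved copy of mail_logs. The following is an added example, not code from the thread or from Cisco; the sample log excerpt is constructed, with only the "MID <n> DLP violation" line shape taken from the post, while the From/To/Subject line formats and the regular expressions that read them are assumptions for illustration. It also guards a pitfall of the second step: a plain grep for "MID 21" would also match MID 212, 213 and 214, so the MID match is anchored on word boundaries.

```python
import re

# Constructed sample in the style of an ESA mail_logs excerpt (not real appliance output).
# Only the "MID <n> DLP violation" line follows the shape quoted in the post above;
# the From/To/Subject line layouts are assumed for this example.
SAMPLE_MAIL_LOGS = """\
Mon Jan 26 21:30:01 2015 Info: MID 212 ICID 4411 From: <alice@example.com>
Mon Jan 26 21:30:01 2015 Info: MID 212 ICID 4411 RID 0 To: <bob@partner.example>
Mon Jan 26 21:30:02 2015 Info: MID 212 Subject 'Q4 payroll export'
Mon Jan 26 21:30:03 2015 Info: MID 212 DLP violation
Mon Jan 26 21:31:10 2015 Info: MID 213 ICID 4412 From: <carol@example.com>
Mon Jan 26 21:31:10 2015 Info: MID 213 ICID 4412 RID 0 To: <dave@example.com>
Mon Jan 26 21:31:11 2015 Info: MID 213 Subject 'lunch?'
Mon Jan 26 21:31:12 2015 Info: Message finished MID 213 done
Mon Jan 26 21:32:40 2015 Info: MID 214 ICID 4413 From: <erin@example.com>
Mon Jan 26 21:32:40 2015 Info: MID 214 ICID 4413 RID 0 To: <frank@partner.example>
Mon Jan 26 21:32:41 2015 Info: MID 214 Subject 'customer list'
Mon Jan 26 21:32:42 2015 Info: MID 214 DLP violation
"""

MID_RE = re.compile(r"\bMID (\d+)\b")
VIOLATION_RE = re.compile(r"DLP violation", re.IGNORECASE)
FROM_RE = re.compile(r"From: <([^>]*)>")       # assumed line layout
TO_RE = re.compile(r"To: <([^>]*)>")           # assumed line layout
SUBJECT_RE = re.compile(r"Subject '([^']*)'")  # assumed line layout


def violating_mids(log_text):
    """Step 1 of the post: grep -i "DLP violation" mail_logs, reduced to the
    distinct MIDs in order of first appearance."""
    mids = []
    for line in log_text.splitlines():
        if VIOLATION_RE.search(line):
            m = MID_RE.search(line)
            if m and m.group(1) not in mids:
                mids.append(m.group(1))
    return mids


def lines_for_mid(log_text, mid):
    """Step 2 of the post: grep "MID XXXX" mail_logs. The \\b anchors stop
    "MID 21" from also matching MID 212, 213 and 214."""
    pattern = re.compile(r"\bMID %s\b" % re.escape(str(mid)))
    return [line for line in log_text.splitlines() if pattern.search(line)]


def summarize_mid(log_text, mid):
    """Collect sender, recipients, subject and the raw violation lines for one MID,
    which is what you need in hand when deciding how to tune the policy."""
    summary = {"mid": mid, "from": None, "to": [], "subject": None,
               "violation_lines": []}
    for line in lines_for_mid(log_text, mid):
        m = FROM_RE.search(line)
        if m:
            summary["from"] = m.group(1)
        m = TO_RE.search(line)
        if m:
            summary["to"].append(m.group(1))
        m = SUBJECT_RE.search(line)
        if m:
            summary["subject"] = m.group(1)
        if VIOLATION_RE.search(line):
            summary["violation_lines"].append(line)
    return summary


def dlp_report(log_text):
    """Full pass: one summary per MID that logged a DLP violation."""
    return [summarize_mid(log_text, mid) for mid in violating_mids(log_text)]


if __name__ == "__main__":
    for entry in dlp_report(SAMPLE_MAIL_LOGS):
        print("MID %s  from=%s  to=%s  subject=%r" % (
            entry["mid"], entry["from"], ",".join(entry["to"]), entry["subject"]))
        for raw in entry["violation_lines"]:
            print("    " + raw)
```

To run it against a real export, replace SAMPLE_MAIL_LOGS with the contents of the saved mail_logs file; with the log subscription at debug level, as the post suggests, the violation_lines list is where the extra policy detail will show up, so it is the field to inspect when working out which rule produced a false positive.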
01-26-2015 10:08 PM
Hi Matthew,
Thanks for the info. I will be using this after we have set up the test environment. For the policy testing, do you have any suggestions or recommendations we can follow? I have seen a doc on the Cisco website regarding the custom testing of a policy: http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118537-technote-esa-00.pdf
Please advise.
Thanks!
01-26-2015 10:19 PM
Hello,
There are no 'true' recommendations on what would be best.
But this comes down to your local requirements on how strict you would like it to be.
Nevertheless, the article provided is a good starting point for the customizations that can be done, and you will just need to tune it to your requirements.
I
01-26-2015 10:33 PM
Hi Matthew,
I guess will just try this policy for testing. Thanks for the response. Can I get back to this thread if I have some other clarifications?
Thanks a lot have a nice day!
01-26-2015 10:41 PM
That's fine, I'll be happy to assist with your general concerns through this medium.
However, should the issue start requiring detailed log reviews and such, I would suggest opening a case for deeper troubleshooting.
As I don't think we would like to put your system information on a public forum :)
01-26-2015 10:50 PM
Hi Matthew,
Yes, that's right. For security purposes. Thanks for the recommendations again. I'll be getting back to you once we have problems with the testing.
Thanks again! :)