Clarification on emails released from Quarantine

karajulu1
Level 1

Hi All,

I need assistance in understanding the Email Quarantine in ESA and the logs when it is released from the Quarantine.

1. Is it possible to find out who released the email from the Email Quarantine (user ID)?

2. I have an issue - where the message log says as below

Message XXXXXX released from Quarantine Outbreak after 86454 seconds. Reason : expiration.

The above message was quarantined to Executable in the ESA - which has the below configuration.

Retention Period : 21 days

Default Action : Delete

Free up space by applying default action on message upon space overflow. - this alone is checked.

Can anyone advise on this?

Many thanks in advance.


dmccabej
Cisco Employee

Hello,

In order to try and narrow down who released the message you will need to search for the time range it was released either in the euqgui_logs (Spam Quarantine) or the gui_logs (PVO Quarantines). From there, you can then look and see who was logged in and on that page at the given time.

Regarding your second question... It looks like you're referring to the Outbreak quarantine. The Outbreak 'retention' settings are actually listed on the Mail Policy itself. You can find them in the GUI under Mail Policies --> Incoming/Outgoing Mail Policies --> Outbreak Filters (screenshot below).

By default this is set to 1 day for Viral attachments, which would match your expiration above.

Hopefully this helps to clarify. 

Thanks!

-Dennis M.

Hi Dennis,

Thanks for the clarification.

I could see the same configuration in the Outbreak Filter.

Regarding the first question, is there any command in CLI to check who logged in and out on the appliance (with time stamp) or is it possible to check via GUI?

Please advise.

Thanks in advance,

You can perform a grep with something similar to below. I don't believe we have anything currently available in the GUI for this information, although it would be very helpful.

test.lab.local> grep "Nov 16.*login" gui_logs

Wed Nov 16 22:19:22 2016 Info: login:X.X.X.X user:admin session:7rsWDa077Nty2EtHArYA The HTTPS session has been established successfully.

Hopefully that helps! :)

Thanks!

-Dennis M.
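
The correlation described in the replies above, as an added example that is not part of the original posts: it parses gui_logs login lines in the layout shown in the grep output and lists the sessions established in a window before a known release time. The function names, the window size and the sample lines (documentation IP addresses, made-up users and session IDs) are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Login line layout as shown in the gui_logs excerpt in this thread.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} [ \d]\d \d{2}:\d{2}:\d{2} \d{4}) Info: "
    r"login:(?P<ip>\S+) user:(?P<user>\S+) session:(?P<session>\S+)"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

def parse_logins(lines):
    """Yield (time, user, ip, session) for every login line; skip the rest."""
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if m:
            # Collapse the padding used for single-digit days before parsing.
            ts = datetime.strptime(" ".join(m["ts"].split()), TS_FORMAT)
            yield ts, m["user"], m["ip"], m["session"]

def candidates(lines, release_time, window_hours=8):
    """Logins made within window_hours before release_time, newest first."""
    start = release_time - timedelta(hours=window_hours)
    hits = [e for e in parse_logins(lines) if start <= e[0] <= release_time]
    return sorted(hits, key=lambda e: e[0], reverse=True)

# Constructed sample data, not real log content.
SAMPLE = """\
Wed Nov 16 09:02:11 2016 Info: login:192.0.2.10 user:admin session:AAAAconstructed0001 The HTTPS session has been established successfully.
Wed Nov 16 21:40:05 2016 Info: login:192.0.2.22 user:helpdesk1 session:BBBBconstructed0002 The HTTPS session has been established successfully.
Wed Nov 16 22:19:22 2016 Info: login:192.0.2.10 user:admin session:CCCCconstructed0003 The HTTPS session has been established successfully.
Wed Nov 16 23:55:40 2016 Info: login:192.0.2.31 user:operator2 session:DDDDconstructed0004 The HTTPS session has been established successfully.
""".splitlines()

if __name__ == "__main__":
    # Release time taken by hand from the message log entry (assumed value).
    release = datetime(2016, 11, 16, 22, 30, 0)
    for ts, user, ip, session in candidates(SAMPLE, release, window_hours=2):
        print(ts, user, ip, session)
```

A login inside the window only shows that the account had a GUI session around the release time, so treat the output as a shortlist to check against the quarantine page activity rather than as proof of who released the message.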

Thank you so much.

You're very welcome! I'm glad I was able to help out and hopefully that answered your question/s. :)

Thanks!

-Dennis M.