05-17-2016 01:40 AM
Hi All,
I need to save only the antispam verdict logs on an external repository.
Taking a look at the mail_logs, 2 CASE logs are present.
By default an antispam log is also present, but no CASE verdict information is reported inside this file in the same time frame.
Does anyone know if there is a specific file where ESA writes the CASE engine logs other than mail_logs?
Thanks
Gabriele
05-18-2016 05:40 PM
Hello Gabriele,
The mail_logs are the only available logs which will show the CASE verdict information as it is matched against the MID (email itself) that had triggered that verdict.
The antispam logs are there to show the actual antispam process, so you can see if there are any possible problems with the engine should they arise.
Alternatively you can run a grep command on the mail_logs to pull all verdict results, or refer to GUI > Monitor > Message Tracking > click Advanced and tick the Spam Positive/Suspect check boxes, search for this and export it to CSV for the daily reports or so.
Else, you can also refer to GUI > Monitor > Overview for the overall information.
Regards,
Matthew
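One way to do the grep step Matthew describes on an exported copy of mail_logs, as an added example that is not from this thread or from Cisco; it assumes the CASE verdict lines have the form "MID <n> using engine: CASE spam <positive|suspect|negative>" and runs over a constructed sample excerpt:

```shell
#!/bin/sh
# Added example, not from the thread: pull CASE anti-spam verdicts out of an
# exported ESA mail_logs file and build a small daily report from them.
# ASSUMPTION: verdict lines read "... MID <n> ... using engine: CASE spam <verdict>";
# check the pattern against your own appliance's mail_logs before relying on it.

# Constructed sample excerpt (not real ESA output).
SAMPLE_LOG="${TMPDIR:-/tmp}/mail_logs.sample"
cat > "$SAMPLE_LOG" <<'EOF'
Tue May 17 01:40:01 2016 Info: MID 1001 ICID 501 From: <alice@example.com>
Tue May 17 01:40:02 2016 Info: MID 1001 using engine: CASE spam positive
Tue May 17 01:40:02 2016 Info: MID 1001 interim AV verdict using Sophos CLEAN
Tue May 17 01:40:05 2016 Info: MID 1002 using engine: CASE spam negative
Tue May 17 01:40:09 2016 Info: MID 1003 using engine: CASE spam suspect
Tue May 17 01:40:12 2016 Info: MID 1004 using engine: CASE spam positive
EOF

# Print "<MID> <verdict>" for every CASE verdict line in the given log file.
case_verdicts() {
    grep 'using engine: CASE spam' "$1" |
        sed -n 's/.*MID \([0-9][0-9]*\).*using engine: CASE spam \([a-z]*\).*/\1 \2/p'
}

# Count verdicts of one kind (positive, suspect or negative); prints 0 if none.
count_verdict() {
    case_verdicts "$1" | awk -v v="$2" '$2 == v { n++ } END { print n + 0 }'
}

# Daily report: verdict counts plus the MIDs that were flagged positive or suspect.
case_report() {
    echo "positive: $(count_verdict "$1" positive)"
    echo "suspect:  $(count_verdict "$1" suspect)"
    echo "negative: $(count_verdict "$1" negative)"
    echo "flagged MIDs:"
    case_verdicts "$1" | awk '$2 != "negative" { print "  " $1 " (" $2 ")" }'
}

case_report "$SAMPLE_LOG"
```

Point `case_report` at a real exported mail_logs file instead of `$SAMPLE_LOG` to produce the same summary for a day's traffic.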
09-27-2017 04:30 AM
Hello,
Is there any way to debug or ask TAC to debug the findings of the CASE Engine, so you can determine why an email is a positive spam message?
Regards
Derek
09-27-2017 05:48 AM
TAC will work with our Talos team in order to review and make a determination on Spam/Ham messages. You will need to submit the email for review and open a support case if you feel there is warranted information pertaining to a Spam/Ham message.
The information shared may not be entirely what you are after --- as we will still retain internal information and scoring reasons. That process of the "why" will not be relayed to a customer.
Info on submitting email messages to Cisco:
ESA FAQ: How to submit email messages to Cisco
09-28-2017 09:02 AM
Hi
Thank you for the swift and detailed reply. I suppose we would like to know if it's the content of the body, the attachment, or the IP reputation of the sender, so we can direct the sender to improve on this aspect and reduce the false positive rate for inbound mail.
Best Regards
Derek
10-03-2017 12:15 AM
Specific information such as that would be considered proprietary since the same information in hands of a malicious sender could result in them bypassing the current anti-spam rules.
If there is a specific sender you trust, the recommended approach would be to bypass anti-spam scanning for that domain or sender IP.
Regards,
Libin Varghese