Find all messages rejected because of size

Juraj Ban
Level 1

Hi,

What’s a good way to get all messages that are rejected based on the size of the attachment?

I tried to grep some, but all results are pretty useless.

Accepted Solutions

Robert Sherwin
Cisco Employee

Did you see/try this TechNote:

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118494-technote-esa-00.html

 

Determine Large Messages or Message Size in the Mail Logs for the ESA

From the CLI, use grep to find the size of large messages that have processed through the ESA and have been written into the mail logs.

Message size is based on the message headers, the body of the message, and then any attachments associated to the mail message. All three components of the message will total up to comprise the total bytes of that mail message in the mail logs.

 

Messages That Are 100k to 999k in Size

myesa.local> grep -i "ready ...... bytes" mail_logs

You should get a listing similar to:

Mon Sep 22 12:31:23 2014 Info: MID 7997803 ready 160670 bytes from <Kong@mycompany.com>
Mon Sep 22 12:31:26 2014 Info: MID 7997807 ready 119580 bytes from <JE@mycompany.com>
Mon Sep 22 12:31:27 2014 Info: MID 7997809 ready 198130 bytes from <cau@mycompany.com>
<<<SNIP FOR BREVITY>>>

Here, we can see the first message returned in the list was sent through with total size of 160670 bytes, or .15 megabytes.

 

Messages That Are 1MB to 9.9MB in Size

myesa.local> grep -i "ready ....... bytes" mail_logs

You should get a listing similar to:

Mon Sep 22 10:41:58 2014 Info: MID 7988729 ready 10373660 bytes from <Alex.Smith@there.com>
Mon Sep 22 11:09:49 2014 Info: MID 7991249 ready 16630923 bytes from <rwitherspoon@domain.com>
Mon Sep 22 11:11:21 2014 Info: MID 7991406 ready 12019486 bytes from <cris@mycompany.com>
Mon Sep 22 11:15:34 2014 Info: MID 7991666 ready 12116559 bytes from <cris@mycompany.com>
<<<SNIP FOR BREVITY>>>

Here, we can see the first message returned in the list was sent through with total size of 10373660 bytes, or 9.9 megabytes.

 

Messages That Are 10MB to 99.9MB in Size

myesa.local> grep -i "ready ........ bytes" mail_logs

You should get a listing similar to:

Mon Sep 22 07:08:15 2014 Info: MID 7976074 ready 29503682 bytes from <user@webmail.domain.com>
Mon Sep 22 08:04:19 2014 Info: MID 7977866 ready 14414288 bytes from <mg@mycompany.com>
Mon Sep 22 08:16:09 2014 Info: MID 7978373 ready 34933771 bytes from <dude@lost.com>
Mon Sep 22 08:24:32 2014 Info: MID 7978688 ready 10197589 bytes from <here@mycompany.com>
Mon Sep 22 08:36:05 2014 Info: MID 7979273 ready 19893615 bytes from <etino@mycompany.com>
<<<SNIP FOR BREVITY>>>

Here, we can see the first message returned in the list was sent through with total size of 29503682 bytes, or 28.1 megabytes.

Note: "-i" indicates that the search should be case insensitive.

Note: "." indicates how many characters the search should match. In the above examples, there are 6 periods in the first command, 7 periods in the second command and 8 periods in the third command. For our examples, we are using the matching "." for byte size.

 

I am interested in all messages that are rejected, so they are over 25Mb.

Above command is almost good, but I still need better filter. Or is there any command, so I can paginate results and filter in Excel?

 

If I grep, I only grep last month of data (that is data in mail_logs) but in database I have one year of data. How can I also find that data in database?

Sry.

grep is working I just add:

grep -i "ready [2-9][5-9]...... bytes" mail_logs

 

Garrett Hensley
Level 1

I find that the accepted solution here is incorrect for the exact question. The provided solution only finds accepted messages of the specified sizes. However, it will NOT find messages that are rejected based on size limitations. For that you need to do:

grep -i "Receiving Failed: Message size exceeds limit" mail_logs

The logging on rejected messages is limited. This will get you the ID of the message. Then you can grep for that and see the IP address and mail server it came from. You won't get any message information like sender or subject or anything. It rejects the connection so it doesn't log anything past that.
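
Added example, not part of any post in this thread or of the TechNote: a POSIX shell/awk sketch for a copy of mail_logs exported from the appliance to a workstation. It compares the "ready N bytes" value numerically against a byte threshold and joins each "Receiving Failed: Message size exceeds limit" MID to its connection, writing CSV that opens in a spreadsheet. The function names, the sample lines, and the layout of the "New SMTP ICID" and "Start MID" lines are assumptions.

```shell
#!/bin/sh
# Constructed sample in ESA mail_logs style (not real data). The "ready" and
# "Receiving Failed" lines follow the thread; the "New SMTP ICID ... address"
# and "Start MID ... ICID" layouts are assumptions about the surrounding lines.
sample_log() {
cat <<'EOF'
Mon Sep 22 08:00:01 2014 Info: New SMTP ICID 5001 interface Data1 (192.0.2.10) address 198.51.100.7 reverse dns host mail.example.net verified yes
Mon Sep 22 08:00:02 2014 Info: Start MID 9001 ICID 5001
Mon Sep 22 08:00:09 2014 Info: MID 9001 Receiving Failed: Message size exceeds limit
Mon Sep 22 08:01:00 2014 Info: New SMTP ICID 5002 interface Data1 (192.0.2.10) address 203.0.113.25 reverse dns host unknown verified no
Mon Sep 22 08:01:01 2014 Info: Start MID 9002 ICID 5002
Mon Sep 22 08:01:05 2014 Info: MID 9002 ready 30000000 bytes from <a@example.com>
Mon Sep 22 08:02:01 2014 Info: Start MID 9003 ICID 5002
Mon Sep 22 08:02:05 2014 Info: MID 9003 ready 160670 bytes from <b@example.com>
EOF
}

# Accepted messages of at least $1 bytes, compared numerically rather than
# by digit count. Output CSV: timestamp,MID,bytes,sender
large_accepted() {
  awk -v min="$1" '
    $7 == "MID" && $9 == "ready" && $11 == "bytes" && $10 + 0 >= min + 0 {
      printf "%s %s %s %s %s,%s,%s,%s\n", $1, $2, $3, $4, $5, $8, $10, $13
    }'
}

# Messages rejected for size, joined to the connection that carried them.
# Output CSV: timestamp,MID,ICID,remote_ip,reverse_dns
rejected_for_size() {
  awk '
    $7 == "New" && $8 == "SMTP" && $9 == "ICID" {
      for (i = 10; i < NF; i++) {
        if ($i == "address") addr[$10] = $(i + 1)
        if ($i == "host")    host[$10] = $(i + 1)
      }
    }
    $7 == "Start" && $8 == "MID" && $10 == "ICID" { icid[$9] = $11 }
    $7 == "MID" && /Receiving Failed: Message size exceeds limit/ {
      c = icid[$8]
      printf "%s %s %s %s %s,%s,%s,%s,%s\n", $1, $2, $3, $4, $5, $8, c, addr[c], host[c]
    }'
}
# Usage on an exported log: rejected_for_size < mail_logs > rejected.csv
```

Both functions read the log on standard input, so rotated log files can be concatenated in date order and piped through in one pass.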