11-04-2016 06:59 AM
Hi,
Greetings!!
I would like to find message log entries by using a couple of criteria together (IP address and email address); can you please suggest how? I am able to find email logs with only one criterion, a particular email address or IP address.
For example:
Wed Oct 19 18:23:48 2016 Info: New SMTP ICID 935016945 interface public (10.148.64.12) address 41.72.61.245 reverse dns host unknown verified no
Wed Oct 19 18:23:48 2016 Info: ICID 935016945 REJECT SG BLACKLIST match sbrs[-10.0:-2.0] SBRS -10.0
Wed Oct 19 18:23:48 2016 Info: ICID 935016945 close
I want to find this particular email log by using 41.72.61.245 and BLACKLIST.
Thank you so much!!
11-06-2016 05:05 PM
Hello,
Assuming you have 'Rejected Connection Handling' enabled in Message Tracking, you could also try to perform this search that way. All you would need to do is enter the Sender IP Address and check 'Search rejected connections only'.
As previously stated, grep is typically meant to be used for single line searching, so your request would be unavailable from the CLI. You would need to push the logs off to another server and create a script to search for your results.
Thanks!
-Dennis M.
11-04-2016 08:26 AM
Hi,
The grep feature can only look at the mail logs line by line.
For instance:
grep "Nov 3.*BLACKLIST" mail_logs
This would list all lines containing the terms "Nov 3" and "BLACKLIST".
However, as the sender IP and the word BLACKLIST are on two separate lines, this would not work.
You can choose to push the mail logs to a different server and use third-party tools to parse the mail_logs as per your requirement.
Thanks
Libin Varghese
11-14-2016 08:47 AM
Are you saying that third-party tools means MS Excel, etc.? Can you please suggest which is the best one?
11-14-2016 08:43 AM
Thank you so much, and I just wanted to know: is there any script we can run on the ESA?
11-14-2016 10:24 AM
You're very welcome! :)
Unfortunately, the commands we can run from the CLI of the ESA are limited in regards to searching/scripts. You would want to create a new mirrored copy of the logs, and then push that second copy off via SCP/Syslog to another host. From that host, you could then run custom scripts to parse the logs as you need. The scripts needed would depend on the host you send them to (i.e. Linux, Windows, etc.), but we would not be able to provide that information. You could also use something like Nagios/Graylog/etc. and/or other monitoring/SNMP tools.
More info on Logging here :
Thanks!
-Dennis M.
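The two answers above explain why a single grep cannot answer the original question: the sender IP and the BLACKLIST verdict sit on different lines, joined only by the connection ID (ICID). The script below is an added example of the kind of off-box parser both answers suggest; it is not code from the thread or from Cisco. It groups mail_logs lines by ICID and reports the connections whose combined lines contain every search term. The sample log lines are constructed for the example (modelled on the ones in the question, with two extra connections so the filter has something to reject); the function names are the author's own.

```python
import re
import sys
from collections import defaultdict

# Constructed sample mail_logs content, not real appliance output.
# Connection 935016945 is rejected by BLACKLIST; 935016947 comes from the same
# IP but is accepted, so it must NOT match a search for "41.72.61.245 + BLACKLIST".
SAMPLE_LOG = """\
Wed Oct 19 18:23:48 2016 Info: New SMTP ICID 935016945 interface public (10.148.64.12) address 41.72.61.245 reverse dns host unknown verified no
Wed Oct 19 18:23:48 2016 Info: ICID 935016945 REJECT SG BLACKLIST match sbrs[-10.0:-2.0] SBRS -10.0
Wed Oct 19 18:23:48 2016 Info: ICID 935016945 close
Wed Oct 19 18:24:01 2016 Info: New SMTP ICID 935016946 interface public (10.148.64.12) address 203.0.113.7 reverse dns host mail.example.net verified yes
Wed Oct 19 18:24:01 2016 Info: ICID 935016946 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Wed Oct 19 18:24:02 2016 Info: ICID 935016946 close
Wed Oct 19 18:24:05 2016 Info: New SMTP ICID 935016947 interface public (10.148.64.12) address 41.72.61.245 reverse dns host unknown verified no
Wed Oct 19 18:24:05 2016 Info: ICID 935016947 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Wed Oct 19 18:24:06 2016 Info: ICID 935016947 close
"""

ICID_RE = re.compile(r"\bICID (\d+)\b")


def group_by_icid(lines):
    """Group log lines by the ICID they mention, preserving line order.

    Lines that carry no ICID (for example MID-only delivery lines) are skipped,
    because the question is about connection-level (SBRS / HAT) decisions."""
    groups = defaultdict(list)
    for line in lines:
        m = ICID_RE.search(line)
        if m:
            groups[m.group(1)].append(line.rstrip("\n"))
    return groups


def _contains_token(blob, term):
    """Match `term` only as a whole token so that searching for 1.2.3.4 does not
    also hit 11.2.3.4 or 1.2.3.45 (a plain substring test would)."""
    pattern = r"(?<![\w.])" + re.escape(term) + r"(?![\w.])"
    return re.search(pattern, blob) is not None


def find_connections(lines, *terms):
    """Return {icid: [lines]} for every connection whose combined lines
    contain every term in `terms`, even when each term is on a different line."""
    hits = {}
    for icid, entries in group_by_icid(lines).items():
        blob = "\n".join(entries)
        if all(_contains_token(blob, t) for t in terms):
            hits[icid] = entries
    return hits


if __name__ == "__main__":
    # Usage: python find_icid.py mail_logs 41.72.61.245 BLACKLIST
    # With no arguments the constructed sample above is searched.
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            matches = find_connections(fh, *sys.argv[2:])
    else:
        matches = find_connections(SAMPLE_LOG.splitlines(), "41.72.61.245", "BLACKLIST")
    for icid, entries in matches.items():
        print(f"ICID {icid}:")
        for entry in entries:
            print("  " + entry)
```

Run it against a copy of mail_logs that has been pushed off the appliance (for example by SCP push), passing the IP and the keyword as separate arguments. Correlating on ICID rather than on timestamp is deliberate: several connections can log in the same second, and the "New SMTP ICID" line is the only one that carries the sender IP, so the ICID is what ties the REJECT verdict back to the address.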