How to find a message log of IronPort (ESA) by using a couple of measures like IP address and email address?

pbabu6001
Level 1

Hi,

Greetings!!

I would like to find message logs by using a couple of measures (IP and email address); can you please suggest how? I am able to find email logs with only one measure, a particular email address or IP address.

For example:

Wed Oct 19 18:23:48 2016 Info: New SMTP ICID 935016945 interface public (10.148.64.12) address 41.72.61.245 reverse dns host unknown verified no

Wed Oct 19 18:23:48 2016 Info: ICID 935016945 REJECT SG BLACKLIST match sbrs[-10.0:-2.0] SBRS -10.0
Wed Oct 19 18:23:48 2016 Info: ICID 935016945 close

I want to find this particular email log by using 41.72.61.245 and BLACKLIST. 

Thank you so much!!


Libin Varghese
Cisco Employee

Hi,

The grep feature can only look at the mail logs line by line.

For instance:
grep "Nov 3.*BLACKLIST" mail_logs

This would list all lines containing the terms Nov 3 and BLACKLIST.

However, as the sender IP and the word BLACKLIST are on two separate lines, this would not work.

You can choose to push the mail logs to a different server and use third-party tools to parse the mail_logs as per your requirement.

Thanks
Libin Varghese

Are you saying that third-party tools means MS Excel, etc.? Can you please suggest which is the best one?

dmccabej
Cisco Employee

Hello,

Assuming you have 'Rejected Connection Handling' enabled in Message Tracking, you could also try to perform this search that way. All you would need to do is enter the Sender IP Address and check 'Search rejected connections only'.

As previously stated, grep is typically meant to be used for single line searching, so your request would be unavailable from the CLI. You would need to push the logs off to another server and create a script to search for your results.

Thanks!

-Dennis M.

pbabu6001
Level 1

Thank you so much, and I just wanted to know eagerly: is there any script we can run in the ESA?

You're very welcome! :)

Unfortunately, the commands we can run from the CLI of the ESA are limited with regard to searching/scripts. You would want to create a new mirrored copy of the logs, and then push that second copy off via SCP/Syslog to another host. From that host, you could then run custom scripts to parse the logs as you need. The scripts needed would depend on the host you send them to (i.e. Linux, Windows, etc.), but we would not be able to provide that information. You could also use something like Nagios, Graylog, etc. and/or other monitoring/SNMP tools.

More info on logging here:

ASyncOS Logging

Thanks!

-Dennis M.
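Since grep on the appliance matches one line at a time, the correlation has to happen on the host the log copy is pushed to. The following is an added example (not from this thread, Cisco, or the ESA itself) of the kind of script Libin and Dennis describe: it groups mail_logs lines by connection ID (ICID) and reports the connections whose sender IP and a keyword such as BLACKLIST both appear, even though they sit on different lines. The sample lines are constructed in the format shown in the question.

```python
import re

# Constructed sample in the mail_logs format quoted in the thread (not real traffic).
SAMPLE_LOG = """\
Wed Oct 19 18:23:48 2016 Info: New SMTP ICID 935016945 interface public (10.148.64.12) address 41.72.61.245 reverse dns host unknown verified no
Wed Oct 19 18:23:48 2016 Info: ICID 935016945 REJECT SG BLACKLIST match sbrs[-10.0:-2.0] SBRS -10.0
Wed Oct 19 18:23:48 2016 Info: ICID 935016945 close
Wed Oct 19 18:24:01 2016 Info: New SMTP ICID 935016946 interface public (10.148.64.12) address 203.0.113.7 reverse dns host mail.example.net verified yes
Wed Oct 19 18:24:01 2016 Info: ICID 935016946 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Wed Oct 19 18:24:02 2016 Info: ICID 935016946 close
"""

ICID_RE = re.compile(r"\bICID (\d+)\b")
# The 'address' field on the 'New SMTP ICID' line is the remote sender;
# the IP in parentheses after 'interface' is the listener and is deliberately skipped.
NEW_CONN_RE = re.compile(r"New SMTP ICID (\d+) .*?\baddress (\S+)")


def group_connections(lines):
    """Group mail_logs lines by connection (ICID).

    A 'New SMTP ICID' line always opens a fresh group, so an ICID number the
    appliance reuses later in a long log is not merged with the earlier connection.
    """
    open_groups = {}   # icid -> the group currently collecting lines for that ICID
    connections = []
    for line in lines:
        line = line.rstrip("\n")
        m = NEW_CONN_RE.search(line)
        if m:
            group = {"icid": m.group(1), "sender_ip": m.group(2), "lines": [line]}
            open_groups[m.group(1)] = group
            connections.append(group)
            continue
        m = ICID_RE.search(line)
        if m and m.group(1) in open_groups:
            open_groups[m.group(1)]["lines"].append(line)
    return connections


def find_connections(lines, sender_ip, keyword):
    """Return connections from sender_ip where any line contains keyword (e.g. 'BLACKLIST')."""
    return [c for c in group_connections(lines)
            if c["sender_ip"] == sender_ip and any(keyword in l for l in c["lines"])]


if __name__ == "__main__":
    # On the collection host, replace SAMPLE_LOG.splitlines() with open("mail_logs").
    for conn in find_connections(SAMPLE_LOG.splitlines(), "41.72.61.245", "BLACKLIST"):
        print("\n".join(conn["lines"]))
```

The same grouping works for any per-connection event (REJECT, ACCEPT, TLS failures) because every line of a connection carries its ICID; message-level events would need a second pass keyed on the MID.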