03-24-2014 10:26 AM
Hello,
We have quite a few users who can release emails. We need to find out who released an encrypted email. When we track the encrypted message through message tracking it shows it was manually released but no credentials are provided. I checked the help command for any useful commands when I ssh'd but nothing seemed useful. Last, findevent, nothing showed who released it.
Does anyone have any ideas?
03-24-2014 11:22 AM
You will need to use 'grep' from the CLI of your appliance(s) in order to view the mail_logs and gui_logs. Use "released" in the mail_logs to get the timeframe of when the mails in question were released. (You may need to verify the MID for the mails in order to verify the particular ones in question.)
Enter the regular expression to grep.
[]> released
Then use 'grep' again to search the timeframe in gui_logs. This should display who carried out the action, or what userID they were logged in with --- showing "user:<userID>" in the log line.
I hope this helps!
-Robert
(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)
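An added example (not part of the post above and not Cisco tooling) that runs the same two-step correlation offline over exported copies of both logs. The timestamp prefix, the sample lines and the 60-second window are assumptions; only the "released" keyword and the "user:<userID>" field come from the thread.

```python
import re
from datetime import datetime, timedelta

# Assumed prefix of each exported log line: "Mon Mar 24 09:14:02 2014 Info: ..."
TS_FORMAT = "%a %b %d %H:%M:%S %Y"
TS_RE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}) ")
MID_RE = re.compile(r"\bMID (\d+)\b")
USER_RE = re.compile(r"\buser:(\S+)")

def parse_ts(line):
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), TS_FORMAT) if m else None

def release_events(mail_lines, mid=None):
    """Yield (timestamp, MID) for mail_logs lines containing 'released'."""
    for line in mail_lines:
        ts = parse_ts(line)
        if ts is None or "released" not in line:
            continue
        m = MID_RE.search(line)
        found = m.group(1) if m else None
        if mid is None or found == mid:
            yield ts, found

def gui_users_near(gui_lines, when, window=timedelta(seconds=60)):
    """Return the userIDs seen in gui_logs within +/- window of 'when'."""
    users = set()
    for line in gui_lines:
        ts, m = parse_ts(line), USER_RE.search(line)
        if ts and m and abs(ts - when) <= window:
            users.add(m.group(1))
    return sorted(users)

def who_released(mail_lines, gui_lines, mid=None, window=timedelta(seconds=60)):
    # More than one user in a window means the timeframe alone is not conclusive.
    return [(ts.isoformat(sep=" "), found, gui_users_near(gui_lines, ts, window))
            for ts, found in release_events(mail_lines, mid)]

# Constructed sample lines (not real appliance output).
MAIL = ["Mon Mar 24 09:14:02 2014 Info: MID 4471 released (constructed sample)",
        "Mon Mar 24 09:40:10 2014 Info: MID 4502 queued for delivery",
        "Mon Mar 24 10:05:31 2014 Info: MID 4519 released (constructed sample)"]
GUI = ["Mon Mar 24 09:13:48 2014 Info: req:192.0.2.10 user:jsmith POST /example",
       "Mon Mar 24 09:30:00 2014 Info: req:192.0.2.11 user:admin GET /example",
       "Mon Mar 24 10:05:29 2014 Info: req:192.0.2.12 user:mlopez POST /example",
       "Mon Mar 24 10:05:50 2014 Info: req:192.0.2.10 user:jsmith GET /example"]

if __name__ == "__main__":
    print(who_released(MAIL, GUI))
```

When a window returns several userIDs, narrow it (for example to a few seconds) or compare the request lines themselves before attributing the release to one account.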
03-25-2014 09:26 AM
I typed in grep on the appliance. It gives me options 1-18 and only those options can be used. mail_logs and gui_logs are not among the options.
For example, I have ftpd_logs, reportqueryd_logs and more.
03-25-2014 10:22 AM
Is your C160 in cluster with another appliance? Have you reconfigured logs at any time? Are your "IronPort Text Mail Logs" named something else perchance in that log name listing? The same for "HTTP Logs"?
If these are not present, you would be advised to create these as 'new' from the 'logconfig' option on the CLI. Then, you will have a running log of all mail actions of the appliance, and also all web GUI actions and users, recording the access, options, and actions carried out through GUI.
-Robert