Re: How to write a message filter alert for outbound email count over 10,000 for the day?

Greg Muszynski · ‎09-08-2018

Lets say we usually send no more than 10,000 emails per day and would like to know when we send more, but rather than looking at stale reports, we want to be alerted when it happens. How would we write such a message filter? I currently have one for the workqueue-count, example below, not our actual filter, however I believe the workqueue passes both inbound and outbound mail and I just want to count the outbound messages.

High_Workqueue_Count_Alert:

if (workqueue-count == 100)

{

notify ('admin@ourcompany.com', 'High Workqueue Alert', 'IronPort@ourcompany.com");

}

.

Greg Muszynski · ‎09-10-2018

reply I got from Cisco Tech Support

"At present there is no option to get notified when total mail exceeds a certain limit."

Ken Stieers · ‎09-11-2018

You could look at the reporting API, or SNMP...

Greg Muszynski · ‎09-11-2018

Talk to me Goose!

Replying via email, so I am not sure if this will get posted to the community, as I have never done it before, but we shall see

Ken Stieers · ‎09-11-2018

Looks like there aren't any counters available via SNMP

So its API start here:

https://www.cisco.com/c/en/us/td/docs/security/esa/esa_all/esa_api/b_ESA_API_Getting_Started_Guide/b_ESA_API_Getting_Started_Guide_chapter_00.html

Ken Stieers · ‎09-11-2018

Download Postman from here: https://www.getpostman.com/

Follow the steps in that getting started doc to turn on the API.

Open postman, create a collection and a request (I forget what order it prompts for them)

Select Basic Auth, and enter a username and password

Enter the url/request in the box, try something like this: https://<ESA>:6443/api/v1.0/stats/mail_outgoing_traffic_summary?1d

Hit send.

In your case, you may want to do a time based thing instead of “1d” which is the past 24 hours, if you want your query to be based on calendar day. That's covered in the API doc...