monitor active recipient counts cisco esa

saops2015 · ‎03-28-2019

Hi there,

Is there any way to monitor real time cisco ESA for active recipients count. example if the active count is more than 100 I should be notified.

Thanks,

Praveen Karingula

balaji.bandi · ‎03-29-2019

This can be possible, if you have some hands on scripting

Example : using Linux server, connect to ESA box. do the grep and store in the log file

process the log file, based on your requirement, if the number is more or equal send email to admin(may be your email).

check below reference.

https://thwack.solarwinds.com/docs/DOC-174863

https://www.cisco.com/c/en/us/td/docs/security/esa/esa11-0/user_guide_fs/b_ESA_Admin_Guide_11_0/b_ESA_Admin_Guide_chapter_0100010.pdf

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Paul Thomas Cyblue · ‎04-05-2019

Stats available in
- normal web GUI .../monitor/system_reports/system_status
- normal web GUI .../xml/tophosts
- probably API, haven't bothered with that yet
- CLI / SSH status
- CLI / SSH tophosts > 1 (active recipients)
- CLI / SSH tail > <num> (status)

The status Logs contain ActvRcp 13 UnatmptRcp 4 AtmptRcp 9
But for visibility of the associated domain then scripting at the /xml/tophosts output is probably going to be best.

Later you will need to correlate this with the raw DCID logs to ascertain the reason for the failed delivery attempts.
As Gmail will temporarily reject based on volume to a specific account, which may hide other issues to other gmail accounts or a problem in general.

Oh...see the "Email Security with Cisco IronPort" book for script examples.

marc.luescherFRE · ‎04-05-2019

Another, maybe much more basic way to monitor the workqueue are the follwing two options :

Option a)

System Administration

System health

Modify threshold for maximum messages in workqueue to a good number (100) we have 500

Add an email under Alerts and active Message Delivery as "Critical", edit the alerts settings to match your needs.

Option b)

Write a message filter on the CLI like :

CLIBasicMonitoringv1: if workqueue-count > 100 {

notify ("admin@domain.com", "Workqueue Monitoring Alert");

}

Unless you pull the data from an external system via either syslog or the API you always have the possible limitation that your notification email might get stuck within the email queue. There si supposed to be dedicated task for this but we have seen this happenig in the past before we changed over to moniutor via Splunk.

Paul Thomas Cyblue · ‎04-08-2019

Watch out that the workqueue can be zero, but Active Recipients can be queuing mail for the next hop.

Server receiving and processing, but cannot deliver.
This is one of the more invisible queues, as its after the workqueue so there are no filters to act on the stats.

Unfortunately, you will always have Active Recipients, such as Gmail rejecting due to account receiving too many messages.
So its a figure that is good to become familiar with what is normal for the environment.

marc.luescherFRE · ‎04-08-2019

we have an outstanding feature request for delivery-queue to be exposed in CLI, hopefully we will get it in V13.

sysresuem · ‎02-15-2024

No nes about delivery-queue exposition in CLI or better in WS call to facilitate monitoring ?