Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3887
Views
5
Helpful
6
Replies

Who released an email from quarantine?

Go to solution
peter.gazinoski
Level 1
Level 1

‎11-09-2016 09:12 PM

Is there a way to find out which user released an email from quarantine on the ESAs or SMAs? The logs will show something like MID 1361 released from quarantine "Policy" (manual) but won't show which user actually released the email.

Thanks 

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
dmccabej
Cisco Employee
Cisco Employee

‎11-09-2016 10:05 PM

Hello,

We do not currently have a log tied directly to this action, but you can search through the gui_logs to narrow down which user was viewing the page at that time.

Info needed: Date/Time the message was released from quarantine

The format in the gui_logs would look something like this :

grep "Nov 10 00:48:08" gui_logs

Thu Nov 10 00:47:07 2016 Info: req:X.X.X.X user:admin id:qKy1kqxxb3oUTwQbrZ3c 200 GET /monitor/local_quarantines_dosearch?key=time_added&reason_string=&name=Unclassified&pageSize=20&time_stamp=1478756777.809&reason_code=&dir=desc&pg=1 HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36

Thanks!

-Dennis M.

View solution in original post

6 Replies 6

Go to solution
dmccabej
Cisco Employee
Cisco Employee

‎11-09-2016 10:05 PM

Hello,

We do not currently have a log tied directly to this action, but you can search through the gui_logs to narrow down which user was viewing the page at that time.

Info needed: Date/Time the message was released from quarantine

The format in the gui_logs would look something like this :

grep "Nov 10 00:48:08" gui_logs

Thu Nov 10 00:47:07 2016 Info: req:X.X.X.X user:admin id:qKy1kqxxb3oUTwQbrZ3c 200 GET /monitor/local_quarantines_dosearch?key=time_added&reason_string=&name=Unclassified&pageSize=20&time_stamp=1478756777.809&reason_code=&dir=desc&pg=1 HTTP/1.1 Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36

Thanks!

-Dennis M.

Go to solution
peter.gazinoski
Level 1
Level 1
In response to dmccabej

‎11-10-2016 04:22 PM

Dennis, thanks that worked.

0 Helpful

Go to solution
dmccabej
Cisco Employee
Cisco Employee
In response to peter.gazinoski

‎11-10-2016 06:15 PM

You're very welcome! I'm glad it helped. :)

0 Helpful

Go to solution
carolinageanni
Level 1
Level 1
In response to peter.gazinoski

‎11-11-2016 11:56 AM

:) 

0 Helpful

Go to solution
Pravar
Level 1
Level 1

‎11-10-2016 04:30 AM

Check the message tracking log for the particular message and locate the ID that is mentioned at last while transferring to your quarantine at SMA from ESA. Go to SMA and check for the mail_logs with the particular ID. You will be see the action (delete/release) and the user for the particular message.

0 Helpful

Go to solution
peter.gazinoski
Level 1
Level 1
In response to Pravar

‎11-10-2016 04:26 PM

I can see that it's been release in the logs unfortunately this doesn't show me by whom.

0 Helpful
Customers Also Viewed These Support Documents