
Can I download ES1100 mail logs from the appliance?

...and if I can is there any more detail there than from viewing through Search?

We're currently experiencing a situation where some email (though not all) from a particular domain is not arriving. Their SMTP logs are showing a "Connection timed out", and there is nothing appearing on our logs when I search for their domain as a sender. I'm hoping that these failed connections will be being logged, though they aren't associated with a sender (or recipient). Looking at the dashboard, we seem to be receiving 1 message a second, with a latency of just under 5 secs.

Alistair



  • Hi Alistair,

    You sure can .. under Configuration / System / Backup

    configure your FTP server information. At the bottom are some selectable checkboxes..

    From there you can then import the logs to Splunk .. search them with tools like grep / sed & awk to cut out all of the information you wish.


    System configuration, this will include a copy of your UI configuration.

    Quarantined Messages, this will dump messages from the quarantine as they are expired.

    System logs, there will be two files..


    File #1: is the Postfix log of all mail transactions as they pass from front > back end mail-queues and vice versa depending on the direction of the email.


    Here is a sample: 

    Jun 7 01:54:28 sea postfix/backend/smtpd[93185]: A728138966_9375CD4B: client=localhost.localdomain[127.0.0.1]
    Jun 7 01:54:28 sea postfix/backend/cleanup[93186]: A728138966_9375CD4B: message-id=<B49BABD8.7C09A9CC@usdelivery.com>
    Jun 7 01:54:28 sea postfix/backend/qmgr[22910]: A728138966_9375CD4B: from=<user@devcot.local>, size=7474, nrcpt=1 (queue active)
    Jun 7 01:54:28 sea postfix/smtp[92457]: B937A382F3_9375B07F: to=<user@devcot.local>, relay=127.0.0.1[127.0.0.1]:10025, conn_use=9, delay=461, delays=0/453/0/7.9, dsn=2.0.0, status=sent (250 OK, sent 59375CCC_91432_3_9 A728138966_9375CD4B)

    [message delivered to the 127.0.0.1 address AKA the Milter/processing engine]

    Jun 7 01:54:28 sea postfix/qmgr[17194]: B937A382F3_9375B07F: removed
    Jun 7 01:54:28 sea MessageInfo[91431]: 59375CC9_91431_3_8: [Policy.pm:426] conn times: r=90s u=25.4s s=0.80s
    Jun 7 01:54:28 sea postfix/backend/smtpd[93181]: disconnect from localhost.localdomain[127.0.0.1]
    Jun 7 01:54:28 sea postfix/backend/smtp[93189]: setting up TLS connection to 192.168.5.18[192.168.5.18]:25
    Jun 7 01:54:28 sea postfix/backend/smtp[93189]: 192.168.5.18[192.168.5.18]:25: re-using session with untrusted certificate, look for details earlier in the log
    Jun 7 01:54:28 sea postfix/backend/smtp[93189]: Untrusted TLS connection established to 192.168.5.18[192.168.5.18]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
    Jun 7 01:54:28 sea postfix/backend/smtp[93189]: A728138966_9375CD4B: to=<user@devcot.local>, relay=192.168.5.18[192.168.5.18]:25, delay=0.19, delays=0.1/0/0.04/0.04, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 365EEE0035)
    Jun 7 01:54:28 sea postfix/backend/qmgr[22910]: A728138966_9375CD4B: removed

    [message delivered from the Milter > downstream / exchange]

    You will also see deferred and other non delivery issues.


    The next log is called the messages log and it contains all of the rule hits when the message was processed.. Every message will appear in both logs..

    2017-05-25T03:08:32 q=59375CCC_91432_3_9 f=<user@devcot.local> t=<user@devcot.local> Rule=?q?High_Spam_to_all type=Spam b=ok action=discard h=URI_CLASS_SHD_DOMAIN h=STYLE_RATWARE_COMBINED h=IMGSPAM_BODY h=HTML_70_90 h=HTML_FONT_INVISIBLE h=BODYTEXTH_SIZE_10000_LESS h=BODYTEXTP_SIZE_3000_LESS h=BODYTEXTP_SIZE_400_LESS h=BODY_SIZE_3000_3999 h=BODY_SIZE_5000_LESS h=BODY_SIZE_7000_LESS h=NO_URI_HTTPS h=URI_WITH_PATH_ONLY h=__ANY_URI h=__C230066_P5 h=__CP_URI_IN_BODY h=__CT h=__CTYPE_HAS_BOUNDARY h=__CTYPE_MULTIPART h=__CTYPE_MULTIPART_ALT h=__HAS_FROM h=__HAS_HTML h=__HAS_LIST_HEADER h=__HAS_LIST_UNSUBSCRIBE h=__HAS_MSGID h=__HTML_AHREF_TAG h=__HTML_TAG_CENTER h=__HTML_TAG_DIV h=__HTML_TAG_IMG_X2 h=__HTTP_IMAGE_TAG h=__IMGSPAM_BODY h=__MIME_HTML h=__MIME_TEXT_H h=__MIME_TEXT_H1 h=__MIME_TEXT_H2 h=__MIME_TEXT_P h=__MIME_TEXT_P1 h=__MIME_TEXT_P2 h=__MIME_VERSION h=__MULTIPLE_URI_HTML h=__MULTIPLE_URI_TEXT h=__SANE_MSGID h=__STYLE_TAG h=__SUBJ_ALPHA_END h=__TAG_EXISTS_HTML h=__TO_MALFORMED_2 h=__TO_NO_NAME h=__URI_IN_BODY h=__URI_NOT_IMG h=__URI_NO_MAILTO h=__URI_WITH_PATH h=__ZERO_DOT_MSGID SpamHi inbound p=0.945 S=?q?Regrow_Your_Hair_in_Weeks,_Amazing_New_Cure_for_Hair_loss fur= r=192.168.5.18 tm=45.79 a=d/eom


    q= is the queue id of the message

    Rule= what rule hit with the highest priority "action" (so if a message hits 10 rules, the highest priority rule with an action will be listed)

    action= quarantined, discard, delivered etc.

    p= the spam score in percentage.. 94.5%

    S= subject of email

    r= first relay of the email, this should be the MTA's IP

    the rest of the file is various rules; they will not mean much to humans..

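The two file layouts described in the answer above, as an added worked example (not part of the original thread, and not Sophos or Postfix code): a small Python parser for both files that (1) walks a message from its front-end queue id to the back-end delivery by reading the ids Postfix quotes in the 250 reply, (2) pulls the queue-id-less smtpd connection events for a given remote host, which is where a connection that times out before MAIL FROM would show up since there is no sender to search on, and (3) splits a messages-log record into fields, rule hits and bare flags. Assumptions not stated in the thread: the `?q?` prefix on Rule= and S= is treated as RFC 2047 Q-style encoding (underscore is a space, =XX a hex byte); the Postfix sample is the thread's own plus two constructed `mail.example.net` lines; the messages-log record is the thread's sample with most h= hits dropped.

```python
"""Parser for the two ES1100 log files (added example; not Sophos or Postfix code).

Assumptions not stated in the thread: the ``?q?`` prefix on Rule= and S= marks
RFC 2047 Q-style encoding (``_`` is a space, ``=XX`` a hex byte), and the
messages log is one whitespace-separated record per line.
"""
import quopri
import re
from collections import defaultdict

# Postfix lines are taken from the thread's sample. The two mail.example.net
# lines are constructed: a remote MTA that connects and then times out before
# MAIL FROM leaves only these queue-id-less smtpd events, never a sender.
POSTFIX_LOG = """\
Jun 7 01:54:28 sea postfix/backend/smtpd[93185]: A728138966_9375CD4B: client=localhost.localdomain[127.0.0.1]
Jun 7 01:54:28 sea postfix/backend/qmgr[22910]: A728138966_9375CD4B: from=<user@devcot.local>, size=7474, nrcpt=1 (queue active)
Jun 7 01:54:28 sea postfix/smtp[92457]: B937A382F3_9375B07F: to=<user@devcot.local>, relay=127.0.0.1[127.0.0.1]:10025, conn_use=9, delay=461, delays=0/453/0/7.9, dsn=2.0.0, status=sent (250 OK, sent 59375CCC_91432_3_9 A728138966_9375CD4B)
Jun 7 01:54:28 sea postfix/qmgr[17194]: B937A382F3_9375B07F: removed
Jun 7 01:54:28 sea postfix/backend/smtpd[93181]: disconnect from localhost.localdomain[127.0.0.1]
Jun 7 01:54:28 sea postfix/backend/smtp[93189]: A728138966_9375CD4B: to=<user@devcot.local>, relay=192.168.5.18[192.168.5.18]:25, delay=0.19, delays=0.1/0/0.04/0.04, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 365EEE0035)
Jun 7 01:54:28 sea postfix/backend/qmgr[22910]: A728138966_9375CD4B: removed
Jun 7 01:55:02 sea postfix/smtpd[92460]: connect from mail.example.net[203.0.113.10]
Jun 7 01:55:32 sea postfix/smtpd[92460]: timeout after EHLO from mail.example.net[203.0.113.10]
"""

# Abridged from the thread's messages-log sample (most h= hits dropped).
MESSAGES_LOG = (
    "2017-05-25T03:08:32 q=59375CCC_91432_3_9 f=<user@devcot.local> t=<user@devcot.local> "
    "Rule=?q?High_Spam_to_all type=Spam b=ok action=discard h=URI_CLASS_SHD_DOMAIN "
    "h=STYLE_RATWARE_COMBINED h=IMGSPAM_BODY h=__HAS_LIST_UNSUBSCRIBE h=__ZERO_DOT_MSGID "
    "SpamHi inbound p=0.945 S=?q?Regrow_Your_Hair_in_Weeks,_Amazing_New_Cure_for_Hair_loss "
    "fur= r=192.168.5.18 tm=45.79 a=d/eom"
)

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\S+)\[(\d+)\]: (.*)$")
QUEUE_ID_RE = re.compile(r"^([0-9A-F]+(?:_[0-9A-F]+)+): (.*)$")
# key=value pairs; a value runs up to the next ", key=" so "(250 OK, sent ...)" stays whole
KV_RE = re.compile(r"([\w-]+)=(.*?)(?=, [\w-]+=|$)")
ANY_QUEUE_ID_RE = re.compile(r"\b[0-9A-F]+(?:_[0-9A-F]+)+\b")


def decode_q(value):
    """Decode a ?q?-prefixed value (assumed RFC 2047 Q-style); others pass through."""
    if not value.startswith("?q?"):
        return value
    return quopri.decodestring(value[3:].encode("utf-8"), header=True).decode("utf-8", "replace")


def parse_messages_record(line):
    """One messages-log record -> timestamp, named fields, rule hits and bare flags."""
    tokens = line.split()
    rec = {"timestamp": tokens[0], "fields": {}, "hits": [], "flags": []}
    for tok in tokens[1:]:
        if "=" not in tok:
            rec["flags"].append(tok)          # e.g. SpamHi, inbound
            continue
        key, value = tok.split("=", 1)
        if key == "h":
            rec["hits"].append(value)         # every rule that fired
        else:
            rec["fields"][key] = decode_q(value)
    return rec


def parse_postfix_line(line):
    """Syslog line -> event dict; queue_id is None for connection-level events."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, prog, pid, body = m.groups()
    ev = {"ts": ts, "host": host, "prog": prog, "pid": int(pid),
          "queue_id": None, "fields": {}, "text": body}
    q = QUEUE_ID_RE.match(body)
    if q:
        ev["queue_id"], ev["text"] = q.groups()
        ev["fields"] = dict(KV_RE.findall(ev["text"]))
    return ev


def parse_postfix_log(text):
    return [ev for ev in (parse_postfix_line(l) for l in text.splitlines()) if ev]


def trace_delivery(events, queue_id):
    """Follow a message from its front-end queue id through the back end.

    The 250 reply from 127.0.0.1:10025 quotes the ids the processing engine
    assigned, so the chain can be walked without a message-id join.
    Returns [(queue_id, relay, status), ...] in hop order.
    """
    by_id = defaultdict(list)
    for ev in events:
        if ev["queue_id"]:
            by_id[ev["queue_id"]].append(ev)
    hops, pending, seen = [], [queue_id], set()
    while pending:
        qid = pending.pop(0)
        if qid in seen:
            continue
        seen.add(qid)
        for ev in by_id.get(qid, []):
            f = ev["fields"]
            if "status" in f:
                hops.append((qid, f.get("relay", ""), f["status"].split(" ", 1)[0]))
                pending.extend(i for i in ANY_QUEUE_ID_RE.findall(f["status"]) if i in by_id)
    return hops


def connection_events(events, client):
    """smtpd events without a queue id that mention this host name or IP.

    A remote MTA whose connection dies before MAIL FROM only ever appears
    here; searching by sender domain will not find it.
    """
    return [(ev["ts"], ev["text"]) for ev in events
            if ev["queue_id"] is None and ev["prog"].endswith("smtpd") and client in ev["text"]]


if __name__ == "__main__":
    evs = parse_postfix_log(POSTFIX_LOG)
    print(trace_delivery(evs, "B937A382F3_9375B07F"))
    print(connection_events(evs, "203.0.113.10"))
    r = parse_messages_record(MESSAGES_LOG)
    print(r["fields"]["Rule"], r["fields"]["action"], r["fields"]["S"], len(r["hits"]))
```

Run it against the files pulled from the FTP backup by feeding each file's contents to `parse_postfix_log` or line by line to `parse_messages_record`; for the question in this thread, `connection_events` with the remote domain's MX host name or IP is the lookup that the Search UI cannot do, because those lines carry no sender.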
