
Timestamp in email messages

Sometimes our ISP is causing us grief and there are connectivity problems.

I have set up UTM to check connectivity by pinging global DNSes (like 1.1.1.1 or 8.8.8.8); the UTM also sends out emails whenever connectivity fails. Unfortunately, these emails don't contain a timestamp. Obviously the UTM can't send an email when there are ISP-related issues, so it usually sends two emails once things go back to normal.

But those two emails don't have timestamps - at best, there's the "System Uptime" information, which is OKish, I guess. But it would be far better to have a timestamp, even if just in UTC. Or, better yet, it would be fantastic if the "connectivity restored" email would also contain information about the downtime duration (i.e. "connectivity was restored after ~15 minutes of downtime").

Is there any way to get either the timestamps, or the downtime calculation, in the UTM emails?



  • Have you looked at the internal headers? There should be timestamps there.

  • Indeed! The headers contain the UTM timestamps! :)

    That said, it would be much more user-friendly to have them in the actual email message as well... I take it that's not possible?

  • I think your problem is that the user interface displays a timestamp based on when the message was received, not based on when it was sent.   This is how users expect their new email to appear.  Arrival time is also the only timestamp that cannot be forged.

    I don't have a delayed message available to test this theory, but it must be true because my new messages always display at the top of the Inbox when it is sorted by date.   Since the displayed timestamp is chosen by the receiving system user interface, not by the sending system, it will be out of Sophos' control.

  • Obviously email clients will display the arrival time - that much is true. Again, I was hoping there's a way to put in the "send time" into the message itself, to make it readable. I checked and the header contains this information as well, as the email is sent internally by the UTM and has the following:

    Received: from <hostname> (<IP>) by
     DB5EUR03FT046.mail.protection.outlook.com (10.152.21.230) with Microsoft SMTP
     [...] via Frontend Transport; Tue, 24 Apr 2018 12:06:02 +0000
    Received: by localhost (Postfix, from userid 0)
        id 63B4A1A77; Tue, 24 Apr 2018 13:30:03 +0200 (CEST)

    Note the time difference: sent at 13:30 (Polish time zone, so +2 hours), then received at 12:06 (UTC, so 14:06 Polish time) - meaning the message was sent after 36 minutes.

    Again, the actual "case" I'm trying to deal with is finding out, from the emails, how long our network was down (a case to be made for either reimbursement from our ISP or for changing the ISP entirely). The receive times, as stated above, are not viable for this at all. The readily available "system uptime" information from the emails is helpful, but it's as helpful as the header-contained timestamps - it doesn't convey the information I'm looking for directly and one has to read into it to be able to tell what happened.

    Anyway, I'll mark the first answer as the correct one. It doesn't really solve my issue, but I recognize that what I'm looking for probably isn't available in the current implementation of UTM. Still, it'd be nice if it was available... ;)

  • You are right, it should be in the message body.   Post the request in ideas.sophos.com

  • Apparently, this was already posted by someone else:

    https://ideas.sophos.com/forums/17359-sg-utm/suggestions/2560701-notifications-include-system-time-in-event-notifi

    It's a bit worrisome that the idea was posted in

  • As if it is a difficult change to implement...

  • In the email header, you should see two lines like the following that tell you exactly when the email was generated:

    Received: by localhost (Postfix, from userid 0)
    	id F19xxxxx537; Sun,  3 Jun 2018 13:41:07 -0500 (CDT)

    In the lines above that, you should see when the email was finally sent successfully.

    You could also get this information from smtp.log, and notifier.log would also list the exact moment the alert was generated.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
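
The header comparison discussed in this thread can be automated. The following is an added example, not part of the original posts and not Sophos code: it reads the `Received:` headers of a saved notification and reports when the UTM generated it and how long it waited before the next hop accepted it. The function names are hypothetical, and the sample reuses the headers quoted earlier in the thread with a constructed subject and body.

```python
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers as quoted in the thread (placeholders and "[...]" kept as posted);
# the Subject line and body are constructed for this example.
SAMPLE = (
    "Received: from <hostname> (<IP>) by\n"
    " DB5EUR03FT046.mail.protection.outlook.com (10.152.21.230) with Microsoft SMTP\n"
    " [...] via Frontend Transport; Tue, 24 Apr 2018 12:06:02 +0000\n"
    "Received: by localhost (Postfix, from userid 0)\n"
    "\tid 63B4A1A77; Tue, 24 Apr 2018 13:30:03 +0200 (CEST)\n"
    "Subject: constructed sample\n"
    "\n"
    "constructed body\n"
)


def received_times(raw_message):
    """Return the timestamp of every Received header, newest hop first."""
    msg = message_from_string(raw_message)
    times = []
    for header in msg.get_all("Received", []):
        # The date-time follows the last ';' of the (possibly folded) header.
        _, sep, stamp = header.rpartition(";")
        if not sep:
            continue
        try:
            dt = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            continue  # unparseable stamp: skip this hop
        if dt.tzinfo is None:  # "-0000" parses as naive; treat it as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        times.append(dt)
    return times


def queue_delay(raw_message):
    """Time between local generation (last header) and acceptance (first)."""
    times = received_times(raw_message)
    if len(times) < 2:
        return None
    # Aware datetimes subtract correctly across differing UTC offsets.
    return times[0] - times[-1]


if __name__ == "__main__":
    print("generated:", received_times(SAMPLE)[-1].isoformat())
    print("held for: ", queue_delay(SAMPLE))
```
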