Chapter 5 Logging
Overview
5-10
Cisco IronPort AsyncOS 7.5 for Email Daily Management Guide
OL-25138-01
Log Retrieval Methods
Log files can be retrieved using one of the following file transfer protocols. You set the protocol while creating or editing the log subscription in the GUI, or via the logconfig command during the log subscription process.
Table 5-3 Log Transfer Protocols

Manually Download
This method lets you access log files at any time by clicking a link to the log directory on the Log Subscriptions page, then clicking the log file to access it. Depending on your browser, you can view the file in a browser window, or open or save it as a text file. This method uses the HTTP(S) protocol and is the default retrieval method.
Note
Using this method, you cannot retrieve logs for any computer in a cluster, regardless of level (machine, group, or cluster), even if you specify this method in the CLI.

FTP Push
This method periodically pushes log files to an FTP server on a remote computer. The subscription requires a username, password, and destination directory on the remote computer. Log files are transferred based on a rollover schedule set by you. See also Note About Loading Passwords for Log Subscriptions, page 8-56.

SCP Push
This method periodically pushes log files to an SCP server on a remote computer. This method requires an SSH SCP server on the remote computer using the SSH1 or SSH2 protocol. The subscription requires a username, SSH key, and destination directory on the remote computer. Log files are transferred based on a rollover schedule set by you.

Syslog Push
This method sends log messages to a remote syslog server. This method conforms to RFC 3164. You must submit a hostname for the syslog server and choose either UDP or TCP for log transmission. The port used is 514. A facility can be selected for the log; however, a default for the log type is pre-selected in the dropdown menu. Only text-based logs can be transferred using syslog push.
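Because Syslog Push sends RFC 3164 messages, the collector on the other side has to decode the PRI field (facility * 8 + severity) to route each log subscription correctly, and it has to tolerate the fact that UDP delivery gives no feedback and that neither UDP nor plain TCP syslog authenticates the sender. The following parser is an added example, not Cisco code and not from this guide: the PRI, timestamp, hostname and tag framing of the constructed datagrams is an assumption about what a collector would receive, the message text of the first datagram is borrowed from the mail log sample later in this chapter, and the facility the appliance pre-selects per log type is not assumed.

```python
import re
from datetime import datetime

# RFC 3164 facility and severity codes (section 4.1.1 of the RFC).
FACILITY_NAMES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    12: "ntp", 13: "audit", 14: "alert", 15: "clock",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_HEADER = re.compile(
    rb"^<(?P<pri>\d{1,3})>"                            # PRI: facility * 8 + severity
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # TIMESTAMP "Mmm dd hh:mm:ss", no year
    rb"(?P<host>[^ ]+) "                               # HOSTNAME, unauthenticated
    rb"(?P<msg>.*)$", re.DOTALL)
# TAG is terminated by the first non-alphanumeric character; underscore is allowed
# here so that a subscription name such as mail_logs survives as one tag (assumption).
_TAG = re.compile(rb"^(?P<tag>[A-Za-z0-9_]{1,32})[^A-Za-z0-9_]")


def decode_pri(pri):
    """Split a PRI value into (facility, severity); valid PRI values are 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri >> 3, pri & 7


def parse_rfc3164(datagram, year):
    """Parse one syslog datagram. Returns None for anything that is not well-formed
    RFC 3164 so that junk arriving on UDP/514 is dropped instead of logged as data.
    The year is supplied by the collector because the RFC timestamp carries none."""
    m = _HEADER.match(datagram)
    if not m:
        return None
    pri_field = m.group("pri")
    if len(pri_field) > 1 and pri_field.startswith(b"0"):
        return None  # RFC 3164 forbids leading zeros in PRI
    try:
        facility, severity = decode_pri(int(pri_field))
        ts = datetime.strptime(f"{m.group('ts').decode('ascii')} {year}", "%b %d %H:%M:%S %Y")
    except ValueError:
        return None
    msg = m.group("msg")
    t = _TAG.match(msg)
    tag, content = (t.group("tag"), msg[t.end("tag"):]) if t else (b"", msg)
    return {
        "facility": FACILITY_NAMES[facility],
        "severity": SEVERITY_NAMES[severity],
        "timestamp": ts,
        "host": m.group("host").decode("ascii", "replace"),
        "tag": tag.decode("ascii"),
        "content": content.decode("utf-8", "replace").lstrip(": "),
    }


# Constructed datagrams (not captured from an appliance). <22> = mail.info,
# <163> = local4.err; the third has an invalid PRI, the fourth is not syslog at all.
SAMPLE_DATAGRAMS = [
    b"<22>Apr 17 19:56:22 ironport mail_logs: Info: New SMTP ICID 5 interface Management "
    b"(10.1.1.1) address 10.1.1.209 reverse dns host remotehost.com verified yes",
    b"<163>Apr 17 19:57:20 ironport system_logs: Error: constructed sample line",
    b"<022>Apr 17 19:57:20 ironport mail_logs: leading zero in PRI is not valid",
    b"not a syslog message",
]


def parse_all(datagrams, year):
    """Parse a batch, silently discarding malformed datagrams."""
    return [r for d in datagrams if (r := parse_rfc3164(d, year)) is not None]


if __name__ == "__main__":
    for rec in parse_all(SAMPLE_DATAGRAMS, 2003):
        print(rec["facility"], rec["severity"], rec["tag"], rec["content"][:40])
```

The hostname in the header is whatever the sender put there; a collector that needs to attribute lines to a specific appliance should key on the source address of the connection or datagram and restrict UDP/514 to the appliance's management interface, since plain RFC 3164 over either transport provides no authentication or confidentiality.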
Log Filenames and Directory Structure
Cisco IronPort AsyncOS creates a directory for each log subscription based on the log subscription name. The actual name of the log file in the directory is composed of the log filename specified by you, the timestamp when the log file was started, and a single-character status code. Log filenames are made using the following formula:

/LogSubscriptionName/LogFilename.@timestamp.statuscode

Status codes may be .current or .s (signifying saved). You should only transfer or delete log files with the saved status.
Log Rollover and Transfer Schedule
Log files are created by log subscriptions, and are rolled over (and transferred, if a push-based retrieval option is selected) based on the first user-specified condition reached: maximum file size or scheduled rollover. Use the logconfig command in the CLI or the Log Subscriptions page in the GUI to configure both the maximum file size and the time interval for scheduled rollovers. You can also use the Rollover Now button in the GUI or the rollovernow command in the CLI to roll over selected log subscriptions. See Rolling Over Log Subscriptions, page 5-66 for more information on scheduling rollovers.
Logs retrieved using manual download are saved until they reach the maximum number you specify (the default is 10 files) or until the system needs more space for log files.
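A script that copies or prunes appliance logs needs two rules from the preceding sections: only files whose status code is .s may be transferred or deleted, and a subscription keeps at most a configured number of saved files (10 by default). The following is an added example of those rules in code; it is not from the guide or from Cisco. The directory listing is constructed, and the timestamp layout (YYYYMMDDTHHMMSS) is an assumption used only to make the sample sortable; the code treats the timestamp as an opaque fixed-width string.

```python
import re
from collections import defaultdict

# Formula from this section: /LogSubscriptionName/LogFilename.@timestamp.statuscode,
# where statuscode is "current" (still being written) or "s" (saved).
_LOG_PATH = re.compile(
    r"^/(?P<subscription>[^/]+)/(?P<filename>[^/@]+)\.@(?P<timestamp>[^./]+)\.(?P<status>current|s)$"
)


def parse_log_path(path):
    """Split one log path into its parts; None if it does not follow the formula."""
    m = _LOG_PATH.match(path)
    if m is None:
        return None
    parts = m.groupdict()
    parts["saved"] = parts.pop("status") == "s"
    return parts


def transferable(paths):
    """Files that may be transferred or deleted: saved (.s) only. A .current file is
    still being appended to, so copying it yields a truncated log."""
    return [p for p in paths if (info := parse_log_path(p)) and info["saved"]]


def prune_plan(paths, max_files=10):
    """Saved files that exceed the per-subscription retention count, oldest first.
    max_files mirrors the manual-download default of 10. The .current file is never
    a candidate, and names that do not follow the formula are left alone."""
    by_sub = defaultdict(list)
    for p in paths:
        info = parse_log_path(p)
        if info and info["saved"]:
            by_sub[info["subscription"]].append((info["timestamp"], p))
    to_delete = []
    for files in by_sub.values():
        files.sort()  # timestamp assumed to be a fixed-width, lexically sortable string
        excess = len(files) - max_files
        if excess > 0:
            to_delete.extend(p for _, p in files[:excess])
    return to_delete


# Constructed listing (not from the guide); the timestamp format is an assumption.
SAMPLE_PATHS = [
    "/mail_logs/mail.@20030417T195622.s",
    "/mail_logs/mail.@20030417T205622.s",
    "/mail_logs/mail.@20030417T215622.s",
    "/mail_logs/mail.@20030417T225622.current",
    "/error_logs/errors.@20030417T195622.s",
    "/error_logs/errors.@20030417T205622.current",
    "/mail_logs/README.txt",
]

if __name__ == "__main__":
    print("transfer:", transferable(SAMPLE_PATHS))
    print("delete (keep 2):", prune_plan(SAMPLE_PATHS, max_files=2))
```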
Logs Enabled by Default
Your Cisco IronPort appliance is pre-configured with the following log subscriptions enabled by default (other logs may be configured depending on which license keys you have applied). By default, the retrieval method is “Manually Download.”
Table 5-4 Pre-configured Log Subscriptions

Log #  Log Subscription Name  Log Type
1      antispam               Anti-Spam Logs
2      antivirus              Anti-Virus Logs
3      asarchive              Anti-Spam Archive
4      authentication         Authentication Logs
5      avarchive              Anti-Virus Archive
6      bounces                Bounce Logs
7      cli_logs               CLI Audit Logs
8      encryption             Encryption
9      error_logs             IronPort Text Mail Logs
10     euq_logs               IronPort Spam Quarantine Logs
11     euqgui_logs            IronPort Spam Quarantine GUI Logs
12     ftpd_logs              FTP Server Logs
13     gui_logs               HTTP Logs
14     mail_logs              IronPort Text Mail Logs
15     reportd_logs           Reporting Logs
16     reportingqueryd_logs   Reporting Query Logs
17     scanning               Scanning Logs
18     slbld_logs             Safe/Block Lists Logs
19     sntpd_logs             NTP Logs
20     status                 Status Logs
21     system_logs            System Logs
22     trackerd_logs          Tracking Logs
23     updater_logs           Updater Logs

All pre-configured log subscriptions have a Log Level of 3, except for error_logs, which is set at 1 so that it will contain only errors. See Log Levels, page 5-58 for more information. For information about creating new log subscriptions, or modifying existing ones, see Log Subscriptions, page 5-57.
Log Types
This section covers the following topics:
• Using IronPort Text Mail Logs, page 5-14
• Using IronPort Delivery Logs, page 5-24
• Using IronPort Bounce Logs, page 5-28
• Using IronPort Status Logs, page 5-30
• Using IronPort Domain Debug Logs, page 5-33
• Using IronPort Injection Debug Logs, page 5-34
• Using IronPort System Logs, page 5-37
• Using IronPort CLI Audit Logs, page 5-38
• Using IronPort FTP Server Logs, page 5-39
• Using IronPort HTTP Logs, page 5-40
• Using IronPort NTP Logs, page 5-41
• Using Scanning Logs, page 5-42
• Using IronPort Anti-Spam Logs, page 5-43
• Using IronPort Anti-Virus Logs, page 5-44
• Using IronPort Spam Quarantine Logs, page 5-45
• Using IronPort Spam Quarantine GUI Logs, page 5-46
• Using IronPort LDAP Debug Logs, page 5-47
• Using Safelist/Blocklist Logs, page 5-49
• Using Reporting Logs, page 5-50
• Using Reporting Query Logs, page 5-52
• Using Updater Logs, page 5-53
• Understanding Tracking Logs, page 5-55
• Using Authentication Logs, page 5-55
Timestamps in Log Files
The following log files include the begin and end date of the log itself, the version of AsyncOS, and the GMT offset (provided in seconds, and only at the beginning of the log):
• Anti-Virus log
• LDAP log
• System log
• Mail log
Using IronPort Text Mail Logs
Text mail logs contain details of email receiving, email delivery, and bounces. Status information is also written to the mail log every minute. These logs are a useful source of information for understanding the delivery of specific messages and for analyzing system performance.
These logs do not require any special configuration. However, you must configure the system properly to view attachment names, and attachment names may not always be logged. For information, see Enabling and Disabling Local Message Tracking, page 3-3 and Tracking Service Overview, page 3-1.
Information displayed in text mail logs is shown in Table 5-5.

Table 5-5 Text Mail Log Statistics

Statistic  Description
ICID   Injection Connection ID. This is a numerical identifier for an individual SMTP connection to the system, over which 1 to thousands of individual messages may be sent.
DCID   Delivery Connection ID. This is a numerical identifier for an individual SMTP connection to another server, for delivery of 1 to thousands of messages, each with some or all of their RIDs being delivered in a single message transmission.
RCID   RPC Connection ID. This is a numerical identifier for an individual RPC connection to the IronPort Spam Quarantine. It is used to track messages as they are sent to and from the IronPort Spam Quarantine.
MID    Message ID: Use this to track messages as they flow through the logs.
RID    Recipient ID: Each message recipient is assigned an ID.
New    New connection initiated.
Start  New message started.

Interpreting an IronPort Text Mail Log
Use the following sample as a guide to interpret log files.
Note
Individual lines in log files are NOT numbered. They are numbered here only for sample purposes.

Table 5-6 Text Mail Log Detail

1   Mon Apr 17 19:56:22 2003 Info: New SMTP ICID 5 interface Management (10.1.1.1) address 10.1.1.209 reverse dns host remotehost.com verified yes
2   Mon Apr 17 19:57:20 2003 Info: Start MID 6 ICID 5
3   Mon Apr 17 19:57:20 2003 Info: MID 6 ICID 5 From: <sender@remotehost.com>
4   Mon Apr 17 19:58:06 2003 Info: MID 6 ICID 5 RID 0 To: <mary@yourdomain.com>
5   Mon Apr 17 19:59:52 2003 Info: MID 6 ready 100 bytes from <sender@remotehost.com>
6   Mon Apr 17 19:59:59 2003 Info: ICID 5 close
7   Mon Mar 31 20:10:58 2003 Info: New SMTP DCID 8 interface 192.168.42.42 address 10.5.3.25
8   Mon Mar 31 20:10:58 2003 Info: Delivery start DCID 8 MID 6 to RID [0]
9   Mon Mar 31 20:10:58 2003 Info: Message done DCID 8 MID 6 to RID [0]
10  Mon Mar 31 20:11:03 2003 Info: DCID 8 close

Use Table 5-7 as a guide to reading the preceding log file.

Table 5-7 Detail of Text Mail Log Example

Line Number  Description
1.   A new connection is initiated into the system and assigned an Injection Connection ID (ICID) of “5.” The connection was received on the Management IP interface and was initiated from the remote host at 10.1.1.209.
2.   The message was assigned a Message ID (MID) of “6” after the MAIL FROM command is issued from the client.
3.   The sender address is identified and accepted.
4.   The recipient is identified and assigned a Recipient ID (RID) of “0.”
5.   MID 6 is accepted, written to disk, and acknowledged.
6.   Receiving is successful and the receiving connection closes.
7.   Next the message delivery process starts. It is assigned a Delivery Connection ID (DCID) of “8,” from interface 192.168.42.42 to 10.5.3.25.
8.   The message delivery starts to RID “0.”
9.   Delivery is successful for MID 6 to RID “0.”
10.  The delivery connection closes.

Examples of Text Mail Log Entries
Following are some sample log entries based on various situations.
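The identifiers in Table 5-5 are what let an analyst reconstruct one message's path: the ICID line carries the injecting IP and the reverse DNS verification result, the MID lines carry the envelope, and the DCID lines carry where and whether each RID was delivered. The following is an added example, not Cisco code and not from this guide, that walks the sample from Table 5-6 and assembles that trace for a given MID. The log lines are the guide's own sample (line numbers removed); the record layout returned by trace_message and the undelivered_recipients helper are this example's choices. Lines whose format the sample does not show (bounces, deferrals, multi-recipient RID lists beyond the "[0, 1]" form) are ignored rather than guessed.

```python
import re

# Sample text mail log, copied from Table 5-6 above with the sample line numbers removed.
SAMPLE_MAIL_LOG = """\
Mon Apr 17 19:56:22 2003 Info: New SMTP ICID 5 interface Management (10.1.1.1) address 10.1.1.209 reverse dns host remotehost.com verified yes
Mon Apr 17 19:57:20 2003 Info: Start MID 6 ICID 5
Mon Apr 17 19:57:20 2003 Info: MID 6 ICID 5 From: <sender@remotehost.com>
Mon Apr 17 19:58:06 2003 Info: MID 6 ICID 5 RID 0 To: <mary@yourdomain.com>
Mon Apr 17 19:59:52 2003 Info: MID 6 ready 100 bytes from <sender@remotehost.com>
Mon Apr 17 19:59:59 2003 Info: ICID 5 close
Mon Mar 31 20:10:58 2003 Info: New SMTP DCID 8 interface 192.168.42.42 address 10.5.3.25
Mon Mar 31 20:10:58 2003 Info: Delivery start DCID 8 MID 6 to RID [0]
Mon Mar 31 20:10:58 2003 Info: Message done DCID 8 MID 6 to RID [0]
Mon Mar 31 20:11:03 2003 Info: DCID 8 close
"""

# Common prefix of every line: timestamp, level, free text.
_PREFIX = re.compile(r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<level>\w+): (?P<text>.*)$")
# Patterns for the event types that appear in the sample.
_ICID_NEW = re.compile(r"New SMTP ICID (\d+) interface (\S+) \((\S+)\) address (\S+) reverse dns host (\S+) verified (\S+)")
_DCID_NEW = re.compile(r"New SMTP DCID (\d+) interface (\S+) address (\S+)")
_START = re.compile(r"Start MID (\d+) ICID (\d+)")
_FROM = re.compile(r"MID (\d+) ICID (\d+) From: <([^>]*)>")
_TO = re.compile(r"MID (\d+) ICID (\d+) RID (\d+) To: <([^>]*)>")
_READY = re.compile(r"MID (\d+) ready (\d+) bytes from <([^>]*)>")
_DELIV = re.compile(r"Delivery start DCID (\d+) MID (\d+) to RID \[([^\]]*)\]")
_DONE = re.compile(r"Message done DCID (\d+) MID (\d+) to RID \[([^\]]*)\]")


def parse_line(line):
    """Split a mail log line into timestamp, level and text; None for anything else."""
    m = _PREFIX.match(line.strip())
    return m.groupdict() if m else None


def _rids(field):
    """'0' or '0, 1' inside the brackets -> [0] or [0, 1]."""
    return [int(r) for r in field.replace(",", " ").split()]


def trace_message(log_text, mid):
    """Reconstruct one MID: injecting connection (with reverse DNS result), envelope,
    size, and the per-RID delivery outcome, by correlating ICID, MID, RID and DCID."""
    icids, dcids = {}, {}
    trace = {"mid": mid, "icid": None, "source": None, "sender": None,
             "recipients": {}, "size": None, "delivery": {}, "events": []}
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        text = entry["text"]
        # Connection lines carry no MID, so remember them for later correlation.
        if (m := _ICID_NEW.search(text)):
            icids[int(m.group(1))] = {"interface": m.group(2), "interface_ip": m.group(3),
                                      "remote_ip": m.group(4), "reverse_dns": m.group(5),
                                      "verified": m.group(6) == "yes"}
            continue
        if (m := _DCID_NEW.search(text)):
            dcids[int(m.group(1))] = {"interface_ip": m.group(2), "remote_ip": m.group(3)}
            continue
        if (m := _START.search(text)) and int(m.group(1)) == mid:
            trace["icid"] = int(m.group(2))
            trace["source"] = icids.get(trace["icid"])
            trace["events"].append((entry["ts"], "start"))
        elif (m := _FROM.search(text)) and int(m.group(1)) == mid:
            trace["sender"] = m.group(3)
        elif (m := _TO.search(text)) and int(m.group(1)) == mid:
            trace["recipients"][int(m.group(3))] = m.group(4)
        elif (m := _READY.search(text)) and int(m.group(1)) == mid:
            trace["size"] = int(m.group(2))
            trace["events"].append((entry["ts"], "accepted"))
        elif (m := _DELIV.search(text)) and int(m.group(2)) == mid:
            dcid = int(m.group(1))
            for rid in _rids(m.group(3)):
                trace["delivery"][rid] = {"dcid": dcid, "done": False,
                                          "remote_ip": dcids.get(dcid, {}).get("remote_ip")}
        elif (m := _DONE.search(text)) and int(m.group(2)) == mid:
            for rid in _rids(m.group(3)):
                trace["delivery"].setdefault(rid, {"dcid": int(m.group(1)), "remote_ip": None})["done"] = True
            trace["events"].append((entry["ts"], "delivered"))
    return trace


def undelivered_recipients(trace):
    """RIDs accepted at injection that have no 'Message done' line yet."""
    return sorted(rid for rid in trace["recipients"] if not trace["delivery"].get(rid, {}).get("done"))


if __name__ == "__main__":
    t = trace_message(SAMPLE_MAIL_LOG, 6)
    print(t["source"], t["sender"], t["recipients"], t["delivery"], undelivered_recipients(t))
```

Running the trace for MID 6 shows the message arrived from 10.1.1.209 with reverse DNS remotehost.com verified, was accepted at 100 bytes for one recipient, and was delivered to 10.5.3.25 over DCID 8. An empty undelivered list is the expected result here; a non-empty one for an older MID is the prompt to look at the bounce logs and the Delivery Logs referenced in the topic list above.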