Introduction
This document describes how to determine the disposition of a message with the mail logs retrieved from various commands on the Cisco Email Security Appliance (ESA).
Prerequisites
The information in this document is based on:
- ESA
- All versions of AsyncOS
Message Tracking
If you run AsyncOS for Email Version 6.0 or later, the most effective way to determine what happened to a particular message is to use the Message Tracking page from the Monitor tab. This allows you to search with a variety of options in an easy-to-use web interface.
If you run an older version or need to gather all of the log lines for troubleshooting purposes, use the grep or findevent commands as detailed in the next sections.
Findevent Command
If you have AsyncOS for Email Version 5.1.2 or later, the CLI findevent command makes it simpler to search for a specific message. Findevent lets you search by the envelope from, the envelope recipient, or the message Subject. This can be done regardless of case as well. Once you find your message, you can return every log line relevant to that message. If you run findevent with no arguments, it launches a wizard in order to guide you through the process. As always, you can use the help command in order to learn the short form:
> help findevent
findevent [-i] [-f from | -s subject | -t to] log_name
findevent -m mid log_name
The first form conducts a search for a specific envelope from, subject, or envelope to within the named log_name and lists the Message IDs (MIDs) that match. The -i flag can be used for non-case-sensitive searches.
The second form displays all of the log lines for the given MID.
If you have an older version, the CLI grep command can be used in order to accomplish the same thing. However, the use of the grep command requires more detailed knowledge of how ESAs log message events.
Grep Command
The first challenge when you search mail logs is to find your message. You can do this if you search for the sender, the recipient, or for the subject. Once you have found your message, it is important to understand how the mail logs are organized. Content Security mail log events are given acronyms. The most important events are ICID, MID, RID, and DCID.
Injection Connection ID (ICID): When a remote host establishes a connection to the appliance, that connection is assigned an ICID. One ICID can spawn many MIDs.
Note: ICID 0 defines a message that was injected by the appliance itself. In fact, the numeral 0 after an ICID or DCID refers to sessions open to or from the loopback address of the device.
Message ID (MID): Once a connection is established, each successful Simple Mail Transfer Protocol (SMTP) MAIL FROM: command creates a new MID. A single MID can spawn many RIDs.
Recipient ID (RID): Each recipient (To:, Cc:, or Bcc:) gets a RID. RIDs only spawn multiple DCIDs if there is a soft bounce (connection error) and delivery is reattempted.
Delivery Connection ID (DCID): Each recipient that goes to the same destination domain receives the same DCID, up to the limits of the receiving system. So if the recipients of a message all go to the same domain, then there is one DCID for all of the RIDs. If instead each RID goes to a separate domain, then there is a one-to-one correlation between RIDs and DCIDs.
Note: DCID 0 defines a message that was never sent. In fact, the numeral 0 after an ICID or DCID refers to sessions open to or from the loopback address of the device.
Generally, when you find your message, you find its MID. Then you grep for the MID and determine the ICID and RID. With the ICID, you can determine the SenderBase Reputation Score (SBRS) for the sender. With the RID and then the DCID, you can determine what happened when the ESA attempted delivery.
Note: Once you have the MID, ICID, and DCID, you can retrieve all of the rows for that message in one grep, if the origin of the message is not older than your oldest mail log.
example.com> grep -e " MID 11123" -e " ICID 11092" -e " DCID 23349" mail_logs
Example
- Search for the message subject:
example.com> grep
Currently configured logs:
16. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
Enter the number of the log you wish to grep.
[]> 16
Enter the regular expression to grep.
[]> test
Do you want this search to be case insensitive? [Y]>
Do you want to tail the logs? [N]>
Do you want to paginate the output? [N]>
Mon Jan 23 10:25:03 2006 Info: SMTP listener testpairlist starting
Tue Jan 24 12:10:15 2006 Info: Message aborted MID 8 Dropped by filter 'testdrop'
Tue Jan 31 23:55:38 2006 Info: MID 32 Subject 'testmsgquarantine'
Wed Feb 1 00:23:59 2006 Info: MID 62 Subject 'testmsgquarantine'
Wed Feb 1 00:27:48 2006 Info: MID 64 Subject 'testmsg2'
Wed Feb 1 22:30:37 2006 Info: MID 80 Subject 'test zip'
Wed Feb 1 22:37:51 2006 Info: MID 83 Subject 'FW: test zip'
Wed Feb 1 22:41:50 2006 Info: MID 84 Subject 'FW: test zip'
Fri Feb 3 15:17:47 2006 Info: MID 94 Subject 'test'
Fri Feb 3 15:42:06 2006 Info: MID 96 Subject 'test'
This generated several matches that contained test in the subject. The message in question was sent at approximately 3:42 pm, so you can use that MID (96) for the next search.
Here are some important points to note about the questions:
- Do you want this search to be case insensitive? [Y]>
If you answer Yes to this question, it finds entries regardless of case.
- Do you want to tail the logs? [N]>
If you answer Yes to this question, it only finds new entries as they are generated. It does not search all of the log files. Choose No in order to search all of the logs.
- Do you want to paginate the output? [N]>
If you answer Yes to this question, it displays entries one page at a time. This is useful if you need to do a general search and expect to retrieve many entries. This stops the entries from scrolling off of the display.
- Search for the MID:
mail.example.com> grep
Currently configured logs:
16. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
Enter the number of the log you wish to grep.
[]> 16
Enter the regular expression to grep.
[]> MID 96
Do you want this search to be case insensitive? [Y]>
Do you want to tail the logs? [N]>
Do you want to paginate the output? [N]>
Fri Feb 3 15:41:43 2006 Info: Start MID 96 ICID 10394
Fri Feb 3 15:41:43 2006 Info: MID 96 ICID 10394 From: <bob@example.net>
Fri Feb 3 15:41:58 2006 Info: MID 96 ICID 10394 RID 0 To: <nasir@example.com>
Fri Feb 3 15:42:06 2006 Info: MID 96 Message-ID <4o8836$30@mail.example.com>
Fri Feb 3 15:42:06 2006 Info: MID 96 Subject 'test'
Fri Feb 3 15:42:06 2006 Info: MID 96 ready 23 bytes from <bob@example.net>
Fri Feb 3 15:42:06 2006 Info: MID 96 matched all recipients for per-recipient policy DEFAULT in the outbound table
Fri Feb 3 15:42:06 2006 Info: MID 96 antivirus negative
Fri Feb 3 15:42:06 2006 Info: MID 96 queued for delivery
Fri Feb 3 15:42:06 2006 Info: Delivery start DCID 14 MID 96 to RID [0]
Fri Feb 3 15:42:06 2006 Info: Message done DCID 14 MID 96 to RID [0]
Fri Feb 3 15:42:06 2006 Info: MID 96 RID [0] Response '2.6.0 <4o8836$30@mail.example.com> Queued mail for delivery'
Fri Feb 3 15:42:06 2006 Info: Message finished MID 96 done
Notice that the MID entries provide more information about how the message is processed. The MID entries also reference the ICID and the DCID. If you want to know more about the incoming connection, grep for the ICID. If you want to know more about what happened when the ESA attempted delivery, grep for the DCID.
- In order to determine where the message was delivered, search for the DCID.
mail.example.com> grep
Currently configured logs:
16. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
Enter the number of the log you wish to grep.
[]> 16
Enter the regular expression to grep.
[]> DCID 14
Do you want this search to be case insensitive? [Y]>
Do you want to tail the logs? [N]>
Do you want to paginate the output? [N]>
Fri Feb 3 15:42:06 2006 Info: New SMTP DCID 14 interface 192.168.0.199 address 10.1.1.112 port 25
Fri Feb 3 15:42:06 2006 Info: Delivery start DCID 14 MID 96 to RID [0]
Fri Feb 3 15:42:06 2006 Info: Message done DCID 14 MID 96 to RID [0]
Fri Feb 3 15:42:11 2006 Info: DCID 14 close
Notice that the message was delivered from the 192.168.0.199 interface to the host with IP address 10.1.1.112 over port 25.
If delivery was not attempted, but the message was queued for delivery, it indicates that the system might have difficulty in its communications with the destination server. You can use hoststatus from the CLI in order to see if the status of the recipient host is Down and to verify that the Ordered IPs match either your SMTP routes for the destination domain or the public MX records, as applicable.