Cisco Content Security Management Appliance

ESA Reporting and Tracking Data Retention Expansion

Document ID: 117807

Updated: Jun 12, 2014

Contributed by Andrew Wurster and Robert Sherwin, Cisco TAC Engineers.

Introduction

This document describes how to increase the reporting and tracking data retention on the Cisco Email Security Appliance (ESA) in order to allow for data overlap.

Prerequisites

Cisco recommends that you have knowledge of these topics:

  • Cisco ESA
  • Cisco Content Security Management Appliance (SMA)

Reporting Data

When an SMA is offline or unreachable, the ESA begins to queue reporting data. By default, the ESA retains 100 files, each with a 15-minute duration. In effect, the ESA retains data for the most recent 1,500 minutes (15 x 100), which is equivalent to 25 hours. If the SMA is down for 30 hours, then you lose the reporting data for the first 5 hours (30 hours - 25 hours).

Use the information in this example in order to increase the number of files that are retained on the ESA for AsyncOS Versions 6.x through 7.1:

example.com> reportingconfig

Choose the operation you want to perform:
- MAILSETUP - Configure reporting for the ESA.
- MODE - Enable centralized or local reporting for the ESA.
[]> mailsetup

SenderBase timeout used by the web interface: 2 seconds
Sender Reputation Multiplier: 3
The current level of reporting data recording is: unlimited
No custom second level domains are defined.
Legacy mailflow report: Disabled

Choose the operation you want to perform:
- SENDERBASE - Configure SenderBase timeout for the web interface.
- MULTIPLIER - Configure Sender Reputation Multiplier.
- COUNTERS - Limit counters recorded by the reporting system.
- THROTTLING - Limit unique hosts tracked for rejected connection reporting.
- TLD - Add customer specific domains for reporting rollup.
- STORAGE - How long centralized reporting data will be stored on the C-series
before being overwritten.
- LEGACY - Configure legacy mailflow report.
[]> storage

While in centralized mode the C-series will store reporting data for the
M-series to collect.  If the M-series does not collect that data then
eventually the C-series will begin to overwrite the oldest data with
new data.

A maximum of 24 hours of reporting data will be stored.
How many hours of reporting data should be stored before data loss?
[24]> 30

Tracking Data

Similarly, when the SMA is offline or unreachable, the ESA begins to queue tracking data. The ESA retains 60 files, each with a three-minute duration. Therefore, the ESA retains the data for the past 180 minutes (60 x 3). Any tracking data that is not retrieved from the ESA and is older than three hours is lost.

Use the information in this example in order to increase the maximum number of tracking files:

example.com> trackingconfig

Choose the operation you want to perform:
- MODE - Set whether tracking is run on box or centralized.
[]> storage

While in centralized mode the C-series will store tracking data for the
M-series to collect.  If the M-series does not collect that data then
eventually the C-series will begin to overwrite the oldest data with new
data.

A maximum of 60 files are presently stored.  This means a maximum of 3 hours
will be stored, though depending on load that time may be smaller.
How many files should be stored before data loss?
[60]> 500

Note: For AsyncOS Versions 7.5 and later, MAILSETUP is a hidden command under reportingconfig.
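The retention arithmetic from both sections, generalized to any outage window, as an added example that is not part of the original Cisco document. It reports which span of reporting and tracking data an SMA outage would overwrite and what values to enter at the two storage prompts. The function names and the headroom_pct parameter are assumptions of this sketch (headroom reflects the CLI remark that tracking time can be smaller under load), and nothing here talks to an appliance.

```python
import math
from datetime import datetime, timedelta

# Per-file durations as stated in the article.
REPORTING_FILE_MIN = 15   # each reporting file covers 15 minutes
TRACKING_FILE_MIN = 3     # each tracking file covers 3 minutes


def lost_window(outage_start, outage_end, files, minutes_per_file):
    """Return (start, end) of data overwritten during the outage, or None.

    The ESA overwrites the oldest files first, so the gap always sits at
    the beginning of the outage.
    """
    retained = timedelta(minutes=files * minutes_per_file)
    if outage_end - outage_start <= retained:
        return None
    return (outage_start, outage_end - retained)


def files_needed(outage, minutes_per_file, headroom_pct=0):
    """Files required to ride out `outage` (hypothetical helper).

    headroom_pct is an assumed safety margin, not a Cisco setting.
    """
    minutes = outage.total_seconds() / 60 * (100 + headroom_pct) / 100
    return math.ceil(minutes / minutes_per_file)


def plan(outage_start, outage_end, reporting_files=100, tracking_files=60,
         headroom_pct=0):
    """Summarize data loss at the article's defaults and the values to set."""
    outage = outage_end - outage_start
    rep_files = files_needed(outage, REPORTING_FILE_MIN, headroom_pct)
    return {
        "reporting_lost": lost_window(outage_start, outage_end,
                                      reporting_files, REPORTING_FILE_MIN),
        "tracking_lost": lost_window(outage_start, outage_end,
                                     tracking_files, TRACKING_FILE_MIN),
        # reportingconfig's storage prompt asks for hours, trackingconfig's for files
        "reporting_hours_needed": math.ceil(rep_files * REPORTING_FILE_MIN / 60),
        "tracking_files_needed": files_needed(outage, TRACKING_FILE_MIN,
                                              headroom_pct),
    }


if __name__ == "__main__":
    # Constructed sample: a 30-hour SMA outage, matching the article's scenario.
    for key, value in plan(datetime(2014, 6, 1, 0, 0),
                           datetime(2014, 6, 2, 6, 0)).items():
        print(key, value)
```

For the 30-hour outage, the tracking gap is far larger than the reporting gap, which is why the tracking file count needs the bigger increase.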
