安全 : Cisco IronPort Email 安全设备

I日志消息信息标题?

2016 年 10 月 27 日 - 机器翻译
其他版本: PDFpdf | 英语 (2015 年 8 月 22 日) | 反馈

简介

本文描述如何记录通过思科电子邮件安全工具处理的信息标题(ESA)。

贡献由John Yu和罗伯特Sherwin, Cisco TAC工程师。

I日志消息信息标题?

有时,因为他们穿过设备,记录信息标题的出现和内容是有用的。您指定报头通过logconfig > logheaders记录。ESA将记录在IronPort文本邮件日志、IronPort交付日志和IronPort跳动日志的指定的信息标题。如果报头存在,系统记录报头和值的名称。 报头信息在发送信息以后recored。

下面示例如何对记录与报头X IPAS结果和X IronPort AV的任何消息的启用日志:

my_esa.local> logconfig

Currently configured logs:
Log Name Log Type Retrieval Interval
---------------------------------------------------------------------------------
1. amp AMP Engine Logs Manual Download None
2. amparchive AMP Archive Manual Download None
3. antispam Anti-Spam Logs Manual Download None
4. antivirus Anti-Virus Logs Manual Download None
5. asarchive Anti-Spam Archive Manual Download None
6. authentication Authentication Logs Manual Download None
7. avarchive Anti-Virus Archive Manual Download None
8. bounces Bounce Logs Manual Download None
9. cli_logs CLI Audit Logs Manual Download None
10. encryption Encryption Logs Manual Download None
11. error_logs IronPort Text Mail Logs Manual Download None
12. euq_logs Spam Quarantine Logs Manual Download None
13. euqgui_logs Spam Quarantine GUI Logs Manual Download None
14. ftpd_logs FTP Server Logs Manual Download None
15. gui_logs HTTP Logs Manual Download None
16. mail_logs IronPort Text Mail Logs Manual Download None
17. mail_logs_copy IronPort Text Mail Logs SCP Push - Host
192.168.0.200: Port 22None
18. repeng Reputation Engine Logs Manual Download None
19. reportd_logs Reporting Logs Manual Download None
20. reportqueryd_logs Reporting Query Logs Manual Download None
21. scanning Scanning Logs Manual Download None
22. slbld_logs Safe/Block Lists Logs Manual Download None
23. snmp_logs SNMP Logs Manual Download None
24. sntpd_logs NTP logs Manual Download None
25. status Status Logs Manual Download None
26. system_logs System Logs Manual Download None
27. trackerd_logs Tracking Logs Manual Download None
28. updater_logs Updater Logs Manual Download None
29. upgrade_logs Upgrade Logs Manual Download None

Choose the operation you want to perform:
- NEW - Create a new log.
- EDIT - Modify a log subscription.
- DELETE - Remove a log subscription.
- SETUP - General settings.
- LOGHEADERS - Configure headers to log.
- HOSTKEYCONFIG - Configure SSH host keys.
[]> logheaders

Please enter the list of headers you wish to record in the
log files.
Separate multiple headers with commas.
[]> X-IPAS-Result, X-IronPort-AV

返回到主CLI提示符,并且确认其中任一/所有更改。

当您查看mail_logs,您将看到报头的结果当前被注入日志如配置:

Thu Aug 14 08:40:18 2014 Info: New SMTP ICID 10282 interface Management 
(192.168.0.199) address 192.168.0.200 reverse dns host ns.domain.com verified no
Thu Aug 14 08:40:18 2014 Info: ICID 10282 RELAY SG RELAY_SG match 192.168.0.200
SBRS not enabled
Thu Aug 14 08:40:18 2014 Info: Start MID 1403 ICID 10282
Thu Aug 14 08:40:18 2014 Info: MID 1403 ICID 10282 From: <orig_user@domain.com>
Thu Aug 14 08:40:18 2014 Info: MID 1403 ICID 10282 RID 0 To: <end_user@example.com>
Thu Aug 14 08:40:18 2014 Info: MID 1403 using engine: SPF Verdict Cache using
cached verdict
Thu Aug 14 08:40:18 2014 Info: SPF Verdict Cache cache status: hits = 7, misses = 12,
expires = 0, adds = 12, seconds saved = 0.06, total seconds = 0.56
Thu Aug 14 08:40:18 2014 Info: MID 1403 SPF: helo identity postmaster@domain.com None
Thu Aug 14 08:40:18 2014 Info: MID 1403 using engine: SPF Verdict Cache using
cached verdict
Thu Aug 14 08:40:18 2014 Info: MID 1403 SPF: mailfrom identity orig_user@domain.com
Pass (v=spf1)
Thu Aug 14 08:40:18 2014 Info: MID 1403 using engine: SPF Verdict Cache using
cached verdict
Thu Aug 14 08:40:18 2014 Info: MID 1403 SPF: pra identity orig_user@domain.com None
headers from
Thu Aug 14 08:40:18 2014 Info: MID 1403 Message-ID '<20140814124103.GC6764@domain.com>'
Thu Aug 14 08:40:18 2014 Info: MID 1403 Subject 'Hello - this is the morning report...'
Thu Aug 14 08:40:18 2014 Info: MID 1403 ready 611 bytes from <orig_user@domain.com>
Thu Aug 14 08:40:18 2014 Info: MID 1403 matched all recipients for per-recipient policy
DEFAULT in the outbound table
Thu Aug 14 08:40:18 2014 Info: ICID 10282 close
Thu Aug 14 08:40:20 2014 Info: MID 1403 interim verdict using engine: CASE spam negative
Thu Aug 14 08:40:20 2014 Info: MID 1403 using engine: CASE spam negative
Thu Aug 14 08:40:20 2014 Info: MID 1403 interim AV verdict using Sophos CLEAN
Thu Aug 14 08:40:20 2014 Info: MID 1403 antivirus negative
Thu Aug 14 08:40:20 2014 Info: MID 1403 Outbreak Filters: verdict negative
Thu Aug 14 08:40:20 2014 Info: MID 1403 DLP no violation
Thu Aug 14 08:40:20 2014 Info: MID 1403 queued for delivery
Thu Aug 14 08:40:20 2014 Info: New SMTP DCID 173 interface 192.168.0.199 address
111.22.111.22 port 25
Thu Aug 14 08:40:20 2014 Info: DCID 173 STARTTLS command not supported
Thu Aug 14 08:40:20 2014 Info: Delivery start DCID 173 MID 1403 to RID [0]
Thu Aug 14 08:40:20 2014 Info: Message done DCID 173 MID 1403 to RID [0]
[('X-IPAS-Result', 'AmYGAMSt7FPAqADI/2dsb2JhbABahBuNU6VQAZpbiQV3hCMhYxg0BRi
JC8VuF4wKg1+DGYEdAQSPCoMNiiEBmHaDHwEBAQ'), ('X-IronPort-AV', 'E=Sophos;i=
"5.01,863,1400040000"; \r\n d="scan\'208";a="1403"')]

Thu Aug 14 08:40:20 2014 Info: MID 1403 RID [0] Response '2.0.0 OK
F6/FE-18769-93EACE35'
Thu Aug 14 08:40:20 2014 Info: Message finished MID 1403 done
Thu Aug 14 08:40:25 2014 Info: DCID 173 close

从接收的电子邮件,如果将直接地查看在该电子邮件的报头,您将看到在原始报头的选中项目X IPAS结果和X IronPort AV报头,在首先接收的跳前:

X-IronPort-Anti-Spam-Filtered: true
X-IPAS-Result: AmYGAMSt7FPAqADI/2dsb2JhbABahBuNU6VQAZpbiQV3hCMhYxg0BRiJC8VuF4wKg1+
DGYEdAQSPCoMNiiEBmHaDHwEBAQ
X-IronPort-AV: E=Sophos;i="5.01,863,1400040000"; 
   d="scan'208";a="1403"

Received: from ns.domain.com (HELO mail.domain.com) ([192.168.0.200])  by
 myesa_local.domain.com with ESMTP; 14 Aug 2014 08:40:18 -0400
Received: by mail.domain.com (Postfix, from userid 1000)id 29F4E8033E; Thu,
 14 Aug 2014 08:41:03 -0400 (EDT)
Date: Thu, 14 Aug 2014 08:41:03 -0400
From: robert <orig_user@domain.com.com>
To: <end_user@example.com>
Subject: Hello - this is the morning report...
Message-ID: <20140814124103.GC6764@domain.com>
MIME-Version: 1.0
User-Agent: Mutt/1.5.21 (2010-09-15)
X-RR-Connecting-IP: 111.22.111.222:25
X-Cloudmark-Score: 0
Return-Path: orig_user@domain.com.com
X-MS-Exchange-Organization-AuthSource: xhc-aln-x10.example.com
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 10
Content-type: text/plain;
charset="US-ASCII"
Content-transfer-encoding: 7bit

No info this morning.

-Joe

注意: SMTP协议的RFC查找在http://www.faqs.org/rfcs/rfc2821.html并且定义了用户定义的报头。

相关信息



Document ID: 118291