The Cisco Email Security Appliance (ESA) creates a directory for each log subscription based on the log subscription name.
ESA log file format
The actual name of the log file in the directory is composed of the log filename specified by you, the timestamp when the log file was started, and a single-character status code.
/LogSubscriptionName/LogFilename.@timestamp.statuscode
LogSubscriptionNames can be seen via the logconfig command:
esa.example.com> logconfig
Currently configured logs:
    Log Name        Log Type                  Retrieval         Interval
---------------------------------------------------------------------------------
 1. TLStest         Injection Debug Logs      Manual Download   None
 2. Test            Domain Debug Logs         Manual Download   None
 3. amp             AMP Engine Logs           Manual Download   None
 4. amparchive      AMP Archive               Manual Download   None
 5. antispam        Anti-Spam Logs            Manual Download   None
 6. antivirus       Anti-Virus Logs           Manual Download   None
 7. asarchive       Anti-Spam Archive         Manual Download   None
 8. authentication  Authentication Logs       Manual Download   None
 9. avarchive       Anti-Virus Archive        Manual Download   None
10. bounces         Bounce Logs               Manual Download   None
11. cli_logs        CLI Audit Logs            Manual Download   None
12. encryption      Encryption Logs           Manual Download   None
13. error_logs      IronPort Text Mail Logs   Manual Download   None
Additional Log File Extensions
The status code appears as a file extension, such as .c (signifying current) or .s (signifying saved).
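The naming scheme above can be parsed mechanically, for example so that a collection job fetches only files marked saved and skips the current one. The following Python sketch is an added example, not Cisco code; the sample paths and their timestamp strings are constructed placeholders, and the timestamp is treated as opaque text because this page does not define its layout.

```python
import re
from typing import NamedTuple, Optional

# Status codes named on this page; any other code is reported as "unknown".
STATUS = {"c": "current", "s": "saved"}

class EsaLogName(NamedTuple):
    subscription: str  # directory named after the log subscription
    filename: str      # log filename chosen by the administrator
    timestamp: str     # opaque text after "@"; not interpreted here
    status: str        # "current", "saved" or "unknown"

# /LogSubscriptionName/LogFilename.@timestamp.statuscode
_PATTERN = re.compile(
    r"^/(?P<sub>[^/]+)/(?P<name>[^/]+)\.@(?P<ts>[^/.@]+)\.(?P<code>[^/.])$"
)

def parse_log_path(path: str) -> Optional[EsaLogName]:
    """Split an ESA log path into its parts; None if it does not match."""
    m = _PATTERN.match(path)
    # Reject dot directories so a listing cannot steer a local mirror path.
    if m is None or m["sub"] in (".", ".."):
        return None
    return EsaLogName(m["sub"], m["name"], m["ts"],
                      STATUS.get(m["code"], "unknown"))

def saved_logs(paths):
    """Group the paths marked saved (.s) by log subscription."""
    grouped = {}
    for p in paths:
        info = parse_log_path(p)
        if info is not None and info.status == "saved":
            grouped.setdefault(info.subscription, []).append(p)
    return grouped

# Constructed sample listing; timestamp strings are placeholders.
SAMPLE = [
    "/cli_logs/cli.@TS0001.s",
    "/cli_logs/cli.@TS0002.c",
    "/authentication/authentication.@TS0003.s",
    "/antispam/notes.txt",      # does not follow the naming scheme
    "/../cli.@TS0004.s",        # dot directory, rejected
]

if __name__ == "__main__":
    for sub, files in saved_logs(SAMPLE).items():
        print(sub, files)
```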
How can I access the logs?
By default, there are two methods for retrieving your logs that are stored within your ESA: FTP or SCP.
You should use the same login credentials for log retrieval as you use to authenticate to the ESA for administration.
Access Logs by FTP
FTP: Command Line
ftp hostname.example.com
cd /LogNameDirectory
get <filename>
FTP: GUI Client
A GUI FTP client such as Filezilla can be used to 'drag and drop' from the ESA to your local machine.
FTP: Web Browser
Any web browser that supports FTP, such as Mozilla Firefox, Google Chrome or Microsoft Internet Explorer, can be used as well.
Copy logs to another system via SCP
Using SCP:
scp admin@mail3.example.com:/LogNameDirectory/LogFilename .
Note: Please make sure you have the proper service (FTP or SCP) enabled on your ESA using the interfaceconfig command in the CLI.