This document describes how to increase the reporting and tracking data retention on the Cisco Email Security Appliance (ESA) in order to allow for data overlap.
Cisco recommends that you have knowledge of these topics:
Cisco Content Security Management Appliance (SMA)
When an SMA is offline or unreachable, the ESA begins to queue reporting data. The ESA by default retains 100 files, each with a 15-minute duration. Essentially, the ESA retains data for the current 1,500 minutes (15 x 100), which is equivalent to 25 hours. If the SMA is down for 30 hours, then you lose the reporting data for the first 5 hours (30 hours - 25 hours).
Use the information in this example in order to increase the number of files that are retained on the ESA:
Choose the operation you want to perform:
- MAILSETUP - Configure reporting for the ESA.
- MODE - Enable centralized or local reporting for the ESA.
> mailsetup

SenderBase timeout used by the web interface: 2 seconds
Sender Reputation Multiplier: 3
The current level of reporting data recording is: unlimited
No custom second level domains are defined.
Legacy mailflow report: Disabled

Choose the operation you want to perform:
- SENDERBASE - Configure SenderBase timeout for the web interface.
- MULTIPLIER - Configure Sender Reputation Multiplier.
- COUNTERS - Limit counters recorded by the reporting system.
- THROTTLING - Limit unique hosts tracked for rejected connection reporting.
- TLD - Add customer specific domains for reporting rollup.
- STORAGE - How long centralized reporting data will be stored on the C-series before being overwritten.
- LEGACY - Configure legacy mailflow report.
> storage
While in centralized mode the C-series will store reporting data for the M-series to collect. If the M-series does not collect that data then eventually the C-series will begin to overwrite the oldest data with new data.
A maximum of 24 hours of reporting data will be stored.
How many hours of reporting data should be stored before data loss?
> 30
Similarly, when the SMA is offline or unreachable, the ESA begins to queue tracking data. The ESA retains 60 files, each with a three-minute duration. Therefore, the ESA retains the data for the past 180 minutes (60 x 3). Any tracking data that is not retrieved from the ESA and is older than three hours is lost.
Use the information in this example in order to increase the maximum number of tracking files:
Choose the operation you want to perform:
- MODE - Set whether tracking is run on box or centralized.
> storage
While in centralized mode the C-series will store tracking data for the M-series to collect. If the M-series does not collect that data then eventually the C-series will begin to overwrite the oldest data with new data.
A maximum of 60 files are presently stored. This means a maximum of 3 hours will be stored, though depending on load that time may be smaller.
How many files should be stored before data loss?
> 500
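The following sizing helper is an added example, not Cisco code or part of the original document. It generalizes the retention arithmetic above to any outage length so that the values entered at the reporting and tracking storage prompts cover the same window. The file durations (15 and 3 minutes) come from this document; the function names and the headroom_pct padding are assumptions made for illustration.

```python
import math

# File durations stated in this document.
REPORTING_FILE_MIN = 15   # one reporting file covers 15 minutes
TRACKING_FILE_MIN = 3     # one tracking file covers 3 minutes


def retention_hours(files, minutes_per_file):
    """Upper bound, in hours, on the window covered by the queued files."""
    return files * minutes_per_file / 60


def hours_lost(outage_hours, window_hours):
    """Hours of oldest data overwritten when the outage exceeds the window."""
    return max(0.0, outage_hours - window_hours)


def tracking_files_for(outage_hours, headroom_pct=0):
    """File count for the tracking storage prompt, rounded up.

    headroom_pct pads the count because the document notes that the covered
    time may be smaller under load. The padding value is an assumption.
    """
    if outage_hours <= 0 or headroom_pct < 0:
        raise ValueError("outage_hours must be > 0 and headroom_pct >= 0")
    minutes = outage_hours * 60 * (100 + headroom_pct) / 100
    return math.ceil(minutes / TRACKING_FILE_MIN)


def plan(outage_hours, headroom_pct=0):
    """Values for both storage prompts that cover the same SMA outage."""
    if outage_hours <= 0 or headroom_pct < 0:
        raise ValueError("outage_hours must be > 0 and headroom_pct >= 0")
    return {
        "reporting_hours": math.ceil(outage_hours * (100 + headroom_pct) / 100),
        "tracking_files": tracking_files_for(outage_hours, headroom_pct),
    }


if __name__ == "__main__":
    default_window = retention_hours(100, REPORTING_FILE_MIN)
    print("default reporting window (h):", default_window)
    print("lost in a 30 h outage (h):", hours_lost(30, default_window))
    print("window for 500 tracking files (h):", retention_hours(500, TRACKING_FILE_MIN))
    print("settings for a 30 h outage:", plan(30))
```

With the values used in the examples above, 500 tracking files cover at most 25 hours while the reporting setting is 30 hours, so matching the two windows for a 30-hour outage takes 600 tracking files.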