AMP.ENGINE.ALERT
|
See
Ensuring That You Receive Alerts About Advanced Malware Protection Issues
|
-
|
AMP.ENGINE.ALERT.WARN
|
Alert text: Failed to register the file analysis group name with Cisco Threat Grid server. Contact Cisco TAC for assistance.
Alert level: WARNING.
Description: Alert is sent when the email gateway fails to register the Appliance Group Name using the Smart Account ID with the Cisco Threat Grid server.
|
Parameter: reason for the failure
|
AsyncOS API Alerts
|
See “Alerts” section in the AsyncOS API for Cisco Secure Email Gateway - Getting Started Guide.
|
-
|
Mailbox Auto Remediation Alerts
|
See “Alerts” section in Remediating Messages in Mailboxes
|
-
|
COMMON.APP_FAILURE
|
An
application fault occurred: $error
|
’error’ - The text
of the error, typically a traceback.
|
Warning. Sent
when there is an unknown application failure.
|
COMMON.ENGINE_AUTO_UPDATE_ENABLED
|
<$level>: <$class>
|
'$engine' - The
name of the Service Engine. The values can be:
|
Information: Automatic updates have been enabled for the particular engine
<$engine>. You will now receive automatic engine updates for this engine.
|
COMMON.ENGINE_AUTO_UPDATE_DISABLED
|
<$level>: <$class>
|
'$engine' - The
name of the Service Engine. The values can be:
|
Information: Automatic updates have been disabled for the particular engine
<$engine>. You will not receive any automatic updates for this engine,
unless you enable automatic updates in the global setting page of the
particular engine.
|
COMMON.KEY_EXPIRED_ALERT
|
Your
"$feature" key has expired. Please contact your authorized Cisco
sales representative.
|
’feature’ - The
name of the feature that is about to expire.
|
Warning. Sent
when a feature key has expired.
|
COMMON.KEY_EXPIRING_ALERT
|
Your
"$feature" key will expire in under $days day(s). Please contact your
authorized Cisco sales representative.
|
’feature’ - The
name of the feature that is about to expire.
’days’ - The number of days until it expires.
|
Warning. Sent
when a feature key is about to expire.
|
COMMON.KEY_FINAL_EXPIRING_ALERT
|
This is a
final notice. Your "$feature" key will expire in under $days day(s).
Please contact your authorized Cisco sales representative.
|
’feature’ - The
name of the feature that is about to expire.
’days’ - The number of days until it expires.
|
Warning. Sent
as a final notice that a feature key is about to expire.
|
KEYS.GRACE_EXPIRING_ALERT
|
All security services licenses for this
email gateway have expired. The
email gateway will continue to deliver mail without security services for $days days.
To renew
security services licenses, Please contact your authorized Cisco sales
representative.
|
’days’ - The
number of days remaining in the grace period at the time the alert was sent.
For more
information about the grace period, see
Virtual Email Gateway License Expiration.
|
Critical. Sent periodically from the start of the grace period for virtual
email gateway license expiration.
|
KEYS.GRACE_FINAL_EXPIRING_ALERT
|
This is the final notice. All security services licenses for this
email gateway have expired. The
email gateway will continue to deliver mail without security services for 1 day.
To renew
security services licenses, Please contact your authorized Cisco sales
representative.
|
For more
information about the grace period, see
Virtual Email Gateway License Expiration.
|
Critical. Sent one day before the virtual
email gateway license expires.
|
KEYS.GRACE_EXPIRED_ALERT
|
Your grace period has expired. All security sevice have expired, and your
email gateway is non-functional. The
email gateway will no longer deliver mail until a new license is applied.
To renew
security services licenses, Please contact your authorized Cisco sales
representative.
|
For more
information about the grace period, see
Virtual Email Gateway License Expiration.
|
Critical. Sent when the grace period for virtual
email gateway has expired.
|
DNS.BOOTSTRAP_FAILED
|
Failed to
bootstrap the DNS resolver. Unable to contact root servers.
|
|
Warning. Sent when the
email gateway is unable to contact the root DNS servers.
|
COMMON.INVALID_FILTER
|
Invalid
$class: $error
|
‘class’ - Either
"Filter", "SimpleFilter", etc.
’error’ -
Additional why-filter-is-invalid info.
|
Warning.
Sent when an invalid filter is encountered.
|
IPBLOCKD.HOST_ADDED_TO_ALLOWED_LIST
IPBLOCKD.HOST_ADDED_TO_BLOCKED_LIST
IPBLOCKD.HOST_REMOVED_FROM_BLOCKED_LIST
|
The host at $ip has been added to the blocked list because of an SSH DOS attack.
The host at $ip has been permanently added to the ssh allowed list.
The host at $ip has been removed from the blocked list.
|
’ip’ - IP address from which a login attempt occurred.
|
Warning.
IP addresses that try to connect to the email gateway over SSH but do not provide valid credentials are added to the SSH blocked list if more than 10 failed attempts occur within two minutes.
When a user logs in successfully from the same IP address, that IP address is added to the allowed list.
Addresses on the allowed list are allowed access even if they are also on the blocked list.
Entries are automatically removed from the blocked list after about a day.
|
LDAP.GROUP_QUERY_FAILED_ALERT
|
LDAP:
Failed group query $name, comparison in filter will evaluate as false
|
’name’ - The
name of the query.
|
Critical.
Sent when an LDAP group query fails.
|
LDAP.HARD_ERROR
|
LDAP: work
queue processing error in $name reason $why
|
’name’ - The
name of the query.
’why’ - Why the
error happened.
|
Critical.
Sent when an LDAP query fails completely (after trying all servers).
|
LOG.ERROR.*
|
Critical.
Various logging errors.
|
|
MAIL.FILTER.RULE_MATCH_ALERT
|
MID $mid
matched the $rule_name rule. \n Details: $details
|
‘mid’ - Unique
identification number of the message.
‘rule_name’ -
The name of the rule that matched.
‘details’ - More
information about the message or the rule.
|
Information. Sent every time a Header Repeats rule evaluates to true.
|
MAIL.PERRCPT.LDAP_GROUP_QUERY_FAILED
|
LDAP group
query failure during per-recipient scanning, possible LDAP misconfiguration or
unreachable server.
|
|
Critical.
Sent when an LDAP group query fails during per-recipient scanning.
|
MAIL.QUEUE.ERROR.*
|
Critical.
Various mail queue hard errors.
|
|
MAIL.OMH.DELIVERY_RETRY
|
Subject - 'Alert: Message Delivery failed for $hostname. DANE verification failed for one or more Domain(s).'
Message - The message delivery failed due to DANE verification failure for all mail exchange (MX) hosts in $hostname. The
email gateway will attempt message delivery again or bounce the message.
|
‘host’ - The host for which the DANE verification has failed.
|
MAIL.RES_CON_START_ALERT.MEMORY
|
This system
(hostname: $hostname) has entered a ‘resource conservation’ mode in order to
prevent the rapid depletion of critical system resources. RAM utilization for
this system has exceeded the resource conservation threshold of
$memory_threshold_start%. The allowed receiving rate for this system will be
gradually decreased as RAM utilization approaches $memory_threshold_halt%.
|
’hostname’ - The
name of the host.
’memory_threshold_start’ - The percent threshold
where memory tarpitting starts.
’memory_threshold_halt’ - The percent threshold where
the system will halt due to memory being too full.
|
Critical.
Sent when RAM utilization has exceeded the system resource conservation
threshold.
|
MAIL.RES_CON_START_ALERT.QUEUE_SLOW
|
This system
(hostname: $hostname) has entered a ‘resource conservation’ mode in order to
prevent the rapid depletion of critical system resources. The queue is
overloaded and is unable to maintain the current throughput.
|
’hostname’ - The
name of the host.
|
Critical.
Sent when the mail queue is overloaded and system resource conservation is
enabled.
|
MAIL.RES_CON_START_ALERT.QUEUE
|
This system
(hostname: $hostname) has entered a ‘resource conservation’ mode in order to
prevent the rapid depletion of critical system resources. Queue utilization for
this system has exceeded the resource conservation threshold of
$queue_threshold_start%. The allowed receiving rate for this system will be
gradually decreased as queue utilization approaches $queue_threshold_halt%.
|
‘hostname’ - The
name of the host.
‘queue_threshold_start’ - The percent threshold where
queue tarpitting starts.
‘queue_threshold_halt’ - The percent threshold where
the system will halt due to the queue being too full.
|
Critical.
Sent when queue utilization has exceeded the system resource conservation
threshold.
|
MAIL.RES_CON_START_ALERT.WORKQ
|
This system
(hostname: $hostname) has entered a ‘resource conservation’ mode in order to
prevent the rapid depletion of critical system resources. Listeners have been
suspended because the current work queue size has exceeded the threshold of
$suspend_threshold. Listeners will be resumed once the work queue size has
dropped to $resume_threshold. These thresholds may be altered via use of the
‘tarpit’ command on the system CLI.
|
‘hostname’ - The
name of the host.
‘suspend_threshold’ - Work queue size above which
listeners are suspended.
‘resume_threshold’ - Work queue size below which
listeners are resumed.
|
Information. Sent when listeners are suspended because the work queue size is
too big.
|
MAIL.RES_CON_START_ALERT
|
This system
(hostname: $hostname) has entered a ‘resource conservation’ mode in order to
prevent the rapid depletion of critical system resources.
|
‘hostname’ - The
name of the host.
|
Critical. Sent when the
email gateway enters “resource conservation” mode.
|
MAIL.RES_CON_STOP_ALERT
|
This system
(hostname: $hostname) has exited ‘resource conservation’ mode as resource
utilization has dropped below the conservation threshold.
|
‘hostname’ - The
name of the host.
|
Information. Sent when the
email gateway leaves ‘resource conservation’ mode.
|
MAIL.URL_REP_CLIENT.CATEGORY_CHANGE
|
See
Future URL Category Set Changes.
|
—
|
MAIL.BEAKER_CONNECTOR.CERTIFICATE_INVALID
|
See
Troubleshooting URL Filtering.
|
MAIL.BEAKER_CONNECTOR.ERROR_FETCHING_CERTIFICATE
|
MAIL.WORK_QUEUE_PAUSED_NATURAL
|
work queue
paused, $num msgs, $reason
|
‘num’ - The
number of messages in the work queue.
‘reason’ - The
reason the work queue is paused.
|
Critical.
Sent when the work queue is paused.
|
MAIL.WORK_QUEUE_UNPAUSED_NATURAL
|
work queue
resumed, $num msgs
|
‘num’ - The
number of messages in the work queue.
|
Critical.
Sent when the work queue is resumed.
|
NTP.NOT_ROOT
|
Not running
as root, unable to adjust system time
|
|
Warning. Sent when the
email gateway is unable to adjust time because NTP is not running as root.
|
QUARANTINE.ADD_DB_ERROR
|
Unable to
quarantine MID $mid - quarantine system unavailable
|
’mid’ - MID
|
Critical.
Sent when a message cannot be sent to a quarantine.
|
QUARANTINE.DB_UPDATE_FAILED
|
Unable to
update quarantine database (current version: $version; target $target_version)
|
’version’ - The
schema version detected.
’target_version’
- The target schema version.
|
Critical.
Sent when a quarantine database cannot be updated.
|
QUARANTINE.DISK_SPACE_LOW
|
The
quarantine system is unavailable due to a lack of space on the $file_system
partition.
|
’file_system’ -
The name of the filesystem.
|
Critical.
Sent when the disk space for quarantines is full.
|
QUARANTINE.THRESHOLD_ALERT
|
Quarantine
"$quarantine" is $full% full
|
’quarantine’ -
The name of the quarantine.
’full’ - The
percentage of how full the quarantine is.
|
Warning.
Sent when a quarantine reaches 5%, 50%, or 75% of capacity.
|
QUARANTINE.THRESHOLD_ALERT.SERIOUS
|
Quarantine
"$quarantine" is $full% full
|
’quarantine’ -
The name of the quarantine.
’full’ - The
percentage of how full the quarantine is.
|
Critical.
Sent when a quarantine reaches 95% of capacity.
|
REPORTD.DATABASE_OPEN_FAILED_ALERT
|
The
reporting system has encountered a critical error while opening the database.
In order to prevent disruption of other services, reporting has been disabled
on this machine. Please contact customer support to have reporting enabled. The
error message is: $err_msg
|
’err_msg’ - The
error message raised
|
Critical.
Sent if the reporting engine is unable to open the database.
|
REPORTD.AGGREGATION_DISABLED_ALERT
|
Processing
of collected reporting data has been disabled due to lack of logging disk
space. Disk usage is above $threshold percent. Recording of reporting events
will soon become limited and reporting data may be lost if disk space is not
freed up (by removing old logs, etc.). Once disk usage drops below $threshold
percent, full processing of reporting data will be restarted automatically.
|
’threshold’ -
The threshold value
|
Warning.
Sent if the system runs out of disk space. When the disk usage for a log entry
exceeds the log usage threshold, reportd disables aggregation and sends the
alert.
|
REPORTING.CLIENT.UPDATE_FAILED_ALERT
|
Reporting
Client: The reporting system has not responded for an extended period of time
($duration).
|
’duration’ -
Length of time the client has been trying to contact the reporting daemon. This
is a string in a human readable format (’1h 3m 27s’).
|
Warning.
Sent if the reporting engine was unable to save reporting data.
|
REPORTING.CLIENT.JOURNAL.FULL
|
Reporting
Client: The reporting system is unable to maintain the rate of data being
generated. Any new data generated will be lost.
|
|
Critical.
Sent if the reporting engine is unable to store new data.
|
REPORTING.CLIENT.JOURNAL.FREE
|
Reporting
Client: The reporting system is now able to handle new data.
|
|
Information. Sent when the reporting engine is again able to store new data.
|
PERIODIC_REPORTS.REPORT_TASK.BUILD_FAILURE
|
A failure
occurred while building periodic report ‘$report_title’. This subscription has
been removed from the scheduler.
|
‘report_title’ -
the report title
|
Critical.
Sent when the reporting engine is unable to build a report.
|
PERIODIC_REPORTS.REPORT_TASK.EMAIL_FAILURE
|
A failure
occurred while emailing periodic report ‘$report_title’. This subscription has
been removed from the scheduler.
|
’report_title’ -
the report title
|
Critical.
Sent when a report could not be emailed.
|
PERIODIC_REPORTS.REPORT_TASK.ARCHIVE_FAILURE
|
A failure
occurred while archiving periodic report ’$report_title’. This subscription has
been removed from the scheduler.
|
’report_title’ -
the report title
|
Critical.
Sent when a report could not be archived.
|
SENDERBASE.ERROR
|
Error
processing response to query $query: response was $response
|
’query’ - The
query address.
’response’ - Raw
data of response received.
|
Information. Sent when an error occurred while processing a response from
SenderBase.
|
SMTPAUTH.FWD_SERVER_FAILED_ALERT
|
SMTP Auth:
could not reach forwarding server $ip with reason: $why
|
’ip’ - The IP of
the remote server.
’why’ - Why the
error happened.
|
Warning.
Sent when the SMTP Authentication forwarding server is unreachable.
|
SMTPAUTH.LDAP_QUERY_FAILED
|
SMTP Auth:
LDAP query failed, see LDAP debug logs for details.
|
|
Warning.
Sent when an LDAP query fails.
|
SYSTEM.HERMES_SHUTDOWN_FAILURE.REBOOT
|
While preparing to ${what}, failed to stop mail server gracefully: ${error}
$what:=reboot
|
’error’ - The
error that happened.
|
Warning.
Sent when there was a problem shutting down the system on reboot.
|
SYSTEM.HERMES_SHUTDOWN_FAILURE.SHUTDOWN
|
While preparing to ${what}, failed to stop mail server gracefully: ${error}
$what:=shut down
|
’error’ - The
error that happened.
|
Warning.
Sent when there was a problem shutting down the system.
|
SYSTEM.LOGIN_FAILURES_LOCK_ALERT
|
User "$user" is locked after $numlogins consecutive login failures. Last login attempt was from $rhost
Information: Sent when the user account is locked because of the maximum number of failed login attempts.
|
'user' - The name of the user
'numlogins' - The configured alert threshold
'rhost' - The address of the remote host
|
SYSTEM.RCPTVALIDATION.UPDATE_FAILED
|
Error
updating recipient validation data: $why
|
’why’ - The
error message.
|
Critical.
Sent when a recipient validation update failed.
|
SYSTEM.SERVICE_TUNNEL.DISABLED
|
Tech
support: Service tunnel has been disabled
|
|
Information. Sent when a tunnel created for Cisco Support Services is disabled.
|
SYSTEM.SERVICE_TUNNEL.ENABLED
|
Tech
support: Service tunnel has been enabled, port $port
|
’port’ - The
port used for the service tunnel.
|
Information. Sent when a tunnel created for Cisco Support Services is enabled.
|
WATCHDOG_RESTART_ALERT_MSG
|
<$level>: <$class>, <$hostname>: $subject
$text
Warning.
The email gateway uses the watchdog service to monitor the health condition of the following engines:
- Anti-Spam
- Anti-Virus
- Anti Malware Protection
- Graymail
If any of the above engines does not respond to the watchdog service for a certain duration, the watchdog service restarts the engine(s) and sends an alert to the administrator.
|
'subject' - Watchdog alert subject specific to the engine
'text' - Watchdog alert text specific to the engine
|
MAIL.IMH.GEODB_UPDATE_COUNTRIES
|
Warning.
Geolocation Update - the list of supported countries has changed.
Added Countries - <$added>
Deleted Countries - <$deleted>
Review your HAT sender groups, Message Filters, and Content Filters settings accordingly.
|
’added’ - The following countries are added: <iso_code1>:<country_name1>,<iso_code2>:<country_name2>,
’deleted’ - The following countries are deleted: <iso_code1>:<country_name1>:<iso_code2>:<country_name2>,
|
MAIL.UPDATED_SHORT_URL_DOMAIN_LIST
|
Info. The list of shortened URL domains has been updated.
Added Domains: <$added_domains>
Deleted Domains - <$deleted_domains>
|
’added_domains’: The following domains are added: <domains_1>, <domain_2>
’deleted_domains’: The following domains are deleted: <domain_3>, <domain_4>
|
MAIL.DOMAINS_NOT_REACHABLE
|
Warning. The following domains are not reachable by the
email gateway for shortened URL support: <$domains>
Check your firewall rules to allow your
email gateway to connect to these domains.
|
<$domains>: comma separated list of domains
|
MAIL.UPGRADE_CONFIG_CHANGE.ALERT
|
Info. Sent when the user configured value is changed by the system during the upgrade.
|
'text' - The Intelligent Multi-Scan and the Graymail global configuration settings have been modified during the upgrade. Please
review the global settings for the Intelligent Multi-Scan and the Graymail configurations.
|
CERTIFICATE.CERT_EXPIRING_ALERT
|
Your certificate "$certificate" will expire in $days day(s).
Alert level: WARNING
|
'certificate' - The name of the certificate that is about to expire.
'days' - The number of days until it expires.
|
CERTIFICATE.CERT_CRITICAL_EXPIRING_ALERT
|
Your certificate "$certificate" will expire in $days hour(s).
Alert level: CRITICAL
A ‘CRITICAL’ certificate validity period is less than 5 days.
|
'certificate' - The name of the certificate that is about to expire.
'days' - The number of days with remaining time (HH:MM:SS), for example, 4 days 10:12:20 hour(s).
|
CERTIFICATE.CERT_EXPIRED_ALERT
|
Your certificate "$certificate" has expired.
Alert level: CRITICAL
|
'certificate' - The name of the certificate that has expired.
|
MAIL.APP.NO_ACCESS_KEY
|
Alert text: 'Failed to poll for the Cisco Advanced Phishing Protection Cloud Service expiry date, add API AccessUID and API
Access secret key.'
Description: Alert is sent when a query for the APP expiry date failed because the API Access key and the secret key were not entered.
|
N/A
|
MAIL.APP.INVALID_KEY
|
Alert text: Failed to poll for the Cisco Advanced Phishing Protection Cloud Service expiry date because the API Access Key
is invalid. You need to re-configure the API Access UID and secret key.
Description: Alert is sent when a query for the APP expiry date failed because the API Access key and the secret key were not entered.
|
N/A
|
MAIL.APP.EXPIRED
|
Alert text: The Cisco Advanced Phishing Protection Cloud Service has expired and is disabled. Contact your Cisco Account Manager
to renew the service and enable it.
Description: The Cisco Advanced Phishing Protection Cloud Service has expired and is disabled. You need to renew the APP license
and enable the APP service.
|
N/A
|
MAIL.APP.EXPIRY_REMINDER
|
Alert text: Cisco Advanced Phishing Protection Cloud Service expires on $eaas_expiry_date. You need to contact your Cisco
Account Manager to renew the service.
Description: Alert is sent each day, starting from three days before the expiry period.
|
Parameters: eaas_expiry_date - The date on which Cisco Advanced Phishing Protection Cloud Service will expire.
|
MAIL.APP.SERVICE_UNAVAILABLE
|
Alert text: Cisco Advanced Phishing Protection Cloud Service update. Unable to establish communication with the cloud service.
Description: APP cloud service is unavailable because ten consecutive mails failed to forward to APP.
|
N/A
|
MAIL.APP.SERVICE_AVAILABLE
|
Alert text: Cisco Advanced Phishing Protection Cloud Service update. Communication with the cloud service has been established.
Description: APP cloud service is available.
|
N/A
|