Overview
Understanding Log Files and Log Subscriptions
Logs are a compact, efficient method of gathering critical information about the email operations of AsyncOS. These logs record information regarding activity on your appliance. The information varies with the log you view, for example Bounce logs or Delivery logs.
Most logs are recorded in plain text (ASCII) format; however, delivery logs are formatted in binary for resource efficiency. The ASCII text information is readable in any text editor.
Cisco offers the M-Series Content Security Management appliance as a centralized reporting and tracking tool for logs from multiple appliances. See your Cisco representative for more information.
A log subscription associates a log type with a name, logging level, and other constraints such as size and destination information; multiple subscriptions for the same log type are permitted.
Log Types
The log type indicates what information is recorded in the generated log, such as message data or system statistics, and whether it is stored as text or binary data. You select the log type when creating a log subscription. See Log Subscriptions for more information.
AsyncOS generates the following log types:
| Log | Description |
|---|---|
| Text Mail Logs | Text mail logs record information regarding the operations of the email system, for example message receiving, message delivery attempts, open and closed connections, bounces, TLS connections, and others. |
| qmail Format Mail Logs | qmail format delivery logs record the same information regarding the operations of the email system as the delivery logs described next, but stored in qmail format. |
| Delivery Logs | Delivery logs record critical information about the email delivery operations of the appliance, for example information regarding each recipient delivery and bounce at the time of the delivery attempt. The log messages are "stateless": all associated information is recorded in each log message, so you need not reference previous log messages for information about the current delivery attempt. Delivery logs are recorded in a binary format for resource efficiency and must be post-processed using a provided utility to convert them to XML or CSV (comma-separated values) format. The conversion tools are located at: https://supportforums.cisco.com/document/33721/cisco-ironport-systems-contributed-tools |
| Bounce Logs | Bounce logs record information about bounced recipients. The information recorded for each bounced recipient includes the message ID, the recipient ID, the Envelope From address, the Envelope To address, the reason for the recipient bounce, and the response code from the recipient host. In addition, you can choose to log a fixed amount of each bounced recipient message. This amount is defined in bytes and the default is zero. |
| Status Logs | This log file records the system statistics found in the CLI status commands, including status detail and dnsstatus. The recording period is set using the setup subcommand in logconfig. Each counter or rate reported in status logs is the value since the last time the counter was reset. |
| Domain Debug Logs | Domain debug logs record the client and server communication during an SMTP conversation between the appliance and a specified recipient host. This log type can be used to debug issues with specific recipient hosts. You must specify the total number of SMTP sessions to record in the log file; as sessions are recorded, this number decreases. You can stop domain debug logging before all sessions have been recorded by deleting or editing the log subscription. |
| Injection Debug Logs | Injection debug logs record the SMTP conversation between the appliance and a specified host connecting to the system. Injection debug logs are useful for troubleshooting communication problems between the Email Security appliance and a host on the Internet. |
| System Logs | System logs record boot information, virtual appliance license expiration alerts, DNS status information, and the comments users typed when running the commit command. System logs are useful for troubleshooting the basic state of the appliance. |
| CLI Audit Logs | The CLI audit logs record all CLI activity on the system. |
| FTP Server Logs | FTP logs record information about the FTP services enabled on the interface. Connection details and user activity are recorded. |
| GUI Logs | See HTTP Logs. |
| HTTP Logs | HTTP logs record information about the HTTP and/or secure HTTP services enabled on the interface. Because the graphical user interface (GUI) is accessed via HTTP, the HTTP logs are effectively the GUI equivalent of the CLI audit logs. Session data (new session, session expired) and pages accessed in the GUI are recorded. These logs also include information about SMTP transactions, for example information about scheduled reports emailed from the appliance. |
| NTP Logs | NTP logs record the conversation between the appliance and any NTP (Network Time Protocol) servers configured. For more information, see "Editing the Network Time Protocol (NTP) Configuration (Time Keeping Method)" in the "System Administration" chapter. |
| LDAP Debug Logs | LDAP debug logs are meant for debugging LDAP installations (see the "LDAP Queries" chapter). Useful information about the queries that the appliance sends to the LDAP server is recorded here. |
| Anti-Spam Logs | Anti-spam logs record the status of the anti-spam scanning feature of your system, including the status of receiving updates of the latest anti-spam rules. Any logs related to the Context Adaptive Scanning Engine are also logged here. |
| Anti-Spam Archive | If you enabled an anti-spam scanning feature, messages that are scanned and associated with the "archive message" action are archived here. The format is an mbox-format log file. For more information about anti-spam engines, see the "Anti-Spam" chapter. |
| Graymail Engine Logs | Contains information about the graymail engine: status, configuration, and so on. Most information is at the Info or Debug level. |
| Graymail Archive | Contains archived messages (the messages that are scanned and associated with the "archive message" action). The format is an mbox-format log file. |
| Anti-Virus Logs | Anti-virus logs record the status of the anti-virus scanning feature of your system, including the status of receiving updates of the latest anti-virus identity files. |
| Anti-Virus Archive | If you enabled an anti-virus engine, messages that are scanned and associated with the "archive message" action are archived here. The format is an mbox-format log file. For more information, see the "Anti-Virus" chapter. |
| AMP Engine Logs | The AMP Engine logs record the status of the Advanced Malware Protection features of the system. For more information, see File Reputation Filtering and File Analysis. |
| AMP Archive | If you have configured mail policies to archive messages that the Advanced Malware Protection engine has found to have attachments that are unscannable or contain malware, those messages are archived here. The format is an mbox-format log file. |
| Scanning Logs | The scanning log contains all LOG and COMMON messages for scanning engines (see Alerts). These are typically application faults, alert sent, alert failed, and log error messages. This log does not apply to system-wide alerts. |
| Spam Quarantine Logs | Spam Quarantine logs record actions associated with the Spam Quarantine processes. |
| Spam Quarantine GUI Logs | Spam Quarantine GUI logs record actions associated with the Spam Quarantine, including configuration via the GUI, end user authentication, and end user actions (releasing email, and so on). |
| SMTP Conversation Logs | The SMTP conversation log records all parts of incoming and outgoing SMTP conversations. |
| Safe/Block Lists Logs | Safelist/blocklist logs record data about the safelist/blocklist settings and database. |
| Reporting Logs | Reporting logs record actions associated with the processes of the centralized reporting service. |
| Reporting Query Logs | Reporting query logs record actions associated with the reporting queries that are run on the appliance. |
| Updater Logs | The updater log records events related to updates for system services, such as McAfee Anti-Virus definition updates. |
| Tracking Logs | Tracking logs record actions associated with the processes of the tracking service. Tracking logs are a subset of the mail logs. |
| Authentication Logs | The authentication log records successful user logins and unsuccessful login attempts. |
| Configuration History Logs | Configuration history logs record what changes were made on the appliance and when they were made. A new configuration history log is created each time a user commits a change. |
| Upgrade Logs | Status information about upgrade download and installation. |
| API Logs | API logs record various events related to the AsyncOS API for the appliance, for example: |
| Consolidated Event Logs | The Consolidated Event Logs summarize each message event in a single log line. Using this log type, you can reduce the number of bytes of data (log information) sent to a Security Information and Event Management (SIEM) vendor or application for analysis. The logs are in the Common Event Format (CEF) log message format that is widely used by most SIEM vendors. |
| CSN Logs | The CSN logs contain details about the CSN data uploads. The CSN data (appliance and feature usage details) can be seen at the trace level. |
| Advanced Phishing Protection Logs | The Advanced Phishing Protection logs contain information related to the Cisco Advanced Phishing Protection Cloud Service. Most information is at the Info or Critical level. |
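As an added example (not part of the Cisco documentation or of AsyncOS itself), the following Python parses lines in the CEF shape used by the Consolidated Event Logs so that a SIEM pipeline can validate them before ingestion. The sample line is constructed, and its header values and extension key names (ESAMID, ESAICID, the ESA*Verdict keys) are assumptions, not fields taken from this page.

```python
"""Parse Common Event Format (CEF) lines of the kind AsyncOS writes to the
Consolidated Event Logs, so they can be checked before a SIEM ingests them.

Added example, not Cisco code. The sample line and its extension keys
(ESAMID, ESAICID, ESA*Verdict, ...) are constructed assumptions."""
import re
from dataclasses import dataclass, field

# Constructed sample line; header values and extension keys are assumptions.
SAMPLE_LINE = (
    "CEF:0|Cisco|ESA|14.0.0-000|ESA_CONSOLIDATED_LOG_EVENT|Consolidated Log Event|5|"
    "ESAMID=1234 ESAICID=56 ESAFinalActionDetails=Delivered "
    "ESASenderEmail=alice@example.com ESARecipientEmail=bob@example.test "
    "ESASubject=Invoice \\= overdue ESAAMPVerdict=CLEAN ESAASVerdict=NEGATIVE"
)


@dataclass
class CefEvent:
    version: str
    device_vendor: str
    device_product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extension: dict = field(default_factory=dict)


def _split_header(line):
    """Split the seven pipe-delimited header fields. A backslash escapes the
    next character, so an escaped pipe inside a field stays literal."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs seven pipe-delimited fields")
    return fields, line[i:]          # the remainder is the extension


# A key is a run of [A-Za-z0-9_.] at the start or after whitespace, followed
# by an unescaped '='. An escaped '\=' inside a value never matches.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_ESCAPES = {"=": "=", "\\": "\\", "|": "|", "n": "\n", "r": "\r"}


def _unescape(value):
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(0)), value)


def _parse_extension(ext):
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_cef(line):
    """Return a CefEvent for one CEF line; raises ValueError on malformed input."""
    fields, ext = _split_header(line.rstrip("\r\n"))
    if not fields[0].startswith("CEF:"):
        raise ValueError("line does not start with the CEF:<version> prefix")
    return CefEvent(fields[0][4:], *fields[1:7], extension=_parse_extension(ext))


def verdict_fields(event):
    """The per-engine verdict keys a SIEM correlation rule would pivot on."""
    return {k: v for k, v in event.extension.items() if k.endswith("Verdict")}


if __name__ == "__main__":
    ev = parse_cef(SAMPLE_LINE)
    print(ev.signature_id, "severity", ev.severity, verdict_fields(ev))
```

The header splitter honours backslash escapes so a pipe inside the event name does not shift the later fields, and the extension parser relies on the CEF rule that an "=" inside a value is written as "\=", which is why a naive split on "=" is not enough.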
Log Type Characteristics
The following table summarizes the different characteristics of each log type.
Contains |
||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Transactional |
Stateless |
Recorded as text |
Recorded as mbox file |
Recorded as binary |
Periodic Status Information |
Message Receiving Information |
Delivery Information |
Individual Hard Bounces |
Individual Soft Bounces |
Injection SMTP Conversation |
Header Logging |
Delivery SMTP Conversation |
Configuration Information |
|
Mail Logs |
• |
• |
• |
• |
• |
• |
• |
• |
||||||
qmail Format Delivery Logs |
• |
• |
• |
• |
• |
• |
||||||||
Delivery Log |
• |
• |
• |
• |
• |
• |
||||||||
Bounce Logs |
• |
• |
• |
• |
• |
|||||||||
Status Logs |
• |
• |
• |
|||||||||||
Domain Debug Logs |
• |
• |
• |
• |
• |
• |
||||||||
Injection Debug Logs |
• |
• |
• |
• |
||||||||||
System Logs |
• |
• |
• |
|||||||||||
CLI Audit Logs |
• |
• |
• |
|||||||||||
FTP Server Logs |
• |
• |
• |
|||||||||||
HTTP Logs |
• |
• |
• |
|||||||||||
NTP Logs |
• |
• |
• |
|||||||||||
LDAP Logs |
• |
• |
||||||||||||
Anti-spam Logs |
• |
• |
• |
|||||||||||
Anti-Spam Archive |
• |
|||||||||||||
Graymail Engine Logs |
• |
• |
• |
|||||||||||
Graymail Archive |
• |
|||||||||||||
Anti-virus Logs |
• |
• |
• |
|||||||||||
Anti-Virus Archive |
• |
|||||||||||||
AMP Engine Logs |
• |
• |
• |
|||||||||||
AMP Archive |
• |
|||||||||||||
Scanning Logs |
• |
• |
• |
• |
||||||||||
Spam Quarantine |
• |
• |
• |
|||||||||||
Spam Quarantine GUI |
• |
• |
• |
|||||||||||
Safe/Block Lists Logs |
• |
• |
• |
|||||||||||
Reporting Logs |
• |
• |
• |
|||||||||||
Reporting Query Logs |
• |
• |
• |
|||||||||||
Updater Logs |
• |
|||||||||||||
Tracking Logs |
• |
• |
• |
• |
• |
• |
• |
• |
||||||
Authentication Logs |
• |
• |
||||||||||||
Configuration History Logs |
• |
• |
• |
|||||||||||
API Logs |
• |
• |
||||||||||||
Consolidated Event Logs |
• |
• |
• |
• |
||||||||||
CSN Logs |
• |
• |
• |
• |
||||||||||
Advanced Phishing Protection Logs |
• |
• |
Log Retrieval Methods
Log files can be retrieved based upon one of the following file transfer protocols. You set the protocol while creating or editing the log subscription in the GUI or via the logconfig command during the log subscription process.
Note: When using a Log Push method on a particular log, that log will be locally unavailable for troubleshooting or searching via the CLI.
| Method | Description |
|---|---|
| Manually Download | This method lets you access log files at any time by clicking a link to the log directory on the Log Subscriptions page, then clicking the log file to access. Depending on your browser, you can view the file in a browser window, or open or save it as a text file. This method uses the HTTP(S) protocol and is the default retrieval method. |
| FTP Push | This method periodically pushes log files to an FTP server on a remote computer. The subscription requires a username, passphrase, and destination directory on the remote computer. Log files are transferred based on a rollover schedule set by you. FTP carries both the credentials and the log data in cleartext, so prefer SCP Push where the receiving host supports it. |
| SCP Push | This method periodically pushes log files to an SCP server on a remote computer. This method requires an SSH SCP server on a remote computer using the SSH1 or SSH2 protocol; SSH1 is obsolete and should not be enabled on the receiving server. The subscription requires a username, SSH key, and destination directory on the remote computer. Log files are transferred based on a rollover schedule set by you. |
| Syslog Push | This method sends log messages to a remote syslog server. This method conforms to RFC 3164. You must submit a hostname for the syslog server and choose to use either UDP or TCP for log transmission. The port used is 514. A facility can be selected for the log; however, a default for the log type is pre-selected in the dropdown menu. Only text-based logs can be transferred using syslog push. RFC 3164 itself provides no encryption, and UDP gives no delivery guarantee, so messages can be dropped silently under load; check the collector's facility and message counts after enabling a subscription. |
| AWS S3 Push (only for Consolidated Event Logs) | This method periodically pushes log files to an Amazon Simple Storage Service (S3) bucket on the Amazon Web Services (AWS) public cloud. The subscription requires an S3 bucket name, an access key, and a secret key to access the bucket; scope that key to write access on this bucket only. You can set a rollover schedule to transfer the log files. |
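Added example, not Cisco code: a small RFC 3164 encoder and decoder for verifying what a Syslog Push subscription delivers to a collector, including a check that every received frame carries the facility you selected for the subscription. The sample frames are constructed, and the mail log wording inside them ("Info: Start MID ...") is an assumption about what the appliance writes.

```python
"""Decode and build RFC 3164 syslog frames such as those Syslog Push emits,
and check that a batch of received frames arrived with the facility the
subscription was configured to use.

Added example, not Cisco code. The sample frames are constructed; the
payload wording ("Info: Start MID ...") is an assumption about mail log lines."""
import re
from datetime import datetime

# RFC 3164 facility and severity codes: PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_FRAME_BYTES = 1024          # RFC 3164 section 4.1 upper bound on a packet

# Constructed frames as a collector might receive them (two local4, one mail).
SAMPLE_FRAMES = [
    "<166>Nov 15 10:30:00 esa01 mail_logs: Info: Start MID 1234 ICID 56",
    "<22>Nov 15 10:30:01 esa01 mail_logs: Info: MID 1234 ready 2048 bytes from <alice@example.com>",
    "<163>Nov 15 10:30:02 esa01 system_logs: Critical: DNS query failed",
]

_FRAME_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$",
    re.S,
)


def parse_frame(frame):
    """Split one frame into PRI-derived facility/severity plus header and message."""
    m = _FRAME_RE.match(frame.rstrip("\r\n"))
    if not m:
        raise ValueError("not an RFC 3164 frame: %r" % frame[:40])
    pri = int(m["pri"])
    if pri > 191:                    # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI %d out of range" % pri)
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "timestamp": m["ts"],
        "host": m["host"],
        "tag": m["tag"],
        "message": m["msg"],
    }


def rfc3164_timestamp(when):
    """'Mmm dd hh:mm:ss' with the day space-padded, as RFC 3164 requires."""
    return "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))


def build_frame(facility, severity, host, tag, message, timestamp=None):
    """Build a frame, truncating the message so the whole frame fits 1024 bytes."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    header = "<%d>%s %s %s: " % (pri, timestamp or rfc3164_timestamp(datetime.now()), host, tag)
    budget = MAX_FRAME_BYTES - len(header.encode("utf-8"))
    body = message.encode("utf-8")[:budget].decode("utf-8", "ignore")
    return header + body


def mismatched_facility(frames, expected):
    """(host, tag, facility) for every frame not sent with the expected facility,
    which is the quickest way to spot a subscription left on its default."""
    bad = []
    for fr in frames:
        p = parse_frame(fr)
        if p["facility"] != expected:
            bad.append((p["host"], p["tag"], p["facility"]))
    return bad


if __name__ == "__main__":
    for fr in SAMPLE_FRAMES:
        p = parse_frame(fr)
        print(p["facility"], p["severity"], p["tag"], p["message"][:40])
    print("wrong facility:", mismatched_facility(SAMPLE_FRAMES, "local4"))
```

The PRI decode is the part worth keeping at hand: a collector that files events by facility will silently route a subscription left on the wrong default into the wrong index, and the 1024-byte limit explains why long mail log lines may arrive cut off over UDP.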
Log Filenames and Directory Structure
AsyncOS creates a directory for each log subscription based on the log subscription name. The actual name of the log file in the directory is composed of the log filename specified by you, the timestamp when the log file was started, and a single-character status code. The filename of logs are made using the following formula:
/LogSubscriptionName/LogFilename.@timestamp.statuscode
Status codes are .current (the file the subscription is still writing) or .s (signifying saved). Transfer or delete only log files with the saved status.
Log Rollover and Transfer Schedule
Log files are created by log subscriptions, and are rolled over (and transferred, if a push-based retrieval option is selected) based on the first user-specified condition reached: maximum file size or scheduled rollover. Use the logconfig command in the CLI or the Log Subscriptions page in the GUI to configure both the maximum file size and time interval for scheduled rollovers. You can also use the Rollover Now button in the GUI or the rollovernow command in the CLI to rollover selected log subscriptions. See Rolling Over Log Subscriptions for more information on scheduling rollovers.
Logs retrieved using manual download are saved until they reach the maximum number you specify (the default is 10 files) or until the system needs more space for log files.
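Added example, not Cisco code: a helper that applies the naming rule above to a directory listing and returns only saved (.s) files for transfer, plus the oldest saved files beyond a retention count such as the manual-download default of 10. The listing is constructed, and the timestamp layout YYYYMMDDTHHMMSS is an assumption, since the page only says "timestamp".

```python
"""Pick out the log files that are safe to transfer or delete from a log
subscription directory, using the naming scheme
/LogSubscriptionName/LogFilename.@timestamp.statuscode described above.

Added example, not Cisco code. The directory listing is constructed, and the
timestamp layout (YYYYMMDDTHHMMSS) is an assumption; the page says only "timestamp"."""
import re
from pathlib import PurePosixPath

# Constructed listing: two subscriptions, each with one .current file.
SAMPLE_LISTING = [
    "/mail_logs/mail.@20231115T060000.s",
    "/mail_logs/mail.@20231115T000000.s",
    "/mail_logs/mail.@20231115T120000.current",
    "/bounces/bounces.@20231114T230000.s",
    "/bounces/bounces.@20231115T120000.current",
]

# LogFilename, '@timestamp', then either 'current' (still being written) or 's' (saved).
_NAME_RE = re.compile(r"^(?P<base>.+)\.@(?P<ts>\d{8}T\d{6})\.(?P<status>current|s)$")


def parse_log_path(path):
    """Return subscription, base filename, timestamp and saved flag for one path."""
    p = PurePosixPath(path)
    m = _NAME_RE.match(p.name)
    if not m:
        raise ValueError("unrecognised log filename: %s" % p.name)
    return {
        "subscription": p.parent.name,
        "filename": m["base"],
        "timestamp": m["ts"],
        "saved": m["status"] == "s",
    }


def files_to_transfer(listing):
    """Saved files only, oldest first within each subscription. The .current
    file is skipped because the appliance is still appending to it."""
    saved = [(parse_log_path(p), p) for p in listing]
    saved = [(info, p) for info, p in saved if info["saved"]]
    saved.sort(key=lambda item: (item[0]["subscription"], item[0]["timestamp"]))
    return [p for _, p in saved]


def files_to_prune(listing, keep=10):
    """Saved files beyond the newest `keep` per subscription, mirroring the
    manual-download retention limit (default 10 files)."""
    by_sub = {}
    for p in files_to_transfer(listing):
        by_sub.setdefault(parse_log_path(p)["subscription"], []).append(p)
    prune = []
    for paths in by_sub.values():          # already oldest first
        excess = len(paths) - keep
        if excess > 0:
            prune.extend(paths[:excess])
    return prune


if __name__ == "__main__":
    print("transfer:", files_to_transfer(SAMPLE_LISTING))
    print("prune (keep 1):", files_to_prune(SAMPLE_LISTING, keep=1))
```

Sorting on the timestamp embedded in the name rather than on file mtime keeps the order stable after the files have been copied to another host, where mtime is often reset.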
Logs Enabled by Default
Your appliance is pre-configured with many log subscriptions enabled by default (other logs may be configured depending on which license keys you have applied). By default, the retrieval method is “Manually Download.”
All pre-configured log subscriptions have a Log Level of 3, except for error_logs which is set at 1 so that it will contain only errors. See Log Levels for more information. For information about creating new log subscriptions, or modifying existing ones, see Log Subscriptions.