Introduction
This document describes why message tracking data can be missing on the SMA in 3-minute intervals and how to troubleshoot it.
Prerequisites
Knowledge of the following topics:
- Cisco Security Management Appliance (SMA)
- Cisco Email Security Appliance (ESA)
- Centralized Message Tracking
Components Used
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Problem
The SMA experiences missing data intervals of up to three minutes from ESA devices.
Solution
Brief workflow of local and centralized message tracking
Tracking works in two modes:
I. Local tracking on the ESA.
1. Trackerd parses the data in the tracking information binary log files (tracking.@*.s) handled by qlogd
2. Trackerd saves it under Haystack.
II. Centralized tracking on the ESA.
1. qlogd writes the tracking information binary log files (tracking.@*.s.gz) into the /data/pub/export/tracking directory
2. The SMA smad process checks for, pulls, and then deletes the raw tracking data (tracking.@*.s.gz) from the /data/pub/export/tracking directory of the ESA.
3. The tracking files pulled from the ESA are saved in the /data/log/tracking/<ESA_IP>/ directory on the SMA.
4. Trackerd moves the files to the /data/tracking/incoming_queue/0/<ESA_IP> directory and processes them.
5. The processed data is stored in the MT database and the processed tracking files are deleted.
Investigation steps
Step 1: ESA trackerd_logs analysis
After observing the trackerd_logs in the /data/pub/trackerd_logs/ folder, it was found that qlogd on the ESA normally writes tracking data files at 3-minute intervals.
In this example, the T* part of the data file names in the folder /data/pub/export/tracking/ indicates the time the file was generated. The difference between the T values is 3 minutes.
grep "172.16.200.12" trackerd.current | tail
Wed Mar 8 22:07:36 2023 Info: Tracking parser moved /data/log/tracking/172.16.200.12/tracking.@20230308T205758Z_20230308T210058Z.s.gz to /data/tracking/incoming_queue/0/172.16.200.12/tracking.@20230308T205758Z_20230308T210058Z.s.gz.
Wed Mar 8 22:12:03 2023 Info: Tracking parser moved /data/log/tracking/172.16.200.12/tracking.@20230308T210058Z_20230308T210358Z.s.gz to /data/tracking/incoming_queue/0/172.16.200.12/tracking.@20230308T210058Z_20230308T210358Z.s.gz.
Wed Mar 8 22:14:28 2023 Info: Tracking parser moved /data/log/tracking/172.16.200.12/tracking.@20230308T210358Z_20230308T210658Z.s.gz to /data/tracking/incoming_queue/0/172.16.200.12/tracking.@20230308T210358Z_20230308T210658Z.s.gz.
Wed Mar 8 22:16:53 2023 Info: Tracking parser moved /data/log/tracking/172.16.200.12/tracking.@20230308T210658Z_20230308T210958Z.s.gz to /data/tracking/incoming_queue/0/172.16.200.12/tracking.@20230308T210658Z_20230308T210958Z.s.gz.
Wed Mar 8 22:19:19 2023 Info: Tracking parser moved /data/log/tracking/172.16.200.12/tracking.@20230308T210958Z_20230308T211258Z.s.gz to /data/tracking/incoming_queue/0/172.16.200.12/tracking.@20230308T210958Z_20230308T211258Z.s.gz.
Wed Mar 8 22:23:48 2023 Info: Tracking parser moved /data/log/tracking/172.16.200.12/tracking.@20230308T211258Z_20230308T211558Z.s.gz to /data/tracking/incoming_queue/0/172.16.200.12/tracking.@20230308T211258Z_20230308T211558Z.s.gz.
Step 2: SMA trackerd_logs analysis
Based on the information obtained in step 1, check /data/pub/trackerd_logs on the SMA to find and confirm the data files that are missing in the problem period.
The related log examples and their result are shown in this frame. trackerd_logs on the SMA, filtered only for the first ESA (192.168.235.64):
/data/pub/trackerd_log on SMA - filtered only for ESA 192.168.235.64
Mon Feb 13 20:11:06 2023 Info: Tracking parser moved /data/log/tracking/192.168.235.64/tracking.@20230213T190731Z_20230213T191031Z.s.gz to /data/tracking/incoming_queue/0/192.168.235.64/tracking.@20230213T190731Z_20230213T191031Z.s.gz.
Mon Feb 13 20:15:18 2023 Info: Tracking parser moved /data/log/tracking/192.168.235.64/tracking.@20230213T191031Z_20230213T191331Z.s.gz to /data/tracking/incoming_queue/0/192.168.235.64/tracking.@20230213T191031Z_20230213T191331Z.s.gz.
Mon Feb 13 20:17:26 2023 Info: Tracking parser moved /data/log/tracking/192.168.235.64/tracking.@20230213T191331Z_20230213T191631Z.s.gz to /data/tracking/incoming_queue/0/192.168.235.64/tracking.@20230213T191331Z_20230213T191631Z.s.gz.
tracking.@20230213T191631Z_20230213T191931Z.s.gz - the file is missing -- this line is manually added by owner.
Mon Feb 13 20:23:40 2023 Info: Tracking parser moved /data/log/tracking/192.168.235.64/tracking.@20230213T191931Z_20230213T192231Z.s.gz to /data/tracking/incoming_queue/0/192.168.235.64/tracking.@20230213T191931Z_20230213T192231Z.s.gz.
Mon Feb 13 20:25:51 2023 Info: Tracking parser moved /data/log/tracking/192.168.235.64/tracking.@20230213T192231Z_20230213T192531Z.s.gz to /data/tracking/incoming_queue/0/192.168.235.64/tracking.@20230213T192231Z_20230213T192531Z.s.gz.
Mon Feb 13 23:15:20 2023 Info: Tracking parser moved /data/log/tracking/192.168.235.64/tracking.@20230213T221032Z_20230213T221332Z.s.gz to /data/tracking/incoming_queue/0/192.168.235.64/tracking.@20230213T221032Z_20230213T221332Z.s.gz.
Mon Feb 13 23:17:27 2023 Info: Tracking parser moved /data/log/tracking/192.168.235.64/tracking.@20230213T221332Z_20230213T221632Z.s.gz to /data/tracking/incoming_queue/0/192.168.235.64/tracking.@20230213T221332Z_20230213T221632Z.s.gz.
tracking.@20230213T221632Z_20230213T221932Z.s.gz - the file is missing -- this line is manually added by owner.
Mon Feb 13 23:23:42 2023 Info: Tracking parser moved /data/log/tracking/192.168.235.64/tracking.@20230213T221932Z_20230213T222232Z.s.gz to /data/tracking/incoming_queue/0/192.168.235.64/tracking.@20230213T221932Z_20230213T222232Z.s.gz.
Mon Feb 13 23:25:52 2023 Info: Tracking parser moved /data/log/tracking/192.168.235.64/tracking.@20230213T222232Z_20230213T222532Z.s.gz to /data/tracking/incoming_queue/0/192.168.235.64/tracking.@20230213T222232Z_20230213T222532Z.s.gz.
Mon Feb 13 23:30:04 2023 Info: Tracking parser moved /data/log/tracking/192.168.235.64/tracking.@20230213T222532Z_20230213T222832Z.s.gz to /data/tracking/incoming_queue/0/192.168.235.64/tracking.@20230213T222532Z_20230213T222832Z.s.gz.
...... Log examples for two missing files are considered sufficient. Logs for the other files are omitted to avoid complexity.
In summary, examples of files missing on the SMA from ESA 192.168.235.64:
tracking.@20230213T191631Z_20230213T191931Z.s.gz
tracking.@20230213T221632Z_20230213T221932Z.s.gz
tracking.@20230214T041633Z_20230214T041933Z.s.gz
tracking.@20230214T064034Z_20230214T064334Z.s.gz
tracking.@20230214T070134Z_20230214T070434Z.s.gz
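The gap check in step 2 can be automated: the window of each tracking file is encoded in its name (tracking.@<start>_<end>.s.gz), so any time the end of one file does not equal the start of the next, one or more 3-minute files are missing. The script below is an added example, not part of the original document or Cisco's code; it reads trackerd log lines in the format shown above (the excerpt is constructed) and names every missing window, including several consecutive ones.

```python
import re
from datetime import datetime, timedelta

# Tracking file name as it appears in trackerd log lines: tracking.@<start>_<end>.s.gz
FILE_RE = re.compile(r"tracking\.@(\d{8}T\d{6}Z)_(\d{8}T\d{6}Z)\.s\.gz")
STAMP = "%Y%m%dT%H%M%SZ"

# Constructed trackerd log excerpt for one ESA (destination paths shortened).
TRACKERD_LOG = """\
Mon Feb 13 20:11:06 2023 Info: Tracking parser moved /data/log/tracking/192.168.235.64/tracking.@20230213T190731Z_20230213T191031Z.s.gz to ...
Mon Feb 13 20:15:18 2023 Info: Tracking parser moved /data/log/tracking/192.168.235.64/tracking.@20230213T191031Z_20230213T191331Z.s.gz to ...
Mon Feb 13 20:17:26 2023 Info: Tracking parser moved /data/log/tracking/192.168.235.64/tracking.@20230213T191331Z_20230213T191631Z.s.gz to ...
Mon Feb 13 20:23:40 2023 Info: Tracking parser moved /data/log/tracking/192.168.235.64/tracking.@20230213T191931Z_20230213T192231Z.s.gz to ...
Mon Feb 13 20:25:51 2023 Info: Tracking parser moved /data/log/tracking/192.168.235.64/tracking.@20230213T192231Z_20230213T192531Z.s.gz to ...
"""


def tracking_windows(log_text):
    """Return the sorted (start, end) windows of every tracking file seen in the log."""
    windows = set()
    for line in log_text.splitlines():
        m = FILE_RE.search(line)  # first match is enough; source and target name are identical
        if m:
            windows.add((datetime.strptime(m.group(1), STAMP),
                         datetime.strptime(m.group(2), STAMP)))
    return sorted(windows)


def find_missing_files(log_text, interval=timedelta(minutes=3)):
    """Name every tracking file whose window lies between two consecutive files
    in the log but never arrived on the SMA."""
    ordered = tracking_windows(log_text)
    missing = []
    for (_, prev_end), (next_start, _) in zip(ordered, ordered[1:]):
        cursor = prev_end
        while cursor < next_start:  # walk the gap in 3-minute steps
            end = cursor + interval
            missing.append(f"tracking.@{cursor.strftime(STAMP)}_{end.strftime(STAMP)}.s.gz")
            cursor = end
    return missing


if __name__ == "__main__":
    for name in find_missing_files(TRACKERD_LOG):
        print("missing on SMA:", name)
```

Run it over the full filtered trackerd_logs of one ESA to get the complete list of missing files for that ESA before moving on to step 3.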
Step 3: smaduser action analysis
The next step is to check the behaviour of the SMA smad process in /data/pub/cli_logs/ on the ESA.
As described earlier, smad checks the ESA for files in /data/pub/export/tracking (ls -AF), copies the file (scp -f /../tracking.*.s.gz), and then deletes it (rm /./tracking.*.s.gz), all through SSH access as smaduser.
In this step it was found that, besides the primary SMA (IP: 172.24.81.94), another SMA (IP: 192.168.251.92) downloaded and deleted the file before the primary SMA did.
When the primary SMA checked the directory for files (ls -AF), it could not see the file because smaduser from 192.168.251.92 had already deleted it.
Related log examples follow:
for file tracking.@20230213T191631Z_20230213T191931Z.s.gz
grep -i "tracking.@20230213T191631Z_20230213T191931Z.s.gz" cli.current (missing file on SMA)
Mon Feb 13 20:19:29 2023 Info: PID 51423: User smaduser login from 172.24.81.94 on 192.168.235.64
Mon Feb 13 20:19:29 2023 Info: PID 51423: User smaduser executed batch command: 'ls -AF /export/tracking/'
Mon Feb 13 20:19:29 2023 Info: PID 51423: User smaduser logged out of Command Line Interface using SSH connection.
Mon Feb 13 20:19:32 2023 Info: PID 51485: User smaduser login from 192.168.251.92 on 192.168.235.64
Mon Feb 13 20:19:32 2023 Info: PID 51485: User smaduser executed batch command: 'ls -AF /export/tracking/'
Mon Feb 13 20:19:32 2023 Info: PID 51485: User smaduser logged out of Command Line Interface using SSH connection.
Mon Feb 13 20:19:35 2023 Info: PID 51541: User smaduser login from 192.168.251.92 on 192.168.235.64
Mon Feb 13 20:19:35 2023 Info: PID 51541: User smaduser executed batch command: 'scp -f /export/tracking/tracking.@20230213T191631Z_20230213T191931Z.s.gz'
Mon Feb 13 20:19:38 2023 Info: PID 51599: User smaduser login from 192.168.251.92 on 192.168.235.64
Mon Feb 13 20:19:38 2023 Info: PID 51599: User smaduser executed batch command: 'rm /export/tracking/tracking.@20230213T191631Z_20230213T191931Z.s.gz'
Mon Feb 13 20:19:39 2023 Info: PID 51599: User smaduser logged out of Command Line Interface using SSH connection.
for file tracking.@20230213T221632Z_20230213T221932Z.s.gz
grep -i "tracking.@20230213T221632Z_20230213T221932Z.s.gz" cli.current
Mon Feb 13 23:19:33 2023 Info: PID 19143: User smaduser login from 192.168.251.92 on 192.168.235.64
Mon Feb 13 23:19:33 2023 Info: PID 19143: User smaduser executed batch command: 'ls -AF /export/tracking/'
Mon Feb 13 23:19:33 2023 Info: PID 19143: User smaduser logged out of Command Line Interface using SSH connection.
Mon Feb 13 23:19:37 2023 Info: PID 19231: User smaduser login from 192.168.251.92 on 192.168.235.64
Mon Feb 13 23:19:37 2023 Info: PID 19231: User smaduser executed batch command: 'scp -f /export/tracking/tracking.@20230213T221632Z_20230213T221932Z.s.gz'
Mon Feb 13 23:19:40 2023 Info: PID 19339: User smaduser login from 192.168.251.92 on 192.168.235.64
Mon Feb 13 23:19:40 2023 Info: PID 19339: User smaduser executed batch command: 'rm /export/tracking/tracking.@20230213T221632Z_20230213T221932Z.s.gz'
Mon Feb 13 23:19:40 2023 Info: PID 19339: User smaduser logged out of Command Line Interface using SSH connection.
...... Log examples for two missing files are considered sufficient. Logs for the other files are omitted to avoid complexity.
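The cli_logs correlation from step 3 can be done the same way for every missing file at once: each SSH session of smaduser is identified by its PID, the login line gives the source address, and the rm line in the same session gives the file. The script below is an added example, not part of the original document or Cisco's code; it reads cli_logs lines in the format shown above (the excerpt is constructed, the PIDs are made up) and reports every tracking file removed by a host other than the expected primary SMA.

```python
import re

# Constructed cli_logs excerpt in the format shown above (PIDs invented).
CLI_LOG = """\
Mon Feb 13 20:19:29 2023 Info: PID 51423: User smaduser login from 172.24.81.94 on 192.168.235.64
Mon Feb 13 20:19:29 2023 Info: PID 51423: User smaduser executed batch command: 'ls -AF /export/tracking/'
Mon Feb 13 20:19:35 2023 Info: PID 51541: User smaduser login from 192.168.251.92 on 192.168.235.64
Mon Feb 13 20:19:35 2023 Info: PID 51541: User smaduser executed batch command: 'scp -f /export/tracking/tracking.@20230213T191631Z_20230213T191931Z.s.gz'
Mon Feb 13 20:19:38 2023 Info: PID 51599: User smaduser login from 192.168.251.92 on 192.168.235.64
Mon Feb 13 20:19:38 2023 Info: PID 51599: User smaduser executed batch command: 'rm /export/tracking/tracking.@20230213T191631Z_20230213T191931Z.s.gz'
Mon Feb 13 20:20:01 2023 Info: PID 51650: User smaduser login from 172.24.81.94 on 192.168.235.64
Mon Feb 13 20:20:01 2023 Info: PID 51650: User smaduser executed batch command: 'rm /export/tracking/tracking.@20230213T191931Z_20230213T192231Z.s.gz'
"""

# Login line: ties the session PID to the SMA address that opened it.
LOGIN_RE = re.compile(r"PID (\d+): User smaduser login from (\S+) on ")
# rm line: ties the session PID to the tracking file it removed.
RM_RE = re.compile(r"PID (\d+): User smaduser executed batch command: 'rm \S*/(tracking\.@\S+\.s\.gz)'")


def removal_sources(log_text):
    """Map each removed tracking file to the address of the SMA that removed it."""
    login_ip = {}    # PID -> source address of that SSH session
    removed_by = {}  # file name -> source address that issued rm
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            login_ip[m.group(1)] = m.group(2)
            continue
        m = RM_RE.search(line)
        if m:
            removed_by[m.group(2)] = login_ip.get(m.group(1), "unknown")
    return removed_by


def foreign_removals(log_text, primary_sma):
    """Files deleted from the ESA by any host other than the primary SMA."""
    return {name: ip for name, ip in removal_sources(log_text).items() if ip != primary_sma}


if __name__ == "__main__":
    for name, ip in foreign_removals(CLI_LOG, "172.24.81.94").items():
        print(f"{name} removed by {ip}, not by the primary SMA")
```

Any address that appears in the output is an SMA that still has the ESA configured for centralized tracking and should be reviewed as described in the solution summary.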
Solution summary
Following the message tracking process step by step made it possible to resolve this issue.
Another SMA was identified through the cli_logs on the ESA. It connects to the ESA, pulls and deletes the files before the primary SMA does, so the files are not available for the primary SMA.
Remove the ESA, or disable the ESA services, under "Security Appliances" on the redundant SMA, or decommission the redundant SMA from production entirely.