Cisco Email Security Appliance X1070 Troubleshooting Guide

log_name and lists the Message IDs (MIDs) that match. The -i flag can be used for case-insensitive
searches.
The second form displays all of the log lines for the given MID.
If you have an older version, the CLI grep command can be used in order to accomplish the same thing.
However, the use of the grep command requires more detailed knowledge of how ESAs log message events.
Grep Command
The first challenge when you search mail logs is to find your message. You can do this if you search for the
sender, the recipient, or for the subject. Once you have found your message, it is important to understand how
the mail logs are organized. Content Security mail log events are given acronyms. The most important
events are ICID, MID, RID, and DCID.
Injection Connection ID (ICID): When a remote host establishes a connection to the appliance, that
connection is assigned an ICID. One ICID can spawn many MIDs.
Note: ICID 0 defines a message that was injected from itself. In fact, the numeral 0 after an ICID or DCID
refers to sessions open to or from the local loop address of the device.
Message ID (MID): Once a connection is established, each successful Simple Mail Transfer Protocol (SMTP)
MAIL FROM: command creates a new MID. A single MID can spawn many RIDs.
Recipient ID (RID): Each recipient (To:, Cc:, or Bcc:) gets a RID. RIDs only spawn multiple DCIDs if there is a
soft bounce (connection error) and delivery is reattempted.
Delivery Connection ID (DCID): Each recipient that goes to the same destination domain receives the same
DCID, up to the limits of the receiving system. So if the recipients of a message all go to the same domain,
then there is one DCID for all of the RIDs. If instead each RID goes to a separate domain, then there is a
one-to-one correlation between RIDs and DCIDs.
Note: DCID 0 defines a message that was never sent. In fact, the numeral 0 after an ICID or DCID refers to
sessions open to or from the local loop address of the device.
Generally, when you find your message, you find its MID. Then you grep for the MID and determine the
ICID and RID. With the ICID, you can determine the SenderBase Reputation Score (SBRS) for the sender.
With the RID and then the DCID, you can determine what happened when the ESA attempted delivery.
Note: Once you have the MID, ICID, and DCID, you can retrieve all of the rows for that message in one grep,
if the origin of the message is not older than your oldest mail log.
example.com> grep -e " MID 11123" -e " ICID 11092" -e " DCID 23349" mail_logs
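The procedure above (find the MID from a subject search, derive the ICID, RIDs and DCID from it, then pull every row for the message in one pass) can be automated when mail_logs has been retrieved from the appliance by FTP. The following is an added example, not code from the Cisco guide or from AsyncOS: the log lines are a constructed sample modelled on the text mail log layout (hosts, addresses and IDs are invented), and the regular expressions are this example's own assumptions about that layout. It also applies the caveat from the notes above: ICID 0 and DCID 0 denote the local loop, so they are deliberately left out of the final row selection, because grepping for them would pull in every locally injected or never-delivered message.

```python
import re

# Constructed sample of an ESA text mail log. Not a real capture: the
# hostnames, addresses, scores and IDs are invented for this example.
SAMPLE_MAIL_LOGS = """\
Mon Apr 17 19:56:22 2023 Info: New SMTP ICID 11092 interface Data1 (192.0.2.10) address 198.51.100.7 reverse dns host mx.example.net verified yes
Mon Apr 17 19:56:22 2023 Info: ICID 11092 ACCEPT SG UNKNOWNLIST match sbrs[0.0:5.0] SBRS 3.4
Mon Apr 17 19:56:23 2023 Info: Start MID 11123 ICID 11092
Mon Apr 17 19:56:23 2023 Info: MID 11123 ICID 11092 From: <alice@example.net>
Mon Apr 17 19:56:23 2023 Info: MID 11123 ICID 11092 RID 0 To: <bob@example.com>
Mon Apr 17 19:56:23 2023 Info: MID 11123 ICID 11092 RID 1 To: <carol@example.com>
Mon Apr 17 19:56:24 2023 Info: MID 11123 Subject 'Quarterly report'
Mon Apr 17 19:56:24 2023 Info: MID 11123 ready 2048 bytes from <alice@example.net>
Mon Apr 17 19:56:24 2023 Info: ICID 11092 close
Mon Apr 17 19:56:30 2023 Info: New SMTP DCID 23349 interface 192.0.2.10 address 203.0.113.25 port 25
Mon Apr 17 19:56:30 2023 Info: Delivery start DCID 23349 MID 11123 to RID [0, 1]
Mon Apr 17 19:56:31 2023 Info: Message done DCID 23349 MID 11123 to RID [0, 1]
Mon Apr 17 19:56:31 2023 Info: MID 11123 RID [0, 1] Response '250 2.0.0 OK'
Mon Apr 17 19:56:32 2023 Info: DCID 23349 close
Mon Apr 17 19:57:01 2023 Info: Start MID 11124 ICID 0
Mon Apr 17 19:57:01 2023 Info: MID 11124 ICID 0 From: <mailer-daemon@esa.example.com>
Mon Apr 17 19:57:01 2023 Info: MID 11124 ICID 0 RID 0 To: <dave@example.org>
Mon Apr 17 19:57:01 2023 Info: MID 11124 Subject 'Delivery Status Notification'
Mon Apr 17 19:57:02 2023 Info: Message aborted MID 11124 Dropped by antispam
"""

# Assumed line shapes (this example's reading of the log layout, not a Cisco spec).
SUBJECT_LINE = re.compile(r"\bMID (\d+) Subject '(.*)'")
MID_ICID = re.compile(r"\bMID (\d+) ICID (\d+)")
RID_TO = re.compile(r"\bMID (\d+) ICID \d+ RID (\d+) To: <([^>]*)>")
DCID_MID = re.compile(r"\bDCID (\d+) MID (\d+) to RID \[([0-9, ]+)\]")
SBRS_LINE = re.compile(r"\bICID (\d+) (ACCEPT|REJECT|RELAY|TCPREFUSE)\b.*?\bSBRS (\S+)")


def find_mids_by_subject(lines, pattern, ignore_case=False):
    """Step 1: locate the message. Mirrors 'grep' on the Subject line (-i = ignore_case)."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    mids = []
    for line in lines:
        m = SUBJECT_LINE.search(line)
        if m and rx.search(m.group(2)):
            mids.append(int(m.group(1)))
    return mids


def correlate(lines, mid):
    """Step 2: from the MID, recover the ICID, RIDs, DCIDs and the sender's SBRS."""
    info = {"mid": mid, "icid": None, "sbrs": None, "rids": {}, "dcids": []}
    for line in lines:
        m = MID_ICID.search(line)
        if m and int(m.group(1)) == mid:
            info["icid"] = int(m.group(2))
        m = RID_TO.search(line)
        if m and int(m.group(1)) == mid:
            info["rids"][int(m.group(2))] = m.group(3)
        m = DCID_MID.search(line)
        if m and int(m.group(2)) == mid:
            dcid = int(m.group(1))
            if dcid not in info["dcids"]:
                info["dcids"].append(dcid)
    # SBRS is logged against the injection connection, not the message,
    # so it can only be read once the ICID is known.
    if info["icid"] is not None:
        for line in lines:
            m = SBRS_LINE.search(line)
            if m and int(m.group(1)) == info["icid"]:
                info["sbrs"] = m.group(3)
    return info


def message_lines(lines, info):
    """Step 3: the one-shot 'grep -e " MID n" -e " ICID n" -e " DCID n"' over the log.

    \\b after the number stops 'MID 1112' from matching 'MID 11123'. ICID 0 and
    DCID 0 are the local loop and are skipped: they would match unrelated messages.
    """
    patterns = [re.compile(rf"\bMID {info['mid']}\b")]
    if info["icid"]:
        patterns.append(re.compile(rf"\bICID {info['icid']}\b"))
    for dcid in info["dcids"]:
        if dcid:
            patterns.append(re.compile(rf"\bDCID {dcid}\b"))
    return [line for line in lines if any(p.search(line) for p in patterns)]


if __name__ == "__main__":
    log = SAMPLE_MAIL_LOGS.splitlines()
    for mid in find_mids_by_subject(log, "quarterly", ignore_case=True):
        info = correlate(log, mid)
        print(info)
        print("\n".join(message_lines(log, info)))
```

Running the block traces MID 11123 to ICID 11092 (SBRS 3.4), two RIDs and DCID 23349, and prints the 14 rows a single multi-pattern grep would return; the locally injected MID 11124 (ICID 0, never delivered) is traced from its own MID only.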
Example
Search for the message subject:
example.com> grep
Currently configured logs:
16. "mail_logs" Type: "IronPort Text Mail Logs" Retrieval: FTP Poll
Enter the number of the log you wish to grep.
[]> 16
Enter the regular expression to grep.
1.