Cisco Email Security Appliance X1050 User Guide
User Guide for AsyncOS 9.8 for Cisco Email Security Appliances
Chapter 28 Using Email Security Monitor
Email Security Monitor Pages
• Compromised user accounts that might be used to send spam in bulk.
• Out-of-control applications in your organization that use email for notifications, alerts, automated
statements, etc.
• Sources of heavy email activity in your organization, for internal billing or resource-management
purposes.
• Sources of large-volume inbound email traffic that might not otherwise be considered spam.
Note that other reports that include statistics for internal senders (such as Internal Users or Outgoing
Senders) measure only the number of messages sent; they do not identify senders of a few messages to
a large number of recipients.
The Top Offenders by Incident chart shows the envelope senders who most frequently attempted to send
messages to more recipients than the configured limit. Each attempt is one incident. This chart
aggregates incident counts from all listeners.
The Top Offenders by Rejected Recipients chart shows the envelope senders who sent messages to the
largest number of recipients above the configured limit. This chart aggregates recipient counts from all
listeners.
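An added example (not part of the Cisco guide) showing how the two charts can rank the same incidents differently once counts are aggregated across listeners. The record format, field names, listener names and addresses are constructed for illustration and are not an AsyncOS log or export format; lowercasing senders for grouping is an assumption.

```python
import csv
import io
from collections import defaultdict

# Constructed sample (hypothetical format): one row per incident, i.e. one
# attempt by an envelope sender to exceed the configured recipient limit.
SAMPLE = """listener,envelope_sender,rejected_recipients
OutgoingMail,alerts@app.example.com,3
OutgoingMail,alerts@app.example.com,2
Relay2,Alerts@App.example.com,4
OutgoingMail,j.doe@example.com,950
Relay2,billing@example.com,40
Relay2,billing@example.com,60
OutgoingMail,broken-row
"""

def aggregate(text):
    """Return {sender: [incidents, rejected_recipients]} summed over all listeners."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.DictReader(io.StringIO(text)):
        try:
            rejected = int(row["rejected_recipients"])
        except (TypeError, ValueError):
            continue  # malformed or truncated row: skip rather than miscount
        if rejected < 0:
            continue
        # Assumption: group senders case-insensitively so one account seen on
        # two listeners with different casing is counted once.
        sender = row["envelope_sender"].strip().lower()
        totals[sender][0] += 1          # each attempt is one incident
        totals[sender][1] += rejected   # recipients above the limit
    return dict(totals)

def top_offenders(totals, by, n=3):
    """Rank senders by 'incidents' or by 'rejected' (ties broken by address)."""
    idx = {"incidents": 0, "rejected": 1}[by]
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1][idx], kv[0]))
    return [(sender, counts[idx]) for sender, counts in ranked[:n]]

if __name__ == "__main__":
    totals = aggregate(SAMPLE)
    print("By incident:           ", top_offenders(totals, "incidents"))
    print("By rejected recipients:", top_offenders(totals, "rejected"))
```

In this sample the notification application leads the incident ranking while a single account with one very large attempt leads the rejected-recipient ranking, which is why both charts are worth reviewing.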
To configure rate limiting by envelope sender or modify the existing rate limit, see
System Capacity Page
The System Capacity page provides a detailed representation of the system load, including messages in
the work queue, average time spent in the work queue, incoming and outgoing messages (volume, size,
and number), overall CPU usage, CPU usage by function, and memory page swapping information.
The system capacity page can be used to determine the following information:
• Identify when an appliance is exceeding recommended capacity and configuration optimization or
additional appliances are needed.
• Identify historical trends in system behavior which point to upcoming capacity issues.
• Identify which part of the system is using the most resources to assist with troubleshooting.
It is important to monitor your appliance to ensure that your capacity is appropriate to your message
volumes. Over time, volume will inevitably rise and appropriate monitoring will ensure that additional
capacity or configuration changes can be applied proactively. The most effective way to monitor system
capacity is to track overall volume, messages in the work queue and incidents of Resource Conservation
Mode.
• Volume: It is important to have an understanding of the “normal” message volume and the “usual”
spikes in your environment. Track this data over time to measure volume growth. You can use the
Incoming Mail and Outgoing Mail pages to track volume over time. For more information, see
and
.
• Work Queue: The work queue is designed to work as a “shock absorber”, absorbing and filtering
spam attacks and processing unusual increases in ham messages. However, the work queue is also
the best indicator of a system under stress; prolonged and frequent work queue backups may indicate
a capacity problem. You can use the WorkQueue page to track the average time messages spend in
the work queue and the activity in your work queue. For more information, see
.