Cisco Cisco Email Security Appliance C650 Guía Del Usuario
28-24
AsyncOS 9.1.2 for Cisco Email Security Appliances User Guide
Chapter 28 Using Email Security Monitor
Email Security Monitor Pages
•
Sources of large-volume inbound email traffic that might not otherwise be considered spam.
Note that other reports that include statistics for internal senders (such as Internal Users or Outgoing
Senders) measure only the number of messages sent; they do not identify senders of a few messages to
a large number of recipients.
Senders) measure only the number of messages sent; they do not identify senders of a few messages to
a large number of recipients.
The Top Offenders by Incident chart shows the envelope senders who most frequently attempted to send
messages to more recipients than the configured limit. Each attempt is one incident. This chart
aggregates incident counts from all listeners.
messages to more recipients than the configured limit. Each attempt is one incident. This chart
aggregates incident counts from all listeners.
The Top Offenders by Rejected Recipients chart shows the envelope senders who sent messages to the
largest number of recipients above the configured limit. This chart aggregates recipient counts from all
listeners.
largest number of recipients above the configured limit. This chart aggregates recipient counts from all
listeners.
To configure rate limiting by envelope sender or modify the existing rate limit, see
.
System Capacity Page
The System Capacity page provides a detailed representation of the system load, including messages in
the work queue, average time spent in the work queue, incoming and outgoing messages (volume, size,
and number), overall CPU usage, CPU usage by function, and memory page swapping information.
the work queue, average time spent in the work queue, incoming and outgoing messages (volume, size,
and number), overall CPU usage, CPU usage by function, and memory page swapping information.
The system capacity page can be used to determine the following information:
•
Identify when a appliance is exceeding recommended capacity and configuration optimization or
additional appliances are needed.
additional appliances are needed.
•
Identify historical trends in system behavior which point to upcoming capacity issues.
•
Identify which part of the system is using the most resources to assist with troubleshooting.
It is important to monitor your appliance to ensure that your capacity is appropriate to your message
volumes. Over time, volume will inevitably rise and appropriate monitoring will ensure that additional
capacity or configuration changes can be applied proactively. The most effective way to monitor system
capacity is to track overall volume, messages in the work queue and incidents of Resource Conservation
Mode.
volumes. Over time, volume will inevitably rise and appropriate monitoring will ensure that additional
capacity or configuration changes can be applied proactively. The most effective way to monitor system
capacity is to track overall volume, messages in the work queue and incidents of Resource Conservation
Mode.
•
Volume: It is important to have an understanding of the “normal” message volume and the “usual”
spikes in your environment. Track this data over time to measure volume growth. You can use the
Incoming Mail and Outgoing Mail pages to track volume over time. For more information, see
spikes in your environment. Track this data over time to measure volume growth. You can use the
Incoming Mail and Outgoing Mail pages to track volume over time. For more information, see
and
.
•
Work Queue: The work queue is designed to work as a “shock absorber”-- absorbing and filtering
spam attacks and processing unusual increases in ham messages. However, the work queue is also
the best indicator of a system under stress, prolonged and frequent work queue backups may indicate
a capacity problem. You can use the WorkQueue page to track the average time messages spend in
the work queue and the activity in your work queue. For more information, see
spam attacks and processing unusual increases in ham messages. However, the work queue is also
the best indicator of a system under stress, prolonged and frequent work queue backups may indicate
a capacity problem. You can use the WorkQueue page to track the average time messages spend in
the work queue and the activity in your work queue. For more information, see
.
•
Resource Conservation Mode: When a appliance becomes overloaded, it will enter “Resource
Conservation Mode” (RCM) and send a CRITICAL system alert. This is designed to protect the
device and allow it to process any backlog of messages. Your appliance should enter RCM
infrequently and only during a very large or unusual increase in mail volume. Frequent RCM alerts
may be an indication that the system is becoming overloaded. Resource Conservation Mode is not
tracked by the system capacity page.
Conservation Mode” (RCM) and send a CRITICAL system alert. This is designed to protect the
device and allow it to process any backlog of messages. Your appliance should enter RCM
infrequently and only during a very large or unusual increase in mail volume. Frequent RCM alerts
may be an indication that the system is becoming overloaded. Resource Conservation Mode is not
tracked by the system capacity page.