4 Replies Latest reply on Jun 8, 2011 5:15 PM by DBO

    Cannot search for a specific e-mail

    DBO

      One of our users reported a phishing message.  After checking, I can see 11 occurrences of that one and all have been quarantined, except the message that this user reported.

      I simply can't find it doing a search in the GUI, either by destination address, subject, Mail-ID or the sender IP address.  I can only find a trace in the summary log of that day.

      Fact is that I can find more messages in that log that will not show up in Queue search, either Quarantined or processed.

      Since we keep our logs for 14 days (Administration/Cleanup schedule/Logfiles), what is the problem????  Can't we trust a search in the GUI now?

      Sorry, I opened a case tonight but was unable to understand what the guy at the end of the line was telling me.  I will call tomorrow, hoping he will not be on that shift.

        • 1. Re: Cannot search for a specific e-mail
          Attila Polinger

          Hi,

          I assume you are talking about McAfee Email Gateway or Email and Web Security software.

          I'd like to add that we also have an open case with a similar issue: cannot find email in logs/message database. It's in Tier II stage but still they are only in the process of analyzing the MER that I've sent.

          Nevertheless, you could also try using the product's off-box SQL reports database to find messages (needs some manual work/preparation but could be worth it; much faster in searching). If you feel like giving it a try, check out System-appliance Management-Database setting-External Access (EWS 5.6 console).

          Hope I could be of some help.

          Attila

          Message was edited by: apoling on 07/06/11 12:32:41 CEST
          • 2. Re: Cannot search for a specific e-mail
            DBO

            No, it's SecureMail/Ironmail 6.7.2.

            • 3. Re: Cannot search for a specific e-mail
              ijahnke

              How old was the message when you tried to view it in the gui?

              The GUI search and the logs are two separate functions. In the Administration tab you have a separate cleanup schedule for both, one for log files and the other for statistics which (off the top of my head) I believe controls how long the data will be kept for GUI searches. Because the GUI creates a separate temporary log file for each message there is no real reason to keep them, aside from convenience, since the log files hold the exact same information.

              Unfortunately the default CLI commands are lacking, but there isn't much you can't do if you use the correct syntax along with the grep command:

              Example:

              All rules with "-d head" can be changed to "-d tail" to tail live logs

              To search Proxy:

              showevents -s cfile="/conf/scevents.ini" -s ifile="/log/scmail-logs.bin" -d head -g module=smtpproxy

              To search superq:

              showevents -s cfile="/conf/scevents.ini" -s ifile="/log/scmail-logs.bin" -d head -g module=superq

              To search smtpo:

              showevents -s cfile="/conf/scevents.ini" -s ifile="/log/scmail-logs.bin" -d head -g module=smtpo

              To search a msgid or connection id:

              showevents -s cfile="/conf/scevents.ini" -s ifile="/log/scmail-logs.bin" -d head -g msgorconnid=<msg_id>

              To search for an event id:

              showevents -s cfile="/conf/scevents.ini" -s ifile="/log/scmail-logs.bin" -d head -g eid=<event_id>

              to search by start time:

              showevents -s cfile="/conf/scevents.ini" -s ifile="/log/scmail-logs.bin" -d head -g module=smtpproxy -g stime=<20110517:10:01:01 or 20110517:10:01 or 20110517:10>

              to search by end time:

              showevents -s cfile="/conf/scevents.ini" -s ifile="/log/scmail-logs.bin" -d head -g module=smtpproxy -g etime=<20110517:10:01:01 or 20110517:10:01 or 20110517:10>

              To search a time range:

              showevents -s cfile="/conf/scevents.ini" -s ifile="/log/scmail-logs.bin" -d head -g module=smtpproxy -g stime=20110517:10:01 -g etime=20110517:10:05

              Rules can be combined:

              To search for accepted messages connecting on May 12th between 19:15 and 19:25:

              showevents -s cfile="/conf/scevents.ini" -s ifile="/log/scmail-logs.bin.ends20110513" -d head -g module=smtpproxy -g eid=9284 -g stime=20110512:19:15 -g etime=20110512:19:25

              Message was edited by: ijahnke on 6/7/11 10:11:33 AM CDT
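The following is an added helper, not code from the thread or from the product: it assembles the showevents command lines listed in the reply above (the -s cfile/ifile settings, -d head or tail, and the -g module/msgorconnid/eid/stime/etime filters) from structured parameters, so that a responder checking a quarantine gap can script the search and get the timestamp format right before typing it on the appliance. The accepted timestamp granularities (YYYYMMDD:HH, YYYYMMDD:HH:MM, YYYYMMDD:HH:MM:SS) are taken from the reply; the rotated-log naming in rotated_log() is an assumption inferred from the single scmail-logs.bin.ends20110513 example and should be checked against the appliance's /log directory.

```python
"""Compose IronMail/SecureMail showevents searches (added example, not product code)."""
import re
from datetime import date

CFILE = "/conf/scevents.ini"
LIVE_LOG = "/log/scmail-logs.bin"
MODULES = ("smtpproxy", "superq", "smtpo")
# YYYYMMDD:HH, YYYYMMDD:HH:MM or YYYYMMDD:HH:MM:SS, as listed in the thread
_TIME_RE = re.compile(r"^(\d{4})(\d{2})(\d{2}):(\d{2})(?::(\d{2}))?(?::(\d{2}))?$")


def validate_time(value):
    """Check one of the three accepted stime/etime granularities; return it unchanged."""
    m = _TIME_RE.match(value)
    if not m:
        raise ValueError(f"bad timestamp {value!r}: expected YYYYMMDD:HH[:MM[:SS]]")
    y, mo, d, hh, mm, ss = m.groups()
    date(int(y), int(mo), int(d))  # raises on an impossible calendar date
    if int(hh) > 23 or int(mm or 0) > 59 or int(ss or 0) > 59:
        raise ValueError(f"bad timestamp {value!r}: time field out of range")
    return value


def _padded(value, fill):
    """Expand a timestamp to seconds resolution so two granularities compare as strings."""
    parts = value.split(":")
    while len(parts) < 4:
        parts.append(fill)
    return ":".join(parts)


def rotated_log(ends):
    """Path of a rotated log file for a past day.

    ASSUMPTION: the suffix is the date the file was closed, inferred from the one
    example in the thread (May 12 events found in scmail-logs.bin.ends20110513).
    """
    return f"{LIVE_LOG}.ends{ends:%Y%m%d}"


def build_command(module=None, msgorconnid=None, eid=None, stime=None, etime=None,
                  ifile=LIVE_LOG, direction="head"):
    """Return the showevents argv list (unquoted tokens, as a shell would pass them)."""
    if direction not in ("head", "tail"):
        raise ValueError("direction must be 'head' (stored log) or 'tail' (live log)")
    if module is not None and module not in MODULES:
        raise ValueError(f"unknown module {module!r}; expected one of {MODULES}")
    if stime is not None:
        validate_time(stime)
    if etime is not None:
        validate_time(etime)
    # Pad the start with 00 and the end with 59 so a coarser etime still covers stime.
    if stime and etime and _padded(stime, "00") > _padded(etime, "59"):
        raise ValueError("stime is after etime")
    argv = ["showevents", "-s", f"cfile={CFILE}", "-s", f"ifile={ifile}", "-d", direction]
    for key, val in (("module", module), ("msgorconnid", msgorconnid), ("eid", eid),
                     ("stime", stime), ("etime", etime)):
        if val is not None:
            argv += ["-g", f"{key}={val}"]
    return argv


def render(argv):
    """Render argv in the form the thread uses (-s values double-quoted)."""
    out = []
    for tok in argv:
        if tok.startswith(("cfile=", "ifile=")):
            key, _, val = tok.partition("=")
            tok = f'{key}="{val}"'
        out.append(tok)
    return " ".join(out)


if __name__ == "__main__":
    # Reproduces the combined-rule example from the reply above.
    print(render(build_command(module="smtpproxy", eid=9284,
                               stime="20110512:19:15", etime="20110512:19:25",
                               ifile=rotated_log(date(2011, 5, 13)))))
```

Pass the returned argv straight to subprocess on the appliance if scripting is allowed there, or paste the rendered string into the CLI; the msgorconnid filter is the one to reach for first when the GUI search for a Mail-ID comes back empty, since it bypasses the statistics retention that the reply describes.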
              • 4. Re: Cannot search for a specific e-mail
                DBO

                Yes, that was it.  I wasn't able to understand the guy from support but his email was clearer.    Funny I never realised I was missing some e-mail while doing a GUI search.

                Thank you for the search sample but it is clearly not what we should have to use with such a system.

                Message was edited by: DBO on 08/06/11 17:15:58 CDT