3 Replies Latest reply on Dec 28, 2011 3:50 PM by PhilM

    Command for Trusted Source logs

    Arshad

      Hi, I am using Sidewinder Firewall ver 8.1.2. I want to see the log of those emails that are dropped inbound on Sendmail due to the TrustedSource feature. I have applied Sendmail for inbound mails. What is the CLI command to see those emails that get dropped due to TrustedSource?

       

      Thanks

        • 1. Re: Command for Trusted Source logs
          PhilM

          I can't say for certain as I don't currently have access to a v8 Firewall running sendmail with TrustedSource enabled - or GTI as it is now called. But, I would expect to find it in one of two places:-

           

          Either in the main sendmail logfile /var/log/maillog, or in the Firewall's primary audit feed - the /var/log/audit.raw file or by running the audit viewer. In the case of the audit, I would look out for events associated with the sendmail process (they may well be 'attack' events) when connections to sendmail are being blocked by TrustedSource/GTI. When you open up any of these audit entries and look at the data inside, you should see the reputation score contained within it.

           

          Hope that helps.

          Phil.

          • 2. Re: Command for Trusted Source logs
            sliedl

            You could try these acat commands on the command-line:

             

            $> acat -e "category AUDIT_C_GTI"

            or

            $> acat -e "event AUDIT_R_REPUTATION"

            or (both together)

            $> acat -e "event AUDIT_R_REPUTATION or category AUDIT_C_GTI"

             

            I am not positive those will work as I do not have any examples of emails denied by TrustedSource/GTI to look at myself.

            • 3. Re: Command for Trusted Source logs
              PhilM

              The more I think about it, the more I recall that, when looking at a customer's appliance, I could see evidence of messages being blocked in the maillog file.