There are four key log files that can help you quickly and easily diagnose mail flow issues with Protector: SMTP, Filters, Messages and SMAIL. You can access all of these log files by logging into the console of the appliance with the root account.
SMTP
/var/log/xmail/smtp-YYYYMMDDHH00
This logs all incoming emails to the server, both those destined for the Internet and those destined for Internal networks. For every message, you should see a RECV and a RCPT entry. Some of the IP filters will also show errors in this log if a message was blocked by our IP filters. If you don't see a message in this log file, Protector never received it.
FILTERS
/var/log/xmail/filters-YYYYMMDDHH00
This logs our IP layer filters, including Recipient Verification. Note that when you enable Recipient Verification, ALL message lines will show the words Recipient Verification. That does not mean they were blocked by it, only that they were checked against it.
MESSAGES
/var/log/messages
This log shows all mail security notices as well as the messages that are analyzed. If a message was blocked by one of our content filters, the log shows which Rule and Analysis Module matched the email, whether a Response was applied to the message, and the ultimate message action status, typically action taken=1. If a message does not show a Rule and Analysis Module in the log and has an action taken=0, the message has passed all checks and will be delivered to your internal mailbox.
SMAIL
/var/log/xmail/smail-YYYYMMDDHH00
This log shows all mail that the server has delivered or attempted to deliver, for both External and Internal mail. A message delivered to the Internet shows "SMTP"; a message delivered to Internal shows "RLYS". If you see either of these, you know the message is now at its next hop and not in Protector.
EXAMPLE INBOUND EMAIL:
LPforMS:~ # tail /var/log/xmail/smtp-201107290900
"swg.usma.ibm.com" "swg.usma.ibm.com" "127.0.0.1" "2011-07-29 09:12:02" "mail.ibm.com" "swg.usma.ibm.com" "joey@example.com" "samanthadaryn@swg.usma.ibm.com" "11072913-8336-0000-0000-0000001200EE" "RCPT=OK" "" "0" ""
"swg.usma.ibm.com" "swg.usma.ibm.com" "127.0.0.1" "2011-07-29 09:12:17" "mail.ibm.com" "swg.usma.ibm.com" "joey@example.com" "samanthadaryn@swg.usma.ibm.com" "11072913-8336-0000-0000-0000001200EE" "RECV=OK" "" "64" ""
LPforMS:~ # tail /var/log/xmail/filters-201107290900
"joey@example.com" "samanthadaryn@swg.usma.ibm.com" "127.0.0.1" "127.0.0.1" "2011-07-29 09:12:02" "post-rcpt" "" "11072913-8336-0000-0000-0000001200EE" "0" "0" "Recipient Verification;"
LPforMS:~ # tail /var/log/messages
Jul 29 09:12:23 LPforMS pvmail[1444]: id=MS name=MSM_MailProcessed time="2011-7-29 9:12:23" fw=LPforMS pri=6 issueid=6000031 msg="Mail Processed" msgid=11072913-8336-0000-0000-0000001200EE sender="joey@example.com" recipient="samanthadaryn@swg.usma.ibm.com" direction=inbound size=709 attachmentcount=0 src=127.0.0.1 ActionTaken=0
LPforMS:~ # tail /var/log/xmail/smail-201107290900
"swg.usma.ibm.com" "1311945143834.b34d3ba0.6dd.12c.LPforMS" "11072913-8336-0000-0000-0000001200EE" "joey@example.com" "samanthadaryn@swg.usma.ibm.com" "RLYS" "LPDominoSvr.swg.usma.ibm.com" "2011-07-29 09:12:24" "Message accepted for delivery"
For a full list of SMTP errors, reference this support article:
https://www-304.ibm.com/support/docview.wss?uid=swg21437369
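The four checks above can be combined into a single trace of one message ID. The script below is an added example, not part of the original article or of the product; the function names trace_msg and write_samples, the status words it prints, and the second sample message (ID ending 00FF) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM code). Field positions are inferred from the sample
# lines on this page; trace_msg and write_samples are hypothetical names.
# trace_msg ID [XMAIL_DIR] [SYSLOG] prints how far the message got.
trace_msg() (
    id=$1; xdir=${2:-/var/log/xmail}; syslog=${3:-/var/log/messages}
    # SMTP log: every line carrying this message ID (RCPT and RECV entries).
    smtp=$(cat "$xdir"/smtp-* 2>/dev/null | grep -F "\"$id\"" || true)
    # Messages log: ActionTaken value from the entry for this msgid.
    action=$(grep -F "msgid=$id " "$syslog" 2>/dev/null |
             sed -n 's/.*ActionTaken=\([0-9][0-9]*\).*/\1/p' | tail -n 1)
    # SMAIL log: field 6 is SMTP (Internet) or RLYS (internal relay).
    hop=$(cat "$xdir"/smail-* 2>/dev/null | grep -F "\"$id\"" |
          awk -F'" "' '$6 == "SMTP" || $6 == "RLYS" { h = $6 } END { print h }')
    if [ -n "$hop" ]; then echo "delivered:$hop"
    elif [ -n "$action" ] && [ "$action" != 0 ]; then echo "action-taken:$action"
    elif [ "$action" = 0 ]; then echo "passed-checks-awaiting-delivery"
    elif printf '%s\n' "$smtp" | grep -q '"RECV=OK"'; then echo "received-not-analyzed"
    elif [ -n "$smtp" ]; then echo "seen-without-recv"
    else echo "never-received"
    fi
)

# Constructed sample logs: message ...00EE is the example from this page;
# ...00FF is a made-up message that stops at the Messages log (ActionTaken=1).
write_samples() {
    mkdir -p "$1/xmail"
    cat > "$1/xmail/smtp-201107290900" <<'EOF'
"swg.usma.ibm.com" "swg.usma.ibm.com" "127.0.0.1" "2011-07-29 09:12:02" "mail.ibm.com" "swg.usma.ibm.com" "joey@example.com" "samanthadaryn@swg.usma.ibm.com" "11072913-8336-0000-0000-0000001200EE" "RCPT=OK" "" "0" ""
"swg.usma.ibm.com" "swg.usma.ibm.com" "127.0.0.1" "2011-07-29 09:12:17" "mail.ibm.com" "swg.usma.ibm.com" "joey@example.com" "samanthadaryn@swg.usma.ibm.com" "11072913-8336-0000-0000-0000001200EE" "RECV=OK" "" "64" ""
"swg.usma.ibm.com" "swg.usma.ibm.com" "127.0.0.1" "2011-07-29 09:20:01" "mail.ibm.com" "swg.usma.ibm.com" "joey@example.com" "samanthadaryn@swg.usma.ibm.com" "11072913-8336-0000-0000-0000001200FF" "RCPT=OK" "" "0" ""
"swg.usma.ibm.com" "swg.usma.ibm.com" "127.0.0.1" "2011-07-29 09:20:05" "mail.ibm.com" "swg.usma.ibm.com" "joey@example.com" "samanthadaryn@swg.usma.ibm.com" "11072913-8336-0000-0000-0000001200FF" "RECV=OK" "" "64" ""
EOF
    cat > "$1/messages" <<'EOF'
Jul 29 09:12:23 LPforMS pvmail[1444]: id=MS name=MSM_MailProcessed time="2011-7-29 9:12:23" fw=LPforMS pri=6 issueid=6000031 msg="Mail Processed" msgid=11072913-8336-0000-0000-0000001200EE sender="joey@example.com" recipient="samanthadaryn@swg.usma.ibm.com" direction=inbound size=709 attachmentcount=0 src=127.0.0.1 ActionTaken=0
Jul 29 09:20:11 LPforMS pvmail[1444]: id=MS name=MSM_MailProcessed time="2011-7-29 9:20:11" fw=LPforMS pri=6 issueid=6000031 msg="Mail Processed" msgid=11072913-8336-0000-0000-0000001200FF sender="joey@example.com" recipient="samanthadaryn@swg.usma.ibm.com" direction=inbound size=709 attachmentcount=0 src=127.0.0.1 ActionTaken=1
EOF
    cat > "$1/xmail/smail-201107290900" <<'EOF'
"swg.usma.ibm.com" "1311945143834.b34d3ba0.6dd.12c.LPforMS" "11072913-8336-0000-0000-0000001200EE" "joey@example.com" "samanthadaryn@swg.usma.ibm.com" "RLYS" "LPDominoSvr.swg.usma.ibm.com" "2011-07-29 09:12:24" "Message accepted for delivery"
EOF
}

demo=$(mktemp -d)
write_samples "$demo"
for m in 11072913-8336-0000-0000-0000001200EE 11072913-8336-0000-0000-0000001200FF; do
    echo "$m $(trace_msg "$m" "$demo/xmail" "$demo/messages")"
done
rm -rf "$demo"
```

On the appliance itself, call trace_msg with only the message ID so that it reads /var/log/xmail and /var/log/messages directly.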