B ESA Admin Guide Chapter 011101

Download as pdf or txt
Download as pdf or txt
You are on page 1of 8

Tracking Messages

This chapter contains the following sections:


• Message Tracking Overview , on page 1
• Enabling Message Tracking, on page 1
• Searching for Messages , on page 2
• Working with Message Tracking Search Results , on page 4
• Checking Message Tracking Data Availability , on page 7
• Troubleshooting Message Tracking, on page 8

Message Tracking Overview


Message tracking helps resolve help desk calls by giving a detailed view of message flow. For example, if a
message was not delivered as expected, you can determine if it was found to contain a virus or placed in a
spam quarantine — or if it is located somewhere else in the mail stream.
You can search for a particular email message or a group of messages that match criteria that you specify.

Note You cannot use message tracking to read the content of messages.

Enabling Message Tracking

Note Message tracking data is preserved only for messages that are processed after you enable this feature.

Before you Begin


• In order to search for and display attachment names in Message Tracking and view attachment names
in log files, you must configure and enable at least one body scanning process, such as a message filter
or content filter.
• To support searching by subject, log files must be configured to record subject headers. For more
information, see Logging.

Tracking Messages
1
Tracking Messages
Searching for Messages

• If you are setting up Centralized Tracking: Set up your Security Management appliance to support
centralized message tracking for this Email Security appliance. See the Cisco Content Security
Management Appliance User Guide.

Step 1 Click Services > Centralized Services > Message Tracking.


Use this path even if you do not plan to centralize this service.

Step 2 Select Enable Message Tracking Service.


Step 3 If you are enabling message tracking for the first time after running the System Setup Wizard, review the end-user license
agreement, and click Accept.
Step 4 Choose a Message Tracking Service:

Option Description

Local Tracking Use message tracking on this appliance.

Centralized Tracking Use a Security Management appliance to track messages for multiple Email Security appliances
including this one.

Step 5 (Optional) Select the check box to save information for rejected connections.
For best performance, leave this setting disabled.

Step 6 Submit and commit your changes.

What to do next
If you selected Local Tracking:
• Choose who can access content related to DLP violations. See Controlling Access to Sensitive Information
in Message Tracking.
• (Optional) Adjust the disk space allocation for storing messages. See Managing Disk Space.

Searching for Messages


Step 1 Choose Monitor > Message Tracking
Step 2 Enter search criteria.
• To view all options, click the Advanced link.
• Tracking does not support wildcard characters or regular expressions.
• Tracking searches are not case sensitive.
• Unless otherwise specified, the query is an “AND” search: The query returns messages that match all conditions
specified in the search fields. For example, if you specify text strings for the envelope recipient and the subject line
parameters, the query returns only messages that match both the specified envelope recipient and the subject line.

Tracking Messages
2
Tracking Messages
Searching for Messages

• Search criteria include:

Option Description

Envelope Sender Select Begins With, Is, or Contains, then enter an email address, username,
or domain of a message sender to find.
You can enter any character(s). No validation of your entry is performed.

Envelope Recipient Select Begins With, Is, or Contains, and enter an email address, username,
or domain of a message recipient to find.
You can enter any character(s). No validation of your entry is performed.

Subject Select Begins With, Is, or Contains, and enter a text string to search for in
the message subject line.
Warning: Do not use this type of search in environments where regulations
prohibit such tracking.

Message Received Specify a date and time range.


If you do not specify a date, the query returns data for all dates. If you specify
a time range only, the query returns data for that time range across all available
dates.
Use the local date and time that the message was received by the Email Security
appliance.

Advanced options:

Sender IP Address/ Domain / Network Specify the IP address, domain, or network owner of a remote host.
Owner
You can search within rejected connections only or search all messages.

Attachment Select Begins With, Is, or Contains, and enter an ASCII or Unicode text string
for one attachment to find. Leading and trailing spaces are not stripped from
the text you enter.
You can search for messages by attachment filenames only if you have
performed:
• Body scan using a message filter
• Body scan using a content filter
• Advanced Malware Protection (AMP) scan.

For more information about identifying files based on SHA-256 hash, see
Identifying Files by SHA-256 Hash.

Message Event Select one or more message processing events. For example, you can search
for messages that have been delivered, quarantined, or hard bounced.
Message events are added with an “OR” operator: Selecting multiple events
finds messages that match any of the conditions you specify.

Tracking Messages
3
Tracking Messages
Working with Message Tracking Search Results

Option Description

Message ID Header Enter a text string for the SMTP Message-ID header.
This RFC 822 message header uniquely identifies each email message. It is
inserted in the message when the message is first created.

Cisco IronPort MID Enter a message number to search for. An IronPort MID uniquely identifies
each email message on the Email Security appliance.

Cisco IronPort Host Select an Email Security appliance to restrict the search to messages processed
by that appliance, or select all appliances.

Step 3 Click Search to submit the query.


The query results are displayed at the bottom of the page.

What to do next
Related Topics
• Working with Message Tracking Search Results , on page 4

Working with Message Tracking Search Results


Keep the following points in mind:
• Messages appear in the results only after they have been logged on the Email Security appliance and
retrieved by the Security Management appliance. Depending on the size of logs and the frequency of
polling, there could be a small gap between the time when an email message was sent and when it actually
appears in tracking and reporting results.
• For information about searches involving Advanced Malware Protection (file reputation scanning and
file analysis), see About Message Tracking and Advanced Malware Protection Features.

Actions you can take when working with search results:


• Show more than 250 search results by returning to the search criteria, clicking Advanced, scrolling to
the Query Settings, and setting the maximum number of results to 1000.
• Show more results per page by choosing an option from the top right side of the search results section.
• Navigate through multiple pages of search results from the top right side of the search results section.
• Narrow your search results by floating the cursor over a value in the search results that you want to add
as a condition. If an orange highlight appears, you can click that value to narrow the search by that
criterion. This adds the additional criterion to the search criteria. For example, if you search for messages
sent to a particular recipient, you can then click on a sender name in the search results to find all messages
to that recipient from that sender within the time range (and meeting any other criteria) that you originally
specified.
• If more than 1000 messages match your search criteria, you can click Export All (a link at the top right
of the search results section) and export up to 50,000 search results as a comma-separated values file
and work with the data in another application.

Tracking Messages
4
Tracking Messages
Message Tracking Details

• View more details for a message by clicking Show Details in the row for that message. A new browser
window opens with the message details.
• For quarantined messages, you can click a link in the message tracking search results to view details
such as the reason the message was quarantined.

Note If you clicked a link in a report page to view message details in Message Tracking, and the set of results is
not what you expected, this can occur if reporting and tracking were not both simultaneously and continuously
enabled during the time period you are reviewing.

Related Topics
• Message Tracking Details , on page 5

Message Tracking Details


Item Description

Envelope and Header Summary


section:

Received Time Time that the Email Security appliance received the message.
Dates and times are displayed using the local time configured on the
Email Security appliance.

MID Unique IronPort message ID.

Message Size Message size.

Subject Subject line of the message.


The subject line in the tracking results may have the value “(No
Subject)” if the message does not have a subject, or if log files are not
configured to record subject headers. For more information, see
Logging

Envelope Sender Address of the sender in the SMTP envelope.

Envelope Recipients If your deployment uses the alias table for alias expansion, the search
finds the expanded recipient addresses rather than the original envelope
addresses. For more information about Alias Tables, see “Creating
Alias Tables” in the “Configuring Routing and Delivery Features”
chapter .
In all other cases, message tracking queries find the original envelope
recipient addresses.

Message ID Header The RFC 822 message header.

SMTP Auth User ID SMTP authenticated username of the sender, if the sender used SMTP
authentication to send the message. Otherwise, the value is “N/A.”

Tracking Messages
5
Tracking Messages
Message Tracking Details

Item Description

Attachments The names of files attached to the message.


Messages that contain at least one attachment with the queried name
will appear in the search results.
Some attachments may not be tracked. For performance reasons,
scanning of attachment names occurs only as part of other scanning
operations, for example message or content filtering, DLP, or
disclaimer stamping. Attachment names are available only for messages
that pass through body scanning while the attachment is still attached.
Situations in which an attachment name will not appear in search
results include (but are not limited to):
• if the system only uses content filters, and a message is dropped
or its attachment is stripped by anti-spam or anti-virus filters
• if message splintering policies strip the attachment from some
messages before body scanning occurs.
For performance reasons, the names of files within attachments, such
as OLE objects or archives such as .ZIP files, are not searched.

Sending Host Summary section

Reverse DNS Hostname Name of the sending host, as verified by reverse DNS (PTR) lookup.

IP Address IP address of the sending host.

SBRS Score SenderBase reputation score. The range is from 10 (likely a trustworthy
sender) to -10 (apparent spammer). A score of “None” indicates that
there was no information about this host at the time the message was
processed.
For more information about SBRS, see Sender Reputation Filtering

Processing Details section

Summary information The Summary tab displays status events logged during the processing
of the message.
(If one of the tabs below is displayed,
this information is displayed in a tab. Entries include information about Mail Policy processing, such as
Summary information always Anti-Spam and Anti-Virus scanning, and other events such as message
displays.) splitting and custom log entries added by a content or message filter.
If the message was delivered, the details of the delivery are displayed
here.
The last recorded event is highlighted in the processing details.

Tracking Messages
6
Tracking Messages
Checking Message Tracking Data Availability

Item Description

DLP Matched Content tab This tab displays only for messages that were caught by DLP policies.
This tab includes information about the match, as well as the sensitive
content that triggered the DLP policy match.
You must configure the appliance to display this information. See
Displaying Sensitive DLP Data in Message Tracking.
To control access to this tab, see Controlling Access to Sensitive
Information in Message Tracking.

URL Details tab This tab displays only for messages caught by URL Reputation and
URL Category content filters and by outbreak filters.
This tab displays the following information:
• The reputation score or category associated with the URL
• The action performed on the URL (rewrite, defang, or redirect)
• If a message contains multiple URLs, which URL has triggered
the filter action.
You must configure the appliance to display this information. See
Displaying URL Details in Message Tracking.
To control access to this tab, see Controlling Access to Sensitive
Information in Message Tracking.

Related Topics
• Searching for Messages , on page 2

Checking Message Tracking Data Availability


You can determine the date range that your message tracking data includes, as well as identify any missing
intervals in that data.

Step 1
Step 2 Select Monitor > Message Tracking.
Step 3 Look for Data in time range: in the upper right corner of the Search box.
Step 4 Click the value shown for Data in time range:.

What to do next
Related Topics
• About Message Tracking and Upgrades , on page 8

Tracking Messages
7
Tracking Messages
About Message Tracking and Upgrades

About Message Tracking and Upgrades


New message tracking features may not apply to messages that were processed before upgrade, because the
required data may not have been retained for those messages. For possible limitations related to message
tracking data and upgrades, see the Release Notes for your release.

Troubleshooting Message Tracking


Related Topics
• Attachments Do Not Appear in Search Results , on page 8
• Expected Messages Are Missing from Search Results , on page 8

Attachments Do Not Appear in Search Results


Problem
Attachment names are not found and displayed in search results.
Solution
See configuration requirements at Enabling Message Tracking, on page 1 . Also see limitations for attachment
name searches in Message Tracking Details , on page 5.

Expected Messages Are Missing from Search Results


Problem
Search results did not include messages that should have met the criteria.
Solution
• Results for many searches, and especially searches that involve Message Events, depend on your appliance
configuration. For example, if you search for a URL Category for which you have not filtered, no results
will be found, even if a message contains a URL in that category. Verify that you have configured the
Email Security appliance properly to achieve the behavior that you expected. For example, check your
mail policies, content and message filters, and quarantine settings.
• If expected information is missing after you clicked a link in a report, see Troubleshooting Email Reports.

Tracking Messages
8

You might also like