HOWTO: How do I read MailMarshal Log Files?
Posted by Daniel Riediger on 08 November 2010 15:13

This article applies to:

* MailMarshal SMTP

Question:
How do I read MailMarshal Log Files?

Information:

This article provides a short overview of how to read MailMarshal SMTP Log files.

Each MailMarshal service creates a text log file. A new file is created at least daily. If the log reaches 10MB, a new file is started. The logs are deleted after five days by default. The logs are located in the logging subfolder of the installation (for instance, c:\Program Files\Marshal\MailMarshal\logging). The files are named with the name of the service, date, and sequence letter (for instance, MMControllerJun13b.log).

You can change the location using the Server Tool (6.x and above). You can change the file size and retention with Registry settings. Contact Support for details.

Note: If you set up a rule to archive or quarantine messages, you can choose to save log files. When you select this option, MailMarshal will extract the log information for each message to a separate file. You can view these extracts in the MailMarshal Console. Normally this is the best way to retain logging information for longer than 5 days.

The logs are useful for troubleshooting purposes. Processing information and problems encountered are recorded in the log files.
What is logged?

* The MMArrayManager log (present in version 6.x and above) includes information about the database connection and database writing, directory connector updates, SpamCensor updates, configuration changes, and configuration reloads.
* The MMController log for version 6.x and above is present on email processing servers and includes information about the array manager connection and configuration retrieval. Version 6.2 and above also includes information about DNS lookup and caching. Prior to version 6.x, the array manager is not present and the controller log also includes directory connector updates, SpamCensor updates, and other system information.
* The MMSender log contains information about outbound connections and messages MailMarshal has sent. It will contain server handshaking and validation information.
* The MMReceiver log contains information about inbound connections and messages MailMarshal has received. It will contain DoS and DHA blocking details, server handshaking and validation information. This log also contains information on Receiver rules that have triggered.
* The MMEngine log contains a record of Standard rule processing for each message. This includes for each message a list of the rules that were checked, what rules if any triggered, and what actions MailMarshal performed.
* Other tools and services, such as the quarantine upgrade tool, also create log files.

How does email flow?

To troubleshoot email processing, a clear understanding of how MailMarshal processes email is required.

When an email is sent through MailMarshal (inbound or outbound), the Receiver service handshakes and validates the sending server. If the message is accepted, the Receiver assigns a unique message number starting with b00 (b0000X.XX), and applies any Receiver rules.

The Receiver then creates a MML file containing the message, in the Incoming folder.

The Engine picks up each MML file in turn, unpacks the email and its contents by layers, then applies the Standard rules. After actioning the rules, if a message is not blocked the Engine places the file in the Processed Ok folder.

The Sender service picks up the MML file and makes the required connections to send it to each recipient domain.

Note: The message number (starting with b00 for ordinary messages) is unique. This number identifies an individual message throughout the MailMarshal system. Therefore when looking through the logs (or in the Console) you can track particular messages through each of the services by searching via the message number.

For instance, in the Sender or Receiver logs, you can track by time sent or received, and email addresses of sender and recipient.

In the log files you will also notice the 4-digit number (for example 0116) before the time stamp of each line of the log. This is the thread ID. This number is also useful for tracking when reading the raw logs. Normally MailMarshal services, especially the Sender and Receiver, are working on multiple threads at the same time, so the lines for one message are interleaved with lines from other threads. To trace a particular message you need to follow its thread ID, skipping the lines that belong to other threads. If you are interested in Engine actions, it is much easier to archive files and view the log excerpts, because these excerpts contain only the information about the specific message.

Examples

MMSender log for a message successfully sent to Hotmail:

3216 18:27:57.036 Trying Host 65.54.232.71 for domain hotmail.com
3216 18:27:58.505 Connected socket 1448 to Host 65.54.232.71 for domain hotmail.com
3216 18:27:58.646 RX: <220-HotMail (NO UCE) ESMTP server ready at Sun, 07 Jul 2002 23:25:18 -0700 >
3216 18:27:58.646 RX: <220 ESMTP spoken here>
3216 18:27:58.646 TX:
3216 18:27:58.786 RX: <250-hotmail.com Hello>
3216 18:27:58.786 RX: <250-8bitmime>
3216 18:27:58.786 RX: <250 SIZE 1572864>
3216 18:27:58.786 Can send to domain
3216 18:27:58.802 TX: SIZE=1542>
3216 18:27:58.943 RX: <250 Requested mail action okay, completed>
3216 18:27:58.943 TX: >
3216 18:27:59.208 RX: <250 Requested mail action okay, completed>
3216 18:27:59.208 TX:
3216 18:27:59.349 RX: <354 Start mail input; end with .>
3216 18:27:59.349 TX: <.>
3216 18:28:00.521 RX: <250 Requested mail action okay, completed>
3216 18:28:00.521 Sending final QUIT msg
3216 18:28:00.521 TX:
3216 18:28:00.677 RX: <221 Service closing transmission channel>

MMReceiver log for an incoming email from person1@example.com to PersonX@software.com.

3184 00:00:05.976 message <220 smtphost ESMTP Gateway Ready>
3184 00:00:05.976 Got:
3184 00:00:05.976 message <250-example@example.com> Hello example@example.com (100.200.0.2) 250 SIZE>
3184 00:00:05.976 Got: >
3184 00:00:05.976 message <250 sender ok >
3184 00:00:05.976 Got: >
3184 00:00:05.976 Checking user criteria for Rule Test:Block Spam
3184 00:00:05.976 Checking user criteria for Rule Test:Block These Servers
3184 00:00:05.976 message <250 Recipient ok >
3184 00:00:05.976 Got:
3184 00:00:05.976 message <354 send the mail data, end with .>
3184 00:00:05.976 Found From: Person
3184 00:00:05.976 Found Subject: FWD: This an example
3184 00:00:05.991 Found Message-ID:
3184 00:00:05.991 Received Mail Message B00036f142.00000001.mml from 100.200.0.2, 1753 bytes.
3184 00:00:05.991 message <250 B00036f142 Message accepted for delivery>
3184 00:00:05.991 Got:
3184 00:00:05.991 message <221 example@example.com closing connection>

In the logs above you can see the standard 250 and 221 SMTP acknowledgments and the closing-connection entries, which indicate that the message has been received or sent and which servers initiated and closed the connections.

MMEngine log:

1940 13:37:57.921 Thread 2 already working on B000000053.00000001.mml
0116 13:37:57.911 Thread 2 Starting to unpack
0116 13:37:58.262 Type=MAIL, size=407272, Name=B000000053.00000001.mml
0116 13:37:58.262 Type=MHDR, size=582, Name=MsgHeader.txt
0116 13:37:58.262 Type=MBODY, size=2, Name=Quoted-Printable
0116 13:37:58.262 Type=MBODY, size=318, Name=Quoted-Printable_1
0116 13:37:58.262 Type=ZIP, size=1223, Name=example.zip
0116 13:37:58.262 Type=XLS, size=11776, Name=example.xls
0116 13:37:58.262 Type=JPG, size=295017, Name=24.jpg
0116 13:37:59.812 1 user(s) match rule -Test
0116 13:37:59.812 Name=U1\B000000053.00000001.mml (MAIL,407272) False
0116 13:37:59.812 Name=U2\MsgHeader.txt (MHDR,582) False
0116 13:37:59.812 Name=U2\Quoted-Printable (MBODY,2) False
0116 13:37:59.812 Name=U2\Quoted-Printable_1 (MBODY,318) False
0116 13:37:59.812 Name=U2\example.zip (ZIP,1223) False
0116 13:37:59.812 Name=U3\example.xls (XLS,11776) False
0116 13:37:59.812 Name=U2\24.jpg (JPG,295017) False

When the MailMarshal Engine processes an email, it first declares the contents of the email, including the type, size and name of each part (as you can see in the entries above at time 13:37:58.262). This is very useful for seeing how MailMarshal has identified each file. For instance, if a file is corrupt, you can confirm what MailMarshal actually found by looking here.

The Engine unpacks the email into its parts and attachments, then unpacks each part for as many layers as are required. Each of these layers is normally identified by U1 (level 1), U2 (level 2), and so on.
In U1 you would expect the entire message (the mml file); in U2 you would expect to see the email parts (message header, body); U3 would have the next level of attachment contents, in this case example.xls and 24.jpg (being the items attached in the email).

The Engine log records which rules have been applied to a message. For each rule, the log shows the number of users this rule applies to. In the example above, "1 user(s) match rule -Test" ("Test" being the rule name).

Each item in the message contents is scanned using the criteria defined in the rules that match. If the rule triggers for that item, it is actioned as "True" and if not "False". Depending on the actions if any, the message is passed through the remaining rules.
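
To show how the thread ID and message number described above can be followed through the raw logs, here is an added Python example; it is not part of the original article or of MailMarshal itself. It assumes the line layout shown in the examples (4-digit thread ID, timestamp, message text) and the message-number shape seen in the samples (B00 followed by seven hex digits); the sample log is constructed from lines on this page, with a Receiver thread interleaved with Engine threads.

```python
import re
LINE_RE = re.compile(r"^(\d{4}) (\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")  # thread, time, text
# Assumed message-number shape, taken from the samples above: B00 plus seven hex digits.
MSGNUM_RE = re.compile(r"\bB00[0-9a-f]{7}\b", re.IGNORECASE)
SMTP_CODE_RE = re.compile(r"<(\d{3})[ -]")                  # reply code inside <...>
UNPACK_RE = re.compile(r"^Type=(\w+), size=(\d+), Name=(.+)$")

# Constructed sample: Receiver thread 3184 interleaved with Engine threads 1940/0116.
SAMPLE_LOG = """\
3184 00:00:05.976 message <220 smtphost ESMTP Gateway Ready>
1940 13:37:57.921 Thread 2 already working on B000000053.00000001.mml
3184 00:00:05.976 message <250 sender ok >
3184 00:00:05.991 Received Mail Message B00036f142.00000001.mml from 100.200.0.2, 1753 bytes.
0116 13:37:58.262 Type=MAIL, size=407272, Name=B000000053.00000001.mml
0116 13:37:58.262 Type=ZIP, size=1223, Name=example.zip
3184 00:00:05.991 message <250 B00036f142 Message accepted for delivery>
0116 13:37:59.812 Name=U2\\example.zip (ZIP,1223) False
3184 00:00:05.991 message <221 example@example.com closing connection>
"""

def parse(log_text):
    """Yield (thread, time, message) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def thread_lines(log_text, thread_id):
    """Follow one thread ID, skipping the interleaved lines of other threads."""
    return [msg for thread, _, msg in parse(log_text) if thread == thread_id]

def threads_for_message(log_text, msg_number):
    """Thread IDs that mention a message number, in first-seen order."""
    found = []
    for thread, _, msg in parse(log_text):
        hits = [n.lower() for n in MSGNUM_RE.findall(msg)]
        if msg_number.lower() in hits and thread not in found:
            found.append(thread)
    return found

def smtp_codes(log_text, thread_id):
    """SMTP reply codes seen on a thread, in order (250 = accepted, 221 = closing)."""
    return [c for msg in thread_lines(log_text, thread_id)
            for c in SMTP_CODE_RE.findall(msg)]

def unpacked_parts(log_text, thread_id):
    """(type, size, name) for each part the Engine declared while unpacking."""
    return [(m.group(1), int(m.group(2)), m.group(3))
            for m in map(UNPACK_RE.match, thread_lines(log_text, thread_id)) if m]
```

Look up the message number first with threads_for_message, then read the matching thread with thread_lines to see the full handshake for that message in one service's log.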

Notes:

See additional information in the following articles:

http://www.m86security.com/kb/article.aspx?id=10175
Q10175 - "General tips on reading MailMarshal service logs"

http://www.m86security.com/kb/article.aspx?id=10192
Q10192 - "How do email messages flow through MailMarshal SMTP?"




This article was previously published as:
NETIQKB29391
Marshal KB403