Mail Gateway logging
H/OS 2 has extended logging and debugging capabilities. All events (system, mail, rpc) are logged to multiple facilities in the web administration and, optionally, to syslog.
General logging
Logs may be found in various places in the web administration and can also be sent to syslog. The appliance itself has limited space for logging and history, so for long-term storage of logs (for debugging, troubleshooting and accountability) it's highly recommended to use syslog.
System Logs
System logs are log files that don't directly help with message debugging, but rather with system debugging and health monitoring.
| Events | Web Administration | Description |
|---|---|---|
| Global | Diagnostics → Real Time Log | Primary system log |
| Startup | Diagnostics → Real Time Log | Startup log |
| Critical | Diagnostics → Real Time Log; Overview → Status | Critical system events (also in Global) |
| Cluster | Diagnostics → Real Time Log; Administration → Clustering | Clustering daemon log (also in Global) |
| Update | System → Updates | Update log (also in Global) |
| RPC | Diagnostics → Real Time Log | Authentication log (eg. backend, login, ssh, http) |
Mail Logs
Mail logs are part of message tracing. They will tell you what happened to a message in transit and where it ended up (Deliver, Reject, Quarantine, Queues etc). The most powerful tracking tool is the Mail Gateway → Activity → Logging tool. It supports free-text searching as well as advanced regular expressions based on time.
| Events | Web Administration | Description |
|---|---|---|
| Mail Gateway | Mail Gateway → Activity → Logging; Mail Gateway → Reporting → Real Time Log | Primary message log |
| Anti-Virus / Kaspersky | Mail Gateway → Reporting → Real Time Log | Kaspersky update log |
| Anti-Virus / ClamAV | Mail Gateway → Reporting → Real Time Log | ClamAV update log |
| Anti-Spam / SpamAssassin | Mail Gateway → Reporting → Real Time Log | sa-update update log |
| Quarantine / LDAP Synchronization | Mail Gateway → Reporting → Real Time Log | LDAP account synchronization log |
| Storage Import | Mail Gateway → Storage Management | Mail import/pick up (using FTP) |
Log rotation
Mail logs are rotated by size, and not by volume/messages. That makes it very hard to predict the number of messages or the time range that will be stored in the logs at a specific time. Given the nature of this problem, the question "how far back in time will my logs go?" can only be answered by running the unit for a while and, at regular intervals, doing a test search on (Mail Gateway → Activity → History) to see the timestamp printed by searchlog.
Jan 16 14:49:34 (info) searchlog: Log file rotated
But if you ask this question, you probably take logging seriously and are therefore a strong candidate for using Syslog (which we highly encourage) to store logs permanently and with a predictable retention policy. For casual management, where missing logs are more a matter of bad luck than a policy problem, storing logs only on the unit is totally fine.
Log files are rotated at 500 MB. There are two log files: mail.log.old, which is at least 500 MB, and mail.log, which can be anywhere from 0 to ~499 MB.
A message/SMTP session can be anywhere from e.g. ten to fifty or more lines, depending on the different actions taken, so presenting you with a table (volume/time) could be off by days, weeks or months.
Mail Debugging
The Mail Gateway → Activity → Logging tool should be considered the main tool for finding out what happened to a message. It will show the log for a message, spanning all mail processes (smtpd, mailpolicyd, mailscand, mailqueued, cleanupd etc.).
| Syntax | Example | Description |
|---|---|---|
| 127.0.0.1 | 127.0.0.1 | Searches using a plain free text search |
| messageid | 43de929d-cc22-11dd-90ef-0048546ae42b | Searches for a message (and shows full transaction) |
| /<regexp>/ | /127\.0\.0\.1/ | Searches using a Regular Expression |
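The three search syntaxes in the table above, reimplemented for log lines archived on an external syslog server; this is an added example, not part of the original page or the appliance's own code. The sample lines are constructed: only the timestamp/level/process layout comes from the searchlog line quoted on this page, while the bracketed message ID placement and all function names are assumptions.

```python
import re

# Constructed sample lines, not real appliance output. The layout follows the
# searchlog line quoted on this page; the bracketed message ID is an assumption.
SAMPLE_LOG = """\
Jan 16 14:49:30 (info) smtpd: [43de929d-cc22-11dd-90ef-0048546ae42b] connect from 127.0.0.1
Jan 16 14:49:31 (info) smtpd: [7a1c0f3e-cc22-11dd-90ef-0048546ae42b] connect from 192.0.2.10
Jan 16 14:49:32 (info) mailscand: [43de929d-cc22-11dd-90ef-0048546ae42b] scanned
Jan 16 14:49:33 (info) mailqueued: [43de929d-cc22-11dd-90ef-0048546ae42b] delivered
Jan 16 14:49:34 (info) searchlog: Log file rotated
""".splitlines()

UUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \((\w+)\) ([\w-]+): (.*)$")


def search(lines, query):
    """Return the lines matching a query in one of the three syntaxes."""
    if len(query) > 2 and query.startswith("/") and query.endswith("/"):
        pattern = re.compile(query[1:-1])            # /<regexp>/
        return [l for l in lines if pattern.search(l)]
    if UUID_RE.fullmatch(query):                     # messageid
        return [l for l in lines if query.lower() in l.lower()]
    return [l for l in lines if query in l]          # plain free text


def transactions(lines, query):
    """Expand every hit to the full transaction of each message it names."""
    ids = []
    for line in search(lines, query):
        for mid in UUID_RE.findall(line):
            if mid.lower() not in ids:
                ids.append(mid.lower())
    return {mid: [l for l in lines if mid in l.lower()] for mid in ids}


def trace(lines, message_id):
    """Ordered (timestamp, process, text) steps for a single message."""
    parsed = (LINE_RE.match(l) for l in search(lines, message_id))
    return [(m.group(1), m.group(3), m.group(4)) for m in parsed if m]


if __name__ == "__main__":
    for mid, tx in transactions(SAMPLE_LOG, "127.0.0.1").items():
        print(mid)
        for ts, process, text in trace(tx, mid):
            print("  ", ts, process, text)
```

`transactions` answers the question a free-text hit alone does not: given one matching line (here a client address), what happened to that message in every later mail process.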
Incoming Queue
If direct processing is not enabled (it's enabled by default) the Mail Gateway → Activity → Incoming Queue consists of mail that has not yet been scanned by the mail scanning process (mailscand). This queue may help the unit to receive mail much faster than the mail scanning process can process mail, helping the SPG/VSP to handle large bursts of mail messages. In most setups this queue is always empty (not in use).
Outgoing Queue
The Mail Gateway → Activity → Outgoing Queue consists of mail that has been scanned by the mail scanning process but not yet delivered. Once the mail has been delivered it will be moved to Mail Gateway → Activity → History. If a mail cannot be delivered the reason can be shown by pressing the explanation mark button. If a mail is stuck in this queue you may inspect the reason by pressing the "Show in log" button in the message table.
History
This page shows messages that have been delivered, together with some information such as spam score. By pressing the "Show in log" button in the message table, the log for this message will be shown if the message log hasn't been rotated.
Syslog
Syslog is one of the most useful tools for debugging and monitoring an H/OS appliance. By using an external Syslog server, one can have almost unlimited logging traceability. Enabling Syslog is easy; on the Administration → Syslog tab:
- Create a new Syslog server
- Type the IP address of your Syslog server into the Address field
- Press Save as New.
Be aware that we support both TCP and UDP. TCP should be used if possible, since with UDP you may lose log entries (given the nature of the UDP protocol).
Using Syslog also provides better performance if internal logging and history are disabled. Please see the performance section.