ESA CASE engine Log

gabrieleferrari
Level 1

Hi All,

I need to save on an external repository only the antispam verdict logs.

Taking a look at the mail_logs, 2 CASE logs are present.

By default an antispam log is also present, but no CASE verdict information is reported inside of this file in the same time frame.

Does anyone know if there is a specific file where ESA writes the CASE engine logs other than mail_logs?

Thanks

Gabriele


Mathew Huynh
Cisco Employee

Hello Gabriele,

The mail_logs are the only available logs which will show the CASE verdict information as it is matched against the MID (email itself) that had triggered that verdict.

The antispam logs are there to show the actual antispam process, to see if there are any possible problems on the engine should they arise.

Alternatively you can run a grep command on the mail_logs to pull all verdict results, or refer to the GUI > Monitor > Message Tracking > Click Advanced and tick the Spam Positive/Suspect check boxes, search for this and export it to CSV for the daily reports or so.

Else, you can also refer to GUI > Monitor > Overview for the overall information.

Regards,

Matthew
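As an added example (not code from any of the posters or from Cisco): a small shell script that pulls the per-MID CASE verdicts out of a mail_logs file that has already been copied off the appliance and emits CSV for the external repository. The line shape it matches (`MID <n> using engine: CASE spam <verdict>`) and the sample lines are constructed assumptions, so check them against your own mail_logs before relying on it.

```shell
#!/bin/sh
# Extract final CASE (anti-spam) verdicts from an ESA mail_logs file as CSV.
# Assumed line shape (constructed from the usual mail_logs pattern):
#   <wday> <mon> <day> <HH:MM:SS> <year> Info: MID <n> using engine: CASE spam <verdict>
# Lines reading "interim verdict using engine: CASE ..." are skipped, so each MID
# is reported once, with its final verdict.

# case_verdicts <mail_logs file> -> prints "timestamp,mid,verdict" per final verdict
case_verdicts() {
    awk '
        /Info: MID [0-9]+ using engine: CASE spam/ {
            ts = $1 " " $2 " " $3 " " $4 " " $5
            for (i = 1; i <= NF; i++) if ($i == "MID") mid = $(i + 1)
            verdict = $NF                      # positive | negative | suspect
            printf "%s,%s,%s\n", ts, mid, verdict
        }
    ' "$1"
}

# count_verdict <mail_logs file> <verdict> -> number of final verdicts of that kind
count_verdict() {
    case_verdicts "$1" | awk -F, -v v="$2" '$3 == v { n++ } END { print n + 0 }'
}

# Constructed sample, not a real appliance log (MIDs and addresses are made up).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Tue Jan 15 10:01:02 2019 Info: MID 1001 ICID 501 From: <alice@example.com>
Tue Jan 15 10:01:03 2019 Info: MID 1001 interim verdict using engine: CASE spam negative
Tue Jan 15 10:01:03 2019 Info: MID 1001 using engine: CASE spam negative
Tue Jan 15 10:02:10 2019 Info: MID 1002 using engine: CASE spam positive
Tue Jan 15 10:03:44 2019 Info: MID 1003 using engine: CASE spam suspect
Tue Jan 15 10:03:45 2019 Info: MID 1003 Message finished MID 1003 done
EOF

# Print the CSV; on a real export redirect this to the file you ship out.
case_verdicts "$SAMPLE_LOG"
```

Point it at a mail_logs copy pulled via an SCP or syslog log subscription rather than at the appliance itself; the appliance CLI grep only searches, it does not produce CSV.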

Hello,

Is there any way to debug or ask TAC to debug the findings of the CASE Engine. So you can determine why an email is a positive spam message?  


Regards

Derek

TAC will work with our Talos team in order to review and make determination on Spam/Ham messages.  You will need to submit the email for review and open a support case if you feel there is warranted information pertaining to a Spam/Ham message.


The information shared may not be entirely what you are after --- as we will still retain internal information and scoring reasons.  That process of the "why" will not be relayed to a customer.


Info on submitting email messages to Cisco:

ESA FAQ: How to submit email messages to Cisco


Hi 

Thank you for the swift and detailed reply.  I suppose we would like to know if it's the content of the body, the attachment, or the IP reputation of the sender, so we can direct the sender to improve on this aspect and reduce the false positive rate for inbound mail.


Best Regards

Derek

Specific information such as that would be considered proprietary since the same information in hands of a malicious sender could result in them bypassing the current anti-spam rules.


If there is a specific sender you trust, recommended approach would be to bypass anti-spam scanning for that domain or sender IP.


Regards,

Libin Varghese