Sophos Email Appliance syslog capabilities

Information about the syslog capabilities of the Sophos Email Appliance.

Syslog is a tool for sending log messages from a client system to a server or receiver. The logs can be used for auditing and analysis. Syslog uses a standard protocol, described by RFC 5424. The Sophos Email Appliance can be configured to send log messages to a syslog receiver, where the information can be collected and analyzed.

The Email Appliance can produce several kinds of logs. Each has an associated category that indicates which syslog facility generated the log information, and a value that indicates the severity of the log message. The following table lists the appliance’s log types and their associated information:


  Log                  Facility  Facility  Severity                                  Severity  Notes
                                 code                                                code
  -------------------  --------  --------  ----------------------------------------  --------  -------------------------------------------------------------
  administrator audit  auth      4         Notice: normal but significant condition  5         Always logged when syslog is enabled. Provides information
                                                                                               about system changes, authorizations and similar events.
  system status        auth      4         Notice: normal but significant condition  5         Optional. Provides information about system events such as
                                                                                               reboots and upgrades.
  message policy       mail      2         Informational: informational messages     6         Optional. Provides information about policy events that the
                                                                                               appliance has been configured to log.
  mail transfer agent  mail      2         Informational: informational messages     6         Optional. Provides detailed information about email messages
                                                                                               sent or received by the appliance.

The following sections provide a number of examples of log entries for each type of available log. These can be used to aid in configuring analysis and auditing software.

Administrator audit log examples

  • A log entry showing a successful login attempt:
    Jan 11 22:34:14 somehost admin-ui[24874]: [NOTICE] [192.0.2.143] admin/en: 
      logged in with tz=America/Vancouver window=1280x811 
      screen=1280x1024 ua=Mozilla/5.0 (Windows; U;Windows NT 5.1; 
      en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
  • A log entry showing internal variable changes:
    Jan 11 03:36:54 somehost3 admin-ui[1652]: [NOTICE] [192.0.2.96] admin/en:  
      config: option 'proxy_enabled' set to '1' (was '0')
  • A log entry showing a policy being updated to a new setting:
    Jan 11 03:57:11 somehost admin-ui[1200]: [NOTICE] [192.0.2.96] admin/en: 
      policy: outbound virus action set to discard (was quarantine)
  • A log entry showing an administrator performing a log search:
    Jan 11 06:33:34 somehost admin-ui[27250]: [NOTICE] [192.0.2.96] admin/en:  
      Log search: atime='2010-01-09T08:00:00' count='1000' sort='-time' 
      timezone='America/Vancouver' to='tlsuser1@somehost2.example' 
      ztime='2010-01-11T08:00:00'
  • Logging out of the appliance’s admin interface:
    Jan 11 22:32:39 esa10 admin-ui[24529]: [NOTICE] [192.0.2.125] 
      admin/en: logged out
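The administrator audit entries above share one header layout (timestamp, host, `admin-ui[pid]`, level, client address, `user/language`, message), so they can be turned into structured events for an auditing tool. The following parser is an added example written for this page, not code shipped with the appliance or taken from Sophos documentation. It assumes the header layout seen in the examples above and the message wordings shown there (`logged in with ...`, `config: option '...' set to '...' (was '...')`, `policy: ... set to ... (was ...)`, `Log search: ...`, `logged out`); the sample lines are the page’s own examples re-joined onto single lines, since the appliance emits each entry as one syslog message and the wrapping above is for display only.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the admin-ui entries shown in this section, each
# re-joined onto a single line as the appliance emits it.
SAMPLE_AUDIT = [
    "Jan 11 22:34:14 somehost admin-ui[24874]: [NOTICE] [192.0.2.143] admin/en: "
    "logged in with tz=America/Vancouver window=1280x811 screen=1280x1024 "
    "ua=Mozilla/5.0 (Windows; U;Windows NT 5.1; en-US; rv:1.9.1.5) Gecko/20091102 "
    "Firefox/3.5.5 (.NET CLR 3.5.30729)",
    "Jan 11 03:36:54 somehost3 admin-ui[1652]: [NOTICE] [192.0.2.96] admin/en:  "
    "config: option 'proxy_enabled' set to '1' (was '0')",
    "Jan 11 03:57:11 somehost admin-ui[1200]: [NOTICE] [192.0.2.96] admin/en: "
    "policy: outbound virus action set to discard (was quarantine)",
    "Jan 11 06:33:34 somehost admin-ui[27250]: [NOTICE] [192.0.2.96] admin/en:  "
    "Log search: atime='2010-01-09T08:00:00' count='1000' sort='-time' "
    "timezone='America/Vancouver' to='tlsuser1@somehost2.example' "
    "ztime='2010-01-11T08:00:00'",
    "Jan 11 22:32:39 esa10 admin-ui[24529]: [NOTICE] [192.0.2.125] admin/en: logged out",
]

# Header layout assumed from the examples:
#   <timestamp> <host> admin-ui[<pid>]: [<LEVEL>] [<client ip>] <user>/<lang>: <message>
AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) admin-ui\[(?P<pid>\d+)\]: "
    r"\[(?P<level>[A-Z]+)\] \[(?P<client>[0-9a-fA-F.:]+)\] "
    r"(?P<user>[^/\s]+)/(?P<lang>\w+):\s+(?P<msg>.*)$"
)
# Message bodies. Config and policy changes record both the new and the
# previous value, which is exactly what a reviewer of the audit trail needs.
CONFIG_RE = re.compile(
    r"^config: option '(?P<option>[^']+)' set to '(?P<new>[^']*)' \(was '(?P<old>[^']*)'\)$")
POLICY_RE = re.compile(r"^policy: (?P<setting>.+?) set to (?P<new>\S+) \(was (?P<old>\S+)\)$")
SEARCH_RE = re.compile(r"^Log search: (?P<params>.*)$")
KV_RE = re.compile(r"(\w+)='([^']*)'")


@dataclass
class AuditEvent:
    ts: str
    host: str
    client: str          # address the administrator connected from
    user: str
    kind: str            # login | logout | config | policy | log_search | other
    detail: dict = field(default_factory=dict)


def parse_audit_line(line: str) -> Optional[AuditEvent]:
    """Parse one admin-ui audit entry; returns None for lines from other facilities."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    msg = m["msg"].strip()
    kind, detail = "other", {}
    if msg.startswith("logged in"):
        kind = "login"
        parts = msg.split(" ua=", 1)            # keep the browser string for review
        detail = {"user_agent": parts[1]} if len(parts) == 2 else {}
    elif msg == "logged out":
        kind = "logout"
    elif (c := CONFIG_RE.match(msg)):
        kind, detail = "config", c.groupdict()
    elif (p := POLICY_RE.match(msg)):
        kind, detail = "policy", p.groupdict()
    elif (s := SEARCH_RE.match(msg)):
        kind, detail = "log_search", dict(KV_RE.findall(s["params"]))
    return AuditEvent(m["ts"], m["host"], m["client"], m["user"], kind, detail)


def changes_by_client(lines):
    """Group configuration and policy changes by the administrator's source address.

    Answers "which address changed which settings, and from what value" when
    the audit trail is reviewed after an unexpected behaviour change.
    """
    out = {}
    for line in lines:
        ev = parse_audit_line(line)
        if ev and ev.kind in ("config", "policy"):
            out.setdefault(ev.client, []).append(ev)
    return out


if __name__ == "__main__":
    for client, events in changes_by_client(SAMPLE_AUDIT).items():
        for ev in events:
            print(f"{ev.ts} {client} {ev.user} {ev.kind}: {ev.detail}")
```

Because the parser keeps the `(was ...)` value, a review tool built on it can reconstruct the previous state of a setting without consulting a configuration backup; unknown message wordings fall through as `kind == "other"` rather than being dropped.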

System status log example

  • This example shows a selection of typical events that will be recorded in the system status log:
    Jan 11 03:35:15 somehost3 shutdown: start: system starting up
    Jan 11 03:38:08 somehost3 sophox-register[3350]: Updated license.
    Jan 11 03:38:18 somehost3 sea-upgrade[5274]: factory_probe: no updates available 
        on http://tankrepo/repo/esa/projects/trident/freebsd/
    Jan 11 03:46:43 somehost3 shutdown: reboot: UI: register/update
    Jan 11 03:47:43 somehost3 shutdown: reboot by root: UI: register/update
    Jan 11 22:21:27 somehost3 data-update: appliance failed to retrieve data 
      updates from Sophos
    Jan 11 21:51:10 somehost3 sea-upgrade[99777]: download: no updates available on  
      http://esa.sophos.com/es4000/delta
    Jan 11 04:29:39 somehost3 appliance-status[20828]: appliance status changed to 
      error from ok <System fans>
    Jan 11 04:38:44 somehost3 appliance-status[26639]: appliance status changed to
      ok from warn
    Jan 11 05:26:28 somehost3 sea-upgrade[79970]: download: found update 1.127
    Jan 11 05:26:28 somehost3 sea-upgrade[79970]: starting download: 
      http://127.0.0.1/1/120/tank-1.127-n.tar.gz
    Jan 11 05:26:28 somehost3 sea-upgrade[79970]: finished download: 
      http://127.0.0.1/1/120/tank-1.127-n.tar.gz

Message policy log examples

  • A simple example of a message policy log entry, showing a message being quarantined:
    Jan 11 20:26:14 q=4B4B8966_98410_2_1 f=<junk@example.com>: 
      t=<tester2@host.example> Rule=Quarantine type=Legit b=ok action=quarantine 
      inbound S=one fur= r=192.0.2.107 tm=0.22 a=d/eom
  • A more complex entry, showing a spam message being processed:
    Jan 11 20:11:36 q=4B4B85F4_90724_2_1 f=<junk@example.com>:  
      t=<tester1@host.example> b=ok action=deliver h=BASE64_ENC_TEXT 
      h=DATE_IN_PAST_96_XX h=FROM_NAME_ONE_WORD h=MIME_TEXT_ONLY_MP_MIXED 
      h=SUPERLONG_LINE h=BODY_SIZE_10000_PLUS h=TO_NO_NAME h=__BAT_BOUNDARY 
      h=__CT h=__CTYPE_HAS_BOUNDARY h=__CTYPE_MULTIPART 
      h=__CTYPE_MULTIPART_MIXED h=__HAS_MSGID h=__MIME_TEXT_ONLY 
      h=__MIME_VERSION h=__MOZILLA_MSGID h=__SANE_MSGID h=__STOCK_PHRASE_6 
      h=__SXL_SIG_TIMEOUT h=__TO_MALFORMED_2 h=__USER_AGENT 
      inbound S=?q?This_should_exceed p=0.112 fur= r=192.0.2.107 tm=4.11 a=a/eom
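Message policy entries are a timestamp followed by space-separated `key=value` tokens, where addresses are wrapped in angle brackets, some keys carry an empty value (`fur=`), one key repeats (`h=` once per rule hit), and a bare word such as `inbound` carries the direction. The parser below is an added example for this page and is not part of the appliance or its documentation. It treats the tokens generically rather than assigning meanings the page does not state; the only assumptions are the token forms just listed and that `h=` may repeat. The sample entries are the two examples above re-joined onto single lines.

```python
import re
from collections import Counter

# Constructed sample: the two message policy entries shown in this section,
# each re-joined onto a single line as the appliance emits it.
SAMPLE_POLICY = [
    "Jan 11 20:26:14 q=4B4B8966_98410_2_1 f=<junk@example.com>: "
    "t=<tester2@host.example> Rule=Quarantine type=Legit b=ok action=quarantine "
    "inbound S=one fur= r=192.0.2.107 tm=0.22 a=d/eom",
    "Jan 11 20:11:36 q=4B4B85F4_90724_2_1 f=<junk@example.com>:  "
    "t=<tester1@host.example> b=ok action=deliver h=BASE64_ENC_TEXT "
    "h=DATE_IN_PAST_96_XX h=FROM_NAME_ONE_WORD h=MIME_TEXT_ONLY_MP_MIXED "
    "h=SUPERLONG_LINE h=BODY_SIZE_10000_PLUS h=TO_NO_NAME h=__BAT_BOUNDARY "
    "h=__CT h=__CTYPE_HAS_BOUNDARY h=__CTYPE_MULTIPART "
    "h=__CTYPE_MULTIPART_MIXED h=__HAS_MSGID h=__MIME_TEXT_ONLY "
    "h=__MIME_VERSION h=__MOZILLA_MSGID h=__SANE_MSGID h=__STOCK_PHRASE_6 "
    "h=__SXL_SIG_TIMEOUT h=__TO_MALFORMED_2 h=__USER_AGENT "
    "inbound S=?q?This_should_exceed p=0.112 fur= r=192.0.2.107 tm=4.11 a=a/eom",
]

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<rest>.*)$")
# A token is key=<address>[:]  (the f= token carries a trailing colon),
# key=value with a possibly empty value (fur=), or a bare flag (inbound).
TOKEN_RE = re.compile(r"(?P<key>\w+)=(?:<(?P<addr>[^>]*)>:?|(?P<val>\S*))|(?P<flag>\S+)")
# Assumption: h= is the only key expected to repeat; it is always a list.
MULTI_KEYS = {"h"}


def parse_policy_line(line):
    """Split one message policy entry into {'ts', 'fields', 'flags'}."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, []
    for tok in TOKEN_RE.finditer(m["rest"]):
        if tok["flag"] is not None:
            flags.append(tok["flag"])
            continue
        key = tok["key"]
        value = tok["addr"] if tok["addr"] is not None else tok["val"]
        if key in MULTI_KEYS:
            fields.setdefault(key, []).append(value)
        elif key in fields:          # unexpected repeat: keep every value, as a list
            prev = fields[key]
            fields[key] = (prev if isinstance(prev, list) else [prev]) + [value]
        else:
            fields[key] = value
    fields.setdefault("h", [])       # entries with no rule hits still get a list
    return {"ts": m["ts"], "fields": fields, "flags": flags}


def summarize(lines):
    """Count entries per action and the h= hits seen with each action.

    Gives an analysis tool the raw material for questions such as "which
    rules fire most often on mail that is still delivered".
    """
    actions, hits_by_action = Counter(), {}
    for line in lines:
        entry = parse_policy_line(line)
        if not entry:
            continue
        action = entry["fields"].get("action", "unknown")
        actions[action] += 1
        hits_by_action.setdefault(action, Counter()).update(entry["fields"]["h"])
    return actions, hits_by_action


if __name__ == "__main__":
    actions, hits = summarize(SAMPLE_POLICY)
    print(dict(actions))
    for action, counter in hits.items():
        print(action, counter.most_common(3))
```

Keeping unknown keys rather than discarding them means a new field introduced by a later appliance release shows up in the parsed output instead of silently disappearing from the analysis.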

A mail transfer agent log example

  • This is a selection from the mail transfer agent log, showing an email message being received:
    Jan 11 22:06:52 somehost3 postfix/smtpd[26327]: connect from  
      test.example[192.0.2.107]
    Jan 11 22:06:56 somehost3 postfix/smtpd[26327]: 3A3D12FE3F1C_B4BA100F: 
      client=test.example[192.0.2.107]
    Jan 11 22:06:56 somehost3 postfix/cleanup[26434]: 3A3D12FE3F1C_B4BA100F:  
      message-id=<200106290254.f5T2sEO19584@smtp1.example.com>
    Jan 11 22:06:56 somehost3 postfix/qmgr[2937]: 3A3D12FE3F1C_B4BA100F: 
      from=<user@test.example>, size=16031, nrcpt=1 (queue active)
    Jan 11 22:06:56 somehost3 postfix/smtpd[26327]: disconnect from 
      test.example[192.0.2.107]
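The mail transfer agent log is written by several Postfix daemons (`smtpd`, `cleanup`, `qmgr`), and the pieces that describe one message are tied together only by the queue id (`3A3D12FE3F1C_B4BA100F` above), while the `connect`/`disconnect` lines carry no queue id and can only be related to the message through the `smtpd` process id. The code below is an added example for this page, not part of the appliance, showing how an analysis tool can fold those lines into one record per message. It assumes the line layout seen in the example above (queue ids as uppercase hexadecimal with an underscore, `key=value` pairs with bracketed addresses); the sample lines are the page’s example re-joined onto single lines.

```python
import re

# Constructed sample: the mail transfer agent entries shown in this section,
# each re-joined onto a single line.
SAMPLE_MTA = [
    "Jan 11 22:06:52 somehost3 postfix/smtpd[26327]: connect from test.example[192.0.2.107]",
    "Jan 11 22:06:56 somehost3 postfix/smtpd[26327]: 3A3D12FE3F1C_B4BA100F: "
    "client=test.example[192.0.2.107]",
    "Jan 11 22:06:56 somehost3 postfix/cleanup[26434]: 3A3D12FE3F1C_B4BA100F: "
    "message-id=<200106290254.f5T2sEO19584@smtp1.example.com>",
    "Jan 11 22:06:56 somehost3 postfix/qmgr[2937]: 3A3D12FE3F1C_B4BA100F: "
    "from=<user@test.example>, size=16031, nrcpt=1 (queue active)",
    "Jan 11 22:06:56 somehost3 postfix/smtpd[26327]: disconnect from test.example[192.0.2.107]",
]

# Assumed layout: <timestamp> <host> postfix/<daemon>[<pid>]: [<queue id>: ]<message>
# The queue id form (uppercase hex plus underscore, 8+ chars) is taken from the
# example above; requiring it keeps words such as "connect" from being mistaken
# for an id.
MTA_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"postfix/(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: "
    r"(?:(?P<qid>[0-9A-F_]{8,}): )?(?P<msg>.*)$"
)
# key=value pairs inside the message: values are <bracketed> or bare, and the
# qmgr line separates them with ", ".
KV_RE = re.compile(r"(?P<key>[\w-]+)=(?:<(?P<addr>[^>]*)>|(?P<val>[^,\s]+))")

EXPECTED_STAGES = ("smtpd", "cleanup", "qmgr")


def correlate_by_queue_id(lines):
    """Fold the per-daemon lines into one record per queue id.

    Returns (records, sessions): records maps queue id -> merged fields;
    sessions maps (daemon, pid) -> connect/disconnect events, so a record's
    smtpd_pid can be tied back to the SMTP session that delivered it.
    """
    records, sessions = {}, {}
    for line in lines:
        m = MTA_RE.match(line.strip())
        if not m:
            continue
        if m["qid"] is None:
            sessions.setdefault((m["prog"], m["pid"]), []).append((m["ts"], m["msg"]))
            continue
        rec = records.setdefault(m["qid"], {"first_seen": m["ts"], "stages": []})
        rec["stages"].append(m["prog"])
        if m["prog"] == "smtpd":
            rec["smtpd_pid"] = m["pid"]
        for kv in KV_RE.finditer(m["msg"]):
            value = kv["addr"] if kv["addr"] is not None else kv["val"]
            rec[kv["key"].replace("-", "_")] = value
    for rec in records.values():
        for numeric in ("size", "nrcpt"):
            if numeric in rec:
                rec[numeric] = int(rec[numeric])
    return records, sessions


def missing_stages(records, expected=EXPECTED_STAGES):
    """Queue ids that never reached one of the expected daemons.

    A message that smtpd accepted but qmgr never reported is worth a look
    when reconciling what the appliance received against what it delivered.
    """
    return {qid: [s for s in expected if s not in rec["stages"]]
            for qid, rec in records.items()
            if any(s not in rec["stages"] for s in expected)}


if __name__ == "__main__":
    records, sessions = correlate_by_queue_id(SAMPLE_MTA)
    for qid, rec in records.items():
        print(qid, rec)
    print("incomplete:", missing_stages(records))
```

Merging on the queue id is what makes the log searchable by sender, message-id or size; without it each daemon's line answers only part of the question of what happened to a given message.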