Data Loss Prevention SMTP Prevent Diagnostic and troubleshooting

book

Article ID: 160811

calendar_today

Updated On:

Products

Data Loss Prevention Network Prevent for Email Data Loss Prevention Enforce

Issue/Introduction

Understanding log information in SMTP Prevent for diagnostics and troubleshooting

Resolution

 SMTP Prevent (Email) log file names use the format of SmtpPrevent_OperationalX.log (where X is a number). The number of files that are stored and their sizes can be specified by changing the values in the RequestProcessorLogging.properties file. By default, the values are:

■ com.vontu.mta.log.SmtpOperationalLogHandler.limit = 5000000

■ com.vontu.mta.log.SmtpOperationalLogHandler.count = 5

 At various log levels, components in the com.vontu.mta.rp package output varying levels of detail. The com.vontu.mta.rp.level setting specifies log levels in the RequestProcessorLogging.properties file which is stored in the Vontu\Protect\config directory. For example, com.vontu.mta.rp.level = FINE specifies the FINE level of detail.  The following levels can be specified:

 

 

Level

Guidelines

INFO

General events: connect and disconnect notices, information on the messages that are processed per connection.

FINE

Some additional execution tracing information.

FINER

Envelope command streams, message headers, detection results.

FINEST

Complete message content, deepest execution tracing, and error tracing.

 

The tables below document defined Network Prevent (Email) operational logging data for each Category:

Core Events

Code

Description

1100

Starting Network Prevent (Email)

 

1101

Shutting down Network Prevent (Email)

1102

 

Reconnecting to FileReader (tid=id)

Where id is the thread identifier. The RequestProcessor attempts to re-establish its connection with the FileReader for detection.

 

1103

 

Reconnected to the FileReader successfully (tid=id)

The RequestProcessor was able to re-establish its connection to the FileReader.

 

 

Core Errors

Code

Description

5100

Could not connect to the FileReader (tid=id timeout=.3s)

An attempt to re-connect to the FileReader failed.

5101

FileReader connection lost (tid=id)

The RequestProcessor’s connection to the FileReader was lost.

 

Connectivity Events

Code

Description

1200

Listening for incoming connections (local=hostname)

Hostnames is an IP address or fully-qualified domain name.

1201

Connection accepted (tid=id cid=N local=hostname:port

remote=hostname:port)

Where N is the connection identifier.

1202

Peer disconnected (tid=id cid=N

local=hostname:port

remote=hostname:port)

1203

Forward connection established (tid=id cid=N

local=hostname:port

remote=hostname:port)

1204

Forward connection closed (tid=id cid=N

local=hostname:port

remote=hostname:port)

1205

Service connection closed (tid=id cid=N

local=hostname:port

remote=hostname:port messages=1 time=0.14s)

 

 

 

Connectivity Errors

Code

Description

5200

Connection is rejected from the unauthorized host (tid=id

local=hostname:port

remote=hostname:port)

5201

Local connection error (tid=id cid=N

local=hostname:port

remote=hostname:port reason=Explanation)

5202

Sender connection error (tid=id cid=N

local=hostname:port

remote=hostname:port reason=Explanation)

5203

Forwarding connection error (tid=id cid=N

local=hostname:port

remote=hostname:port reason=Explanation)

5204

Peer disconnected unexpectedly (tid=id cid=N

local=hostname:port

remote=hostname:port reason=Explanation)

5205

Could not create listener (address=local=hostname:port

reason=Explanation)

5206

Authorized MTAs contains invalid hosts: hostname,

hostname, ...

5207

MTA restrictions are active, but no MTAs are authorized

to communicate with this host

 

Message Events

1300

Message complete (cid=N message_id=3 dlp_id=message_identifier

size=number sender=email_address recipient_count=N

disposition=response estatus=statuscode rtime=N

dtime=N mtime=N

Where:

■ Recipient_count is the total number of addressees in the To, CC, and BCC

fields.

■ Response is the Network Prevent (Email) response which can be one of: PASS,

BLOCK, BLOCK_AND_REDIRECT, REDIRECT, MODIFY, or ERROR.

■ The estatus is an Enhanced Status code as listed in “Network Prevent (Email)

Originated Responses” on page 276.

■ The rtime is the time in seconds for Network Prevent (Email) to fully receive

the message from the sending MTA.

■ The dtime is the time in seconds for Network Prevent (Email) to perform

detection on the message.

■ The mtime is the total time in seconds for Network Prevent (Email) to process

the message Message Errors.

 

Message Errors

Code

Description

5300

Error while processing message (cid=N message_id=header_ID

dlp_id=message_identifier size=0 sender=email_address

recipient_count=N disposition=response estatus=statuscode

rtime=N dtime=N mtime=N reason=Explanation

Where header_ID is an RFC 822 Message-Id header if one exists.

5301

Sender rejected during re-submit

5302

Recipient rejected during re-submit

 

Note:

  Refer to the the log file event codes from the Administration Guide for further details.