
Audit logs could not be retrieved from the following hosts. Please check the Control Center Logs for details


Article ID: 162576


Products

Messaging Gateway

Issue/Introduction

You are trying to search for a message through the Message Audit logs in Symantec Messaging Gateway. The Message Audit log search query takes too long or times out and does not display any results.

Occasionally it returns some results.

To troubleshoot this further:

  1. Enable debug logs for the Control Center.
  2. Enable debug logs for the Agent on the scanner you suspect of having the issue.

You can also try to search using the malquery command on each scanner and then compare the results.

In Agent_log you will find the following error messages:

2015-10-30T14:16:52+11:00 (INFO:8779.4096834448): [43057] Executing /opt/Symantec/Brightmail/common/sbin/malquery -c /data/scanner/etc/bmiconfig.xml -g 1446171413,1446175013 -m 1000 -o /tmp/mal_bcc.1446175013048 -q RCPTS*@
2015-10-30T14:16:52+11:00 (DEBUG:8779.4096834448): [43050] Command handler: Response status code is 100: The operation was successful.
2015-10-30T14:16:52+11:00 (DEBUG:8779.4096834448): [43030] Command handler: End command SCRIPT-EXECUTE. Return code: 0.
2015-10-30T14:16:52+11:00 (DEBUG:8779.4096834448): [43073] HTTP return code: 200.
2015-10-30T14:16:52+11:00 (DEBUG:8779.4096834448): [./include/bma_base_connection.h:696:decrement_ref_count] decremented base_connect::ref_count to 0
2015-10-30T14:16:57+11:00 (DEBUG:8779.4138780384): [./include/bma_base_connection.h:660:increment_ref_count] incremented base_connect::ref_count to 1
2015-10-30T14:16:57+11:00 (DEBUG:8779.4138780384): [src/bma_queue.cpp:182:put] queue put: waking up one client (post_count = 1)
2015-10-30T14:16:57+11:00 (DEBUG:8779.4107320208): [src/bma_queue.cpp:266:get] queue get: got a transaction after waiting (pre_count = 1)
2015-10-30T14:16:57+11:00 (DEBUG:8779.4107320208): [src/bma_synch_half.cpp:151:svc] service thread got a transaction
2015-10-30T14:16:57+11:00 (DEBUG:8779.4107320208): [43071] Received HTTP POST.
2015-10-30T14:16:57+11:00 (DEBUG:8779.4107320208): [43029] Command handler: Begin command DATABLOB-GET.
2015-10-30T14:16:57+11:00 (DEBUG:8779.4107320208): [43031] Command handler: Command parameter: REQUEST-ID=1446175018065.
2015-10-30T14:16:57+11:00 (DEBUG:8779.4107320208): [43031] Command handler: Command parameter: FILE-NAME=$TEMPDIR$$/$mal_bcc.1446175013048.
2015-10-30T14:16:57+11:00 (DEBUG:8779.4107320208): [43031] Command handler: Command parameter: FILE-AFTER=.
2015-10-30T14:16:57+11:00 (DEBUG:8779.4107320208): [43031] Command handler: Command parameter: MARKER=.
2015-10-30T14:16:57+11:00 (DEBUG:8779.4107320208): [43031] Command handler: Command parameter: MAX-BYTES=.
2015-10-30T14:16:57+11:00 (INFO:8779.4107320208): [43067] The requested file /tmp/mal_bcc.1446175013048 could not be found.
2015-10-30T14:16:57+11:00 (DEBUG:8779.4107320208): [43050] Command handler: Response status code is 500: The operation failed.
2015-10-30T14:16:57+11:00 (DEBUG:8779.4107320208): [43030] Command handler: End command DATABLOB-GET. Return code: 0.

 

Cause

This is caused by storing message audit logs for long periods, typically up to 90 days. The '/tmp/mal_bcc.##### not found' messages in the agent log are somewhat to be expected: the BCC keeps querying for the file every 5 seconds until the file is found or it gives up.
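The polling described above can be measured directly from Agent_log. The script below is an added example, not part of the original article or of any Symantec tooling: it pairs each malquery execution with the "could not be found" polls for its output file and reports the search window (from the -g epoch pair), the number of failed polls and the time spent waiting. The function name, the later timestamps and the second file name in the sample are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the Agent_log format quoted above. The first two lines
# follow the article's excerpt; the remaining lines are made up for illustration.
SAMPLE = """\
2015-10-30T14:16:52+11:00 (INFO:8779.4096834448): [43057] Executing /opt/Symantec/Brightmail/common/sbin/malquery -c /data/scanner/etc/bmiconfig.xml -g 1446171413,1446175013 -m 1000 -o /tmp/mal_bcc.1446175013048 -q RCPTS*@
2015-10-30T14:16:57+11:00 (INFO:8779.4107320208): [43067] The requested file /tmp/mal_bcc.1446175013048 could not be found.
2015-10-30T14:17:02+11:00 (INFO:8779.4107320208): [43067] The requested file /tmp/mal_bcc.1446175013048 could not be found.
2015-10-30T14:17:03+11:00 (INFO:8779.4107320208): [43067] The requested file /tmp/mal_bcc.1446170000000 could not be found.
2015-10-30T14:17:07+11:00 (INFO:8779.4107320208): [43067] The requested file /tmp/mal_bcc.1446175013048 could not be found.
"""

# Timestamp, -g start,end epoch pair and -o output file of a malquery launch.
EXEC = re.compile(r"^(\S+) .*Executing \S*/malquery .*-g (\d+),(\d+) .*-o (\S+)")
# Timestamp and file name of a failed poll for that output file.
MISS = re.compile(r"^(\S+) .*The requested file (\S+) could not be found\.")


def summarize(log_text):
    """Map each malquery output file to its search window and failed polls."""
    queries = {}
    for line in log_text.splitlines():
        if m := EXEC.match(line):
            ts, start, end, out = m.groups()
            queries[out] = {"started": datetime.fromisoformat(ts),
                            "window_s": int(end) - int(start),
                            "misses": 0, "waited_s": 0.0}
        elif m := MISS.match(line):
            ts, out = m.groups()
            q = queries.get(out)
            if q is None:  # poll for a query launched before this log excerpt
                continue
            q["misses"] += 1
            q["waited_s"] = (datetime.fromisoformat(ts) - q["started"]).total_seconds()
    return queries


if __name__ == "__main__":
    for out, q in summarize(SAMPLE).items():
        print(f"{out}: window={q['window_s']}s "
              f"misses={q['misses']} waited={q['waited_s']:.0f}s")
```

Running it against the Agent_log of each scanner shows which host accumulates the most failed polls for the same search window.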

Resolution

Reduce the number of days to store message audit logs to 14 days. If you wish to store them for a longer period, use the syslog options available in Administration > Logs.