Understanding log information in SMTP Prevent for diagnostics and troubleshooting
SMTP Prevent (Email) log file names use the format of SmtpPrevent_OperationalX.log (where X is a number).
The number of files kept in rotation and the maximum size of each file are set in the RequestProcessorLogging.properties file: limit is the maximum size of one log file in bytes, and count is the number of rotated files retained. Before changing these values, consider the disk space they will consume and the possible performance impact in your environment.
By default, the values are:
■ com.vontu.mta.log.SmtpOperationalLogHandler.limit = 5000000 (about 5 MB per file)
■ com.vontu.mta.log.SmtpOperationalLogHandler.count = 5 (files retained, about 25 MB in total)
In addition, the level of detail written to the logs can be specified.
The com.vontu.mta.rp.level setting controls how much detail the components in the com.vontu.mta.rp package write to the operational log. The setting lives in the RequestProcessorLogging.properties file, which is stored in the <Drive>\Program Files\Symantec\DataLossPrevention\DetectionServer\<Version>\Protect\config directory.
For example, com.vontu.mta.rp.level = FINE selects the FINE level of detail.
The following levels can be specified:
Level | Guidelines
INFO | General events: connect and disconnect notices, information on the messages that are processed per connection.
FINE | Some additional execution tracing information.
FINER | Envelope command streams, message headers, detection results.
FINEST | Complete message content, deepest execution tracing, and error tracing.
Note that FINER writes message headers and FINEST writes complete message content to disk. Those are the same data the product exists to protect, so restrict access to the log directory while these levels are active and return to INFO once troubleshooting is complete.
The tables below list the Network Prevent for Email operational log event codes, grouped by category:
Core Events
Code | Description
1100 | Starting Network Prevent (Email)
1101 | Shutting down Network Prevent (Email)
1102 | Reconnecting to FileReader (tid=id). Where id is the thread identifier. The RequestProcessor attempts to re-establish its connection with the FileReader for detection.
1103 | Reconnected to the FileReader successfully (tid=id). The RequestProcessor was able to re-establish its connection to the FileReader.
Core Errors
Code | Description
5100 | Could not connect to the FileReader (tid=id timeout=.3s). An attempt to re-connect to the FileReader failed.
5101 | FileReader connection lost (tid=id). The RequestProcessor's connection to the FileReader was lost.
Connectivity Events
Code | Description
1200 | Listening for incoming connections (local=hostname). Where hostname is an IP address or fully-qualified domain name.
1201 | Connection accepted (tid=id cid=N local=hostname:port remote=hostname:port). Where N is the connection identifier.
1202 | Peer disconnected (tid=id cid=N local=hostname:port remote=hostname:port)
1203 | Forward connection established (tid=id cid=N local=hostname:port remote=hostname:port)
1204 | Forward connection closed (tid=id cid=N local=hostname:port remote=hostname:port)
1205 | Service connection closed (tid=id cid=N local=hostname:port remote=hostname:port messages=1 time=0.14s)
Connectivity Errors
Code | Description
5200 | Connection is rejected from the unauthorized host (tid=id local=hostname:port remote=hostname:port)
5201 | Local connection error (tid=id cid=N local=hostname:port remote=hostname:port reason=Explanation)
5202 | Sender connection error (tid=id cid=N local=hostname:port remote=hostname:port reason=Explanation)
5203 | Forwarding connection error (tid=id cid=N local=hostname:port remote=hostname:port reason=Explanation)
5204 | Peer disconnected unexpectedly (tid=id cid=N local=hostname:port remote=hostname:port reason=Explanation)
5205 | Could not create listener (address=local=hostname:port reason=Explanation)
5206 | Authorized MTAs contains invalid hosts: hostname, hostname, ...
5207 | MTA restrictions are active, but no MTAs are authorized to communicate with this host
Message Events
Code | Description
1300 | Message complete (cid=N message_id=3 dlp_id=message_identifier size=number sender=email_address recipient_count=N disposition=response estatus=statuscode rtime=N dtime=N mtime=N)
Where:
■ recipient_count is the total number of addressees in the To, CC, and BCC fields.
■ response is the Network Prevent (Email) response, which is one of: PASS, BLOCK, BLOCK_AND_REDIRECT, REDIRECT, MODIFY, or ERROR.
■ estatus is an Enhanced Status code as listed in "Network Prevent (Email) Originated Responses" on page 276.
■ rtime is the time in seconds for Network Prevent (Email) to fully receive the message from the sending MTA.
■ dtime is the time in seconds for Network Prevent (Email) to perform detection on the message.
■ mtime is the total time in seconds for Network Prevent (Email) to process the message.
Message Errors
Code | Description
5300 | Error while processing message (cid=N message_id=header_ID dlp_id=message_identifier size=0 sender=email_address recipient_count=N disposition=response estatus=statuscode rtime=N dtime=N mtime=N reason=Explanation). Where header_ID is an RFC 822 Message-Id header if one exists.
5301 | Sender rejected during re-submit
5302 | Recipient rejected during re-submit
Note:
Refer to the log file event codes in the Administration Guide for further details.
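The event codes and key=value fields documented above are regular enough to parse mechanically, which is what you want when hunting through a week of SmtpPrevent_Operational logs for a detection outage or an unauthorized host hammering the listener. The following is an added example, not code from the product or this guide. It assumes a line layout of "<date> <time> <code> <message> (key=value ...)"; the real line prefix is not shown on this page, so adjust LINE_RE to match your files. The log lines, e-mail addresses, IP addresses and status codes in SAMPLE_LOG are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Event and error codes grouped by category, exactly as listed in the tables above.
CATEGORIES = {
    "core_event": {1100, 1101, 1102, 1103},
    "core_error": {5100, 5101},
    "connectivity_event": {1200, 1201, 1202, 1203, 1204, 1205},
    "connectivity_error": {5200, 5201, 5202, 5203, 5204, 5205, 5206, 5207},
    "message_event": {1300},
    "message_error": {5300, 5301, 5302},
}
CODE_TO_CATEGORY = {code: cat for cat, codes in CATEGORIES.items() for code in codes}

# ASSUMED line layout: "<date> <time> <4-digit code> <message text> (k=v k=v ...)".
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+)\s+(?P<code>\d{4})\s+(?P<text>.*)$")
# Trailing "(key=value ...)" group; at least one '=' is required so that a plain
# parenthetical such as "(Email)" stays part of the message text.
FIELDS_RE = re.compile(r"^(?P<msg>.*?)\s*\((?P<fields>[^()]*=.*)\)\s*$")
# Split on "key=" boundaries so values containing spaces (reason=...) survive intact.
KEY_RE = re.compile(r"(\w+)=")

# Constructed sample lines (not real log output) covering events, errors and a 1300 record.
SAMPLE_LOG = """\
2024-05-01 09:00:00 1100 Starting Network Prevent (Email)
2024-05-01 09:00:01 1200 Listening for incoming connections (local=10.0.0.5)
2024-05-01 09:00:05 1201 Connection accepted (tid=7 cid=1 local=10.0.0.5:10025 remote=10.0.0.9:51244)
2024-05-01 09:00:06 1300 Message complete (cid=1 message_id=<abc@corp.example> dlp_id=42 size=18342 sender=alice@corp.example recipient_count=2 disposition=BLOCK estatus=5.7.1 rtime=0.02 dtime=0.31 mtime=0.40)
2024-05-01 09:00:07 1205 Service connection closed (tid=7 cid=1 local=10.0.0.5:10025 remote=10.0.0.9:51244 messages=1 time=0.14s)
2024-05-01 09:01:00 5200 Connection is rejected from the unauthorized host (tid=8 local=10.0.0.5:10025 remote=203.0.113.7:40001)
2024-05-01 09:01:02 5200 Connection is rejected from the unauthorized host (tid=8 local=10.0.0.5:10025 remote=203.0.113.7:40002)
2024-05-01 09:01:04 5200 Connection is rejected from the unauthorized host (tid=8 local=10.0.0.5:10025 remote=203.0.113.7:40003)
2024-05-01 09:02:00 1201 Connection accepted (tid=9 cid=2 local=10.0.0.5:10025 remote=10.0.0.9:51260)
2024-05-01 09:02:01 1300 Message complete (cid=2 message_id=<def@corp.example> dlp_id=43 size=900 sender=bob@corp.example recipient_count=1 disposition=PASS estatus=2.0.0 rtime=0.01 dtime=0.05 mtime=0.07)
2024-05-01 09:02:05 5204 Peer disconnected unexpectedly (tid=9 cid=2 local=10.0.0.5:10025 remote=10.0.0.9:51260 reason=Connection reset by peer)
2024-05-01 09:03:00 5300 Error while processing message (cid=3 message_id=<ghi@corp.example> dlp_id=44 size=0 sender=carol@corp.example recipient_count=1 disposition=ERROR estatus=4.3.0 rtime=0.00 dtime=0.00 mtime=0.01 reason=FileReader connection lost)
"""


@dataclass
class Event:
    timestamp: str
    code: int
    category: str
    message: str
    fields: dict


def parse_fields(blob: str) -> dict:
    """'tid=8 local=a:1 reason=Peer went away' -> {'tid': '8', 'local': 'a:1', 'reason': ...}"""
    parts = KEY_RE.split(blob)
    return {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}


def parse_line(line: str):
    """Return an Event for a recognised line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    code, text = int(m.group("code")), m.group("text")
    fm = FIELDS_RE.match(text)
    message, fields = (fm.group("msg"), parse_fields(fm.group("fields"))) if fm else (text, {})
    return Event(m.group("ts"), code, CODE_TO_CATEGORY.get(code, "unknown"), message, fields)


def host_of(endpoint: str) -> str:
    """'hostname:port' -> 'hostname' (1200 logs a bare hostname, so tolerate that too)."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def summarize(log_text: str, reject_threshold: int = 3) -> dict:
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    completed = [e for e in events if e.code == 1300]
    rejects = Counter(host_of(e.fields["remote"]) for e in events if e.code == 5200)
    return {
        "by_category": Counter(e.category for e in events),
        "dispositions": Counter(e.fields.get("disposition", "?") for e in completed),
        "avg_dtime": sum(float(e.fields["dtime"]) for e in completed) / len(completed) if completed else 0.0,
        # Repeated 5200 from one host is either a misconfigured upstream MTA or something
        # that is not an MTA probing the listener; either way it deserves a look.
        "suspicious_hosts": {h: n for h, n in rejects.items() if n >= reject_threshold},
        # 5206/5207 mean the authorized-MTA list itself is broken: surface them on their own.
        "mta_config_errors": [e.message for e in events if e.code in (5206, 5207)],
        "errors": [(e.code, e.fields.get("reason", "")) for e in events if e.code >= 5000],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against real files by reading them instead of SAMPLE_LOG; at INFO level the 1300 record alone gives you per-message disposition, detection latency (dtime) and the enhanced status code, which is usually enough to tell a detection slowdown (rising dtime) from an MTA-side problem (5201-5204 with a reason) without raising the level to FINER or FINEST.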