
How can I read the debug/archive SMTP logs using my Email Security Gateway's syslog?

  • Type: Knowledgebase
  • Date changed: 10 months ago
Solution #00006618

The Email Security Gateway

The /mail/log/debug and /mail/log/archive/ logs have all the information you need for messages that were scanned (SCAN), delivered (SEND), or blocked (RECV).

Mail with a SCAN flag was accepted by the Barracuda and processed; if it passes scanning, delivery is then attempted.

Mail with a SEND flag reflects the delivery attempt for the SCAN entry.

Mail with a RECV flag was accepted by the Barracuda but then blocked for some reason.

Here is an example of a message that was scanned and delivered. Note there is a line for each action:

Oct 17 13:29:04 ms4 scan[5125]: coi103.confirmedcc.com[] 1382041743-0f8241420001-6AQV5q 1382041743 1382041744 SCAN - ESC1115192143834_1101844754833_149549_r20@in.constantcontact.com pzukowski@iroquois.iu5.org - 7 11 - SZ:18402 SUBJ:Register Now! - Fall Give Me Twenty Reading Challenge

Oct 17 13:29:06 ms4 outbound/smtp[13266]: 1382041743-0f8241420001-6AQV5q 0 0 SEND ENC 1 8B2052296C 250 2.6.0 <1115192143834.1101844754833.149549.3.1316105A@scheduler.constantcontact.com> [InternalId=1547658] Queued mail for delivery

And here is an example of a message that was classified with RECV and then was blocked:

Oct 17 13:15:48 ms4 inbound/pass1[3970]: unknown[] 1382040948-0f823dad0000-LuzkN2 1382040948 1382040948 RECV - - 5 4 -

If a message in the log is shown as queued, it means that the Barracuda archive log does not have a SEND line for the message ID. This is usually caused when the log rotates before the message is delivered.

So if you have the message ID of a message still showing as queued in the log, you can use that message ID to search the archive log and find the status of the delivery.

If there is no SEND line in the archive, it means that the message could not be delivered; it was eventually rejected, and an NDR should have been returned to the sender (although not always). /mail/log/info is the only place that will show this action, but it only goes back 4-5 days.

All SCAN and RECV lines have codes in them that tell you what happened with the message. In the above examples, the SCAN message has the code " 7 11 ", which is a whitelisted message for Client IP. The RECV message above has the code " 5 4 ", which is a Deferred message for Rate Control.

All SEND messages will show the message ID, the queue ID, and the delivery response we got back from the destination server.
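The correlation described above (matching SCAN and SEND lines by message ID, and reading the code pair on SCAN and RECV lines), as an added Python example that is not Barracuda's own code. The message ID pattern and the sample lines are assumptions constructed from the format of the lines shown in this article, and only the two code pairs explained here are labelled.

```python
import re

# Message ID shape inferred from the sample lines in this article (assumption).
MSG_ID = re.compile(r"\b\d{10}-[0-9a-f]{12}-\w{6}\b")
FLAG = re.compile(r"\s(SCAN|SEND|RECV)\s(.*)$")
CODE = re.compile(r"(?:^|\s)(\d+) (\d+) -(?:\s|$)")

# Only the two code pairs this article explains; anything else is reported raw.
KNOWN_CODES = {(7, 11): "whitelisted: Client IP", (5, 4): "deferred: Rate Control"}

def correlate(lines):
    """Group log lines by message ID, recording flags, code pair and SEND detail."""
    records = {}
    for line in lines:
        mid, flag = MSG_ID.search(line), FLAG.search(line)
        if not (mid and flag):
            continue  # not a SCAN/SEND/RECV message line
        rec = records.setdefault(mid.group(), {"flags": [], "code": None, "send": None})
        kind, rest = flag.groups()
        rec["flags"].append(kind)
        if kind == "SEND":
            rec["send"] = rest  # queue ID and the destination server's response
        else:
            code = CODE.search(rest)
            if code:
                rec["code"] = (int(code.group(1)), int(code.group(2)))
    return records

def describe(code):
    return KNOWN_CODES.get(code, f"code {code} not covered in this article")

def missing_send(records):
    """Message IDs that were scanned but have no SEND line (shown as queued)."""
    return sorted(m for m, r in records.items()
                  if "SCAN" in r["flags"] and "SEND" not in r["flags"])

# Constructed sample lines in the article's format (hosts and addresses are made up).
SAMPLE = [
    "Oct 17 13:29:04 ms4 scan[5125]: mail.example.com[] 1382041743-0f8241420001-6AQV5q 1382041743 1382041744 SCAN - a@example.com b@example.org - 7 11 - SZ:18402 SUBJ:Hello",
    "Oct 17 13:29:06 ms4 outbound/smtp[13266]: 1382041743-0f8241420001-6AQV5q 0 0 SEND ENC 1 8B2052296C 250 2.6.0 Queued mail for delivery",
    "Oct 17 13:15:48 ms4 inbound/pass1[3970]: unknown[] 1382040948-0f823dad0000-LuzkN2 1382040948 1382040948 RECV - - 5 4 -",
    "Oct 17 13:40:10 ms4 scan[5125]: mail.example.com[] 1382042410-0f8241420002-Zk3PqR 1382042410 1382042410 SCAN - c@example.com d@example.org - 7 11 - SZ:900 SUBJ:Pending",
]

if __name__ == "__main__":
    recs = correlate(SAMPLE)
    for mid, r in recs.items():
        print(mid, r["flags"], describe(r["code"]) if r["code"] else "", r["send"] or "")
    print("no SEND line, check the archive log:", missing_send(recs))
```

Message IDs returned by `missing_send` are the ones to look up in /mail/log/archive/ for a later SEND line.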

For more information about the debug message log, please reference the TechLibrary articles regarding the syslog services.
