HOWTO: General tips on reading MailMarshal (SEG) service logs


This article applies to:

  • Trustwave MailMarshal (SEG)

Symptoms:

  • General tips on reading SEG/MailMarshal service logs.

Information:

The MailMarshal service logs are located by default in the \Logging\ subfolder of the install folder. The logs contain detailed information about the ongoing operation of each service. Familiarity with these logs is key to achieving a quick and successful understanding of MailMarshal issues.

Use Word Wrap wisely in Notepad.
Typically we view MailMarshal service logs in Notepad. Sometimes it is important to clearly see the columns in the log; if so, turn off Word Wrap. Each service log has three columns: Thread Number, Time, and Logged Data. At other times it is more important to see all the Logged Data on-screen; in this case, turn on Word Wrap. Also use Notepad in full-screen mode.

Learn to use the thread number.
The MailMarshal services run multi-threaded, so different threads can write to the logs at the same time. When reading the logs, the data appears to jump from topic to topic in a meaningless way. However, if you follow the thread number you can easily track relevant entries. Use the Notepad search function to locate subsequent thread entries.

Note that thread numbers can be used again once freed up by the thread.

Use the Message ID
The message name (such as B422c96d90000) is also a useful way of tracking the progress of a message through the logs. Unlike the Thread number, it is unique and never reused. If the message is created with a filename of, say, B422c96d90000.000000000001.0001.mml, then the B422c96d90000 part will be used in all the MailMarshal logs when referencing this message, or any messages split from it. A split typically occurs if the message has multiple recipients, and a rule applies to some but not all recipients.

Use a Grep tool to parse information from logs
Given that logs may appear cryptic due to the multithreaded operation of MailMarshal, some users find it extremely helpful to use a grep tool to assist viewing of relevant information in the logs. One example of such a tool is PowerGREP from JGS.
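A scripted version of the thread-number and message-name tracking described above, as an added example that is not part of the original article or of Trustwave's tooling. The three-column line layout in the regular expression and the sample lines are constructed assumptions; adjust the pattern to match the real log.

```python
import re

# Assumed line layout: "<thread> <HH:MM:SS.mmm> <logged data>"
LINE_RE = re.compile(r"^\s*(\S+)\s+(\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+(.*)$")

# Constructed sample lines, not real MailMarshal output.
SAMPLE_LOG = """\
2140 10:15:01.100 Finished earlier message B422c96d80000
2140 10:15:02.000 Unpacking B422c96d90000.000000000001.0001.mml
3188 10:15:02.010 Unpacking B422c96da0000.000000000001.0001.mml
2140 10:15:02.050 Running rules
3188 10:15:02.060 Running rules
2140 10:15:02.090 Rule triggered, action logged for B422c96d90000
3188 10:15:02.120 No rule triggered for B422c96da0000
2140 10:15:03.000 Unpacking B422c96db0000.000000000001.0001.mml
"""

def parse(text):
    """Return (line_no, thread, time, data) for each line matching the layout."""
    rows = []
    for no, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m:
            rows.append((no, m.group(1), m.group(2), m.group(3)))
    return rows

def trace_message(text, message_name):
    """Return the rows that belong to one message, in log order.

    For every thread that mentions the message name, keep that thread's rows
    from the first mention to the last. Rows outside that window are dropped
    because the thread number may have been reused for another message.
    Assumes a thread works on one message between those two mentions.
    """
    rows = parse(text)
    window = {}  # thread -> (first_line_no, last_line_no)
    for no, thread, _, data in rows:
        if message_name in data:  # substring match also covers split messages
            first, _last = window.get(thread, (no, no))
            window[thread] = (first, no)
    return [r for r in rows
            if r[1] in window and window[r[1]][0] <= r[0] <= window[r[1]][1]]

if __name__ == "__main__":
    for no, thread, time, data in trace_message(SAMPLE_LOG, "B422c96d90000"):
        print(f"{no:>4} {thread} {time} {data}")
```

Run against a copy of a real log by passing the file's text in place of `SAMPLE_LOG`; the line numbers in the output map back to the original file for checking in Notepad.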

Familiarize yourself with commonly-used log entries

  • RX - Data that MailMarshal receives from the connected mail server.
  • TX - Data that MailMarshal transmits to the connected mail server.
  • Event - an event raised by MailMarshal in response to an error condition.

Follow the progress of a message from start to finish.
When it is being processed by MailMarshal, a message will go through the MailMarshal Receiver, Engine and Sender services, in that order.

Receiver:
The MMReceiver logs steps for an individual message as follows:

  • Initial handshake between MailMarshal and other mail server, including MAIL FROM: and RCPT TO. 
  • Receiver Rules are run against the information gleaned from the initial handshake
  • DATA command is received to signal start of transmission of message.
  • QUIT is received at end of message.

Engine:
The MMEngine logs steps for an individual message as follows:

  • Thread unpacks message.
  • Rules are run against message.
  • If rule triggers, the actions taken against message are logged.

Sender:
The MMSender logs steps for an individual message as follows:

  • Recipient domain is resolved in DNS.
  • A new thread is started to connect to the remote server and initiate handshake.
  • Sender transmits HELO, MAIL FROM: and RCPT TO.
  • DATA command is transmitted to signal start of transmission of message.
  • QUIT is transmitted at end of message.
  • Message is considered successfully sent when a "250 OK" acknowledgement is received from the recipient server.

Notes on other MailMarshal Logs

MailMarshal includes two other services that exist in every MailMarshal system, the Controller and Array Manager services. In addition, there are some optional services and utilities, each with their own logs. They are MMUpdater, MMSpamProfiler, MMReleaseMessage, MMPop3, and MMGetMail.

In MailMarshal (SEG) 10, the Configuration Service (back end for the web Management Interface) also generates logs (found in Config Service\Logging).

MMController:
Each MailMarshal node will have a MailMarshal Controller, which interfaces between the central Array Manager and the node's mail processing services (i.e. Receiver, Engine and Sender).

  • Reports on configuration updates received from the Array Manager.
  • Logs when message is unpacked for viewing in Console.
  • Logs when SQL log information is passed to Array Manager.
  • From 6.2, logs information about DNS lookup and caching.

MMArrayManager:
Any given system of MailMarshal servers will have one central Array Manager.

  • Logs LDAP and AD groups updates
  • Oversees and logs the status of MailMarshal nodes
  • Logs SQL database updates.
  • Records the processing of Digest Notifications

MMUpdater:
This is the log of the service that performs upgrades of the processing nodes as requested from the Configurator (in version 6.4 through 8.2).

  • Upgrade log

MMSpamProfiler:
This log provides information about the SpamProfiler spam detection service (if enabled). The separate log is present in versions above 7.5.7; in 6.7 through 7.2.3; and in other installations depending on hotfix installation.

  • SpamProfiler Updates
  • Message detection scores

MMReleaseMessage:
If you use the MMReleaseMessage.exe external command to allow end users to release email, a log file is generated to record release activities.

  • Release code is parsed from message
  • Service connects to Node to locate and release message.

MMPop3:
MailMarshal can operate as a fully functional POP3 server. If used this way, the MMPop3 service allows local users to connect to MailMarshal to retrieve their email using POP3.

  • Mail Client connects to MMPop3 service to retrieve message.
  • Mail Client authenticates and downloads messages from MailMarshal.

MMGetMail:
MMGetMail logs will only exist if you use Mail Batching or the standalone MMGetMail application to retrieve mail from a remote POP3 service. Very few sites still use this method.

  • MMGetMail service connects to remote POP3 server, authenticates and retrieves message.
  • MMGetMail connects to Receiver and generates the SMTP commands necessary to pass the message to the Receiver.

Notes:

See also the following Knowledge Base articles:

  • Q10429 - How do I read MailMarshal Log Files?
  • Q10192 - How do email messages flow through MailMarshal SMTP?

This article was previously published as:
NETIQKB46128
