HOWTO: General tips on reading MailMarshal Exchange service logs


This article applies to:

  • Trustwave ECM/MailMarshal Exchange 7.X

Symptoms:

  • General tips on reading MailMarshal service logs.

Information:

The MailMarshal service logs are located by default in the \Logging\ subfolder of the install folder. The logs contain detailed information about the ongoing operation of each service. Familiarity with these logs is key to understanding MailMarshal issues quickly and correctly.

Use Word Wrap wisely in Notepad.
Typically we view MailMarshal service logs in Notepad. Each service log has three columns: Thread Number, Time, and Logged Data. When it is important to see the columns clearly, turn off Word Wrap. When it is more important to see all the Logged Data on-screen, turn on Word Wrap. Also use Notepad in full-screen mode.

Learn to use the thread number.
The MailMarshal services run multi-threaded, so different threads can write to the logs at the same time. When you read the logs, the data appears to jump from topic to topic in a meaningless way. However, if you follow the thread number, you can easily track the relevant entries. Use the Notepad search function to locate subsequent entries for a thread.

Note that thread numbers can be used again once freed up by the thread.

Use the Message ID
The message name (such as B422c96d90000) is also a useful way of tracking the progress of a message through the logs. Unlike the thread number, it is unique and never reused. If the message is created with a filename of, say, B422c96d90000.000000000001.0001.mml, then the B422c96d90000 part will be used in all the MailMarshal logs when referencing this message, or any messages split from it. A split typically occurs if the message has multiple recipients, and a rule applies to some but not all recipients.

Use a Grep tool to parse information from logs
Because the logs can appear cryptic due to the multithreaded operation of MailMarshal, some users find it extremely helpful to use a grep tool to pull the relevant information out of the logs. One example of such a tool is PowerGREP from JGS.
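The thread-number and message-name tips above can be combined in a short script. This is an added example, not Trustwave code: the article names the three columns but shows no sample line, so the whitespace-separated layout, the message-name pattern (modelled on B422c96d90000) and the sample entries are all assumptions.

```python
import re

# Assumed line layout (the article names the columns but shows no sample):
# <thread> <time> <logged data>, separated by whitespace.
LINE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(.*)$")
# Assumed message-name shape, modelled on the article's example B422c96d90000.
MSG_RE = re.compile(r"\bB[0-9a-f]{12}\b")

def parse(lines):
    """Yield (thread, time, data) for every line that matches the layout."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groups()

def trace_message(lines, msg_name):
    """Return the entries that belong to msg_name.

    A thread is followed from the entry where it first names the message
    until it names a different message, because thread numbers are reused.
    """
    owner = {}  # thread -> message name that thread is currently working on
    out = []
    for thread, time, data in parse(lines):
        names = MSG_RE.findall(data)
        if names:
            owner[thread] = names[0]
        if owner.get(thread) == msg_name:
            out.append((thread, time, data))
    return out

# Constructed sample, not real MailMarshal output.
SAMPLE = """\
1f4 10:15:01.120 Unpacking B422c96d90000.000000000001.0001.mml
2a8 10:15:01.130 Unpacking B422c96d90001.000000000001.0001.mml
1f4 10:15:01.200 Running rules
2a8 10:15:01.210 Running rules
1f4 10:15:01.350 Moved to ProcessedOK
1f4 10:15:02.000 Unpacking B422c96d90002.000000000001.0001.mml
1f4 10:15:02.090 Running rules
""".splitlines()

if __name__ == "__main__":
    for thread, time, data in trace_message(SAMPLE, "B422c96d90000"):
        print(thread, time, data)
```

Searching for the message name alone would miss the entries that carry only the thread number, and searching for the thread number alone would also return the later message that reused thread 1f4.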

Follow the progress of a message from start to finish.
A message handled by MailMarshal Exchange is processed by the MailMarshal Transport Agent, then the Engine, and then the Transport Agent service again.

Transport Agent:
The MEXTransportAgent logs steps for an individual message as follows:

  • Inspects messages in the Exchange Replay directory. 
  • If a message has already been processed by MailMarshal Exchange, no further action results.
  • If a message has NOT already been processed by MailMarshal Exchange, the message and header information is placed in a file and queued for Engine processing.

Engine:
The MMEngine logs steps for an individual message as follows:

  • Thread unpacks message.
  • Rules are run against message.
  • If a rule triggers, the actions taken against the message are logged.
  • If the message is to be delivered, it is moved to the ProcessedOK folder and then returned to the Exchange Replay directory.
    • In version 7.1, where possible messages are returned through an object in memory and not through the Replay directory.

Transport Agent:
As described above, the Agent checks the message and determines that no further action is required.

Notes on other MailMarshal Logs
MailMarshal Exchange includes two other services that exist in every MailMarshal system, the Controller and Array Manager services. In addition, the optional MMReleaseMessage logs activity.

The Agent Installer, Agent Controller, and Updater services also log activity, but they are not directly related to message processing.

MEXController Logs:
Each MailMarshal node will have a MailMarshal Controller, which interfaces between the central Array Manager and the node's mail processing services (Agent and Engine).

  • Reports on configuration updates received from the Array Manager.
  • Logs when a message is unpacked for viewing in the Console.
  • Logs when SQL log information is passed to Array Manager.

MEXArrayManager Logs:
Any given system of MailMarshal servers will have one central Array Manager.

  • Logs LDAP and AD group updates.
  • Oversees and logs the status of MailMarshal nodes
  • Logs SQL database updates.
  • Records the processing of Digest Notifications

MEXReleaseMessage Logs
If you use the MEXReleaseMessage.exe external command to allow end users to release email, a log file is generated to record release activities.

  • Release code is parsed from message
  • Service connects to Node to locate and release message.

Notes:

See also the following Knowledge Base articles:

  • Q14023 - How do I read MailMarshal Log Files?
  • Q10545 - How does MailMarshal Exchange work? (message flow)

