
The issue occurs because IMSS/IMSVA reads the MTA event information directly from the Postfix maillog file. It does not import the contents into the database, so running the vacuumdb command has no effect on these events. Therefore, the transactions found are limited to the contents of the maillog file.

To verify whether the old events still exist, manually check the contents of the maillog files (usually located under the /var/log/ folder). If all the maillog files, including maillog.1, maillog.2, etc., contain transactions only for the same day, then those transactions are the only events that can be shown in the IMSVA console. This can mean that mail traffic is high and that the size of the log file is too small to retain old events.
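The check described above can be scripted. The following is an added example, not part of the original article or the product; the function names are hypothetical, and it assumes plain-text maillog files whose lines begin with the traditional syslog timestamp.

```shell
#!/bin/sh
# Added example: report how much history the Postfix maillog files still hold.
# Assumes plain-text files named maillog, maillog.1, ... whose lines begin with
# the traditional syslog timestamp "Mon DD HH:MM:SS".

# List the maillog files in directory $1 (current file plus rotated copies).
maillog_files() {
    for f in "$1"/maillog "$1"/maillog.[0-9]*; do
        case "$f" in *.gz) continue ;; esac   # compressed copies are skipped
        if [ -f "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Print "<file>: <first timestamp> -> <last timestamp> (<n> lines)" per file.
maillog_spans() {
    maillog_files "$1" | while IFS= read -r f; do
        awk -v name="${f##*/}" '
            NF >= 3 { ts = $1 " " $2 " " $3
                      if (first == "") first = ts
                      last = ts; n++ }
            END { if (n) printf "%s: %s -> %s (%d lines)\n", name, first, last, n
                  else   printf "%s: empty\n", name }' "$f"
    done
}

# Print the number of distinct calendar days ("Mon DD") seen across all files.
maillog_days() {
    maillog_files "$1" | while IFS= read -r f; do cat "$f"; done |
        awk 'NF >= 2 { days[$1 " " $2] = 1 }
             END { n = 0; for (d in days) n++; print n }'
}

# Return 1 when several files exist but together cover only one day, i.e. the
# size/rotate limits are too small for the mail volume to keep older events.
maillog_retention_check() {
    maillog_spans "$1"
    files=$(($(maillog_files "$1" | wc -l)))
    days=$(maillog_days "$1")
    echo "files=$files days_covered=$days"
    if [ "$files" -gt 1 ] && [ "$days" -le 1 ]; then
        echo "WARNING: all maillog files hold the same day; raise size/rotate"
        return 1
    fi
    return 0
}

# Run against a directory when one is given, e.g.: sh maillog_check.sh /var/log
if [ -n "${1:-}" ]; then maillog_retention_check "$1"; fi
```
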

If you want to see old MTA transactions, increase the log file size limit, the number of maillog files kept in rotation, or both. Also consider the amount of traffic passing through IMSVA, as heavy traffic can use up the file size limit quickly and, in effect, overwrite the old transactions.

If you want to configure the size and number of files to be rotated, modify the logrotate.conf file:

  1. Open the /etc/logrotate.conf file.
     
    Create a backup of the logrotate.conf file before doing any modification.
     
  2. To change the log rotation settings for maillog, look for the /var/log/maillog area.
  3. From there you can change the size limit for each maillog file it creates. By default, this is set to 10MB.

    /var/log/maillog {
        size 10240k
        postrotate
            /usr/bin/killall -HUP syslogd
        endscript
    }

  4. The number of logs to rotate is set to 4 by default, and it applies to all log files being monitored. To set a specific rotate value, add another parameter under the /var/log/maillog area of the logrotate.conf file.

    Example:

    /var/log/maillog {
        size 10240k
        rotate 10
        postrotate
            /usr/bin/killall -HUP syslogd
        endscript
    }

    The settings above limit the size of each file to 10MB and keep only the 10 most recent rotated log files.

  5. Save and close the logrotate.conf file.
  6. For the new settings to immediately take effect, run the following command:

    # logrotate -s /var/log/logstatus logrotate.conf

    The command assumes that you are in the /etc folder.

    You can also wait for the cron job to apply the new settings at a later time.

Important Notes to Consider

  • If you encounter any issues, restore the backup copy of the configuration file.
  • Insufficient disk space may cause mail flow to stop, as well as mail logging and other performance-related issues.
  • Using a SIEM is recommended, since IMSVA is not really designed to store a huge amount of logs.