Increasing the MTA Events log retention in Postfix

    • Updated: 17 Dec 2020
    • Product/Version: InterScan Messaging Security Suite 7.5; InterScan Messaging Security Suite 9.1; InterScan Messaging Security Virtual Appliance 9.1
    • Platform: N/A
Summary

You can only query a day's worth of Mail Transfer Agent (MTA) events on InterScan Messaging Security Suite (IMSS) and InterScan Messaging Security Virtual Appliance (IMSVA). Older events do not appear in the console, so you may not be able to query some MTA event logs.

Details

The issue occurs because IMSS/IMSVA reads the MTA events information directly from the Postfix maillog file. It does not import the contents into the database, so running the vacuumdb command has no effect on this. The transactions that can be found are therefore limited to the contents of the maillog files.

To verify whether the old events still exist, manually check the contents of the maillog files (usually located under the /var/log/ folder). If all the maillog files, including maillog.1, maillog.2, etc., contain transactions only for the same day, then those transactions are the only events that can be shown in the IMSVA console. This can mean that mail traffic is high and that the size of the log file is too small to retain old events.
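The manual check above can be scripted. The following is an added example, not part of the original article: the function names are hypothetical, and it assumes traditional syslog timestamps ("Dec 17 10:01:02 host ...") and uncompressed rotated files named maillog, maillog.1, maillog.2, and so on.

```shell
#!/bin/sh
# Added example (not from the original article): show which calendar days
# each Postfix maillog file covers, so a short retention window is obvious.
# Assumption: lines start with a traditional syslog timestamp, "Mon DD HH:MM:SS".

# List the current and rotated maillog files in a directory, skipping compressed ones.
maillog_files() {
    for f in "${1:-/var/log}"/maillog "${1:-/var/log}"/maillog.[0-9]*; do
        [ -f "$f" ] || continue
        case $f in *.gz|*.bz2|*.xz) continue ;; esac
        printf '%s\n' "$f"
    done
}

# Print one tab-separated line per file: name, size in bytes, first day, last day.
maillog_span() {
    maillog_files "$1" | while IFS= read -r f; do
        size=$(wc -c < "$f" | tr -d ' ')
        first=$(awk 'NF >= 3 { print $1, $2; exit }' "$f")
        last=$(awk 'NF >= 3 { d = $1 " " $2 } END { print d }' "$f")
        printf '%s\t%s\t%s\t%s\n' "${f##*/}" "$size" "${first:-empty}" "${last:-empty}"
    done
}

# Print the number of distinct days present across all maillog files.
# A result of 1 with several rotated files means rotation is discarding
# events within a single day.
maillog_days() {
    maillog_files "$1" | while IFS= read -r f; do
        awk 'NF >= 3 { print $1, $2 }' "$f"
    done | sort -u | wc -l | tr -d ' '
}
```

Source the file on the appliance and run `maillog_span /var/log` followed by `maillog_days /var/log`. The byte sizes reported per file also show how quickly the configured size limit is being reached.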

If you want to see old MTA transactions, you can increase the log file size limit, increase the number of maillog files that are kept in rotation, or both. You should also consider the amount of traffic passing through IMSVA, as heavy traffic can use up the file size limit quickly and in effect overwrite the old transactions.

To configure the size and number of files to be rotated, modify the logrotate.conf file:

  1. Open the /etc/logrotate.conf file.

     Note: Create a backup of the logrotate.conf file before making any modifications.

  2. To change the log rotation settings for maillog, look for the /var/log/maillog section.
  3. From there you can change the size limit for each maillog file it creates. By default, this is set to 10MB.

    /var/log/maillog {
        size 10240k
        postrotate
            /usr/bin/killall -HUP syslogd
        endscript
    }

  4. The number of logs to rotate is set to 4 by default, and it applies to all log files being monitored. To set a specific rotate value for maillog, add a rotate parameter under the /var/log/maillog section of the logrotate.conf file.

    Example:

    /var/log/maillog {
        size 10240k
        rotate 10
        postrotate
            /usr/bin/killall -HUP syslogd
        endscript
    }

    The settings above limit the size of each file to 10MB and keep only the 10 most recent rotated log files.

  5. Save and close the logrotate.conf file.
  6. For the new settings to take effect immediately, run the following command:

    # logrotate -s /var/log/logstatus logrotate.conf

    The command assumes that you are in the /etc folder.

    You can also wait for the cron job to pick up the new settings at a later time.

Important Notes to Consider

  • If you encounter any issues, restore the backup copy of the configuration file.
  • Insufficient disk space may cause mail flow to stop, and may cause mail logging and other performance-related issues.
  • Using a SIEM is recommended, since IMSVA is not really designed to store a huge amount of logs.

Category: Configure
Solution Id: 1057443