Unable to query the MTA Events log in InterScan Messaging Security Suite/Virtual Appliance (IMSS/IMSVA)

    • Updated: 12 Oct 2015
    • Product/Version: InterScan Messaging Security Suite 7.1 Linux
    • Platform:
        • Linux - Red Hat RHEL 3 32-bit
        • Linux - Red Hat RHEL 3 64-bit
        • Linux - Red Hat RHEL 4 32-bit
        • Linux - Red Hat RHEL 4 64-bit
        • Linux - Red Hat RHEL 5 32-bit
        • Linux - Red Hat RHEL 5 64-bit
        • Linux - Red Hat RHEL 6 32-bit
        • Linux - Red Hat RHEL 6 64-bit
        • Unix - Solaris (Sun) version 10 (SunOS 5.10)
        • Unix - Solaris (Sun) version 7 (SunOS 5.7)
        • Unix - Solaris (Sun) version 8 (SunOS 5.8)
        • Unix - Solaris (Sun) version 9 (SunOS 5.9)

Summary

You can only query a day's worth of MTA events on IMSS/IMSVA. Old events do not appear in the console.

Details

The issue occurs because IMSS reads the MTA events information directly from the postfix maillog file. It does not import the contents into the database, so running the vacuumdb command has no effect on this. Therefore, the transactions found are limited to the contents of the maillog file.

To verify whether the old events still exist, manually check the contents of the maillog files (usually located under the /var/log/ folder). If all the maillog files, including maillog.1, maillog.2, and so on, contain transactions only for the same day, then those transactions are the only events that can be shown in the IMSVA console. This can mean that mail traffic is high and that the log file size limit is too small to retain old events.
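
One way to carry out the check described above, as an added example rather than Trend Micro's own tooling: the script lists the first and last day found in each maillog file and counts the distinct days across all of them. It assumes traditional syslog timestamps (`Oct 12 03:14:07 host ...`); the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Trend Micro's code): report which days each maillog file covers.
# Assumes the traditional syslog timestamp, e.g. "Oct 12 03:14:07 host postfix/...".

# Print a log file, decompressing it if logrotate compressed it.
read_log() {
    case $1 in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# maillog_span DIR: print "file<TAB>first day<TAB>last day" for each maillog file.
maillog_span() {
    for f in "$1"/maillog "$1"/maillog.[0-9]*; do
        [ -f "$f" ] || continue
        read_log "$f" | awk -v name="${f##*/}" '
            NF >= 3 { day = $1 " " $2; if (first == "") first = day; last = day }
            END     { if (first != "") printf "%s\t%s\t%s\n", name, first, last }'
    done
}

# maillog_distinct_days DIR: count the distinct calendar days seen across all files.
maillog_distinct_days() {
    for f in "$1"/maillog "$1"/maillog.[0-9]*; do
        [ -f "$f" ] || continue
        read_log "$f" | awk 'NF >= 3 { print $1, $2 }'
    done | sort -u | wc -l | tr -d ' '
}

# With no argument, run against a constructed sample (two files, one day of traffic).
dir=${1:-}
if [ -z "$dir" ]; then
    dir=$(mktemp -d)
    trap 'rm -rf "$dir"' EXIT
    printf '%s\n' \
        'Oct 12 08:59:58 imsva postfix/smtpd[2101]: connect from unknown[192.0.2.10]' \
        'Oct 12 09:14:03 imsva postfix/qmgr[1999]: 4F1A2C0DE: removed' > "$dir/maillog.1"
    printf '%s\n' \
        'Oct 12 09:14:04 imsva postfix/smtpd[2107]: connect from unknown[192.0.2.11]' \
        'Oct 12 09:31:40 imsva postfix/qmgr[1999]: 7B33D10AF: removed' > "$dir/maillog"
fi

maillog_span "$dir"
if [ "$(maillog_distinct_days "$dir")" -eq 1 ]; then
    echo "Only one day of MTA events is retained; raise size and/or rotate."
fi
```

Pass the log directory as the first argument (for example `/var/log`) to run it against real files instead of the constructed sample.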

To see old MTA transactions, increase the log file size limit, the number of maillog files that are rotated, or both. Also consider the amount of traffic passing through IMSVA, as it might use up the file size limit quickly and in effect overwrite the old transactions.

If you want to configure the size and number of files to be rotated, modify the logrotate.conf file:

  1. Open the /etc/logrotate.conf file.
     
    Create a backup of the logrotate.conf file before doing any modification.
  2. To change the log rotation settings for maillog, look for the /var/log/maillog area.
  3. From there you can change the size limit for each maillog file it creates. By default, this is set to 10MB.

    /var/log/maillog {
        size 10240k
        postrotate
            /usr/bin/killall -HUP syslogd
        endscript
    }

  4. The number of logs to rotate is set to 4 by default, and it applies to all log files being monitored. To set a specific rotate value, add another parameter under the /var/log/maillog area of the logrotate.conf file.

    Example:

    /var/log/maillog {
        size 10240k
        rotate 10
        postrotate
            /usr/bin/killall -HUP syslogd
        endscript
    }

    The settings above limit the size of each file to 10MB and keep only the 10 most recent rotated log files.

  5. Save and close the logrotate.conf file.
  6. For the new settings to immediately take effect, run the following command:

    # logrotate -s /var/log/logstatus logrotate.conf

    The command assumes that you are in the /etc folder.

    You can also wait for the cron job to apply the new settings at a later time.

For more information on how to configure the logrotate.conf file, refer to the following article: HowTo: The Ultimate Logrotate Command Tutorial with 10 Examples.

Category: Configure; Troubleshoot
Solution Id: 1057443