Message Sniffer.TechnicalDetails.LogFiles.Technical
From ARM-KB
This page is no longer maintained and may contain information that is out of date. We have left this page in place to provide a historical reference and to provide assistance to folks who may have not yet upgraded from Version 2 to Version 3. EVERYONE should upgrade to the latest version if they have not done so already.
For the latest information covered on this page, please see the following pages on our web site: http://www.armresearch.com/support/articles/software/snfServer/logFiles/index.jsp
No log file is being created. Why?
Sniffer isn't being called successfully. It is virtually incapable of running without producing a log file, so if it were being launched it would show up in the log. The most likely cause is an incorrect path to the program. Double check all paths to make sure none of them are relative or pointing to an incorrect location.
It is also possible that something on your system is preventing it from writing to the log file.
You can also try launching it from the command line using exactly the same environment and syntax that your MTA will provide when it launches the program. This should provide you with an error message you can use.
What is the log processing schedule?
In conjunction with upgrading our database servers we have modified the log file processing schedule. The log file processing system will now pick up and process logs twice per day at 0300 and 1500 E.
Your Sniffer logs may be submitted at any time that works for your system. If your log upload is in progress when our system begins processing logs then your log will be skipped until the next round so that your upload can be completed.
Do I need to create a new log file once I upload?
No, Message Sniffer will create a new log file as needed. When rotating log files, the best way to do it is to rename the current log file (this is a very fast operation) and then do any processing or uploading you would like on the renamed copy.
It is probably a good idea to keep your log files around for a couple of days, depending upon how you handle spam and false positives. If you submit a false positive to our system, most of the time it will be able to identify the rules that matched so that we can make the proper adjustments. HOWEVER, in some cases the message you submit will be subtly altered by the submission process and you may need to refer to an old Message Sniffer log to find out which rules matched.
Is there a way to write its logs to a different location other than the default Sniffer directory?
No, not at this time.
I am using Declude. How can I relate the log entry to a specific email header?
In Declude you can set a configuration option to include the queue file name for the message. This is related to the D file name that will be scanned by Sniffer. When you detect a false positive you can match that to your Sniffer logs by searching for the correct file name.
Is there a tool available with which to analyze sniffer logs?
Here's one way: http://www.sawmill.net/formats/Message_Sniffer.html
I've been trying to upload my log files and I keep getting permission denied. Thoughts?
Sometimes FTP clients report that access was denied when they are unable to complete their FTP data connection. This is a firewall issue.
If you determine that your firewall is configured correctly for FTP and you have a good FTP client that you have verified is working, then you may still receive an access denied message from the server if you attempt to use some FTP commands. Limit your FTP script to simply connecting and "put"ing your file. You will also be denied if you attempt to overwrite a file that already exists. So, if you use the same file name and attempt to upload your log more than once in a short period, only the first attempt will succeed; you will need to wait for the first log file to be processed before you can upload with the same name again. It is usually safe to upload another log file with the same name after 2 hours.
Do you have a recommended method for archiving/maintaining the log file?
That's entirely up to you -- One recommendation is to rotate the log once per day and delete the log after 10 days. This goes along with a 10 day quarantine -- That is to say, if you keep a quarantine then you probably want to keep the log as long as you keep the messages.
Logs do get quite large so daily rotation is usually best. You can also customize your logs based on how you use them.
If you need your logs to resolve false positives then you can set the no-dupe option to reduce the length somewhat while retaining at least one entry for each matching rule.
If you do not need your logs for resolving false positives then you can use single-line mode to create only one log line per message.
Do you have a simple script for rotating logs?
Most folks roll their own so that it works well with the other log rotation schemes they have going on their systems.
I like to use a script something like:
del <snflic>.log.9
rename <snflic>.log.8 <snflic>.log.9
rename <snflic>.log.7 <snflic>.log.8
rename <snflic>.log.6 <snflic>.log.7
rename <snflic>.log.5 <snflic>.log.6
rename <snflic>.log.4 <snflic>.log.5
rename <snflic>.log.3 <snflic>.log.4
rename <snflic>.log.2 <snflic>.log.3
rename <snflic>.log.1 <snflic>.log.2
rename <snflic>.log <snflic>.log.1
where <snflic> is your license id.
Set it up as a daily scheduled task and that's usually all there is to it.
If you also report (upload) your logs, then adding the upload step to this script, or adding this rotation to your upload script, will usually work fine.
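The batch script above is for Windows. As an added example that is not part of the original page or of Message Sniffer itself, the same rotation for a POSIX shell: it follows the FAQ's advice to rename the live log first (Sniffer creates a fresh one on its next call), shifts the numbered generations up by one, and deletes the oldest so that nothing is ever overwritten. The log directory, the license id (the FAQ's <snflic>) and the number of generations to keep are assumed to be passed as arguments; 10 generations with a daily rotation matches the 10-day retention suggested earlier on this page.

```shell
#!/bin/sh
# rotate_snf_log DIR LICENSE KEEP
#   DIR     directory holding the Sniffer log (assumption: passed by the caller)
#   LICENSE license id used as the log file basename (the FAQ's <snflic>)
#   KEEP    number of rotated generations to retain (10 = the FAQ's 10-day advice)
# Generations are LICENSE.log.1 (newest) ... LICENSE.log.KEEP (oldest).
rotate_snf_log() {
    dir=$1; lic=$2; keep=$3
    base="$dir/$lic.log"

    # Nothing to rotate if no live log exists (e.g. Sniffer has not run yet).
    [ -f "$base" ] || return 0

    # Drop the oldest generation first so the shift below never overwrites a file.
    rm -f "$base.$keep"

    # Shift the remaining generations up by one, oldest first.
    i=$((keep - 1))
    while [ "$i" -ge 1 ]; do
        [ -f "$base.$i" ] && mv "$base.$i" "$base.$((i + 1))"
        i=$((i - 1))
    done

    # Finally rename the live log; this is the fast operation the FAQ recommends,
    # and the renamed copy is what you then process or upload.
    mv "$base" "$base.1"
}

# count_snf_generations DIR LICENSE -> prints how many rotated generations exist
count_snf_generations() {
    n=0
    for f in "$1/$2".log.*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Usage (assumed paths): rotate_snf_log /var/log/snf YOURLICENSE 10
```

Run it once a day from cron; any upload step belongs after the call to rotate_snf_log, operating on the freshly created .log.1 rather than on the live log.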
