



Managing MAILsweeper


Logging

MAILsweeper can create three types of log file, these are:

MAILsweeper can also write to the Windows NT application event log, either during startup or disposal. See page 6-9 for more details.

MAILsweeper logging is discussed briefly on the next few pages. For full details on logging and how to configure the log files, see page 7-109.

SMTP systems only. Certain logging information can also be supplied via the MAILsweeper Console icon. For more details see page 2-68.

Log file locations

The locations and names of the log files MAILsweeper can create are specified by entries in the configuration section for the log file type, that is, [SystemLog], [MessageLog] or [DebugLog]. These sections are usually found in the logging configuration file, LOGGING.CFG.

For example:

[MessageLog]
FileRootName=C:\MSW\LOG\NR%05u.LOG
NameType=NumericSeq

The FileRootName directive specifies the directory in which the log files are located. In this example, the directory is C:\MSW\LOG. It also specifies a template that is used to generate the name of the log files. In this example the template is NR%05u.LOG.

The NameType directive specifies what sort of data substitutes the token in the template used by the FileRootName directive. In this example, the %05u token is substituted by an incrementing number up to five digits.

Setting logging levels

The amount of information stored in each of the MAILsweeper log files, or written to the event log, can be controlled. This is achieved using the MaxLevel directive, found in the configuration section for the log, that is, [SystemLog], [MessageLog], [DebugLog] or [EventLog]. The section is usually found in the logging configuration file, LOGGING.CFG.

For example:

[MessageLog]
FileRootName=C:\MSW\LOG\NR%05u.LOG
NameType=NumericSeq
StreamType=UserFile
MaxLevel=Normal

[SystemLog]
FileRootName=C:\MSW\LOG\DT%s.LOG
NameType=Date
StreamType=SystemFile
MaxLevel=Brief

The four levels of logging are:

To enable changes made to the MaxLevel directive you must restart the MAILsweeper service.

The level of information stored in each of the MAILsweeper logs should be controlled carefully. More disk space is used when the logging level is set to one of the higher values. Furthermore, over time the number of log files will build up and this will take up an excessive amount of disk space if not managed. It is recommended you archive and delete the log files on a regular basis. For details on how to archive the system log see page 6-23.

Saving message logs

MAILsweeper generates a message log for every message that it processes. The amount of information detailed in this log depends on the logging level specified by the MaxLevel directive. See page 6-7 for details.

By default, the message log is only saved if the message is quarantined. You can, however, save the message log for all messages, if required. For example, this may be useful for a new installation or on a site where problems are being experienced.

Saving a message log for every message may result in an excessive amount of disk space being used, especially if the logging level is set to one of the higher values.

Whether message logs should be saved for all messages, or quarantined messages only, is specified using the SaveMsgLogs directive, found in the [Main] section of the mail configuration file, MIMESWP.CFG.

For example:

[Main]
SaveMsgLogs=FALSE 

saves message log files for quarantined messages only. This is the default.

[Main]
SaveMsgLogs=TRUE 

saves message log files for all messages.

The location of the saved message log is specified by the FileRootName directive. This directive is found in the [MessageLog] section of the logging configuration file, LOGGING.CFG.¹ See page 6-6 for details.

To enable changes made to the SaveMsgLogs directive you must restart the MAILsweeper service.

Event log

MAILsweeper is configured to write all startup errors and operation errors to the Windows NT application event log.

MAILsweeper can also be configured to write to the event log during disposal. This is achieved using the Event directive. See page 7-36 for more details.

Configuration details for the event log are found in the mail configuration file, MIMESWP.CFG.

For example:

[Logging]
SystemLog=0
...
EventLog=3

[EventLog]
EventSource=MAILsweeper
StreamType=Appevent
MaxLevel=Brief

It is recommended that you do not change the configuration details for the event log without assistance from technical support.

Viewing the event log

To view the Windows NT application event log (for Windows NT 4.0):²

1. Click on the Windows NT 4.0 Start button.
2. Point to the Programs menu option.
3. Point to the Administrative Tools menu option.
4. Click on the Event Viewer program name.
5. Select Application from the Log menu to ensure you are viewing the application event log.

To view more details on any of the events listed in the application event log, double click on the entry. Alternatively, select the entry and then Detail from the View menu.

An Event Dialog box is displayed showing more information about the selected event.

From this dialog box you can view details on the other events listed. Click on the Previous and Next buttons to move through the events.

For more information on the Windows NT application event log refer to your Windows NT documentation.

SNMP traps

MAILsweeper can be configured to issue SNMP traps to an SNMP Manager at startup and shutdown.

MAILsweeper can also be configured to issue a trap to the SNMP Manager during disposal. This is achieved using the Trap directive. See page 7-37 for more details.

Configuration details for SNMP traps are found in the mail configuration file, MIMESWP.CFG. These details reflect the information entered during installation.

For example:

[SNMPTrapConfig]
Community=public
TargetAddress=195.121.24.11

If you are upgrading from a MIMEsweeper installation that is of a version prior to 3.2, or you did not enter any SNMP configuration information during installation, the SNMP trap configuration section is disabled.

For more details on the [SNMPTrapConfig] section, see page 7-19.

Quarantine areas

MAILsweeper places all quarantined messages in designated quarantine areas. Currently up to ten quarantine areas can be configured, with separate quarantine areas usually being used for different quarantine reasons.

For example:

[Blocked Messages]
Location=c:\MSW\QTINE\Blocked\
File=c:\MSW\QTINE\Blocked\Quarntne.lst

(as the quarantine area for messages found to contain a virus.)

[Encrypted Messages]
Location=c:\MSW\QTINE\Encrypted\
File=c:\MSW\QTINE\Encrypted\Quarntne.lst

(as the quarantine area for encrypted messages.)

Configuration details for the quarantine areas are found in the mail configuration file, MIMESWP.CFG.

For full details on how to configure the quarantine areas, see page 7-28.

Messages held in the quarantine areas can subsequently be viewed safely and appropriate action taken, depending on the quarantine reason. For example, if the message contains a virus, the virus can be removed and the message forwarded on to the original recipients. Alternatively, the message can be copied to removable media for further investigation, or simply deleted. You can use MAILsweeper Manager to view and manage the contents of the quarantine areas. See page 6-14 for details.

When a message is released from quarantine you may wish to include some text with the message, explaining the reason for delay. This can be achieved using the automated editing facility. See page 7-34 for details.

The number of stored quarantine messages will build up if not managed carefully. For this reason, it is recommended that you check the quarantine areas regularly, for example, using MAILsweeper Manager, and take appropriate action on the contents. See page 6-14 for more details.

Changing scanning intervals

MAILsweeper scans the host mail system at predetermined intervals.

You can change the interval between scans, using the IdleTime directive.

This directive is found in the [Main] section of the mail configuration file, MIMESWP.CFG.

For example:

[Main]
SaveMsgLogs=TRUE
IdleTime=10
Administrator=Admin_Front@FrontDoor
Server=MIMEsweeper@FrontDoor

The value of the IdleTime directive can be any integer between 10 and 3600 (seconds). The default is 10.

To enable any changes made to the IdleTime directive, you must restart the MAILsweeper service.
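The directives described so far (IdleTime, SaveMsgLogs, MaxLevel, FileRootName, the SNMP Community string and the quarantine area sections) can be checked together before the service is restarted. The following Python script is an added example, not part of MAILsweeper or its documentation; it parses constructed copies of MIMESWP.CFG and LOGGING.CFG and reports settings an administrator should review. The function names (load, log_directories, audit) are hypothetical, and treating any section that has both Location and File as a quarantine area is an assumption.

```python
import configparser
import ntpath

# Constructed samples modelled on the fragments shown on this page.
MIMESWP_CFG = r"""
[Main]
SaveMsgLogs=TRUE
IdleTime=5

[SNMPTrapConfig]
Community=public
TargetAddress=195.121.24.11

[Blocked Messages]
Location=c:\MSW\QTINE\Blocked\
File=c:\MSW\QTINE\Blocked\Quarntne.lst
"""
LOGGING_CFG = r"""
[MessageLog]
FileRootName=C:\MSW\LOG\NR%05u.LOG
NameType=NumericSeq
MaxLevel=Normal

[SystemLog]
FileRootName=C:\MSW\LOG\DT%s.LOG
NameType=Date
MaxLevel=Brief
"""


def load(text):
    # interpolation=None: FileRootName templates contain '%' tokens that the
    # default interpolation would reject; optionxform=str keeps key case.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_string(text)
    return cfg


def log_directories(logging_cfg):
    """Map each log section to the directory part of its FileRootName."""
    return {name: ntpath.dirname(sec["FileRootName"])
            for name, sec in logging_cfg.items() if "FileRootName" in sec}


def audit(mimeswp_text, logging_text):
    """Return a list of (directive, finding) pairs for an administrator."""
    mail, logs = load(mimeswp_text), load(logging_text)
    findings = []
    main = mail["Main"] if mail.has_section("Main") else {}

    idle = main.get("IdleTime", "10")          # documented default is 10
    if not (idle.isdigit() and 10 <= int(idle) <= 3600):
        findings.append(("IdleTime", f"{idle!r} is outside 10..3600 seconds"))

    if main.get("SaveMsgLogs", "FALSE").upper() == "TRUE":
        level = logs.get("MessageLog", "MaxLevel", fallback="(not set)")
        where = log_directories(logs).get("MessageLog", "(no FileRootName)")
        findings.append(("SaveMsgLogs", f"a log is kept for every message "
                         f"at MaxLevel={level} in {where}; plan archiving"))

    snmp = mail["SNMPTrapConfig"] if mail.has_section("SNMPTrapConfig") else {}
    if snmp.get("Community", "").lower() == "public":
        findings.append(("Community", "well-known default community string "
                         f"used for traps to {snmp.get('TargetAddress')}"))

    # Assumption: a section with both Location and File is a quarantine area.
    areas = [s for s in mail.sections()
             if "Location" in mail[s] and "File" in mail[s]]
    if len(areas) > 10:
        findings.append(("Quarantine", f"{len(areas)} areas exceed the ten"))
    return findings
```

Calling audit(MIMESWP_CFG, LOGGING_CFG) on the constructed samples reports the out-of-range IdleTime, the SaveMsgLogs setting with its log directory, and the default SNMP community string.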

MAILsweeper Manager

MAILsweeper Manager is a management facility that allows you to:

MAILsweeper Manager can be run locally, that is, when it is located on the same machine as the MAILsweeper service. See below for details.

MAILsweeper Manager can also be run remotely, that is, to manage MAILsweeper over the network. To run Manager remotely see page 6-25.

Starting MAILsweeper Manager (locally)

To run MAILsweeper Manager locally (for Windows NT 4.0):³

1. Click on the Windows NT 4.0 Start button.
2. Point to the Programs menu option.
3. Point to the MIMEsweeper menu option.
4. Click on the Manager program name.

Alternatively, type MCN at the command prompt.

When Manager starts, the MAILsweeper Manager dialog box is displayed. Initially, this dialog box displays a list of the five most recent messages that MAILsweeper has processed. See the next page for more details on this list.

The MAILsweeper Manager dialog box also shows certain processing information for the current MAILsweeper session, that is:

If for some reason Manager is unable to communicate with the MAILsweeper service then this dialog box will change colour to red and display an appropriate warning message. See page 6-24 for more details.

Stopping MAILsweeper Manager

To stop Manager, click on the Exit button of the MAILsweeper Manager dialog box. Alternatively, press the <X> key.

Viewing recent messages

When the MAILsweeper Manager dialog box is initially displayed it shows a list of the last five messages that MAILsweeper has processed.

This information can also be displayed by selecting RecentMessages from the drop-down list box associated with the Message Area field.

For example:

The summary information displayed for the Recent Messages area is:

If MAILsweeper is deployed in a cc:Mail hub environment each clean message will appear twice on the list of Recent Messages, while each quarantined message will appear only once, as shown above. This is due to the way in which MAILsweeper processes the message. See page 2-79 for more details.

Viewing quarantined messages

You can view a list of messages held in any of the quarantined message areas. To do this select the quarantine area from the drop-down list box associated with the Message Area field of the MAILsweeper Manager dialog box, as shown below.

Each item on the list allows you to view the contents of one of the quarantined message areas, except RecentMessages, which displays the last five messages MAILsweeper has processed. See page 6-16 for details.

The dialog box below shows a list of messages currently held in the Blocked Messages quarantine area. See the next page for more details on this list.

The summary information displayed for each quarantined message is:

This comment is configurable. See page 7-28 for details.

Selecting quarantined messages for further processing:

Any quarantined message listed in the MAILsweeper Manager dialog box can be selected for further processing, that is, for:

To select a message for further processing click on the message Id.

To select more than one message, hold down the <Ctrl> key while you click on each message Id.

Messages in the Recent Messages area cannot be selected for further processing.

Copying quarantined messages

You can use MAILsweeper Manager to copy one or more messages from the quarantine areas. For example, you may want to copy a message onto floppy disk so that it can be safely examined on another machine, prior to release or deletion.

To copy quarantined messages:

1. Select the Id of the message(s) from the message area of the MAILsweeper Manager dialog box, as explained on page 6-18.
2. Click on the Copy button to display the following dialog box.

3. Type in the name of the directory where the selected messages are to be copied to. The default is A:\.
4. Click on the OK button.

If Manager is being run remotely, A: is the drive located on the MAILsweeper machine. This is not the same machine that Manager is being run from. See page 6-25 for details on remote management.

Releasing quarantined messages

Quarantined messages can be released back into the mail system after they have been checked, for forwarding to their original recipients.

Releasing a message does not keep a copy of the message in the quarantine area. If you want to keep a copy of the message for some reason you should forward the message using the Send option. See page 6-21 for details.

To release quarantined messages:

1. Select the Id of the message(s) from the message area of the MAILsweeper Manager dialog box, as explained on page 6-18.
2. Click on the Release button. A dialog box is displayed prompting you to confirm the message release.

3. Click on the Yes button to confirm the release of each selected message individually. Click on the Yes to all button to release all selected messages without confirmation.

The default <Response> assigned to a released message is Release. This follows the Clean disposal route, meaning that the message is simply forwarded on to its original recipients with no further action. The default can be changed if required, by including a ReleaseDisposal directive in the appropriate quarantine configuration section. For example, you may wish to utilise automated message editing to include a message indicating the reason for quarantine. See page 7-34 for more details on automated message editing and page 7-30 for more details on ReleaseDisposal.

A message should only be released back into the mail system after it has been checked and you are sure it is safe for onward delivery.

Sending quarantined messages

Quarantined messages can be sent back into the mail system after they have been checked, for forwarding to their original recipients.

Sending a message keeps a copy of the message in the quarantine area. This can be useful if you need to keep a copy of the message for some reason. If you do not need to keep a copy you should forward the message using the Release option. See page 6-20 for details.

To send quarantined messages:

1. Select the Id of the message(s) from the message area of the MAILsweeper Manager dialog box, as explained on page 6-18.
2. Click on the Send button. A dialog box is displayed prompting you to confirm the message send.

3. Click on the Yes button to confirm the sending of each selected message individually. Click on the Yes to all button to send all selected messages without confirmation.

The default <Response> assigned to a sent message is Release. This follows the Clean disposal route, meaning that the message is simply forwarded on to its original recipients with no further action. The default can be changed if required, by including a ReleaseDisposal directive in the appropriate quarantine configuration section. For example, you may wish to utilise automated message editing to include a message indicating the reason for quarantine. See page 7-34 for more details on automated message editing and page 7-30 for more details on ReleaseDisposal.

A message should only be sent back into the mail system after it has been checked and you are sure it is safe for onward delivery.

Deleting quarantined messages

Quarantined messages can be deleted from the quarantine area and permanently removed from the mail system.

It is recommended that you check the quarantine areas regularly and delete any unwanted messages. This will prevent your disk becoming filled up with old messages.

To delete quarantined messages:

1. Select the Id of the message(s) from the message area of the MAILsweeper Manager dialog box, as explained on page 6-18.
2. Click on the Delete button. A dialog box is displayed prompting you to confirm the message deletion.

3. Click on the Yes button to confirm the deletion of each selected message individually. Click on the Yes to all button to delete all selected messages without confirmation.

Once a message is deleted from the mail system it CANNOT be retrieved later, so be sure this is what you want to do.

Archiving log files

MAILsweeper Manager enables you to archive the system log files. You may want to do this, for example, to release disk space or to look at the log files on another PC.

This facility archives the system log files only. Message log and debug log files cannot be archived in this manner. The current (today's) system log file is NOT archived.

To archive the system log files:

1. Select the Archive system logs option from the System menu⁴ of the MAILsweeper Manager dialog box, shown on page 6-17. This displays the following dialog box.

2. Type in the name of the directory where the log files are to be archived. The default is A:\.
3. By default the system log files are deleted after archiving. If the log files are NOT to be deleted click on the Delete After Copy check box to deselect it. (A tick indicates that the log files will be deleted.)
4. Click on the OK button.

If Manager is being run remotely, A: is the drive located on the MAILsweeper machine. This is not the same machine that Manager is running on. See page 6-25 for details on remote management.

Stopping the MAILsweeper service

MAILsweeper starts automatically when the system is started and stops when the system is stopped. However, you may have to stop MAILsweeper manually at other times, for example, to carry out post office maintenance.

You can stop the MAILsweeper service manually, using MAILsweeper Manager.

To stop the MAILsweeper service:

1. Select the Shutdown Service option from the System menu⁵ of the MAILsweeper Manager dialog box, shown on page 6-17.
2. Exit the MAILsweeper Manager dialog box immediately, by clicking on the Exit button or pressing the <X> key.

If you do not exit Manager immediately the MAILsweeper Manager dialog box turns red and displays the following message:

'Unable to communicate with service'

This is because the MAILsweeper Manager can no longer communicate with the MAILsweeper service (as it has been stopped). In this situation Manager will continue attempts to communicate with the MAILsweeper service and will re-establish communications when the service is restarted.

The above message may also be displayed if MAILsweeper Manager and the MAILsweeper service are running on separate machines and the network connection has been broken. In this instance the MAILsweeper service may still be running and communications will be re-established when the network connection is restored.

MAILsweeper can also be stopped via the Services dialog box found in the Control Panel, or at the command prompt. For details, see pages 6-2 and 6-5 respectively.

Starting MAILsweeper Manager (remotely)

The MAILsweeper service can be accessed and managed remotely by using MAILsweeper Manager on any Windows 95 or Windows NT machine.

This remote management interface enables you to manage MAILsweeper over the network, that is, when the MAILsweeper Manager and service are located on different machines.

Remote management allows you to perform all of the same functions as local management. See page 6-14 for details on these functions.

When copying messages from the quarantine areas or archiving the system logs, A: is the drive located on the MAILsweeper machine. This is not the same machine that Manager is being run from.

Before you can run Manager remotely, it must be installed on the remote machine.

Installing Manager on the remote machine

To install MAILsweeper Manager on the remote machine:

1. From the remote machine, access the host MAILsweeper machine. For example, you could do this using mapped drives.
2. Under the MAILsweeper directory of the host machine (default C:\MSW) there is a program called Netsetup.exe. Run this and follow the InstallShield dialog boxes to install Manager on the remote machine. The default directory for the installation is C:\MSW but you can change this if required, via one of the InstallShield dialog boxes.

One of the dialog boxes asks you to supply a TCP/IP hostname. This is the hostname of the MAILsweeper machine, not the remote machine that Manager is being run from.

Running Manager on the remote machine

To run MAILsweeper Manager remotely (for Windows NT 4.0):⁶

1. Click on the Windows NT 4.0 Start button.
2. Point to the Programs menu option.
3. Point to the MIMEsweeper menu option.
4. Click on the Remote Manager for <hostname> program name (where <hostname> is the name of the MAILsweeper machine).

The other two entries in the MIMEsweeper group allow you to Uninstall Manager or to access the MIMEsweeper manual (in HTML format).

Alternatively, you can type the following command at the DOS prompt of the remote machine.

MCN <hostname>

where <hostname> is the host name or the IP address of the MAILsweeper machine (this is not the NetBeui hostname).

For example:

MCN 129.215.112.165

If no <hostname> is supplied, Manager will try to connect to a MAILsweeper service on the remote machine.

For a remote manager to access a MAILsweeper host that is protected by a firewall, it may require TCP port 135 to be opened for access to the remote manager host.

 






¹ When the message is quarantined, the log file is also saved in one of the quarantine areas. See page 6-12 for details.

² For Windows 3.51, double-click on the Event Viewer icon that is displayed in the Administrative Tools program group.

³ For Windows 3.51, double-click on the Manager icon that is displayed in the MIMEsweeper program group.

⁴ For Windows NT 4.0, access the System menu by clicking on the small Manager icon at the top left corner of the screen.

⁵ For Windows NT 4.0, access the System menu by clicking on the small Manager icon at the top left corner of the screen.

⁶ For Windows 3.51, double-click on the Remote Manager for <hostname> icon that is displayed in the MIMEsweeper program group.

msw.support@mimesweeper.com

Copyright © 1998, Content Technologies Limited. All rights reserved.