AMP.ENGINE.ALERT
|
See Ensuring That You Receive Alerts About Advanced Malware Protection Issues
|
-
|
AMP.ENGINE.ALERT.WARN
|
Alert text: Failed to register the file analysis group name with Cisco Threat Grid server. Contact Cisco TAC for assistance.
Alert level: WARNING.
Description: Alert is sent when the email gateway fails to register the Appliance Group Name using the Smart Account ID with
the Cisco Secure Malware Analytics (Threat Grid) server.
|
Parameter: reason for the failure
|
AsyncOS API Alerts
|
See “Alerts” section in the AsyncOS API for Cisco Secure Email Gateway - Getting Started Guide.
|
-
|
Mailbox Auto Remediation Alerts
|
See “Alerts” section in Remediating Messages in Mailboxes
|
-
|
COMMON.APP_FAILURE
|
An application fault occurred: $error
|
’error’ - The text of the error, typically a traceback.
|
Warning. Sent when there is an unknown application failure.
|
COMMON.ENGINE_AUTO_UPDATE_ENABLED
|
<$level>: <$class>
|
'$engine' - The name of the Service Engine. The values can be:
|
Information: Automatic updates have been enabled for the particular engine <$engine>. You will now receive automatic engine
updates for this engine.
|
COMMON.ENGINE_AUTO_UPDATE_DISABLED
|
<$level>: <$class>
|
'$engine' - The name of the Service Engine. The values can be:
|
Information: Automatic updates have been disabled for the particular engine <$engine>. You will not receive any automatic
updates for this engine, unless you enable automatic updates in the global setting page of the particular engine.
|
COMMON.KEY_EXPIRED_ALERT
|
Your "$feature" key has expired. Please contact your authorized Cisco sales representative.
|
’feature’ - The name of the feature that is about to expire.
|
Warning. Sent when a feature key has expired.
|
COMMON.KEY_EXPIRING_ALERT
|
Your "$feature" key will expire in under $days day(s). Please contact your authorized Cisco sales representative.
|
’feature’ - The name of the feature that is about to expire.
’days’ - The number of days until it expires.
|
Warning. Sent when a feature key is about to expire.
|
COMMON.KEY_FINAL_EXPIRING_ALERT
|
This is a final notice. Your "$feature" key will expire in under $days day(s). Please contact your authorized Cisco sales
representative.
|
’feature’ - The name of the feature that is about to expire.
’days’ - The number of days until it expires.
|
Warning. Sent as a final notice that a feature key is about to expire.
|
KEYS.GRACE_EXPIRING_ALERT
|
All security services licenses for this email gateway have expired. The email gateway will continue to deliver mail without security services for $days days.
To renew security services licenses, Please contact your authorized Cisco sales representative.
|
’days’ - The number of days remaining in the grace period at the time the alert was sent.
For more information about the grace period, see Virtual Email Gateway License Expiration.
|
Critical. Sent periodically from the start of the grace period for virtual email gateway license expiration.
|
KEYS.GRACE_FINAL_EXPIRING_ALERT
|
This is the final notice. All security services licenses for this email gateway have expired. The email gateway will continue to deliver mail without security services for 1 day.
To renew security services licenses, Please contact your authorized Cisco sales representative.
|
For more information about the grace period, see Virtual Email Gateway License Expiration.
|
Critical. Sent one day before the virtual email gateway license expires.
|
KEYS.GRACE_EXPIRED_ALERT
|
Your grace period has expired. All security sevice have expired, and your email gateway is non-functional. The email gateway will no longer deliver mail until a new license is applied.
To renew security services licenses, Please contact your authorized Cisco sales representative.
|
For more information about the grace period, see Virtual Email Gateway License Expiration.
|
Critical. Sent when the grace period for virtual email gateway has expired.
|
DNS.BOOTSTRAP_FAILED
|
Failed to bootstrap the DNS resolver. Unable to contact root servers.
|
|
Warning. Sent when the email gateway is unable to contact the root DNS servers.
|
COMMON.INVALID_FILTER
|
Invalid $class: $error
|
‘class’ - Either "Filter", "SimpleFilter", etc.
’error’ - Additional why-filter-is-invalid info.
|
Warning. Sent when an invalid filter is encountered.
|
IPBLOCKD.HOST_ADDED_TO_ALLOWED_LIST
IPBLOCKD.HOST_ADDED_TO_BLOCKED_LIST
IPBLOCKD.HOST_REMOVED_FROM_BLOCKED_LIST
|
The host at $ip has been added to the blocked list because of an SSH DOS attack.
The host at $ip has been permanently added to the ssh allowed list.
The host at $ip has been removed from the blocked list.
|
’ip’ - IP address from which a login attempt occurred.
|
Warning.
IP addresses that try to connect to the email gateway over SSH but do not provide valid credentials are added to the SSH blocked list if more than 10 failed attempts occur within two minutes.
When a user logs in successfully from the same IP address, that IP address is added to the allowed list.
Addresses on the allowed list are allowed access even if they are also on the blocked list.
Entries are automatically removed from the blocked list after about a day.
|
LDAP.GROUP_QUERY_FAILED_ALERT
|
LDAP: Failed group query $name, comparison in filter will evaluate as false
|
’name’ - The name of the query.
|
Critical. Sent when an LDAP group query fails.
|
LDAP.HARD_ERROR
|
LDAP: work queue processing error in $name reason $why
|
’name’ - The name of the query.
’why’ - Why the error happened.
|
Critical. Sent when an LDAP query fails completely (after trying all servers).
|
LOG.ERROR.*
|
Critical. Various logging errors.
|
|
MAIL.FILTER.RULE_MATCH_ALERT
|
MID $mid matched the $rule_name rule. \n Details: $details
|
‘mid’ - Unique identification number of the message.
‘rule_name’ - The name of the rule that matched.
‘details’ - More information about the message or the rule.
|
Information. Sent every time a Header Repeats rule evaluates to true.
|
MAIL.PERRCPT.LDAP_GROUP_QUERY_FAILED
|
LDAP group query failure during per-recipient scanning, possible LDAP misconfiguration or unreachable server.
|
|
Critical. Sent when an LDAP group query fails during per-recipient scanning.
|
MAIL.QUEUE.ERROR.*
|
Critical. Various mail queue hard errors.
|
|
MAIL.OMH.DELIVERY_RETRY
|
Subject - 'Alert: Message Delivery failed for $hostname. DANE verification failed for one or more Domain(s).'
Message - The message delivery failed due to DANE verification failure for all mail exchange (MX) hosts in $hostname. The email gateway will attempt message delivery again or bounce the message.
|
‘host’ - The host for which the DANE verification has failed.
|
MAIL.RES_CON_START_ALERT.MEMORY
|
This system (hostname: $hostname) has entered a ‘resource conservation’ mode in order to prevent the rapid depletion of critical
system resources. RAM utilization for this system has exceeded the resource conservation threshold of $memory_threshold_start%.
The allowed receiving rate for this system will be gradually decreased as RAM utilization approaches $memory_threshold_halt%.
|
’hostname’ - The name of the host.
’memory_threshold_start’ - The percent threshold where memory tarpitting starts.
’memory_threshold_halt’ - The percent threshold where the system will halt due to memory being too full.
|
Critical. Sent when RAM utilization has exceeded the system resource conservation threshold.
|
MAIL.RES_CON_START_ALERT.QUEUE_SLOW
|
This system (hostname: $hostname) has entered a ‘resource conservation’ mode in order to prevent the rapid depletion of critical
system resources. The queue is overloaded and is unable to maintain the current throughput.
|
’hostname’ - The name of the host.
|
Critical. Sent when the mail queue is overloaded and system resource conservation is enabled.
|
MAIL.RES_CON_START_ALERT.QUEUE
|
This system (hostname: $hostname) has entered a ‘resource conservation’ mode in order to prevent the rapid depletion of critical
system resources. Queue utilization for this system has exceeded the resource conservation threshold of $queue_threshold_start%.
The allowed receiving rate for this system will be gradually decreased as queue utilization approaches $queue_threshold_halt%.
|
‘hostname’ - The name of the host.
‘queue_threshold_start’ - The percent threshold where queue tarpitting starts.
‘queue_threshold_halt’ - The percent threshold where the system will halt due to the queue being too full.
|
Critical. Sent when queue utilization has exceeded the system resource conservation threshold.
|
MAIL.RES_CON_START_ALERT.WORKQ
|
This system (hostname: $hostname) has entered a ‘resource conservation’ mode in order to prevent the rapid depletion of critical
system resources. Listeners have been suspended because the current work queue size has exceeded the threshold of $suspend_threshold.
Listeners will be resumed once the work queue size has dropped to $resume_threshold. These thresholds may be altered via use
of the ‘tarpit’ command on the system CLI.
|
‘hostname’ - The name of the host.
‘suspend_threshold’ - Work queue size above which listeners are suspended.
‘resume_threshold’ - Work queue size below which listeners are resumed.
|
Information. Sent when listeners are suspended because the work queue size is too big.
|
MAIL.RES_CON_START_ALERT
|
This system (hostname: $hostname) has entered a ‘resource conservation’ mode in order to prevent the rapid depletion of critical
system resources.
|
‘hostname’ - The name of the host.
|
Critical. Sent when the email gateway enters “resource conservation” mode.
|
MAIL.RES_CON_STOP_ALERT
|
This system (hostname: $hostname) has exited ‘resource conservation’ mode as resource utilization has dropped below the conservation
threshold.
|
‘hostname’ - The name of the host.
|
Information. Sent when the email gateway leaves ‘resource conservation’ mode.
|
MAIL.URL_REP_CLIENT.CATEGORY_CHANGE
|
See Future URL Category Set Changes.
|
—
|
MAIL.BEAKER_CONNECTOR.CERTIFICATE_INVALID
|
See Troubleshooting URL Filtering.
|
MAIL.BEAKER_CONNECTOR.ERROR_FETCHING_CERTIFICATE
|
MAIL.WORK_QUEUE_PAUSED_NATURAL
|
work queue paused, $num msgs, $reason
|
‘num’ - The number of messages in the work queue.
‘reason’ - The reason the work queue is paused.
|
Critical. Sent when the work queue is paused.
|
MAIL.WORK_QUEUE_UNPAUSED_NATURAL
|
work queue resumed, $num msgs
|
‘num’ - The number of messages in the work queue.
|
Critical. Sent when the work queue is resumed.
|
NTP.NOT_ROOT
|
Not running as root, unable to adjust system time
|
|
Warning. Sent when the email gateway is unable to adjust time because NTP is not running as root.
|
QUARANTINE.ADD_DB_ERROR
|
Unable to quarantine MID $mid - quarantine system unavailable
|
’mid’ - MID
|
Critical. Sent when a message cannot be sent to a quarantine.
|
QUARANTINE.DB_UPDATE_FAILED
|
Unable to update quarantine database (current version: $version; target $target_version)
|
’version’ - The schema version detected.
’target_version’ - The target schema version.
|
Critical. Sent when a quarantine database cannot be updated.
|
QUARANTINE.DISK_SPACE_LOW
|
The quarantine system is unavailable due to a lack of space on the $file_system partition.
|
’file_system’ - The name of the filesystem.
|
Critical. Sent when the disk space for quarantines is full.
|
QUARANTINE.THRESHOLD_ALERT
|
Quarantine "$quarantine" is $full% full
|
’quarantine’ - The name of the quarantine.
’full’ - The percentage of how full the quarantine is.
|
Warning. Sent when a quarantine reaches 5%, 50%, or 75% of capacity.
|
QUARANTINE.THRESHOLD_ALERT.SERIOUS
|
Quarantine "$quarantine" is $full% full
|
’quarantine’ - The name of the quarantine.
’full’ - The percentage of how full the quarantine is.
|
Critical. Sent when a quarantine reaches 95% of capacity.
|
REPORTD.DATABASE_OPEN_FAILED_ALERT
|
The reporting system has encountered a critical error while opening the database. In order to prevent disruption of other
services, reporting has been disabled on this machine. Please contact customer support to have reporting enabled. The error
message is: $err_msg
|
’err_msg’ - The error message raised
|
Critical. Sent if the reporting engine is unable to open the database.
|
REPORTD.AGGREGATION_DISABLED_ALERT
|
Processing of collected reporting data has been disabled due to lack of logging disk space. Disk usage is above $threshold
percent. Recording of reporting events will soon become limited and reporting data may be lost if disk space is not freed
up (by removing old logs, etc.). Once disk usage drops below $threshold percent, full processing of reporting data will be
restarted automatically.
|
’threshold’ - The threshold value
|
Warning. Sent if the system runs out of disk space. When the disk usage for a log entry exceeds the log usage threshold,
reportd disables aggregation and sends the alert.
|
REPORTING.CLIENT.UPDATE_FAILED_ALERT
|
Reporting Client: The reporting system has not responded for an extended period of time ($duration).
|
’duration’ - Length of time the client has been trying to contact the reporting daemon. This is a string in a human readable format (’1h 3m 27s’).
|
Warning. Sent if the reporting engine was unable to save reporting data.
|
REPORTING.CLIENT.JOURNAL.FULL
|
Reporting Client: The reporting system is unable to maintain the rate of data being generated. Any new data generated will
be lost.
|
|
Critical. Sent if the reporting engine is unable to store new data.
|
REPORTING.CLIENT.JOURNAL.FREE
|
Reporting Client: The reporting system is now able to handle new data.
|
|
Information. Sent when the reporting engine is again able to store new data.
|
PERIODIC_REPORTS.REPORT_TASK.BUILD_FAILURE
|
A failure occurred while building periodic report ‘$report_title’. This subscription has been removed from the scheduler.
|
‘report_title’ - the report title
|
Critical. Sent when the reporting engine is unable to build a report.
|
PERIODIC_REPORTS.REPORT_TASK.EMAIL_FAILURE
|
A failure occurred while emailing periodic report ‘$report_title’. This subscription has been removed from the scheduler.
|
’report_title’ - the report title
|
Critical. Sent when a report could not be emailed.
|
PERIODIC_REPORTS.REPORT_TASK.ARCHIVE_FAILURE
|
A failure occurred while archiving periodic report ’$report_title’. This subscription has been removed from the scheduler.
|
’report_title’ - the report title
|
Critical. Sent when a report could not be archived.
|
SENDERBASE.ERROR
|
Error processing response to query $query: response was $response
|
’query’ - The query address.
’response’ - Raw data of response received.
|
Information. Sent when an error occurred while processing a response from SenderBase.
|
SMTPAUTH.FWD_SERVER_FAILED_ALERT
|
SMTP Auth: could not reach forwarding server $ip with reason: $why
|
’ip’ - The IP of the remote server.
’why’ - Why the error happened.
|
Warning. Sent when the SMTP Authentication forwarding server is unreachable.
|
SMTPAUTH.LDAP_QUERY_FAILED
|
SMTP Auth: LDAP query failed, see LDAP debug logs for details.
|
|
Warning. Sent when an LDAP query fails.
|
SYSTEM.HERMES_SHUTDOWN_FAILURE.REBOOT
|
While preparing to ${what}, failed to stop mail server gracefully: ${error}
$what:=reboot
|
’error’ - The error that happened.
|
Warning. Sent when there was a problem shutting down the system on reboot.
|
SYSTEM.HERMES_SHUTDOWN_FAILURE.SHUTDOWN
|
While preparing to ${what}, failed to stop mail server gracefully: ${error}
$what:=shut down
|
’error’ - The error that happened.
|
Warning. Sent when there was a problem shutting down the system.
|
SYSTEM.LOGIN_FAILURES_LOCK_ALERT
|
User "$user" is locked after $numlogins consecutive login failures. Last login attempt was from $rhost
Information: Sent when the user account is locked because of maximum number of failed login attempts
|
'user' - The name of the user
'numlogins' - The configured alert threshold
'rhost' - The address of the remote host
|
SYSTEM.RCPTVALIDATION.UPDATE_FAILED
|
Error updating recipient validation data: $why
|
’why’ - The error message.
|
Critical. Sent when a recipient validation update failed.
|
SYSTEM.SERVICE_TUNNEL.DISABLED
|
Tech support: Service tunnel has been disabled
|
|
Information. Sent when a tunnel created for Cisco Support Services is disabled.
|
SYSTEM.SERVICE_TUNNEL.ENABLED
|
Tech support: Service tunnel has been enabled, port $port
|
’port’ - The port used for the service tunnel.
|
Information. Sent when a tunnel created for Cisco Support Services is enabled.
|
WATCHDOG_RESTART_ALERT_MSG
|
<$level>: <$class>, <$hostname>: $subject $text
Warning.
The email gateway uses the watchdog service to monitor the health condition of the following engines:
- Anti-Spam
- Anti-Virus
- Anti Malware Protection
- Graymail
If any of the above engines does not respond to the watchdog service for a certain duration, the watchdog service restarts the engine(s) and sends an alert to the administrator.
|
'subject' - Watchdog alert subject specific to the engine
'text' - Watchdog alert text specific to the engine
|
MAIL.IMH.GEODB_UPDATE_COUNTRIES
|
Warning. Geolocation Update - the list of supported countries has changed.
Added Countries - <$added>
Deleted Countries - <$deleted>
Review your HAT sender groups, Message Filters, and Content Filters settings accordingly.
|
’added’ - The following countries are added: <iso_code1>:<country_name1>,<iso_code2>:<country_name2>,
’deleted’ - The following countries are deleted: <iso_code1>:<country_name1>:<iso_code2>:<country_name2>,
|
MAIL.UPDATED_SHORT_URL_DOMAIN_LIST
|
Info. The list of shortened URL domains has been updated..
Added Domains: <$added_domains>
Deleted Domains - <$deleted_domains>
|
’added_domains’: The following domains are added: <domains_1>, <domain_2>
’deleted_domains’ : The following domains are deleted: <domain_3>, <domain_4>
|
MAIL.DOMAINS_NOT_REACHABLE
|
Warning. The following domains are not reachable by the email gateway for shortened URL support: <$domains>
Check your firewall rules to allow your email gateway to connect to these domains.
|
<$domains>: comma separated list of domains
|
MAIL.UPGRADE_CONFIG_CHANGE.ALERT
|
Info. Sent when the user configured value is changed by the system during the upgrade.
|
'text' - The Intelligent Multi-Scan and the Graymail global configuration settings have been modified during the upgrade. Please
review the global settings for the Intelligent Multi-Scan and the Graymail configurations.
|
CERTIFICATE.CERT_EXPIRING_ALERT
|
Your certificate "$certificate" will expire in $days day(s).
Alert level : WARNING
|
'certificate' - The name of the certificate that is about to expire.
'days' - The number of days until it expires.
|
CERTIFICATE.CERT_CRITICAL_EXPIRING_ALERT
|
Your certificate "$certificate" will expire in $days hour(s).
Alert level : CRITICAL
A ‘CRITICAL’ certificate validity period is less than 5 days.
|
'certificate' - The name of the certificate that is about to expire.
'days' - The number of days with remaining time (HH:MM:SS), for example, 4 days 10:12:20 hour(s).
|
CERTIFICATE.CERT_EXPIRED_ALERT
|
Your certificate "$certificate" has expired.
Alert level : CRITICAL
|
'certificate' - The name of the certificate that has expired.
|
CERTIFICATE.UPDATER_CERT_EXPIRING_ALERT
|
Your certificate "$certificate" will expire in $days day(s). Use the updateconfig -> trusted_certificates -> delete subcommand in the CLI to delete any unused certificates from the updater trusted certificate list.
Alert level : WARNING
|
'certificate' - The name of the certificate that is about to expire.
'days' - The number of days until it expires.
|
CERTIFICATE.UPDATER_CERT_CRITICAL_EXPIRING_ALERT
|
Your certificate "$certificate" will expire in $days hour(s). Use the updateconfig -> trusted_certificates -> delete subcommand in the CLI to delete any unused certificates from the updater trusted certificate list.
Alert level : CRITICAL
|
'certificate' - The name of the certificate that is about to expire.
'days' - The number of days until it expires.
|
MAIL.APP.NO_ACCESS_KEY
|
Alert text: 'Failed to poll for the Cisco Advanced Phishing Protection Cloud Service expiry date, add API AccessUID and API
Access secret key.'
Description: Alert is sent when a query for the APP expiry date failed because the API Access key and the secret key were not entered.
|
N/A
|
MAIL.APP.INVALID_KEY
|
Alert text: Failed to poll for the Cisco Advanced Phishing Protection Cloud Service expiry date because the API Access Key
is invalid. You need to re-configure the API Access UID and secret key.
Description: Alert is sent when a query for the APP expiry date failed because the API Access key and the secret key were not entered.
|
N/A
|
MAIL.APP.EXPIRED
|
Alert text: The Cisco Advanced Phishing Protection Cloud Service has expired and is disabled. Contact your Cisco Account Manager
to renew the service and enable it.
Description: The Cisco Advanced Phishing Protection Cloud Service has expired and is disabled. You need to renew the APP license
and enable the APP service.
|
N/A
|
MAIL.APP.EXPIRY_REMINDER
|
Alert text: Cisco Advanced Phishing Protection Cloud Service expires on $eaas_expiry_date. You need to contact your Cisco
Account Manager to renew the service.
Description: Alert is sent each day, starting from three days before the expiry period.
|
Parameters: eaas_expiry_date - date on which Cisco Advanced Phishing Protection Cloud Service will expire
|
MAIL.APP.SERVICE_UNAVAILABLE
|
Alert text: Cisco Advanced Phishing Protection Cloud Service update. Unable to establish communication with the cloud service.
Description: APP cloud service is unavailable because ten consecutive mails failed to forward to APP.
|
N/A
|
MAIL.APP.SERVICE_AVAILABLE
|
Alert text: Cisco Advanced Phishing Protection Cloud Service update. Communication with the cloud service has been established.
Description: APP cloud service is available.
|
N/A
|
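For triage outside the appliance, the `$name` / `${name}` message templates in this table can be turned into extractors that recover the parameters from a received alert body. This is an added example, not Cisco code: the sample alert bodies used with it are constructed, and the pairing of the three IPBLOCKD texts with alert names and the numeric field patterns are assumptions.

```python
import ipaddress
import re

# (severity, template) pairs copied from rows of the table above. Pairing the
# three IPBLOCKD texts with alert names by their wording is an assumption.
TEMPLATES = {
    "IPBLOCKD.HOST_ADDED_TO_BLOCKED_LIST": ("Warning",
        "The host at $ip has been added to the blocked list because of an SSH DOS attack."),
    "IPBLOCKD.HOST_ADDED_TO_ALLOWED_LIST": ("Warning",
        "The host at $ip has been permanently added to the ssh allowed list."),
    "IPBLOCKD.HOST_REMOVED_FROM_BLOCKED_LIST": ("Warning",
        "The host at $ip has been removed from the blocked list."),
    "SYSTEM.LOGIN_FAILURES_LOCK_ALERT": ("Information",
        'User "$user" is locked after $numlogins consecutive login failures. '
        "Last login attempt was from $rhost"),
    "CERTIFICATE.CERT_EXPIRING_ALERT": ("Warning",
        'Your certificate "$certificate" will expire in $days day(s).'),
    "SYSTEM.SERVICE_TUNNEL.ENABLED": ("Information",
        "Tech support: Service tunnel has been enabled, port $port"),
}

# Assumed value shapes for numeric parameters; all other fields are free text.
FIELD_PATTERNS = {"numlogins": r"\d+", "days": r"\d+", "port": r"\d+"}
_VAR = re.compile(r"\$(?:\{(\w+)\}|(\w+))")


def compile_template(template):
    """Turn $name / ${name} placeholders into named capture groups."""
    template = " ".join(template.split())
    parts, pos, seen = [], 0, set()
    for m in _VAR.finditer(template):
        name = m.group(1) or m.group(2)
        parts.append(re.escape(template[pos:m.start()]))
        if name in seen:
            # A placeholder used twice in one template must carry the same value.
            parts.append(f"(?P={name})")
        else:
            parts.append(f"(?P<{name}>{FIELD_PATTERNS.get(name, '.+?')})")
            seen.add(name)
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))


COMPILED = {name: (sev, compile_template(t)) for name, (sev, t) in TEMPLATES.items()}


def parse_alert(text):
    """Return alert name, severity and parameters for a known body, else None."""
    norm = " ".join(text.split())  # undo line wrapping added in transit
    for name, (severity, rx) in COMPILED.items():
        m = rx.fullmatch(norm)
        if not m:
            continue
        params = m.groupdict()
        if "ip" in params:
            # Reject bodies whose address field is not an IP literal.
            try:
                params["ip"] = str(ipaddress.ip_address(params["ip"]))
            except ValueError:
                return None
        return {"alert": name, "severity": severity, "params": params}
    return None
```

Rows whose message text is identical, such as QUARANTINE.THRESHOLD_ALERT and QUARANTINE.THRESHOLD_ALERT.SERIOUS, cannot be told apart from the body alone.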