When viewing log files to troubleshoot issues, it is important to understand how each of them works so that you can diagnose issues quickly. The purpose of this article is to inform the reader of what each log file contains, and which log files are important.
There are some similarities across almost all log files:
This is a list of log files that you will typically use when troubleshooting. Click on any of the log names to be taken to a page dedicated to that specific feature, which also explains how that log works.
Log Name | Log Description |
---|---|
AuthTerminate.log ConnTerminate.log FromTerminate.log HelloTerminate.log rcptTerminate.log TimeoutTerminate.log SMTPError.log | All of these logs refer to Xeams Intrusion Detection. To learn more about Intrusion Detection, check out this page: Intrusion Detection. For information about each specific log, click on any one of their names. |
SMTPConversation.log | This log contains communication between a foreign SMTP server sending to Xeams. |
SMTPProxyConversation.log | This log is identical to SMTPConversation.log but will only be written to when Xeams is running as a Proxy server. |
 | This log is used if Xeams has an IMAP server configured. Any commands sent between Xeams and the IMAP client, such as Microsoft Outlook or Mozilla Thunderbird, will be logged here. |
 | This log is used if Xeams has a POP3 server configured. Any commands sent between Xeams and the POP3 client, such as Microsoft Outlook or Mozilla Thunderbird, will be logged here. |
SMTPOutboundConversation.log | This log refers to messages going outbound from Xeams. Anything leaving the Xeams SMTP server will be logged to SMTPOutboundConversation.log. |
OutboundAuditTrailFailure.log OutboundAuditTrailSuccess.log | These logs are in addition to SMTPOutboundConversation.log. If there are any errors with this process you will see more detailed information about that message in OutboundAuditTrailFailure.log, whereas successful messages will be in OutboundAuditTrailSuccess.log. |
InvalidPasswordAttempts.log | If someone attempts to connect to Xeams using a valid account with an invalid password, this log will list the IP address and attempted username of any invalid password attempts. This page will talk about this: Invalid Passwords |
NDR.log | This log will be written to whenever Xeams sends or receives an NDR. For more information on NDR, check out this page: Xeams NDR |
SuccessfulLogins.log | The SuccessfulLogins.log will record any user that entered their credentials correctly. This includes SMTP, HTTP, IMAP and POP3. This is useful to find out which user logged in during a specific time, and if they are logging in securely or not. |
Xeams.log | This log contains information about the Xeams webserver itself. For troubleshooting generic webserver issues, start here. For information on Xeams.log, check out this page: Xeams Logging |
This is a list of logs that are either generic webserver logs, or only logged to when a specific feature is enabled in Xeams.
Log Name | Log Description |
---|---|
DeletedEmails.log | This contains information about emails that are scored higher than your deletion threshold. When an email is automatically deleted by Xeams, it will be logged here. This will contain the Timestamp, Subject, Sender and Recipient. |
DKIMFailure.log | If there is a problem with DKIM on either an incoming or outgoing message, it will be logged here. This contains the Timestamp, LCID, Subject, Sender and Recipient. |
DRVCommunication.log | List of emails deleted by users. This contains timestamp of deletion, IP of the machine that deleted the email, username, subject of the email, file location of the .eml file. |
E2EEnc.log | If the End-To-End Encryption feature is enabled in Xeams, whenever an email is sent using E2E Encryption it will be logged to E2EEnc.log. This contains the Timestamp, LCID, Sender and Recipient. |
EmailRestoration.log | If a user restores an email from their Quarantine Report, that will be logged here. This will contain the Timestamp of Restoration, Username, and subject of the email. |
ExternalTools.log | If you are running an external process when a new email is received via the External Tools feature, each run of that process will be logged here. It contains the timestamp, subject of the message that triggered this tool, and which tool was triggered. For more information on External Processes, check out this page: External Processes |
ForgedSenders.log | Description Here |
GreyListing.log | If the Grey Listing feature is enabled in Xeams, any messages that are received that contain a Grey Listed IP are logged here. For information on this feature and how to understand this log go to this page: Grey Listing |
MailingList.log | This log is written to when the Mailing List feature of Xeams is utilized. |
MailMerge.log | This log is written to when the Mail Merge feature of Xeams is utilized. |
OutboundForgeries.log | If an Outbound Forgery alert is generated, that will be logged here. This will contain the Timestamp, LCID, Sender, Recipient and Subject of the email. |
Performance.log | description here |
ProxyAuditTrail.log | If Xeams is running with the Proxy SMTP server enabled, the full audit trail will be logged here. |
QuarantineReports.log | Xeams sends out quarantine reports to users at specified times. When a quarantine report is sent to a user it will be logged here. This will contain the Timestamp, Recipient of the reports, and how many total reports were generated and sent. |
SmartHost.log | If a smart host is used, any communication between Xeams and the smart host will be logged here. |
SrvStdErr.log SrvStdOut.log StarterErr.log StarterOut.log | These are generic Java webserver logs. |
UserFilters.log | If any user filtering rules are enabled, a log of these triggering will be written here. An example of this would be a rule that takes any inbound messages for John@mycompany.com and delivers them to the inbox of Frank@mycompany.com and Lisa@mycompany.com |
ChallengeResponse.log | This log contains information regarding Email Challenge/Response filtering. There is a page that talks about this here: Challenge/Response |
This section covers how to enable additional logging tools in Xeams.
To enable additional logging tools in Xeams you will need to modify the contents of logconfig.xml. This file is located in your main $INSTALL_DIR/ folder. When editing this file, you will notice there are two sections: appenders and categories.
Each appender must have a corresponding category. The Appender specifies where the content is logged, such as the log name, size, and location, whereas the Category specifies what content is logged.
This log will be used whenever a user creates a temporary email and that address receives an email.
Appender
<appender class="org.apache.log4j.RollingFileAppender" name="TEMP_EMAIL">
<param name="File" value="logs/TempEmailTransformer.log"/>
<param name="Append" value="true"/>
<param name="MaxFileSize" value="5MB"/>
<layout class="org.apache.log4j.PatternLayout">
</layout>
</appender>
Category
<category name="TempEmailTransformer" additivity="false">
<priority value="DEBUG"/>
<appender-ref ref="TEMP_EMAIL"/>
</category>
If you have the Front Door Rejector enabled and specified for IP filtering, events caught by the rejector will be logged here.
Appender
<appender class="org.apache.log4j.RollingFileAppender" name="IPATTACKER">
<param name="File" value="logs/IPAttacker.log"/>
<param name="Append" value="true"/>
<param name="MaxFileSize" value="5MB"/>
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>
<category name="IPAttacker" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="IPATTACKER"/>
</category>
If you have the Front Door Rejector enabled and specified for IP filtering, events caught by the rejector will be logged here.
Appender
<appender class="org.apache.log4j.RollingFileAppender" name="LDAP">
<param name="File" value="logs/Ldap.log"/>
<param name="Append" value="true"/>
<param name="MaxFileSize" value="5MB"/>
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>
<category name="LdapCommunication" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="LDAP"/>
</category>
Xeams has the ability to handle emails with large attachments by using SynaMan to remove the attachment from the message and include it as a download link in the message body. If this occurs, Xeams will log the event here.
Appender
<appender class="org.apache.log4j.RollingFileAppender" name="LARGE_EMAIL_LOG">
<param name="File" value="logs/LargeEmails.log"/>
<param name="Append" value="true"/>
<param name="MaxFileSize" value="5MB"/>
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>
<category name="LargeEmail" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="EMAIL"/>
<appender-ref ref="LARGE_EMAIL_LOG"/>
</category>
If you have set up a distribution list, whenever an email comes in and gets forwarded to multiple aliases, that email will be logged here, along with the users that received it.
Appender
<appender name="ALIAS_HANDLER" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/Aliases.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>
<category name="AliasHandler" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="ALIAS_HANDLER"/>
</category>
Xeams has the ability to improve itself via the Spam Learner feature. Whenever you forward a message to the spam learner address it will be logged here.
Appender
<appender name="SPAM_LEARNER" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/SpamLearner.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>
<category name="SpamLearner" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="SPAM_LEARNER"/>
</category>
If you have the Front Door Rejector enabled and configured to filter content, these events will be logged here.
Appender
<appender name="FRONTDOOR" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/FrontDoor.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>
<category name="FrontDoorRejector" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="FRONTDOOR"/>
</category>
This log will have events related to emails caught by the DomainInspector filter.
Appender
<appender name="DOMAIN_INSPECTOR" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/DomainInspector.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>
<category name="DomainInspector" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="DOMAIN_INSPECTOR"/>
</category>
If you have multiple Xeams servers running with clustering enabled, any communication between the servers is logged here.
Appender
<appender name="CLUSTER" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/Cluster.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p [%t] %c{2} - %m%n"/>
</layout>
</appender>
<category name="ClusterManager" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="CLUSTER"/>
</category>
You can configure Xeams to assign scores to emails that come in with either invalid or no DMARC configured. If an email is assigned a score through this filter it will be logged here.
Appender
<appender name="DMARC" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/Dmarc.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="25MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p [%t] %c{2} - %m%n"/>
</layout>
</appender>
<category name="Dmarc" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="DMARC"/>
</category>
If Xeams is configured to send out emails that it received from a different SMTP server, this log will record the check that the email has a valid DMARC.
Appender
<appender name="DMARC_OB_REPORTS" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/DmarcObReports.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="25MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p [%t] %c{2} - %m%n"/>
</layout>
</appender>
<category name="DmarcOutboundReporter" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="DMARC_OB_REPORTS"/>
</category>
<appender name="NO_TLS" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/NoTLSRejections.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="25MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>
<category name="SMTP_TLS_NOT_USED" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="NO_TLS"/>
</category>
<appender name="RBL_SERVERS" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/RblServers.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>
<category name="RBLServerCheck" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="RBL_SERVERS"/>
</category>
If you use SynRBL as your RBL server in Xeams, any filtering that is caught by the SynRBL is logged here.
Appender
<appender name="SynRBL" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/SynRBL.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>
<category name="SynRblCUM" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="SynRBL"/>
</category>
<appender name="WELL_KNOWN_DOMAINS" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/WellKnownDomains.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>
<category name="WellKnownDomains" additivity="false">
<priority value="DEBUG"/>
<appender-ref ref="WELL_KNOWN_DOMAINS"/>
</category>
<appender name="VIRUS_DETECTOR" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/VirusDetector.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>
<category name="VirusDetector" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="VIRUS_DETECTOR"/>
</category>
<appender name="ClamAV_Client" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/ClamAVClient.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>
<category name="ClamAvClient" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="ClamAV_Client" />
</category>
<appender name="CUSTOM_FILTERS_PERF" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/CustomFiltersPerf.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>
<category name="CustomFilterPerformance" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="CUSTOM_FILTERS_PERF"/>
</category>
<appender name="OB_THRU_SLAVE" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/ObThruSlaves.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="25MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>
<category name="OutboundEmailToSlaves" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="OB_THRU_SLAVE"/>
</category>
<appender name="EXTERNAL_TOOL" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/ExternalTool.log" />
<param name="Append" value="true" />
<param name="MaxFileSize" value="5MB" />
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>
<category name="ExternalTool" additivity="false">
<priority value="DEBUG" />
<appender-ref ref="EXTERNAL_TOOL"/>
</category>
If you have custom recipient rejectors specified for your front door rejector, any blocked recipients will be logged here.
Appender
<appender name="CUSTOM_RR" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/CustomRecipientRejector.log"/>
<param name="Append" value="true"/>
<param name="MaxFileSize" value="5MB"/>
<layout class="org.apache.log4j.PatternLayout">
<param name="ConversionPattern" value="%d %-5p %c{2} - %m%n"/>
</layout>
</appender>
<category name="CustomRecipientRejector" additivity="false">
<priority value="DEBUG"/>
<appender-ref ref="CUSTOM_RR"/>
</category>
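Because every appender needs a matching category, a quick cross-check after editing logconfig.xml catches the usual copy-and-paste slips before a log silently stays empty. The script below is an added example, not part of Xeams: it assumes the file uses the standard log4j 1.x root element, and the embedded fragment is constructed from the snippets above (it deliberately leaves the `EMAIL` appender undefined and `IPATTACKER` without a category).

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed fragment in the shape of the snippets above. The root element is
# the standard log4j 1.x one and is an assumption about logconfig.xml.
SAMPLE = """<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
<appender name="TEMP_EMAIL" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/TempEmailTransformer.log"/>
</appender>
<appender name="IPATTACKER" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/IPAttacker.log"/>
</appender>
<appender name="LARGE_EMAIL_LOG" class="org.apache.log4j.RollingFileAppender">
<param name="File" value="logs/LargeEmails.log"/>
</appender>
<category name="TempEmailTransformer" additivity="false">
<priority value="DEBUG"/>
<appender-ref ref="TEMP_EMAIL"/>
</category>
<category name="LargeEmail" additivity="false">
<priority value="DEBUG"/>
<appender-ref ref="EMAIL"/>
<appender-ref ref="LARGE_EMAIL_LOG"/>
</category>
</log4j:configuration>"""


def audit_logconfig(xml_text):
    """Cross-check appenders against the categories that reference them."""
    root = ET.fromstring(xml_text)
    files = defaultdict(list)            # log file path -> appender names
    defined = set()
    for app in root.iter("appender"):
        defined.add(app.get("name"))
        for param in app.findall("param"):
            if param.get("name") == "File":
                files[param.get("value")].append(app.get("name"))
    referenced, dangling = set(), []
    for tag in ("category", "logger", "root"):
        for owner in root.iter(tag):
            for ref in owner.findall("appender-ref"):
                name = ref.get("ref")
                referenced.add(name)
                if name not in defined:  # names are compared as exact strings
                    dangling.append((owner.get("name", tag), name))
    return {
        "dangling_refs": dangling,                               # ref to a missing appender
        "unreferenced_appenders": sorted(defined - referenced),  # appender with no category
        "shared_files": {f: n for f, n in files.items() if len(n) > 1},
    }


if __name__ == "__main__":
    for finding, value in audit_logconfig(SAMPLE).items():
        print(finding, value)
```

Run it against the full logconfig.xml rather than a fragment, since an appender such as `EMAIL` may be defined elsewhere in the file.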
This section covers which logs to look at when troubleshooting specific errors.
If you cannot reach Xeams webserver, even from the local machine, there could be an issue with it. First, confirm that the webserver is running by checking the services on the local machine for Xeams. If it is running, restart the service.
Once the service has been restarted, check to see if the webserver is now reachable.
In either situation, open up Xeams.log and scroll to the very end. Slightly above the end you should see a line that looks like this:
xeams.ServerStarter - ---------------------------------------------------
This line is the restart of Xeams. If the server is now reachable you can scroll up from here and search for [ERROR] lines to see what has gone wrong.
If the server is still unreachable, search below that line for [ERROR] lines to see what is causing the server to not start.
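The same triage can be scripted when Xeams.log is large. This is an added example, not a Xeams tool: only the dashed `xeams.ServerStarter` line and the `[ERROR]` tag come from this article, while the timestamps, logger names and messages in the sample are constructed, and the stack-trace handling assumes ordinary Java traces.

```python
import re

# The dashed xeams.ServerStarter line and the [ERROR] tag are from the article;
# timestamps, logger names and messages below are constructed for the example.
MARKER = re.compile(r"xeams\.ServerStarter - -{10,}")
SAMPLE = """\
2024-05-01 09:58:11 [INFO] constructed.Smtp - listening
2024-05-01 09:59:40 [ERROR] constructed.Web - constructed failure before restart
2024-05-01 10:00:02 [INFO] xeams.ServerStarter - ---------------------------------------------------
2024-05-01 10:00:03 [INFO] constructed.Web - starting
2024-05-01 10:00:05 [ERROR] constructed.Web - constructed failure during startup
java.net.BindException: Address already in use
\tat constructed.Web.start(Web.java:1)
"""
# Lines that continue a Java stack trace (assumed format).
TRACE = re.compile(r"^(\s+at |Caused by:|[\w.$]+(Exception|Error)\b)")


def _trace(lines, idx):
    """Collect Java stack-trace lines that directly follow lines[idx]."""
    out = []
    for nxt in lines[idx + 1:]:
        if not TRACE.match(nxt):
            break
        out.append(nxt.strip())
    return out


def triage(log_text, keep=20):
    """Split [ERROR] entries around the most recent restart marker."""
    lines = log_text.splitlines()
    restart = None
    for i, line in enumerate(lines):
        if MARKER.search(line):
            restart = i                      # keep the last marker seen
    errors = [(i + 1, text, _trace(lines, i))
              for i, text in enumerate(lines) if "[ERROR]" in text]
    if restart is None:                      # no restart recorded in this file
        return {"restart_line": None, "before": errors[-keep:], "after": []}
    return {
        "restart_line": restart + 1,
        # server reachable again: what went wrong before the restart
        "before": [e for e in errors if e[0] <= restart][-keep:],
        # server still down: what is stopping it from starting
        "after": [e for e in errors if e[0] > restart + 1],
    }


if __name__ == "__main__":
    result = triage(SAMPLE)
    print("restart at line", result["restart_line"])
    for section in ("before", "after"):
        for lineno, text, trace in result[section]:
            print(section, lineno, text, trace)
```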
If you are having issues with inbound emails, check out our troubleshooting page on this here: Troubleshooting Inbound Messages
If you are having issues with outbound emails, check out our troubleshooting page on this here: Troubleshooting Outbound Messages
Certain configurations can slow down Xeams, making it unresponsive. Please take a look at the performance KB article to help you troubleshoot the root of the cause.