more on JOHLEM.net

=============================
IronPort Investigation & Troubleshooting Cheat Sheet
=============================
Filename: ironport_investigation_cheatsheet.txt

Command                           | Description
----------------------------------|-----------------------------------------------------------------------------------
tail mail_logs                    | View the last few lines of the mail logs to see recent events.
grep "" mail_logs                 | Search for a specific string in the mail logs (e.g., a message ID or email address).
grep "" -A 10 -B 10 mail_logs     | Search for a specific string and include 10 lines of context before and after each match.
hoststatus                        | Check the status of all configured hosts (useful for checking mail delivery status).
workqueue                         | Display messages currently in the work queue (useful for troubleshooting mail flow).
rate                              | Show the current email rate, including incoming and outgoing messages.
status                            | Display overall system status, including queue sizes, processing rates, etc.
grep "" mail_logs                 | Search the mail logs for all occurrences of a specific email address.
tail -f mail_logs                 | Follow the mail logs in real time to observe ongoing mail processing activity.
top                               | Display active processes and resource usage on the IronPort device (CPU, memory).
grep "MID " mail_logs             | Search for a specific Message ID (MID) in the mail logs to trace a particular email.
grep "ICID " mail_logs            | Search for a specific ICID in the mail logs, helpful for identifying the inbound connection.
grep "DCID " mail_logs            | Search for a specific DCID in the mail logs, helpful for identifying the outbound connection.
grep "RID " mail_logs             | Search for a specific RID in the mail logs, useful for identifying recipients.
grep "TID " mail_logs             | Search for a specific Transaction ID (TID) in the mail logs, useful for tracking sessions.
grep "SPAM" mail_logs             | Search the mail logs for entries tagged as spam.
grep "BOUNCE" mail_logs           | Search the mail logs for bounced emails.
tail mail_logs | grep "SPF"       | Search for Sender Policy Framework (SPF) checks in real time.
tail mail_logs | grep "DKIM"      | Search for DomainKeys Identified Mail (DKIM) checks in real time.
grep "block" mail_logs            | Search for blocked connections in the mail logs.
grep "virus" mail_logs            | Search the mail logs for entries related to virus detection.
grep "policy" mail_logs           | Search for messages that hit specific policy rules in the logs.
tail -f mail_logs | grep "451"    | Real-time tracking of 451 errors (temporary issues, often related to DNS or greylisting).
grep "TLS" mail_logs              | Search for TLS encryption-related entries in the mail logs.
hostrate                          | Check the rate at which each host is sending/receiving messages.
logconfig                         | Show or change the logging configuration.
status detail                     | Provide a detailed system status overview including all subsystems.
grep "" mail_logs                 | Find specific attachments in the mail logs.
smtproutes                        | Show the current SMTP routes configuration.
dnsflush                          | Flush the DNS cache, often necessary if DNS issues are suspected.
nslookup                          | Perform a DNS lookup for a domain, useful for resolving domain issues.
cli_test_mail_flow                | Simulate sending an email through the IronPort to test email flow.
grep "phish" mail_logs            | Search for potential phishing-related entries in the mail logs.
help                              | Show a list of available commands on the IronPort device.
============================================================================================================
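The MID/ICID/DCID/RID greps in the table are the building blocks of a message trace: the inbound connection (ICID) starts one or more messages (MID), each with its recipients (RID), and delivery happens over an outbound connection (DCID). The script below is an added example, not part of this cheat sheet or of Cisco's tooling, that does that correlation offline over a constructed mail_logs excerpt (the log wording approximates AsyncOS and the addresses are placeholders); it separates a chosen MID from other messages that share the same ICID.

```python
import re

# Constructed mail_logs excerpt (wording approximates AsyncOS; not real traffic).
SAMPLE_LOG = """\
Mon Apr  1 10:00:01 2024 Info: New SMTP ICID 1001 interface Data1 (10.0.0.5) address 203.0.113.10 reverse dns host mail.example.net verified yes
Mon Apr  1 10:00:02 2024 Info: Start MID 5001 ICID 1001
Mon Apr  1 10:00:02 2024 Info: MID 5001 ICID 1001 From: <sender@example.net>
Mon Apr  1 10:00:02 2024 Info: MID 5001 ICID 1001 RID 0 To: <user@example.com>
Mon Apr  1 10:00:02 2024 Info: MID 5001 Subject 'Invoice attached'
Mon Apr  1 10:00:03 2024 Info: MID 5001 using engine: CASE spam positive
Mon Apr  1 10:00:04 2024 Info: New SMTP DCID 3001 interface 10.0.0.5 address 198.51.100.20 port 25
Mon Apr  1 10:00:04 2024 Info: Delivery start DCID 3001 MID 5001 to RID [0]
Mon Apr  1 10:00:05 2024 Info: MID 5001 RID [0] Response '250 2.0.0 OK'
Mon Apr  1 10:00:05 2024 Info: Message finished MID 5001 done
Mon Apr  1 10:00:06 2024 Info: Start MID 5002 ICID 1001
"""

# Single-valued fields of a message and list-valued ones (one entry per RID/verdict/response).
SCALAR = {"icid": r"Start MID \d+ ICID (\d+)", "dcid": r"DCID (\d+) MID",
          "from": r"From: <([^>]*)>", "subject": r"Subject '(.*)'",
          "final": r"Message finished MID \d+ (\w+)"}
LISTS = {"to": r"RID \d+ To: <([^>]*)>", "verdicts": r"using engine: (.+)$",
         "responses": r"Response '(.*)'"}

def _first(pattern, line):
    m = re.search(pattern, line)
    return m.group(1) if m else None

def trace_mid(log_text, mid):
    """Follow one MID through mail_logs: inbound ICID, envelope, verdicts, outbound DCID."""
    t = {"mid": mid, **{k: None for k in SCALAR}, **{k: [] for k in LISTS}}
    icid_ip, dcid_ip = {}, {}  # connection id -> remote address, from the 'New SMTP' lines
    for line in log_text.splitlines():
        m = re.search(r"New SMTP (ICID|DCID) (\d+) .*? address (\S+)", line)
        if m:
            (icid_ip if m.group(1) == "ICID" else dcid_ip)[m.group(2)] = m.group(3)
        elif re.search(rf"\bMID {mid}\b", line):  # skips MID 5002, which shares the ICID
            for key, pat in SCALAR.items():
                if (v := _first(pat, line)) is not None:
                    t[key] = v
            for key, pat in LISTS.items():
                if (v := _first(pat, line)) is not None:
                    t[key].append(v)
    t["src_ip"], t["dst_ip"] = icid_ip.get(t["icid"]), dcid_ip.get(t["dcid"])
    return t

if __name__ == "__main__":
    for k, v in trace_mid(SAMPLE_LOG, "5001").items():
        print(f"{k:10} {v}")
```

On a real appliance, feed it the output of grep "MID <id>" mail_logs together with the matching "New SMTP ICID"/"New SMTP DCID" lines, since those carry the remote addresses.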