Cisco IronPort Email Security Appliance (ESA) is a hardware appliance that provides advanced threat prevention, mail filtering, and spam and virus detection, offering a powerful multilayered approach to email security.

IronPorts provide a great packaged solution to a difficult problem and, generally speaking, require little manual upkeep and administration when implemented right. As a system administrator, one of the most important components of setting anything up right is monitoring.  Although IronPorts have great reporting and monitoring flavour baked right into the cake and topped with SNMP icing, sometimes you’ll want to retrieve information that isn’t available via SNMP, or to retrieve it from a script or automated process.

For this reason I’ve written the Perl module Cisco::IronPort, which is available on the CPAN.  Using this module you can retrieve a number of statistics from your IronPorts for use in monitoring and alerting.  For example, to retrieve the total message count and the number of messages marked as spam (maybe for use in a dashboard):

#!/usr/bin/perl

use strict;
use warnings;

use Cisco::IronPort;
use Carp qw(croak);

my $iport = Cisco::IronPort->new(
		username	=> 'username',
		password	=> 'password',
		server		=> 'ironport.company.com'
	) or croak "Unable to create constructor: $!\n";

my %stats = $iport->incoming_mail_summary_current_hour;
print "Total messages\t: $stats{total_attempted_messages}{count}\n";
print "Spam messages\t: $stats{spam_detected}{count} (" . (int($stats{spam_detected}{percent}*100))/100 . ")\n";
print "Stopped by reputation filtering\t: $stats{stopped_by_reputation_filtering}{count} (" . (int($stats{stopped_by_reputation_filtering}{percent}*100))/100 . ")\n";

Which outputs:

Total messages    : 33198
Spam messages    : 283 (0.85)
Stopped by reputation filtering    : 25596 (77.1)

With a few small modifications it’s easy to make this simple script produce output that would be consumable by a Nagios check or Splunk. However, for a sysadmin the output above, whilst potentially interesting, isn’t terribly exciting.  Instead, a sysadmin may find it more useful to keep an eye on performance parameters that may hint at potential problems.  The following script produces a small textual graph reminiscent of Cisco ‘show proc cpu’ output showing the average time messages have spent in the workqueue for the past hour.

#!/usr/bin/perl

use strict;
use warnings;

use Cisco::IronPort;
use Carp qw(croak);
use POSIX qw(ceil);

my $ironport = Cisco::IronPort->new(
                                username        => 'username',
                                password        => 'password',
                                server          => 'ironport.company.com'
                        ) or croak "Unable to create constructor: $!\n";

my %h    = $ironport->average_time_in_workqueue_current_day;
my @keys = sort keys %h;
my $rows = 10;

croak "No workqueue data returned\n" unless @keys;

# Keys of the samples with the lowest and highest average time
my ($lower, $upper) = (sort { $h{$a}{time} <=> $h{$b}{time} } @keys)[0,-1];

# Avoid a division by zero when every sample has the same value
my $range = ($h{$upper}{time} - $h{$lower}{time}) || 1;

# Start with an empty grid: $rows rows, one column per sample
my @grid = map { [ (" ") x @keys ] } 1 .. $rows;

print "Average time spent in workqueue\n";
print " - lower: $h{$lower}{begin_date} - $h{$lower}{time}\n";
print " - upper: $h{$upper}{begin_date} - $h{$upper}{time}\n\n";

my $col = 0;
foreach my $k (@keys) {
        # Scale each value to a bar height between 1 and $rows
        my $height = ceil(1 + (($rows - 1) * ($h{$k}{time} - $h{$lower}{time}))
                        / $range);
        $grid[$_][$col] = "#" for 0 .. $height - 1;
        $col++;
}

# Print the grid top row first, labelling the top and bottom rows
my $row = 0;
for my $line (reverse @grid) {
        print "\t [ @$line ]";
        $row == 0         and print " - ",(int($h{$upper}{time}*100))/100;
        $row == $rows - 1 and print " - ",(int($h{$lower}{time}*100))/100;
        print "\n";
        $row++;
}

print "\t$h{$lower}{begin_date}\t\t$h{$upper}{begin_date}\n";

Which when executed produces something similar to:

Average time spent in workqueue
 - lower: 2012-08-06 19:00 GMT - 0.862891207154
 - upper: 2012-08-06 07:00 GMT - 39.6755756579

	 [   #                                               ] - 39.67
	 [   #                                               ]
	 [   #                                               ]
	 [   #                                               ]
	 [   #                                               ]
	 [   #                                               ]
	 [   #                                               ]
	 [   #                                     #         ]
	 [ # # # # # # # # # # # # #   # # # # # # # # # # # ]
	 [ # # # # # # # # # # # # # # # # # # # # # # # # # ] - 0.86
	2012-08-06 19:00 GMT		2012-08-06 07:00 GMT

Neat – now we can keep an eye on our mail queue wait times from the shell.

The above script can easily be altered to use any of the other available methods in Cisco::IronPort to get similar output for the number of messages in the workqueue, incoming messages per hour, CPU utilisation, etc.
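The Nagios-consumable variant of the first script mentioned earlier, as an added example that is not part of the original post or of the module's own documentation. The IRONPORT_* environment variable names and the default 5/10 percent thresholds are assumptions; with no server set it runs on a constructed sample built from the output shown above.

```perl
#!/usr/bin/perl
# Added example: Nagios-style check on the spam percentage for the current hour.
use strict;
use warnings;

# Standard Nagios plugin exit codes
my %EXIT = (OK => 0, WARNING => 1, CRITICAL => 2, UNKNOWN => 3);

# Takes a stats hash shaped like the one used in the first script and returns
# (status, message). $warn and $crit are spam percentages.
sub check_spam {
    my ($stats, $warn, $crit) = @_;
    my $spam  = $stats->{spam_detected};
    my $total = $stats->{total_attempted_messages};
    return ('UNKNOWN', 'no spam or total message data returned')
        unless $spam && $total && defined $spam->{percent};

    my $pct    = $spam->{percent};
    my $status = $pct >= $crit ? 'CRITICAL' : $pct >= $warn ? 'WARNING' : 'OK';
    my $rep    = $stats->{stopped_by_reputation_filtering}{count} // 0;

    # Text before the pipe is for humans, text after it is Nagios perfdata
    my $msg = sprintf
        'spam %.2f%% of %d messages | spam_pct=%.2f%%;%s;%s;0;100 total=%d spam=%d reputation_blocked=%d',
        $pct, $total->{count}, $pct, $warn, $crit,
        $total->{count}, $spam->{count}, $rep;
    return ($status, $msg);
}

my %stats;
if ($ENV{IRONPORT_SERVER}) {
    # Credentials come from the environment (hypothetical variable names)
    # so that they are not stored in the check script itself.
    require Cisco::IronPort;
    my $iport = Cisco::IronPort->new(
        username => $ENV{IRONPORT_USER},
        password => $ENV{IRONPORT_PASS},
        server   => $ENV{IRONPORT_SERVER},
    ) or do { print "UNKNOWN - unable to create Cisco::IronPort object\n"; exit $EXIT{UNKNOWN} };
    %stats = $iport->incoming_mail_summary_current_hour;
} else {
    # Constructed sample data, using the figures from the output shown above
    %stats = (
        total_attempted_messages        => { count => 33198 },
        spam_detected                   => { count => 283,   percent => 0.85 },
        stopped_by_reputation_filtering => { count => 25596, percent => 77.1 },
    );
}

my ($status, $msg) = check_spam(\%stats, $ARGV[0] // 5, $ARGV[1] // 10);
print "$status - $msg\n";
exit $EXIT{$status};
```

The warning and critical thresholds are passed as the first and second command-line arguments.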
