Status Logs
Status logs can be configured to capture per second, per minute, and per hour snapshots of real-time activity to special XML formatted log files. In addition, these snapshots can be appended to create a log file containing structured data points at the given intervals.
Note that these snap-shots are available via the API and by XCI request even if they are not configured to be saved to log files.
Here are three sample snap-shots taken from one of our spamtrap pre-processing systems:
Sample status.second snap-shot
These status reports all use the same format to provide useful performance monitoring data. In fact, with only a few additions the status.minute report is exactly what is sent back to our support systems once per minute (or so) as telemetry. The format of these status reports is described below:
<stats nodeid='xxxxxxxx' basetime='20080602033557' elapsed='60250' class='minute'>
nodeid - The license id of the node.
basetime - The beginning timestamp for the report in compressed ISO format: YYYYMMDDhhmmss.
elapsed - The number of milliseconds covered by the report.
class - Either hour, minute, or second depending upon the report class.
<version>
<engine>SNFMulti Engine Version 2.9rc25 Build: May 1 2008 14:19:06</engine>
<platform>SNF Server Version 2-9b2 Build: May 1 2008 14:19:17</platform>
</version>
version - Version information about the SNF installation creating the status report.
version/engine - SNFMulti Engine version and build information.
version/platform - SNF Program version and build information.
<timers>
<run started='20080524162807' elapsed='731330'/>
<sync latest='20080602033616' elapsed='41'/>
<save latest='20080602032916' elapsed='461'/>
<condense latest='20080601122818' elapsed='54519'/>
</timers>
timers - Maintenance timer status.
timers/run - Total run time information.
timers/run@started - UTC timestamp for the start time of the SNF application.
timers/run@elapsed - Number of milliseconds passed since the timer's last event.
timers/sync - SNF SYNC operations timer.
timers/sync@latest - UTC timestamp of the latest indicated event. In the above example the last sync event was 41 milliseconds ago as of the basetime (20080602033557).
timers/condense - GBUdb Condensation timer. In the above example, the GBUdb database was last condensed at 20080601122818, 54519 milliseconds ago as of the basetime.
<gbudb>
<size bytes='134217728'/>
<records count='664959'/>
<utilization percent='98.2742'/>
</gbudb>
gbudb - GBUdb status information.
gbudb/size - The size of the GBUdb.
gbudb/size@bytes - Amount of RAM used for GBUdb records.
gbudb/records@count - Number of active IP records in this node's GBUdb.
gbudb/utilization@percent - Percentage of allocated GBUdb records in use. When this reaches 100% the GBUdb system will allocate additional space for new GBUdb records.
<counters>
<m c='2664'/>
<s c='2661'/>
<h c='3'/>
<t c='2081'/>
</counters>
counters - Counts of specific events during the indicated period. In the above example 60250 ms.
counters/m@c - Count of messages processed during the indicated period.
counters/s@c - Count of "spam" processed during the indicated period.
counters/h@c - Count of "ham" processed during the indicated period.
counters/w@c - (not shown above) Count of "white" events in the indicated period.
counters/c@c - (not shown above) Count of "caution" events in the indicated period.
counters/b@c - (not shown above) Count of "black" events in the indicated period.
counters/t@c - Count of "truncate" events in the indicated period.
counters/a@c - (not shown above) Count of "auto-panic" events in the indicated period.
counters/r@c - (not shown above) Count of "rule-panic" events in the indicated period.
<rates>
<m s='33.2502' m='2593.22' h='152277' d='2.77382e+006'/>
<s s='33.2502' m='2590.51' h='152093' d='2.75445e+006'/>
<h s='0' m='2.71637' h='184.363' d='19367.7'/>
<w s='0' m='0' h='0' d='0'/>
<c s='0' m='0' h='8.01577' d='1765.33'/>
<b s='0' m='0' h='12.469' d='2108.04'/>
<t s='25.1039' m='2020.98' h='119089' d='1.73397e+006'/>
<a s='0' m='0' h='0' d='0'/>
<r s='0' m='0' h='0' d='0'/>
</rates>
rates - Event rates per second, minute, hour, and day for a sliding window appropriate to the indicated period. For status.second the period is based on a sliding window of about 6 seconds. For status.minute the period is based on a sliding window covering approximately the last minute and the last 6 seconds. For status.hour the period is based on a sliding window covering approximately the last hour and the last 6 minutes. Wherever a moment indicator does not contain enough data in the window (for example, when calculating the per-day rate before a day has passed), the value is estimated using the data that is available. Note that the sliding windows used to make these calculations contain data collected and summarized over the entire previous day (or more), so they provide very accurate measurements once sufficient run-time data has been collected. For example, after a day of operation the d (day) value will be calculated by averaging the current sliding window with the entire previous day's actual data.
rates/m - Message processing rate.
rates/m@s - Messages processed per second (33.2502 in the above example)
rates/m@m - Messages processed per minute (2593.22 in the above example)
rates/m@h - Messages processed per hour (152277 in the above example)
rates/m@d - Messages processed per day (2.77382 million in the above example)
rates/s - Spam event rates (capture rates).
rates/h - Ham (not spam) event rates.
rates/w - White (GBUdb white override) event rates.
rates/c - Caution (GBUdb caution override) event rates.
rates/b - Black (GBUdb black override) event rates.
rates/t - Truncate (GBUdb truncate override) event rates.
rates/a - Auto-Panic event rates.
rates/r - Rule-Panic event rates.
<results>
<histogram hits='2664'>
<g k='0' c='3'/>
<g k='5' c='39'/>
<g k='20' c='2081'/>
<g k='47' c='1'/>
<g k='48' c='3'/>
<g k='50' c='1'/>
<g k='52' c='256'/>
<g k='54' c='41'/>
<g k='57' c='6'/>
<g k='59' c='5'/>
<g k='60' c='227'/>
<g k='61' c='1'/>
</histogram>
</results>
results - Histogram data showing result codes from SNF message scans.
results/histogram@hits - Number of total events in the histogram.
results/histogram/g - Group data for a single group in the histogram.
results/histogram/g@k - Key value for a group in the histogram.
results/histogram/g@c - Count of the events for a group in the histogram. In the above example, the histogram shows that during this period the result code 20 occurred 2081 times. That is precisely what the event counter for truncate says and approximately the rate of truncate events per minute (2020.98).
<rules>
<rulebase utc='20080602033628'/>
<active utc='20080602033628'/>
<update ready='no' utc='20080602033038'/>
<latest rule='1911756'/>
<histogram hits='580'>
<g k='73990' c='14'/>
<g k='285230' c='2'/>
<g k='800334' c='1'/>
<g k='812688' c='1'/>
<!-- many entries skipped -->
<g k='1911678' c='2'/>
<g k='1911682' c='4'/>
<g k='1911752' c='7'/>
<g k='1911756' c='9'/>
</histogram>
</rules>
rules - Rulebase and rule activity data.
rules/rulebase@utc - UTC timestamp of the current rulebase file.
rules/active@utc - UTC timestamp of the last rulebase successfully loaded and now active.
rules/update@ready - 'Yes' if rulebase file on server is known to be newer than the active rulebase.
rules/update@utc - UTC timestamp of the rulebase available from the server.
rules/latest@rule - Latest (highest number) matching rule ID seen so far.
rules/histogram - Rule activity histogram for the given period. The histogram format is the same as the results histogram format (see above) except that in this case rule IDs are used as group keys for the histogram.
<panics> </panics>
panics - Rule panic entries.
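The fields described above lend themselves to automated health checks. The following Python sketch is an added example, not part of the SNF distribution: it parses a status.minute report and cross-checks the results histogram, the counters, and the rulebase timestamps. The sample report is constructed from the fragments shown on this page, and the names ts, counter, and summarize are hypothetical.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample assembled from the fragments shown on this page.
SAMPLE = """<stats nodeid='xxxxxxxx' basetime='20080602033557' elapsed='60250' class='minute'>
<gbudb><size bytes='134217728'/><records count='664959'/><utilization percent='98.2742'/></gbudb>
<counters><m c='2664'/><s c='2661'/><h c='3'/><t c='2081'/></counters>
<results><histogram hits='2664'>
<g k='0' c='3'/><g k='5' c='39'/><g k='20' c='2081'/><g k='47' c='1'/>
<g k='48' c='3'/><g k='50' c='1'/><g k='52' c='256'/><g k='54' c='41'/>
<g k='57' c='6'/><g k='59' c='5'/><g k='60' c='227'/><g k='61' c='1'/>
</histogram></results>
<rules><rulebase utc='20080602033628'/><active utc='20080602033628'/>
<update ready='no' utc='20080602033038'/><latest rule='1911756'/></rules>
</stats>"""

def ts(value):
    """Parse a compressed ISO timestamp (YYYYMMDDhhmmss)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S")

def counter(root, name):
    """Return counters/<name>@c, or 0 when that counter is omitted from the report."""
    node = root.find(f"counters/{name}")
    return int(node.get("c")) if node is not None else 0

def summarize(xml_text):
    """Reduce one status report to the values a monitoring job would alert on."""
    # Assumes a report written by the local SNF node; use a hardened XML parser otherwise.
    root = ET.fromstring(xml_text)
    hist = {int(g.get("k")): int(g.get("c")) for g in root.findall("results/histogram/g")}
    hits = int(root.find("results/histogram").get("hits"))
    messages = counter(root, "m")
    rules = root.find("rules")
    return {
        "class": root.get("class"),
        "start": ts(root.get("basetime")),
        "seconds": int(root.get("elapsed")) / 1000.0,
        "messages": messages,
        "spam_ratio": counter(root, "s") / messages if messages else 0.0,
        "histogram_consistent": sum(hist.values()) == hits,
        "truncate_matches_code_20": hist.get(20, 0) == counter(root, "t"),
        "panics": counter(root, "a") + counter(root, "r"),
        "gbudb_percent": float(root.find("gbudb/utilization").get("percent")),
        "update_ready": rules.find("update").get("ready").lower() == "yes",
        "rulebase_active": ts(rules.find("active").get("utc")) >= ts(rules.find("rulebase").get("utc")),
    }
```

A non-zero panics value, a false rulebase_active, or a histogram that does not add up to its hits attribute are the conditions worth alerting on.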
Please email support@armresearch.com with any questions.
