Gateway Log & Error Reference
Table of Contents
- Viewing Container Logs
- Log File Paths
- Downloading & Compressing Logs
- Log Rotation Configuration
- Exporting Logs to a SIEM
- Filtering for Errors
- Enable Debug Logging
- Postfix/SMTP Error Codes
- Java Content Filter Errors
- ACM & Accounts Errors
- CKS-Related Errors
- TLS/Certificate Errors
- Getting Help
Viewing Container Logs
Gateway outputs logs to stdout, which includes both Postfix mail logs and Java content filter logs. Both Docker and Podman provide commands to view these logs, displaying the stdout (standard output) and stderr (standard error) streams from the running container.
Basic Commands
| Action | Docker | Podman | Kubernetes |
|---|---|---|---|
| View logs | docker logs <container_id> |
podman logs <container_id> |
kubectl logs <pod> -n <namespace> |
| Last 100 lines | docker logs --tail 100 <container_id> |
podman logs --tail 100 <container_id> |
kubectl logs --tail=100 <pod> -n <namespace> |
| Follow in real-time | docker logs -f <container_id> |
podman logs -f <container_id> |
kubectl logs -f <pod> -n <namespace> |
| With timestamps | docker logs --timestamps <container_id> |
podman logs --timestamps <container_id> |
(timestamps included by default) |
| Last 1 hour | docker logs --since=1h <container_id> |
podman logs --since=1h <container_id> |
kubectl logs --since=1h <pod> -n <namespace> |
| Previous instance | (use log file path) | (use log file path) | kubectl logs --previous <pod> -n <namespace> |
Log File Paths
Docker
Docker stores logs in a specific path on the host machine:
/var/lib/docker/containers/<containerID>/<containerID>-json.log
Each container has its own directory, and log files are saved as JSON.
Podman
Podman allows you to configure a custom log path using the --log-opt parameter:
podman run \ --log-opt path=/var/log/gateway.log \ ...
This allows you to specify a custom log location, which is useful for centralized log storage and management.
Kubernetes
Logs are managed by the container runtime and accessible via kubectl logs. For persistent storage, configure a logging sidecar or external log aggregation.
Downloading & Compressing Logs
Export Logs to a File
Docker:
docker logs <container_id> > gateway-logs.txt 2>&1
Podman:
podman logs <container_id> > gateway-logs.txt 2>&1
Kubernetes:
kubectl logs <pod> -n <namespace> > gateway-logs.txt
Transfer Logs from Remote Host
Use scp or other file transfer tools to download log files:
scp user@remote_host:/path/to/gateway-logs.txt /local/path/
Compress Logs
Logs can grow quite large. Compressing them makes it easier to store and transfer:
Docker:
docker logs <container_id> 2>&1 | gzip > gateway-logs.gz
Podman:
podman logs <container_id> 2>&1 | gzip > gateway-logs.gz
Extract compressed logs:
gunzip gateway-logs.gz
Log Rotation Configuration
Log rotation prevents container logs from consuming too much disk space.
Docker Log Rotation
Configure log rotation as part of the container setup:
docker run \ --env-file /var/virtru/vg/env/gateway.env \ -v /var/virtru/vg/tls/:/etc/postfix/tls \ -v /var/virtru/vg/dkim/:/etc/opendkim/keys \ --publish 9001:25 \ --interactive --tty --detach \ --restart unless-stopped \ --name gateway \ --log-opt max-size=100m \ --log-opt max-file=10 \ containers.virtru.com/gateway:v<version-number>
| Option | Description |
|---|---|
--log-opt max-size=100m |
Limits each log file to 100MB |
--log-opt max-file=10 |
Keeps a maximum of 10 log files, discarding oldest |
Podman Log Rotation
Configure log rotation with custom log path:
podman run \ --env-file /var/virtru/vg/env/gateway.env \ -v /var/virtru/vg/tls/:/etc/postfix/tls \ -v /var/virtru/vg/dkim/:/etc/opendkim/keys \ --publish 9001:25 \ --interactive --tty --detach \ --restart unless-stopped \ --name gateway \ --log-opt path=/var/log/gateway.log \ containers.virtru.com/gateway:v<version-number>
For more information on Docker logging drivers, see: Docker Logging Configuration
Exporting Logs to a SIEM
Logs can be forwarded to a remote syslog server for centralized monitoring and analysis.
Docker Syslog Driver
Configure the container to send logs directly to a remote syslog server:
docker run \ --env-file /var/virtru/vg/env/gateway.env \ -v /var/virtru/vg/tls/:/etc/postfix/tls \ -v /var/virtru/vg/queue/gateway/:/var/spool/postfix \ -v /var/virtru/vg/dkim/:/etc/opendkim/keys \ --name gateway \ --publish 9001:25 \ --interactive --tty --detach \ --restart unless-stopped \ --log-driver syslog \ --log-opt syslog-address=tcp://192.168.10.15:10514 \ containers.virtru.com/gateway:v<version-number>
| Option | Description |
|---|---|
--log-driver syslog |
Use syslog logging driver |
--log-opt syslog-address=tcp://192.168.10.15:10514 |
Remote syslog server address and port |
Host-Level Syslog Forwarding
Alternatively, forward all host syslog entries (including container logs) to a remote server.
Note: This will include additional host events beyond container logs.
Edit /etc/rsyslog.d/50-default.conf:
nano /etc/rsyslog.d/50-default.conf
Add at the top:
*.* action(type="omfwd" target="192.168.10.15" port="10514" protocol="tcp" action.resumeRetryCount="100" queue.type="linkedList" queue.size="10000")
| Parameter | Description |
|---|---|
target |
Remote syslog server IP |
port |
Remote syslog server port |
protocol |
Transport protocol (tcp/udp) |
action.resumeRetryCount |
Number of retry attempts |
queue.size |
Number of entries to queue before discarding |
Important: Due to the nature of TCP, if the remote syslog server is unavailable, entries will be blocked and discarded if a retry queue is not configured.
Restart rsyslog after making changes:
sudo systemctl restart rsyslog
Filtering for Errors
Use these patterns to filter logs for specific error types.
Useful Grep Patterns
| Pattern | What It Finds |
|---|---|
grep -iE "(error|exception|fatal|failed|denied)" |
All errors |
grep -E "[45][0-9]{2} " |
All 4XX and 5XX SMTP codes |
grep -i "exception" |
Java exceptions |
grep "status=deferred" |
Deferred mail (temporary failures) |
grep "status=bounced" |
Bounced mail (permanent failures) |
grep -i "certificate|ssl|tls" |
TLS/certificate errors |
grep "DLP" |
DLP rule matches/blocks |
Example: Filter Errors from Docker
docker logs <container_id> 2>&1 | grep -iE "(error|exception|fatal|failed|denied)"
Example: Filter SMTP Codes from Kubernetes
kubectl logs <pod> -n <namespace> | grep -E "status=(deferred|bounced)|[45][0-9]{2} "Enable Debug Logging
For more verbose output when troubleshooting, set these environment variables:
| Variable | Value | Description |
|---|---|---|
GATEWAY_LOG_LEVEL |
debug |
Detailed application logs |
GATEWAY_VERBOSE_LOGGING |
1 |
Verbose Postfix logging |
GATEWAY_SMTPD_TLS_LOGLEVEL |
2 |
TLS server log level (0-4) |
GATEWAY_SMTP_TLS_LOGLEVEL |
2 |
TLS client log level (0-4) |
Note: Debug logging increases log volume significantly. Disable after troubleshooting is complete.
Postfix/SMTP Error Codes
4XX - Temporary Failures (Sender Should Retry)
| Code | Message | Meaning | Resolution |
|---|---|---|---|
421 |
Service not available | Gateway temporarily unavailable | Restart Gateway, check resources |
450 |
Mailbox unavailable | Temporary issue with recipient | Retry later |
451 |
Local error in processing | Content filter failure | Check Java logs for exception |
452 |
Insufficient storage | Disk full on Gateway | Free disk space |
454 |
TLS not available | TLS negotiation failed | Check certificates |
5XX - Permanent Failures (Do Not Retry)
| Code | Message | Meaning | Resolution |
|---|---|---|---|
521 |
Host does not accept mail | Gateway rejecting connection | Check GATEWAY_RELAY_ADDRESSES
|
550 |
Mailbox unavailable | Recipient rejected or relay denied | Add sender IP to relay list |
552 |
Message too large | Exceeds size limit | Reduce attachment size |
554 |
Transaction failed | General failure | Check logs for specific cause |
Gateway-Specific SMTP Errors
| Error Pattern | Meaning | Resolution |
|---|---|---|
451 Requested action aborted: encryption failed |
Content filter couldn't encrypt | Check network connectivity to Virtru services |
451 Virtru services temporarily unavailable |
Cannot reach Virtru cloud services | Check network connectivity to *.virtru.com
|
451 Organization configuration not found |
Organization not found or invalid | Verify GATEWAY_ORGANIZATION_DOMAIN
|
550 Relay access denied |
Sender IP not in allowed relay list | Add IP to GATEWAY_RELAY_ADDRESSES
|
550 DLP rule blocked message |
DLP policy triggered block action | Review DLP rules in Dashboard |
552 Message size exceeds maximum |
Email exceeds configured limit | Reduce size or increase GATEWAY_MESSAGE_SIZE_LIMIT
|
Postfix Queue Status Messages
Found in logs with status=:
| Log Pattern | Meaning | Resolution |
|---|---|---|
status=sent |
Successfully delivered | None - success |
status=deferred (connect to host[] timed out) |
Cannot reach downstream server | Check firewall, DNS, downstream server |
status=deferred (TLS is required, but was not offered) |
TLS mismatch with downstream | Adjust GATEWAY_SMTP_SECURITY_LEVEL
|
status=bounced (host[] said: 550 User unknown) |
Invalid recipient | Verify recipient address |
status=bounced (host[] said: 550 relay not permitted) |
Downstream rejecting relay | Check downstream relay config |
warning: connect to transport: Connection refused |
Content filter not running | Restart Gateway |
Java Content Filter Errors
Exception Types
| Exception | Meaning | Resolution |
|---|---|---|
SmtpProcessingException |
General SMTP processing failure | Check full stack trace for details |
DlpBlockException |
DLP rule blocked the message | Review DLP rules in Dashboard |
EmailFormatException |
Malformed email (invalid MIME, encoding) | Check sending mail client |
RecoverableProcessingException |
Temporary error - message will retry | Check network, auto-retry will occur |
UnrecoverableProcessingException |
Permanent error - message will bounce | Check credentials, size limits |
Common Stack Trace Patterns
| Stack Trace Pattern | Meaning | Resolution |
|---|---|---|
java.net.ConnectException: Connection refused |
Cannot connect to Virtru services | Check firewall, proxy settings |
java.net.SocketTimeoutException: Read timed out |
Slow or no response from services | Check network latency |
java.net.UnknownHostException |
DNS resolution failed | Check container DNS settings |
javax.net.ssl.SSLHandshakeException |
TLS certificate issue | Check certificate chain, trust store |
java.lang.OutOfMemoryError: Java heap space |
Not enough memory for processing | Increase JVM heap size |
ACM & Accounts Errors
HTTP errors returned when Gateway communicates with Virtru services:
| Status | Meaning | Resolution |
|---|---|---|
400 |
Invalid request | Check request format, contact support if persistent |
401 |
Authentication failed | Regenerate API token |
403 |
Permission denied | Check organization permissions, policy access |
404 |
Resource not found | Verify configuration settings |
429 |
Too many requests | Reduce request rate |
500 |
Service error | Retry, contact support if persistent |
Common 403 Reasons
| Reason | Meaning | Resolution |
|---|---|---|
unauthorized |
Not authorized to access resource | Verify permissions |
expired |
Policy or token has expired | Renew policy or regenerate token |
deactivated |
Policy has been revoked | Contact policy owner |
CKS-Related Errors
For customers using Customer Key Server (CKS), these errors may appear when decrypting content:
| Status | Error | Meaning | Resolution |
|---|---|---|---|
412 |
Preconditions not met | User public key required but missing | Generate user key pair |
422 |
CKS request error | Error communicating with CKS | Check CKS connectivity, contact admin |
TLS/Certificate Errors
| Error Message | Meaning | Resolution |
|---|---|---|
SSL certificate problem: unable to get local issuer certificate |
Missing CA certificate | Add CA certificate to trust store |
TLS handshake failed |
TLS version or protocol mismatch | Adjust TLS compliance settings |
certificate has expired |
Server certificate has expired | Renew TLS certificate |
certificate verify failed |
Invalid or untrusted certificate | Add certificate to trust store |
no suitable cipher |
No common cipher suite | Check TLS compliance level settings |
self signed certificate |
Self-signed cert not trusted | Add cert to trust store |
TLS Compliance Levels
| Level | Description |
|---|---|
MEDIUM |
Standard compliance - most deployments |
HIPAA_2018 |
HIPAA compliant ciphers - healthcare |
PCI_321 |
PCI DSS 3.2.1 compliant - payment card |
HIGH |
Maximum security |
Do not mix HIPAA_2018, PCI_321, or HIGH - choose one.
Getting Help
If you're unable to resolve an issue using this guide, please contact Virtru Support:
Virtru Support Portal: support.virtru.com
When contacting support, please include:
- Gateway version
- Relevant log output (filtered for errors)
- Steps to reproduce the issue
- Any recent configuration changes