Searching for a message in the Message Audit Log

A query facility is provided to search the log for the messages that match the criteria you specify.
The Status > SMTP > Message Audit Logs page enables you to specify either one or two criteria and related supplementary information as follows:
Host
  One or more Scanners running the Symantec Messaging Gateway software. To find all details about a message, search on all attached Scanners.
Time range
  Period of time for the search to query the audit log. While it is possible to search for longer periods, it is recommended that message searches not exceed one week.
Mandatory filter
  Select the type of information for filtering messages. See Choices for the mandatory search criteria.
Mandatory filter value
  Enter a string that corresponds to the Mandatory filter type you selected. For example, if you chose to filter messages by sender, enter a valid email address here.
Optional filter
  Select from the list of optional filtering criteria. See Choices for the optional search criteria.
Optional filter value
  If appropriate, enter a string or choose a value that corresponds to the Optional filter type you selected. For example, if you chose to filter messages by Connection IP, enter a valid IP address here. Or, if you chose to filter messages by Action taken, select the action for which you want to find messages.
Clear Filters
  Clear the current filtering criteria from memory.
Display Filtered
  Search for and display messages that fit your criteria.
Choices for the mandatory search criteria describes the items you can choose for your single required filter.
Choices for the mandatory search criteria
Sender
  Name of the message sender. Specify <> to filter for messages that do not contain Sender names.
Recipient
  Name of the message recipient.
Subject
  Message subject.
Audit ID
  Unique identifier generated by Symantec Messaging Gateway and included as a message header.
Connection IP
  IP address of the connecting server. In cases where Symantec Messaging Gateway rejects an IP connection, this results in a row with the sender identified as none. Message details consist of the IP address and the reason for rejection. Symantec Messaging Gateway supports IPv4 addresses and IPv6 addresses.
Logical IP
  Logical IP address of the connecting server.
  The logical connection IP is used for deployments in which internal mail servers forward messages to the Symantec Messaging Gateway server. The logical connection IP address is the address of the first non-internal server connection.
  The logical connection IP address is derived from the "Received:" headers of the message content. Symantec Messaging Gateway uses this IP address for filtering purposes. Depending on your deployment, this address may be identical to the "Accepted from" IP address.
  When you select Logical IP, you may specify IPv4 addresses, IPv6 addresses, or IPv6 CIDR ranges. CIDR ranges are only accepted where the prefix length is a multiple of 4.
Choices for the optional search criteria describes the items you can choose for your single optional filter.
Choices for the optional search criteria
Sender
  Name of the message sender. Specify <> to filter for messages that do not contain Sender names.
Authenticated sender
  Name of an authenticated sender.
Recipient
  Name of the message recipient.
Subject
  Message subject.
Message ID
  Unique identifier typically generated by the email software that initiated the sending of the message and included as a message header. Spammers have used this header to mask the identity of a message originator.
Verdict
  The verdict and/or other characteristics of a message. When this filter option is selected, a list of possible verdicts appears in the Optional filter value drop-down list. Use these values to filter messages that resulted in a given verdict. For example, you can set the Optional filter value to The message is a newsletter.
Untested verdict
  An available verdict for which the Scanner did not test. A drop-down list of verdict choices is provided.
Action taken
  What happened to the message. When this filter option is selected, a list of possible actions appears in the Optional filter value drop-down list. Use these values to filter messages that triggered policies that applied the given action.
  If you select Reject message from the Optional filter value drop-down list, the reason for rejection appears in the message detail:
    • Rejected message for a nonlocal recipient
    • Rejected message for exceeding size limit
    • Rejected message by MTA
    • Reject messages failing bounce attack validation
    • Reject invalid recipients rejected message for exceeding size limit
    • All recipients are invalid
Connection IP
  Connection IP used to receive the message.
  Symantec Messaging Gateway supports IPv4 addresses and IPv6 addresses.
Logical IP
  Logical IP address of the connecting server.
  The logical connection IP is used for deployments in which internal mail servers forward messages to the Symantec Messaging Gateway server. The logical connection IP address is the address of the first non-internal server connection.
  The logical connection IP address is derived from the "Received:" headers of the message content. Symantec Messaging Gateway uses this IP address for filtering purposes. Depending on your deployment, this address may be identical to the "Accepted from" IP address.
  When you select Logical IP, you may specify IPv4 addresses, IPv6 addresses, or IPv6 CIDR ranges. CIDR ranges are only accepted where the prefix length is a multiple of 4.
Target IP
  IP address of the message destination.
Policy group
  Name of the group (either the recipient's group or the sender's group) that determined which filter policy applied to the message.
Filter policy
  Name of the filter policy applied to the message.
Virus
  Name of the virus attached to the message.
Attachment
  Name of a message attachment.
Suspect attachment
  Name of a message attachment that triggered a content filtering policy.
Reason for unscannable verdict
  Reason that the message matched the "If a message is unscannable for malware and content filtering for any reason" condition. A drop-down list of unscannable reasons is provided.
Source
  Whether the message is internal or external.
Disarmed content
  Whether the message's attachments contain potentially malicious content.
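The Logical IP value rules stated for both the mandatory and the optional filter (single IPv4 or IPv6 address, or an IPv6 CIDR range whose prefix length is a multiple of 4) can be checked before a value is typed into the search form. This is an added Python example, not part of Symantec Messaging Gateway; it assumes that a range with host bits set is normalized rather than rejected, and the matching helper is only illustrative of how a logged logical IP would be compared against such a filter value.

```python
import ipaddress


def classify_logical_ip_filter(value):
    """Validate a Logical IP filter value as the page describes: a single IPv4
    address, a single IPv6 address, or an IPv6 CIDR range whose prefix length
    is a multiple of 4. Returns 'ipv4', 'ipv6' or 'ipv6-cidr'; raises
    ValueError for anything else (IPv4 ranges, odd prefix lengths, junk)."""
    value = value.strip()
    if "/" not in value:
        addr = ipaddress.ip_address(value)  # ValueError if not an IP literal
        return "ipv4" if addr.version == 4 else "ipv6"
    # Assumption: host bits inside the range are masked off (strict=False).
    net = ipaddress.ip_network(value, strict=False)
    if net.version != 6:
        raise ValueError(f"only IPv6 CIDR ranges are accepted, got {value}")
    if net.prefixlen % 4 != 0:
        raise ValueError(
            f"IPv6 prefix length must be a multiple of 4, got /{net.prefixlen}")
    return "ipv6-cidr"


def logical_ip_matches(filter_value, logged_ip):
    """Illustrative comparison of a logged logical IP against a validated
    filter value: exact match for single addresses, containment for a range."""
    kind = classify_logical_ip_filter(filter_value)
    observed = ipaddress.ip_address(logged_ip)
    if kind == "ipv6-cidr":
        net = ipaddress.ip_network(filter_value, strict=False)
        return observed.version == 6 and observed in net
    return observed == ipaddress.ip_address(filter_value.strip())


def filter_errors(values):
    """Return {value: error message} for each filter value that would be rejected."""
    errors = {}
    for v in values:
        try:
            classify_logical_ip_filter(v)
        except ValueError as exc:
            errors[v] = str(exc)
    return errors
```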
While searching, the following rules are used:
  • No more than 1,000 messages are allowed per search on each Scanner being searched.
  • Freeform text fields are case-insensitive substring searches.
The Message Audit Log provides information on each message received by each recipient. For example, if the same message is received by 10 recipients, you see 10 entries in the Message Audit Log. When counting toward the limit of 1,000 messages returned, Symantec Messaging Gateway counts the multiple entries for the different recipients of the same message as one message.
Email messages that fail delivery are tracked as delivery failures in the Message Audit Log. For example, messages to non-existent users that bounce are considered delivery failures. Delivery failures are indicated with a Delivery Failure heading in the Delivery section of the Audit Logs page. In addition to being indicated on the Audit Logs page, undelivered messages are logged with the DELIVERY_FAILURE audit log event. DELIVERY_FAILURE events are logged in the following format:
utc|uid|DELIVERY_FAILURE|recipient|reason
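A parser for the DELIVERY_FAILURE line layout just shown, together with the per-message counting rule from the search rules above, as an added Python example that is not part of Symantec Messaging Gateway. The sample lines are constructed; the timestamp style, uid values, addresses and reason texts are assumptions, since the page fixes only the field order.

```python
from collections import Counter, defaultdict

# Constructed sample audit lines in the utc|uid|DELIVERY_FAILURE|recipient|reason
# layout described above. Timestamp style, uids, addresses and reason texts are
# assumptions; the page only fixes the field order. The third line is a
# constructed non-failure event, included only to show that it is skipped.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z|a1b2c3|DELIVERY_FAILURE|bob@example.com|550 5.1.1 user unknown
2024-05-01T10:00:01Z|a1b2c3|DELIVERY_FAILURE|carol@example.com|550 5.1.1 user unknown
2024-05-01T10:02:15Z|d4e5f6|ACCEPT|dave@example.com|
2024-05-01T10:05:40Z|g7h8i9|DELIVERY_FAILURE|bob@example.com|451 4.4.1 timed out|retry
"""


def parse_delivery_failures(text):
    """Return one dict per DELIVERY_FAILURE line. Splitting with maxsplit=4 keeps
    any '|' that appears inside the free-text reason field (see the last line)."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|", 4)
        if len(parts) < 3 or parts[2] != "DELIVERY_FAILURE":
            continue  # other event types are ignored by this parser
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        utc, uid, _event, recipient, reason = parts
        events.append({"utc": utc, "uid": uid, "recipient": recipient, "reason": reason})
    return events


def summarize(events):
    """Count failures per reason, distinct failed messages by uid (the audit log
    shows one row per recipient but counts a multi-recipient message once), and
    recipients that failed on more than one message, which is worth a closer
    look (stale address lists or a misbehaving downstream host)."""
    per_uid = defaultdict(set)
    per_recipient = defaultdict(set)
    reasons = Counter()
    for e in events:
        per_uid[e["uid"]].add(e["recipient"])
        per_recipient[e["recipient"]].add(e["uid"])
        reasons[e["reason"]] += 1
    repeat = {r: len(u) for r, u in per_recipient.items() if len(u) > 1}
    return {"rows": len(events), "messages": len(per_uid),
            "reasons": dict(reasons), "repeat_recipients": repeat}
```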
The Actions column indicates actions taken by the Scanner on messages, but does not indicate actions taken by administrators or users on messages. For example, if an administrator or user releases a message from Spam Quarantine, this activity is listed under Spam Quarantine, not Actions.
To search the message audit log and view message details
  1. In the Control Center, click Status > SMTP > Message Audit Logs.
  2. Select the Scanner whose logs you wish to search from the Host drop-down list, or select All Scanners.
  3. Complete the desired search criteria.
  4. Click Display Filtered.
    Use the Entries per page drop-down list to specify the number of records to show per page. Use the Display _ of _ drop-down list to choose a range of data to display.
  5. Click a message recipient in the To column to view processing details on that message.
To search the message audit log for content filtering incidents
  1. In the Control Center, click Status > SMTP > Message Audit Logs.
  2. Select the Scanner whose logs you want to search from the Host drop-down list, or select All Scanners.
  3. Choose a selection from the Mandatory filter drop-down list and enter an appropriate value in the Mandatory filter value field.
  4. Choose Action taken from the Optional filter drop-down list.
  5. Choose either Create an informational incident or Create a quarantine incident from the Optional filter value drop-down list.
  6. Click Display Filtered.
    Use the Entries per page drop-down list to specify the number of records to show per page. Use the Display _ of _ drop-down list to choose a range of data to display.
  7. Click a message recipient in the To column to view processing details on that message.
To view the TLS encryption delivery status of a message in the message audit log
  1. Locate the message in the message audit log.
  2. Expand Recipient data > Delivery.
  3. Click Details.