Searching for a message in the Message Audit Log
A query facility is provided to search the log to determine if one or more messages meet the criteria for the message you want to find.
The Status > SMTP > Message Audit Logs page enables you to specify either one or two criteria and related supplementary information as follows:

Item | Description |
|---|---|
Host | One or more Scanners running the Symantec Messaging Gateway software. To find all details about a message, search on all attached Scanners. |
Time range | Period of time for the search to query the audit log. Although it is possible to search longer periods, it is recommended that message searches not exceed one week. |
Mandatory filter | Select the type of information for filtering messages. See Choices for the mandatory search criteria. |
Mandatory filter value | Enter a string that corresponds to the Mandatory filter type you selected. For example, if you chose to filter messages by sender, enter a valid email address here. |
Optional filter | Select from the list of optional filtering criteria. See Choices for the optional search criteria. |
Optional filter value | If appropriate, enter a string or choose a value that corresponds to the Optional filter type you selected. For example, if you chose to filter messages by Connection IP, enter a valid IP address here. Or, if you chose to filter messages by Action taken, select the action for which you want to find messages. |
Clear Filters | Clear the current filtering criteria from memory. |
Display Filtered | Search for and display messages that fit your criteria. |
The following table, Choices for the mandatory search criteria, describes the items you can choose for your single required filter.

Criteria | Description |
|---|---|
Sender | Name of the message sender. Specify <> to filter for messages that do not contain Sender names. |
Recipient | Name of the message recipient. |
Subject | Message subject. |
Audit ID | Unique identifier generated by Symantec Messaging Gateway and included as a message header. |
Connection IP | IP address of the connecting server. When Symantec Messaging Gateway rejects an IP connection, the result is a row with the sender identified as none; the message details consist of the IP address and the reason for rejection. Symantec Messaging Gateway supports IPv4 addresses and IPv6 addresses. |
Logical IP | Logical IP address of the connecting server. The logical connection IP is used for deployments in which you have internal mail servers that forward messages to the Symantec Messaging Gateway server; the logical connection IP address is the address of the first non-internal server connection. It is derived from the "Received:" headers of the message content, and Symantec Messaging Gateway uses this IP address for filtering purposes. Depending on your deployment, this address may be identical to the "Accepted from" IP address. When you select Logical IP, you may specify IPv4 addresses, IPv6 addresses, or IPv6 CIDR ranges. CIDR ranges are only accepted where the prefix length is a multiple of 4. |
The following table, Choices for the optional search criteria, describes the items you can choose for your single optional filter.

Criteria | Description |
|---|---|
Sender | Name of the message sender. Specify <> to filter for messages that do not contain Sender names. |
Authenticated sender | Name of an authenticated sender. |
Recipient | Name of the message recipient. |
Subject | Message subject. |
Message ID | Unique identifier typically generated by the email software that initiated the sending of the message and included as a message header. Spammers have used this header to mask the identity of a message originator. |
Verdict | The verdict and/or other characteristics of a message. When this filter option is selected, a list of possible verdicts appears in the Optional filter value drop-down list. Use these values to filter messages that resulted in a given verdict. For example, you can set the Optional filter value to The message is a newsletter. |
Untested verdict | An available verdict for which the Scanner did not test. A drop-down list of verdict choices is provided. |
Action taken | What happened to the message. When this filter option is selected, a list of possible actions appears in the Optional filter value drop-down list. Use these values to filter messages that triggered policies that applied the given action. If you select Reject message from the Optional filter value drop-down list, the reason for rejection appears in the message detail. |
Connection IP | Connection IP used to receive the message. Symantec Messaging Gateway supports IPv4 addresses and IPv6 addresses. |
Logical IP | Logical IP address of the connecting server. The logical connection IP is used for deployments in which you have internal mail servers that forward messages to the Symantec Messaging Gateway server; the logical connection IP address is the address of the first non-internal server connection. It is derived from the "Received:" headers of the message content, and Symantec Messaging Gateway uses this IP address for filtering purposes. Depending on your deployment, this address may be identical to the "Accepted from" IP address. When you select Logical IP, you may specify IPv4 addresses, IPv6 addresses, or IPv6 CIDR ranges. CIDR ranges are only accepted where the prefix length is a multiple of 4. |
Target IP | IP address of the message destination. |
Policy group | Name of the group (either the recipient's group or the sender's group) that determined which filter policy applied to the message. |
Filter policy | Name of the filter policy applied to the message. |
Virus | Name of the virus attached to the message. |
Attachment | Name of a message attachment. |
Suspect attachment | Name of a message attachment that triggered a content filtering policy. |
Reason for unscannable verdict | Reason that the message matched the "If a message is unscannable for malware and content filtering for any reason" condition. A drop-down list of unscannable reasons is provided. |
Source | Whether the message is internal or external. |
Disarmed content | Whether the message's attachments contain potentially malicious content. |
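The two IP-based filters above accept different value shapes: Connection IP takes a single IPv4 or IPv6 address, while Logical IP additionally accepts IPv6 CIDR ranges whose prefix length is a multiple of 4 (that is, aligned to a hex-digit boundary of the address). The following Python function is an added example written for this page, not code from Symantec Messaging Gateway or its documentation; it pre-checks a filter value against those documented rules before the value is typed into the search form or handed to a script that drives the search. The filter names as dictionary keys, the normalisation through the standard ipaddress module and the wording of the rejection reasons are this example's own choices.

```python
import ipaddress

# Which value shapes each documented IP filter accepts (from the table above).
# Keys are the filter names as shown in the Control Center; this mapping is an
# assumption of the example, not an API of the product.
ACCEPTS_CIDR = {
    "Connection IP": False,  # single IPv4 or IPv6 address only
    "Logical IP": True,      # address, or IPv6 CIDR with nibble-aligned prefix
}


def validate_ip_filter_value(filter_name: str, value: str) -> tuple[bool, str]:
    """Check a Connection IP / Logical IP filter value against the documented rules.

    Returns (ok, normalised_value) on success or (False, reason) on rejection.
    """
    value = value.strip()
    if filter_name not in ACCEPTS_CIDR:
        return False, f"unsupported filter: {filter_name}"

    if "/" in value:
        if not ACCEPTS_CIDR[filter_name]:
            return False, "CIDR ranges are only accepted for the Logical IP filter"
        try:
            # strict=False masks host bits instead of rejecting them; the page
            # does not say whether the appliance itself tolerates host bits,
            # so this is a choice made here.
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return False, "not a valid CIDR range"
        if net.version != 6:
            return False, "only IPv6 CIDR ranges are accepted"
        if net.prefixlen % 4 != 0:
            return False, (f"prefix length {net.prefixlen} is not a multiple of 4 "
                           "(not aligned to a hex digit)")
        return True, str(net)

    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False, "not a valid IPv4 or IPv6 address"
    return True, str(addr)


if __name__ == "__main__":
    # Constructed inputs; the documentation-style addresses are placeholders.
    for name, candidate in [
        ("Logical IP", "2001:db8::/32"),
        ("Logical IP", "2001:db8::/33"),
        ("Logical IP", "10.0.0.0/8"),
        ("Connection IP", "2001:db8::/32"),
        ("Connection IP", "2001:DB8::1"),
        ("Connection IP", "not-an-ip"),
    ]:
        ok, detail = validate_ip_filter_value(name, candidate)
        print(f"{name:14} {candidate:16} -> {'ok' if ok else 'rejected'}: {detail}")
```

Running the block shows the /33 range and the IPv4 range being rejected for Logical IP, the CIDR being rejected for Connection IP, and the upper-case IPv6 address being normalised to its canonical lower-case form.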
While searching, the following rules are used:
- No more than 1,000 messages are allowed per search on each Scanner being searched.
- Freeform text fields are non-case-sensitive substring searches.
The Message Audit Log provides information on each message received by each recipient. For example, if the same message is received by 10 recipients, you see 10 entries in the Message Audit Log. When counting toward the limit of 1,000 messages returned, however, Symantec Messaging Gateway counts the multiple entries for the different recipients of the same message as one message.
Email messages that fail delivery are tracked as delivery failures in the Message Audit Log. For example, messages to non-existent users that bounce are considered delivery failures. Delivery failures are indicated with a Delivery Failure heading on the Audit Logs page in the Delivery section. In addition to being indicated on the Audit Logs page, undelivered messages are logged with the new DELIVERY_FAILURE audit log event. DELIVERY_FAILURE events are logged in the following format:
utc|uid|DELIVERY_FAILURE|recipient|reason
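To show how the DELIVERY_FAILURE format above can be consumed outside the Control Center, here is an added Python example (not code from the product or its documentation) that parses lines in the utc|uid|DELIVERY_FAILURE|recipient|reason layout from a constructed sample, skips other events and malformed lines, tallies failure reasons for triage, and counts distinct messages the way the 1,000-message search limit does (entries for several recipients of one message count once). The timestamp and uid formats, the SOME_OTHER_EVENT placeholder, the addresses and the reason strings in the sample are assumptions made for this example, not captured appliance output.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample audit-log lines in the documented
# utc|uid|DELIVERY_FAILURE|recipient|reason layout. Timestamp and uid formats,
# the SOME_OTHER_EVENT line, addresses and reason strings are assumptions.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z|0a1b2c3d-0001|DELIVERY_FAILURE|alice@example.test|550 5.1.1 User unknown
2024-05-01T10:02:11Z|0a1b2c3d-0001|DELIVERY_FAILURE|bob@example.test|550 5.1.1 User unknown
2024-05-01T10:05:40Z|0a1b2c3d-0002|DELIVERY_FAILURE|carol@example.test|451 4.4.1 Connection timed out
2024-05-01T10:06:02Z|0a1b2c3d-0003|SOME_OTHER_EVENT|dave@example.test|
2024-05-01T10:07:19Z|0a1b2c3d-0004|DELIVERY_FAILURE|Erin@partner.test|550 5.7.1 Relaying denied
this line is deliberately malformed
"""


@dataclass(frozen=True)
class DeliveryFailure:
    utc: str
    uid: str
    recipient: str
    reason: str


def parse_delivery_failures(text: str) -> list[DeliveryFailure]:
    """Return one DeliveryFailure per DELIVERY_FAILURE line.

    Lines carrying another event type, or with fewer than five fields, are
    skipped rather than raising, so one bad line does not abort a batch.
    """
    failures = []
    for raw in text.splitlines():
        fields = raw.split("|", 4)  # reason is last and may itself contain '|'
        if len(fields) != 5 or fields[2] != "DELIVERY_FAILURE":
            continue
        utc, uid, _event, recipient, reason = fields
        failures.append(DeliveryFailure(utc, uid, recipient, reason))
    return failures


def distinct_messages(failures: list[DeliveryFailure]) -> int:
    """Count messages the way the search limit does: every recipient entry that
    shares an audit uid belongs to the same message and counts once."""
    return len({f.uid for f in failures})


def failures_by_reason(failures: list[DeliveryFailure]) -> Counter:
    """Tally failure reasons, e.g. to spot a burst of 'User unknown' bounces
    that may point at a misaddressed campaign or a directory harvest."""
    return Counter(f.reason for f in failures)


def recipients_by_message(failures: list[DeliveryFailure]) -> dict[str, list[str]]:
    """Group failed recipients under their message uid, preserving log order."""
    by_uid: dict[str, list[str]] = defaultdict(list)
    for f in failures:
        by_uid[f.uid].append(f.recipient)
    return dict(by_uid)


def filter_by_recipient(failures: list[DeliveryFailure], needle: str) -> list[DeliveryFailure]:
    """Case-insensitive substring match, mirroring the freeform search fields."""
    needle = needle.lower()
    return [f for f in failures if needle in f.recipient.lower()]


if __name__ == "__main__":
    found = parse_delivery_failures(SAMPLE_LOG)
    print(f"{len(found)} failure entries across {distinct_messages(found)} messages")
    for reason, n in failures_by_reason(found).most_common():
        print(f"{n:3d}  {reason}")
    for uid, rcpts in recipients_by_message(found).items():
        print(f"{uid}: {', '.join(rcpts)}")
```

On the sample this reports four failure entries belonging to three messages, because the two "User unknown" bounces share one uid, which is exactly how the search limit would count them.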
The Actions column indicates actions taken by the Scanner on messages, but does not indicate actions taken by administrators or users on messages. For example, if an administrator or user releases a message from Spam Quarantine, this activity is listed under Spam Quarantine, not Actions.

To search the message audit log and view message details
- In the Control Center, click Status > SMTP > Message Audit Logs.
- Select the Scanner whose logs you wish to search from the Host drop-down list, or select All Scanners.
- Complete the desired search criteria.
- Click Display Filtered. Use the Entries per page drop-down list to specify the number of records to show per page. Use the Display _ of _ drop-down list to choose a range of data to display.
- Click a message recipient in the To column to view processing details on that message.

To search the message audit log for content filtering incidents
- In the Control Center, click Status > SMTP > Message Audit Logs.
- Select the Scanner whose logs you want to search from the Host drop-down list, or select All Scanners.
- Choose a selection from the Mandatory filter drop-down list and enter an appropriate value in the Mandatory filter value field.
- Choose Action taken from the Optional filter drop-down list.
- Choose either Create an informational incident or Create a quarantine incident from the Optional filter value drop-down list.
- Click Display Filtered. Use the Entries per page drop-down list to specify the number of records to show per page. Use the Display _ of _ drop-down list to choose a range of data to display.
- Click a message recipient in the To column to view processing details on that message.

To view the TLS encryption delivery status of a message in the message audit log
- Locate the message in the message audit log.
- Expand Recipient data > Delivery.
- Click Details.