Recommendations for managing reports, logs, spam, and content incident folders in Messaging Gateway (SMG).
The different data and logs that SMG stores, and the part of the product each one relates to:
REPORTS DATA STORAGE
Where do I configure them?
Under Administration -> Settings -> Reports
Where is it stored?
All report data is stored temporarily on each Scanner and then imported into the Control Center database.
What is the purpose of storing extra status data?
Report data storage only affects specific reports; if you do not use those reports, you do not need to store the data for them. None of the summary reports, including the Executive Summary, need this data in order to work. Storing the extra statuses will in most cases add significant load to the Control Center database and to the data transmitted between the Scanners and the Control Center. If you need to store a specific status because of a reporting need, Symantec recommends storing it for a low number of days and scheduling the affected reports to be sent by email, so that you do not have to keep all the data in the Control Center and you still have a copy in email once the data is no longer in the Control Center.
What are the extra statuses available for storage?
Sender domains
Senders
Sender HELO domains
Sender IP connections
Recipient domains
Recipients
Invalid Recipients
What are the recommended settings for each status?
Leave each status unchecked unless you need its data for a specific report or feature. For example, probe accounts require Invalid Recipients logging if you plan to use invalid recipients with them.
LOGS
Where do I configure them?
Under Administration -> Settings -> Logs
Where is it stored?
All log data is stored temporarily on each Scanner and then imported into the Control Center database; if you use the remote logging option, it is also sent to a remote syslog server.
What is the purpose of storing these logs?
Log data helps identify issues within the different components. In some cases Technical Support may need Debug level logs, and this is where you change the level if needed.
For customers that have retention requirements for all component logs, we highly recommend remote logging to a syslog-ng server. For more information, see the following article: How to configure remote logging to a Syslog server on Symantec Brightmail Gateway
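As an added example (it is not from the original article and not Symantec's own configuration), the following is a minimal receiving-side syslog-ng configuration for the remote logging recommended above. It listens for the forwarded SMG component logs and writes them to one file per sending Scanner per day, which makes the retention period a simple file-age cleanup on the syslog host. The listening port, the UDP transport, the /var/log/smg directory, the file permissions and the syslog-ng version line are assumptions; match them to what you select on the SMG remote logging page and to the syslog-ng version you run.

```conf
# Added example, not Symantec's configuration. Assumptions: SMG forwards
# over UDP to port 514 (change transport/port to match the SMG remote
# logging settings) and /var/log/smg is the retention area on this host.
@version: 3.36

# Receive the forwarded component logs from every Scanner.
source s_smg {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# One file per sending host per day: retention becomes "remove files
# older than N days" under /var/log/smg, independent of the Control
# Center database limits.
destination d_smg {
    file("/var/log/smg/${HOST}/${YEAR}-${MONTH}-${DAY}.log"
         create-dirs(yes)
         dir-perm(0750)
         perm(0640)
         template("${ISODATE} ${HOST} ${PROGRAM}: ${MESSAGE}\n"));
};

log {
    source(s_smg);
    destination(d_smg);
};
```

Enforce the retention period with a scheduled file-age cleanup of /var/log/smg on the syslog host; the Database Log Storage Limits and the Log Expunger described below only govern the copy kept in the Control Center database.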
The Database Log Storage Limits, also on the logs configuration page, control how long log data is kept in the Control Center database and the maximum size it may use. We do not recommend retaining data for long periods in the Control Center database, as it can affect its overall performance.
The Log Expunger is the process that removes old data from the Control Center database according to this configuration; by default it runs every day at 02:00 AM.
Message Audit Logs are stored separately on each Scanner and, depending on traffic volume, can consume a lot of disk space. Symantec recommends watching the disk space to make sure you are not keeping too much data. If you want to track messages from the Control Center, you must enable these logs.
It is important to note that Message Audit Logs are not included in backups; they must be backed up separately on each Scanner using the command-line interface (CLI) tool mallog. For more information, see the following article: How to Backup Message Audit Logs
What are the components that you can configure using the Control Center?
Conduit
Brightmail Client
JLU Controller
Mail Transfer Agent
IM Relay
Directory Data Service
Content Filtering
Which other components can you configure using the command-line interface (CLI) only?
Control Center logs (cc-config)
Agent logs (agent-config)
What is the recommended setting for each component?
Warnings. Raise a component to Debug only while Technical Support needs it and set it back to Warnings afterwards, because Debug logging is verbose and increases the amount of data stored in and transferred to the Control Center.
SPAM QUARANTINE
Where do I configure it?
Under Spam -> Settings -> Quarantine Settings
Where is it stored?
Starting with version 9.0, spam messages are stored on disk with only a reference in the Control Center database; in earlier versions both the messages and their references were stored in the Control Center database.
What is the purpose of the Spam Quarantine?
The Spam quarantine serves to temporarily store Suspect Spam messages for evaluation.
NOTE: Symantec recommends that users delete Spam.
Which parameters can I configure to control the Spam Quarantine resources?
Under the Spam Quarantine Expunger you have access to the options that govern spam quarantine utilization:
Days to store in Quarantine before deleting
Quarantine Expunger frequency
Quarantine Expunger start time
Then you will also have thresholds that you can use to better manage the usage if needed:
Maximum size of Quarantine
Maximum size per user
Maximum number of messages
Maximum number of messages per user
NOTE: Symantec recommends using the first option (Days to store in Quarantine before deleting) as the main control. Thresholds are usually configured when you have end user quarantine enabled and want more granularity. Note that the first option always runs first, even when thresholds are configured. Symantec does not recommend running the expunger too frequently, because the quarantine listener is stopped while it runs and the MTA delivery queues grow temporarily; the more often you run the quarantine expunger, the more the queues grow. The default settings should work well for most deployments.
What is the recommended setting for the spam quarantine expunger?
The defaults should work well for most of the cases.
Days to store in Quarantine before deleting: 7 days
Quarantine Expunger Frequency: Every Day
Quarantine Expunger start time: 01:00 AM
All the thresholds are UNCHECKED by default.
CONTENT INCIDENT FOLDERS
Where do I configure them?
Under Content -> Settings -> Content Incident Folders
Where is it stored?
First, there are two types of incident folders: quarantine incident folders and informational incident folders. Quarantine incident folders need constant management, because each message must be either approved or rejected, whereas informational incident folders are used only for auditing purposes since they do not affect the flow of a message.
All messages are stored on disk in the Control Center and also have a reference in the Control Center database. For quarantine incident folders, messages that are approved or rejected may be sent back to the Scanner they originated from; for more information about the ports used, see the following article: Unable to release messages from Messaging Gateway's suspect virus, spam or content incident quarantine
What is the purpose of the Incident Folders?
Incident folders can be used for anything from a simple task such as auditing to a more complex one that needs further evaluation and approval by a security officer in the company.
Which parameters can I configure to control Incident folders resources?
A default content filtering expunge cycle always runs on all content incident folders. You can also configure specific expunger settings for each folder you create.
What is the recommended setting for the content incident folder expunger?
Incident expunger frequency: Every Day
Incident expunger start time: 04:00 AM
NOTE: Symantec recommends configuring the expunger setting for each folder to better control resources.