Disarm filtering of PDF attachments can increase message audit log disk usage


Article ID: 158502


Messaging Gateway


As part of "disarm" filtering in Symantec Messaging Gateway (SMG) 10.5 and later, fonts detected in PDF documents are logged in the Message Audit Logs (MAL). In some cases this may cause a significant increase in disk usage as the additional data is stored in MAL.


When enabling "disarm" filtering in SMG 10.5 and later, it is important to understand the impact this will have on disk utilization. Each font definition stored in the audit logs is approximately 30 bytes. A single PDF attachment can have multiple font definitions, so a conservative estimate of three font definitions per PDF document results in a storage increase of 90 bytes per PDF attachment. While this is not a large increase in storage, it is incurred for every PDF attachment. Different installations have different mail flow rates and compositions, so the total increase can range from trivial, where disarm is not used or few messages contain PDF attachments, to significant, where large numbers of messages contain multiple PDF attachments. It is recommended that Alerts be configured for low disk space, at least initially, via the following steps:

  1. Log in to the control center as an administrator
  2. Go to Administration->Alerts
  3. Select the "Disk Space" tab
  4. Check the "Available disk space less than" checkbox
  5. Leave the disk usage at 1GB or set to your preferred tolerance
  6. Click "Save"

Audit log data is stored on the scanner hosts rather than in the control center database, so total audit log disk usage is distributed across all scanner hosts.

Viewing MAL disk usage from the CLI

Audit log files and their sizes can be listed via the scanner command line interface (CLI) using the `list` command. While this does not provide a simple summary of disk usage specific to MAL, the output can be imported into any standard spreadsheet to summarize total audit log disk usage.

vm-sbg> list -t | grep audit
       16384 /data/logs/scanner/audit_mta_log201310090000.idx
       16384 /data/logs/scanner/audit_mta_log201310060000.idx
       16384 /data/logs/scanner/audit_mta_log201310080000.idx
       16384 /data/logs/scanner/audit_mta_log201310070000.idx
       16384 /data/logs/scanner/audit_mta_log201310040000.idx
       16384 /data/logs/scanner/audit_mta_log201310050000.idx
       15541 /data/logs/scanner/audit_mta_log201310070000.lzm
       15541 /data/logs/scanner/audit_mta_log201310090000.lzm
       15541 /data/logs/scanner/audit_mta_log201310050000.lzm
       15541 /data/logs/scanner/audit_mta_log201310040000.lzm
       15538 /data/logs/scanner/audit_mta_log201310060000.lzm
       15490 /data/logs/scanner/audit_mta_log201310080000.lzm
        8746 /data/logs/scanner/audit_mta_log201310100000.lzm
        8417 /data/logs/scanner/audit_mta_log201310030000.lzm
        8192 /data/logs/scanner/audit_mta_log201310100000.idx
        8192 /data/logs/scanner/audit_mta_log201310030000.idx
        7267 /data/logs/scanner/audit_mta_log201310100000
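As an alternative to a spreadsheet, the saved `list -t | grep audit` output can be totalled with a short script run off the appliance. This is an added example, not part of the original article or of SMG; the function names are hypothetical, and it assumes the file naming shown in the listing above (`audit_mta_log` followed by a date and time stamp).

```python
import re
from collections import defaultdict

# Sample input: a few lines copied from the listing shown in this article.
SAMPLE = """\
       16384 /data/logs/scanner/audit_mta_log201310090000.idx
       15541 /data/logs/scanner/audit_mta_log201310090000.lzm
        8746 /data/logs/scanner/audit_mta_log201310100000.lzm
        8192 /data/logs/scanner/audit_mta_log201310100000.idx
        7267 /data/logs/scanner/audit_mta_log201310100000
"""

# Size in bytes, then a path ending in audit_mta_log<YYYYMMDD><HHMM>[.ext]
LINE = re.compile(r"^\s*(\d+)\s+\S*/audit_mta_log(\d{8})\d{4}(\.\w+)?\s*$")

def summarize(listing):
    """Return (total_bytes, bytes_by_day, bytes_by_kind) for audit log lines."""
    total, by_day, by_kind = 0, defaultdict(int), defaultdict(int)
    for line in listing.splitlines():
        m = LINE.match(line)
        if not m:  # skip the CLI prompt line, blank lines and other files
            continue
        size, day, kind = int(m.group(1)), m.group(2), m.group(3) or "(none)"
        total += size
        by_day[day] += size
        by_kind[kind] += size
    return total, dict(by_day), dict(by_kind)

def font_overhead(pdfs_per_day, fonts_per_pdf=3, bytes_per_font=30):
    """Daily MAL growth from font logging, using the article's estimate
    of three font definitions per PDF at roughly 30 bytes each."""
    return pdfs_per_day * fonts_per_pdf * bytes_per_font

if __name__ == "__main__":
    total, by_day, by_kind = summarize(SAMPLE)
    print(f"total audit log bytes: {total}")
    for day in sorted(by_day):
        print(f"  {day}: {by_day[day]}")
    for kind, size in sorted(by_kind.items()):
        print(f"  {kind}: {size}")
    # 50,000 PDF attachments per day is a constructed figure, not from the article.
    print(f"estimated font logging per day: {font_overhead(50_000)} bytes")
```

Because audit logs are stored per scanner, run the summary on the listing from each scanner host and add the totals.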