As part of "disarm" filtering in Symantec Messagin Gateway (SMG) 10.5 and later, fonts detected in PDF documents are logged as part of the Message Audit Logs (MAL). In some cases this may cause a significant increase in disk usage as the additional data is stored in MAL.
When enabling "disarm" filtering in SMG 10.5 and later, it is important to understand the impact this will have on disk utilization. Each font definition stored in the audit logs is approximately 30 bytes. A single PDF attachment can have multiple font definitions so a conservative estimate of three font definitins per PDF document results in a storage increase of 90 bytes per PDF attachment. While this is not a large increase in storage, it is measured on a per-PDF attachment basis. Different installations will have different mail flow rates and compositions so the total increase can range from trivial where disarm is not used or few messages contain PDF attachments to significant where large numbers of messages contain multiple PDF attachments. It is recommended that Alerts be configured for low disk space, at least initially, via the following steps:
Audit log data is stored on the scanner hosts rather than in the control center database and so total audit log disk usage will be distributed across all scanner hosts.
Viewing MAL disk usage from the CLI
Audit log files and their file size can be listed via the scanner command line interface (CLI) using the `list` command. While this does not provide a simple summary of disk usage specific to MAL it can be imported into any standard spreadsheet to summarize total audit log disk usage.
16384 /data/logs/scanner/audit_mta_log201310090000.idx
16384 /data/logs/scanner/audit_mta_log201310060000.idx
16384 /data/logs/scanner/audit_mta_log201310080000.idx
16384 /data/logs/scanner/audit_mta_log201310070000.idx
16384 /data/logs/scanner/audit_mta_log201310040000.idx
16384 /data/logs/scanner/audit_mta_log201310050000.idx
15541 /data/logs/scanner/audit_mta_log201310070000.lzm
15541 /data/logs/scanner/audit_mta_log201310090000.lzm
15541 /data/logs/scanner/audit_mta_log201310050000.lzm
15541 /data/logs/scanner/audit_mta_log201310040000.lzm
15538 /data/logs/scanner/audit_mta_log201310060000.lzm
15490 /data/logs/scanner/audit_mta_log201310080000.lzm
8746 /data/logs/scanner/audit_mta_log201310100000.lzm
8417 /data/logs/scanner/audit_mta_log201310030000.lzm
8192 /data/logs/scanner/audit_mta_log201310100000.idx
8192 /data/logs/scanner/audit_mta_log201310030000.idx
7267 /data/logs/scanner/audit_mta_log201310100000