Retrieve all messages for a specific time frame with malquery

Article ID: 162333

Products

Messaging Gateway

Issue/Introduction

You want to retrieve all message audit logs for a specific time frame from Symantec Messaging Gateway (SMG).

Cause

This is not possible on a high-traffic system because the Message Audit Log (MAL) is limited to 1,000 returned messages.

Resolution

It is possible to retrieve a very high number of MAL entries from the command line with the malquery command.

malquery has the following syntax:

  • malquery (-l start,end | -g start,end | -s start [ -n end] | -p range) (-a aid [-a aid ...] | -e event[,arg_num]<=|*>string [-e ...] | -q event[,arg_num]<=|*>quoted-printable-string [-q ...]) [-m max_results] [-I index_max] [-o url] [-v]

The output format of malquery is XML, so you can send it to an FTP server, import it into a database, and continue working with it there.
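One way to do the database import described above, as an added example that is not part of the original article or Symantec's tooling: it streams the XML into SQLite without assuming the malquery schema, so a very large result file does not have to fit in memory. The sample document, its element names, and the table name `mal` are constructed placeholders, not real malquery output.

```python
import json
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample: element and attribute names are placeholders,
# NOT the real malquery schema. One value carries SQL metacharacters.
SAMPLE = b"""<results>
<record id="a1"><field name="x">one</field><field name="y">O'Brien; DROP</field></record>
<record id="a2"><field name="x">two</field></record>
</results>"""


def flatten(elem):
    """Flatten one record into {path: [values]} without knowing the schema."""
    out = {}

    def walk(node, path):
        for key, value in node.attrib.items():
            out.setdefault(f"{path}@{key}", []).append(value)
        text = (node.text or "").strip()
        if text:
            out.setdefault(path, []).append(text)
        for child in node:
            walk(child, f"{path}/{child.tag}")

    walk(elem, elem.tag)
    return out


def load(stream, db):
    """Stream each direct child of the root into SQLite; return the row count."""
    db.execute("CREATE TABLE IF NOT EXISTS mal (seq INTEGER PRIMARY KEY, tag TEXT, data TEXT)")
    depth, count, root = 0, 0, None
    for event, elem in ET.iterparse(stream, events=("start", "end")):
        if event == "start":
            root = elem if root is None else root
            depth += 1
            continue
        depth -= 1
        if depth == 1:  # an element directly under the root just closed
            # Parameterized insert: audit-log fields are sender-controlled text.
            db.execute("INSERT INTO mal (tag, data) VALUES (?, ?)",
                       (elem.tag, json.dumps(flatten(elem))))
            count += 1
            root.clear()  # drop the processed record so memory stays bounded
    db.commit()
    return count
```

To load a file fetched from the FTP server, open it in binary mode and pass it to `load()` together with a `sqlite3` connection.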

A suggestion for a daily (scripted) retrieval for all messages would be:

  • malquery -p 1d -e "RCPTS*@" -m 1000000000 -o ftp://user:password@<ipofyourftpserver>/path/filename

If you want all messages and all attempted connections:

  • malquery -p 1d -q "ACCEPT*." -m 1000000000 -o ftp://user:password@<ipofyourftpserver>/path/filename

For the retrieval of all messages with attachments, an example could be:

  • malquery -p 1d -q "ATTACH*." -m 1000000000 -o ftp://user:password@<ipofyourftpserver>/path/filename

Retrieving all messages that permanently failed in the last day:

  • malquery -p 1d -q "DELIVERY_FAILURE*." -m 1000000000 -o ftp://user:password@<ipofyourftpserver>/path/filename