How to use the command line "malquery" tool

Article ID: 177259

Products

Messaging Gateway

Issue/Introduction

Message Audit Logs (MAL) from Messaging Gateway (SMG) need to be bulk exported, or a query needs to be run that is expected to return more than the 1000-results-per-scanner limit imposed by the Control Center GUI.

Environment

Messaging Gateway

Cause

MAL queries run from the SMG Control Center Status > Message Audit Logs page are limited to 1000 results per scanner.

Resolution

To address the limitations on storage and retrieval size for the Message Audit Logs, it is highly recommended to use remote logging to send the Message Audit Logs to an external syslog service such as a SIEM. The following articles will help with configuring and using remote logging:

Another option is to use the "malquery" command. The command line (CLI) malquery command may be used to generate query results with an arbitrary limit, or no limit at all, on the number of results. When running malquery from the SMG admin CLI, only the local scanner is queried, so if multiple scanners need to be queried the command would need to be run on each SMG scanner.

Usage:
malquery -l <start time YYYYMMDDHHMM>,<end time YYYYMMDDHHMM>
         -g <start time UTC>,<end time UTC>
         -u <uid> [-u <uid> ... ]
         -e <event name[,arg #]><=|*><string> [-e <event name[,arg #]><=|*><string> ... ]
         [-m #] [-o <filename>] [-d] [-v]

Example:
> malquery -l YYYYMMDDHHMM,YYYYMMDDHHMM -e RCPTS="[email protected]"

Where YYYYMMDDHHMM should be replaced with the start and end time for the search; for example, choose yesterday and today as the days. Example: 200803140000 for midnight on 14th March 2008.

When searching for an entire domain ("*@example.com"), you must use the comma, as shown in the following example:
> malquery -l YYYYMMDDHHMM,YYYYMMDDHHMM -e RCPTS,*@example.com

Here is an example of a search for the email sender:
> malquery -l YYYYMMDDHHMM,YYYYMMDDHHMM -e SENDER,*@example.com

For Symantec Brightmail Gateway versions 7.7 and later

Usage:
malquery (-l start,end | -g start,end)
(-u uid [-u uid ...] | -e event[,arg_num]<=|*>string [-e ...]
| -q event[,arg_num]<=|*>quoted-printable-string [-q ...])
[-m max_results] [-i index_max] [-o output_file] [-d] [-v]


-l start,end Date range to search. Dates in the form YYYYMMDDhhmm
(e.g. July 4, 2008, 11:59 PM = 200807042359). Start and end
date are separated by a comma with no space.

-g start,end GMT date range to search, in Unix time; i.e. seconds since
1 Jan 1970 00:00 (e.g. July 4, 2008, 11:59 PM = 1215212340).
Start and end date are separated by a comma with no space.

-u uid Find the email message with the specified Audit ID (uid).

-e ... Find email messages containing events matching the specified
criterion. Examples:
-e [email protected] -- recipient specified
-e SUBJECT*"my flowers" -- subject contains 'my flowers'

-q ... Find email messages containing events matching the specified
criterion in quoted-printable encoding. Example:
-q SUBJECT*"red =3D rose" -- subject contains 'red = rose'

-m max_results Maximum number of messages to return. The default is 1000.

-i index_max The index (.idx file) will be used if the number of matching
results is less than or equal to index_max. Otherwise, the
index will be ignored. The default for index_max is 1000.
This option exists because looking up large numbers of
events in the index can actually be more time consuming than
searching the flat file.

-o file Output matching results to the specified file.

-d Distributed option. The behavior of this option is
undocumented.

-v Enable verbose mode (i.e. debug logging).

Example:
> malquery -l 200807040000,200807090000 -e [email protected] -e SUBJECT*"check this out" -m 500 -o /tmp/results.xml
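The following helper is an added example, not part of the KB article or the SMG product: it assembles a malquery command line from the option grammar above (date range as -l in YYYYMMDDhhmm form or -g in Unix time, -e criteria using the "=" and "*" operators, -m and -o) and, because malquery only sees the local scanner, fans the same query out to a list of scanners over ssh. The scanner host names, the "admin" ssh user and the pluggable runner are assumptions for illustration.

```python
import shlex
import subprocess
from datetime import datetime

def malquery_argv(start, end, criteria, max_results=None, output=None, use_gmt=False):
    """Build argv for malquery.

    criteria: list of (event, op, value) tuples; op is '=' (exact match)
    or '*' (contains), as in the usage text. Timezone-aware datetimes are
    required so that -g (Unix time, GMT) is unambiguous; -l is rendered
    from the datetime exactly as given (YYYYMMDDhhmm).
    """
    if start.tzinfo is None or end.tzinfo is None:
        raise ValueError("start/end must be timezone-aware datetimes")
    if end <= start:
        raise ValueError("end must be after start")
    if use_gmt:
        argv = ["malquery", "-g", f"{int(start.timestamp())},{int(end.timestamp())}"]
    else:
        argv = ["malquery", "-l", f"{start:%Y%m%d%H%M},{end:%Y%m%d%H%M}"]
    for event, op, value in criteria:
        if op not in ("=", "*"):
            raise ValueError(f"operator must be '=' or '*', got {op!r}")
        argv += ["-e", f"{event}{op}{value}"]
    if max_results is not None:
        argv += ["-m", str(max_results)]
    if output:
        argv += ["-o", output]
    return argv

def query_scanners(scanners, argv, user="admin", run=None):
    """Run the same query on each scanner; returns {host: (rc, stdout)}.

    `run(host, cmd)` defaults to ssh (assumed admin CLI access); tests
    inject a fake runner so nothing is executed remotely.
    """
    if run is None:
        def run(host, cmd):  # assumption: ssh key auth as `user` on each scanner
            p = subprocess.run(["ssh", f"{user}@{host}", cmd],
                               capture_output=True, text=True)
            return p.returncode, p.stdout
    cmd = shlex.join(argv)  # quote values containing spaces or '*' for the remote shell
    return {host: run(host, cmd) for host in scanners}
```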