About message audit logging


Article ID: 179052


Updated On:


Messaging Gateway




Symantec Messaging Gateway provides a message auditing component that lets you search for messages and find out what has happened to them. When enabled, the Message Audit Log provides administrators with a trail of detailed information about every message that has been accepted and processed by a Scanner. Auditing information is used to track what decisions were made within a single Scanner framework. The Message Audit Log is not intended to replace debug or information level logging. Unlike standard Scanner logging, the Message Audit Log provides information specifically associated with a message.


Log entries for messages are created after all policy actions applicable to a message have taken place. Because some actions, like Forward a copy of the message and Add BCC recipients, modify the envelope, it can be difficult to distinguish between the original and later email recipients.


Messages that are rejected by the Spam Quarantine because they exceed the size limit appear in the Message Audit Log with no indication of the rejection. Instead, the rejection is recorded in the BrightmailLog.log file with the associated Audit ID that matches the entry in the Message Audit Log.

See Viewing the Control Center error log.

Symantec Messaging Gateway supports TLS encryption.

For a description of the logged information, see the search instructions.

See Searching for a message in the Message Audit Log.


The Message Audit Log provides information on each message received by each recipient. For example, if the same message is received by 10 recipients, you see 10 entries in the Message Audit Log. The number of messages that a query can return is limited to 1,000. However, to reach this limit Symantec Messaging Gateway counts multiple entries for the different recipients of the same message as one message.

Enabling message audit logging results in approximately 800 bytes of audit logs per message. Message audit logging can cause performance and storage problems if your site receives more than 1,000,000 messages per day.

Audit logs older than the current day are rolled over to a filename appended with the local date in the form yyyymmdd. Audit logs older than the default retention period of two days are deleted.