Searching for a message in the Message Audit Log

Article ID: 179055

Products

Messaging Gateway

Resolution

The Message Audit Log includes a query facility that lets you search the log for the messages that meet the criteria you specify.

The Status > SMTP > Message Audit Logs page enables you to specify either one or two criteria and related supplementary information as follows:

Host

One or more Scanners running the Symantec Messaging Gateway software. In order to find all details about a message, search on all attached Scanners.

Time range

Period of time for the search to query the audit log. While it is possible to search for longer periods, it is recommended that message searches not exceed one week.

Mandatory filter

Select the type of information for filtering messages. See Table: Choices for the mandatory search criteria.

Mandatory filter value

Enter a string that corresponds to the Mandatory filter type you selected. For example, if you chose to filter messages by sender, enter a valid email address here.

Optional filter

Select from the list of optional filtering criteria. See Table: Choices for the optional search criteria.

Optional filter value

If appropriate, enter a string or choose a value that corresponds to the Optional filter type you selected. For example, if you chose to filter messages by Connection IP, enter a valid IP address here. Or, if you choose to filter messages by Action taken, select the action for which you want to find messages.

Clear Filters

Clear the current filtering criteria from memory.

Display Filtered

Search for and display messages that fit your criteria.

Table: Choices for the mandatory search criteria describes the items you can choose for your single required filter.

Table: Choices for the mandatory search criteria

Criteria

Description

Sender

Name of the message sender. Specify <> to filter for messages that do not contain Sender names.

Recipient

Name of the message recipient.

Subject

Message subject.

Audit ID

Unique identifier generated by Symantec Messaging Gateway and included as a message header.

Connection IP

IP address of the connecting server. In cases where Symantec Messaging Gateway rejects an IP connection, this results in a row with the sender identified as none. Message details consist of the IP address and the reason for rejection. Symantec Messaging Gateway supports IPv4 addresses and IPv6 addresses.

Logical IP

Logical IP address of the connecting server.

The logical connection IP is used for deployments in which internal mail servers forward messages to the Symantec Messaging Gateway server. The logical connection IP address is the address of the first non-internal server connection.

The logical connection IP address is derived from the "Received:" headers of the message content. Symantec Messaging Gateway uses this IP address for filtering purposes. Based on your deployment, this address may be identical to the "Accepted from" IP address.

When you select Logical IP, you may specify IPv4 addresses, IPv6 addresses, or IPv6 CIDR ranges. CIDR ranges are only accepted where the prefix is a multiple of 4.

Table: Choices for the optional search criteria describes the items you can choose for your single optional filter.

Table: Choices for the optional search criteria

Criteria

Description

Sender

Name of the message sender. Specify <> to filter for messages that do not contain Sender names.

Authenticated sender

Name of an authenticated sender.

Recipient

Name of the message recipient.

Subject

Message subject.

Message ID

Unique identifier typically generated by the email software initiating the sending of the message and included as a message header. Spammers have used this header to mask the identity of a message originator.

Verdict

The verdict and/or other characteristics of a message. When this filter option is selected, a list of possible verdicts appears in the Optional filter value drop-down list. Use these values to filter messages that resulted in a given verdict. For example, you can set the Optional filter value to The message is a newsletter.

Untested verdict

An available verdict for which the Scanner did not test. A drop-down list of verdict choices is provided.

Action taken

What happened to the message. When this filter option is selected, a list of possible actions appears in the Optional filter value drop-down list. Use these values to filter messages that triggered policies that applied the given action.

If you select Reject message from the Optional filter value drop-down list, the reason for rejection appears in the message detail:

  • Rejected message for a nonlocal recipient

  • Rejected message for exceeding size limit

  • Rejected message by MTA

  • Reject messages failing bounce attack validation

  • Reject invalid recipients

  • All recipients are invalid

Connection IP

Connection IP used to receive the message.

Symantec Messaging Gateway supports IPv4 addresses and IPv6 addresses.

Logical IP

Logical IP address of the connecting server.

The logical connection IP is used for deployments in which internal mail servers forward messages to the Symantec Messaging Gateway server. The logical connection IP address is the address of the first non-internal server connection.

The logical connection IP address is derived from the "Received:" headers of the message content. Symantec Messaging Gateway uses this IP address for filtering purposes. Based on your deployment, this address may be identical to the "Accepted from" IP address.

When you select Logical IP, you may specify IPv4 addresses, IPv6 addresses, or IPv6 CIDR ranges. CIDR ranges are only accepted where the prefix is a multiple of 4.

Target IP

IP address of the message destination.

Policy group

Name of the group (either the recipient's group or the sender's group) that determined which filter policy applied to the message.

Filter policy

Name of the filter policy applied to the message.

Virus

Name of the virus attached to the message.

Attachment

Name of a message attachment.

Suspect attachment

Name of a message attachment that triggered a content filtering policy.

Reason for unscannable verdict

Reason that the message matched the "If a message is unscannable for malware and content filtering for any reason" condition. A drop-down list of unscannable reasons is provided.

Source

Whether the message is internal or external.

Disarmed content

Whether the message's attachments contain potentially malicious content.
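The Logical IP entries in both tables above describe how the logical connection IP is derived from the "Received:" headers (the first hop that is not one of your internal relays) and which filter values the field accepts. The Python below is an added example of that rule, not Symantec code; the internal network ranges, the sample headers and the helper names are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption (constructed): internal relays that forward mail to the gateway.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "2001:db8:1::/48")]
# Bracketed address in a Received: header, e.g. "[203.0.113.7]" or "[IPv6:2001:db8::1]".
_ADDR_RE = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")

def received_ips(headers):
    """IPs from Received: headers in header order, i.e. newest hop first."""
    ips = []
    for name, value in headers:
        if name.lower() != "received":
            continue
        m = _ADDR_RE.search(value)
        if m:
            try:
                ips.append(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue  # bracketed text was not an address; skip this hop
    return ips

def logical_ip(headers, internal_nets=INTERNAL_NETS):
    """First hop, newest to oldest, outside internal_nets; None if all hops are internal."""
    for ip in received_ips(headers):
        if not any(ip in net for net in internal_nets):
            return ip
    return None

def valid_logical_ip_filter(value):
    """Accept one IPv4/IPv6 address, or an IPv6 CIDR whose prefix length is a
    multiple of 4 (the Logical IP rule stated on the page)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False
    return net.version == 6 and net.prefixlen % 4 == 0

# Constructed sample: the gateway accepted the message from an internal relay,
# which got it from an external partner host, so the logical IP is the partner's.
SAMPLE_HEADERS = [
    ("Received", "from relay.internal.example ([10.1.2.3]) by smg.example"),
    ("Received", "from mail.partner.example ([203.0.113.7]) by relay.internal.example"),
    ("Subject", "Quarterly report"),
]
```

In this sample the "Accepted from" address would be 10.1.2.3 (the newest hop) while the logical IP is 203.0.113.7, which is the distinction the tables describe.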

While searching, the following rules are used:

  • No more than 1,000 messages are allowed per search on each Scanner being searched.

  • Free-form text fields are case-insensitive substring searches.

Note:

The Message Audit Log provides information on each message received by each recipient. For example, if the same message is received by 10 recipients, you see 10 entries in the Message Audit Log. To reach the limit of 1,000 messages returned, Symantec Messaging Gateway counts multiple entries for the different recipients of the same message as one message.

Email messages that fail delivery are tracked as delivery failures in the Message Audit Log. For example, messages to non-existent users that bounce are considered delivery failures. Delivery failures are indicated with a Delivery Failure heading on the Audit Logs page in the Delivery section. In addition to being indicated on the Audit Logs page, undelivered messages are logged with the DELIVERY_FAILURE audit log event. DELIVERY_FAILURE events are logged in the following format: utc|uid|DELIVERY_FAILURE|recipient|reason

The Actions column indicates actions taken by the Scanner on messages, but does not indicate actions taken by administrators or users on messages. For example, if an administrator or user releases a message from Spam Quarantine, this activity is listed under Spam Quarantine, not Actions.
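The search rules and the DELIVERY_FAILURE line format above can be exercised against sample data. The Python below is an added example, not product code: it applies the case-insensitive substring rule, counts all recipients of one message (same uid) as a single message toward the 1,000-per-Scanner cap, and parses lines in the utc|uid|DELIVERY_FAILURE|recipient|reason layout; the uid values, addresses and log lines are constructed.

```python
MAX_MESSAGES_PER_SCANNER = 1000  # per-Scanner cap stated on the page

def parse_line(line):
    """Split one utc|uid|EVENT|recipient|reason line; None if malformed."""
    parts = line.rstrip("\n").split("|", 4)  # maxsplit keeps any '|' inside reason
    if len(parts) != 5:
        return None
    return dict(zip(("utc", "uid", "event", "recipient", "reason"), parts))

def matches(entry, field, value):
    """Free-form text filters are case-insensitive substring matches."""
    return value.lower() in entry[field].lower()

def search(lines, field, value, limit=MAX_MESSAGES_PER_SCANNER):
    """Matching entries grouped by uid. Rows for further recipients of a message
    already collected are kept; a new uid is dropped once `limit` distinct
    messages have been collected, so the cap counts messages, not rows."""
    hits = {}
    for line in lines:
        entry = parse_line(line)
        if entry is None or not matches(entry, field, value):
            continue
        if entry["uid"] not in hits and len(hits) >= limit:
            continue
        hits.setdefault(entry["uid"], []).append(entry)
    return hits

def delivery_failures(hits):
    """(recipient, reason) for every DELIVERY_FAILURE row in the result."""
    return [(e["recipient"], e["reason"])
            for rows in hits.values() for e in rows
            if e["event"] == "DELIVERY_FAILURE"]

# Constructed sample lines (timestamps, uids, addresses and reasons are made up).
# The first two rows are one message addressed to two recipients.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z|msg-0001|DELIVERY_FAILURE|alice@example.com|550 5.1.1 user unknown
2024-05-01T10:00:01Z|msg-0001|DELIVERY_FAILURE|bob@Example.com|550 5.1.1 user unknown
2024-05-01T10:00:02Z|msg-0002|DELIVERY_FAILURE|carol@partner.example|451 4.4.1 connection timed out
2024-05-01T10:00:03Z|msg-0003|DELIVERY_FAILURE|dave@example.com|550 5.7.1 relaying denied
garbage line without separators
""".splitlines()
```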

To search the message audit log and view message details

  1. In the Control Center, click Status > SMTP > Message Audit Logs.

  2. Select the Scanner whose logs you wish to search from the Host drop-down list, or select All Scanners.

  3. Complete the desired search criteria.

  4. Click Display Filtered.

    Use the Entries per page drop-down list to specify the number of records to show per page. Use the Display _ of _ drop-down list to choose a range of data to display.

  5. Click a message recipient in the To column to view processing details on that message.

To search the message audit log for content filtering incidents

  1. In the Control Center, click Status > SMTP > Message Audit Logs.

  2. Select the Scanner whose logs you want to search from the Host drop-down list, or select All Scanners.

  3. Choose a selection from the Mandatory filter drop-down list and enter an appropriate value in the Mandatory filter value field.

  4. Choose Action taken from the Optional filter drop-down list.

  5. Choose either Create an informational incident or Create a quarantine incident from the Optional filter value drop-down list.

  6. Click Display Filtered.

    Use the Entries per page drop-down list to specify the number of records to show per page. Use the Display _ of _ drop-down list to choose a range of data to display.

  7. Click a message recipient in the To column to view processing details on that message.

To view the TLS encryption delivery status of a message in the message audit log

  1. Locate the message in the message audit log.

  2. Expand Recipient data > Delivery.

  3. Click Details.

See About message audit logging.

See How the Message Audit Log helps to fine-tune and troubleshoot content filtering policies.