Symantec Messaging Gateway provides a message auditing component that lets you search for messages and find out what has happened to them. When enabled, the Message Audit Log provides administrators with a trail of detailed information about every message that has been accepted and processed by a Scanner. Auditing information is used to track what decisions were made within a single Scanner framework. The Message Audit Log is not intended to replace debug or information level logging. Unlike standard Scanner logging, the Message Audit Log provides information specifically associated with a message.
Log entries for messages are created after all policy actions applicable to a message have taken place. Because some actions, like Forward a copy of the message and Add BCC recipients, modify the envelope, it can be difficult to distinguish between the original and later email recipients.
Messages that are rejected by the Spam Quarantine because they exceed the size limit appear in the Message Audit Log with no indication of the rejection. Instead, the rejection is recorded in the BrightmailLog.log file with the associated Audit ID that matches the entry in the Message Audit Log.
The Message Audit Log provides information on each message received by each recipient. For example, if the same message is received by 10 recipients, you see 10 entries in the Message Audit Log. The number of messages that a query can return is limited to 1,000. However, to reach this limit Symantec Brightmail Gateway counts multiple entries for the different recipients of the same message as one message.
This limitation does not apply on the Command Line Interface. If there is a requirement to obtain more than 1,000 messages from the Message Audit Log then it is possible to use the command "malquery". For more information, please visit "How to use the CLI tool "malquery" on a Symantec Brightmail Gateway Appliance / Virtual Edition".
Enabling message audit logging results in approximately 800 bytes of audit logs per message. Message audit logging can cause performance and storage problems if your site receives more than 1,000,000 messages per day.