How to administer log settings on Symantec Brightmail Gateway


Article ID: 180040


Products

Messaging Gateway

Issue/Introduction

 

Resolution

You can administer the log settings in the Control Center: Administration / Logs (in the left panel).

Table: Components for local and remote logging

| Log component | Description |
| --- | --- |
| Conduit | Retrieves the antispam rules from Symantec Security Response through secure HTTPS file transfer. Conduit authenticates antispam rules and alerts the Brightmail Engine to their presence. Conduit manages statistics for use by Symantec Security Response and by Symantec Brightmail Gateway to compile reports. |
| Brightmail Client | Receives the email from the MTA and communicates with the Brightmail Engine to provide message filtering. |
| Brightmail Engine | Scans the email, email attachments, and file transfers for viruses, spam, and content filtering according to the filter policies that you have configured. |
| JLU Controller | Automatically downloads virus definitions from Symantec Security Response to the Scanner. The Scanner's Brightmail Engine uses this information to identify known security threats. |
| Mail Transfer Agent | Routes the inbound messages and outbound messages to the Brightmail Engine for processing and delivers filtered messages to their internal destinations or to remote destinations. The remote syslog facility setting is not available for the Mail Transfer Agent because it always logs messages to the mail facility. The MTA log is the same as the maillog log file that is accessible using the tail command. |
| IM Relay | Scans instant messages and attachments for spim and viruses according to the filtering policies and IM network access policies that you have configured. |
| Directory Data Service | Monitors the directory data service. |
| Content Filtering | Detects content filtering violations in email with custom and predefined filters and acts on matching messages using policies. This component is only available for local logs, not remote syslog. Symantec Network Prevent log data is not included. |
| Message Audit Logs | Detailed information about every message that Scanners accept and process. The log level setting is not available for message audit logs. |

 

Table: Log levels for local and remote logging

| Log level | Description |
| --- | --- |
| Errors | Provides the most urgent information. This level provides the least amount of log information. |
| Warnings | Provides warning information and all Errors level data. This level is the default log level for all Scanner components (local and remote). |
| Notices | Provides information about normal but significant conditions and Warnings and Errors level data. |
| Information | Provides informational messages and Warnings, Errors, and Notices data. |
| Debug | Provides debugging information and Warnings, Errors, Notices, and Information data. This level provides the greatest amount of log information. Warning: Consult Symantec Technical Support before you use this log level. The amount of log data that is recorded can seriously affect the performance of Symantec Brightmail Gateway. |


Table: Log Settings page - Local

| Item | Description |
| --- | --- |
| Enable local logs for components of the following host | Choose the Scanner for which you want to enable or disable logging and configure log behavior. |
| Component Local Log Levels | See Table: Components for local and remote logging and Table: Log levels for local and remote logging on this page for more information. |
| Content Filtering Local Log Thresholds | See Table: Components for local and remote logging and Table: Log levels for local and remote logging on this page for more information. |
| Apply these Local Log Levels to all hosts | Apply these local log settings to all Symantec Brightmail Gateway Scanners in your system. In general, keeping the log settings consistent is recommended. |
| Maximum log size | Maximum size for all logs. |
| Days to store log data before deleting | Retention period for logs. |
| Log Expunger frequency | Frequency for flushing logs. |
| Log Expunger start time | Start time for flushing logs. |
| Enable message logs | Select this option to trace all messages through the mail flow. |
| Days to store log data before deleting | Retention period for the message audit logs. Message log data can consume a large amount of hard disk space on Symantec Brightmail Gateway. Typically each message requires 1 - 2 KB of message audit log data. If you must retain message logs for long periods, consider sending message logs to a remote syslog. |
| Maximum number of log data to be retrieved | Set the maximum lines of message audit data to be retrieved on the Message Audit Logs page in the Control Center. If you set a higher value, the page searches additional older data. If you set a lower value, searches run faster. |
| Enable error-level help links in log descriptions | Select this option to display a question mark icon next to error-level Scanner log events on the Status > System > Logs page. Click the icon to display a Web page that contains more information about the error if information is available. Symantec tracks the error information requests and adds new error information continually. If you block Internet access to the Control Center, uncheck this option to prevent display of the links. |
| Save | Save the changes that you made on this page. You may be prompted to restart log components. Click Restart Now to save changes and restart log components. Click Restart Later to save changes but not restart log components. Click Cancel to discard changes. If you choose Restart Later, the changes do not take effect until the log component is manually restarted. |
| Cancel | Discard the changes that you made on this page. |


Table: Log Settings page - Remote

| Item | Description |
| --- | --- |
| Enable Syslogs for the following host | Symantec Brightmail Gateway Scanner from which to send log data to the remote syslog. Ensure that the remote syslog is configured to match the settings on this page. |
| Host | The remote syslog server's IP address. |
| Port | The port on the remote syslog server that handles log data. Port 514 is the customary port for inbound and outbound syslog data. |
| Protocol | The protocol to use to send logs to the remote syslog server: UDP or TCP. Historically, UDP has been used for syslog, but TCP is a more reliable protocol. |
| Component Remote Log Levels | See Table: Components for local and remote logging and Table: Log levels for local and remote logging on this page for more information. |
| Facility | Facility to which to route log data on the remote syslog. |
| Enable message logs | Send message logs to the remote syslog. |
| Message log facility | The facility on the remote syslog where message audit logs are written. |
| Apply these Remote Logging settings to all hosts | Apply these remote log settings to all Symantec Brightmail Gateway hosts in your system. |
| Save | Save the changes that you made on this page. You may be prompted to restart log components. Click Restart Now to save changes and restart log components. Click Restart Later to save changes but not restart log components. Click Cancel to discard changes. If you choose Restart Later, the changes do not take effect until the log component is manually restarted. |
| Cancel | Discard the changes that you made on this page. |


If you enable remote logs, log data for some standard UNIX log components are also sent to the remote syslog. The following log components from the selected Scanner are also sent to the remote syslog:

  • messages

  • secure

  • cron

  • boot.log

Log data for these components are sent to the standard syslog facility on the remote syslog. Log levels for these components cannot be configured.
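To check on the receiving server that forwarded lines match the Remote settings described above, the following added example (not Symantec code) decodes the syslog PRI field, sorts lines into the four streams this article names, and lists component lines that are more verbose than the configured level. It assumes that the Control Center level names correspond to the standard syslog severities, and it uses local4 and local5 as hypothetical values for "Facility" and "Message log facility"; the sample lines are constructed.

```python
import re
from collections import Counter

# Syslog severity codes from RFC 5424. Mapping the Control Center level names
# onto them is an assumption of this example, not something the article states.
LEVEL_TO_SEVERITY = {"Errors": 3, "Warnings": 4, "Notices": 5,
                     "Information": 6, "Debug": 7}
FACILITIES = {2: "mail", 4: "auth", 9: "cron", 10: "authpriv",
              **{16 + n: f"local{n}" for n in range(8)}}
PRI = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Split the leading <PRI> value into (facility name, severity)."""
    m = PRI.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError(f"no valid syslog PRI in: {line!r}")
    facility, severity = divmod(int(m.group(1)), 8)
    return FACILITIES.get(facility, f"facility{facility}"), severity

def audit(lines, component_facility, message_facility, level):
    """Bucket received lines the way the Remote settings describe and list
    component lines that are more verbose than the configured level."""
    limit = LEVEL_TO_SEVERITY[level]
    buckets, too_verbose = Counter(), []
    for line in lines:
        facility, severity = decode_pri(line)
        if facility == "mail":               # MTA always logs to the mail facility
            buckets["mta"] += 1
        elif facility == message_facility:   # message audit logs have no level setting
            buckets["message_audit"] += 1
        elif facility == component_facility:
            buckets["component"] += 1
            if severity > limit:             # higher number = less urgent
                too_verbose.append(line)
        else:                                # messages, secure, cron, boot.log
            buckets["system"] += 1
    return dict(buckets), too_verbose

# Constructed sample lines (not real Symantec output).
SAMPLE = [
    "<164>Jan 10 12:00:01 scanner1 conduit: constructed warning line",
    "<167>Jan 10 12:00:02 scanner1 engine: constructed debug line",
    "<22>Jan 10 12:00:03 scanner1 mta: constructed delivery line",
    "<174>Jan 10 12:00:04 scanner1 audit: constructed audit record",
    "<78>Jan 10 12:00:05 scanner1 crond: constructed cron line",
]

if __name__ == "__main__":
    print(audit(SAMPLE, "local4", "local5", "Warnings"))
```

A non-empty second result after lowering a level usually means that Restart Later was chosen and the log component has not yet been restarted.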