Understanding Message Audit Log events sent to a remote syslog server

Article ID: 191018

Products

Messaging Gateway Messaging Gateway Messaging Gateway Hardware

Issue/Introduction

Message Audit Logs consist of many different log entries, created by each component that handles a message. This article explains how the logs are arranged and how to recreate the Message Audit Log for unique message transactions.

Environment

Release : 10.7

Component : Scanner

Resolution

Log entries sent to remote syslog servers have several parts that define them. Understanding these parts is key to finding the Message Audit Log entries and understanding the full flow of a message. To examine the parts we will review the following Message Audit Log remote syslog entry:

5-15-2020 21:50 Local1.INFO 10.10.10.10 May 15 21:50:56 smgccs bmserver: 1589604656|c0a81919-3ddff70000000bb1-01-5ebf70f547e1|VERDICT|[email protected]|spam|default|spam or suspected spam: delete message

The Standard Prefix

Messages sent to remote syslog servers all start with the standard prefix:

[Date and time]   [Syslog Facility Level]   [IP address]   [Original log message]
5-15-2020 21:50   Local1.INFO               10.10.10.10    May 15 21:50:56 smgccs bmserver: 1589604656|c0a819....

The Standard Prefix is detailed at the following page:

Standard prefix for Scanner logs sent to remote syslog

The Original Log Message

The first three columns of the log entry are the standard prefix, and are followed by the original log message that appears in the logs of the Messaging Gateway appliance. For Message Audit Logs, the original log message has the following format:

[Date and time]   [Scanner host name]   [System process]   [Audit Log Message]
May 15 21:50:56   smgccs                bmserver:          1589604656|c0a81919-3ddff...

The Message Audit Log format for remote syslog is detailed at the following page:

Log format of message audit logs for remote syslog

The Audit Log Format and Events

The Audit Log Message format:

[UTC time stamp]   [UID/Audit ID]                               [Event ID]
1589604656         |c0a81919-3ddff70000000bb1-01-5ebf70f547e1   |VERDICT|[email protected]|spam|defa...

The Audit Log Format and Events are detailed at the following page:

Audit log format and events

The most important piece of data in the Message Audit Log entry is the UID/Audit ID. This ID string will exist for all the entries generated for the unique message transaction. When using a log aggregator or SIEM, the UID will be used to recreate the full Message Audit Log.

The Audit Log Format and Events page also lists the Event types that would be encountered when viewing Message Audit Log entries. In the above example the message verdict was spam and the message was deleted. There are many Message Audit Log Event Types listed in the link above, and each component generates its own events. The full record of a message spans many log entries and can extend over varying periods of time, depending on the status of the message. For example, if a message has delivery issues and is in the delivery queue for days, each delivery attempt will generate a new Message Audit Log entry for however long the message remains in the queue.

Additional Information

Below is an example of several log entries for the same unique message transaction. Notice that the value common to every entry is the UID/Audit ID, c0a81919-3ddff70000000bb1-01-5ebf70f547e1.

May 15 21:50:55 smgccs ecelerity[2993]: 1589604655|c0a81919-3ddff70000000bb1-01-5ebf70f547e1|ORCPTS|[email protected]
May 15 21:50:55 smgccs ecelerity[2993]: 1589604597|c0a81919-3ddff70000000bb1-01-5ebf70f547e1|ACCEPT|192.168.25.125:49234
May 15 21:50:55 smgccs ecelerity[2993]: 1589604603|c0a81919-3ddff70000000bb1-01-5ebf70f547e1|SENDER|[email protected]
May 15 21:50:55 smgccs ecelerity[2993]: 1589604655|c0a81919-3ddff70000000bb1-01-5ebf70f547e1|RECEIVED
May 15 21:50:56 smgccs bmserver: 1589604655|c0a81919-3ddff70000000bb1-01-5ebf70f547e1|SOURCE|external
May 15 21:50:56 smgccs bmserver: 1589604655|c0a81919-3ddff70000000bb1-01-5ebf70f547e1|SUBJECT| Spam test email.
May 15 21:50:56 smgccs bmserver: 1589604655|c0a81919-3ddff70000000bb1-01-5ebf70f547e1|MSGID| <[email protected]>

The Verdict event can also contain extra fields to reveal data that was matched in a Content Filter policy. For example:

Jan 25 18:41:59 smgccs bmserver: 1643132519|4df6825b-a558b700000008f4-ea-61f03667ba89|VERDICT|[email protected]|content_1229572995573|default|match sender|header|from|@sender.test
Jan 25 18:41:59 smgccs bmserver: 1643132519|4df6825b-a558b700000008f4-ea-61f03667ba89|VERDICT|[email protected]|content_1229572995573|default|match sender|envelope|sender|sender.test

In the above examples, in the "default" policy group a policy called "match sender" had a string match against the header From: address and a string match against the envelope MAIL FROM: address, respectively. These matches were included in the Message Audit Log remote log entries.
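
The reconstruction by UID/Audit ID and the extra VERDICT fields described above can be reproduced in a log pipeline as follows. This is an added example, not code from the product or its documentation; the function names, the key names given to the VERDICT positions, and the placeholder addresses are assumptions of the example.

```python
import re
from collections import defaultdict

# Original log message, found with search() so the remote standard prefix is skipped.
AUDIT_RE = re.compile(r"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<process>[^\s\[:]+)"
                      r"(?:\[\d+\])?: (?P<utc>\d+)\|(?P<audit_id>[^|]+)\|(?P<event>[^|]+)(?:\|(?P<rest>.*))?$")

def parse_line(line):
    m = AUDIT_RE.search(line.strip())
    if not m:
        return None  # not a Message Audit Log entry
    rec = m.groupdict()
    rest = rec.pop("rest")
    rec["utc"] = int(rec["utc"])
    rec["fields"] = [f.strip() for f in rest.split("|")] if rest is not None else []
    return rec

def rebuild(lines):
    """Group entries by UID/Audit ID, then order each transaction by UTC time stamp."""
    txns = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            txns[rec["audit_id"]].append(rec)
    for events in txns.values():
        events.sort(key=lambda r: r["utc"])  # stable sort: ties keep arrival order
    return dict(txns)

def parse_verdict(rec):
    """Key names are this example's labels for the positions seen in the samples."""
    f = rec["fields"]
    out = dict(zip(["recipient", "verdict", "policy_group", "policy"], f))
    if len(f) >= 7:  # content filter match: part | name | matched text
        out["match"] = {"part": f[4], "name": f[5], "text": "|".join(f[6:])}
    return out

UID = "c0a81919-3ddff70000000bb1-01-5ebf70f547e1"
SAMPLE = [  # constructed: page entries with placeholder addresses, two UIDs interleaved
    f"May 15 21:50:55 smgccs ecelerity[2993]: 1589604655|{UID}|ORCPTS|rcpt@example.test",
    f"May 15 21:50:55 smgccs ecelerity[2993]: 1589604597|{UID}|ACCEPT|192.168.25.125:49234",
    "Jan 25 18:41:59 smgccs bmserver: 1643132519|4df6825b-a558b700000008f4-ea-61f03667ba89"
    "|VERDICT|rcpt@example.test|content_1229572995573|default|match sender|header|from|@sender.test",
    f"May 15 21:50:56 smgccs bmserver: 1589604655|{UID}|SUBJECT| Spam test email.",
    f"5-15-2020 21:50 Local1.INFO 10.10.10.10 May 15 21:50:56 smgccs bmserver: 1589604656|{UID}"
    "|VERDICT|rcpt@example.test|spam|default|spam or suspected spam: delete message",
]

if __name__ == "__main__":
    print({u: [e["event"] for e in ev] for u, ev in rebuild(SAMPLE).items()})
```

Sorting on the UTC time stamp matters because, as in the sample entries above, the ACCEPT event can be written to the log after events that carry a later time stamp.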

For more general information on the VERDICT event, see: VERDICT audit log event and relevant documentation section.