Only the first instance of matching test for a content filtering rule is logged in Message Audit Logs (MAL)

search cancel

Only the first instance of matching test for a content filtering rule is logged in Message Audit Logs (MAL)

book

Article ID: 211280

calendar_today

Updated On:

Products

Messaging Gateway

Issue/Introduction

When matching content in the Messaging Gateway (SMG) content filtering rules, only the first instance of the matching text appears in the Message Audit Logs (MAL) rather than all instances or matching text.

For example, when searching for the string "the" in a message body, the string "The dog chased the cat across the yard" will result in a MAL entry that appears as follows.

Cause

This is expected behavior and by design in order optimize performance and to limit disk consumption by the Message Audit Logs.

In some use cases it is desirable for all instances of matching text, URLs for example, to be sent via Message Audit Logs to a SIEM but this was not originally a design consideration for the SMG content filtering rules.

Environment

Release :

Component :

Resolution

This is expected behavior and by design.

A modification to this limit is under consideration to meet new use cases introduced by the increase use of security information and event management (SIEM) solutions.

Attachments

Feedback

thumb_up Yes

thumb_down No