Message audit log queries performed from Status > Message Audit Logs fail to show all actions for messages released from content quarantine when both an optional filter is used to search for the messages and the message has been released from quarantine.
Messages originally quarantined by a scanner to which the message is subsequently released shows all actions including quarantine release and final delivery. Messages quarantined by a scanner other than the scanner to which the message is released from the Content Quarantine do not show the Deliver Message Normally action in the summary and the detail view does not show the final delivery of the message
A warning is presented that audit log results may be partial even though All Scanners is selected when performing the query.
This is due to the distributed storage of audit log information across multiple scanners and the Control Center. In some cases, the scanner which processes the quarantine release does not have an audit log entry which matches the full set of audit log query filters and so those events do not appear in either the audit log summary or detail views.
In these cases the audit log search results will show a message indicating that partial results may be displayed and instructing that a search using the message audit id be used to return all audit events:
The message audit log query may have returned partial results. Please use the Audit ID filter and select All Scanners to get complete results.
This is currently part of the audit log query design and expected results.
The design for audit log queries with multiple filters may be modified in a future release.