This article provides a comprehensive guide on how to retrieve events related to the release of messages from spam quarantine from your Syslog server.

To retrieve the event of releasing a message from spam quarantine from your Syslog server, you need to look for specific details logged under a particular facility and process ID. Below are the essential elements to check:

• Syslog Facility: AUTHPRIV - security/authorization messages (private) (100)
• Syslog Process ID: AuditLogHelper
• Syslog Message ID: The Syslog message ID follows a specific format, detailing the timestamp, message ID, recipient email address, quarantine release event, and the administrator who performed the release. The format is as follows:
  timestamp|messageID|RECIPIENT_MAIL_ADDRESS|QUARANTINE_RELEASE|ADMIN_USER_WHO_RELEASED_THE_MESSAGE

For more information on the format of Message Audit Logs sent to a syslog server, please see this article:

Understanding Message Audit Log events sent to a remote syslog server