Release : 10.7
Component : Scanner
Log entries sent to remote syslog servers have several parts that define them. Understanding these parts is key to finding the Message Audit Log entries and understanding the full flow of a message. To examine the parts we will review the following Message Audit Log remote syslog entry:
5-15-2020 21:50 Local1.INFO 10.10.10.10 May 15 21:50:56 smgccs bmserver: 1589604656|c0a81919-3ddff70000000bb1-01-5ebf70f547e1|VERDICT|user.[email protected]|spam|default|spam or suspected spam: delete message
Messages sent to remote syslog servers all start with the standard prefix:
[Date and time] [Syslog Facility Level] [IP address] [Original log message]
5-15-2020 21:50 Local1.INFO 10.10.10.10 May 15 21:50:56 smgccs bmserver: 1589604656|c0a819....
The Standard Prefix is detailed at the following page:
The first three columns of the log entry are the standard prefix, and are followed by the original log message that appears in the logs of the Messaging Gateway appliance. For Message Audit Logs, the original log message has the following format:
[Date and time] [Scanner host name] [System process] [Audit Log Message]
May 15 21:50:56 smgccs bmserver: 1589604656|c0a81919-3ddff...
The Message Audit Log format for remote syslog is detailed at the following page:
The Audit Log Message format:
[UTC time stamp] [UID/Audit ID] [Event ID]
1589604656 |c0a81919-3ddff70000000bb1-01-5ebf70f547e1 |VERDICT|[email protected]|spam|defa...
The Audit Log Format and Events are detailed at the following page:
Audit log format and events
The most important piece of data in the Message Audit Log entry is the UID/Audit ID. This ID string will exist for all the entries generated for the unique message transaction. When using a log aggregator or SIEM, the UID will be used to recreate the full Message Audit Log.
The Audit Log Format and Events page also lists the Event types that would be encountered when viewing Message Audit Log entries. In the above example the message verdict was spam and the message was deleted. There are many Message Audit Log Event Types listed in the link above and each component generates their own events. The full tracking of a message will exist over many log entries and can exist over various periods of time, depending on the status of the message. For example, if a message has delivery issues and is in the delivery queue for days, each delivery attempt will generate a new Message Audit Log entry for however long the message remains in the queue.
Below is an example of several log entries for the same unique message transaction. Notice that the consistent entry is the UID/Audit ID of c0a81919-3ddff70000000bb1-01-5ebf70f547e1.
May 15 21:50:55 smgccs ecelerity: 1589604655|c0a81919-3ddff70000000bb1-01-5ebf70f547e1|ORCPTS|[email protected]
May 15 21:50:55 smgccs ecelerity: 1589604597|c0a81919-3ddff70000000bb1-01-5ebf70f547e1|ACCEPT|192.168.25.125:49234
May 15 21:50:55 smgccs ecelerity: 1589604603|c0a81919-3ddff70000000bb1-01-5ebf70f547e1|SENDER|[email protected]
May 15 21:50:55 smgccs ecelerity: 1589604655|c0a81919-3ddff70000000bb1-01-5ebf70f547e1|RECEIVED
May 15 21:50:56 smgccs bmserver: 1589604655|c0a81919-3ddff70000000bb1-01-5ebf70f547e1|SOURCE|external
May 15 21:50:56 smgccs bmserver: 1589604655|c0a81919-3ddff70000000bb1-01-5ebf70f547e1|SUBJECT| Spam test email.
May 15 21:50:56 smgccs bmserver: 1589604655|c0a81919-3ddff70000000bb1-01-5ebf70f547e1|MSGID| <[email protected]>
The Verdict event can also contain extra fields to reveal data that was matched in a Content Filter policy. For example:
Jan 25 18:41:59 smgccs bmserver: 1643132519|4df6825b-a558b700000008f4-ea-61f03667ba89|VERDICT|[email protected]|content_1229572995573|default|match email@example.com
Jan 25 18:41:59 smgccs bmserver: 1643132519|4df6825b-a558b700000008f4-ea-61f03667ba89|VERDICT|[email protected]|content_1229572995573|default|match sender|envelope|sender|sender.test
In the above examples, in the "default" policy group a policy called "match sender" had a string match against the header From: address and a string match against the envelope MAIL FROM: address, respectively. These matches were included in the Message Audit Log remote log entries.
For more general information on the VERDICT event, see: VERDICT audit log event