How to use the CLI tool "malquery" on a Symantec Brightmail Gateway Appliance / Virtual Edition

Article:TECH88877  |  Created: 2008-01-25  |  Updated: 2011-10-17  |  Article URL http://www.symantec.com/docs/TECH88877
Article Type
Technical Solution

Issue

How to query the Message Audit Log (MAL) from the command line of the Symantec Brightmail Gateway (SBG) Appliance to find information about specific messages.

Solution

For Symantec Brightmail Gateway 9.5

For Symantec Brightmail Gateway versions 7.5/7.6

Usage:
malquery -l <start time YYYYMMDDHHMM>,<end time YYYYMMDDHHMM>
         -g <start time UTC>,<end time UTC>
         -u <uid> [-u <uid> ... ]
         -e <event name[,arg #]><=|*><string> [-e <event name[,arg #]><=|*><string> ... ]
         [-m #] [-o <filename>] [-d] [-v]

Example:
> malquery -l YYYYMMDDHHMM,YYYYMMDDHHMM -e RCPTS="mike.smith@example.com"

Replace each YYYYMMDDHHMM with the start and end time of the search; for a one-day window, use yesterday's date as the start and today's date as the end. Example: 200803140000 is midnight on 14 March 2008.

When searching for an entire domain ("*@example.com"), you must use the comma, as shown in the following example:
> malquery -l YYYYMMDDHHMM,YYYYMMDDHHMM -e RCPTS,*@example.com

Here is an example of a search by email sender:
> malquery -l YYYYMMDDHHMM,YYYYMMDDHHMM -e SENDER,*@example.com

For Symantec Brightmail Gateway versions 7.7 and later

Usage:
malquery (-l start,end | -g start,end)
(-u uid [-u uid ...] | -e event[,arg_num]<=|*>string [-e ...]
| -q event[,arg_num]<=|*>quoted-printable-string [-q ...])
[-m max_results] [-i index_max] [-o output_file] [-d] [-v]
-l start,end      Date range to search. Dates in the form YYYYMMDDhhmm
                  (e.g. July 4, 2008, 11:59 PM = 200807042359). Start and end
                  date are separated by a comma with no space.

-g start,end      GMT date range to search, in Unix time; i.e. seconds since
                  1 Jan 1970 00:00 (e.g. July 4, 2008, 11:59 PM = 1215212340).
                  Start and end date are separated by a comma with no space.

-u uid            Find the email message with the specified Audit ID (uid).

-e ...            Find email messages containing events matching the specified
                  criterion. Examples:
                    -e RCPTS=dale@company.com   -- recipient specified
                    -e SUBJECT*"my flowers"     -- subject contains 'my flowers'

-q ...            Find email messages containing events matching the specified
                  criterion in quoted-printable encoding. Example:
                    -q SUBJECT*"red =3D rose"   -- subject contains 'red = rose'

-m max_results    Maximum number of messages to return. The default is 1000.

-i index_max      The index (.idx file) will be used if the number of matching
                  results is less than or equal to index_max. Otherwise, the
                  index will be ignored. The default for index_max is 1000.
                  This option exists because looking up large numbers of
                  events in the index can actually be more time consuming than
                  searching the flat file.

-o file           Output matching results to the specified file.

-d                Distributed option. The behavior of this option is
                  undocumented.

-v                Enable verbose mode (i.e. debug logging).

Example:
> malquery -l 200807040000,200807090000 -e RCPTS=dale@company.com -e SUBJECT*"check this out" -m 500 -o /tmp/results.xml
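An added helper (not part of the appliance or the Symantec guide) that composes a 7.7-and-later malquery command line from ISO timestamps: it renders the -l and -g windows, quoted-printable-encodes a -q value, and shell-quotes each criterion so "*" and spaces reach malquery unchanged. The function and parameter names are this example's own.

```python
"""Compose malquery (SBG 7.7+) argument strings. Added example, not appliance code."""
from binascii import b2a_qp
from datetime import datetime
import shlex


def _window(start_iso: str, end_iso: str, need_tz: bool = False):
    """Parse two ISO-8601 timestamps and reject an inverted or, for -g, a naive window."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    if need_tz and (start.tzinfo is None or end.tzinfo is None):
        raise ValueError("-g needs timezone-aware timestamps, e.g. 2008-07-04T23:59+00:00")
    if start > end:
        raise ValueError("start must not be after end")
    return start, end


def mal_l_arg(start_iso: str, end_iso: str) -> str:
    """-l value: YYYYMMDDhhmm pair, comma-separated with no space (appliance wall clock)."""
    start, end = _window(start_iso, end_iso)
    return f"{start:%Y%m%d%H%M},{end:%Y%m%d%H%M}"


def mal_g_arg(start_iso: str, end_iso: str) -> str:
    """-g value: Unix seconds. An explicit UTC offset is required so that a
    local-vs-GMT mix-up cannot silently shift the search window by hours."""
    start, end = _window(start_iso, end_iso, need_tz=True)
    return f"{int(start.timestamp())},{int(end.timestamp())}"


def criterion(event: str, value: str, substring: bool = False, qp: bool = False) -> list:
    """One -e/-q criterion as argv items: '=' is an exact match, '*' a substring match.
    qp=True quoted-printable-encodes the value ('=' becomes '=3D') and selects -q."""
    if qp:
        value = b2a_qp(value.encode("utf-8")).decode("ascii")
    return ["-q" if qp else "-e", f"{event}{'*' if substring else '='}{value}"]


def build_command(start_iso, end_iso, criteria, max_results=None, output=None, gmt=False) -> str:
    """Assemble the full command line. shlex.join quotes '*' and spaces so the
    appliance shell can neither glob-expand nor word-split a criterion."""
    argv = ["malquery"]
    argv += ["-g", mal_g_arg(start_iso, end_iso)] if gmt else ["-l", mal_l_arg(start_iso, end_iso)]
    for item in criteria:
        argv += item
    if max_results is not None:
        argv += ["-m", str(max_results)]
    if output:
        argv += ["-o", output]
    return shlex.join(argv)
```

Check the offset you pass to -g against the appliance's clock: 2008-07-04 23:59 taken as UTC gives 1215215940, while the guide's figure 1215212340 is what the same wall-clock time yields at UTC+1, a one-hour shift that is enough to drop messages from the edge of a search window.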

Symantec Brightmail Gateway 9.0 Command Line Reference Guide
Pages 55-58
ftp://ftp.entsupport.symantec.com/pub/support/documentation/sbg_90_commandline_guide.pdf

The malquery syntax can be found on page 55 of the command line guide.

The command line guide is available through the link below:

http://www.symantec.com/business/support/index?page=content&id=DOC3737

Legacy ID

2008012509161254