How to use the CLI tool "malquery" on a Symantec Brightmail Gateway Appliance / Virtual Edition

How to query the Message Audit Log (MAL) of a system to find out information about specific messages through the command line of the Symantec Brightmail Gateway (SBG) Appliance.



For Symantec Brightmail Gateway 9.5



For Symantec Brightmail Gateway versions 7.5/7.6


    -l <start time YYYYMMDDHHMM>,<end time YYYYMMDDHHMM>
    -g <start time UTC>,<end time UTC> -u <uid> [-u <uid> ... ]
    -e <event name[,arg #]><=|*><string> [-e <event name[,arg #]><=|*><string> ... ] [-m #] [-o <filename>] [-d] [-v]


Replace <start time> and <end time> with the start and end of the search window in the form YYYYMMDDHHMM (year, month, day, hour, minute); for a recent message, yesterday and today are a sensible window. Example: 200803140000 is midnight on 14 March 2008.

When searching for an entire domain ("*"), you must use the comma, as shown in the following example:

Here is an example of a search for the email sender:

For Symantec Brightmail Gateway versions 7.7 and later

    malquery (-l start,end | -g start,end)
             (-u uid [-u uid ...] | -e event[,arg_num]<=|*>string [-e ...]
              | -q event[,arg_num]<=|*>quoted-printable-string [-q ...])
             [-m max_results] [-i index_max] [-o output_file] [-d] [-v]

-l start,end Date range to search. Dates in the form YYYYMMDDhhmm
(e.g. July 4, 2008, 11:59 PM = 200807042359). Start and end
date are separated by a comma with no space.

-g start,end GMT date range to search, in Unix time; i.e. seconds since
1 Jan 1970 00:00 (e.g. July 4, 2008, 11:59 PM = 1215212340).
Start and end date are separated by a comma with no space.

-u uid Find the email message with the specified Audit ID (uid).

-e ... Find email messages containing events matching the specified
criterion. Examples:
-e -- recipient specified
-e SUBJECT*"my flowers" -- subject contains 'my flowers'

-q ... Find email messages containing events matching the specified
criterion in quoted-printable encoding. Example:
-q SUBJECT*"red =3D rose" -- subject contains 'red = rose'

-m max_results Maximum number of messages to return. The default is 1000.

-i index_max The index (.idx file) will be used if the number of matching
results is less than or equal to index_max. Otherwise, the
index will be ignored. The default for index_max is 1000.
This option exists because looking up large numbers of
events in the index can actually be more time consuming than
searching the flat file.

-o file Output matching results to the specified file.

-d Distributed option. The behavior of this option is

-v Enable verbose mode (i.e. debug logging).

> malquery -l 200807040000,200807090000 -e -e SUBJECT*"check this out" -m 500 -o /tmp/results.xml
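The option list above is easy to get subtly wrong by hand: the -l and -g windows use different date formats, -q wants the search string quoted-printable encoded, and a criterion with spaces needs quoting. The following helper is an added example, not code from the article or from the product; it assembles a malquery command line from Python values (run on an administrator's workstation, then paste the printed line into the SBG command line). All function and parameter names (local_stamp, unix_stamp, event_criterion, build_command) are this example's own.

```python
"""Assemble malquery command lines for the Symantec Brightmail Gateway.

Added example, not code from the original article or from the product: it
builds the argument string from Python values so the -l/-g date formats and
the event criteria come out in the shape the 7.7+ syntax expects.  All
function and parameter names are this example's own.
"""
import calendar
import quopri
import re
from datetime import datetime
from typing import Optional, Sequence


def local_stamp(dt: datetime) -> str:
    """Format for -l: YYYYMMDDhhmm, as the appliance interprets it."""
    return dt.strftime("%Y%m%d%H%M")


def unix_stamp(dt: datetime) -> int:
    """Format for -g: seconds since 1970-01-01 00:00 UTC.

    The datetime is treated as UTC.  A naive local wall-clock time must be
    converted to UTC first, otherwise the window shifts by the zone offset.
    """
    return calendar.timegm(dt.timetuple())


def event_criterion(event: str, value: str, substring: bool = True,
                    arg_num: Optional[int] = None, qp: bool = False) -> str:
    """Build one criterion of the form event[,arg_num]<=|*>string.

    '*' means "contains" and '=' means exact match.  With qp=True the value
    is quoted-printable encoded for -q ('red = rose' -> 'red =3D rose').
    Values containing spaces or shell metacharacters are double-quoted,
    matching the -e SUBJECT*"my flowers" form shown in the article.
    """
    key = event if arg_num is None else f"{event},{arg_num}"
    if qp:
        value = quopri.encodestring(value.encode("utf-8")).decode("ascii")
    if re.search(r'[\s"\'\\$`;&|<>]', value):
        value = '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'
    return f"{key}{'*' if substring else '='}{value}"


def build_command(start: datetime, end: datetime, *,
                  use_gmt: bool = False,
                  uids: Sequence[str] = (),
                  criteria: Sequence[str] = (),
                  qp_criteria: Sequence[str] = (),
                  max_results: Optional[int] = None,
                  output_file: Optional[str] = None,
                  verbose: bool = False) -> str:
    """Return the complete malquery command line as one string.

    At least one selector is required (a uid or an -e/-q criterion), and the
    window is checked so an inverted range does not silently return nothing.
    """
    if end <= start:
        raise ValueError("end of search window must be after its start")
    if not (uids or criteria or qp_criteria):
        raise ValueError("need at least one -u uid or one -e/-q criterion")
    parts = ["malquery"]
    if use_gmt:
        parts += ["-g", f"{unix_stamp(start)},{unix_stamp(end)}"]
    else:
        parts += ["-l", f"{local_stamp(start)},{local_stamp(end)}"]
    for uid in uids:
        parts += ["-u", uid]
    for crit in criteria:
        parts += ["-e", crit]
    for crit in qp_criteria:
        parts += ["-q", crit]
    if max_results is not None:
        parts += ["-m", str(max_results)]
    if output_file:
        parts += ["-o", output_file]
    if verbose:
        parts.append("-v")
    return " ".join(parts)


if __name__ == "__main__":
    # The article's sample window, subject, -m and -o values as an -l query,
    # then the same window as a -g query on a quoted-printable subject.
    window = (datetime(2008, 7, 4, 0, 0), datetime(2008, 7, 9, 0, 0))
    print(build_command(*window,
                        criteria=[event_criterion("SUBJECT", "check this out")],
                        max_results=500, output_file="/tmp/results.xml"))
    print(build_command(*window, use_gmt=True,
                        qp_criteria=[event_criterion("SUBJECT", "red = rose", qp=True)]))
```

One caveat worth knowing before using -g: unix_stamp treats its input as UTC, so 4 July 2008 23:59 UTC gives 1215215940, while the guide's 1215212340 for the same wall-clock time is 22:59 UTC, i.e. a local zone one hour ahead of GMT. Convert the appliance's local time to UTC before computing a -g range, or stay with -l, which the guide does not describe as GMT.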

Symantec Brightmail Gateway 9.0 Command Line Reference Guide
Pages 55-58 

The malquery syntax can be found on page 55 of the command line guide.

The command line guide is available through the link below:

