Where did that message go? An introduction to Message Audit Logs - Part 1
Message Audit Logs (MAL) were introduced into the Symantec Messaging Gateway (SMG) (known then as the Symantec Brightmail Gateway) to help track messages that are processed by the SMG appliance. When first introduced, MAL was fairly rudimentary and lacked some of the functionality needed to properly track a message. Fast forward several iterations, with each version implementing MAL better and better, and we have the extremely useful tool that exists now.
MAL can be accessed from the Status page and can tell you almost everything you need to know about a message transaction processed by the SMG appliance. This information is related to SMG version 9.5.2-3, but can be applicable to other versions as well.
Searching for messages
There are many options available to help you search for message transactions, which are found in the Filter section. The MAL Filter options are detailed in the following KB URL:
Filter - some helpful notes
MAL entries are stored on the scanners that created the entry. The Control Center will gather the logs from the scanner host specified when searching; the default is to search all scanner hosts. If you know what scanner processed the SMTP transaction you are researching, you can save search time by specifying that scanner host.
Mandatory filter - Connection IP:
This filter is more useful than many realize. In current versions of the SMG appliance, MAL logging begins at connection time. By searching for connecting IPs, you can reveal occurrences where a sending MTA connected but was not able to establish an SMTP transaction. This is very useful in various situations, including troubleshooting possible network stability issues.
The filter values are wildcarded and case insensitive. You can search all email addresses using just an @ symbol, or search for all messages related to a domain by using @domain.dom. You can also search all IP addresses using a . (period) alone or IP subsets using part of the IP address.
Be aware that this can also yield some unexpected results. For example, if we use a Sender filter value of red.com it can return both the expected email related to the red.com domain, as well as email from firstname.lastname@example.org. Also, if we search for an IP address of 68.17 it will return both 126.96.36.199 and 192.168.173.25, as well as any other connecting IP that has 68.17 in the string.
The time range available for searching is directly limited by the MAL settings configuration (Administration > Settings : Logs > Message Audit Logs). It's not unheard of to set the Time range to "Past month" and have it return just two days' worth of entries, only to find out that it was only storing two days of logs by configuration. Time range can also be affected by the inherent limitations of the search results, listed below.
MAL search results have a limit that is confusing when first encountered and not that easy to understand. The maximum number of message items that can be returned by MAL is 1,000 messages; so, if you search for all messages with broad filter criteria and a long time range, the most messages you will get back is 1,000. However, you may actually see many more result entries available, and the top number of available results can vary.
The reason is that the search result list shows one entry per recipient of a message. For example, if your search resulted in one message that had five recipients, you would see five result entries. By that same rule, if your search resulted in the maximum message count of 1,000 and ten of those messages had two recipients, you would end up with 1010 result entries. If every message returned had multiple recipients, you could end up with over 2,000 result entries.
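To make the two behaviours above concrete (the wildcarded, case-insensitive filter matching that causes unexpected hits, and the one-row-per-recipient expansion on top of the 1,000-message cap), here is a small model of what the post describes. This is an added example, not code from the SMG appliance or from Symantec: the audit entries, addresses and IPs are constructed, the matching rule is assumed to be a plain case-insensitive substring test as the post describes, and the `max_messages` parameter is a stand-in for the appliance's fixed 1,000-message limit so the cap can be shown on a handful of entries.

```python
"""Model of the MAL filter and result-list behaviour described in this post.

Added illustration, not Symantec Messaging Gateway code. Entries below are
constructed; the matching rule (case-insensitive substring match on the
filter value) is assumed from the post's description of wildcarded filters.
"""
from dataclasses import dataclass

MAX_MESSAGES = 1000  # distinct-message cap on a MAL search, per the post


@dataclass
class AuditEntry:
    message_id: str
    connection_ip: str
    sender: str
    recipients: list


# Constructed sample audit entries (hypothetical addresses and IPs).
SAMPLE_ENTRIES = [
    AuditEntry("m1", "68.17.10.5", "alice@red.com", ["bob@corp.example"]),
    AuditEntry("m2", "168.17.44.9", "Fred.Comstock@other.example",
               ["bob@corp.example", "carol@corp.example"]),
    AuditEntry("m3", "10.68.17.2", "news@blue.example", ["dave@corp.example"]),
    AuditEntry("m4", "203.0.113.7", "sales@RED.COM",
               ["erin@corp.example", "frank@corp.example", "gina@corp.example"]),
]


def matches(value, filter_value):
    """Filter semantics as described: wildcarded and case-insensitive, i.e. the
    filter value may occur anywhere in the field. This is what makes 'red.com'
    also hit 'Fred.Comstock@...' and '68.17' also hit '168.17.44.9'."""
    return filter_value.lower() in value.lower()


def search(entries, sender=None, connection_ip=None, max_messages=MAX_MESSAGES):
    """Return result rows as (message_id, connection_ip, sender, recipient).

    At most max_messages distinct messages are considered, but every matched
    message contributes one row per recipient, so the row count can exceed
    the message cap, exactly as the post describes."""
    rows = []
    matched = 0
    for entry in entries:
        if sender is not None and not matches(entry.sender, sender):
            continue
        if connection_ip is not None and not matches(entry.connection_ip, connection_ip):
            continue
        if matched >= max_messages:
            break  # cap reached: remaining matches are silently dropped
        matched += 1
        for rcpt in entry.recipients:
            rows.append((entry.message_id, entry.connection_ip, entry.sender, rcpt))
    return rows


def distinct_messages(rows):
    """Number of distinct messages behind a result list (rows are per recipient)."""
    return len({row[0] for row in rows})


def hit_cap(rows, max_messages=MAX_MESSAGES):
    """True when the search returned the maximum message count, meaning the
    time range or filter should be narrowed before trusting the result."""
    return distinct_messages(rows) >= max_messages


if __name__ == "__main__":
    for label, kwargs in [
        ("sender=red.com", {"sender": "red.com"}),
        ("sender=@red.com", {"sender": "@red.com"}),
        ("connection_ip=68.17", {"connection_ip": "68.17"}),
        ("sender=@ (all mail), cap=2", {"sender": "@", "max_messages": 2}),
    ]:
        rows = search(SAMPLE_ENTRIES, **kwargs)
        print(f"{label}: {len(rows)} rows, {distinct_messages(rows)} messages,"
              f" cap hit={hit_cap(rows, kwargs.get('max_messages', MAX_MESSAGES))}")
```

Running it shows the two effects side by side: `red.com` pulls in the unrelated `Fred.Comstock` sender while `@red.com` does not, and a search that matches only two messages already yields three rows because one of them has two recipients. The `hit_cap` check is the practical takeaway: when the distinct message count equals the cap, the result list is truncated and the time range or filter needs to be narrowed.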
Another option for extended MAL logging:
If your environment requires you to research SMTP transactions that often exceed or have problems with the limitations above, remote logging using syslog would be your answer. I will tackle this subject in another blog.
I hope this information provides some useful tips. In a future blog I will likely delve into some helpful examples that we see in support cases. Feel free to let me know your thoughts on this post and whether you find it helpful or not.