Custom filtering for journaling issue
I've opened a ticket with Symantec Support. When I get a solution I will post.
Separate topic but I do custom filtering for journaling with EV as well. I'm trying to customize the 'Default Filter Rules.xml' to do two things. First, I want to strip 'TIF' attachments (we get a ton) as well as filter email sent to particular email addresses. Every time I add rule 4 below the journaling task fails with event ID 2276. I've added the required registry dword for this option.
Second, the example XML file has a variety of rules, including a rule to exclude email if it originates from an email address but not 'sent to'. How would I filter for email 'Sent to' said email? Would it be similar to the distro group example below? Also, thought maybe Rule 3 would apply here, but that description also says 'if it originates', not sent to like I'm looking for. Would it be as simple as changing author to recipient(s)?
<!--Rule 2: This rule will exclude any email from archiving
if it is sent to distribution list.-->
<RULE NAME="DISTRO Email" ACTION="HARD_DELETE">
<!--Rule 3: This rule will exclude any email from archiving
if it originates from the email address below.-->
<RULE NAME="Confirmation" ACTION="HARD_DELETE">
<!--Rule 4: (Available for Exchange Server archiving only)
Delete TIF attachments before archiving-->
<RULE NAME="DeleteTIF" ATTACHMENT_ACTION="REMOVE">