Video Screencast Help

Exclude certain sender addresses from journaling / archiving

Created: 15 Jan 2014 • Updated: 11 Aug 2014 | 7 comments
This issue has been solved. See solution.

Hi everyone,

We have been using EV 10 against Exchange 2010 for message archiving for awhile. A new requirement just came up that is throwing me for a bit of a loop.

Basically we were told to start journaling everything which is simple enough to do. The problem is that we have various automated emails from our monitoring systems, automation and the output of our ticketing systems which adds up really quickly and which we don't want to keep forever. A rough back-of-the-envelope guess at the number of these messages is about 10,000/day - multiply that by 7 years and it is like 25 million messages! Argubably we should not generate so many emails but that is another conversation unfortunatly.

So, at the very least, what I'd like to do is journal everything but those messages sent by the 10 or so email addresses which are responsible for this flood. I actually wouldn't mind excluding them from archival by Vault altogether but will settle with keeping them out of the journal as hopefully the users delete them in less than a year.

It looks like I can do this with Custom Filtering but would like a bit of guidance as to how to proceed.

Regards,

Jason

Operating Systems:

Comments 7 CommentsJump to latest comment

A_J's picture

Hi Jason,

With Enterprise Vault you can do Selective Journaling..

Have look on the below Link.

https://www-secure.symantec.com/connect/articles/selective-journaling-enterprise-vault

Also you can refer Enterprise Vault Admin Guide..

I guess this what you are looking for..

GertjanA's picture

Hello Jason,

The above is looking at this from an archiving point of view. What this describes is what messages from the Journal Mailbox will be archived. This (I believe) does mean that the messages that are NOT being journaled remain in the Journal Mailbox. I am not sure that is desirable. (you might want to test that!)

To resolve this, you probably need to configure journaling rules in Exchange itself. I'm not to familiar with it, as organizations I've been in tend to journal everything, and accept the 'useless' mails, but I believe it is possible to do the following:

In Exchange! Create a distributionlist, containing everyone that needs to be Journaled. Configure a rule to only Journal messages from/to people in that DL. Configure EV to archive the Journal mailbox.

Check http://technet.microsoft.com/en-us/library/aa995915(v=exchg.141).aspx for more information on rules.

(EDIT) - you might be able to work around the accumelation of not archived mails, by creating a rule in the journal mailbox to delete certain mails (i.e. based on subject/sender or something else common to those mails)

Thank you, Gertjan, MCSE, MCITP,MCTS, SCS, STS
Company: www.t2.nl

www.quadrotech-it.com

www.symantec.com/vision

GabeV's picture

Hi Jason,

For journal archiving, you can setup rules to filter and apply different archiving rules to specific messages:

About external filtering
http://www.symantec.com/docs/HOWTO58246

Enterprise Vault provides the following filtering features:

  • Selective journaling. This feature provides simple filtering of Exchange Server journaled messages. You set up a filter for the Exchange Journaling task that selects, by address, the messages to archive. Other messages are deleted.
  • Group journaling. This feature enables the Exchange Journaling task to mark selected messages, in order to reduce the scope of subsequent searches. This can be particularly useful where there is a high volume of journaled email and you want to be able to identify messages sent between particular groups of users.
  • Custom filtering. This feature provides more sophisticated filtering for the following: (1) Exchange mailbox, journal, and public folder archiving. (2) Domino mailbox and journal archiving. (3) File System archiving.

For more details about journal filtering, take a look at the following technote:

Symantec Enterprise Vault 10.0.4 - Setting up Exchange Server Archiving
http://www.symantec.com/docs/DOC6595 (Page 241)

I hope this helps.

“Success is not final, failure is not fatal: it is the courage to continue that counts.”–Winston Churchill

JasonU's picture

I should clarify. These systems sending all the automated email are:

1.) Not Exchange users - they are just allowed to SMTP relay into the mail environment

2.) Email 1/3 to 1/2 the company in many cases

I just want to exclude this flood of emails from these systems from at least getting journaled and possibly from getting archived a year later as well (people should delete them once they have gotten informed by them).

It looks like the only way to do this is custom filtering. Does anybody have some guidance on how to achieve that?

Mayday's picture

there's nothing to stop you just creating a simple outlook rule on the journal mailbox to delete the messages once they arrive, that'll stop them getting archived, its quick and dirty but it works fine

JesusWept3's picture

I agree with Gertjan, look at an Exchange solution to stop the mail from getting in to the journal mailbox in the first place, its a lot quicker than selective journaling or custom filters

SOLUTION
Rob.Wilcox's picture

I also agree with JW3, the interface for managing the transport rules in Exchange is also much better.