There is a need to query the Message Audit Log on a Symantec Messaging Gateway scanner on the Command Line Interface. It is possible to use "malquery" for that purpose. It is worth noting, that "malquery" does not have the limitation of 1,000 messages as it is exhibited on the Graphical User Interface (Status --> Message Audit Log). For more information, please visit "About message audit logging for the Symantec Messaging Gateway".
For Symantec Messaging Gateway 10.x
- -l <start time YYYYMMDDHHMM>,<end time YYYYMMDDHHMM>
-g <start time UTC>,<end time UTC> -u <uid> [-u <uid> ... ]
-e <event name[,arg #]><=|*><string> [-e <event name[,arg #]><=|*><string> ... ] [-m #] [-o <filename>] [-d] [-v]
> malquery -l YYYYMMDDHHHH,YYYYMMDDHHHH -e RCPTS=”email@example.com”
Where YYYYMMDDHHHH should be replaced with the start and end time for the search, choose yesterday and today for the days. Example: 200803140000 for midnight on 14th March 2008
When searching for an entire domain: " *@example.com ", you must use the coma, as shown in the following example:
> malquery -l YYYYMMDDHHHH,YYYYMMDDHHHH -e RCPTS,*@example.com
Here is an example of a search for the email sender:
> 'malquery -l YYYYMMDDHHHH,YYYYMMDDHHHH -e SENDER,*@example.com'
For Symantec Brightmail Gateway versions 7.7 and later
malquery (-l start,end | -g start,end)
(-u uid [-u uid ...] | -e event[,arg_num]<=|*>string [-e ...]
| -q event[,arg_num]<=|*>quoted-printable-string [-q ...])
[-m max_results] [-i index_max] [-o output_file] [-d] [-v]
-l start,end Date range to search. Dates in the form YYYYMMDDhhmm
(e.g. July 4, 2008, 11:59 PM = 200807042359). Start and end
date are separated by a comma with no space.
-g start,end GMT date range to search, in Unix time; i.e. seconds since
1 Jan 1970 00:00 (e.g. July 4, 2008, 11:59 PM = 1215212340).
Start and end date are separated by a comma with no space.
-u uid Find the email message with the specified Audit ID (uid).
-e ... Find email messages containing events matching the specified
-e RCPTSfirstname.lastname@example.org -- recipient specified
-e SUBJECT*"my flowers" -- subject contains 'my flowers'
-q ... Find email messages containing events matching the specified
criterion in quoted-printable encoding. Example:
-q SUBJECT*"red =3D rose" -- subject contains 'red = rose'
-m max_results Maximum number of messages to return. The default is 1000.
-i index_max The index (.idx file) will be used if the number of matching
results is less than or equal to index_max. Otherwise, the
index will be ignored. The default for index_max is 1000.
This option exists because looking up large numbers of
events in the index can actually be more time consuming than
searching the flat file.
-o file Output matching results to the specified file.
-d Distributed option. The behavior of this option is
-v Enable verbose mode (i.e. debug logging).
> malquery -l 200807040000,200807090000 -e RCPTSemail@example.com -e SUBJECT*"check this out" -m 500 -o /tmp/results.xml
Symantec Brightmail Gateway 9.0 Command Line Reference Guide
The malquery syntax can be found on page 55 of the command line guide.
The command line guide is available through the link below:
Imported Document Id