About managing the size of content incident folders
Your content incident folders can fill up quickly and consume a lot of disk space when one or both of the following conditions exist:
You have a large number of content filtering policies whose actions are to create incidents in content incident folders.
You have a large number of messages that violate policies.
Symantec Messaging Gateway provides an Expunger that can manage the size of your content incident folders. The Expunger automatically runs at the frequency that you specify.
When the Expunger runs, it expunges incidents from your content incident folders based on the following criteria:
By the maximum content incident folder size
The maximum content incident folder size is the sum of the block size (the size on disk) of each message file in the folder. The actual disk usage may be higher.
When a folder reaches its maximum size, a message is sent to the BrightmailLog.log. When the folder reaches the maximum size that you specify for alerts (for example, 120% of the maximum size), then an alert is sent. Only one alert is sent if multiple folders reach their maximum size at the same time. However, you continue to receive alert emails to notify you of any subsequent folders that exceed their maximum size. The oldest incidents are deleted until the folder returns to its maximum size.
Symantec recommends that you expunge folders based on size while you fine-tune content filtering policies. Then you can modify the Expunger settings as desired.
You must specify a maximum content incident folder size. The default maximum size is 5 GB, but you can modify this setting.
By the number of days that you want to store incidents
Optionally, you can specify the number of days to store an incident before the Expunger performs one of the following actions:
This option is only available for content quarantine incident folders. After the Expunger approves the incident, it is deleted from the folder.
This option is only available for content quarantine incident folders. After the Expunger rejects the incident, it is deleted from the folder.
This action is the custom action that you specify when you create a policy action to create a quarantine incident. This option is only available for content quarantine incident folders. After the Expunger applies the custom action on the folder, the action that is taken on the incidents is the action that is defined in the policy.
This option is available for both content quarantine incident folders and informational incident folders.
When this threshold is met, incidents in quarantine incident folders are expunged, even if they have not been reviewed. Symantec Messaging Gateway takes the action that you specify in the content filtering policy, starting with the oldest incidents. Symantec Messaging Gateway determines the age of an email based on the time that the message is received.
You configure your Expunger criteria when you create the content incident folder. You can specify one or both the folder size thresholds and days to store thresholds. You can also modify the settings at any time thereafter. When a threshold is met, no further incidents are created in the folder.