Recommendations for managing reports, logs, spam and content incident folders in Messaging Gateway (SMG).
Different data / logs that SMG will store and which part of the product is related to it:
REPORTS DATA STORAGE
Where do I configure them? Under Administration -> Settings -> Reports
Where is it stored? All the data is stored temporarily on each Scanner then imported to the Control Center Database
What is the purpose of storing extra statuses data? Reports data storage will only affect specific reports, if you do not use these reports you do not need to store data for it. All the summary reports including the Executive summary will not need this data to be stored for them to work. Storing extra status will in most cases overload the Control Center database as well as the information being transmitted between Scanners and the Control Center, if you need to store specific information because of report needs Symantec recommends storing for a low number of days and also scheduling the reports to be sent through email so you don't have to keep all the data in the Control Center and you will have a copy on email in the event that data is not in the Control Center anymore.
What are the extra statuses available for storage? Sender domains Senders Sender HELO domains Sender IP connections Recipient domains Recipients Invalid Recipients
What are the recommended settings for each status? Leave it unchecked unless you need the data for a specific report or feature such as probe accounts (probe accounts will required invalid recipients logging if you plan to use invalid recipients with it).
Where do I configure them? Under Administration -> Settings -> Logs
Where is it stored? All the data is stored temporarily on each Scanner then imported to the Control Center Database and remotely on a syslog server if you are using the remote option.
What is the purpose of storing these logs? All log data will help identifying issues within different components. In some cases Technical Support might need Debug level logs and this is the place to change the level if needed.
We also have the option to set the Database Log Storage Limits under the logs configuration page. This setting will tell how long to store the data in the Control Center Database, we do not recommend retaining data for long periods of time in the Control Center Database as it might affect its overall performance. You can also set the maximum size that will be used.
The Log Expunger is a very helpful process that will remove old data from the Control Center Database based on its configuration, by default it is set to run every day at 02:00 AM.
Message Audit Logs are stored separate on each Scanner, depending on how much traffic these logs might consume a lot of space. Symantec recommends you to watch the disk space to make sure you are not keeping too much data. If you want to track messages using the Control Center you have to enable these logs.
It is important to note that Message Audit Logs are not included in backups, they must be backed up separately per scanner using the command line interface (CLI) tool mallog, for more information please check the following article: How to Backup Message Audit Logs
What are the components that you can configure using the Control Center? Conduit Brightmail Client JLU Controller Mail Transfer Agent IM Relay Directory Data Service Content Filtering
What other components you can configure using the command line interface (CLI) only: Control Center logs (cc-config) Agent logs (agent-config)
What is the recommended setting for each component? Warnings
Where do I configure it? Under Spam -> Settings -> Quarantine Settings
Where is it stored? Starting version 9.0, all spam messages are stored on disk and a reference in the Control Center Database, on previous versions both messages and references were stored in the Control Center Database.
What is the purpose of the Spam Quarantine? The Spam quarantine serves to temporarily store Suspect Spam messages for evaluation.
NOTE: Symantec recommends that users delete Spam. What are the options to control its usage?
Which parameters can I configure to control the Spam Quarantine resources? Under the Spam Quarantine Expunger you will have access to the various options that govern the spam quarantine utilization. Days to store in Quarantine before deleting Quarantine Expunger frequency Quarantine Expunger start time
Then you will also have thresholds that you can use to better manage the usage if needed: Maximum size of Quarantine Maximum size per user Maximum number of messages Maximum number of messages per user
NOTE: Symantec recommends using the first option (Days to store in Quarantine before deleting) as the main option. Thresholds are usually configured when you have end user quarantine configured and want to have more granularity. It is also important to notice that the first option will always run first even when you have thresholds configured. Symantec does not recommend running the expunger too frequently as it will stop the quarantine listener while it runs (causing the MTA delivery queues to grow up temporarily). Basically, the more you run the quarantine expunger, the more the queues will grow up. The default setting should work well for most of the deployments.
What is the recommended setting for the spam quarantine expunger? The defaults should work well for most of the cases.
Days to store in Quarantine before deleting: 7 days Quarantine Expunger Frequency: Every Day Quarantine Expunger start time: 01:00 AM
All the thresholds are UNCHECKED by default.
CONTENT INCIDENT FOLDERS
Where do I configure them? Under Content -> Settings -> Content Incident Folders
Where is it stored? First, there are two types of incident folders (quarantine incident folders and informational incident folders). Quarantine incident folders need constant management as messages will need to be either approved or rejected whereas Informational incident folders are used only for auditing purposes since it does not affect the flow of a given message.
What is the purpose of the Incident Folders? Incident folders can be used from a simple task as auditing to a more complicated task that needs further evaluation and approval by a security officer in a company.
Which parameters can I configure to control Incident folders resources? There is a default content filtering expunging cycle that will always run on all content incident folders. You also have the option to configure specific expunger settings for each folder you create.
What is the recommended setting for the content incident folder expunger? Incident expunger frequency: Every Day Incident expunger start time: 04:00 AM
NOTE: Symantec recommends configuring the expunger setting for each folder to better control resources.
Imported Document ID: TECH131606
Subscribing will provide email updates when this Article is updated. Login is required.