Disarm filtering of PDF attachments can increase message audit log disk usage
Last Updated October 10, 2013
As part of "disarm" filtering in Symantec Messaging Gateway (SMG) 10.5 and later, fonts detected in PDF documents are logged as part of the Message Audit Logs (MAL). In some cases this may cause a significant increase in disk usage as the additional data is stored in MAL.
When enabling "disarm" filtering in SMG 10.5 and later, it is important to understand the impact this will have on disk utilization. Each font definition stored in the audit logs is approximately 30 bytes. A single PDF attachment can have multiple font definitions, so a conservative estimate of three font definitions per PDF document results in a storage increase of 90 bytes per PDF attachment. While this is not a large increase in storage, it is incurred for every PDF attachment. Different installations will have different mail flow rates and compositions, so the total increase can range from trivial, where disarm is not used or few messages contain PDF attachments, to significant, where large numbers of messages contain multiple PDF attachments. It is recommended that Alerts be configured for low disk space, at least initially, via the following steps:
Log in to the control center as an administrator
Go to Administration->Alerts
Select the "Disk Space" tab
Check the "Available disk space less than" checkbox
Leave the disk usage at 1GB or set to your preferred tolerance
Audit log data is stored on the scanner hosts rather than in the control center database and so total audit log disk usage will be distributed across all scanner hosts.
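The sizing estimate above can be worked through for a specific installation. The following is an added example, not Symantec code: it applies the 30-byte and three-font figures from this article to a mail profile and reports the extra MAL growth per scanner and the days until the "Available disk space less than" alert would fire from that growth alone. The traffic figures, the even spread of mail across scanners, and the reading of 1GB as 1024^3 bytes are assumptions, and log expiry and all other disk usage are ignored.

```python
# Added sizing example: traffic figures passed in are the operator's own
# estimates; nothing here is read from an SMG appliance.
from dataclasses import dataclass

BYTES_PER_FONT_DEF = 30   # approximate size of one logged font definition (from the article)
GIB = 1024 ** 3           # assumption: the alert's "1GB" is treated as 1024^3 bytes


@dataclass
class MailProfile:
    messages_per_day: int         # total messages across all scanners (assumed input)
    pdf_message_ratio: float      # fraction of messages carrying PDFs (assumed input)
    pdfs_per_pdf_message: float   # average PDF attachments in those messages (assumed input)
    fonts_per_pdf: float = 3.0    # the article's conservative estimate
    scanners: int = 1             # audit logs are stored on the scanner hosts


def added_bytes_per_scanner_per_day(p: MailProfile) -> float:
    """Extra MAL bytes per scanner per day caused by logged font definitions.

    Assumes mail is spread evenly across the scanner hosts.
    """
    if p.scanners < 1:
        raise ValueError("at least one scanner is required")
    if not 0.0 <= p.pdf_message_ratio <= 1.0:
        raise ValueError("pdf_message_ratio must be between 0 and 1")
    pdfs_per_day = p.messages_per_day * p.pdf_message_ratio * p.pdfs_per_pdf_message
    return pdfs_per_day * p.fonts_per_pdf * BYTES_PER_FONT_DEF / p.scanners


def days_until_alert(p: MailProfile, free_bytes: int, alert_bytes: int = GIB) -> float:
    """Days until font logging alone pushes free space below the alert threshold.

    Returns 0.0 if free space is already at or below the threshold and
    infinity if the profile produces no font-definition logging at all.
    """
    headroom = free_bytes - alert_bytes
    if headroom <= 0:
        return 0.0
    growth = added_bytes_per_scanner_per_day(p)
    return float("inf") if growth == 0 else headroom / growth


if __name__ == "__main__":
    # Constructed profile: 2M messages/day, 25% with PDFs, 2 PDFs each, 4 scanners.
    profile = MailProfile(2_000_000, 0.25, 2.0, scanners=4)
    per_day = added_bytes_per_scanner_per_day(profile)
    print(f"{per_day / 1e6:.1f} MB/day per scanner")
    print(f"{days_until_alert(profile, free_bytes=20 * GIB):.0f} days until alert")
```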
Viewing MAL disk usage from the CLI
Audit log files and their file sizes can be listed via the scanner command line interface (CLI) using the `list` command. While this does not provide a simple summary of disk usage specific to MAL, the output can be imported into any standard spreadsheet to summarize total audit log disk usage.