Procedure

1. Go to Logs → Query.
2. Next to Type, select Policy events.
   The query screen for policy event logs appears.
3. In the second drop-down box next to Type, select one of the following items related to the policy and the rules you configured for the policy:
   • All
   • Virus or malicious code
   • Spam/phish
   • Web Reputation

     Note If you select Web Reputation, IMSS displays two additional drop-down lists that contain website content categories. Select any category name to narrow down your log query.

   • Marketing message
   • DKIM enforcement
   • Attachment
   • Size
   • Content
   • Others
   • Scanning exceptions
4. Specify any of the following additional information:
   • Sender
   • Recipient(s)
   • Rule
   • Subject
   • Attachment(s)
   • Message ID
   If you leave any text box blank, all results for that item appear.
5. Click Display Log. A timestamp, action, rule, and message ID appear for each event.
6. Click the timestamp link to see the following information:
   • Timestamp
   • Sender
   • Recipient
   • Subject
   • Original size
   • Violating attachments
   • Rule type
   • Rule(s)
   • Action
   • Message ID
   • Internal ID
   • Reason
   • Scanner
7. Perform any of the additional actions:
   • To change the number of items that appears in the list at a time, select a new display value from the drop-down box on the top of the table.
   • To sort the table, click the column title.
   • To print the query results, click Print current page.
   • To save the query result to a comma-separated value file, click Export to CSV.

   Note "*A*;*B*" means a string that has A or B. "A*;*B" means a string that starts with A or ends with B. ";" represents the OR operation.