You can perform queries on five types of events or information:
Message tracking: Records message details such as the sender, recipient(s), message size, and the final action that IMSVA or Cloud Pre-Filter has taken. The query result also indicates the name and type of the policy rule that was triggered.
System events: Tracks the time of system events such as user access, modification of rules, registration of MCP agent and so on.
Policy events: Provides details on the policy rules that were triggered, the actions taken, and the message details.
MTA events: Provides connection details of Postfix on the local computer where the central controller is installed.
IP filtering: Provides the time when IMSVA started and stopped blocking email messages from the queried IP address.
With the inclusion of Cloud Pre-Filter to IMSVA, changes in the way that users can query logs have been introduced.
Message Tracking Enhancement
IMSVA splits Message tracking logs into:
IMSVA data only: These message tracking logs only contain data from IMSVA.
Cloud Pre-Filter + IMSVA data: These message tracking logs contain data from the Cloud Pre-Filter and IMSVA.
IMSVA includes hyperlinks for quarantined, archived, and postponed messages in Message tracking logs. This provides detailed information about those messages.
Query Behavior
IMSVA provides the following log query behavior:

General Query Information

| Query | IMSVA Only | IMSVA + Cloud Pre-Filter |
| --- | --- | --- |
| a@a.com | Only the exact match is returned. Result: a@a.com | Displays all messages sent to any variant of "a@a.com", including those with multiple recipients. Result: |
| Query conditions for Message tracking left blank | All query conditions can be left blank. | User must provide filtering criteria for at least one of the four query conditions. |
| * in Subject field, all other query conditions left blank | Returns all messages. | Returns approximately 10000 query results. |
| * in Message ID field, all other query conditions left blank | Returns all messages. | Returns approximately 10000 query results. |

"Sender" Query Information

| Query | IMSVA Only | IMSVA + Cloud Pre-Filter |
| --- | --- | --- |
| 5!#? | Valid Sender value in IMSVA, though no results will be returned. | Not supported. User must provide a properly formatted, complete or partial email address. |
| *test@example.com | Valid Sender value in IMSVA. Returns: All variations ending with test@example.com | Not supported. The wildcard "*" is not supported in the Sender field. |
| test@example.com | Valid Sender value in IMSVA. Returns: Only messages sent from test@example.com | Valid Sender value in IMSVA. Returns: Only messages sent from test@example.com |

"Recipient" Query Information

| Query | IMSVA Only | IMSVA + Cloud Pre-Filter |
| --- | --- | --- |
| test@example.com | Valid Recipient value in IMSVA. Returns: Only messages sent to test@example.com | Valid Recipient value in IMSVA. Returns: Approximately 10000 results sent to all variations of test@example.com (the same as using "*test@example.com*" in IMSVA Only data) |
| *test@example.com | Valid Recipient value in IMSVA. Returns: All variations ending with test@example.com | Not supported. The wildcard "*" is not supported in the Recipient field. |
| test@example.com* | Valid Recipient value in IMSVA. Returns: All variations starting with "test@example.com" | Not supported. The wildcard "*" is not supported in the Recipient field. |
| *test@example.com* | Valid Recipient value in IMSVA. Returns: All variations of test@example.com | Not supported. The wildcard "*" is not supported in the Recipient field. |
| test@example.com; test2@example.com | Valid Recipient value in IMSVA. Result: Combined result of querying test@example.com and test2@example.com. | Not supported. |
| %^$&^ | Valid Recipient value in IMSVA, though no results will be returned. | Not supported. User must provide a properly formatted, complete or partial email address. |
The value <server name>[127.0.0.1] in returned query results indicates the default DNS server.
To query message tracking logs:
1. Choose Logs > Query from the menu. The Log Query screen appears.
2. Next to Type, select Message tracking. The query screen for message event logs appears.
3. In the second drop-down box next to Type, select one of the following:
- IMSVA data only: Displays all messages which are directed through IMSVA.
- Cloud Pre-Filter + IMSVA data: Displays all messages which are directed through Cloud Pre-Filter and IMSVA. This includes messages which are deleted by Cloud Pre-Filter.
4. Next to Dates, select a date and time range.
5. Type any of the following additional information:
- Subject
- Message ID
- Sender
- Recipient
Note:
1. Use the asterisk wildcard for partial searches on any field.
2. The Subject and Message ID fields only display when IMSVA data only is selected.
6. Click Display Log. A timestamp, sender, recipient, subject, and last known action appear for each event.
7. Click the timestamp link to see the following information:
- Timestamp
- Sender
- Recipient
- Subject
- Source IP address
- Message size
- Message ID
- Internal ID
- Delivery IP address
- Delivery feedback
- Scanner that detected the message
- Rule that detected the violation
- Action details
8. Perform any of the additional actions:
- To change the number of items that appears in the list at a time, select a new display value from the drop-down box on the top of the table.
- To print the query results, click Print current page.
- To save the query result to a comma-separated value file, click Export to CSV.
- Click the action link to view detailed information about the action.
To query system event logs:
1. Choose Logs > Query from the menu.
2. Next to Type, select System events. The query screen for system event logs appears.
3. In the second drop-down box next to Type, select one of the following:
- All events: Displays the timestamp and descriptions for all system events.
- Updates: Displays the timestamp of scan engine and pattern file updates from the ActiveUpdate server to the IMSVA admin database.
- Service status: Displays the timestamp and descriptions when the scanner service is started or stopped.
- Admin activity: Displays the timestamp and descriptions for major admin activities such as changing IMSVA settings, admin account log on and log off.
- Errors: Displays the timestamp and descriptions for all errors that IMSVA encountered.
4. In the third drop-down box next to Type, select the server to view.
5. Next to Dates, select a date and time range.
6. Next to Description, type any special words to search for.
7. Click Display Log. A timestamp, component, and description appear for each event.
8. Perform any of the additional actions:
- To change the number of items that appears in the list at a time, select a new display value from the drop-down box on the top of the table.
- To sort the table, click the column title.
- To print the query results, click Print current page.
- To save the query result to a comma-separated value file, click Export to CSV.
To view policy event logs:
1. Choose Logs > Query from the menu.
2. Next to Type, select Policy events. The query screen for policy event logs appears.
3. In the second drop-down box next to Type, select one of the following items related to the policy and the rules you configured for the policy:
- All
- Virus or malicious code
- Spyware/grayware
- Spam/phish
- Web Reputation
- DKIM enforcement
- Attachment
- Size
- Content
- Compliance
- Others
- Scanning exceptions
- Spam Tagged by Cloud Pre-Filter
4. Type any of the following additional information:
- Sender
- Recipient(s)
- Rule
- Subject
- Attachment(s)
- Message ID
If you leave any text box blank, all results for that item appear.
5. Click Display Log. A timestamp, action, rule, and message ID appear for each event.
6. Click the timestamp link to see the following information:
- Timestamp
- Sender
- Recipient
- Subject
- URL
- Risk Level
- Message size
- Violating attachments
- Rule type
- Rule(s)
- Action
- Message ID
- Internal ID
- Scanner that detected the message
7. Perform any of the additional actions:
- To change the number of items that appears in the list at a time, select a new display value from the drop-down box on the top of the table.
- To sort the table, click the column title.
- To print the query results, click Print current page.
- To save the query result to a comma-separated value file, click Export to CSV.
Note on the text boxes:
- "*A*;*B*" means a string that contains A or B.
- "A*;*B" means a string that starts with A or ends with B.
- ";" represents the OR operation.
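The wildcard and ";" (OR) syntax in this note, and the IMSVA Only versus IMSVA + Cloud Pre-Filter behavior in the query tables above, can be replayed offline over rows saved with Export to CSV. The following Python example is added here and is not IMSVA code or a format Trend Micro documents: the CSV column names, the sample rows, case-insensitive matching, and the definition of a "properly formatted, complete or partial email address" (address characters only, no "*" and no ";") are assumptions of the example. It reproduces the table rows: an exact match in IMSVA Only mode skips a multi-recipient message, Cloud Pre-Filter mode matches every variation of a recipient, and the inputs the tables mark "Not supported" are rejected before any matching happens.

```python
import csv
import io
import re

# Constructed sample rows shaped like an "Export to CSV" result of a message
# tracking query. Column names and values are assumptions for this example.
SAMPLE_CSV = """timestamp,sender,recipient,subject,message_id,action
2024-01-01 10:00:00,test@example.com,a@a.com,Invoice,m1,Delivered
2024-01-01 10:05:00,alice.test@example.com,a@a.com; b@b.com,Re: Invoice,m2,Quarantined
2024-01-01 10:07:00,bob@example.org,test@example.com,Hello,m3,Deleted
2024-01-01 10:09:00,bob@example.org,test2@example.com,Report,m4,Delivered
"""

FIELDS = ("sender", "recipient", "subject", "message_id")

# Assumed reading of "properly formatted, complete or partial email address":
# only characters that can occur in an address, so no '*' and no ';'.
PARTIAL_ADDRESS = re.compile(r"^[A-Za-z0-9._%+\-@]+$")


def load_rows(text):
    """Parse exported CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


SAMPLE_ROWS = load_rows(SAMPLE_CSV)


def _term_regex(term):
    # '*' matches any run of characters, everything else is literal. The
    # anchors make a term without '*' an exact whole-field match.
    # Case-insensitive comparison is an assumption of this example.
    pieces = [re.escape(p) for p in term.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def _imsva_only_match(query, value):
    # IMSVA data only: blank matches everything, ';' is OR, '*' is a wildcard,
    # and a multi-recipient field is compared as one string, so "a@a.com"
    # does not match "a@a.com; b@b.com" (the exact-match row of the table).
    if not query.strip():
        return True
    terms = [t.strip() for t in query.split(";") if t.strip()]
    return any(_term_regex(t).match(value) for t in terms)


def _cloud_match(field, query, value):
    # Cloud Pre-Filter + IMSVA data: a sender matches exactly, a recipient
    # matches "all variations" (substring match), as in the Recipient table.
    if not query.strip():
        return True
    q, v = query.strip().lower(), value.lower()
    return q in v if field == "recipient" else q == v


def validate_query(mode, **conditions):
    """Raise ValueError for inputs the tables mark "Not supported" in
    Cloud Pre-Filter mode; IMSVA-only mode accepts any input."""
    if mode != "cloud":
        return
    if not any(conditions.get(f, "").strip() for f in FIELDS):
        raise ValueError("at least one of the four query conditions is required")
    for field in ("sender", "recipient"):
        q = conditions.get(field, "").strip()
        if q and not PARTIAL_ADDRESS.match(q):
            raise ValueError(f"{field}: wildcard, ';' or non-address input is not supported")


def is_supported(mode, **conditions):
    """True if validate_query accepts the conditions for the given mode."""
    try:
        validate_query(mode, **conditions)
    except ValueError:
        return False
    return True


def run_query(rows, mode="imsva", **conditions):
    """Return the message_id of every row matching all given conditions.
    mode: 'imsva' (IMSVA data only) or 'cloud' (Cloud Pre-Filter + IMSVA data).
    conditions: sender, recipient, subject, message_id (blank = no filter)."""
    validate_query(mode, **conditions)
    hits = []
    for row in rows:
        ok = True
        for field in FIELDS:
            q = conditions.get(field, "")
            if mode == "cloud" and field in ("sender", "recipient"):
                ok = ok and _cloud_match(field, q, row[field])
            else:
                ok = ok and _imsva_only_match(q, row[field])
        if ok:
            hits.append(row["message_id"])
    return hits


if __name__ == "__main__":
    print(run_query(SAMPLE_ROWS, "imsva", sender="*test@example.com"))  # ['m1', 'm2']
    print(run_query(SAMPLE_ROWS, "cloud", recipient="a@a.com"))         # ['m1', 'm2']
    print(is_supported("cloud", sender="*test@example.com"))            # False
```

Validation runs before matching so that an unsupported input fails loudly instead of silently returning nothing, which is the behavior an analyst reconciling a Cloud Pre-Filter query with an IMSVA-only export would otherwise have to guess at.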
To query MTA event logs:
1. Choose Logs > Query from the menu.
2. Next to Type, select MTA events. The query screen for MTA event logs appears.
3. On the second drop-down menu next to Type, select the IMSVA device to query.
4. Next to Dates, select a date and time range.
5. Next to Description, type the keyword to search for.
6. Click Display Log. A timestamp and MTA event description appear for each event.
7. Perform any of the additional actions:
- To change the number of items that appears in the list at a time, select a new display value from the drop-down box on the top of the table.
- To print the query results, click Print current page.
- To save the query result to a comma-separated value file, click Export to CSV.
To query IP filtering logs:
1. Choose Logs > Query from the menu.
2. Next to Type, select IP filtering. The query screen for IP filtering logs appears.
3. In the second drop-down box next to Type, select one of the following items related to IP Filtering:
- All
- Email reputation
- DHA attack
- Bounced mail
- Virus
- Spam
- Manual: Refers to the IP addresses that you have specified in the blocked list.
4. Next to Dates, select a date and time range.
5. Next to IP, provide any IP address to search for.
6. Click Display Log. Information appears for the time that IMSVA both started and stopped blocking each IP address or domain.
7. Perform any of the additional actions:
- To change the number of items that appears in the list at a time, select a new display value from the drop-down box on the top of the table.
- To print the query results, click Print current page.
- To save the query result to a comma-separated value file, click Export to CSV.