Configuring the event log

When configuring the event storage duration and selecting event types to be logged, you must take into account the amount of free disk space on processing servers.

Settings for event logging in the event log do not affect Syslog event logging settings.

To configure event log settings:

1. In the application web interface window, select the Settings → Logs and events → Events section.
2. Under Mail traffic, do the following:
   1. Under Log mail processing events, select traffic processing events that you want to be logged in the event log. You can select one of the following options:
      • All
      • Delete message/Delete attachment/Reject action applied
      • Nothing

      By default, the All option is selected.

      The selected setting is applied only to events logged in the event log after the changes are applied. The new setting does not apply to events that were logged earlier.

      The selected setting is applied on all cluster nodes.

   2. Under Log information on scanning links and MIME parts, select the information that you want recorded in the Event Log based on the results of scanning links and MIME parts by the Anti-Virus, Content Filtering, URL Advisor, and Anti-Phishing modules.

      You can select one of the following options:

      • Only for the messages that triggered scan modules.

        The log records information about each MIME part of all messages and each link which triggered scanning modules.

        Scanning modules are considered to be triggered by a link if the link is assigned one of the following statuses:

        • Anti-Phishing module: Phishing link, Phishing, Error.
        • URL Advisor module: Detected, Error.

        Scanning modules are considered to be triggered by a MIME part if at least one of the following events occurred as a result of scanning:

        • The Anti-Virus module assigned any status except Not scanned, Not detected, Bases error to the message.
        • The Anti-Virus module detected a document containing a macro in the message.
        • The Content Filtering module applied a Content Filtering expression to the MIME part.
      • For all messages.

        The log records information about the scan of each MIME part and each link of every message.

      For example, 5 attachments without threats or other objects were detected in the message, as well as 10 links on which scanning modules were triggered. If the Only for the messages that triggered scan modules value is selected, only information about the 10 links is recorded the event log. If the For all messages value is selected, information about the 5 attachments and the 10 links is recorded in the event log.

   3. If you want to log the hashes of MIME parts of a message to the event log, turn on the Log hash of MIME parts and attachments toggle switch. If the option is enabled, hash value will be added for every logged MIME part and attachment. Hash is not logged for links.
   4. If you turned on the Log hash of MIME parts and attachments toggle switch, in the Hash algorithm drop-down list, select a value: SHA256, MD5, or SHA1.
   5. In the Maximum event log size (MB) field, enter the size of the event log that, when reached, will cause earlier records to be deleted.

      Default value: 1024 MB. Possible values: integers from 100 to 2,147,483,647.

   6. In the Logging period (days) field, enter the number of days for which the application must store network traffic processing events on the server.

      Default value: 3 days. Possible values: integers from 1 to 8,589,934,592.

3. Under Application:
   1. In the Maximum event log size (MB) field, enter the size of the event log that, when reached, will cause earlier records to be deleted.

      Default value: 1024 MB. Possible values: integers from 100 to 2,147,483,647.

   2. In the Logging period (days) field, enter the number of days for which the application must store application events on the server.

Event logging in the event log is configured.