Configuring the event log

When configuring the event storage duration and selecting event types to be logged, you must take into account the amount of free disk space on processing servers.

Settings for event logging in the event log do not affect Syslog event logging settings.

To configure event log settings:

  1. In the application web interface window, select the Settings → Logs and events → Events section.
  2. Under Mail traffic events, do the following:
    1. Under Log mail processing events, select traffic processing events that you want to be logged in the event log. You can select one of the following options:
      • All
      • Delete message/Delete attachment/Reject action applied
      • Nothing

      By default, the All option is selected.

      The selected setting is applied only to events logged in the event log after the changes are applied. The new setting does not apply to events that were logged earlier.
      The selected setting is applied on all cluster nodes.

    2. Under Log information on scanning links and MIME parts, select the information that you want recorded in the Event Log based on the results of scanning links and MIME parts by the Anti-Virus, Content Filtering, Link scanning, and Anti-Phishing modules.

      You can select one of the following options:

      • Only for the messages whose MIME parts triggered scan modules.

        The log records information about each MIME part of all messages and each link which triggered scanning modules.

      • For all messages.

        The log records information about the scan of each MIME part and each link of every message.

      For example, suppose a message contains 5 attachments in which no threats or other objects were detected, and 10 links on which scanning modules were triggered. If the Only for the messages whose MIME parts triggered scan modules value is selected, only information about the 10 links is recorded in the event log. If the For all messages value is selected, information about the 5 attachments and the 10 links is recorded in the event log.

    3. If you want to log the hashes of MIME parts of a message to the event log, turn on the Log hash of MIME parts and attachments toggle switch. If the option is enabled, a hash value is added for every logged MIME part and attachment. Hashes are not logged for links.
    4. If you turned on the Log hash of MIME parts and attachments toggle switch, in the Hash algorithm drop-down list, select a value: SHA256, MD5, or SHA1.
    5. In the Maximum event log size (MB) field, enter the size of the event log that, when reached, will cause earlier records to be deleted.

      Default value: 1024 MB. Possible values: integers from 100 to 2,147,483,647.

    6. In the Logging period (days) field, enter the number of days for which the application must store network traffic processing events on the server.

      Default value: 3 days. Possible values: integers from 1 to 8,589,934,592.

  3. Under Application events:
    1. In the Maximum event log size (MB) field, enter the size of the event log that, when reached, will cause earlier records to be deleted.

      Default value: 1024 MB. Possible values: integers from 100 to 2,147,483,647.

    2. In the Logging period (days) field, enter the number of days for which the application must store application events on the server.

      Default value: 1100 days.

  4. Under Audit events:
    1. Under Audit log level, select the level of detail of the Audit Log. You can select one of the following options:
      • Do not log audit events
      • Log audit events without information on modified parameters

        Only audit events will be logged, without information on the modified parameters and their values.

      • Log audit events and modified parameters

        Audit events and the old and new values of the modified parameters will be logged.

      The default is Log audit events without information on modified parameters.

      Regardless of the Audit log level value, KSMG logs authentication attempt events to syslog with the authpriv(10) category. Events are logged for successful and unsuccessful attempts to log in to the application using Kerberos, NTLM, and local account authentication.
      If audit event logging is enabled, KSMG also writes Audit Log events to syslog with the facility selected in the Settings → Logs and events → Syslog section on the Standard format tab.

    2. In the Maximum event log size (MB) field, enter the size of the Audit Log that, when reached, will cause earlier records to be deleted.

      Default value: 1024 MB. Possible values: integers from 100 to 2,147,483,647.

    3. In the Logging period (days) field, enter the number of days for which the application must store audit events on the server.

      Default value: 1100 days.

    4. If the event record is long, it is broken up into parts in the log. In the Maximum size of a modified settings part in CEF (characters) field, enter the maximum size of such a part in UTF-8 characters. The minimum value is 4000; the default value is 4000.
  5. Click Save.

Event logging in the event log is configured.
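
The syslog note in step 4 means a collector receives two streams: authentication attempts with the authpriv(10) facility, and Audit Log events with the facility chosen on the Standard format tab. The following is an added example, not Kaspersky code, that decodes the syslog PRI value to separate them. The audit facility (local1), the host name and the message text are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Syslog facility code 10 is authpriv (RFC 5424), the category named on this page.
AUTHPRIV = 10
# Assumption: the facility selected on the Standard format tab is local1 (17).
AUDIT_FACILITY = 17
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")

def decode_pri(line):
    """Return (facility, severity) from the leading <PRI>, or None if absent or invalid."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # highest valid PRI: facility 23, severity 7
        return None
    return divmod(pri, 8)  # PRI = facility * 8 + severity

def route(lines, audit_facility=AUDIT_FACILITY):
    """Split forwarded records into auth, audit, other and unparsed buckets."""
    buckets = defaultdict(list)
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            buckets["unparsed"].append(line)  # keep for review, do not drop silently
            continue
        facility, severity = decoded
        key = {AUTHPRIV: "auth", audit_facility: "audit"}.get(facility, "other")
        buckets[key].append((SEVERITIES[severity], PRI_RE.sub("", line, count=1)))
    return dict(buckets)

# Constructed sample records; the message text is a placeholder, not KSMG's real format.
SAMPLE = [
    "<86>Jan 10 09:15:02 mailgw1 app: constructed login success record",
    "<84>Jan 10 09:15:40 mailgw1 app: constructed login failure record",
    "<142>Jan 10 09:16:11 mailgw1 app: constructed audit record",
    "<30>Jan 10 09:16:12 mailgw1 systemd: constructed unrelated record",
    "<999>Jan 10 09:16:13 mailgw1 app: constructed record with invalid PRI",
    "no PRI header at all",
]

if __name__ == "__main__":
    for name, records in route(SAMPLE).items():
        print(name, len(records))
```

Because authentication events arrive regardless of the Audit log level, the "auth" bucket should never be empty on a gateway that administrators log in to; an empty bucket points at a forwarding or filtering problem on the collector side.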
