Run a Log Search
From the Log Search tab in the Administration Console, you can run queries based on the following criteria. Many log searches include the date range, sender, and/or recipient only; but you can also narrow your search by specifying inbound or outbound traffic, as well as the message disposition and other criteria:
Date range: This range corresponds to the time zone for the organization in which you’re running the search. Select a date range that matches the date and time the message was sent. You can use a date range such as Today, Yesterday, Last 7 days, or Last 30 Days.
The time zone for an organization is displayed adjacent to the search fields -- for example, America/New_York. This format specifies a country or world region, followed by a specific location within that region.
From: Enter the complete email address of the sender -- for example,
angela@cuppamocha.com. You can also run a search by domain by entering the domain name of the sender -- for example, cuppamocha.com.
Direction: Specifies whether your search includes inbound or outbound messages. If you leave this field blank, your search includes both inbound and outbound.
Disposition: Narrows the search to include only messages that were processed in a specific way after passing through the message security service filters -- for example, Quarantined, Bounced, or Encrypted. Select the Disposition from the drop-down list.
Subject: Find Log Search results by entering an exact or partial subject. Searches by subject are case insensitive. Non-ASCII characters are not supported for Subject searches.
Note: For searches on a partial subject, the results only match whole words. For example, if the subject is Basketball Bracket, the message will not appear in the results if you search on the words "ball" or "basket." However, if you enter the word basketball, the message will appear in the results.
Sender MTA: Sender IP address (mail transfer agent).
Click More search criteria to display this field, and enter a numeric value -- for example, 74.125.67.100.
Recipient MTA: Recipient IP address (mail transfer agent).
Click More search criteria to display this field, and enter a numeric value -- for example, 74.125.67.100.
User ID: Unique number from the message security service that identifies the sender of an outbound message or the recipient of an inbound message. (A user’s primary email address can be changed, but its ID always remains the same.) Click More search criteria to display this field.
To locate a User ID, log in to the Administration Console. Go to Orgs and Users > Users, and then click the relevant user to open the User Overview page. The User ID is displayed in the Summary box on the right side of the page.
Important: When running a Log Search, enter the system number as well as the User ID. For example, if the user’s organization is on System 7 and the User ID is 200029564, enter the following in the User ID field: 7-200029564
Org ID: Unique number from the message security service that identifies the sender’s Org ID for an outbound message or the recipient’s Org ID for an inbound message. Click More search criteria to display this field.
To locate an Org ID, log in to the Administration Console. Go to Orgs and Users > Orgs, and then click the relevant organization to open the Organization Management page. The Organization ID is displayed in the Summary box on the right side of the page.
Important: When running a Log Search, enter the system number as well as the Org ID. For example, if the organization is on System 7 and the Org ID is 100003947, enter the following in the Org ID field: 7-100003947.
Content Filter: Enables you to search by the name of the Content Manager filter. Searches on both exact and partial text are supported, and searches are case insensitive.
SMTP Message-ID: A globally unique message identifier that’s generated by the sender of a message. If present, the SMTP Message-ID is located in the message header.
Note: The SMTP Message-ID differs from the “Message ID,” which is a unique identifier specific to the message security service.
For additional details about these fields and their possible values, see Log Search Fields. For a description of typical uses for Message Log Search, see Common Log Search Scenarios.
To run a Log Search:
1. From the Log Search tab, choose an organization from the Choose Org drop-down list at the top of the page.
2. Select a date range that matches the date and time the message was sent. This range corresponds to the time zone for the organization in which you’re running the search. You can use a date range such as Today, Yesterday, Last 7 days, or Last 30 Days.
To enter a different date range, choose the Custom date range option, and enter the date and time using the following format of year/month/date:
2009/06/23 00:00
To narrow the range, you can also type the hours, minutes, and seconds in the above format.
3. From the Log Source drop-down list, choose SMTP Mail Flow, Delivered from Quarantine, Dual Delivery, or Rescanner Delivery.
4. Depending on the search scenario, enter the sender’s address in the From field, enter the recipient’s address in the To field. You can also enter the Direction and Disposition, or enter the Subject using both exact and partial searches (See Common Log Search Scenarios.)
5. To expand the search criteria, click More search criteria. This displays additional fields: Sender MTA, Recipient MTA, User ID, Org ID, Content Filter, and SMTP Message-ID, and Disposition Filter.
6. Click Search to open the search results page.
If you want to save a copy of your search results, click Export Selected or Export All to download a .csv file to your computer.
Note: In the heading row, click and drag the edges of a column to widen it.
7. To view details about a specific message, click the Message ID link to open the message details page (example shown below).
Note: The “Message ID” is a unique number for the message security service that identifies a specific message. It differs from the SMTP Message-ID, which is often found in the message header.
To view more details about a specific message recipient, expand the row for that recipient.
