I have received these logs on the remote syslog; the thing is, I cannot determine why there's a lot of content_xx in the logs:
<timestamp>scanner_host bmserver: 1468742517|0a11033d-107ff700000003ae-db-578b3b71c702|UNTESTEDfirstname.lastname@example.org|has_urls|dz_document|unscannable_pmc|content_500|content_100|content_600|content_200|content_1467378199437|content_1468480937180|content_1468149396293|content_1467290403757|content_300|content_1467315954241|content_520|content_521|content_1467029228427|content_400|content_1467028895494|user_allow|user_deny|freq_va|freq_dha|freq_sa|connection_class_0|connection_class_1|connection_class_2|connection_class_3|connection_class_4|connection_class_5|connection_class_6|connection_class_7|connection_class_8|connection_class_9|senderauth_batv_sign|senderauth_batv_fail|blockedlang|knownlang
Can anyone help me explain this kind of log?
Quite simple - "UNTESTED" means that these rules were not checked because they overlap with others and have no impact.
In other words, for this inbound mail all listed rules did not fire / were not applied.
Thank you for your reply.
I'm having a hard time understanding what this content means. Do you have any idea?
Please take a look at https://support.symantec.com/en_US/article.TECH232772.html
It explains a few of the verdicts but not all:
content_.... if you open one of your content rules, within the URL you will find the policy number which is applied or untested.
has_urls ... as I see, currently not used
dz_document ... as I see, currently not used
unscannable_pmc ... unscannable but has potentially malicious content
user_allow | user_deny ... Your good | bad senders list
connection_class_x ... your local connection classification
senderauth_batv_sign | fail ... bounce address tag validation signed or query failed
knownlang | blockedlang ... if you check on used language and allow | block a certain one
This list is not a complete one. Even though I requested full documentation, no one at Symantec could provide me a complete list.
It took me several weeks to complete "my list" used for alerting and reporting.
If you need a certain one more, just let me know.
Thank you for this information, it's a big help.
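
An added example, not part of the original thread and not Symantec's code: a parser for the bmserver payload shown in the question that groups the verdict names according to the explanations given in the answer, for use in alerting or reporting. The group labels, the function name and the handling of a pipe-separated recipient field are assumptions of this example; names the thread does not explain (such as freq_va) are collected under "unexplained".

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the payload from the question with the verdict list shortened.
SAMPLE = ("1468742517|0a11033d-107ff700000003ae-db-578b3b71c702|"
          "UNTESTEDfirstname.lastname@example.org|has_urls|dz_document|"
          "unscannable_pmc|content_500|content_1467378199437|user_allow|"
          "user_deny|freq_va|connection_class_0|connection_class_9|"
          "senderauth_batv_sign|senderauth_batv_fail|blockedlang|knownlang")

# Groupings follow the thread's explanations; the labels are this example's own.
GROUPS = [
    (re.compile(r"content_(\d+)$"), "content_rule"),        # policy number
    (re.compile(r"connection_class_(\d)$"), "connection_class"),
    (re.compile(r"user_(allow|deny)$"), "sender_list"),     # good/bad senders
    (re.compile(r"senderauth_batv_(sign|fail)$"), "batv"),
    (re.compile(r"(known|blocked)lang$"), "language"),
    (re.compile(r"(unscannable_pmc)$"), "unscannable"),
    (re.compile(r"(has_urls|dz_document)$"), "reported_unused"),
]

def parse_bmserver(payload):
    """Parse the text after 'bmserver: ' into event, recipient and grouped names."""
    fields = payload.strip().split("|")
    if len(fields) < 3 or not fields[0].isdigit():
        raise ValueError("not a bmserver audit payload")
    epoch, audit_id, third, rest = int(fields[0]), fields[1], fields[2], fields[3:]
    # On the page the event name and the recipient share one field.
    m = re.match(r"([A-Z_]+)(.*)$", third)
    if m is None:
        raise ValueError("no event name in third field")
    event, recipient = m.group(1), m.group(2)
    # Assumption: if they arrive as separate fields, the recipient comes next.
    if not recipient and rest and "@" in rest[0]:
        recipient = rest.pop(0)
    grouped = defaultdict(list)
    for name in rest:
        for pattern, label in GROUPS:
            hit = pattern.match(name)
            if hit:
                grouped[label].append(hit.group(1))
                break
        else:
            grouped["unexplained"].append(name)  # not covered by the thread
    when = datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()
    return {"time": when, "audit_id": audit_id, "event": event,
            "recipient": recipient, "names": dict(grouped)}
```

Watching the "unexplained" group over time shows which names still need to be added to your own list.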