SafeSend has three different types of logging capabilities for auditing purposes. This article walks through how to adjust the logging settings.
If both SS_LoggingFileLogEnabled and SS_LoggingWindowsEventLogEnabled are set to 1, SafeSend logs both to a file on disk and to the Windows Event Log.
The event types being logged are controlled with SS_LoggingEventTypeFilter, which defaults to 255 (all bits set) so that every event type is logged. Note that this is a bitmask: each event type has one bit, bit n contributes the value 2^n, and the values are added together to select several types.
The event types are defined as: Bit 0 (value 1): email_external, Bit 1 (value 2): email_internal, Bit 2 (value 4): email_cancelled. If the logs are meant to serve as an audit trail, leave the filter at its default so that cancelled emails are recorded as well.
- SS_LoggingEventTypeFilter = 1: External emails.
- SS_LoggingEventTypeFilter = 2: Internal emails.
- SS_LoggingEventTypeFilter = 3: External + Internal emails.
- SS_LoggingEventTypeFilter = 4: Cancelled emails.
- SS_LoggingEventTypeFilter = 5: External + Cancelled emails.
- SS_LoggingEventTypeFilter = 6: Internal + Cancelled emails.
- SS_LoggingEventTypeFilter = 7: External + Internal + Cancelled emails.
Log to file
File logging is enabled by setting SS_LoggingFileLogEnabled to 1. The log files are stored under C:\Users\{username}\AppData\Local\SafeSend and are unique per user, so if two users share a machine, SafeSend writes each user's log files to that user's own folder. Because this location is inside the user's profile, the user can read, edit or delete their own log files; if the logs need to be tamper-resistant, also send them to the Windows Event Log or a Syslog server. To keep writes fast, SafeSend rotates between two log files, named ‘safesend1.log’ and ‘safesend2.log’.
When the file currently being written reaches its size limit, SafeSend switches to writing the other file. This is how SafeSend bounds the size of the log files, using the setting SS_LoggingFileLogMaxSizeMB.
The default value of SS_LoggingFileLogMaxSizeMB is 50, meaning that the two log files together are limited to 50 MB. At least 25 MB of history is therefore retained at any time, which translates into about 46,000 log events. Assuming an average user sends 30 emails every day, the default log files hold 46,000/30 ~= 1533 days of email activity. Assuming 260 working days a year, that is 1533/260 ~= 6 years of email activity.
Log to the Windows Event Log
SafeSend can also be configured to log to the Windows Event Log by setting SS_LoggingWindowsEventLogEnabled to 1. The Windows Event Log is useful because the events can be collected on a central log server, either with Microsoft technology such as Windows Event Forwarding or with a third-party agent. The event source and log name depend on the SafeSend version, so collection filters need to match the version that is deployed:
- For version 4.2.4 or earlier, the log data can be viewed by opening the Event Viewer and filtering on ‘SafeSend’ as an event source.
- For version 4.2.5 or later, the log data can be viewed under Applications and Services Logs > SafeSend Outlook Security in the Event Viewer.
Log to a Syslog Server
SafeSend can also send log events directly to a central Syslog server using the UDP network protocol. Specify the hostname and port of your Syslog server and SafeSend takes care of the rest: user actions, e.g. a user confirming an email, are sent to the Syslog server, which can be configured to forward the data into your SIEM for further analysis or for storage. Keep in mind that UDP syslog is neither authenticated nor encrypted and delivery is not guaranteed, so the collector should be reachable over a trusted network path and a gap in the stream can mean lost datagrams rather than inactivity.
There are three relevant settings to manage the Syslog option in SafeSend:
- LoggingSyslogHostname
- LoggingSyslogPort
- LoggingSyslogUseStrictRFC5424Format
You can read more about them by referring to the VIPRE SafeSend Settings Reference Guide.
Log Event Types
Log event ‘Email external’
2016-05-23T20:15:01.4297910+02:00 category=info action=email_external machine="machinename" user="username" from="myname@mydomain.com" type="email" subject="test" nr_total_recipients=3 nr_internal_recipients=1 nr_external_recipients=2 nr_files_attached=1 nr_files_reviewed=0 external_recipients="external1@domain.com;external2@domain.com" attachments="attachment.pdf"
Log event ‘Email internal’
2016-05-23T20:29:34.2861288+02:00 category=info action=email_internal machine="machine-name" user="username" from="myname@mydomain.com" reason="no_recipients_to_confirm" type="email" subject="test" nr_total_recipients=1 nr_internal_recipients=1 nr_files_attached=0
Log event ‘Email cancelled’
2016-05-23T20:29:29.8328932+02:00 category=info action=email_cancelled machine="machine-name" user="username" from="myname@mydomain.com" type="email" subject="test" nr_total_recipients=1 nr_internal_recipients=0 nr_external_recipients=1 nr_files_attached=0 nr_files_reviewed=0
Log Parameters
Parameter | Description | External email | Cancelled email | Internal email |
---|---|---|---|---|
action | “email_external”, “email_cancelled” or “email_internal” | x | x | x |
machine | The Windows machine name | x | x | x |
user | The Windows user name | x | x | x |
from | the sender’s email address | x | x | x |
type | “email”, “meeting” or “task” | x | x | x |
subject | The subject of the email | x | x | x |
nr_total_recipients | The total number of recipients | x | x | x |
nr_internal_recipients | The number of internal recipients | x | x | x |
nr_external_recipients | The number of external recipients | x | x | x |
nr_files_attached | The number of files attached | x | x | x |
nr_files_reviewed | The number of times that the user has clicked “(open)” from SafeSend to review the file. Opening the same file two times would result in a count of 1. | x | x | not included |
external_recipients | The email address of external recipients separated by “;” | x | not included | not included |
cancelled_reason | “autoforwarded_email”, “no_attachments_found” or “no_recipients_to_confirm”. Note that the ‘Email internal’ sample event above emits this value under the key reason, so parsers should accept either key name. | not included | not included | x |
attachments | The file names of the attachments separated by “;” | optional | optional | not included |
dlp | Describes the DLP Content Scanning results if DLP is enabled. Can contain “timed-out” or “, , , “. All matches are separated by “;”. | optional | optional | not included |
replyto | The ReplyTo email address if the user has set it to a custom value (not the sender’s email) | optional | optional | not included |
nr_recipients_removed | The number of recipients removed from the original recipients' list | optional | not included | not included |
recipients_removed | The name/email of the recipients removed from the original recipient list separated by “;” | optional | not included | not included |
nr_attachments_removed | The number of attachments removed from the original attachments list | optional | not included | not included |
attachments_removed | The file names of the attachments removed from the original attachments list separated by “;” | optional | not included | not included |
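The following Python is an added example, not SafeSend's own code or tooling. It parses event lines of the shape shown under Log Event Types into typed fields according to the parameter table above, unwraps an RFC 5424 syslog datagram of the kind the Syslog option produces when the strict RFC 5424 format is enabled (the syslog header values used here, and the assumption that the event line travels unchanged in the MSG part, are not documented on this page and are assumptions), and runs two detection rules over constructed sample events: an attachment sent to a recipient domain outside a trusted list, and a DLP scan that timed out.

```python
"""Parse SafeSend audit events (file, Event Log or syslog MSG) and flag risky ones."""
import re
from datetime import datetime

# Added example, not SafeSend's code. Sample events are constructed from the
# format on this page; the syslog HOSTNAME/APP-NAME values are assumptions.
_Q = '"\u201c\u201d'  # straight and curly double quotes (page samples use curly)
_PAIR = re.compile(rf'(\w+)=(?:[{_Q}]([^{_Q}]*)[{_Q}]|(\S+))')  # key=value pairs
_LIST_FIELDS = {"external_recipients", "attachments",  # ';'-separated per the table
                "recipients_removed", "attachments_removed"}
# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$")


def parse_event(line: str) -> dict:
    """One event line -> dict: aware datetime under 'timestamp', nr_* as int,
    ';'-separated fields as lists. The 7-digit .NET fraction is cut to 6."""
    ts, _, rest = line.strip().partition(" ")
    event = {"timestamp": datetime.fromisoformat(re.sub(r"(\.\d{6})\d+", r"\1", ts))}
    for key, quoted, bare in _PAIR.findall(rest):
        value = quoted or bare
        if key.startswith("nr_"):
            event[key] = int(value)
        elif key in _LIST_FIELDS:
            event[key] = [v for v in value.split(";") if v]
        else:
            event[key] = value
    # The 'Email internal' sample writes the reason as 'reason' while the
    # parameter table calls it 'cancelled_reason'; expose a single name.
    if "reason" in event and "cancelled_reason" not in event:
        event["cancelled_reason"] = event.pop("reason")
    return event


def parse_syslog(datagram: bytes) -> dict:
    """Split an RFC 5424 datagram into header fields plus the parsed event.
    Assumes (undocumented here) that the strict-RFC5424 mode carries the
    event line unchanged as MSG."""
    m = _SYSLOG.match(datagram.decode("utf-8"))
    if m is None:
        raise ValueError("not an RFC 5424 message")
    pri = int(m["pri"])
    msg = (m["msg"] or "").lstrip("\ufeff")  # RFC 5424 allows a BOM before MSG
    return {"facility": pri // 8, "severity": pri % 8, "host": m["host"],
            "app": m["app"], "event": parse_event(msg)}


def flag_events(events, trusted_domains) -> list:
    """Return (event, reason) pairs: an attachment went to a recipient domain
    outside trusted_domains, or the DLP scan of an outbound email timed out."""
    trusted = {d.lower() for d in trusted_domains}
    findings = []
    for ev in events:
        if ev.get("action") != "email_external":
            continue
        untrusted = [r for r in ev.get("external_recipients", [])
                     if r.rsplit("@", 1)[-1].lower() not in trusted]
        if ev.get("nr_files_attached", 0) > 0 and untrusted:
            findings.append((ev, "attachment(s) sent to untrusted domain: " + ", ".join(untrusted)))
        if "timed-out" in ev.get("dlp", ""):
            findings.append((ev, "DLP scan timed out"))
    return findings


# Constructed sample input: the three documented event types plus a DLP time-out.
SAMPLE_LINES = [
    '2016-05-23T20:15:01.4297910+02:00 category=info action=email_external machine="ws01" '
    'user="jdoe" from="jdoe@example.com" type="email" subject="Q2 numbers" nr_total_recipients=3 '
    'nr_internal_recipients=1 nr_external_recipients=2 nr_files_attached=1 nr_files_reviewed=0 '
    'external_recipients="partner@trusted.example;someone@gmail.com" attachments="q2.xlsx"',
    '2016-05-23T20:29:34.2861288+02:00 category=info action=email_internal machine="ws01" '
    'user="jdoe" from="jdoe@example.com" reason="no_recipients_to_confirm" type="email" '
    'subject="lunch" nr_total_recipients=1 nr_internal_recipients=1 nr_files_attached=0',
    '2016-05-23T20:30:02.1180000+02:00 category=info action=email_cancelled machine="ws01" '
    'user="jdoe" from="jdoe@example.com" type="email" subject="draft" nr_total_recipients=1 '
    'nr_internal_recipients=0 nr_external_recipients=1 nr_files_attached=0 nr_files_reviewed=0',
    '2016-05-23T20:31:10.0000000+02:00 category=info action=email_external machine="ws01" '
    'user="jdoe" from="jdoe@example.com" type="email" subject="contract" nr_total_recipients=1 '
    'nr_internal_recipients=0 nr_external_recipients=1 nr_files_attached=1 nr_files_reviewed=1 '
    'external_recipients="legal@trusted.example" attachments="contract.pdf" dlp="timed-out"',
]
# PRI 134 = facility 16 (local0) * 8 + severity 6 (info); host/app values assumed.
SAMPLE_DATAGRAM = b"<134>1 2016-05-23T18:15:01.429Z ws01 SafeSend - - - " + SAMPLE_LINES[0].encode()


if __name__ == "__main__":
    print(parse_syslog(SAMPLE_DATAGRAM)["event"]["external_recipients"])
    for ev, why in flag_events(map(parse_event, SAMPLE_LINES), {"trusted.example"}):
        print(ev["timestamp"].isoformat(), ev["user"], repr(ev["subject"]), "->", why)
```

The same parser works on the file log and on the message text of the Windows Event Log entries; for the rotating file pair, parse both safesend1.log and safesend2.log and order by the parsed timestamp rather than assuming which file is current. The quote class accepts curly quotes only because the samples on this page render them that way. Keep in mind that subject, attachments and the recipient addresses are text chosen by the sending user or their correspondents, so SIEM queries should treat them as opaque strings rather than interpret them.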