Custom Filtering & Custom Properties

Hi everybody.

Today I’d like to explain how to configure Custom Filtering & Custom Properties on the Symantec Enterprise Vault side. It might be useful if you need to archive only specific journal reports (emails) rather than all emails.

Actually, I was trying to configure it myself, using Symantec documentation only, but I failed. Afterwards I raised a discussion within the Symantec community, but again with no success. Now I finally know how to complete the Custom Filtering & Custom Properties configuration, and I am sharing this info here.

As I explained earlier, the scenario may include (but is not limited to) cases like this: you would like to exclude an email from archiving if a third-party attribute has a specific value (“True”, “False”, etc.).

Here we need to do 2 things:

1. Create Custom Filtering: in plain language, it is a customized rule that determines what Enterprise Vault has to do (ACTION) with a journal email if the CONDITION(s) are met.

E.g. an email in a journal report has an attribute with the value “decrypted: true”, and this email will be moved to Deleted Items in the journaling mailbox.

Default Filter Rules.xml

——————————————-

<?xml version="1.0"?>
<RULE_SET xmlns="x-schema:ruleset schema.xdr">
  <!-- Move the item to Deleted Items when the Header property matches any PROP value -->
  <RULE NAME="MoveDeletedItemsIfSuccess" ACTION="MOVE_DELETED_ITEMS">
    <NAMEDPROP TAG="Header" INCLUDES="ANY">
      <PROP VALUE="*x-si-jrda-result: success*" />
    </NAMEDPROP>
  </RULE>
</RULE_SET>

——————————————-

What it says: move the item (email) to Deleted Items if the following attribute with the appropriate value exists in its properties: “*x-si-jrda-result: success*”.

IMPORTANT: Don’t forget to frame your attribute and value with ‘*’ on both sides. It cost me 1 day.

2. Create Custom Properties: in plain language, it is a file. It defines which extra attributes must be indexed (and, in our case, afterwards processed by Custom Filtering).

The file looks like this:

——————————————-

<?xml version="1.0" encoding="UTF-8"?>
<CUSTOMPROPERTYMETADATA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="customproperties.xsd">
    <!-- 1. DEFINITION OF CONTENT CATEGORIES AVAILABLE -->
    <CONTENTCATEGORIES DEFAULT="HeaderData">
        <CONTENTCATEGORY NAME="HeaderData">
            <INDEXEDPROPERTIES RETRIEVE="Y">
                <PROPERTY TAG="Header"/>
            </INDEXEDPROPERTIES>
        </CONTENTCATEGORY>
    </CONTENTCATEGORIES>
    <!-- 2. DEFINITION OF CUSTOM PROPERTIES AVAILABLE -->
    <CUSTOMPROPERTIES>
        <NAMESPACE TYPE="MAPI">
            <PROPERTY NAME="0x007D" TAG="Header"/>
        </NAMESPACE>
    </CUSTOMPROPERTIES>
    <!-- 3. DEFINITION OF PRESENTATION PROPERTIES AVAILABLE -->
    <PRESENTATION>
        <APPLICATION NAME="search.asp" LOCALE="1033">
            <FIELDGROUPS>
                <FIELDGROUP LABEL="HeaderData">
                    <FIELD TAG="Header" LABEL="Header" CATEGORY="HeaderData"/>
                </FIELDGROUP>
            </FIELDGROUPS>
            <AVAILABLECATEGORIES>
                <AVAILABLECATEGORY CONTENTCATEGORY="HeaderData" LABEL="Header"/>
            </AVAILABLECATEGORIES>
        </APPLICATION>
    </PRESENTATION>
</CUSTOMPROPERTYMETADATA>

——————————————-

It says: take the property type 0x007D (0x007d: Message header) and associate it with the “Header” tag. We use this tag in the filter rule (see the Custom Filtering file above).

Here are some other property types (some of them are guesswork)

But what do I have to do if my attribute isn’t in the message header? In this case I’d recommend using OutlookSpy or a similar product to determine the correct property type.

IMPORTANT: if you look in OutlookSpy for the message header, you will find the tag 0x007D001E there. In Custom Properties you have to use 0x007D instead; otherwise your rule won’t work.

[Screenshot: OutlookSpy]

Don’t forget to restart your EV tasks every time you make changes to the Custom Properties and Custom Filtering files.
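A check that can run before restarting the tasks, covering the two mistakes marked IMPORTANT above. It is an added example, not part of the original post or of Enterprise Vault; the sample XML is constructed with both mistakes in it, and `local` and `lint` are hypothetical helper names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the two files above, each carrying one mistake.
RULES_XML = """<RULE_SET xmlns="x-schema:ruleset schema.xdr">
  <RULE NAME="MoveDeletedItemsIfSuccess" ACTION="MOVE_DELETED_ITEMS">
    <NAMEDPROP TAG="Header" INCLUDES="ANY">
      <PROP VALUE="x-si-jrda-result: success" />
    </NAMEDPROP>
  </RULE>
</RULE_SET>"""

PROPS_XML = """<CUSTOMPROPERTYMETADATA>
  <CUSTOMPROPERTIES>
    <NAMESPACE TYPE="MAPI">
      <PROPERTY NAME="0x007D001E" TAG="Header"/>
    </NAMESPACE>
  </CUSTOMPROPERTIES>
</CUSTOMPROPERTYMETADATA>"""

def local(elem):
    """Element name without the '{namespace}' prefix ElementTree adds."""
    return elem.tag.rsplit("}", 1)[-1]

def lint(rules_xml, props_xml):
    """Return findings for unframed PROP values and 8-digit MAPI tags."""
    findings, defined = [], set()
    for ns in ET.fromstring(props_xml).iter():
        if local(ns) != "NAMESPACE" or ns.get("TYPE") != "MAPI":
            continue
        for prop in ns:
            name, tag = prop.get("NAME", ""), prop.get("TAG")
            defined.add(tag)
            if re.fullmatch(r"0x[0-9A-Fa-f]{8}", name):  # ID plus type suffix
                findings.append(f"{tag}: {name} includes the type suffix, use {name[:6]}")
    for named in ET.fromstring(rules_xml).iter():
        if local(named) != "NAMEDPROP":
            continue
        tag = named.get("TAG")
        if tag not in defined:
            findings.append(f"{tag}: not defined in Custom Properties")
        for prop in named:
            value = prop.get("VALUE", "")
            if not (value.startswith("*") and value.endswith("*")):
                findings.append(f"{tag}: '{value}' is not framed, use '*{value.strip('*')}*'")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(RULES_XML, PROPS_XML)))
```
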

The last thing you need to know is how to configure the trace log. It is well explained in the Symantec EV documentation. By analyzing the trace logs afterwards, you can work out which part doesn’t work.

For example:

2961     11:35:29.134     [9596]  (JournalTask)      <7620> EV:L     [CustomRules][CRule] Evaluating item againstMoveDeletedItemsIfSuccess rule…

Comment: Great. EV recognized your rule.

2962     11:35:29.134     [9596]  (JournalTask)      <7620> EV:L     [CustomRules][CNamedPropClause] testing against ANY of 1 NamedProps

Comment: EV starts analyzing header against my rule.

2963     11:35:29.134     [9596]  (JournalTask)      <7620> EV:L     [CustomRules][CNamedPropClause] : success DID NOT MATCH  received: from servername (ip 134.56.51.36) by servername (ip 102.236.56.47) with microsoft smtp server id 14.3.169.1; mon, 12 may 2014| 11:32:44 +0200|content-type: application/ms-tnef; name=”winmail.dat”|content-transfer-encoding: binary|from: “user1)” <user1@domain.level>|to: “user2″|<user2@domain.level>|subject: mapiattribute 1/3-05/12/2014 11:32:44|thread-topic: mapiattribute 1/3-05/12/2014 11:32:44|thread-index: aqhbxdo+sllibg3/gzpuir9ss9mxow==|date: mon, 12 may 2014 09:32:44 +0000|message-id: <8f98cad6-c802-425e-a166-3c2ae6cb7219@servername.domain.level>|x-ms-has-attach: yes|x-ms-tnef-correlator: <8f98cad6-c802-425e-a166-3c2ae6cb7219@server.domain.level>|mime-version: 1.0|x-si-jrda-result: success

Comment: despite the negative result, I have something positive here. EV found my target word “success” and was trying to compare it with the property value. So it means that EV also indexed the value.

But why do I have “DID NOT MATCH”?

Because the target word “success” isn’t framed with wildcards on both sides: “*success*”. In my case it is enough to frame it on one side only.
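The same diagnosis applied mechanically to trace lines, as an added example that is not from the original post or from Symantec. It assumes EV compares the pattern against the whole lowercased property value as a glob, which is inferred from the trace quoted above; the trace lines are constructed and shortened, and `glob_match` and `diagnose` are hypothetical helpers.

```python
import re
from fnmatch import fnmatchcase

# Constructed trace lines, shortened from the format quoted in the post.
TRACE = """\
2961 11:35:29.134 [9596] (JournalTask) <7620> EV:L [CustomRules][CRule] Evaluating item against MoveDeletedItemsIfSuccess rule...
2963 11:35:29.134 [9596] (JournalTask) <7620> EV:L [CustomRules][CNamedPropClause] : success DID NOT MATCH  received: from servername|mime-version: 1.0|x-si-jrda-result: success
2971 11:35:30.002 [9596] (JournalTask) <7620> EV:L [CustomRules][CNamedPropClause] : *x-si-jrda-result: success* DID NOT MATCH  received: from servername|mime-version: 1.0
"""

# Pattern and property value as they appear in a CNamedPropClause miss.
MISS = re.compile(r"\[CNamedPropClause\] : (?P<pattern>.+?) DID NOT MATCH\s+(?P<value>.*)")

def glob_match(value, pattern):
    """Assumed semantics: the pattern must cover the whole value; '*' is the wildcard."""
    return fnmatchcase(value.lower(), pattern.lower())

def diagnose(trace):
    """For each miss, tell a missing wildcard apart from a value that is not there."""
    results = []
    for line in trace.splitlines():
        m = MISS.search(line)
        if not m:
            continue
        pattern, value = m["pattern"], m["value"]
        framed = f"*{pattern.strip('*')}*"
        if glob_match(value, framed):
            # The text is in the indexed value; only the framing is missing.
            results.append((pattern, "add wildcards", framed))
        else:
            # Header absent on this item, or the property is not indexed.
            results.append((pattern, "text not in indexed value", None))
    return results

if __name__ == "__main__":
    for pattern, verdict, suggestion in diagnose(TRACE):
        print(f"{pattern!r}: {verdict}" + (f" -> {suggestion}" if suggestion else ""))
```
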

It’s time to test new configuration.

The journal mailbox looks like the picture below.

The email with the subject “Test01…” has the specific attribute and will be moved to Deleted Items during archiving. The email with the subject “Test02…” will be archived as usual.

[Screenshot: journal mailbox]

Start the EV task:

[Screenshot: archiving]

After 2 seconds, check the Deleted Items folder:

[Screenshot: result]

I wish you good luck with testing.