Forum Discussion

ggeorgi's avatar
ggeorgi
Level 5
6 years ago

Enterprise Vault for Exchange Mailbox archiving - Data Classification

Hi to all.

I have recently upgraded to 12.3.2 and I need to get familiar with the Data Classification feature.

I have done everything said in the documentation, I have done testing on a single mailbox (I got the report correctly I assume), but I cannot understand how to make searches that proves that there are mails tagged while the classification ran. In the Enterprise Vault search console, there is no "Classification tags" column. Except the EV Search, (and not using the DLP), are there other ways to make those kind of searches? I assume that the Discovery Accelerator is one tool, but I cannot figure out how to utilize the search by tags. I cannot see any Classification tags in the search in DA.

At first I was afraid that I may not have a proper license, but I looked at the license file and found  this:

 

<name>EVRetention</name>

I assume that this is all is needed. Also, I noticed that the Classification folder under the EVCache, is empty. I haven' monitored it while the archiving ran, but during off-archiving hours, it is empty.

Any help or any guide you may have, would be much appreciated. 

I have followed the following guide, but it does not say how to utilize the classification 

https://www.veritas.com/support/en_US/doc/125195407-125230191-0/v11737985-125230191

 

 

  • You need to search for the index property where EV stores the Classification tag you chose. This is the value in parentheses when you're creating the Tag in the Veritas Information Classifier interface:

     

    So if you want to see if your rule applied a Tag type of Index Property to the item, you would go to EV Search, right-click the column headers, choose Columns > Customize Columns, and add a custom column on the Index Property evtag.category, like so:

    (EV index properties are case-sensitive, so make sure you type it in all lower case.)

     

    Once you click Done, you should see your tag appear in the newly created column for any item that was processed by Classification and that matched the appropriate policy.

     

    One other note:

    The Classification folder under EVCache should be empty when archiving is not occurring. This is a temporary folder where item content is written in order to feed it to the Classification engine, and each item's content is deleted immediately after it is classified. At normal performance levels, this all happens too fast to work with these files manually. If you really want to see what EV is doing in this folder, you can change the setting in the VAC under Enterprise Vault Servers > right-click ServerName > Advanced tab > List settings from: Storage > Keep classification files. With this set to On, EV will not delete these files after the items have been classified, so you can inspect them at your leisure, which is useful for troubleshooting. Just make sure to turn this setting back Off when you're done or you risk accidentally filling up the drive.

     

    I hope that helps. It can be tricky to get the hang of it, but the Classification feature is very powerful and can do some really neat things.

     

    ---Chris

  • You need to search for the index property where EV stores the Classification tag you chose. This is the value in parentheses when you're creating the Tag in the Veritas Information Classifier interface:

     

    So if you want to see if your rule applied a Tag type of Index Property to the item, you would go to EV Search, right-click the column headers, choose Columns > Customize Columns, and add a custom column on the Index Property evtag.category, like so:

    (EV index properties are case-sensitive, so make sure you type it in all lower case.)

     

    Once you click Done, you should see your tag appear in the newly created column for any item that was processed by Classification and that matched the appropriate policy.

     

    One other note:

    The Classification folder under EVCache should be empty when archiving is not occurring. This is a temporary folder where item content is written in order to feed it to the Classification engine, and each item's content is deleted immediately after it is classified. At normal performance levels, this all happens too fast to work with these files manually. If you really want to see what EV is doing in this folder, you can change the setting in the VAC under Enterprise Vault Servers > right-click ServerName > Advanced tab > List settings from: Storage > Keep classification files. With this set to On, EV will not delete these files after the items have been classified, so you can inspect them at your leisure, which is useful for troubleshooting. Just make sure to turn this setting back Off when you're done or you risk accidentally filling up the drive.

     

    I hope that helps. It can be tricky to get the hang of it, but the Classification feature is very powerful and can do some really neat things.

     

    ---Chris

    • ggeorgi's avatar
      ggeorgi
      Level 5

      Chris thank you very much.

      This has done the trick, at least to see the mails that were tagged by a Claasification tag. If you excuse me I will ask some more questions and if you can answer, this would be even more great.

      What you mentioned in EVCache\Classification folder, was all clear to me from the beggining. Looking at that folder, was the only way to understand, that some mails were getting classidification tags. I was seeing files get created and disappeared after a few seconds, during the reindexing of an archive I picked for testing. There was no other way to monitor that classification as working. If there is another way to monitor the procedure, please mention it. 

      Is there a way to add the "Classification Tag" column to appear to everybodies EV search page, permanently?

      Is there a way to add the "Classification Tag" the "Select property drop down list", so I can use it without adding it everytime?

      Is there a way to highlight which strings (in the body or in the attachments) caused the Classification Engine to give to that mail the tag, that was assigned? for example, if the tag is "Authentication",  I would want to see highlighted those strings (username and passsword) and be able to easily understand that this the "guilty" part in that particular mail.

      I assume that using the Discovery Accelarator, and I want to search for a particular Classification tag, I will do similar searches like the one you provided in your post. If there is any more hints for the DA, please feel free to provide them.

      Thank you for your time.

      George

       

      • ChrisLangevin's avatar
        ChrisLangevin
        Level 6

        George,

        Not a lot of positive answers for you, but here they are nonetheless.

         

        Is there a way to add the "Classification Tag" column to appear to everybodies EV search page, permanently?

        No. Centralized column set management is not possible in EV Search at this time, whether for Classification-related columns or any others.

         

        Is there a way to add the "Classification Tag" the "Select property drop down list", so I can use it without adding it everytime?

        No. Same reason as above.

         

        Is there a way to highlight which strings (in the body or in the attachments) caused the Classification Engine to give to that mail the tag, that was assigned?

        No.

         

        If there is another way to monitor the procedure, please mention it.

        We have a set of performance counters that track activity by the Classification engine. Check under the "Enterprise Vault Classification" counter set in Performance Monitor or PowerShell (Get-Counter).

         

        If there is any more hints for the DA, please feel free to provide them.

        Same basic idea in DA. Classification stamps the item with an index property, so searching on it is just like searching on any other index property.

         

        --Chris

  • Haven't used it myself, but have you initialized it?

    Initialize-EVClassificationVIC [-PoliciesPath <String>] [-SiteId <String>]

     

    • ggeorgi's avatar
      ggeorgi
      Level 5

      Yeap..... this is written in the guide also....