SAVE RAW DATA action

Enables or disables saving of the source (raw) data from which the message was received.

Description

The action enables or disables saving of the source (raw) data from which the message was received. If the message was intercepted in HTTP traffic, its source data consists of two files containing the HTTP request and the HTTP response. If the message was intercepted in SMTP or POP3 traffic, its source data is the file with the original email in EML format.

Saving source data is disabled by default for all messages. If saving source data is enabled for a message, the files with its source data are included in the message as attachments.

Keep in mind that enabling source data saving more than doubles the amount of stored data, so use this option only for debugging or when having the source data is imperative.

Format

<action name="save-raw-data" value="<true/false/1/0>" />

The "name" attribute:

The name attribute contains the action name: name="save-raw-data".

The "value" attribute:

The value="..." attribute specifies whether the action is active.

true or 1

Enable saving source data for messages.

false or 0

Disable saving source data for messages (if it was previously enabled in the filter).

Example:

Enable saving source data for messages received via HTTP.

<?xml version="1.0" encoding="utf-8"?>
<filter name="Message filter" version="1.0">
 <comment>Message filter.</comment>
 
 <table name="main">
   <rule enabled="1">
     <comment>
       Enable saving source data for messages
       intercepted over the HTTP protocol.
     </comment>
     <match>
       <c name="protocol" value="http" />
     </match>
     <action name="save-raw-data" value="true" />
   </rule>
 
 </table>
</filter>
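
Because raw-data saving more than doubles storage, it helps to know which rules turn it on. The following Python script is an added example, not part of the product documentation: it audits a filter file and reports every save-raw-data action, whether its value is one of the documented ones, and whether the rule has match conditions. The function name, status labels and sample filter are constructed for illustration, and treating a rule without match conditions as unscoped is an assumption.

```python
import xml.etree.ElementTree as ET

ENABLE = {"true", "1"}    # values this page documents as "enable"
DISABLE = {"false", "0"}  # values this page documents as "disable"

# Constructed sample filter; uses only elements and attributes shown on this page.
SAMPLE_FILTER = b"""<?xml version="1.0" encoding="utf-8"?>
<filter name="Message filter" version="1.0">
  <table name="main">
    <rule enabled="1">
      <match><c name="protocol" value="http" /></match>
      <action name="save-raw-data" value="true" />
    </rule>
    <rule enabled="1">
      <action name="save-raw-data" value="1" />
    </rule>
    <rule enabled="1">
      <match><c name="protocol" value="http" /></match>
      <action name="save-raw-data" value="yes" />
    </rule>
  </table>
</filter>"""

def audit_save_raw_data(xml_bytes):
    """Return one finding per save-raw-data action found in the filter."""
    findings = []
    for table in ET.fromstring(xml_bytes).iter("table"):
        for number, rule in enumerate(table.findall("rule"), start=1):
            conditions = [(c.get("name"), c.get("value"))
                          for c in rule.findall("./match/c")]
            for action in rule.findall("action"):
                if action.get("name") != "save-raw-data":
                    continue
                value = action.get("value")
                if value in ENABLE:
                    # Assumption: a rule with no <c> conditions is not narrowed
                    # to a subset of traffic, so it is reported separately.
                    status = "enabled" if conditions else "enabled-unscoped"
                elif value in DISABLE:
                    status = "disabled"
                else:
                    status = "undocumented-value"
                findings.append({"table": table.get("name"), "rule": number,
                                 "rule_enabled": rule.get("enabled"),
                                 "status": status, "match": conditions})
    return findings

if __name__ == "__main__":
    for finding in audit_save_raw_data(SAMPLE_FILTER):
        print(finding)
```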