ESET Online Help

Search English
Select the topic

Log files

Log files contain information about important program events that have occurred, provide an overview of scan results, detected threats, etc. Logs are an essential tool in system analysis, threat detection and troubleshooting. Logging is performed actively in the background with no user interaction. Information is recorded based on the current log verbosity settings. You can view text messages and logs directly from the ESET Mail Security environment or export them for viewing elsewhere.

Choose the appropriate log type from the drop-down menu. The following logs are available:


The Detections log offers detailed information about infiltrations detected by ESET Mail Security modules. The information includes the time of detection, name of infiltration, location, the performed action and the name of the user logged in at the time the infiltration was detected.

Double-click any log entry to display its details in a separate window. You can create a detection exclusion if required by right-clicking a log record (detection) and clicking Create exclusion. Open the exclusion wizard with pre-defined criteria. If there is a name of a detection next to an excluded file, it means that the file is only excluded for the given detection. If that file becomes infected later with other malware, it will be detected.


All important actions performed by ESET Mail Security are recorded in the event log. The event log contains information about events and errors that have occurred in the program. It is designed to help system administrators and users resolve problems. Often the information found here can help you find a solution for a problem occurring in the program.

Computer scan

All scan results are displayed in this window. Each line corresponds to a single computer control. Double-click any entry to view the details of the respective scan.

Blocked files

Contains records of files that were blocked and could not be accessible. The protocol shows the reason and the source module that blocked the file, as well as the application and user that executed the file.

Sent files

Contains records of files Cloud-based protection, ESET LiveGuard and ESET LiveGrid®.

Audit logs

Contains records of changes in configuration or protection state and create snapshots for later reference. Right-click any record of setting changes type and select Show from the context menu to display detailed information about the performed change. If you want to you previous setting select Restore. You can also use Delete all to remove log records. If you want to deactivate Audit logging, navigate to Advanced setup > Tools > Log files > Audit log.


Contains records of specific rules that are marked for recording. The protocol shows the application that called the operation, the result (whether the rule was permitted or prohibited) and the name of the rule created.

Network protection

Contains records of files that were blocked by Botnet protection and IDS (Network attack protection).

Filtered websites

List of websites that were blocked by Web access protection and Anti-phishing mail protection. These logs display the time, URL, user and application that opened a connection to the specific website.

Device control

Contains records of removable media or devices that were connected to the computer. Only devices with a Device control rule will be recorded to the log file. If the rule does not match a connected device, a log entry for a connected device will not be created. Here you can also see details such as device type, serial number, vendor name and media size (if available).

Mail server protection

All messages detected by ESET Mail Security as infiltration or as a spam are recorded here. These logs apply to following protection types: Antispam, Anti-Phishing, Sender spoofing protection, Rules and Anti-Malware.

When you double-click an item, a window will open with Additional information about the detected email message, such as IP address, HELO domain, Message ID, and Scan type showing the protection layer it was detected on.Also, you can see the result of Anti-Malware, Anti-Phishing and Antispam scan and the reason why it was detected or whether a Rule was activated.


Not all processed messages are being logged into a Mail server protection log. However, all of the messages that were actually modified (deleted attachment, custom string added to a message header, etc.) are written into the log.

Mailbox database scan

Contains the version of the detection engine, date, scanned location, number of scanned objects, number of threats found, number of rule hits and time of completion.

SMTP protection

All messages that have been evaluated using the greylisting method. SPF and Backscatter are also displayed here. Each record contains HELO Domain, IP sender's and recipient's address, Actions statuses (rejected, rejected [not verified] and verified incoming messages). There are a new action to add subdomain in the greylisting whitelist, see table below

Hyper-V scan

Contains a list of Hyper-V scan results. Double-click any entry to view the details of the respective scan.


Context menu (right-click) enables you to choose an action with selected log record:




See also


Shows more detailed information about the selected log in a new window (same as double-click).



Filter same records

This activates log filtering, showing only records of the same type as the one selected.

Ctrl + Shift + F



After clicking this option, the Log filtering window will allow you to define filtering criteria for specific log entries.


Log filtering

Enable filter

Activates filter settings. The first time you activate filtering, you must define settings.



Disable filter

Turns filtering off (same as clicking the switch at the bottom).




Copies information of selected/highlighted record(s) into the clipboard.

Ctrl + C


Copy all

Copies information from all records in the window.




Deletes selected/highlighted record(s) - this action requires administrator privileges.



Delete all

Deletes all record(s) in the window - this action requires administrator privileges.




Exports information of selected/highlighted record(s) into an XML file.



Export all...

Exports all the information in the window into an XML file.




Opens Find in log window and lets you define search criteria. You can use the find feature to locate a specific record even while filtering is on.

Ctrl + F

Find in log

Find next

Finds the next occurrence of your defined search criteria.



Find previous

Finds the previous occurrence.

Shift + F3


Create exclusion

To exclude objects from cleaning using the detection name, path or its hash.


Create exclusion


Add IP address to greylisting whitelist

Adds sender's IP address to the IP whitelist. You can find the IP whitelist under Greylisting and SPF section of Filtering and verification. This applies to items logged by Greylisting or SPF.



Add domain to greylisting and SPF whitelist

Adds sender's domain to the Domain to IP whitelist. Only domain is added, subdomain is ignored. For example, if sender's address is, only is added to the whitelist. You can find the Domain to IP whitelist under Greylisting and SPF section of Filtering and verification. This applies to items logged by Greylisting.



Add subdomain to greylisting  and SPF whitelist

Adds sender's subdomain to the Domain to IP whitelist. Whole domain is added, including its subdomain (for example This gives you more flexibility for filtering, if required. You can find the Domain to IP whitelist under Greylisting and SPF section of Filtering and verification. This applies to items logged by Greylisting.