Contents and properties of syslog messages in the CEF format
December 13, 2023
ID 267200
Information about each detected event is sent immediately after the occurrence of the event as a separate syslog message in the CEF format in UTF-8 encoding.
A CEF message consists of the message body and header.
The CEF message header consists of the following parts:
- Syslog prefix: <event date and time> <name of the host on which the event occurred>
- A sequence of fields separated by "|" characters and separated from the syslog prefix by a space. All fields are required:
  - Format version. Currently, the version number is 0, so the field looks like "CEF:0".
  - Vendor. The value of this field is "AO Kaspersky Lab".
  - Application name. The value of this field is "Kaspersky Web Traffic Security".
  - Product version. The value of this field is the current version of the product (6.1.0.xxxx).
  - Event class.
  - Event name.
  - Severity level. Can be Low, Medium, or High.
Example (a single syslog message, shown here as one line):
Oct 30, 2021 10:34:23 host.domain.com CEF:0|AO Kaspersky Lab|Kaspersky Web Traffic Security|6.1.0.1234|LMS_EV_SETTINGS_CHANGED|task settings changed|Low|…
Fields of the syslog message body, which are defined by application options, have the format <key>="<value>". If a key has multiple values, the values are separated with a comma. A colon is used as the separator between key/value pairs. Note that this differs from the stock CEF extension format, where key=value pairs are unquoted and separated by spaces, so a generic CEF parser may need to be adapted to the quoted, colon-separated body used here.
The keys and their values contained in the message depend on the class of the event.
The maximum size of a syslog message about a detected event depends on the syslog settings of the server on which Kaspersky Web Traffic Security is installed. Syslog messages can be sent to only one external syslog server.
Character encoding rules in CEF messages:
- Spaces do not need to be escaped.
- In the header, the vertical bar character ("|") is used as a separator. If you need to use this character in one of the header fields, you must escape it with a backslash ("\|"). In the message body, you do not need to escape the "|" character.
- Single backslashes are not allowed in the message header or the message body. If you need a literal backslash in either part, duplicate the character ("\\").
- In the message body, the "=" character is used as a separator for the "key-value" pair. If you need to use this character in one of the message body fields, you must escape it with a backslash ("\="). In the header, the "=" character does not require escaping.
- Multi-line values are allowed only in the values of key/value pairs. To indicate a line break, use the "\n" or "\r" escape sequences.
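The following parser is an added example, not code from the Kaspersky documentation or product. It implements the message layout described above (syslog prefix, the seven "|"-separated header fields, the colon-separated key="value" body) together with the escaping rules in this section, and stops splitting on "|" after the seventh header field because "|" is not escaped in the body. The sample messages are constructed for illustration; the body keys in them (user, settings, note, k) are hypothetical and are not real Kaspersky Web Traffic Security keys.

```python
from dataclasses import dataclass, field

HEADER_FIELDS = ("version", "vendor", "product", "product_version",
                 "event_class", "event_name", "severity")
SEVERITIES = {"Low", "Medium", "High"}
# Escapes that may appear inside a body value (see the encoding rules above).
BODY_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}

# Constructed sample messages (not real product output); body keys are hypothetical.
SAMPLE_LINE = (
    "Oct 30, 2021 10:34:23 host.domain.com "
    "CEF:0|AO Kaspersky Lab|Kaspersky Web Traffic Security|6.1.0.1234|"
    "LMS_EV_SETTINGS_CHANGED|task settings changed|Low|"
    'user="admin":settings="proxy\\=on,log\\=off":note="line1\\nline2 a|b"'
)
# Header fields containing an escaped "|" and an escaped backslash.
SAMPLE_ESCAPED = (
    "Oct 30, 2021 10:34:23 host.domain.com "
    'CEF:0|Acme \\| Co|Prod|1.0|CLS|name with \\\\ backslash|High|k="v"'
)


@dataclass
class CefEvent:
    timestamp: str
    host: str
    header: dict = field(default_factory=dict)      # the seven header fields
    extensions: dict = field(default_factory=dict)  # raw body values by key


def _split_header(cef: str):
    """Split the 'CEF:0|...' part on unescaped '|'.

    Exactly seven header fields are consumed; the rest of the string is the
    body and is returned unsplit, since '|' needs no escaping there.
    """
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < len(HEADER_FIELDS):
        c = cef[i]
        if c == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            cur.append(cef[i + 1])  # '\|' -> '|', '\\' -> '\'
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("CEF header has fewer than 7 '|'-separated fields")
    return fields, cef[i:]


def _parse_body(body: str) -> dict:
    """Parse key="value" pairs separated by ':', decoding value escapes."""
    out, i, n = {}, 0, len(body)
    while i < n:
        eq = body.find('="', i)
        if eq < 0:
            raise ValueError(f"malformed pair at offset {i}: {body[i:i + 20]!r}")
        key = body[i:eq]
        i = eq + 2  # skip '="'
        val = []
        while i < n and body[i] != '"':
            if body[i] == "\\" and i + 1 < n and body[i + 1] in BODY_ESCAPES:
                val.append(BODY_ESCAPES[body[i + 1]])
                i += 2
            else:
                val.append(body[i])  # unknown escapes are kept verbatim
                i += 1
        if i >= n:
            raise ValueError(f"unterminated value for key {key!r}")
        out[key] = "".join(val)
        i += 1  # closing quote
        if i < n:
            if body[i] != ":":
                raise ValueError(f"expected ':' after value of {key!r}")
            i += 1
    return out


def parse_cef_syslog(line: str) -> CefEvent:
    """Parse one syslog line: '<date time> <host> CEF:0|...|<body>'."""
    line = line.rstrip("\r\n")
    marker = line.find(" CEF:")
    if marker < 0:
        raise ValueError("no 'CEF:' header found")
    timestamp, _, host = line[:marker].rpartition(" ")
    if not timestamp or not host:
        raise ValueError("syslog prefix must be '<date time> <host>'")
    fields, body = _split_header(line[marker + 1:])
    header = dict(zip(HEADER_FIELDS, fields))
    if header["version"] != "CEF:0":
        raise ValueError(f"unsupported CEF version {header['version']!r}")
    if header["severity"] not in SEVERITIES:
        raise ValueError(f"unexpected severity {header['severity']!r}")
    return CefEvent(timestamp, host, header, _parse_body(body))


def multi_values(event: CefEvent, key: str) -> list:
    """Split a comma-separated multi-value field. No comma escape is defined
    in this format, so a single value that contains a comma is ambiguous."""
    return event.extensions[key].split(",")


if __name__ == "__main__":
    ev = parse_cef_syslog(SAMPLE_LINE)
    print(ev.timestamp, ev.host, ev.header["event_class"], ev.header["severity"])
    print(ev.extensions, multi_values(ev, "settings"))
```

Because the body's escapes are decoded only inside quoted values, a literal "|" in the body survives intact, while an unescaped "|" in a header field would shift every following field; validating the CEF:0 prefix and the severity set is a cheap way to catch such a shifted message before it reaches a SIEM rule.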