Kaspersky Secure Mail Gateway
2.1 VA
English
Publishing application events to a SIEM system  >  Content and properties of syslog messages in CEF format  >  ScanLogic group event classes

ScanLogic group event classes

In the body of CEF messages for classes of ScanLogic group events, you can use keys in accordance with their semantics (see the table below).

Permissible values of the fields for classes of ScanLogic group events

Event class

Key

Value

All ScanLogic group classes

cs1

Message ID.

cs1Label

Its value is always MessageId.

src

IP address of the server from which the message was received, in IPv4 format.

c6a2

IP address of the server from which the message was received, in IPv6 format.

act

Final action that was performed on the message.

suser

Mail sender. The address is taken from the SMTP session.

duser

List of message recipients. The addresses are taken from the SMTP session.

cs2

List of rules.

cs2Label

Its value is always Rules.

outcome

Scan status.

KSMGMessageSubject

Message subject.

KSMGRuleNames

Rule names.

KSMGAvDetectionMethods

Detection method.

fileHash

Hash of the MIME part of the message.

KSMGMessageHashType

Hash algorithm.

KSMGBackupResult

Indicates whether the message was sent to Backup.

KSMGApStatus

Result of scan by the Anti-Phishing module.

KSMGMlfStatus

Result of link scan.

KSMGAvStatus

Result of scan by the Anti-Virus module.

KSMGAsStatus

Result of scan by the Anti-Spam module.

KSMGCfStatus

Result of scan by the Content Filtering module.

KSMGMaStatus

Result of Mail Sender Authentication.

KSMGKtStatus

Result of scan by the KATA Protection module.

LMS_EV_SCAN_LOGIC_ALL_NOT_PROCESSED

reason

Reason for the event. Possible values:

  • InternalError
  • Cancelled

LMS_EV_SCAN_LOGIC_AV_STATUS

act

Final action that was performed on the message. Possible values:

  • Skipped
  • Disinfected
  • AttachmentsDeleted
  • Rejected
  • Deleted

cs4

Detection method. Possible values:

  • None
  • Local bases
  • KSN
  • KPSN user data

fsize

Message size.

reason

Reason for the event. Possible values:

  • already processed by another module
  • size-limit
  • nesting-level
  • filename
  • disabled by settings
  • license restriction
  • denylist
  • allowlist
  • personal denylist
  • personal allowlist
  • policy

outcome

Scan status. Possible values:

  • NotScanned
  • BasesError
  • NotDetected
  • Encrypted
  • Error
  • Disinfected
  • Infected

LMS_EV_SCAN_LOGIC_AS_STATUS

act

Final action that was performed on the message. Possible values:

  • Skipped
  • Rejected
  • Deleted

cs3

List of recipients of notifications about triggered rules for which a notification is configured with the original message in an attachment. The addresses are taken from the SMTP session.

cs3Label

Its value is always UnsafeRecipients.

cs4

Detection method. Possible values are subject to change and do not depend on the product version.

cs4Label

Its value is always Method.

fsize

Message size.

outcome

Scan status. Possible values:

  • NotScanned
  • BasesError
  • NotDetected
  • Trusted
  • Formal
  • Error
  • ProbableSpam
  • Denylisted
  • Spam
  • MASSMAIL

reason

Reason for the event. Possible values:

  • already processed by another module
  • size-limit
  • nesting-level
  • filename
  • disabled by settings
  • license restriction
  • denylist
  • allowlist
  • personal denylist
  • personal allowlist
  • policy

LMS_EV_SCAN_LOGIC_AP_STATUS

act

Final action that was performed on the message. Possible values:

  • Skipped
  • Rejected
  • Deleted

cs3

List of recipients of notifications about triggered rules for which a notification is configured with the original message in an attachment. The addresses are taken from the SMTP session.

cs3Label

Its value is always UnsafeRecipients.

cs4

Detection method. Possible values:

  • None
  • Local bases
  • KSN
  • KPSN user data
  • Heuristics

cs4Label

Its value is always Method.

fsize

Message size.

outcome

Scan status. Possible values:

  • NotScanned
  • BasesError
  • NotDetected
  • Error
  • Phishing

reason

Reason for the event. Possible values:

  • already processed by another module
  • size-limit
  • nesting-level
  • filename
  • disabled by settings
  • license restriction
  • denylist
  • allowlist
  • personal denylist
  • personal allowlist
  • policy

LMS_EV_SCAN_LOGIC_MLF_STATUS

act

Final action that was performed on the message. Possible values:

  • Skipped
  • Rejected
  • Deleted

cs3

List of recipients of notifications about triggered rules for which a notification is configured with the original message in an attachment. The addresses are taken from the SMTP session.

cs3Label

Its value is always UnsafeRecipients.

cs4

Detection method. Possible values:

  • None
  • Local bases
  • KSN
  • KPSN user data

cs4Label

Its value is always Method.

fsize

Message size.

outcome

Scan status. Possible values:

  • NotScanned
  • BasesError
  • NotDetected
  • Error
  • Detected

reason

Reason for the event. Possible values:

  • already processed by another module
  • size-limit
  • nesting-level
  • filename
  • disabled by settings
  • license restriction
  • denylist
  • allowlist
  • personal denylist
  • personal allowlist
  • policy

LMS_EV_SCAN_LOGIC_MA_STATUS

act

Final action that was performed on the message. Possible values:

  • Skipped
  • Rejected
  • Deleted

cs3

List of recipients of notifications about triggered rules for which a notification is configured with the original message in an attachment. The addresses are taken from the SMTP session.

cs3Label

Its value is always UnsafeRecipients.

cs4

SPF status. Possible values:

  • NotScanned
  • InternalError
  • None
  • Pass
  • Fail
  • SoftFail
  • Policy
  • Neutral
  • TempError
  • PermError
  • Policy, domain mismatch
  • Ignored, private IP

cs4Label

Its value is always SpfVerdict.

cs5

DKIM status.

cs5Label

Its value is always DkimVerdict.

cs6

DMARC status.

cs6Label

Its value is always DmarcVerdict.

fsize

Message size.

outcome

Scan status. Possible values:

  • NotScanned
  • BasesError
  • ViolationNotFound
  • ViolationFound

reason

Reason for the event. Possible values:

  • already processed by another module
  • size-limit
  • nesting-level
  • filename
  • disabled by settings
  • license restriction
  • denylist
  • allowlist
  • personal denylist
  • personal allowlist
  • policy

LMS_EV_SCAN_LOGIC_KT_STATUS

act

Final action that was performed on the message. Possible values:

  • Skipped
  • Rejected
  • Deleted

cs3

List of recipients of notifications about triggered rules for which a notification is configured with the original message in an attachment. The addresses are taken from the SMTP session.

cs3Label

Its value is always UnsafeRecipients.

cs4

Reason for skipping the scan. Possible values:

  • NoReason
  • Filtered
  • Timeout
  • Proceed
  • QueueLimitExceeded
  • Disabled
  • MessageSizeLimitExceeded

cs4Label

Its value is always SkipReason.

cs5

Name of the user account that extracted the message from KATA Quarantine.

cs5Label

Its value is always Account.

fsize

Message size.

outcome

Scan status. Possible values:

  • NotScanned
  • NotDetected
  • Error
  • Detected

reason

Reason for the event. Possible values:

  • already processed by another module
  • size-limit
  • nesting-level
  • filename
  • disabled by settings
  • license restriction
  • denylist
  • allowlist
  • personal denylist
  • personal allowlist
  • policy
  • NotScanned

LMS_EV_SCAN_LOGIC_CF_STATUS

act

Final action that was performed on the message. Possible values:

  • Skipped
  • Disinfected
  • AttachmentsDeleted
  • Rejected
  • Deleted

cs3

List of recipients of notifications about triggered rules for which a notification is configured with the original message in an attachment. The addresses are taken from the SMTP session.

cs3Label

Its value is always UnsafeRecipients.

cs4

List of applied expression names.

cs4Label

The value is always DetectedEntity.

fsize

Message size.

outcome

Scan status. Possible values:

  • NotScanned
  • BasesError
  • NotDetected
  • Error
  • MatchedContent

reason

Reason for the event. Possible values:

  • already processed by another module
  • size-limit
  • nesting-level
  • filename
  • disabled by settings
  • license restriction
  • denylist
  • allowlist
  • personal denylist
  • personal allowlist
  • policy

LMS_EV_SCAN_LOGIC_PART_RESULT

cn1

Number of objects disinfected or deleted based on Anti-Virus scan results. For archives only.

cn1Label

Its value is always ObjectsNumber.

cs3

Unscanned files.

cs3Label

Its value is always AvExclude.

cs4

List of names of detected threats.

cs4Label

Its value is always Threats.

cs5

List of triggered Content Filtering expressions.

cs5Label

The value is always AppliedExpressions.

fname

File name.

fsize

Size of the MIME part of the message.

outcome

Scan status. Possible values:

  • BasesError
  • NotDetected
  • Encrypted
  • Error
  • Disinfected
  • Infected

reason

Reason why a scan by the Anti-Virus module was not performed. Possible values:

  • NoReason
  • SizeLimit
  • NestingLevel
  • Filename
  • FileFormat

LMS_EV_SCAN_LOGIC_URL

cs3

URL.

cs3Label

The value is always URL.

LMS_EV_SCAN_LOGIC_MESSAGE_BACKUP

act

Final action that was performed on the message. Possible values:

  • Skipped
  • Disinfected
  • AttachmentsDeleted
  • Rejected
  • Deleted

fsize

Message size.

reason

Reason for the event. Possible values:

  • NoReason
  • AntiSpam
  • AntiVirus
  • ContentFiltering
  • AntiPhishing
  • FailedToBackup
  • PersonalDenyList
  • MessageAuthentication
  • Kata
  • MlfScanning

LMS_EV_SCAN_LOGIC_MESSAGE_RESULT

fsize

Message size.

Each class of ScanLogic group events can contain only keys that are relevant to it (see the table below).

Relevant keys for classes of ScanLogic group events

Event class

Relevant keys

LMS_EV_SCAN_LOGIC_ALL_NOT_PROCESSED

cs1, cs1Label, src, c6a2, act, fsize, suser, duser, KSMGMessageSubject, reason

LMS_EV_SCAN_LOGIC_AS_STATUS

cs1, cs1Label, src, c6a2, act, fsize, suser, duser, KSMGMessageSubject, cs2, cs2Label, cs4, cs4Label, reason, outcome, KSMGRuleNames

LMS_EV_SCAN_LOGIC_AV_STATUS

cs1, cs1Label, src, c6a2, act, fsize, suser, duser, KSMGMessageSubject, cs2, cs2Label, cs3, cs3Label, cs4, reason, outcome, KSMGRuleNames

LMS_EV_SCAN_LOGIC_MLF_STATUS

cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, outcome, KSMGRuleNames

LMS_EV_SCAN_LOGIC_AP_STATUS

cs1, cs1Label, src, c6a2, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, outcome, KSMGRuleNames, KSMGMessageSubject

LMS_EV_SCAN_LOGIC_KT_STATUS

cs1, cs1Label, src, c6a2, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, cs4, cs4Label, cs5, cs5Label, reason, suser, outcome, KSMGMessageSubject, KSMGRuleNames

LMS_EV_SCAN_LOGIC_MA_STATUS

cs1, cs1Label, src, c6a2, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, cs5, cs5Label, cs6, cs6Label, outcome, KSMGMessageSubject, KSMGRuleNames

LMS_EV_SCAN_LOGIC_CF_STATUS

cs1, cs1Label, src, c6a2, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, outcome, KSMGMessageSubject, KSMGRuleNames

LMS_EV_SCAN_LOGIC_PART_RESULT

cs1, cs1Label, src, c6a2, act, suser, duser, reason, outcome, KSMGMessageSubject, KSMGRuleNames, cn1, cn1Label, cs2, cs2Label, cs3, cs3Label, cs4, cs4Label, cs5, cs5Label, fname, fileHash, KSMGMessageHashType, fsize, KSMGAvDetectionMethods

LMS_EV_SCAN_LOGIC_URL

cs1, cs1Label, src, c6a2, suser, duser, KSMGMessageSubject, KSMGRuleNames, cs2, cs2Label, cs3, cs3Label, KSMGApStatus, KSMGMlfStatus

LMS_EV_SCAN_LOGIC_MESSAGE_BACKUP

cs1, cs1Label, src, c6a2, act, fsize, suser, duser, reason, cs2, cs2Label, KSMGMessageSubject, KSMGRuleNames

LMS_EV_SCAN_LOGIC_MESSAGE_RESULT

cs1, cs1Label, src, c6a2, act, suser, duser, KSMGMessageSubject, KSMGRuleNames, KSMGBackupResult, fsize, cs2, cs2Label, KSMGAvStatus, KSMGAsStatus, KSMGApStatus, KSMGMlfStatus, KSMGCfStatus, KSMGMaStatus, KSMGKtStatus

Article ID: 151789, Last review: Mar 13, 2025
Page top