Contents of syslog messages about traffic processing events

Each syslog message contains the following fields defined by the parameters of the Syslog protocol in the operating system:

date and time of the event;
name of the host where the event happened;
name of the application (the value is always KWTS).

Fields of the syslog message about a traffic processing event, which are defined by application options, have the format <key>="<value>". If a key has multiple values, these values are separated with a comma. A colon is used as the separator between keys.

Example:

Dec 18 12:39:36 squid-server KWTS: type="Response": method="GET": action="Deny": workspace="": http_user_name="example@test.local": http_user_agent="curl/7.29.0": http_user_ip="192.0.2.0": url="http://example.com/EICAR/eicar.com": "eicar.com", rules="access_rules ['LowPriority\Default Access Group\Default Access Rule'], protection_rules ['LowPriority\Default Protection Group\Default Protection Rule']", av-status="Detected", threats="EICAR-Test-File\Deny", ap-status="NotDetected", encrypted="NotDetected", macros="NotDetected"

The keys, as well as their values contained in a message, are presented in the table below.

Information about traffic processing events in a syslog message

Key	Description and possible values
`type`	Type of HTTP message. Its value may be `Request` or `Response`.
`method`	HTTP request method.
`action`	Action taken on a detected object. It can take one of the following values: `Allow` – Allow. `Deny` – Deny. `Redirect` – Redirect.
`workspace`	Name of the workspace associated with the traffic processing event. If there is no workspace, the key is sent with an empty value.
`http_user_name`	User account name.
`http_user_agent`	Client application that initiated the HTTP request.
`http_user_ip`	IP address of the computer from which the HTTP request was sent.
`url`	URL of the web resource that the user requested.
`(partN) "<object name>"`	Name of the scanned object. For a multipart MIME type object, the names of all constituent parts are specified. Each name is sent with a `part` key and a sequence number. The `part` key is followed by the scan results for each constituent part of the object (the `rules`, `av_status`, `ap_status`, `encrypted` and `macros` keys). For example, `part1 "news.pdf" <scan results>: part2 "eicar.com" <scan results>`. If the HTTP message does not contain any objects, `"nofile"` is indicated.
`rules`	Names of triggered access rules and protection rules in the following format: `"access_rules ['<Rule priority>\<Rule group name>\<Rule name>'], protection_rules ['<Rule priority>\<Rule group name>\<Rule name>']"`.
`av_status`	Results of a web resource scan by the Anti-Virus module. The following values are possible: `Detected` – viruses or other threats were found in the object. The names of detected threats and the action taken on an object by the application are separated by commas. For example, `av-status="Detected", threats="EICAR-Test-File\Deny"`. `NotDetected` – the object was scanned, no threats were detected. `NotScanned` – the object was not subjected to a virus scan in accordance with the settings defined in traffic processing rules. `NotAvailable` – a virus scan was not performed because only the URL of the web resource is available. `ScanError` – the scan ended with an error.
`ap_status`	Results of a web resource scan by the Anti-Phishing module. The following values are possible: `Detected` – a phishing link was detected. `NotDetected` – the object was scanned, no threats were detected. `ScanError` – the scan ended with an error.
`encrypted`	Information about encryption of the scanned object. The following values are possible: `Detected` – the object was encrypted. `NotDetected` – the object was not encrypted. `ScanError` – the scan ended with an error.
`macros`	Information about the presence of macros in the scanned object. The following values are possible: `Detected` – the object contains macros. `NotDetected` – the object does not contain macros. `ScanError` – the scan ended with an error.

Page top