Contents of syslog messages about traffic processing events

Each syslog message contains the following fields defined by the parameters of the Syslog protocol in the operating system:

Fields of the syslog message about a traffic processing event, which are defined by application options, have the format <key>="<value>". If a key has multiple values, these values are separated with a comma. A colon is used as the separator between keys.

Example:

Oct 9 10:13:06 localhost KWTS: type="Response": method="GET": action="Block": blocked_by_rule="protection_rules [Workspace1/-/Rule2]": processing_time="952": scan_result="Malware": workspace="Workspace1": http_user_name="example@test.local": http_user_agent="curl/7.29.0": http_user_ip="192.0.2.0": url="http://example.com/eicar.com": kata-alert="NotDetected": "eicar.com", filesize="69", kata_upload="SkippedByAction", guid="", rules="access_rules [Workspace1/Group1/Rule1], protection_rules [Workspace1/-/Rule2]", av-status="Detected", threats="EICAR-Test-File/Block", ap-status="NotDetected", mlf-status="NotDetected", encrypted="NotDetected", macros="NotDetected", kata-alert="NotDetected"

The keys, as well as their values contained in a message, are presented in the table below.

Information about traffic processing events in a syslog message

Key

Description and possible values

type

Type of HTTP message. Its value may be Request or Response.

method

HTTP request method.

action

Action taken on a detected object. It can take one of the following values:

  • Allow – Allow.
  • Block – Block.
  • Redirect – Redirect.

blocked_by_rule

Name of the traffic processing rule that caused the web resource to be blocked.

It is displayed in the following format:

  • For bypass rules: "[<Rule name>]"
  • For protection rules and access rules: "[<Workspace name>/<Name of rule group>/<Rule name>]"

redirected_by_rule

Name of the traffic processing rule that caused the user to be redirected to the specified URL.

It is displayed in the following format:

  • For bypass rules: "[<Rule name>]"
  • For access rules: "[<Workspace name>/<Name of rule group>/<Rule name>]"

processing_time

Duration of HTTP message processing, in milliseconds.

The time is counted from the start of processing of the HTTP message header until a record of the completed scan is saved in the application event log and in the Syslog event log.

scan_result

Result of scanning the HTTP message.

If multiple threats are detected, the name of the highest-priority threat is displayed.

If threats were eliminated or were not detected, the highest-priority scan result is displayed (Disinfected, Not detected, Not scanned).

workspace

Name of the workspace associated with the traffic processing event. If there is no workspace, a dash is displayed.

http_user_name

Name of the user account that initiated the HTTP request.

http_user_agent

Client application that initiated the HTTP request.

http_user_ip

IP address of the computer from which the HTTP request was sent.

url

URL of the web resource that the user requested.

kata-alert

Result of scanning a URL to check if it matches objects detected by KATA.

The following values are possible:

  • NotDetected – the URL was scanned, and no threats were detected.
  • Detected – a match with an object in the KATA cache was detected. The object ID, match criterion, and technology are indicated. For example, kata-alert="Detected/128563/Url/Sb".
  • NotScanned/AccessRuleSettings – a scan was not performed because the protection rule is not applied in accordance with the action defined in the access rule.
  • NotScanned/BypassRuleSettings – a scan was not performed because the file was skipped without scanning based on a bypass rule.
  • NotScanned/ProtectionRuleSettings – a scan was not performed because the Skip scanning action is defined for Objects detected by KATA objects in the protection rule.
  • NotScanned/ApplicationSettings – a scan was not performed because the mode for receiving objects detected by KATA or KATA integration is disabled in accordance with the application settings.
  • ScanError/InternalError – the scan ended with an error.

For a multipart MIME type object, information about all constituent parts is provided. For each constituent part, the part key is used with the sequence number, after which all attributes of this constituent part is transmitted (the following keys: filename, filesize, part_mimetype, kata_upload, guid, rules, av_status, ap_status, mlf-status, encrypted, macros and kata-alert).

For example, part1 "news.html", <attributes of constituent part 1>: part2 <attributes of constituent part 2>.

filename

Name of the scanned object.

If the HTTP message does not contain any objects, "nofile" is indicated. In this case, all subsequent fields pertain to the scanned URL.

filesize

Size of the scanned object.

If the HTTP message does not contain objects or the file size is not required for applying rules, "NotApplicable" is indicated.

part_mimetype

MIME type of the multipart object constituent part. The Content-Type header value is used.

If the HTTP message does not contain objects or the MIME type definition is not required for applying rules, "NotApplicable" is indicated.

kata_upload

Result of checking whether an object must be sent to the KATA server.

The following values are possible:

  • NotApplicable – the HTTP message does not contain files.
  • Scheduled – file transmission is scheduled.
  • DisabledBySettings – the mode for sending files to the KATA server or KATA integration is disabled in the application settings.
  • SkippedByAction – the HTTP message was skipped according to the bypass rule without being scanned, or the Block or Redirect action was applied to it.
  • RejectedByFilter – the file does not satisfy the conditions for being sent to the KATA server.
  • Failed/QueueOverflowed – the file must be sent to the KATA server, but transmission could not be scheduled due to a queue overflow.
  • Failed/InternalError – the file must be sent to the KATA server, but transmission could not be scheduled due to an internal error of the application.

guid

ID assigned to an object by the application.

The ID is transmitted only if one of the following statuses was assigned when checking whether the object must be sent to the KATA server:

  • Scheduled.
  • Failed/QueueOverflowed.
  • Failed/InternalError.

For other statuses, the guid field is transmitted with a blank value.

rules

Names of triggered traffic processing rules in the following format:

"bypass_rule [<Rule name>], access_rules [<Workspace name>/<Name of rule group>/<Rule name>], protection_rules [<Workspace name>/<Name of rule group>/<Rule name>]".

If a rule is not associated with a workspace, a dash is displayed instead of the workspace name.

If a rule is not part of a group of rules, a dash is displayed instead of the group name.

If no traffic processing rule has been applied, the default protection policy is applied. The "default_policy [Default Policy]" value is displayed.

av_status

Results of a web resource scan by the Anti-Virus module.

The following values are possible:

  • Detected – viruses or other threats were found in the object. The names of detected threats and the action taken on an object by the application are separated by commas. For example, av-status="Detected", threats="EICAR-Test-File/Block".
  • ScanError/Timeout – the scan ended with an error because the maximum scan duration was exceeded.
  • ScanError/InternalError – the scan ended with an internal error.
  • ScanError/BasesNotLoaded – the scan ended with an error because the Anti-Virus module databases were not loaded.
  • IncompleteScan/MaxNestingLevelReached – a scan was not performed because the nesting level of the scanned archive exceeds the maximum allowed nesting level.
  • IncompleteScan/EncryptedArchive – a scan was not performed because the object is encrypted.
  • Disinfected – threats were detected, and all threats were disinfected.
  • NotDetected – the object was scanned, no threats were detected.
  • NotScanned/AccessRuleSettings – protection rules were not applied to the object in accordance with the action defined in the access rule.
  • NotScanned/BypassRuleSettings – the object was not scanned because a bypass rule was applied to it.
  • NotScanned/ProtectionRuleSettings – the object was not scanned in accordance with the action defined in the protection rule.
  • NotScanned/ApplicationSettings – the object was not scanned in accordance with the defined application settings.

ap_status

Results of a web resource scan by the Anti-Phishing module.

The following values are possible:

  • Detected (local bases) – the link was recognized as a phishing link based on records in the local databases of the application.
  • Detected (KSN) – the link was recognized as a phishing link based on a KSN reputation check.
  • Detected (heuristics) – the link was recognized as a phishing link based on heuristic analysis data.
  • ScanError/Timeout – the scan ended with an error because the maximum scan duration was exceeded.
  • ScanError/InternalError – the scan ended with an internal error.
  • ScanError/BasesNotLoaded – the scan ended with an error because the Anti-Phishing module databases were not loaded.
  • NotDetected – the object was scanned, no threats were detected.
  • NotScanned/AccessRuleSettings – protection rules were not applied to the object in accordance with the action defined in the access rule.
  • NotScanned/BypassRuleSettings – the object was not scanned because a bypass rule was applied to it.
  • NotScanned/ProtectionRuleSettings – the object was not scanned in accordance with the action defined in the protection rule.
  • NotScanned/ApplicationSettings – the object was not scanned in accordance with the defined application settings.

mlf-status

Results of scanning links for malicious objects.

The following values are possible:

  • Detected (local bases) – the link was deemed malicious based on records in the local anti-virus databases.
  • Detected (KSN) – the link was deemed malicious based on a KSN reputation check.
  • ScanError/Timeout – the scan ended with an error because the maximum scan duration was exceeded.
  • ScanError/InternalError – the scan ended with an internal error.
  • ScanError/BasesNotLoaded – the scan ended with an error because the Anti-Phishing module databases were not loaded.
  • NotDetected – the link was scanned, and no threats were detected.
  • NotScanned/AccessRuleSettings – protection rules were not applied to the object in accordance with the action defined in the access rule.
  • NotScanned/BypassRuleSettings – the object was not scanned because a bypass rule was applied to it.
  • NotScanned/ProtectionRuleSettings – the object was not scanned in accordance with the action defined in the protection rule.
  • NotScanned/ApplicationSettings – the object was not scanned in accordance with the defined application settings.

encrypted

Information about encryption of the scanned object.

The following values are possible:

  • Detected – threats were detected.
  • ScanError/Timeout – the scan ended with an error because the maximum scan duration was exceeded.
  • ScanError/InternalError – the scan ended with an internal error.
  • ScanError/BasesNotLoaded – the scan ended with an error because the Anti-Virus module databases were not loaded.
  • NotDetected – the link was scanned, and no threats were detected. NotScanned/ApplicationSettings – the object was not scanned in accordance with the defined application settings.
  • NotScanned/AccessRuleSettings – protection rules were not applied to the object in accordance with the action defined in the access rule.
  • NotScanned/BypassRuleSettings – the object was not scanned because a bypass rule was applied to it.
  • NotScanned/ProtectionRuleSettings – the object was not scanned in accordance with the action defined in the protection rule.
  • NotScanned/ApplicationSettings – the object was not scanned in accordance with the defined application settings.

macros

Information about the presence of macros in the scanned object.

The following values are possible:

  • Detected – macros were detected.
  • ScanError/Timeout – the scan ended with an error because the maximum scan duration was exceeded.
  • ScanError/InternalError – the scan ended with an internal error.
  • ScanError/BasesNotLoaded – the scan ended with an error because the Anti-Virus module databases were not loaded.
  • NotDetected – the object was scanned, and no macros were detected.
  • NotScanned/AccessRuleSettings – protection rules were not applied to the object in accordance with the action defined in the access rule.
  • NotScanned/BypassRuleSettings – the object was not scanned because a bypass rule was applied to it.
  • NotScanned/ProtectionRuleSettings – the object was not scanned in accordance with the action defined in the protection rule.
  • NotScanned/ApplicationSettings – the object was not scanned in accordance with the defined application settings.

kata-alert

Result of scanning a file contained in an HTTP message or a constituent part (for multipart objects) to check if they match objects detected by KATA.

The following values are possible:

  • NotDetected – the URL was scanned, and no threats were detected.
  • Detected – a match with an object in the KATA cache was detected. The object ID, match criterion, and technology are indicated. For example, kata-alert="Detected/124567/Md5/Yara".
  • NotScanned/AccessRuleSettings – a scan was not performed because the protection rule is not applied in accordance with the action defined in the access rule.
  • NotScanned/BypassRuleSettings – a scan was not performed because the file was skipped without scanning based on a bypass rule.
  • NotScanned/ProtectionRuleSettings – a scan was not performed because the Skip scanning action is defined for Objects detected by KATA objects in the protection rule.
  • NotScanned/ApplicationSettings – a scan was not performed because the mode for receiving objects detected by KATA or KATA integration is disabled in accordance with the application settings.
  • ScanError/InternalError – the scan ended with an error.

Page top