Format of CEF logs in ICAP mode

If Kaspersky Scan Engine is configured to write syslog messages in CEF format, log records about events appear as follows:

CEF:0|Kaspersky Lab|Kaspersky ICAP Server|%VERSION%|%EVENT_CLASS_ID%|%EVENT_NAME%|%SEVERITY%| msg=%EVENT_MSG% src=%CLIENT_IP% dvcpid=%ICAP_SERVER_PID% start=%EVENT_TIME% fileHash=%SCANNED_FILE_HASH% request=%SCANNED_URL% cs1=%SCAN_RESULT% cs1Label=Scan result cs4=%VIRUS_NAME% cs4Label=Virus name cs5=%SCANNED_FILE_SHA256_HASH% cs5Label=SHA256 cs6=%ICAP_MODE% cs6Label=ICAP mode cn1=%REQUEST_LENGTH% cn1Label=Request size
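
The following parser for records in this layout is an added example, not part of the Kaspersky documentation. The function names are hypothetical, every value in the sample record is constructed, and the code assumes standard CEF escaping (a backslash before `|` in the header and before `=` in extension values).

```python
import re

HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "event_class_id", "event_name", "severity")
_KEY = re.compile(r"(?:^|\s)(\w+)=")   # extension key before an unescaped "="

def _split_header(text):
    """Split off the 7 pipe-delimited header fields, honouring backslash escapes."""
    parts, cur, i = [], [], 0
    while i < len(text) and len(parts) < 7:
        if text[i] == "\\" and i + 1 < len(text):
            cur.append(text[i + 1]); i += 2
        elif text[i] == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(text[i]); i += 1
    return parts, text[i:]

def parse_cef(line):
    """Return (header, extension) dicts for one CEF record."""
    start = line.find("CEF:")              # tolerate a syslog prefix
    if start < 0:
        raise ValueError("not a CEF record")
    parts, ext_text = _split_header(line[start + 4:])
    if len(parts) < 7:
        raise ValueError("truncated CEF header")
    header = dict(zip(HEADER_FIELDS, parts))
    # A value runs up to the next " key=", so it may contain spaces
    # ("cs1Label=Scan result") or be empty ("cs4=" with no virus name).
    keys = list(_KEY.finditer(ext_text))
    ext = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext_text[m.end():nxt.start() if nxt else len(ext_text)]
        ext[m.group(1)] = re.sub(r"\\([=\\])", r"\1", raw.strip())
    return header, ext

def labelled(ext):
    """Map custom fields to their labels, e.g. cs1 -> 'Scan result'."""
    return {ext[k]: ext[k[:-5]] for k in ext
            if k.endswith("Label") and k[:-5] in ext}

# Constructed sample record: every value is illustrative, not real product output.
SAMPLE = ("CEF:0|Kaspersky Lab|Kaspersky ICAP Server|0.0.0|1|Sample event|5| "
          "msg=Sample message src=192.0.2.10 dvcpid=1234 start=SAMPLE_TIME "
          "fileHash=PLACEHOLDER_HASH request=http://example.com/get?file\\=eicar.com "
          "cs1=DETECTED cs1Label=Scan result cs4=EICAR-Test-File cs4Label=Virus name "
          "cs5=PLACEHOLDER_SHA256 cs5Label=SHA256 cs6=REQMOD cs6Label=ICAP mode "
          "cn1=68 cn1Label=Request size")
```

Splitting the extension on spaces alone would break `cs1Label=Scan result` and the other label fields, which is why the parser delimits values by the next `key=` instead.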

A record has the following fields:

