Format of CEF logs in ICAP mode

If Kaspersky Scan Engine is configured to write syslog messages in CEF format, the log records about events appears as follows:

CEF:0|Kaspersky Lab|Kaspersky ICAP Server|%VERSION%|%EVENT_CLASS_ID%|%EVENT_NAME%|%SEVERITY%| msg=%EVENT_MSG% src=%CLIENT_IP% dvcpid=%ICAP_SERVER_PID% cs2=%HTTP_USER_NAME% cs2Label=X-Client-Username cs3=%HTTP_USER_IP% cs3Label=X-Client-IP start=%EVENT_TIME% fileHash=%SCANNED_FILE_HASH% request=%SCANNED_URL% cs1=%SCAN_RESULT% cs1Label=Scan result cs4=%VIRUS_NAME% cs4Label=Virus name cs5=%SCANNED_FILE_SHA256_HASH% cs5Label=SHA256

A record has the following fields:

• %VERSION%

  Version of KAV SDK that Kaspersky Scan Engine is based on.

• %EVENT_CLASS_ID%

  Class of the event. Possible values:

  • 1

    Service event (not related to scanning).

  • 2

    Error.

  • 3

    Event related to scanning (for example, a scan result).

• %EVENT_NAME%

  Name of the event. Possible values:

  • Initializing—Kaspersky Scan Engine initialized.
  • Deinitializing—Kaspersky Scan Engine deinitialized.
  • Service event—Service event occurred.
  • Core error—Error occurred.
  • Start scanning memory—Kaspersky Scan Engine started to scan a part of the RAM.
  • Start checking URL—Kaspersky Scan Engine started to scan a URL.
  • Scan result—Kaspersky Scan Engine finished scanning an object.
• %SEVERITY%

  Importance level of the event. The higher the level, the more important the event. Possible values:

  • 5

    This value is specified for service events, when the scanning starts, or if the the scan result is CLEAN.

  • 7

    This value is specified for initialization, deinitialization, and errors.

  • 8

    This value is specified if the the scan result is something other than CLEAN.

• %EVENT_MSG%

  Description of the event, for example, the text of an error message.

• %CLIENT_IP%

  IP address of the ICAP client that sent the scan request to Kaspersky Scan Engine. This field appears only if the value of %EVENT_CLASS_ID% is 3.

• %ICAP_SERVER_PID%

  PID of Kaspersky Scan Engine.

• %HTTP_USER_NAME%

  Name of the HTTP client that were specified in the HTTPUserNameICAPHeader parameter of the ICAP mode configuration file. The %HTTP_USER_NAME% field appears only if the value of %EVENT_CLASS_ID% is 3.

• %HTTP_USER_IP%

  IP address of the HTTP client that were specified in the HTTPClientIpICAPHeader parameter of the ICAP mode configuration file. The %HTTP_USER_IP% field appears only if the value of %EVENT_CLASS_ID% is 3.

• %EVENT_TIME%

  Time and date of the event. The time and date are taken from the computer that Kaspersky Scan Engine runs on.

• %SCANNED_FILE_HASH%

  Hash of the object that was passed for scanning to Kaspersky Scan Engine. This field appears only if the value of %EVENT_CLASS_ID% is 3.

• %SCANNED_URL%

  URL that was passed for scanning to Kaspersky Scan Engine. This field appears only if the value of %EVENT_CLASS_ID% is 3.

• %SCAN_RESULT%

  Scan result. This field appears only if the value of %EVENT_CLASS_ID% is 3.

• cs1Label=Scan result

  Field appears only if the value of %EVENT_CLASS_ID% is 3.

• %VIRUS_NAME%

  Name of the threat or legitimate software that can be used by intruders. This field appears only if the value of %EVENT_CLASS_ID% is 3.

• %SCANNED_FILE_SHA256_HASH%

  SHA256 hash of object that was passed for scanning to Kaspersky Scan Engine. This field appears only when Kaspersky Scan Engine returns the scan result.

Writing syslog messages in CEF format is available starting from Kaspersky Scan Engine version 1.0.1.51.

Page top