If Kaspersky Scan Engine is configured to write syslog messages in RAW format, the log records about events appear as follows:
<%PRIORITY%>1 %TIMESTAMP% %ICAP_SERVICE_IP% KasperskyICAPServer %ICAP_SERVICE_PID% %MESSAGE_ID% [KL_ICAP@23668 icapMode="%ICAP_MODE%" requestLength="%REQUEST_LENGTH%" httpUserName="%HTTP_USER_NAME%" httpUserIP="%HTTP_USER_IP%" sha2="%SCANNED_FILE_SHA256_HASH%" md5="%SCANNED_FILE_MD5_HASH%"] BOM %MESSAGE%
A record has the following fields:
%PRIORITY%
Importance level of the event. Possible values:
163
This value is specified for errors.
165
This value is specified if the scan result is something other than CLEAN.
166
This value is specified for service events or if the scan result is CLEAN.
%TIMESTAMP%
Date and time of the event in the Coordinated Universal Time (UTC) time zone.
%ICAP_SERVICE_IP%
IP address of the computer that Kaspersky Scan Engine runs on.
%ICAP_SERVICE_PID%
PID of the Kaspersky Scan Engine.
%MESSAGE_ID%
Class of the event. Possible values:
SERVICE_MESSAGE
Service event.
ERROR_MESSAGE
Error message.
SCAN_RESULT_MESSAGE
Scan result.
%ICAP_MODE%
Specifies whether Kaspersky Scan Engine scanned an object in Request Modification Mode (REQMOD) or Response Modification Mode (RESPMOD). This field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE.
%REQUEST_LENGTH%
Length of the body of the HTTP message scanned by Kaspersky Scan Engine. This field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE and the scanned object is not a URL.
%HTTP_USER_NAME%
Name of the HTTP client that was specified in the HTTPUserNameICAPHeader parameter of the ICAP mode configuration file. The %HTTP_USER_NAME% field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE.
%HTTP_USER_IP%
IP address of the HTTP client that was specified in the HTTPClientIpICAPHeader parameter of the ICAP mode configuration file. The %HTTP_USER_IP% field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE.
%SCANNED_FILE_SHA256_HASH%
SHA256 hash of the object that was passed for scanning to Kaspersky Scan Engine. This field appears only when Kaspersky Scan Engine returns the scan result.
%SCANNED_FILE_MD5_HASH%
MD5 hash of the object that was passed for scanning to Kaspersky Scan Engine. This field appears only when Kaspersky Scan Engine returns the scan result.
%MESSAGE%
Description of the event, for example, the text of an error message.
Writing syslog messages in RAW format is available starting from Kaspersky Scan Engine version 1.0.1.51.
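The following parser for the RAW record layout described above is an added example, not code from Kaspersky. It extracts the fields and selects scan results logged with priority 165 (anything other than CLEAN). The function names, the sample records, the reading of BOM as the UTF-8 byte order mark, and the empty [KL_ICAP@23668] element for records without scan fields are assumptions of this example.

```python
import re

# Layout follows the RAW record template above. Assumptions of this example:
# "BOM" denotes the UTF-8 byte order mark (U+FEFF after decoding), and records
# without scan fields carry an empty [KL_ICAP@23668] element.
RECORD = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) KasperskyICAPServer '
    r'(?P<pid>\S+) (?P<msgid>\S+) '
    r'\[KL_ICAP@23668(?P<sd>(?: \w+="(?:[^"\\]|\\.)*")*)\] '
    r'\ufeff? ?(?P<msg>.*)$', re.S)
PARAM = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
LEVEL = {163: "error", 165: "not_clean", 166: "clean_or_service"}

def parse_record(line):
    """Return the record's fields as a dict, or None if it does not match."""
    m = RECORD.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"])
    rec["level"] = LEVEL.get(rec["pri"], "unknown")
    # Values are matched quote-aware, so a ']' or an escaped quote inside a
    # value does not end the element early; backslash escapes are then undone.
    rec["sd"] = {k: re.sub(r'\\(["\\\]])', r'\1', v)
                 for k, v in PARAM.findall(rec["sd"])}
    return rec

def non_clean_results(lines):
    """Yield SCAN_RESULT_MESSAGE records logged with priority 165."""
    for line in lines:
        rec = parse_record(line)
        if rec and rec["msgid"] == "SCAN_RESULT_MESSAGE" and rec["pri"] == 165:
            yield rec

# Constructed sample records: addresses, names, hashes and texts are made up.
HEAD = "1 2024-01-01T10:00:00Z 192.0.2.10 KasperskyICAPServer 4242 "
SCAN = ('SCAN_RESULT_MESSAGE [KL_ICAP@23668 icapMode="RESPMOD" '
        'requestLength="68" httpUserName="alice" httpUserIP="198.51.100.7" '
        'sha2="' + "a" * 64 + '" md5="' + "b" * 32 + '"] \ufeff')
SAMPLE = [
    "<166>" + HEAD + "SERVICE_MESSAGE [KL_ICAP@23668] \ufeffconstructed service text",
    "<165>" + HEAD + SCAN + "constructed non-clean result text",
    "<166>" + HEAD + SCAN + "constructed clean result text",
]

if __name__ == "__main__":
    for hit in non_clean_results(SAMPLE):
        print(hit["ts"], hit["sd"]["httpUserIP"], hit["sd"]["sha2"], hit["msg"])
```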