Kaspersky Scan Engine
1.0
Using Kaspersky Scan Engine in ICAP mode  >  Logging in ICAP mode  >  Format of RAW logs in ICAP mode

Format of RAW logs in ICAP mode

If Kaspersky Scan Engine is configured to write syslog messages in RAW format, the log records about events appear as follows:

<%PRIORITY%>1 %TIMESTAMP% %ICAP_SERVICE_IP% KasperskyICAPServer %ICAP_SERVICE_PID% %MESSAGE_ID% [KL_ICAP@23668 icapMode="%ICAP_MODE%" requestLength="%REQUEST_LENGTH%" httpUserName="%HTTP_USER_NAME%" httpUserIP="%HTTP_USER_IP%" sha2="%SCANNED_FILE_SHA256_HASH%" md5="%SCANNED_FILE_MD5_HASH%"] BOM %MESSAGE%

A record has the following fields:

  • %PRIORITY%

    Importance level of the event. Possible values:

    • 163

      This value is specified for errors.

    • 165

      This value is specified if the the scan result is something other than CLEAN.

    • 166

      This value is specified for service events or if the scan result is CLEAN.

  • %TIMESTAMP%

    Date and time of the event in the Coordinated Universal Time (UTC) time zone.

  • %ICAP_SERVICE_IP%

    IP address of the computer that Kaspersky Scan Engine runs on.

  • %ICAP_SERVICE_PID%

    PID of the Kaspersky Scan Engine.

  • %MESSAGE_ID%

    Class of the event. Possible values:

    • SERVICE_MESSAGE

      Service event.

    • ERROR_MESSAGE

      Error message.

    • SCAN_RESULT_MESSAGE

      Scan result.

  • %ICAP_MODE%

    Specifies whether Kaspersky Scan Engine scanned an object in Request Modification Mode (REQMOD) or Response Modification Mode (RESPMOD). This field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE.

  • %REQUEST_LENGTH%

    Length of the body of the HTTP message scanned by Kaspersky Scan Engine. This field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE and the scanned object is not a URL.

  • %HTTP_USER_NAME%

    Name of the HTTP client that was specified in the HTTPUserNameICAPHeader parameter of the ICAP mode configuration file. The %HTTP_USER_NAME% field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE.

  • %HTTP_USER_IP%

    IP address of the HTTP client that was specified in the HTTPClientIpICAPHeader parameter of the ICAP mode configuration file. The %HTTP_USER_IP% field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE.

  • %SCANNED_FILE_SHA256_HASH%

    SHA256 hash of the object that was passed for scanning to Kaspersky Scan Engine. This field appears only when Kaspersky Scan Engine returns the scan result.

  • %SCANNED_FILE_MD5_HASH%

    MD5 hash of the object that was passed for scanning to Kaspersky Scan Engine. This field appears only when Kaspersky Scan Engine returns the scan result.

  • %MESSAGE%

    Description of the event, for example, the text of an error message.

Writing syslog messages in RAW format is available starting from Kaspersky Scan Engine version 1.0.1.51.

Article ID: 186652, Last review: Aug 28, 2024
Page top