If Kaspersky Scan Engine is configured to write syslog messages in RAW format, the log records about events appear as follows:
<%PRIORITY%>1 %TIMESTAMP% %ICAP_SERVICE_IP% KasperskyICAPServer %ICAP_SERVICE_PID% %MESSAGE_ID% [KL_ICAP@23668 icapMode="%ICAP_MODE%" requestLength="%REQUEST_LENGTH%" httpUserName="%HTTP_USER_NAME%" httpUserIP="%HTTP_USER_IP%" sha2="%SCANNED_FILE_SHA256_HASH%" md5="%SCANNED_FILE_MD5_HASH%" request="%SCANNED_URL%"] BOM %MESSAGE%
A record has the following fields:
%PRIORITY%
Importance level of the event. Possible values:
163
This value is specified for errors.
165
This value is specified if the scan result is something other than CLEAN.
166
This value is specified for service events or if the scan result is CLEAN.
%TIMESTAMP%
Date and time of the event in the Coordinated Universal Time (UTC) time zone.
%ICAP_SERVICE_IP%
IP address of the computer that Kaspersky Scan Engine runs on.
%ICAP_SERVICE_PID%
PID of the Kaspersky Scan Engine.
%MESSAGE_ID%
Class of the event. Possible values:
INIT_MESSAGE — KAV SDK initialized.
DEINIT_MESSAGE — KAV SDK deinitialized, a watchdog event occurred, or the service process is absent.
UPDATE_MESSAGE — Anti-malware databases update started or finished.
LICENSE_MESSAGE — License status changed.
ENGINE_MESSAGE — Antivirus engine event occurred.
SCAN_RESULT_CLEAN_MESSAGE — Scanned object considered clean.
SCAN_RESULT_DETECT_MESSAGE — Threat was detected.
SCAN_RESULT_OTHER_MESSAGE — Object was not scanned.
%ICAP_MODE%
Specifies whether Kaspersky Scan Engine scanned an object in Request Modification Mode (REQMOD) or Response Modification Mode (RESPMOD). This field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE.
%REQUEST_LENGTH%
Length of the body of the HTTP message scanned by Kaspersky Scan Engine. This field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE and the scanned object is not a URL.
%HTTP_USER_NAME%
Name of the HTTP client that was specified in the HTTPUserNameICAPHeader parameter of the ICAP mode configuration file. The %HTTP_USER_NAME% field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE.
%HTTP_USER_IP%
IP address of the HTTP client that was specified in the HTTPClientIpICAPHeader parameter of the ICAP mode configuration file. The %HTTP_USER_IP% field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE.
%SCANNED_FILE_SHA256_HASH%
SHA256 hash of the object that was passed for scanning to Kaspersky Scan Engine. This field appears only when Kaspersky Scan Engine returns the scan result.
%SCANNED_FILE_MD5_HASH%
MD5 hash of the object that was passed for scanning to Kaspersky Scan Engine. This field appears only when Kaspersky Scan Engine returns the scan result.
%SCANNED_URL%
URL address scanned by KAV SDK. The %SCANNED_URL% field appears only in scan result events (SCAN_RESULT_CLEAN_MESSAGE, SCAN_RESULT_DETECT_MESSAGE, SCAN_RESULT_OTHER_MESSAGE event types).
%MESSAGE%
Description of the event. For example, the text of an error message.
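The RAW format above is an RFC 5424 syslog record with a single KL_ICAP@23668 structured-data element, so a SIEM or log pipeline can split it with a short parser. The script below is an added example, not Kaspersky's own code: it parses such records into their fields, decodes the PRI value into facility and severity, unescapes the structured-data values, checks each record against the priority and field rules documented on this page, and pulls the object identifiers out of SCAN_RESULT_DETECT_MESSAGE events. All sample records, hostnames, user names, hashes and message texts are constructed placeholders. It assumes that the literal "BOM" in the template stands for the UTF-8 byte order mark that RFC 5424 permits in front of MSG, and it also accepts the RFC 5424 nil value "-" in place of the structured-data element, which the page does not show.

```python
"""Parser and consistency checker for Kaspersky Scan Engine RAW syslog records.

Added example, not Kaspersky's code. Sample records are constructed.
Assumption: "BOM" in the documented template is the UTF-8 byte order mark
(RFC 5424 section 6.4); "-" as the RFC 5424 nil value is accepted as well.
"""
import re
from dataclasses import dataclass, field

# RFC 5424: PRI = facility * 8 + severity.
SEVERITY_NAMES = {0: "emerg", 1: "alert", 2: "crit", 3: "err",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}

SCAN_RESULT_IDS = {"SCAN_RESULT_CLEAN_MESSAGE", "SCAN_RESULT_DETECT_MESSAGE",
                   "SCAN_RESULT_OTHER_MESSAGE"}
# Priority each scan-result class should carry according to the page.
EXPECTED_PRIORITY = {"SCAN_RESULT_CLEAN_MESSAGE": 166,
                     "SCAN_RESULT_DETECT_MESSAGE": 165,
                     "SCAN_RESULT_OTHER_MESSAGE": 165}

# <PRI>1 TIMESTAMP HOST KasperskyICAPServer PID MSGID <structured data + MSG>
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) KasperskyICAPServer '
    r'(?P<pid>\S+) (?P<msgid>\S+) (?P<rest>.*)$', re.DOTALL)
# SD-PARAM values may contain \" \\ and \] escapes (RFC 5424 section 6.3.3).
PARAM_RE = re.compile(r' ([A-Za-z0-9@._-]+)="((?:[^"\\]|\\.)*)"')
SD_RE = re.compile(
    r'^\[KL_ICAP@23668(?P<params>(?: [A-Za-z0-9@._-]+="(?:[^"\\]|\\.)*")*)\]'
    r'(?P<msg>.*)$', re.DOTALL)


@dataclass
class Record:
    priority: int
    timestamp: str
    host: str
    pid: str
    message_id: str
    params: dict = field(default_factory=dict)
    message: str = ""

    @property
    def facility(self) -> int:
        return self.priority // 8

    @property
    def severity(self) -> str:
        return SEVERITY_NAMES[self.priority % 8]


def _unescape(value: str) -> str:
    """Undo RFC 5424 SD-PARAM escaping."""
    return re.sub(r'\\([\\"\]])', r'\1', value)


def parse_record(line: str) -> Record:
    """Parse one RAW-format record; raise ValueError if it does not match."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a Kaspersky Scan Engine RAW syslog record")
    rest = m.group("rest")
    params = {}
    if rest == "-" or rest.startswith("- "):      # nil value: no structured data
        msg = rest[1:]
    else:
        sd = SD_RE.match(rest)
        if not sd:
            raise ValueError("malformed KL_ICAP@23668 structured-data element")
        params = {k: _unescape(v) for k, v in PARAM_RE.findall(sd.group("params"))}
        msg = sd.group("msg")
    msg = msg.lstrip(" ")
    if msg.startswith("\ufeff"):                  # strip the UTF-8 BOM before MSG
        msg = msg[1:]
    return Record(int(m.group("pri")), m.group("ts"), m.group("host"),
                  m.group("pid"), m.group("msgid"), params, msg)


def check_consistency(rec: Record) -> list:
    """Report deviations from the field rules documented for the RAW format."""
    issues = []
    expected = EXPECTED_PRIORITY.get(rec.message_id)
    if expected is not None and rec.priority != expected:
        issues.append(f"priority {rec.priority} but {rec.message_id} is documented as {expected}")
    if "icapMode" in rec.params and rec.message_id not in SCAN_RESULT_IDS:
        issues.append("icapMode present on a non-scan-result event")
    return issues


def triage(lines) -> dict:
    """Parse a batch of records; collect detections, inconsistencies and parse failures."""
    out = {"detections": [], "inconsistent": [], "unparsed": 0}
    for line in lines:
        try:
            rec = parse_record(line)
        except ValueError:
            out["unparsed"] += 1
            continue
        issues = check_consistency(rec)
        if issues:
            out["inconsistent"].append((rec.message_id, issues))
        if rec.message_id == "SCAN_RESULT_DETECT_MESSAGE":
            p = rec.params
            out["detections"].append({"time": rec.timestamp, "user": p.get("httpUserName"),
                                      "client_ip": p.get("httpUserIP"), "mode": p.get("icapMode"),
                                      "sha2": p.get("sha2"), "url": p.get("request"),
                                      "verdict": rec.message})
    return out


# Constructed sample records (placeholder hashes, addresses and texts).
SAMPLE_LINES = [
    '<166>1 2024-05-01T10:15:30Z 192.0.2.10 KasperskyICAPServer 4242 INIT_MESSAGE '
    '[KL_ICAP@23668] \ufeffKAV SDK initialized',
    '<165>1 2024-05-01T10:16:02Z 192.0.2.10 KasperskyICAPServer 4242 SCAN_RESULT_DETECT_MESSAGE '
    '[KL_ICAP@23668 icapMode="RESPMOD" requestLength="68" httpUserName="alice" '
    'httpUserIP="198.51.100.7" sha2="' + "0123456789abcdef" * 4 + '" md5="' + "0123456789abcdef" * 2
    + '" request="http://example.com/q?x=\\]"] \ufeffDetected: Test-Detection',
    '<165>1 2024-05-01T10:16:40Z 192.0.2.10 KasperskyICAPServer 4242 SCAN_RESULT_CLEAN_MESSAGE '
    '[KL_ICAP@23668 icapMode="REQMOD" requestLength="512" httpUserName="bob" '
    'httpUserIP="198.51.100.8" request="http://example.com/upload"] \ufeffClean',
    '<163>1 2024-05-01T10:17:00Z 192.0.2.10 KasperskyICAPServer 4242 ENGINE_MESSAGE '
    '- \ufeffEngine error text',
    'this line is not a syslog record',
]

if __name__ == "__main__":
    for d in triage(SAMPLE_LINES)["detections"]:
        print(d)
```

Feeding the four constructed records above through triage() yields one detection (with the unescaped URL and the client IP and user name needed for follow-up), one inconsistency (a SCAN_RESULT_CLEAN_MESSAGE carrying priority 165 instead of the documented 166) and one unparseable line; in a real pipeline, both of the latter counts are worth alerting on, since they usually mean a format change or a misconfigured syslog forwarder rather than a scan outcome.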