If Kaspersky Scan Engine is configured to write syslog messages in CEF format, the log records about events appears as follows:
CEF:0|Kaspersky|Scan Engine ICAP Service|%VERSION%|%EVENT_CLASS_ID%|%EVENT_NAME%|%SEVERITY%| msg=%EVENT_MSG% src=%CLIENT_IP% dvcpid=%ICAP_SERVER_PID% dvc=%HTTP_SERVICE_IP% dvchost=%HOSTNAME% cs2=%HTTP_USER_NAME% cs2Label=X-Client-Username cs3=%HTTP_USER_IP% cs3Label=X-Client-IP start=%EVENT_TIME% fileHash=%SCANNED_FILE_HASH% request=%SCANNED_URL% cs1=%SCAN_RESULT% cs1Label=Scan result cs4=%VIRUS_NAME% cs4Label=Virus name cs5=%SCANNED_FILE_SHA256_HASH% cs5Label=SHA256 cs6=%ICAP_MODE% cs6Label=ICAP mode cn1=%REQUEST_LENGTH% cn1Label=Request size flexString1=%SDK_VERSION% flexString1Label=Anti-Virus Engine version
A record has the following fields:
%VERSION%
Version of Kaspersky Scan Engine.
%EVENT_CLASS_ID%
Class of the event. Possible values:
1
Service event (not related to scanning).
2
Event related to errors.
3
Event related to scanning (for example, a scan result).
%EVENT_NAME%
Name of the event. Possible values:
Initializing
—Kaspersky Scan Engine initialized.Deinitializing
—Kaspersky Scan Engine deinitialized, a watchdog event occurred, or the service process is absent.Update event
—Anti-malware databases update started or finished.License event
—License-related event.Engine event
—Antivirus engine event occurred.Scan result clean
—Scanned object considered clean.Scan result detect
—Threat was detected.Scan result other
—Object was not scanned.Audit
—System audit event occurred.%SEVERITY%
Importance level of the event. The higher the level, the more important the event. Possible values:
3
This value is specified for system audit events, informational level.
5
This value is specified for service events when the scanning starts or if the scan result is CLEAN
.
6
This value is specified for system audit events, warning level.
7
This value is specified for initialization, deinitialization, and errors.
8
This value is specified for system audit events (critical level) and if the scan result is something other than CLEAN
. These events are considered dangerous.
%EVENT_MSG%
Description of the event. For example, the text of an error message.
%CLIENT_IP%
IP address of the ICAP client that sent the scan request to Kaspersky Scan Engine. This field appears only in scan result events (ScanResultClean
, ScanResultDetect
, ScanResultOther
event types).
%ICAP_SERVER_PID%
PID of Kaspersky Scan Engine.
%HTTP_SERVICE_IP%
IP address that Kaspersky Scan Engine uses to receive scan requests from clients. This field appears only if syslog logging in CEF format is enabled.
%HOSTNAME%
Host name of the computer on which Kaspersky Scan Engine is working. This field appears only if syslog logging in CEF format is enabled.
%HTTP_USER_NAME%
Name of the HTTP client specified in a custom request header field. The name of this request header field is specified in the HTTPUserNameICAPHeader
element of the ICAP mode configuration file.
The cs2
(%HTTP_USER_NAME%
) and cs2Label
fields appear only if the value of %EVENT_CLASS_ID%
is 3, and if the HTTPUserNameICAPHeader
element in the ICAP mode configuration file exists and is not empty. If the HTTPUserNameICAPHeader
element does not exist or is empty, the cs2
(%HTTP_USER_NAME%
) and cs2Label
fields are absent in the Syslog message.
If the value of the custom header field is empty (the HTTP client name is not specified in the request), the cs2
value (%HTTP_USER_NAME%
) in the Syslog message is "-".
%HTTP_USER_IP%
IP address of the HTTP client specified in a custom request header field. The name of this request header field is specified in the HTTPClientIpICAPHeader
element of the ICAP mode configuration file.
The cs3
(%HTTP_USER_IP%
) and cs3Label
fields appear only if the value of %EVENT_CLASS_ID%
is 3, and if the HTTPClientIpICAPHeader
element in the ICAP mode configuration file exists and is not empty. If the HTTPClientIpICAPHeader
element does not exist or is empty, the cs3
(%HTTP_USER_IP%
) and cs3Label
fields are absent in the Syslog message.
If the value of the custom header field is empty (the IP address of the HTTP client is not specified in the request), the cs3
value (%HTTP_USER_IP%
) in the Syslog message is "-".
%EVENT_TIME%
Time and date of the event. The time and date are taken from the computer that Kaspersky Scan Engine runs on.
%SCANNED_FILE_HASH%
Hash of the object that was passed for scanning to Kaspersky Scan Engine. This field appears only in scan result events (ScanResultClean
, ScanResultDetect
, ScanResultOther
event types).
%SCANNED_URL%
URL that was passed for scanning to Kaspersky Scan Engine. This field appears only in scan result events (ScanResultClean
, ScanResultDetect
, ScanResultOther
event types).
%SCAN_RESULT%
Scan result. This field appears only in scan result events (ScanResultClean
, ScanResultDetect
, ScanResultOther
event types).
cs1Label=Scan result
Field appears only if the value of %EVENT_CLASS_ID%
is 3
.
%VIRUS_NAME%
Name of the threat or legitimate software that can be used by intruders. This field appears only in scan result events (ScanResultClean
, ScanResultDetect
, ScanResultOther
event types).
%SCANNED_FILE_SHA256_HASH%
SHA256 hash of object that was passed for scanning to Kaspersky Scan Engine. This field appears only when Kaspersky Scan Engine returns the scan result.
%ICAP_MODE%
Specifies whether Kaspersky Scan Engine scanned an object in Request Modification Mode (REQMOD) or Response Modification Mode (RESPMOD). This field appears only in scan result events (ScanResultClean
, ScanResultDetect
, ScanResultOther
event types).
%REQUEST_LENGTH%
Length of the body of the message in bytes. This field appears only in scan result events (ScanResultClean
, ScanResultDetect
, ScanResultOther
event types) and if the scanned object is not a URL.
%SDK_VERSION%
Version of KAV SDK that Kaspersky Scan Engine is based on.