Information about each alert is transmitted in a separate syslog category (syslog facility) that is not used by the system to deliver messages from other sources. Information about each alert is transmitted as a separate syslog message in CEF format. If the alert was generated by the Targeted Attack Analyzer module, information about that alert is transmitted as multiple separate syslog messages in CEF format.
The default maximum size of a syslog message about an alert is 32 KB. Messages that exceed the maximum size are truncated at the end.
The header of each syslog message about an alert contains the following information, in the standard CEF header order (version, device vendor, device product, device version, device event class ID, name, severity):
- CEF format version. Current version number: 0. Current field value: CEF:0
- Device vendor. Current field value: AO Kaspersky Lab
- Device product. Current field value: Kaspersky Anti Targeted Attack Platform
- Device version. Current field value: 6.0.0-200.
- Device event class ID. See the table below.
- Name. See the table below.
- Severity. Allowed field values: Low, Medium, High or 0 (for heartbeat messages).
Example:
The body of a syslog message about an alert matches the information about the alert that is displayed in the application web interface. All fields are presented in the "<key>=<value>" format. Depending on whether the alert occurred in network traffic or mail traffic, and depending on the technology that generated the alert, various keys may be transmitted in the body of a syslog message. If the value is empty, the key is not transmitted.
The keys, as well as their values contained in a message, are presented in the table below.
Information about an alert in syslog messages

| Alert type | Alert name and description | Key and description of its value |
|---|---|---|
| | A file was detected in network traffic. | |
| | A file was detected in mail traffic. | |
| | An alert was generated by the Intrusion Detection System module. | |
| | An alert was generated by URL Reputation technology or Sandbox in network traffic. | |
| | An alert was generated by URL Reputation technology or Sandbox in mail traffic. | |
| | An alert was generated by URL Reputation technology in DNS traffic. | |
| | The alert was generated by the Endpoint Agent component on the user's computer and contains a file. | |
| | The alert was generated while carrying out an IOC scan of hosts with the Endpoint Agent component for Windows. This type of alert is available if you are using KEDR functionality. | |
| | Alert resulting from the IOA analysis of events. This type of alert is available if you are using KEDR functionality. | |
| | The alert was generated while carrying out a YARA scan of hosts with the Endpoint Agent component for Windows. This type of alert is available if you are using KEDR functionality. | |
| | Periodic message containing the state of components. | |
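A SIEM collector that receives these messages has to split the seven pipe-delimited header fields described above, decode the `<key>=<value>` extension (where values may contain spaces), recognise heartbeat messages by their severity of 0, and remember that a message at the 32 KB default limit may have lost the end of its extension. The parser below is an added example, not Kaspersky's code or a documented API of the platform. It assumes the standard CEF escaping rules (`\|` and `\\` in the header; `\=`, `\\`, `\n` and `\r` in the extension), which the page does not spell out. The syslog prefix, event class IDs, alert names and extension keys in the two sample messages are constructed placeholders; only the vendor, product, version and severity values come from the page, and the function names are this example's own.

```python
"""Parser for CEF-formatted syslog alert messages as described above. Added
illustration, not Kaspersky's code: header fields follow the standard CEF order
(version, vendor, product, device version, event class ID, name, severity)."""
import re
from dataclasses import dataclass, field

MAX_SYSLOG_MESSAGE_BYTES = 32 * 1024  # default limit stated in the documentation
EXPECTED_VENDOR = "AO Kaspersky Lab"
EXPECTED_PRODUCT = "Kaspersky Anti Targeted Attack Platform"
ALLOWED_SEVERITY = {"Low", "Medium", "High", "0"}  # "0" marks heartbeat messages
# An unescaped "key=" at the start of the extension or after whitespace.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.\-]+)=")


@dataclass
class CefEvent:
    version: str
    device_vendor: str
    device_product: str
    device_version: str
    device_event_class_id: str
    name: str
    severity: str
    extension: dict = field(default_factory=dict)
    may_be_truncated: bool = False


def _split_header(cef: str):
    """Split the seven '|'-delimited header fields, decoding the CEF header
    escapes '\\|' and '\\\\'. Returns (fields, extension_string)."""
    fields, buf, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            buf.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, cef[i:]


def _unescape_value(value: str) -> str:
    """Decode the CEF extension escapes '\\=', '\\\\', '\\n' and '\\r'."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _parse_extension(ext: str) -> dict:
    """'k1=v1 k2=v2 ...' -> dict; each value runs to the next unescaped 'key='."""
    matches = list(_KEY_RE.finditer(ext))
    result = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        result[m.group(1)] = _unescape_value(ext[m.end():end].strip())
    return result


def parse_cef(raw: str) -> CefEvent:
    """Parse one syslog line, skipping any transport prefix before 'CEF:'. A line
    at or above the 32 KB limit is flagged: its last extension value may be cut."""
    start = raw.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    fields, ext = _split_header(raw[start:])
    fields[0] = fields[0][len("CEF:"):]  # "CEF:0" -> "0"
    too_long = len(raw.encode("utf-8")) >= MAX_SYSLOG_MESSAGE_BYTES
    return CefEvent(*fields, extension=_parse_extension(ext), may_be_truncated=too_long)


def classify(event: CefEvent) -> str:
    """'foreign' unless vendor/product match, 'heartbeat' for severity 0, else 'alert'."""
    if (event.device_vendor, event.device_product) != (EXPECTED_VENDOR, EXPECTED_PRODUCT):
        return "foreign"
    if event.severity not in ALLOWED_SEVERITY:
        raise ValueError(f"unexpected severity {event.severity!r}")
    return "heartbeat" if event.severity == "0" else "alert"


# Constructed samples: the syslog prefix, event class IDs, names and extension
# keys are placeholders for this example, not the platform's real values.
SAMPLE_ALERT = (
    "<134>1 2024-01-01T00:00:00Z kata-host kata - - - "
    "CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform|6.0.0-200|"
    "EXAMPLE_EVENT_ID|Example alert name|High|"
    "exampleKey=value with spaces exampleFile=report\\=final.pdf exampleMsg=line1\\nline2"
)
SAMPLE_HEARTBEAT = (
    "CEF:0|AO Kaspersky Lab|Kaspersky Anti Targeted Attack Platform|6.0.0-200|"
    "EXAMPLE_HEARTBEAT_ID|Example heartbeat|0|exampleState=ok"
)
```

Each received line is parsed on its own; `classify` lets the collector drop messages from other producers sharing the facility and route heartbeats to a health check rather than the alert queue. Because the page states that messages over the default size are truncated at the end, a collector should treat the last key of a flagged message as unreliable rather than silently indexing a partial value.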