Security messages in CEF format consist of a header and a body.
The format of CEF messages is fixed: you cannot add, modify, or remove fields.
The header of each event has seven required fields, separated by |
characters:

CEF:0
    Corresponding field in KUMA: Extra
Kaspersky
    Corresponding field in KUMA: DeviceVendor
Kaspersky NGFW
    Corresponding field in KUMA: DeviceProduct
DeviceVersion
DeviceEventClassID
    Possible values: Firewall, DNS Security, Web Control, SSL Inspection, URL Antivirus, File Anti-Virus, IDPS, Explicit Proxy, Service
Name
    Possible values depend on the DeviceEventClassID. Firewall events use Session start and Session end; the remaining values are Detect, Exclusion, Decryption error, Rules schedule, Cert, KSN, DB, and Connection.
Severity
    Not used; the value of the field is Unknown. In some logs, the severity is indicated in the Priority field.
SpaceID
    Possible values: Management events, System events, Dataplane events, Service events

Example: CEF:0|Kaspersky|Kaspersky NGFW|1.1.0.0|Firewall|Session start|Unknown|
All fields of the CEF message body have the <key>=<value>
format. If a key has multiple values, the values are separated by commas. Keys are separated by colons.
The keys and values contained in a message depend on the type of event.
For more information about the data model of the normalized event in KUMA, see the KUMA Help.
In the session log for ICMP traffic, the spt and dpt keys contain the ICMP ID value rather than port numbers.
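The following parser is an added example, not code from Kaspersky NGFW or KUMA. It splits the seven header fields into the KUMA field names listed above, validates the CEF version and the DeviceEventClassID, turns comma-separated values into lists, falls back to the Priority key when the header Severity is Unknown, and relabels spt/dpt as the ICMP ID for ICMP sessions. Two assumptions are not stated on this page: body pairs are split on whitespace (the separator used by the CEF standard; adjust PAIR_RE if your feed separates pairs differently), and the protocol is carried in the standard CEF key proto. The sample message is constructed, not a captured log line.

```python
"""Parse Kaspersky NGFW CEF events into the KUMA header fields listed above."""
import re

# Header positions in order, named with the KUMA fields given on the page.
HEADER_FIELDS = ("Extra", "DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "DeviceEventClassID", "Name", "Severity")

# DeviceEventClassID values listed on the page.
EVENT_CLASS_IDS = {
    "Firewall", "DNS Security", "Web Control", "SSL Inspection",
    "URL Antivirus", "File Anti-Virus", "IDPS", "Explicit Proxy", "Service",
}

# One <key>=<value> pair; the value runs up to the next "<space><key>=" token.
# Assumption: pairs are separated by whitespace and no value contains a
# "<space><word>=" sequence of its own.
PAIR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample (not a captured log line); the header follows the page's
# example, with a trailing space in Severity as printed there.
SAMPLE = ("CEF:0|Kaspersky|Kaspersky NGFW|1.1.0.0|Firewall|Session start|Unknown |"
          "src=10.0.0.5 dst=10.0.0.9 proto=ICMP spt=4321 dpt=4321 act=allow,log Priority=3")


def parse_cef(message):
    """Return {'header': ..., 'body': ..., 'severity': ...}; raise ValueError if malformed."""
    parts = message.rstrip("\r\n").split("|", 7)
    if len(parts) != 8:
        raise ValueError("header must contain seven |-separated fields")
    # Whitespace around a header field (e.g. "Unknown ") is tolerated.
    header = dict(zip(HEADER_FIELDS, (p.strip() for p in parts[:7])))
    if header["Extra"] != "CEF:0":
        raise ValueError("unexpected CEF version field: %r" % header["Extra"])
    if header["DeviceEventClassID"] not in EVENT_CLASS_IDS:
        raise ValueError("unknown DeviceEventClassID: %r" % header["DeviceEventClassID"])

    body = {}
    for key, value in PAIR_RE.findall(parts[7]):
        # A key with several values carries them comma-separated.
        body[key] = value.split(",") if "," in value else value

    # The header Severity is always Unknown; some logs carry it in Priority.
    severity = header["Severity"]
    if severity == "Unknown" and "Priority" in body:
        severity = body["Priority"]

    # For ICMP sessions spt/dpt hold the ICMP ID, not ports; both carry the
    # same value, so keep one copy under a name that says what it is.
    # Assumption: the protocol is in the standard CEF key "proto".
    if str(body.get("proto", "")).upper() == "ICMP":
        ids = [body.pop(k) for k in ("spt", "dpt") if k in body]
        if ids:
            body["icmp_id"] = ids[0]

    return {"header": header, "body": body, "severity": severity}


if __name__ == "__main__":
    import json
    print(json.dumps(parse_cef(SAMPLE), indent=2))
```

Run it stand-alone to see the parsed sample; feed it a real line and the two ValueError checks tell you whether the collector is emitting the header layout this page describes.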