Security event format

Security messages in CEF format consists of the body and a header.

You cannot change the format of CEF messages by adding, modifying, or removing fields.

The header of each event has seven required fields, separated by | characters:

• Format version. The current format version is 0, so the value is CEF:0. Corresponding field in KUMA: Extra
• Vendor. The value of this field is Kaspersky. Corresponding field in KUMA: DeviceVendor.
• Application name. The value of this field is set to Kaspersky NGFW. Corresponding field in KUMA: DeviceProduct.
• Solution version. This value of this field is the current version of the solution. Corresponding field in KUMA: DeviceVersion.
• Event class. Corresponding field in KUMA: DeviceEventClassID.

  Possible values:

  • For the session log, Firewall
  • For the DNS Security log, DNS Security
  • For the Web Control log, Web Control
  • For the encrypted traffic scan log, SSL Inspection
  • For the URL Anti-Virus log, URL Antivirus
  • For Stream and Object Anti-Virus logs, File Anti-Virus
  • For the Intrusion Detection and Prevention System log, IDPS
  • For the explicit proxy log, Explicit Proxy
  • For the service event log, Service
  • For the audit event log, depending on the type of security event, Authentication Event, Account management, Traffic filtering management, IP address settings, MAC address settings, General functions settings, Security functions management, Journal management
  • Settings modified
• Event type. Corresponding field in KUMA: Name.

  Possible values:

  • For the session log, Firewall:
    • If it is an event about a session starting, the value is Session start
    • If it is an event about a session ending, the value is Session end
  • For the DNS Security log:
    • Detect
  • For the Web Control log:
    • Detect
    • Exclusion
  • For the encrypted traffic scan log:
    • Decryption error
    • Exclusion
  • For the URL Anti-Virus log:
    • Detect
    • Exclusion
  • For the Object Anti-Virus log:
    • Detect
    • Exclusion

• For the IDPS log:
  • Detect
• For the service event log:
  • Rules schedule
  • Cert
  • KSN
  • DB
• For the explicit proxy logs:
  • Connection
• For audit logs:
  • Successful Authentication
  • User Account Modified
  • Security Rule
  • IP address
  • MAC address
  • Decryption rule
  • Logging settings

• Severity. Corresponding field in KUMA: Severity. Not used, the value of the field is Unknown.

  In some logs, the severity is indicated in the Priority field.

• Journal name. Entered manually in KUMA. Corresponding field in KUMA: SpaceID.

  Possible values:

  • For the audit event log, Management events
  • For the system event log, System events
  • For the logs of security engines, firewall, and SSL inspection, Dataplane events
  • For the service event log, Service events

    Example: CEF:0|Kaspersky|Kaspersky NGFW|1.1.0.0|Firewall|Session start|Unknown

All fields of the CEF message body have the <key>=<value> format. If a key has multiple values, these values are separated by commas. Colons separate keys.

Keys and values contained in a message depend on the type of event.

For more information about the data model of the normalized event in KUMA, see the KUMA Help.

In the session log for ICMP traffic, the spc and dpt keys show the ICMP ID value.

In this section Audit events Firewall events Web Control events DNS Security events URL Anti-Virus events Stream and Object Anti-Virus events SSL inspection events IDPS log Service events

Page top