If Kaspersky Scan Engine is configured to write syslog messages in CEF format, the log records about events appears as follows:
CEF:0|Kaspersky Lab|Kaspersky ICAP Server|%VERSION%|%EVENT_CLASS_ID%|%EVENT_NAME%|%SEVERITY%| msg=%EVENT_MSG% src=%CLIENT_IP% dvcpid=%ICAP_SERVER_PID% start=%EVENT_TIME% fileHash=%SCANNED_FILE_HASH% request=%SCANNED_URL% cs1=%SCAN_RESULT% cs1Label=Scan result cs4=%VIRUS_NAME% cs4Label=Virus name cs5=%SCANNED_FILE_SHA256_HASH% cs5Label=SHA256 cs6=%ICAP_MODE% cs6Label=ICAP mode cn1=%REQUEST_LENGTH% cn1Label=Request size
A record has the following fields:
%VERSION%Version of KAV SDK that Kaspersky Scan Engine is based on.
%EVENT_CLASS_ID%Class of the event. Possible values:
1Service event (not related to scanning).
2Error.
3Event related to scanning (for example, a scan result).
%EVENT_NAME%Name of the event. Possible values:
Initializing—KAV SDK initialized.Deinitializing—KAV SDK deinitialized, a watchdog event occurred, or the service process is absent.Update event—Anti-malware databases update started or finished.License event—License status changed.Engine event—Antivirus engine event occurred.Scan result clean—Scanned object considered clean.Scan result detect—Threat was detected.Scan result other—Object was not scanned.%SEVERITY%Importance level of the event. The higher the level, the more important the event. Possible values:
5This value is specified for service events when the scanning starts or if the scan result is CLEAN.
7This value is specified for initialization, deinitialization, and errors.
8This value is specified if the scan result is something other than CLEAN.
%EVENT_MSG%Description of the event. For example, the text of an error message.
%CLIENT_IP%IP address of the ICAP client that sent the scan request to KAV SDK. This field appears only in scan result events (ScanResultClean, ScanResultDetect, ScanResultOther event types).
%ICAP_SERVER_PID%PID of Kaspersky Scan Engine.
%HTTP_USER_NAME%Name of the HTTP client that was specified in the HTTPUserNameICAPHeader parameter of the ICAP mode configuration file. The %HTTP_USER_NAME% field appears only if the value of %EVENT_CLASS_ID% is 3.
%HTTP_USER_IP%IP address of the HTTP client that was specified in the HTTPClientIpICAPHeader parameter of the ICAP mode configuration file. The %HTTP_USER_IP% field appears only if the value of %EVENT_CLASS_ID% is 3.
%EVENT_TIME%Time and date of the event. The time and date are taken from the computer that Kaspersky Scan Engine runs on.
%SCANNED_FILE_HASH%Hash of the object that was passed for scanning to KAV SDK. This field appears only in scan result events (ScanResultClean, ScanResultDetect, ScanResultOther event types).
%SCANNED_URL%URL that was passed for scanning to KAV SDK. This field appears only in scan result events (ScanResultClean, ScanResultDetect, ScanResultOther event types).
%SCAN_RESULT%Scan result. This field appears only in scan result events (ScanResultClean, ScanResultDetect, ScanResultOther event types).
cs1Label=Scan resultField appears only if the value of %EVENT_CLASS_ID% is 3.
%VIRUS_NAME%Name of the threat or legitimate software that can be used by intruders. This field appears only in scan result events (ScanResultClean, ScanResultDetect, ScanResultOther event types).
%SCANNED_FILE_SHA256_HASH%SHA256 hash of object that was passed for scanning to Kaspersky Scan Engine. This field appears only when Kaspersky Scan Engine returns the scan result.
%ICAP_MODE%Specifies whether KAV SDK scanned an object in Request Modification Mode (REQMOD) or Response Modification Mode (RESPMOD). This field appears only in scan result events (ScanResultClean, ScanResultDetect, ScanResultOther event types).
%REQUEST_LENGTH%Length of the body of the message in bytes. This field appears only in scan result events (ScanResultClean, ScanResultDetect, ScanResultOther event types) and if the scanned object is not a URL.