If Kaspersky Scan Engine is configured to write syslog messages in CEF format, the log records about events appears as follows:
CEF:0|Kaspersky Lab|Kaspersky HTTP Service|%VERSION%|%EVENT_CLASS_ID%|%EVENT_NAME%|%SEVERITY%| msg=%EVENT_MSG% src=%CLIENT_IP% dvcpid=%HTTP_SERVICE_PID% sproc=unix_socket dvc=%HTTP_SERVICE_IP% start=%EVENT_TIME% fileHash=%SCANNED_FILE_MD5_HASH% fname=%SCANNED_FILE_NAME% request=%SCANNED_URL% act=%ACTION_MADE% cs1=%SCAN_RESULT% cs1Label=Scan result cs2=%VIRUS_NAME% cs2Label=Virus name\n
A record has the following fields:
%VERSION%
Version of KAV SDK that Kaspersky Scan Engine is based on.
%EVENT_CLASS_ID%
Class of the event. Possible values:
1
Service event (not related to scanning).
2
Event related to errors.
3
Event related to scanning (for example, a scan result).
%EVENT_NAME%
Name of the event. Possible values:
Initializing
—Kaspersky Scan Engine initialized.Deinitializing
—Kaspersky Scan Engine deinitialized.Service event
—Service event occurred.Service error
—Error occurred in the kavhttpd service.Core error
—Error occurred in Kaspersky Anti-Virus Engine.Scan result
—Kaspersky Scan Engine finished scanning an object.%SEVERITY%
Importance level of the event. The higher the level, the more important the event. Possible values:
5
This value is specified for service events, when the scanning starts, or if the scan result is CLEAN
.
7
This value is specified for initialization, deinitialization, and errors.
8
This value is specified if the scan result is something other than CLEAN
.
%EVENT_MSG%
Description of the event. For example, the text of an error message.
%CLIENT_IP%
IP address of the HTTP client that sent the scan request to Kaspersky Scan Engine. This field appears only if the request is sent over a TCP socket and is related to scanning.
%HTTP_SERVICE_PID%
PID of Kaspersky Scan Engine.
%HTTP_SERVICE_IP%
IP address that Kaspersky Scan Engine uses to receive scan requests from clients. This field appears only if Kaspersky Scan Engine receives scan requests over a TCP socket.
%EVENT_TIME%
Time and date of the event. The time and date are taken from the computer that Kaspersky Scan Engine runs on.
sproc=unix_socket
This field appears only if Kaspersky Scan Engine receives scan requests over a UNIX socket.
%SCANNED_FILE_MD5_HASH%
Hash of the object that was passed for scanning to Kaspersky Scan Engine. This field appears only if a client sent a scan request and Kaspersky Scan Engine has finished scanning.
%SCANNED_FILE_NAME%
Name of the scanned file. If the client sent a request to scan a part of RAM, the value of this field is MEMORY_BLOCK
. This field appears only if a client sent a scan request and Kaspersky Scan Engine has finished scanning.
%SCANNED_URL%
URL specified in the X-KAV-ObjectURL
header of the scan request. This field appears only if a client sent a scan request and Kaspersky Scan Engine has finished scanning.
%ACTION_MADE%
Action that was performed on the detected threat or a legitimate software that can be used by intruders. This field appears only in events that contain scan results.
%SCAN_RESULT%
Scan result. This field appears only in events that contain scan results.
cs1Label=Scan result
This field appears only in events that contain scan results.
%VIRUS_NAME%
Name of the detected threat or legitimate software that can be used by intruders. This field appears only if a threat or legitimate software that can be used by intruders was detected.
cs2Label=Virus name
This field appears only if a threat or legitimate software that can be used by intruders was detected.