Format of CEF logs in HTTP mode

If Kaspersky Scan Engine is configured to write syslog messages in CEF format, the log records about events appears as follows:

CEF:0|Kaspersky Lab|Kaspersky HTTP Service|%VERSION%|%EVENT_CLASS_ID%|%EVENT_NAME%|%SEVERITY%| msg=%EVENT_MSG% src=%CLIENT_IP% dvcpid=%HTTP_SERVICE_PID% sproc=unix_socket dvc=%HTTP_SERVICE_IP% start=%EVENT_TIME% fileHash=%SCANNED_FILE_MD5_HASH% fname=%SCANNED_FILE_NAME% request=%SCANNED_URL% act=%ACTION_MADE% cs1=%SCAN_RESULT% cs1Label=Scan result cs2=%VIRUS_NAME% cs2Label=Virus name\n

A record has the following fields:

• %VERSION%

  Version of KAV SDK that Kaspersky Scan Engine is based on.

• %EVENT_CLASS_ID%

  Class of the event. Possible values:

  • 1

    Service event (not related to scanning).

  • 2

    Event related to errors.

  • 3

    Event related to scanning (for example, a scan result).

• %EVENT_NAME%

  Name of the event. Possible values:

  • Initializing—Kaspersky Scan Engine initialized.
  • Deinitializing—Kaspersky Scan Engine deinitialized.
  • Service event—Service event occurred.
  • Service error—Error occurred in the kavhttpd service.
  • Core error—Error occurred in Kaspersky Anti-Virus Engine.
  • Scan result—Kaspersky Scan Engine finished scanning an object.
• %SEVERITY%

  Importance level of the event. The higher the level, the more important the event. Possible values:

  • 5

    This value is specified for service events, when the scanning starts, or if the scan result is CLEAN.

  • 7

    This value is specified for initialization, deinitialization, and errors.

  • 8

    This value is specified if the scan result is something other than CLEAN.

• %EVENT_MSG%

  Description of the event. For example, the text of an error message.

• %CLIENT_IP%

  IP address of the HTTP client that sent the scan request to Kaspersky Scan Engine. This field appears only if the request is sent over a TCP socket and is related to scanning.

• %HTTP_SERVICE_PID%

  PID of Kaspersky Scan Engine.

• %HTTP_SERVICE_IP%

  IP address that Kaspersky Scan Engine uses to receive scan requests from clients. This field appears only if Kaspersky Scan Engine receives scan requests over a TCP socket.

• %EVENT_TIME%

  Time and date of the event. The time and date are taken from the computer that Kaspersky Scan Engine runs on.

• sproc=unix_socket

  This field appears only if Kaspersky Scan Engine receives scan requests over a UNIX socket.

• %SCANNED_FILE_MD5_HASH%

  Hash of the object that was passed for scanning to Kaspersky Scan Engine. This field appears only if a client sent a scan request and Kaspersky Scan Engine has finished scanning.

• %SCANNED_FILE_NAME%

  Name of the scanned file. If the client sent a request to scan a part of RAM, the value of this field is MEMORY_BLOCK. This field appears only if a client sent a scan request and Kaspersky Scan Engine has finished scanning.

• %SCANNED_URL%

  URL specified in the X-KAV-ObjectURL header of the scan request. This field appears only if a client sent a scan request and Kaspersky Scan Engine has finished scanning.

• %ACTION_MADE%

  Action that was performed on the detected threat or a legitimate software that can be used by intruders. This field appears only in events that contain scan results.

• %SCAN_RESULT%

  Scan result. This field appears only in events that contain scan results.

• cs1Label=Scan result

  This field appears only in events that contain scan results.

• %VIRUS_NAME%

  Name of the detected threat or legitimate software that can be used by intruders. This field appears only if a threat or legitimate software that can be used by intruders was detected.

• cs2Label=Virus name

  This field appears only if a threat or legitimate software that can be used by intruders was detected.

Page top