If Kaspersky Scan Engine is configured to write syslog messages in RAW format, the log records about events appear as follows:
<%PRIORITY%>1 %TIMESTAMP% %HTTP_SERVICE_IP% KasperskyHTTPService %HTTP_SERVICE_PID% %MESSAGE_ID% [KL_HTTPD@23668 md5="%SCANNED_FILE_MD5_HASH%"] BOM %MESSAGE%\n
A record has the following fields:
%PRIORITY%Severity level of the event. Possible values:
163This value is specified for errors.
165This value is specified if the scan result is something other than CLEAN.
166This value is specified for service events or if the scan result is CLEAN.
%TIMESTAMP%Date and time of the event in the Coordinated Universal Time (UTC) time zone.
%HTTP_SERVICE_IP%IP address that Kaspersky Scan Engine uses to receive scan requests from clients. If Kaspersky Scan Engine receives scan requests over a UNIX socket, the field contains the host name of the computer that Kaspersky Scan Engine runs on.
%HTTP_SERVICE_PID%PID of Kaspersky Scan Engine.
%MESSAGE_ID%Class of the event. Possible values:
SERVICE_MESSAGEService event.
ERROR_MESSAGEError.
SCAN_RESULT_MESSAGEScan result.
%SCANNED_FILE_MD5_HASH%MD5 hash of the object that was passed for scanning to Kaspersky Scan Engine. This field appears only when Kaspersky Scan Engine returns the scan result.
%MESSAGE%Description of the event. For example, the text of an error message.