Audit events are logged in CEF format if all of the following conditions are satisfied:
Information about each detected audit event is relayed as a separate syslog message in CEF format with UTF-8 encoding. The event logging category is specified in the Settings → Logs and events → Syslog → CEF format → Enable the CEF log format section.
A message in CEF format consists of a message body and header. Each Syslog message contains the following fields defined by the Syslog protocol settings in the operating system:
Syslog event message fields defined by the application settings have the <key>="<value>" format. If a key has multiple values, these values are separated with a comma.
The keys and their values contained in a message depend on the specific class of the event.
Example: Aug 14 17:07:42 host.domain.com KSMG: CEF:0|AO Kaspersky Lab|Kaspersky Secure Mail Gateway|2.1.1.1234|LMS_AUDIT_DICTIONARY|Dictionary created|<severity>|externalId=<external ID> outcome=success dst=0.0.0.0 dpt=9045 cn1Label=EventPart cn1=1 cn2Label=TotalEventParts cn2=1 KSMGAccountType=<account type> src=0.0.0.1 suser=<username> KSMGUserRole=<role> cs1Label=ChangedSettings cs1=attachmentFormats.officeCategory.spreadsheetSubcategory.officeOds[][False];content.attachmentFormats.unknown[][False];content.texts.regexList.Added[r3];content.texts.textList.Added[t1];content.texts.wildcardList.Added[w2];content.type[][Text];description[][];element_type[][Text];id[][18];name[][Dictionary_11]; cn3Label=DictionaryID cn3=18 cs2Label=DictionaryName cs2=Dictionary_11 |
The maximum size of a syslog message about a detected event depends on the values of syslog settings on the server on which KSMG is installed.
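The parser below is an added example, not code from Kaspersky or the KSMG product: it takes one syslog line in the format shown above, splits the CEF header on its seven unescaped pipes (honouring the CEF `\|` escape), cuts the extension into key=value pairs, resolves the `cnNLabel`/`csNLabel` custom-field names, and decodes the `;`-separated ChangedSettings list into (setting path, bracketed values). The sample line is constructed from the page's example; the placeholder values (severity `4`, external ID `1001`, account type `local`, user `admin`, role `Administrator`) are invented. Treating `EventPart`/`TotalEventParts` as a part counter for a consumer is an assumption drawn from the field labels in the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the page's example; placeholder values are invented.
SAMPLE = (
    "Aug 14 17:07:42 host.domain.com KSMG: CEF:0|AO Kaspersky Lab|"
    "Kaspersky Secure Mail Gateway|2.1.1.1234|LMS_AUDIT_DICTIONARY|"
    "Dictionary created|4|externalId=1001 outcome=success dst=0.0.0.0 dpt=9045 "
    "cn1Label=EventPart cn1=1 cn2Label=TotalEventParts cn2=1 "
    "KSMGAccountType=local src=0.0.0.1 suser=admin KSMGUserRole=Administrator "
    "cs1Label=ChangedSettings "
    "cs1=attachmentFormats.officeCategory.spreadsheetSubcategory.officeOds[][False];"
    "content.attachmentFormats.unknown[][False];content.texts.regexList.Added[r3];"
    "content.texts.textList.Added[t1];content.texts.wildcardList.Added[w2];"
    "content.type[][Text];description[][];element_type[][Text];id[][18];"
    "name[][Dictionary_11]; cn3Label=DictionaryID cn3=18 "
    "cs2Label=DictionaryName cs2=Dictionary_11 |"
)

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# An extension key starts at the beginning of the extension or after whitespace,
# so an escaped '\=' inside a value is not mistaken for a new key.
KEY_RE = re.compile(r"(?<![^\s])([A-Za-z][A-Za-z0-9_]*)=")
SETTING_RE = re.compile(r"^([^\[]+)((?:\[[^\]]*\])*)$")


def _split_header(rest: str) -> Tuple[List[str], str]:
    """Return the 7 header fields and the remaining extension text."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(rest) and len(fields) < 7:
        c = rest[i]
        if c == "\\" and i + 1 < len(rest):      # CEF escape: '\|' or '\\'
            cur.append(rest[i + 1])
            i += 2
            continue
        if c == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if len(fields) != 7:
        raise ValueError("truncated CEF header")
    return fields, rest[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Cut 'k1=v1 k2=v2 ...' into a dict; values may contain spaces."""
    matches = list(KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        value = ext[m.end():end].strip()
        out[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return out


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Rename cnN/csN custom fields using their cnNLabel/csNLabel companions."""
    named: Dict[str, str] = {}
    for key, value in ext.items():
        if key.endswith("Label"):
            continue
        named[ext.get(key + "Label") or key] = value
    return named


def parse_changed_settings(value: str) -> List[Tuple[str, List[str]]]:
    """'path[old][new];path[x];...' -> [(path, [bracket values]), ...]."""
    items: List[Tuple[str, List[str]]] = []
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        m = SETTING_RE.match(entry)
        if not m:
            raise ValueError(f"unexpected ChangedSettings entry: {entry!r}")
        items.append((m.group(1), re.findall(r"\[([^\]]*)\]", m.group(2))))
    return items


def parse_audit_event(line: str) -> dict:
    """Parse one KSMG CEF syslog line into header, named extension and settings."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF message")
    fields, ext = _split_header(line[idx + len("CEF:"):])
    ext = ext.strip()
    if ext.endswith("|"):                     # trailing pipe as in the page's example
        ext = ext[:-1].rstrip()
    named = resolve_labels(_parse_extension(ext))
    part: Optional[Tuple[int, int]] = None
    if "EventPart" in named and "TotalEventParts" in named:
        part = (int(named["EventPart"]), int(named["TotalEventParts"]))
    return {
        "syslog_prefix": line[:idx].rstrip(),
        "header": dict(zip(HEADER_FIELDS, fields)),
        "extension": named,
        "part": part,                          # assumption: (part, total) of a split event
        "changed_settings": parse_changed_settings(named.get("ChangedSettings", "")),
    }


if __name__ == "__main__":
    ev = parse_audit_event(SAMPLE)
    print(ev["header"]["signature_id"], ev["header"]["name"], ev["part"])
    for path, vals in ev["changed_settings"]:
        print(f"  {path}: {vals}")
```

The key regex and the label resolution are the two places worth keeping in mind when adapting this to other KSMG event classes: a value that itself contains ` word=` would be split incorrectly (the CEF extension format offers no quoting for that case), and any `csN`/`cnN` field without a matching `Label` key is kept under its raw name.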