Format of RAW logs in HTTP mode
April 24, 2024
ID 186769
If Kaspersky Scan Engine is configured to write syslog messages in RAW format, the log records about events appear as follows:
<%PRIORITY%>1 %TIMESTAMP% %HTTP_SERVICE_IP% KasperskyHTTPService %HTTP_SERVICE_PID% %MESSAGE_ID% - BOM %MESSAGE%\n
A record has the following fields:
%PRIORITY%
Syslog priority (PRI) of the event. Per RFC 5424, PRI = facility × 8 + severity; all three values below use facility 20 (local4) and differ only in severity. Possible values:
163
This value is specified for errors (severity 3, Error).
165
This value is specified if the scan result is something other than CLEAN (severity 5, Notice).
166
This value is specified for service events or if the scan result is CLEAN (severity 6, Informational).
%TIMESTAMP%
Date and time of the event in the Coordinated Universal Time (UTC) time zone.
%HTTP_SERVICE_IP%
IP address that Kaspersky Scan Engine uses to receive scan requests from clients. If Kaspersky Scan Engine receives scan requests over a UNIX socket, the field contains the host name of the computer that Kaspersky Scan Engine runs on.
%HTTP_SERVICE_PID%
PID of Kaspersky Scan Engine.
%MESSAGE_ID%
Class of the event. Possible values:
AUDIT_MESSAGE
Audit event.
SERVICE_MESSAGE
Service event.
ERROR_MESSAGE
Error.
SCAN_RESULT_CLEAN_MESSAGE
Scanned object is considered clean.
SCAN_RESULT_DETECT_MESSAGE
Threat was detected.
SCAN_RESULT_OTHER_MESSAGE
Object was not scanned.
%MESSAGE%
Description of the event. For example, the text of an error message.
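The following parser is added here as an example; it is not Kaspersky code. It splits a RAW record into the fields listed above, decodes %PRIORITY% into facility and severity, strips the UTF-8 byte order mark that the BOM placeholder in the template stands for, and flags records whose %PRIORITY% disagrees with the value documented for their %MESSAGE_ID% (AUDIT_MESSAGE has no documented priority and is not checked). The sample records, their message texts, the PID and the timestamp precision are constructed for the example, not captured output.

```python
"""Parser and sanity checker for Kaspersky Scan Engine RAW syslog records.
Added example, not Kaspersky code; sample records are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One record per line: <PRI>1 TIMESTAMP HOST KasperskyHTTPService PID MSGID - BOM MSG
RECORD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "    # RFC 5424 PRI and VERSION (always 1 here)
    r"(?P<timestamp>\S+) "      # UTC timestamp
    r"(?P<host>\S+) "           # HTTP service IP, or host name for a UNIX socket
    r"KasperskyHTTPService "    # fixed APP-NAME
    r"(?P<pid>\d+) "            # PID of the scan engine
    r"(?P<msgid>[A-Z_]+) "      # event class
    r"- "                       # no structured data
    r"(?P<msg>.*)$"             # BOM followed by the message text
)

# RFC 5424 severity names indexed by PRI mod 8.
SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# PRI values the page documents for each event class (AUDIT_MESSAGE: none).
EXPECTED_PRI = {
    "ERROR_MESSAGE": 163,
    "SCAN_RESULT_DETECT_MESSAGE": 165,
    "SCAN_RESULT_OTHER_MESSAGE": 165,
    "SERVICE_MESSAGE": 166,
    "SCAN_RESULT_CLEAN_MESSAGE": 166,
}


@dataclass
class Record:
    pri: int
    facility: int
    severity: str
    timestamp: str
    host: str
    pid: int
    msgid: str
    msg: str


def parse_record(line: str) -> Optional[Record]:
    """Parse one RAW record; return None for anything that does not match."""
    m = RECORD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    msg = m.group("msg")
    # RFC 5424 prefixes a UTF-8 MSG with a byte order mark; after text
    # decoding it appears as U+FEFF, so drop it from the message.
    if msg.startswith("\ufeff"):
        msg = msg[1:]
    pri = int(m.group("pri"))
    return Record(pri, pri // 8, SEVERITIES[pri % 8], m.group("timestamp"),
                  m.group("host"), int(m.group("pid")), m.group("msgid"), msg)


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count records per class, collect detections, and count unparsable
    lines and records whose PRI contradicts the documented value."""
    by_class: Dict[str, int] = {}
    detections: List[Record] = []
    unparsed = mismatched = 0
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            unparsed += 1
            continue
        by_class[rec.msgid] = by_class.get(rec.msgid, 0) + 1
        if rec.msgid == "SCAN_RESULT_DETECT_MESSAGE":
            detections.append(rec)
        expected = EXPECTED_PRI.get(rec.msgid)
        if expected is not None and rec.pri != expected:
            mismatched += 1
    return {"by_class": by_class, "detections": detections,
            "unparsed": unparsed, "mismatched": mismatched}


# Constructed sample log (not captured output); message texts are placeholders.
SAMPLE_LOG = [
    "<166>1 2024-04-24T10:15:30.000001Z 192.0.2.10 KasperskyHTTPService 4242 "
    "SERVICE_MESSAGE - \ufeffHTTP service started",
    "<166>1 2024-04-24T10:15:31.000001Z 192.0.2.10 KasperskyHTTPService 4242 "
    "SCAN_RESULT_CLEAN_MESSAGE - \ufeffobject scanned, result CLEAN",
    "<165>1 2024-04-24T10:15:32.000001Z 192.0.2.10 KasperskyHTTPService 4242 "
    "SCAN_RESULT_DETECT_MESSAGE - \ufeffthreat detected in scanned object",
    "<165>1 2024-04-24T10:15:33.000001Z 192.0.2.10 KasperskyHTTPService 4242 "
    "SCAN_RESULT_OTHER_MESSAGE - \ufeffobject was not scanned",
    "<163>1 2024-04-24T10:15:34.000001Z 192.0.2.10 KasperskyHTTPService 4242 "
    "ERROR_MESSAGE - \ufeffan error occurred",
    # Error class carrying the CLEAN priority: counted as mismatched.
    "<166>1 2024-04-24T10:15:35.000001Z 192.0.2.10 KasperskyHTTPService 4242 "
    "ERROR_MESSAGE - \ufeffpriority does not match class",
    "not a syslog record",
]
```

Run summarize() over lines read from the syslog file as UTF-8 text; a non-zero "unparsed" count means the collector is not in RAW mode or a line was truncated, and a non-zero "mismatched" count means the priority and class of a record disagree with the mapping above, which is worth investigating before trusting the severity field for alerting.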