Format of RAW logs in ICAP mode

March 5, 2024

ID 186652

If Kaspersky Scan Engine is configured to write syslog messages in RAW format, the log records about events appear as follows:

<%PRIORITY%>1 %TIMESTAMP% %ICAP_SERVICE_IP% KasperskyICAPServer %ICAP_SERVICE_PID% %MESSAGE_ID% [KL_ICAP@23668 icapMode="%ICAP_MODE%" requestLength="%REQUEST_LENGTH%" httpUserName="%HTTP_USER_NAME%" httpUserIP="%HTTP_USER_IP%" sha2="%SCANNED_FILE_SHA256_HASH%" md5="%SCANNED_FILE_MD5_HASH%" request="%SCANNED_URL%"] BOM %MESSAGE%

A record has the following fields:

  • %PRIORITY%

    Importance level of the event. Possible values:

    • 163

      This value is specified for errors.

    • 165

      This value is specified if the scan result is something other than CLEAN.

    • 166

      This value is specified for service events or if the scan result is CLEAN.

  • %TIMESTAMP%

    Date and time of the event in the Coordinated Universal Time (UTC) time zone.

  • %ICAP_SERVICE_IP%

    IP address of the computer that Kaspersky Scan Engine runs on.

  • %ICAP_SERVICE_PID%

    PID of the Kaspersky Scan Engine process.

  • %MESSAGE_ID%

    Class of the event. Possible values:

    • AUDIT_MESSAGE—Audit event.
    • INIT_MESSAGE—KAV SDK initialized.
    • DEINIT_MESSAGE—KAV SDK deinitialized, a watchdog event occurred, or the service process is absent.
    • UPDATE_MESSAGE—Anti-malware databases update started or finished.
    • LICENSE_MESSAGE—License-related event.
    • ENGINE_MESSAGE—Antivirus engine event occurred.
    • SCAN_RESULT_CLEAN_MESSAGE—Scanned object considered clean.
    • SCAN_RESULT_DETECT_MESSAGE—Threat was detected.
    • SCAN_RESULT_OTHER_MESSAGE—Object was not scanned.

  • %ICAP_MODE%

    Specifies whether Kaspersky Scan Engine scanned an object in Request Modification Mode (REQMOD) or Response Modification Mode (RESPMOD). This field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE.

  • %REQUEST_LENGTH%

    Length of the body of the HTTP message scanned by Kaspersky Scan Engine. This field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE and the scanned object is not a URL.

  • %HTTP_USER_NAME%

    Name of the HTTP client that was specified in the HTTPUserNameICAPHeader parameter of the ICAP mode configuration file. The %HTTP_USER_NAME% field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE.

  • %HTTP_USER_IP%

    IP address of the HTTP client that was specified in the HTTPClientIpICAPHeader parameter of the ICAP mode configuration file. The %HTTP_USER_IP% field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE.

  • %SCANNED_FILE_SHA256_HASH%

    SHA256 hash of the object that was passed for scanning to Kaspersky Scan Engine. This field appears only when Kaspersky Scan Engine returns the scan result.

  • %SCANNED_FILE_MD5_HASH%

    MD5 hash of the object that was passed for scanning to Kaspersky Scan Engine. This field appears only when Kaspersky Scan Engine returns the scan result.

  • %SCANNED_URL%

    URL address scanned by KAV SDK. The %SCANNED_URL% field appears only in scan result events (SCAN_RESULT_CLEAN_MESSAGE, SCAN_RESULT_DETECT_MESSAGE, SCAN_RESULT_OTHER_MESSAGE event types).

  • %MESSAGE%

    Description of the event. For example, the text of an error message.
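The record layout above is RFC 5424 syslog with one structured-data element, so a SIEM or a quick triage script can parse it without guessing at field boundaries. The following parser is an added example, not Kaspersky documentation or product code: it decodes the priority into facility and severity, reads whichever KL_ICAP@23668 parameters are present (the optional ones are missing on service events and URL scans, as the field descriptions state), undoes RFC 5424 value escaping, and pulls out the records a responder cares about. Every sample line, hash and address in it is constructed, and it assumes that the "BOM" token in the template is the UTF-8 byte order mark that RFC 5424 places before the message text.

```python
"""Parser and triage helper for Kaspersky Scan Engine RAW syslog records (ICAP mode).
Added example, not Kaspersky documentation or product code. The layout follows the
template shown on this page; all sample lines, hashes and addresses are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# RFC 5424 PARAM-VALUE: '"', '\' and ']' are backslash-escaped inside the quotes.
SD_PARAM = r'[A-Za-z0-9_]+="(?:[^"\\]|\\.)*"'
# Assumption: the "BOM" token in the page's template is the UTF-8 byte order mark
# that RFC 5424 places before MSG (U+FEFF once decoded); the literal "BOM " is
# accepted too so that a line copied from the template text still parses.
RECORD_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<timestamp>\S+) (?P<host>\S+) KasperskyICAPServer '
    + r'(?P<pid>\S+) (?P<msgid>\S+) \[KL_ICAP@23668(?P<params>(?: ' + SD_PARAM + r')*)\] '
    + '(?:\ufeff|BOM )?' + r'(?P<message>.*)$'
)
PARAM_RE = re.compile(r'([A-Za-z0-9_]+)="((?:[^"\\]|\\.)*)"')
# Event classes that carry a scan result, mapped to a verdict label.
SCAN_RESULT_IDS = {
    "SCAN_RESULT_CLEAN_MESSAGE": "CLEAN",
    "SCAN_RESULT_DETECT_MESSAGE": "DETECT",
    "SCAN_RESULT_OTHER_MESSAGE": "NOT_SCANNED",
}

@dataclass
class IcapLogRecord:
    priority: int      # <PRI> = facility * 8 + severity; 163/165/166 are local4 (20)
    facility: int
    severity: int      # 3 = error, 5 = notice, 6 = informational
    timestamp: str
    host: str
    pid: str
    message_id: str
    params: Dict[str, str]   # only the SD params actually present on this record
    message: str

def _unescape(value: str) -> str:
    """Undo RFC 5424 PARAM-VALUE escaping."""
    return re.sub(r'\\(["\\\]])', r'\1', value)

def parse_record(line: str) -> IcapLogRecord:
    """Parse one RAW record; raise ValueError for a line in another format."""
    m = RECORD_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"not a KasperskyICAPServer RAW record: {line[:60]!r}")
    pri = int(m.group("pri"))
    params = {k: _unescape(v) for k, v in PARAM_RE.findall(m.group("params"))}
    return IcapLogRecord(pri, pri // 8, pri % 8, m.group("timestamp"), m.group("host"),
                         m.group("pid"), m.group("msgid"), params, m.group("message"))

def scan_verdict(rec: IcapLogRecord) -> Optional[str]:
    """CLEAN / DETECT / NOT_SCANNED for scan-result events, None for service events."""
    return SCAN_RESULT_IDS.get(rec.message_id)

def triage(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """One finding per record a responder should look at: a detection, an object that
    was not scanned, or an error-level (priority 163) event. Optional SD params are
    read with .get() because the page says they appear only on scan-result records."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        verdict = scan_verdict(rec)
        if verdict in ("DETECT", "NOT_SCANNED") or rec.priority == 163:
            findings.append({
                "kind": verdict or rec.message_id,
                "user": rec.params.get("httpUserName"),
                "client_ip": rec.params.get("httpUserIP"),
                "url": rec.params.get("request"),
                "sha256": rec.params.get("sha2"),
                "detail": rec.message,
            })
    return findings

# Constructed sample records: placeholder hashes, RFC 5737 documentation addresses.
SHA256_PLACEHOLDER, MD5_PLACEHOLDER = "00" * 32, "00" * 16
SAMPLE_LINES = [
    # clean file body in RESPMOD: 166 = local4.info
    f'<166>1 2024-03-05T10:15:30Z 192.0.2.10 KasperskyICAPServer 4242 SCAN_RESULT_CLEAN_MESSAGE '
    f'[KL_ICAP@23668 icapMode="RESPMOD" requestLength="1024" httpUserName="alice" '
    f'httpUserIP="192.0.2.55" sha2="{SHA256_PLACEHOLDER}" md5="{MD5_PLACEHOLDER}" '
    f'request="http://example.com/report.pdf"] \ufeffClean',
    # detection: 165 = local4.notice, scan result other than CLEAN
    f'<165>1 2024-03-05T10:15:31Z 192.0.2.10 KasperskyICAPServer 4242 SCAN_RESULT_DETECT_MESSAGE '
    f'[KL_ICAP@23668 icapMode="RESPMOD" requestLength="2048" httpUserName="bob" '
    f'httpUserIP="192.0.2.56" sha2="{SHA256_PLACEHOLDER}" md5="{MD5_PLACEHOLDER}" '
    f'request="http://example.com/tools/setup.exe"] \ufeffExample.Constructed.Threat',
    # URL scan in REQMOD: no requestLength, no hashes, escaped quotes inside the URL
    '<165>1 2024-03-05T10:15:32Z 192.0.2.10 KasperskyICAPServer 4242 SCAN_RESULT_OTHER_MESSAGE '
    '[KL_ICAP@23668 icapMode="REQMOD" httpUserName="carol" httpUserIP="192.0.2.57" '
    'request="http://example.com/?q=\\"test\\""] \ufeffObject was not scanned',
    # service error with no SD params: 163 = local4.error
    '<163>1 2024-03-05T10:15:33Z 192.0.2.10 KasperskyICAPServer 4242 ENGINE_MESSAGE '
    '[KL_ICAP@23668] BOM Engine error (constructed sample message)',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Two details matter when wiring this into a pipeline: read the optional parameters with a default rather than indexing, because a service event carries none of them and a URL scan lacks requestLength and the hashes; and treat the priority as the quick severity filter (163 for errors, 165 for any non-CLEAN verdict) while using %MESSAGE_ID% for the actual event class, since both 165 and a DETECT or OTHER message id are needed to tell a detection from an object that was simply not scanned.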
