Format of CEF logs in HTTP mode

March 5, 2024

ID 186767

If Kaspersky Scan Engine is configured to write syslog messages in CEF format, a log record about an event appears as follows:

CEF:0|Kaspersky|Scan Engine HTTP Service|%VERSION%|%EVENT_CLASS_ID%|%EVENT_NAME%|%SEVERITY%| msg=%EVENT_MSG% src=%CLIENT_IP% dvcpid=%HTTP_SERVICE_PID% sproc=unix_socket dvc=%HTTP_SERVICE_IP% dvchost=%HOSTNAME% start=%EVENT_TIME% fileHash=%SCANNED_FILE_MD5_HASH% fname=%SCANNED_FILE_NAME% request=%SCANNED_URL% act=%ACTION_MADE% cs1=%SCAN_RESULT% cs1Label=Scan result cs2=%VIRUS_NAME% cs2Label=Virus name flexString1=%SDK_VERSION% flexString1Label=Anti-Virus Engine version

A record has the following fields:

  • %VERSION%

    Version of Kaspersky Scan Engine.

  • %EVENT_CLASS_ID%

    Class of the event. Possible values:

    • 1

      Service event (not related to scanning).

    • 2

      Event related to errors.

    • 3

      Event related to scanning (for example, a scan result).

  • %EVENT_NAME%

    Name of the event. Possible values:

    • Initializing—Kaspersky Scan Engine initialized.
    • Deinitializing—Kaspersky Scan Engine deinitialized.
    • Service event—Service event occurred.
    • Service error—Error occurred in the kavhttpd service.
    • Core error—Error occurred in Kaspersky Anti-Virus Engine.
    • Scan result—Kaspersky Scan Engine finished scanning an object.
    • Audit—System audit event occurred.

  • %SEVERITY%

    Importance level of the event. The higher the level, the more important the event. Possible values:

    • 3

      This value is specified for system audit events, informational level.

    • 5

      This value is specified for service events, when the scanning starts, or if the scan result is CLEAN.

    • 6

      This value is specified for system audit events, warning level.

    • 7

      This value is specified for initialization, deinitialization, and errors.

    • 8

      This value is specified for system audit events (critical level) and if the scan result is something other than CLEAN. These events are considered dangerous.

  • %EVENT_MSG%

    Description of the event. For example, the text of an error message.

  • %CLIENT_IP%

    IP address of the HTTP client that sent the scan request to Kaspersky Scan Engine. This field appears only if the request is sent over a TCP socket and is related to scanning.

  • %HTTP_SERVICE_PID%

    PID of Kaspersky Scan Engine.

  • %HTTP_SERVICE_IP%

    IP address that Kaspersky Scan Engine uses to receive scan requests from clients. This field appears only if Kaspersky Scan Engine receives scan requests over a TCP socket.

  • %HOSTNAME%

    Host name of the computer on which Kaspersky Scan Engine is working. This field appears only if syslog logging in CEF format is enabled.

  • %EVENT_TIME%

    Time and date of the event. The time and date are taken from the computer that Kaspersky Scan Engine runs on.

  • sproc=unix_socket

    This field appears only if Kaspersky Scan Engine receives scan requests over a UNIX socket.

  • %SCANNED_FILE_MD5_HASH%

    Hash of the object that was passed for scanning to Kaspersky Scan Engine. This field appears only if a client sent a scan request and Kaspersky Scan Engine has finished scanning.

  • %SCANNED_FILE_NAME%

    Name of the scanned file. If the client sent a request to scan a part of RAM, the value of this field is MEMORY_BLOCK. This field appears only if a client sent a scan request and Kaspersky Scan Engine has finished scanning.

  • %SCANNED_URL%

    URL specified in the X-KAV-ObjectURL header of the scan request. This field appears only if a client sent a scan request and Kaspersky Scan Engine has finished scanning.

  • %ACTION_MADE%

    Action that was performed on the detected threat or on legitimate software that can be used by intruders. This field appears only in events that contain scan results.

  • %SCAN_RESULT%

    Scan result. This field appears only in events that contain scan results.

  • cs1Label=Scan result

    This field appears only in events that contain scan results.

  • %VIRUS_NAME%

    Name of the detected threat or legitimate software that can be used by intruders. This field appears only if a threat or legitimate software that can be used by intruders was detected.

  • cs2Label=Virus name

    This field appears only if a threat or legitimate software that can be used by intruders was detected.

  • %SDK_VERSION%

    Version of KAV SDK that Kaspersky Scan Engine is based on.
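
As an added example that is not part of the Kaspersky documentation: a small Python parser for records in the format described above. It splits the header on unescaped pipes, walks the extension by " key=" tokens so that values containing spaces (cs1Label, start) survive intact, and flags scan results other than CLEAN, which the format assigns severity 8. All values in the sample record are constructed placeholders, not real product output.

```python
import re

HEADER_FIELDS = ("cef_version", "vendor", "product", "product_version",
                 "event_class_id", "event_name", "severity")
# Extension values may contain spaces ("cs1Label=Scan result",
# "start=<date>"), so a value ends at the next " key=" token, not at a space.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def _split_header(text):
    """Split on unescaped '|' (CEF writes a pipe inside a header field as '\\|')."""
    parts, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escaped character: keep it literally
            cur.append(text[i + 1]); i += 2; continue
        if ch == "|":
            parts.append("".join(cur)); cur = []
            if len(parts) == len(HEADER_FIELDS):
                return parts, text[i + 1:]      # header done; rest is the extension
        else:
            cur.append(ch)
        i += 1
    raise ValueError("incomplete CEF header")

def parse_cef(line):
    """Parse one Kaspersky Scan Engine CEF record into a flat dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    header, ext = _split_header(line[4:])
    rec = dict(zip(HEADER_FIELDS, header))
    ext = ext.strip()
    keys = list(_EXT_KEY.finditer(ext))
    for cur_m, next_m in zip(keys, keys[1:] + [None]):
        raw = ext[cur_m.end():next_m.start() if next_m else len(ext)]
        # Extension escapes: '\=' for a literal '=' and '\\' for a backslash.
        rec[cur_m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return rec

def is_detection(rec):
    """Scan-result event (class 3) whose result is anything other than CLEAN;
    the format assigns these severity 8 and treats them as dangerous."""
    return (rec.get("event_class_id") == "3" and rec.get("event_name") == "Scan result"
            and rec.get("cs1", "CLEAN").upper() != "CLEAN")

# Constructed sample record; every value is an invented placeholder, not real output.
SAMPLE = ("CEF:0|Kaspersky|Scan Engine HTTP Service|X.Y.Z|3|Scan result|8| msg=Object scanned "
          "src=192.0.2.10 dvcpid=4242 dvc=192.0.2.1 dvchost=kse01 start=Mar 05 2024 12:00:00 "
          "fileHash=00000000000000000000000000000000 fname=sample.bin act=Deleted "
          "request=http://example.test/sample.bin cs1=DETECT cs1Label=Scan result "
          "cs2=Placeholder-Threat cs2Label=Virus name flexString1=A.B.C flexString1Label=Anti-Virus Engine version")
```

A record received over a UNIX socket carries sproc=unix_socket and no src or dvc key, which the parser handles simply by leaving those keys absent from the dict.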
