Format of RAW logs in HTTP mode

March 5, 2024

ID 186769

If Kaspersky Scan Engine is configured to write syslog messages in RAW format, the log records about events appear as follows:

<%PRIORITY%>1 %TIMESTAMP% %HTTP_SERVICE_IP% KasperskyHTTPService %HTTP_SERVICE_PID% %MESSAGE_ID% - BOM %MESSAGE%\n

A record has the following fields:

  • %PRIORITY%

    Severity level of the event. Possible values:

    • 163

      This value is specified for errors.

    • 165

      This value is specified if the scan result is something other than CLEAN.

    • 166

      This value is specified for service events or if the scan result is CLEAN.

  • %TIMESTAMP%

    Date and time of the event in the Coordinated Universal Time (UTC) time zone.

  • %HTTP_SERVICE_IP%

    IP address that Kaspersky Scan Engine uses to receive scan requests from clients. If Kaspersky Scan Engine receives scan requests over a UNIX socket, the field contains the host name of the computer that Kaspersky Scan Engine runs on.

  • %HTTP_SERVICE_PID%

    PID of Kaspersky Scan Engine.

  • %MESSAGE_ID%

    Class of the event. Possible values:

    • AUDIT_MESSAGE

      Audit event.

    • SERVICE_MESSAGE

      Service event.

    • ERROR_MESSAGE

      Error.

    • SCAN_RESULT_CLEAN_MESSAGE

      Scanned object is considered clean.

    • SCAN_RESULT_DETECT_MESSAGE

      Threat was detected.

    • SCAN_RESULT_OTHER_MESSAGE

      Object was not scanned.

  • %MESSAGE%

    Description of the event. For example, the text of an error message.
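The layout above is RFC 5424 syslog: the "1" after the priority is the protocol version, the "-" is the empty structured-data field, and "BOM" stands for the UTF-8 byte-order mark that RFC 5424 puts in front of a UTF-8 message. The parser below is an added example, not Kaspersky code; it splits a RAW record into the fields listed in this article, derives facility and severity from %PRIORITY% (priority = facility * 8 + severity, so 163, 165 and 166 are all facility 20 with severity err, notice and info), and checks each record's priority against the message class this article says it should carry. AUDIT_MESSAGE is skipped in that check because the article does not state its priority. The sample lines and their message texts are constructed and do not reproduce real Scan Engine output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One RAW record, as described in the article (RFC 5424 layout):
# <PRI>1 TIMESTAMP HOST KasperskyHTTPService PID MSGID - BOM MESSAGE
# "BOM" is taken to be U+FEFF; the pattern also accepts a record without it.
RECORD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 "
    r"(?P<timestamp>\S+) "
    r"(?P<host>\S+) "
    r"KasperskyHTTPService "
    r"(?P<pid>\d+) "
    r"(?P<msgid>[A-Z_]+) - "
    r"\ufeff?"
    r"(?P<message>.*)$"
)

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Priority each class should carry according to the article.
# AUDIT_MESSAGE is omitted: the article does not give its priority.
EXPECTED_PRIORITY = {
    "ERROR_MESSAGE": 163,
    "SCAN_RESULT_DETECT_MESSAGE": 165,
    "SCAN_RESULT_OTHER_MESSAGE": 165,
    "SERVICE_MESSAGE": 166,
    "SCAN_RESULT_CLEAN_MESSAGE": 166,
}


@dataclass
class RawRecord:
    priority: int
    facility: int
    severity: str
    timestamp: str
    host: str
    pid: int
    msgid: str
    message: str

    def priority_matches_class(self) -> Optional[bool]:
        """True/False when the article states a priority for this class, else None."""
        expected = EXPECTED_PRIORITY.get(self.msgid)
        return None if expected is None else expected == self.priority


def parse_raw_record(line: str) -> Optional[RawRecord]:
    """Parse one RAW-format line; return None if it does not match the layout."""
    m = RECORD_RE.match(line.rstrip("\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # largest valid PRI is 23 * 8 + 7
        return None
    return RawRecord(
        priority=pri,
        facility=pri // 8,              # 163..166 -> 20 (local4)
        severity=SEVERITY_NAMES[pri % 8],
        timestamp=m.group("timestamp"),
        host=m.group("host"),
        pid=int(m.group("pid")),
        msgid=m.group("msgid"),
        message=m.group("message"),
    )


def summarize(lines: List[str]) -> Dict[str, object]:
    """Count records per class; collect detections, priority mismatches and unparsed lines."""
    counts: Dict[str, int] = {}
    detections: List[RawRecord] = []
    mismatched: List[RawRecord] = []
    unparsed: List[str] = []
    for line in lines:
        rec = parse_raw_record(line)
        if rec is None:
            unparsed.append(line)
            continue
        counts[rec.msgid] = counts.get(rec.msgid, 0) + 1
        if rec.msgid == "SCAN_RESULT_DETECT_MESSAGE":
            detections.append(rec)
        if rec.priority_matches_class() is False:
            mismatched.append(rec)
    return {"counts": counts, "detections": detections,
            "mismatched": mismatched, "unparsed": unparsed}


# Constructed sample records; the message texts are made up for this example.
SAMPLE_LINES = [
    "<166>1 2024-03-05T10:15:30.000Z 192.0.2.10 KasperskyHTTPService 4242 SERVICE_MESSAGE - \ufeffService started",
    "<166>1 2024-03-05T10:15:31.000Z 192.0.2.10 KasperskyHTTPService 4242 SCAN_RESULT_CLEAN_MESSAGE - \ufeffobject sample-1: clean",
    "<165>1 2024-03-05T10:15:32.000Z 192.0.2.10 KasperskyHTTPService 4242 SCAN_RESULT_DETECT_MESSAGE - \ufeffobject sample-2: detected",
    "<165>1 2024-03-05T10:15:33.000Z 192.0.2.10 KasperskyHTTPService 4242 SCAN_RESULT_OTHER_MESSAGE - \ufeffobject sample-3: not scanned",
    "<163>1 2024-03-05T10:15:34.000Z 192.0.2.10 KasperskyHTTPService 4242 ERROR_MESSAGE - \ufeffconstructed error text",
    "<166>1 2024-03-05T10:15:35.000Z 192.0.2.10 KasperskyHTTPService 4242 SCAN_RESULT_DETECT_MESSAGE - \ufeffpriority does not fit the class",
    "this line is not a RAW record",
]

if __name__ == "__main__":
    report = summarize(SAMPLE_LINES)
    print(report["counts"])
    for rec in report["detections"]:
        print(f"DETECT {rec.timestamp} {rec.host} pid={rec.pid}: {rec.message}")
    print("mismatched:", len(report["mismatched"]), "unparsed:", len(report["unparsed"]))
```

Run on the constructed sample, the summary reports two SCAN_RESULT_DETECT_MESSAGE records, one of which is flagged because it carries priority 166 where the article specifies 165, and one line that does not parse. Routing on %MESSAGE_ID% rather than on the priority alone is the safer choice, since the priority collapses service events and clean results into the same value.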
