Contents of syslog messages about traffic processing events
13 December 2023
ID 179953
Each syslog message contains the following fields defined by the parameters of the Syslog protocol in the operating system:
- date and time of the event;
- name of the host where the event happened;
- name of the application (the value is always KWTS).
Fields of the syslog message about a traffic processing event, which are defined by application options, have the format <key>="<value>". If a key has multiple values, these values are separated with a comma. A colon is used as the separator between keys.
Example:
The keys and the values they can carry in a message are presented in the table below.
Information about traffic processing events in a syslog message
| Key | Description and possible values |
|---|---|
| | Type of HTTP message. Its value may be |
| | HTTP request method. |
| | Action taken on a detected object. It can take one of the following values: |
| | Name of the traffic processing rule that caused the web resource to be blocked. It is displayed in the following format: |
| | Name of the traffic processing rule that caused the user to be redirected to the specified URL. It is displayed in the following format: |
| | Duration of HTTP message processing, in milliseconds. The time is counted from the start of processing of the HTTP message header until a record of the completed scan is saved in the application event log and in the Syslog event log. |
| | Result of scanning the HTTP message. If multiple threats are detected, the name of the highest-priority threat is displayed. If threats were eliminated or were not detected, the highest-priority scan result is displayed (Disinfected, Not detected, Not scanned). |
| | Name of the workspace associated with the traffic processing event. If there is no workspace, a dash is displayed. |
| | Name of the user account that initiated the HTTP request. |
| | Client application that initiated the HTTP request. |
| | IP address of the computer from which the HTTP request was sent. |
| | URL of the web resource that the user requested. |
| | Result of scanning a URL to check if it matches objects detected by KATA. The following values are possible: |
| | For a multipart MIME type object, information about all constituent parts is provided. For each constituent part, the For example, |
| | Name of the scanned object. If the HTTP message does not contain any objects, |
| | Size of the scanned object. If the HTTP message does not contain objects or the file size is not required for applying rules, |
| | MIME type of the multipart object constituent part. The Content-Type header value is used. If the HTTP message does not contain objects or the MIME type definition is not required for applying rules, |
| | Result of checking whether an object must be sent to the KATA server. The following values are possible: |
| | ID assigned to an object by the application. The ID is transmitted only if one of the following statuses was assigned when checking whether the object must be sent to the KATA server: For other statuses, the |
| | Names of triggered traffic processing rules in the following format: If a rule is not associated with a workspace, a dash is displayed instead of the workspace name. If a rule is not part of a group of rules, a dash is displayed instead of the group name. If no traffic processing rule has been applied, the default protection policy is applied. The |
| | Results of a web resource scan by the Anti-Virus module. The following values are possible: |
| | Results of a web resource scan by the Anti-Phishing module. The following values are possible: |
| | Results of scanning links for malicious objects. The following values are possible: |
| | Information about encryption of the scanned object. The following values are possible: |
| | Information about the presence of macros in the scanned object. The following values are possible: |
| | Result of scanning a file contained in an HTTP message or a constituent part (for multipart objects) to check if they match objects detected by KATA. The following values are possible: |
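The following parser for the <key>="<value>" field format described above is an added example, not the vendor's code. It assumes a BSD-style syslog header (timestamp, host, application name followed by a colon) and uses constructed placeholder key names (type, method, url, client_ip, rules) rather than the product's real keys; the point it shows is that splitting on ':' must respect the quoted values, because a URL value itself contains colons, and that ',' may only be treated as a list separator for keys known to carry several values.

```python
import re
from typing import Dict, List, Union

# Assumed BSD-style syslog header: "<Mon dd HH:MM:SS> <host> <app>: <body>".
_HEADER = re.compile(r"^(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<app>[^:\s]+): (?P<body>.*)$")
# One <key>="<value>" pair; the value runs up to the closing double quote.
_PAIR = re.compile(r'([A-Za-z0-9_.-]+)="([^"]*)"')
# Placeholder key names (not the product's); these carry comma-separated lists.
MULTI_VALUE_KEYS = frozenset({"rules"})


def parse_fields(body: str, multi_value_keys=MULTI_VALUE_KEYS) -> Dict[str, Union[str, List[str]]]:
    """Split the application part on the ':' between pairs only.

    Matching the quoted value first means a ':' inside a URL value is never
    taken as a key separator, which a plain body.split(":") gets wrong.
    A ',' splits a value only for keys declared multi-valued, because the
    documented format defines no escaping for a comma inside one value.
    """
    fields: Dict[str, Union[str, List[str]]] = {}
    pos = 0
    while pos < len(body):
        m = _PAIR.match(body, pos)
        if m is None:
            raise ValueError(f"malformed field at offset {pos}: {body[pos:pos + 24]!r}")
        key, value = m.group(1), m.group(2)
        fields[key] = value.split(",") if key in multi_value_keys else value
        pos = m.end()
        if pos < len(body):
            if body[pos] != ":":
                raise ValueError(f"expected ':' between fields at offset {pos}")
            pos += 1
    return fields


def parse_line(line: str) -> Dict[str, object]:
    """Parse a whole syslog line, rejecting anything not logged by KWTS."""
    m = _HEADER.match(line)
    if m is None or m.group("app") != "KWTS":
        raise ValueError("not a KWTS syslog line")
    return {"time": m.group("time"), "host": m.group("host"),
            "app": m.group("app"), **parse_fields(m.group("body"))}


# Constructed sample line (placeholder keys and values, not real product output).
SAMPLE = ('Dec 13 12:34:56 proxy01 KWTS: type="Request":method="GET":'
          'url="http://example.test/login?next=/a,b":client_ip="10.0.0.5":'
          'rules="rule-a,rule-b"')
```

When feeding these events to a SIEM, map the placeholder names to the real keys from the table above and extend MULTI_VALUE_KEYS with every key the table documents as comma-separated.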