ScanLogic group event classes

16 April 2024

ID 151789

In the body of CEF messages for classes of ScanLogic group events, you can use keys in accordance with their semantics (see the table below).

Permissible values of the fields for classes of ScanLogic group events

| Event class | Key | Value |
|---|---|---|
| All ScanLogic group classes | cs1 | Message ID. |
| | cs1Label | Its value is always MessageId. |
| | src | IP address of the server from which the message was received, in IPv4 format. |
| | c6a2 | IP address of the server from which the message was received, in IPv6 format. |
| | act | Action. |
| | suser | Mail sender. The address is taken from the SMTP session. |
| | duser | List of message recipients. The addresses are taken from the SMTP session. |
| | cs2 | List of rules. |
| | cs2Label | Its value is always Rules. |
| | outcome | Scan status. |
| | KSMGMessageSubject | Email subject. |
| | KSMGRuleNames | Rule names. |
| | KSMGAvDetectionMethods | Detection method. |
| | fileHash | Hash of the MIME part of the message. |
| | KSMGMessageHashType | Hash algorithm. |
| | KSMGBackupResult | Indicates whether the message was sent to Backup. |
| | KSMGApStatus | Result of scan by the Anti-Phishing module. |
| | KSMGMlfStatus | Result of link scan. |
| | KSMGAvStatus | Result of scan by the Anti-Virus module. |
| | KSMGAsStatus | Result of scan by the Anti-Spam module. |
| | KSMGCfStatus | Result of scan by the Content Filtering module. |
| | KSMGMaStatus | Result of Mail Sender Authentication. |
| | KSMGKtStatus | Result of scan by the KATA Protection module. |
| LMS_EV_SCAN_LOGIC_AV_STATUS | act | Action. Possible values: Skipped, Disinfected, AttachmentsDeleted, Rejected, Deleted. |
| | fsize | Message size. |
| | reason | Reason for the event. |
| | outcome | Scan status. Possible values: NotScanned, BasesError, NotDetected, Encrypted, Error, Disinfected, Infected. |
| LMS_EV_SCAN_LOGIC_AS_STATUS | act | Action. Possible values: Skipped, Disinfected, AttachmentsDeleted, Rejected, Deleted. |
| | cs3 | List of recipients of notifications about triggered rules for which a notification is configured with the original message in an attachment. The addresses are taken from the SMTP session. |
| | cs3Label | Its value is always UnsafeRecipients. |
| | cs4 | Detection method. |
| | cs4Label | Its value is always Method. |
| | fsize | Message size. |
| | outcome | Scan status. Possible values: NotScanned, BasesError, NotDetected, Trusted, Formal, Error, ProbableSpam, Denylisted, Spam, MASSMAIL. |
| | reason | Reason for the event. |
| LMS_EV_SCAN_LOGIC_AP_STATUS | act | Action. Possible values: Skipped, Disinfected, AttachmentsDeleted, Rejected, Deleted. |
| | cs3 | List of recipients of notifications about triggered rules for which a notification is configured with the original message in an attachment. The addresses are taken from the SMTP session. |
| | cs3Label | Its value is always UnsafeRecipients. |
| | cs4 | Detection method. |
| | cs4Label | Its value is always Method. |
| | fsize | Message size. |
| | outcome | Scan status. Possible values: NotScanned, BasesError, NotDetected, Error, Phishing. |
| | reason | Reason for the event. |
| LMS_EV_SCAN_LOGIC_MLF_STATUS | act | Action. Possible values: Skipped, Disinfected, AttachmentsDeleted, Rejected, Deleted. |
| | cs3 | List of recipients of notifications about triggered rules for which a notification is configured with the original message in an attachment. The addresses are taken from the SMTP session. |
| | cs3Label | Its value is always UnsafeRecipients. |
| | cs4 | Detection method. |
| | cs4Label | Its value is always Method. |
| | fsize | Message size. |
| | outcome | Scan status. Possible values: NotScanned, BasesError, NotDetected, Error, Detected. |
| | reason | Reason for the event. |
| LMS_EV_SCAN_LOGIC_MA_STATUS | act | Action. Possible values: Skipped, Disinfected, AttachmentsDeleted, Rejected, Deleted. |
| | cs3 | List of recipients of notifications about triggered rules for which a notification is configured with the original message in an attachment. The addresses are taken from the SMTP session. |
| | cs3Label | Its value is always UnsafeRecipients. |
| | cs4 | SPF status. |
| | cs4Label | Its value is always SpfVerdict. |
| | cs5 | DKIM status. |
| | cs5Label | Its value is always DkimVerdict. |
| | cs6 | DMARC status. |
| | cs6Label | Its value is always DmarcVerdict. |
| | fsize | Message size. |
| | outcome | Scan status. Possible values: NotScanned, BasesError, ViolationNotFound, ViolationFound. |
| | reason | Reason for the event. |
| LMS_EV_SCAN_LOGIC_KT_STATUS | act | Action. Possible values: Skipped, Disinfected, AttachmentsDeleted, Rejected, Deleted. |
| | cs3 | List of recipients of notifications about triggered rules for which a notification is configured with the original message in an attachment. The addresses are taken from the SMTP session. |
| | cs3Label | Its value is always UnsafeRecipients. |
| | cs4 | Reason for skipping the scan. |
| | cs4Label | Its value is always SkipReason. |
| | cs5 | Name of the user account that extracted the message from KATA Quarantine. |
| | cs5Label | Its value is always Account. |
| | fsize | Message size. |
| | outcome | Scan status. Possible values: NotScanned, BasesError, NotDetected, Error, Detected, Skipped. |
| | reason | Reason for the event. |
| LMS_EV_SCAN_LOGIC_CF_STATUS | act | Action. Possible values: Skipped, Disinfected, AttachmentsDeleted, Rejected, Deleted. |
| | cs3 | List of recipients of notifications about triggered rules for which a notification is configured with the original message in an attachment. The addresses are taken from the SMTP session. |
| | cs3Label | Its value is always UnsafeRecipients. |
| | cs4 | DetectedFileFormat, DetectedFileName, DetectedFileSize |
| | cs4Label | The value is always DetectedEntity. |
| | fsize | Message size. |
| | outcome | Scan status. Possible values: NotScanned, BasesError, NotDetected, Error, MatchedContent. |
| | reason | Reason for the event. |
| LMS_EV_SCAN_LOGIC_PART_RESULT | cn1 | Number of objects disinfected or deleted based on Anti-Virus scan results. For archives only. |
| | cn1Label | Its value is always ObjectsNumber. |
| | cs3 | Unscanned files. |
| | cs3Label | Its value is always AvExclude. |
| | cs4 | Names of threats. Filled only if a threat exists. |
| | cs4Label | Its value is always Threats. |
| | cs5 | List of triggered Content Filtering expressions. |
| | cs5Label | The value is always AppliedExpressions. |
| | fname | File name. |
| | fsize | Size of the MIME part of the message. |
| | outcome | Scan status. |
| | reason | Reason why a scan by the Anti-Virus module was not performed. |
| LMS_EV_SCAN_LOGIC_URL | cs3 | URL. |
| | cs3Label | The value is always URL. |
| LMS_EV_SCAN_LOGIC_MESSAGE_BACKUP | act | Action. Possible values: Skipped, Disinfected, AttachmentsDeleted, Rejected, Deleted. |
| | fsize | Message size. |
| | reason | Reason for the event. |
| LMS_EV_SCAN_LOGIC_MESSAGE_RESULT | fsize | Message size. |

Each class of ScanLogic group events can contain only keys that are relevant to it (see the table below).

Relevant keys for classes of ScanLogic group events

| Event class | Relevant keys |
|---|---|
| LMS_EV_SCAN_LOGIC_ALL_NOT_PROCESSED | cs1, cs1Label, src, c6a2, act, fsize, suser, duser, KSMGMessageSubject, reason |
| LMS_EV_SCAN_LOGIC_AS_STATUS | cs1, cs1Label, src, c6a2, act, fsize, suser, duser, KSMGMessageSubject, cs2, cs2Label, cs4, cs4Label, reason, outcome, KSMGRuleNames |
| LMS_EV_SCAN_LOGIC_AV_STATUS | cs1, cs1Label, src, c6a2, act, fsize, suser, duser, KSMGMessageSubject, cs2, cs2Label, cs3, cs3Label, reason, outcome, KSMGRuleNames |
| LMS_EV_SCAN_LOGIC_MLF_STATUS | cs1, cs1Label, src, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, outcome, KSMGRuleNames |
| LMS_EV_SCAN_LOGIC_AP_STATUS | cs1, cs1Label, src, c6a2, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, outcome, KSMGRuleNames, KSMGMessageSubject |
| LMS_EV_SCAN_LOGIC_KT_STATUS | cs1, cs1Label, src, c6a2, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, cs4, cs4Label, cs5, cs5Label, reason, outcome, KSMGMessageSubject, KSMGRuleNames |
| LMS_EV_SCAN_LOGIC_MA_STATUS | cs1, cs1Label, src, c6a2, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, cs5, cs5Label, cs6, cs6Label, outcome, KSMGMessageSubject, KSMGRuleNames |
| LMS_EV_SCAN_LOGIC_CF_STATUS | cs1, cs1Label, src, c6a2, act, fsize, suser, duser, cs2, cs2Label, cs3, cs3Label, reason, cs4, cs4Label, outcome, KSMGMessageSubject, KSMGRuleNames |
| LMS_EV_SCAN_LOGIC_PART_RESULT | cs1, cs1Label, src, c6a2, act, suser, duser, reason, outcome, KSMGMessageSubject, KSMGRuleNames, cn1, cn1Label, cs2, cs2Label, cs3, cs3Label, cs4, cs4Label, cs5, cs5Label, fname, fileHash, KSMGMessageHashType, fsize, KSMGAvDetectionMethods |
| LMS_EV_SCAN_LOGIC_URL | cs1, cs1Label, src, c6a2, suser, duser, KSMGMessageSubject, KSMGRuleNames, cs2, cs2Label, cs3, cs3Label, KSMGApStatus, KSMGMlfStatus |
| LMS_EV_SCAN_LOGIC_MESSAGE_BACKUP | cs1, cs1Label, src, c6a2, act, fsize, suser, duser, reason, cs2, cs2Label, KSMGMessageSubject, KSMGRuleNames |
| LMS_EV_SCAN_LOGIC_MESSAGE_RESULT | cs1, cs1Label, src, c6a2, act, suser, duser, KSMGMessageSubject, KSMGRuleNames, KSMGBackupResult, fsize, cs2, cs2Label, KSMGAvStatus, KSMGAsStatus, KSMGApStatus, KSMGMlfStatus, KSMGCfStatus, KSMGMaStatus, KSMGKtStatus |
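Because cs3, cs4 and cs5 mean different things in different classes (cs4 is Method, SpfVerdict, SkipReason, DetectedEntity or Threats), a log pipeline should index these values by their label and check each event's keys against the relevant-keys table. The following is an added example, not code from the product or its documentation, that does both for one CEF line. It assumes the event class name is carried in the CEF header's Device Event Class ID field; the header values, addresses, verdict strings and the stray fname key in the sample are constructed.

```python
import re

# Relevant keys for two classes, copied from the table above; extend as needed.
RELEVANT_KEYS = {
    "LMS_EV_SCAN_LOGIC_MA_STATUS": set(
        "cs1 cs1Label src c6a2 act fsize suser duser cs2 cs2Label cs3 cs3Label "
        "reason cs4 cs4Label cs5 cs5Label cs6 cs6Label outcome "
        "KSMGMessageSubject KSMGRuleNames".split()),
    "LMS_EV_SCAN_LOGIC_URL": set(
        "cs1 cs1Label src c6a2 suser duser KSMGMessageSubject KSMGRuleNames "
        "cs2 cs2Label cs3 cs3Label KSMGApStatus KSMGMlfStatus".split()),
}

HEADER_SEP = re.compile(r"(?<!\\)\|")  # unescaped pipe between header fields
# key=value pairs; a value runs until the next " key=" or the end of the line
EXT_PAIR = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

def parse_cef(line):
    """Return (event_class, extension dict) for one CEF line."""
    parts = HEADER_SEP.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    # Undo CEF escaping of '=' and '\' inside values.
    ext = {k: re.sub(r"\\([=\\])", r"\1", v) for k, v in EXT_PAIR.findall(parts[7])}
    # Assumption: the class name travels in the Device Event Class ID header field.
    return parts[4], ext

def normalize(line):
    """Resolve csN/cnN values by their label and report keys foreign to the class."""
    event_class, ext = parse_cef(line)
    labelled = {ext[k + "Label"]: v for k, v in ext.items()
                if re.fullmatch(r"c[sn]\d", k) and k + "Label" in ext}
    allowed = RELEVANT_KEYS.get(event_class)
    unexpected = None if allowed is None else sorted(set(ext) - allowed)
    return {"class": event_class, "labelled": labelled, "unexpected": unexpected}

# Constructed sample: header values, addresses and verdict strings are made up.
SAMPLE = (
    "CEF:0|ExampleVendor|ExampleProduct|0.0|LMS_EV_SCAN_LOGIC_MA_STATUS|sample|5|"
    r"cs1=msg-0001 cs1Label=MessageId src=192.0.2.10 suser=a@example.org "
    r"duser=b@example.com act=Rejected outcome=ViolationFound "
    r"KSMGMessageSubject=Invoice total\=100 EUR cs4=fail cs4Label=SpfVerdict "
    r"cs5=none cs5Label=DkimVerdict cs6=fail cs6Label=DmarcVerdict fname=x.doc"
)

if __name__ == "__main__":
    print(normalize(SAMPLE))
```

A non-empty `unexpected` list points at a parser fault, a product version whose key set differs from this table, or a message that did not come from the gateway.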
