Content and properties of syslog messages in CEF format

3 July 2024

ID 151684

Information about each detected event is relayed as a separate syslog message in CEF format with UTF-8 encoding.

Each message consists of a syslog header and a body that carries the CEF record. The syslog header contains the following fields, which are defined by the syslog protocol settings of the operating system:

  • Date and time of the event
  • Name of the host where the event occurred
  • Name of the application (always KSMG)

The fields defined by the application settings are carried in the CEF part of the message: the seven CEF header fields (version, vendor, product, product version, event identifier, event name, severity) are separated by the "|" character, and the event-specific fields that follow them are written as <key>=<value> pairs separated by spaces, as in the example below. If a key has multiple values, the values are separated by commas.

The keys and their values contained in a message depend on the specific class of the event.

Example (severity, taskId, taskName and created/changed/deleted are placeholders for the actual values):

July 16 10:34:23 host.domain.com KSMG: CEF:0|AO Kaspersky Lab|Kaspersky Secure Mail Gateway|2.0.0.1234|LMS_EV_SETTINGS_CHANGED|task settings changed|severity|cn1=taskId cn1Label=TaskId cs1=taskName cs1Label=TaskName act=created/changed/deleted
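The parser below is an added example written for this article; it is not code from Kaspersky Secure Mail Gateway. It splits a line of the form shown above into the syslog header, the seven pipe-delimited CEF header fields and the key=value extension, and applies the cnNLabel/csNLabel naming convention so that cn1=taskId cn1Label=TaskId comes out as a field named TaskId. The sample line is constructed: the timestamp, host and header fields follow the example above, while the severity (5), task ID (42), task name and act value are made-up placeholders. The escape rules it honours ("\|" and "\\" in header fields, "\=" and "\\" in extension values) come from the CEF specification rather than from this page.

```python
import re
from typing import Any, Dict, List, Tuple

# Constructed sample line, modelled on the KSMG message shown in this article.
# Timestamp, host and CEF header follow the article; severity 5, task id 42,
# the task name and act=changed are made-up values for the placeholders.
SAMPLE = (
    "July 16 10:34:23 host.domain.com KSMG: CEF:0|AO Kaspersky Lab|"
    "Kaspersky Secure Mail Gateway|2.0.0.1234|LMS_EV_SETTINGS_CHANGED|"
    "task settings changed|5|cn1=42 cn1Label=TaskId cs1=Anti-Spam scan "
    "cs1Label=TaskName act=changed"
)

# Syslog header as described in the article: timestamp, host, app name ("KSMG").
SYSLOG_RE = re.compile(
    r"^(?P<timestamp>[A-Za-z]{3,9}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\s]+): (?P<cef>CEF:\d+\|.*)$",
    re.S,
)

CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")

# An extension key is a run of [A-Za-z0-9_.] at the start or after whitespace,
# immediately followed by "=". Values are delimited by the *next* key, not by
# spaces, so multi-word values such as a task name survive.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def split_cef_header(cef: str) -> Tuple[List[str], str]:
    """Split the 7 pipe-delimited CEF header fields from the extension.

    "\\|" and "\\\\" inside header fields are escapes (CEF spec), so a naive
    cef.split("|") would mis-parse a vendor or event name containing "|".
    """
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef) and cef[i + 1] in "|\\":
            buf.append(cef[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 pipe-delimited fields")
    return fields, cef[i:]


def parse_extension(ext: str) -> Dict[str, str]:
    """Parse the space-separated key=value extension, unescaping \\= and \\\\."""
    out: Dict[str, str] = {}
    keys = list(EXT_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = re.sub(r"\\([=\\nr])", lambda e: EXT_ESCAPES[e.group(1)], raw)
    return out


def resolve_labels(ext: Dict[str, str]) -> Dict[str, Any]:
    """Apply CEF custom-field labels: cn1=42 cn1Label=TaskId becomes TaskId: 42."""
    resolved: Dict[str, Any] = {}
    for key, val in ext.items():
        if key.endswith("Label"):
            continue  # consumed when its base field is processed
        name = ext.get(key + "Label", key)
        if re.fullmatch(r"cn\d+", key) and re.fullmatch(r"-?\d+", val):
            resolved[name] = int(val)  # custom number fields are integers
        else:
            resolved[name] = val
    return resolved


def parse_ksmg_syslog(line: str) -> Dict[str, Any]:
    """Turn one syslog line carrying a KSMG CEF message into a flat record."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line carrying a CEF message")
    header, ext = split_cef_header(m.group("cef"))
    rec: Dict[str, Any] = dict(zip(CEF_HEADER_FIELDS, header))
    rec["version"] = rec["version"].split(":", 1)[1]  # "CEF:0" -> "0"
    if rec["severity"].isdigit():
        rec["severity"] = int(rec["severity"])
    rec["timestamp"], rec["host"], rec["app"] = m.group("timestamp", "host", "app")
    rec["extension"] = resolve_labels(parse_extension(ext))
    return rec


if __name__ == "__main__":
    for k, v in parse_ksmg_syslog(SAMPLE).items():
        print(f"{k}: {v}")
```

Two points matter when feeding these records to a SIEM: the event class is identified by the signature ID (LMS_EV_SETTINGS_CHANGED here), so key detection rules on that field rather than on the free-text event name, and a key whose value holds several comma-separated items arrives as a single string that the consumer still has to split.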

The maximum size of a syslog message about a detected event depends on the syslog settings of the server on which Kaspersky Secure Mail Gateway is installed. Forwarding of syslog messages can be configured for only one external syslog server at a time.
