Contents and properties of syslog messages in the CEF format

3 July 2024

ID 267200

Information about each detected event is sent immediately after the occurrence of the event as a separate syslog message in the CEF format in UTF-8 encoding.

A CEF message consists of the message body and header.

The CEF message header consists of the following parts:

  • Syslog prefix: <event date and time> <name of the host on which the event occurred>.
  • A sequence of fields separated by "|" characters and separated from the syslog prefix by a space. All fields are required.
    • Format version. Currently, the version number is 0, so the field looks like "CEF:0".
    • Vendor. The value of this field is AO Kaspersky Lab.
    • Application name. The value of this field is Kaspersky Web Traffic Security.
    • Product version. The value of this field is the current version of the product (6.1.0.xxxx).
    • Event class.
    • Event name.
    • Severity level. Can be Low, Medium, or High.

      Example:

      Oct 30, 2021 10:34:23 host.domain.com CEF:0|AO Kaspersky Lab|Kaspersky Web Traffic Security|6.1.0.1234|LMS_EV_SETTINGS_CHANGED|task settings changed|Low|…

The fields of the syslog message about an event, which are determined by the application settings, have the format <key>="<value>". If a key has multiple values, these values are separated with a comma. A colon is used as the separator between keys.

The keys and their values contained in the message depend on the class of the event.

The maximum size of a syslog message about a detected event depends on the values of the syslog settings on the server on which Kaspersky Web Traffic Security is installed. You can only configure syslog messages to a single external syslog server.

Character encoding rules in CEF messages:

  • Spaces do not need to be escaped.
  • In the header, the vertical bar character ("|") is used as a separator. If you need to use this character in one of the header fields, you must escape it with a backslash ("\|"). In the message body, you do not need to escape the "|" character.
  • Single backslashes are not allowed in the message header or message body. If you need to use a backslash in a header field, duplicate the character ("\\").
  • In the message body, the "=" character is used as a separator for the "key-value" pair. If you need to use this character in one of the message body fields, you must escape it with a backslash ("\="). In the header, the "=" character does not require escaping.
  • Multi-line values are only allowed for the values in key/value pairs. To indicate a line break, use the "\n" or "\r" characters.
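As an added illustration (not code from the product documentation), the following Python parser reads a message built according to the rules above: it splits the header on unescaped "|", resolves the header and body escapes, validates the severity, and collects the key="value" pairs of the body. The sample message, the key names in its body, and the assumption that values contain no unescaped double quote are constructed for this example.

```python
import re
# Constructed sample (not real product output) written per the rules above: the body value
# C:\tmp\rule=1 appears with doubled backslashes and an escaped "=", keys are ':'-separated.
SAMPLE = ('Oct 30, 2021 10:34:23 host.domain.com '
          'CEF:0|AO Kaspersky Lab|Kaspersky Web Traffic Security|6.1.0.1234'
          '|LMS_EV_SETTINGS_CHANGED|task settings changed|Low|'
          'user="admin":path="C:\\\\tmp\\\\rule\\=1":ids="10,11"')
HEADER_NAMES = ('version', 'vendor', 'product', 'product_version',
                'event_class', 'event_name', 'severity')
# key="value" pairs; a value may hold any backslash escape but no bare '"' (assumption)
PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

def split_header(s, sep='|', nfields=7):
    """Cut nfields header fields off s, resolving backslash-pipe and doubled backslash;
    the remainder (the body) is returned with its escapes untouched."""
    fields, cur, i = [], [], 0
    while i < len(s) and len(fields) < nfields:
        ch = s[i]
        if ch == '\\' and i + 1 < len(s):      # escaped character: keep it literally
            cur.append(s[i + 1])
            i += 2
            continue
        if ch == sep:
            fields.append(''.join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    fields.append(s[i:] if len(fields) == nfields else ''.join(cur))
    return fields

def unescape_body(value):
    """Resolve body escapes: escaped '=', doubled backslash, and \\n / \\r line breaks."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 'r': '\r'}.get(m.group(1), m.group(1)), value)

def parse_cef(line):
    """Parse one syslog line in the CEF format described above into a dict."""
    start = line.find('CEF:')
    if start < 0:
        raise ValueError('no CEF header in message')
    timestamp, _, host = line[:start].rstrip().rpartition(' ')  # "<date time> <host>"
    parts = split_header(line[start:])
    if len(parts) != 8:
        raise ValueError('expected 7 header fields followed by the body')
    header = dict(zip(HEADER_NAMES, parts[:7]))
    header['version'] = parts[0][len('CEF:'):]
    if header['severity'] not in ('Low', 'Medium', 'High'):
        raise ValueError('unexpected severity %r' % header['severity'])
    # multi-valued keys are comma separated, so every key is normalised to a list
    body = {k: unescape_body(v).split(',') for k, v in PAIR_RE.findall(parts[7])}
    return {'timestamp': timestamp, 'host': host, **header, 'extensions': body}
```

A message that lacks the CEF header, has fewer than seven header fields, or carries an unknown severity is rejected rather than partially ingested, which is the behaviour a SIEM collector should have for malformed input.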

In this section:

  • Classes of events of the Settings group
  • Classes of events of the Tasks group
  • Classes of events of the License group
  • Classes of events of the Update group
  • Classes of events of the ICAP group
