Format of RAW logs in ICAP mode
5 March 2024
ID 186652
If Kaspersky Scan Engine is configured to write syslog messages in RAW format, the log records about events appear as follows:
<%PRIORITY%>1 %TIMESTAMP% %ICAP_SERVICE_IP% KasperskyICAPServer %ICAP_SERVICE_PID% %MESSAGE_ID% [KL_ICAP@23668 icapMode="%ICAP_MODE%" requestLength="%REQUEST_LENGTH%" httpUserName="%HTTP_USER_NAME%" httpUserIP="%HTTP_USER_IP%" sha2="%SCANNED_FILE_SHA256_HASH%" md5="%SCANNED_FILE_MD5_HASH%" request="%SCANNED_URL%"] BOM %MESSAGE%
A record has the following fields:
%PRIORITY%
Importance level of the event. Possible values:
163: This value is specified for errors.
165: This value is specified if the scan result is something other than CLEAN.
166: This value is specified for service events or if the scan result is CLEAN.
%TIMESTAMP%
Date and time of the event in the Coordinated Universal Time (UTC) time zone.
%ICAP_SERVICE_IP%
IP address of the computer that Kaspersky Scan Engine runs on.
%ICAP_SERVICE_PID%
PID of the Kaspersky Scan Engine.
%MESSAGE_ID%
Class of the event. Possible values:
AUDIT_MESSAGE — Audit event.
INIT_MESSAGE — KAV SDK initialized.
DEINIT_MESSAGE — KAV SDK deinitialized, a watchdog event occurred, or the service process is absent.
UPDATE_MESSAGE — Anti-malware databases update started or finished.
LICENSE_MESSAGE — License-related event.
ENGINE_MESSAGE — Antivirus engine event occurred.
SCAN_RESULT_CLEAN_MESSAGE — Scanned object considered clean.
SCAN_RESULT_DETECT_MESSAGE — Threat was detected.
SCAN_RESULT_OTHER_MESSAGE — Object was not scanned.
%ICAP_MODE%
Specifies whether Kaspersky Scan Engine scanned an object in Request Modification Mode (REQMOD) or Response Modification Mode (RESPMOD). This field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE.
%REQUEST_LENGTH%
Length of the body of the HTTP message scanned by Kaspersky Scan Engine. This field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE and the scanned object is not a URL.
%HTTP_USER_NAME%
Name of the HTTP client that was specified in the HTTPUserNameICAPHeader parameter of the ICAP mode configuration file. The %HTTP_USER_NAME% field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE.
%HTTP_USER_IP%
IP address of the HTTP client that was specified in the HTTPClientIpICAPHeader parameter of the ICAP mode configuration file. The %HTTP_USER_IP% field appears only if the value of %MESSAGE_ID% is SCAN_RESULT_MESSAGE.
%SCANNED_FILE_SHA256_HASH%
SHA256 hash of the object that was passed for scanning to Kaspersky Scan Engine. This field appears only when Kaspersky Scan Engine returns the scan result.
%SCANNED_FILE_MD5_HASH%
MD5 hash of the object that was passed for scanning to Kaspersky Scan Engine. This field appears only when Kaspersky Scan Engine returns the scan result.
%SCANNED_URL%
URL address scanned by KAV SDK. The %SCANNED_URL% field appears only in scan result events (SCAN_RESULT_CLEAN_MESSAGE, SCAN_RESULT_DETECT_MESSAGE, SCAN_RESULT_OTHER_MESSAGE event types).
%MESSAGE%
Description of the event. For example, the text of an error message.
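The record layout above is RFC 5424 syslog with one structured-data element (KL_ICAP@23668), so a SIEM collector needs to split the header, the quoted SD-PARAMs and the free-text message, and the PRI value decodes as facility*8 + severity (163, 165 and 166 are facility 20 with severities 3, 5 and 6). The following parser is an added example written for this page; it is not Kaspersky code. It assumes that the "BOM" token in the template stands for the UTF-8 byte order mark RFC 5424 places before the message (it tolerates the literal token, the real U+FEFF character, or neither), and the three sample records are constructed, not captured from a real deployment. Besides parsing, it collects the hashes and client addresses of SCAN_RESULT_DETECT_MESSAGE events for IOC review and flags records whose priority does not match the rule for their scan-result class.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Record layout documented on the page:
# <PRI>1 TIMESTAMP HOST KasperskyICAPServer PID MSGID [KL_ICAP@23668 k="v" ...] BOM MESSAGE
RECORD_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) '
    r'(?P<pid>\S+) (?P<msgid>\S+) '
    r'\[KL_ICAP@23668(?P<sd>(?: [A-Za-z0-9]+="(?:[^"\\]|\\.)*")*)\] '
    r'(?:\ufeff|BOM )?(?P<msg>.*)$'          # assumption: "BOM" = UTF-8 byte order mark
)
PARAM_RE = re.compile(r' ([A-Za-z0-9]+)="((?:[^"\\]|\\.)*)"')

# Priority the page assigns to each scan-result class (166 = CLEAN, 165 = anything else).
SCAN_RESULT_PRIORITY = {
    "SCAN_RESULT_CLEAN_MESSAGE": 166,
    "SCAN_RESULT_DETECT_MESSAGE": 165,
    "SCAN_RESULT_OTHER_MESSAGE": 165,
}


@dataclass
class IcapRecord:
    priority: int
    facility: int      # PRI // 8  (RFC 5424)
    severity: int      # PRI % 8   (3 = err, 5 = notice, 6 = info)
    timestamp: str     # UTC, kept as the string the engine wrote
    host: str
    app: str
    pid: str
    message_id: str
    params: dict       # SD-PARAMs: icapMode, requestLength, httpUserName, httpUserIP, sha2, md5, request
    message: str


def _unescape(value: str) -> str:
    # RFC 5424 escapes '"', '\' and ']' inside a PARAM-VALUE with a backslash.
    return re.sub(r'\\(["\\\]])', r'\1', value)


def parse_record(line: str) -> IcapRecord:
    """Parse one RAW-format ICAP syslog record; raise ValueError on anything else."""
    m = RECORD_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a RAW ICAP record: " + line[:60])
    pri = int(m["pri"])
    params = {k: _unescape(v) for k, v in PARAM_RE.findall(m["sd"])}
    return IcapRecord(pri, pri // 8, pri % 8, m["ts"], m["host"], m["app"],
                      m["pid"], m["msgid"], params, m["msg"])


def summarize(lines):
    """Count event classes, collect detection IOCs and flag priority/class mismatches."""
    counts, detections, anomalies = Counter(), [], []
    for line in lines:
        rec = parse_record(line)
        counts[rec.message_id] += 1
        if rec.message_id == "SCAN_RESULT_DETECT_MESSAGE":
            detections.append({
                "time": rec.timestamp,
                "sha256": rec.params.get("sha2"),
                "md5": rec.params.get("md5"),
                "url": rec.params.get("request"),
                "client": rec.params.get("httpUserIP"),
                "user": rec.params.get("httpUserName"),
                "verdict": rec.message,
            })
        expected = SCAN_RESULT_PRIORITY.get(rec.message_id)
        if expected is not None and rec.priority != expected:
            anomalies.append(f"{rec.timestamp} {rec.message_id}: priority {rec.priority}, expected {expected}")
    return {"counts": dict(counts), "detections": detections, "anomalies": anomalies}


# Constructed sample records (hashes, addresses and names are placeholders).
SAMPLE_LINES = [
    '<165>1 2024-03-05T10:15:30Z 192.0.2.10 KasperskyICAPServer 4242 SCAN_RESULT_DETECT_MESSAGE '
    '[KL_ICAP@23668 icapMode="RESPMOD" requestLength="68" httpUserName="alice" '
    'httpUserIP="198.51.100.7" sha2="' + "a" * 64 + '" md5="' + "b" * 32 + '" '
    'request="http://example.com/eicar.com"] \ufeffDetected: EICAR-Test-File',
    '<166>1 2024-03-05T10:15:31Z 192.0.2.10 KasperskyICAPServer 4242 SCAN_RESULT_CLEAN_MESSAGE '
    '[KL_ICAP@23668 icapMode="REQMOD" httpUserName="bob" httpUserIP="198.51.100.8" '
    'request="http://example.com/?q=\\"x\\""] BOM Clean',
    '<163>1 2024-03-05T10:15:32Z 192.0.2.10 KasperskyICAPServer 4242 ENGINE_MESSAGE '
    '[KL_ICAP@23668] Engine error (constructed text)',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        r = parse_record(line)
        print(r.severity, r.message_id, r.params.get("httpUserIP"), r.message)
    print(summarize(SAMPLE_LINES))
```

The second sample deliberately omits requestLength (a URL scan in REQMOD) and carries an escaped quote in the request value, so the parser is exercised on both optional-field and escaping cases; the priority check is useful for spotting a forwarder or template change that silently breaks severity-based alert routing.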