
CEF Alert Logs

CEF key: Header (timestamp)
Description: Local time in the format "Mmm dd hh:mm:ss"
Value: Example: Dec 5 05:26:45

CEF key: Header (host)
Description: Hostname without the domain information
Value: Example: internalAP1

CEF key: Header (logVer)
Description: CEF format version
Value: CEF:0

CEF key: Header (vendor)
Description: Appliance vendor
Value: Trend Micro

CEF key: Header (pname)
Description: Appliance product
Value: Deep Discovery Email Inspector

CEF key: Header (pver)
Description: Appliance version
Value: Example: 5.1.0.1110

CEF key: Header (eventid)
Description: Signature ID
Value: 300105

CEF key: Header (eventName)
Description: Description
Value: ALERT_EVENT

CEF key: Header (severity)
Description: Alert severity
Value:
  • 2: Informational
  • 6: Important
  • 8: Critical

CEF key: cs1
Description: Alert name
Value: Example: Security: Suspicious Messages Identified

CEF key: cs1Label
Description: Alert name
Value: ruleName

CEF key: cs2
Description: Description
Value: Example: 1 or more messages detected with threats

CEF key: cs2Label
Description: Description
Value: ruleCriteria

CEF key: cs3
Description: Triggered value
Value: Example: 35

CEF key: cs3Label
Description: Triggered value
Value: eventTriggeredValue

CEF key: cs4
Description: Notification content
Value: Example:
  The following email messages contain threats:

  Risk: Medium (Malware)
  Action: Quarantined
  Message ID: <20150619032243.5923E650365@localhost.ddei-164>
  Recipients: fake@test.com;test@test.com
  Sender: test@fake.test
  Subject: high_4_file_507ECC33FA60979F6B97D84DA47972096185C263
  Attachment: 4_file_507ECC33FA60979F6B97D84DA47972096185C263 (MIME Base64)
  Detected: 2015-05-25 11:11:00

  Alert time: 2015-05-25 11:11:27 +0800

Note: The maximum length is 1023 characters.

CEF key: cs4Label
Description: Notification content
Value: ruleContent

CEF key: deviceExternalId
Description: Appliance GUID
Value: Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536

CEF key: dvc
Description: Appliance IP address
Value: Example: 10.1.144.199

CEF key: dvchost
Description: Appliance host name
Value: Example: localhost

CEF key: dvcmac
Description: Appliance MAC address
Value: Example: 00:0C:29:6E:CB:F9

CEF key: externalId
Description: The logid in the alert database
Value: Example: 1648

CEF key: rt
Description: Log generation time
Value: Example: Mar 09 2015 17:05:21 GMT+00:00
Log sample:

May 15 16:00:47 localhost CEF:0|Trend Micro|Deep Discovery Email Inspector|2.5.1.1009|300105|ALERT_EVENT|6|rt=Jun 16 2015 09:26:25 GMT+00:00 cs1Label=ruleName cs1=Security: Threat Messages cnt=1 cs2Label=ruleCriteria cs2=At least 1 threat message detected externalId=1299 cs3Label=ruleContent cs3=The%20following%20email%20messages%20contain%20threats%3A%0A%0A%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%0ARisk%3A%20Medium%20%28Malware%29%0AAction%3A%20%20Quarantined%0AMessage%20ID%3A%20%3C20150616092610.B56A66503C6%40localhost.ddei-164%3E%0ARecipients%3A%20fake%40test.com%3Btest%40test.com%0ASender%3A%20test%40fake.test%0ASubject%3A%20temail%20-%20Copyaaa... dvcmac=00:50:56:01:2C:BC dvchost=localhost.ddei-164 deviceExternalId=361a091c-addd-40cf-98e7-710e43500a66 dvc=10.204.253.164
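Two things about the sample matter when you ingest these alerts. First, the notification content is percent-encoded (%20, %3A, %0A) inside the extension, so the "Key: value" lines of the notification only appear after decoding. Second, the sample carries the content in cs3 with cs3Label=ruleContent, while the table above lists ruleContent under cs4 (and a cnt field that the table does not describe), so a parser must resolve each csN field through its csNLabel rather than by position. The following Python parser is an added example written for this page, not Trend Micro's code: it splits the CEF header honouring the \| escape, splits the extension into key=value pairs, resolves the custom-string labels, decodes the notification and extracts its fields. SAMPLE is constructed from the log sample above with the run of "=" shortened and the subject truncated ("aaa...") exactly as on the page; the function names, the severity name table (taken from the severity row above) and the shape of the returned dict are my own choices.

```python
"""Parse a Deep Discovery Email Inspector CEF ALERT_EVENT line (added example)."""
import re
from urllib.parse import unquote

# Constructed from the log sample on this page; the '=' separator line is
# shortened and the Subject is truncated ("aaa...") as on the page.
SAMPLE = (
    "May 15 16:00:47 localhost CEF:0|Trend Micro|Deep Discovery Email Inspector"
    "|2.5.1.1009|300105|ALERT_EVENT|6|rt=Jun 16 2015 09:26:25 GMT+00:00 "
    "cs1Label=ruleName cs1=Security: Threat Messages cnt=1 "
    "cs2Label=ruleCriteria cs2=At least 1 threat message detected "
    "externalId=1299 cs3Label=ruleContent "
    "cs3=The%20following%20email%20messages%20contain%20threats%3A%0A%0A"
    "%3D%3D%3D%3D%0ARisk%3A%20Medium%20%28Malware%29%0AAction%3A%20%20Quarantined"
    "%0AMessage%20ID%3A%20%3C20150616092610.B56A66503C6%40localhost.ddei-164%3E"
    "%0ARecipients%3A%20fake%40test.com%3Btest%40test.com"
    "%0ASender%3A%20test%40fake.test%0ASubject%3A%20temail%20-%20Copyaaa... "
    "dvcmac=00:50:56:01:2C:BC dvchost=localhost.ddei-164 "
    "deviceExternalId=361a091c-addd-40cf-98e7-710e43500a66 dvc=10.204.253.164"
)

HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")
# Severity values this product emits, per the table on the page.
SEVERITY_NAMES = {"2": "Informational", "6": "Important", "8": "Critical"}


def split_cef_header(record):
    """Split the text after 'CEF:' into the 7 header fields and the extension.

    Header fields escape a literal pipe as '\\|' and a backslash as '\\\\',
    so walk the string instead of splitting on every '|'.
    """
    fields, cur, i = [], [], 0
    while i < len(record) and len(fields) < len(HEADER_FIELDS):
        ch = record[i]
        if ch == "\\" and i + 1 < len(record):
            cur.append(record[i + 1])      # escaped character, taken literally
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("malformed CEF header")
    return dict(zip(HEADER_FIELDS, fields)), record[i:]


def parse_extension(ext):
    """Parse 'key=value key=value' where values may contain spaces.

    A new pair starts at a space followed by a bare key and '='; an '='
    inside a value must be escaped as '\\=' in CEF, which the lookahead does
    not match. Extension escapes ('\\=', '\\\\', '\\n', '\\r') are undone.
    """
    pairs = {}
    for chunk in re.split(r" (?=[A-Za-z0-9_]+=)", ext.strip()):
        key, _, value = chunk.partition("=")
        pairs[key] = re.sub(r"\\(.)",
                            lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                            value)
    return pairs


def resolve_labels(pairs):
    """Expose csN/cnN values under the names given by csNLabel/cnNLabel.

    The page's table puts ruleContent in cs4 but its sample carries it in
    cs3, so never rely on the position of a custom field.
    """
    resolved = dict(pairs)
    for key, label in pairs.items():
        m = re.fullmatch(r"(c[sn]\d+)Label", key)
        if m and m.group(1) in pairs:
            resolved[label] = pairs[m.group(1)]
    return resolved


def parse_rule_content(encoded):
    """Percent-decode the notification body and collect its 'Key: value' lines."""
    text = unquote(encoded)
    details = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip() and not key.startswith("="):
            details[key.strip()] = value.strip()
    if "Recipients" in details:                 # page shows ';'-separated addresses
        details["Recipients"] = details["Recipients"].split(";")
    return text, details


def parse_alert(line):
    """Parse one syslog line carrying a CEF ALERT_EVENT into a dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    header, ext = split_cef_header(line[start + len("CEF:"):])
    fields = resolve_labels(parse_extension(ext))
    body, details = parse_rule_content(fields.get("ruleContent", ""))
    return {"syslog_prefix": line[:start].rstrip(), "header": header,
            "severity_name": SEVERITY_NAMES.get(header["severity"], "Unknown"),
            "extension": fields, "content_text": body, "content": details}


if __name__ == "__main__":
    alert = parse_alert(SAMPLE)
    print(alert["severity_name"], alert["extension"]["ruleName"])
    print(alert["content"])
```

Because the notification is capped at 1023 characters (cs4 row above) and the sample subject is visibly cut off, treat the decoded Subject and Attachment values as possibly truncated and key any correlation on Message ID, externalId and deviceExternalId instead.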