CEF Sender Filtering/Authentication Logs
| CEF Key | Description | Value |
| --- | --- | --- |
| Header (timestamp) | Local time in the format: "Mmm dd hh:mm:ss" | Example: Dec 5 05:26:45 |
| Header (host) | Hostname without the domain information | Example: internalAP1 |
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Deep Discovery Email Inspector |
| Header (pver) | Appliance version | Example: 5.1.0.1110 |
| Header (eventid) | Signature ID | 100137 |
| Header (eventName) | Description | SENDER_FILTERING |
| Header (severity) | Email severity | 2 |
| dvc | Appliance IP address | Example: 10.1.144.199 |
| dvcmac | Appliance MAC address | Example: 00:0C:29:6E:CB:F9 |
| dvchost | Appliance host name | Example: localhost |
| deviceExternalId | Appliance GUID | Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536 |
| rt | Log generation time | Example: Mar 09 2015 17:05:21 GMT+00:00 (UTC time) |
| deviceTranslatedAddress | Relay MTA IP address | Example: 204.92.31.146 |
| suser | Email sender | Example: user2@domain.com |
| duser | Email recipients | Example: user1@domain2.com;test@163.com |
| cn1Label | Label for event type | eventType |
| cn1 | Event type | |
| act | The action in the event | |
| cn2Label | Label for sender authentication result | rfcResult |
| cn2 | Sender authentication result | |
| reason | Reason for block action | Example: No DNS txt record |
Log sample:
May 15 16:00:47 localhost CEF:0|Trend Micro|Deep Discovery Email Inspector|3.1.0.1133|100137|SENDER_FILTERING|2|rt=Apr 27 2018 01:59:38 GMT+00:00 cn1Label=eventType cn1=7 cn2Label=rfcResult cn2=5 dvchost=localhost.localdomain deviceTranslatedAddress=10.206.155.122 deviceExternalId=15129231-f1dc-4941-8014-1a1b9fbc9253 dvc=10.206.155.128 act=2 duser=user1@domain1.com;user2@domain1.com;user223@domain1.com;user4@domain1.com reason=102 suser=user1@domain2.com dvcmac=00:0C:29:8D:2E:74
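As an added example (not from the Trend Micro documentation), a Python parser for the syslog-framed CEF line above: it splits the header on unescaped pipes, scans the extension for key=value pairs whose values may contain spaces (such as rt), and resolves cn1Label/cn2Label so cn1 and cn2 surface under their labelled names eventType and rfcResult. The embedded sample is the page's own log sample with the extraction line-wraps removed; the integer meanings of cn1, cn2, act and reason are product-specific codes that this page does not enumerate, so the parser leaves them as values.

```python
import re

# Constructed sample: the page's own log line, with extraction line-wraps removed.
SAMPLE = (
    "May 15 16:00:47 localhost CEF:0|Trend Micro|Deep Discovery Email Inspector|"
    "3.1.0.1133|100137|SENDER_FILTERING|2|rt=Apr 27 2018 01:59:38 GMT+00:00 "
    "cn1Label=eventType cn1=7 cn2Label=rfcResult cn2=5 dvchost=localhost.localdomain "
    "deviceTranslatedAddress=10.206.155.122 "
    "deviceExternalId=15129231-f1dc-4941-8014-1a1b9fbc9253 dvc=10.206.155.128 act=2 "
    "duser=user1@domain1.com;user2@domain1.com;user223@domain1.com;user4@domain1.com "
    "reason=102 suser=user1@domain2.com dvcmac=00:0C:29:8D:2E:74"
)

# Syslog framing from the table: "Mmm dd hh:mm:ss", then the host, then the CEF body.
_SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (CEF:\d+\|.*)$")
# Header pipes may be escaped as "\|"; split only on unescaped ones.
_PIPE_RE = re.compile(r"(?<!\\)\|")
# An extension key starts the extension or follows a space and is followed by "=";
# values (e.g. rt) may contain spaces, so each value runs up to the next key.
_KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_]+)=")
HEADER_FIELDS = ("vendor", "pname", "pver", "eventid", "eventName", "severity")


def _parse_extension(ext: str) -> dict:
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].rstrip().replace(r"\=", "=")
    return out


def parse_ddei_cef(line: str) -> dict:
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("line is not syslog-framed CEF")
    timestamp, host, cef = m.groups()
    parts = _PIPE_RE.split(cef, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-delimited fields plus extension")
    rec = {"timestamp": timestamp, "host": host, "logVer": int(parts[0][len("CEF:"):])}
    rec.update(zip(HEADER_FIELDS, (p.replace(r"\|", "|") for p in parts[1:7])))
    rec["severity"] = int(rec["severity"])
    ext = _parse_extension(parts[7])
    # cnNLabel/csNLabel name the custom fields: cn1Label=eventType makes cn1 the eventType.
    for key in [k for k in ext if k.endswith("Label") and k[:-5] in ext]:
        base = key[:-5]
        label, value = ext.pop(key), ext.pop(base)
        ext[label] = int(value) if base.startswith("cn") else value
    if "duser" in ext:  # recipients are ';'-separated
        ext["duser"] = [r for r in ext["duser"].split(";") if r]
    return {**rec, **ext}
```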