
LEEF Alert Logs

Each alert is a syslog line carrying a LEEF:1.0 header followed by tab-separated key=value attributes. The keys, their meaning and their values (fixed where stated, otherwise an example) are:

LEEF Key: Header (timestamp)
  Description: Local time in the format "Mmm dd hh:mm:ss"
  Value: Example: Dec 5 05:26:45

LEEF Key: Header (host)
  Description: Hostname without the domain information
  Value: Example: internalAP1

LEEF Key: Header (logVer)
  Description: LEEF format version
  Value: LEEF:1.0

LEEF Key: Header (vendor)
  Description: Appliance vendor
  Value: Trend Micro

LEEF Key: Header (pname)
  Description: Appliance product
  Value: Deep Discovery Email Inspector

LEEF Key: Header (pver)
  Description: Appliance version
  Value: Example: 5.1.0.1110

LEEF Key: Header (eventName)
  Description: Event name
  Value: ALERT_EVENT

LEEF Key: deviceGUID
  Description: Appliance GUID
  Value: Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536

LEEF Key: devTime
  Description: Log generation time
  Value: Example: Jan 28 2015 02:00:36 GMT+00:00

LEEF Key: devTimeFormat
  Description: Time format
  Value: MMM dd yyyy HH:mm:ss z

LEEF Key: dvc
  Description: Appliance IP address
  Value: Example: 10.1.144.199

LEEF Key: dvchost
  Description: Appliance host name
  Value: Example: localhost

LEEF Key: dvcmac
  Description: Appliance MAC address
  Value: Example: 00:0C:29:6E:CB:F9

LEEF Key: eventTriggeredValue
  Description: Triggered value
  Value: Example: 35

LEEF Key: externalId
  Description: The logid in the alert database
  Value: Example: 1648

LEEF Key: ruleContent
  Description: Notification content
  Value: Example:
    The following email messages contain threats:

    Risk: Medium (Malware)
    Action: Quarantined
    Message ID: <20150619032243.5923E650365@localhost.ddei-164>
    Recipients: fake@test.com;test@test.com
    Sender: test@fake.test
    Subject: high_4_file_507ECC33FA60979F6B97D84DA47972096185C263
    Attachment: 4_file_507ECC33FA60979F6B97D84DA47972096185C263 (MIME Base64)
    Detected: 2015-05-25 11:11:00

    Alert time: 2015-05-25 11:11:27 +0800
    Generated by: localhost.localdomain (192.168.1.100)
    Management console: https://192.168.1.100/loginPage.ddei
  Note: The maximum length is 20000 characters.

LEEF Key: ruleCriteria
  Description: Description
  Value: Example: 1 or more messages detected with threats

LEEF Key: ruleEventType
  Description: Alert type
  Value:
    • 0: System event
    • 1: Security event and the event severity is "High", "Medium", or "Low"
    • 2: Security event and the event severity is "High" or "Medium"
    • 3: Security event and the event severity is "High"

LEEF Key: ruleId
  Description: Alert ID
  Value: Value between 1 and 15

LEEF Key: ruleName
  Description: Alert name
  Value: Example: Security: Suspicious Messages Identified

LEEF Key: sev
  Description: Severity
  Value:
    • 2: Informational
    • 6: Important
    • 8: Critical

Note: When using the LEEF log syntax, event attributes are separated by a tab delimiter (0x09). In the log sample below, each "\0x09" stands for that tab character; the ruleContent value in the sample is percent-encoded.
Log sample:
May 15 16:00:47 localhost LEEF:1.0|Trend Micro|Deep Discovery Email Inspector|2.5.1.1009|ALERT_EVENT|sev=2\0x09cnt=8\0x09ruleEventType=0\0x09ruleId=10\0x09ruleCriteria=At least 1 messages processed\0x09dvchost=localhost.ddei-164\0x09dvc=10.204.253.164\0x09deviceGUID=361a091c-addd-40cf-98e7-710e43500a66\0x09externalId=1684\0x09devTime=Jun 19 2015 03:18:48 GMT+00:00\0x09ruleName=System: Processing Surge\0x09dvcmac=00:50:56:01:2C:BC\0x09devTimeFormat=MMM dd yyyy HH:mm:ss z\0x09ruleContent=The%20number%20of%20processed%20messages%20reached%20the%20specified%20threshold%20%281%29.%0A%0AMessages%20processed%3A%208%0AChecking%20interval%3A%200%20minutes%0A%0AAlert%20time%3A%202015-06-19%2003%3A18%3A48%20%2B0000%0AGenerated%20by%3A%20localhost.ddei-164%20%2810.204.253.164%29%0AManagement%20console%3A%20https%3A//10.204.253.164/loginPage.ddei
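The parser below is an added example for consuming this format on a SIEM or log-collector side; it is not code from Trend Micro or from this documentation. It splits the syslog prefix and the five-field LEEF:1.0 header on "|", splits the attributes on the tab delimiter (accepting both a real 0x09 and the literal "\0x09" text used in the sample above), percent-decodes ruleContent only after that split, and checks sev, ruleEventType and ruleId against the values documented in the table. SAMPLE is the page's log sample re-joined onto one line; SMUGGLE is a constructed line, not from the page, whose ruleContent carries an encoded tab followed by "sev=8" to show why decoding must come after splitting: ruleContent is built from message-derived text (subject, sender, attachment name), so a decode-then-split parser would let a crafted subject inject attributes.

```python
"""Parse Deep Discovery Email Inspector LEEF alert records (added example)."""
import re
from urllib.parse import unquote

# Constructed input: the page's log sample re-joined onto one line. The page
# prints the tab delimiter as the literal text "\0x09", so that is what this
# string contains; a live syslog feed carries an actual tab (0x09) instead.
SAMPLE = (
    "May 15 16:00:47 localhost LEEF:1.0|Trend Micro|Deep Discovery Email Inspector"
    "|2.5.1.1009|ALERT_EVENT|sev=2\\0x09cnt=8\\0x09ruleEventType=0\\0x09ruleId=10"
    "\\0x09ruleCriteria=At least 1 messages processed\\0x09dvchost=localhost.ddei-164"
    "\\0x09dvc=10.204.253.164\\0x09deviceGUID=361a091c-addd-40cf-98e7-710e43500a66"
    "\\0x09externalId=1684\\0x09devTime=Jun 19 2015 03:18:48 GMT+00:00"
    "\\0x09ruleName=System: Processing Surge\\0x09dvcmac=00:50:56:01:2C:BC"
    "\\0x09devTimeFormat=MMM dd yyyy HH:mm:ss z"
    "\\0x09ruleContent=The%20number%20of%20processed%20messages%20reached%20the"
    "%20specified%20threshold%20%281%29.%0A%0AMessages%20processed%3A%208%0AChecking"
    "%20interval%3A%200%20minutes%0A%0AAlert%20time%3A%202015-06-19%2003%3A18%3A48"
    "%20%2B0000%0AGenerated%20by%3A%20localhost.ddei-164%20%2810.204.253.164%29"
    "%0AManagement%20console%3A%20https%3A//10.204.253.164/loginPage.ddei"
)

# Constructed line (not from the documentation) using real tab delimiters. Its
# ruleContent holds an encoded tab (%09) followed by "sev=8"; splitting before
# decoding keeps that text inside ruleContent instead of overriding sev.
SMUGGLE = (
    "May 15 16:00:47 localhost LEEF:1.0|Trend Micro|Deep Discovery Email Inspector"
    "|2.5.1.1009|ALERT_EVENT|sev=2\truleEventType=1\truleId=3"
    "\truleContent=Subject%3A%20invoice%09sev%3D8"
)

SEV_LABELS = {2: "Informational", 6: "Important", 8: "Critical"}
RULE_EVENT_TYPE_LABELS = {
    0: "System event",
    1: "Security event, severity High, Medium or Low",
    2: "Security event, severity High or Medium",
    3: "Security event, severity High",
}
INT_KEYS = ("sev", "cnt", "ruleEventType", "ruleId", "externalId", "eventTriggeredValue")
RULE_CONTENT_MAX = 20000  # documented maximum length of ruleContent

# syslog prefix (timestamp, host) followed by the five-field LEEF 1.0 header.
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"LEEF:(?P<logVer>[^|]+)\|(?P<vendor>[^|]+)\|(?P<pname>[^|]+)\|"
    r"(?P<pver>[^|]+)\|(?P<eventName>[^|]+)\|(?P<attrs>.*)$",
    re.DOTALL,
)
# A real tab, or the literal "\0x09" text the documentation prints in its place.
DELIM_RE = re.compile(r"\t|\\0x09")


def parse_leef_alert(line):
    """Return (header, attrs) dicts for one syslog-wrapped LEEF alert line."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError("not a syslog-wrapped LEEF record")
    header = {k: v for k, v in m.groupdict().items() if k != "attrs"}
    if header["logVer"] != "1.0" or header["eventName"] != "ALERT_EVENT":
        raise ValueError(f"unexpected LEEF version or event name: {header}")

    # Split on the delimiter first; nothing is decoded at this stage.
    attrs = {}
    for item in DELIM_RE.split(m.group("attrs")):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed attribute: {item!r}")
        if key in attrs:
            raise ValueError(f"duplicate attribute: {key}")
        attrs[key] = value

    for key in INT_KEYS:
        if key in attrs:
            attrs[key] = int(attrs[key])
    if attrs.get("sev") not in SEV_LABELS:
        raise ValueError(f"sev outside documented values: {attrs.get('sev')!r}")
    if attrs.get("ruleEventType") not in RULE_EVENT_TYPE_LABELS:
        raise ValueError(f"ruleEventType outside 0..3: {attrs.get('ruleEventType')!r}")
    if not 1 <= attrs.get("ruleId", 0) <= 15:
        raise ValueError(f"ruleId outside 1..15: {attrs.get('ruleId')!r}")

    # Percent-decode ruleContent only now, so an encoded tab stays inside it.
    if "ruleContent" in attrs:
        content = unquote(attrs["ruleContent"])
        if len(content) > RULE_CONTENT_MAX:
            raise ValueError(f"ruleContent exceeds {RULE_CONTENT_MAX} characters")
        attrs["ruleContent"] = content
    attrs["sevLabel"] = SEV_LABELS[attrs["sev"]]
    attrs["ruleEventTypeLabel"] = RULE_EVENT_TYPE_LABELS[attrs["ruleEventType"]]
    return header, attrs


if __name__ == "__main__":
    for raw in (SAMPLE, SMUGGLE):
        hdr, attrs = parse_leef_alert(raw)
        print(hdr["pname"], hdr["pver"], "|", attrs.get("ruleName"), "|", attrs["sevLabel"])
        print(attrs["ruleContent"])
```

The parser rejects records whose sev, ruleEventType or ruleId fall outside the documented ranges rather than passing them through, so a collector rule keyed on sev=8 cannot be fed a value the appliance never emits. The "cnt" attribute appears in the page's sample but not in the key table; it is converted to an integer when present and otherwise ignored.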