LEEF Sender Filtering/Authentication Logs

Views:

LEEF Key	Description	Value
Header (timestamp)	Local time in the format: "Mmm dd hh:mm:ss"	Example: Dec 5 05:26:45
Header (host)	Hostname without the domain information	Example: internalAP1
Header (logVer)	CEF format version	1.0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Deep Discovery Email Inspector
Header (pver)	Appliance version	Example: 5.1.0.1110
Header (eventName)	Description	SENDER_FILTERING
sev	Email severity	2
dvc	Appliance IP address	Examples: IPV4:192.168.10.1 IPv6:2620:0101:4002:0401::131
dvcmac	Appliance MAC address	Example: 00:0C:29:6E:CB:F9
dvchost	Appliance host name	Example: localhost
deviceGUID	Appliance GUID	Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
devTime	Log generation time	Example: Mar 09 2015 17:05:21 GMT+00:00 (UTC time)
devTimeFormat	Time format	MMM dd yyyy HH:mm:ss z
deviceTranslatedAddress	Relay MTA IP address	Example: 204.92.31.146
suser	Email sender	Example: user2@domain.com
duser	Email recipients	Example: user1@domain2.com;test@163.com
eventType	Event type	1: Email reputation 2: DHA protection 3: Bounce attack protection 4: SMTP traffic throttling (IP address) 5: SMTP traffic throttling (email address) 6: SPF 7: DKIM 8: DMARC
act	The action in the event	2: Block temporarily 3: Block permanently
rfcResult	Sender authentication result	1: None 2: Pass 3: Neutral 4: SoftFail 5: Fail 6: TempError 7: PermError
reason	Reason for block action	Example: No DNS txt record

Log sample:

May 15 16:00:4 7 internalbeta LEEF:1.0|Trend Micro|Deep Di
scovery Email Inspector|3.1.0.1147|SENDER_FILTERING|sev=2<
009>deviceGUID=15129231-f1dc-4941-8014-1a1b9fbc9253<009>rf
cResult=5<009>eventType=6<009>deviceTranslatedAddress=10.2
06.155.122<009>dvchost=localhost.localdomain<009>dvc=10.20
6.155.128<009>act=2<009>duser=user1@domain.com<009>reason=
56<009>devTime=May 15 2018 08:15:31 GMT+00:00<009>suser=us
er2@domain2.com<009>dvcmac=00:0C:29:8D:2E:74<009>devTimeFo
rmat=MMM dd yyyy HH:mm:ss z