TMEF Alert Logs

Header (timestamp)
    Description: Local time in the format "Mmm dd hh:mm:ss"
    Value (example): Dec 5 05:26:45

Header (host)
    Description: Hostname without the domain information
    Value (example): internalAP1

Header (logVer)
    Description: TMEF format version
    Value: CEF: 0

Header (vendor)
    Description: Appliance vendor
    Value: Trend Micro

Header (pname)
    Description: Appliance product
    Value: Deep Discovery Email Inspector

Header (pver)
    Description: Appliance version
    Value (example): 5.1.0.1110

Header (eventid)
    Description: Signature ID
    Value: 300105

Header (eventName)
    Description: Description
    Value: ALERT_EVENT

Header (severity)
    Description: Alert severity
    Value:
      • 2: Informational
      • 6: Important
      • 8: Critical

cn1
    Description: Alert type
    Value:
      • 0: System event
      • 1: Security event and the event severity is "High", "Medium", or "Low"
      • 2: Security event and the event severity is "High" or "Medium"
      • 3: Security event and the event severity is "High"

cn1Label
    Description: Alert type
    Value: ruleEventType

cs1
    Description: Description
    Value (example): 1 or more messages detected with threats

cs1Label
    Description: Description
    Value: ruleCriteria

cs2
    Description: Triggered value
    Value (example): 35

cs2Label
    Description: Triggered value
    Value: eventTriggeredValue

cs3
    Description: Notification content
    Value (example):
        The following email messages contain threats:

        Risk: Medium (Malware)
        Action: Quarantined
        Message ID: <20150619032243.5923E650365@localhost.ddei-164>
        Recipients: fake@test.com;test@test.com
        Sender: test@fake.test
        Subject: high_4_file_507ECC33FA60979F6B97D84DA47972096185C263
        Attachment: 4_file_507ECC33FA60979F6B97D84DA47972096185C263 (MIME Base64)
        Detected: 2015-05-25 11:11:00

        Alert time: 2015-05-25 11:11:27 +0800
    Note: The maximum length is 20000 characters.

cs3Label
    Description: Notification content
    Value: ruleContent

deviceGUID
    Description: Appliance GUID
    Value (example): 6B593E17AFB7-40FBBB28-A4CE-0462-A536

dvc
    Description: Appliance IP address
    Value (example): 10.1.144.199

dvchost
    Description: Appliance host name
    Value (example): localhost

dvcmac
    Description: Appliance MAC address
    Value (example): 00:0C:29:6E:CB:F9

externalId
    Description: The logid in the alert database
    Value (example): 1648

rt
    Description: Log generation time
    Value (example): Mar 09 2015 17:05:21 GMT+00:00

ruleId
    Description: Alert ID
    Value: between 1 and 15

ruleName
    Description: Alert name
    Value (example): Security: Suspicious Messages Identified
Log sample:
May 15 16:00:47 localhost CEF:0|Trend Micro|Deep Discovery Email Inspector|2.5.1.1009|300105|ALERT_EVENT|2|rt=Jun 19 2015 03:22:58 GMT+00:00 cnt=7 deviceGUID=361a091c-addd-40cf-98e7-710e43500a66 ruleId=10 cs2Label=ruleContent cs2=The%20number%20of%20processed%20messages%20reached%20the%20specified%20threshold%20%281%29.%0A%0AMessages%20processed%3A%207%0AChecking%20interval%3A%200%20minutes%0A%0AAlert%20time%3A%202015-06-19%2003%3A22%3A58%20%2B0000%0AGenerated%20by%3A%20localhost.ddei-164%20%2810.204.253.164%29%0AManagement%20console%3A%20https%3A//10.204.253.164/loginPage.ddei cs1Label=ruleCriteria cs1=At least 1 messages processed dvchost=localhost.ddei-164 dvc=10.204.253.164 externalId=1694 ruleName=System: Processing Surge dvcmac=00:50:56:01:2C:BC cn1Label=ruleEventType cn1=0
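As an added example, not part of the Trend Micro documentation, the following Python parser splits the log sample above into its CEF header fields and extension pairs, resolves the csN/cnN custom-field labels, percent-decodes the notification text, and maps the severity and alert-type codes from the key list. It assumes the sample line as shown (with the long cs2 text shortened) and does not handle escaped pipe characters in the header, since the sample has none.

```python
import re
from urllib.parse import unquote

# The page's log sample, re-joined onto one line; the cs2 text is shortened here.
SAMPLE = (
    "May 15 16:00:47 localhost CEF:0|Trend Micro|Deep Discovery Email Inspector"
    "|2.5.1.1009|300105|ALERT_EVENT|2|rt=Jun 19 2015 03:22:58 GMT+00:00 cnt=7 "
    "deviceGUID=361a091c-addd-40cf-98e7-710e43500a66 ruleId=10 cs2Label=ruleContent "
    "cs2=The%20number%20of%20processed%20messages%20reached%20the%20specified%20"
    "threshold%20%281%29.%0A%0AMessages%20processed%3A%207 cs1Label=ruleCriteria "
    "cs1=At least 1 messages processed dvchost=localhost.ddei-164 dvc=10.204.253.164 "
    "externalId=1694 ruleName=System: Processing Surge dvcmac=00:50:56:01:2C:BC "
    "cn1Label=ruleEventType cn1=0"
)

# Code tables taken from the TMEF key list above.
SEVERITY = {"2": "Informational", "6": "Important", "8": "Critical"}
ALERT_TYPE = {"0": "System event", "1": "Security event (High/Medium/Low)",
              "2": "Security event (High/Medium)", "3": "Security event (High)"}
HEADER = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
# An extension value runs until the next " key=" token or the end of the line;
# values such as rt, ruleName and cs1 contain spaces, so a plain split fails.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\Z)")

def parse_tmef_alert(line):
    """Parse one TMEF alert line into header fields plus label-resolved extensions."""
    if " CEF:" not in line:
        raise ValueError("no CEF header in record")
    prefix, cef = line.split(" CEF:", 1)
    timestamp, host = prefix.rsplit(" ", 1)     # "Mmm dd hh:mm:ss" and bare hostname
    parts = cef.split("|", 7)                   # 7 header fields, then the extension
    if len(parts) != 8 or parts[0] != "0":      # escaped "\|" in headers is not handled
        raise ValueError("unexpected CEF header layout")
    rec = dict(zip(HEADER, parts[:7]), timestamp=timestamp, host=host)
    raw = {k: v.strip() for k, v in EXT_RE.findall(parts[7])}
    fields = {}
    for key, val in raw.items():
        if key.endswith("Label"):
            continue
        if re.fullmatch(r"cs\d+", key):         # custom strings are percent-encoded
            val = unquote(val)
        fields[raw.get(key + "Label", key)] = val  # csN/cnN -> ruleContent, ruleEventType
    rec["fields"] = fields
    rec["severityName"] = SEVERITY.get(rec["severity"], "unknown")
    rec["alertType"] = ALERT_TYPE.get(fields.get("ruleEventType"), "unknown")
    return rec

if __name__ == "__main__":
    r = parse_tmef_alert(SAMPLE)
    print(r["fields"]["ruleName"], "|", r["severityName"], "|", r["alertType"])
```

A value that itself contains a " word=" sequence would be cut short by the extension regex; that ambiguity is inherent to CEF's key=value layout, so a collector should validate that the expected label keys (cs1Label, cn1Label, ...) were actually found before trusting the resolved names.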