
TMEF Sender Filtering/Authentication Logs

| TMEF Key | Description | Value |
| --- | --- | --- |
| Header (timestamp) | Local time in the format: "Mmm dd hh:mm:ss" | Example: Dec 5 05:26:45 |
| Header (host) | Hostname without the domain information | Example: internalAP1 |
| Header (logVer) | CEF format version | 1.0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Deep Discovery Email Inspector |
| Header (pver) | Appliance version | Example: 5.1.0.1110 |
| Header (eventid) | Signature ID | 100137 |
| Header (eventName) | Description | SENDER_FILTERING |
| Header (severity) | Email severity | 2 |
| dvc | Appliance IP address | Examples: IPv4: 192.168.10.1; IPv6: 2620:0101:4002:0401::131 |
| dvcmac | Appliance MAC address | Example: 00:0C:29:6E:CB:F9 |
| dvchost | Appliance host name | Example: localhost |
| deviceGUID | Appliance GUID | Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536 |
| rt | Log generation time | Example: Mar 09 2015 17:05:21 GMT+00:00 (UTC time) |
| deviceTranslatedAddress | Relay MTA IP address | Example: 204.92.31.146 |
| suser | Email sender | Example: user2@domain.com |
| duser | Email recipients | Example: user1@domain2.com;test@163.com |
| cn1Label | Label for event type | eventType |
| cn1 | Event type | 1: Email reputation; 2: DHA protection; 3: Bounce attack protection; 4: SMTP traffic throttling (IP address); 5: SMTP traffic throttling (email address); 6: SPF; 7: DKIM; 8: DMARC |
| act | The action in the event | 2: Block temporarily; 3: Block permanently |
| cn2Label | Label for sender authentication result | rfcResult |
| cn2 | Sender authentication result | 1: None; 2: Pass; 3: Neutral; 4: SoftFail; 5: Fail; 6: TempError; 7: PermError |
| reason | Reason for block action | Example: No DNS txt record |

Log sample:
May 15 16:08:12  internalbeta CEF:0|Trend Micro|Deep Discovery Email Inspector|3.1.0.1147|100137|SENDER_FILTERING|2|rt=May 15 2018 08:20:01 GMT+00:00 cn1Label=eventType cn1=7 cn2Label=rfcResult cn2=5 deviceTranslatedAddress=10.206.155.122 dvchost=localhost.localdomain dvc=10.206.155.128 act=2 duser=user1@domain.com reason=102 deviceGUID=15129231-f1dc-4941-8014-1a1b9fbc9253 suser=user1@domain2.com dvcmac=00:0C:29:8D:2E:74
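
The following parser is an added example, not part of the vendor documentation: it splits a sender filtering record into the header and key=value fields listed above and decodes the cn1, act and cn2 codes so a SIEM rule or triage script can read them. The function name and the output keys `host`, `eventType`, `action`, `rfcResult` and `recipients` are choices made for this example; `SAMPLE` is the page's log sample rejoined onto one line.

```python
import re

# Code tables copied from the field reference on this page.
EVENT_TYPE = {1: "Email reputation", 2: "DHA protection", 3: "Bounce attack protection",
              4: "SMTP traffic throttling (IP address)",
              5: "SMTP traffic throttling (email address)", 6: "SPF", 7: "DKIM", 8: "DMARC"}
ACTION = {2: "Block temporarily", 3: "Block permanently"}
AUTH_RESULT = {1: "None", 2: "Pass", 3: "Neutral", 4: "SoftFail", 5: "Fail",
               6: "TempError", 7: "PermError"}
# (source key, output key chosen for this example, code table)
DECODE = (("cn1", "eventType", EVENT_TYPE), ("act", "action", ACTION),
          ("cn2", "rfcResult", AUTH_RESULT))
HEADER = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
# A value runs up to the next " key=" or the end of the line, so "rt" keeps its spaces.
PAIR_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

# The page's log sample, rejoined onto one line.
SAMPLE = ("May 15 16:08:12  internalbeta CEF:0|Trend Micro|Deep Discovery Email Inspector|"
          "3.1.0.1147|100137|SENDER_FILTERING|2|rt=May 15 2018 08:20:01 GMT+00:00 "
          "cn1Label=eventType cn1=7 cn2Label=rfcResult cn2=5 "
          "deviceTranslatedAddress=10.206.155.122 dvchost=localhost.localdomain "
          "dvc=10.206.155.128 act=2 duser=user1@domain.com reason=102 "
          "deviceGUID=15129231-f1dc-4941-8014-1a1b9fbc9253 suser=user1@domain2.com "
          "dvcmac=00:0C:29:8D:2E:74")

def parse_sender_filtering(line):
    """Return one SENDER_FILTERING record as a dict with decoded code fields."""
    prefix, marker, cef = line.partition("CEF:")
    parts = cef.split("|", 7)  # assumes no escaped "|" inside the header fields
    if not marker or len(parts) != 8:
        raise ValueError("not a complete CEF/TMEF record")
    event = dict(zip(HEADER, parts[:7]))
    if event["eventid"] != "100137":
        raise ValueError("not a sender filtering event: " + event["eventid"])
    # The syslog prefix is "Mmm dd hh:mm:ss host"; the host is its last token.
    event["host"] = prefix.split()[-1] if prefix.split() else None
    event.update(PAIR_RE.findall(parts[7]))
    for key, name, table in DECODE:
        code = event.get(key, "")
        # Keep unknown codes visible instead of silently dropping them.
        event[name] = table.get(int(code), "unknown:" + code) if code.isdigit() else None
    event["recipients"] = [r for r in event.get("duser", "").split(";") if r]
    return event

if __name__ == "__main__":
    e = parse_sender_filtering(SAMPLE)
    print(e["host"], e["suser"], e["eventType"], e["rfcResult"], e["action"])
```
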