What format are Content Analysis Syslog messages?

Article Id: 169263

Status: Published

Updated On: 13-05-2017 12:30

Legacy Id: TECH246132

Products:

Content Analysis Software - CA

Issue/Introduction:

Third-party applications used to read the Syslog output will need to know the format of the Syslog message. The fields in the message are customized to the trigger that caused the event (for example, a virus was found or a file was blocked),

Resolution:

The basic format of the Syslog message that is generated by the Content Analysis appliance is:

%PRI, %TIMESTAMP, %HOSTNAME, %APP-NAME, %PROCID, %MSG,

%MSG is where CA will add its data regarding the event. The format of the MSG depends on the trigger that caused the Syslog message to be sent. The triggers and MSG formats are listed below.

Virus found

%TIMESTAMP, %HWSERIALNUMBER, %APPNAME, %APPVERSION, %AVVENDOR, %AVENGINEVERS, %AVPATTERNVERS, (%AVPATTERNDATE), %MACHINENAME, %MACHINEIP, %SERVER, %CLIENT, %VIRUS, %URL,

File was passed through without being scanned

%REASON, %ACTION, %TIMESTAMP, %HWSERIALNUMBER, %APPNAME, %APPVERSION, %AVVENDOR, %AVENGINEVERS, %AVPATTERNVERS, (%AVPATTERNDATE), %MACHINENAME, %MACHINEIP, %SERVER, %CLIENT, %URL,

File was blocked (exclude virus case)

%REASON, %ACTION, %TIMESTAMP, %HWSERIALNUMBER, %APPNAME, %APPVERSION, %AVVENDOR, %AVENGINEVERS, %AVPATTERNVERS, (%AVPATTERNDATE), %MACHINENAME, %MACHINEIP, %SERVER, %CLIENT, %URL,

Anti-virus update failed

%TIMESTAMP, %AVVENDOR, %MACHINEIP, %AVENGINEVERS, %AVPATTERNVERS, %AVPATTERNDATE,

Anti-virus update succeeded

%TIMESTAMP, %AVVENDOR, %MACHINEIP, %AVENGINEVERS, %AVPATTERNVERS, %AVPATTERNDATE,

Intelligent connection traffic monitoring (ICTM)

%REASON, %TIMESTAMP, %HWSERIALNUMBER, %APPNAME, %APPVERSION, %MACHINENAME, %MACHINEIP, %URL,

Reboot

%MACHINENAME, %MACHINEIP, %REASON,

Sandboxing threat admin alert (Asynchronous)

%TIMESTAMP, %HWSERIALNUMBER, %APPNAME, %APPVERSION, %SANBOX_VENDOR, %MACHINENAME, %MACHINEIP, %SERVER, %CLIENT, %THREAT_SCORE, %URL, %THREAT_HTML_URL, %FIREEYE_THREAT_HTML_URL, %COUNTERTACK_TEXT_DETAILS, %COUNTERETACK_URL,

Sandboxing threat alert

%REASON, %ACTION, %TIMESTAMP, %HWSERIALNUMBER, %APPNAME, %APPVERSION, %MACHINENAME, %MACHINEIP, %SERVER, %CLIENT, %URL, %THREAT_HTML_URL, %FIREEYE_THREAT_HTML_URL,

File reputation threat alert

%REASON, %ACTION, %TIMESTAMP, %HWSERIALNUMBER, %APPNAME, %APPVERSION, %MACHINENAME, %MACHINEIP, %SERVER, %CLIENT, %URL,

Static analysis threat alert

%REASON, %ACTION, %TIMESTAMP, %HWSERIALNUMBER, %APPNAME, %APPVERSION, %AVENGINEVERS, %MACHINENAME, %MACHINEIP, %SERVER, %CLIENT, %URL, %CYLANCE_SCORE, %CYLANCE_DETAILS,