What format are Content Analysis Syslog messages?

Article ID: 169263

Products

Content Analysis Software - CA

Issue/Introduction

Third-party applications that read the Syslog output need to know the format of the Syslog message. The fields in the message vary with the trigger that caused the event (for example, a virus was found or a file was blocked).

Resolution

The basic format of the Syslog message that is generated by the Content Analysis appliance is:

%PRI, %TIMESTAMP, %HOSTNAME, %APP-NAME, %PROCID, %MSG,

%MSG is the field in which CA adds its data about the event. The format of MSG depends on the trigger that caused the Syslog message to be sent. The triggers and their MSG formats are listed below.
 
Virus found

%TIMESTAMP, %HWSERIALNUMBER, %APPNAME, %APPVERSION, %AVVENDOR, %AVENGINEVERS, %AVPATTERNVERS, (%AVPATTERNDATE), %MACHINENAME, %MACHINEIP, %SERVER, %CLIENT, %VIRUS, %URL,

File was passed through without being scanned

%REASON, %ACTION, %TIMESTAMP, %HWSERIALNUMBER, %APPNAME, %APPVERSION, %AVVENDOR, %AVENGINEVERS, %AVPATTERNVERS, (%AVPATTERNDATE), %MACHINENAME, %MACHINEIP, %SERVER, %CLIENT, %URL,

File was blocked (exclude virus case)

%REASON, %ACTION, %TIMESTAMP, %HWSERIALNUMBER, %APPNAME, %APPVERSION, %AVVENDOR, %AVENGINEVERS, %AVPATTERNVERS, (%AVPATTERNDATE), %MACHINENAME, %MACHINEIP, %SERVER, %CLIENT, %URL,

Anti-virus update failed

%TIMESTAMP, %AVVENDOR, %MACHINEIP, %AVENGINEVERS, %AVPATTERNVERS, %AVPATTERNDATE,

Anti-virus update succeeded

%TIMESTAMP, %AVVENDOR, %MACHINEIP, %AVENGINEVERS, %AVPATTERNVERS, %AVPATTERNDATE,

Intelligent connection traffic monitoring (ICTM)

%REASON, %TIMESTAMP, %HWSERIALNUMBER, %APPNAME, %APPVERSION, %MACHINENAME, %MACHINEIP, %URL,

Reboot

%MACHINENAME, %MACHINEIP, %REASON,

Sandboxing threat admin alert (Asynchronous)

%TIMESTAMP, %HWSERIALNUMBER, %APPNAME, %APPVERSION, %SANBOX_VENDOR, %MACHINENAME, %MACHINEIP, %SERVER, %CLIENT, %THREAT_SCORE, %URL, %THREAT_HTML_URL, %FIREEYE_THREAT_HTML_URL, %COUNTERTACK_TEXT_DETAILS, %COUNTERETACK_URL,

Sandboxing threat alert

%REASON, %ACTION, %TIMESTAMP, %HWSERIALNUMBER, %APPNAME, %APPVERSION, %MACHINENAME, %MACHINEIP, %SERVER, %CLIENT, %URL, %THREAT_HTML_URL, %FIREEYE_THREAT_HTML_URL,

File reputation threat alert

%REASON, %ACTION, %TIMESTAMP, %HWSERIALNUMBER, %APPNAME, %APPVERSION, %MACHINENAME, %MACHINEIP, %SERVER, %CLIENT, %URL,

Static analysis threat alert

%REASON, %ACTION, %TIMESTAMP, %HWSERIALNUMBER, %APPNAME, %APPVERSION, %AVENGINEVERS, %MACHINENAME, %MACHINEIP, %SERVER, %CLIENT, %URL, %CYLANCE_SCORE, %CYLANCE_DETAILS,
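The following parser is an added example written for this page; it is not code from Broadcom/Symantec or the Content Analysis product. It transcribes the header layout and the per-trigger MSG layouts listed above into positional field tables, maps a line onto them, decodes the PRI value into facility and severity, and rejects a line whose field count does not match the layout (a comma inside a REASON or URL value would otherwise shift every later field silently). Two assumptions are made because the article does not state them: the whole line is comma-separated exactly as the article writes it (PRI, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, then the MSG fields), and the consumer already knows which trigger produced the line, so the trigger is passed in as a parameter. The trigger key names and the sample log lines are constructed for the example.

```python
"""Positional parser for Content Analysis (CA) syslog lines.

Added example, not vendor code. ASSUMPTIONS: the line is comma-separated
throughout, as the article writes it, and the caller supplies the trigger
name (the article does not say how a consumer tells triggers apart).
"""
import ipaddress
from typing import Dict, List

# MSG field layouts per trigger, transcribed from the article. The
# parenthesised (%AVPATTERNDATE) is treated as an ordinary positional field.
_AV_SCAN = ["TIMESTAMP", "HWSERIALNUMBER", "APPNAME", "APPVERSION", "AVVENDOR",
            "AVENGINEVERS", "AVPATTERNVERS", "AVPATTERNDATE", "MACHINENAME",
            "MACHINEIP", "SERVER", "CLIENT"]
_AV_UPDATE = ["TIMESTAMP", "AVVENDOR", "MACHINEIP", "AVENGINEVERS",
              "AVPATTERNVERS", "AVPATTERNDATE"]
_ALERT = ["REASON", "ACTION", "TIMESTAMP", "HWSERIALNUMBER", "APPNAME",
          "APPVERSION", "MACHINENAME", "MACHINEIP", "SERVER", "CLIENT", "URL"]

# Trigger keys are names chosen for this example, not product identifiers.
TRIGGER_FIELDS: Dict[str, List[str]] = {
    "virus_found": _AV_SCAN + ["VIRUS", "URL"],
    "file_unscanned": ["REASON", "ACTION"] + _AV_SCAN + ["URL"],
    "file_blocked": ["REASON", "ACTION"] + _AV_SCAN + ["URL"],
    "av_update_failed": _AV_UPDATE,
    "av_update_succeeded": _AV_UPDATE,
    "ictm": ["REASON", "TIMESTAMP", "HWSERIALNUMBER", "APPNAME", "APPVERSION",
             "MACHINENAME", "MACHINEIP", "URL"],
    "reboot": ["MACHINENAME", "MACHINEIP", "REASON"],
    "sandbox_admin_alert": ["TIMESTAMP", "HWSERIALNUMBER", "APPNAME", "APPVERSION",
                            "SANBOX_VENDOR", "MACHINENAME", "MACHINEIP", "SERVER",
                            "CLIENT", "THREAT_SCORE", "URL", "THREAT_HTML_URL",
                            "FIREEYE_THREAT_HTML_URL", "COUNTERTACK_TEXT_DETAILS",
                            "COUNTERETACK_URL"],
    "sandbox_alert": _ALERT + ["THREAT_HTML_URL", "FIREEYE_THREAT_HTML_URL"],
    "file_reputation": _ALERT,
    "static_analysis": ["REASON", "ACTION", "TIMESTAMP", "HWSERIALNUMBER", "APPNAME",
                        "APPVERSION", "AVENGINEVERS", "MACHINENAME", "MACHINEIP",
                        "SERVER", "CLIENT", "URL", "CYLANCE_SCORE", "CYLANCE_DETAILS"],
}

# Syslog header fields that precede MSG, as listed in the article.
HEADER_FIELDS = ["PRI", "TIMESTAMP", "HOSTNAME", "APP-NAME", "PROCID"]


def _split(line: str) -> List[str]:
    """Split on commas, strip padding, drop the empty token from the trailing comma."""
    parts = [p.strip() for p in line.split(",")]
    if parts and parts[-1] == "":
        parts.pop()
    return parts


def parse_ca_syslog(line: str, trigger: str) -> Dict[str, object]:
    """Map one CA syslog line onto named fields for the given trigger.

    Raises KeyError for an unknown trigger and ValueError when the field
    count does not match the layout, so a shifted record is never ingested.
    """
    fields = TRIGGER_FIELDS[trigger]
    parts = _split(line)
    expected = len(HEADER_FIELDS) + len(fields)
    if len(parts) != expected:
        raise ValueError(f"{trigger}: expected {expected} fields, got {len(parts)}")
    rec: Dict[str, object] = dict(zip(HEADER_FIELDS + fields, parts))
    # PRI encodes facility*8 + severity (RFC 5424); split it out for filtering.
    pri = int(str(rec["PRI"]).strip("<>"))
    rec["FACILITY"], rec["SEVERITY"] = pri >> 3, pri & 7
    # Every layout above carries MACHINEIP; reject a value that is not an address.
    ipaddress.ip_address(str(rec["MACHINEIP"]))
    return rec


# Constructed sample lines (made-up values, not captured from an appliance).
SAMPLE_VIRUS = ("<134>, 2024-01-15T10:22:07Z, ca-appliance-01, content_analysis, 1234, "
                "2024-01-15T10:22:05Z, CA0000EXAMPLE, Content Analysis, 3.1.1.1, ExampleAV, "
                "20.0.1.0, 2024.01.15.001, 2024-01-15, ca-appliance-01, 10.0.0.5, "
                "10.0.0.9, 10.0.1.22, EICAR-Test-File, http://example.com/eicar.com,")
SAMPLE_REBOOT = ("<133>, 2024-01-15T10:30:00Z, ca-appliance-01, content_analysis, 1234, "
                 "ca-appliance-01, 10.0.0.5, administrator requested,")

if __name__ == "__main__":
    for sample, trig in ((SAMPLE_VIRUS, "virus_found"), (SAMPLE_REBOOT, "reboot")):
        for key, value in parse_ca_syslog(sample, trig).items():
            print(f"{trig:12s} {key:24s} {value}")
```

If the appliance in your deployment emits the header with spaces rather than commas, only _split needs to change; the per-trigger tables and the field-count check stay the same, and the check is the part worth keeping, since a single unescaped comma in a URL or REASON value is the usual cause of misattributed fields in a SIEM.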