Contents of syslog messages about traffic processing events

Each syslog message begins with the standard header fields supplied by the operating system's syslog implementation (in the example below: the timestamp, the host name and the KWTS application tag), followed by the application-specific fields described in this section.

Fields of the syslog message about a traffic processing event, which are defined by application options, have the format <key>="<value>". If a key has multiple values, these values are separated with a comma. A colon is used as the separator between the keys that describe the HTTP message (type through url) and between scanned objects; the scan result keys that follow an object name are separated with a comma. Both separators can also occur inside a quoted value (the colon in url, the comma in rules), so a parser must split the message only outside the quotes. Note that the example and the av_status bullet below show the Anti-Virus and Anti-Phishing status keys as av-status and ap-status (with a hyphen), whereas the table lists them as av_status and ap_status; accept both spellings when matching on these keys.

Example:

Dec 18 12:39:36 squid-server KWTS: type="Response": method="GET": action="Deny": workspace="": http_user_name="example@test.local": http_user_agent="curl/7.29.0": http_user_ip="192.0.2.0": url="http://example.com/EICAR/eicar.com": "eicar.com", rules="access_rules ['LowPriority\Default Access Group\Default Access Rule'], protection_rules ['LowPriority\Default Protection Group\Default Protection Rule']", av-status="Detected", threats="EICAR-Test-File\Deny", ap-status="NotDetected", encrypted="NotDetected", macros="NotDetected"

The keys, as well as their values contained in a message, are presented in the table below.

Information about traffic processing events in a syslog message

Key

Description and possible values

type

Type of HTTP message. Its value may be Request or Response.

method

HTTP request method.

action

Action taken on the HTTP message or the detected object. It can take one of the following values:

  • Allow – the request or response was allowed.
  • Deny – the request or response was blocked.
  • Redirect – the request was redirected.

workspace

Name of the workspace associated with the traffic processing event. If there is no workspace, the key is sent with an empty value.

http_user_name

User account name.

http_user_agent

Client application that initiated the HTTP request.

http_user_ip

IP address of the computer from which the HTTP request was sent.

url

URL of the web resource that the user requested.

(partN) "<object name>"

Name of the scanned object. For a single object the quoted name is sent on its own, without a part key (as in the example above: "eicar.com").

For a multipart MIME type object, the names of all constituent parts are specified. Each name is preceded by a part key with a sequence number (part1, part2, and so on) and is followed by the scan results for that part (the rules, av_status, ap_status, encrypted and macros keys, plus the threats key when av_status is Detected); the parts are separated with a colon.

For example, part1 "news.pdf" <scan results>: part2 "eicar.com" <scan results>.

If the HTTP message does not contain any objects, "nofile" is indicated as the object name.

rules

Names of triggered access rules and protection rules in the following format:

"access_rules ['<Rule priority>\<Rule group name>\<Rule name>'], protection_rules ['<Rule priority>\<Rule group name>\<Rule name>']".

av_status

Results of a web resource scan by the Anti-Virus module.

The following values are possible:

  • Detected – viruses or other threats were found in the object. The detected threats are listed in the accompanying threats key: each entry is the threat name followed by a backslash and the action the application took on the object, and multiple entries are separated by commas. For example, av-status="Detected", threats="EICAR-Test-File\Deny".
  • NotDetected – the object was scanned, no threats were detected.
  • NotScanned – the object was not subjected to a virus scan in accordance with the settings defined in traffic processing rules.
  • NotAvailable – a virus scan was not performed because only the URL of the web resource is available.
  • ScanError – the scan ended with an error.

ap_status

Results of a web resource scan by the Anti-Phishing module.

The following values are possible:

  • Detected – a phishing link was detected.
  • NotDetected – the object was scanned, no threats were detected.
  • ScanError – the scan ended with an error.

encrypted

Information about encryption of the scanned object.

The following values are possible:

  • Detected – the object was encrypted.
  • NotDetected – the object was not encrypted.
  • ScanError – the scan ended with an error.

macros

Information about the presence of macros in the scanned object.

The following values are possible:

  • Detected – the object contains macros.
  • NotDetected – the object does not contain macros.
  • ScanError – the scan ended with an error.
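
The separators (a colon between the HTTP-message keys and between scanned objects, a comma between the scan result keys of one object, neither significant inside quotes), the optional partN prefix and the two spellings of the status keys are the points most likely to trip a home-grown parser. The following Python parser is an added example and is not Kaspersky's code: it assumes the syslog header "<Mmm dd HH:MM:SS> <host> KWTS: " seen in the example, treats av-status/av_status and ap-status/ap_status as the same key, and is run on the documented example line plus a constructed multipart line (the second line is invented for this example; the names news.pdf and report.docm and the upload URL in it are not from the page). The findings function then lists every Detected or ScanError result per object, which is what a SIEM rule on these events would key on.

```python
"""Parser for KWTS traffic-processing syslog events.

Added example, not product code. Assumptions not stated on the page:
  * the syslog header is "<Mmm dd HH:MM:SS> <host> KWTS: " as in the documented example;
  * ":" separates the HTTP-message keys and the scanned objects, "," separates the
    scan-result keys of one object, and neither separator counts inside double quotes;
  * "av-status"/"av_status" and "ap-status"/"ap_status" name the same key.
"""
from __future__ import annotations

import re
from typing import Any

HEADER_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) KWTS: (?P<body>.*)$")
KV_RE = re.compile(r'^(?P<key>[\w-]+)="(?P<val>.*)"$', re.S)         # key="value"
OBJ_RE = re.compile(r'^(?:part(?P<n>\d+)\s+)?"(?P<name>.*)"$', re.S)  # [partN ]"name"
RULE_LIST_RE = re.compile(r"(\w+) \[(.*?)\]")                        # access_rules [...]
STATUS_KEYS = ("av_status", "ap_status", "encrypted", "macros")


def split_outside_quotes(text: str, seps: str = ":,") -> list[str]:
    """Split on ':' or ',' only when outside double quotes; drop empty pieces."""
    pieces, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch in seps and not in_quotes:
            pieces.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    pieces.append("".join(buf).strip())
    return [p for p in pieces if p]


def parse_rules(val: str) -> dict[str, list[tuple[str, ...]]]:
    """'access_rules ['P\\G\\N'], protection_rules [...]' -> {kind: [(priority, group, name)]}."""
    return {kind: [tuple(r.split("\\")) for r in re.findall(r"'([^']*)'", inner)]
            for kind, inner in RULE_LIST_RE.findall(val)}


def parse_threats(val: str) -> list[tuple[str, str]]:
    """'Name\\Action, Name2\\Action2' -> [(name, action), ...]; action is '' if absent."""
    out = []
    for entry in val.split(","):
        entry = entry.strip()
        if entry:
            name, _, action = entry.rpartition("\\")
            out.append((name, action) if name else (action, ""))
    return out


def parse_event(line: str) -> dict[str, Any]:
    """Parse one KWTS traffic-processing event into a dict with an 'objects' list."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a KWTS traffic-processing event: {line!r}")
    event: dict[str, Any] = {"timestamp": m["ts"], "host": m["host"], "objects": []}
    current: dict[str, Any] | None = None   # object whose scan results are being read
    for tok in split_outside_quotes(m["body"]):
        kv = KV_RE.match(tok)
        if kv:
            key, val = kv["key"].replace("-", "_"), kv["val"]   # av-status -> av_status
            if current is None:              # HTTP-message keys: type, method, ..., url
                event[key] = val
            elif key == "rules":
                current[key] = parse_rules(val)
            elif key == "threats":
                current[key] = parse_threats(val)
            else:
                current[key] = val
            continue
        obj = OBJ_RE.match(tok)              # "name" or partN "name" starts a new object
        if not obj:
            raise ValueError(f"unexpected token {tok!r}")
        current = {"part": int(obj["n"]) if obj["n"] else None, "name": obj["name"]}
        event["objects"].append(current)
    return event


def findings(event: dict[str, Any]) -> list[tuple[str, str, str]]:
    """(object name, key, value) for every Detected or ScanError result; clean objects give nothing."""
    return [(obj["name"], key, obj[key])
            for obj in event["objects"]
            for key in STATUS_KEYS
            if obj.get(key) in ("Detected", "ScanError")]


# The example line from the page.
DOCUMENTED_EXAMPLE = r'''Dec 18 12:39:36 squid-server KWTS: type="Response": method="GET": action="Deny": workspace="": http_user_name="example@test.local": http_user_agent="curl/7.29.0": http_user_ip="192.0.2.0": url="http://example.com/EICAR/eicar.com": "eicar.com", rules="access_rules ['LowPriority\Default Access Group\Default Access Rule'], protection_rules ['LowPriority\Default Protection Group\Default Protection Rule']", av-status="Detected", threats="EICAR-Test-File\Deny", ap-status="NotDetected", encrypted="NotDetected", macros="NotDetected"'''

# Constructed for this example (not from the page): a two-part upload in the
# part1 ... : part2 ... layout the documentation describes.
CONSTRUCTED_MULTIPART = r'''Dec 18 12:40:01 squid-server KWTS: type="Request": method="POST": action="Allow": workspace="": http_user_name="example@test.local": http_user_agent="curl/7.29.0": http_user_ip="192.0.2.0": url="http://example.com/upload": part1 "news.pdf", rules="access_rules ['LowPriority\Default Access Group\Default Access Rule'], protection_rules ['LowPriority\Default Protection Group\Default Protection Rule']", av-status="NotDetected", ap-status="NotDetected", encrypted="Detected", macros="NotDetected": part2 "report.docm", rules="access_rules ['LowPriority\Default Access Group\Default Access Rule'], protection_rules ['LowPriority\Default Protection Group\Default Protection Rule']", av-status="NotDetected", ap-status="NotDetected", encrypted="NotDetected", macros="Detected"'''

if __name__ == "__main__":
    for line in (DOCUMENTED_EXAMPLE, CONSTRUCTED_MULTIPART):
        ev = parse_event(line)
        print(ev["type"], ev["method"], ev["action"], ev["url"])
        for name, key, val in findings(ev):
            print(f"  {name}: {key}={val}")
```

Splitting on separators outside quotes, rather than on ": " and ", " literally, is what keeps the colon in url and the commas inside rules from being mistaken for field boundaries; normalising the hyphenated status keys to the table's underscore spelling means one rule covers both forms.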
