CEF Device Access Control Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Control Manager |
| Header (pver) | Appliance version | 7.0 |
| Header (eventid) | Event ID | 700107 |
| Header (eventName) | Log name | Device Access Control |
| Header (severity) | Severity | 3 |
| rt | The log generation time in UTC | Example: "Feb 14 2017 11:14:08 GMT+00:00" |
| cs1Label | Corresponding label for the "cs1" field | "Product Entity/Endpoint" |
| cs1 | Server host name | Example: "Sample_OSCE" |
| shost | Source host name | Example: "shost1" |
| dvchost | Target host name | Example: "localhost" |
| cn1Label | Corresponding label for the "cn1" field | "Product" |
| cn1 | Product ID | Example: "OfficeScan". For more information, see Product ID Mapping Table. |
| sproc | Target process | Example: "C:\Windows\explorer.exe" |
| fname | File name | Example: "F:\Autorun.inf" |
| cn2Label | Corresponding label for the "cn2" field | "Device Type" |
| cn2 | Device type | Example: "0". Values: 0: USB storage device; 1: Non-storage USB; 2: CD/DVD; 3: Floppy disks; 4: Network driver |
| cn3Label | Corresponding label for the "cn3" field | "Permission" |
| cn3 | Permission | Example: "3". Values: 0: Modify; 1: Read and execute; 2: Read; 3: List device content only; 4: Block |
| deviceFacility | Product | Example: "OfficeScan" |

Log sample:

CEF:0|Trend Micro|Control Manager|7.0|700107|Device Access Control|3|rt=Aug 16 2017 04:49:15 GMT+00:00 cs1Label=Product_Entity/Endpoint cs1=Sample_OSCE shost=shost1 dvchost=localhost cn1Label=Product cn1=15 sproc=C:\\Windows\\explorer.exe fname=F:\\Autorun.inf cn2Label=Device_Type cn2=0 cn3Label=Permission cn3=3 deviceFacility=OfficeScan
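
The following added example (not part of the original page and not Trend Micro code) parses a record of this type according to the field table, undoes the CEF backslash escaping seen in `sproc` and `fname`, and decodes the `cn2` and `cn3` codes. The function names, the derived keys `time`, `deviceType` and `permission`, and the tolerance for a leading syslog prefix are assumptions made for illustration.

```python
import re
from datetime import datetime

# Added example; function names and derived keys (time, deviceType, permission) are illustrative.
# Code-to-name mappings copied from the cn2 and cn3 rows of the field table.
DEVICE_TYPES = {0: "USB storage device", 1: "Non-storage USB", 2: "CD/DVD",
                3: "Floppy disks", 4: "Network driver"}
PERMISSIONS = {0: "Modify", 1: "Read and execute", 2: "Read",
               3: "List device content only", 4: "Block"}
HEADER_KEYS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
# Seven pipe-terminated header fields (backslash escapes the next character), then the extension.
HEADER_RE = re.compile(r"((?:[^\\|]|\\.)*)\|" * 7 + r"(.*)", re.DOTALL)
# An extension key starts the extension or follows a space, and ends at "=".
KEY_RE = re.compile(r"(?:^| )(\w+)=")

# The page's log sample with the display line wraps removed.
SAMPLE = (r"CEF:0|Trend Micro|Control Manager|7.0|700107|Device Access Control|3|"
          r"rt=Aug 16 2017 04:49:15 GMT+00:00 cs1Label=Product_Entity/Endpoint "
          r"cs1=Sample_OSCE shost=shost1 dvchost=localhost cn1Label=Product cn1=15 "
          r"sproc=C:\\Windows\\explorer.exe fname=F:\\Autorun.inf cn2Label=Device_Type "
          r"cn2=0 cn3Label=Permission cn3=3 deviceFacility=OfficeScan")


def unescape(value):
    """Undo CEF escaping of backslash, equals sign and pipe."""
    return re.sub(r"\\([\\=|])", r"\1", value)


def parse_device_access_control(line):
    """Parse one Device Access Control record (event ID 700107) into a dict."""
    start = line.find("CEF:")  # assumption: skip a syslog prefix if the transport added one
    m = HEADER_RE.match(line[start:].strip()) if start >= 0 else None
    if not m:
        raise ValueError("not a CEF record")
    event = {k: unescape(v) for k, v in zip(HEADER_KEYS, m.groups())}
    if event["eventid"] != "700107":
        raise ValueError("unexpected event ID " + event["eventid"])
    ext = m.group(8)
    keys = list(KEY_RE.finditer(ext))
    for cur, nxt in zip(keys, keys[1:] + [None]):
        end = nxt.start() if nxt else len(ext)  # a value runs up to the next " key="
        event[cur.group(1)] = unescape(ext[cur.end():end])
    if "rt" in event:  # normalise the documented rt format to an aware datetime
        event["time"] = datetime.strptime(event["rt"], "%b %d %Y %H:%M:%S GMT%z")
    for key, table, name in (("cn2", DEVICE_TYPES, "deviceType"),
                             ("cn3", PERMISSIONS, "permission")):
        code = event.get(key, "")
        event[name] = table.get(int(code), "unknown") if code.isdigit() else None
    return event
```

Values are split at the next ` key=` boundary rather than at every space, because fields such as `rt` contain spaces.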