CEF Endpoint Application Control Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Control Manager |
| Header (pver) | Appliance version | 7.0 |
| Header (eventid) | Device event class ID | 0: Allow; 1: Block; 2: Lockdown |
| Header (eventName) | Event name | Endpoint Application Control Violation Information |
| Header (severity) | Severity | 3 |
| deviceExternalId | ID | Example: "39" |
| rt | Log generation time in UTC | Example: "Feb 14 2017 11:14:08 GMT+00:00" |
| dvchost | Computer name | Example: "localhost" |
| shost | Client host name | Example: "shost1" |
| cs1 | Product server pattern version | Example: "1297" |
| suser | Client user name | Example: "TREND\User" |
| cs2 | Client IPv4 address | Example: "10.0.17.6" |
| c6a3 | Client IPv6 address | Example: "fe80::38ca:cd15:443c:40bb%11" |
| cn1 | Client status | 1: Rebuilding database; 2: Online; 3: Offline |
| filehash | Application file SHA-1 hash | Example: "D6712CAE5EC821F910E14945153AE7871AA536CA" |
| fname | Application file name | Example: "notepad.exe" |
| cs3 | Application process command line | Example: "notepad.exe" |
| duser | User name | Example: "Admin004" |
| cs4 | Rule name | Example: "SAMPLE RULE SET" |
| cs5 | Policy name | Example: "SAMPLE POLICY" |
| act | Policy action | 0: Allowed; 1: Blocked; 2: Reported as allowed; 3: Reported as blocked |
| deviceFacility | Product name | Example: "Trend Micro Endpoint Application Control" |

Log sample:

```
CEF:0|Trend Micro|Control Manager|7.0|EAC:1|Endpoint Application Control Violation Information|3|deviceExternalId=39 rt=Jun 27 2012 03:14:03 GMT+00:00 cs1Label=Version cs1=1.299.00 suser=TMCM\\QA cs2Label=ApplicationControlEvent_ClientIPAddress_V4 cs2=0.0.0.0 cn1Label=Connection_Status cn1=0 fileHash=c0869b72C5606D22D92A6AC986686BB87485A25b fname=P2P_TEST.exe cs3Label=Command cs3=C:\\P2P_TEST.exe duser=QA cs4Label=Rule cs4=Test cs5Label=Policy cs5=TestPolicy act=Blocked deviceFacility=Trend Micro Endpoint Application Control
```
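To show how a SIEM ingestion step would consume a record like the sample, here is an added example (not Trend Micro's or Control Manager's code): a small Python CEF parser that splits the pipe-delimited header while honouring the `\|` and `\\` escapes, extracts the key=value extension with `\=` and `\\` unescaping, resolves the `cs1Label`/`cn1Label` names to their labels, and decodes the `act`, `cn1` and event class codes using the field list above. The sample line is embedded as constructed input. Two points are this example's assumptions rather than documented behaviour: the event class code is taken as the number after the colon in `EAC:1`, and both the `filehash` spelling from the field list and the `fileHash` spelling from the sample are accepted. The sample's `act=Blocked` text and `cn1=0` are not in the documented code tables, so the decoder passes such values through as undocumented instead of failing.

```python
import re

# Constructed input: the page's sample record, joined onto one line. In the CEF wire
# form a literal backslash is written "\\", so the Python literal below doubles it again.
SAMPLE_LOG = (
    "CEF:0|Trend Micro|Control Manager|7.0|EAC:1|Endpoint Application Control Violation "
    "Information|3|deviceExternalId=39 rt=Jun 27 2012 03:14:03 GMT+00:00 cs1Label=Version "
    "cs1=1.299.00 suser=TMCM\\\\QA cs2Label=ApplicationControlEvent_ClientIPAddress_V4 "
    "cs2=0.0.0.0 cn1Label=Connection_Status cn1=0 "
    "fileHash=c0869b72C5606D22D92A6AC986686BB87485A25b fname=P2P_TEST.exe "
    "cs3Label=Command cs3=C:\\\\P2P_TEST.exe duser=QA cs4Label=Rule cs4=Test "
    "cs5Label=Policy cs5=TestPolicy act=Blocked "
    "deviceFacility=Trend Micro Endpoint Application Control"
)

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "event_class_id", "name", "severity")

# Code tables as documented in the field list on the page.
EVENT_CLASS = {"0": "Allow", "1": "Block", "2": "Lockdown"}
CLIENT_STATUS = {"1": "Rebuilding database", "2": "Online", "3": "Offline"}
POLICY_ACTION = {"0": "Allowed", "1": "Blocked",
                 "2": "Reported as allowed", "3": "Reported as blocked"}

# A key is a run of [A-Za-z0-9_.] followed by '=', at start of text or after whitespace.
# An escaped '\=' never matches because the character before '=' would be a backslash.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_EXT_UNESCAPE = {"\\": "\\", "=": "=", "n": "\n", "r": "\r"}


def split_header(line):
    """Split the seven pipe-delimited header fields; '\\|' and '\\\\' are escapes.
    Returns (header dict, remaining extension text)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])      # escaped character, keep it literally
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    header = dict(zip(HEADER_FIELDS, fields))
    header["version"] = header["version"][len("CEF:"):]
    return header, line[i:]


def parse_extension(text):
    """Parse 'key=value key2=value' pairs; values may contain spaces, '\\=' and '\\\\'."""
    matches = list(_KEY_RE.finditer(text))
    out = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(text)
        raw = text[m.end():end]
        out[m.group(1)] = re.sub(
            r"\\(.)", lambda e: _EXT_UNESCAPE.get(e.group(1), e.group(0)), raw)
    return out


def resolve_labels(ext):
    """Replace cs1/cn1/c6a3-style keys with the names carried in their xxxLabel fields."""
    labelled = {}
    for key, value in ext.items():
        if key.endswith("Label"):
            continue
        labelled[ext.get(key + "Label") or key] = value
    return labelled


def normalize_sha1(value):
    """Upper-case a SHA-1 (the sample is mixed case); None if it is not 40 hex digits."""
    return value.upper() if re.fullmatch(r"[0-9A-Fa-f]{40}", value) else None


def decode_eac_event(line):
    """Parse one Endpoint Application Control record and decode its coded fields."""
    header, ext_text = split_header(line)
    ext = parse_extension(ext_text)
    # Assumption: the field list documents 0/1/2 but the sample carries "EAC:1",
    # so the code is taken as the part after the last colon.
    class_code = header["event_class_id"].rsplit(":", 1)[-1]
    action = ext.get("act", "")
    status = ext.get("cn1", "")
    # The field list spells the key 'filehash'; the sample uses 'fileHash'. Accept both.
    sha1 = ext.get("fileHash") or ext.get("filehash") or ""
    return {
        "header": header,
        "fields": resolve_labels(ext),
        "event_class": EVENT_CLASS.get(class_code, "unknown(%s)" % header["event_class_id"]),
        "client_status": CLIENT_STATUS.get(status, "unknown(%s)" % status),
        # act is documented as 0-3, yet the sample sends the word "Blocked": keep text as-is.
        "policy_action": POLICY_ACTION.get(action, action),
        "sha1": normalize_sha1(sha1),
    }


def is_blocked(event):
    """True for the records an application-control alert rule would raise on."""
    return event["policy_action"] in ("Blocked", "Reported as blocked")


if __name__ == "__main__":
    ev = decode_eac_event(SAMPLE_LOG)
    print(ev["event_class"], ev["policy_action"], ev["fields"]["Command"], ev["sha1"])
```

Running the block prints the decoded event class, the policy action, the unescaped command line `C:\P2P_TEST.exe` and the SHA-1 normalised to upper case, which is the form in which the hash can be compared consistently against an allow list or a threat-intelligence feed. The header is scanned character by character rather than split on `|` so that an escaped pipe inside a product or event name does not shift the field positions, and the extension is split on key boundaries rather than on spaces because values such as `rt` and `deviceFacility` legitimately contain spaces.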