Content Mapping Between Log Output and CEF Syslog Type

To enable flexible integration with third-party log management systems, Trend Micro Email Security supports Common Event Format (CEF) as the syslog message format.

Common Event Format (CEF) is an open log management standard created by HP ArcSight. Trend Micro Email Security uses a subset of the CEF dictionary.

The following tables outline syslog content mapping between Trend Micro Email Security log output and CEF syslog types.

Table 1. CEF Detection Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | TMES |
| Header (pver) | Appliance version | Example: 1.0.0.0 |
| Header (eventid) | Signature ID | 100101 |
| Header (eventName) | Description | DETECTION |
| Header (severity) | Email severity | 6: Medium |
| rt | Log generation time | Example: 2018-06-28 03:22:31 |
| cs1Label | Event type | eventType |
| cs1 | Event type | Example: ransomware |
| cs2Label | Domain name | domainName |
| cs2 | Domain name | Example: example1.com |
| suser | Email sender | Example: user1@example1.com |
| duser | Email recipients | Example: user2@example2.com |
| cs3Label | Email message direction | direction |
| cs3 | Email message direction | One of: incoming, outgoing |
| cs4Label | Unique message identifier | messageId |
| cs4 | Unique message identifier | Example: 201605181642138223747@trend.com |
| msg | Email subject | Example: hello |
| cn1Label | Email message size | messageSize |
| cn1 | Email message size | Example: 1809 |
| cs5Label | Violated event analysis | policyName |
| cs5 | Violated event analysis | Example: Spam |
| act | Action in the event | One of: Quarantine, Bypass, Delete Attachment, Insert Stamp, Tag Subject, Change Recipient, Delete Message, Send Notification, Reject, Clean, BCC, Deliver, Insert X-Header, Encryption in progress |

Log sample:

CEF:0|Trend Micro|TMES|1.0.0.0|100101|DETECTION|6|rt=2018-06-28 03:22:31 cs1Label=eventType cs1=ransomware cs2Label=domainName cs2=example1.com suser=user1@example1.com duser=user2@example2.com cs3Label=direction cs3=incoming cs4Label=messageId cs4=201605181642138223747@trend.com msg=ransomeware test1 cn1Label=messageSize cn1=1809 cs5Label=policyName cs5=spam act=Quarantine

Table 2. CEF Audit Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | TMES |
| Header (pver) | Appliance version | Example: 1.0.0.0 |
| Header (eventid) | Signature ID | 300101 |
| Header (eventName) | Description | AUDIT |
| Header (severity) | Email severity | 4: Low |
| rt | Log generation time | Example: 2018-06-28 03:22:31 |
| cs1Label | Account type | accountType |
| cs1 | Account type | One of: end user, admin |
| suser | Email sender | Example: user1@example1.com |
| cs2Label | Event type | eventType |
| cs2 | Event type | Example: End-User Actions |
| act | Action in the event | Example: User login to End User Console |
| cs3Label | Domain affected by the event | affectedDomains |
| cs3 | Domain affected by the event | Example: example1.com |

Log sample:

CEF:0|Trend Micro|TMES|1.0.0.0|300101|AUDIT|4|rt=2018-06-28 03:22:31 cs1Label=accountType cs1=end user suser=user1@example1.com cs2Label=eventType cs2=End-User Actions act=User login to End User Console cs3Label=affectedDomains cs3=
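The two samples above show the traps a collector hits when it ingests these lines: extension values contain spaces (cs1=end user, act=User login to End User Console, the subject in msg), a trailing key can be empty (cs3= in the audit sample), the csN/cnN meaning is only known once the matching csNLabel is read, and rt is written as a local date-time string rather than the CEF epoch-millisecond form. The parser below is an added example written for this page, not Trend Micro code; it embeds the page's two samples (joined back into single lines) as constructed input, splits the extension on key boundaries instead of on every space, folds each csNLabel/cnNLabel pair into a named field, and flags detection events whose action from Table 1 still lets the message through. The NON_BLOCKING_ACTIONS set and the review rule are assumptions for the example, not anything the page specifies.

```python
import re
from datetime import datetime

# Constructed sample input: the two log samples from the page, each joined back into one line.
DETECTION_SAMPLE = (
    "CEF:0|Trend Micro|TMES|1.0.0.0|100101|DETECTION|6|"
    "rt=2018-06-28 03:22:31 cs1Label=eventType cs1=ransomware cs2Label=domainName "
    "cs2=example1.com suser=user1@example1.com duser=user2@example2.com cs3Label=direction "
    "cs3=incoming cs4Label=messageId cs4=201605181642138223747@trend.com msg=ransomeware "
    "test1 cn1Label=messageSize cn1=1809 cs5Label=policyName cs5=spam act=Quarantine"
)
AUDIT_SAMPLE = (
    "CEF:0|Trend Micro|TMES|1.0.0.0|300101|AUDIT|4|"
    "rt=2018-06-28 03:22:31 cs1Label=accountType cs1=end user suser=user1@example1.com "
    "cs2Label=eventType cs2=End-User Actions act=User login to End User Console "
    "cs3Label=affectedDomains cs3="
)

HEADER_FIELDS = ("version", "vendor", "product", "product_version",
                 "signature_id", "name", "severity")

# Assumption for this example: of the detection actions listed in Table 1, these are the
# ones after which the message still reaches a mailbox, so a SOC may want to review them.
NON_BLOCKING_ACTIONS = {"Bypass", "Deliver", "Insert Stamp", "Tag Subject", "Insert X-Header"}

# An extension key is a run of word characters followed by '=' at the start of the
# extension or after whitespace; splitting on that boundary keeps spaces inside values.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def split_header(line):
    """Split the seven pipe-delimited CEF header fields from the extension."""
    # A literal pipe inside a header field is escaped as \| in CEF, so do not split on it.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line[:40])
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER_FIELDS, parts[:7])}
    header["version"] = header["version"][len("CEF:"):]
    return header, parts[7]


def parse_extension(ext):
    """Parse 'key=value key=value ...' where values may contain spaces or be empty (cs3=)."""
    fields = {}
    matches = list(_EXT_KEY.finditer(ext))
    for i, m in enumerate(matches):
        start = m.end()
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        value = ext[start:end].strip()
        # CEF escapes a literal '=' and '\' inside extension values.
        fields[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return fields


def resolve_labels(fields):
    """Fold csNLabel/cnNLabel pairs into named fields: cs1Label=eventType cs1=ransomware -> eventType."""
    resolved = {}
    for key, value in fields.items():
        if key.endswith("Label"):
            continue
        resolved[fields.get(key + "Label", key)] = value
    return resolved


def parse_tmes_cef(line):
    """Parse one TMES CEF line into a header dict and a label-resolved fields dict."""
    header, ext = split_header(line)
    fields = resolve_labels(parse_extension(ext))
    if "rt" in fields:
        # The page shows rt as 'YYYY-MM-DD HH:MM:SS' rather than CEF epoch milliseconds;
        # the time zone is not stated on the page, so this stays a naive datetime.
        fields["rt"] = datetime.strptime(fields["rt"], "%Y-%m-%d %H:%M:%S")
    if fields.get("messageSize", "").isdigit():
        fields["messageSize"] = int(fields["messageSize"])
    return {"header": header, "fields": fields}


def needs_review(event):
    """True for a DETECTION event whose action let the message through to the recipient."""
    return (event["header"]["name"] == "DETECTION"
            and event["fields"].get("act") in NON_BLOCKING_ACTIONS)


if __name__ == "__main__":
    for sample in (DETECTION_SAMPLE, AUDIT_SAMPLE):
        ev = parse_tmes_cef(sample)
        print(ev["header"]["name"], ev["fields"], "REVIEW" if needs_review(ev) else "")
```

Because the label fields are resolved, downstream rules can match on eventType, policyName or affectedDomains instead of on cs1/cs5/cs3, whose meaning differs between the detection and audit tables even though the CEF key is the same.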