CEF Mail Tracking Logs (Accepted Traffic)
|
CEF Key |
Description |
Value |
|---|---|---|
|
Header (logVer) |
CEF format version |
CEF: 0 |
|
Header (vendor) |
Appliance vendor |
Trend Micro |
|
Header (pname) |
Appliance product |
TMES |
|
Header (pver) |
Appliance version |
Example: 1.0.0.0 |
|
Header (eventid) |
Signature ID |
400101 |
|
Header (eventName) |
Description |
TRACKING |
|
Header (severity) |
Email severity |
4 |
|
rt |
Log generation time |
Example: 2019-12-10T08:26:46.728Z |
|
suser |
Email sender |
Example: user1@example1.com |
|
duser |
Email recipients |
Example: user2@example2.com |
|
msg |
Email subject |
Example: hello |
|
src |
Source IP address |
Example: 10.1.144.199 |
|
deviceTranslatedAddress |
Relay MTA IP address |
Example: 204.92.31.146 |
|
cs1Label |
Internal email message ID |
mailUuid |
|
cs1 |
Internal email message ID |
Example: 6965222B-13A6-C705-89D4-6251B6C41E03 |
|
cs2Label |
Email message direction |
direction |
|
cs2 |
Email message direction |
|
|
cs3Label |
Unique message identifier |
messageId |
|
cs3 |
Unique message identifier |
Example: 201605181642138223747@trend.com |
|
cs4Label |
Email attachments |
attachments |
|
cs4 |
Email attachments |
Example: [["filename", "sha256"], ["filename", "sha256"], ...] |
|
cn1Label |
Email message size |
messageSize |
|
cn1 |
Email message size |
Example: 1809 |
|
act |
Action on an email message |
|
|
cs5Label |
TLS information |
tlsInfo |
|
cs5 |
TLS information |
Example: upstreamTLS: None; downstreamTLS: TLS 1.2 |
Log sample:
CEF:0|Trend Micro|TMES|1.0.0.0|400101|TRACKING|4|rt=2019-12-10T08:26:46.728Z
suser=user1@example1.com duser=user2@example2.com msg=DLP--test src=1.1.1.1
deviceTranslatedAddress=2.2.2.2 cs1Label=mailUuid
cs1=7ea8f636-c26e-4b78-a341-9b5becb83db7 cs2Label=direction cs2=incoming
cs3Label=messageId cs3=<201802061558581772031@example.com>
cn1Label=messageSize cn1=41438 act=Delivered cs4Label=attachments
cs4=[{"sha256":"f78960148721b59dcb563b9964a4d47e2a834a4259f46cd12db7c1cfe82ff32e"}]
cs5Label=tlsInfo cs5=upstreamTLS: None; downstreamTLS: TLS 1.2
