CEF Mail Tracking Logs (Accepted Traffic)

Table 1. CEF Mail Tracking Logs (Accepted Traffic)

| CEF Key                 | Description                | Value                                                                                                                              |
|-------------------------|----------------------------|------------------------------------------------------------------------------------------------------------------------------------|
| Header (logVer)         | CEF format version         | CEF:0                                                                                                                              |
| Header (vendor)         | Appliance vendor           | Trend Micro                                                                                                                        |
| Header (pname)          | Appliance product          | TMES                                                                                                                               |
| Header (pver)           | Appliance version          | Example: 1.0.0.0                                                                                                                   |
| Header (eventid)        | Signature ID               | 400101                                                                                                                             |
| Header (eventName)      | Description                | TRACKING                                                                                                                           |
| Header (severity)       | Email severity             | 4: Low                                                                                                                             |
| rt                      | Log generation time        | Example: 2018-06-28 03:22:31                                                                                                       |
| suser                   | Email sender               | Example: user1@example1.com                                                                                                        |
| duser                   | Email recipients           | Example: user2@example2.com                                                                                                        |
| msg                     | Email subject              | Example: hello                                                                                                                     |
| src                     | Source IP address          | Example: 10.1.144.199                                                                                                              |
| deviceTranslatedAddress | Relay MTA IP address       | Example: 204.92.31.146                                                                                                             |
| cs1Label                | Internal email message ID  | mailUuid                                                                                                                           |
| cs1                     | Internal email message ID  | Example: 6965222B-13A6-C705-89D4-6251B6C41E03                                                                                      |
| cs2Label                | Email message direction    | direction                                                                                                                          |
| cs2                     | Email message direction    | incoming / outgoing                                                                                                                |
| cs3Label                | Unique message identifier  | messageId                                                                                                                          |
| cs3                     | Unique message identifier  | Example: 201605181642138223747@trend.com                                                                                           |
| cs4Label                | Email attachments          | attachments                                                                                                                        |
| cs4                     | Email attachments          | Example: [["filename", "sha256"], ["filename", "sha256"], ...]                                                                     |
| cn1Label                | Email message size         | messageSize                                                                                                                        |
| cn1                     | Email message size         | Example: 1809                                                                                                                      |
| act                     | Action on an email message | Bounced / Temporary delivery error / Deleted / Delivered / Expired / Quarantined / Redirected / Submitted to sandbox / Password analyzing |
| cs5Label                | TLS information            | tlsInfo                                                                                                                            |
| cs5                     | TLS information            | Example: upstreamTLS: None; downstreamTLS: TLS 1.2                                                                                 |

Log sample (a single CEF record, wrapped here for readability):

CEF:0|Trend Micro|TMES|1.0.0.0|400101|TRACKING|4|rt=2019-12-10T08:26:46.728Z 
suser=user1@example1.com duser=user2@example2.com msg=DLP--test src=1.1.1.1 
deviceTranslatedAddress=2.2.2.2 cs1Label=mailUuid 
cs1=7ea8f636-c26e-4b78-a341-9b5becb83db7 cs2Label=direction cs2=incoming 
cs3Label=messageId cs3=<201802061558581772031@example.com> 
cn1Label=messageSize cn1=41438 act=Delivered cs4Label=attachments 
cs4=[{"sha256":"f78960148721b59dcb563b9964a4d47e2a834a4259f46cd12db7c1cfe82ff32e"}] 
cs5Label=tlsInfo cs5=upstreamTLS: None; downstreamTLS: TLS 1.2
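The following parser is an added example written for this page; it is not Trend Micro code and assumes nothing beyond the CEF record layout and the field names documented above. It splits the pipe-delimited header, tokenises the `key=value` extension on the "whitespace followed by an unescaped `key=`" boundary (so values such as `cs5` with embedded spaces and colons, or `cs4` with JSON, survive), resolves the `csNLabel`/`csN` and `cnNLabel`/`cnN` pairs into their label names, and then runs a small detection over the parsed records. Note that the page itself shows two shapes for `cs4` (`[["filename", "sha256"], ...]` in the table, `[{"sha256": "..."}]` in the log sample) and two timestamp layouts for `rt`, so the parser accepts both attachment shapes and leaves `rt` as a string. The first sample record is the page's own log sample joined onto one line; the second record and the IOC hash set are constructed for the example.

```python
import json
import re

# CEF escapes "\|" and "\\" in the header and "\=", "\\", "\n", "\r" in the
# extension; one unescape routine covers both sets.
_ESC_MAP = {"n": "\n", "r": "\r"}
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")   # start of an extension key
_LABEL_RE = re.compile(r"^(cs|cn)\d+Label$")        # csNLabel / cnNLabel keys


def _unescape(s):
    return re.sub(r"\\(.)", lambda m: _ESC_MAP.get(m.group(1), m.group(1)), s)


def _split_unescaped(s, delim, maxsplit):
    """Split on delim, ignoring delimiters preceded by a backslash."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            buf.append(s[i:i + 2])
            i += 2
            continue
        if s[i] == delim and len(parts) < maxsplit:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(s[i])
        i += 1
    parts.append("".join(buf))
    return parts


def parse_extension(ext):
    """Parse 'k=v k2=v2 ...'; values may contain spaces, ':' and JSON, so a
    value ends where whitespace is followed by the next 'key=' (unescaped)."""
    keys = list(_KEY_RE.finditer(ext))
    raw = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        raw[m.group(1)] = _unescape(ext[m.end():end].rstrip())
    labels = {k[:-5]: v for k, v in raw.items() if _LABEL_RE.match(k)}
    fields = {}
    for key, value in raw.items():
        if _LABEL_RE.match(key):
            continue
        if key.startswith("cn") and key in labels:
            value = int(value)                   # cnN fields are numeric in CEF
        fields[labels.get(key, key)] = value      # cs1 -> mailUuid, cn1 -> messageSize
    return fields


def normalise_attachments(raw):
    """Accept both shapes on the page: [["name","sha256"], ...] and [{"sha256": ...}]."""
    out = []
    for item in json.loads(raw):
        if isinstance(item, dict):
            out.append({"filename": item.get("filename"), "sha256": item.get("sha256")})
        elif isinstance(item, list) and len(item) == 2:
            out.append({"filename": item[0], "sha256": item[1]})
        else:
            raise ValueError("unrecognised attachment entry: %r" % (item,))
    return out


def parse_tls_info(value):
    """'upstreamTLS: None; downstreamTLS: TLS 1.2' -> dict; None means no TLS."""
    out = {}
    for part in value.split(";"):
        if ":" in part:
            k, v = part.split(":", 1)
            out[k.strip()] = None if v.strip() == "None" else v.strip()
    return out


def parse_cef(line):
    parts = _split_unescaped(line.rstrip("\r\n"), "|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    ver, vendor, product, pver, sig, name, sev, ext = parts
    event = {"cef_version": int(ver[4:]), "vendor": _unescape(vendor),
             "product": _unescape(product), "product_version": _unescape(pver),
             "signature_id": _unescape(sig), "name": _unescape(name),
             "severity": int(sev)}
    event.update(parse_extension(ext))
    if "attachments" in event:
        event["attachments"] = normalise_attachments(event["attachments"])
    if "tlsInfo" in event:
        event["tlsInfo"] = parse_tls_info(event["tlsInfo"])
    return event


def flag_delivered_iocs(lines, ioc_sha256):
    """Detection: mail that was actually Delivered (not Quarantined, Bounced,
    etc.) and carried an attachment whose SHA-256 is on an IOC list."""
    hits = []
    for line in lines:
        ev = parse_cef(line)
        if ev.get("act") != "Delivered":
            continue
        bad = [a["sha256"] for a in ev.get("attachments", []) if a["sha256"] in ioc_sha256]
        if bad:
            hits.append({"mailUuid": ev["mailUuid"], "suser": ev["suser"],
                         "duser": ev["duser"], "sha256": bad})
    return hits


# Record 1: the page's log sample on one line. Record 2: constructed here to
# exercise the table-style cs4 shape, a space in rt and an escaped "\=" in msg.
SAMPLE_LINES = [
    'CEF:0|Trend Micro|TMES|1.0.0.0|400101|TRACKING|4|rt=2019-12-10T08:26:46.728Z '
    'suser=user1@example1.com duser=user2@example2.com msg=DLP--test src=1.1.1.1 '
    'deviceTranslatedAddress=2.2.2.2 cs1Label=mailUuid '
    'cs1=7ea8f636-c26e-4b78-a341-9b5becb83db7 cs2Label=direction cs2=incoming '
    'cs3Label=messageId cs3=<201802061558581772031@example.com> '
    'cn1Label=messageSize cn1=41438 act=Delivered cs4Label=attachments '
    'cs4=[{"sha256":"f78960148721b59dcb563b9964a4d47e2a834a4259f46cd12db7c1cfe82ff32e"}] '
    'cs5Label=tlsInfo cs5=upstreamTLS: None; downstreamTLS: TLS 1.2',
    r'CEF:0|Trend Micro|TMES|1.0.0.0|400101|TRACKING|4|rt=2018-06-28 03:22:31 '
    r'suser=user1@example1.com duser=user2@example2.com msg=Invoice a\=b '
    r'src=10.1.144.199 deviceTranslatedAddress=204.92.31.146 cs1Label=mailUuid '
    r'cs1=6965222B-13A6-C705-89D4-6251B6C41E03 cs2Label=direction cs2=incoming '
    r'cs3Label=messageId cs3=201605181642138223747@trend.com '
    r'cn1Label=messageSize cn1=1809 act=Quarantined cs4Label=attachments '
    r'cs4=[["invoice.pdf", "f78960148721b59dcb563b9964a4d47e2a834a4259f46cd12db7c1cfe82ff32e"]] '
    r'cs5Label=tlsInfo cs5=upstreamTLS: TLS 1.2; downstreamTLS: TLS 1.2',
]
# Constructed IOC set: the hash from the page's sample, so record 1 is flagged.
IOC_SHA256 = {"f78960148721b59dcb563b9964a4d47e2a834a4259f46cd12db7c1cfe82ff32e"}

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(json.dumps(parse_cef(line), indent=2))
    print(flag_delivered_iocs(SAMPLE_LINES, IOC_SHA256))
```

Only the first record is flagged: the second carries the same hash but its `act` is Quarantined, so it never reached the recipient. Matching on the resolved `mailUuid` rather than the raw `cs1` key keeps the detection stable if the appliance ever reorders or renumbers its custom-string slots, which is the whole point of the `csNLabel` convention.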