Syslog Content Mapping - CEF

Understand the content mapping between Internet Access log output and CEF syslog format.

CEF Internet Access On-Premises Gateway Logs

| CEF Key | Description | Type | Value |
| --- | --- | --- | --- |
| Header (logVer) | CEF format version | String | CEF:0 |
| Header (vendor) | Appliance product vendor | String | Trend Micro |
| Header (pname) | Product name | String | Zero Trust Secure Access - Internet Access |
| Header (pver) | Appliance version | String | Example: 1.0.0.2000 |
| Header (eventid) | Unique identifier per event type | String | Example: 100000 |
| Header (eventName) | Category of the event | String | Activity Log |
| Header (severity) | Risk level | Integer | 0: act=allow/analyze; 1: act=monitor/warn/override; 2: act=block |
| rt | UTC timestamp of log generation | Timestamp | Example: Jul 05 2018 07:54:15 +0000 |
| act | Action taken for the violation | String | allow, monitor, block, warn, override, analyze |
| app | Application protocol | String | Example: HTTP |
| cat | URL category | String | Example: Search Engines/Portals |
| customerExternalId | Company ID | String | Example: 7800fcab-7611-416c-9ab4-721b7bd6b076 |
| suser | User Principal Name | String | Example: user_name@example.com |
| devicePayloadId | GUID of this event log | String | Example: aabb2233-a1b1-41dc-9abc-3f45ab290b0a |
| deviceExternalId | GUID of the endpoint with the Secure Access Module installed | String | Example: 66f0cb71-4150-4437-ba8b-91151bb12345 |
| shost | Hostname of the endpoint with the Secure Access Module installed | String | Example: my laptop |
| dvchost | Hostname of the serving on-premises gateway | String | Example: US_Office_on_premise_GW |
| dst | Destination IP address of a request | String | Example: 54.231.184.240 |
| src | Source IP address of a request | String | Example: 10.204.214.188 |
| out | Size of a request | Integer | Unit: bytes. Example: 501 |
| in | Size of a response | Integer | Unit: bytes. Example: 220529 |
| dproc | Application name | String | Example: Google |
| destinationServiceName | App and action name of granular access control | String | Example: OneDrive download file |
| cn1 | Malware type | Integer | 1: Virus; 2: Spyware; 3: Joke; 4: Trojan; 5: Test_Virus; 6: Packer; 7: Generic; 8: Other; 9: Botnet |
| cn1Label | Corresponding label for the "cn1" field | String | malwareType |
| cn2 | Web Reputation Services score | Integer | Example: 81 |
| cn2Label | Corresponding label for the "cn2" field | String | wrsScore |
| cn3 | Detection type | Integer | 0: No matched Zero Trust Secure Access rule; 1: Missing or invalid client certificate; 2: Untrusted server certificate; 3: Zero Trust Secure Access; 4: HTTPS inspection exception; 5: HTTPS inspection failure; 6: HTTPS bypass at inspection failure; 9: Approved URLs; 10: Blocked URLs; 15: Private IP address access; 20: Web Reputation; 21: URL Filtering; 30: Restricted file type; 33: Restricted MIME type; 34: Restricted file extension type; 40: Anti-malware scan; 41: File scan exception; 45: Predictive Machine Learning; 50: Botnet; 60: Application Control; 70: Virtual Analyzer submission; 90: Suspicious Object Blocked List; 100: Data Loss Prevention; 110: Ransomware; 120: Risk Control; 130: Non-compliant device |
| cn3Label | Corresponding label for the "cn3" field | String | detectionType |
| cs1 | Malware name | String | Example: HEUR_OLEXP.B |
| cs1Label | Corresponding label for the "cs1" field | String | malwareName |
| cs2 | Policy name | String | Example: default |
| cs2Label | Corresponding label for the "cs2" field | String | policyName |
| cs3 | Profile name | String | Example: default |
| cs3Label | Corresponding label for the "cs3" field | String | profileName |
| cs4 | Data Loss Prevention template name | String | Example: HIPAA, PII |
| cs4Label | Corresponding label for the "cs4" field | String | dlpDetails |
| cs5 | File SHA-256 | String | Example: ba9edecdd09de1307714564c24409bd25508e22fe11c768053a08f173f263e93 |
| cs5Label | Corresponding label for the "cs5" field | String | fileHashSha256 |
| cs6 | User group name | String | Example: R&D |
| cs6Label | Corresponding label for the "cs6" field | String | userGroupName |
| fname | File name | String | Example: example.doc |
| fileType | File type | String | Example: Microsoft Words |
| fsize | File size | Integer | Unit: bytes. Example: 12,345 |
| fileHash | File SHA-1 | String | Example: 3f21be4521b5278fb14b8f47afcabe08a17dc504 |
| dhost | Domain name of a request | String | Example: www.example.com |
| type | Indicates whether HTTPS inspection failed (applicable to HTTPS requests only) | Integer | 0: Successful; 1: Unsuccessful |
| requestClientApplication | User agent of a request | String | Example: Mozilla/5.0 |
| requestMethod | HTTP/HTTPS request method | String | Example: GET |
| requestContext | MIME type of a request payload | String | Example: text/html |
| reason | MIME type of a response payload | String | Example: text/html |
| outcome | Status or response code of a request | String | Example: 200 |
| proto | Network protocol for data transmission | String | Example: TCP |
| request | Full URL of a request | String | Example: https://www.example.com/page.html |
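As an added example (not code from the Trend Micro documentation or product), the following Python parser splits a line of this format into its seven header fields, renames the cnN/csN custom fields to the names carried in their Label keys, decodes the cn1 and cn3 enumerations listed in the table, and flags an event whose header severity does not match the value the table derives from act. The sample line is constructed from the table's example values.

```python
import re

# Enumerations copied from the mapping table above (cn1, cn3 and header severity).
MALWARE_TYPE = {1: "Virus", 2: "Spyware", 3: "Joke", 4: "Trojan", 5: "Test_Virus",
                6: "Packer", 7: "Generic", 8: "Other", 9: "Botnet"}
DETECTION_TYPE = {
    0: "No matched Zero Trust Secure Access rule", 1: "Missing or invalid client certificate",
    2: "Untrusted server certificate", 3: "Zero Trust Secure Access", 4: "HTTPS inspection exception",
    5: "HTTPS inspection failure", 6: "HTTPS bypass at inspection failure", 9: "Approved URLs",
    10: "Blocked URLs", 15: "Private IP address access", 20: "Web Reputation", 21: "URL Filtering",
    30: "Restricted file type", 33: "Restricted MIME type", 34: "Restricted file extension type",
    40: "Anti-malware scan", 41: "File scan exception", 45: "Predictive Machine Learning",
    50: "Botnet", 60: "Application Control", 70: "Virtual Analyzer submission",
    90: "Suspicious Object Blocked List", 100: "Data Loss Prevention", 110: "Ransomware",
    120: "Risk Control", 130: "Non-compliant device"}
# Header severity is a function of act: 0 allow/analyze, 1 monitor/warn/override, 2 block.
SEVERITY_BY_ACT = {"allow": 0, "analyze": 0, "monitor": 1, "warn": 1, "override": 1, "block": 2}
HEADER = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")

def parse_cef(line: str) -> dict:
    """Split the 7 CEF header fields (on unescaped '|' only) and the key=value extension."""
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    event = {k: v.replace(r"\|", "|") for k, v in zip(HEADER, parts[:7])}
    # Extension values may contain spaces (rt, shost, cat), so a new key starts only at ' name='.
    for pair in re.split(r"\s+(?=\w+=)", parts[7].strip()):
        key, _, value = pair.partition("=")
        event[key] = re.sub(r"\\([\\=])", r"\1", value)   # undo CEF escaping of '=' and '\'
    return event

def enrich(line: str) -> dict:
    """Rename cnN/csN to their cnNLabel/csNLabel names and decode the enumerated fields."""
    raw = parse_cef(line)
    ev = {raw.get(k + "Label", k): v for k, v in raw.items() if not k.endswith("Label")}
    if "detectionType" in ev:
        ev["detectionTypeName"] = DETECTION_TYPE.get(int(ev["detectionType"]), "unknown")
    if "malwareType" in ev:
        ev["malwareTypeName"] = MALWARE_TYPE.get(int(ev["malwareType"]), "unknown")
    # False here means the header severity and act do not agree with the table's mapping.
    ev["severityConsistent"] = int(ev["severity"]) == SEVERITY_BY_ACT.get(ev.get("act"))
    return ev

# Constructed sample built from the table's example values; not a real gateway capture.
SAMPLE = ("CEF:0|Trend Micro|Zero Trust Secure Access - Internet Access|1.0.0.2000|100000|Activity Log|2|"
          "rt=Jul 05 2018 07:54:15 +0000 act=block app=HTTP cat=Search Engines/Portals "
          "suser=user_name@example.com shost=my laptop dst=54.231.184.240 src=10.204.214.188 "
          "cn1=4 cn1Label=malwareType cn2=81 cn2Label=wrsScore cn3=40 cn3Label=detectionType "
          "cs1=HEUR_OLEXP.B cs1Label=malwareName fname=example.doc request=https://www.example.com/page.html")
```

Running `enrich(SAMPLE)` yields a flat dict keyed by the label names (malwareType, wrsScore, detectionType, malwareName) with the decoded names added, which is the shape a SIEM field mapping normally wants.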