Asignación de eventos en Syslog

Device Vendor

"ESET"

Device Product

"EMSX"

"EMSX" or "ESET Mail Security for MS Exchange Server"

Device Version

e.g. "7.1.10005.0"

Device Event Class ID

e.g. "101"

Device Event Category unique identifier:
100-199 malware
200-299 phish
300-399 spam
400-499 policy

Event Name

e.g. "MailScanResult: malware"

A brief description of what happened in the event:
MailScanResult: malware
MailScanResult: phishing link
MailScanResult: spam
MailScanResult: policy

rt

deviceReceiptTime

Time event was generated

The time at which the event was generated, in milliseconds since Jan 1st 1970

src

sourceAddress

Sender's IP

IP address of the sending mail server

shost

sourceHostName (1023)

Sender's HELO domain

HELO domain of the sending mail server

flexString1

flexString1

Message-ID

Message-ID header from the email

dhost

destinationHostName (1023)

Receiving server

Hostname of the machine that received the communication

msg

message (1023)

Message subject

Subject of the message, from the RFC5233 header "Subject:"

suser

sourceUserName (1023)

SMTP sender

SMTP sender of the email (MAIL FROM)

duser

destinationUserName (1023)

SMTP recipient(s)

SMTP recipient(s) of the email (RCPT TO)

act

deviceAction (63)

Action taken

Action taken (cleaned, quarantined, etc.)

cat

deviceEventCategory (1023)

Detection category

Most significant detection (malware >> phish >> spam >> SPF/DKIM >> policy)

sourceServiceName

sourceServiceName

Type of protection

SMTP Transport agent, On-demand database scan

deviceExternalId

deviceExternalId

Engine version

Anti-Malware engine version, Antispam engine version, e.g. "18620,7730"

cs1

deviceCustomString1

Anti-Malware result

Result of Anti-Malware scan, including threat name

cs1Label

deviceCustomString1Label

"Anti-Malware result"

cs2

deviceCustomString2

Antispam result

Result of Antispam scan, including reason for marking as spam

cs2Label

deviceCustomString2Label

"Antispam result"

cs3

deviceCustomString3

Anti-Phishing result

Result of Anti-Phishing scan, including detected URL

cs3Label

deviceCustomString3Label

"Anti-Phishing result"

cs4

deviceCustomString4

SPF/DKIM/DMARC result

Result of SPF/DKIM/DMARC check, in RFC7601 format

cs4Label

deviceCustomString4Label

"SPF/DKIM/DMARC result"

cs5

deviceCustomString5

"From:" sender

Sender address from RFC5322 header "From:"

cs5Label

deviceCustomString5Label

"From header"

cs6

deviceCustomString6

"To:" and "Cc:" recipients

Recipients addresses from RFC5322 headers "To:" and "Cc:"

cs6Label

deviceCustomString6Label

"To and Cc headers"

fname

filename (1023)

Attachment name

Name of the first detected attachment

fileHash

fileHash (255)

Attachment hash

Hash of the first detected attachment

fsize

fileSize

Attachment size

Size of the first detected attachment

reason

reason (1023)

Rule/policy activated

Name of the policy triggered by the email or it is content

ESETEMSXFileDetails

ESETEMSXFileDetails

File details

Information about all detected attachments, their names, hashes and sizes

end

endTime

Time event has ended

La hora en la que finalizó la actividad, en milisegundos, desde el 1.° de enero de 1970. Resulta útil solo si se usa la tecnología de sandboxing ESET LiveGuard Advanced.

dtz

deviceTimeZone (255)

Timezone of the server

request

requestURL

Detected URL

URL maligna o en la lista negra extraída del cuerpo del correo o de los encabezados del correo. ESET Mail Security no proporciona una única dirección URL en los registros porque varios componentes de detección pueden detectar varias direcciones URL en los mensajes de correo electrónico.