Events exported to CEF format
To filter the event logs sent to Syslog, create a log category notification with a defined filter.
CEF is a text-based log format developed by ArcSight™. The CEF format includes a CEF header and a CEF extension. The extension contains a list of key-value pairs.
CEF header

| Header | Example | Description |
|---|---|---|
| Device Vendor | ESET | |
| Device Product | ProtectCloud | |
| Device Version | 10.0.5.1 | ESET PROTECT version |
| Device Event Class ID (Signature ID) | 109 | Unique identifier of the device event category: 100–199 Threat event; 200–299 Firewall event; 300–399 HIPS event; 400–499 Audit event; 500–599 ESET Inspect event; 600–699 Blocked files event; 700–799 Filtered websites event |
| Event Name | Detected port scanning attack | A brief description of what happened in the event |
| Severity | 5 | Severity: 2 = Information; 3 = Notice; 5 = Warning; 7 = Error; 8 = Critical; 10 = Fatal |
CEF extensions common for all categories

| Extension name | Example | Description |
|---|---|---|
| cat | ESET Threat Event | Event category: ESET Threat Event; ESET Firewall Event; ESET HIPS Event; ESET RA Audit Event; ESET Inspect Event; ESET Blocked File Event; ESET Filtered Website Event |
| dvc | 10.0.12.59 | IPv4 address of the computer generating the event |
| c6a1 | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | IPv6 address of the computer generating the event |
| c6a1Label | Device IPv6 Address | |
| dvchost | COMPUTER02 | The hostname of the computer with the event |
| deviceExternalId | 39e0feee-45e2-476a-b17f-169b592c3645 | UUID of the computer generating the event |
| rt | Jun 04 2017 14:10:0 | UTC time of occurrence of the event. The format is %b %d %Y %H:%M:%S |
| ESETProtectDeviceGroupName | All/Lost & found | The full path to the static group of the computer generating the event. If the path is longer than 255 characters, ESETProtectDeviceGroupName contains only the static group name. |
| ESETProtectDeviceOsName | Microsoft Windows 11 Pro | Information about the computer's operating system. |
| ESETProtectDeviceGroupDescription | Lost & found static group | Static group description. |
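A SIEM or log pipeline that receives these records has to split the pipe-delimited header, walk the space-separated extension (whose values may themselves contain spaces), and then apply the two mappings the header section defines: Signature ID range to event category and severity number to severity name. The following parser is an added example written for this page, not ESET's code. It assumes the usual CEF escaping rules (`\|` and `\\` in the header; `\=`, `\\`, `\n`, `\r` in the extension), and the sample record is constructed from the example values in the two tables above rather than taken from a real export.

```python
import re
from datetime import datetime, timezone

# Signature ID ranges -> event category, as listed for the Device Event Class ID header field.
CATEGORY_RANGES = [
    (100, 199, "Threat event"), (200, 299, "Firewall event"), (300, 399, "HIPS event"),
    (400, 499, "Audit event"), (500, 599, "ESET Inspect event"),
    (600, 699, "Blocked files event"), (700, 799, "Filtered websites event"),
]
# Severity numbers -> names, as listed for the Severity header field.
SEVERITY_NAMES = {2: "Information", 3: "Notice", 5: "Warning", 7: "Error", 8: "Critical", 10: "Fatal"}
RT_FORMAT = "%b %d %Y %H:%M:%S"  # format of the rt extension (UTC) stated in the common-extensions table


def split_header(line):
    """Split a CEF record on unescaped '|' into 7 header fields plus the raw (still escaped) extension.

    In the header a backslash escapes the next character, so '\\|' is a literal pipe and '\\\\' a backslash.
    """
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    fields.append("".join(buf) + line[i:])  # 8th element: everything after the 7th pipe
    return fields


# A key starts at the beginning of the extension or after whitespace and ends at an unescaped '='.
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def unescape_ext(raw):
    """Undo extension escaping: '\\=' -> '=', '\\\\' -> '\\', '\\n' / '\\r' -> line breaks."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)


def parse_extension(ext):
    """Parse 'key=value key2=value2'. Values may contain spaces, so each value runs up to the next key."""
    out = {}
    keys = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = unescape_ext(ext[m.end():end])
    return out


def classify(signature_id):
    """Map a Device Event Class ID to its category range; non-numeric or unlisted IDs are 'Unknown'."""
    try:
        sid = int(signature_id)
    except ValueError:
        return "Unknown"
    for lo, hi, name in CATEGORY_RANGES:
        if lo <= sid <= hi:
            return name
    return "Unknown"


def parse_rt(value):
    """Parse the rt timestamp into a timezone-aware UTC datetime."""
    return datetime.strptime(value, RT_FORMAT).replace(tzinfo=timezone.utc)


def parse_cef(line):
    """Parse one CEF record into a dict; raises ValueError for anything that is not a CEF record."""
    parts = split_header(line.rstrip("\r\n"))
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:60])
    try:
        severity = int(parts[6])
    except ValueError:
        raise ValueError("non-numeric CEF severity: %r" % parts[6])
    extension = parse_extension(parts[7])
    return {
        "cef_version": parts[0][len("CEF:"):],
        "vendor": parts[1], "product": parts[2], "device_version": parts[3],
        "signature_id": parts[4], "category": classify(parts[4]),
        "name": parts[5], "severity": severity,
        "severity_name": SEVERITY_NAMES.get(severity, "Unknown"),
        "extension": extension,
        "rt": parse_rt(extension["rt"]) if "rt" in extension else None,
    }


# Constructed sample record (not from the page) assembled from the example values in the tables.
SAMPLE_RECORD = (
    "CEF:0|ESET|ProtectCloud|10.0.5.1|109|Detected port scanning attack|5|"
    "cat=ESET Threat Event dvc=10.0.12.59 dvchost=COMPUTER02 "
    "deviceExternalId=39e0feee-45e2-476a-b17f-169b592c3645 "
    "rt=Jun 04 2017 14:10:00 ESETProtectDeviceGroupName=All/Lost & found "
    "suser=172-MG\\\\Administrator act=Cleaned by deleting file cn1=1 cn1Label=Handled"
)

if __name__ == "__main__":
    event = parse_cef(SAMPLE_RECORD)
    print(event["category"], event["severity_name"], event["rt"].isoformat())
    for key, value in sorted(event["extension"].items()):
        print("  %s = %s" % (key, value))
```

Two points are worth keeping in mind when adapting this: an unescaped `=` inside a value is malformed CEF and will be read as the start of a new key, and a Signature ID outside the documented ranges is reported as `Unknown` rather than guessed, so such records stand out in the pipeline instead of being silently dropped into a wrong category.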
CEF extensions by event category

Threat events

| Extension name | Example | Description |
|---|---|---|
| cs1 | W97M/Kojer.A | Found threat name |
| cs1Label | Threat Name | |
| cs2 | 25898 (20220909) | Detection Engine version |
| cs2Label | Engine Version | |
| cs3 | Virus | Detection type |
| cs3Label | Threat Type | |
| cs4 | Real-time file system protection | Scanner ID |
| cs4Label | Scanner ID | |
| cs5 | virlog.dat | Scan ID |
| cs5Label | Scan ID | |
| cs6 | Failed to remove file | Error message if the action was not successful |
| cs6Label | Action Error | |
| cs7 | Event occurred on a newly created file | Short description of what caused the event |
| cs7Label | Circumstances | |
| cs8 | 0000000000000000000000000000000000000000 | SHA1 hash of the (detection) data stream |
| cs8Label | Hash | |
| act | Cleaned by deleting file | Action taken by the endpoint |
| filePath | file:///C:/Users/Administrator/Downloads/doc/000001_5dc5c46b.DOC | Object URI |
| fileType | File | Object type related to the event |
| cn1 | 1 | Detection was handled (1) or was not handled (0) |
| cn1Label | Handled | |
| cn2 | 0 | Restart is needed (1) or is not needed (0) |
| cn2Label | Restart Needed | |
| suser | 172-MG\\Administrator | Name of the user account associated with the event |
| sprod | C:\\7-Zip\\7z.exe | The name of the event source process |
| deviceCustomDate1 | Jun 04 2019 14:10:00 | |
| deviceCustomDate1Label | FirstSeen | The time and date when the detection was found for the first time on the machine. The format is %b %d %Y %H:%M:%S |
Firewall events

| Extension name | Example | Description |
|---|---|---|
| msg | TCP Port Scanning attack | Event name |
| src | 127.0.0.1 | Event source IPv4 address |
| c6a2 | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | Event source IPv6 address |
| c6a2Label | Source IPv6 Address | |
| spt | 36324 | Port of the event source |
| dst | 127.0.0.2 | Event destination IPv4 address |
| c6a3 | 2001:0db8:85a3:0000:0000:8a2e:0370:7335 | Event destination IPv6 address |
| c6a3Label | Destination IPv6 Address | |
| dpt | 24 | Event destination port |
| proto | http | Protocol |
| act | Blocked | Action taken |
| cn1 | 1 | Detection was handled (1) or was not handled (0) |
| cn1Label | Handled | |
| suser | 172-MG\\Administrator | Name of the user account associated with the event |
| deviceProcessName | someApp.exe | Name of the process associated with the event |
| deviceDirection | 1 | The connection was inbound (0) or outbound (1) |
| cnt | 3 | The number of identical messages generated by the endpoint between two consecutive replications between ESET PROTECT and ESET Management Agent |
| cs1 | | Rule ID |
| cs1Label | Rule ID | |
| cs2 | custom_rule_12 | Rule name |
| cs2Label | Rule Name | |
| cs3 | Win32/Botnet.generic | Threat name |
| cs3Label | Threat Name | |

Firewall event CEF log example:
HIPS events

| Extension name | Example | Description |
|---|---|---|
| cs1 | Suspicious attempt to launch an application | Rule ID |
| cs1Label | Rule ID | |
| cs2 | custom_rule_12 | Rule name |
| cs2Label | Rule Name | |
| cs3 | C:\\someapp.exe | Application name |
| cs3Label | Application | |
| cs4 | Attempt to run a suspicious object | Operation |
| cs4Label | Operation | |
| cs5 | C:\\somevirus.exe | Target |
| cs5Label | Target | |
| act | Blocked | Action taken |
| cn1 | 1 | Detection was handled (1) or was not handled (0) |
| cn1Label | Handled | |
| cnt | 3 | The number of identical messages generated by the endpoint between two consecutive replications between ESET PROTECT and ESET Management Agent |
Audit events

| Extension name | Example | Description |
|---|---|---|
| act | Login attempt | Action taking place |
| suser | Administrator | Security user involved |
| duser | Administrator | Targeted security user (for example, for login attempts) |
| msg | Authenticating native user 'Administrator' | A detailed description of the action |
| cs1 | Native user | Audit log domain |
| cs1Label | Audit Domain | |
| cs2 | Success | Action result |
| cs2Label | Result | |
ESET Inspect events

| Extension name | Example | Description |
|---|---|---|
| deviceProcessName | c:\\imagepath_bin.exe | Name of the process causing this alarm |
| suser | HP\\home | Process owner |
| cs2 | custom_rule_12 | Name of the rule triggering this alarm |
| cs2Label | Rule Name | |
| cs3 | 78C136C80FF3F46C2C98F5C6B3B5BB581F8903A9 | Alarm SHA1 hash |
| cs3Label | Hash | |
| cs4 | https://inspect.eset.com:443/console/alarm/126 | Link to the alarm in the ESET Inspect Web Console |
| cs4Label | EI Console Link | |
| cs5 | 126 | ID sub-part of the alarm link ($1 in ^http.*/alarm/([0-9]+)$) |
| cs5Label | EI Alarm ID | |
| cn1 | 275 | Computer severity score |
| cn1Label | ComputerSeverityScore | |
| cn2 | 60 | Rule severity score |
| cn2Label | SeverityScore | |
| cnt | 3 | The number of alerts of the same type generated since the last alarm |

ESET Inspect event CEF log example:
Blocked files events

| Extension name | Example | Description |
|---|---|---|
| act | Execution blocked | Action taken |
| cn1 | 1 | Detection was handled (1) or was not handled (0) |
| cn1Label | Handled | |
| suser | HP\\home | Name of the user account associated with the event |
| deviceProcessName | C:\\Windows\\explorer.exe | Name of the process associated with the event |
| cs1 | 78C136C80FF3F46C2C98F5C6B3B5BB581F8903A9 | SHA1 hash of the blocked file |
| cs1Label | Hash | |
| filePath | C:\\totalcmd\\TOTALCMD.EXE | Object URI |
| msg | ESET Inspect | Blocked file description |
| deviceCustomDate1 | Jun 04 2019 14:10:00 | |
| deviceCustomDate1Label | FirstSeen | The time and date when the detection was found for the first time on the machine. The format is %b %d %Y %H:%M:%S |
| cs2 | Blocked by Administrator | Cause |
| cs2Label | Cause | |

Blocked files event CEF log example:
Filtered website events

| Extension name | Example | Description |
|---|---|---|
| msg | An attempt to connect to URL | Event type |
| act | Blocked | Action taken |
| cn1 | 1 | Detection was handled (1) or was not handled (0) |
| cn1Label | Handled | |
| suser | Peter | Name of the user account associated with the event |
| deviceProcessName | Firefox | Name of the process associated with the event |
| cs1 | Blocked by PUA blacklist | Rule ID |
| cs1Label | Rule ID | |
| requestUrl | https://kenmmal.com/ | URL of blocked request |
| dst | 172.17.9.224 | Event destination IPv4 address |
| c6a3 | 2001:0db8:85a3:0000:0000:8a2e:0370:7335 | Event destination IPv6 address |
| c6a3Label | Destination IPv6 Address | |
| cs2 | HTTP filter | Scanner ID |
| cs2Label | Scanner ID | |
| cs3 | 8EECCDD290BE2E99183290FDBE4172EBE3DC7EC5 | SHA1 hash of the filtered object |
| cs3Label | Hash | |
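The per-category tables above show why a consumer must never key on the custom-field slot alone: cn1 carries Handled in threat, firewall, HIPS, blocked-file and filtered-website events but ComputerSeverityScore in ESET Inspect events, and cs2 is Engine Version, Rule Name, Result, Cause or Scanner ID depending on the category. The example below, added here and not ESET's code, takes already-parsed extension dictionaries (the output of any CEF parser), resolves each csN/cnN/deviceCustomDateN slot through its Label, and derives category-independent fields such as the Handled flag, the firewall direction, the FirstSeen timestamp and the Inspect alarm ID (using the regex the Inspect table gives for cs5). The three sample events are constructed from the table examples, and the Inspect score threshold is an assumed operational setting, not a value from the page.

```python
import re
from datetime import datetime, timezone

# Custom-field slots whose meaning is given by the matching <key>Label extension.
_SLOT_RE = re.compile(r"^(cs|cn|c6a|deviceCustomDate)\d+$")
FIRST_SEEN_FORMAT = "%b %d %Y %H:%M:%S"                # deviceCustomDate1 format stated in the tables
ALARM_ID_RE = re.compile(r"^http.*/alarm/([0-9]+)$")   # regex the Inspect table gives for cs5 (EI Alarm ID)
INSPECT_SCORE_THRESHOLD = 50                           # assumed operational threshold, not from the page


def resolve_labels(ext):
    """Split parsed extensions into (custom fields keyed by their label, everything else)."""
    named, rest = {}, {}
    for key, value in ext.items():
        if key.endswith("Label"):
            continue  # labels are consumed together with their slot
        label = ext.get(key + "Label") if _SLOT_RE.match(key) else None
        if label:
            named[label] = value
        else:
            rest[key] = value
    return named, rest


def normalize(ext):
    """Build a category-independent record from one event's extension dictionary."""
    named, rest = resolve_labels(ext)
    rec = {
        "category": rest.get("cat"),
        "host": rest.get("dvchost"),
        "user": rest.get("suser"),
        "action": rest.get("act"),
        "handled": named["Handled"] == "1" if "Handled" in named else None,
        "fields": named,
    }
    if "Restart Needed" in named:
        rec["restart_needed"] = named["Restart Needed"] == "1"
    if "deviceDirection" in rest:  # firewall events: 0 inbound, 1 outbound
        rec["direction"] = {"0": "inbound", "1": "outbound"}.get(rest["deviceDirection"], "unknown")
    if "FirstSeen" in named:
        rec["first_seen"] = datetime.strptime(named["FirstSeen"], FIRST_SEEN_FORMAT).replace(tzinfo=timezone.utc)
    if "EI Console Link" in named:
        m = ALARM_ID_RE.match(named["EI Console Link"])
        rec["alarm_id"] = m.group(1) if m else None
    return rec


def triage(ext):
    """Return (record, reasons); reasons is empty when nothing in the event needs an analyst."""
    rec = normalize(ext)
    reasons = []
    if rec["handled"] is False:
        reasons.append("detection not handled by the endpoint")
    if rec.get("restart_needed"):
        reasons.append("restart needed to complete the action")
    if rec["category"] == "ESET Firewall Event" and rec.get("direction") == "inbound" and rec["action"] == "Blocked":
        reasons.append("blocked inbound connection from %s" % ext.get("src", "?"))
    if rec["category"] == "ESET Inspect Event":
        score = int(rec["fields"].get("SeverityScore", "0"))
        if score >= INSPECT_SCORE_THRESHOLD:
            reasons.append("Inspect rule %s scored %d" % (rec["fields"].get("Rule Name", "?"), score))
    return rec, reasons


# Constructed sample extensions (not from the page), assembled from the per-category table examples.
THREAT_EVENT = {
    "cat": "ESET Threat Event", "dvchost": "COMPUTER02", "suser": "172-MG\\Administrator",
    "cs1": "W97M/Kojer.A", "cs1Label": "Threat Name", "cs3": "Virus", "cs3Label": "Threat Type",
    "act": "Cleaned by deleting file", "cn1": "1", "cn1Label": "Handled",
    "cn2": "1", "cn2Label": "Restart Needed",
    "deviceCustomDate1": "Jun 04 2019 14:10:00", "deviceCustomDate1Label": "FirstSeen",
}
FIREWALL_EVENT = {
    "cat": "ESET Firewall Event", "msg": "TCP Port Scanning attack", "src": "127.0.0.1", "spt": "36324",
    "dst": "127.0.0.2", "dpt": "24", "act": "Blocked", "cn1": "1", "cn1Label": "Handled",
    "deviceDirection": "0", "cs2": "custom_rule_12", "cs2Label": "Rule Name", "cnt": "3",
}
INSPECT_EVENT = {
    "cat": "ESET Inspect Event", "deviceProcessName": "c:\\imagepath_bin.exe", "suser": "HP\\home",
    "cs2": "custom_rule_12", "cs2Label": "Rule Name",
    "cs4": "https://inspect.eset.com:443/console/alarm/126", "cs4Label": "EI Console Link",
    "cn1": "275", "cn1Label": "ComputerSeverityScore", "cn2": "60", "cn2Label": "SeverityScore",
}

if __name__ == "__main__":
    for sample in (THREAT_EVENT, FIREWALL_EVENT, INSPECT_EVENT):
        record, why = triage(sample)
        print(record["category"], "->", why or "nothing to do")
```

Because the Inspect event has no Handled label, its `handled` field comes back as `None` rather than being misread from cn1, and the 275 in cn1 is surfaced under its own name, ComputerSeverityScore. The same pattern applies to the cs slots: a rule that matches on "cs2" will fire on engine versions in threat events and on rule names in firewall events, while a rule that matches on the resolved label "Rule Name" behaves the same across categories.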