Events exported to CEF format | ESET PROTECT On-Prem 11.1 (2024)


To filter the event logs sent to Syslog, create a log category notification with a defined filter.

CEF is a text-based log format developed by ArcSight™. The CEF format includes a CEF header and a CEF extension. The extension contains a list of key-value pairs.

CEF header

| Header | Example | Description |
|---|---|---|
| Device Vendor | ESET | |
| Device Product | Protect | |
| Device Version | 10.0.5.1 | ESET PROTECT On-Prem version |
| Device Event Class ID (Signature ID) | 109 | Device Event Category unique identifier: 100–199 Threat event; 200–299 Firewall event; 300–399 HIPS event; 400–499 Audit event; 500–599 ESET Inspect event; 600–699 Blocked files event; 700–799 Filtered websites event |
| Event Name | Detected port scanning attack | A brief description of what happened in the event |
| Severity | 5 | Severity: 2 = Information; 3 = Notice; 5 = Warning; 7 = Error; 8 = Critical; 10 = Fatal |

CEF extensions common for all categories

| Extension name | Example | Description |
|---|---|---|
| cat | ESET Threat Event | Event category: ESET Threat Event; ESET Firewall Event; ESET HIPS Event; ESET RA Audit Event; ESET Inspect Event; ESET Blocked File Event; ESET Filtered Website Event |
| dvc | 10.0.12.59 | IPv4 address of the computer generating the event |
| c6a1 | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | IPv6 address of the computer generating the event |
| c6a1Label | Device IPv6 Address | |
| dvchost | COMPUTER02 | The hostname of the computer with the event |
| deviceExternalId | 39e0feee-45e2-476a-b17f-169b592c3645 | UUID of the computer generating the event |
| rt | Jun 04 2017 14:10:0 | UTC time of occurrence of the event. The format is %b %d %Y %H:%M:%S |
| ESETProtectDeviceGroupName | All/Lost & found | The full path to the static group of the computer generating the event. If the path is longer than 255 characters, ESETProtectDeviceGroupName contains only the static group name. |
| ESETProtectDeviceOsName | Microsoft Windows 11 Pro | Information about the computer's operating system. |
| ESETProtectDeviceGroupDescription | Lost & found static group | Static group description. |

CEF extensions by event category

Threat events

| Extension name | Example | Description |
|---|---|---|
| cs1 | W97M/Kojer.A | Found threat name |
| cs1Label | Threat Name | |
| cs2 | 25898 (20220909) | Detection Engine version |
| cs2Label | Engine Version | |
| cs3 | Virus | Detection type |
| cs3Label | Threat Type | |
| cs4 | Real-time file system protection | Scanner ID |
| cs4Label | Scanner ID | |
| cs5 | virlog.dat | Scan ID |
| cs5Label | Scan ID | |
| cs6 | Failed to remove file | Error message if the action was not successful |
| cs6Label | Action Error | |
| cs7 | Event occurred on a newly created file | Short description of what caused the event |
| cs7Label | Circumstances | |
| cs8 | 0000000000000000000000000000000000000000 | SHA1 hash of the (detection) data stream |
| cs8Label | Hash | |
| act | Cleaned by deleting file | Action taken by the endpoint |
| filePath | file:///C:/Users/Administrator/Downloads/doc/000001_5dc5c46b.DOC | Object URI |
| fileType | File | Object type related to the event |
| cn1 | 1 | Detection was handled (1) or was not handled (0) |
| cn1Label | Handled | |
| cn2 | | Restart is needed (1) or is not needed (0) |
| cn2Label | Restart Needed | |
| suser | 172-MG\\Administrator | Name of the user account associated with the event |
| sprod | C:\\7-Zip\\7z.exe | The name of the event source process |
| deviceCustomDate1 | Jun 04 2019 14:10:00 | |
| deviceCustomDate1Label | FirstSeen | The time and date when the detection was found for the first time on the machine. The format is %b %d %Y %H:%M:%S |

Threat event CEF log example (shown as an image on the original page).

Firewall events

| Extension name | Example | Description |
|---|---|---|
| msg | TCP Port Scanning attack | Event name |
| src | 127.0.0.1 | Event source IPv4 address |
| c6a2 | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | Event source IPv6 address |
| c6a2Label | Source IPv6 Address | |
| spt | 36324 | Port of the event source |
| dst | 127.0.0.2 | Event destination IPv4 address |
| c6a3 | 2001:0db8:85a3:0000:0000:8a2e:0370:7335 | Event destination IPv6 address |
| c6a3Label | Destination IPv6 Address | |
| dpt | 24 | Event destination port |
| proto | http | Protocol |
| act | Blocked | Action taken |
| cn1 | 1 | Detection was handled (1) or was not handled (0) |
| cn1Label | Handled | |
| suser | 172-MG\\Administrator | Name of the user account associated with the event |
| deviceProcessName | someApp.exe | Name of the process associated with the event |
| deviceDirection | 1 | The connection was inbound (0) or outbound (1) |
| cnt | 3 | The number of identical messages generated by the endpoint between two consecutive replications between ESET PROTECT On-Prem and ESET Management Agent |
| cs1 | | Rule ID |
| cs1Label | Rule ID | |
| cs2 | custom_rule_12 | Rule name |
| cs2Label | Rule Name | |
| cs3 | Win32/Botnet.generic | Threat name |
| cs3Label | Threat Name | |

Firewall event CEF log example (shown as an image on the original page).

HIPS events

| Extension name | Example | Description |
|---|---|---|
| cs1 | Suspicious attempt to launch an application | Rule ID |
| cs1Label | Rule ID | |
| cs2 | custom_rule_12 | Rule name |
| cs2Label | Rule Name | |
| cs3 | C:\\someapp.exe | Application name |
| cs3Label | Application | |
| cs4 | Attempt to run a suspicious object | Operation |
| cs4Label | Operation | |
| cs5 | C:\\somevirus.exe | Target |
| cs5Label | Target | |
| act | Blocked | Action taken |
| cn1 | 1 | Detection was handled (1) or was not handled (0) |
| cn1Label | Handled | |
| cnt | 3 | The number of identical messages generated by the endpoint between two consecutive replications between ESET PROTECT On-Prem and ESET Management Agent |

HIPS event CEF log example (shown as an image on the original page).

Audit events

| Extension name | Example | Description |
|---|---|---|
| act | Login attempt | Action taking place |
| suser | Administrator | Security user involved |
| duser | Administrator | Targeted security user (for example, for login attempts) |
| msg | Authenticating native user 'Administrator' | A detailed description of the action |
| cs1 | Native user | Audit log domain |
| cs1Label | Audit Domain | |
| cs2 | Success | Action result |
| cs2Label | Result | |

Audit event CEF log example (shown as an image on the original page).

ESET Inspect events

| Extension name | Example | Description |
|---|---|---|
| deviceProcessName | c:\\imagepath_bin.exe | Name of the process causing this alarm |
| suser | HP\\home | Process owner |
| cs2 | custom_rule_12 | Name of the rule triggering this alarm |
| cs2Label | Rule Name | |
| cs3 | 78C136C80FF3F46C2C98F5C6B3B5BB581F8903A9 | Alarm SHA1 hash |
| cs3Label | Hash | |
| cs4 | https://inspect.eset.com:443/console/alarm/126 | Link to the alarm in the ESET Inspect On-Prem Web Console |
| cs4Label | EI Console Link | |
| cs5 | 126 | ID sub-part of the alarm link ($1 in ^http.*/alarm/([0-9]+)$) |
| cs5Label | EI Alarm ID | |
| cn1 | 275 | Computer severity score |
| cn1Label | ComputerSeverityScore | |
| cn2 | 60 | Rule severity score |
| cn2Label | SeverityScore | |
| cnt | 3 | The number of alerts of the same type generated since the last alarm |

ESET Inspect event CEF log example (shown as an image on the original page).

Blocked files events

| Extension name | Example | Description |
|---|---|---|
| act | Execution blocked | Action taken |
| cn1 | 1 | Detection was handled (1) or was not handled (0) |
| cn1Label | Handled | |
| suser | HP\\home | Name of the user account associated with the event |
| deviceProcessName | C:\\Windows\\explorer.exe | Name of the process associated with the event |
| cs1 | 78C136C80FF3F46C2C98F5C6B3B5BB581F8903A9 | SHA1 hash of the blocked file |
| cs1Label | Hash | |
| filePath | C:\\totalcmd\\TOTALCMD.EXE | Object URI |
| msg | ESET Inspect | Blocked file description |
| deviceCustomDate1 | Jun 04 2019 14:10:00 | |
| deviceCustomDate1Label | FirstSeen | The time and date when the detection was found for the first time on the machine. The format is %b %d %Y %H:%M:%S |
| cs2 | Blocked by Administrator | Cause |
| cs2Label | Cause | |

Blocked files event CEF log example (shown as an image on the original page).

Filtered website events

| Extension name | Example | Description |
|---|---|---|
| msg | An attempt to connect to URL | Event type |
| act | Blocked | Action taken |
| cn1 | 1 | Detection was handled (1) or was not handled (0) |
| cn1Label | Handled | |
| suser | Peter | Name of the user account associated with the event |
| deviceProcessName | Firefox | Name of the process associated with the event |
| cs1 | Blocked by PUA blacklist | Rule ID |
| cs1Label | Rule ID | |
| requestUrl | https://kenmmal.com/ | URL of blocked request |
| dst | 172.17.9.224 | Event destination IPv4 address |
| c6a3 | 2001:0db8:85a3:0000:0000:8a2e:0370:7335 | Event destination IPv6 address |
| c6a3Label | Destination IPv6 Address | |
| cs2 | HTTP filter | Scanner ID |
| cs2Label | Scanner ID | |
| cs3 | 8EECCDD290BE2E99183290FDBE4172EBE3DC7EC5 | SHA1 hash of the filtered object |
| cs3Label | Hash | |

Filtered website event CEF log example (shown as an image on the original page).
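The header layout and the extension tables above are enough to write a receiver-side parser. The following Python is an added example, not ESET's code: it splits the header on unescaped pipes, parses the key=value extension (honouring the doubled backslashes seen in suser and sprod and an escaped "="), maps the Signature ID onto the documented category ranges and the severity number onto its name, and pairs each csN/cnN field with its *Label companion. The SAMPLE record is constructed from the documented field examples and is not a real export.

```python
import re

# Signature ID ranges and severity values as documented for ESET PROTECT CEF output.
CATEGORY_RANGES = [(100, 199, "Threat"), (200, 299, "Firewall"), (300, 399, "HIPS"),
                   (400, 499, "Audit"), (500, 599, "ESET Inspect"),
                   (600, 699, "Blocked files"), (700, 799, "Filtered websites")]
SEVERITY = {2: "Information", 3: "Notice", 5: "Warning", 7: "Error", 8: "Critical", 10: "Fatal"}
KEY_RE = re.compile(r"(?:^| )([A-Za-z0-9_]+)=")   # where an extension key starts

def unescape(text):
    # CEF puts a backslash before '|' (header), '=' (extension) and a literal backslash
    return re.sub(r"\\(.)", r"\1", text)

def split_header(line):
    """Split the seven header fields on unescaped '|'; the 8th item is the raw extension."""
    fields, start, i = [], 0, 0
    while i < len(line) and len(fields) < 7:
        if line[i] == "\\":                # escaped character: skip it
            i += 1
        elif line[i] == "|":
            fields.append(unescape(line[start:i]))
            start = i + 1
        i += 1
    fields.append(line[start:])
    return fields

def parse_extension(ext):
    """Turn 'k1=v1 k2=v2 ...' into a dict; values may contain spaces and escaped '='."""
    matches = list(KEY_RE.finditer(ext))
    return {m.group(1): unescape(ext[m.end():(nxt.start() if nxt else len(ext))])
            for m, nxt in zip(matches, matches[1:] + [None])}

def parse_eset_cef(line):
    """Parse one record; 'labels' resolves csN/cnN/c6aN values via their *Label companions."""
    parts = split_header(line.rstrip("\r\n"))
    if len(parts) != 8 or not parts[0].startswith("CEF:"): raise ValueError("not a CEF record")
    _, vendor, product, version, sig, name, sev, ext = parts
    sig, sev, fields = int(sig), int(sev), parse_extension(ext)
    return {"vendor": vendor, "product": product, "version": version, "fields": fields,
            "signature_id": sig, "name": name, "severity": sev,
            "category": next((c for lo, hi, c in CATEGORY_RANGES if lo <= sig <= hi), "Unknown"),
            "severity_name": SEVERITY.get(sev, "Unknown"),
            "labels": {v: fields[k[:-5]] for k, v in fields.items()
                       if k.endswith("Label") and k[:-5] in fields}}

# Constructed sample record assembled from the documented field examples (not a real export).
SAMPLE = (r"CEF:0|ESET|Protect|10.0.5.1|109|Threat detected|5|cat=ESET Threat Event "
          r"dvc=10.0.12.59 dvchost=COMPUTER02 rt=Jun 04 2017 14:10:00 cs1=W97M/Kojer.A "
          r"cs1Label=Threat Name act=Cleaned by deleting file cn1=1 cn1Label=Handled "
          r"suser=172-MG\\Administrator sprod=C:\\7-Zip\\7z.exe "
          r"filePath=file:///C:/Users/Administrator/Downloads/doc/000001_5dc5c46b.DOC")
```

Feeding `parse_eset_cef(SAMPLE)` a record from the syslog receiver yields the category and the label-resolved custom fields a SIEM rule can match on directly.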

Author: Golda Nolan II

Last Updated:

Views: 5715

Rating: 4.8 / 5 (78 voted)

Reviews: 85% of readers found this page helpful

Author information

Name: Golda Nolan II

Birthday: 1998-05-14

Address: Suite 369 9754 Roberts Pines, West Benitaburgh, NM 69180-7958

Phone: +522993866487

Job: Sales Executive

Hobby: Worldbuilding, Shopping, Quilting, Cooking, Homebrewing, Leather crafting, Pet

Introduction: My name is Golda Nolan II, I am a thoughtful, clever, cute, jolly, brave, powerful, splendid person who loves writing and wants to share my knowledge and understanding with you.