To filter the event logs sent to Syslog, create a log category notification with a defined filter.
CEF is a text-based log format developed by ArcSight™. The CEF format includes a CEF header and a CEF extension. The extension contains a list of key-value pairs.
CEF header
Header | Example | Description |
---|---|---|
Device Vendor | ESET | |
Device Product | Protect | |
Device Version | 10.0.5.1 | ESET PROTECT On-Prem version |
Device Event Class ID (Signature ID): | 109 | Device Event Category unique identifier: •100–199 Threat event •200–299 Firewall event •300–399 HIPS event •400–499 Audit event •500–599 ESET Inspect event •600–699 Blocked files event •700–799 Filtered websites event |
Event Name | Detected port scanning attack | A brief description of what happened in the event |
Severity | 5 | Severity: •2—Information •3—Notice •5—Warning •7—Error •8—Critical •10—Fatal |
CEF extensions common for all categories
Extension name | Example | Description |
---|---|---|
cat | ESET Threat Event | Event category: •ESET Threat Event •ESET Firewall Event •ESET HIPS Event •ESET RA Audit Event •ESET Inspect Event •ESET Blocked File Event •ESET Filtered Website Event |
dvc | 10.0.12.59 | IPv4 address of the computer generating the event |
c6a1 | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | IPv6 address of the computer generating the event |
c6a1Label | Device IPv6 Address | |
dvchost | COMPUTER02 | The hostname of the computer with the event |
deviceExternalId | 39e0feee-45e2-476a-b17f-169b592c3645 | UUID of the computer generating the event |
rt | Jun 04 2017 14:10:00 | UTC time of occurrence of the event. The format is %b %d %Y %H:%M:%S |
ESETProtectDeviceGroupName | All/Lost & found | The full path to the static group of the computer generating the event. If the path is longer than 255 characters, ESETProtectDeviceGroupName contains only the static group name. |
ESETProtectDeviceOsName | Microsoft Windows 11 Pro | Information about the computer's operating system. |
ESETProtectDeviceGroupDescription | Lost & found static group | Static group description. |
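The tables above define the CEF message as a 7-field header followed by key-value extensions, with custom fields (cs1, cn1, c6a1, ...) described by a sibling "Label" key. The parser below is an added example, not ESET's own code: it splits the header on unescaped `|`, parses the extension into a dictionary (undoing the `\=`, `\\`, `\n` and `\r` extension escapes), resolves each `...Label` key to the field it names, and maps the Signature ID and Severity numbers to the category and severity names listed in the header table. The sample line is constructed from the example values in the tables and is not a log line from the documentation.

```python
"""Parse an ESET PROTECT CEF syslog line (added example, not ESET code)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Signature ID ranges from the "Device Event Class ID" row of the CEF header table.
CATEGORY_RANGES = [
    (100, 199, "Threat event"), (200, 299, "Firewall event"),
    (300, 399, "HIPS event"), (400, 499, "Audit event"),
    (500, 599, "ESET Inspect event"), (600, 699, "Blocked files event"),
    (700, 799, "Filtered websites event"),
]
# Severity numbers from the "Severity" row of the CEF header table.
SEVERITY_NAMES = {2: "Information", 3: "Notice", 5: "Warning",
                  7: "Error", 8: "Critical", 10: "Fatal"}
HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Constructed sample line built from the tables' example values (not from the docs).
SAMPLE_LINE = (
    r"CEF:0|ESET|Protect|10.0.5.1|109|Detected port scanning attack|5|"
    r"cat=ESET Threat Event dvc=10.0.12.59 dvchost=COMPUTER02 "
    r"deviceExternalId=39e0feee-45e2-476a-b17f-169b592c3645 rt=Jun 04 2017 14:10:00 "
    r"cs1=W97M/Kojer.A cs1Label=Threat Name cs6=Failed to remove file cs6Label=Action Error "
    r"act=Cleaned by deleting file suser=172-MG\\Administrator cn1=1 cn1Label=Handled"
)


@dataclass
class CefEvent:
    header: Dict[str, str]
    extension: Dict[str, str]
    labeled: Dict[str, str] = field(default_factory=dict)  # label -> value of the field it names

    @property
    def category(self) -> Optional[str]:
        return category_for_signature(self.header["signature_id"])

    @property
    def severity_name(self) -> Optional[str]:
        try:
            return SEVERITY_NAMES.get(int(self.header["severity"]))
        except ValueError:
            return None


def category_for_signature(sig: str) -> Optional[str]:
    """Map a Signature ID to its event category using the header table's ranges."""
    if not sig.isdigit():
        return None
    n = int(sig)
    for lo, hi, name in CATEGORY_RANGES:
        if lo <= n <= hi:
            return name
    return None


def _split_header(line: str) -> List[str]:
    """Return the 7 header fields (unescaping '\\|' and '\\\\') plus the raw extension."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # header escapes: '\|' and '\\'
            buf.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(ch); i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header: fewer than 7 '|'-separated fields")
    fields.append(line[i:])                    # everything after the 7th '|' is the extension
    return fields


_EXT_KEY_SPLIT = re.compile(r" (?=[A-Za-z0-9_]+=)")   # a space that starts the next key=
_EXT_UNESCAPE = {"\\=": "=", "\\\\": "\\", "\\n": "\n", "\\r": "\r"}


def _parse_extension(raw: str) -> Dict[str, str]:
    """Split 'key=value key2=value' pairs; values may contain spaces but escape '=' as '\\='."""
    ext: Dict[str, str] = {}
    for pair in _EXT_KEY_SPLIT.split(raw.strip()):
        key, _, value = pair.partition("=")
        ext[key] = re.sub(r"\\[=\\nr]", lambda m: _EXT_UNESCAPE[m.group(0)], value)
    return ext


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Turn cs1Label='Threat Name' + cs1='W97M/Kojer.A' into {'Threat Name': 'W97M/Kojer.A'}."""
    return {label: ext[key[:-5]] for key, label in ext.items()
            if key.endswith("Label") and key[:-5] in ext}


def parse_cef(line: str) -> CefEvent:
    """Parse one syslog line; any transport prefix before 'CEF:' is ignored."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    parts = _split_header(line[start:])
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    ext = _parse_extension(parts[7])
    return CefEvent(header, ext, resolve_labels(ext))


if __name__ == "__main__":
    ev = parse_cef(SAMPLE_LINE)
    print(ev.category, ev.severity_name, ev.header["name"])
    for label, value in ev.labeled.items():
        print(f"{label}: {value}")
```

Because ESET reuses cs1..cs8 and cn1..cn2 with different meanings per category (cs1 is the threat name in threat events but the rule ID in HIPS events), a SIEM mapping should key off the resolved label or the category from the Signature ID rather than the raw csN name.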
CEF extensions by event category
Threat events
Extension name | Example | Description |
---|---|---|
cs1 | W97M/Kojer.A | Found threat name |
cs1Label | Threat Name | |
cs2 | 25898 (20220909) | Detection Engine version |
cs2Label | Engine Version | |
cs3 | Virus | Detection type |
cs3Label | Threat Type | |
cs4 | Real-time file system protection | Scanner ID |
cs4Label | Scanner ID | |
cs5 | virlog.dat | Scan ID |
cs5Label | Scan ID | |
cs6 | Failed to remove file | Error message if the action was not successful |
cs6Label | Action Error | |
cs7 | Event occurred on a newly created file | Short description of what caused the event |
cs7Label | Circumstances | |
cs8 | 0000000000000000000000000000000000000000 | SHA1 hash of the (detection) data stream |
cs8Label | Hash | |
act | Cleaned by deleting file | Action taken by the endpoint |
filePath | file:///C:/Users/Administrator/Downloads/doc/000001_5dc5c46b.DOC | Object URI |
fileType | File | Object type related to the event |
cn1 | 1 | Detection was handled (1) or was not handled (0) |
cn1Label | Handled | |
cn2 | | Restart is needed (1) or is not needed (0) |
cn2Label | Restart Needed | |
suser | 172-MG\\Administrator | Name of the user account associated with the event |
sprod | C:\\7-Zip\\7z.exe | The name of the event source process |
deviceCustomDate1 | Jun 04 2019 14:10:00 | |
deviceCustomDate1Label | FirstSeen | The time and date when the detection was found for the first time on the machine. The format is %b %d %Y %H:%M:%S |
Threat event CEF log example:
Firewall events
Extension name | Example | Description |
---|---|---|
msg | TCP Port Scanning attack | Event name |
src | 127.0.0.1 | Event source IPv4 address |
c6a2 | 2001:0db8:85a3:0000:0000:8a2e:0370:7334 | Event source IPv6 address |
c6a2Label | Source IPv6 Address | |
spt | 36324 | Port of the event source |
dst | 127.0.0.2 | Event destination IPv4 address |
c6a3 | 2001:0db8:85a3:0000:0000:8a2e:0370:7335 | Event destination IPv6 address |
c6a3Label | Destination IPv6 Address | |
dpt | 24 | Event destination port |
proto | http | Protocol |
act | Blocked | Action taken |
cn1 | 1 | Detection was handled (1) or was not handled (0) |
cn1Label | Handled | |
suser | 172-MG\\Administrator | Name of the user account associated with the event |
deviceProcessName | someApp.exe | Name of the process associated with the event |
deviceDirection | 1 | The connection was inbound (0) or outbound (1) |
cnt | 3 | The number of identical messages generated by the endpoint between two consecutive replications between ESET PROTECT On-Prem and ESET Management Agent |
cs1 | | Rule ID |
cs1Label | Rule ID | |
cs2 | custom_rule_12 | Rule name |
cs2Label | Rule Name | |
cs3 | Win32/Botnet.generic | Threat name |
cs3Label | Threat Name | |
Firewall event CEF log example:
HIPS events
Extension name | Example | Description |
---|---|---|
cs1 | Suspicious attempt to launch an application | Rule ID |
cs1Label | Rule ID | |
cs2 | custom_rule_12 | Rule name |
cs2Label | Rule Name | |
cs3 | C:\\someapp.exe | Application name |
cs3Label | Application | |
cs4 | Attempt to run a suspicious object | Operation |
cs4Label | Operation | |
cs5 | C:\\somevirus.exe | Target |
cs5Label | Target | |
act | Blocked | Action taken |
cn1 | 1 | Detection was handled (1) or was not handled (0) |
cn1Label | Handled | |
cnt | 3 | The number of identical messages generated by the endpoint between two consecutive replications between ESET PROTECT On-Prem and ESET Management Agent |
HIPS event CEF log example:
Audit events
Extension name | Example | Description |
---|---|---|
act | Login attempt | Action taking place |
suser | Administrator | Security user involved |
duser | Administrator | Targeted security user (for example, for login attempts) |
msg | Authenticating native user 'Administrator' | A detailed description of the action |
cs1 | Native user | Audit log domain |
cs1Label | Audit Domain | |
cs2 | Success | Action result |
cs2Label | Result | |
Audit event CEF log example:
ESET Inspect events
Extension name | Example | Description |
---|---|---|
deviceProcessName | c:\\imagepath_bin.exe | Name of the process causing this alarm |
suser | HP\\home | Process owner |
cs2 | custom_rule_12 | Name of the rule triggering this alarm |
cs2Label | Rule Name | |
cs3 | 78C136C80FF3F46C2C98F5C6B3B5BB581F8903A9 | Alarm SHA1 hash |
cs3Label | Hash | |
cs4 | https://inspect.eset.com:443/console/alarm/126 | Link to the alarm in the ESET Inspect On-Prem Web Console |
cs4Label | EI Console Link | |
cs5 | 126 | ID sub-part of the alarm link ($1 in ^http.*/alarm/([0-9]+)$) |
cs5Label | EI Alarm ID | |
cn1 | 275 | Computer severity score |
cn1Label | ComputerSeverityScore | |
cn2 | 60 | Rule severity score |
cn2Label | SeverityScore | |
cnt | 3 | The number of alerts of the same type generated since the last alarm |
ESET Inspect event CEF log example:
Blocked files events
Extension name | Example | Description |
---|---|---|
act | Execution blocked | Action taken |
cn1 | 1 | Detection was handled (1) or was not handled (0) |
cn1Label | Handled | |
suser | HP\\home | Name of the user account associated with the event |
deviceProcessName | C:\\Windows\\explorer.exe | Name of the process associated with the event |
cs1 | 78C136C80FF3F46C2C98F5C6B3B5BB581F8903A9 | SHA1 hash of the blocked file |
cs1Label | Hash | |
filePath | C:\\totalcmd\\TOTALCMD.EXE | Object URI |
msg | ESET Inspect | Blocked file description |
deviceCustomDate1 | Jun 04 2019 14:10:00 | |
deviceCustomDate1Label | FirstSeen | The time and date when the detection was found for the first time on the machine. The format is %b %d %Y %H:%M:%S |
cs2 | Blocked by Administrator | Cause |
cs2Label | Cause | |
Blocked files event CEF log example:
Filtered website events
Extension name | Example | Description |
---|---|---|
msg | An attempt to connect to URL | Event type |
act | Blocked | Action taken |
cn1 | 1 | Detection was handled (1) or was not handled (0) |
cn1Label | Handled | |
suser | Peter | Name of the user account associated with the event |
deviceProcessName | Firefox | Name of the process associated with the event |
cs1 | Blocked by PUA blacklist | Rule ID |
cs1Label | Rule ID | |
requestUrl | https://kenmmal.com/ | URL of blocked request |
dst | 172.17.9.224 | Event destination IPv4 address |
c6a3 | 2001:0db8:85a3:0000:0000:8a2e:0370:7335 | Event destination IPv6 address |
c6a3Label | Destination IPv6 Address | |
cs2 | HTTP filter | Scanner ID |
cs2Label | Scanner ID | |
cs3 | 8EECCDD290BE2E99183290FDBE4172EBE3DC7EC5 | SHA1 hash of the filtered object |
cs3Label | Hash | |
Filtered website event CEF log example: