Syslog message formats

Common Event Format (CEF) and Log Event Extended Format (LEEF) log message formats are slightly different. For example, the "Source User" column in the GUI corresponds to a field named "suser" in CEF; in LEEF, the same field is named "usrName" instead. Log message fields also vary by whether the event originated on the agent or Deep Security Manager and which feature created the log message.

If your syslog messages are being truncated, it may be because you're using User Datagram Protocol (UDP). To prevent truncation, transfer your syslog messages over Transport Layer Security (TLS) instead. For instructions on switching to TLS, see Define a syslog configuration.

Basic syslog format is not supported by the anti-malware, web reputation, integrity monitoring, and application control protection modules.

If the syslog messages are sent from the Manager, there are several differences. In order to preserve the original hostname (the source of the event), a new extension ("dvc" or "dvchost") is present. "dvc" is used if the hostname is an IPv4 address; "dvchost" is used for hostnames and IPv6 addresses. Additionally, the extension "TrendMicroDsTags" is used if the events are tagged (This applies only to auto-tagging with run on future, since events are forwarded via syslog only as they are collected by the manager). The product for logs relayed through the Manager will still read " Deep Security Agent"; however, the product version is the version of the Manager.

CEF syslog message format

All CEF events include dvc=IPv4 Address or dvchost=Hostname (or the IPv6 address) for the purposes of determining the original source of the event. This extension is important for events sent from a virtual appliance or the manager, since in this case the syslog sender of the message is not the originator of the event.

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

To determine whether the log entry comes from the Deep Security Manager or a Deep Security Agent, look at the "Device Product" field:

Sample CEF Log Entry: Jan 18 11:07:53 dsmhost CEF:0|Trend Micro|Deep Security Manager|<DSM version>|600|Administrator Signed In|4|suser=Master...

Events that occur on a VM that is protected by a virtual appliance, but that don't have an in-guest agent, will still be identified as coming from an agent.

To further determine what kind of rule triggered the event, look at the "Signature ID" and "Name" fields:

Sample Log Entry: Mar 19 15:19:15 root CEF:0|Trend Micro|Deep Security Agent|<DSA version>|123|Out Of Allowed Policy|5|cn1=1...

The "Signature ID" value indicates what kind of event has been triggered:

Signature IDs Description
10 Custom intrusion prevention (IPS) rule
20 Log-only firewall rule
21 Deny firewall rule
30 Custom integrity monitoring rule
40 Custom log inspection rule
100-7499 System events
100-199 Policy firewall rule and firewall stateful configuration
200-299 IPS internal errors
300-399 SSL/TLS events
500-899 IPS normalization
1,000,000-1,999,999 Trend Micro IPS rule. The signature ID is the same as the IPS rule ID.
2,000,000-2,999,999 Integrity monitoring rule. The signature ID is the integrity monitoring rule ID + 1,000,000.
3,000,000-3,999,999 Log inspection rule. The signature ID is the log inspection rule ID + 2,000,000.
4,000,000-4,999,999 Anti-malware events. Currently, only these signature IDs are used:
  • 4,000,000
  • 4,000,001
  • 4,000,002
  • 4,000,003
  • 4,000,010
  • 4,000,011
  • 4,000,012
  • 4,000,013
  • 4,000,020
  • 4,000,030
5,000,000-5,999,999 Web reputation events. Currently, only these signature IDs are used:
  • 5,000,000
  • 5,000,001
6,000,000-6,999,999

Application control events. Currently, only these signature IDs are used:

  • 6,001,100
  • 6,001,200
  • 6,002,100
  • 6,002,200

Log entries don't always have all CEF extensions described in the event log format tables below. CEF extensions also may not be always in the same order. If you are using regular expressions (regex) to parse the entries, make sure your expressions do not depend on each key-value pair to exist, or to be in a specific order.
Syslog messages are limited to 64 KB by the syslog protocol specification. If the message is longer, data may be truncated. The basic syslog format is limited to 1 KB.

LEEF 2.0 syslog message format

Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter Character is tab)|Extension

Sample LEEF 2.0 Log Entry (DSM System Event Log Sample): LEEF:2.0|Trend Micro|Deep Security Manager|<DSA version>|192|cat=System name=Alert Ended desc=Alert: CPU Warning Threshold Exceeded\nSubject: 10.201.114.164\nSeverity: Warning sev=3 src=10.201.114.164 usrName=System msg=Alert: CPUWarning Threshold Exceeded\nSubject: 10.201.114.164\nSeverity:Warning TrendMicroDsTenant=Primary

Events originating in the Manager

System event log format

Base CEF Format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Manager|<DSM version>|600|User Signed In|3|src=10.52.116.160 suser=admin target=admin msg=User signed in from 2001:db8::5

Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter Character is tab)|Extension

Sample LEEF 2.0 Log Entry: LEEF:2.0|Trend Micro|Deep Security Manager|<DSA version>|192|cat=System name=Alert Ended desc=Alert: CPU Warning Threshold Exceeded\nSubject: 10.201.114.164\nSeverity: Warning sev=3 src=10.201.114.164 usrName=System msg=Alert: CPU Warning Threshold Exceeded\nSubject: 10.201.114.164\nSeverity: Warning TrendMicroDsTenant=Primary

LEEF format uses a reserved "sev" key to show severity and "name" for the Name value.
CEF Extension Field LEEF Extension Field Name Description Examples
src src Source IP Address Deep Security Manager IP address. src=10.52.116.23
suser usrName Source User Deep Security Manager administrator's account. suser=MasterAdmin
target target Target Entity The subject of the event. It can be the administrator account logged into Deep Security Manager, or a computer. target=MasterAdmin
target=server01
targetID targetID Target Entity ID The identifier added in the manager. targetID=1
targetType targetType Target Entity Type The event target entity type. targetType=Host
msg msg Details Details of the system event. May contain a verbose description of the event. msg=User password incorrect for username MasterAdmin on an attempt to sign in from 127.0.0.1
msg=A Scan for Recommendations on computer (localhost) has completed...
TrendMicroDsTags TrendMicroDsTags Event Tags Deep Security event tags assigned to the event TrendMicroDsTags=suspicious
TrendMicroDsTenant TrendMicroDsTenant Tenant Name Deep Security tenant TrendMicroDsTenant=Primary
TrendMicroDsTenantId TrendMicroDsTenantId Tenant ID Deep Security tenant ID TrendMicroDsTenantId=0
None sev Severity The severity of the event. 1 is the least severe; 10 is the most severe. sev=3
None cat Category Event category cat=System
None name Name Event name name=Alert Ended
None desc Description Event description desc:Alert: CPU Warning Threshold Exceeded

Events originating in the agent

Anti-malware event format

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<DSA version>|4000000|Eicar_test_file|6|cn1=1 cn1Label=Host ID dvchost=hostname cn2=205 cn2Label=Quarantine File Size cs6=ContainerImageName | ContainerName | ContainerID cs6Label=Container filePath=C:\\Users\\trend\\Desktop\\eicar.exe act=Delete msg=Realtime TrendMicroDsMalwareTarget=N/A TrendMicroDsMalwareTargetType=N/TrendMicroDsFileMD5=44D88612FEA8A8F36DE82E1278ABB02F TrendMicroDsFileSHA1=3395856CE81F2B7382DEE72602F798B642F14140 TrendMicroDsFileSHA256=275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F TrendMicroDsDetectionConfidence=95 TrendMicroDsRelevantDetectionNames=Ransom_CERBER.BZC;Ransom_CERBER.C;Ransom_CRYPNISCA.SM

Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter Character is tab)|Extension

Sample LEEF Log Entry: LEEF: 2.0|Trend Micro|Deep Security Agent|<DSA version>|4000030|cat=Anti-Malware name=HEU_AEGIS_CRYPT desc=HEU_AEGIS_CRYPT sev=6 cn1=241 cn1Label=Host ID dvc=10.0.0.1 TrendMicroDsTags=FS TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 filePath=C:\\Windows\\System32\\virus.exe act=Terminate msg=Realtime TrendMicroDsMalwareTarget=Multiple TrendMicroDsMalwareTargetType=File System TrendMicroDsFileMD5=1947A1BC0982C5871FA3768CD025453E#011 TrendMicroDsFileSHA1=5AD084DDCD8F80FBF2EE3F0E4F812E812DEE60C1#011 TrendMicroDsFileSHA256=25F231556700749F8F0394CAABDED83C2882317669DA2C01299B45173482FA6E TrendMicroDsDetectionConfidence=95 TrendMicroDsRelevantDetectionNames=Ransom_CERBER.BZC;Ransom_CERBER.C;Ransom_CRYPNISCA.SM

CEF Extension Field LEEF Extension Field Name Description Examples
cn1 cn1 Host Identifier The agent computer's internal unique identifier. cn1=1
cn1Label cn1Label Host ID The name label for the field cn1. cn1Label=Host ID
cn2 cn2 File Size The size of the quarantine file. This extension is included only when the "direct forward" from agent /appliance is selected. cn2=100
cn2Label cn2Label File Size The name label for the field cn2. cn2Label=Quarantine File Size
cs3 cs3 Infected Resource The path of the spyware item. This field is only for spyware detection events. cs3=C:\test\atse_samples\SPYW_Test_Virus.exe
cs3Label cs3Label Infected Resource The name label for the field cs3. This field is only for spyware detection events. cs3Label=Infected Resource
cs4 cs4 Resource Type

Resource Type values:

10=Files and Directories

11=System Registry

12=Internet Cookies

13=Internet URL Shortcut

14=Programs in Memory

15=Program Startup Areas

16=Browser Helper Object

17=Layered Service Provider

18=Hosts File

19=Windows Policy Settings

20=Browser

23=Windows Shell Setting

24=IE Downloaded Program Files

25=Add/Remove Programs

26=Services

other=Other

For example, if there's a spyware file named spy.exe that creates a registry run key to keep its persistence after system reboot, there will be two items in the spyware report: the item for spy.exe has cs4=10 (Files and Directories), and the item for the run key registry has cs4=11 (System Registry).

This field is only for spyware detection events.

cs4=10
cs4Label cd4Label Resource Type The name label for the field cs4. This field is only for spyware detection events. cs4Label=Resource Type
cs5 cs5 Risk Level

Risk level values:

0=Very Low

25=Low

50=Medium

75=High

100=Very High

This field is only for spyware detection events.

cs5=25
cs5Label cs5Label Risk Level The name label for the field cs5. This field is only for spyware detection events. cs5Label=Risk Level
cs6 cs6 Container The image name of the Docker container, container name, and container ID where the malware was detected. cs6=ContainerImageName | ContainerName | ContainerID
cs6Label cs6Label Container

The name label for the field cs6.

cs6Label=Container
filePath filePath File Path The location of the malware file. filePath=C:\\Users\\Mei\\Desktop\\virus.exe
act act Action The action performed by the anti-malware engine. Possible values are: Deny Access, Quarantine, Delete, Pass, Clean, Terminate, and Unspecified. act=Clean
act=Pass
msg msg Message The type of scan. Possible values are: Realtime, Scheduled, and Manual. msg=Realtime
msg=Scheduled
dvc dvc Device address

The IPv4 address for cn1.

Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)

dvc=10.1.144.199
dvchost dvchost Device host name

The hostname or IPv6 address for cn1.

Does not appear if the source is an IPv4 address. (Uses dvc field instead.)

dvchost=www.example.com
dvchost=fe80::f018:a3c6:20f9:afa6%5
TrendMicroDsTags TrendMicroDsTags Events tags Deep Security event tags assigned to the event TrendMicroDsTags=suspicious
TrendMicroDsTenant TrendMicroDsTenant Tenant name Deep Security tenant TrendMicroDsTenant=Primary
TrendMicroDsTenantId TrendMicroDsTenantId Tenant ID Deep Security tenant ID TrendMicroDsTenantId=0
TrendMicroDsMalwareTarget TrendMicroDsMalwareTarget Target(s)

The file, process, or registry key (if any) that the malware was trying to affect. If the malware was trying to affect more than one, this field will contain the value "Multiple."

Only suspicious activity monitoring and unauthorized change monitoring have values for this field.

TrendMicroDsMalwareTarget=N/A
TrendMicroDsMalwareTarget=C:\\Windows\\System32\\cmd.exe
TrendMicroDsMalwareTarget=HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
TrendMicroDsMalwareTarget=Multiple
TrendMicroDsMalwareTargetType TrendMicroDsMalwareTargetType Target Type

The type of system resource that this malware was trying to affect, such as the file system, a process, or Windows registry.

Only suspicious activity monitoring and unauthorized change monitoring have values for this field.

TrendMicroDsMalwareTargetType=N/A
TrendMicroDsMalwareTargetType=Exploit
TrendMicroDsMalwareTargetType=File System
TrendMicroDsMalwareTargetType=Process
TrendMicroDsMalwareTargetType=Registry
TrendMicroDsFileMD5 TrendMicroDsFileMD5 File MD5 The MD5 hash of the file TrendMicroDsFileMD5=1947A1BC0982C5871FA3768CD025453E
TrendMicroDsFileSHA1 TrendMicroDsFileSHA1 File SHA1 The SHA1 hash of the file TrendMicroDsFileSHA1=5AD084DDCD8F80FBF2EE3F0E4F812E812DEE60C1
TrendMicroDsFileSHA256 TrendMicroDsFileSHA256 File SHA256 The SHA256 hash of the file TrendMicroDsFileSHA256=25F231556700749F8F0394CAABDED83C2882317669DA2C01299B45173482FA6E
TrendMicroDsDetectionConfidence TrendMicroDsDetectionConfidence Threat Probability Indicates how closely (in %) the file matched the malware model TrendMicroDsDetectionConfidence=95
TrendMicroDsRelevantDetectionNames TrendMicroDsRelevantDetectionNames Probable Threat Type Indicates the most likely type of threat contained in the file after Predictive Machine Learning compared the analysis to other known threats(separate by semicolon";" ) TrendMicroDsRelevantDetectionNames=Ransom_CERBER.BZC;Ransom_CERBER.C;Ransom_CRYPNISCA.SM
None sev Severity The severity of the event. 1 is the least severe; 10 is the most severe. sev=6
None cat Category Category cat=Anti-Malware
None name Name Event name name=SPYWARE_KEYL_ACTIVE
None desc Description Event description. Anti-malware uses the event name as the description. desc=SPYWARE_KEYL_ACTIVE

Application control event format

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Example CEF Log Entry: CEF: 0|Trend Micro|Deep Security Agent|10.2.229|6001200|AppControl detectOnly|6|cn1=202 cn1Label=Host ID dvc=192.168.33.128 TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 fileHash=80D4AC182F97D2AB48EE4310AC51DA5974167C596D133D64A83107B9069745E0 suser=root suid=0 act=detectOnly filePath=/home/user1/Desktop/Directory1//heartbeatSync.sh fsize=20 aggregationType=0 repeatCount=1 cs1=notWhitelisted cs1Label=actionReason cs2=0CC9713BA896193A527213D9C94892D41797EB7C cs2Label=sha1 cs3=7EA8EF10BEB2E9876D4D7F7E5A46CF8D cs3Label=md5

Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter Character is tab)|Extension

Example LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|10.0.2883|60|cat=AppControl name=blocked desc=blocked sev=6 cn1=2 cn1Label=Host ID dvc=10.203.156.39 TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 fileHash=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 suser=root suid=0 act=blocked filePath=/bin/my.jar fsize=123857 aggregationType=0 repeatCount=1 cs1=notWhitelisted cs1Label=actionReason

CEF Extension Field LEEF Extension Field Name Description Examples
cn1 cn1 Host Identifier The agent computer's internal unique identifier. cn1=2
cn1Label cn1Label Host ID The name label for the field cn1. cn1Label=Host ID
cs1 cs1 Reason The reason why application control performed the specified action, such as "notWhitelisted" (the software did not have a matching rule, and application control was configured to block unrecognized software). cs1=notWhitelisted
cs1Label cs1Label   The name label for the field cs1. cs1Label=actionReason
cs2 cs2   If it was calculated, the SHA-1 hash of the file. cs2=156F4CB711FDBD668943711F853FB6DA89581AAD
cs2Label cs2Label   The name label for the field cs2. cs2Label=sha1
cs3 cs3   If it was calculated, the MD5 hash of the file. cs3=4E8701AC951BC4537F8420FDAC7EFBB5
cs3Label cs3Label   The name label for the field cs3. cs3Label=md5
act act Action The action performed by the application control engine. Possible values are: Blocked, Allowed. act=blocked
dvc dvc Device address

The IPv4 address for cn1.

Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)

dvc=10.1.1.10
dvchost dvchost Device host name

The hostname or IPv6 address for cn1.

Does not appear if the source is an IPv4 address. (Uses dvc field instead.)

dvchost=www.example.com
dvchost=2001:db8::5
suid suid User ID The account ID number of the user name. suid=0
suser suser User Name The name of the user account that installed the software on the protected computer. suser=root
TrendMicroDsTenant TrendMicroDsTenant Tenant name Deep Security tenant name. TrendMicroDsTenant=Primary
TrendMicroDsTenantId TrendMicroDsTenantId Tenant ID Deep Security tenant ID number. TrendMicroDsTenantId=0
fileHash fileHash File hash The SHA 256 hash that identifies the software file. fileHash=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
filePath filePath File Path The location of the malware file. filePath=/bin/my.jar
fsize fsize File Size The file size in bytes. fsize=16
aggregationType aggregationType Aggregation Type

An integer that indicates how the event is aggregated:

  • 0: The event is not aggregated
  • 1: The event is aggregated based on file name, path, and event type.
  • 2: The event is aggregated based on event type.

For information, about event aggregation, see View application control event logs.

aggregationType=2
repeatCount repeatCount Repeat Count The number of occurrences of the event. Non-aggregated events have a value of 1. Aggregated events have a value of 2 or more. repeatCount=4
None sev Severity The severity of the event. 1 is the least severe; 10 is the most severe. sev=6
None cat Category Category cat=AppControl
None name Name Event name name=blocked
None desc Description Event description. Application control uses the action as the description. desc=blocked

Firewall event log format

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<DSA version>|20|Log for TCP Port 80|0|cn1=1 cn1Label=Host ID dvc=hostname act=Log dmac=00:50:56:F5:7F:47 smac=00:0C:29:EB:35:DE TrendMicroDsFrameType=IP src=192.168.126.150 dst=72.14.204.147 out=1019 cs3=DF MF cs3Label=Fragmentation Bits proto=TCP spt=49617 dpt=80 cs2=0x00 ACK PSH cs2Label=TCP Flags cnt=1 TrendMicroDsPacketData=AFB...

Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|<DSA version>|21|cat=Firewall name=Remote Domain Enforcement (Split Tunnel) desc=Remote Domain Enforcement (Split Tunnel) sev=5 cn1=37 cn1Label=Host ID dvchost=www.example.com TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 act=Deny dstMAC=67:BF:1B:2F:13:EE srcMAC=78:FD:E7:07:9F:2C TrendMicroDsFrameType=IP src=10.0.110.221 dst=105.152.185.81 out=177 cs3= cs3Label=Fragmentation Bits proto=UDP srcPort=23 dstPort=445 cnt=1

CEF Extension Field LEEF Extension Field Name Description Examples
act act Action act=Log
act=Deny
cn1 cn1 Host Identifier The agent computer's internal unique identifier. cn1=113
cn1Label cn1Label Host ID The name label for the field cn1. cn1Label=Host ID
cnt cnt Repeat Count The number of times this event was sequentially repeated. cnt=8
cs2 cs2 TCP Flags cs2=0x10 ACK
cs2=0x14 ACK RST
cs2Label cs2Label TCP Flags The name label for the field cs2. cs2Label=TCP Flags
cs3 cs3 Packet Fragmentation Information cs3=DF
cs3=MF
cs3=DF MF
cs3Label cs3Label Fragmentation Bits The name label for the field cs3. cs3Label=Fragmentation Bits
cs4 cs4 ICMP Type and Code (For the ICMP protocol only) The ICMP type and code, delimited by a space. cs4=11 0
cs4=8 0
cs4Label cs4Label ICMP The name label for the field cs4. cs4Label=ICMP Type and Code
dmac dstMAC Destination MAC Address MAC address of the destination computer's network interface. dmac= 00:0C:29:2F:09:B3
dpt dstPort Destination Port (For TCP and UDP protocol only) Port number of the destination computer's connection or session. dpt=80
dpt=135
dst dst Destination IP Address IP address of the destination computer. dst=192.168.1.102
dst=10.30.128.2
in in Inbound Bytes Read (For inbound connections only) Number of inbound bytes read. in=137
in=21
out out Outbound Bytes Read (For outbound connections only) Number of outbound bytes read. out=216
out=13
proto proto Transport protocol Name of the transport protocol used. proto=tcp
proto=udp
proto=icmp
smac srcMAC Source MAC Address MAC address of the source computer's network interface. smac= 00:0E:04:2C:02:B3
spt srcPort Source Port (For TCP and UDP protocol only) Port number of the source computer's connection or session. spt=1032
spt=443
src src Source IP Address IP address of the source computer. src=192.168.1.105
src=10.10.251.231
TrendMicroDsFrameType TrendMicroDsFrameType Ethernet frame type Connection ethernet frame type. TrendMicroDsFrameType=IP
TrendMicroDsFrameType=ARP
TrendMicroDsFrameType=RevARP
TrendMicroDsFrameType=NetBEUI
TrendMicroDsPacketData TrendMicroDsPacketData Packet data TrendMicroDsPacketData=AA...BA\=
dvc dvc Device address

The IPv4 address for cn1.

Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)

dvc=10.1.144.199
dvchost dvchost Device host name

The hostname or IPv6 address for cn1.

Does not appear if the source is an IPv4 address. (Uses dvc field instead.)

dvchost=exch01.example.com
dvchost=2001:db8::5
TrendMicroDsTags TrendMicroDsTags Event Tags Deep Security event tags assigned to the event TrendMicroDsTags=suspicious
TrendMicroDsTenant TrendMicroDsTenant Tenant Name Deep Security tenant TrendMicroDsTenant=Primary
TrendMicroDsTenantId TrendMicroDsTenantId Tenant ID Deep Security tenant ID TrendMicroDsTenantId=0
None sev Severity The severity of the event. 1 is the least severe; 10 is the most severe. sev=5
None cat Category Category cat=Firewall
None name Name Event name name=Remote Domain Enforcement (Split Tunnel)
None desc Description Event description. Firewall events use the event name as the description. desc=Remote Domain Enforcement (Split Tunnel)

Integrity monitoring log event format

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<DSA version>|30|New Integrity Monitoring Rule|6|cn1=1 cn1Label=Host ID dvchost=hostname act=updated filePath=c:\\windows\\message.dll suser=admin msg=lastModified,sha1,size

Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter Character is tab)|Extension

Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|<DSA version>|2002779|cat=Integrity Monitor name=Microsoft Windows - System file modified desc=Microsoft Windows - System file modified sev=8 cn1=37 cn1Label=Host ID dvchost=www.example.com TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 act=updated suser=admin

CEF Extension Field LEEF Extension Field Name Description Examples
act act Action The action detected by the integrity rule. Can contain: created, updated, detected or renamed. act=created
act=deleted
cn1 cn1 Host Identifier The agent computer's internal unique identifier. cn1=113
cn1Label cn1Label Host ID The name label for the field cn1. cn1Label=Host ID
filePath filePath Target Entity The integrity rule target entity. May contain a file or directory path, registry key, etc. filePath=C:\WINDOWS\system32\drivers\etc\hosts
suser suser Source User Deep Security Manager administrator's account. suser=MasterAdmin
msg msg Attribute changes (For "renamed" action only) A list of changed attribute names.
If "Relay via Manager" is selected, all event action types include a full description.
msg=lastModified,sha1,size
oldfilePath oldfilePath Old target entity (For "renamed" action only) The previous integrity rule target entity to capture the rename action from the previous target entity to the new, which is recorded in the filePath field. oldFilePath=C:\WINDOWS\system32\logfiles\ds_agent.log
dvc dvc Device address

The IPv4 address for cn1.

Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)

dvc=10.1.144.199
dvchost dvchost Device host name

The hostname or IPv6 address for cn1.

Does not appear if the source is an IPv4 address. (Uses dvc field instead.)

dvchost=www.example.com
dvchost=2001:db8::5
TrendMicroDsTags TrendMicroDsTags Events tags Deep Security event tags assigned to the event TrendMicroDsTags=suspicious
TrendMicroDsTenant TrendMicroDsTenant Tenant name Deep Security tenant TrendMicroDsTenant=Primary
TrendMicroDsTenantId TrendMicroDsTenantId Tenant ID Deep Security tenant ID TrendMicroDsTenantId=0
None sev Severity The severity of the event. 1 is the least severe; 10 is the most severe. sev=8
None cat Category Category cat=Integrity Monitor
None name Name Event name name=Microsoft Windows - System file modified
None desc Description Event description. Integrity monitoring uses the event name as the description. desc=Microsoft Windows - System file modified

Intrusion prevention event log format

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<DSA version>|1001111|Test Intrusion Prevention Rule|3|cn1=1 cn1Label=Host ID dvchost=hostname dmac=00:50:56:F5:7F:47 smac=00:0C:29:EB:35:DE TrendMicroDsFrameType=IP src=192.168.126.150 dst=72.14.204.105 out=1093 cs3=DF MF cs3Label=Fragmentation Bits proto=TCP spt=49786 dpt=80 cs2=0x00 ACK PSH cs2Label=TCP Flags cnt=1 act=IDS:Reset cn3=10 cn3Label=Intrusion Prevention Packet Position cs5=10 cs5Label=Intrusion Prevention Stream Position cs6=8 cs6Label=Intrusion Prevention Flags TrendMicroDsPacketData=R0VUIC9zP3...

Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter Character is tab)|Extension

Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|<DSA version>|1000940|cat=Intrusion Prevention name=Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities desc=Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities sev=10 cn1=6 cn1Label=Host ID dvchost=exch01 TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 dstMAC=55:C0:A8:55:FF:41 srcMAC=CA:36:42:B1:78:3D TrendMicroDsFrameType=IP src=10.0.251.84 dst=56.19.41.128 out=166 cs3= cs3Label=Fragmentation Bits proto=ICMP srcPort=0 dstPort=0 cnt=1 act=IDS:Reset cn3=0 cn3Label=DPI Packet Position cs5=0 cs5Label=DPI Stream Position cs6=0 cs6Label=DPI Flags

CEF Extension Field LEEF Extension Field Name Description Examples
act act Action (IPS rules written before Deep Security version 7.5 SP1 could additionally perform Insert, Replace, and Delete actions. These actions are no longer performed. If an older IPS Rule is triggered which still attempts to perform those actions, the event will indicate that the rule was applied in detect-only mode.) act=Block
cn1 cn1 Host Identifier The agent computer's internal unique identifier. cn1=113
cn1Label cn1Label Host ID The name label for the field cn1. cn1Label=Host ID
cn3 cn3 Intrusion Prevention Packet Position Position within packet of data that triggered the event. cn3=37
cn3Label cn3Label Intrusion Prevention Packet Position The name label for the field cn3. cn3Label=Intrusion Prevention Packet Position
cnt cnt Repeat Count The number of times this event was sequentially repeated. cnt=8
cs1 cs1 Intrusion Prevention Filter Note (Optional) A note field which can contain a short binary or text note associated with the payload file. If the value of the note field is all printable ASCII characters, it will be logged as text with spaces converted to underscores. If it contains binary data, it will be logged using Base-64 encoding. cs1=Drop_data
cs1Label cs1Label Intrusion Prevention Note The name label for the field cs1. cs1Label=Intrusion Prevention Note
cs2 cs2 TCP Flags (For the TCP protocol only) The raw TCP flag byte followed by the URG, ACK, PSH, RST, SYN and FIN fields may be present if the TCP header was set. cs2=0x10 ACK
cs2=0x14 ACK RST
cs2Label cs2Label TCP Flags The name label for the field cs2. cs2Label=TCP Flags
cs3 cs3 Packet Fragmentation Information cs3=DF
cs3=MF
cs3=DF MF
cs3Label cs3Label Fragmentation Bits The name label for the field cs3. cs3Label=Fragmentation Bits
cs4 cs4 ICMP Type and Code (For the ICMP protocol only) The ICMP type and code stored in their respective order delimited by a space. cs4=11 0
cs4=8 0
cs4Label cs4Label ICMP The name label for the field cs4. cs4Label=ICMP Type and Code
cs5 cs5 Intrusion Prevention Stream Position Position within stream of data that triggered the event. cs5=128
cs5=20
cs5Label cs5Label Intrusion Prevention Stream Position The name label for the field cs5. cs5Label=Intrusion Prevention Stream Position
cs6 cs6 Intrusion Prevention Filter Flags A combined value that includes the sum of the flag values:

1 - Data truncated - Data could not be logged.
2 - Log Overflow - Log overflowed after this log.
4 - Suppressed - Logs threshold suppressed after this log.
8 - Have Data - Contains packet data
16 - Reference Data - References previously logged data.
The following example would be a summed combination of 1 (Data truncated) and 8 (Have Data):
cs6=9
cs6Label cs6Label Intrusion Prevention Flags The name label for the field cs6. cs6=Intrusion Prevention Filter Flags
dmac dstMAC Destination MAC Address Destination computer network interface MAC address. dmac= 00:0C:29:2F:09:B3
dpt dstPort Destination Port (For TCP and UDP protocol only) Destination computer connection port. dpt=80
dpt=135
dst dst Destination IP Address Destination computer IP Address. dst=192.168.1.102
dst=10.30.128.2
in in Inbound Bytes Read (For inbound connections only) Number of inbound bytes read. in=137
in=21
out out Outbound Bytes Read (For outbound connections only) Number of outbound bytes read. out=216
out=13
proto proto Transport protocol Name of the connection transport protocol used. proto=tcp
proto=udp
proto=icmp
smac srcMAC Source MAC Address Source computer network interface MAC address. smac= 00:0E:04:2C:02:B3
spt srcPort Source Port (For TCP and UDP protocol only) Source computer connection port. spt=1032
spt=443
src src Source IP Address Source computer IP Address. src=192.168.1.105
src=10.10.251.231
TrendMicroDsFrameType TrendMicroDsFrameType Ethernet frame type Connection ethernet frame type. TrendMicroDsFrameType=IP
TrendMicroDsFrameType=ARP
TrendMicroDsFrameType=RevARP
TrendMicroDsFrameType=NetBEUI
TrendMicroDsPacketData TrendMicroDsPacketData Packet data TrendMicroDsPacketData=AA...BA\=
dvc dvc Device address

The IPv4 address for cn1.

Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)

dvc=10.1.144.199
dvchost dvchost Device host name

The hostname or IPv6 address for cn1.

Does not appear if the source is an IPv4 address. (Uses dvc field instead.)

dvchost=www.example.com
dvchost=2001:db8::5
TrendMicroDsTags TrendMicroDsTags Event tags Deep Security event tags assigned to the event TrendMicroDsTags=Suspicious
TrendMicroDsTenant TrendMicroDsTenant Tenant name Deep Security tenant name TrendMicroDsTenant=Primary
TrendMicroDsTenantId TrendMicroDsTenantId Tenant ID Deep Security tenant ID TrendMicroDsTenantId=0
None sev Severity The severity of the event. 1 is the least severe; 10 is the most severe. sev=10
None cat Category Category cat=Intrusion Prevention
None name Name Event name name=Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities
None desc Description Event description. Intrusion prevention events use the event name as the description. desc=Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities

Log inspection event format

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<DSA version>|3002795|Microsoft Windows Events|8|cn1=1 cn1Label=Host ID dvchost=hostname cs1Label=LI Description cs1=Multiple Windows Logon Failures fname=Security src=127.0.0.1 duser=(no user) shost=WIN-RM6HM42G65V msg=WinEvtLog Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-RM6HM42G65V: An account failed to log on. Subject: ..

Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter Character is tab)|Extension

Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|<DSA version>|3003486|cat=Log Inspection name=Mail Server - MDaemon desc=Server Shutdown. sev=3 cn1=37 cn1Label=Host ID dvchost=exch01.example.com TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 cs1=Server Shutdown. cs1Label=LI Description fname= shost= msg=

CEF Extension Field LEEF Extension Field Name Description Examples
cn1 cn1 Host Identifier The agent computer's internal unique identifier. cn1=113
cn1Label cn1Label Host ID The name label for the field cn1. cn1Label=Host ID
cs1 cs1 Specific Sub-Rule The Log Inspection sub-rule which triggered this event. cs1=Multiple Windows audit failure events
cs1Label cs1Label LI Description The name label for the field cs1. cs1Label=LI Description
duser duser User Information (If parse-able username exists) The name of the target user initiated the log entry. duser=(no user)
duser=NETWORK SERVICE
fname fname Target entity The log inspection rule target entity. May contain a file or directory path, registry key, etc. fname=Application
fname=C:\Program Files\CMS\logs\server0.log
msg msg Details Details of the log inspection event. May contain a verbose description of the detected log event. msg=WinEvtLog: Application: AUDIT_FAILURE(20187): pgEvent: (no user): no domain: SERVER01: Remote login failure for user 'xyz'
shost shost Source Hostname Source computer hostname. shost=webserver01.corp.com
src src Source IP Address Source computer IP address. src=192.168.1.105
src=10.10.251.231
dvc dvc Device address

The IPv4 address for cn1.

Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)

dvc=10.1.144.199
dvchost dvchost Device host name

The hostname or IPv6 address for cn1.

Does not appear if the source is an IPv4 address. (Uses dvc field instead.)

dvchost=www.example.com
dvchost=2001:db8::5
TrendMicroDsTags TrendMicroDsTags Events tags Deep Security event tags assigned to the event TrendMicroDsTags=suspicious
TrendMicroDsTenant TrendMicroDsTenant Tenant name Deep Security tenant TrendMicroDsTenant=Primary
TrendMicroDsTenantId TrendMicroDsTenantId Tenant ID Deep Security tenant ID TrendMicroDsTenantId=0
None sev Severity The severity of the event. 1 is the least severe; 10 is the most severe. sev=3
None cat Category Category cat=Log Inspection
None name Name Event name name=Mail Server - MDaemon
None desc Description Event description. desc=Server Shutdown

Web reputation event format

Base CEF format: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension

Sample CEF Log Entry: CEF:0|Trend Micro|Deep Security Agent|<DSA version>|5000000|WebReputation|5|cn1=1 cn1Label=Host ID dvchost=hostname request=example.com msg=Blocked By Admin

Base LEEF 2.0 format: LEEF:2.0|Vendor|Product|Version|EventID|(Delimiter Character, optional if the Delimiter Character is tab)|Extension

Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Agent|<DSA version>|5000000|cat=Web Reputation name=WebReputation desc=WebReputation sev=6 cn1=3 cn1Label=Host ID dvchost=exch01.example.com TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 request=http://yw.olx5x9ny.org.it/HvuauRH/eighgSS.htm msg=Suspicious

CEF Extension Field LEEF Extension Field Name Description Examples
cn1 cn1 Host Identifier The agent computer's internal unique identifier. cn1=1
cn1Label cn1Label Host ID The name label for the field cn1. cn1Label=Host ID
request request Request The URL of the request. request=http://www.example.com/index.php
msg msg Message The type of action. Possible values are: Realtime, Scheduled, and Manual. msg=Realtime
msg=Scheduled
dvc dvc Device address

The IPv4 address for cn1.

Does not appear if the source is an IPv6 address or hostname. (Uses dvchost instead.)

dvc=10.1.144.199
dvchost dvchost Device host name

The hostname or IPv6 address for cn1.

Does not appear if the source is an IPv4 address. (Uses dvc field instead.)

dvchost=www.example.com
dvchost=2001:db8::5
TrendMicroDsTags TrendMicroDsTags Events tags Deep Security event tags assigned to the event TrendMicroDsTags=suspicious
TrendMicroDsTenant TrendMicroDsTenant Tenant name Deep Security tenant TrendMicroDsTenant=Primary
TrendMicroDsTenantId TrendMicroDsTenantId Tenant ID Deep Security tenant ID TrendMicroDsTenantId=0
None sev Severity The severity of the event. 1 is the least severe; 10 is the most severe. sev=6
None cat Category Category cat=Web Reputation
None name Name Event name name=WebReputation
None desc Description Event description. Web reputation uses the event name as the description. desc=WebReputation