Views:

CEF

Security Risk Scan Logs

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Example: SMEX
Header (pver)	Appliance version	14
Header (eventid)	Signature ID	100101
Header (eventName)	Event name	Virus Detection
Header (severity)	Severity	High
rt	Scan time	Example: Mar 29 2019 08:01:55
cs2Label	Message found at label	foundAt
foundAt	Message found at	SMTP
Mailbox
suser	Message source	Example: sender@win16e16.com
duser	Message destination	Example: reci@win16e16.com
msg	Message subject
cs4Label	Message ID label	messageId
messageId	Message ID	Example: adfcde36-1411-4a0a-865b-f84f79433987@Win16E16-SRV.win16e16.com
act	Filter action
cs1Label	Virus name label	virusName
virusName	Virus name
cs6Label	Threat type label	threatType
threatType	Threat type
fname	Attachment file name
cs3Label	Risk level label	riskLevel
riskLevel	Risk level
cat	Detected rule category
cn1Label	Ransomware label	isRansomware
isRansomware	Is ransomware or not	0 = not ransomware 1 = ransomware

Log sample:

Mar 29 16:02:39 10.204.128.71  2019-03-29T16:02:38+08:00 Win16E16-SRV SMEX[6480]: CEF:0|Trend Micro|SMEX|14.0|100101|Virus Detection|High|rt=Mar 29 2019 08:01:55 cs2Label=foundAt foundAt=SMTP
 suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=VS Test cs4Label=messageId messageId=adfcde36-1411-4a0a-865b-f84f79433987@Win16E16-SRV.win16e16.com act=Clean fail, quarantine entire message
 cs1Label=virusName virusName=Eicar_test_file cs6Label=threatType threatType=Viruses fname=eicar.txt cs3Label=riskLevel riskLevel=Suspicious cat= N/A cn1Label=isRansomware isRansomware=0

Attachment Blocking Logs

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Example: SMEX
Header (pver)	Appliance version	14
Header (eventid)	Signature ID	100102
Header (eventName)	Event name	Attachment Block
Header (severity)	Severity	High
rt	Scan time	Example: Mar 29 2019 09:48:46
cs2Label	Message found at label	foundAt
foundAt	Message found at	SMTP
Mailbox
suser	Message source	Example: sender@win16e16.com
duser	Message destination	Example: reci@win16e16.com
msg	Message subject
cs4Label	Message ID label	messageId
messageId	Message ID	Example: 0b6dcb71-b196-4278-ac71-6ccc908096f9@Win16E16-SRV.win16e16.com
act	Filter action
cs1Label	Policy name label	policyName
policyName	Policy name
fname	Attachment file name

Log sample:

Mar 29 17:48:57 10.204.128.71  2019-03-29T17:48:56+08:00 Win16E16-SRV SMEX[18476]: CEF:0|Trend Micro|SMEX|14.0|100102|Attachment Block|High|rt=Mar 29 2019 09:48:46 cs2Label=foundAt foundAt=SMTP
 suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=AB Test cs4Label=messageId messageId=0b6dcb71-b196-4278-ac71-6ccc908096f9@Win16E16-SRV.win16e16.com act=Replace with text/file
 cs1Label=policyName policyName=Password-Protected/Block password protected file fname=AB.zip

Content Filtering Logs

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Example: SMEX
Header (pver)	Appliance version	14
Header (eventid)	Signature ID	100107
Header (eventName)	Event name	Content Violation
Header (severity)	Severity	High
rt	Scan time	Example: Apr 01 2019 02:46:53
cs2Label	Message found at label	foundAt
foundAt	Message found at	SMTP
Mailbox
suser	Message source	Example: sender@win16e16.com
duser	Message destination	Example: reci@win16e16.com
msg	Message subject
cs4Label	Message ID label	messageId
messageId	Message ID	Example: d3c28383-0591-44dd-9649-b0d07e61cf43@Win16E16-SRV.win16e16.com
act	Filter action
cs1Label	Policy name label	policyName
policyName	Policy name
fname	Attachment file name
cs6Label	Policy reason label	policyReason
policyReason	Policy reason

Log sample:

Apr  1 10:48:09 10.204.128.71  2019-04-01T10:48:06+08:00 Win16E16-SRV SMEX[23244]: CEF:0|Trend Micro|SMEX|14.0|100107|Content Violation|High|rt=Apr 01 2019 02:46:53 cs2Label=foundAt foundAt=SMTP
 suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=CF Test cs4Label=messageId messageId=d3c28383-0591-44dd-9649-b0d07e61cf43@Win16E16-SRV.win16e16.com act=Quarantine entire message
 cs1Label=policyName policyName=PROFANITY fname=cf41.txt cs6Label=policyReason policyReason=ana1;

Data Loss Prevention Logs

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Example: SMEX
Header (pver)	Appliance version	14
Header (eventid)	Signature ID	100105
Header (eventName)	Event name	DLP Detection
Header (severity)	Severity	High
rt	Scan time	Example: Apr 01 2019 03:23:13
cs2Label	Message found at label	foundAt
foundAt	Message found at	SMTP
		Mailbox
suser	Message source	Example: sender@win16e16.com
duser	Message destination	Example: reci@win16e16.com
msg	Message subject
cs4Label	Message ID label	messageId
messageId	Message ID	Example: c1b48c9c-9e56-4c14-a394-9b729e8ad6d1@Win16E16-SRV.win16e16.com
act	Filter action
cs1Label	Policy name label	policyName
policyName	Policy name
fname	Attachment file name
cs6Label	Policy reason label	policyReason
policyReason	Policy reason

Log sample:

Apr  1 11:23:36 10.204.128.71  2019-04-01T11:23:34+08:00 Win16E16-SRV SMEX[6132]: CEF:0|Trend Micro|SMEX|14.0|100105|DLP Detection|High|rt=Apr 01 2019 03:23:13 cs2Label=foundAt foundAt=SMTP
 suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=DLP Test cs4Label=messageId messageId=c1b48c9c-9e56-4c14-a394-9b729e8ad6d1@Win16E16-SRV.win16e16.com act=Pass
 cs1Label=policyName policyName=Data Loss Prevention (GLBA) fname=dlp22.txt cs6Label=policyReason policyReason=US: GLBA

Spam Prevention Logs

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Example: SMEX
Header (pver)	Appliance version	14
Header (eventid)	Signature ID	100103
Header (eventName)	Event name	Spam Detection
Header (severity)	Severity	High
rt	Scan time	Example: Apr 01 2019 06:16:09
cs2Label	Message found at label	foundAt
foundAt	Message found at	SMTP
		Mailbox
suser	Message source	Example: sender@win16e16.com
duser	Message destination	Example: reci@win16e16.com
msg	Message subject
act	Filter action
cs1Label	Policy name label	policyName
policyName	Policy name

Log sample:

Apr  1 14:16:35 10.204.128.71  2019-04-01T14:16:33+08:00 Win16E16-SRV SMEX[15624]: CEF:0|Trend Micro|SMEX|14.0|100103|Spam Detection|High|rt=Apr 01 2019 06:16:09 cs2Label=foundAt foundAt=SMTP
 suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=High spam act=Quarantine message to user's spam folder cs1Label=policyName policyName=Spam Mail

Advanced Spam Prevention Logs

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Example: SMEX
Header (pver)	Appliance version	14
Header (eventid)	Signature ID	100106
Header (eventName)	Event name	Advance Spam Detection
Header (severity)	Severity	High
rt	Scan time	Example: Apr 01 2019 06:35:14
cs2Label	Message found at label	foundAt
foundAt	Message found at	SMTP
		Mailbox
suser	Message source	Example: sender@win16e16.com
duser	Message destination	Example: reci@win16e16.com
msg	Message subject
cs4Label	Message ID label	messageId
messageId	Message ID	Example: 59927c70-4c31-4742-be58-9973c4d5d10d@Win16E16-SRV.win16e16.com
act	Filter action
cs1Label	Threat name label	threatName
threatName	Threat name
cs3Label	Risk level label	riskLevel
riskLevel	Risk level
cn1Label	Is ransomware or not label	isRansomware
isRansomware	Is ransomware or not	0 = not ransomware 1 = ransomware
cat	Sub type

Log sample:

Apr  1 14:36:03 10.204.128.71  2019-04-01T14:36:01+08:00 Win16E16-SRV SMEX[6696]: CEF:0|Trend Micro|SMEX|14.0|100106|Advance Spam Detection|High|rt=Apr 01 2019 06:35:14 cs2Label=foundAt foundAt=SMTP
 suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=SNAPBECTesting cs4Label=messageId messageId=59927c70-4c31-4742-be58-9973c4d5d10d@Win16E16-SRV.win16e16.com act=Quarantine entire message
 cs1Label=threatName threatName=BEC_CEO-FRAUD.ERS cs3Label=riskLevel riskLevel=No Risk cn1Label=isRansomware isRansomware=0 cat=BEC

Web Reputation Logs

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Example: SMEX
Header (pver)	Appliance version	14
Header (eventid)	Signature ID	100104
Header (eventName)	Event name	Web Threat Detection
Header (severity)	Severity	High
rt	Scan time	Example: Apr 01 2019 07:10:17
cs2Label	Message found at label	foundAt
foundAt	Message found at	SMTP
		Mailbox
suser	Message source	Example: sender@win16e16.com
duser	Message destination	Example: reci@win16e16.com
msg	Message subject
cs4Label	Message ID label	messageId
messageId	Message ID	Example: 476ed59d-46ec-48c3-9561-fb44d02c2c09@Win16E16-SRV.win16e16.com
act	Filter action
cs3Label	Risk level label	riskLevel
riskLevel	Risk level
cat	URL category
cn1Label	Is ransomware or not label	isRansomware
isRansomware	Is ransomware or not	0 = not ransomware 1 = ransomware
cs6Label	Policy reason label	policyReason
policyReason	Policy reason

Log sample:

Apr  1 15:10:36 10.204.128.71  2019-04-01T15:10:34+08:00 Win16E16-SRV SMEX[16780]: CEF:0|Trend Micro|SMEX|14.0|100104|Web Threat Detection|High|rt=Apr 01 2019 07:10:17 cs2Label=foundAt foundAt=SMTP
 suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=Suspicious URL:WTP Test cs4Label=messageId messageId=476ed59d-46ec-48c3-9561-fb44d02c2c09@Win16E16-SRV.win16e16.com act=Quarantine message to user's spam folder
 cs3Label=riskLevel riskLevel=High cat=Spyware cn1Label=isRansomware isRansomware=0 cs6Label=policyReason policyReason=https://wrs21.winshipway.com:443

Event Tracking Logs

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Example: SMEX
Header (pver)	Appliance version	14
Header (eventid)	Signature ID	300101
Header (eventName)	Event name	Event Tracking
Header (severity)	Severity	Low
shost	Server name
suser	User name
rt	Event time	Example: Apr 01 2019 07:10:17
src/ c6a1	IPv4/IPv6 address
cs1Label	Event type label	eventType
eventType	Event type
msg	Log description

Log sample:

Apr  1 15:32:12 10.204.128.71  2019-04-01T15:32:10+08:00 Win16E16-SRV SMEX[23028]: CEF:0|Trend Micro|SMEX|14.0|300101|Event Tracking|Low|shost=WIN16E16-SRV
 suser=WIN16E16\\admin rt=Apr 01 2019 07:32:07 src=10.204.128.71 cs1Label=eventType eventType=Configuration change msg=Log Forwarding settings have been changed.

LEEF

Security Risk Scan Logs

LEEF Key	Description	Value
Header (logVer)	LEEF format version	LEEF:1.0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	SMEX
Header (pver)	Appliance version	Example: 14.0
Header (eventName)	Event name	Virus Detection
devTime	Scan time	Example: Mar 29 2019 08:01:55
foundAt	Message found at	SMTP
		Mailbox
usrName	Message source	Example: sender@win16e16.com
recipient	Message destination	Example: reci@win16e16.com
msg	Message subject
messageId	Message ID	Example: adfcde36-1411-4a0a-865b-f84f79433987@Win16E16-SRV.win16e16.com
act	Filter action
virusName	Virus name
threatType	Threat type
filename	Attachment file name
riskLevel	Risk level
cat	Detected rule category
isRansomware	Is ransomware or not	0 = not ransomware 1 = ransomware

Log sample:

Mar 29 16:03:18 10.204.128.71  2019-03-29T16:03:17+08:00 Win16E16-SRV SMEX[21464]: LEEF:1.0|Trend Micro|SMEX|14.0|Virus Detection|^|devTime=Mar 29 2019 08:01:55	foundAt=SMTP	usrName=sender@win16e16.com;
 	recipient=reci@win16e16.com; 	msg=VS Test	messageId=adfcde36-1411-4a0a-865b-f84f79433987@Win16E16-SRV.win16e16.com	act=Clean fail, quarantine entire message	virusName=Eicar_test_file
	threatType=Viruses	filename=eicar.txt	riskLevel=Suspicious	cat= N/A	isRansomware=0

Attachment Blocking Logs

LEEF Key	Description	Value
Header (logVer)	LEEF format version	LEEF:1.0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	SMEX
Header (pver)	Appliance version	Example: 14.0
Header (eventName)	Event name	Attachment Block
devTime	Scan time	Example: Mar 29 2019 09:48:46
foundAt	Message found at	SMTP
		Mailbox
usrName	Message source	Example: sender@win16e16.com
recipient	Message destination	Example: reci@win16e16.com
msg	Message subject
messageId	Message ID	Example: 0b6dcb71-b196-4278-ac71-6ccc908096f9@Win16E16-SRV.win16e16.com
act	Filter action
policyName	Policy name
filename	Attachment file name

Log sample:

Mar 29 17:51:09 10.204.128.71  2019-03-29T17:51:08+08:00 Win16E16-SRV SMEX[19132]: LEEF:1.0|Trend Micro|SMEX|14.0|Attachment Block|^|devTime=Mar 29 2019 09:48:46	foundAt=SMTP	usrName=sender@win16e16.com;
 	recipient=reci@win16e16.com; 	msg=AB Test	messageId=0b6dcb71-b196-4278-ac71-6ccc908096f9@Win16E16-SRV.win16e16.com	act=Replace with text/file	policyName=Password-Protected/Block password protected file	filename=AB.zip

Attachment Blocking Logs

LEEF Key	Description	Value
Header (logVer)	LEEF format version	LEEF:1.0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	SMEX
Header (pver)	Appliance version	Example: 14.0
Header (eventName)	Event name	Content Violation
devTime	Scan time	Example: Apr 01 2019 02:58:24
foundAt	Message found at	SMTP
		Mailbox
usrName	Message source	Example: sender@win16e16.com
recipient	Message destination	Example: reci@win16e16.com
msg	Message subject
messageId	Message ID	Example: 7d06b7a1-1303-41db-b9be-c2e24de2a32b@Win16E16-SRV.win16e16.com
act	Filter action
policyName	Policy name
filename	Attachment file name
policyReason	Policy reason

Log sample:

Apr  1 11:09:31 10.204.128.71  2019-04-01T11:09:29+08:00 Win16E16-SRV SMEX[22148]: LEEF:1.0|Trend Micro|SMEX|14.0|Content Violation|^|devTime=Apr 01 2019 02:58:24	foundAt=SMTP
	usrName=sender@win16e16.com; 	recipient=reci@win16e16.com; 	msg=CF Test	messageId=7d06b7a1-1303-41db-b9be-c2e24de2a32b@Win16E16-SRV.win16e16.com	act=Quarantine entire message	policyName=PROFANITY	filename=cf41.txt	policyReason=ana1;

Data Loss Prevention Logs

LEEF Key	Description	Value
Header (logVer)	LEEF format version	LEEF:1.0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	SMEX
Header (pver)	Appliance version	Example: 14.0
Header (eventName)	Event name	DLP Detection
devTime	Scan time	Example: Apr 01 2019 03:23:13
foundAt	Message found at	SMTP
		Mailbox
usrName	Message source	Example: sender@win16e16.com
recipient	Message destination	Example: reci@win16e16.com
msg	Message subject
messageId	Message ID	Example: c1b48c9c-9e56-4c14-a394-9b729e8ad6d1@Win16E16-SRV.win16e16.com
act	Filter action
policyName	Policy name
filename	Attachment file name
policyReason	Policy reason

Log sample:

Apr  1 11:23:57 10.204.128.71  2019-04-01T11:23:55+08:00 Win16E16-SRV SMEX[12136]: LEEF:1.0|Trend Micro|SMEX|14.0|DLP Detection|^|devTime=Apr 01 2019 03:23:13	foundAt=SMTP
usrName=sender@win16e16.com; 	recipient=reci@win16e16.com; 	msg=DLP Test	messageId=c1b48c9c-9e56-4c14-a394-9b729e8ad6d1@Win16E16-SRV.win16e16.com	act=Pass	policyName=Data Loss Prevention (GLBA)	filename=dlp22.txt	policyReason=US: GLBA

Spam Prevention Logs

LEEF Key	Description	Value
Header (logVer)	LEEF format version	LEEF:1.0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	SMEX
Header (pver)	Appliance version	Example: 14.0
Header (eventName)	Event name	Spam Detection
devTime	Scan time	Example: Apr 01 2019 06:16:09
foundAt	Message found at	SMTP
		Mailbox
usrName	Message source	Example: sender@win16e16.com
recipient	Message destination	Example: reci@win16e16.com
msg	Message subject
act	Filter action
policyName	Policy name

Log sample:

Apr  1 14:18:13 10.204.128.71  2019-04-01T14:18:11+08:00 Win16E16-SRV SMEX[12552]: LEEF:1.0|Trend Micro|SMEX|14.0|Spam Detection|^|devTime=Apr 01 2019 06:16:09	foundAt=SMTP
	usrName=sender@win16e16.com; 	recipient=reci@win16e16.com; 	msg=High spam	act=Quarantine message to user's spam folder	policyName=Spam Mail

Advanced Spam Prevention Logs

LEEF Key	Description	Value
Header (logVer)	LEEF format version	LEEF:1.0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	SMEX
Header (pver)	Appliance version	Example: 14.0
Header (eventName)	Event name	Advanced Spam Detection
devTime	Scan time	Example: Apr 01 2019 06:35:14
foundAt	Message found at	SMTP
		Mailbox
usrName	Message source	Example: sender@win16e16.com
recipient	Message destination	Example: reci@win16e16.com
msg	Message subject
messageId	Message ID	Example: 59927c70-4c31-4742-be58-9973c4d5d10d@Win16E16-SRV.win16e16.com
act	Filter action
threatName	Threat name
riskLevel	Risk level
isRansomware	Is ransomware or not	0 = not ransomware 1 = ransomware
cat	Sub type

Log sample:

Apr  1 14:36:26 10.204.128.71  2019-04-01T14:36:24+08:00 Win16E16-SRV SMEX[10632]: LEEF:1.0|Trend Micro|SMEX|14.0|Advance Spam Detection|^|devTime=Apr 01 2019 06:35:14	foundAt=SMTP
	usrName=sender@win16e16.com; 	recipient=reci@win16e16.com; 	msg=SNAPBECTesting	messageId=59927c70-4c31-4742-be58-9973c4d5d10d@Win16E16-SRV.win16e16.com	act=Quarantine entire message	threatName=BEC_CEO-FRAUD.ERS	riskLevel=No Risk	isRansomware=0	cat=BEC

Web Reputation Logs

LEEF Key	Description	Value
Header (logVer)	LEEF format version	LEEF:1.0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	SMEX
Header (pver)	Appliance version	Example: 14.0
Header (eventName)	Event name	Web Threat Detection
devTime	Scan time	Example: Apr 01 2019 07:10:17
foundAt	Message found at	SMTP
		Mailbox
usrName	Message source	Example: sender@win16e16.com
recipient	Message destination	Example: reci@win16e16.com
msg	Message subject
messageId	Message ID	Example: 476ed59d-46ec-48c3-9561-fb44d02c2c09@Win16E16-SRV.win16e16.com
act	Filter action
riskLevel	Risk level
cat	URL category
isRansomware	Is ransomware or not	0 = not ransomware 1 = ransomware
policyReason	Policy reason

Log sample:

Apr  1 15:11:13 10.204.128.71  2019-04-01T15:11:10+08:00 Win16E16-SRV SMEX[10656]: LEEF:1.0|Trend Micro|SMEX|14.0|Web Threat Detection|^|devTime=Apr 01 2019 07:10:17	foundAt=SMTP
	usrName=sender@win16e16.com; 	recipient=reci@win16e16.com; 	msg=Suspicious URL:WTP Test	messageId=476ed59d-46ec-48c3-9561-fb44d02c2c09@Win16E16-SRV.win16e16.com	act=Quarantine message to user's spam folder
	riskLevel=High	cat=Spyware	isRansomware=0	policyReason=https://wrs21.winshipway.com:443

Event Tracking Logs

LEEF Key	Description	Value
Header (logVer)	LEEF format version	LEEF:1.0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	SMEX
Header (pver)	Appliance version	Example: 14.0
Header (eventName)	Event name	Event Tracking
shost	Server name
usrName	User name
devTime	Event time	Example: Apr 01 2019 07:10:17
src	IP address
eventType	Event type
msg	Log description

Log sample:

Apr  1 15:33:19 10.204.128.71  2019-04-01T15:33:17+08:00 Win16E16-SRV SMEX[22144]: LEEF:1.0|Trend Micro|SMEX|14.0|Event Tracking|^|shost=WIN16E16-SRV	usrName=WIN16E16\\chris	devTime=Apr 01 2019 07:33:04
	src=10.204.128.71	eventType=Configuration change	msg=Log Forwarding settings have been changed.

Keywords: scanmail SIEM,SMEX SIEM,scanmail syslog,smex syslog,syslog guide scanmail,syslog guide smex

ScanMail for Exchange (SMEX) 14.0 Syslog content mapping guide

Product / Version includes:

ScanMail for Exchange14.0

Last updated: 2021/08/28

Solution ID: KA-0009378

Category: Configure

Summary

This guide provides information on log management standards and syntax for implementing Syslog events in SMEX. To enable flexible integration with third-party log management systems, SMEX supports the following Syslog formats:

Log Management System	Description
Common Event Format (CEF)	CEF is an open log management standard created by HP ArcSight.
Log Event Extended Format (LEEF)	LEEF is an event format developed for IBM Security QRadar.

CEF

EXPAND ALL

Security Risk Scan Logs

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Example: SMEX
Header (pver)	Appliance version	14
Header (eventid)	Signature ID	100101
Header (eventName)	Event name	Virus Detection
Header (severity)	Severity	High
rt	Scan time	Example: Mar 29 2019 08:01:55
cs2Label	Message found at label	foundAt
foundAt	Message found at	SMTP
Mailbox
suser	Message source	Example: sender@win16e16.com
duser	Message destination	Example: reci@win16e16.com
msg	Message subject
cs4Label	Message ID label	messageId
messageId	Message ID	Example: adfcde36-1411-4a0a-865b-f84f79433987@Win16E16-SRV.win16e16.com
act	Filter action
cs1Label	Virus name label	virusName
virusName	Virus name
cs6Label	Threat type label	threatType
threatType	Threat type
fname	Attachment file name
cs3Label	Risk level label	riskLevel
riskLevel	Risk level
cat	Detected rule category
cn1Label	Ransomware label	isRansomware
isRansomware	Is ransomware or not	0 = not ransomware 1 = ransomware

Log sample:

Mar 29 16:02:39 10.204.128.71  2019-03-29T16:02:38+08:00 Win16E16-SRV SMEX[6480]: CEF:0|Trend Micro|SMEX|14.0|100101|Virus Detection|High|rt=Mar 29 2019 08:01:55 cs2Label=foundAt foundAt=SMTP
 suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=VS Test cs4Label=messageId messageId=adfcde36-1411-4a0a-865b-f84f79433987@Win16E16-SRV.win16e16.com act=Clean fail, quarantine entire message
 cs1Label=virusName virusName=Eicar_test_file cs6Label=threatType threatType=Viruses fname=eicar.txt cs3Label=riskLevel riskLevel=Suspicious cat= N/A cn1Label=isRansomware isRansomware=0

Attachment Blocking Logs

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Example: SMEX
Header (pver)	Appliance version	14
Header (eventid)	Signature ID	100102
Header (eventName)	Event name	Attachment Block
Header (severity)	Severity	High
rt	Scan time	Example: Mar 29 2019 09:48:46
cs2Label	Message found at label	foundAt
foundAt	Message found at	SMTP
Mailbox
suser	Message source	Example: sender@win16e16.com
duser	Message destination	Example: reci@win16e16.com
msg	Message subject
cs4Label	Message ID label	messageId
messageId	Message ID	Example: 0b6dcb71-b196-4278-ac71-6ccc908096f9@Win16E16-SRV.win16e16.com
act	Filter action
cs1Label	Policy name label	policyName
policyName	Policy name
fname	Attachment file name

Log sample:

Mar 29 17:48:57 10.204.128.71  2019-03-29T17:48:56+08:00 Win16E16-SRV SMEX[18476]: CEF:0|Trend Micro|SMEX|14.0|100102|Attachment Block|High|rt=Mar 29 2019 09:48:46 cs2Label=foundAt foundAt=SMTP
 suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=AB Test cs4Label=messageId messageId=0b6dcb71-b196-4278-ac71-6ccc908096f9@Win16E16-SRV.win16e16.com act=Replace with text/file
 cs1Label=policyName policyName=Password-Protected/Block password protected file fname=AB.zip

Content Filtering Logs

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Example: SMEX
Header (pver)	Appliance version	14
Header (eventid)	Signature ID	100107
Header (eventName)	Event name	Content Violation
Header (severity)	Severity	High
rt	Scan time	Example: Apr 01 2019 02:46:53
cs2Label	Message found at label	foundAt
foundAt	Message found at	SMTP
Mailbox
suser	Message source	Example: sender@win16e16.com
duser	Message destination	Example: reci@win16e16.com
msg	Message subject
cs4Label	Message ID label	messageId
messageId	Message ID	Example: d3c28383-0591-44dd-9649-b0d07e61cf43@Win16E16-SRV.win16e16.com
act	Filter action
cs1Label	Policy name label	policyName
policyName	Policy name
fname	Attachment file name
cs6Label	Policy reason label	policyReason
policyReason	Policy reason

Log sample:

Apr  1 10:48:09 10.204.128.71  2019-04-01T10:48:06+08:00 Win16E16-SRV SMEX[23244]: CEF:0|Trend Micro|SMEX|14.0|100107|Content Violation|High|rt=Apr 01 2019 02:46:53 cs2Label=foundAt foundAt=SMTP
 suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=CF Test cs4Label=messageId messageId=d3c28383-0591-44dd-9649-b0d07e61cf43@Win16E16-SRV.win16e16.com act=Quarantine entire message
 cs1Label=policyName policyName=PROFANITY fname=cf41.txt cs6Label=policyReason policyReason=ana1;

Data Loss Prevention Logs

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Example: SMEX
Header (pver)	Appliance version	14
Header (eventid)	Signature ID	100105
Header (eventName)	Event name	DLP Detection
Header (severity)	Severity	High
rt	Scan time	Example: Apr 01 2019 03:23:13
cs2Label	Message found at label	foundAt
foundAt	Message found at	SMTP
		Mailbox
suser	Message source	Example: sender@win16e16.com
duser	Message destination	Example: reci@win16e16.com
msg	Message subject
cs4Label	Message ID label	messageId
messageId	Message ID	Example: c1b48c9c-9e56-4c14-a394-9b729e8ad6d1@Win16E16-SRV.win16e16.com
act	Filter action
cs1Label	Policy name label	policyName
policyName	Policy name
fname	Attachment file name
cs6Label	Policy reason label	policyReason
policyReason	Policy reason

Log sample:

Apr  1 11:23:36 10.204.128.71  2019-04-01T11:23:34+08:00 Win16E16-SRV SMEX[6132]: CEF:0|Trend Micro|SMEX|14.0|100105|DLP Detection|High|rt=Apr 01 2019 03:23:13 cs2Label=foundAt foundAt=SMTP
 suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=DLP Test cs4Label=messageId messageId=c1b48c9c-9e56-4c14-a394-9b729e8ad6d1@Win16E16-SRV.win16e16.com act=Pass
 cs1Label=policyName policyName=Data Loss Prevention (GLBA) fname=dlp22.txt cs6Label=policyReason policyReason=US: GLBA

Spam Prevention Logs

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Example: SMEX
Header (pver)	Appliance version	14
Header (eventid)	Signature ID	100103
Header (eventName)	Event name	Spam Detection
Header (severity)	Severity	High
rt	Scan time	Example: Apr 01 2019 06:16:09
cs2Label	Message found at label	foundAt
foundAt	Message found at	SMTP
		Mailbox
suser	Message source	Example: sender@win16e16.com
duser	Message destination	Example: reci@win16e16.com
msg	Message subject
act	Filter action
cs1Label	Policy name label	policyName
policyName	Policy name

Log sample:

Apr  1 14:16:35 10.204.128.71  2019-04-01T14:16:33+08:00 Win16E16-SRV SMEX[15624]: CEF:0|Trend Micro|SMEX|14.0|100103|Spam Detection|High|rt=Apr 01 2019 06:16:09 cs2Label=foundAt foundAt=SMTP
 suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=High spam act=Quarantine message to user's spam folder cs1Label=policyName policyName=Spam Mail

Advanced Spam Prevention Logs

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Example: SMEX
Header (pver)	Appliance version	14
Header (eventid)	Signature ID	100106
Header (eventName)	Event name	Advance Spam Detection
Header (severity)	Severity	High
rt	Scan time	Example: Apr 01 2019 06:35:14
cs2Label	Message found at label	foundAt
foundAt	Message found at	SMTP
		Mailbox
suser	Message source	Example: sender@win16e16.com
duser	Message destination	Example: reci@win16e16.com
msg	Message subject
cs4Label	Message ID label	messageId
messageId	Message ID	Example: 59927c70-4c31-4742-be58-9973c4d5d10d@Win16E16-SRV.win16e16.com
act	Filter action
cs1Label	Threat name label	threatName
threatName	Threat name
cs3Label	Risk level label	riskLevel
riskLevel	Risk level
cn1Label	Is ransomware or not label	isRansomware
isRansomware	Is ransomware or not	0 = not ransomware 1 = ransomware
cat	Sub type

Log sample:

Apr  1 14:36:03 10.204.128.71  2019-04-01T14:36:01+08:00 Win16E16-SRV SMEX[6696]: CEF:0|Trend Micro|SMEX|14.0|100106|Advance Spam Detection|High|rt=Apr 01 2019 06:35:14 cs2Label=foundAt foundAt=SMTP
 suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=SNAPBECTesting cs4Label=messageId messageId=59927c70-4c31-4742-be58-9973c4d5d10d@Win16E16-SRV.win16e16.com act=Quarantine entire message
 cs1Label=threatName threatName=BEC_CEO-FRAUD.ERS cs3Label=riskLevel riskLevel=No Risk cn1Label=isRansomware isRansomware=0 cat=BEC

Web Reputation Logs

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Example: SMEX
Header (pver)	Appliance version	14
Header (eventid)	Signature ID	100104
Header (eventName)	Event name	Web Threat Detection
Header (severity)	Severity	High
rt	Scan time	Example: Apr 01 2019 07:10:17
cs2Label	Message found at label	foundAt
foundAt	Message found at	SMTP
		Mailbox
suser	Message source	Example: sender@win16e16.com
duser	Message destination	Example: reci@win16e16.com
msg	Message subject
cs4Label	Message ID label	messageId
messageId	Message ID	Example: 476ed59d-46ec-48c3-9561-fb44d02c2c09@Win16E16-SRV.win16e16.com
act	Filter action
cs3Label	Risk level label	riskLevel
riskLevel	Risk level
cat	URL category
cn1Label	Is ransomware or not label	isRansomware
isRansomware	Is ransomware or not	0 = not ransomware 1 = ransomware
cs6Label	Policy reason label	policyReason
policyReason	Policy reason

Log sample:

Apr  1 15:10:36 10.204.128.71  2019-04-01T15:10:34+08:00 Win16E16-SRV SMEX[16780]: CEF:0|Trend Micro|SMEX|14.0|100104|Web Threat Detection|High|rt=Apr 01 2019 07:10:17 cs2Label=foundAt foundAt=SMTP
 suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=Suspicious URL:WTP Test cs4Label=messageId messageId=476ed59d-46ec-48c3-9561-fb44d02c2c09@Win16E16-SRV.win16e16.com act=Quarantine message to user's spam folder
 cs3Label=riskLevel riskLevel=High cat=Spyware cn1Label=isRansomware isRansomware=0 cs6Label=policyReason policyReason=https://wrs21.winshipway.com:443

Event Tracking Logs

CEF Key	Description	Value
Header (logVer)	CEF format version	CEF:0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	Example: SMEX
Header (pver)	Appliance version	14
Header (eventid)	Signature ID	300101
Header (eventName)	Event name	Event Tracking
Header (severity)	Severity	Low
shost	Server name
suser	User name
rt	Event time	Example: Apr 01 2019 07:10:17
src/ c6a1	IPv4/IPv6 address
cs1Label	Event type label	eventType
eventType	Event type
msg	Log description

Log sample:

Apr  1 15:32:12 10.204.128.71  2019-04-01T15:32:10+08:00 Win16E16-SRV SMEX[23028]: CEF:0|Trend Micro|SMEX|14.0|300101|Event Tracking|Low|shost=WIN16E16-SRV
 suser=WIN16E16\\admin rt=Apr 01 2019 07:32:07 src=10.204.128.71 cs1Label=eventType eventType=Configuration change msg=Log Forwarding settings have been changed.

LEEF

Security Risk Scan Logs

LEEF Key	Description	Value
Header (logVer)	LEEF format version	LEEF:1.0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	SMEX
Header (pver)	Appliance version	Example: 14.0
Header (eventName)	Event name	Virus Detection
devTime	Scan time	Example: Mar 29 2019 08:01:55
foundAt	Message found at	SMTP
		Mailbox
usrName	Message source	Example: sender@win16e16.com
recipient	Message destination	Example: reci@win16e16.com
msg	Message subject
messageId	Message ID	Example: adfcde36-1411-4a0a-865b-f84f79433987@Win16E16-SRV.win16e16.com
act	Filter action
virusName	Virus name
threatType	Threat type
filename	Attachment file name
riskLevel	Risk level
cat	Detected rule category
isRansomware	Is ransomware or not	0 = not ransomware 1 = ransomware

Log sample:

Mar 29 16:03:18 10.204.128.71  2019-03-29T16:03:17+08:00 Win16E16-SRV SMEX[21464]: LEEF:1.0|Trend Micro|SMEX|14.0|Virus Detection|^|devTime=Mar 29 2019 08:01:55	foundAt=SMTP	usrName=sender@win16e16.com;
 	recipient=reci@win16e16.com; 	msg=VS Test	messageId=adfcde36-1411-4a0a-865b-f84f79433987@Win16E16-SRV.win16e16.com	act=Clean fail, quarantine entire message	virusName=Eicar_test_file
	threatType=Viruses	filename=eicar.txt	riskLevel=Suspicious	cat= N/A	isRansomware=0

Attachment Blocking Logs

LEEF Key	Description	Value
Header (logVer)	LEEF format version	LEEF:1.0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	SMEX
Header (pver)	Appliance version	Example: 14.0
Header (eventName)	Event name	Attachment Block
devTime	Scan time	Example: Mar 29 2019 09:48:46
foundAt	Message found at	SMTP
		Mailbox
usrName	Message source	Example: sender@win16e16.com
recipient	Message destination	Example: reci@win16e16.com
msg	Message subject
messageId	Message ID	Example: 0b6dcb71-b196-4278-ac71-6ccc908096f9@Win16E16-SRV.win16e16.com
act	Filter action
policyName	Policy name
filename	Attachment file name

Log sample:

Mar 29 17:51:09 10.204.128.71  2019-03-29T17:51:08+08:00 Win16E16-SRV SMEX[19132]: LEEF:1.0|Trend Micro|SMEX|14.0|Attachment Block|^|devTime=Mar 29 2019 09:48:46	foundAt=SMTP	usrName=sender@win16e16.com;
 	recipient=reci@win16e16.com; 	msg=AB Test	messageId=0b6dcb71-b196-4278-ac71-6ccc908096f9@Win16E16-SRV.win16e16.com	act=Replace with text/file	policyName=Password-Protected/Block password protected file	filename=AB.zip

Attachment Blocking Logs

LEEF Key	Description	Value
Header (logVer)	LEEF format version	LEEF:1.0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	SMEX
Header (pver)	Appliance version	Example: 14.0
Header (eventName)	Event name	Content Violation
devTime	Scan time	Example: Apr 01 2019 02:58:24
foundAt	Message found at	SMTP
		Mailbox
usrName	Message source	Example: sender@win16e16.com
recipient	Message destination	Example: reci@win16e16.com
msg	Message subject
messageId	Message ID	Example: 7d06b7a1-1303-41db-b9be-c2e24de2a32b@Win16E16-SRV.win16e16.com
act	Filter action
policyName	Policy name
filename	Attachment file name
policyReason	Policy reason

Log sample:

Apr  1 11:09:31 10.204.128.71  2019-04-01T11:09:29+08:00 Win16E16-SRV SMEX[22148]: LEEF:1.0|Trend Micro|SMEX|14.0|Content Violation|^|devTime=Apr 01 2019 02:58:24	foundAt=SMTP
	usrName=sender@win16e16.com; 	recipient=reci@win16e16.com; 	msg=CF Test	messageId=7d06b7a1-1303-41db-b9be-c2e24de2a32b@Win16E16-SRV.win16e16.com	act=Quarantine entire message	policyName=PROFANITY	filename=cf41.txt	policyReason=ana1;

Data Loss Prevention Logs

LEEF Key	Description	Value
Header (logVer)	LEEF format version	LEEF:1.0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	SMEX
Header (pver)	Appliance version	Example: 14.0
Header (eventName)	Event name	DLP Detection
devTime	Scan time	Example: Apr 01 2019 03:23:13
foundAt	Message found at	SMTP
		Mailbox
usrName	Message source	Example: sender@win16e16.com
recipient	Message destination	Example: reci@win16e16.com
msg	Message subject
messageId	Message ID	Example: c1b48c9c-9e56-4c14-a394-9b729e8ad6d1@Win16E16-SRV.win16e16.com
act	Filter action
policyName	Policy name
filename	Attachment file name
policyReason	Policy reason

Log sample:

Apr  1 11:23:57 10.204.128.71  2019-04-01T11:23:55+08:00 Win16E16-SRV SMEX[12136]: LEEF:1.0|Trend Micro|SMEX|14.0|DLP Detection|^|devTime=Apr 01 2019 03:23:13	foundAt=SMTP
usrName=sender@win16e16.com; 	recipient=reci@win16e16.com; 	msg=DLP Test	messageId=c1b48c9c-9e56-4c14-a394-9b729e8ad6d1@Win16E16-SRV.win16e16.com	act=Pass	policyName=Data Loss Prevention (GLBA)	filename=dlp22.txt	policyReason=US: GLBA

Spam Prevention Logs

LEEF Key	Description	Value
Header (logVer)	LEEF format version	LEEF:1.0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	SMEX
Header (pver)	Appliance version	Example: 14.0
Header (eventName)	Event name	Spam Detection
devTime	Scan time	Example: Apr 01 2019 06:16:09
foundAt	Message found at	SMTP
		Mailbox
usrName	Message source	Example: sender@win16e16.com
recipient	Message destination	Example: reci@win16e16.com
msg	Message subject
act	Filter action
policyName	Policy name

Log sample:

Apr  1 14:18:13 10.204.128.71  2019-04-01T14:18:11+08:00 Win16E16-SRV SMEX[12552]: LEEF:1.0|Trend Micro|SMEX|14.0|Spam Detection|^|devTime=Apr 01 2019 06:16:09	foundAt=SMTP
	usrName=sender@win16e16.com; 	recipient=reci@win16e16.com; 	msg=High spam	act=Quarantine message to user's spam folder	policyName=Spam Mail

Advanced Spam Prevention Logs

LEEF Key	Description	Value
Header (logVer)	LEEF format version	LEEF:1.0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	SMEX
Header (pver)	Appliance version	Example: 14.0
Header (eventName)	Event name	Advanced Spam Detection
devTime	Scan time	Example: Apr 01 2019 06:35:14
foundAt	Message found at	SMTP
		Mailbox
usrName	Message source	Example: sender@win16e16.com
recipient	Message destination	Example: reci@win16e16.com
msg	Message subject
messageId	Message ID	Example: 59927c70-4c31-4742-be58-9973c4d5d10d@Win16E16-SRV.win16e16.com
act	Filter action
threatName	Threat name
riskLevel	Risk level
isRansomware	Is ransomware or not	0 = not ransomware 1 = ransomware
cat	Sub type

Log sample:

Apr  1 14:36:26 10.204.128.71  2019-04-01T14:36:24+08:00 Win16E16-SRV SMEX[10632]: LEEF:1.0|Trend Micro|SMEX|14.0|Advance Spam Detection|^|devTime=Apr 01 2019 06:35:14	foundAt=SMTP
	usrName=sender@win16e16.com; 	recipient=reci@win16e16.com; 	msg=SNAPBECTesting	messageId=59927c70-4c31-4742-be58-9973c4d5d10d@Win16E16-SRV.win16e16.com	act=Quarantine entire message	threatName=BEC_CEO-FRAUD.ERS	riskLevel=No Risk	isRansomware=0	cat=BEC

Web Reputation Logs

LEEF Key	Description	Value
Header (logVer)	LEEF format version	LEEF:1.0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	SMEX
Header (pver)	Appliance version	Example: 14.0
Header (eventName)	Event name	Web Threat Detection
devTime	Scan time	Example: Apr 01 2019 07:10:17
foundAt	Message found at	SMTP
		Mailbox
usrName	Message source	Example: sender@win16e16.com
recipient	Message destination	Example: reci@win16e16.com
msg	Message subject
messageId	Message ID	Example: 476ed59d-46ec-48c3-9561-fb44d02c2c09@Win16E16-SRV.win16e16.com
act	Filter action
riskLevel	Risk level
cat	URL category
isRansomware	Is ransomware or not	0 = not ransomware 1 = ransomware
policyReason	Policy reason

Log sample:

Apr  1 15:11:13 10.204.128.71  2019-04-01T15:11:10+08:00 Win16E16-SRV SMEX[10656]: LEEF:1.0|Trend Micro|SMEX|14.0|Web Threat Detection|^|devTime=Apr 01 2019 07:10:17	foundAt=SMTP
	usrName=sender@win16e16.com; 	recipient=reci@win16e16.com; 	msg=Suspicious URL:WTP Test	messageId=476ed59d-46ec-48c3-9561-fb44d02c2c09@Win16E16-SRV.win16e16.com	act=Quarantine message to user's spam folder
	riskLevel=High	cat=Spyware	isRansomware=0	policyReason=https://wrs21.winshipway.com:443

Event Tracking Logs

LEEF Key	Description	Value
Header (logVer)	LEEF format version	LEEF:1.0
Header (vendor)	Appliance vendor	Trend Micro
Header (pname)	Appliance product	SMEX
Header (pver)	Appliance version	Example: 14.0
Header (eventName)	Event name	Event Tracking
shost	Server name
usrName	User name
devTime	Event time	Example: Apr 01 2019 07:10:17
src	IP address
eventType	Event type
msg	Log description

Log sample:

Apr  1 15:33:19 10.204.128.71  2019-04-01T15:33:17+08:00 Win16E16-SRV SMEX[22144]: LEEF:1.0|Trend Micro|SMEX|14.0|Event Tracking|^|shost=WIN16E16-SRV	usrName=WIN16E16\\chris	devTime=Apr 01 2019 07:33:04
	src=10.204.128.71	eventType=Configuration change	msg=Log Forwarding settings have been changed.

Was this article helpful?