ScanMail for Exchange (SMEX) 14.0 Syslog content mapping guide

    • Updated: 7 Jun 2019
    • Product/Version: ScanMail for Exchange 14.0
    • Platform: N/A
Summary

This guide provides information on log management standards and syntax for implementing Syslog events in SMEX. To enable flexible integration with third-party log management systems, SMEX supports the following Syslog formats:

| Log Management System | Description |
| --- | --- |
| Common Event Format (CEF) | CEF is an open log management standard created by HP ArcSight. |
| Log Event Extended Format (LEEF) | LEEF is an event format developed for IBM Security QRadar. |
Details

CEF

| CEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Example: SMEX |
| Header (pver) | Appliance version | 14 |
| Header (eventid) | Signature ID | 100101 |
| Header (eventName) | Event name | Virus Detection |
| Header (severity) | Severity | High |
| rt | Scan time | Example: Mar 29 2019 08:01:55 |
| cs2Label | Message found at label | foundAt |
| foundAt | Message found at | SMTP or Mailbox |
| suser | Message source | Example: sender@win16e16.com |
| duser | Message destination | Example: reci@win16e16.com |
| msg | Message subject | |
| cs4Label | Message ID label | messageId |
| messageId | Message ID | Example: adfcde36-1411-4a0a-865b-f84f79433987@Win16E16-SRV.win16e16.com |
| act | Filter action | |
| cs1Label | Virus name label | virusName |
| virusName | Virus name | |
| cs6Label | Threat type label | threatType |
| threatType | Threat type | |
| fname | Attachment file name | |
| cs3Label | Risk level label | riskLevel |
| riskLevel | Risk level | |
| cat | Detected rule category | |
| cn1Label | Ransomware label | isRansomware |
| isRansomware | Is ransomware or not | 0 = not ransomware; 1 = ransomware |

Log sample:

```text
Mar 29 16:02:39 10.204.128.71  2019-03-29T16:02:38+08:00 Win16E16-SRV SMEX[6480]: CEF:0|Trend Micro|SMEX|14.0|100101|Virus Detection|High|rt=Mar 29 2019 08:01:55 cs2Label=foundAt foundAt=SMTP suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=VS Test cs4Label=messageId messageId=adfcde36-1411-4a0a-865b-f84f79433987@Win16E16-SRV.win16e16.com act=Clean fail, quarantine entire message cs1Label=virusName virusName=Eicar_test_file cs6Label=threatType threatType=Viruses fname=eicar.txt cs3Label=riskLevel riskLevel=Suspicious cat= N/A cn1Label=isRansomware isRansomware=0
```

| CEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Example: SMEX |
| Header (pver) | Appliance version | 14 |
| Header (eventid) | Signature ID | 100102 |
| Header (eventName) | Event name | Attachment Block |
| Header (severity) | Severity | High |
| rt | Scan time | Example: Mar 29 2019 09:48:46 |
| cs2Label | Message found at label | foundAt |
| foundAt | Message found at | SMTP or Mailbox |
| suser | Message source | Example: sender@win16e16.com |
| duser | Message destination | Example: reci@win16e16.com |
| msg | Message subject | |
| cs4Label | Message ID label | messageId |
| messageId | Message ID | Example: 0b6dcb71-b196-4278-ac71-6ccc908096f9@Win16E16-SRV.win16e16.com |
| act | Filter action | |
| cs1Label | Policy name label | policyName |
| policyName | Policy name | |
| fname | Attachment file name | |

Log sample:

```text
Mar 29 17:48:57 10.204.128.71  2019-03-29T17:48:56+08:00 Win16E16-SRV SMEX[18476]: CEF:0|Trend Micro|SMEX|14.0|100102|Attachment Block|High|rt=Mar 29 2019 09:48:46 cs2Label=foundAt foundAt=SMTP suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=AB Test cs4Label=messageId messageId=0b6dcb71-b196-4278-ac71-6ccc908096f9@Win16E16-SRV.win16e16.com act=Replace with text/file cs1Label=policyName policyName=Password-Protected/Block password protected file fname=AB.zip
```

| CEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Example: SMEX |
| Header (pver) | Appliance version | 14 |
| Header (eventid) | Signature ID | 100107 |
| Header (eventName) | Event name | Content Violation |
| Header (severity) | Severity | High |
| rt | Scan time | Example: Apr 01 2019 02:46:53 |
| cs2Label | Message found at label | foundAt |
| foundAt | Message found at | SMTP or Mailbox |
| suser | Message source | Example: sender@win16e16.com |
| duser | Message destination | Example: reci@win16e16.com |
| msg | Message subject | |
| cs4Label | Message ID label | messageId |
| messageId | Message ID | Example: d3c28383-0591-44dd-9649-b0d07e61cf43@Win16E16-SRV.win16e16.com |
| act | Filter action | |
| cs1Label | Policy name label | policyName |
| policyName | Policy name | |
| fname | Attachment file name | |
| cs6Label | Policy reason label | policyReason |
| policyReason | Policy reason | |

Log sample:

```text
Apr  1 10:48:09 10.204.128.71  2019-04-01T10:48:06+08:00 Win16E16-SRV SMEX[23244]: CEF:0|Trend Micro|SMEX|14.0|100107|Content Violation|High|rt=Apr 01 2019 02:46:53 cs2Label=foundAt foundAt=SMTP suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=CF Test cs4Label=messageId messageId=d3c28383-0591-44dd-9649-b0d07e61cf43@Win16E16-SRV.win16e16.com act=Quarantine entire message cs1Label=policyName policyName=PROFANITY fname=cf41.txt cs6Label=policyReason policyReason=ana1;
```

| CEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Example: SMEX |
| Header (pver) | Appliance version | 14 |
| Header (eventid) | Signature ID | 100105 |
| Header (eventName) | Event name | DLP Detection |
| Header (severity) | Severity | High |
| rt | Scan time | Example: Apr 01 2019 03:23:13 |
| cs2Label | Message found at label | foundAt |
| foundAt | Message found at | SMTP or Mailbox |
| suser | Message source | Example: sender@win16e16.com |
| duser | Message destination | Example: reci@win16e16.com |
| msg | Message subject | |
| cs4Label | Message ID label | messageId |
| messageId | Message ID | Example: c1b48c9c-9e56-4c14-a394-9b729e8ad6d1@Win16E16-SRV.win16e16.com |
| act | Filter action | |
| cs1Label | Policy name label | policyName |
| policyName | Policy name | |
| fname | Attachment file name | |
| cs6Label | Policy reason label | policyReason |
| policyReason | Policy reason | |

Log sample:

```text
Apr  1 11:23:36 10.204.128.71  2019-04-01T11:23:34+08:00 Win16E16-SRV SMEX[6132]: CEF:0|Trend Micro|SMEX|14.0|100105|DLP Detection|High|rt=Apr 01 2019 03:23:13 cs2Label=foundAt foundAt=SMTP suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=DLP Test cs4Label=messageId messageId=c1b48c9c-9e56-4c14-a394-9b729e8ad6d1@Win16E16-SRV.win16e16.com act=Pass cs1Label=policyName policyName=Data Loss Prevention (GLBA) fname=dlp22.txt cs6Label=policyReason policyReason=US: GLBA
```

| CEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Example: SMEX |
| Header (pver) | Appliance version | 14 |
| Header (eventid) | Signature ID | 100103 |
| Header (eventName) | Event name | Spam Detection |
| Header (severity) | Severity | High |
| rt | Scan time | Example: Apr 01 2019 06:16:09 |
| cs2Label | Message found at label | foundAt |
| foundAt | Message found at | SMTP or Mailbox |
| suser | Message source | Example: sender@win16e16.com |
| duser | Message destination | Example: reci@win16e16.com |
| msg | Message subject | |
| act | Filter action | |
| cs1Label | Policy name label | policyName |
| policyName | Policy name | |

Log sample:

```text
Apr  1 14:16:35 10.204.128.71  2019-04-01T14:16:33+08:00 Win16E16-SRV SMEX[15624]: CEF:0|Trend Micro|SMEX|14.0|100103|Spam Detection|High|rt=Apr 01 2019 06:16:09 cs2Label=foundAt foundAt=SMTP suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=High spam act=Quarantine message to user's spam folder cs1Label=policyName policyName=Spam Mail
```

| CEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Example: SMEX |
| Header (pver) | Appliance version | 14 |
| Header (eventid) | Signature ID | 100106 |
| Header (eventName) | Event name | Advance Spam Detection |
| Header (severity) | Severity | High |
| rt | Scan time | Example: Apr 01 2019 06:35:14 |
| cs2Label | Message found at label | foundAt |
| foundAt | Message found at | SMTP or Mailbox |
| suser | Message source | Example: sender@win16e16.com |
| duser | Message destination | Example: reci@win16e16.com |
| msg | Message subject | |
| cs4Label | Message ID label | messageId |
| messageId | Message ID | Example: 59927c70-4c31-4742-be58-9973c4d5d10d@Win16E16-SRV.win16e16.com |
| act | Filter action | |
| cs1Label | Threat name label | threatName |
| threatName | Threat name | |
| cs3Label | Risk level label | riskLevel |
| riskLevel | Risk level | |
| cn1Label | Is ransomware or not label | isRansomware |
| isRansomware | Is ransomware or not | 0 = not ransomware; 1 = ransomware |
| cat | Sub type | |

Log sample:

```text
Apr  1 14:36:03 10.204.128.71  2019-04-01T14:36:01+08:00 Win16E16-SRV SMEX[6696]: CEF:0|Trend Micro|SMEX|14.0|100106|Advance Spam Detection|High|rt=Apr 01 2019 06:35:14 cs2Label=foundAt foundAt=SMTP suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=SNAPBECTesting cs4Label=messageId messageId=59927c70-4c31-4742-be58-9973c4d5d10d@Win16E16-SRV.win16e16.com act=Quarantine entire message cs1Label=threatName threatName=BEC_CEO-FRAUD.ERS cs3Label=riskLevel riskLevel=No Risk cn1Label=isRansomware isRansomware=0 cat=BEC
```

| CEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Example: SMEX |
| Header (pver) | Appliance version | 14 |
| Header (eventid) | Signature ID | 100104 |
| Header (eventName) | Event name | Web Threat Detection |
| Header (severity) | Severity | High |
| rt | Scan time | Example: Apr 01 2019 07:10:17 |
| cs2Label | Message found at label | foundAt |
| foundAt | Message found at | SMTP or Mailbox |
| suser | Message source | Example: sender@win16e16.com |
| duser | Message destination | Example: reci@win16e16.com |
| msg | Message subject | |
| cs4Label | Message ID label | messageId |
| messageId | Message ID | Example: 476ed59d-46ec-48c3-9561-fb44d02c2c09@Win16E16-SRV.win16e16.com |
| act | Filter action | |
| cs3Label | Risk level label | riskLevel |
| riskLevel | Risk level | |
| cat | URL category | |
| cn1Label | Is ransomware or not label | isRansomware |
| isRansomware | Is ransomware or not | 0 = not ransomware; 1 = ransomware |
| cs6Label | Policy reason label | policyReason |
| policyReason | Policy reason | |

Log sample:

```text
Apr  1 15:10:36 10.204.128.71  2019-04-01T15:10:34+08:00 Win16E16-SRV SMEX[16780]: CEF:0|Trend Micro|SMEX|14.0|100104|Web Threat Detection|High|rt=Apr 01 2019 07:10:17 cs2Label=foundAt foundAt=SMTP suser=sender@win16e16.com;  duser=reci@win16e16.com;  msg=Suspicious URL:WTP Test cs4Label=messageId messageId=476ed59d-46ec-48c3-9561-fb44d02c2c09@Win16E16-SRV.win16e16.com act=Quarantine message to user's spam folder cs3Label=riskLevel riskLevel=High cat=Spyware cn1Label=isRansomware isRansomware=0 cs6Label=policyReason policyReason=https://wrs21.winshipway.com:443
```

| CEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Example: SMEX |
| Header (pver) | Appliance version | 14 |
| Header (eventid) | Signature ID | 300101 |
| Header (eventName) | Event name | Event Tracking |
| Header (severity) | Severity | Low |
| shost | Server name | |
| suser | User name | |
| rt | Event time | Example: Apr 01 2019 07:10:17 |
| src / c6a1 | IPv4/IPv6 address | |
| cs1Label | Event type label | eventType |
| eventType | Event type | |
| msg | Log description | |

Log sample:

```text
Apr  1 15:32:12 10.204.128.71  2019-04-01T15:32:10+08:00 Win16E16-SRV SMEX[23028]: CEF:0|Trend Micro|SMEX|14.0|300101|Event Tracking|Low|shost=WIN16E16-SRV suser=WIN16E16\\admin rt=Apr 01 2019 07:32:07 src=10.204.128.71 cs1Label=eventType eventType=Configuration change msg=Log Forwarding settings have been changed.
```

LEEF

| LEEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | LEEF format version | LEEF:1.0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | SMEX |
| Header (pver) | Appliance version | Example: 14.0 |
| Header (eventName) | Event name | Virus Detection |
| devTime | Scan time | Example: Mar 29 2019 08:01:55 |
| foundAt | Message found at | SMTP or Mailbox |
| usrName | Message source | Example: sender@win16e16.com |
| recipient | Message destination | Example: reci@win16e16.com |
| msg | Message subject | |
| messageId | Message ID | Example: adfcde36-1411-4a0a-865b-f84f79433987@Win16E16-SRV.win16e16.com |
| act | Filter action | |
| virusName | Virus name | |
| threatType | Threat type | |
| filename | Attachment file name | |
| riskLevel | Risk level | |
| cat | Detected rule category | |
| isRansomware | Is ransomware or not | 0 = not ransomware; 1 = ransomware |

Log sample:

```text
Mar 29 16:03:18 10.204.128.71  2019-03-29T16:03:17+08:00 Win16E16-SRV SMEX[21464]: LEEF:1.0|Trend Micro|SMEX|14.0|Virus Detection|^|devTime=Mar 29 2019 08:01:55	foundAt=SMTP	usrName=sender@win16e16.com; 	recipient=reci@win16e16.com; 	msg=VS Test	messageId=adfcde36-1411-4a0a-865b-f84f79433987@Win16E16-SRV.win16e16.com	act=Clean fail, quarantine entire message	virusName=Eicar_test_file	threatType=Viruses	filename=eicar.txt	riskLevel=Suspicious	cat= N/A	isRansomware=0
```

| LEEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | LEEF format version | LEEF:1.0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | SMEX |
| Header (pver) | Appliance version | Example: 14.0 |
| Header (eventName) | Event name | Attachment Block |
| devTime | Scan time | Example: Mar 29 2019 09:48:46 |
| foundAt | Message found at | SMTP or Mailbox |
| usrName | Message source | Example: sender@win16e16.com |
| recipient | Message destination | Example: reci@win16e16.com |
| msg | Message subject | |
| messageId | Message ID | Example: 0b6dcb71-b196-4278-ac71-6ccc908096f9@Win16E16-SRV.win16e16.com |
| act | Filter action | |
| policyName | Policy name | |
| filename | Attachment file name | |

Log sample:

```text
Mar 29 17:51:09 10.204.128.71  2019-03-29T17:51:08+08:00 Win16E16-SRV SMEX[19132]: LEEF:1.0|Trend Micro|SMEX|14.0|Attachment Block|^|devTime=Mar 29 2019 09:48:46	foundAt=SMTP	usrName=sender@win16e16.com; 	recipient=reci@win16e16.com; 	msg=AB Test	messageId=0b6dcb71-b196-4278-ac71-6ccc908096f9@Win16E16-SRV.win16e16.com	act=Replace with text/file	policyName=Password-Protected/Block password protected file	filename=AB.zip
```

| LEEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | LEEF format version | LEEF:1.0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | SMEX |
| Header (pver) | Appliance version | Example: 14.0 |
| Header (eventName) | Event name | Content Violation |
| devTime | Scan time | Example: Apr 01 2019 02:58:24 |
| foundAt | Message found at | SMTP or Mailbox |
| usrName | Message source | Example: sender@win16e16.com |
| recipient | Message destination | Example: reci@win16e16.com |
| msg | Message subject | |
| messageId | Message ID | Example: 7d06b7a1-1303-41db-b9be-c2e24de2a32b@Win16E16-SRV.win16e16.com |
| act | Filter action | |
| policyName | Policy name | |
| filename | Attachment file name | |
| policyReason | Policy reason | |

Log sample:

```text
Apr  1 11:09:31 10.204.128.71  2019-04-01T11:09:29+08:00 Win16E16-SRV SMEX[22148]: LEEF:1.0|Trend Micro|SMEX|14.0|Content Violation|^|devTime=Apr 01 2019 02:58:24	foundAt=SMTP	usrName=sender@win16e16.com; 	recipient=reci@win16e16.com; 	msg=CF Test	messageId=7d06b7a1-1303-41db-b9be-c2e24de2a32b@Win16E16-SRV.win16e16.com	act=Quarantine entire message	policyName=PROFANITY	filename=cf41.txt	policyReason=ana1;
```

| LEEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | LEEF format version | LEEF:1.0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | SMEX |
| Header (pver) | Appliance version | Example: 14.0 |
| Header (eventName) | Event name | DLP Detection |
| devTime | Scan time | Example: Apr 01 2019 03:23:13 |
| foundAt | Message found at | SMTP or Mailbox |
| usrName | Message source | Example: sender@win16e16.com |
| recipient | Message destination | Example: reci@win16e16.com |
| msg | Message subject | |
| messageId | Message ID | Example: c1b48c9c-9e56-4c14-a394-9b729e8ad6d1@Win16E16-SRV.win16e16.com |
| act | Filter action | |
| policyName | Policy name | |
| filename | Attachment file name | |
| policyReason | Policy reason | |

Log sample:

```text
Apr  1 11:23:57 10.204.128.71  2019-04-01T11:23:55+08:00 Win16E16-SRV SMEX[12136]: LEEF:1.0|Trend Micro|SMEX|14.0|DLP Detection|^|devTime=Apr 01 2019 03:23:13	foundAt=SMTP	usrName=sender@win16e16.com; 	recipient=reci@win16e16.com; 	msg=DLP Test	messageId=c1b48c9c-9e56-4c14-a394-9b729e8ad6d1@Win16E16-SRV.win16e16.com	act=Pass	policyName=Data Loss Prevention (GLBA)	filename=dlp22.txt	policyReason=US: GLBA
```

| LEEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | LEEF format version | LEEF:1.0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | SMEX |
| Header (pver) | Appliance version | Example: 14.0 |
| Header (eventName) | Event name | Spam Detection |
| devTime | Scan time | Example: Apr 01 2019 06:16:09 |
| foundAt | Message found at | SMTP or Mailbox |
| usrName | Message source | Example: sender@win16e16.com |
| recipient | Message destination | Example: reci@win16e16.com |
| msg | Message subject | |
| act | Filter action | |
| policyName | Policy name | |

Log sample:

```text
Apr  1 14:18:13 10.204.128.71  2019-04-01T14:18:11+08:00 Win16E16-SRV SMEX[12552]: LEEF:1.0|Trend Micro|SMEX|14.0|Spam Detection|^|devTime=Apr 01 2019 06:16:09	foundAt=SMTP	usrName=sender@win16e16.com; 	recipient=reci@win16e16.com; 	msg=High spam	act=Quarantine message to user's spam folder	policyName=Spam Mail
```

| LEEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | LEEF format version | LEEF:1.0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | SMEX |
| Header (pver) | Appliance version | Example: 14.0 |
| Header (eventName) | Event name | Advanced Spam Detection |
| devTime | Scan time | Example: Apr 01 2019 06:35:14 |
| foundAt | Message found at | SMTP or Mailbox |
| usrName | Message source | Example: sender@win16e16.com |
| recipient | Message destination | Example: reci@win16e16.com |
| msg | Message subject | |
| messageId | Message ID | Example: 59927c70-4c31-4742-be58-9973c4d5d10d@Win16E16-SRV.win16e16.com |
| act | Filter action | |
| threatName | Threat name | |
| riskLevel | Risk level | |
| isRansomware | Is ransomware or not | 0 = not ransomware; 1 = ransomware |
| cat | Sub type | |

Log sample:

```text
Apr  1 14:36:26 10.204.128.71  2019-04-01T14:36:24+08:00 Win16E16-SRV SMEX[10632]: LEEF:1.0|Trend Micro|SMEX|14.0|Advance Spam Detection|^|devTime=Apr 01 2019 06:35:14	foundAt=SMTP	usrName=sender@win16e16.com; 	recipient=reci@win16e16.com; 	msg=SNAPBECTesting	messageId=59927c70-4c31-4742-be58-9973c4d5d10d@Win16E16-SRV.win16e16.com	act=Quarantine entire message	threatName=BEC_CEO-FRAUD.ERS	riskLevel=No Risk	isRansomware=0	cat=BEC
```

| LEEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | LEEF format version | LEEF:1.0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | SMEX |
| Header (pver) | Appliance version | Example: 14.0 |
| Header (eventName) | Event name | Web Threat Detection |
| devTime | Scan time | Example: Apr 01 2019 07:10:17 |
| foundAt | Message found at | SMTP or Mailbox |
| usrName | Message source | Example: sender@win16e16.com |
| recipient | Message destination | Example: reci@win16e16.com |
| msg | Message subject | |
| messageId | Message ID | Example: 476ed59d-46ec-48c3-9561-fb44d02c2c09@Win16E16-SRV.win16e16.com |
| act | Filter action | |
| riskLevel | Risk level | |
| cat | URL category | |
| isRansomware | Is ransomware or not | 0 = not ransomware; 1 = ransomware |
| policyReason | Policy reason | |

Log sample:

```text
Apr  1 15:11:13 10.204.128.71  2019-04-01T15:11:10+08:00 Win16E16-SRV SMEX[10656]: LEEF:1.0|Trend Micro|SMEX|14.0|Web Threat Detection|^|devTime=Apr 01 2019 07:10:17	foundAt=SMTP	usrName=sender@win16e16.com; 	recipient=reci@win16e16.com; 	msg=Suspicious URL:WTP Test	messageId=476ed59d-46ec-48c3-9561-fb44d02c2c09@Win16E16-SRV.win16e16.com	act=Quarantine message to user's spam folder	riskLevel=High	cat=Spyware	isRansomware=0	policyReason=https://wrs21.winshipway.com:443
```

| LEEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | LEEF format version | LEEF:1.0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | SMEX |
| Header (pver) | Appliance version | Example: 14.0 |
| Header (eventName) | Event name | Event Tracking |
| shost | Server name | |
| usrName | User name | |
| devTime | Event time | Example: Apr 01 2019 07:10:17 |
| src | IP address | |
| eventType | Event type | |
| msg | Log description | |

Log sample:

```text
Apr  1 15:33:19 10.204.128.71  2019-04-01T15:33:17+08:00 Win16E16-SRV SMEX[22144]: LEEF:1.0|Trend Micro|SMEX|14.0|Event Tracking|^|shost=WIN16E16-SRV	usrName=WIN16E16\\chris	devTime=Apr 01 2019 07:33:04	src=10.204.128.71	eventType=Configuration change	msg=Log Forwarding settings have been changed.
```
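As an added example (not part of this guide or of Trend Micro's own code), the parser below reads SMEX syslog lines in both of the formats mapped above and returns the header fields plus a normalized extension dict. It handles the quirks visible in the samples: CEF values that contain spaces (`act=Clean fail, quarantine entire message`, `cat= N/A`), the `;`-terminated address lists in `suser`/`duser`/`usrName`/`recipient`, custom fields carried under their label name (`cs1Label=virusName virusName=...`) rather than under `cs1=`, the `^` delimiter field in the LEEF header alongside tab-separated attributes, and `\\` escaping in user names. The function names and the two sample lines (constructed after the page's own samples) are assumptions.

```python
import re
# Constructed lines that follow the shape of the SMEX log samples on this page
CEF_SAMPLE = (
    "Mar 29 16:02:39 10.204.128.71  2019-03-29T16:02:38+08:00 Win16E16-SRV SMEX[6480]: CEF:0|Trend Micro|SMEX|14.0|"
    "100101|Virus Detection|High|rt=Mar 29 2019 08:01:55 cs2Label=foundAt foundAt=SMTP suser=sender@win16e16.com;  "
    "duser=reci@win16e16.com;  msg=VS Test cs4Label=messageId messageId=adfcde36-1411-4a0a-865b-f84f79433987"
    "@Win16E16-SRV.win16e16.com act=Clean fail, quarantine entire message cs1Label=virusName virusName=Eicar_test_file "
    "cs6Label=threatType threatType=Viruses fname=eicar.txt cs3Label=riskLevel riskLevel=Suspicious cat= N/A "
    "cn1Label=isRansomware isRansomware=0"
)
LEEF_SAMPLE = (
    "Apr  1 15:33:19 10.204.128.71  2019-04-01T15:33:17+08:00 Win16E16-SRV SMEX[22144]: LEEF:1.0|Trend Micro|SMEX|14.0|"
    "Event Tracking|^|shost=WIN16E16-SRV\tusrName=WIN16E16\\\\chris\tdevTime=Apr 01 2019 07:33:04\tsrc=10.204.128.71\t"
    "eventType=Configuration change\tmsg=Log Forwarding settings have been changed."
)
CEF_HEADER = ("version", "vendor", "product", "product_version", "event_id", "event_name", "severity")
LEEF_HEADER = ("version", "vendor", "product", "product_version", "event_name")
LIST_KEYS = {"suser", "duser", "usrName", "recipient"}  # ';'-terminated address lists in the samples

def _unescape(value):
    # CEF and LEEF write '\' as '\\' and '=' as '\=' inside values; undo that and drop padding
    return re.sub(r"\\([\\=])", r"\1", value.strip())

def _parse_extension(ext, sep):
    if sep is None:  # CEF: values may hold spaces, so a key is only a token right after whitespace
        parts = re.split(r"(?:^|\s)([A-Za-z0-9_]+)=", ext)  # -> ['', k1, v1, k2, v2, ...]
        pairs = zip(parts[1::2], parts[2::2])
    else:            # LEEF: one attribute per delimiter, split at the first '=' only
        pairs = (p.split("=", 1) for p in ext.split(sep) if "=" in p)
    fields = {}
    for key, value in pairs:
        value = _unescape(value)
        fields[key] = [a.strip() for a in value.split(";") if a.strip()] if key in LIST_KEYS else value
    return fields

def parse_smex_syslog(line):
    """Split one SMEX syslog line into its CEF/LEEF header fields plus an extension dict."""
    m = re.search(r"\b(CEF|LEEF):", line)  # skip the relay timestamp, source IP, host and SMEX[pid] prefix
    if not m:
        raise ValueError("no CEF/LEEF payload in line")
    body = line[m.start():]
    if m.group(1) == "CEF":
        head = body.split("|", 7)  # seven header fields, the rest is the extension
        event = dict(zip(CEF_HEADER, head[:7]))
        fields = _parse_extension(head[7], None)
        # SMEX carries each labelled custom value under the label's own name (cs1Label=virusName
        # virusName=...) rather than under cs1=; expose the standard csN/cnN key too for SIEM mappings
        for key, label in list(fields.items()):
            if re.fullmatch(r"c[sn]\d+Label", key) and label in fields:
                fields[key[:-5]] = fields[label]
    else:
        head = body.split("|", 5)
        event = dict(zip(LEEF_HEADER, head[:5]))
        declared, rest = "\t", head[5]
        if rest[1:2] == "|":  # delimiter field after the event name ("^" in the samples, yet attributes use tabs)
            declared, rest = rest[0], rest[2:]
        fields = _parse_extension(rest, "\t" if "\t" in rest else declared)
    event["fields"] = fields
    return event
```

The returned dict keeps every extension key exactly as SMEX names it, so a SIEM mapping can reference either `virusName` or the derived `cs1`.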