Sophos XG Firewall Web Interface Reference and Admin Guide v16.5

627 Pages


| Appendix A - Logs | 547

| Data Fields | Type | Description |
|---|---|---|
| recv_bytes | integer | Total number of bytes received |
| status | string | Ultimate state of traffic – accept/deny |
| message | string | Message displayed |

Malware Logs

HTTP, HTTPS, FTP Logs are displayed only if Web Protection Module is subscribed.

POP, POPS, IMAP, IMAPS, SMTP and SMTPS Logs are displayed only if Web Protection Module is subscribed.

| Message ID | Message | Log Component |
|---|---|---|
| 08001 | The URL has been blocked as it contained a virus | HTTP |
| 08002 | Access to URL is allowed as it does not contain any virus | HTTP |
| 09001 | FTP data transfer was blocked as it contained a virus | FTP |
| 09002 | FTP data transfer didn’t have any virus and completed successfully | FTP |
| 10001 | The mail is infected with a virus detected by the Device | SMTP |
| 10002 | Mail doesn’t contain any virus | SMTP |
| 11001 | The mail is infected with a virus detected by the Device | POP3 |
| 11002 | Mail doesn’t contain any virus | POP3 |
| 12001 | The mail is infected with a virus detected by the Device | IMAP4 |
| 12002 | Mail doesn’t contain any virus | IMAP4 |

Sample Logs:

device="SFW" date=2017-01-31 time=15:35:15 timezone="IST" device_name="CR750iNG-XP" device_id=C44310050024-P29PUA log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" log_subtype="Virus" status="" priority=Critical fw_rule_id=2 user_name="jsmith" iap=1 av_policy_name="" virus="EICAR-AV-Test" url="http://www.eicar.org/download/eicar.com" domainname="www.eicar.org" src_ip=10.198.47.71 src_country_code=R1 dst_ip=213.211.198.62 dst_country_code=DEU protocol="TCP" src_port=11013 dst_port=80 sent_bytes=0 recv_bytes=353

Module-specific Fields

| Data Fields | Type | Description |
|---|---|---|
| status | string | Ultimate status of traffic – Allowed or Denied |
| fw_rule_id | integer | Firewall Rule ID which is applied on the traffic |
| user_name | string | User name |
| iap | integer | Policy Code of the Internet Access Policy applied |
| av_policy_name | string | Malware scanning policy name which is applied on the traffic |
| from_email_address | string | Sender email address |
| to_email_address | string | Recipient email address |
| subject | string | Signature message |
| mailid | string | Signature classification |
| mailsize | string | Priority of IPS policy |
| virus | string | Virus name |
| FTP_url | string | FTP URL from which virus was downloaded |
| FTP_direction | string | Direction of FTP transfer: Upload or Download |
| filename | string | Name of the file that contained virus |
| filesize | integer | Size of the file that contained virus |
| filepath | string | Path of the file containing virus |
| ftpcommand | string | FTP command used when virus was found |
| url | string | URL from which virus was downloaded |
| domainname | string | Domain from which virus was downloaded |
| quarantine | string | Path and filename of the file quarantined |
| src_domainname | string | Sender domain name |
| dst_domainname | string | Receiver domain name |
| src_ip | string | Original Source IP address of traffic |
| src_country_code | string | Code of the country to which the source IP belongs |
| dst_ip | string | Original Destination IP address of traffic |
| dst_country_code | string | Code of the country to which the destination IP belongs |
| protocol | integer | Protocol number of traffic |
| src_port | integer | Original Source Port of TCP and UDP traffic |
| dst_port | integer | Original Destination Port of TCP and UDP traffic |
| sent_bytes | integer | Total number of bytes sent |
| recv_bytes | integer | Total number of bytes received |
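A parser for the key=value log lines shown above, added here as an example (not Sophos code): it applies the integer typing from the field tables and looks the message ID up in the Malware Logs table. It assumes the message ID is the last five digits of log_id, as the sample suggests; the function names and the second sample record are constructed for illustration.

```python
import re

# key=value pairs; a value is double-quoted (may hold spaces) or a bare token.
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')
# Fields the tables above type as integer.
INT_FIELDS = {"fw_rule_id", "iap", "filesize", "protocol",
              "src_port", "dst_port", "sent_bytes", "recv_bytes"}
# Malware Logs table: message ID -> (log component, virus found?).
MALWARE_IDS = {
    "08001": ("HTTP", True), "08002": ("HTTP", False),
    "09001": ("FTP", True), "09002": ("FTP", False),
    "10001": ("SMTP", True), "10002": ("SMTP", False),
    "11001": ("POP3", True), "11002": ("POP3", False),
    "12001": ("IMAP4", True), "12002": ("IMAP4", False),
}

def parse_line(line):
    """Split one log line into a dict, converting integer-typed fields."""
    rec = {}
    for key, quoted, bare in PAIR.findall(line):
        value = quoted or bare.strip('"')  # tolerate a stray quote on a bare value
        # The sample has protocol="TCP" despite the integer type: convert only digits.
        rec[key] = int(value) if key in INT_FIELDS and value.isdigit() else value
    return rec

def malware_event(rec):
    """Return (component, infected) for an Anti-Virus record, else None."""
    if rec.get("log_type") != "Anti-Virus":
        return None
    # Assumption: message ID = last five digits of log_id (030906208001 -> 08001).
    return MALWARE_IDS.get(rec.get("log_id", "")[-5:])

def infected_events(lines):
    """Yield a short summary for each record whose message ID reports a virus."""
    for rec in map(parse_line, lines):
        event = malware_event(rec)
        if event and event[1]:
            yield {"component": event[0], "virus": rec.get("virus"),
                   "user": rec.get("user_name"), "src_ip": rec.get("src_ip")}

# Constructed input: the page's sample shortened, plus a made-up clean SMTP record
# whose log_id prefix is a placeholder (only the last five digits are used).
SAMPLE = [
    'log_id=030906208001 log_type="Anti-Virus" log_component="HTTP" fw_rule_id=2 '
    'user_name="jsmith" virus="EICAR-AV-Test" src_ip=10.198.47.71 '
    'url="http://www.eicar.org/download/eicar.com" protocol="TCP" dst_port=80',
    'log_id=000000010002 log_type="Anti-Virus" log_component="SMTP" '
    'user_name="jsmith" src_ip=10.198.47.71 dst_port=25',
]
```

Calling list(infected_events(SAMPLE)) returns only the HTTP record, since the SMTP record carries message ID 10002 (no virus found).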


Key Features

  • Firewall rules
  • Web filtering
  • Intrusion prevention
  • VPN
  • Wireless management
  • Email security
  • Advanced threat protection


Frequently Asked Questions

What is the purpose of Sophos XG Firewall?
Sophos XG Firewall is a network security appliance designed to protect your network from threats.
What are the key features of Sophos XG Firewall?
Key features include firewall rules, web filtering, intrusion prevention, VPN, wireless management, email security, and advanced threat protection.
How do I access the Sophos XG Firewall web interface?
You can access the Sophos XG Firewall web interface by entering the IP address of the appliance in your web browser.
How do I configure basic firewall rules?
You can configure basic firewall rules by creating a new rule in the Firewall section of the web interface.
How do I enable web filtering?
You can enable web filtering by creating a new web filter policy in the Web section of the web interface.
What is the difference between a user rule and a network rule?
A user rule applies to a specific user, while a network rule applies to a specific network.
How do I create a VPN tunnel?
You can create a VPN tunnel by creating a new IPsec connection in the VPN section of the web interface.
