CEF key-value table

The following table contains a list of all the CEF key names used to log data from these Forcepoint Email Security logs:

  • Connection
  • Message
  • Policy
  • Delivery
  • Hybrid
  • Audit
  • Console

See Log format reference for details about the specific format of each log.

| CEF Key Name | Full Name | Key Value | Forcepoint Email Security Log |
|---|---|---|---|
| act | deviceAction | Policy action result; Message delivery status | Policy; Delivery, Hybrid, Audit |
| app | applicationProtocol | Transport protocol | Connection, Delivery |
| cat | deviceEventCategory | Antispam tool name | Policy |
| cc | cc | Message header “Cc” | Message |
| cs1 | deviceCustomString1 | Virus name | Policy |
| deliveryCode | n/a | Delivery status code | Delivery |
| deliveryCodeInfo | n/a | Delivery status information | Delivery |
| deviceDirection | deviceDirection | Email direction: inbound/internal = 0, outbound = 1 | Policy |
| deviceFacility | deviceFacility | Policy name | Policy |
| deviceProcessName | deviceProcessName | Policy rule name | Policy |
| dst | destinationAddress | Email destination IP address | Delivery |
| duser | destinationUserName | Destination (recipient) user name | Message, Policy, Delivery, Hybrid |
| dvc | deviceAddress | Email appliance IP address | Connection, Message, Policy, Delivery, Hybrid, Audit |
| dvchost | deviceHostName | Email appliance fully qualified domain name (FQDN) | Connection, Message, Policy, Delivery, Hybrid |
| element | n/a | Element on the page to which the change was applied | Audit |
| encryptedDelivery | n/a | Encryption type | Delivery |
| exceptionReason | n/a | Reason for exception (e.g., DLP policy, file sandbox, antivirus or antispam analysis) | Policy |
| externalID | externalID | Connection ID | Connection, Message, Delivery |
| fnameAndHash | n/a | Message attachments in the format: <filename>\|<filehash>\|<triggered/clean/malicious> | Policy |
| from | from | Message header “from” | Message, Policy |
| hybridSpamScore | n/a | Email hybrid service spam score | Policy |
| in | bytesIn | Inbound email size | Message, Policy, Hybrid |
| localSpamScore | n/a | On-premises email spam score | Policy |
| messageID | n/a | Message ID number | Message, Policy, Delivery, Hybrid |
| msg | message | Message subject | Audit |
| page | n/a | Page to which a change was made | Audit |
| reason | reason | Connection status details; Hybrid analysis result | Connection; Hybrid |
| replyTo | n/a | Message header “replyTo” | Policy |
| rt | deviceReceiptTime | Time of event receipt (format is MMM dd yyyy HH:mm:ss) | Connection, Message, Policy, Delivery, Hybrid, Audit |
| spamScore | n/a | Email hybrid service spam score | Hybrid |
| spfResult | n/a | Relay control SPF check result | Connection |
| spriv | n/a | Role of the user that made a change | Audit |
| src | sourceAddress | Email source IP address | Connection, Delivery, Hybrid, Audit |
| suser | sourceUserName | User that made a change | Audit |
| suser | sourceUserName | Envelope sender | Message, Policy, Hybrid |
| to | n/a | Message header “to” | Message |
| trueSrc | n/a | True source IP address | Message, Policy |
| url | n/a | Message embedded URLs in the format: <url>\|<url category>\|<triggered/not triggered> | Policy |
| x-mailer | n/a | Email client | Message |
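For SIEM ingestion, the sketch below parses a CEF extension string and decodes the fields whose encoding this table defines (rt, deviceDirection, fnameAndHash, url). It is an added example, not Forcepoint code. The sample event, the function names and the sub-field names (filename, filehash, category, verdict) are constructed for illustration. It assumes one attachment or URL entry per field, since this page does not say how multiple entries are listed, and it handles only the standard CEF extension escapes `\=` and `\\`.

```python
import re
from datetime import datetime

# Constructed Policy-log extension (not real log data); "=" inside a value is escaped as "\=".
SAMPLE = ("rt=Mar 04 2024 10:15:30 dvc=192.0.2.10 deviceDirection=0 "
          "deviceFacility=Default Inbound Policy duser=bob@example.com "
          "fnameAndHash=invoice.pdf|0123abcd|clean "
          "url=http://example.net/a?b\\=c|Business|not triggered")

# A pair starts at "key=" preceded by start-of-string or a space.
# "-" is allowed in key names because the table lists x-mailer.
_KEY = re.compile(r"(?:^| )([A-Za-z][\w-]*)=")
DIRECTION = {"0": "inbound/internal", "1": "outbound"}

def parse_extension(ext):
    """Split a CEF extension into {key: value}; values may contain spaces."""
    marks = list(_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(ext)
        # Undo the CEF extension escapes "\=" and "\\" in one pass.
        fields[m.group(1)] = re.sub(r"\\([=\\])", r"\1", ext[m.end():end])
    return fields

def split_triplet(value, names):
    """Decode a three-part "|"-separated value; split from the right so a
    "|" inside the first part (a URL or file name) stays intact."""
    parts = value.rsplit("|", 2)
    if len(parts) != 3:
        raise ValueError(f"expected 3 '|'-separated parts, got {value!r}")
    return dict(zip(names, (p.strip() for p in parts)))

def decode_policy_event(ext):
    """Parse an extension and convert the fields whose encoding the table defines."""
    ev = parse_extension(ext)
    if "rt" in ev:  # MMM dd yyyy HH:mm:ss
        ev["rt"] = datetime.strptime(ev["rt"], "%b %d %Y %H:%M:%S")
    if "deviceDirection" in ev:
        ev["deviceDirection"] = DIRECTION.get(ev["deviceDirection"], "unknown")
    if "fnameAndHash" in ev:
        ev["fnameAndHash"] = split_triplet(
            ev["fnameAndHash"], ("filename", "filehash", "verdict"))
    if "url" in ev:
        ev["url"] = split_triplet(ev["url"], ("url", "category", "verdict"))
    return ev

if __name__ == "__main__":
    for key, value in decode_policy_event(SAMPLE).items():
        print(f"{key}: {value}")
```

Splitting on the first or on every "|" would misparse a URL that itself contains a pipe, which is why the decoder splits from the right.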