CEF key-value table
The following table contains a list of all the CEF key names used to log data from these Forcepoint Email Security logs:
- Connection
- Message
- Policy
- Delivery
- Hybrid
- Audit
- Console
See Log format reference for details about the specific format of each log.
CEF Key Name | Full Name | Key Value | Forcepoint Email Security Log |
---|---|---|---|
act | deviceAction | Policy action result; Message delivery status | Policy; Delivery, Hybrid, Audit |
app | applicationProtocol | Transport protocol | Connection, Delivery |
cat | deviceEventCategory | Antispam tool name | Policy |
cc | cc | Message header “Cc” | Message |
cs1 | deviceCustomString1 | Virus name | Policy |
deliveryCode | n/a | Delivery status code | Delivery |
deliveryCodeInfo | n/a | Delivery status information | Delivery |
deviceDirection | deviceDirection | Email direction: inbound/internal = 0, outbound = 1 | Policy |
deviceFacility | deviceFacility | Policy name | Policy |
deviceProcessName | deviceProcessName | Policy rule name | Policy |
dst | destinationAddress | Email destination IP address | Delivery |
duser | destinationUserName | Destination (recipient) user name | Message, Policy, Delivery, Hybrid |
dvc | deviceAddress | Email appliance IP address | Connection, Message, Policy, Delivery, Hybrid, Audit |
dvchost | deviceHostName | Email appliance fully qualified domain name (FQDN) | Connection, Message, Policy, Delivery, Hybrid |
element | n/a | Element on the page to which the change was applied | Audit |
encryptedDelivery | n/a | Encryption type | Delivery |
exceptionReason | n/a | Reason for exception (e.g., DLP policy, file sandbox, antivirus or antispam analysis) | Policy |
externalID | externalID | Connection ID | Connection, Message, Delivery |
fnameAndHash | n/a | Message attachments in the format: `<filename>\|<filehash>\|<triggered/clean/malicious>` | Policy |
from | from | Message header “from” | Message, Policy |
hybridSpamScore | n/a | Email hybrid service spam score | Policy |
in | bytesIn | Inbound email size | Message, Policy, Hybrid |
localSpamScore | n/a | On-premises email spam score | Policy |
messageID | n/a | Message ID number | Message, Policy, Delivery, Hybrid |
msg | message | Message subject | Audit |
page | n/a | Page to which a change was made | Audit |
reason | reason | Connection status details; Hybrid analysis result | Connection; Hybrid |
replyTo | n/a | Message header “replyTo” | Policy |
rt | deviceReceiptTime | Time of event receipt (format is MMM dd yyyy HH:mm:ss) | Connection, Message, Policy, Delivery, Hybrid, Audit |
spamScore | n/a | Email hybrid service spam score | Hybrid |
spfResult | n/a | Relay control SPF check result | Connection |
spriv | n/a | Role of the user that made a change | Audit |
src | sourceAddress | Email source IP address | Connection, Delivery, Hybrid, Audit |
suser | sourceUserName | User that made a change | Audit |
suser | sourceUserName | Envelope sender | Message, Policy, Hybrid |
to | n/a | Message header “to” | Message |
trueSrc | n/a | True source IP address | Message, Policy |
url | n/a | Message embedded URLs in the format: `<url>\|<url category>\|<triggered/not triggered>` | Policy |
x-mailer | n/a | Email client | Message |
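
The following Python example is added here and is not Forcepoint code. It parses the key=value extension of a CEF record and decodes the `rt`, `deviceDirection`, `fnameAndHash` and `url` fields as the table describes them, splitting the pipe-delimited fields from the right so a `|` inside a filename or URL does not shift the verdict. Assumptions: the sample record is constructed, each of `fnameAndHash` and `url` carries a single entry, and all function names are illustrative.

```python
import re
from datetime import datetime

# key=value pairs; a value runs until the next " key=" or the end of the string.
# A literal "=" or backslash inside a value is backslash-escaped in CEF.
_PAIR = re.compile(r"([\w-]+)=((?:\\.|[^=\\])*?)(?=\s+[\w-]+=|\s*$)")

def parse_extension(ext):
    """Split a CEF extension into a dict and undo backslash escapes."""
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in _PAIR.findall(ext)}

def split_triple(value):
    """Split <item>|<hash or category>|<verdict> from the right, so a '|'
    inside a filename or URL cannot shift the last two fields."""
    parts = value.rsplit("|", 2)
    return tuple(p.strip() for p in parts) if len(parts) == 3 else None

def normalize(ext):
    """Decode the typed fields from the table; other keys pass through."""
    ev = parse_extension(ext)
    if "rt" in ev:  # MMM dd yyyy HH:mm:ss
        ev["rt"] = datetime.strptime(ev["rt"], "%b %d %Y %H:%M:%S")
    if "deviceDirection" in ev:
        names = {"0": "inbound/internal", "1": "outbound"}
        ev["deviceDirection"] = names.get(ev["deviceDirection"], ev["deviceDirection"])
    for key in ("fnameAndHash", "url"):
        if key in ev:
            ev[key] = split_triple(ev[key])
    return ev

def verdicts(ev):
    """List (key, item, verdict) for entries not marked clean / not triggered."""
    benign = {"clean", "not triggered"}
    return [(k, ev[k][0], ev[k][2]) for k in ("fnameAndHash", "url")
            if ev.get(k) and ev[k][2].lower() not in benign]

# Constructed sample extension (not real log data); one attachment, one URL.
SAMPLE = (
    "rt=Mar 05 2024 10:15:30 dvc=192.0.2.10 deviceDirection=0 "
    "suser=billing@example.com duser=alice@example.org "
    "fnameAndHash=invoice|final.pdf|0123456789abcdef|malicious "
    r"url=http://example.test/a?id\=7|Uncategorized|triggered"
)

if __name__ == "__main__":
    event = normalize(SAMPLE)
    for hit in verdicts(event):
        print(event["rt"].isoformat(), event["suser"], *hit)
```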