CEF key-value table
The following table contains a list of all the CEF key names used to log data from these Forcepoint Email Security logs:
- Connection
- Message
- Policy
- Delivery
- Hybrid
- Audit
- Console
See Log format reference for details about the specific format of each log.
| CEF Key Name | Full Name | Key Value | Forcepoint Email Security Log |
|---|---|---|---|
| act | deviceAction | Policy action result; Message delivery status | Policy; Delivery, Hybrid, Audit |
| app | applicationProtocol | Transport protocol | Connection, Delivery |
| cat | deviceEventCategory | Antispam tool name | Policy |
| cc | cc | Message header “Cc” | Message |
| cs1 | deviceCustomString1 | Virus name | Policy |
| deliveryCode | n/a | Delivery status code | Delivery |
| deliveryCodeInfo | n/a | Delivery status information | Delivery |
| deviceDirection | deviceDirection | Email direction: inbound/internal = 0, outbound = 1 | Policy |
| deviceFacility | deviceFacility | Policy name | Policy |
| deviceProcessName | deviceProcessName | Policy rule name | Policy |
| dst | destinationAddress | Email destination IP address | Delivery |
| duser | destinationUserName | Destination (recipient) user name | Message, Policy, Delivery, Hybrid |
| dvc | deviceAddress | Email appliance IP address | Connection, Message, Policy, Delivery, Hybrid, Audit |
| dvchost | deviceHostName | Email appliance fully qualified domain name (FQDN) | Connection, Message, Policy, Delivery, Hybrid |
| element | n/a | Element on the page to which the change was applied | Audit |
| encryptedDelivery | n/a | Encryption type | Delivery |
| exceptionReason | n/a | Reason for exception (e.g., DLP policy, file sandbox, antivirus or antispam analysis) | Policy |
| externalID | externalID | Connection ID | Connection, Message, Delivery |
| fnameAndHash | n/a | Message attachments in the format: `<filename>\|<filehash>\|<triggered/clean/malicious>` | Policy |
| from | from | Message header “from” | Message, Policy |
| hybridSpamScore | n/a | Email hybrid service spam score | Policy |
| in | bytesIn | Inbound email size | Message, Policy, Hybrid |
| localSpamScore | n/a | On-premises email spam score | Policy |
| messageID | n/a | Message ID number | Message, Policy, Delivery, Hybrid |
| msg | message | Message subject | Audit |
| page | n/a | Page to which a change was made | Audit |
| reason | reason | Connection status details; Hybrid analysis result | Connection; Hybrid |
| replyTo | n/a | Message header “replyTo” | Policy |
| rt | deviceReceiptTime | Time of event receipt (format is MMM dd yyyy HH:mm:ss) | Connection, Message, Policy, Delivery, Hybrid, Audit |
| spamScore | n/a | Email hybrid service spam score | Hybrid |
| spfResult | n/a | Relay control SPF check result | Connection |
| spriv | n/a | Role of the user that made a change | Audit |
| src | sourceAddress | Email source IP address | Connection, Delivery, Hybrid, Audit |
| suser | sourceUserName | User that made a change | Audit |
| suser | sourceUserName | Envelope sender | Message, Policy, Hybrid |
| to | n/a | Message header “to” | Message |
| trueSrc | n/a | True source IP address | Message, Policy |
| url | n/a | Message embedded URLs in the format: `<url>\|<url category>\|<triggered/not triggered>` | Policy |
| x-mailer | n/a | Email client | Message |
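
The following Python sketch is an added example, not Forcepoint code: it parses the extension part of a Policy log record and decodes the encoded fields from the table (`rt`, `deviceDirection`, `fnameAndHash`, `url`) for use in a SIEM pipeline. It assumes the CEF header has already been stripped and that each of `fnameAndHash` and `url` carries a single triple; the function names and all sample values are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed Policy-log extension; every value is made up for illustration.
SAMPLE = (
    "dvc=192.0.2.10 dvchost=esg.example.test rt=Mar 04 2024 10:15:30 "
    "messageID=1001 suser=sender@example.test duser=rcpt@example.test "
    "deviceDirection=0 act=quarantine localSpamScore=8.5 "
    "fnameAndHash=invoice|final.pdf|0123abcd|malicious "
    "url=http://example.test/a?id\\=7|Uncategorized|not triggered"
)

# A key starts the string or follows whitespace and ends at an unescaped "=".
_KEY = re.compile(r"(?:^|\s)([A-Za-z][\w.-]*)=")

def parse_extension(ext):
    """Split a CEF extension into {key: value}; values may contain spaces."""
    fields, hits = {}, list(_KEY.finditer(ext))
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        raw = ext[m.end():end].strip()
        # CEF escapes "=" and "\" inside extension values with a backslash.
        fields[m.group(1)] = re.sub(r"\\([=\\])", r"\1", raw)
    return fields

def split_triple(value):
    """'<a>|<b>|<c>' -> (a, b, c), split from the right so a may hold '|'."""
    parts = value.rsplit("|", 2)
    return tuple(parts) if len(parts) == 3 else None

def normalize_policy(fields):
    """Decode the table's encoded Policy fields into typed values."""
    out = dict(fields)
    if "rt" in out:  # MMM dd yyyy HH:mm:ss
        out["rt"] = datetime.strptime(out["rt"], "%b %d %Y %H:%M:%S")
    if "deviceDirection" in out:
        out["deviceDirection"] = {"0": "inbound/internal", "1": "outbound"}.get(
            out["deviceDirection"], "unknown")
    for key in ("fnameAndHash", "url"):
        if key in out:
            out[key] = split_triple(out[key])
    return out

def flagged(event):
    """True when the attachment or URL verdict field is not the clean one."""
    f, u = event.get("fnameAndHash"), event.get("url")
    return bool((f and f[2] in ("triggered", "malicious")) or (u and u[2] == "triggered"))
```

Splitting the triples from the right keeps a `|` inside a file name or URL intact, since only the last two fields have a fixed vocabulary.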