The SOC log level was introduced to make log data easier to parse and to export to third-party aggregators, such as Syslog. The SOC log level has the following entries:

| Event | Log identifier | Fields |
|---|---|---|
| Email received | email.receive | email_id, ip_address, sender, recipients, subject, processing_id, message_id |
| Email refused | email.refuse | ip_address, sender, recipient, response |
| Email scanned / Email rescanned | email.scan / email.rescan | email_id, sender, recipients, subject, processing_id, message_id, classifications, scan_result, anti_spam_result, rule_name, scan_result_details, batch_id |
| Email completed | email.complete | email_id, sender, recipients, subject, processing_id, message_id, classifications, status |
| Email quarantined | email.quarantine | email_id, sender, recipients, subject, processing_id, message_id, classifications |
| Email retrying | email.retry | email_id, sender, recipients, subject, processing_id, message_id, classifications, retry_count, next_retry |
| Email failed | email.failure | email_id, sender, recipients, subject, processing_id, message_id, classifications |

processing_id: Unique message identifier on the Email Gateway Security REST API (internal; for support).
message_id: The Message-ID field according to RFC 5322 that contains a single unique message identifier.
email_id: Unique message identifier inside Email Gateway Security (internal; for support).
classifications: Classifications according to Email classifications.
scan_result: Overall scan result by MetaDefender Core. The value may be Allowed or Blocked, depending on the setting shown in the image Allowed processing results on MetaDefender Core below.
antispam_result: Anti-spam and Anti-phishing classifications according to Spam classifications and Phishing classifications respectively.
scan_result_details: Scan details (URLs, data IDs, verdicts, etc.) on MetaDefender Core for each email component (headers, bodies, each attachment).
status: Status of the email according to Processing status values.
retry_count: Number of retry attempts made in case of a processing or delivery failure.
next_retry: The time of the next retry attempt in case of a processing or delivery failure.
batch_id: The identifier of the MetaDefender Core side batch that combines the components of the email.

Allowed processing results on MetaDefender Core
Certain SOC level logs contain parameters of that entry. For example, see the ip_address parameter below:
Sep 23 10:32:06 UTC LE11-D8766 CEF:0|OPSWAT|MDEMAIL|6.1.2RC1|email.receive|Email receive, email_id='804cc4c0-226f-45bc-800f-29a88ee94caf', ip_address='127.0.0.1', message_id='e842c3d7-0694-4ba5-97f1-03eed504f62a@remo.te', processing_id='a9b68d415e754798b63ab274f47177f4', recipients='joe@loc.al', sender='dan@remo.te', subject='bec'|5|OMStid=6976 OMSmsgid=0
The values of these parameters might contain the delimiter single quote ' character. In these cases the single quote ' characters are escaped by doubling each single quote character (e.g. ''' , '''''' , etc.).
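
A quote-aware parser for this layout, as an added example (not OPSWAT's code). It matters because fields such as subject are sender-controlled and may contain quotes, commas or pipes, so splitting on `|` or `, ` misreads them. The line layout is inferred from the single sample above; `parse_soc_line`, `PAGE_SAMPLE` and `CONSTRUCTED` are hypothetical names, and the second sample line is constructed.

```python
import re

# One key='value' pair; a literal ' inside the value is written doubled ('').
PAIR = re.compile(r"(\w+)='((?:[^']|'')*)'")

def parse_soc_line(line):
    """Parse one SOC-level line laid out like the sample on this page."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    # Split only the first five pipes: later ones may sit inside quoted values.
    parts = line[start:].split("|", 5)
    if len(parts) != 6:
        raise ValueError("truncated CEF header")
    vendor, product, version, log_id, rest = parts[1:]
    # Assumption: the event name holds no ", " or "|" of its own.
    sep = re.search(r", |\|", rest)
    pos = sep.start() if sep else len(rest)
    event = {"prefix": line[:start].strip(), "vendor": vendor, "product": product,
             "version": version, "log_id": log_id, "name": rest[:pos], "fields": {}}
    while rest.startswith(", ", pos):
        m = PAIR.match(rest, pos + 2)
        if m is None:
            raise ValueError("malformed field at offset %d" % pos)
        event["fields"][m.group(1)] = m.group(2).replace("''", "'")  # undo doubling
        pos = m.end()
    if not rest.startswith("|", pos):
        raise ValueError("unterminated field list")  # e.g. an unescaped quote
    event["severity"], _, event["extension"] = rest[pos + 1:].partition("|")
    return event

# The sample line from this page.
PAGE_SAMPLE = (
    "Sep 23 10:32:06 UTC LE11-D8766 CEF:0|OPSWAT|MDEMAIL|6.1.2RC1|email.receive|Email receive, "
    "email_id='804cc4c0-226f-45bc-800f-29a88ee94caf', ip_address='127.0.0.1', "
    "message_id='e842c3d7-0694-4ba5-97f1-03eed504f62a@remo.te', "
    "processing_id='a9b68d415e754798b63ab274f47177f4', recipients='joe@loc.al', "
    "sender='dan@remo.te', subject='bec'|5|OMStid=6976 OMSmsgid=0"
)
# Constructed line: the subject holds a quote, a pipe and text shaped like a field.
CONSTRUCTED = (
    "Sep 23 10:32:06 UTC LE11-D8766 CEF:0|OPSWAT|MDEMAIL|6.1.2RC1|email.receive|Email receive, "
    "email_id='00000000-0000-0000-0000-000000000000', ip_address='127.0.0.1', "
    "sender='dan@remo.te', subject='it''s 5|5, sender=''x@y.z'''|5|OMStid=1 OMSmsgid=0"
)

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED):
        print(parse_soc_line(sample)["fields"])
```

A line that fails to parse is worth forwarding unparsed and flagging, since it means the field list did not follow the doubling rule.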
