Sender Filtering/Authentication Log Messages

Vendor Documentation

Rule Name	Rule Type	Common Event	Classification
Sender Filtering/Authentication Log Messages	Base Rule	Email Message Dropped By Filter	Warning

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
Header (logVer)	N/A	N/A	CEF format version.
Header (vendor)	N/A	N/A	Appliance vendor.
Header (pname)	N/A	N/A	Appliance product.
Header (pver	<version>	Text/String	Appliance version.
Header (eventid)	<vmid>	Number	Signature ID.
Header (eventName)	<vendorinfo>	Text/String	Description.
Header (severity)	<severity>	Number	Severity 2: Unavailable 4: Low 6: Medium 8: High
rt	N/A	N/A	Log generation time.
cn1Label	N/A	N/A	eventType.
cn1	<sessiontype>	Number	1: Email reputation 2: DHA protection 3: Bounce attack protection 4: SMTP traffic throttling (IP address) 5: SMTP traffic throttling (emailaddress) 6: SPF 7: DKIM 8: DMARC
cn2Label	N/A	N/A	Label for sender authentication result.
cn2	<result>	Number	1: None 2: Pass 3: Neutral 4: SoftFail 5: Fail 6: TempError 7: PermError
dvchost	<dname>	Text/String	Appliance host name.
deviceTranslatedAddress	N/A	N/A	Relay MTA IP address.
deviceExternalId	N/A	N/A	Appliance GUID.
dvc	<dip>	IP Address	Appliance IP address.
act	<action>	Number	The action in the event 2: Block temporarily 3: Block permanently
duser	<recipient>	Text/String	Email recipients.
reason	<reason>	Number	Reason for block action.
suser	<sender>	Text/String	Email sender.
dvcmac	<dmac>	Text/String	Appliance MAC address.