Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Sample CEF and Syslog Notifications

Sample CEF, LEEF, and Syslog notification examples are shown for various event types in this section.

The definitions for each of the <extension> field keys per event type are provided in the section CEF Extension Field Key=Value Pair Definitions


Be aware that if a value is null, the label will still display in the notification; for example, dst= and filename remain blank in the CEF message:

CEF Phishing Event Examples:

Phishing events are included in CEF/Syslog. Here are few examples:

Example 1: Email with Both Malicious URL and Attachment

Example 2: Email Sent to Multiple Recipients with Malicious Attachment

Example 3: Email Sent to Multiple Recipients with Multiple Bad URLs (Separated by Space) and Attachment

Example 4: Infection Event for which Identity Information is Obtained from Active Directory

CEF System Health Notification Example:

Syslog System Health Notification Example:


The priority value in syslog headers from pcaps is “134”. The Juniper ATP Appliance mirrors the output of CEF for the fields supported by Syslog to generate Syslog output

CEF Download (DL) Malware Event Notification Examples

Syslog Download (DL) Malware Event Notification Examples

CEF HTTP Malware Event Notification Example

LEEF Event Examples

LEEF log for Download

LEEF log for 3rd party log ingestion (Virus scan log from Symantec)

LEEF for email with both phishing links and also a malicious attachment