Event Definitions: Difference between revisions

From Edge Threat Management Wiki - Arista
m (Dmorris moved page Events to Event Definitions without leaving a redirect)
No edit summary
Line 29: Line 29:
|String
|String
|The key
|The key
|-
|oldValue
|String
|The old value
|-
|-
|timeStamp
|timeStamp
Line 66: Line 70:
|String
|String
|The MAC address
|The MAC address
|-
|oldValue
|String
|The old value
|-
|-
|timeStamp
|timeStamp
Line 78: Line 86:




== PenaltyBoxEvent ==
== UserTableEvent ==
<section begin='PenaltyBoxEvent' />
<section begin='UserTableEvent' />


These events are created by the [[Bandwidth Control]] and inserted to the [[Database_Schema#penaltybox|penaltybox]] table.
These events are created by the base system and inserted to the [[Database_Schema#user_table_updates|user_table_updates]] table when the user table is modified.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 87: Line 95:
! Type
! Type
! Description
! Description
|-
|action
|int
|The action
|-
|address
|InetAddress
|The address
|-
|-
|class
|class
Line 100: Line 100:
|The class name
|The class name
|-
|-
|entryTime
|key
|Timestamp
|String
|The entry time
|The key
|-
|-
|exitTime
|oldValue
|Timestamp
|String
|The exit time
|The old value
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|username
|String
|The username
|-
|value
|String
|The value
|}
|}
<section end='PenaltyBoxEvent' />
<section end='UserTableEvent' />




Line 148: Line 156:
|long
|long
|The number of bytes sent from the server to Untangle
|The number of bytes sent from the server to Untangle
|-
|sessionEvent
|SessionEvent
|The session event
|-
|-
|sessionId
|sessionId
Line 170: Line 182:
! Description
! Description
|-
|-
|cClientAddr
|CClientAddr
|InetAddress
|InetAddress
|The client-side (pre-NAT) client address
|The client-side (pre-NAT) client address
|-
|-
|cClientPort
|CClientPort
|Integer
|Integer
|The client-side (pre-NAT) client port
|The client-side (pre-NAT) client port
|-
|-
|cServerAddr
|CServerAddr
|InetAddress
|InetAddress
|The client-side (pre-NAT) server address
|The client-side (pre-NAT) server address
|-
|-
|cServerPort
|CServerPort
|Integer
|Integer
|The client-side (pre-NAT) server port
|The client-side (pre-NAT) server port
|-
|-
|sClientAddr
|SClientAddr
|InetAddress
|InetAddress
|The server-side (post-NAT) client address
|The server-side (post-NAT) client address
|-
|-
|sClientPort
|SClientPort
|Integer
|Integer
|The server-side (post-NAT) client port
|The server-side (post-NAT) client port
|-
|-
|sServerAddr
|SServerAddr
|InetAddress
|InetAddress
|The server-side (post-NAT) server address
|The server-side (post-NAT) server address
|-
|-
|sServerPort
|SServerPort
|Integer
|Integer
|The server-side (post-NAT) server port
|The server-side (post-NAT) server port
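Review bot: The eight address and port attributes in this table are renamed to start with a capital letter (`CClientAddr`, `SServerPort`, ...) while neighbouring attributes such as `sessionId` and `timeStamp` stay lowerCamel, and nothing on the page says why. Add a sentence stating that the capitalised spelling is the exact name to use, since anyone writing rule conditions or queries from this page will copy the casing shown here.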
Line 285: Line 297:
|Long
|Long
|The session ID
|The session ID
|-
|tagsString
|String
|The string value of all tags
|-
|-
|timeStamp
|timeStamp
Line 340: Line 356:
! Description
! Description
|-
|-
|sClientAddr
|SClientAddr
|InetAddress
|InetAddress
|The server-side (post-NAT) client address
|The server-side (post-NAT) client address
|-
|-
|sClientPort
|SClientPort
|Integer
|Integer
|The server-side (post-NAT) client port
|The server-side (post-NAT) client port
|-
|-
|sServerAddr
|SServerAddr
|InetAddress
|InetAddress
|The server-side (post-NAT) server address
|The server-side (post-NAT) server address
|-
|-
|sServerPort
|SServerPort
|Integer
|Integer
|The server-side (post-NAT) server port
|The server-side (post-NAT) server port
Line 363: Line 379:
|Integer
|Integer
|The server interface ID
|The server interface ID
|-
|sessionEvent
|SessionEvent
|The session event
|-
|-
|timeStamp
|timeStamp
Line 384: Line 404:
|int
|int
|The action (1=Quota Given, 2=Quota Exceeded)
|The action (1=Quota Given, 2=Quota Exceeded)
|-
|address
|InetAddress
|The address
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
|-
|entity
|String
|The entity
|-
|-
|quotaSize
|quotaSize
Line 441: Line 461:




== LogEvent ==
== AdminLoginEvent ==
<section begin='LogEvent' />
<section begin='AdminLoginEvent' />


These base class for all events.
These events are created by the base system and inserted to the [[Database_Schema#user_table_updates|admin_logins]] table when an administrator login is attempted or successful.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
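Review bot: The new AdminLoginEvent description links to `Database_Schema#user_table_updates` while the link text says `admin_logins`, so the link lands on the wrong schema section; it looks copied from the UserTableEvent entry. Point the anchor at the admin_logins section, for example `[[Database_Schema#admin_logins|admin_logins]]`, after confirming that anchor exists on Database_Schema.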
Line 454: Line 474:
|Class
|Class
|The class name
|The class name
|-
|clientAddress
|InetAddress
|The client address
|-
|local
|boolean
|1 if login is done via local console, 0 otherwise
|-
|login
|String
|The login username
|-
|reason
|String
|The reason
|-
|succeeded
|boolean
|1 if successful, 0 otherwise
|-
|-
|timeStamp
|timeStamp
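Review bot: In the added AdminLoginEvent rows, `reason` is documented only as "The reason", which tells a reader nothing about what appears there on a failed login; list the possible values or say where they are defined. `local` and `succeeded` are typed boolean but described as 1/0, whereas other boolean attributes on this page read "True if ..., false otherwise"; pick one convention so that someone writing an alert condition on failed administrator logins knows which literal to compare against.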
Line 459: Line 499:
|The timestamp
|The timestamp
|}
|}
<section end='LogEvent' />
<section end='AdminLoginEvent' />




== InterfaceStatEvent ==
== AlertEvent ==
<section begin='InterfaceStatEvent' />
<section begin='AlertEvent' />


These events are created by the base system and inserted to the [[Database_Schema#settings_changes|interface_stat_events]] table periodically with interface stats.
These events are created by [[Reports]] and inserted to the [[Database_Schema#alerts|alerts]] table when an alert fires.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 471: Line 511:
! Type
! Type
! Description
! Description
|-
|causalRule
|EventRule
|The causal rule
|-
|cause
|LogEvent
|The cause
|-
|-
|class
|class
Line 476: Line 524:
|The class name
|The class name
|-
|-
|interfaceId
|description
|int
|String
|The interface ID
|The description
|-
|eventSent
|Boolean
|True if the event was sent, false otherwise
|-
|json
|String
|The JSON string
|-
|-
|rxRate
|summaryText
|double
|String
|The RX rate in byte/s
|The summary text
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|txRate
|double
|The TX rate in byte/s
|}
|}
<section end='InterfaceStatEvent' />
<section end='AlertEvent' />




== SystemStatEvent ==
== LogEvent ==
<section begin='SystemStatEvent' />
<section begin='LogEvent' />


These events are created by the base system and inserted to the [[Database_Schema#server_events|server_events]] table periodically.
These base class for all events.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
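Review bot: The LogEvent description carried into its new position still reads "These base class for all events.", which is ungrammatical. Since the section is being moved in this revision anyway, change it to "The base class for all events." and consider noting that `class` and `timeStamp` are the attributes every other event inherits.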
Line 505: Line 557:
! Description
! Description
|-
|-
|activeHosts
|class
|int
|Class
|The active host count
|The class name
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='LogEvent' />
 
 
== InterfaceStatEvent ==
<section begin='InterfaceStatEvent' />
 
These events are created by the base system and inserted to the [[Database_Schema#settings_changes|interface_stat_events]] table periodically with interface stats.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|-
|class
|class
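Review bot: The InterfaceStatEvent description links to `Database_Schema#settings_changes` but labels the link `interface_stat_events`, so a reader following it ends up in the wrong schema section. The mismatch is carried over unchanged from the old revision; fix the anchor to the interface_stat_events section while the block is being relocated.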
Line 513: Line 582:
|The class name
|The class name
|-
|-
|cpuSystem
|interfaceId
|float
|int
|The system CPU utilization
|The interface ID
|-
|-
|cpuUser
|rxBytes
|float
|double
|The user CPU utilization
|The total of received bytes
|-
|-
|diskFree
|rxRate
|long
|double
|The amount of disk free
|The RX rate in byte/s
|-
|-
|diskFreePercent
|timeStamp
|float
|Timestamp
|The percentage of disk free
|The timestamp
|-
|-
|diskTotal
|txBytes
|long
|double
|The total size of the disk
|The total of transmitted bytes
|-
|-
|diskUsed
|txRate
|long
|double
|The amount of disk used
|The TX rate in byte/s
|}
<section end='InterfaceStatEvent' />
 
 
== SystemStatEvent ==
<section begin='SystemStatEvent' />
 
These events are created by the base system and inserted to the [[Database_Schema#server_events|server_events]] table periodically.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|activeHosts
|int
|The active host count
|-
|-
|diskUsedPercent
|class
|float
|Class
|The percentage of disk used
|The class name
|-
|-
|load1
|cpuSystem
|float
|float
|The 1-minute CPU load
|The system CPU utilization
|-
|-
|load15
|cpuUser
|float
|The user CPU utilization
|-
|diskFree
|long
|The amount of disk free
|-
|diskFreePercent
|float
|The percentage of disk free
|-
|diskTotal
|long
|The total size of the disk
|-
|diskUsed
|long
|The amount of disk used
|-
|diskUsedPercent
|float
|The percentage of disk used
|-
|load1
|float
|The 1-minute CPU load
|-
|load15
|float
|float
|The 15-minute CPU load
|The 15-minute CPU load
Line 608: Line 722:




== TunnelStatusEvent ==
== CaptivePortalUserEvent ==
<section begin='TunnelStatusEvent' />
<section begin='CaptivePortalUserEvent' />
 
These events are created by [[IPsec VPN]] and inserted to the [[Database_Schema#ipsec_tunnel_stats|ipsec_tunnel_stats]] table periodically.


These events are created by [[Captive Portal]] and inserted to the [[Database_Schema#captive_portal_user_events|captive_portal_user_events]] table when Captive Portal user takes amconsole:
{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Attribute Name
! Type
! Type
! Description
! Description
|-
|authenticationType
|CaptivePortalSettings$AuthenticationType
|The authentication type
|-
|authenticationTypeValue
|String
|The authentication type as a string
|-
|-
|class
|class
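Review bot: The added CaptivePortalUserEvent description ends with "when Captive Portal user takes amconsole:", which does not parse and leaves a trailing colon directly before the table markup with no blank line between them. State the trigger in plain words and end the sentence with a period, as the other event descriptions do, then leave a blank line before `{|`.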
Line 622: Line 743:
|The class name
|The class name
|-
|-
|inBytes
|clientAddr
|long
|String
|The number of bytes received from this tunnel
|The client address
|-
|-
|outBytes
|event
|long
|CaptivePortalUserEvent$EventType
|The number of bytes sent in this tunnel
|The event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
|-
|-
|timeStamp
|eventValue
|Timestamp
|String
|The timestamp
|The event value as a string (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
|-
|-
|tunnelName
|loginName
|String
|String
|The name of this tunnel
|The login name
|-
|policyId
|Integer
|The policy ID
|-
|timeStamp
|Timestamp
|The timestamp
|}
|}
<section end='TunnelStatusEvent' />
<section end='CaptivePortalUserEvent' />




== VirtualUserEvent ==
== CaptureRuleEvent ==
<section begin='VirtualUserEvent' />
<section begin='CaptureRuleEvent' />


These events are created by [[IPsec VPN]] and inserted to the [[Database_Schema#ipsec_user_events|ipsec_user_events]] table when a user event occurs.
These events are created by [[Captive Portal]] and update the [[Database_Schema#sessions|sessions]] table when Captive Portal processes a session.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 650: Line 779:
! Type
! Type
! Description
! Description
|-
|captured
|boolean
|True if captured, false otherwise
|-
|-
|class
|class
Line 655: Line 788:
|The class name
|The class name
|-
|-
|clientAddress
|ruleId
|InetAddress
|Integer
|The client address
|The rule ID
|-
|-
|clientProtocol
|sessionEvent
|String
|SessionEvent
|The client protocol
|The session event
|-
|clientUsername
|String
|The client username
|-
|elapsedTime
|String
|The elapsed time
|-
|eventId
|Long
|The event ID
|-
|netInterface
|String
|The net interface
|-
|netProcess
|String
|The net process
|-
|netRXbytes
|Long
|The number of RX (received) bytes
|-
|netTXbytes
|Long
|The number of TX (transmitted) bytes
|-
|-
|timeStamp
|timeStamp
Line 695: Line 800:
|The timestamp
|The timestamp
|}
|}
<section end='VirtualUserEvent' />
<section end='CaptureRuleEvent' />




== AlertEvent ==
== TunnelStatusEvent ==
<section begin='AlertEvent' />
<section begin='TunnelStatusEvent' />


These events are created by [[Reports]] and inserted to the [[Database_Schema#alerts|alerts]] table when an alert fires.
These events are created by [[IPsec VPN]] and inserted to the [[Database_Schema#ipsec_tunnel_stats|ipsec_tunnel_stats]] table periodically.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 707: Line 812:
! Type
! Type
! Description
! Description
|-
|cause
|LogEvent
|The cause
|-
|-
|class
|class
Line 716: Line 817:
|The class name
|The class name
|-
|-
|description
|inBytes
|String
|long
|The description
|The number of bytes received from this tunnel
|-
|-
|json
|outBytes
|JSONObject
|long
|The JSON string
|The number of bytes sent in this tunnel
|-
|summaryText
|String
|The summary text
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|tunnelName
|String
|The name of this tunnel
|}
|}
<section end='AlertEvent' />
<section end='TunnelStatusEvent' />




== ConfigurationBackupEvent ==
== VirtualUserEvent ==
<section begin='ConfigurationBackupEvent' />
<section begin='VirtualUserEvent' />


These events are created by [[Configuration Backup]] and inserted to the [[Database_Schema#configuratio_backup_events|configuratio_backup_events]] table when a backup occurs.
These events are created by [[IPsec VPN]] and inserted to the [[Database_Schema#ipsec_user_events|ipsec_user_events]] table when a user event occurs.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 749: Line 850:
|The class name
|The class name
|-
|-
|destination
|clientAddress
|InetAddress
|The client address
|-
|clientProtocol
|String
|String
|The destination
|The client protocol
|-
|-
|detail
|clientUsername
|String
|String
|The details
|The client username
|-
|-
|success
|elapsedTime
|boolean
|String
|True if successful, false otherwise
|The elapsed time
|-
|-
|timeStamp
|eventId
|Timestamp
|Long
|The timestamp
|The event ID
|-
|netInterface
|String
|The net interface
|-
|netProcess
|String
|The net process
|-
|netRXbytes
|Long
|The number of RX (received) bytes
|-
|netTXbytes
|Long
|The number of TX (transmitted) bytes
|-
|timeStamp
|Timestamp
|The timestamp
|}
|}
<section end='ConfigurationBackupEvent' />
<section end='VirtualUserEvent' />




== WebCacheEvent ==
== ConfigurationBackupEvent ==
<section begin='WebCacheEvent' />
<section begin='ConfigurationBackupEvent' />


These events are created by [[Web Cache]] and inserted to the [[Database_Schema#web_cache_stats|web_cache_stats]] table periodically.
These events are created by [[Configuration Backup]] and inserted to the [[Database_Schema#configuratio_backup_events|configuratio_backup_events]] table when a backup occurs.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
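Review bot: The ConfigurationBackupEvent description names the table `configuratio_backup_events` in both the anchor and the link text, which looks like a dropped "n". Check it against Database_Schema: if the table is `configuration_backup_events`, the link will not resolve and anyone copying the name into a query will hit a missing table.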
Line 778: Line 903:
! Description
! Description
|-
|-
|bypassCount
|class
|long
|Class
|The number of bypasses
|-
|class
|Class
|The class name
|The class name
|-
|-
|hitBytes
|destination
|long
|String
|The number of bytes worth of hits
|The destination
|-
|-
|hitCount
|detail
|long
|String
|The number of hits
|The details
|-
|-
|missBytes
|success
|long
|boolean
|The number of bytes worth of misses
|True if successful, false otherwise
|-
|-
|missCount
|timeStamp
|long
|Timestamp
|The number of misses
|The timestamp
|-
|}
|policyId
<section end='ConfigurationBackupEvent' />
|Long
|The policy ID
|-
|systemCount
|long
|The number of system bypasses
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='WebCacheEvent' />




== PrioritizeEvent ==
== IntrusionPreventionLogEvent ==
<section begin='PrioritizeEvent' />
<section begin='IntrusionPreventionLogEvent' />


These events are created by the [[Bandwidth Control]] and update the [[Database_Schema#sessions|session]] table when a session is prioritized.
These events are created by [[Intrusion Prevention]] and inserted to the [[Database_Schema#intrusion_prevention_events|intrusion_prevention_events]] table when a rule matches.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 826: Line 935:
! Type
! Type
! Description
! Description
|-
|blocked
|short
|1 if blocked, 0 otherwise
|-
|category
|String
|The category
|-
|-
|class
|class
Line 831: Line 948:
|The class name
|The class name
|-
|-
|priority
|classificationId
|long
|The classification ID
|-
|classtype
|String
|The classtype
|-
|dportIcode
|int
|int
|The priority
|The dportIcode
|-
|-
|ruleId
|eventId
|int
|long
|The rule ID
|The event ID
|-
|-
|sessionEvent
|eventMicrosecond
|SessionEvent
|long
|The session event
|The event microsecond
|-
|-
|timeStamp
|eventSecond
|Timestamp
|long
|The timestamp
|The event second
|}
<section end='PrioritizeEvent' />
 
 
== HttpResponseEvent ==
<section begin='HttpResponseEvent' />
 
These events are created by HTTP subsystem and update the [[Database_Schema#http_events|http_events]] table when a web response happens.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|-
|class
|eventType
|Class
|long
|The class name
|The event type
|-
|-
|contentLength
|generatorId
|long
|long
|The content length
|The generator ID
|-
|-
|contentType
|impact
|String
|short
|The content type
|The impact
|-
|-
|httpRequestEvent
|impactFlag
|HttpRequestEvent
|short
|The corresponding HTTP request event
|The impact flag
|-
|-
|requestLine
|ipDestination
|RequestLine
|InetAddress
|The request line
|The IP address destination
|-
|-
|timeStamp
|ipSource
|Timestamp
|InetAddress
|The timestamp
|The IP address source
|}
<section end='HttpResponseEvent' />
 
 
== HttpRequestEvent ==
<section begin='HttpRequestEvent' />
 
These events are created by HTTP subsystem and inserted to the [[Database_Schema#http_events|http_events]] table when a web request happens.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|-
|class
|mplsLabel
|Class
|long
|The class name
|The mplsLabel
|-
|-
|contentLength
|msg
|long
|String
|The content length
|The msg
|-
|-
|domain
|padding
|String
|int
|The domain
|The padding
|-
|-
|host
|priorityId
|String
|long
|The host
|The priority ID
|-
|-
|method
|protocol
|HttpMethod
|short
|The HTTP method
|The protocol
|-
|-
|referer
|sensorId
|String
|long
|The referer
|The sensor ID
|-
|-
|requestId
|signatureId
|Long
|long
|The request ID
|The signature ID
|-
|-
|requestUri
|signatureRevision
|URI
|long
|The request URI
|The signature revision
|-
|-
|sessionEvent
|sportItype
|SessionEvent
|int
|The session event
|The sportItype
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|vlanId
|int
|The VLAN Id
|}
|}
<section end='HttpRequestEvent' />
<section end='IntrusionPreventionLogEvent' />




== ApplicationControlLiteEvent ==
== SslInspectorLogEvent ==
<section begin='ApplicationControlLiteEvent' />
<section begin='SslInspectorLogEvent' />


These events are created by [[Application Control Lite]] and update the [[Database_Schema#sessions|sessions]] table when application control lite identifies a session.
These events are created by [[SSL Inspector]] and update the [[Database_Schema#sessions|sessions]] table when a session is processed by SSL Inspector.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
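Review bot: Many of the IntrusionPreventionLogEvent rows added here only restate the attribute name ("The dportIcode", "The sportItype", "The msg", "The padding", "The impact", "The impact flag"), which is not enough to build detection or reporting on. Say what each field holds and its value range, and state how `eventSecond` and `eventMicrosecond` relate to `timeStamp` so readers know which one to use when correlating with other events.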
Line 950: Line 1,053:
! Description
! Description
|-
|-
|blocked
|class
|boolean
|True if blocked, false otherwise
|-
|class
|Class
|Class
|The class name
|The class name
|-
|-
|protocol
|detail
|String
|String
|The protocol
|The details
|-
|ruleId
|Integer
|The rule ID
|-
|sessionEvent
|SessionEvent
|The session event
|-
|-
|sessionId
|status
|Long
|String
|The session ID
|The status
|-
|-
|timeStamp
|timeStamp
Line 970: Line 1,077:
|The timestamp
|The timestamp
|}
|}
<section end='ApplicationControlLiteEvent' />
<section end='SslInspectorLogEvent' />




== FirewallEvent ==
== ApplicationControlLiteEvent ==
<section begin='FirewallEvent' />
<section begin='ApplicationControlLiteEvent' />


These events are created by [[Firewall]] and update the [[Database_Schema#sessions|sessions]] table when a firewall rule matches a session.
These events are created by [[Application Control Lite]] and update the [[Database_Schema#sessions|sessions]] table when application control lite identifies a session.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 991: Line 1,098:
|The class name
|The class name
|-
|-
|flagged
|protocol
|boolean
|String
|True if flagged, false otherwise
|The protocol
|-
|ruleId
|long
|The rule ID
|-
|-
|sessionId
|sessionId
Line 1,007: Line 1,110:
|The timestamp
|The timestamp
|}
|}
<section end='FirewallEvent' />
<section end='ApplicationControlLiteEvent' />




== WebFilterQueryEvent ==
== ApplicationControlLogEvent ==
<section begin='WebFilterQueryEvent' />
<section begin='ApplicationControlLogEvent' />


These events are created by [[Web Filter]] and inserted to the [[Database_Schema#http_query_events|http_query_events]] table when web filter processes a search engine search.
These events are created by [[Application Control]] and update the [[Database_Schema#sessions|sessions]] table when application control identifies a session.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,019: Line 1,122:
! Type
! Type
! Description
! Description
|-
|application
|String
|The application
|-
|blocked
|boolean
|True if blocked, false otherwise
|-
|category
|String
|The category
|-
|-
|class
|class
Line 1,024: Line 1,139:
|The class name
|The class name
|-
|-
|contentLength
|confidence
|long
|Integer
|The content length
|The confidence (0-100)
|-
|-
|host
|detail
|String
|String
|The host
|The details
|-
|-
|method
|flagged
|HttpMethod
|boolean
|The method
|True if flagged, false otherwise
|-
|-
|nodeName
|protochain
|String
|String
|The name of the application
|The protochain
|-
|-
|requestId
|ruleId
|Long
|Integer
|The request ID
|The rule ID
|-
|requestUri
|URI
|The request URI
|-
|-
|sessionEvent
|sessionEvent
Line 1,052: Line 1,163:
|The session event
|The session event
|-
|-
|term
|state
|String
|Integer
|The search term/phrase
|The state
|-
|-
|timeStamp
|timeStamp
Line 1,060: Line 1,171:
|The timestamp
|The timestamp
|}
|}
<section end='WebFilterQueryEvent' />
<section end='ApplicationControlLogEvent' />




== WebFilterEvent ==
== CookieEvent ==
<section begin='WebFilterEvent' />
<section begin='CookieEvent' />


These events are created by [[Web Filter]] and update the [[Database_Schema#http_events|http_events]] table when web filter processes a web request.
These events are created by [[Ad Blocker]] and update the [[Database_Schema#http_events|http_events]] table when a cookie is blocked.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,072: Line 1,183:
! Type
! Type
! Description
! Description
|-
|blocked
|Boolean
|True if blocked, false otherwise
|-
|category
|String
|The category
|-
|-
|class
|class
Line 1,085: Line 1,188:
|The class name
|The class name
|-
|-
|flagged
|identification
|Boolean
|True if flagged, false otherwise
|-
|nodeName
|String
|String
|The name of the application
|The identification string
|-
|-
|reason
|requestId
|Reason
|Long
|The reason
|The request ID
|-
|sessionEvent
|SessionEvent
|The session event
|-
|-
|timeStamp
|timeStamp
Line 1,101: Line 1,204:
|The timestamp
|The timestamp
|}
|}
<section end='WebFilterEvent' />
<section end='CookieEvent' />




== ApplicationControlLogEvent ==
== AdBlockerEvent ==
<section begin='ApplicationControlLogEvent' />
<section begin='AdBlockerEvent' />


These events are created by [[Application Control]] and update the [[Database_Schema#sessions|sessions]] table when application control identifies a session.
These events are created by [[Ad Blocker]] and update the [[Database_Schema#http_events|http_events]] table when an ad is blocked.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,114: Line 1,217:
! Description
! Description
|-
|-
|application
|action
|String
|Action
|The application
|The action
|-
|blocked
|boolean
|True if blocked, false otherwise
|-
|category
|String
|The category
|-
|-
|class
|class
Line 1,130: Line 1,225:
|The class name
|The class name
|-
|-
|confidence
|reason
|Integer
|String
|The confidence (0-100)
|The reason
|-
|-
|detail
|requestId
|String
|Long
|The details
|The request ID
|-
|flagged
|boolean
|True if flagged, false otherwise
|-
|protochain
|String
|The protochain
|-
|ruleId
|Integer
|The rule ID
|-
|sessionEvent
|SessionEvent
|The session event
|-
|state
|Integer
|The state
|-
|-
|timeStamp
|timeStamp
Line 1,162: Line 1,237:
|The timestamp
|The timestamp
|}
|}
<section end='ApplicationControlLogEvent' />
<section end='AdBlockerEvent' />




== SslInspectorLogEvent ==
== WebFilterQueryEvent ==
<section begin='SslInspectorLogEvent' />
<section begin='WebFilterQueryEvent' />


These events are created by [[SSL Inspector]] and update the [[Database_Schema#sessions|sessions]] table when a session is processed by SSL Inspector.
These events are created by [[Web Filter]] and inserted to the [[Database_Schema#http_query_events|http_query_events]] table when web filter processes a search engine search.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,174: Line 1,249:
! Type
! Type
! Description
! Description
|-
|appName
|String
|The name of the application
|-
|-
|class
|class
Line 1,179: Line 1,258:
|The class name
|The class name
|-
|-
|detail
|contentLength
|long
|The content length
|-
|host
|String
|String
|The details
|The host
|-
|method
|HttpMethod
|The method
|-
|requestId
|Long
|The request ID
|-
|-
|ruleId
|requestUri
|Integer
|URI
|The rule ID
|The request URI
|-
|-
|sessionEvent
|sessionEvent
Line 1,191: Line 1,282:
|The session event
|The session event
|-
|-
|status
|term
|String
|String
|The status
|The search term/phrase
|-
|-
|timeStamp
|timeStamp
Line 1,199: Line 1,290:
|The timestamp
|The timestamp
|}
|}
<section end='SslInspectorLogEvent' />
<section end='WebFilterQueryEvent' />




== SpamSmtpTarpitEvent ==
== WebFilterEvent ==
<section begin='SpamSmtpTarpitEvent' />
<section begin='WebFilterEvent' />


These events are created by [[Spam Blocker]] and inserted to the [[Database_Schema#smtp_tarpit_events|smtp_tarpit_events]] table when a session is tarpitted.
These events are created by [[Web Filter]] and update the [[Database_Schema#http_events|http_events]] table when web filter processes a web request.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,212: Line 1,303:
! Description
! Description
|-
|-
|iPAddr
|appName
|InetAddress
|String
|The IP address
|The name of the application
|-
|blocked
|Boolean
|True if blocked, false otherwise
|-
|category
|String
|The category
|-
|-
|class
|class
Line 1,220: Line 1,319:
|The class name
|The class name
|-
|-
|hostname
|flagged
|String
|Boolean
|The hostname
|True if flagged, false otherwise
|-
|-
|sessionEvent
|reason
|Reason
|The reason
|-
|requestLine
|RequestLine
|The request line
|-
|sessionEvent
|SessionEvent
|SessionEvent
|The session event
|The session event
|-
|sessionId
|Long
|The session ID
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|vendorName
|String
|The application name
|}
|}
<section end='SpamSmtpTarpitEvent' />
<section end='WebFilterEvent' />




== SpamLogEvent ==
== PrioritizeEvent ==
<section begin='SpamLogEvent' />
<section begin='PrioritizeEvent' />


These events are created by [[Spam Blocker]] and update the [[Database_Schema#mail_msgs|mail_msgs]] table when an email is scanned.
These events are created by the [[Bandwidth Control]] and update the [[Database_Schema#sessions|session]] table when a session is prioritized.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,252: Line 1,351:
! Type
! Type
! Description
! Description
|-
|action
|SpamMessageAction
|The action
|-
|-
|class
|class
Line 1,261: Line 1,356:
|The class name
|The class name
|-
|-
|clientAddr
|priority
|InetAddress
|int
|The client address
|The priority
|-
|-
|clientPort
|ruleId
|int
|int
|The client port
|The rule ID
|-
|-
|messageId
|sessionEvent
|Long
|SessionEvent
|The message ID
|The session event
|-
|-
|receiver
|timeStamp
|String
|Timestamp
|The receiver
|The timestamp
|}
<section end='PrioritizeEvent' />
 
 
== WanFailoverTestEvent ==
<section begin='WanFailoverTestEvent' />
 
These events are created by [[WAN Failover]] and inserted to the [[Database_Schema#wan_failover_test_events|wan_failover_test_events]] table when a test is run.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|-
|score
|class
|float
|Class
|The score
|The class name
|-
|-
|sender
|description
|String
|String
|The sender
|The description
|-
|-
|serverAddr
|interfaceId
|InetAddress
|The server address
|-
|serverPort
|int
|int
|The server port
|The interface ID
|-
|-
|smtpMessageEvent
|name
|SmtpMessageEvent
|String
|The parent SMTP message event
|The test name
|-
|-
|isSpam
|osName
|boolean
|True if spam, false otherwise
|-
|subject
|String
|String
|The subject
|The O/S interface name
|-
|-
|testsString
|success
|String
|Boolean
|The tests string from the spam engine
|True if successful, false otherwise
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|vendorName
|String
|The application name
|}
|}
<section end='SpamLogEvent' />
<section end='WanFailoverTestEvent' />




== SpamSmtpTarpitEvent ==
== WanFailoverEvent ==
<section begin='SpamSmtpTarpitEvent' />
<section begin='WanFailoverEvent' />


These events are created by [[Spam Blocker]] and inserted to the [[Database_Schema#smtp_tarpit_events|smtp_tarpit_events]] table when a session is tarpitted.
These events are created by [[WAN Failover]] and inserted to the [[Database_Schema#wan_failover_action_events|wan_failover_action_events]] table when WAN Failover takes an action.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,330: Line 1,426:
! Description
! Description
|-
|-
|iPAddr
|action
|InetAddress
|WanFailoverEvent$Action
|The IP address
|The action
|-
|-
|class
|class
Line 1,338: Line 1,434:
|The class name
|The class name
|-
|-
|hostname
|interfaceId
|int
|The interface ID
|-
|name
|String
|String
|The hostname
|The name
|-
|-
|sessionEvent
|osName
|SessionEvent
|String
|The session event
|The O/S interface name
|-
|sessionId
|Long
|The session ID
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|vendorName
|String
|The application name
|}
|}
<section end='SpamSmtpTarpitEvent' />
<section end='WanFailoverEvent' />




== SpamLogEvent ==
== SpamSmtpTarpitEvent ==
<section begin='SpamLogEvent' />
<section begin='SpamSmtpTarpitEvent' />


These events are created by [[Spam Blocker]] and update the [[Database_Schema#mail_msgs|mail_msgs]] table when an email is scanned.
These events are created by [[Spam Blocker]] and inserted to the [[Database_Schema#smtp_tarpit_events|smtp_tarpit_events]] table when a session is tarpitted.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,371: Line 1,463:
! Description
! Description
|-
|-
|action
|IPAddr
|SpamMessageAction
|InetAddress
|The action
|The IP address
|-
|-
|class
|class
Line 1,379: Line 1,471:
|The class name
|The class name
|-
|-
|clientAddr
|hostname
|InetAddress
|String
|The client address
|The hostname
|-
|-
|clientPort
|sessionEvent
|int
|SessionEvent
|The client port
|The session event
|-
|-
|messageId
|sessionId
|Long
|Long
|The message ID
|The session ID
|-
|-
|receiver
|timeStamp
|String
|Timestamp
|The receiver
|The timestamp
|-
|-
|score
|vendorName
|float
|The score
|-
|sender
|String
|String
|The sender
|The application name
|-
|}
|serverAddr
<section end='SpamSmtpTarpitEvent' />
 
 
== SpamLogEvent ==
<section begin='SpamLogEvent' />
 
These events are created by [[Spam Blocker]] and update the [[Database_Schema#mail_msgs|mail_msgs]] table when an email is scanned.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|action
|SpamMessageAction
|The action
|-
|class
|Class
|The class name
|-
|clientAddr
|InetAddress
|InetAddress
|The server address
|The client address
|-
|-
|serverPort
|clientPort
|int
|int
|The server port
|The client port
|-
|-
|smtpMessageEvent
|messageId
|SmtpMessageEvent
|Long
|The message ID
|-
|receiver
|String
|The receiver
|-
|score
|float
|The score
|-
|sender
|String
|The sender
|-
|serverAddr
|InetAddress
|The server address
|-
|serverPort
|int
|The server port
|-
|smtpMessageEvent
|SmtpMessageEvent
|The parent SMTP message event
|The parent SMTP message event
|-
|-
Line 1,438: Line 1,571:




== CookieEvent ==
== FirewallEvent ==
<section begin='CookieEvent' />
<section begin='FirewallEvent' />


These events are created by [[Ad Blocker]] and update the [[Database_Schema#http_events|http_events]] table when a cookie is blocked.
These events are created by [[Firewall]] and update the [[Database_Schema#sessions|sessions]] table when a firewall rule matches a session.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,447: Line 1,580:
! Type
! Type
! Description
! Description
|-
|blocked
|boolean
|True if blocked, false otherwise
|-
|-
|class
|class
Line 1,452: Line 1,589:
|The class name
|The class name
|-
|-
|identification
|flagged
|String
|boolean
|The identification string
|True if flagged, false otherwise
|-
|ruleId
|long
|The rule ID
|-
|-
|requestId
|sessionId
|Long
|Long
|The request ID
|The session ID
|-
|sessionEvent
|SessionEvent
|The session event
|-
|-
|timeStamp
|timeStamp
Line 1,468: Line 1,605:
|The timestamp
|The timestamp
|}
|}
<section end='CookieEvent' />
<section end='FirewallEvent' />




== AdBlockerEvent ==
== LoginEvent ==
<section begin='AdBlockerEvent' />
<section begin='LoginEvent' />


These events are created by [[Ad Blocker]] and update the [[Database_Schema#http_events|http_events]] table when an ad is blocked.
These events are created by [[Directory Connector]] and inserted to the [[Database_Schema#directory_connector_login_events|directory_connector_login_events]] table for each login.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,481: Line 1,618:
! Description
! Description
|-
|-
|action
|class
|Action
|The action
|-
|class
|Class
|Class
|The class name
|The class name
|-
|-
|reason
|clientAddr
|InetAddress
|The client address
|-
|domain
|String
|The domain
|-
|event
|String
|String
|The reason
|The event
|-
|-
|requestId
|loginName
|Long
|String
|The request ID
|The login name
|-
|-
|timeStamp
|timeStamp
Line 1,501: Line 1,642:
|The timestamp
|The timestamp
|}
|}
<section end='AdBlockerEvent' />
<section end='LoginEvent' />




== IntrusionPreventionLogEvent ==
== SmtpMessageAddressEvent ==
<section begin='IntrusionPreventionLogEvent' />
<section begin='SmtpMessageAddressEvent' />


These events are created by [[Intrusion Prevention]] and inserted to the [[Database_Schema#intrusion_prevention_events|intrusion_prevention_events]] table when a rule matches.
These events are created by SMTP subsystem and inserted to the [[Database_Schema#mail_addrs|mail_addrs]] table for each address on each email.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,514: Line 1,655:
! Description
! Description
|-
|-
|blocked
|addr
|short
|1 if blocked, 0 otherwise
|-
|category
|String
|String
|The category
|The address
|-
|-
|class
|class
Line 1,526: Line 1,663:
|The class name
|The class name
|-
|-
|classificationId
|kind
|long
|AddressKind
|The classification ID
|The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
|-
|messageId
|Long
|The message ID
|-
|-
|classtype
|personal
|String
|String
|The classtype
|personal
|-
|-
|dportIcode
|timeStamp
|int
|Timestamp
|The dportIcode
|The timestamp
|-
|}
|eventId
<section end='SmtpMessageAddressEvent' />
|long
 
|The event ID
 
== SmtpMessageEvent ==
<section begin='SmtpMessageEvent' />
 
These events are created by SMTP subsystem and inserted to the [[Database_Schema#mail_msgs|mail_msgs]] table for each email.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|-
|eventMicrosecond
|addresses
|long
|Set
|The event microsecond
|The addresses
|-
|-
|eventSecond
|class
|long
|Class
|The event second
|The class name
|-
|-
|eventType
|envelopeFromAddress
|long
|String
|The event type
|The envelop FROM address
|-
|-
|generatorId
|envelopeToAddress
|long
|String
|The generator ID
|The envelope TO address
|-
|-
|impact
|messageId
|short
|Long
|The impact
|The message ID
|-
|-
|impactFlag
|receiver
|short
|String
|The impact flag
|The receiver
|-
|-
|ipDestination
|sender
|InetAddress
|String
|The IP address destination
|The sender
|-
|-
|ipSource
|sessionEvent
|InetAddress
|SessionEvent
|The IP address source
|The session event
|-
|-
|mplsLabel
|sessionId
|long
|Long
|The mplsLabel
|The session ID
|-
|-
|msg
|subject
|String
|String
|The msg
|The subject
|-
|-
|padding
|timeStamp
|int
|Timestamp
|The padding
|The timestamp
|-
|-
|priorityId
|tmpFile
|long
|File
|The priority ID
|The /tmp file
|-
|}
|protocol
<section end='SmtpMessageEvent' />
|short
 
|The protocol
 
|-
== VirusSmtpEvent ==
|sensorId
<section begin='VirusSmtpEvent' />
|long
 
|The sensor ID
These events are created by [[Virus Blocker]] and update the [[Database_Schema#mail_msgs|mail_msgs]] table when Virus Blocker scans an email.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|-
|signatureId
|action
|long
|String
|The signature ID
|The action
|-
|-
|signatureRevision
|appName
|long
|String
|The signature revision
|The name of the application
|-
|-
|sportItype
|class
|int
|Class
|The sportItype
|The class name
|-
|-
|timeStamp
|clean
|boolean
|True if clean, false otherwise
|-
|messageId
|Long
|The message ID
|-
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|-
|vlanId
|virusName
|int
|String
|The VLAN Id
|The virus name, if not clean
|}
|}
<section end='IntrusionPreventionLogEvent' />
<section end='VirusSmtpEvent' />




== WanFailoverTestEvent ==
== VirusFtpEvent ==
<section begin='WanFailoverTestEvent' />
<section begin='VirusFtpEvent' />


These events are created by [[WAN Failover]] and inserted to the [[Database_Schema#wan_failover_test_events|wan_failover_test_events]] table when a test is run.
These events are created by [[Virus Blocker]] and update the [[Database_Schema#ftp_events|ftp_events]] table when Virus Blocker scans an FTP transfer.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
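Review bot: in the SmtpMessageAddressEvent table on the new side, the `personal` row's description is just `personal`, which says nothing about what the field holds; give it a real description like the other rows. In the SmtpMessageEvent table of the same hunk, `The envelop FROM address` should read `envelope`, matching `The envelope TO address` on the next row, and `The /tmp file` for `tmpFile` would be clearer if it said what the file is used for.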
Line 1,630: Line 1,793:
! Type
! Type
! Description
! Description
|-
|appName
|String
|The name of the application
|-
|-
|class
|class
Line 1,635: Line 1,802:
|The class name
|The class name
|-
|-
|description
|clean
|String
|boolean
|The description
|True if clean, false otherwise
|-
|-
|interfaceId
|sessionEvent
|int
|SessionEvent
|The interface ID
|The session event
|-
|timeStamp
|Timestamp
|The timestamp
|-
|-
|name
|uri
|String
|String
|The test name
|The URI
|-
|-
|osName
|virusName
|String
|String
|The O/S interface name
|The virus name, if not clean
|-
|success
|Boolean
|True if successful, false otherwise
|-
|timeStamp
|Timestamp
|The timestamp
|}
|}
<section end='WanFailoverTestEvent' />
<section end='VirusFtpEvent' />




== WanFailoverEvent ==
== VirusHttpEvent ==
<section begin='WanFailoverEvent' />
<section begin='VirusHttpEvent' />


These events are created by [[WAN Failover]] and inserted to the [[Database_Schema#wan_failover_action_events|wan_failover_action_events]] table when WAN Failover takes an action.
These events are created by [[Virus Blocker]] and update the [[Database_Schema#http_events|http_events]] table when Virus Blocker scans an HTTP transfer.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,672: Line 1,835:
! Description
! Description
|-
|-
|action
|appName
|WanFailoverEvent$Action
|String
|The action
|The name of the application
|-
|-
|class
|class
Line 1,680: Line 1,843:
|The class name
|The class name
|-
|-
|interfaceId
|clean
|int
|boolean
|The interface ID
|True if clean, false otherwise
|-
|-
|name
|requestId
|String
|Long
|The name
|The request ID
|-
|osName
|String
|The O/S interface name
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|virusName
|String
|The virus name, if not clean
|}
|}
<section end='WanFailoverEvent' />
<section end='VirusHttpEvent' />




== CaptivePortalUserEvent ==
== SpamSmtpTarpitEvent ==
<section begin='CaptivePortalUserEvent' />
<section begin='SpamSmtpTarpitEvent' />


These events are created by [[Captive Portal]] and inserted to the [[Database_Schema#captive_portal_user_events|captive_portal_user_events]] table when Captive Portal user takes an action.
These events are created by [[Spam Blocker]] and inserted to the [[Database_Schema#smtp_tarpit_events|smtp_tarpit_events]] table when a session is tarpitted.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
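Review bot: the new side adds `== SpamSmtpTarpitEvent ==` and `<section begin='SpamSmtpTarpitEvent' />` here, but the same heading and section label are already added on the new side of the earlier hunk headed `Line 1,338: Line 1,434:`, so this revision carries two sections with the same name. The hunk headed `Line 1,721: Line 1,880:` does the same for `SpamLogEvent`. Keep one copy of each; a duplicated label makes any reference to the section by name ambiguous.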
Line 1,709: Line 1,872:
! Description
! Description
|-
|-
|authenticationType
|IPAddr
|CaptivePortalSettings$AuthenticationType
|InetAddress
|The authentication type
|The IP address
|-
|authenticationTypeValue
|String
|The authentication type as a string
|-
|-
|class
|class
Line 1,721: Line 1,880:
|The class name
|The class name
|-
|-
|clientAddr
|hostname
|InetAddress
|String
|The client address
|The hostname
|-
|-
|event
|sessionEvent
|CaptivePortalUserEvent$EventType
|SessionEvent
|The event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
|The session event
|-
|-
|eventValue
|sessionId
|String
|Long
|The event value as a string (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
|The session ID
|-
|loginName
|String
|The login name
|-
|policyId
|Integer
|The policy ID
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|vendorName
|String
|The application name
|}
|}
<section end='CaptivePortalUserEvent' />
<section end='SpamSmtpTarpitEvent' />




== CaptureRuleEvent ==
== SpamLogEvent ==
<section begin='CaptureRuleEvent' />
<section begin='SpamLogEvent' />


These events are created by [[Captive Portal]] and update the [[Database_Schema#sessions|sessions]] table when Captive Portal processes a session.
These events are created by [[Spam Blocker]] and update the [[Database_Schema#mail_msgs|mail_msgs]] table when an email is scanned.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,758: Line 1,913:
! Description
! Description
|-
|-
|captured
|action
|boolean
|SpamMessageAction
|True if captured, false otherwise
|The action
|-
|-
|class
|class
Line 1,766: Line 1,921:
|The class name
|The class name
|-
|-
|ruleId
|clientAddr
|Integer
|InetAddress
|The rule ID
|The client address
|-
|-
|sessionEvent
|clientPort
|SessionEvent
|int
|The session event
|The client port
|-
|-
|timeStamp
|messageId
|Timestamp
|Long
|The timestamp
|The message ID
|}
<section end='CaptureRuleEvent' />
 
 
== VirusSmtpEvent ==
<section begin='VirusSmtpEvent' />
 
These events are created by [[Virus Blocker]] and update the [[Database_Schema#mail_msgs|mail_msgs]] table when Virus Blocker scans an email.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|-
|action
|receiver
|String
|String
|The action
|The receiver
|-
|-
|class
|score
|Class
|float
|The class name
|The score
|-
|-
|clean
|sender
|boolean
|String
|True if clean, false otherwise
|The sender
|-
|-
|messageId
|serverAddr
|Long
|InetAddress
|The message ID
|The server address
|-
|-
|nodeName
|serverPort
|String
|int
|The name of the application
|The server port
|-
|-
|timeStamp
|smtpMessageEvent
|Timestamp
|SmtpMessageEvent
|The timestamp
|The parent SMTP message event
|-
|-
|virusName
|isSpam
|boolean
|True if spam, false otherwise
|-
|subject
|String
|The subject
|-
|testsString
|String
|The tests string from the spam engine
|-
|timeStamp
|Timestamp
|The timestamp
|-
|vendorName
|String
|String
|The virus name, if not clean
|The application name
|}
|}
<section end='VirusSmtpEvent' />
<section end='SpamLogEvent' />




== VirusFtpEvent ==
== HttpResponseEvent ==
<section begin='VirusFtpEvent' />
<section begin='HttpResponseEvent' />


These events are created by [[Virus Blocker]] and update the [[Database_Schema#ftp_events|ftp_events]] table when Virus Blocker scans an FTP transfer.
These events are created by HTTP subsystem and update the [[Database_Schema#http_events|http_events]] table when a web response happens.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,836: Line 1,994:
|The class name
|The class name
|-
|-
|clean
|contentLength
|boolean
|long
|True if clean, false otherwise
|The content length
|-
|-
|nodeName
|contentType
|String
|String
|The name of the application
|The content type
|-
|httpRequestEvent
|HttpRequestEvent
|The corresponding HTTP request event
|-
|-
|sessionEvent
|requestLine
|SessionEvent
|RequestLine
|The session event
|The request line
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|uri
|String
|The URI
|-
|virusName
|String
|The virus name, if not clean
|}
|}
<section end='VirusFtpEvent' />
<section end='HttpResponseEvent' />




== VirusHttpEvent ==
== HttpRequestEvent ==
<section begin='VirusHttpEvent' />
<section begin='HttpRequestEvent' />


These events are created by [[Virus Blocker]] and update the [[Database_Schema#http_events|http_events]] table when Virus Blocker scans an HTTP transfer.
These events are created by HTTP subsystem and inserted to the [[Database_Schema#http_events|http_events]] table when a web request happens.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,877: Line 2,031:
|The class name
|The class name
|-
|-
|clean
|contentLength
|boolean
|long
|True if clean, false otherwise
|The content length
|-
|domain
|String
|The domain
|-
|host
|String
|The host
|-
|method
|HttpMethod
|The HTTP method
|-
|-
|nodeName
|referer
|String
|String
|The name of the application
|The referer
|-
|-
|requestId
|requestId
|Long
|Long
|The request ID
|The request ID
|-
|requestUri
|URI
|The request URI
|-
|sessionEvent
|SessionEvent
|The session event
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|virusName
|String
|The virus name, if not clean
|}
|}
<section end='VirusHttpEvent' />
<section end='HttpRequestEvent' />




Line 1,998: Line 2,168:




== SmtpMessageAddressEvent ==
== WebCacheEvent ==
<section begin='SmtpMessageAddressEvent' />
<section begin='WebCacheEvent' />


These events are created by SMTP subsystem and inserted to the [[Database_Schema#mail_addrs|mail_addrs]] table for each address on each email.
These events are created by [[Web Cache]] and inserted to the [[Database_Schema#web_cache_stats|web_cache_stats]] table periodically.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 2,008: Line 2,178:
! Description
! Description
|-
|-
|addr
|bypassCount
|String
|long
|The address
|The number of bypasses
|-
|-
|class
|class
Line 2,016: Line 2,186:
|The class name
|The class name
|-
|-
|kind
|hitBytes
|AddressKind
|long
|The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
|The number of bytes worth of hits
|-
|-
|messageId
|hitCount
|Long
|long
|The message ID
|The number of hits
|-
|-
|personal
|missBytes
|String
|long
|personal
|The number of bytes worth of misses
|-
|-
|timeStamp
|missCount
|Timestamp
|long
|The timestamp
|The number of misses
|}
<section end='SmtpMessageAddressEvent' />
 
 
== SmtpMessageEvent ==
<section begin='SmtpMessageEvent' />
 
These events are created by SMTP subsystem and inserted to the [[Database_Schema#mail_msgs|mail_msgs]] table for each email.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|addresses
|Set
|The addresses
|-
|class
|Class
|The class name
|-
|envelopeFromAddress
|String
|The envelop FROM address
|-
|envelopeToAddress
|String
|The envelope TO address
|-
|messageId
|Long
|The message ID
|-
|receiver
|String
|The receiver
|-
|sender
|String
|The sender
|-
|sessionEvent
|SessionEvent
|The session event
|-
|sessionId
|Long
|The session ID
|-
|subject
|String
|The subject
|-
|timeStamp
|Timestamp
|The timestamp
|-
|tmpFile
|File
|The /tmp file
|}
<section end='SmtpMessageEvent' />
 
 
== LoginEvent ==
<section begin='LoginEvent' />
 
These events are created by [[Directory Connector]] and inserted to the [[Database_Schema#directory_connector_login_events|directory_connector_login_events]] table for each login.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|-
|class
|policyId
|Class
|Long
|The class name
|The policy ID
|-
|-
|clientAddr
|systemCount
|InetAddress
|long
|The client address
|The number of system bypasses
|-
|domain
|String
|The domain
|-
|event
|String
|The event
|-
|loginName
|String
|The login name
|-
|-
|timeStamp
|timeStamp
Line 2,130: Line 2,214:
|The timestamp
|The timestamp
|}
|}
<section end='LoginEvent' />
<section end='WebCacheEvent' />

Revision as of 18:17, 10 August 2017

All event data is stored in the Database Schema in a relational database. As Untangle and applications process traffic they create Event objects that add and modify content in the database. Each event has its own class/object with certain fields that modify the database in a certain way.

The list below shows the classes used in the event logging and the attributes of each event object. These can be used to add alerts in Reports or for other event handling within Untangle.

HostTableEvent

<section begin='HostTableEvent' />

These events are created by the base system and inserted to the host_table_updates table when the host table is modified.

Attribute Name Type Description
address InetAddress The address
class Class The class name
key String The key
oldValue String The old value
timeStamp Timestamp The timestamp
value String The value

<section end='HostTableEvent' />


DeviceTableEvent

<section begin='DeviceTableEvent' />

These events are created by the base system and inserted to the device_table_updates table when the device list is modified.

Attribute Name Type Description
class Class The class name
device DeviceTableEntry The Device
key String The key
macAddress String The MAC address
oldValue String The old value
timeStamp Timestamp The timestamp
value String The value

<section end='DeviceTableEvent' />


UserTableEvent

<section begin='UserTableEvent' />

These events are created by the base system and inserted to the user_table_updates table when the user table is modified.

Attribute Name Type Description
class Class The class name
key String The key
oldValue String The old value
timeStamp Timestamp The timestamp
username String The username
value String The value

<section end='UserTableEvent' />


SessionStatsEvent

<section begin='SessionStatsEvent' />

These events are created by the base system and update the sessions table when a session ends with the updated stats.

Attribute Name Type Description
c2pBytes long The number of bytes sent from the client to Untangle
class Class The class name
endTime long The end time/date
p2cBytes long The number of bytes sent to the client from Untangle
p2sBytes long The number of bytes sent to the server from Untangle
s2pBytes long The number of bytes sent from the server to Untangle
sessionEvent SessionEvent The session event
sessionId Long The session ID
timeStamp Timestamp The timestamp

<section end='SessionStatsEvent' />


SessionEvent

<section begin='SessionEvent' />

These events are created by the base system and update the sessions table each time a session is created.

Attribute Name Type Description
CClientAddr InetAddress The client-side (pre-NAT) client address
CClientPort Integer The client-side (pre-NAT) client port
CServerAddr InetAddress The client-side (pre-NAT) server address
CServerPort Integer The client-side (pre-NAT) server port
SClientAddr InetAddress The server-side (post-NAT) client address
SClientPort Integer The server-side (post-NAT) client port
SServerAddr InetAddress The server-side (post-NAT) server address
SServerPort Integer The server-side (post-NAT) server port
bypassed boolean True if bypassed, false otherwise
class Class The class name
clientCountry String The client country
clientIntf Integer The client interface ID
clientLatitude Double The client latitude
clientLongitude Double The client longitude
entitled boolean The entitled status
filterPrefix String The filter prefix if blocked by the filter rules
hostname String The hostname
icmpType Short The ICMP type
localAddr InetAddress The local host address
policyId Integer The policy ID
policyRuleId Integer The policy rule ID
protocol Short The protocol
protocolName String The protocol name
remoteAddr InetAddress The remote host address
serverCountry String The server country
serverIntf Integer The server interface ID
serverLatitude Double The server latitude
serverLongitude Double The server longitude
sessionId Long The session ID
tagsString String The string value of all tags
timeStamp Timestamp The timestamp
username String The username

<section end='SessionEvent' />


SessionMinuteEvent

<section begin='SessionMinuteEvent' />

These events are created by the base system and update the session_minutes table each minute a session exists.

Attribute Name Type Description
c2sBytes long The number of bytes sent from the client to the server
class Class The class name
s2cBytes long The number of bytes sent from the server to the client
sessionId long The session ID
timeStamp Timestamp The timestamp

<section end='SessionMinuteEvent' />


SessionNatEvent

<section begin='SessionNatEvent' />

These events are created by the base system and update the sessions table with the post-NAT information each time a session is NATed.

Attribute Name Type Description
SClientAddr InetAddress The server-side (post-NAT) client address
SClientPort Integer The server-side (post-NAT) client port
SServerAddr InetAddress The server-side (post-NAT) server address
SServerPort Integer The server-side (post-NAT) server port
class Class The class name
serverIntf Integer The server interface ID
sessionEvent SessionEvent The session event
timeStamp Timestamp The timestamp

<section end='SessionNatEvent' />


QuotaEvent

<section begin='QuotaEvent' />

These events are created by Bandwidth Control and are inserted into or update the quotas table when quotas are given or exceeded.

Attribute Name Type Description
action int The action (1=Quota Given, 2=Quota Exceeded)
class Class The class name
entity String The entity
quotaSize long The quota size
reason String The reason
timeStamp Timestamp The timestamp

<section end='QuotaEvent' />


SettingsChangesEvent

<section begin='SettingsChangesEvent' />

These events are created by the base system and inserted to the settings_changes table when settings are changed.

Attribute Name Type Description
class Class The class name
hostname String The hostname
settingsFile String The settings file
timeStamp Timestamp The timestamp
username String The username

<section end='SettingsChangesEvent' />


AdminLoginEvent

<section begin='AdminLoginEvent' />

These events are created by the base system and inserted to the admin_logins table when an administrator login is attempted or successful.

Attribute Name Type Description
class Class The class name
clientAddress InetAddress The client address
local boolean 1 if login is done via local console, 0 otherwise
login String The login username
reason String The reason
succeeded boolean 1 if successful, 0 otherwise
timeStamp Timestamp The timestamp

<section end='AdminLoginEvent' />


AlertEvent

<section begin='AlertEvent' />

These events are created by Reports and inserted to the alerts table when an alert fires.

Attribute Name Type Description
causalRule EventRule The causal rule
cause LogEvent The cause
class Class The class name
description String The description
eventSent Boolean True if the event was sent, false otherwise
json String The JSON string
summaryText String The summary text
timeStamp Timestamp The timestamp

<section end='AlertEvent' />


LogEvent

<section begin='LogEvent' />

This is the base class for all events.

Attribute Name Type Description
class Class The class name
timeStamp Timestamp The timestamp

<section end='LogEvent' />


InterfaceStatEvent

<section begin='InterfaceStatEvent' />

These events are created by the base system and inserted to the interface_stat_events table periodically with interface stats.

Attribute Name Type Description
class Class The class name
interfaceId int The interface ID
rxBytes double The total of received bytes
rxRate double The RX rate in byte/s
timeStamp Timestamp The timestamp
txBytes double The total of transmitted bytes
txRate double The TX rate in byte/s

<section end='InterfaceStatEvent' />


SystemStatEvent

<section begin='SystemStatEvent' />

These events are created by the base system and inserted to the server_events table periodically.

Attribute Name Type Description
activeHosts int The active host count
class Class The class name
cpuSystem float The system CPU utilization
cpuUser float The user CPU utilization
diskFree long The amount of disk free
diskFreePercent float The percentage of disk free
diskTotal long The total size of the disk
diskUsed long The amount of disk used
diskUsedPercent float The percentage of disk used
load1 float The 1-minute CPU load
load15 float The 15-minute CPU load
load5 float The 5-minute CPU load
memBuffers long The amount of memory used by buffers
memCache long The amount of memory used by cache
memFree long The amount of free memory
memFreePercent float The percentage of total memory that is free
memTotal long The total amount of memory
memUsed long The amount of used memory
memUsedPercent float The percentage of total memory that is used
swapFree long The amount of free swap
swapFreePercent float The percentage of total swap that is free
swapTotal long The total size of swap
swapUsed long The amount of used swap
swapUsedPercent float The percentage of total swap that is used
timeStamp Timestamp The timestamp

<section end='SystemStatEvent' />


CaptivePortalUserEvent

<section begin='CaptivePortalUserEvent' />

These events are created by Captive Portal and inserted to the captive_portal_user_events table when a Captive Portal user takes an action.

Attribute Name Type Description
authenticationType CaptivePortalSettings$AuthenticationType The authentication type
authenticationTypeValue String The authentication type as a string
class Class The class name
clientAddr String The client address
event CaptivePortalUserEvent$EventType The event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
eventValue String The event value as a string (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
loginName String The login name
policyId Integer The policy ID
timeStamp Timestamp The timestamp

<section end='CaptivePortalUserEvent' />


CaptureRuleEvent

<section begin='CaptureRuleEvent' />

These events are created by Captive Portal and update the sessions table when Captive Portal processes a session.

Attribute Name Type Description
captured boolean True if captured, false otherwise
class Class The class name
ruleId Integer The rule ID
sessionEvent SessionEvent The session event
timeStamp Timestamp The timestamp

<section end='CaptureRuleEvent' />


TunnelStatusEvent

<section begin='TunnelStatusEvent' />

These events are created by IPsec VPN and inserted to the ipsec_tunnel_stats table periodically.

Attribute Name Type Description
class Class The class name
inBytes long The number of bytes received from this tunnel
outBytes long The number of bytes sent in this tunnel
timeStamp Timestamp The timestamp
tunnelName String The name of this tunnel

<section end='TunnelStatusEvent' />


VirtualUserEvent

<section begin='VirtualUserEvent' />

These events are created by IPsec VPN and inserted to the ipsec_user_events table when a user event occurs.

Attribute Name Type Description
class Class The class name
clientAddress InetAddress The client address
clientProtocol String The client protocol
clientUsername String The client username
elapsedTime String The elapsed time
eventId Long The event ID
netInterface String The net interface
netProcess String The net process
netRXbytes Long The number of RX (received) bytes
netTXbytes Long The number of TX (transmitted) bytes
timeStamp Timestamp The timestamp

<section end='VirtualUserEvent' />


ConfigurationBackupEvent

<section begin='ConfigurationBackupEvent' />

These events are created by Configuration Backup and inserted to the configuration_backup_events table when a backup occurs.

Attribute Name Type Description
class Class The class name
destination String The destination
detail String The details
success boolean True if successful, false otherwise
timeStamp Timestamp The timestamp

<section end='ConfigurationBackupEvent' />


IntrusionPreventionLogEvent

<section begin='IntrusionPreventionLogEvent' />

These events are created by Intrusion Prevention and inserted to the intrusion_prevention_events table when a rule matches.

Attribute Name Type Description
blocked short 1 if blocked, 0 otherwise
category String The category
class Class The class name
classificationId long The classification ID
classtype String The classtype
dportIcode int The dportIcode
eventId long The event ID
eventMicrosecond long The event microsecond
eventSecond long The event second
eventType long The event type
generatorId long The generator ID
impact short The impact
impactFlag short The impact flag
ipDestination InetAddress The IP address destination
ipSource InetAddress The IP address source
mplsLabel long The mplsLabel
msg String The msg
padding int The padding
priorityId long The priority ID
protocol short The protocol
sensorId long The sensor ID
signatureId long The signature ID
signatureRevision long The signature revision
sportItype int The sportItype
timeStamp Timestamp The timestamp
vlanId int The VLAN Id

<section end='IntrusionPreventionLogEvent' />


SslInspectorLogEvent

<section begin='SslInspectorLogEvent' />

These events are created by SSL Inspector and update the sessions table when a session is processed by SSL Inspector.

Attribute Name Type Description
class Class The class name
detail String The details
ruleId Integer The rule ID
sessionEvent SessionEvent The session event
status String The status
timeStamp Timestamp The timestamp

<section end='SslInspectorLogEvent' />


ApplicationControlLiteEvent

<section begin='ApplicationControlLiteEvent' />

These events are created by Application Control Lite and update the sessions table when application control lite identifies a session.

Attribute Name Type Description
blocked boolean True if blocked, false otherwise
class Class The class name
protocol String The protocol
sessionId Long The session ID
timeStamp Timestamp The timestamp

<section end='ApplicationControlLiteEvent' />


ApplicationControlLogEvent

<section begin='ApplicationControlLogEvent' />

These events are created by Application Control and update the sessions table when Application Control identifies a session.

Attribute Name Type Description
application String The application
blocked boolean True if blocked, false otherwise
category String The category
class Class The class name
confidence Integer The confidence (0-100)
detail String The details
flagged boolean True if flagged, false otherwise
protochain String The protochain
ruleId Integer The rule ID
sessionEvent SessionEvent The session event
state Integer The state
timeStamp Timestamp The timestamp

<section end='ApplicationControlLogEvent' />


CookieEvent

<section begin='CookieEvent' />

These events are created by Ad Blocker and update the http_events table when a cookie is blocked.

Attribute Name Type Description
class Class The class name
identification String The identification string
requestId Long The request ID
sessionEvent SessionEvent The session event
timeStamp Timestamp The timestamp

<section end='CookieEvent' />


AdBlockerEvent

<section begin='AdBlockerEvent' />

These events are created by Ad Blocker and update the http_events table when an ad is blocked.

Attribute Name Type Description
action Action The action
class Class The class name
reason String The reason
requestId Long The request ID
timeStamp Timestamp The timestamp

<section end='AdBlockerEvent' />


WebFilterQueryEvent

<section begin='WebFilterQueryEvent' />

These events are created by Web Filter and inserted to the http_query_events table when Web Filter processes a search engine search.

Attribute Name Type Description
appName String The name of the application
class Class The class name
contentLength long The content length
host String The host
method HttpMethod The method
requestId Long The request ID
requestUri URI The request URI
sessionEvent SessionEvent The session event
term String The search term/phrase
timeStamp Timestamp The timestamp

<section end='WebFilterQueryEvent' />


WebFilterEvent

<section begin='WebFilterEvent' />

These events are created by Web Filter and update the http_events table when Web Filter processes a web request.

Attribute Name Type Description
appName String The name of the application
blocked Boolean True if blocked, false otherwise
category String The category
class Class The class name
flagged Boolean True if flagged, false otherwise
reason Reason The reason
requestLine RequestLine The request line
sessionEvent SessionEvent The session event
timeStamp Timestamp The timestamp

<section end='WebFilterEvent' />


PrioritizeEvent

<section begin='PrioritizeEvent' />

These events are created by Bandwidth Control and update the session table when a session is prioritized.

Attribute Name Type Description
class Class The class name
priority int The priority
ruleId int The rule ID
sessionEvent SessionEvent The session event
timeStamp Timestamp The timestamp

<section end='PrioritizeEvent' />


WanFailoverTestEvent

<section begin='WanFailoverTestEvent' />

These events are created by WAN Failover and inserted to the wan_failover_test_events table when a test is run.

Attribute Name Type Description
class Class The class name
description String The description
interfaceId int The interface ID
name String The test name
osName String The O/S interface name
success Boolean True if successful, false otherwise
timeStamp Timestamp The timestamp

<section end='WanFailoverTestEvent' />


WanFailoverEvent

<section begin='WanFailoverEvent' />

These events are created by WAN Failover and inserted to the wan_failover_action_events table when WAN Failover takes an action.

Attribute Name Type Description
action WanFailoverEvent$Action The action
class Class The class name
interfaceId int The interface ID
name String The name
osName String The O/S interface name
timeStamp Timestamp The timestamp

<section end='WanFailoverEvent' />


SpamSmtpTarpitEvent

<section begin='SpamSmtpTarpitEvent' />

These events are created by Spam Blocker and inserted to the smtp_tarpit_events table when a session is tarpitted.

Attribute Name Type Description
IPAddr InetAddress The IP address
class Class The class name
hostname String The hostname
sessionEvent SessionEvent The session event
sessionId Long The session ID
timeStamp Timestamp The timestamp
vendorName String The application name

<section end='SpamSmtpTarpitEvent' />


SpamLogEvent

<section begin='SpamLogEvent' />

These events are created by Spam Blocker and update the mail_msgs table when an email is scanned.

Attribute Name Type Description
action SpamMessageAction The action
class Class The class name
clientAddr InetAddress The client address
clientPort int The client port
messageId Long The message ID
receiver String The receiver
score float The score
sender String The sender
serverAddr InetAddress The server address
serverPort int The server port
smtpMessageEvent SmtpMessageEvent The parent SMTP message event
isSpam boolean True if spam, false otherwise
subject String The subject
testsString String The tests string from the spam engine
timeStamp Timestamp The timestamp
vendorName String The application name

<section end='SpamLogEvent' />


FirewallEvent

<section begin='FirewallEvent' />

These events are created by Firewall and update the sessions table when a firewall rule matches a session.

Attribute Name Type Description
blocked boolean True if blocked, false otherwise
class Class The class name
flagged boolean True if flagged, false otherwise
ruleId long The rule ID
sessionId Long The session ID
timeStamp Timestamp The timestamp

<section end='FirewallEvent' />


LoginEvent

<section begin='LoginEvent' />

These events are created by Directory Connector and inserted to the directory_connector_login_events table for each login.

Attribute Name Type Description
class Class The class name
clientAddr InetAddress The client address
domain String The domain
event String The event
loginName String The login name
timeStamp Timestamp The timestamp

<section end='LoginEvent' />


SmtpMessageAddressEvent

<section begin='SmtpMessageAddressEvent' />

These events are created by the SMTP subsystem and inserted to the mail_addrs table for each address on each email.

Attribute Name Type Description
addr String The address
class Class The class name
kind AddressKind The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
messageId Long The message ID
personal String personal
timeStamp Timestamp The timestamp

<section end='SmtpMessageAddressEvent' />


SmtpMessageEvent

<section begin='SmtpMessageEvent' />

These events are created by the SMTP subsystem and inserted to the mail_msgs table for each email.

Attribute Name Type Description
addresses Set The addresses
class Class The class name
envelopeFromAddress String The envelope FROM address
envelopeToAddress String The envelope TO address
messageId Long The message ID
receiver String The receiver
sender String The sender
sessionEvent SessionEvent The session event
sessionId Long The session ID
subject String The subject
timeStamp Timestamp The timestamp
tmpFile File The /tmp file

<section end='SmtpMessageEvent' />


VirusSmtpEvent

<section begin='VirusSmtpEvent' />

These events are created by Virus Blocker and update the mail_msgs table when Virus Blocker scans an email.

Attribute Name Type Description
action String The action
appName String The name of the application
class Class The class name
clean boolean True if clean, false otherwise
messageId Long The message ID
timeStamp Timestamp The timestamp
virusName String The virus name, if not clean

<section end='VirusSmtpEvent' />


VirusFtpEvent

<section begin='VirusFtpEvent' />

These events are created by Virus Blocker and update the ftp_events table when Virus Blocker scans an FTP transfer.

Attribute Name Type Description
appName String The name of the application
class Class The class name
clean boolean True if clean, false otherwise
sessionEvent SessionEvent The session event
timeStamp Timestamp The timestamp
uri String The URI
virusName String The virus name, if not clean

<section end='VirusFtpEvent' />


VirusHttpEvent

<section begin='VirusHttpEvent' />

These events are created by Virus Blocker and update the http_events table when Virus Blocker scans an HTTP transfer.

Attribute Name Type Description
appName String The name of the application
class Class The class name
clean boolean True if clean, false otherwise
requestId Long The request ID
timeStamp Timestamp The timestamp
virusName String The virus name, if not clean

<section end='VirusHttpEvent' />


HttpResponseEvent

<section begin='HttpResponseEvent' />

These events are created by the HTTP subsystem and update the http_events table when a web response happens.

Attribute Name Type Description
class Class The class name
contentLength long The content length
contentType String The content type
httpRequestEvent HttpRequestEvent The corresponding HTTP request event
requestLine RequestLine The request line
timeStamp Timestamp The timestamp

<section end='HttpResponseEvent' />


HttpRequestEvent

<section begin='HttpRequestEvent' />

These events are created by the HTTP subsystem and inserted to the http_events table when a web request happens.

Attribute Name Type Description
class Class The class name
contentLength long The content length
domain String The domain
host String The host
method HttpMethod The HTTP method
referer String The referer
requestId Long The request ID
requestUri URI The request URI
sessionEvent SessionEvent The session event
timeStamp Timestamp The timestamp

<section end='HttpRequestEvent' />


OpenVpnEvent

<section begin='OpenVpnEvent' />

These events are created by OpenVPN and update the openvpn_events table when OpenVPN processes a client action.

Attribute Name Type Description
address InetAddress The address
class Class The class name
clientName String The client name
poolAddress InetAddress The pool address
timeStamp Timestamp The timestamp
type OpenVpnEvent$EventType The type

<section end='OpenVpnEvent' />


OpenVpnStatusEvent

<section begin='OpenVpnStatusEvent' />

These events are created by OpenVPN and update the openvpn_stats table periodically.

Attribute Name Type Description
address InetAddress The address
bytesRxDelta long The delta number of RX (received) bytes from the previous event
bytesRxTotal long The total number of RX (received) bytes
bytesTxDelta long The delta number of TX (transmitted) bytes from the previous event
bytesTxTotal long The total number of TX (transmitted) bytes
class Class The class name
clientName String The client name
end Timestamp The end
poolAddress InetAddress The pool address
port int The port
start Timestamp The start
timeStamp Timestamp The timestamp

<section end='OpenVpnStatusEvent' />


WebCacheEvent

<section begin='WebCacheEvent' />

These events are created by Web Cache and inserted to the web_cache_stats table periodically.

Attribute Name Type Description
bypassCount long The number of bypasses
class Class The class name
hitBytes long The number of bytes worth of hits
hitCount long The number of hits
missBytes long The number of bytes worth of misses
missCount long The number of misses
policyId Long The policy ID
systemCount long The number of system bypasses
timeStamp Timestamp The timestamp

<section end='WebCacheEvent' />