Database Schema: Difference between revisions

From Edge Threat Management Wiki - Arista
Jump to navigationJump to search
No edit summary
(3 intermediate revisions by one other user not shown)
Line 1: Line 1:
[[Category:Reports]]
= Database Tables =


All [[Reports]] data is stored in the database. All [[Events]] will add or modify data in the database.
== admin_logins ==  
 
<section begin='admin_logins' />
Data is stored in large fully-denormalized tables. For example, there is a ''http_events'' table that has one row per HTTP request and all the metadata associated with that HTTP request.
 
Below is the schema definition of all tables in the database.
 
== ipsec_tunnel_stats ==  
<section begin='ipsec_tunnel_stats' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 21: Line 15:
|The time of the event
|The time of the event
|-
|-
|tunnel_name
|login
|Tunnel Name
|Login
|text
|text
|The name of the IPsec tunnel
|The login name
|-
|-
|in_bytes
|local
|In Bytes
|Local
|bigint
|boolean
|The number of bytes received during this time frame
|True if it is a login attempt through a local process
|-
|-
|out_bytes
|client_addr
|Out Bytes
|Client Address
|bigint
|inet
|The number of bytes transmitted during this time frame
|The client IP address
|-
|-
|event_id
|succeeded
|Event ID
|Succeeded
|bigint
|boolean
|The unique event ID
|True if the login succeeded, false otherwise
|-
|reason
|Reason
|character(1)
|The reason for the login (if applicable)
|-
|-
|}
|}
<section end='ipsec_tunnel_stats' />
<section end='admin_logins' />




== ipsec_user_events ==  
== sessions ==  
<section begin='ipsec_user_events' />
<section begin='sessions' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 54: Line 53:
!Description
!Description
|-
|-
|event_id
|session_id
|Event ID
|Session ID
|bigint
|bigint
|The unique event ID
|The session
|-
|-
|time_stamp
|time_stamp
Line 64: Line 63:
|The time of the event
|The time of the event
|-
|-
|connect_stamp
|end_time
|Connect Time
|timestamp without time zone
|The time the connection started
|-
|goodbye_stamp
|End Time
|End Time
|timestamp without time zone
|timestamp without time zone
|The time the connection ended
|The time the session ended
|-
|-
|client_address
|bypassed
|Client Address
|Bypassed
|text
|boolean
|The remote IP address of the client
|True if the session was bypassed, false otherwise
|-
|entitled
|Entitled
|boolean
|True if the session is entitled to premium functionality
|-
|protocol
|Protocol
|smallint
|The IP protocol of session
|-
|-
|client_protocol
|icmp_type
|Client Protocol
|ICMP Type
|text
|smallint
|The protocol the client used to connect
|The ICMP type of session if ICMP
|-
|-
|client_username
|hostname
|Client Username
|Hostname
|text
|text
|The username of the client
|The hostname of the local address
|-
|-
|net_process
|username
|Net Process
|Username
|text
|text
|The PID of the PPP process for L2TP connections or the connection ID for Xauth connections
|The username associated with this session
|-
|-
|net_interface
|policy_id
|Net Interface
|Policy ID
|text
|smallint
|The PPP interface for L2TP connections or the client interface for Xauth connections
|The policy
|-
|-
|elapsed_time
|policy_rule_id
|Elapsed Time
|Policy Rule ID
|text
|smallint
|The total time the client was connected
|The ID of the matching policy rule (0 means none)
|-
|-
|rx_bytes
|c_client_addr
|Bytes Received
|Client-side Client Address
|bigint
|inet
|The number of bytes received from the client in this connection
|The client-side client IP address
|-
|-
|tx_bytes
|c_server_addr
|Bytes Sent
|Client-side Server Address
|bigint
|inet
|The number of bytes sent to the client in this connection
|The client-side server IP address
|-
|-
|}
|c_server_port
<section end='ipsec_user_events' />
|Client-side Server Port
 
|integer
 
|The client-side server port
== http_events ==
<section begin='http_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|request_id
|c_client_port
|Request ID
|Client-side Client Port
|bigint
|integer
|The HTTP request ID
|The client-side client port
|-
|-
|time_stamp
|s_client_addr
|Timestamp
|Server-side Client Address
|timestamp without time zone
|inet
|The time of the event
|The server-side client IP address
|-
|s_server_addr
|Server-side Server Address
|inet
|The server-side server IP address
|-
|s_server_port
|Server-side Server Port
|integer
|The server-side server port
|-
|-
|session_id
|s_client_port
|Session ID
|Server-side Client Port
|bigint
|integer
|The session
|The server-side client port
|-
|-
|client_intf
|client_intf
Line 152: Line 158:
|The server interface
|The server interface
|-
|-
|c_client_addr
|client_country
|Client-side Client Address
|Client Country
|inet
|text
|The client-side client IP address
|The client Country
|-
|-
|s_client_addr
|client_latitude
|Server-side Client Address
|Client Latitude
|inet
|real
|The server-side client IP address
|The client Latitude
|-
|-
|c_server_addr
|client_longitude
|Client-side Server Address
|Client Longitude
|inet
|real
|The client-side server IP address
|The client Longitude
|-
|-
|s_server_addr
|server_country
|Server-side Server Address
|Server Country
|inet
|text
|The server-side server IP address
|The server Country
|-
|-
|c_client_port
|server_latitude
|Client-side Client Port
|Server Latitude
|integer
|real
|The client-side client port
|The server Latitude
|-
|-
|s_client_port
|server_longitude
|Server-side Client Port
|Server Longitude
|integer
|real
|The server-side client port
|The server Longitude
|-
|-
|c_server_port
|c2p_bytes
|Client-side Server Port
|From-Client Bytes
|integer
|bigint
|The client-side server port
|The number of bytes the client sent to Untangle (client-to-pipeline)
|-
|-
|s_server_port
|p2c_bytes
|Server-side Server Port
|To-Client Bytes
|integer
|bigint
|The server-side server port
|The number of bytes Untangle sent to client (pipeline-to-client)
|-
|-
|policy_id
|s2p_bytes
|Policy ID
|From-Server Bytes
|smallint
|bigint
|The policy
|The number of bytes the server sent to Untangle (client-to-pipeline)
|-
|-
|username
|p2s_bytes
|Username
|To-Server Bytes
|text
|bigint
|The username associated with this session
|The number of bytes Untangle sent to server (pipeline-to-client)
|-
|-
|hostname
|filter_prefix
|Hostname
|Filter Block
|text
|text
|The hostname of the local address
|The network filter that blocked the connection (filter,shield,invalid)
|-
|-
|method
|firewall_blocked
|Method
|Firewall Blocked
|character(1)
|boolean
|The HTTP method
|True if Firewall blocked the session, false otherwise
|-
|-
|uri
|firewall_flagged
|URI
|Firewall Flagged
|text
|boolean
|The HTTP URI
|True if Firewall flagged the session, false otherwise
|-
|-
|host
|firewall_rule_index
|Host
|Firewall Rule ID
|integer
|The matching rule in Firewall (if any)
|-
|application_control_lite_protocol
|Application Control Lite Protocol
|text
|text
|The HTTP host
|The application protocol according to Application Control Lite
|-
|-
|domain
|application_control_lite_blocked
|Domain
|Application Control Lite Blocked
|text
|boolean
|The HTTP domain (shortened host)
|True if Application Control Lite blocked the session
|-
|-
|referer
|captive_portal_blocked
|Referer
|Captive Portal Blocked
|text
|boolean
|The Referer URL
|True if Captive Portal blocked the session
|-
|-
|c2s_content_length
|captive_portal_rule_index
|Client-to-server Content Length
|Captive Portal Rule ID
|bigint
|integer
|The client-to-server content length
|The matching rule in Captive Portal (if any)
|-
|-
|s2c_content_length
|application_control_application
|Server-to-client Content Length
|Application Control Application
|bigint
|The server-to-client content length
|-
|s2c_content_type
|Server-to-client Content Type
|text
|text
|The server-to-client content type
|The application according to Application Control
|-
|-
|ad_blocker_cookie_ident
|application_control_protochain
|Ad Blocker Cookie
|Application Control Protochain
|text
|text
|This name of cookie blocked by Ad Blocker
|The protochain according to Application Control
|-
|-
|ad_blocker_action
|application_control_category
|Ad Blocker Action
|Application Control Category
|character(1)
|This action of Ad Blocker on this request
|-
|web_filter_lite_reason
|Web Filter Lite Reason
|character(1)
|This reason Web Filter Lite blocked/flagged this request
|-
|web_filter_lite_category
|Web Filter Lite Category
|text
|text
|This category according to Web Filter Lite
|The category according to Application Control
|-
|-
|web_filter_lite_blocked
|application_control_blocked
|Web Filter Lite Blocked
|Application Control Blocked
|boolean
|boolean
|If Web Filter Lite blocked this request
|True if Application Control blocked the session
|-
|-
|web_filter_lite_flagged
|application_control_flagged
|Web Filter Lite Flagged
|Application Control Flagged
|boolean
|boolean
|If Web Filter Lite flagged this request
|True if Application Control flagged the session
|-
|-
|web_filter_reason
|application_control_confidence
|Web Filter Reason
|Application Control Confidence
|character(1)
|integer
|This reason Web Filter blocked/flagged this request
|True if Application Control confidence of this session's identification
|-
|application_control_ruleid
|Application Control Rule ID
|integer
|The matching rule in Application Control (if any)
|-
|-
|web_filter_category
|application_control_detail
|Web Filter Category
|Application Control Detail
|text
|text
|This category according to Web Filter
|The text detail from the Application Control engine
|-
|-
|web_filter_blocked
|bandwidth_control_priority
|Web Filter Blocked
|Bandwidth Control Priority
|boolean
|integer
|If Web Filter blocked this request
|The priority given to this session
|-
|-
|web_filter_flagged
|bandwidth_control_rule
|Web Filter Flagged
|Bandwidth Control Rule ID
|boolean
|integer
|If Web Filter flagged this request
|The matching rule in Bandwidth Control rule (if any)
|-
|-
|virus_blocker_lite_clean
|ssl_inspector_ruleid
|Virus Blocker Lite Clean
|SSL Inspector Rule ID
|boolean
|integer
|The cleanliness of the file according to Virus Blocker Lite
|The matching rule in SSL Inspector rule (if any)
|-
|-
|virus_blocker_lite_name
|ssl_inspector_status
|Virus Blocker Lite Name
|SSL Inspector Status
|text
|text
|The name of the malware according to Virus Blocker Lite
|The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED)
|-
|-
|virus_blocker_clean
|ssl_inspector_detail
|Virus Blocker Clean
|SSL Inspector Detail
|boolean
|The cleanliness of the file according to Virus Blocker
|-
|virus_blocker_name
|Virus Blocker Name
|text
|text
|The name of the malware according to Virus Blocker
|Additional text detail about the SSL connection (SNI, IP Address)
|-
|-
|}
|local_addr
<section end='http_events' />
|Local Address
 
|inet
 
|The IP address of the local participant
== captive_portal_user_events ==  
|-
<section begin='captive_portal_user_events' />
|remote_addr
|Remote Address
|inet
|The IP address of the remote participant
|-
|tags
|Tags
|text
|The tags on this session
|-
|}
<section end='sessions' />
 
 
== session_minutes ==  
<section begin='session_minutes' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 329: Line 340:
!Type
!Type
!Description
!Description
|-
|session_id
|Session ID
|bigint
|The session
|-
|-
|time_stamp
|time_stamp
Line 335: Line 351:
|The time of the event
|The time of the event
|-
|-
|policy_id
|c2s_bytes
|Policy ID
|From-Client Bytes
|bigint
|bigint
|The policy
|The number of bytes the client sent
|-
|-
|event_id
|s2c_bytes
|Event ID
|From-Server Bytes
|bigint
|bigint
|The unique event ID
|The number of bytes the server sent
|-
|-
|login_name
|start_time
|Login Name
|Start Time
|text
|timestamp without time zone
|The login username
|The start time of the session
|-
|-
|event_info
|end_time
|Event Type
|End Time
|text
|timestamp without time zone
|The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
|The time the session ended
|-
|-
|auth_type
|bypassed
|Authorization Type
|Bypassed
|text
|boolean
|The authorization type for this event
|True if the session was bypassed, false otherwise
|-
|-
|client_addr
|entitled
|Client Address
|Entitled
|text
|boolean
|The remote IP address of the client
|True if the session is entitled to premium functionality
|-
|-
|}
|protocol
<section end='captive_portal_user_events' />
|Protocol
 
|smallint
 
|The IP protocol of session
== server_events ==
<section begin='server_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|icmp_type
|Timestamp
|ICMP Type
|timestamp without time zone
|smallint
|The time of the event
|The ICMP type of session if ICMP
|-
|-
|load_1
|hostname
|CPU load (1-min)
|Hostname
|numeric(6,2)
|text
|The 1-minute CPU load
|The hostname of the local address
|-
|-
|load_5
|username
|CPU load (5-min)
|Username
|numeric(6,2)
|text
|The 5-minute CPU load
|The username associated with this session
|-
|-
|load_15
|policy_id
|CPU load (15-min)
|Policy ID
|numeric(6,2)
|smallint
|The 15-minute CPU load
|The policy
|-
|-
|cpu_user
|policy_rule_id
|CPU User Utilization
|Policy Rule ID
|numeric(6,3)
|smallint
|The user CPU percent utilization
|The ID of the matching policy rule (0 means none)
|-
|-
|cpu_system
|c_client_addr
|CPU System Utilization
|Client-side Client Address
|numeric(6,3)
|inet
|The system CPU percent utilization
|The client-side client IP address
|-
|-
|mem_total
|c_server_addr
|Total Memory
|Client-side Server Address
|bigint
|inet
|The total bytes of memory
|The client-side server IP address
|-
|-
|mem_free
|c_server_port
|Memory Free
|Client-side Server Port
|bigint
|integer
|The number of free bytes of memory
|The client-side server port
|-
|-
|disk_total
|c_client_port
|Disk Size
|Client-side Client Port
|bigint
|integer
|The total disk size in bytes
|The client-side client port
|-
|-
|disk_free
|s_client_addr
|Disk Free
|Server-side Client Address
|bigint
|inet
|The free disk space in bytes
|The server-side client IP address
|-
|-
|swap_total
|s_server_addr
|Swap Size
|Server-side Server Address
|bigint
|inet
|The total swap size in bytes
|The server-side server IP address
|-
|-
|swap_free
|s_server_port
|Swap Free
|Server-side Server Port
|bigint
|integer
|The free disk swap in bytes
|The server-side server port
|-
|-
|active_hosts
|s_client_port
|Active Hosts
|Server-side Client Port
|integer
|integer
|The number of active hosts
|The server-side client port
|-
|client_intf
|Client Interface
|smallint
|The client interface
|-
|-
|}
|server_intf
<section end='server_events' />
|Server Interface
 
|smallint
 
|The server interface
== interface_stat_events ==
<section begin='interface_stat_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|client_country
|Timestamp
|Client Country
|timestamp without time zone
|text
|The time of the event
|The client Country
|-
|-
|interface_id
|client_latitude
|Interface ID
|Client Latitude
|integer
|real
|The interface ID
|The client Latitude
|-
|-
|rx_rate
|client_longitude
|Rx Rate
|Client Longitude
|double precision
|real
|The RX rate (bytes/s)
|The client Longitude
|-
|-
|tx_rate
|server_country
|Tx Rate
|Server Country
|double precision
|text
|The TX rate (bytes/s)
|The server Country
|-
|-
|}
|server_latitude
<section end='interface_stat_events' />
|Server Latitude
 
|real
 
|The server Latitude
== openvpn_stats ==
<section begin='openvpn_stats' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|server_longitude
|Timestamp
|Server Longitude
|timestamp without time zone
|real
|The time of the event
|The server Longitude
|-
|-
|start_time
|filter_prefix
|Start Time
|Filter Block
|timestamp without time zone
|text
|The time the OpenVPN session started
|The network filter that blocked the connection (filter,shield,invalid)
|-
|-
|end_time
|firewall_blocked
|End Time
|Firewall Blocked
|timestamp without time zone
|boolean
|The time the OpenVPN session ended
|True if Firewall blocked the session, false otherwise
|-
|-
|rx_bytes
|firewall_flagged
|Bytes Received
|Firewall Flagged
|bigint
|boolean
|The total bytes received from the client during this session
|True if Firewall flagged the session, false otherwise
|-
|-
|tx_bytes
|firewall_rule_index
|Bytes Sent
|Firewall Rule ID
|bigint
|integer
|The total bytes sent to the client during this session
|The matching rule in Firewall (if any)
|-
|application_control_lite_protocol
|Application Control Lite Protocol
|text
|The application protocol according to Application Control Lite
|-
|-
|remote_address
|application_control_lite_blocked
|Remote Address
|Application Control Lite Blocked
|inet
|boolean
|The remote IP address of the client
|True if Application Control Lite blocked the session
|-
|-
|pool_address
|captive_portal_blocked
|Pool Address
|Captive Portal Blocked
|inet
|boolean
|The pool IP address of the client
|True if Captive Portal blocked the session
|-
|-
|remote_port
|captive_portal_rule_index
|Remote Port
|Captive Portal Rule ID
|integer
|integer
|The remote port of the client
|The matching rule in Captive Portal (if any)
|-
|-
|client_name
|application_control_application
|Client Name
|Application Control Application
|text
|text
|The name of the client
|The application according to Application Control
|-
|-
|event_id
|application_control_protochain
|Event ID
|Application Control Protochain
|bigint
|text
|The unique event ID
|The protochain according to Application Control
|-
|-
|}
|application_control_category
<section end='openvpn_stats' />
|Application Control Category
 
|text
 
|The category according to Application Control
== openvpn_events ==
<section begin='openvpn_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|application_control_blocked
|Timestamp
|Application Control Blocked
|timestamp without time zone
|boolean
|The time of the event
|True if Application Control blocked the session
|-
|application_control_flagged
|Application Control Flagged
|boolean
|True if Application Control flagged the session
|-
|-
|remote_address
|application_control_confidence
|Remote Address
|Application Control Confidence
|inet
|integer
|The remote IP address of the client
|True if Application Control confidence of this session's identification
|-
|-
|pool_address
|application_control_ruleid
|Pool Address
|Application Control Rule ID
|inet
|integer
|The pool IP address of the client
|The matching rule in Application Control (if any)
|-
|-
|client_name
|application_control_detail
|Client Name
|Application Control Detail
|text
|text
|The name of the client
|The text detail from the Application Control engine
|-
|-
|type
|bandwidth_control_priority
|Type
|Bandwidth Control Priority
|text
|integer
|The type of the event (CONNECT/DISCONNECT)
|The priority given to this session
|-
|-
|}
|bandwidth_control_rule
<section end='openvpn_events' />
|Bandwidth Control Rule ID
 
|integer
 
|The matching rule in Bandwidth Control rule (if any)
== mail_msgs ==
<section begin='mail_msgs' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|ssl_inspector_ruleid
|Timestamp
|SSL Inspector Rule ID
|timestamp without time zone
|integer
|The time of the event
|The matching rule in SSL Inspector rule (if any)
|-
|-
|session_id
|ssl_inspector_status
|Session ID
|SSL Inspector Status
|bigint
|text
|The session
|The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED)
|-
|-
|client_intf
|ssl_inspector_detail
|Client Interface
|SSL Inspector Detail
|smallint
|text
|The client interface
|Additional text detail about the SSL connection (SNI, IP Address)
|-
|-
|server_intf
|local_addr
|Server Interface
|Local Address
|smallint
|The server interface
|-
|c_client_addr
|Client-side Client Address
|inet
|inet
|The client-side client IP address
|The IP address of the local participant
|-
|-
|s_client_addr
|remote_addr
|Server-side Client Address
|Remote Address
|inet
|inet
|The server-side client IP address
|The IP address of the remote participant
|-
|-
|c_server_addr
|tags
|Client-side Server Address
|Tags
|inet
|text
|The client-side server IP address
|The tags on this session
|-
|}
<section end='session_minutes' />
 
 
== quotas ==
<section begin='quotas' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|s_server_addr
|time_stamp
|Server-side Server Address
|Timestamp
|inet
|timestamp without time zone
|The server-side server IP address
|The time of the event
|-
|-
|c_client_port
|action
|Client-side Client Port
|Action
|integer
|integer
|The client-side client port
|The action (1=Quota Given, 2=Quota Exceeded)
|-
|-
|s_client_port
|size
|Server-side Client Port
|Size
|integer
|The server-side client port
|-
|c_server_port
|Client-side Server Port
|integer
|The client-side server port
|-
|s_server_port
|Server-side Server Port
|integer
|The server-side server port
|-
|policy_id
|Policy ID
|bigint
|bigint
|The policy
|The size of the quota
|-
|-
|username
|reason
|Username
|Reason
|text
|text
|The username associated with this session
|The reason for the action
|-
|-
|msg_id
|entity
|Message ID
|Entity
|bigint
|text
|The message ID
|The IP entity given the quota (address/username)
|-
|-
|subject
|}
|Subject
<section end='quotas' />
 
 
== host_table_updates ==
<section begin='host_table_updates' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|address
|Address
|inet
|The IP address of the host
|-
|key
|Key
|text
|text
|The email subject
|The key being updated
|-
|-
|hostname
|value
|Hostname
|Value
|text
|text
|The hostname of the local address
|The new value for the key
|-
|-
|event_id
|time_stamp
|Event ID
|Timestamp
|bigint
|timestamp without time zone
|The unique event ID
|The time of the event
|-
|-
|sender
|old_value
|Sender
|Old Value
|text
|text
|The address of the sender
|The old value for the key
|-
|}
<section end='host_table_updates' />
 
 
== device_table_updates ==
<section begin='device_table_updates' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|receiver
|mac_address
|Receiver
|MAC Address
|text
|text
|The address of the receiver
|The MAC address of the device
|-
|-
|virus_blocker_lite_clean
|key
|Virus Blocker Lite Clean
|Key
|boolean
|text
|The cleanliness of the file according to Virus Blocker Lite
|The key being updated
|-
|-
|virus_blocker_lite_name
|value
|Virus Blocker Lite Name
|Value
|text
|text
|The name of the malware according to Virus Blocker Lite
|The new value for the key
|-
|-
|virus_blocker_clean
|time_stamp
|Virus Blocker Clean
|Timestamp
|boolean
|timestamp without time zone
|The cleanliness of the file according to Virus Blocker
|The time of the event
|-
|-
|virus_blocker_name
|old_value
|Virus Blocker Name
|Old Value
|text
|text
|The name of the malware according to Virus Blocker
|The old value for the key
|-
|-
|spam_blocker_lite_score
|}
|Spam Blocker Lite Score
<section end='device_table_updates' />
|real
 
|The score of the email according to Spam Blocker Lite
 
|-
== alerts ==
|spam_blocker_lite_is_spam
<section begin='alerts' />
|Spam Blocker Lite Spam
 
|boolean
{| border="1" cellpadding="2" width="90%%" align="center"
|The spam status of the email according to Spam Blocker Lite
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|-
|spam_blocker_lite_tests_string
|description
|Spam Blocker Lite Tests
|Text detail of the event
|text
|text
|The tess results for Spam Blocker Lite
|The description from the alert rule.
|-
|-
|spam_blocker_lite_action
|summary_text
|Spam Blocker Lite Action
|Summary Text
|character(1)
|text
|The action taken by Spam Blocker Lite
|The summary text of the alert
|-
|-
|spam_blocker_score
|json
|Spam Blocker Score
|JSON Text
|real
|text
|The score of the email according to Spam Blocker
|The summary JSON representation of the event causing the alert
|-
|}
<section end='alerts' />
 
 
== settings_changes ==
<section begin='settings_changes' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|spam_blocker_is_spam
|time_stamp
|Spam Blocker Spam
|Timestamp
|boolean
|timestamp without time zone
|The spam status of the email according to Spam Blocker
|The time of the event
|-
|-
|spam_blocker_tests_string
|settings_file
|Spam Blocker Tests
|Settings File
|text
|text
|The tess results for Spam Blocker
|The name of the file changed
|-
|-
|spam_blocker_action
|username
|Spam Blocker Action
|Username
|character(1)
|text
|The action taken by Spam Blocker
|The username logged in at the time of the change
|-
|-
|phish_blocker_score
|hostname
|Phish Blocker Score
|Hostname
|real
|The score of the email according to Phish Blocker
|-
|phish_blocker_is_spam
|Phish Blocker Phish
|boolean
|The phish status of the email according to Phish Blocker
|-
|phish_blocker_tests_string
|Phish Blocker Tests
|text
|text
|The tess results for Phish Blocker
|The remote hostname
|-
|phish_blocker_action
|Phish Blocker Action
|character(1)
|The action taken by Phish Blocker
|-
|-
|}
|}
<section end='mail_msgs' />
<section end='settings_changes' />




== mail_addrs ==  
== wan_failover_test_events ==  
<section begin='mail_addrs' />
<section begin='wan_failover_test_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 788: Line 809:
|The time of the event
|The time of the event
|-
|-
|session_id
|interface_id
|Session ID
|Interface ID
|bigint
|integer
|The session
|This interface ID
|-
|-
|client_intf
|name
|Client Interface
|Interface Name
|smallint
|text
|The client interface
|This name of the interface
|-
|-
|server_intf
|description
|Server Interface
|Text detail of the event
|smallint
|text
|The server interface
|The description from the test rule
|-
|-
|c_client_addr
|success
|Client-side Client Address
|Success
|inet
|boolean
|The client-side client IP address
|The result of the test (true if the test succeeded, false otherwise)
|-
|-
|s_client_addr
|event_id
|Server-side Client Address
|Event ID
|inet
|bigint
|The server-side client IP address
|The unique event ID
|-
|-
|c_server_addr
|}
|Client-side Server Address
<section end='wan_failover_test_events' />
|inet
 
|The client-side server IP address
 
== wan_failover_action_events ==
<section begin='wan_failover_action_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|s_server_addr
|time_stamp
|Server-side Server Address
|Timestamp
|inet
|timestamp without time zone
|The server-side server IP address
|The time of the event
|-
|-
|c_client_port
|interface_id
|Client-side Client Port
|Interface ID
|integer
|integer
|The client-side client port
|This interface ID
|-
|-
|s_client_port
|action
|Server-side Client Port
|Action
|integer
|text
|The server-side client port
|This action (CONNECTED,DISCONNECTED)
|-
|-
|c_server_port
|os_name
|Client-side Server Port
|Interface O/S Name
|integer
|text
|The client-side server port
|This O/S name of the interface
|-
|-
|s_server_port
|name
|Server-side Server Port
|Interface Name
|integer
|text
|The server-side server port
|This name of the interface
|-
|-
|policy_id
|event_id
|Policy ID
|Event ID
|bigint
|bigint
|The policy
|The unique event ID
|-
|}
<section end='wan_failover_action_events' />
 
 
== mail_msgs ==
<section begin='mail_msgs' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|username
|time_stamp
|Username
|Timestamp
|text
|timestamp without time zone
|The username associated with this session
|The time of the event
|-
|-
|msg_id
|session_id
|Message ID
|Session ID
|bigint
|bigint
|The message ID
|The session
|-
|-
|subject
|client_intf
|Subject
|Client Interface
|text
|smallint
|The email subject
|The client interface
|-
|-
|addr
|server_intf
|Address
|Server Interface
|text
|smallint
|The address of this event
|The server interface
|-
|-
|addr_name
|c_client_addr
|Address Name
|Client-side Client Address
|text
|inet
|The name for this address
|The client-side client IP address
|-
|-
|addr_kind
|s_client_addr
|Address Kind
|Server-side Client Address
|character(1)
|inet
|The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
|The server-side client IP address
|-
|-
|hostname
|c_server_addr
|Hostname
|Client-side Server Address
|text
|inet
|The hostname of the local address
|The client-side server IP address
|-
|-
|event_id
|s_server_addr
|Event ID
|Server-side Server Address
|bigint
|inet
|The unique event ID
|The server-side server IP address
|-
|-
|sender
|c_client_port
|Sender
|Client-side Client Port
|text
|integer
|The address of the sender
|The client-side client port
|-
|-
|virus_blocker_lite_clean
|s_client_port
|Virus Blocker Lite Clean
|Server-side Client Port
|boolean
|integer
|The cleanliness of the file according to Virus Blocker Lite
|The server-side client port
|-
|-
|virus_blocker_lite_name
|c_server_port
|Virus Blocker Lite Name
|Client-side Server Port
|text
|integer
|The name of the malware according to Virus Blocker Lite
|The client-side server port
|-
|s_server_port
|Server-side Server Port
|integer
|The server-side server port
|-
|-
|virus_blocker_clean
|policy_id
|Virus Blocker Clean
|Policy ID
|boolean
|bigint
|The cleanliness of the file according to Virus Blocker
|The policy
|-
|-
|virus_blocker_name
|username
|Virus Blocker Name
|Username
|text
|text
|The name of the malware according to Virus Blocker
|The username associated with this session
|-
|-
|spam_blocker_lite_score
|msg_id
|Spam Blocker Lite Score
|Message ID
|real
|bigint
|The score of the email according to Spam Blocker Lite
|The message ID
|-
|subject
|Subject
|text
|The email subject
|-
|-
|spam_blocker_lite_is_spam
|hostname
|Spam Blocker Lite Spam
|Hostname
|boolean
|text
|The spam status of the email according to Spam Blocker Lite
|The hostname of the local address
|-
|-
|spam_blocker_lite_action
|event_id
|Spam Blocker Lite Action
|Event ID
|character(1)
|bigint
|The action taken by Spam Blocker Lite
|The unique event ID
|-
|-
|spam_blocker_lite_tests_string
|sender
|Spam Blocker Lite Tests
|Sender
|text
|text
|The tess results for Spam Blocker Lite
|The address of the sender
|-
|-
|spam_blocker_score
|receiver
|Spam Blocker Score
|Receiver
|real
|text
|The score of the email according to Spam Blocker
|The address of the receiver
|-
|-
|spam_blocker_is_spam
|virus_blocker_lite_clean
|Spam Blocker Spam
|Virus Blocker Lite Clean
|boolean
|boolean
|The spam status of the email according to Spam Blocker
|The cleanliness of the file according to Virus Blocker Lite
|-
|-
|spam_blocker_action
|virus_blocker_lite_name
|Spam Blocker Action
|Virus Blocker Lite Name
|character(1)
|The action taken by Spam Blocker
|-
|spam_blocker_tests_string
|Spam Blocker Tests
|text
|text
|The tess results for Spam Blocker
|The name of the malware according to Virus Blocker Lite
|-
|-
|phish_blocker_score
|virus_blocker_clean
|Phish Blocker Score
|Virus Blocker Clean
|real
|boolean
|The score of the email according to Phish Blocker
|The cleanliness of the file according to Virus Blocker
|-
|-
|phish_blocker_is_spam
|virus_blocker_name
|Phish Blocker Phish
|Virus Blocker Name
|text
|The name of the malware according to Virus Blocker
|-
|spam_blocker_lite_score
|Spam Blocker Lite Score
|real
|The score of the email according to Spam Blocker Lite
|-
|spam_blocker_lite_is_spam
|Spam Blocker Lite Spam
|boolean
|boolean
|The phish status of the email according to Phish Blocker
|The spam status of the email according to Spam Blocker Lite
|-
|-
|phish_blocker_tests_string
|spam_blocker_lite_tests_string
|Phish Blocker Tests
|Spam Blocker Lite Tests
|text
|text
|The tess results for Phish Blocker
|The tess results for Spam Blocker Lite
|-
|-
|phish_blocker_action
|spam_blocker_lite_action
|Phish Blocker Action
|Spam Blocker Lite Action
|character(1)
|character(1)
|The action taken by Phish Blocker
|The action taken by Spam Blocker Lite
|-
|-
|}
|spam_blocker_score
<section end='mail_addrs' />
|Spam Blocker Score
 
|real
 
|The score of the email according to Spam Blocker
== smtp_tarpit_events ==
<section begin='smtp_tarpit_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|spam_blocker_is_spam
|Timestamp
|Spam Blocker Spam
|timestamp without time zone
|boolean
|The time of the event
|The spam status of the email according to Spam Blocker
|-
|-
|ipaddr
|spam_blocker_tests_string
|Client Address
|Spam Blocker Tests
|inet
|The client IP address
|-
|hostname
|Hostname
|text
|text
|The hostname of the local address
|The tess results for Spam Blocker
|-
|-
|policy_id
|spam_blocker_action
|Policy ID
|Spam Blocker Action
|bigint
|character(1)
|The policy
|The action taken by Spam Blocker
|-
|phish_blocker_score
|Phish Blocker Score
|real
|The score of the email according to Phish Blocker
|-
|phish_blocker_is_spam
|Phish Blocker Phish
|boolean
|The phish status of the email according to Phish Blocker
|-
|-
|vendor_name
|phish_blocker_tests_string
|Vendor Name
|Phish Blocker Tests
|character varying(255)
|text
|The "vendor name" of the app that logged the event
|The tess results for Phish Blocker
|-
|-
|event_id
|phish_blocker_action
|Event ID
|Phish Blocker Action
|bigint
|character(1)
|The unique event ID
|The action taken by Phish Blocker
|-
|-
|}
|}
<section end='smtp_tarpit_events' />
<section end='mail_msgs' />




== ftp_events ==  
== mail_addrs ==  
<section begin='ftp_events' />
<section begin='mail_addrs' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,028: Line 1,082:
!Type
!Type
!Description
!Description
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|-
|time_stamp
|time_stamp
Line 1,073: Line 1,122:
|inet
|inet
|The server-side server IP address
|The server-side server IP address
|-
|c_client_port
|Client-side Client Port
|integer
|The client-side client port
|-
|s_client_port
|Server-side Client Port
|integer
|The server-side client port
|-
|c_server_port
|Client-side Server Port
|integer
|The client-side server port
|-
|s_server_port
|Server-side Server Port
|integer
|The server-side server port
|-
|-
|policy_id
|policy_id
Line 1,084: Line 1,153:
|The username associated with this session
|The username associated with this session
|-
|-
|hostname
|msg_id
|Hostname
|Message ID
|text
|The hostname of the local address
|-
|request_id
|Request ID
|bigint
|bigint
|The FTP request ID
|The message ID
|-
|-
|method
|subject
|Method
|Subject
|character(1)
|text
|The FTP method
|The email subject
|-
|-
|uri
|addr
|URI
|Address
|text
|text
|The FTP URI
|The address of this event
|-
|-
|virus_blocker_lite_clean
|addr_name
|Virus Blocker Lite Clean
|Address Name
|boolean
|text
|The cleanliness of the file according to Virus Blocker Lite
|The name for this address
|-
|addr_kind
|Address Kind
|character(1)
|The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
|-
|hostname
|Hostname
|text
|The hostname of the local address
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|sender
|Sender
|text
|The address of the sender
|-
|virus_blocker_lite_clean
|Virus Blocker Lite Clean
|boolean
|The cleanliness of the file according to Virus Blocker Lite
|-
|-
|virus_blocker_lite_name
|virus_blocker_lite_name
Line 1,124: Line 1,213:
|The name of the malware according to Virus Blocker
|The name of the malware according to Virus Blocker
|-
|-
|}
|spam_blocker_lite_score
<section end='ftp_events' />
|Spam Blocker Lite Score
 
|real
 
|The score of the email according to Spam Blocker Lite
== wan_failover_test_events ==
<section begin='wan_failover_test_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|spam_blocker_lite_is_spam
|Timestamp
|Spam Blocker Lite Spam
|timestamp without time zone
|boolean
|The time of the event
|The spam status of the email according to Spam Blocker Lite
|-
|-
|interface_id
|spam_blocker_lite_action
|Interface ID
|Spam Blocker Lite Action
|integer
|character(1)
|This interface ID
|The action taken by Spam Blocker Lite
|-
|-
|name
|spam_blocker_lite_tests_string
|Interface Name
|Spam Blocker Lite Tests
|text
|text
|This name of the interface
|The tess results for Spam Blocker Lite
|-
|-
|description
|spam_blocker_score
|Text detail of the event
|Spam Blocker Score
|text
|real
|The description from the test rule
|The score of the email according to Spam Blocker
|-
|-
|success
|spam_blocker_is_spam
|Success
|Spam Blocker Spam
|boolean
|boolean
|The result of the test (true if the test succeeded, false otherwise)
|The spam status of the email according to Spam Blocker
|-
|spam_blocker_action
|Spam Blocker Action
|character(1)
|The action taken by Spam Blocker
|-
|-
|event_id
|spam_blocker_tests_string
|Event ID
|Spam Blocker Tests
|bigint
|text
|The unique event ID
|The tess results for Spam Blocker
|-
|-
|}
|phish_blocker_score
<section end='wan_failover_test_events' />
|Phish Blocker Score
 
|real
 
|The score of the email according to Phish Blocker
== wan_failover_action_events ==  
|-
<section begin='wan_failover_action_events' />
|phish_blocker_is_spam
|Phish Blocker Phish
|boolean
|The phish status of the email according to Phish Blocker
|-
|phish_blocker_tests_string
|Phish Blocker Tests
|text
|The tess results for Phish Blocker
|-
|phish_blocker_action
|Phish Blocker Action
|character(1)
|The action taken by Phish Blocker
|-
|}
<section end='mail_addrs' />
 
 
== smtp_tarpit_events ==  
<section begin='smtp_tarpit_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,185: Line 1,291:
|The time of the event
|The time of the event
|-
|-
|interface_id
|ipaddr
|Interface ID
|Client Address
|integer
|inet
|This interface ID
|The client IP address
|-
|-
|action
|hostname
|Action
|Hostname
|text
|text
|This action (CONNECTED/DISCONNECTED)
|The hostname of the local address
|-
|-
|os_name
|policy_id
|Interface O/S Name
|Policy ID
|text
|bigint
|This O/S name of the interface
|The policy
|-
|-
|name
|vendor_name
|Interface Name
|Vendor Name
|text
|character varying(255)
|This name of the interface
|The "vendor name" of the app that logged the event
|-
|-
|event_id
|event_id
Line 1,211: Line 1,317:
|-
|-
|}
|}
<section end='wan_failover_action_events' />
<section end='smtp_tarpit_events' />




== intrusion_prevention_events ==  
== http_events ==  
<section begin='intrusion_prevention_events' />
<section begin='http_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,223: Line 1,329:
!Description
!Description
|-
|-
|time_stamp
|request_id
|Timestamp
|Request ID
|bigint
|The HTTP request ID
|-
|time_stamp
|Timestamp
|timestamp without time zone
|timestamp without time zone
|The time of the event
|The time of the event
|-
|-
|sig_id
|session_id
|Signature ID
|Session ID
|bigint
|bigint
|This ID of the rule
|The session
|-
|-
|gen_id
|client_intf
|Grouping ID
|Client Interface
|bigint
|smallint
|The grouping ID for the rule, The gen_id + sig_id specify the rule's unique identifier
|The client interface
|-
|-
|class_id
|server_intf
|Classtype ID
|Server Interface
|bigint
|smallint
|The numeric ID for the classtype
|The server interface
|-
|-
|source_addr
|c_client_addr
|Source Address
|Client-side Client Address
|inet
|inet
|The source IP address of the packet
|The client-side client IP address
|-
|s_client_addr
|Server-side Client Address
|inet
|The server-side client IP address
|-
|-
|source_port
|c_server_addr
|Source Port
|Client-side Server Address
|integer
|inet
|The source port of the packet (if applicable)
|The client-side server IP address
|-
|-
|dest_addr
|s_server_addr
|Destination Address
|Server-side Server Address
|inet
|inet
|The destination IP address of the packet
|The server-side server IP address
|-
|-
|dest_port
|c_client_port
|Destination Port
|Client-side Client Port
|integer
|integer
|The destination port of the packet (if applicable)
|The client-side client port
|-
|-
|protocol
|s_client_port
|Protocol
|Server-side Client Port
|integer
|integer
|The protocol of the packet
|The server-side client port
|-
|-
|blocked
|c_server_port
|Blocked
|Client-side Server Port
|boolean
|integer
|If the packet was blocked/dropped
|The client-side server port
|-
|s_server_port
|Server-side Server Port
|integer
|The server-side server port
|-
|-
|category
|policy_id
|Category
|Policy ID
|text
|smallint
|The application specific grouping
|The policy
|-
|-
|classtype
|username
|Classtype
|Username
|text
|text
|The generalized threat rule grouping (unrelated to gen_id)
|The username associated with this session
|-
|-
|msg
|hostname
|Message
|Hostname
|text
|text
|The "title" or "description" of the rule
|The hostname of the local address
|-
|-
|}
|method
<section end='intrusion_prevention_events' />
|Method
 
|character(1)
 
|The HTTP method
== web_cache_stats ==
<section begin='web_cache_stats' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|uri
|Timestamp
|URI
|timestamp without time zone
|text
|The time of the event
|The HTTP URI
|-
|-
|hits
|host
|Hits
|Host
|bigint
|text
|The number of cache hits during this time frame
|The HTTP host
|-
|-
|misses
|domain
|Misses
|Domain
|bigint
|text
|The number of cache misses during this time frame
|The HTTP domain (shortened host)
|-
|-
|bypasses
|referer
|Bypasses
|Referer
|bigint
|text
|The number of cache user bypasses during this time frame
|The Referer URL
|-
|-
|systems
|c2s_content_length
|System bypasses
|Client-to-server Content Length
|bigint
|bigint
|The number of cache system bypasses during this time frame
|The client-to-server content length
|-
|-
|hit_bytes
|s2c_content_length
|Hit Bytes
|Server-to-client Content Length
|bigint
|bigint
|The number of bytes saved from cache hits
|The server-to-client content length
|-
|-
|miss_bytes
|s2c_content_type
|Miss Bytes
|Server-to-client Content Type
|bigint
|text
|The number of bytes not saved from cache misses
|The server-to-client content type
|-
|-
|event_id
|ad_blocker_cookie_ident
|Event ID
|Ad Blocker Cookie
|bigint
|text
|The unique event ID
|This name of cookie blocked by Ad Blocker
|-
|-
|}
|ad_blocker_action
<section end='web_cache_stats' />
|Ad Blocker Action
 
|character(1)
 
|This action of Ad Blocker on this request
== http_query_events ==
<section begin='http_query_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|event_id
|web_filter_reason
|Event ID
|Web Filter Reason
|bigint
|character(1)
|The unique event ID
|This reason Web Filter blocked/flagged this request
|-
|-
|time_stamp
|web_filter_category_id
|Timestamp
|Web Filter Category ID
|timestamp without time zone
|int
|The time of the event
|This category ID according to Web Filter
|-
|-
|session_id
|web_filter_blocked
|Session ID
|Web Filter Blocked
|bigint
|boolean
|The session
|If Web Filter blocked this request
|-
|-
|client_intf
|web_filter_flagged
|Client Interface
|Web Filter Flagged
|smallint
|boolean
|The client interface
|If Web Filter flagged this request
|-
|-
|server_intf
|virus_blocker_lite_clean
|Server Interface
|Virus Blocker Lite Clean
|smallint
|boolean
|The server interface
|The cleanliness of the file according to Virus Blocker Lite
|-
|-
|c_client_addr
|virus_blocker_lite_name
|Client-side Client Address
|Virus Blocker Lite Name
|inet
|text
|The client-side client IP address
|The name of the malware according to Virus Blocker Lite
|-
|-
|s_client_addr
|virus_blocker_clean
|Server-side Client Address
|Virus Blocker Clean
|inet
|boolean
|The server-side client IP address
|The cleanliness of the file according to Virus Blocker
|-
|-
|c_server_addr
|virus_blocker_name
|Client-side Server Address
|Virus Blocker Name
|inet
|text
|The client-side server IP address
|The name of the malware according to Virus Blocker
|-
|-
|s_server_addr
|}
|Server-side Server Address
<section end='http_events' />
|inet
 
|The server-side server IP address
== ftp_events ==
<section begin='ftp_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|c_client_port
|event_id
|Client-side Client Port
|Event ID
|integer
|bigint
|The client-side client port
|The unique event ID
|-
|-
|s_client_port
|time_stamp
|Server-side Client Port
|Timestamp
|integer
|timestamp without time zone
|The server-side client port
|The time of the event
|-
|-
|c_server_port
|session_id
|Client-side Server Port
|Session ID
|integer
|bigint
|The client-side server port
|The session
|-
|-
|s_server_port
|client_intf
|Server-side Server Port
|Client Interface
|integer
|smallint
|The server-side server port
|The client interface
|-
|-
|policy_id
|server_intf
|Policy ID
|Server Interface
|bigint
|smallint
|The policy
|The server interface
|-
|-
|username
|c_client_addr
|Username
|Client-side Client Address
|text
|inet
|The username associated with this session
|The client-side client IP address
|-
|-
|hostname
|s_client_addr
|Hostname
|Server-side Client Address
|text
|inet
|The hostname of the local address
|The server-side client IP address
|-
|c_server_addr
|Client-side Server Address
|inet
|The client-side server IP address
|-
|s_server_addr
|Server-side Server Address
|inet
|The server-side server IP address
|-
|policy_id
|Policy ID
|bigint
|The policy
|-
|username
|Username
|text
|The username associated with this session
|-
|hostname
|Hostname
|text
|The hostname of the local address
|-
|-
|request_id
|request_id
|Request ID
|Request ID
|bigint
|bigint
|The HTTP request ID
|The FTP request ID
|-
|-
|method
|method
|Method
|Method
|character(1)
|character(1)
|The HTTP method
|The FTP method
|-
|-
|uri
|uri
|URI
|URI
|text
|text
|The HTTP URI
|The FTP URI
|-
|-
|term
|virus_blocker_lite_clean
|Search Term
|Virus Blocker Lite Clean
|text
|boolean
|The search term
|The cleanliness of the file according to Virus Blocker Lite
|-
|-
|host
|virus_blocker_lite_name
|Host
|Virus Blocker Lite Name
|text
|text
|The HTTP host
|The name of the malware according to Virus Blocker Lite
|-
|-
|c2s_content_length
|virus_blocker_clean
|Client-to-server Content Length
|Virus Blocker Clean
|bigint
|boolean
|The client-to-server content length
|The cleanliness of the file according to Virus Blocker
|-
|-
|s2c_content_length
|virus_blocker_name
|Server-to-client Content Length
|Virus Blocker Name
|bigint
|The server-to-client content length
|-
|s2c_content_type
|Server-to-client Content Type
|text
|text
|The server-to-client content type
|The name of the malware according to Virus Blocker
|-
|-
|}
|}
<section end='http_query_events' />
<section end='ftp_events' />




== directory_connector_login_events ==  
== ipsec_user_events ==  
<section begin='directory_connector_login_events' />
<section begin='ipsec_user_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,486: Line 1,618:
!Type
!Type
!Description
!Description
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|-
|time_stamp
|time_stamp
Line 1,492: Line 1,629:
|The time of the event
|The time of the event
|-
|-
|login_name
|connect_stamp
|Login Name
|Connect Time
|text
|timestamp without time zone
|The login name
|The time the connection started
|-
|goodbye_stamp
|End Time
|timestamp without time zone
|The time the connection ended
|-
|-
|domain
|client_address
|Domain
|Client Address
|text
|text
|The AD domain
|The remote IP address of the client
|-
|-
|type
|client_protocol
|Type
|Client Protocol
|text
|text
|The type of event (I=Login,U=Update,O=Logout)
|The protocol the client used to connect
|-
|-
|client_addr
|client_username
|Client Address
|Client Username
|inet
|text
|The client IP address
|The username of the client
|-
|-
|}
|net_process
<section end='directory_connector_login_events' />
|Net Process
 
|text
 
|The PID of the PPP process for L2TP connections or the connection ID for Xauth connections
== admin_logins ==
<section begin='admin_logins' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|net_interface
|Timestamp
|Net Interface
|timestamp without time zone
|text
|The time of the event
|The PPP interface for L2TP connections or the client interface for Xauth connections
|-
|-
|login
|elapsed_time
|Login
|Elapsed Time
|text
|text
|The login name
|The total time the client was connected
|-
|-
|local
|rx_bytes
|Local
|Bytes Received
|boolean
|bigint
|True if it is a login attempt through a local process
|The number of bytes received from the client in this connection
|-
|-
|client_addr
|tx_bytes
|Client Address
|Bytes Sent
|inet
|bigint
|The client IP address
|The number of bytes sent to the client in this connection
|-
|-
|succeeded
|}
|Succeeded
<section end='ipsec_user_events' />
|boolean
 
|True if the login succeeded, false otherwise
|-
|reason
|Reason
|character(1)
|The reason for the login (if applicable)
|-
|}
<section end='admin_logins' />


 
== ipsec_tunnel_stats ==  
== sessions ==  
<section begin='ipsec_tunnel_stats' />
<section begin='sessions' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,567: Line 1,691:
!Type
!Type
!Description
!Description
|-
|session_id
|Session ID
|bigint
|The session
|-
|-
|time_stamp
|time_stamp
Line 1,578: Line 1,697:
|The time of the event
|The time of the event
|-
|-
|end_time
|tunnel_name
|End Time
|Tunnel Name
|timestamp without time zone
|text
|The time the session ended
|The name of the IPsec tunnel
|-
|-
|bypassed
|in_bytes
|Bypassed
|In Bytes
|boolean
|bigint
|True if the session was bypassed, false otherwise
|The number of bytes received during this time frame
|-
|-
|entitled
|out_bytes
|Entitled
|Out Bytes
|boolean
|bigint
|True if the session is entitled to premium functionality
|The number of bytes transmitted during this time frame
|-
|-
|protocol
|event_id
|Protocol
|Event ID
|smallint
|bigint
|The IP protocol of session
|The unique event ID
|-
|-
|icmp_type
|}
|ICMP Type
<section end='ipsec_tunnel_stats' />
|smallint
 
|The ICMP type of session if ICMP
 
|-
== interface_stat_events ==
|hostname
<section begin='interface_stat_events' />
|Hostname
 
|text
{| border="1" cellpadding="2" width="90%%" align="center"
|The hostname of the local address
!Column Name
!Human Name
!Type
!Description
|-
|-
|username
|time_stamp
|Username
|Timestamp
|text
|timestamp without time zone
|The username associated with this session
|The time of the event
|-
|-
|policy_id
|interface_id
|Policy ID
|Interface ID
|smallint
|integer
|The policy
|The interface ID
|-
|-
|policy_rule_id
|rx_rate
|Policy Rule ID
|Rx Rate
|smallint
|double precision
|The ID of the matching policy rule (0 means none)
|The RX rate (bytes/s)
|-
|-
|local_addr
|tx_rate
|Local Address
|Tx Rate
|inet
|double precision
|The IP address of the local participant
|The TX rate (bytes/s)
|-
|-
|remote_addr
|}
|Remote Address
<section end='interface_stat_events' />
|inet
 
|The IP address of the remote participant
 
== configuration_backup_events ==
<section begin='configuration_backup_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|c_client_addr
|time_stamp
|Client-side Client Address
|Timestamp
|inet
|timestamp without time zone
|The client-side client IP address
|The time of the event
|-
|-
|c_server_addr
|success
|Client-side Server Address
|Success
|inet
|boolean
|The client-side server IP address
|The result of the backup (true if the backup succeeded, false otherwise)
|-
|-
|c_server_port
|description
|Client-side Server Port
|Text detail of the event
|integer
|text
|The client-side server port
|Text detail of the event
|-
|-
|c_client_port
|destination
|Client-side Client Port
|Destination
|integer
|text
|The client-side client port
|The location of the backup
|-
|-
|s_client_addr
|event_id
|Server-side Client Address
|Event ID
|inet
|bigint
|The server-side client IP address
|The unique event ID
|-
|-
|s_server_addr
|}
|Server-side Server Address
<section end='configuration_backup_events' />
|inet
 
|The server-side server IP address
 
== directory_connector_login_events ==
<section begin='directory_connector_login_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|s_server_port
|time_stamp
|Server-side Server Port
|Timestamp
|integer
|timestamp without time zone
|The server-side server port
|The time of the event
|-
|-
|s_client_port
|login_name
|Server-side Client Port
|Login Name
|integer
|text
|The server-side client port
|The login name
|-
|-
|client_intf
|domain
|Client Interface
|Domain
|smallint
|text
|The client interface
|The AD domain
|-
|-
|server_intf
|type
|Server Interface
|Type
|smallint
|The server interface
|-
|client_country
|Client Country
|text
|text
|The client Country
|The type of event (I=Login,U=Update,O=Logout)
|-
|-
|client_latitude
|client_addr
|Client Latitude
|Client Address
|real
|inet
|The client Latitude
|The client IP address
|-
|-
|client_longitude
|}
|Client Longitude
<section end='directory_connector_login_events' />
|real
 
|The client Longitude
 
== server_events ==
<section begin='server_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|server_country
|time_stamp
|Server Country
|Timestamp
|text
|timestamp without time zone
|The server Country
|The time of the event
|-
|-
|server_latitude
|load_1
|Server Latitude
|CPU load (1-min)
|real
|numeric(6,2)
|The server Latitude
|The 1-minute CPU load
|-
|-
|server_longitude
|load_5
|Server Longitude
|CPU load (5-min)
|real
|numeric(6,2)
|The server Longitude
|The 5-minute CPU load
|-
|load_15
|CPU load (15-min)
|numeric(6,2)
|The 15-minute CPU load
|-
|cpu_user
|CPU User Utilization
|numeric(6,3)
|The user CPU percent utilization
|-
|-
|c2p_bytes
|cpu_system
|From-Client Bytes
|CPU System Utilization
|bigint
|numeric(6,3)
|The number of bytes the client sent to Untangle (client-to-pipeline)
|The system CPU percent utilization
|-
|-
|p2c_bytes
|mem_total
|To-Client Bytes
|Total Memory
|bigint
|bigint
|The number of bytes Untangle sent to client (pipeline-to-client)
|The total bytes of memory
|-
|-
|s2p_bytes
|mem_free
|From-Server Bytes
|Memory Free
|bigint
|bigint
|The number of bytes the server sent to Untangle (client-to-pipeline)
|The number of free bytes of memory
|-
|-
|p2s_bytes
|disk_total
|To-Server Bytes
|Disk Size
|bigint
|bigint
|The number of bytes Untangle sent to server (pipeline-to-client)
|The total disk size in bytes
|-
|-
|filter_prefix
|disk_free
|Filter Block
|Disk Free
|text
|bigint
|The network filter that blocked the connection
|The free disk space in bytes
|-
|-
|firewall_blocked
|swap_total
|Firewall Blocked
|Swap Size
|boolean
|bigint
|True if Firewall blocked the session, false otherwise
|The total swap size in bytes
|-
|-
|firewall_flagged
|swap_free
|Firewall Flagged
|Swap Free
|boolean
|bigint
|True if Firewall flagged the session, false otherwise
|The free disk swap in bytes
|-
|-
|firewall_rule_index
|active_hosts
|Firewall Rule ID
|Active Hosts
|integer
|integer
|The matching rule in Firewall (if any)
|The number of active hosts
|-
|-
|application_control_lite_protocol
|}
|Application Control Lite Protocol
<section end='server_events' />
|text
 
|The application protocol according to Application Control Lite
 
== web_cache_stats ==
<section begin='web_cache_stats' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|application_control_lite_blocked
|time_stamp
|Application Control Lite Blocked
|Timestamp
|boolean
|timestamp without time zone
|True if Application Control Lite blocked the session
|The time of the event
|-
|-
|captive_portal_blocked
|hits
|Captive Portal Blocked
|Hits
|boolean
|bigint
|True if Captive Portal blocked the session
|The number of cache hits during this time frame
|-
|-
|captive_portal_rule_index
|misses
|Captive Portal Rule ID
|Misses
|integer
|bigint
|The matching rule in Captive Portal (if any)
|The number of cache misses during this time frame
|-
|-
|application_control_application
|bypasses
|Application Control Application
|Bypasses
|text
|bigint
|The application according to Application Control
|The number of cache user bypasses during this time frame
|-
|-
|application_control_protochain
|systems
|Application Control Protochain
|System bypasses
|text
|bigint
|The protochain according to Application Control
|The number of cache system bypasses during this time frame
|-
|-
|application_control_category
|hit_bytes
|Application Control Category
|Hit Bytes
|text
|bigint
|The category according to Application Control
|The number of bytes saved from cache hits
|-
|-
|application_control_blocked
|miss_bytes
|Application Control Blocked
|Miss Bytes
|boolean
|bigint
|True if Application Control blocked the session
|The number of bytes not saved from cache misses
|-
|-
|application_control_flagged
|event_id
|Application Control Flagged
|Event ID
|boolean
|bigint
|True if Application Control flagged the session
|The unique event ID
|-
|-
|application_control_confidence
|}
|Application Control Confidence
<section end='web_cache_stats' />
|integer
 
|True if Application Control confidence of this session's identification
 
|-
== http_query_events ==
|application_control_ruleid
<section begin='http_query_events' />
|Application Control Rule ID
 
|integer
{| border="1" cellpadding="2" width="90%%" align="center"
|The matching rule in Application Control (if any)
!Column Name
!Human Name
!Type
!Description
|-
|-
|application_control_detail
|event_id
|Application Control Detail
|Event ID
|text
|bigint
|The text detail from the Application Control engine
|The unique event ID
|-
|-
|bandwidth_control_priority
|time_stamp
|Bandwidth Control Priority
|Timestamp
|integer
|timestamp without time zone
|The priority given to this session
|The time of the event
|-
|-
|bandwidth_control_rule
|session_id
|Bandwidth Control Rule ID
|Session ID
|integer
|bigint
|The matching rule in Bandwidth Control rule (if any)
|The session
|-
|-
|ssl_inspector_ruleid
|client_intf
|SSL Inspector Rule ID
|Client Interface
|integer
|smallint
|The matching rule in SSL Inspector rule (if any)
|The client interface
|-
|-
|ssl_inspector_status
|server_intf
|SSL Inspector Status
|Server Interface
|text
|smallint
|The status/action of the SSL session (INSPECTED/IGNORED/BLOCKED/UNTRUSTED/ABANDONED)
|The server interface
|-
|-
|ssl_inspector_detail
|c_client_addr
|SSL Inspector Detail
|Client-side Client Address
|text
|inet
|Additional text detail about the SSL connection (SNI, IP Address)
|The client-side client IP address
|-
|-
|}
|s_client_addr
<section end='sessions' />
|Server-side Client Address
 
|inet
 
|The server-side client IP address
== session_minutes ==
<section begin='session_minutes' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|session_id
|c_server_addr
|Session ID
|Client-side Server Address
|bigint
|inet
|The session
|The client-side server IP address
|-
|-
|time_stamp
|s_server_addr
|Timestamp
|Server-side Server Address
|timestamp without time zone
|inet
|The time of the event
|The server-side server IP address
|-
|-
|c2s_bytes
|c_client_port
|From-Client Bytes
|Client-side Client Port
|bigint
|integer
|The number of bytes the client sent
|The client-side client port
|-
|-
|s2c_bytes
|s_client_port
|From-Server Bytes
|Server-side Client Port
|bigint
|integer
|The number of bytes the server sent
|The server-side client port
|-
|-
|start_time
|c_server_port
|Start Time
|Client-side Server Port
|timestamp without time zone
|integer
|The start time of the session
|The client-side server port
|-
|-
|end_time
|s_server_port
|End Time
|Server-side Server Port
|timestamp without time zone
|integer
|The time the session ended
|The server-side server port
|-
|-
|bypassed
|policy_id
|Bypassed
|Policy ID
|boolean
|bigint
|True if the session was bypassed, false otherwise
|The policy
|-
|-
|entitled
|username
|Entitled
|Username
|boolean
|text
|True if the session is entitled to premium functionality
|The username associated with this session
|-
|protocol
|Protocol
|smallint
|The IP protocol of session
|-
|icmp_type
|ICMP Type
|smallint
|The ICMP type of session if ICMP
|-
|-
|hostname
|hostname
Line 1,906: Line 2,050:
|The hostname of the local address
|The hostname of the local address
|-
|-
|username
|request_id
|Username
|Request ID
|text
|bigint
|The username associated with this session
|The HTTP request ID
|-
|-
|policy_id
|method
|Policy ID
|Method
|smallint
|character(1)
|The policy
|The HTTP method
|-
|-
|policy_rule_id
|uri
|Policy Rule ID
|URI
|smallint
|text
|The ID of the matching policy rule (0 means none)
|The HTTP URI
|-
|-
|local_addr
|term
|Local Address
|Search Term
|inet
|text
|The IP address of the local participant
|The search term
|-
|-
|remote_addr
|host
|Remote Address
|Host
|inet
|text
|The IP address of the remote participant
|The HTTP host
|-
|-
|c_client_addr
|c2s_content_length
|Client-side Client Address
|Client-to-server Content Length
|inet
|bigint
|The client-side client IP address
|The client-to-server content length
|-
|-
|c_server_addr
|s2c_content_length
|Client-side Server Address
|Server-to-client Content Length
|inet
|bigint
|The client-side server IP address
|The server-to-client content length
|-
|-
|c_server_port
|s2c_content_type
|Client-side Server Port
|Server-to-client Content Type
|integer
|text
|The client-side server port
|The server-to-client content type
|-
|-
|c_client_port
|}
|Client-side Client Port
<section end='http_query_events' />
|integer
 
|The client-side client port
 
|-
== captive_portal_user_events ==
|s_client_addr
<section begin='captive_portal_user_events' />
|Server-side Client Address
 
|inet
{| border="1" cellpadding="2" width="90%%" align="center"
|The server-side client IP address
!Column Name
!Human Name
!Type
!Description
|-
|-
|s_server_addr
|time_stamp
|Server-side Server Address
|Timestamp
|inet
|timestamp without time zone
|The server-side server IP address
|The time of the event
|-
|-
|s_server_port
|policy_id
|Server-side Server Port
|Policy ID
|integer
|bigint
|The server-side server port
|The policy
|-
|-
|s_client_port
|event_id
|Server-side Client Port
|Event ID
|integer
|bigint
|The server-side client port
|The unique event ID
|-
|-
|client_intf
|login_name
|Client Interface
|Login Name
|smallint
|text
|The client interface
|The login username
|-
|-
|server_intf
|event_info
|Server Interface
|Event Type
|smallint
|text
|The server interface
|The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
|-
|-
|client_country
|auth_type
|Client Country
|Authorization Type
|text
|text
|The client Country
|The authorization type for this event
|-
|-
|client_latitude
|client_addr
|Client Latitude
|Client Address
|real
|text
|The client Latitude
|The remote IP address of the client
|-
|-
|client_longitude
|}
|Client Longitude
<section end='captive_portal_user_events' />
|real
 
|The client Longitude
 
== openvpn_stats ==
<section begin='openvpn_stats' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|server_country
|time_stamp
|Server Country
|Timestamp
|text
|timestamp without time zone
|The server Country
|The time of the event
|-
|-
|server_latitude
|start_time
|Server Latitude
|Start Time
|real
|timestamp without time zone
|The server Latitude
|The time the OpenVPN session started
|-
|-
|server_longitude
|end_time
|Server Longitude
|End Time
|real
|timestamp without time zone
|The server Longitude
|The time the OpenVPN session ended
|-
|-
|filter_prefix
|rx_bytes
|Filter Block
|Bytes Received
|text
|bigint
|The network filter that blocked the connection
|The total bytes received from the client during this session
|-
|-
|firewall_blocked
|tx_bytes
|Firewall Blocked
|Bytes Sent
|boolean
|bigint
|True if Firewall blocked the session, false otherwise
|The total bytes sent to the client during this session
|-
|-
|firewall_flagged
|remote_address
|Firewall Flagged
|Remote Address
|boolean
|inet
|True if Firewall flagged the session, false otherwise
|The remote IP address of the client
|-
|-
|firewall_rule_index
|pool_address
|Firewall Rule ID
|Pool Address
|inet
|The pool IP address of the client
|-
|remote_port
|Remote Port
|integer
|integer
|The matching rule in Firewall (if any)
|The remote port of the client
|-
|-
|application_control_lite_protocol
|client_name
|Application Control Lite Protocol
|Client Name
|text
|text
|The application protocol according to Application Control Lite
|The name of the client
|-
|-
|application_control_lite_blocked
|event_id
|Application Control Lite Blocked
|Event ID
|boolean
|bigint
|True if Application Control Lite blocked the session
|The unique event ID
|-
|-
|captive_portal_blocked
|}
|Captive Portal Blocked
<section end='openvpn_stats' />
|boolean
 
|True if Captive Portal blocked the session
 
|-
== openvpn_events ==
|captive_portal_rule_index
<section begin='openvpn_events' />
|Captive Portal Rule ID
 
|integer
{| border="1" cellpadding="2" width="90%%" align="center"
|The matching rule in Captive Portal (if any)
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|-
|application_control_application
|remote_address
|Application Control Application
|Remote Address
|text
|inet
|The application according to Application Control
|The remote IP address of the client
|-
|-
|application_control_protochain
|pool_address
|Application Control Protochain
|Pool Address
|text
|inet
|The protochain according to Application Control
|The pool IP address of the client
|-
|-
|application_control_category
|client_name
|Application Control Category
|Client Name
|text
|text
|The category according to Application Control
|The name of the client
|-
|-
|application_control_blocked
|type
|Application Control Blocked
|Type
|boolean
|text
|True if Application Control blocked the session
|The type of the event (CONNECT,DISCONNECT)
|-
|-
|application_control_flagged
|}
|Application Control Flagged
<section end='openvpn_events' />
|boolean
 
|True if Application Control flagged the session
 
== intrusion_prevention_events ==
<section begin='intrusion_prevention_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|application_control_confidence
|time_stamp
|Application Control Confidence
|Timestamp
|integer
|timestamp without time zone
|True if Application Control confidence of this session's identification
|The time of the event
|-
|-
|application_control_ruleid
|sig_id
|Application Control Rule ID
|Signature ID
|integer
|bigint
|The matching rule in Application Control (if any)
|This ID of the rule
|-
|-
|application_control_detail
|gen_id
|Application Control Detail
|Grouping ID
|text
|bigint
|The text detail from the Application Control engine
|The grouping ID for the rule, The gen_id + sig_id specify the rule's unique identifier
|-
|-
|bandwidth_control_priority
|class_id
|Bandwidth Control Priority
|Classtype ID
|integer
|bigint
|The priority given to this session
|The numeric ID for the classtype
|-
|-
|bandwidth_control_rule
|source_addr
|Bandwidth Control Rule ID
|Source Address
|inet
|The source IP address of the packet
|-
|source_port
|Source Port
|integer
|integer
|The matching rule in Bandwidth Control rule (if any)
|The source port of the packet (if applicable)
|-
|dest_addr
|Destination Address
|inet
|The destination IP address of the packet
|-
|-
|ssl_inspector_ruleid
|dest_port
|SSL Inspector Rule ID
|Destination Port
|integer
|integer
|The matching rule in SSL Inspector rule (if any)
|The destination port of the packet (if applicable)
|-
|-
|ssl_inspector_status
|protocol
|SSL Inspector Status
|Protocol
|text
|integer
|The status/action of the SSL session (INSPECTED/IGNORED/BLOCKED/UNTRUSTED/ABANDONED)
|The protocol of the packet
|-
|-
|ssl_inspector_detail
|blocked
|SSL Inspector Detail
|Blocked
|text
|boolean
|Additional text detail about the SSL connection (SNI, IP Address)
|If the packet was blocked/dropped
|-
|category
|Category
|text
|The application specific grouping
|-
|classtype
|Classtype
|text
|The generalized threat rule grouping (unrelated to gen_id)
|-
|msg
|Message
|text
|The "title" or "description" of the rule
|-
|-
|}
|}
<section end='session_minutes' />
<section end='intrusion_prevention_events' />




== penaltybox ==  
== syslog ==  
<section begin='penaltybox' />
<section begin='syslog' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 2,129: Line 2,330:
!Description
!Description
|-
|-
|address
|time_stamp
|Address
|Timestamp
|inet
|timestamp without time zone
|The IP address of the host
|The time of the event
|-
|-
|reason
|description
|Reason
|Text detail of the event
|text
|text
|The reason for the action
|The description from the alert rule.
|-
|-
|start_time
|summary_text
|Start Time
|Summary Text
|timestamp without time zone
|text
|The time the client entered the penalty box
|The summary text of the alert
|-
|-
|end_time
|json
|End Time
|JSON Text
|timestamp without time zone
|text
|The time the client exited the penalty box
|The summary JSON representation of the event causing the alert
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|-
|}
|}
<section end='penaltybox' />
<section end='syslog' />




== quotas ==  
== user_table_updates ==  
<section begin='quotas' />
<section begin='user_table_updates' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 2,167: Line 2,363:
!Description
!Description
|-
|-
|time_stamp
|username
|Timestamp
|Username
|timestamp without time zone
|text
|The time of the event
|The username
|-
|-
|address
|key
|Address
|Key
|inet
|The IP address of the host
|-
|action
|Action
|integer
|The action (1=Quota Given, 2=Quota Exceeded)
|-
|size
|Size
|bigint
|The size of the quota
|-
|reason
|Reason
|text
|text
|The reason for the action
|The key being updated
|-
|}
<section end='quotas' />
 
 
== host_table_updates ==
<section begin='host_table_updates' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|address
|Address
|inet
|The IP address of the host
|-
|key
|Key
|text
|The key being updated
|-
|value
|Value
|text
|The new value for the key
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|}
<section end='host_table_updates' />
 
 
== device_table_updates ==
<section begin='device_table_updates' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|mac_address
|MAC Address
|text
|The MAC address of the device
|-
|key
|Key
|text
|The key being updated
|-
|value
|Value
|text
|The new value for the key
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|}
<section end='device_table_updates' />
 
 
== alerts ==
<section begin='alerts' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|description
|Text detail of the event
|text
|The description from the alert rule.
|-
|summary_text
|Summary Text
|text
|The summary text of the alert
|-
|json
|JSON Text
|text
|The summary JSON representation of the event causing the alert
|-
|}
<section end='alerts' />
 
 
== configuration_backup_events ==
<section begin='configuration_backup_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|value
|Timestamp
|Value
|timestamp without time zone
|The time of the event
|-
|success
|Success
|boolean
|The result of the backup (true if the backup succeeded, false otherwise)
|-
|description
|Text detail of the event
|text
|text
|Text detail of the event
|The new value for the key
|-
|-
|destination
|old_value
|Destination
|Old Value
|text
|text
|The location of the backup
|The old value for the key
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|}
<section end='configuration_backup_events' />
 
 
== settings_changes ==
<section begin='settings_changes' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|time_stamp
Line 2,346: Line 2,387:
|timestamp without time zone
|timestamp without time zone
|The time of the event
|The time of the event
|-
|settings_file
|Settings File
|text
|The name of the file changed
|-
|username
|Username
|text
|The username logged in at the time of the change
|-
|hostname
|Hostname
|text
|The remote hostname
|-
|-
|}
|}
<section end='settings_changes' />
<section end='user_table_updates' />

Revision as of 21:47, 21 August 2019

Database Tables

admin_logins

<section begin='admin_logins' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
login Login text The login name
local Local boolean True if it is a login attempt through a local process
client_addr Client Address inet The client IP address
succeeded Succeeded boolean True if the login succeeded, false otherwise
reason Reason character(1) The reason for the login (if applicable)

<section end='admin_logins' />


sessions

<section begin='sessions' />

Column Name Human Name Type Description
session_id Session ID bigint The session
time_stamp Timestamp timestamp without time zone The time of the event
end_time End Time timestamp without time zone The time the session ended
bypassed Bypassed boolean True if the session was bypassed, false otherwise
entitled Entitled boolean True if the session is entitled to premium functionality
protocol Protocol smallint The IP protocol of session
icmp_type ICMP Type smallint The ICMP type of session if ICMP
hostname Hostname text The hostname of the local address
username Username text The username associated with this session
policy_id Policy ID smallint The policy
policy_rule_id Policy Rule ID smallint The ID of the matching policy rule (0 means none)
c_client_addr Client-side Client Address inet The client-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
c_server_port Client-side Server Port integer The client-side server port
c_client_port Client-side Client Port integer The client-side client port
s_client_addr Server-side Client Address inet The server-side client IP address
s_server_addr Server-side Server Address inet The server-side server IP address
s_server_port Server-side Server Port integer The server-side server port
s_client_port Server-side Client Port integer The server-side client port
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
client_country Client Country text The client Country
client_latitude Client Latitude real The client Latitude
client_longitude Client Longitude real The client Longitude
server_country Server Country text The server Country
server_latitude Server Latitude real The server Latitude
server_longitude Server Longitude real The server Longitude
c2p_bytes From-Client Bytes bigint The number of bytes the client sent to Untangle (client-to-pipeline)
p2c_bytes To-Client Bytes bigint The number of bytes Untangle sent to client (pipeline-to-client)
s2p_bytes From-Server Bytes bigint The number of bytes the server sent to Untangle (client-to-pipeline)
p2s_bytes To-Server Bytes bigint The number of bytes Untangle sent to server (pipeline-to-client)
filter_prefix Filter Block text The network filter that blocked the connection (filter,shield,invalid)
firewall_blocked Firewall Blocked boolean True if Firewall blocked the session, false otherwise
firewall_flagged Firewall Flagged boolean True if Firewall flagged the session, false otherwise
firewall_rule_index Firewall Rule ID integer The matching rule in Firewall (if any)
application_control_lite_protocol Application Control Lite Protocol text The application protocol according to Application Control Lite
application_control_lite_blocked Application Control Lite Blocked boolean True if Application Control Lite blocked the session
captive_portal_blocked Captive Portal Blocked boolean True if Captive Portal blocked the session
captive_portal_rule_index Captive Portal Rule ID integer The matching rule in Captive Portal (if any)
application_control_application Application Control Application text The application according to Application Control
application_control_protochain Application Control Protochain text The protochain according to Application Control
application_control_category Application Control Category text The category according to Application Control
application_control_blocked Application Control Blocked boolean True if Application Control blocked the session
application_control_flagged Application Control Flagged boolean True if Application Control flagged the session
application_control_confidence Application Control Confidence integer True if Application Control confidence of this session's identification
application_control_ruleid Application Control Rule ID integer The matching rule in Application Control (if any)
application_control_detail Application Control Detail text The text detail from the Application Control engine
bandwidth_control_priority Bandwidth Control Priority integer The priority given to this session
bandwidth_control_rule Bandwidth Control Rule ID integer The matching rule in Bandwidth Control rule (if any)
ssl_inspector_ruleid SSL Inspector Rule ID integer The matching rule in SSL Inspector rule (if any)
ssl_inspector_status SSL Inspector Status text The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED)
ssl_inspector_detail SSL Inspector Detail text Additional text detail about the SSL connection (SNI, IP Address)
local_addr Local Address inet The IP address of the local participant
remote_addr Remote Address inet The IP address of the remote participant
tags Tags text The tags on this session

<section end='sessions' />


session_minutes

<section begin='session_minutes' />

Column Name Human Name Type Description
session_id Session ID bigint The session
time_stamp Timestamp timestamp without time zone The time of the event
c2s_bytes From-Client Bytes bigint The number of bytes the client sent
s2c_bytes From-Server Bytes bigint The number of bytes the server sent
start_time Start Time timestamp without time zone The start time of the session
end_time End Time timestamp without time zone The time the session ended
bypassed Bypassed boolean True if the session was bypassed, false otherwise
entitled Entitled boolean True if the session is entitled to premium functionality
protocol Protocol smallint The IP protocol of session
icmp_type ICMP Type smallint The ICMP type of session if ICMP
hostname Hostname text The hostname of the local address
username Username text The username associated with this session
policy_id Policy ID smallint The policy
policy_rule_id Policy Rule ID smallint The ID of the matching policy rule (0 means none)
c_client_addr Client-side Client Address inet The client-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
c_server_port Client-side Server Port integer The client-side server port
c_client_port Client-side Client Port integer The client-side client port
s_client_addr Server-side Client Address inet The server-side client IP address
s_server_addr Server-side Server Address inet The server-side server IP address
s_server_port Server-side Server Port integer The server-side server port
s_client_port Server-side Client Port integer The server-side client port
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
client_country Client Country text The client Country
client_latitude Client Latitude real The client Latitude
client_longitude Client Longitude real The client Longitude
server_country Server Country text The server Country
server_latitude Server Latitude real The server Latitude
server_longitude Server Longitude real The server Longitude
filter_prefix Filter Block text The network filter that blocked the connection (filter,shield,invalid)
firewall_blocked Firewall Blocked boolean True if Firewall blocked the session, false otherwise
firewall_flagged Firewall Flagged boolean True if Firewall flagged the session, false otherwise
firewall_rule_index Firewall Rule ID integer The matching rule in Firewall (if any)
application_control_lite_protocol Application Control Lite Protocol text The application protocol according to Application Control Lite
application_control_lite_blocked Application Control Lite Blocked boolean True if Application Control Lite blocked the session
captive_portal_blocked Captive Portal Blocked boolean True if Captive Portal blocked the session
captive_portal_rule_index Captive Portal Rule ID integer The matching rule in Captive Portal (if any)
application_control_application Application Control Application text The application according to Application Control
application_control_protochain Application Control Protochain text The protochain according to Application Control
application_control_category Application Control Category text The category according to Application Control
application_control_blocked Application Control Blocked boolean True if Application Control blocked the session
application_control_flagged Application Control Flagged boolean True if Application Control flagged the session
application_control_confidence Application Control Confidence integer True if Application Control confidence of this session's identification
application_control_ruleid Application Control Rule ID integer The matching rule in Application Control (if any)
application_control_detail Application Control Detail text The text detail from the Application Control engine
bandwidth_control_priority Bandwidth Control Priority integer The priority given to this session
bandwidth_control_rule Bandwidth Control Rule ID integer The matching rule in Bandwidth Control rule (if any)
ssl_inspector_ruleid SSL Inspector Rule ID integer The matching rule in SSL Inspector rule (if any)
ssl_inspector_status SSL Inspector Status text The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED)
ssl_inspector_detail SSL Inspector Detail text Additional text detail about the SSL connection (SNI, IP Address)
local_addr Local Address inet The IP address of the local participant
remote_addr Remote Address inet The IP address of the remote participant
tags Tags text The tags on this session

<section end='session_minutes' />


quotas

<section begin='quotas' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
action Action integer The action (1=Quota Given, 2=Quota Exceeded)
size Size bigint The size of the quota
reason Reason text The reason for the action
entity Entity text The IP entity given the quota (address/username)

<section end='quotas' />


host_table_updates

<section begin='host_table_updates' />

Column Name Human Name Type Description
address Address inet The IP address of the host
key Key text The key being updated
value Value text The new value for the key
time_stamp Timestamp timestamp without time zone The time of the event
old_value Old Value text The old value for the key

<section end='host_table_updates' />


device_table_updates

<section begin='device_table_updates' />

Column Name Human Name Type Description
mac_address MAC Address text The MAC address of the device
key Key text The key being updated
value Value text The new value for the key
time_stamp Timestamp timestamp without time zone The time of the event
old_value Old Value text The old value for the key

<section end='device_table_updates' />


alerts

<section begin='alerts' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
description Text detail of the event text The description from the alert rule.
summary_text Summary Text text The summary text of the alert
json JSON Text text The summary JSON representation of the event causing the alert

<section end='alerts' />


settings_changes

<section begin='settings_changes' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
settings_file Settings File text The name of the file changed
username Username text The username logged in at the time of the change
hostname Hostname text The remote hostname

<section end='settings_changes' />


wan_failover_test_events

<section begin='wan_failover_test_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
interface_id Interface ID integer This interface ID
name Interface Name text This name of the interface
description Text detail of the event text The description from the test rule
success Success boolean The result of the test (true if the test succeeded, false otherwise)
event_id Event ID bigint The unique event ID

<section end='wan_failover_test_events' />


wan_failover_action_events

<section begin='wan_failover_action_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
interface_id Interface ID integer This interface ID
action Action text This action (CONNECTED,DISCONNECTED)
os_name Interface O/S Name text This O/S name of the interface
name Interface Name text This name of the interface
event_id Event ID bigint The unique event ID

<section end='wan_failover_action_events' />


mail_msgs

<section begin='mail_msgs' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
session_id Session ID bigint The session
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
c_client_addr Client-side Client Address inet The client-side client IP address
s_client_addr Server-side Client Address inet The server-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
s_server_addr Server-side Server Address inet The server-side server IP address
c_client_port Client-side Client Port integer The client-side client port
s_client_port Server-side Client Port integer The server-side client port
c_server_port Client-side Server Port integer The client-side server port
s_server_port Server-side Server Port integer The server-side server port
policy_id Policy ID bigint The policy
username Username text The username associated with this session
msg_id Message ID bigint The message ID
subject Subject text The email subject
hostname Hostname text The hostname of the local address
event_id Event ID bigint The unique event ID
sender Sender text The address of the sender
receiver Receiver text The address of the receiver
virus_blocker_lite_clean Virus Blocker Lite Clean boolean The cleanliness of the file according to Virus Blocker Lite
virus_blocker_lite_name Virus Blocker Lite Name text The name of the malware according to Virus Blocker Lite
virus_blocker_clean Virus Blocker Clean boolean The cleanliness of the file according to Virus Blocker
virus_blocker_name Virus Blocker Name text The name of the malware according to Virus Blocker
spam_blocker_lite_score Spam Blocker Lite Score real The score of the email according to Spam Blocker Lite
spam_blocker_lite_is_spam Spam Blocker Lite Spam boolean The spam status of the email according to Spam Blocker Lite
spam_blocker_lite_tests_string Spam Blocker Lite Tests text The tess results for Spam Blocker Lite
spam_blocker_lite_action Spam Blocker Lite Action character(1) The action taken by Spam Blocker Lite
spam_blocker_score Spam Blocker Score real The score of the email according to Spam Blocker
spam_blocker_is_spam Spam Blocker Spam boolean The spam status of the email according to Spam Blocker
spam_blocker_tests_string Spam Blocker Tests text The tess results for Spam Blocker
spam_blocker_action Spam Blocker Action character(1) The action taken by Spam Blocker
phish_blocker_score Phish Blocker Score real The score of the email according to Phish Blocker
phish_blocker_is_spam Phish Blocker Phish boolean The phish status of the email according to Phish Blocker
phish_blocker_tests_string Phish Blocker Tests text The tess results for Phish Blocker
phish_blocker_action Phish Blocker Action character(1) The action taken by Phish Blocker

<section end='mail_msgs' />


mail_addrs

<section begin='mail_addrs' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
session_id Session ID bigint The session
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
c_client_addr Client-side Client Address inet The client-side client IP address
s_client_addr Server-side Client Address inet The server-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
s_server_addr Server-side Server Address inet The server-side server IP address
c_client_port Client-side Client Port integer The client-side client port
s_client_port Server-side Client Port integer The server-side client port
c_server_port Client-side Server Port integer The client-side server port
s_server_port Server-side Server Port integer The server-side server port
policy_id Policy ID bigint The policy
username Username text The username associated with this session
msg_id Message ID bigint The message ID
subject Subject text The email subject
addr Address text The address of this event
addr_name Address Name text The name for this address
addr_kind Address Kind character(1) The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
hostname Hostname text The hostname of the local address
event_id Event ID bigint The unique event ID
sender Sender text The address of the sender
virus_blocker_lite_clean Virus Blocker Lite Clean boolean The cleanliness of the file according to Virus Blocker Lite
virus_blocker_lite_name Virus Blocker Lite Name text The name of the malware according to Virus Blocker Lite
virus_blocker_clean Virus Blocker Clean boolean The cleanliness of the file according to Virus Blocker
virus_blocker_name Virus Blocker Name text The name of the malware according to Virus Blocker
spam_blocker_lite_score Spam Blocker Lite Score real The score of the email according to Spam Blocker Lite
spam_blocker_lite_is_spam Spam Blocker Lite Spam boolean The spam status of the email according to Spam Blocker Lite
spam_blocker_lite_action Spam Blocker Lite Action character(1) The action taken by Spam Blocker Lite
spam_blocker_lite_tests_string Spam Blocker Lite Tests text The tess results for Spam Blocker Lite
spam_blocker_score Spam Blocker Score real The score of the email according to Spam Blocker
spam_blocker_is_spam Spam Blocker Spam boolean The spam status of the email according to Spam Blocker
spam_blocker_action Spam Blocker Action character(1) The action taken by Spam Blocker
spam_blocker_tests_string Spam Blocker Tests text The tess results for Spam Blocker
phish_blocker_score Phish Blocker Score real The score of the email according to Phish Blocker
phish_blocker_is_spam Phish Blocker Phish boolean The phish status of the email according to Phish Blocker
phish_blocker_tests_string Phish Blocker Tests text The tess results for Phish Blocker
phish_blocker_action Phish Blocker Action character(1) The action taken by Phish Blocker

<section end='mail_addrs' />


smtp_tarpit_events

<section begin='smtp_tarpit_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
ipaddr Client Address inet The client IP address
hostname Hostname text The hostname of the local address
policy_id Policy ID bigint The policy
vendor_name Vendor Name character varying(255) The "vendor name" of the app that logged the event
event_id Event ID bigint The unique event ID

<section end='smtp_tarpit_events' />


http_events

<section begin='http_events' />

Column Name Human Name Type Description
request_id Request ID bigint The HTTP request ID
time_stamp Timestamp timestamp without time zone The time of the event
session_id Session ID bigint The session
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
c_client_addr Client-side Client Address inet The client-side client IP address
s_client_addr Server-side Client Address inet The server-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
s_server_addr Server-side Server Address inet The server-side server IP address
c_client_port Client-side Client Port integer The client-side client port
s_client_port Server-side Client Port integer The server-side client port
c_server_port Client-side Server Port integer The client-side server port
s_server_port Server-side Server Port integer The server-side server port
policy_id Policy ID smallint The policy
username Username text The username associated with this session
hostname Hostname text The hostname of the local address
method Method character(1) The HTTP method
uri URI text The HTTP URI
host Host text The HTTP host
domain Domain text The HTTP domain (shortened host)
referer Referer text The Referer URL
c2s_content_length Client-to-server Content Length bigint The client-to-server content length
s2c_content_length Server-to-client Content Length bigint The server-to-client content length
s2c_content_type Server-to-client Content Type text The server-to-client content type
ad_blocker_cookie_ident Ad Blocker Cookie text This name of cookie blocked by Ad Blocker
ad_blocker_action Ad Blocker Action character(1) This action of Ad Blocker on this request
web_filter_reason Web Filter Reason character(1) This reason Web Filter blocked/flagged this request
web_filter_category_id Web Filter Category ID int This category ID according to Web Filter
web_filter_blocked Web Filter Blocked boolean If Web Filter blocked this request
web_filter_flagged Web Filter Flagged boolean If Web Filter flagged this request
virus_blocker_lite_clean Virus Blocker Lite Clean boolean The cleanliness of the file according to Virus Blocker Lite
virus_blocker_lite_name Virus Blocker Lite Name text The name of the malware according to Virus Blocker Lite
virus_blocker_clean Virus Blocker Clean boolean The cleanliness of the file according to Virus Blocker
virus_blocker_name Virus Blocker Name text The name of the malware according to Virus Blocker

<section end='http_events' />

ftp_events

<section begin='ftp_events' />

Column Name Human Name Type Description
event_id Event ID bigint The unique event ID
time_stamp Timestamp timestamp without time zone The time of the event
session_id Session ID bigint The session
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
c_client_addr Client-side Client Address inet The client-side client IP address
s_client_addr Server-side Client Address inet The server-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
s_server_addr Server-side Server Address inet The server-side server IP address
policy_id Policy ID bigint The policy
username Username text The username associated with this session
hostname Hostname text The hostname of the local address
request_id Request ID bigint The FTP request ID
method Method character(1) The FTP method
uri URI text The FTP URI
virus_blocker_lite_clean Virus Blocker Lite Clean boolean The cleanliness of the file according to Virus Blocker Lite
virus_blocker_lite_name Virus Blocker Lite Name text The name of the malware according to Virus Blocker Lite
virus_blocker_clean Virus Blocker Clean boolean The cleanliness of the file according to Virus Blocker
virus_blocker_name Virus Blocker Name text The name of the malware according to Virus Blocker

<section end='ftp_events' />


ipsec_user_events

<section begin='ipsec_user_events' />

Column Name Human Name Type Description
event_id Event ID bigint The unique event ID
time_stamp Timestamp timestamp without time zone The time of the event
connect_stamp Connect Time timestamp without time zone The time the connection started
goodbye_stamp End Time timestamp without time zone The time the connection ended
client_address Client Address text The remote IP address of the client
client_protocol Client Protocol text The protocol the client used to connect
client_username Client Username text The username of the client
net_process Net Process text The PID of the PPP process for L2TP connections or the connection ID for Xauth connections
net_interface Net Interface text The PPP interface for L2TP connections or the client interface for Xauth connections
elapsed_time Elapsed Time text The total time the client was connected
rx_bytes Bytes Received bigint The number of bytes received from the client in this connection
tx_bytes Bytes Sent bigint The number of bytes sent to the client in this connection

<section end='ipsec_user_events' />


ipsec_tunnel_stats

<section begin='ipsec_tunnel_stats' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
tunnel_name Tunnel Name text The name of the IPsec tunnel
in_bytes In Bytes bigint The number of bytes received during this time frame
out_bytes Out Bytes bigint The number of bytes transmitted during this time frame
event_id Event ID bigint The unique event ID

<section end='ipsec_tunnel_stats' />


interface_stat_events

<section begin='interface_stat_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
interface_id Interface ID integer The interface ID
rx_rate Rx Rate double precision The RX rate (bytes/s)
tx_rate Tx Rate double precision The TX rate (bytes/s)

<section end='interface_stat_events' />


configuration_backup_events

<section begin='configuration_backup_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
success Success boolean The result of the backup (true if the backup succeeded, false otherwise)
description Text detail of the event text Text detail of the event
destination Destination text The location of the backup
event_id Event ID bigint The unique event ID

<section end='configuration_backup_events' />


directory_connector_login_events

<section begin='directory_connector_login_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
login_name Login Name text The login name
domain Domain text The AD domain
type Type text The type of event (I=Login,U=Update,O=Logout)
client_addr Client Address inet The client IP address

<section end='directory_connector_login_events' />


server_events

<section begin='server_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
load_1 CPU load (1-min) numeric(6,2) The 1-minute CPU load
load_5 CPU load (5-min) numeric(6,2) The 5-minute CPU load
load_15 CPU load (15-min) numeric(6,2) The 15-minute CPU load
cpu_user CPU User Utilization numeric(6,3) The user CPU percent utilization
cpu_system CPU System Utilization numeric(6,3) The system CPU percent utilization
mem_total Total Memory bigint The total bytes of memory
mem_free Memory Free bigint The number of free bytes of memory
disk_total Disk Size bigint The total disk size in bytes
disk_free Disk Free bigint The free disk space in bytes
swap_total Swap Size bigint The total swap size in bytes
swap_free Swap Free bigint The free disk swap in bytes
active_hosts Active Hosts integer The number of active hosts

<section end='server_events' />


web_cache_stats

<section begin='web_cache_stats' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
hits Hits bigint The number of cache hits during this time frame
misses Misses bigint The number of cache misses during this time frame
bypasses Bypasses bigint The number of cache user bypasses during this time frame
systems System bypasses bigint The number of cache system bypasses during this time frame
hit_bytes Hit Bytes bigint The number of bytes saved from cache hits
miss_bytes Miss Bytes bigint The number of bytes not saved from cache misses
event_id Event ID bigint The unique event ID

<section end='web_cache_stats' />


http_query_events

<section begin='http_query_events' />

Column Name Human Name Type Description
event_id Event ID bigint The unique event ID
time_stamp Timestamp timestamp without time zone The time of the event
session_id Session ID bigint The session
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
c_client_addr Client-side Client Address inet The client-side client IP address
s_client_addr Server-side Client Address inet The server-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
s_server_addr Server-side Server Address inet The server-side server IP address
c_client_port Client-side Client Port integer The client-side client port
s_client_port Server-side Client Port integer The server-side client port
c_server_port Client-side Server Port integer The client-side server port
s_server_port Server-side Server Port integer The server-side server port
policy_id Policy ID bigint The policy
username Username text The username associated with this session
hostname Hostname text The hostname of the local address
request_id Request ID bigint The HTTP request ID
method Method character(1) The HTTP method
uri URI text The HTTP URI
term Search Term text The search term
host Host text The HTTP host
c2s_content_length Client-to-server Content Length bigint The client-to-server content length
s2c_content_length Server-to-client Content Length bigint The server-to-client content length
s2c_content_type Server-to-client Content Type text The server-to-client content type

<section end='http_query_events' />


captive_portal_user_events

<section begin='captive_portal_user_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
policy_id Policy ID bigint The policy
event_id Event ID bigint The unique event ID
login_name Login Name text The login username
event_info Event Type text The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
auth_type Authorization Type text The authorization type for this event
client_addr Client Address text The remote IP address of the client

<section end='captive_portal_user_events' />


openvpn_stats

<section begin='openvpn_stats' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
start_time Start Time timestamp without time zone The time the OpenVPN session started
end_time End Time timestamp without time zone The time the OpenVPN session ended
rx_bytes Bytes Received bigint The total bytes received from the client during this session
tx_bytes Bytes Sent bigint The total bytes sent to the client during this session
remote_address Remote Address inet The remote IP address of the client
pool_address Pool Address inet The pool IP address of the client
remote_port Remote Port integer The remote port of the client
client_name Client Name text The name of the client
event_id Event ID bigint The unique event ID

<section end='openvpn_stats' />


openvpn_events

<section begin='openvpn_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
remote_address Remote Address inet The remote IP address of the client
pool_address Pool Address inet The pool IP address of the client
client_name Client Name text The name of the client
type Type text The type of the event (CONNECT,DISCONNECT)

<section end='openvpn_events' />


intrusion_prevention_events

<section begin='intrusion_prevention_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
sig_id Signature ID bigint This ID of the rule
gen_id Grouping ID bigint The grouping ID for the rule, The gen_id + sig_id specify the rule's unique identifier
class_id Classtype ID bigint The numeric ID for the classtype
source_addr Source Address inet The source IP address of the packet
source_port Source Port integer The source port of the packet (if applicable)
dest_addr Destination Address inet The destination IP address of the packet
dest_port Destination Port integer The destination port of the packet (if applicable)
protocol Protocol integer The protocol of the packet
blocked Blocked boolean If the packet was blocked/dropped
category Category text The application specific grouping
classtype Classtype text The generalized threat rule grouping (unrelated to gen_id)
msg Message text The "title" or "description" of the rule

<section end='intrusion_prevention_events' />


syslog

<section begin='syslog' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
description Text detail of the event text The description from the alert rule.
summary_text Summary Text text The summary text of the alert
json JSON Text text The summary JSON representation of the event causing the alert

<section end='syslog' />


user_table_updates

<section begin='user_table_updates' />

Column Name Human Name Type Description
username Username text The username
key Key text The key being updated
value Value text The new value for the key
old_value Old Value text The old value for the key
time_stamp Timestamp timestamp without time zone The time of the event

<section end='user_table_updates' />

Retrieved from "https://wiki.edge.arista.com/index.php?title=Database_Schema&oldid=26785"