Database Schema: Difference between revisions

From Edge Threat Management Wiki - Arista
No edit summary
(6 intermediate revisions by one other user not shown)
Line 1: Line 1:
= Database Tables =
= Database Tables =


== admin_logins ==  
== configuration_backup_events ==  
<section begin='admin_logins' />
<section begin='configuration_backup_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 15: Line 15:
|The time of the event
|The time of the event
|-
|-
|login
|success
|Login
|Success
|boolean
|The result of the backup (true if the backup succeeded, false otherwise)
|-
|description
|Text detail of the event
|text
|text
|The login name
|Text detail of the event
|-
|-
|local
|destination
|Local
|Destination
|boolean
|text
|True if it is a login attempt through a local process
|The location of the backup
|-
|-
|client_addr
|event_id
|Client Address
|Event ID
|inet
|bigint
|The client IP address
|The unique event ID
|-
|succeeded
|Succeeded
|boolean
|True if the login succeeded, false otherwise
|-
|reason
|Reason
|character(1)
|The reason for the login (if applicable)
|-
|-
|}
|}
<section end='admin_logins' />
<section end='configuration_backup_events' />
()


 
== http_events ==  
== sessions ==  
<section begin='http_events' />
<section begin='sessions' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 53: Line 48:
!Description
!Description
|-
|-
|session_id
|request_id
|Session ID
|Request ID
|bigint
|bigint
|The session
|The HTTP request ID
|-
|-
|time_stamp
|time_stamp
Line 63: Line 58:
|The time of the event
|The time of the event
|-
|-
|end_time
|session_id
|End Time
|Session ID
|timestamp without time zone
|bigint
|The time the session ended
|The session
|-
|-
|bypassed
|client_intf
|Bypassed
|Client Interface
|boolean
|True if the session was bypassed, false otherwise
|-
|entitled
|Entitled
|boolean
|True if the session is entitled to premium functionality
|-
|protocol
|Protocol
|smallint
|smallint
|The IP protocol of session
|The client interface
|-
|-
|icmp_type
|server_intf
|ICMP Type
|Server Interface
|smallint
|smallint
|The ICMP type of session if ICMP
|The server interface
|-
|-
|hostname
|c_client_addr
|Hostname
|Client-side Client Address
|text
|inet
|The hostname of the local address
|The client-side client IP address
|-
|-
|username
|s_client_addr
|Username
|Server-side Client Address
|text
|inet
|The username associated with this session
|The server-side client IP address
|-
|policy_id
|Policy ID
|smallint
|The policy
|-
|policy_rule_id
|Policy Rule ID
|smallint
|The ID of the matching policy rule (0 means none)
|-
|c_client_addr
|Client-side Client Address
|inet
|The client-side client IP address
|-
|-
|c_server_addr
|c_server_addr
Line 118: Line 88:
|The client-side server IP address
|The client-side server IP address
|-
|-
|c_server_port
|s_server_addr
|Client-side Server Port
|Server-side Server Address
|integer
|inet
|The client-side server port
|The server-side server IP address
|-
|-
|c_client_port
|c_client_port
Line 128: Line 98:
|The client-side client port
|The client-side client port
|-
|-
|s_client_addr
|s_client_port
|Server-side Client Address
|Server-side Client Port
|inet
|integer
|The server-side client IP address
|The server-side client port
|-
|-
|s_server_addr
|c_server_port
|Server-side Server Address
|Client-side Server Port
|inet
|integer
|The server-side server IP address
|The client-side server port
|-
|-
|s_server_port
|s_server_port
Line 142: Line 112:
|integer
|integer
|The server-side server port
|The server-side server port
|-
|s_client_port
|Server-side Client Port
|integer
|The server-side client port
|-
|client_intf
|Client Interface
|smallint
|The client interface
|-
|server_intf
|Server Interface
|smallint
|The server interface
|-
|-
|client_country
|client_country
Line 188: Line 143:
|The server Longitude
|The server Longitude
|-
|-
|c2p_bytes
|policy_id
|From-Client Bytes
|Policy ID
|bigint
|smallint
|The number of bytes the client sent to Untangle (client-to-pipeline)
|The policy
|-
|-
|p2c_bytes
|username
|To-Client Bytes
|Username
|bigint
|text
|The number of bytes Untangle sent to client (pipeline-to-client)
|The username associated with this session
|-
|-
|s2p_bytes
|hostname
|From-Server Bytes
|Hostname
|bigint
|text
|The number of bytes the server sent to Untangle (client-to-pipeline)
|The hostname of the local address
|-
|-
|p2s_bytes
|method
|To-Server Bytes
|Method
|bigint
|character(1)
|The number of bytes Untangle sent to server (pipeline-to-client)
|The HTTP method
|-
|-
|filter_prefix
|uri
|Filter Block
|URI
|text
|text
|The network filter that blocked the connection (filter,shield,invalid)
|The HTTP URI
|-
|-
|firewall_blocked
|host
|Firewall Blocked
|Host
|boolean
|text
|True if Firewall blocked the session, false otherwise
|The HTTP host
|-
|-
|firewall_flagged
|domain
|Firewall Flagged
|Domain
|boolean
|text
|True if Firewall flagged the session, false otherwise
|The HTTP domain (shortened host)
|-
|-
|firewall_rule_index
|referer
|Firewall Rule ID
|Referer
|integer
|The matching rule in Firewall (if any)
|-
|application_control_lite_protocol
|Application Control Lite Protocol
|text
|text
|The application protocol according to Application Control Lite
|The Referer URL
|-
|-
|application_control_lite_blocked
|c2s_content_length
|Application Control Lite Blocked
|Client-to-server Content Length
|boolean
|bigint
|True if Application Control Lite blocked the session
|The client-to-server content length
|-
|-
|captive_portal_blocked
|s2c_content_length
|Captive Portal Blocked
|Server-to-client Content Length
|boolean
|bigint
|True if Captive Portal blocked the session
|The server-to-client content length
|-
|-
|captive_portal_rule_index
|s2c_content_type
|Captive Portal Rule ID
|Server-to-client Content Type
|integer
|The matching rule in Captive Portal (if any)
|-
|application_control_application
|Application Control Application
|text
|text
|The application according to Application Control
|The server-to-client content type
|-
|-
|application_control_protochain
|s2c_content_filename
|Application Control Protochain
|Server-to-client Content Disposition Filename
|text
|text
|The protochain according to Application Control
|The server-to-client content disposition filename
|-
|-
|application_control_category
|ad_blocker_cookie_ident
|Application Control Category
|Ad Blocker Cookie
|text
|text
|The category according to Application Control
|This name of cookie blocked by Ad Blocker
|-
|-
|application_control_blocked
|ad_blocker_action
|Application Control Blocked
|Ad Blocker Action
|boolean
|character(1)
|True if Application Control blocked the session
|This action of Ad Blocker on this request
|-
|-
|application_control_flagged
|web_filter_reason
|Application Control Flagged
|Web Filter Reason
|boolean
|character(1)
|True if Application Control flagged the session
|This reason Web Filter blocked/flagged this request
|-
|web_filter_category_id
|Web Filter Category Id
|smallint
|This numeric category according to Web Filter
|-
|-
|application_control_confidence
|web_filter_rule_id
|Application Control Confidence
|Web Filter Rule Id
|integer
|smallint
|True if Application Control confidence of this session's identification
|This numeric rule according to Web Filter
|-
|-
|application_control_ruleid
|web_filter_blocked
|Application Control Rule ID
|Web Filter Blocked
|integer
|boolean
|The matching rule in Application Control (if any)
|If Web Filter blocked this request
|-
|-
|application_control_detail
|web_filter_flagged
|Application Control Detail
|Web Filter Flagged
|text
|boolean
|The text detail from the Application Control engine
|If Web Filter flagged this request
|-
|-
|bandwidth_control_priority
|virus_blocker_lite_clean
|Bandwidth Control Priority
|Virus Blocker Lite Clean
|integer
|boolean
|The priority given to this session
|The cleanliness of the file according to Virus Blocker Lite
|-
|-
|bandwidth_control_rule
|virus_blocker_lite_name
|Bandwidth Control Rule ID
|Virus Blocker Lite Name
|integer
|text
|The matching rule in Bandwidth Control rule (if any)
|The name of the malware according to Virus Blocker Lite
|-
|-
|ssl_inspector_ruleid
|virus_blocker_clean
|SSL Inspector Rule ID
|Virus Blocker Clean
|integer
|boolean
|The matching rule in SSL Inspector rule (if any)
|The cleanliness of the file according to Virus Blocker
|-
|-
|ssl_inspector_status
|virus_blocker_name
|SSL Inspector Status
|Virus Blocker Name
|text
|text
|The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED)
|The name of the malware according to Virus Blocker
|-
|-
|ssl_inspector_detail
|threat_prevention_blocked
|SSL Inspector Detail
|Threat Prevention Blocked
|text
|boolean
|Additional text detail about the SSL connection (SNI, IP Address)
|If Threat Prevention blocked this request
|-
|-
|local_addr
|threat_prevention_flagged
|Local Address
|Threat Prevention Flagged
|inet
|boolean
|The IP address of the local participant
|If Threat Prevention flagged this request
|-
|threat_prevention_rule_id
|Threat Prevention Rule Id
|integer
|This numeric rule according to Threat Prevention
|-
|-
|remote_addr
|threat_prevention_reputation
|Remote Address
|Threat Prevention Reputation
|inet
|smallint
|The IP address of the remote participant
|This numeric threat reputation
|-
|-
|tags
|threat_prevention_categories
|Tags
|Threat Prevention Categories
|text
|integer
|The tags on this session
|This bitmask of threat categories
|-
|-
|}
|}
<section end='sessions' />
<section end='http_events' />
()


 
== intrusion_prevention_events ==  
== session_minutes ==  
<section begin='intrusion_prevention_events' />
<section begin='session_minutes' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
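Review bot: the s2p_bytes and p2s_bytes rows in this hunk carry the wrong direction labels: s2p_bytes is described as "(client-to-pipeline)" and p2s_bytes as "(pipeline-to-client)", the same labels used for c2p_bytes and p2c_bytes. Going by the column names and the From-Server/To-Server human names, these should read server-to-pipeline and pipeline-to-server, since anyone building traffic-volume reports from these counters relies on these cells. The application_control_confidence row is also typed integer but described with "True if ...", which should be reworded as a confidence value.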
Line 340: Line 295:
!Type
!Type
!Description
!Description
|-
|session_id
|Session ID
|bigint
|The session
|-
|-
|time_stamp
|time_stamp
Line 351: Line 301:
|The time of the event
|The time of the event
|-
|-
|c2s_bytes
|sig_id
|From-Client Bytes
|Signature ID
|bigint
|bigint
|The number of bytes the client sent
|This ID of the rule
|-
|-
|s2c_bytes
|gen_id
|From-Server Bytes
|Grouping ID
|bigint
|bigint
|The number of bytes the server sent
|The grouping ID for the rule, The gen_id + sig_id specify the rule's unique identifier
|-
|-
|start_time
|class_id
|Start Time
|Classtype ID
|timestamp without time zone
|bigint
|The start time of the session
|The numeric ID for the classtype
|-
|-
|end_time
|source_addr
|End Time
|Source Address
|timestamp without time zone
|inet
|The time the session ended
|The source IP address of the packet
|-
|-
|bypassed
|source_port
|Bypassed
|Source Port
|boolean
|integer
|True if the session was bypassed, false otherwise
|The source port of the packet (if applicable)
|-
|-
|entitled
|dest_addr
|Entitled
|Destination Address
|boolean
|inet
|True if the session is entitled to premium functionality
|The destination IP address of the packet
|-
|dest_port
|Destination Port
|integer
|The destination port of the packet (if applicable)
|-
|-
|protocol
|protocol
|Protocol
|Protocol
|smallint
|integer
|The IP protocol of session
|The protocol of the packet
|-
|-
|icmp_type
|blocked
|ICMP Type
|Blocked
|smallint
|boolean
|The ICMP type of session if ICMP
|If the packet was blocked/dropped
|-
|-
|hostname
|category
|Hostname
|Category
|text
|text
|The hostname of the local address
|The application specific grouping for the signature
|-
|-
|username
|classtype
|Username
|Classtype
|text
|text
|The username associated with this session
|The generalized threat signature grouping (unrelated to gen_id)
|-
|-
|policy_id
|msg
|Policy ID
|Message
|smallint
|text
|The policy
|The "title" or "description" of the signature
|-
|-
|policy_rule_id
|rid
|Policy Rule ID
|Rule ID
|smallint
|text
|The ID of the matching policy rule (0 means none)
|The rule id
|-
|-
|c_client_addr
|rule_id
|Client-side Client Address
|Rule ID
|inet
|text
|The client-side client IP address
|The rule id
|-
|-
|c_server_addr
|}
|Client-side Server Address
<section end='intrusion_prevention_events' />
|inet
()
|The client-side server IP address
 
== smtp_tarpit_events ==
<section begin='smtp_tarpit_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|c_server_port
|time_stamp
|Client-side Server Port
|Timestamp
|integer
|timestamp without time zone
|The client-side server port
|The time of the event
|-
|-
|c_client_port
|ipaddr
|Client-side Client Port
|Client Address
|integer
|The client-side client port
|-
|s_client_addr
|Server-side Client Address
|inet
|inet
|The server-side client IP address
|The client IP address
|-
|-
|s_server_addr
|hostname
|Server-side Server Address
|Hostname
|inet
|text
|The server-side server IP address
|The hostname of the local address
|-
|-
|s_server_port
|policy_id
|Server-side Server Port
|Policy ID
|integer
|bigint
|The server-side server port
|The policy
|-
|-
|s_client_port
|vendor_name
|Server-side Client Port
|Vendor Name
|integer
|character varying(255)
|The server-side client port
|The "vendor name" of the app that logged the event
|-
|-
|client_intf
|event_id
|Client Interface
|Event ID
|smallint
|bigint
|The client interface
|The unique event ID
|-
|-
|server_intf
|}
|Server Interface
<section end='smtp_tarpit_events' />
|smallint
()
|The server interface
 
== ipsec_user_events ==
<section begin='ipsec_user_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|client_country
|event_id
|Client Country
|Event ID
|text
|bigint
|The client Country
|The unique event ID
|-
|-
|client_latitude
|time_stamp
|Client Latitude
|Timestamp
|real
|timestamp without time zone
|The client Latitude
|The time of the event
|-
|-
|client_longitude
|connect_stamp
|Client Longitude
|Connect Time
|real
|timestamp without time zone
|The client Longitude
|The time the connection started
|-
|-
|server_country
|goodbye_stamp
|Server Country
|End Time
|text
|timestamp without time zone
|The server Country
|The time the connection ended
|-
|-
|server_latitude
|client_address
|Server Latitude
|Client Address
|real
|text
|The server Latitude
|The remote IP address of the client
|-
|-
|server_longitude
|client_protocol
|Server Longitude
|Client Protocol
|real
|text
|The server Longitude
|The protocol the client used to connect
|-
|-
|filter_prefix
|client_username
|Filter Block
|Client Username
|text
|text
|The network filter that blocked the connection (filter,shield,invalid)
|The username of the client
|-
|-
|firewall_blocked
|net_process
|Firewall Blocked
|Net Process
|boolean
|text
|True if Firewall blocked the session, false otherwise
|The PID of the PPP process for L2TP connections or the connection ID for Xauth connections
|-
|-
|firewall_flagged
|net_interface
|Firewall Flagged
|Net Interface
|boolean
|text
|True if Firewall flagged the session, false otherwise
|The PPP interface for L2TP connections or the client interface for Xauth connections
|-
|-
|firewall_rule_index
|elapsed_time
|Firewall Rule ID
|Elapsed Time
|integer
|The matching rule in Firewall (if any)
|-
|application_control_lite_protocol
|Application Control Lite Protocol
|text
|text
|The application protocol according to Application Control Lite
|The total time the client was connected
|-
|-
|application_control_lite_blocked
|rx_bytes
|Application Control Lite Blocked
|Bytes Received
|boolean
|bigint
|True if Application Control Lite blocked the session
|The number of bytes received from the client in this connection
|-
|-
|captive_portal_blocked
|tx_bytes
|Captive Portal Blocked
|Bytes Sent
|boolean
|bigint
|True if Captive Portal blocked the session
|The number of bytes sent to the client in this connection
|-
|-
|captive_portal_rule_index
|}
|Captive Portal Rule ID
<section end='ipsec_user_events' />
|integer
()
|The matching rule in Captive Portal (if any)
 
== ipsec_vpn_events ==
<section begin='ipsec_vpn_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|-
|application_control_application
|local_address
|Application Control Application
|Local Address
|text
|text
|The application according to Application Control
|The local address of the tunnel
|-
|-
|application_control_protochain
|remote_address
|Application Control Protochain
|Remote Address
|text
|text
|The protochain according to Application Control
|The remote address of the tunnel
|-
|-
|application_control_category
|tunnel_description
|Application Control Category
|Tunnel Description
|text
|text
|The category according to Application Control
|The description of the tunnel
|-
|-
|application_control_blocked
|event_type
|Application Control Blocked
|Event Type
|boolean
|text
|True if Application Control blocked the session
|The type of the event (CONNECT,DISCONNECT)
|-
|-
|application_control_flagged
|}
|Application Control Flagged
<section end='ipsec_vpn_events' />
|boolean
()
|True if Application Control flagged the session
 
== ipsec_tunnel_stats ==
<section begin='ipsec_tunnel_stats' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|application_control_confidence
|time_stamp
|Application Control Confidence
|Timestamp
|integer
|timestamp without time zone
|True if Application Control confidence of this session's identification
|The time of the event
|-
|-
|application_control_ruleid
|tunnel_name
|Application Control Rule ID
|Tunnel Name
|integer
|The matching rule in Application Control (if any)
|-
|application_control_detail
|Application Control Detail
|text
|text
|The text detail from the Application Control engine
|The name of the IPsec tunnel
|-
|-
|bandwidth_control_priority
|in_bytes
|Bandwidth Control Priority
|In Bytes
|integer
|bigint
|The priority given to this session
|The number of bytes received during this time frame
|-
|-
|bandwidth_control_rule
|out_bytes
|Bandwidth Control Rule ID
|Out Bytes
|integer
|bigint
|The matching rule in Bandwidth Control rule (if any)
|The number of bytes transmitted during this time frame
|-
|-
|ssl_inspector_ruleid
|event_id
|SSL Inspector Rule ID
|Event ID
|integer
|bigint
|The matching rule in SSL Inspector rule (if any)
|The unique event ID
|-
|-
|ssl_inspector_status
|}
|SSL Inspector Status
<section end='ipsec_tunnel_stats' />
|text
()
|The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED)
|-
|ssl_inspector_detail
|SSL Inspector Detail
|text
|Additional text detail about the SSL connection (SNI, IP Address)
|-
|local_addr
|Local Address
|inet
|The IP address of the local participant
|-
|remote_addr
|Remote Address
|inet
|The IP address of the remote participant
|-
|tags
|Tags
|text
|The tags on this session
|-
|}
<section end='session_minutes' />


 
== http_query_events ==  
== quotas ==  
<section begin='http_query_events' />
<section begin='quotas' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
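Review bot: the rid and rule_id rows of intrusion_prevention_events are indistinguishable as documented: both have the human name "Rule ID", type text and description "The rule id". State how each relates to sig_id and gen_id and how the two differ from each other, or drop whichever is not a real column; otherwise a reader cannot tell which one to use when tracing an event back to its signature.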
Line 623: Line 580:
!Type
!Type
!Description
!Description
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|-
|time_stamp
|time_stamp
Line 629: Line 591:
|The time of the event
|The time of the event
|-
|-
|action
|session_id
|Action
|Session ID
|integer
|The action (1=Quota Given, 2=Quota Exceeded)
|-
|size
|Size
|bigint
|bigint
|The size of the quota
|The session
|-
|-
|reason
|client_intf
|Reason
|Client Interface
|text
|smallint
|The reason for the action
|The client interface
|-
|-
|entity
|server_intf
|Entity
|Server Interface
|text
|smallint
|The IP entity given the quota (address/username)
|The server interface
|-
|-
|}
|c_client_addr
<section end='quotas' />
|Client-side Client Address
 
|inet
 
|The client-side client IP address
== host_table_updates ==
<section begin='host_table_updates' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|address
|s_client_addr
|Address
|Server-side Client Address
|inet
|inet
|The IP address of the host
|The server-side client IP address
|-
|-
|key
|c_server_addr
|Key
|Client-side Server Address
|text
|inet
|The key being updated
|The client-side server IP address
|-
|-
|value
|s_server_addr
|Value
|Server-side Server Address
|text
|inet
|The new value for the key
|The server-side server IP address
|-
|c_client_port
|Client-side Client Port
|integer
|The client-side client port
|-
|-
|time_stamp
|s_client_port
|Timestamp
|Server-side Client Port
|timestamp without time zone
|integer
|The time of the event
|The server-side client port
|-
|-
|old_value
|c_server_port
|Old Value
|Client-side Server Port
|text
|integer
|The old value for the key
|The client-side server port
|-
|-
|}
|s_server_port
<section end='host_table_updates' />
|Server-side Server Port
 
|integer
 
|The server-side server port
== device_table_updates ==
<section begin='device_table_updates' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|mac_address
|policy_id
|MAC Address
|Policy ID
|text
|bigint
|The MAC address of the device
|The policy
|-
|-
|key
|username
|Key
|Username
|text
|text
|The key being updated
|The username associated with this session
|-
|-
|value
|hostname
|Value
|Hostname
|text
|text
|The new value for the key
|The hostname of the local address
|-
|-
|time_stamp
|request_id
|Timestamp
|Request ID
|timestamp without time zone
|bigint
|The time of the event
|The HTTP request ID
|-
|method
|Method
|character(1)
|The HTTP method
|-
|-
|old_value
|uri
|Old Value
|URI
|text
|text
|The old value for the key
|The HTTP URI
|-
|-
|}
|term
<section end='device_table_updates' />
|Search Term
 
|text
 
|The search term
== alerts ==
<section begin='alerts' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|host
|Timestamp
|Host
|timestamp without time zone
|text
|The time of the event
|The HTTP host
|-
|c2s_content_length
|Client-to-server Content Length
|bigint
|The client-to-server content length
|-
|s2c_content_length
|Server-to-client Content Length
|bigint
|The server-to-client content length
|-
|-
|description
|s2c_content_type
|Text detail of the event
|Server-to-client Content Type
|text
|text
|The description from the alert rule.
|The server-to-client content type
|-
|-
|summary_text
|blocked
|Summary Text
|Blocked
|text
|boolean
|The summary text of the alert
|If Web Filter blocked this search term
|-
|-
|json
|flagged
|JSON Text
|Flagged
|text
|boolean
|The summary JSON representation of the event causing the alert
|If Web Filter flagged this search term
|-
|-
|}
|}
<section end='alerts' />
<section end='http_query_events' />
()


 
== admin_logins ==  
== settings_changes ==  
<section begin='admin_logins' />
<section begin='settings_changes' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 776: Line 729:
|The time of the event
|The time of the event
|-
|-
|settings_file
|login
|Settings File
|Login
|text
|text
|The name of the file changed
|The login name
|-
|-
|username
|local
|Username
|Local
|text
|boolean
|The username logged in at the time of the change
|True if it is a login attempt through a local process
|-
|-
|hostname
|client_addr
|Hostname
|Client Address
|text
|inet
|The remote hostname
|The client IP address
|-
|-
|}
|succeeded
<section end='settings_changes' />
|Succeeded
|boolean
|True if the login succeeded, false otherwise
|-
|reason
|Reason
|character(1)
|The reason for the login (if applicable)
|-
|}
<section end='admin_logins' />
()


 
== sessions ==  
== wan_failover_test_events ==  
<section begin='sessions' />
<section begin='wan_failover_test_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
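Review bot: the reason row of admin_logins is typed character(1), but its description, "The reason for the login (if applicable)", lists none of the one-character codes. Enumerate the codes and their meanings in the description, as the quotas action row does with "(1=Quota Given, 2=Quota Exceeded)", so that login records can be interpreted from this page alone.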
Line 803: Line 766:
!Type
!Type
!Description
!Description
|-
|session_id
|Session ID
|bigint
|The session
|-
|-
|time_stamp
|time_stamp
Line 809: Line 777:
|The time of the event
|The time of the event
|-
|-
|interface_id
|end_time
|Interface ID
|End Time
|integer
|timestamp without time zone
|This interface ID
|The time the session ended
|-
|-
|name
|bypassed
|Interface Name
|Bypassed
|text
|boolean
|This name of the interface
|True if the session was bypassed, false otherwise
|-
|-
|description
|entitled
|Text detail of the event
|Entitled
|text
|boolean
|The description from the test rule
|True if the session is entitled to premium functionality
|-
|-
|success
|protocol
|Success
|Protocol
|boolean
|smallint
|The result of the test (true if the test succeeded, false otherwise)
|The IP protocol of session
|-
|-
|event_id
|icmp_type
|Event ID
|ICMP Type
|bigint
|smallint
|The unique event ID
|The ICMP type of session if ICMP
|-
|-
|}
|hostname
<section end='wan_failover_test_events' />
|Hostname
 
|text
 
|The hostname of the local address
== wan_failover_action_events ==
<section begin='wan_failover_action_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|username
|Timestamp
|Username
|timestamp without time zone
|text
|The time of the event
|The username associated with this session
|-
|-
|interface_id
|policy_id
|Interface ID
|Policy ID
|integer
|smallint
|This interface ID
|The policy
|-
|-
|action
|policy_rule_id
|Action
|Policy Rule ID
|text
|smallint
|This action (CONNECTED,DISCONNECTED)
|The ID of the matching policy rule (0 means none)
|-
|-
|os_name
|local_addr
|Interface O/S Name
|Local Address
|text
|inet
|This O/S name of the interface
|The IP address of the local participant
|-
|remote_addr
|Remote Address
|inet
|The IP address of the remote participant
|-
|-
|name
|c_client_addr
|Interface Name
|Client-side Client Address
|text
|inet
|This name of the interface
|The client-side client IP address
|-
|-
|event_id
|c_server_addr
|Event ID
|Client-side Server Address
|bigint
|inet
|The unique event ID
|The client-side server IP address
|-
|-
|}
|c_server_port
<section end='wan_failover_action_events' />
|Client-side Server Port
 
|integer
 
|The client-side server port
== mail_msgs ==
<section begin='mail_msgs' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|c_client_port
|Timestamp
|Client-side Client Port
|timestamp without time zone
|integer
|The time of the event
|The client-side client port
|-
|-
|session_id
|s_client_addr
|Session ID
|Server-side Client Address
|bigint
|inet
|The session
|The server-side client IP address
|-
|-
|client_intf
|s_server_addr
|Client Interface
|Server-side Server Address
|inet
|The server-side server IP address
|-
|s_server_port
|Server-side Server Port
|integer
|The server-side server port
|-
|s_client_port
|Server-side Client Port
|integer
|The server-side client port
|-
|client_intf
|Client Interface
|smallint
|smallint
|The client interface
|The client interface
Line 910: Line 882:
|The server interface
|The server interface
|-
|-
|c_client_addr
|client_country
|Client-side Client Address
|Client Country
|inet
|text
|The client-side client IP address
|The client Country
|-
|-
|s_client_addr
|client_latitude
|Server-side Client Address
|Client Latitude
|inet
|real
|The server-side client IP address
|The client Latitude
|-
|-
|c_server_addr
|client_longitude
|Client-side Server Address
|Client Longitude
|inet
|real
|The client-side server IP address
|The client Longitude
|-
|-
|s_server_addr
|server_country
|Server-side Server Address
|Server Country
|inet
|text
|The server-side server IP address
|The server Country
|-
|-
|c_client_port
|server_latitude
|Client-side Client Port
|Server Latitude
|integer
|real
|The client-side client port
|The server Latitude
|-
|-
|s_client_port
|server_longitude
|Server-side Client Port
|Server Longitude
|integer
|real
|The server-side client port
|The server Longitude
|-
|-
|c_server_port
|c2p_bytes
|Client-side Server Port
|From-Client Bytes
|integer
|bigint
|The client-side server port
|The number of bytes the client sent to Untangle (client-to-pipeline)
|-
|-
|s_server_port
|p2c_bytes
|Server-side Server Port
|To-Client Bytes
|integer
|bigint
|The server-side server port
|The number of bytes Untangle sent to client (pipeline-to-client)
|-
|-
|policy_id
|s2p_bytes
|Policy ID
|From-Server Bytes
|bigint
|bigint
|The policy
|The number of bytes the server sent to Untangle (client-to-pipeline)
|-
|-
|username
|p2s_bytes
|Username
|To-Server Bytes
|text
|The username associated with this session
|-
|msg_id
|Message ID
|bigint
|bigint
|The message ID
|The number of bytes Untangle sent to server (pipeline-to-client)
|-
|-
|subject
|filter_prefix
|Subject
|Filter Block
|text
|text
|The email subject
|The network filter that blocked the connection (filter,shield,invalid)
|-
|-
|hostname
|firewall_blocked
|Hostname
|Firewall Blocked
|text
|boolean
|The hostname of the local address
|True if Firewall blocked the session, false otherwise
|-
|-
|event_id
|firewall_flagged
|Event ID
|Firewall Flagged
|bigint
|boolean
|The unique event ID
|True if Firewall flagged the session, false otherwise
|-
|-
|sender
|firewall_rule_index
|Sender
|Firewall Rule ID
|text
|integer
|The address of the sender
|The matching rule in Firewall (if any)
|-
|-
|receiver
|threat_prevention_blocked
|Receiver
|Threat Prevention Blocked
|text
|boolean
|The address of the receiver
|If Threat Prevention blocked
|-
|-
|virus_blocker_lite_clean
|threat_prevention_flagged
|Virus Blocker Lite Clean
|Threat Prevention Flagged
|boolean
|boolean
|The cleanliness of the file according to Virus Blocker Lite
|If Threat Prevention flagged
|-
|-
|virus_blocker_lite_name
|threat_prevention_reason
|Virus Blocker Lite Name
|Threat Prevention Reason
|text
|character(1)
|The name of the malware according to Virus Blocker Lite
|Threat Prevention reason
|-
|-
|virus_blocker_clean
|threat_prevention_rule_id
|Virus Blocker Clean
|Threat Prevention Rule Id
|boolean
|integer
|The cleanliness of the file according to Virus Blocker
|Numeric rule id of Threat Prevention
|-
|-
|virus_blocker_name
|threat_prevention_client_reputation
|Virus Blocker Name
|Threat Prevention Client Reputation
|text
|smallint
|The name of the malware according to Virus Blocker
|Numeric client reputation of Threat Prevention
|-
|-
|spam_blocker_lite_score
|threat_prevention_client_categories
|Spam Blocker Lite Score
|Threat Prevention Client Categories
|real
|integer
|The score of the email according to Spam Blocker Lite
|Bitmask client categories of Threat Prevention
|-
|-
|spam_blocker_lite_is_spam
|threat_prevention_server_reputation
|Spam Blocker Lite Spam
|Threat Prevention Server Reputation
|boolean
|smallint
|The spam status of the email according to Spam Blocker Lite
|Numeric server reputation of Threat Prevention
|-
|-
|spam_blocker_lite_tests_string
|threat_prevention_server_categories
|Spam Blocker Lite Tests
|Threat Prevention Server Categories
|text
|integer
|The tess results for Spam Blocker Lite
|Bitmask server categories of Threat Prevention
|-
|-
|spam_blocker_lite_action
|application_control_lite_protocol
|Spam Blocker Lite Action
|Application Control Lite Protocol
|character(1)
|text
|The action taken by Spam Blocker Lite
|The application protocol according to Application Control Lite
|-
|-
|spam_blocker_score
|application_control_lite_blocked
|Spam Blocker Score
|Application Control Lite Blocked
|real
|boolean
|The score of the email according to Spam Blocker
|True if Application Control Lite blocked the session
|-
|-
|spam_blocker_is_spam
|captive_portal_blocked
|Spam Blocker Spam
|Captive Portal Blocked
|boolean
|boolean
|The spam status of the email according to Spam Blocker
|True if Captive Portal blocked the session
|-
|captive_portal_rule_index
|Captive Portal Rule ID
|integer
|The matching rule in Captive Portal (if any)
|-
|-
|spam_blocker_tests_string
|application_control_application
|Spam Blocker Tests
|Application Control Application
|text
|text
|The tess results for Spam Blocker
|The application according to Application Control
|-
|-
|spam_blocker_action
|application_control_protochain
|Spam Blocker Action
|Application Control Protochain
|character(1)
|text
|The action taken by Spam Blocker
|The protochain according to Application Control
|-
|-
|phish_blocker_score
|application_control_category
|Phish Blocker Score
|Application Control Category
|real
|text
|The score of the email according to Phish Blocker
|The category according to Application Control
|-
|-
|phish_blocker_is_spam
|application_control_blocked
|Phish Blocker Phish
|Application Control Blocked
|boolean
|boolean
|The phish status of the email according to Phish Blocker
|True if Application Control blocked the session
|-
|-
|phish_blocker_tests_string
|application_control_flagged
|Phish Blocker Tests
|Application Control Flagged
|text
|boolean
|The tess results for Phish Blocker
|True if Application Control flagged the session
|-
|-
|phish_blocker_action
|application_control_confidence
|Phish Blocker Action
|Application Control Confidence
|character(1)
|integer
|The action taken by Phish Blocker
|True if Application Control confidence of this session's identification
|-
|-
|}
|application_control_ruleid
<section end='mail_msgs' />
|Application Control Rule ID
 
|integer
 
|The matching rule in Application Control (if any)
== mail_addrs ==
<section begin='mail_addrs' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|application_control_detail
|Timestamp
|Application Control Detail
|timestamp without time zone
|text
|The time of the event
|The text detail from the Application Control engine
|-
|-
|session_id
|bandwidth_control_priority
|Session ID
|Bandwidth Control Priority
|bigint
|integer
|The session
|The priority given to this session
|-
|-
|client_intf
|bandwidth_control_rule
|Client Interface
|Bandwidth Control Rule ID
|smallint
|integer
|The client interface
|The matching rule in Bandwidth Control rule (if any)
|-
|-
|server_intf
|ssl_inspector_ruleid
|Server Interface
|SSL Inspector Rule ID
|smallint
|integer
|The server interface
|The matching rule in SSL Inspector rule (if any)
|-
|-
|c_client_addr
|ssl_inspector_status
|Client-side Client Address
|SSL Inspector Status
|inet
|text
|The client-side client IP address
|The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED)
|-
|-
|s_client_addr
|ssl_inspector_detail
|Server-side Client Address
|SSL Inspector Detail
|inet
|text
|The server-side client IP address
|Additional text detail about the SSL connection (SNI, IP Address)
|-
|-
|c_server_addr
|tags
|Client-side Server Address
|Tags
|inet
|text
|The client-side server IP address
|The tags on this session
|-
|-
|s_server_addr
|}
|Server-side Server Address
<section end='sessions' />
|inet
()
|The server-side server IP address
 
== session_minutes ==
<section begin='session_minutes' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|c_client_port
|session_id
|Client-side Client Port
|Session ID
|integer
|bigint
|The client-side client port
|The session
|-
|-
|s_client_port
|time_stamp
|Server-side Client Port
|Timestamp
|integer
|timestamp without time zone
|The server-side client port
|The time of the event
|-
|-
|c_server_port
|c2s_bytes
|Client-side Server Port
|From-Client Bytes
|integer
|bigint
|The client-side server port
|The number of bytes the client sent
|-
|-
|s_server_port
|s2c_bytes
|Server-side Server Port
|From-Server Bytes
|integer
|The server-side server port
|-
|policy_id
|Policy ID
|bigint
|bigint
|The policy
|The number of bytes the server sent
|-
|-
|username
|start_time
|Username
|Start Time
|text
|timestamp without time zone
|The username associated with this session
|The start time of the session
|-
|-
|msg_id
|end_time
|Message ID
|End Time
|bigint
|timestamp without time zone
|The message ID
|The time the session ended
|-
|-
|subject
|bypassed
|Subject
|Bypassed
|text
|boolean
|The email subject
|True if the session was bypassed, false otherwise
|-
|-
|addr
|entitled
|Address
|Entitled
|text
|boolean
|The address of this event
|True if the session is entitled to premium functionality
|-
|-
|addr_name
|protocol
|Address Name
|Protocol
|text
|smallint
|The name for this address
|The IP protocol of session
|-
|-
|addr_kind
|icmp_type
|Address Kind
|ICMP Type
|character(1)
|smallint
|The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
|The ICMP type of session if ICMP
|-
|-
|hostname
|hostname
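Review bot: `application_control_confidence` is typed `integer`, but its description in the sessions rows reads "True if Application Control confidence of this session's identification", which is boolean wording and not a complete sentence. Suggest describing the value itself, for example "The confidence of Application Control's identification of this session", and stating the range if the engine defines one. In the same table, "The matching rule in Bandwidth Control rule (if any)" and "The matching rule in SSL Inspector rule (if any)" repeat the word "rule".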
Line 1,183: Line 1,150:
|The hostname of the local address
|The hostname of the local address
|-
|-
|event_id
|username
|Event ID
|Username
|bigint
|The unique event ID
|-
|sender
|Sender
|text
|text
|The address of the sender
|The username associated with this session
|-
|-
|virus_blocker_lite_clean
|policy_id
|Virus Blocker Lite Clean
|Policy ID
|boolean
|smallint
|The cleanliness of the file according to Virus Blocker Lite
|The policy
|-
|-
|virus_blocker_lite_name
|policy_rule_id
|Virus Blocker Lite Name
|Policy Rule ID
|text
|smallint
|The name of the malware according to Virus Blocker Lite
|The ID of the matching policy rule (0 means none)
|-
|-
|virus_blocker_clean
|local_addr
|Virus Blocker Clean
|Local Address
|boolean
|inet
|The cleanliness of the file according to Virus Blocker
|The IP address of the local participant
|-
|-
|virus_blocker_name
|remote_addr
|Virus Blocker Name
|Remote Address
|text
|inet
|The name of the malware according to Virus Blocker
|The IP address of the remote participant
|-
|-
|spam_blocker_lite_score
|c_client_addr
|Spam Blocker Lite Score
|Client-side Client Address
|real
|inet
|The score of the email according to Spam Blocker Lite
|The client-side client IP address
|-
|-
|spam_blocker_lite_is_spam
|c_server_addr
|Spam Blocker Lite Spam
|Client-side Server Address
|boolean
|inet
|The spam status of the email according to Spam Blocker Lite
|The client-side server IP address
|-
|-
|spam_blocker_lite_action
|c_server_port
|Spam Blocker Lite Action
|Client-side Server Port
|character(1)
|integer
|The action taken by Spam Blocker Lite
|The client-side server port
|-
|-
|spam_blocker_lite_tests_string
|c_client_port
|Spam Blocker Lite Tests
|Client-side Client Port
|text
|integer
|The tess results for Spam Blocker Lite
|The client-side client port
|-
|-
|spam_blocker_score
|s_client_addr
|Spam Blocker Score
|Server-side Client Address
|real
|inet
|The score of the email according to Spam Blocker
|The server-side client IP address
|-
|-
|spam_blocker_is_spam
|s_server_addr
|Spam Blocker Spam
|Server-side Server Address
|boolean
|inet
|The spam status of the email according to Spam Blocker
|The server-side server IP address
|-
|-
|spam_blocker_action
|s_server_port
|Spam Blocker Action
|Server-side Server Port
|character(1)
|integer
|The action taken by Spam Blocker
|The server-side server port
|-
|-
|spam_blocker_tests_string
|s_client_port
|Spam Blocker Tests
|Server-side Client Port
|text
|integer
|The tess results for Spam Blocker
|The server-side client port
|-
|-
|phish_blocker_score
|client_intf
|Phish Blocker Score
|Client Interface
|real
|smallint
|The score of the email according to Phish Blocker
|The client interface
|-
|-
|phish_blocker_is_spam
|server_intf
|Phish Blocker Phish
|Server Interface
|boolean
|smallint
|The phish status of the email according to Phish Blocker
|The server interface
|-
|-
|phish_blocker_tests_string
|client_country
|Phish Blocker Tests
|Client Country
|text
|text
|The tess results for Phish Blocker
|The client Country
|-
|-
|phish_blocker_action
|client_latitude
|Phish Blocker Action
|Client Latitude
|character(1)
|real
|The action taken by Phish Blocker
|The client Latitude
|-
|-
|}
|client_longitude
<section end='mail_addrs' />
|Client Longitude
 
|real
 
|The client Longitude
== smtp_tarpit_events ==
<section begin='smtp_tarpit_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|server_country
|Timestamp
|Server Country
|timestamp without time zone
|text
|The time of the event
|The server Country
|-
|server_latitude
|Server Latitude
|real
|The server Latitude
|-
|-
|ipaddr
|server_longitude
|Client Address
|Server Longitude
|inet
|real
|The client IP address
|The server Longitude
|-
|-
|hostname
|filter_prefix
|Hostname
|Filter Block
|text
|text
|The hostname of the local address
|The network filter that blocked the connection (filter,shield,invalid)
|-
|-
|policy_id
|firewall_blocked
|Policy ID
|Firewall Blocked
|bigint
|boolean
|The policy
|True if Firewall blocked the session, false otherwise
|-
|-
|vendor_name
|firewall_flagged
|Vendor Name
|Firewall Flagged
|character varying(255)
|boolean
|The "vendor name" of the app that logged the event
|True if Firewall flagged the session, false otherwise
|-
|-
|event_id
|firewall_rule_index
|Event ID
|Firewall Rule ID
|bigint
|integer
|The unique event ID
|The matching rule in Firewall (if any)
|-
|-
|}
|threat_prevention_blocked
<section end='smtp_tarpit_events' />
|Threat Prevention Blocked
 
|boolean
 
|If Threat Prevention blocked
== http_events ==
<section begin='http_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|request_id
|threat_prevention_flagged
|Request ID
|Threat Prevention Flagged
|bigint
|boolean
|The HTTP request ID
|If Threat Prevention flagged
|-
|-
|time_stamp
|threat_prevention_reason
|Timestamp
|Threat Prevention Reason
|timestamp without time zone
|character(1)
|The time of the event
|Threat Prevention reason
|-
|-
|session_id
|threat_prevention_rule_id
|Session ID
|Threat Prevention Rule Id
|bigint
|integer
|The session
|Numeric rule id of Threat Prevention
|-
|-
|client_intf
|threat_prevention_client_reputation
|Client Interface
|Threat Prevention Client Reputation
|smallint
|smallint
|The client interface
|Numeric client reputation of Threat Prevention
|-
|threat_prevention_client_categories
|Threat Prevention Client Categories
|integer
|Bitmask client categories of Threat Prevention
|-
|-
|server_intf
|threat_prevention_server_reputation
|Server Interface
|Threat Prevention Server Reputation
|smallint
|smallint
|The server interface
|Numeric server reputation of Threat Prevention
|-
|-
|c_client_addr
|threat_prevention_server_categories
|Client-side Client Address
|Threat Prevention Server Categories
|inet
|integer
|The client-side client IP address
|Bitmask server categories of Threat Prevention
|-
|-
|s_client_addr
|application_control_lite_protocol
|Server-side Client Address
|Application Control Lite Protocol
|inet
|text
|The server-side client IP address
|The application protocol according to Application Control Lite
|-
|-
|c_server_addr
|application_control_lite_blocked
|Client-side Server Address
|Application Control Lite Blocked
|inet
|boolean
|The client-side server IP address
|True if Application Control Lite blocked the session
|-
|-
|s_server_addr
|captive_portal_blocked
|Server-side Server Address
|Captive Portal Blocked
|inet
|boolean
|The server-side server IP address
|True if Captive Portal blocked the session
|-
|-
|c_client_port
|captive_portal_rule_index
|Client-side Client Port
|Captive Portal Rule ID
|integer
|integer
|The client-side client port
|The matching rule in Captive Portal (if any)
|-
|-
|s_client_port
|application_control_application
|Server-side Client Port
|Application Control Application
|integer
|text
|The server-side client port
|The application according to Application Control
|-
|-
|c_server_port
|application_control_protochain
|Client-side Server Port
|Application Control Protochain
|integer
|text
|The client-side server port
|The protochain according to Application Control
|-
|-
|s_server_port
|application_control_category
|Server-side Server Port
|Application Control Category
|integer
|text
|The server-side server port
|The category according to Application Control
|-
|-
|policy_id
|application_control_blocked
|Policy ID
|Application Control Blocked
|smallint
|boolean
|The policy
|True if Application Control blocked the session
|-
|-
|username
|application_control_flagged
|Username
|Application Control Flagged
|text
|boolean
|The username associated with this session
|True if Application Control flagged the session
|-
|-
|hostname
|application_control_confidence
|Hostname
|Application Control Confidence
|text
|integer
|The hostname of the local address
|True if Application Control confidence of this session's identification
|-
|-
|method
|application_control_ruleid
|Method
|Application Control Rule ID
|character(1)
|integer
|The HTTP method
|The matching rule in Application Control (if any)
|-
|-
|uri
|application_control_detail
|URI
|Application Control Detail
|text
|text
|The HTTP URI
|The text detail from the Application Control engine
|-
|-
|host
|bandwidth_control_priority
|Host
|Bandwidth Control Priority
|text
|integer
|The HTTP host
|The priority given to this session
|-
|-
|domain
|bandwidth_control_rule
|Domain
|Bandwidth Control Rule ID
|text
|integer
|The HTTP domain (shortened host)
|The matching rule in Bandwidth Control rule (if any)
|-
|-
|referer
|ssl_inspector_ruleid
|Referer
|SSL Inspector Rule ID
|integer
|The matching rule in SSL Inspector rule (if any)
|-
|ssl_inspector_status
|SSL Inspector Status
|text
|text
|The Referer URL
|The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED)
|-
|-
|c2s_content_length
|ssl_inspector_detail
|Client-to-server Content Length
|SSL Inspector Detail
|bigint
|The client-to-server content length
|-
|s2c_content_length
|Server-to-client Content Length
|bigint
|The server-to-client content length
|-
|s2c_content_type
|Server-to-client Content Type
|text
|text
|The server-to-client content type
|Additional text detail about the SSL connection (SNI, IP Address)
|-
|-
|ad_blocker_cookie_ident
|tags
|Ad Blocker Cookie
|Tags
|text
|text
|This name of cookie blocked by Ad Blocker
|The tags on this session
|-
|-
|ad_blocker_action
|}
|Ad Blocker Action
<section end='session_minutes' />
|character(1)
()
|This action of Ad Blocker on this request
 
== quotas ==
<section begin='quotas' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|web_filter_reason
|time_stamp
|Web Filter Reason
|Timestamp
|character(1)
|timestamp without time zone
|This reason Web Filter blocked/flagged this request
|The time of the event
|-
|-
|web_filter_category_id
|entity
|Web Filter Category ID
|Entity
|int
|text
|This category ID according to Web Filter
|The IP entity given the quota (address/username)
|-
|-
|web_filter_blocked
|action
|Web Filter Blocked
|Action
|boolean
|integer
|If Web Filter blocked this request
|The action (1=Quota Given, 2=Quota Exceeded)
|-
|-
|web_filter_flagged
|size
|Web Filter Flagged
|Size
|boolean
|bigint
|If Web Filter flagged this request
|The size of the quota
|-
|-
|virus_blocker_lite_clean
|reason
|Virus Blocker Lite Clean
|Reason
|boolean
|The cleanliness of the file according to Virus Blocker Lite
|-
|virus_blocker_lite_name
|Virus Blocker Lite Name
|text
|text
|The name of the malware according to Virus Blocker Lite
|The reason for the action
|-
|virus_blocker_clean
|Virus Blocker Clean
|boolean
|The cleanliness of the file according to Virus Blocker
|-
|virus_blocker_name
|Virus Blocker Name
|text
|The name of the malware according to Virus Blocker
|-
|-
|}
|}
<section end='http_events' />
<section end='quotas' />
()


== ftp_events ==  
== host_table_updates ==  
<section begin='ftp_events' />
<section begin='host_table_updates' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
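Review bot: `threat_prevention_reason` is a `character(1)` code whose description, "Threat Prevention reason", does not list the possible values, and the two `integer` category columns are described only as a bitmask with no bit meanings. Anyone querying session_minutes for blocked or flagged traffic cannot interpret these columns from this page; the quotas `action` row in this same hunk shows the pattern to follow ("1=Quota Given, 2=Quota Exceeded"). The descriptions "If Threat Prevention blocked" and "If Threat Prevention flagged" would also read better in the form used by the neighbouring rows, "True if Firewall blocked the session, false otherwise".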
Line 1,511: Line 1,456:
!Description
!Description
|-
|-
|event_id
|address
|Event ID
|Address
|bigint
|inet
|The unique event ID
|The IP address of the host
|-
|key
|Key
|text
|The key being updated
|-
|value
|Value
|text
|The new value for the key
|-
|old_value
|Old Value
|text
|The old value for the key
|-
|-
|time_stamp
|time_stamp
Line 1,521: Line 1,481:
|The time of the event
|The time of the event
|-
|-
|session_id
|}
|Session ID
<section end='host_table_updates' />
|bigint
()
|The session
 
== device_table_updates ==
<section begin='device_table_updates' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|client_intf
|mac_address
|Client Interface
|MAC Address
|smallint
|text
|The client interface
|The MAC address of the device
|-
|-
|server_intf
|key
|Server Interface
|Key
|smallint
|text
|The server interface
|The key being updated
|-
|-
|c_client_addr
|value
|Client-side Client Address
|Value
|inet
|text
|The client-side client IP address
|The new value for the key
|-
|-
|s_client_addr
|old_value
|Server-side Client Address
|Old Value
|inet
|text
|The server-side client IP address
|The old value for the key
|-
|-
|c_server_addr
|time_stamp
|Client-side Server Address
|Timestamp
|inet
|timestamp without time zone
|The client-side server IP address
|The time of the event
|-
|-
|s_server_addr
|}
|Server-side Server Address
<section end='device_table_updates' />
|inet
()
|The server-side server IP address
 
== user_table_updates ==
<section begin='user_table_updates' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|policy_id
|username
|Policy ID
|bigint
|The policy
|-
|username
|Username
|Username
|text
|text
|The username associated with this session
|The username
|-
|-
|hostname
|key
|Hostname
|Key
|text
|text
|The hostname of the local address
|The key being updated
|-
|-
|request_id
|value
|Request ID
|Value
|bigint
|text
|The FTP request ID
|The new value for the key
|-
|-
|method
|old_value
|Method
|Old Value
|character(1)
|The FTP method
|-
|uri
|URI
|text
|text
|The FTP URI
|The old value for the key
|-
|-
|virus_blocker_lite_clean
|time_stamp
|Virus Blocker Lite Clean
|Timestamp
|boolean
|timestamp without time zone
|The cleanliness of the file according to Virus Blocker Lite
|The time of the event
|-
|virus_blocker_lite_name
|Virus Blocker Lite Name
|text
|The name of the malware according to Virus Blocker Lite
|-
|virus_blocker_clean
|Virus Blocker Clean
|boolean
|The cleanliness of the file according to Virus Blocker
|-
|virus_blocker_name
|Virus Blocker Name
|text
|The name of the malware according to Virus Blocker
|-
|-
|}
|}
<section end='ftp_events' />
<section end='user_table_updates' />
()


 
== alerts ==  
== ipsec_user_events ==  
<section begin='alerts' />
<section begin='ipsec_user_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
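Review bot: a line containing only `()` follows the `<section end='host_table_updates' />`, `<section end='device_table_updates' />` and `<section end='user_table_updates' />` tags in this hunk, where the other side has blank lines. It will render as literal text between the tables and looks like leftover output from whatever generated the schema listing. Suggest dropping these lines, or filling the parentheses with whatever they were meant to hold.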
Line 1,618: Line 1,569:
!Type
!Type
!Description
!Description
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|-
|time_stamp
|time_stamp
Line 1,629: Line 1,575:
|The time of the event
|The time of the event
|-
|-
|connect_stamp
|description
|Connect Time
|Text detail of the event
|timestamp without time zone
|The time the connection started
|-
|goodbye_stamp
|End Time
|timestamp without time zone
|The time the connection ended
|-
|client_address
|Client Address
|text
|text
|The remote IP address of the client
|The description from the alert rule.
|-
|-
|client_protocol
|summary_text
|Client Protocol
|Summary Text
|text
|text
|The protocol the client used to connect
|The summary text of the alert
|-
|-
|client_username
|json
|Client Username
|JSON Text
|text
|text
|The username of the client
|The summary JSON representation of the event causing the alert
|-
|-
|net_process
|}
|Net Process
<section end='alerts' />
|text
()
|The PID of the PPP process for L2TP connections or the connection ID for Xauth connections
 
|-
== settings_changes ==  
|net_interface
<section begin='settings_changes' />
|Net Interface
|text
|The PPP interface for L2TP connections or the client interface for Xauth connections
|-
|elapsed_time
|Elapsed Time
|text
|The total time the client was connected
|-
|rx_bytes
|Bytes Received
|bigint
|The number of bytes received from the client in this connection
|-
|tx_bytes
|Bytes Sent
|bigint
|The number of bytes sent to the client in this connection
|-
|}
<section end='ipsec_user_events' />
 
 
== ipsec_tunnel_stats ==  
<section begin='ipsec_tunnel_stats' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,697: Line 1,608:
|The time of the event
|The time of the event
|-
|-
|tunnel_name
|settings_file
|Tunnel Name
|Settings File
|text
|text
|The name of the IPsec tunnel
|The name of the file changed
|-
|-
|in_bytes
|username
|In Bytes
|Username
|bigint
|text
|The number of bytes received during this time frame
|The username logged in at the time of the change
|-
|-
|out_bytes
|hostname
|Out Bytes
|Hostname
|bigint
|text
|The number of bytes transmitted during this time frame
|The remote hostname
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|-
|}
|}
<section end='ipsec_tunnel_stats' />
<section end='settings_changes' />
()


 
== web_cache_stats ==  
== interface_stat_events ==  
<section begin='web_cache_stats' />
<section begin='interface_stat_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,735: Line 1,641:
|The time of the event
|The time of the event
|-
|-
|interface_id
|hits
|Interface ID
|Hits
|integer
|bigint
|The interface ID
|The number of cache hits during this time frame
|-
|misses
|Misses
|bigint
|The number of cache misses during this time frame
|-
|-
|rx_rate
|bypasses
|Rx Rate
|Bypasses
|double precision
|bigint
|The RX rate (bytes/s)
|The number of cache user bypasses during this time frame
|-
|-
|tx_rate
|systems
|Tx Rate
|System bypasses
|double precision
|bigint
|The TX rate (bytes/s)
|The number of cache system bypasses during this time frame
|-
|-
|}
|hit_bytes
<section end='interface_stat_events' />
|Hit Bytes
 
|bigint
 
|The number of bytes saved from cache hits
== configuration_backup_events ==  
|-
<section begin='configuration_backup_events' />
|miss_bytes
|Miss Bytes
|bigint
|The number of bytes not saved from cache misses
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|}
<section end='web_cache_stats' />
()
 
== server_events ==  
<section begin='server_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,768: Line 1,694:
|The time of the event
|The time of the event
|-
|-
|success
|load_1
|Success
|CPU load (1-min)
|boolean
|numeric(6,2)
|The result of the backup (true if the backup succeeded, false otherwise)
|The 1-minute CPU load
|-
|-
|description
|load_5
|Text detail of the event
|CPU load (5-min)
|text
|numeric(6,2)
|Text detail of the event
|The 5-minute CPU load
|-
|load_15
|CPU load (15-min)
|numeric(6,2)
|The 15-minute CPU load
|-
|cpu_user
|CPU User Utilization
|numeric(6,3)
|The user CPU percent utilization
|-
|-
|destination
|cpu_system
|Destination
|CPU System Utilization
|text
|numeric(6,3)
|The location of the backup
|The system CPU percent utilization
|-
|-
|event_id
|mem_total
|Event ID
|Total Memory
|bigint
|bigint
|The unique event ID
|The total bytes of memory
|-
|-
|}
|mem_free
<section end='configuration_backup_events' />
|Memory Free
 
|bigint
 
|The number of free bytes of memory
== directory_connector_login_events ==
<section begin='directory_connector_login_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|disk_total
|Timestamp
|Disk Size
|timestamp without time zone
|bigint
|The time of the event
|The total disk size in bytes
|-
|-
|login_name
|disk_free
|Login Name
|Disk Free
|text
|bigint
|The login name
|The free disk space in bytes
|-
|-
|domain
|swap_total
|Domain
|Swap Size
|text
|bigint
|The AD domain
|The total swap size in bytes
|-
|-
|type
|swap_free
|Type
|Swap Free
|text
|bigint
|The type of event (I=Login,U=Update,O=Logout)
|The free disk swap in bytes
|-
|-
|client_addr
|active_hosts
|Client Address
|Active Hosts
|inet
|integer
|The client IP address
|The number of active hosts
|-
|-
|}
|}
<section end='directory_connector_login_events' />
<section end='server_events' />
()


 
== interface_stat_events ==  
== server_events ==  
<section begin='interface_stat_events' />
<section begin='server_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,844: Line 1,772:
|The time of the event
|The time of the event
|-
|-
|load_1
|interface_id
|CPU load (1-min)
|Interface ID
|numeric(6,2)
|integer
|The 1-minute CPU load
|The interface ID
|-
|-
|load_5
|rx_rate
|CPU load (5-min)
|Rx Rate
|numeric(6,2)
|double precision
|The 5-minute CPU load
|The RX rate (bytes/s)
|-
|-
|load_15
|rx_bytes
|CPU load (15-min)
|Bytes Received
|numeric(6,2)
|bigint
|The 15-minute CPU load
|The number of bytes received from the client in this connection
|-
|-
|cpu_user
|tx_rate
|CPU User Utilization
|Tx Rate
|numeric(6,3)
|double precision
|The user CPU percent utilization
|The TX rate (bytes/s)
|-
|-
|cpu_system
|tx_bytes
|CPU System Utilization
|Bytes Sent
|numeric(6,3)
|bigint
|The system CPU percent utilization
|The number of bytes sent to the client in this connection
|-
|-
|mem_total
|}
|Total Memory
<section end='interface_stat_events' />
|bigint
()
|The total bytes of memory
 
== mail_msgs ==
<section begin='mail_msgs' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|mem_free
|time_stamp
|Memory Free
|Timestamp
|bigint
|timestamp without time zone
|The number of free bytes of memory
|The time of the event
|-
|-
|disk_total
|session_id
|Disk Size
|Session ID
|bigint
|bigint
|The total disk size in bytes
|The session
|-
|-
|disk_free
|client_intf
|Disk Free
|Client Interface
|bigint
|smallint
|The free disk space in bytes
|The client interface
|-
|-
|swap_total
|server_intf
|Swap Size
|Server Interface
|bigint
|smallint
|The total swap size in bytes
|The server interface
|-
|-
|swap_free
|c_client_addr
|Swap Free
|Client-side Client Address
|bigint
|inet
|The free disk swap in bytes
|The client-side client IP address
|-
|-
|active_hosts
|s_client_addr
|Active Hosts
|Server-side Client Address
|integer
|inet
|The number of active hosts
|The server-side client IP address
|-
|-
|}
|c_server_addr
<section end='server_events' />
|Client-side Server Address
 
|inet
 
|The client-side server IP address
== web_cache_stats ==
<section begin='web_cache_stats' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|s_server_addr
|Timestamp
|Server-side Server Address
|timestamp without time zone
|inet
|The time of the event
|The server-side server IP address
|-
|-
|hits
|c_client_port
|Hits
|Client-side Client Port
|bigint
|integer
|The number of cache hits during this time frame
|The client-side client port
|-
|-
|misses
|s_client_port
|Misses
|Server-side Client Port
|bigint
|integer
|The number of cache misses during this time frame
|The server-side client port
|-
|c_server_port
|Client-side Server Port
|integer
|The client-side server port
|-
|-
|bypasses
|s_server_port
|Bypasses
|Server-side Server Port
|bigint
|integer
|The number of cache user bypasses during this time frame
|The server-side server port
|-
|-
|systems
|policy_id
|System bypasses
|Policy ID
|bigint
|bigint
|The number of cache system bypasses during this time frame
|The policy
|-
|-
|hit_bytes
|username
|Hit Bytes
|Username
|bigint
|text
|The number of bytes saved from cache hits
|The username associated with this session
|-
|-
|miss_bytes
|msg_id
|Miss Bytes
|Message ID
|bigint
|bigint
|The number of bytes not saved from cache misses
|The message ID
|-
|-
|event_id
|subject
|Event ID
|Subject
|bigint
|text
|The unique event ID
|The email subject
|-
|-
|}
|hostname
<section end='web_cache_stats' />
|Hostname
 
|text
 
|The hostname of the local address
== http_query_events ==
<section begin='http_query_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|event_id
|event_id
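Review bot: the `rx_bytes` and `tx_bytes` rows in interface_stat_events are described as "The number of bytes received from the client in this connection" and "The number of bytes sent to the client in this connection", wording that matches the ipsec_user_events rows of the same names and does not fit a per-interface statistics table, which has no client or connection. Suggest descriptions in terms of the interface, in line with the adjacent "The RX rate (bytes/s)" and "The TX rate (bytes/s)" rows, and stating whether the count is cumulative or per reporting interval.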
Line 1,975: Line 1,900:
|The unique event ID
|The unique event ID
|-
|-
|time_stamp
|sender
|Timestamp
|Sender
|timestamp without time zone
|text
|The time of the event
|The address of the sender
|-
|-
|session_id
|receiver
|Session ID
|Receiver
|bigint
|text
|The session
|The address of the receiver
|-
|-
|client_intf
|virus_blocker_lite_clean
|Client Interface
|Virus Blocker Lite Clean
|smallint
|boolean
|The client interface
|The cleanliness of the file according to Virus Blocker Lite
|-
|-
|server_intf
|virus_blocker_lite_name
|Server Interface
|Virus Blocker Lite Name
|smallint
|text
|The server interface
|The name of the malware according to Virus Blocker Lite
|-
|-
|c_client_addr
|virus_blocker_clean
|Client-side Client Address
|Virus Blocker Clean
|inet
|boolean
|The client-side client IP address
|The cleanliness of the file according to Virus Blocker
|-
|-
|s_client_addr
|virus_blocker_name
|Server-side Client Address
|Virus Blocker Name
|inet
|text
|The server-side client IP address
|The name of the malware according to Virus Blocker
|-
|-
|c_server_addr
|spam_blocker_lite_score
|Client-side Server Address
|Spam Blocker Lite Score
|inet
|real
|The client-side server IP address
|The score of the email according to Spam Blocker Lite
|-
|-
|s_server_addr
|spam_blocker_lite_is_spam
|Server-side Server Address
|Spam Blocker Lite Spam
|inet
|boolean
|The server-side server IP address
|The spam status of the email according to Spam Blocker Lite
|-
|-
|c_client_port
|spam_blocker_lite_tests_string
|Client-side Client Port
|Spam Blocker Lite Tests
|integer
|text
|The client-side client port
|The tess results for Spam Blocker Lite
|-
|-
|s_client_port
|spam_blocker_lite_action
|Server-side Client Port
|Spam Blocker Lite Action
|integer
|character(1)
|The server-side client port
|The action taken by Spam Blocker Lite
|-
|-
|c_server_port
|spam_blocker_score
|Client-side Server Port
|Spam Blocker Score
|integer
|real
|The client-side server port
|The score of the email according to Spam Blocker
|-
|-
|s_server_port
|spam_blocker_is_spam
|Server-side Server Port
|Spam Blocker Spam
|integer
|boolean
|The server-side server port
|The spam status of the email according to Spam Blocker
|-
|-
|policy_id
|spam_blocker_tests_string
|Policy ID
|Spam Blocker Tests
|bigint
|The policy
|-
|username
|Username
|text
|text
|The username associated with this session
|The tess results for Spam Blocker
|-
|-
|hostname
|spam_blocker_action
|Hostname
|Spam Blocker Action
|text
|character(1)
|The hostname of the local address
|The action taken by Spam Blocker
|-
|-
|request_id
|phish_blocker_score
|Request ID
|Phish Blocker Score
|bigint
|real
|The HTTP request ID
|The score of the email according to Phish Blocker
|-
|-
|method
|phish_blocker_is_spam
|Method
|Phish Blocker Phish
|character(1)
|boolean
|The HTTP method
|The phish status of the email according to Phish Blocker
|-
|-
|uri
|phish_blocker_tests_string
|URI
|Phish Blocker Tests
|text
|text
|The HTTP URI
|The tess results for Phish Blocker
|-
|-
|term
|phish_blocker_action
|Search Term
|Phish Blocker Action
|text
|character(1)
|The search term
|The action taken by Phish Blocker
|-
|host
|Host
|text
|The HTTP host
|-
|c2s_content_length
|Client-to-server Content Length
|bigint
|The client-to-server content length
|-
|s2c_content_length
|Server-to-client Content Length
|bigint
|The server-to-client content length
|-
|s2c_content_type
|Server-to-client Content Type
|text
|The server-to-client content type
|-
|-
|}
|}
<section end='http_query_events' />
<section end='mail_msgs' />
()


 
== mail_addrs ==  
== captive_portal_user_events ==  
<section begin='mail_addrs' />
<section begin='captive_portal_user_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
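Review bot: the three `*_tests_string` rows in the mail_msgs table (Spam Blocker Lite, Spam Blocker, Phish Blocker) describe the column as "The tess results for ...", which reads as a typo for "test results" and should be corrected in all three. The bare "()" line following `<section end='mail_msgs' />` also looks unintended, since it renders as literal text under the table.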
Line 2,108: Line 2,008:
|The time of the event
|The time of the event
|-
|-
|policy_id
|session_id
|Policy ID
|Session ID
|bigint
|bigint
|The policy
|The session
|-
|-
|event_id
|client_intf
|Event ID
|Client Interface
|bigint
|smallint
|The unique event ID
|The client interface
|-
|-
|login_name
|server_intf
|Login Name
|Server Interface
|text
|smallint
|The login username
|The server interface
|-
|-
|event_info
|c_client_addr
|Event Type
|Client-side Client Address
|text
|inet
|The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
|The client-side client IP address
|-
|-
|auth_type
|s_client_addr
|Authorization Type
|Server-side Client Address
|text
|inet
|The authorization type for this event
|The server-side client IP address
|-
|-
|client_addr
|c_server_addr
|Client Address
|Client-side Server Address
|text
|inet
|The remote IP address of the client
|The client-side server IP address
|-
|-
|}
|s_server_addr
<section end='captive_portal_user_events' />
|Server-side Server Address
 
|inet
 
|The server-side server IP address
== openvpn_stats ==
<section begin='openvpn_stats' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|c_client_port
|Timestamp
|Client-side Client Port
|timestamp without time zone
|integer
|The time of the event
|The client-side client port
|-
|-
|start_time
|s_client_port
|Start Time
|Server-side Client Port
|timestamp without time zone
|integer
|The time the OpenVPN session started
|The server-side client port
|-
|-
|end_time
|c_server_port
|End Time
|Client-side Server Port
|timestamp without time zone
|integer
|The time the OpenVPN session ended
|The client-side server port
|-
|-
|rx_bytes
|s_server_port
|Bytes Received
|Server-side Server Port
|bigint
|integer
|The total bytes received from the client during this session
|The server-side server port
|-
|-
|tx_bytes
|policy_id
|Bytes Sent
|Policy ID
|bigint
|bigint
|The total bytes sent to the client during this session
|The policy
|-
|-
|remote_address
|username
|Remote Address
|Username
|inet
|text
|The remote IP address of the client
|The username associated with this session
|-
|-
|pool_address
|msg_id
|Pool Address
|Message ID
|inet
|bigint
|The pool IP address of the client
|The message ID
|-
|-
|remote_port
|subject
|Remote Port
|Subject
|integer
|text
|The remote port of the client
|The email subject
|-
|-
|client_name
|addr
|Client Name
|Address
|text
|text
|The name of the client
|The address of this event
|-
|-
|event_id
|addr_name
|Address Name
|text
|The name for this address
|-
|addr_kind
|Address Kind
|character(1)
|The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
|-
|hostname
|Hostname
|text
|The hostname of the local address
|-
|event_id
|Event ID
|Event ID
|bigint
|bigint
|The unique event ID
|The unique event ID
|-
|-
|}
|sender
<section end='openvpn_stats' />
|Sender
 
|text
 
|The address of the sender
== openvpn_events ==
<section begin='openvpn_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|virus_blocker_lite_clean
|Timestamp
|Virus Blocker Lite Clean
|timestamp without time zone
|boolean
|The time of the event
|The cleanliness of the file according to Virus Blocker Lite
|-
|-
|remote_address
|virus_blocker_lite_name
|Remote Address
|Virus Blocker Lite Name
|inet
|text
|The remote IP address of the client
|The name of the malware according to Virus Blocker Lite
|-
|-
|pool_address
|virus_blocker_clean
|Pool Address
|Virus Blocker Clean
|inet
|boolean
|The pool IP address of the client
|The cleanliness of the file according to Virus Blocker
|-
|-
|client_name
|virus_blocker_name
|Client Name
|Virus Blocker Name
|text
|text
|The name of the client
|The name of the malware according to Virus Blocker
|-
|-
|type
|spam_blocker_lite_score
|Type
|Spam Blocker Lite Score
|text
|real
|The type of the event (CONNECT,DISCONNECT)
|The score of the email according to Spam Blocker Lite
|-
|-
|}
|spam_blocker_lite_is_spam
<section end='openvpn_events' />
|Spam Blocker Lite Spam
 
|boolean
 
|The spam status of the email according to Spam Blocker Lite
== intrusion_prevention_events ==
<section begin='intrusion_prevention_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|spam_blocker_lite_action
|Timestamp
|Spam Blocker Lite Action
|timestamp without time zone
|character(1)
|The time of the event
|The action taken by Spam Blocker Lite
|-
|-
|sig_id
|spam_blocker_lite_tests_string
|Signature ID
|Spam Blocker Lite Tests
|bigint
|text
|This ID of the rule
|The tess results for Spam Blocker Lite
|-
|-
|gen_id
|spam_blocker_score
|Grouping ID
|Spam Blocker Score
|bigint
|real
|The grouping ID for the rule, The gen_id + sig_id specify the rule's unique identifier
|The score of the email according to Spam Blocker
|-
|-
|class_id
|spam_blocker_is_spam
|Classtype ID
|Spam Blocker Spam
|bigint
|boolean
|The numeric ID for the classtype
|The spam status of the email according to Spam Blocker
|-
|-
|source_addr
|spam_blocker_action
|Source Address
|Spam Blocker Action
|inet
|character(1)
|The source IP address of the packet
|The action taken by Spam Blocker
|-
|-
|source_port
|spam_blocker_tests_string
|Source Port
|Spam Blocker Tests
|integer
|text
|The source port of the packet (if applicable)
|The tess results for Spam Blocker
|-
|-
|dest_addr
|phish_blocker_score
|Destination Address
|Phish Blocker Score
|inet
|real
|The destination IP address of the packet
|The score of the email according to Phish Blocker
|-
|-
|dest_port
|phish_blocker_is_spam
|Destination Port
|Phish Blocker Phish
|integer
|The destination port of the packet (if applicable)
|-
|protocol
|Protocol
|integer
|The protocol of the packet
|-
|blocked
|Blocked
|boolean
|boolean
|If the packet was blocked/dropped
|The phish status of the email according to Phish Blocker
|-
|-
|category
|phish_blocker_tests_string
|Category
|Phish Blocker Tests
|text
|text
|The application specific grouping
|The tess results for Phish Blocker
|-
|-
|classtype
|phish_blocker_action
|Classtype
|Phish Blocker Action
|text
|character(1)
|The generalized threat rule grouping (unrelated to gen_id)
|The action taken by Phish Blocker
|-
|msg
|Message
|text
|The "title" or "description" of the rule
|-
|-
|}
|}
<section end='intrusion_prevention_events' />
<section end='mail_addrs' />
()


 
== ftp_events ==  
== syslog ==  
<section begin='ftp_events' />
<section begin='syslog' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
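Review bot: in the mail_addrs rows, `phish_blocker_is_spam` carries the human name "Phish Blocker Phish" and a description about phish status, so the description should state that the column holds the phish verdict despite its name; otherwise someone writing a report query will read it as a spam flag. The `*_action` columns are `character(1)` with no list of codes, while `addr_kind` in the same table enumerates its values (F, T, C, G, B, X); the action codes should be listed the same way.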
Line 2,329: Line 2,205:
!Type
!Type
!Description
!Description
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|-
|time_stamp
|time_stamp
Line 2,335: Line 2,216:
|The time of the event
|The time of the event
|-
|-
|description
|session_id
|Text detail of the event
|Session ID
|text
|bigint
|The description from the alert rule.
|The session
|-
|-
|summary_text
|client_intf
|Summary Text
|Client Interface
|text
|smallint
|The summary text of the alert
|The client interface
|-
|-
|json
|server_intf
|JSON Text
|Server Interface
|text
|smallint
|The summary JSON representation of the event causing the alert
|The server interface
|-
|-
|}
|c_client_addr
<section end='syslog' />
|Client-side Client Address
 
|inet
 
|The client-side client IP address
== user_table_updates ==
<section begin='user_table_updates' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|username
|s_client_addr
|Username
|Server-side Client Address
|text
|inet
|The username
|The server-side client IP address
|-
|-
|key
|c_server_addr
|Key
|Client-side Server Address
|text
|inet
|The key being updated
|The client-side server IP address
|-
|s_server_addr
|Server-side Server Address
|inet
|The server-side server IP address
|-
|policy_id
|Policy ID
|bigint
|The policy
|-
|-
|value
|username
|Value
|Username
|text
|text
|The new value for the key
|The username associated with this session
|-
|-
|old_value
|hostname
|Old Value
|Hostname
|text
|text
|The old value for the key
|The hostname of the local address
|-
|-
|time_stamp
|request_id
|Timestamp
|Request ID
|timestamp without time zone
|bigint
|The time of the event
|The FTP request ID
|-
|method
|Method
|character(1)
|The FTP method
|-
|uri
|URI
|text
|The FTP URI
|-
|virus_blocker_lite_clean
|Virus Blocker Lite Clean
|boolean
|The cleanliness of the file according to Virus Blocker Lite
|-
|virus_blocker_lite_name
|Virus Blocker Lite Name
|text
|The name of the malware according to Virus Blocker Lite
|-
|virus_blocker_clean
|Virus Blocker Clean
|boolean
|The cleanliness of the file according to Virus Blocker
|-
|virus_blocker_name
|Virus Blocker Name
|text
|The name of the malware according to Virus Blocker
|-
|-
|}
|}
<section end='user_table_updates' />
<section end='ftp_events' />
()
 
== tunnel_vpn_events ==
<section begin='tunnel_vpn_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|tunnel_name
|Tunnel Name
|text
|The name the tunnel
|-
|server_address
|Server IP Address
|text
|The address of the remote server
|-
|local_address
|Local Address
|text
|The local address assigned the client
|-
|event_type
|Event Type
|text
|The type of the event (CONNECT,DISCONNECT)
|-
|}
<section end='tunnel_vpn_events' />
()
 
== tunnel_vpn_stats ==
<section begin='tunnel_vpn_stats' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|tunnel_name
|Tunnel Name
|text
|The name of the Tunnel VPN tunnel
|-
|in_bytes
|In Bytes
|bigint
|The number of bytes received during this time frame
|-
|out_bytes
|Out Bytes
|bigint
|The number of bytes transmitted during this time frame
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|}
<section end='tunnel_vpn_stats' />
()
 
== wan_failover_test_events ==
<section begin='wan_failover_test_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|interface_id
|Interface ID
|integer
|This interface ID
|-
|name
|Interface Name
|text
|This name of the interface
|-
|description
|Text detail of the event
|text
|The description from the test rule
|-
|success
|Success
|boolean
|The result of the test (true if the test succeeded, false otherwise)
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|}
<section end='wan_failover_test_events' />
()
 
== wan_failover_action_events ==
<section begin='wan_failover_action_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|interface_id
|Interface ID
|integer
|This interface ID
|-
|action
|Action
|text
|This action (CONNECTED,DISCONNECTED)
|-
|os_name
|Interface O/S Name
|text
|This O/S name of the interface
|-
|name
|Interface Name
|text
|This name of the interface
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|}
<section end='wan_failover_action_events' />
()
 
== directory_connector_login_events ==
<section begin='directory_connector_login_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|login_name
|Login Name
|text
|The login name
|-
|domain
|Domain
|text
|The AD domain
|-
|type
|Type
|text
|The type of event (I=Login,U=Update,O=Logout)
|-
|client_addr
|Client Address
|inet
|The client IP address
|-
|login_type
|Login Type
|text
|The login type
|-
|}
<section end='directory_connector_login_events' />
()
 
== captive_portal_user_events ==
<section begin='captive_portal_user_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|policy_id
|Policy ID
|bigint
|The policy
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|login_name
|Login Name
|text
|The login username
|-
|event_info
|Event Type
|text
|The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
|-
|auth_type
|Authorization Type
|text
|The authorization type for this event
|-
|client_addr
|Client Address
|text
|The remote IP address of the client
|-
|}
<section end='captive_portal_user_events' />
()
 
== openvpn_stats ==
<section begin='openvpn_stats' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|start_time
|Start Time
|timestamp without time zone
|The time the OpenVPN session started
|-
|end_time
|End Time
|timestamp without time zone
|The time the OpenVPN session ended
|-
|rx_bytes
|Bytes Received
|bigint
|The total bytes received from the client during this session
|-
|tx_bytes
|Bytes Sent
|bigint
|The total bytes sent to the client during this session
|-
|remote_address
|Remote Address
|inet
|The remote IP address of the client
|-
|pool_address
|Pool Address
|inet
|The pool IP address of the client
|-
|remote_port
|Remote Port
|integer
|The remote port of the client
|-
|client_name
|Client Name
|text
|The name of the client
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|}
<section end='openvpn_stats' />
()
 
== openvpn_events ==
<section begin='openvpn_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|remote_address
|Remote Address
|inet
|The remote IP address of the client
|-
|pool_address
|Pool Address
|inet
|The pool IP address of the client
|-
|client_name
|Client Name
|text
|The name of the client
|-
|type
|Type
|text
|The type of the event (CONNECT,DISCONNECT)
|-
|}
<section end='openvpn_events' />
()
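Review bot: `client_addr` in captive_portal_user_events is documented as `text`, while `client_addr` in directory_connector_login_events and `remote_address` in openvpn_events are `inet`. If the column really is text, the description should say so explicitly, because queries that compare or subnet-match addresses across these tables will need a cast. Separately, the `description` row of wan_failover_test_events has "Text detail of the event" in the Human Name cell, which looks like a description placed in the wrong column.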

Revision as of 14:44, 19 February 2020

Database Tables

configuration_backup_events

<section begin='configuration_backup_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Human Name !! Type !! Description
|-
| time_stamp || Timestamp || timestamp without time zone || The time of the event
|-
| success || Success || boolean || The result of the backup (true if the backup succeeded, false otherwise)
|-
| description || Text detail of the event || text || Text detail of the event
|-
| destination || Destination || text || The location of the backup
|-
| event_id || Event ID || bigint || The unique event ID
|}

<section end='configuration_backup_events' /> ()

http_events

<section begin='http_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Human Name !! Type !! Description
|-
| request_id || Request ID || bigint || The HTTP request ID
|-
| time_stamp || Timestamp || timestamp without time zone || The time of the event
|-
| session_id || Session ID || bigint || The session
|-
| client_intf || Client Interface || smallint || The client interface
|-
| server_intf || Server Interface || smallint || The server interface
|-
| c_client_addr || Client-side Client Address || inet || The client-side client IP address
|-
| s_client_addr || Server-side Client Address || inet || The server-side client IP address
|-
| c_server_addr || Client-side Server Address || inet || The client-side server IP address
|-
| s_server_addr || Server-side Server Address || inet || The server-side server IP address
|-
| c_client_port || Client-side Client Port || integer || The client-side client port
|-
| s_client_port || Server-side Client Port || integer || The server-side client port
|-
| c_server_port || Client-side Server Port || integer || The client-side server port
|-
| s_server_port || Server-side Server Port || integer || The server-side server port
|-
| client_country || Client Country || text || The client Country
|-
| client_latitude || Client Latitude || real || The client Latitude
|-
| client_longitude || Client Longitude || real || The client Longitude
|-
| server_country || Server Country || text || The server Country
|-
| server_latitude || Server Latitude || real || The server Latitude
|-
| server_longitude || Server Longitude || real || The server Longitude
|-
| policy_id || Policy ID || smallint || The policy
|-
| username || Username || text || The username associated with this session
|-
| hostname || Hostname || text || The hostname of the local address
|-
| method || Method || character(1) || The HTTP method
|-
| uri || URI || text || The HTTP URI
|-
| host || Host || text || The HTTP host
|-
| domain || Domain || text || The HTTP domain (shortened host)
|-
| referer || Referer || text || The Referer URL
|-
| c2s_content_length || Client-to-server Content Length || bigint || The client-to-server content length
|-
| s2c_content_length || Server-to-client Content Length || bigint || The server-to-client content length
|-
| s2c_content_type || Server-to-client Content Type || text || The server-to-client content type
|-
| s2c_content_filename || Server-to-client Content Disposition Filename || text || The server-to-client content disposition filename
|-
| ad_blocker_cookie_ident || Ad Blocker Cookie || text || This name of cookie blocked by Ad Blocker
|-
| ad_blocker_action || Ad Blocker Action || character(1) || This action of Ad Blocker on this request
|-
| web_filter_reason || Web Filter Reason || character(1) || This reason Web Filter blocked/flagged this request
|-
| web_filter_category_id || Web Filter Category Id || smallint || This numeric category according to Web Filter
|-
| web_filter_rule_id || Web Filter Rule Id || smallint || This numeric rule according to Web Filter
|-
| web_filter_blocked || Web Filter Blocked || boolean || If Web Filter blocked this request
|-
| web_filter_flagged || Web Filter Flagged || boolean || If Web Filter flagged this request
|-
| virus_blocker_lite_clean || Virus Blocker Lite Clean || boolean || The cleanliness of the file according to Virus Blocker Lite
|-
| virus_blocker_lite_name || Virus Blocker Lite Name || text || The name of the malware according to Virus Blocker Lite
|-
| virus_blocker_clean || Virus Blocker Clean || boolean || The cleanliness of the file according to Virus Blocker
|-
| virus_blocker_name || Virus Blocker Name || text || The name of the malware according to Virus Blocker
|-
| threat_prevention_blocked || Threat Prevention Blocked || boolean || If Threat Prevention blocked this request
|-
| threat_prevention_flagged || Threat Prevention Flagged || boolean || If Threat Prevention flagged this request
|-
| threat_prevention_rule_id || Threat Prevention Rule Id || integer || This numeric rule according to Threat Prevention
|-
| threat_prevention_reputation || Threat Prevention Reputation || smallint || This numeric threat reputation
|-
| threat_prevention_categories || Threat Prevention Categories || integer || This bitmask of threat categories
|}

<section end='http_events' /> ()

intrusion_prevention_events

<section begin='intrusion_prevention_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Human Name !! Type !! Description
|-
| time_stamp || Timestamp || timestamp without time zone || The time of the event
|-
| sig_id || Signature ID || bigint || This ID of the rule
|-
| gen_id || Grouping ID || bigint || The grouping ID for the rule, The gen_id + sig_id specify the rule's unique identifier
|-
| class_id || Classtype ID || bigint || The numeric ID for the classtype
|-
| source_addr || Source Address || inet || The source IP address of the packet
|-
| source_port || Source Port || integer || The source port of the packet (if applicable)
|-
| dest_addr || Destination Address || inet || The destination IP address of the packet
|-
| dest_port || Destination Port || integer || The destination port of the packet (if applicable)
|-
| protocol || Protocol || integer || The protocol of the packet
|-
| blocked || Blocked || boolean || If the packet was blocked/dropped
|-
| category || Category || text || The application specific grouping for the signature
|-
| classtype || Classtype || text || The generalized threat signature grouping (unrelated to gen_id)
|-
| msg || Message || text || The "title" or "description" of the signature
|-
| rid || Rule ID || text || The rule id
|-
| rule_id || Rule ID || text || The rule id
|}

<section end='intrusion_prevention_events' /> ()

smtp_tarpit_events

<section begin='smtp_tarpit_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Human Name !! Type !! Description
|-
| time_stamp || Timestamp || timestamp without time zone || The time of the event
|-
| ipaddr || Client Address || inet || The client IP address
|-
| hostname || Hostname || text || The hostname of the local address
|-
| policy_id || Policy ID || bigint || The policy
|-
| vendor_name || Vendor Name || character varying(255) || The "vendor name" of the app that logged the event
|-
| event_id || Event ID || bigint || The unique event ID
|}

<section end='smtp_tarpit_events' /> ()

ipsec_user_events

<section begin='ipsec_user_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Human Name !! Type !! Description
|-
| event_id || Event ID || bigint || The unique event ID
|-
| time_stamp || Timestamp || timestamp without time zone || The time of the event
|-
| connect_stamp || Connect Time || timestamp without time zone || The time the connection started
|-
| goodbye_stamp || End Time || timestamp without time zone || The time the connection ended
|-
| client_address || Client Address || text || The remote IP address of the client
|-
| client_protocol || Client Protocol || text || The protocol the client used to connect
|-
| client_username || Client Username || text || The username of the client
|-
| net_process || Net Process || text || The PID of the PPP process for L2TP connections or the connection ID for Xauth connections
|-
| net_interface || Net Interface || text || The PPP interface for L2TP connections or the client interface for Xauth connections
|-
| elapsed_time || Elapsed Time || text || The total time the client was connected
|-
| rx_bytes || Bytes Received || bigint || The number of bytes received from the client in this connection
|-
| tx_bytes || Bytes Sent || bigint || The number of bytes sent to the client in this connection
|}

<section end='ipsec_user_events' /> ()

ipsec_vpn_events

<section begin='ipsec_vpn_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Human Name !! Type !! Description
|-
| event_id || Event ID || bigint || The unique event ID
|-
| time_stamp || Timestamp || timestamp without time zone || The time of the event
|-
| local_address || Local Address || text || The local address of the tunnel
|-
| remote_address || Remote Address || text || The remote address of the tunnel
|-
| tunnel_description || Tunnel Description || text || The description of the tunnel
|-
| event_type || Event Type || text || The type of the event (CONNECT,DISCONNECT)
|}

<section end='ipsec_vpn_events' /> ()

ipsec_tunnel_stats

<section begin='ipsec_tunnel_stats' />

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Human Name !! Type !! Description
|-
| time_stamp || Timestamp || timestamp without time zone || The time of the event
|-
| tunnel_name || Tunnel Name || text || The name of the IPsec tunnel
|-
| in_bytes || In Bytes || bigint || The number of bytes received during this time frame
|-
| out_bytes || Out Bytes || bigint || The number of bytes transmitted during this time frame
|-
| event_id || Event ID || bigint || The unique event ID
|}

<section end='ipsec_tunnel_stats' /> ()

http_query_events

<section begin='http_query_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Human Name !! Type !! Description
|-
| event_id || Event ID || bigint || The unique event ID
|-
| time_stamp || Timestamp || timestamp without time zone || The time of the event
|-
| session_id || Session ID || bigint || The session
|-
| client_intf || Client Interface || smallint || The client interface
|-
| server_intf || Server Interface || smallint || The server interface
|-
| c_client_addr || Client-side Client Address || inet || The client-side client IP address
|-
| s_client_addr || Server-side Client Address || inet || The server-side client IP address
|-
| c_server_addr || Client-side Server Address || inet || The client-side server IP address
|-
| s_server_addr || Server-side Server Address || inet || The server-side server IP address
|-
| c_client_port || Client-side Client Port || integer || The client-side client port
|-
| s_client_port || Server-side Client Port || integer || The server-side client port
|-
| c_server_port || Client-side Server Port || integer || The client-side server port
|-
| s_server_port || Server-side Server Port || integer || The server-side server port
|-
| policy_id || Policy ID || bigint || The policy
|-
| username || Username || text || The username associated with this session
|-
| hostname || Hostname || text || The hostname of the local address
|-
| request_id || Request ID || bigint || The HTTP request ID
|-
| method || Method || character(1) || The HTTP method
|-
| uri || URI || text || The HTTP URI
|-
| term || Search Term || text || The search term
|-
| host || Host || text || The HTTP host
|-
| c2s_content_length || Client-to-server Content Length || bigint || The client-to-server content length
|-
| s2c_content_length || Server-to-client Content Length || bigint || The server-to-client content length
|-
| s2c_content_type || Server-to-client Content Type || text || The server-to-client content type
|-
| blocked || Blocked || boolean || If Web Filter blocked this search term
|-
| flagged || Flagged || boolean || If Web Filter flagged this search term
|}

<section end='http_query_events' /> ()

admin_logins

<section begin='admin_logins' />

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Human Name !! Type !! Description
|-
| time_stamp || Timestamp || timestamp without time zone || The time of the event
|-
| login || Login || text || The login name
|-
| local || Local || boolean || True if it is a login attempt through a local process
|-
| client_addr || Client Address || inet || The client IP address
|-
| succeeded || Succeeded || boolean || True if the login succeeded, false otherwise
|-
| reason || Reason || character(1) || The reason for the login (if applicable)
|}

<section end='admin_logins' /> ()

sessions

<section begin='sessions' />

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Human Name !! Type !! Description
|-
| session_id || Session ID || bigint || The session
|-
| time_stamp || Timestamp || timestamp without time zone || The time of the event
|-
| end_time || End Time || timestamp without time zone || The time the session ended
|-
| bypassed || Bypassed || boolean || True if the session was bypassed, false otherwise
|-
| entitled || Entitled || boolean || True if the session is entitled to premium functionality
|-
| protocol || Protocol || smallint || The IP protocol of session
|-
| icmp_type || ICMP Type || smallint || The ICMP type of session if ICMP
|-
| hostname || Hostname || text || The hostname of the local address
|-
| username || Username || text || The username associated with this session
|-
| policy_id || Policy ID || smallint || The policy
|-
| policy_rule_id || Policy Rule ID || smallint || The ID of the matching policy rule (0 means none)
|-
| local_addr || Local Address || inet || The IP address of the local participant
|-
| remote_addr || Remote Address || inet || The IP address of the remote participant
|-
| c_client_addr || Client-side Client Address || inet || The client-side client IP address
|-
| c_server_addr || Client-side Server Address || inet || The client-side server IP address
|-
| c_server_port || Client-side Server Port || integer || The client-side server port
|-
| c_client_port || Client-side Client Port || integer || The client-side client port
|-
| s_client_addr || Server-side Client Address || inet || The server-side client IP address
|-
| s_server_addr || Server-side Server Address || inet || The server-side server IP address
|-
| s_server_port || Server-side Server Port || integer || The server-side server port
|-
| s_client_port || Server-side Client Port || integer || The server-side client port
|-
| client_intf || Client Interface || smallint || The client interface
|-
| server_intf || Server Interface || smallint || The server interface
|-
| client_country || Client Country || text || The client Country
|-
| client_latitude || Client Latitude || real || The client Latitude
|-
| client_longitude || Client Longitude || real || The client Longitude
|-
| server_country || Server Country || text || The server Country
|-
| server_latitude || Server Latitude || real || The server Latitude
|-
| server_longitude || Server Longitude || real || The server Longitude
|-
| c2p_bytes || From-Client Bytes || bigint || The number of bytes the client sent to Untangle (client-to-pipeline)
|-
| p2c_bytes || To-Client Bytes || bigint || The number of bytes Untangle sent to client (pipeline-to-client)
|-
| s2p_bytes || From-Server Bytes || bigint || The number of bytes the server sent to Untangle (client-to-pipeline)
|-
| p2s_bytes || To-Server Bytes || bigint || The number of bytes Untangle sent to server (pipeline-to-client)
|-
| filter_prefix || Filter Block || text || The network filter that blocked the connection (filter,shield,invalid)
|-
| firewall_blocked || Firewall Blocked || boolean || True if Firewall blocked the session, false otherwise
|-
| firewall_flagged || Firewall Flagged || boolean || True if Firewall flagged the session, false otherwise
|-
| firewall_rule_index || Firewall Rule ID || integer || The matching rule in Firewall (if any)
|-
| threat_prevention_blocked || Threat Prevention Blocked || boolean || If Threat Prevention blocked
|-
| threat_prevention_flagged || Threat Prevention Flagged || boolean || If Threat Prevention flagged
|-
| threat_prevention_reason || Threat Prevention Reason || character(1) || Threat Prevention reason
|-
| threat_prevention_rule_id || Threat Prevention Rule Id || integer || Numeric rule id of Threat Prevention
|-
| threat_prevention_client_reputation || Threat Prevention Client Reputation || smallint || Numeric client reputation of Threat Prevention
|-
| threat_prevention_client_categories || Threat Prevention Client Categories || integer || Bitmask client categories of Threat Prevention
|-
| threat_prevention_server_reputation || Threat Prevention Server Reputation || smallint || Numeric server reputation of Threat Prevention
|-
| threat_prevention_server_categories || Threat Prevention Server Categories || integer || Bitmask server categories of Threat Prevention
|-
| application_control_lite_protocol || Application Control Lite Protocol || text || The application protocol according to Application Control Lite
|-
| application_control_lite_blocked || Application Control Lite Blocked || boolean || True if Application Control Lite blocked the session
|-
| captive_portal_blocked || Captive Portal Blocked || boolean || True if Captive Portal blocked the session
|-
| captive_portal_rule_index || Captive Portal Rule ID || integer || The matching rule in Captive Portal (if any)
|-
| application_control_application || Application Control Application || text || The application according to Application Control
|-
| application_control_protochain || Application Control Protochain || text || The protochain according to Application Control
|-
| application_control_category || Application Control Category || text || The category according to Application Control
|-
| application_control_blocked || Application Control Blocked || boolean || True if Application Control blocked the session
|-
| application_control_flagged || Application Control Flagged || boolean || True if Application Control flagged the session
|-
| application_control_confidence || Application Control Confidence || integer || True if Application Control confidence of this session's identification
|-
| application_control_ruleid || Application Control Rule ID || integer || The matching rule in Application Control (if any)
|-
| application_control_detail || Application Control Detail || text || The text detail from the Application Control engine
|-
| bandwidth_control_priority || Bandwidth Control Priority || integer || The priority given to this session
|-
| bandwidth_control_rule || Bandwidth Control Rule ID || integer || The matching rule in Bandwidth Control rule (if any)
|-
| ssl_inspector_ruleid || SSL Inspector Rule ID || integer || The matching rule in SSL Inspector rule (if any)
|-
| ssl_inspector_status || SSL Inspector Status || text || The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED)
|-
| ssl_inspector_detail || SSL Inspector Detail || text || Additional text detail about the SSL connection (SNI, IP Address)
|-
| tags || Tags || text || The tags on this session
|}

<section end='sessions' /> ()

session_minutes

<section begin='session_minutes' />

Column Name Human Name Type Description
session_id Session ID bigint The session
time_stamp Timestamp timestamp without time zone The time of the event
c2s_bytes From-Client Bytes bigint The number of bytes the client sent
s2c_bytes From-Server Bytes bigint The number of bytes the server sent
start_time Start Time timestamp without time zone The start time of the session
end_time End Time timestamp without time zone The time the session ended
bypassed Bypassed boolean True if the session was bypassed, false otherwise
entitled Entitled boolean True if the session is entitled to premium functionality
protocol Protocol smallint The IP protocol of session
icmp_type ICMP Type smallint The ICMP type of session if ICMP
hostname Hostname text The hostname of the local address
username Username text The username associated with this session
policy_id Policy ID smallint The policy
policy_rule_id Policy Rule ID smallint The ID of the matching policy rule (0 means none)
local_addr Local Address inet The IP address of the local participant
remote_addr Remote Address inet The IP address of the remote participant
c_client_addr Client-side Client Address inet The client-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
c_server_port Client-side Server Port integer The client-side server port
c_client_port Client-side Client Port integer The client-side client port
s_client_addr Server-side Client Address inet The server-side client IP address
s_server_addr Server-side Server Address inet The server-side server IP address
s_server_port Server-side Server Port integer The server-side server port
s_client_port Server-side Client Port integer The server-side client port
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
client_country Client Country text The client country
client_latitude Client Latitude real The client latitude
client_longitude Client Longitude real The client longitude
server_country Server Country text The server country
server_latitude Server Latitude real The server latitude
server_longitude Server Longitude real The server longitude
filter_prefix Filter Block text The network filter that blocked the connection (filter,shield,invalid)
firewall_blocked Firewall Blocked boolean True if Firewall blocked the session, false otherwise
firewall_flagged Firewall Flagged boolean True if Firewall flagged the session, false otherwise
firewall_rule_index Firewall Rule ID integer The matching rule in Firewall (if any)
threat_prevention_blocked Threat Prevention Blocked boolean True if Threat Prevention blocked the session
threat_prevention_flagged Threat Prevention Flagged boolean True if Threat Prevention flagged the session
threat_prevention_reason Threat Prevention Reason character(1) Threat Prevention reason
threat_prevention_rule_id Threat Prevention Rule Id integer Numeric rule id of Threat Prevention
threat_prevention_client_reputation Threat Prevention Client Reputation smallint Numeric client reputation of Threat Prevention
threat_prevention_client_categories Threat Prevention Client Categories integer Bitmask client categories of Threat Prevention
threat_prevention_server_reputation Threat Prevention Server Reputation smallint Numeric server reputation of Threat Prevention
threat_prevention_server_categories Threat Prevention Server Categories integer Bitmask server categories of Threat Prevention
application_control_lite_protocol Application Control Lite Protocol text The application protocol according to Application Control Lite
application_control_lite_blocked Application Control Lite Blocked boolean True if Application Control Lite blocked the session
captive_portal_blocked Captive Portal Blocked boolean True if Captive Portal blocked the session
captive_portal_rule_index Captive Portal Rule ID integer The matching rule in Captive Portal (if any)
application_control_application Application Control Application text The application according to Application Control
application_control_protochain Application Control Protochain text The protochain according to Application Control
application_control_category Application Control Category text The category according to Application Control
application_control_blocked Application Control Blocked boolean True if Application Control blocked the session
application_control_flagged Application Control Flagged boolean True if Application Control flagged the session
application_control_confidence Application Control Confidence integer The Application Control confidence of this session's identification
application_control_ruleid Application Control Rule ID integer The matching rule in Application Control (if any)
application_control_detail Application Control Detail text The text detail from the Application Control engine
bandwidth_control_priority Bandwidth Control Priority integer The priority given to this session
bandwidth_control_rule Bandwidth Control Rule ID integer The matching rule in Bandwidth Control (if any)
ssl_inspector_ruleid SSL Inspector Rule ID integer The matching rule in SSL Inspector (if any)
ssl_inspector_status SSL Inspector Status text The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED)
ssl_inspector_detail SSL Inspector Detail text Additional text detail about the SSL connection (SNI, IP Address)
tags Tags text The tags on this session

<section end='session_minutes' />

quotas

<section begin='quotas' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
entity Entity text The IP entity given the quota (address/username)
action Action integer The action (1=Quota Given, 2=Quota Exceeded)
size Size bigint The size of the quota
reason Reason text The reason for the action

<section end='quotas' />

host_table_updates

<section begin='host_table_updates' />

Column Name Human Name Type Description
address Address inet The IP address of the host
key Key text The key being updated
value Value text The new value for the key
old_value Old Value text The old value for the key
time_stamp Timestamp timestamp without time zone The time of the event

<section end='host_table_updates' />

device_table_updates

<section begin='device_table_updates' />

Column Name Human Name Type Description
mac_address MAC Address text The MAC address of the device
key Key text The key being updated
value Value text The new value for the key
old_value Old Value text The old value for the key
time_stamp Timestamp timestamp without time zone The time of the event

<section end='device_table_updates' />

user_table_updates

<section begin='user_table_updates' />

Column Name Human Name Type Description
username Username text The username
key Key text The key being updated
value Value text The new value for the key
old_value Old Value text The old value for the key
time_stamp Timestamp timestamp without time zone The time of the event

<section end='user_table_updates' />

alerts

<section begin='alerts' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
description Text detail of the event text The description from the alert rule.
summary_text Summary Text text The summary text of the alert
json JSON Text text The summary JSON representation of the event causing the alert

<section end='alerts' />

settings_changes

<section begin='settings_changes' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
settings_file Settings File text The name of the file changed
username Username text The username logged in at the time of the change
hostname Hostname text The remote hostname

<section end='settings_changes' />

web_cache_stats

<section begin='web_cache_stats' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
hits Hits bigint The number of cache hits during this time frame
misses Misses bigint The number of cache misses during this time frame
bypasses Bypasses bigint The number of cache user bypasses during this time frame
systems System bypasses bigint The number of cache system bypasses during this time frame
hit_bytes Hit Bytes bigint The number of bytes saved from cache hits
miss_bytes Miss Bytes bigint The number of bytes not saved from cache misses
event_id Event ID bigint The unique event ID

<section end='web_cache_stats' />

server_events

<section begin='server_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
load_1 CPU load (1-min) numeric(6,2) The 1-minute CPU load
load_5 CPU load (5-min) numeric(6,2) The 5-minute CPU load
load_15 CPU load (15-min) numeric(6,2) The 15-minute CPU load
cpu_user CPU User Utilization numeric(6,3) The user CPU percent utilization
cpu_system CPU System Utilization numeric(6,3) The system CPU percent utilization
mem_total Total Memory bigint The total bytes of memory
mem_free Memory Free bigint The number of free bytes of memory
disk_total Disk Size bigint The total disk size in bytes
disk_free Disk Free bigint The free disk space in bytes
swap_total Swap Size bigint The total swap size in bytes
swap_free Swap Free bigint The free swap space in bytes
active_hosts Active Hosts integer The number of active hosts

<section end='server_events' />

interface_stat_events

<section begin='interface_stat_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
interface_id Interface ID integer The interface ID
rx_rate Rx Rate double precision The RX rate (bytes/s)
rx_bytes Bytes Received bigint The number of bytes received from the client in this connection
tx_rate Tx Rate double precision The TX rate (bytes/s)
tx_bytes Bytes Sent bigint The number of bytes sent to the client in this connection

<section end='interface_stat_events' />

mail_msgs

<section begin='mail_msgs' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
session_id Session ID bigint The session
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
c_client_addr Client-side Client Address inet The client-side client IP address
s_client_addr Server-side Client Address inet The server-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
s_server_addr Server-side Server Address inet The server-side server IP address
c_client_port Client-side Client Port integer The client-side client port
s_client_port Server-side Client Port integer The server-side client port
c_server_port Client-side Server Port integer The client-side server port
s_server_port Server-side Server Port integer The server-side server port
policy_id Policy ID bigint The policy
username Username text The username associated with this session
msg_id Message ID bigint The message ID
subject Subject text The email subject
hostname Hostname text The hostname of the local address
event_id Event ID bigint The unique event ID
sender Sender text The address of the sender
receiver Receiver text The address of the receiver
virus_blocker_lite_clean Virus Blocker Lite Clean boolean The cleanliness of the file according to Virus Blocker Lite
virus_blocker_lite_name Virus Blocker Lite Name text The name of the malware according to Virus Blocker Lite
virus_blocker_clean Virus Blocker Clean boolean The cleanliness of the file according to Virus Blocker
virus_blocker_name Virus Blocker Name text The name of the malware according to Virus Blocker
spam_blocker_lite_score Spam Blocker Lite Score real The score of the email according to Spam Blocker Lite
spam_blocker_lite_is_spam Spam Blocker Lite Spam boolean The spam status of the email according to Spam Blocker Lite
spam_blocker_lite_tests_string Spam Blocker Lite Tests text The test results for Spam Blocker Lite
spam_blocker_lite_action Spam Blocker Lite Action character(1) The action taken by Spam Blocker Lite
spam_blocker_score Spam Blocker Score real The score of the email according to Spam Blocker
spam_blocker_is_spam Spam Blocker Spam boolean The spam status of the email according to Spam Blocker
spam_blocker_tests_string Spam Blocker Tests text The test results for Spam Blocker
spam_blocker_action Spam Blocker Action character(1) The action taken by Spam Blocker
phish_blocker_score Phish Blocker Score real The score of the email according to Phish Blocker
phish_blocker_is_spam Phish Blocker Phish boolean The phish status of the email according to Phish Blocker
phish_blocker_tests_string Phish Blocker Tests text The test results for Phish Blocker
phish_blocker_action Phish Blocker Action character(1) The action taken by Phish Blocker

<section end='mail_msgs' />

mail_addrs

<section begin='mail_addrs' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
session_id Session ID bigint The session
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
c_client_addr Client-side Client Address inet The client-side client IP address
s_client_addr Server-side Client Address inet The server-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
s_server_addr Server-side Server Address inet The server-side server IP address
c_client_port Client-side Client Port integer The client-side client port
s_client_port Server-side Client Port integer The server-side client port
c_server_port Client-side Server Port integer The client-side server port
s_server_port Server-side Server Port integer The server-side server port
policy_id Policy ID bigint The policy
username Username text The username associated with this session
msg_id Message ID bigint The message ID
subject Subject text The email subject
addr Address text The address of this event
addr_name Address Name text The name for this address
addr_kind Address Kind character(1) The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
hostname Hostname text The hostname of the local address
event_id Event ID bigint The unique event ID
sender Sender text The address of the sender
virus_blocker_lite_clean Virus Blocker Lite Clean boolean The cleanliness of the file according to Virus Blocker Lite
virus_blocker_lite_name Virus Blocker Lite Name text The name of the malware according to Virus Blocker Lite
virus_blocker_clean Virus Blocker Clean boolean The cleanliness of the file according to Virus Blocker
virus_blocker_name Virus Blocker Name text The name of the malware according to Virus Blocker
spam_blocker_lite_score Spam Blocker Lite Score real The score of the email according to Spam Blocker Lite
spam_blocker_lite_is_spam Spam Blocker Lite Spam boolean The spam status of the email according to Spam Blocker Lite
spam_blocker_lite_action Spam Blocker Lite Action character(1) The action taken by Spam Blocker Lite
spam_blocker_lite_tests_string Spam Blocker Lite Tests text The test results for Spam Blocker Lite
spam_blocker_score Spam Blocker Score real The score of the email according to Spam Blocker
spam_blocker_is_spam Spam Blocker Spam boolean The spam status of the email according to Spam Blocker
spam_blocker_action Spam Blocker Action character(1) The action taken by Spam Blocker
spam_blocker_tests_string Spam Blocker Tests text The test results for Spam Blocker
phish_blocker_score Phish Blocker Score real The score of the email according to Phish Blocker
phish_blocker_is_spam Phish Blocker Phish boolean The phish status of the email according to Phish Blocker
phish_blocker_tests_string Phish Blocker Tests text The test results for Phish Blocker
phish_blocker_action Phish Blocker Action character(1) The action taken by Phish Blocker

<section end='mail_addrs' />

ftp_events

<section begin='ftp_events' />

Column Name Human Name Type Description
event_id Event ID bigint The unique event ID
time_stamp Timestamp timestamp without time zone The time of the event
session_id Session ID bigint The session
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
c_client_addr Client-side Client Address inet The client-side client IP address
s_client_addr Server-side Client Address inet The server-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
s_server_addr Server-side Server Address inet The server-side server IP address
policy_id Policy ID bigint The policy
username Username text The username associated with this session
hostname Hostname text The hostname of the local address
request_id Request ID bigint The FTP request ID
method Method character(1) The FTP method
uri URI text The FTP URI
virus_blocker_lite_clean Virus Blocker Lite Clean boolean The cleanliness of the file according to Virus Blocker Lite
virus_blocker_lite_name Virus Blocker Lite Name text The name of the malware according to Virus Blocker Lite
virus_blocker_clean Virus Blocker Clean boolean The cleanliness of the file according to Virus Blocker
virus_blocker_name Virus Blocker Name text The name of the malware according to Virus Blocker

<section end='ftp_events' />

tunnel_vpn_events

<section begin='tunnel_vpn_events' />

Column Name Human Name Type Description
event_id Event ID bigint The unique event ID
time_stamp Timestamp timestamp without time zone The time of the event
tunnel_name Tunnel Name text The name of the tunnel
server_address Server IP Address text The address of the remote server
local_address Local Address text The local address assigned to the client
event_type Event Type text The type of the event (CONNECT,DISCONNECT)

<section end='tunnel_vpn_events' />

tunnel_vpn_stats

<section begin='tunnel_vpn_stats' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
tunnel_name Tunnel Name text The name of the Tunnel VPN tunnel
in_bytes In Bytes bigint The number of bytes received during this time frame
out_bytes Out Bytes bigint The number of bytes transmitted during this time frame
event_id Event ID bigint The unique event ID

<section end='tunnel_vpn_stats' />

wan_failover_test_events

<section begin='wan_failover_test_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
interface_id Interface ID integer The interface ID
name Interface Name text The name of the interface
description Text detail of the event text The description from the test rule
success Success boolean The result of the test (true if the test succeeded, false otherwise)
event_id Event ID bigint The unique event ID

<section end='wan_failover_test_events' />

wan_failover_action_events

<section begin='wan_failover_action_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
interface_id Interface ID integer The interface ID
action Action text The action (CONNECTED,DISCONNECTED)
os_name Interface O/S Name text The O/S name of the interface
name Interface Name text The name of the interface
event_id Event ID bigint The unique event ID

<section end='wan_failover_action_events' />

directory_connector_login_events

<section begin='directory_connector_login_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
login_name Login Name text The login name
domain Domain text The AD domain
type Type text The type of event (I=Login,U=Update,O=Logout)
client_addr Client Address inet The client IP address
login_type Login Type text The login type

<section end='directory_connector_login_events' />

captive_portal_user_events

<section begin='captive_portal_user_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
policy_id Policy ID bigint The policy
event_id Event ID bigint The unique event ID
login_name Login Name text The login username
event_info Event Type text The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
auth_type Authorization Type text The authorization type for this event
client_addr Client Address text The remote IP address of the client

<section end='captive_portal_user_events' />

openvpn_stats

<section begin='openvpn_stats' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
start_time Start Time timestamp without time zone The time the OpenVPN session started
end_time End Time timestamp without time zone The time the OpenVPN session ended
rx_bytes Bytes Received bigint The total bytes received from the client during this session
tx_bytes Bytes Sent bigint The total bytes sent to the client during this session
remote_address Remote Address inet The remote IP address of the client
pool_address Pool Address inet The pool IP address of the client
remote_port Remote Port integer The remote port of the client
client_name Client Name text The name of the client
event_id Event ID bigint The unique event ID

<section end='openvpn_stats' />

openvpn_events

<section begin='openvpn_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
remote_address Remote Address inet The remote IP address of the client
pool_address Pool Address inet The pool IP address of the client
client_name Client Name text The name of the client
type Type text The type of the event (CONNECT,DISCONNECT)

<section end='openvpn_events' />