Difference between revisions of "Database Schema"

From UntangleWiki
(sessions)
 
Line 1: Line 1:
 
[[Category:Reports]]
 
[[Category:Reports]]
 
The global DB schema shows the tables and columns used for tracking all logged events in Untangle. These can be used to add conditions to reports and event logs and in the reporting system to create or edit reports.
 
The global DB schema shows the tables and columns used for tracking all logged events in Untangle. These can be used to add conditions to reports and event logs and in the reporting system to create or edit reports.
 +
= Database Tables =
  
== sessions ==
+
== admin_logins ==  
<section begin='sessions' />
+
<section begin='admin_logins' />
  
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Report Condition [Column Name]
+
!Column Name
 
!Type
 
!Type
 
!Description
 
!Description
 
|-
 
|-
|Session Id [session_id]
+
|time_stamp
|bigint
 
|The session Unique session id. (Example: 95143416767254. This number can be referenced to other events/sessions with the same number.)
 
|-
 
|Timestamp [time_stamp]
 
 
|timestamp without time zone
 
|timestamp without time zone
|The time of the event (Example: 2016-01-13 2:22:08 pm)
+
|The time of the event
 
 
 
|-
 
|-
|End Timestamp [end_time]
+
|login
|timestamp without time zone
+
|text
|The time the session ended (Example: 2016-01-13 2:22:08 pm)
+
|The login name
 
|-
 
|-
|Bypassed [bypassed]
+
|local
 
|boolean
 
|boolean
|True if the session was bypassed, false otherwise
+
|True if it is a login attempt through a local process
 
|-
 
|-
|filter_prefix / Filter Prefix [filter_prefix]
+
|client_addr
|text
+
|inet
|The network filter that blocked the connection
+
|The client IP address
 
|-
 
|-
|Protocol [protocol]
+
|succeeded
|smallint
+
|boolean
|The IP protocol of session (Example: UDP (17), TCP (6), ICMP (1).)
+
|True if the login succeeded, false otherwise
 
|-
 
|-
|Hostname [hostname]
+
|reason
|text
+
|character(1)
|The hostname (Internal Device name (my-pc, officecomputer, conferanceroompc))
+
|The reason for the login (if applicable)
 
|-
 
|-
|Username [username]
+
|}
|text
+
<section end='admin_logins' />
|The username (Username associated with the event Examples: Jason, Jben)
+
 
 +
 
 +
== sessions ==
 +
<section begin='sessions' />
 +
 
 +
{| border="1" cellpadding="2" width="90%%" align="center"
 +
!Column Name
 +
!Type
 +
!Description
 
|-
 
|-
|Policy Id [policy_id]
+
|session_id
|smallint
+
|bigint
|The policy (Name of rack (Policy) along with the number. Example: Marketing (5) The number and name of the policy can be found in the Policy Manager application.)
+
|The session
 
|-
 
|-
|Client [c_client_addr]
+
|time_stamp
|inet
+
|timestamp without time zone
|The client-side client IP address (Internal devices IP address. Example: 192.168.3.1)
+
|The time of the event
 
|-
 
|-
|Original Server [c_server_addr]
+
|end_time
|inet
+
|timestamp without time zone
|The client-side server IP address (Server IP first used for connection. Example: 8.8.8.8)
+
|The time the session ended
 
|-
 
|-
|Original Server Port [c_server_port]
+
|bypassed
|integer
+
|boolean
|The client-side server port (Server port first used for connection. Example: 22,21,80,443)
+
|True if the session was bypassed, false otherwise
 
|-
 
|-
|Client Port [c_client_port]
+
|entitled
|integer
+
|boolean
|The client-side client port (Port used by the Client device for current session. Example: 22,21,80,443)
+
|True if the session is entitled to premium functionality
 
|-
 
|-
|New Client [s_client_addr]
+
|protocol
|inet
+
|smallint
|The server-side client IP address (IP of the external interface used for connection)
+
|The IP protocol of session
 
|-
 
|-
|Server [s_server_addr]
+
|icmp_type
|inet
+
|smallint
|The server-side server IP address (IP being used to connect to server. (Server can be defined as the device the connection is being made to. This can be a internal or external address.))
+
|The ICMP type of session if ICMP
 
|-
 
|-
|Server Port [s_server_port]
+
|hostname
|integer
+
|text
|The server-side server port (Port being used to connect to server. (Server can be defined as the device the connection is being made to. This can be a internal or external address.) )
+
|The hostname
 
|-
 
|-
|New Client Port [s_client_port]
+
|username
|integer
+
|text
|The server-side client port (Port used for connection with Client [c_client_addr])
+
|The username
 
|-
 
|-
|Client Interface [client_intf]
+
|policy_id
 
|smallint
 
|smallint
|The client interface (Interface number used for connection to client device. Example:  1. This number can be found and correlated with the interface in the Config>Network> Interfaces section.)
+
|The policy
 
|-
 
|-
|Server Interface [server_intf]
+
|c_client_addr
|smallint
+
|inet
|The server interface (Interface number used for connection to server. Example:  1.  This number can be found and correlated with the interface in the Config>Network> Interfaces section.)
+
|The client-side client IP address
 
|-
 
|-
|From-Client Bytes [c2p_bytes]
+
|c_server_addr
|bigint
+
|inet
|The number of bytes the client sent to Untangle (client-to-pipeline) (Example: 96120)
+
|The client-side server IP address
 
|-
 
|-
|To-Client Bytes [p2c_bytes]
+
|c_server_port
|bigint
+
|integer
|The number of bytes Untangle sent to client (pipeline-to-client) (Example: 96120)
+
|The client-side server port
 
|-
 
|-
|From-Server Bytes [s2p_bytes]
+
|c_client_port
|bigint
+
|integer
|The number of bytes the server sent to Untangle (client-to-pipeline) (Example: 96120)
+
|The client-side client port
 
|-
 
|-
|To-Server Bytes [p2s_bytes]
+
|s_client_addr
|bigint
+
|inet
|The number of bytes Untangle sent to server (pipeline-to-client)
+
|The server-side client IP address
 
|-
 
|-
|Shield Blocked [shield_blocked]
+
|s_server_addr
|boolean
+
|inet
|True if the shield blocked the session, false otherwise
+
|The server-side server IP address
 
|-
 
|-
|Blocked (Firewall) [firewall_blocked]
+
|s_server_port
|boolean
+
|integer
|True if Firewall blocked the session, false otherwise
+
|The server-side server port
 
|-
 
|-
|Flagged (Firewall) [firewall_flagged]
+
|s_client_port
|boolean
 
|True if Firewall flagged the session, false otherwise
 
|-
 
|Rule Id (Firewall) [firewall_rule_index]
 
 
|integer
 
|integer
|The matching rule in Firewall (if any) (Example: 500004. ID can be correlated with rule in the Firewall Application. ID will be 0 if no match)
+
|The server-side client port
 
|-
 
|-
|Protocol (Application Control Lite)[application_control_lite_protocol]
+
|client_intf
|text
+
|smallint
|The application protocol according to Application Control Lite (Example: BITTORRE. Name can be correlated back to Applications in Application Control lite for more details. )
+
|The client interface
 
|-
 
|-
|Blocked (Application Control Lite) [application_control_lite_blocked]
+
|server_intf
|boolean
+
|smallint
|True if Application Control Lite blocked the session
+
|The server interface
 +
|-
 +
|c2p_bytes
 +
|bigint
 +
|The number of bytes the client sent to Untangle (client-to-pipeline)
 
|-
 
|-
|Captured (Captive Portal) [captive_portal_blocked]
+
|p2c_bytes
|boolean
+
|bigint
|True if Captive Portal blocked the session
+
|The number of bytes Untangle sent to client (pipeline-to-client)
 
|-
 
|-
|Rule Id (Captive Portal) [captive_portal_rule_index]
+
|s2p_bytes
|integer
+
|bigint
|The matching rule in Captive Portal (if any) (Example: 5000001. ID Can be correlated back to Capture rule in the Captive Portal application. )
+
|The number of bytes the server sent to Untangle (client-to-pipeline)
 
|-
 
|-
|Application (Application Control) [application_control_application]
+
|p2s_bytes
|text
+
|bigint
|The application according to Application Control (Example: BITTORRE. Name can be correlated back to Applications in Application Control for more details. )
+
|The number of bytes Untangle sent to server (pipeline-to-client)
 
|-
 
|-
|ProtoChain (Application Control) [application_control_protochain]
+
|filter_prefix
 
|text
 
|text
|The protochain according to Application Control ( Example: /UDP/BITTORRE)
+
|The network filter that blocked the connection
 
|-
 
|-
|Blocked (Application Control) [application_control_blocked]
+
|shield_blocked
 
|boolean
 
|boolean
|True if Application Control blocked the session
+
|True if the shield blocked the session, false otherwise
 
|-
 
|-
|Flagged (Application Control) [application_control_flagged]
+
|firewall_blocked
 
|boolean
 
|boolean
|True if Application Control flagged the session
+
|True if Firewall blocked the session, false otherwise
 
|-
 
|-
|Confidence (Application Control) [application_control_confidence]
+
|firewall_flagged
|integer
+
|boolean
|100 if Application Control confidence of this session's identification 0 if not.
+
|True if Firewall flagged the session, false otherwise
 
|-
 
|-
|Rule Id (Application Control) [application_control_ruleid]
+
|firewall_rule_index
 
|integer
 
|integer
|The matching rule in Application Control (if any) (Example: 500001. ID Can be correlated back to Rule in the Application Control application.)
+
|The matching rule in Firewall (if any)
 
|-
 
|-
|Detail (Application Control) [application_control_detail]
+
|application_control_lite_protocol
 
|text
 
|text
|The text detail from the Application Control engine (Example: *.google.com, i.ytimg.com)
+
|The application protocol according to Application Control Lite
 
|-
 
|-
|Priority (Bandwidth Control) [bandwidth_control_priority]
+
|application_control_lite_blocked
|integer
+
|boolean
|The priority given to this session (Example: Very High, High, Medium, Low, Limited, Limited More, Limited Severely)
+
|True if Application Control Lite blocked the session
 
|-
 
|-
|Rule (Bandwidth Control) [bandwidth_control_rule])
+
|captive_portal_blocked
|integer
+
|boolean
|The matching rule in Bandwidth Control rule (if any) (Example: 500001. ID Can be correlated back to Rule in the Bandwidth Control application.)
+
|True if Captive Portal blocked the session
 
|-
 
|-
|Rule Id (HTTPS Inspector) [ssl_inspector_ruleid]
+
|captive_portal_rule_index
 
|integer
 
|integer
|The matching rule in HTTPS Inspector rule (if any) (Example: 500001. ID Can be correlated back to Rule in theHttps Inspector application.)
+
|The matching rule in Captive Portal (if any)
 
|-
 
|-
|Status (HTTPS Inspector) [ssl_inspector_status]
+
|application_control_application
 
|text
 
|text
|The status/action of the SSL session (INSPECTED/IGNORED/BLOCKED/UNTRUSTED/ABANDONED)
+
|The application according to Application Control
 
|-
 
|-
|Detail (HTTPS Inspector) [ssl_inspector_detail]
+
|application_control_protochain
 
|text
 
|text
|Additional text detail about the SSL connection (SNI, IP Address) (Example: clients4.google.com)
+
|The protochain according to Application Control
 
|-
 
|-
|ICMP Type [icmp_type]
+
|application_control_category
|smallint
+
|text
|The ICMP type of session if ICMP (Example:ICMPV6)
+
|The category according to Application Control
 
|-
 
|-
|}
+
|application_control_blocked
<section end='sessions' />
+
|boolean
 
+
|True if Application Control blocked the session
== openvpn_events ==
 
<section begin='openvpn_events' />
 
 
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
!Column Name
 
!Type
 
!Description
 
 
|-
 
|-
|time_stamp
+
|application_control_flagged
|timestamp without time zone
+
|boolean
|The time of the event
+
|True if Application Control flagged the session
 
|-
 
|-
|remote_address
+
|application_control_confidence
|inet
+
|integer
|The remote IP address of the client
+
|True if Application Control confidence of this session's identification
 
|-
 
|-
|pool_address
+
|application_control_ruleid
|inet
+
|integer
|The pool IP address of the client
+
|The matching rule in Application Control (if any)
 +
|-
 +
|application_control_detail
 +
|text
 +
|The text detail from the Application Control engine
 +
|-
 +
|bandwidth_control_priority
 +
|integer
 +
|The priority given to this session
 +
|-
 +
|bandwidth_control_rule
 +
|integer
 +
|The matching rule in Bandwidth Control rule (if any)
 +
|-
 +
|ssl_inspector_ruleid
 +
|integer
 +
|The matching rule in HTTPS Inspector rule (if any)
 
|-
 
|-
|client_name
+
|ssl_inspector_status
 
|text
 
|text
|The name of the client
+
|The status/action of the SSL session (INSPECTED/IGNORED/BLOCKED/UNTRUSTED/ABANDONED)
 
|-
 
|-
|type
+
|ssl_inspector_detail
 
|text
 
|text
|The type of the event (CONNECT/DISCONNECT)
+
|Additional text detail about the SSL connection (SNI, IP Address)
 
|-
 
|-
 
|}
 
|}
<section end='openvpn_events' />
+
<section end='sessions' />
  
  
== openvpn_stats ==
+
== penaltybox ==  
<section begin='openvpn_stats' />
+
<section begin='penaltybox' />
  
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
{| border="1" cellpadding="2" width="90%%" align="center"
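Review bot: the rewritten `application_control_confidence` row describes an `integer` column as if it were a boolean, `|True if Application Control confidence of this session's identification`, which is not a sentence and loses the value semantics; restore the old row's meaning, `|100 if Application Control confidence of this session's identification 0 if not.`, in cleaned-up form (100 when the engine identified the session, 0 otherwise). Two direction labels in the byte counters are wrong in both revisions and this rewrite was the place to fix them: `s2p_bytes` is labelled `(client-to-pipeline)` and `p2s_bytes` is labelled `(pipeline-to-client)`, while the column names say server-to-pipeline and pipeline-to-server. Replacing the `Report Condition [Column Name]` header with a bare `Column Name` header and deleting the examples also drops the report-condition display names and the note that `session_id` is the key shared by every event of one session (the new row says only `|The session`); since the intro says these tables are for building report conditions and event-log filters, keep the display names and the join-key note. Lastly, `admin_logins.reason` is `character(1)` but its description gives no legend for the one-letter codes, whereas `addr_kind` in `mail_addrs` does.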
Line 230: Line 243:
 
!Description
 
!Description
 
|-
 
|-
|time_stamp
+
|address
|timestamp without time zone
+
|inet
|The time of the event
+
|The IP address of the host
 +
|-
 +
|reason
 +
|text
 +
|The reason for the action
 
|-
 
|-
 
|start_time
 
|start_time
 
|timestamp without time zone
 
|timestamp without time zone
|The time the OpenVPN session started
+
|The time the client entered the penalty box
 
|-
 
|-
 
|end_time
 
|end_time
 
|timestamp without time zone
 
|timestamp without time zone
|The time the OpenVPN session ended
+
|The time the client exited the penalty box
 
|-
 
|-
|rx_bytes
+
|time_stamp
|bigint
+
|timestamp without time zone
|The total bytes received from the client during this session
+
|The time of the event
 
|-
 
|-
|tx_bytes
+
|}
|bigint
+
<section end='penaltybox' />
|The total bytes sent to the client during this session
+
 
 +
 
 +
== quotas ==
 +
<section begin='quotas' />
 +
 
 +
{| border="1" cellpadding="2" width="90%%" align="center"
 +
!Column Name
 +
!Type
 +
!Description
 
|-
 
|-
|remote_address
+
|time_stamp
|inet
+
|timestamp without time zone
|The remote IP address of the client
+
|The time of the event
 
|-
 
|-
|pool_address
+
|address
 
|inet
 
|inet
|The pool IP address of the client
+
|The IP address of the host
 
|-
 
|-
|remote_port
+
|action
 
|integer
 
|integer
|The remote port of the client
+
|The action (1=Quota Given, 2=Quota Exceeded)
 +
|-
 +
|size
 +
|bigint
 +
|The size of the quota
 
|-
 
|-
|client_name
+
|reason
 
|text
 
|text
|The name of the client
+
|The reason for the action
|-
 
|event_id
 
|bigint
 
|The unique event ID
 
 
|-
 
|-
 
|}
 
|}
<section end='openvpn_stats' />
+
<section end='quotas' />
  
  
== ipsec_user_events ==
+
== host_table_updates ==  
<section begin='ipsec_user_events' />
+
<section begin='host_table_updates' />
  
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
{| border="1" cellpadding="2" width="90%%" align="center"
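Review bot: the new `quotas.size` row, `|The size of the quota`, gives no unit; every other size column on the page is described as bytes, so say whether this one is bytes too. The `action` legend `(1=Quota Given, 2=Quota Exceeded)` is the right pattern and should be copied to the other coded columns on the page. In both `penaltybox` and `quotas`, `|The reason for the action` is vague, and `penaltybox` has no `action` column at all; say what the reason refers to (why the host was penalized, or why the quota was given or exceeded).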
Line 282: Line 307:
 
!Description
 
!Description
 
|-
 
|-
|event_id
+
|address
|bigint
+
|inet
|The unique event ID
+
|The IP address of the host
 +
|-
 +
|key
 +
|text
 +
|The key being updated
 +
|-
 +
|value
 +
|text
 +
|The new value for the key
 
|-
 
|-
 
|time_stamp
 
|time_stamp
Line 290: Line 323:
 
|The time of the event
 
|The time of the event
 
|-
 
|-
|connect_stamp
+
|}
|timestamp without time zone
+
<section end='host_table_updates' />
|The time the connection started
+
 
|-
+
 
|goodbye_stamp
+
== device_table_updates ==
|timestamp without time zone
+
<section begin='device_table_updates' />
|The time the connection ended
+
 
 +
{| border="1" cellpadding="2" width="90%%" align="center"
 +
!Column Name
 +
!Type
 +
!Description
 
|-
 
|-
|client_address
+
|mac_address
 
|text
 
|text
|The remote IP address of the client
+
|The MAC address of the device
 
|-
 
|-
|client_protocol
+
|key
 
|text
 
|text
|The protocol the client used to connect
+
|The key being updated
 
|-
 
|-
|client_username
+
|value
 
|text
 
|text
|The username of the client
+
|The new value for the key
 
|-
 
|-
|net_process
+
|time_stamp
|text
+
|timestamp without time zone
|The PID of the PPP process for L2TP connections or the connection ID for Xauth connections
+
|The time of the event
 
|-
 
|-
|net_interface
+
|}
|text
+
<section end='device_table_updates' />
|The PPP interface for L2TP connections or the client interface for Xauth connections
+
 
|-
+
 
|elapsed_time
+
== alerts ==  
|text
+
<section begin='alerts' />
|The total time the client was connected
 
|-
 
|rx_bytes
 
|bigint
 
|The number of bytes received from the client in this connection
 
|-
 
|tx_bytes
 
|bigint
 
|The number of bytes sent to the client in this connection
 
|-
 
|}
 
<section end='ipsec_user_events' />
 
 
 
 
 
== ipsec_tunnel_stats ==
 
<section begin='ipsec_tunnel_stats' />
 
  
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
{| border="1" cellpadding="2" width="90%%" align="center"
Line 346: Line 367:
 
|The time of the event
 
|The time of the event
 
|-
 
|-
|tunnel_name
+
|description
 
|text
 
|text
|The name of the IPsec tunnel
+
|The description from the alert rule.
 
|-
 
|-
|in_bytes
+
|summary_text
|bigint
+
|text
|The number of bytes received during this time frame
+
|The summary text of the alert
 
|-
 
|-
|out_bytes
+
|json
|bigint
+
|text
|The number of bytes transmitted during this time frame
+
|The summary JSON representation of the event causing the alert
|-
 
|event_id
 
|bigint
 
|The unique event ID
 
 
|-
 
|-
 
|}
 
|}
<section end='ipsec_tunnel_stats' />
+
<section end='alerts' />
  
  
== smtp_tarpit_events ==
+
== settings_changes ==  
<section begin='smtp_tarpit_events' />
+
<section begin='settings_changes' />
  
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
{| border="1" cellpadding="2" width="90%%" align="center"
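Review bot: `|The description from the alert rule.` is the only description on the page that ends with a period; drop it for consistency. `|The summary JSON representation of the event causing the alert` should say what `summary` means here, i.e. whether the `json` column holds the full serialized event or a reduced form, since anyone parsing this column for alert triage needs to know which fields to expect.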
Line 378: Line 395:
 
|The time of the event
 
|The time of the event
 
|-
 
|-
|ipaddr
+
|settings_file
|inet
+
|text
|The client IP address
+
|The name of the file changed
 +
|-
 +
|username
 +
|text
 +
|The username logged in at the time of the change
 
|-
 
|-
 
|hostname
 
|hostname
 
|text
 
|text
|The hostname
+
|The remote hostname
|-
 
|policy_id
 
|bigint
 
|The policy
 
|-
 
|vendor_name
 
|character varying(255)
 
|The "vendor name" of the app that logged the event
 
|-
 
|event_id
 
|bigint
 
|The unique event ID
 
 
|-
 
|-
 
|}
 
|}
<section end='smtp_tarpit_events' />
+
<section end='settings_changes' />
  
  
== server_events ==
+
== wan_failover_action_events ==  
<section begin='server_events' />
+
<section begin='wan_failover_action_events' />
  
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
{| border="1" cellpadding="2" width="90%%" align="center"
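Review bot: `|The remote hostname` in the new `settings_changes` table is ambiguous about whose hostname it is; given the preceding row `|The username logged in at the time of the change`, presumably it is the host the administrator connected from, and the description should say so. `|The name of the file changed` should also say whether `settings_file` is a full path or a bare file name, since that determines how it can be matched in a report condition.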
Line 414: Line 423:
 
|The time of the event
 
|The time of the event
 
|-
 
|-
|load_1
+
|interface_id
|numeric(6,2)
+
|integer
|The 1-minute CPU load
+
|This interface ID
 
|-
 
|-
|load_5
+
|action
|numeric(6,2)
+
|text
|The 5-minute CPU load
+
|This action (CONNECTED/DISCONNECTED)
 
|-
 
|-
|load_15
+
|os_name
|numeric(6,2)
+
|text
|The 15-minute CPU load
+
|This O/S name of the interface
 
|-
 
|-
|cpu_user
+
|name
|numeric(6,3)
+
|text
|The user CPU percent utilization
+
|This name of the interface
 
|-
 
|-
|cpu_system
+
|event_id
|numeric(6,3)
 
|The system CPU percent utilization
 
|-
 
|mem_total
 
 
|bigint
 
|bigint
|The total bytes of memory
+
|The unique event ID
 
|-
 
|-
|mem_free
+
|}
|bigint
+
<section end='wan_failover_action_events' />
|The number of free bytes of memory
 
|-
 
|disk_total
 
|bigint
 
|The total disk size in bytes
 
|-
 
|disk_free
 
|bigint
 
|The free disk space in bytes
 
|-
 
|swap_total
 
|bigint
 
|The total swap size in bytes
 
|-
 
|swap_free
 
|bigint
 
|The free disk swap in bytes
 
|-
 
|}
 
<section end='server_events' />
 
  
  
== webcache_stats ==
+
== wan_failover_test_events ==  
<section begin='webcache_stats' />
+
<section begin='wan_failover_test_events' />
  
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
{| border="1" cellpadding="2" width="90%%" align="center"
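Review bot: four descriptions in the new `wan_failover_action_events` table start with `This` where the rest of the page uses `The`: `|This interface ID`, `|This action (CONNECTED/DISCONNECTED)`, `|This O/S name of the interface` and the `name` row; change them to `The ...`. The `os_name` row should also say how it differs from `name` (if `O/S name` means the operating-system device name as opposed to the configured interface name, say so), since the two rows are otherwise hard to tell apart.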
Line 474: Line 459:
 
|The time of the event
 
|The time of the event
 
|-
 
|-
|hits
+
|interface_id
|bigint
+
|integer
|The number of cache hits during this time frame
+
|This interface ID
 
|-
 
|-
|misses
+
|name
|bigint
+
|text
|The number of cache misses during this time frame
+
|This name of the interface
 
|-
 
|-
|bypasses
+
|description
|bigint
+
|text
|The number of cache user bypasses during this time frame
+
|The description from the test rule
 
|-
 
|-
|systems
+
|success
|bigint
+
|boolean
|The number of cache system bypasses during this time frame
+
|The result of the test (true if the test succeeded, false otherwise)
|-
 
|hit_bytes
 
|bigint
 
|The number of bytes saved from cache hits
 
|-
 
|miss_bytes
 
|bigint
 
|The number of bytes not saved from cache misses
 
 
|-
 
|-
 
|event_id
 
|event_id
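Review bot: same wording issue as in `wan_failover_action_events`: `|This interface ID` and `|This name of the interface` should read `The interface ID` and `The name of the interface`. The `success` description, `|The result of the test (true if the test succeeded, false otherwise)`, is the form the other boolean rows on the page should follow.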
Line 503: Line 480:
 
|-
 
|-
 
|}
 
|}
<section end='webcache_stats' />
+
<section end='wan_failover_test_events' />
  
  
== http_query_events ==
+
== mail_msgs ==  
<section begin='http_query_events' />
+
<section begin='mail_msgs' />
  
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
{| border="1" cellpadding="2" width="90%%" align="center"
Line 513: Line 490:
 
!Type
 
!Type
 
!Description
 
!Description
|-
 
|event_id
 
|bigint
 
|The unique event ID
 
 
|-
 
|-
 
|time_stamp
 
|time_stamp
Line 573: Line 546:
 
|text
 
|text
 
|The username
 
|The username
 +
|-
 +
|msg_id
 +
|bigint
 +
|The message ID
 +
|-
 +
|subject
 +
|text
 +
|The email subject
 
|-
 
|-
 
|hostname
 
|hostname
Line 578: Line 559:
 
|The hostname
 
|The hostname
 
|-
 
|-
|request_id
+
|event_id
 
|bigint
 
|bigint
|The HTTP request ID
+
|The unique event ID
 
|-
 
|-
|method
+
|sender
|character(1)
+
|text
|The HTTP method
+
|The address of the sender
 
|-
 
|-
|uri
+
|receiver
 
|text
 
|text
|The HTTP URI
+
|The address of the receiver
 
|-
 
|-
|term
+
|virus_blocker_lite_clean
|text
+
|boolean
|The search term
+
|The cleanliness of the file according to Virus Blocker Lite
 
|-
 
|-
|host
+
|virus_blocker_lite_name
 
|text
 
|text
|The HTTP host
+
|The name of the malware according to Virus Blocker Lite
 
|-
 
|-
|c2s_content_length
+
|virus_blocker_clean
|bigint
+
|boolean
|The client-to-server content length
+
|The cleanliness of the file according to Virus Blocker
 
|-
 
|-
|s2c_content_length
+
|virus_blocker_name
|bigint
 
|The server-to-client content length
 
|-
 
|s2c_content_type
 
 
|text
 
|text
|The server-to-client content type
+
|The name of the malware according to Virus Blocker
 
|-
 
|-
|}
+
|spam_blocker_lite_score
<section end='http_query_events' />
+
|real
 
+
|The score of the email according to Spam Blocker Lite
 
 
== configuration_backup_events ==
 
<section begin='configuration_backup_events' />
 
 
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
!Column Name
 
!Type
 
!Description
 
 
|-
 
|-
|time_stamp
+
|spam_blocker_lite_is_spam
|timestamp without time zone
 
|The time of the event
 
|-
 
|success
 
 
|boolean
 
|boolean
|The result of the backup (true if the backup succeeded, false otherwise)
+
|The spam status of the email according to Spam Blocker Lite
 
|-
 
|-
|description
+
|spam_blocker_lite_tests_string
 
|text
 
|text
|Text detail of the event
+
|The tess results for Spam Blocker Lite
 
|-
 
|-
|event_id
+
|spam_blocker_lite_action
|bigint
+
|character(1)
|The unique event ID
+
|The action taken by Spam Blocker Lite
 
|-
 
|-
|}
+
|spam_blocker_score
<section end='configuration_backup_events' />
+
|real
 
+
|The score of the email according to Spam Blocker
 
 
== capture_user_events ==
 
<section begin='capture_user_events' />
 
 
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
!Column Name
 
!Type
 
!Description
 
 
|-
 
|-
|time_stamp
+
|spam_blocker_is_spam
|timestamp without time zone
+
|boolean
|The time of the event
+
|The spam status of the email according to Spam Blocker
 
|-
 
|-
|policy_id
+
|spam_blocker_tests_string
|bigint
+
|text
|The policy
+
|The tess results for Spam Blocker
 
|-
 
|-
|event_id
+
|spam_blocker_action
|bigint
+
|character(1)
|The unique event ID
+
|The action taken by Spam Blocker
 
|-
 
|-
|login_name
+
|phish_blocker_score
|text
+
|real
|The login username
+
|The score of the email according to Phish Blocker
 
|-
 
|-
|event_info
+
|phish_blocker_is_spam
|text
+
|boolean
|The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
+
|The phish status of the email according to Phish Blocker
 
|-
 
|-
|auth_type
+
|phish_blocker_tests_string
 
|text
 
|text
|The authorization type for this event
+
|The tess results for Phish Blocker
 
|-
 
|-
|client_addr
+
|phish_blocker_action
|text
+
|character(1)
|The remote IP address of the client
+
|The action taken by Phish Blocker
 
|-
 
|-
 
|}
 
|}
<section end='capture_user_events' />
+
<section end='mail_msgs' />
  
  
== ftp_events ==
+
== mail_addrs ==  
<section begin='ftp_events' />
+
<section begin='mail_addrs' />
  
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
{| border="1" cellpadding="2" width="90%%" align="center"
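Review bot: `tess` is a typo for `test` in `|The tess results for Spam Blocker Lite`, `|The tess results for Spam Blocker` and `|The tess results for Phish Blocker`. The three `character(1)` action columns (`spam_blocker_lite_action`, `spam_blocker_action`, `phish_blocker_action`) are described only as `The action taken by ...`, which does not tell a reader what the one-letter values mean; add a legend in the same form as `addr_kind` in `mail_addrs`. The `receiver` row should also say how it relates to the per-recipient rows in `mail_addrs`, which is where the To, CC and envelope recipients live according to the `addr_kind` legend.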
Line 689: Line 646:
 
!Type
 
!Type
 
!Description
 
!Description
|-
 
|event_id
 
|bigint
 
|The unique event ID
 
 
|-
 
|-
 
|time_stamp
 
|time_stamp
Line 725: Line 678:
 
|inet
 
|inet
 
|The server-side server IP address
 
|The server-side server IP address
 +
|-
 +
|c_client_port
 +
|integer
 +
|The client-side client port
 +
|-
 +
|s_client_port
 +
|integer
 +
|The server-side client port
 +
|-
 +
|c_server_port
 +
|integer
 +
|The client-side server port
 +
|-
 +
|s_server_port
 +
|integer
 +
|The server-side server port
 
|-
 
|-
 
|policy_id
 
|policy_id
Line 734: Line 703:
 
|The username
 
|The username
 
|-
 
|-
|hostname
+
|msg_id
|text
+
|bigint
|The hostname
+
|The message ID
 
|-
 
|-
|request_id
+
|subject
|bigint
+
|text
|The FTP request ID
+
|The email subject
 
|-
 
|-
|method
+
|addr
|character(1)
+
|text
|The FTP method
+
|The address of this event
 
|-
 
|-
|uri
+
|addr_name
 
|text
 
|text
|The FTP URI
+
|The name for this address
 
|-
 
|-
|virus_blocker_lite_clean
+
|addr_kind
|boolean
+
|character(1)
|The cleanliness of the file according to Virus Blocker Lite
+
|The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
 
|-
 
|-
|virus_blocker_lite_name
+
|hostname
 +
|text
 +
|The hostname
 +
|-
 +
|event_id
 +
|bigint
 +
|The unique event ID
 +
|-
 +
|sender
 +
|text
 +
|The address of the sender
 +
|-
 +
|virus_blocker_lite_clean
 +
|boolean
 +
|The cleanliness of the file according to Virus Blocker Lite
 +
|-
 +
|virus_blocker_lite_name
 
|text
 
|text
 
|The name of the malware according to Virus Blocker Lite
 
|The name of the malware according to Virus Blocker Lite
Line 766: Line 751:
 
|The name of the malware according to Virus Blocker
 
|The name of the malware according to Virus Blocker
 
|-
 
|-
|}
+
|spam_blocker_lite_score
<section end='ftp_events' />
+
|real
 
+
|The score of the email according to Spam Blocker Lite
 
+
|-
== mail_addrs ==
+
|spam_blocker_lite_is_spam
<section begin='mail_addrs' />
+
|boolean
 
+
|The spam status of the email according to Spam Blocker Lite
{| border="1" cellpadding="2" width="90%%" align="center"
 
!Column Name
 
!Type
 
!Description
 
 
|-
 
|-
|time_stamp
+
|spam_blocker_lite_action
|timestamp without time zone
+
|character(1)
|The time of the event
+
|The action taken by Spam Blocker Lite
 
|-
 
|-
|session_id
+
|spam_blocker_lite_tests_string
|bigint
+
|text
|The session
+
|The tess results for Spam Blocker Lite
 
|-
 
|-
|client_intf
+
|spam_blocker_score
|smallint
+
|real
|The client interface
+
|The score of the email according to Spam Blocker
 
|-
 
|-
|server_intf
+
|spam_blocker_is_spam
|smallint
+
|boolean
|The server interface
+
|The spam status of the email according to Spam Blocker
 
|-
 
|-
|c_client_addr
+
|spam_blocker_action
|inet
+
|character(1)
|The client-side client IP address
+
|The action taken by Spam Blocker
 
|-
 
|-
|s_client_addr
+
|spam_blocker_tests_string
|inet
+
|text
|The server-side client IP address
+
|The tess results for Spam Blocker
 
|-
 
|-
|c_server_addr
+
|phish_blocker_score
|inet
+
|real
|The client-side server IP address
+
|The score of the email according to Phish Blocker
 
|-
 
|-
|s_server_addr
+
|phish_blocker_is_spam
|inet
+
|boolean
|The server-side server IP address
+
|The phish status of the email according to Phish Blocker
 
|-
 
|-
|c_client_port
+
|phish_blocker_tests_string
|integer
+
|text
|The client-side client port
+
|The tess results for Phish Blocker
 
|-
 
|-
|s_client_port
+
|phish_blocker_action
|integer
+
|character(1)
|The server-side client port
+
|The action taken by Phish Blocker
 
|-
 
|-
|c_server_port
+
|}
|integer
+
<section end='mail_addrs' />
|The client-side server port
+
 
 +
 
 +
== smtp_tarpit_events ==
 +
<section begin='smtp_tarpit_events' />
 +
 
 +
{| border="1" cellpadding="2" width="90%%" align="center"
 +
!Column Name
 +
!Type
 +
!Description
 
|-
 
|-
|s_server_port
+
|time_stamp
|integer
+
|timestamp without time zone
|The server-side server port
+
|The time of the event
 +
|-
 +
|ipaddr
 +
|inet
 +
|The client IP address
 +
|-
 +
|hostname
 +
|text
 +
|The hostname
 
|-
 
|-
 
|policy_id
 
|policy_id
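Review bot: the `tess` typo recurs three times in this `mail_addrs` copy of the spam and phish columns (`|The tess results for Spam Blocker Lite` and the matching Spam Blocker and Phish Blocker rows); fix to `test results`, and add the same code legend for the three `character(1)` action columns as requested for `mail_msgs`. Since the `sender`, virus, spam and phish columns now appear identically in both `mail_msgs` and `mail_addrs`, note in one of the two tables that they are per-message values repeated on every address row, so that a report summing or counting them over `mail_addrs` does not double-count messages.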
Line 830: Line 827:
 
|The policy
 
|The policy
 
|-
 
|-
|username
+
|vendor_name
|text
+
|character varying(255)
|The username
+
|The "vendor name" of the app that logged the event
 
|-
 
|-
|msg_id
+
|event_id
 
|bigint
 
|bigint
|The message ID
+
|The unique event ID
 
|-
 
|-
|subject
+
|}
|text
+
<section end='smtp_tarpit_events' />
|The email subject
+
 
 +
 
 +
== http_events ==
 +
<section begin='http_events' />
 +
 
 +
{| border="1" cellpadding="2" width="90%%" align="center"
 +
!Column Name
 +
!Type
 +
!Description
 
|-
 
|-
|addr
+
|request_id
|text
+
|bigint
|The address of this event
+
|The HTTP request ID
 
|-
 
|-
|addr_name
+
|time_stamp
|text
+
|timestamp without time zone
|The name for this address
+
|The time of the event
 
|-
 
|-
|addr_kind
+
|session_id
|character(1)
+
|bigint
|The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
+
|The session
 
|-
 
|-
|hostname
+
|client_intf
|text
+
|smallint
|The hostname
+
|The client interface
 
|-
 
|-
|event_id
+
|server_intf
|bigint
+
|smallint
|The unique event ID
+
|The server interface
 
|-
 
|-
|sender
+
|c_client_addr
|text
+
|inet
|The address of the sender
+
|The client-side client IP address
 
|-
 
|-
|virus_blocker_lite_clean
+
|s_client_addr
|boolean
+
|inet
|The cleanliness of the file according to Virus Blocker Lite
+
|The server-side client IP address
 
|-
 
|-
|virus_blocker_lite_name
+
|c_server_addr
|text
+
|inet
|The name of the malware according to Virus Blocker Lite
+
|The client-side server IP address
 
|-
 
|-
|virus_blocker_clean
+
|s_server_addr
|boolean
+
|inet
|The cleanliness of the file according to Virus Blocker
+
|The server-side server IP address
 
|-
 
|-
|virus_blocker_name
+
|c_client_port
|text
+
|integer
|The name of the malware according to Virus Blocker
+
|The client-side client port
 
|-
 
|-
|spam_blocker_lite_score
+
|s_client_port
|real
+
|integer
|The score of the email according to Spam Blocker Lite
+
|The server-side client port
 
|-
 
|-
|spam_blocker_lite_is_spam
+
|c_server_port
|boolean
+
|integer
|The spam status of the email according to Spam Blocker Lite
+
|The client-side server port
 
|-
 
|-
|spam_blocker_lite_action
+
|s_server_port
|character(1)
+
|integer
|The action taken by Spam Blocker Lite
+
|The server-side server port
 +
|-
 +
|policy_id
 +
|smallint
 +
|The policy
 
|-
 
|-
|spam_blocker_lite_tests_string
+
|username
 
|text
 
|text
|The tess results for Spam Blocker Lite
+
|The username
 
|-
 
|-
|spam_blocker_score
+
|hostname
|real
+
|text
|The score of the email according to Spam Blocker
+
|The hostname
 
|-
 
|-
|spam_blocker_is_spam
+
|method
|boolean
 
|The spam status of the email according to Spam Blocker
 
|-
 
|spam_blocker_action
 
 
|character(1)
 
|character(1)
|The action taken by Spam Blocker
+
|The HTTP method
 
|-
 
|-
|spam_blocker_tests_string
+
|uri
 
|text
 
|text
|The tess results for Spam Blocker
+
|The HTTP URI
 
|-
 
|-
|phish_blocker_score
+
|host
|real
+
|text
|The score of the email according to Phish Blocker
+
|The HTTP host
 
|-
 
|-
|phish_blocker_is_spam
+
|domain
|boolean
 
|The phish status of the email according to Phish Blocker
 
|-
 
|phish_blocker_tests_string
 
 
|text
 
|text
|The tess results for Phish Blocker
+
|The HTTP domain (shortened host)
 
|-
 
|-
|phish_blocker_action
+
|c2s_content_length
|character(1)
+
|bigint
|The action taken by Phish Blocker
+
|The client-to-server content length
 
|-
 
|-
|}
+
|s2c_content_length
<section end='mail_addrs' />
+
|bigint
 
+
|The server-to-client content length
 
 
== mail_msgs ==
 
<section begin='mail_msgs' />
 
 
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
!Column Name
 
!Type
 
!Description
 
 
|-
 
|-
|time_stamp
+
|s2c_content_type
|timestamp without time zone
+
|text
|The time of the event
+
|The server-to-client content type
 
|-
 
|-
|session_id
+
|ad_blocker_cookie_ident
|bigint
+
|text
|The session
+
|This name of cookie blocked by Ad Blocker
 
|-
 
|-
|client_intf
+
|ad_blocker_action
|smallint
+
|character(1)
|The client interface
+
|This action of Ad Blocker on this request
 
|-
 
|-
|server_intf
+
|web_filter_lite_reason
|smallint
+
|character(1)
|The server interface
+
|This reason Web Filter Lite blocked/flagged this request
 
|-
 
|-
|c_client_addr
+
|web_filter_lite_category
|inet
+
|text
|The client-side client IP address
+
|This category according to Web Filter Lite
 
|-
 
|-
|s_client_addr
+
|web_filter_lite_blocked
|inet
+
|boolean
|The server-side client IP address
+
|If Web Filter Lite blocked this request
 
|-
 
|-
|c_server_addr
+
|web_filter_lite_flagged
|inet
+
|boolean
|The client-side server IP address
+
|If Web Filter Lite flagged this request
 
|-
 
|-
|s_server_addr
+
|web_filter_reason
|inet
+
|character(1)
|The server-side server IP address
+
|This reason Web Filter blocked/flagged this request
 
|-
 
|-
|c_client_port
+
|web_filter_category
|integer
+
|text
|The client-side client port
+
|This category according to Web Filter
 
|-
 
|-
|s_client_port
+
|web_filter_blocked
|integer
+
|boolean
|The server-side client port
+
|If Web Filter blocked this request
 
|-
 
|-
|c_server_port
+
|web_filter_flagged
|integer
+
|boolean
|The client-side server port
+
|If Web Filter flagged this request
 
|-
 
|-
|s_server_port
+
|virus_blocker_lite_clean
|integer
+
|boolean
|The server-side server port
+
|The cleanliness of the file according to Virus Blocker Lite
 
|-
 
|-
|policy_id
+
|virus_blocker_lite_name
|bigint
 
|The policy
 
|-
 
|username
 
 
|text
 
|text
|The username
+
|The name of the malware according to Virus Blocker Lite
 
|-
 
|-
|msg_id
+
|virus_blocker_clean
|bigint
+
|boolean
|The message ID
+
|The cleanliness of the file according to Virus Blocker
 
|-
 
|-
|subject
+
|virus_blocker_name
 
|text
 
|text
|The email subject
+
|The name of the malware according to Virus Blocker
 
|-
 
|-
|hostname
+
|referer
 
|text
 
|text
|The hostname
+
|The Referer URL
 
|-
 
|-
|event_id
+
|}
|bigint
+
<section end='http_events' />
|The unique event ID
+
 
 +
 
 +
== ftp_events ==
 +
<section begin='ftp_events' />
 +
 
 +
{| border="1" cellpadding="2" width="90%%" align="center"
 +
!Column Name
 +
!Type
 +
!Description
 
|-
 
|-
|sender
+
|event_id
|text
+
|bigint
|The address of the sender
+
|The unique event ID
 
|-
 
|-
|receiver
+
|time_stamp
|text
+
|timestamp without time zone
|The address of the receiver
+
|The time of the event
 
|-
 
|-
|virus_blocker_lite_clean
+
|session_id
|boolean
+
|bigint
|The cleanliness of the file according to Virus Blocker Lite
+
|The session
 
|-
 
|-
|virus_blocker_lite_name
+
|client_intf
|text
+
|smallint
|The name of the malware according to Virus Blocker Lite
+
|The client interface
 
|-
 
|-
|virus_blocker_clean
+
|server_intf
|boolean
+
|smallint
|The cleanliness of the file according to Virus Blocker
+
|The server interface
 
|-
 
|-
|virus_blocker_name
+
|c_client_addr
|text
+
|inet
|The name of the malware according to Virus Blocker
+
|The client-side client IP address
 
|-
 
|-
|spam_blocker_lite_score
+
|s_client_addr
|real
+
|inet
|The score of the email according to Spam Blocker Lite
+
|The server-side client IP address
 
|-
 
|-
|spam_blocker_lite_is_spam
+
|c_server_addr
|boolean
+
|inet
|The spam status of the email according to Spam Blocker Lite
+
|The client-side server IP address
 
|-
 
|-
|spam_blocker_lite_tests_string
+
|s_server_addr
|text
+
|inet
|The tess results for Spam Blocker Lite
+
|The server-side server IP address
 
|-
 
|-
|spam_blocker_lite_action
+
|policy_id
|character(1)
+
|bigint
|The action taken by Spam Blocker Lite
+
|The policy
 
|-
 
|-
|spam_blocker_score
+
|username
|real
+
|text
|The score of the email according to Spam Blocker
+
|The username
 
|-
 
|-
|spam_blocker_is_spam
+
|hostname
|boolean
 
|The spam status of the email according to Spam Blocker
 
|-
 
|spam_blocker_tests_string
 
 
|text
 
|text
|The tess results for Spam Blocker
+
|The hostname
 
|-
 
|-
|spam_blocker_action
+
|request_id
 +
|bigint
 +
|The FTP request ID
 +
|-
 +
|method
 
|character(1)
 
|character(1)
|The action taken by Spam Blocker
+
|The FTP method
 
|-
 
|-
|phish_blocker_score
+
|uri
|real
+
|text
|The score of the email according to Phish Blocker
+
|The FTP URI
 
|-
 
|-
|phish_blocker_is_spam
+
|virus_blocker_lite_clean
 
|boolean
 
|boolean
|The phish status of the email according to Phish Blocker
+
|The cleanliness of the file according to Virus Blocker Lite
 
|-
 
|-
|phish_blocker_tests_string
+
|virus_blocker_lite_name
 
|text
 
|text
|The tess results for Phish Blocker
+
|The name of the malware according to Virus Blocker Lite
 
|-
 
|-
|phish_blocker_action
+
|virus_blocker_clean
|character(1)
+
|boolean
|The action taken by Phish Blocker
+
|The cleanliness of the file according to Virus Blocker
 +
|-
 +
|virus_blocker_name
 +
|text
 +
|The name of the malware according to Virus Blocker
 
|-
 
|-
 
|}
 
|}
<section end='mail_msgs' />
+
<section end='ftp_events' />
  
  
== http_events ==
+
== ipsec_user_events ==  
<section begin='http_events' />
+
<section begin='ipsec_user_events' />
  
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
{| border="1" cellpadding="2" width="90%%" align="center"
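Review bot: the added http_events rows for ad_blocker_cookie_ident, ad_blocker_action, web_filter_lite_reason and web_filter_lite_category (and the web_filter_* rows that follow them) open their descriptions with "This" where every other row in the table uses "The"; suggest "The name of the cookie blocked by Ad Blocker", "The action Ad Blocker took on this request" and "The reason Web Filter Lite blocked/flagged this request". Separately, the character(1) columns introduced here (method, ad_blocker_action, web_filter_lite_reason, web_filter_reason, and the FTP method further down) do not list their code values, unlike the addr_kind row at the top of this hunk, which enumerates F/T/C/G/B/X; anyone writing a report condition on these columns needs that list.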
Line 1,098: Line 1,099:
 
!Description
 
!Description
 
|-
 
|-
|request_id
+
|event_id
 
|bigint
 
|bigint
|The HTTP request ID
+
|The unique event ID
 
|-
 
|-
 
|time_stamp
 
|time_stamp
Line 1,106: Line 1,107:
 
|The time of the event
 
|The time of the event
 
|-
 
|-
|session_id
+
|connect_stamp
|bigint
+
|timestamp without time zone
|The session
+
|The time the connection started
 
|-
 
|-
|client_intf
+
|goodbye_stamp
|smallint
+
|timestamp without time zone
|The client interface
+
|The time the connection ended
 
|-
 
|-
|server_intf
+
|client_address
|smallint
+
|text
|The server interface
+
|The remote IP address of the client
 
|-
 
|-
|c_client_addr
+
|client_protocol
|inet
+
|text
|The client-side client IP address
+
|The protocol the client used to connect
 
|-
 
|-
|s_client_addr
+
|client_username
|inet
+
|text
|The server-side client IP address
+
|The username of the client
 
|-
 
|-
|c_server_addr
+
|net_process
|inet
+
|text
|The client-side server IP address
+
|The PID of the PPP process for L2TP connections or the connection ID for Xauth connections
 
|-
 
|-
|s_server_addr
+
|net_interface
|inet
+
|text
|The server-side server IP address
+
|The PPP interface for L2TP connections or the client interface for Xauth connections
 
|-
 
|-
|c_client_port
+
|elapsed_time
|integer
+
|text
|The client-side client port
+
|The total time the client was connected
 
|-
 
|-
|s_client_port
+
|rx_bytes
|integer
+
|bigint
|The server-side client port
+
|The number of bytes received from the client in this connection
 
|-
 
|-
|c_server_port
+
|tx_bytes
|integer
+
|bigint
|The client-side server port
+
|The number of bytes sent to the client in this connection
 
|-
 
|-
|s_server_port
+
|}
|integer
+
<section end='ipsec_user_events' />
|The server-side server port
+
 
|-
+
 
|policy_id
+
== configuration_backup_events ==
|smallint
+
<section begin='configuration_backup_events' />
|The policy
+
 
 +
{| border="1" cellpadding="2" width="90%%" align="center"
 +
!Column Name
 +
!Type
 +
!Description
 +
|-
 +
|time_stamp
 +
|timestamp without time zone
 +
|The time of the event
 +
|-
 +
|success
 +
|boolean
 +
|The result of the backup (true if the backup succeeded, false otherwise)
 
|-
 
|-
|username
+
|description
 
|text
 
|text
|The username
+
|Text detail of the event
 
|-
 
|-
|hostname
+
|destination
 
|text
 
|text
|The hostname
+
|The location of the backup
 
|-
 
|-
|method
+
|event_id
|character(1)
+
|bigint
|The HTTP method
+
|The unique event ID
 
|-
 
|-
|uri
+
|}
|text
+
<section end='configuration_backup_events' />
|The HTTP URI
+
 
 +
 
 +
== ipsec_tunnel_stats ==
 +
<section begin='ipsec_tunnel_stats' />
 +
 
 +
{| border="1" cellpadding="2" width="90%%" align="center"
 +
!Column Name
 +
!Type
 +
!Description
 
|-
 
|-
|host
+
|time_stamp
|text
+
|timestamp without time zone
|The HTTP host
+
|The time of the event
 
|-
 
|-
|domain
+
|tunnel_name
 
|text
 
|text
|The HTTP domain (shortened host)
+
|The name of the IPsec tunnel
 
|-
 
|-
|c2s_content_length
+
|in_bytes
 
|bigint
 
|bigint
|The client-to-server content length
+
|The number of bytes received during this time frame
 
|-
 
|-
|s2c_content_length
+
|out_bytes
 
|bigint
 
|bigint
|The server-to-client content length
+
|The number of bytes transmitted during this time frame
 
|-
 
|-
|s2c_content_type
+
|event_id
|text
+
|bigint
|The server-to-client content type
+
|The unique event ID
 
|-
 
|-
|ad_blocker_cookie_ident
+
|}
|text
+
<section end='ipsec_tunnel_stats' />
|This name of cookie blocked by Ad Blocker
+
 
 +
 
 +
== server_events ==
 +
<section begin='server_events' />
 +
 
 +
{| border="1" cellpadding="2" width="90%%" align="center"
 +
!Column Name
 +
!Type
 +
!Description
 
|-
 
|-
|ad_blocker_action
+
|time_stamp
|character(1)
+
|timestamp without time zone
|This action of Ad Blocker on this request
+
|The time of the event
 
|-
 
|-
|web_filter_lite_reason
+
|load_1
|character(1)
+
|numeric(6,2)
|This reason Web Filter Lite blocked/flagged this request
+
|The 1-minute CPU load
 
|-
 
|-
|web_filter_lite_category
+
|load_5
|text
+
|numeric(6,2)
|This category according to Web Filter Lite
+
|The 5-minute CPU load
 
|-
 
|-
|web_filter_lite_blocked
+
|load_15
|boolean
+
|numeric(6,2)
|If Web Filter Lite blocked this request
+
|The 15-minute CPU load
 
|-
 
|-
|web_filter_lite_flagged
+
|cpu_user
|boolean
+
|numeric(6,3)
|If Web Filter Lite flagged this request
+
|The user CPU percent utilization
 
|-
 
|-
|web_filter_reason
+
|cpu_system
|character(1)
+
|numeric(6,3)
|This reason Web Filter blocked/flagged this request
+
|The system CPU percent utilization
 
|-
 
|-
|web_filter_category
+
|mem_total
|text
+
|bigint
|This category according to Web Filter
+
|The total bytes of memory
 
|-
 
|-
|web_filter_blocked
+
|mem_free
|boolean
+
|bigint
|If Web Filter blocked this request
+
|The number of free bytes of memory
 
|-
 
|-
|web_filter_flagged
+
|disk_total
|boolean
+
|bigint
|If Web Filter flagged this request
+
|The total disk size in bytes
 
|-
 
|-
|virus_blocker_lite_clean
+
|disk_free
|boolean
+
|bigint
|The cleanliness of the file according to Virus Blocker Lite
+
|The free disk space in bytes
 
|-
 
|-
|virus_blocker_lite_name
+
|swap_total
|text
+
|bigint
|The name of the malware according to Virus Blocker Lite
+
|The total swap size in bytes
 
|-
 
|-
|virus_blocker_clean
+
|swap_free
|boolean
+
|bigint
|The cleanliness of the file according to Virus Blocker
+
|The free disk swap in bytes
 
|-
 
|-
|virus_blocker_name
+
|active_hosts
|text
+
|integer
|The name of the malware according to Virus Blocker
+
|The number of active hosts
 
|-
 
|-
 
|}
 
|}
<section end='http_events' />
+
<section end='server_events' />
  
  
== directory_connector_login_events ==
+
== captive_portal_user_events ==  
<section begin='directory_connector_login_events' />
+
<section begin='captive_portal_user_events' />
  
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
{| border="1" cellpadding="2" width="90%%" align="center"
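Review bot: in the added ipsec_user_events table, elapsed_time is typed text and described only as "The total time the client was connected", with no unit or format, and client_address stores "The remote IP address of the client" as text while the other tables on this page keep addresses in inet columns; suggest stating the format of elapsed_time (seconds, or hh:mm:ss) and using inet for client_address so that address conditions behave the same as they do on c_client_addr. Also, the server_events row "The free disk swap in bytes" (swap_free) would read better as "The free swap space in bytes", matching swap_total.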
Line 1,262: Line 1,291:
 
|The time of the event
 
|The time of the event
 
|-
 
|-
|login_name
+
|policy_id
|text
+
|bigint
|The login name
+
|The policy
 +
|-
 +
|event_id
 +
|bigint
 +
|The unique event ID
 +
|-
 +
|login_name
 +
|text
 +
|The login username
 
|-
 
|-
|domain
+
|event_info
 
|text
 
|text
|The AD domain
+
|The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
 
|-
 
|-
|type
+
|auth_type
 
|text
 
|text
|The type of event (I=Login,U=Update,O=Logout)
+
|The authorization type for this event
 
|-
 
|-
 
|client_addr
 
|client_addr
|inet
+
|text
|The client IP address
+
|The remote IP address of the client
 
|-
 
|-
 
|}
 
|}
<section end='directory_connector_login_events' />
+
<section end='captive_portal_user_events' />
  
  
== wan_failover_action_events ==
+
== directory_connector_login_events ==  
<section begin='wan_failover_action_events' />
+
<section begin='directory_connector_login_events' />
  
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
{| border="1" cellpadding="2" width="90%%" align="center"
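Review bot: client_addr in the added captive_portal_user_events table is typed text (the |inet line is replaced by |text) where the directory_connector_login_events row it is aligned against, and admin_logins, use inet for the same kind of value; unless the column really holds non-address strings, keep inet so that client-address conditions work identically across tables. The event_info description enumerates its values (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT); auth_type, described only as "The authorization type for this event", should get the same treatment.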
Line 1,294: Line 1,331:
 
|The time of the event
 
|The time of the event
 
|-
 
|-
|interface_id
+
|login_name
|integer
+
|text
|This interface ID
+
|The login name
 
|-
 
|-
|action
+
|domain
 
|text
 
|text
|This action (CONNECTED/DISCONNECTED)
+
|The AD domain
 
|-
 
|-
|os_name
+
|type
 
|text
 
|text
|This O/S name of the interface
+
|The type of event (I=Login,U=Update,O=Logout)
 
|-
 
|-
|name
+
|client_addr
|text
+
|inet
|This name of the interface
+
|The client IP address
|-
 
|event_id
 
|bigint
 
|The unique event ID
 
 
|-
 
|-
 
|}
 
|}
<section end='wan_failover_action_events' />
+
<section end='directory_connector_login_events' />
  
  
== intrusion_prevention_events ==
+
== web_cache_stats ==  
<section begin='intrusion_prevention_events' />
+
<section begin='web_cache_stats' />
  
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,330: Line 1,363:
 
|The time of the event
 
|The time of the event
 
|-
 
|-
|sig_id
+
|hits
 
|bigint
 
|bigint
|This ID of the rule
+
|The number of cache hits during this time frame
 
|-
 
|-
|gen_id
+
|misses
 
|bigint
 
|bigint
|The grouping ID for the rule, The gen_id + sig_id specify the rule's unique identifier
+
|The number of cache misses during this time frame
 
|-
 
|-
|class_id
+
|bypasses
 
|bigint
 
|bigint
|The numeric ID for the classtype
+
|The number of cache user bypasses during this time frame
 
|-
 
|-
|source_addr
+
|systems
|inet
+
|bigint
|The source IP address of the packet
+
|The number of cache system bypasses during this time frame
 
|-
 
|-
|source_port
+
|hit_bytes
|integer
+
|bigint
|The source port of the packet (if applicable)
+
|The number of bytes saved from cache hits
 
|-
 
|-
|dest_addr
+
|miss_bytes
|inet
+
|bigint
|The destination IP address of the packet
+
|The number of bytes not saved from cache misses
 
|-
 
|-
|dest_port
+
|event_id
|integer
+
|bigint
|The destination port of the packet (if applicable)
+
|The unique event ID
|-
 
|protocol
 
|integer
 
|The protocol of the packet
 
|-
 
|blocked
 
|boolean
 
|If the packet was blocked/dropped
 
|-
 
|category
 
|text
 
|The application specific grouping
 
|-
 
|classtype
 
|text
 
|The generalized threat rule grouping (unrelated to gen_id)
 
|-
 
|msg
 
|text
 
|The "title" or "description" of the rule
 
 
|-
 
|-
 
|}
 
|}
<section end='intrusion_prevention_events' />
+
<section end='web_cache_stats' />
  
  
== wan_failover_test_events ==
+
== http_query_events ==  
<section begin='wan_failover_test_events' />
+
<section begin='http_query_events' />
  
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
{| border="1" cellpadding="2" width="90%%" align="center"
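Review bot: the web_cache_stats column named "systems" is described as "The number of cache system bypasses during this time frame", and the name alone does not convey that it is a bypass counter; if the column cannot be renamed to match bypasses (user bypasses), the description should stay as the full statement it is now, and hit_bytes/miss_bytes would be clearer as "bytes served from cache" and "bytes fetched from origin on cache misses" than "saved" and "not saved".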
Line 1,389: Line 1,402:
 
!Type
 
!Type
 
!Description
 
!Description
 +
|-
 +
|event_id
 +
|bigint
 +
|The unique event ID
 
|-
 
|-
 
|time_stamp
 
|time_stamp
Line 1,394: Line 1,411:
 
|The time of the event
 
|The time of the event
 
|-
 
|-
|interface_id
+
|session_id
|integer
+
|bigint
|This interface ID
+
|The session
 
|-
 
|-
|name
+
|client_intf
|text
+
|smallint
|This name of the interface
+
|The client interface
 
|-
 
|-
|description
+
|server_intf
|text
+
|smallint
|The description from the test rule
+
|The server interface
 
|-
 
|-
|success
+
|c_client_addr
|boolean
+
|inet
|The result of the test (true if the test succeeded, false otherwise)
+
|The client-side client IP address
 
|-
 
|-
|event_id
+
|s_client_addr
|bigint
+
|inet
|The unique event ID
+
|The server-side client IP address
 
|-
 
|-
|}
+
|c_server_addr
<section end='wan_failover_test_events' />
+
|inet
 
+
|The client-side server IP address
 
 
== settings_changes ==
 
<section begin='settings_changes' />
 
 
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
!Column Name
 
!Type
 
!Description
 
 
|-
 
|-
|time_stamp
+
|s_server_addr
|timestamp without time zone
+
|inet
|The time of the event
+
|The server-side server IP address
 +
|-
 +
|c_client_port
 +
|integer
 +
|The client-side client port
 +
|-
 +
|s_client_port
 +
|integer
 +
|The server-side client port
 +
|-
 +
|c_server_port
 +
|integer
 +
|The client-side server port
 +
|-
 +
|s_server_port
 +
|integer
 +
|The server-side server port
 
|-
 
|-
|settings_file
+
|policy_id
|text
+
|bigint
|The name of the file changed
+
|The policy
 
|-
 
|-
 
|username
 
|username
 
|text
 
|text
|The username logged in at the time of the change
+
|The username
 
|-
 
|-
 
|hostname
 
|hostname
 
|text
 
|text
|The remote hostname
+
|The hostname
 
|-
 
|-
|}
+
|request_id
<section end='settings_changes' />
+
|bigint
 
+
|The HTTP request ID
 
 
== alerts ==
 
<section begin='alerts' />
 
 
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
!Column Name
 
!Type
 
!Description
 
 
|-
 
|-
|time_stamp
+
|method
|timestamp without time zone
+
|character(1)
|The time of the event
+
|The HTTP method
 
|-
 
|-
|description
+
|uri
 
|text
 
|text
|The description from the alert rule.
+
|The HTTP URI
 
|-
 
|-
|summary_text
+
|term
 
|text
 
|text
|The summary text of the alert
+
|The search term
 
|-
 
|-
|json
+
|host
 +
|text
 +
|The HTTP host
 +
|-
 +
|c2s_content_length
 +
|bigint
 +
|The client-to-server content length
 +
|-
 +
|s2c_content_length
 +
|bigint
 +
|The server-to-client content length
 +
|-
 +
|s2c_content_type
 
|text
 
|text
|The summary JSON representation of the event causing the alert
+
|The server-to-client content type
 
|-
 
|-
 
|}
 
|}
<section end='alerts' />
+
<section end='http_query_events' />
  
  
== host_table_updates ==
+
== openvpn_stats ==  
<section begin='host_table_updates' />
+
<section begin='openvpn_stats' />
  
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
{| border="1" cellpadding="2" width="90%%" align="center"
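Review bot: policy_id in the added http_query_events table is bigint, while the http_events policy_id row removed in the earlier hunk, and the sessions table, use smallint; pick one type for policy_id across tables so that joins and shared report conditions on it do not need casts. The description of term ("The search term") should also say where the term is extracted from, since that is what distinguishes this table from http_events.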
Line 1,482: Line 1,511:
 
!Description
 
!Description
 
|-
 
|-
|address
+
|time_stamp
|inet
+
|timestamp without time zone
|The IP address of the host
+
|The time of the event
 
|-
 
|-
|key
+
|start_time
|text
+
|timestamp without time zone
|The key being updated
+
|The time the OpenVPN session started
 
|-
 
|-
|value
+
|end_time
|text
 
|The new value for the key
 
|-
 
|time_stamp
 
 
|timestamp without time zone
 
|timestamp without time zone
|The time of the event
+
|The time the OpenVPN session ended
 
|-
 
|-
|}
+
|rx_bytes
<section end='host_table_updates' />
+
|bigint
 
+
|The total bytes received from the client during this session
 
 
== quotas ==
 
<section begin='quotas' />
 
 
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
!Column Name
 
!Type
 
!Description
 
 
|-
 
|-
|time_stamp
+
|tx_bytes
|timestamp without time zone
+
|bigint
|The time of the event
+
|The total bytes sent to the client during this session
 +
|-
 +
|remote_address
 +
|inet
 +
|The remote IP address of the client
 
|-
 
|-
|address
+
|pool_address
 
|inet
 
|inet
|The IP address of the host
+
|The pool IP address of the client
 
|-
 
|-
|action
+
|remote_port
 
|integer
 
|integer
|The action (1=Quota Given, 2=Quota Exceeded)
+
|The remote port of the client
 +
|-
 +
|client_name
 +
|text
 +
|The name of the client
 
|-
 
|-
|size
+
|event_id
 
|bigint
 
|bigint
|The size of the quota
+
|The unique event ID
|-
 
|reason
 
|text
 
|The reason for the action
 
 
|-
 
|-
 
|}
 
|}
<section end='quotas' />
+
<section end='openvpn_stats' />
  
  
== penaltybox ==
+
== openvpn_events ==  
<section begin='penaltybox' />
+
<section begin='openvpn_events' />
  
 
{| border="1" cellpadding="2" width="90%%" align="center"
 
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,542: Line 1,563:
 
!Description
 
!Description
 
|-
 
|-
|address
+
|time_stamp
 +
|timestamp without time zone
 +
|The time of the event
 +
|-
 +
|remote_address
 +
|inet
 +
|The remote IP address of the client
 +
|-
 +
|pool_address
 
|inet
 
|inet
|The IP address of the host
+
|The pool IP address of the client
 
|-
 
|-
|reason
+
|client_name
 
|text
 
|text
|The reason for the action
+
|The name of the client
|-
 
|start_time
 
|timestamp without time zone
 
|The time the client entered the penalty box
 
 
|-
 
|-
|end_time
+
|type
|timestamp without time zone
+
|text
|The time the client exited the penalty box
+
|The type of the event (CONNECT/DISCONNECT)
 +
|-
 +
|}
 +
<section end='openvpn_events' />
 +
 
 +
 
 +
== intrusion_prevention_events ==
 +
<section begin='intrusion_prevention_events' />
 +
 
 +
{| border="1" cellpadding="2" width="90%%" align="center"
 +
!Column Name
 +
!Type
 +
!Description
 
|-
 
|-
 
|time_stamp
 
|time_stamp
Line 1,562: Line 1,599:
 
|The time of the event
 
|The time of the event
 
|-
 
|-
|}
+
|sig_id
<section end='penaltybox' />
+
|bigint
 
+
|This ID of the rule
 
+
|-
== admin_logins ==
+
|gen_id
<section begin='admin_logins' />
+
|bigint
 +
|The grouping ID for the rule, The gen_id + sig_id specify the rule's unique identifier
 +
|-
 +
|class_id
 +
|bigint
 +
|The numeric ID for the classtype
 +
|-
 +
|source_addr
 +
|inet
 +
|The source IP address of the packet
 +
|-
 +
|source_port
 +
|integer
 +
|The source port of the packet (if applicable)
 +
|-
 +
|dest_addr
 +
|inet
 +
|The destination IP address of the packet
 +
|-
 +
|dest_port
 +
|integer
 +
|The destination port of the packet (if applicable)
 +
|-
 +
|protocol
 +
|integer
 +
|The protocol of the packet
 +
|-
 +
|blocked
 +
|boolean
 +
|If the packet was blocked/dropped
 +
|-
 +
|category
 +
|text
 +
|The application specific grouping
 +
|-
 +
|classtype
 +
|text
 +
|The generalized threat rule grouping (unrelated to gen_id)
 +
|-
 +
|msg
 +
|text
 +
|The "title" or "description" of the rule
 +
|-
 +
|}
 +
<section end='intrusion_prevention_events' />
 +
 
 +
 
 +
== interface_stat_events ==  
 +
<section begin='interface_stat_events' />
  
{| border="1" cellpadding="2" width="90%%" align="center"
+
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
+
!Column Name
!Type
+
!Type
!Description
+
!Description
|-
+
|-
|time_stamp
+
|time_stamp
|timestamp without time zone
+
|timestamp without time zone
|The time of the event
+
|The time of the event
 +
|-
 +
|interface_id
 +
|integer
 +
|The interface ID
 
|-
 
|-
|login
+
|rx_rate
|text
+
|double precision
|The login name
+
|The RX rate (bytes/s)
 
|-
 
|-
|local
+
|tx_rate
|boolean
+
|double precision
|True if it is a login attempt through a local process
+
|The TX rate (bytes/s)
|-
 
|client_addr
 
|inet
 
|The client IP address
 
|-
 
|succeeded
 
|boolean
 
|True if the login succeeded, false otherwise
 
|-
 
|reason
 
|character(1)
 
|The reason for the login (if applicable)
 
 
|-
 
|-
 
|}
 
|}
<section end='admin_logins' />
+
<section end='interface_stat_events' />
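Review bot: in the moved intrusion_prevention_events rows, "This ID of the rule" (sig_id) should read "The ID of the rule", and the gen_id description is a comma splice; suggest "The grouping ID for the rule; gen_id and sig_id together identify the rule". The protocol column is described only as "The protocol of the packet"; saying that it holds the IP protocol number, as the sessions table does for its protocol column, removes the ambiguity. In the added interface_stat_events table, rx_rate and tx_rate give their unit (bytes/s), which is good; the interface_id description should say whether it is the same ID as interface_id in wan_failover_action_events.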

Revision as of 04:26, 26 February 2016

The global DB schema lists the tables and columns used to record every logged event in Untangle. These tables and columns can be used to add conditions to reports and event logs, and to create or edit reports in the reporting system.

= Database Tables =

== admin_logins ==

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Type !! Description
|-
| time_stamp || timestamp without time zone || The time of the event
|-
| login || text || The login name
|-
| local || boolean || True if it is a login attempt through a local process
|-
| client_addr || inet || The client IP address
|-
| succeeded || boolean || True if the login succeeded, false otherwise
|-
| reason || character(1) || The reason for the login (if applicable)
|}


== sessions ==

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Type !! Description
|-
| session_id || bigint || The session
|-
| time_stamp || timestamp without time zone || The time of the event
|-
| end_time || timestamp without time zone || The time the session ended
|-
| bypassed || boolean || True if the session was bypassed, false otherwise
|-
| entitled || boolean || True if the session is entitled to premium functionality
|-
| protocol || smallint || The IP protocol of the session
|-
| icmp_type || smallint || The ICMP type of the session, if the protocol is ICMP
|-
| hostname || text || The hostname
|-
| username || text || The username
|-
| policy_id || smallint || The policy
|-
| c_client_addr || inet || The client-side client IP address
|-
| c_server_addr || inet || The client-side server IP address
|-
| c_server_port || integer || The client-side server port
|-
| c_client_port || integer || The client-side client port
|-
| s_client_addr || inet || The server-side client IP address
|-
| s_server_addr || inet || The server-side server IP address
|-
| s_server_port || integer || The server-side server port
|-
| s_client_port || integer || The server-side client port
|-
| client_intf || smallint || The client interface
|-
| server_intf || smallint || The server interface
|-
| c2p_bytes || bigint || The number of bytes the client sent to Untangle (client-to-pipeline)
|-
| p2c_bytes || bigint || The number of bytes Untangle sent to the client (pipeline-to-client)
|-
| s2p_bytes || bigint || The number of bytes the server sent to Untangle (server-to-pipeline)
|-
| p2s_bytes || bigint || The number of bytes Untangle sent to the server (pipeline-to-server)
|-
| filter_prefix || text || The network filter that blocked the connection
|-
| shield_blocked || boolean || True if the shield blocked the session, false otherwise
|-
| firewall_blocked || boolean || True if Firewall blocked the session, false otherwise
|-
| firewall_flagged || boolean || True if Firewall flagged the session, false otherwise
|-
| firewall_rule_index || integer || The matching rule in Firewall (if any)
|-
| application_control_lite_protocol || text || The application protocol according to Application Control Lite
|-
| application_control_lite_blocked || boolean || True if Application Control Lite blocked the session
|-
| captive_portal_blocked || boolean || True if Captive Portal blocked the session
|-
| captive_portal_rule_index || integer || The matching rule in Captive Portal (if any)
|-
| application_control_application || text || The application according to Application Control
|-
| application_control_protochain || text || The protochain according to Application Control
|-
| application_control_category || text || The category according to Application Control
|-
| application_control_blocked || boolean || True if Application Control blocked the session
|-
| application_control_flagged || boolean || True if Application Control flagged the session
|-
| application_control_confidence || integer || The Application Control confidence in this session's identification
|-
| application_control_ruleid || integer || The matching rule in Application Control (if any)
|-
| application_control_detail || text || The text detail from the Application Control engine
|-
| bandwidth_control_priority || integer || The priority given to this session
|-
| bandwidth_control_rule || integer || The matching rule in Bandwidth Control (if any)
|-
| ssl_inspector_ruleid || integer || The matching rule in HTTPS Inspector (if any)
|-
| ssl_inspector_status || text || The status/action of the SSL session (INSPECTED/IGNORED/BLOCKED/UNTRUSTED/ABANDONED)
|-
| ssl_inspector_detail || text || Additional text detail about the SSL connection (SNI, IP Address)
|}


== penaltybox ==

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Type !! Description
|-
| address || inet || The IP address of the host
|-
| reason || text || The reason for the action
|-
| start_time || timestamp without time zone || The time the client entered the penalty box
|-
| end_time || timestamp without time zone || The time the client exited the penalty box
|-
| time_stamp || timestamp without time zone || The time of the event
|}


== quotas ==

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Type !! Description
|-
| time_stamp || timestamp without time zone || The time of the event
|-
| address || inet || The IP address of the host
|-
| action || integer || The action (1=Quota Given, 2=Quota Exceeded)
|-
| size || bigint || The size of the quota
|-
| reason || text || The reason for the action
|}


== host_table_updates ==

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Type !! Description
|-
| address || inet || The IP address of the host
|-
| key || text || The key being updated
|-
| value || text || The new value for the key
|-
| time_stamp || timestamp without time zone || The time of the event
|}


== device_table_updates ==

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Type !! Description
|-
| mac_address || text || The MAC address of the device
|-
| key || text || The key being updated
|-
| value || text || The new value for the key
|-
| time_stamp || timestamp without time zone || The time of the event
|}


== alerts ==

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Type !! Description
|-
| time_stamp || timestamp without time zone || The time of the event
|-
| description || text || The description from the alert rule
|-
| summary_text || text || The summary text of the alert
|-
| json || text || The summary JSON representation of the event causing the alert
|}


== settings_changes ==

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Type !! Description
|-
| time_stamp || timestamp without time zone || The time of the event
|-
| settings_file || text || The name of the file changed
|-
| username || text || The username logged in at the time of the change
|-
| hostname || text || The remote hostname
|}


== wan_failover_action_events ==

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Type !! Description
|-
| time_stamp || timestamp without time zone || The time of the event
|-
| interface_id || integer || The interface ID
|-
| action || text || The action (CONNECTED/DISCONNECTED)
|-
| os_name || text || The O/S name of the interface
|-
| name || text || The name of the interface
|-
| event_id || bigint || The unique event ID
|}


== wan_failover_test_events ==

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Type !! Description
|-
| time_stamp || timestamp without time zone || The time of the event
|-
| interface_id || integer || The interface ID
|-
| name || text || The name of the interface
|-
| description || text || The description from the test rule
|-
| success || boolean || The result of the test (true if the test succeeded, false otherwise)
|-
| event_id || bigint || The unique event ID
|}


== mail_msgs ==

{| border="1" cellpadding="2" width="90%%" align="center"
! Column Name !! Type !! Description
|-
| time_stamp || timestamp without time zone || The time of the event
|-
| session_id || bigint || The session
|-
| client_intf || smallint || The client interface
|-
| server_intf || smallint || The server interface
|-
| c_client_addr || inet || The client-side client IP address
|-
| s_client_addr || inet || The server-side client IP address
|-
| c_server_addr || inet || The client-side server IP address
|-
| s_server_addr || inet || The server-side server IP address
|-
| c_client_port || integer || The client-side client port
|-
| s_client_port || integer || The server-side client port
|-
| c_server_port || integer || The client-side server port
|-
| s_server_port || integer || The server-side server port
|-
| policy_id || bigint || The policy
|-
| username || text || The username
|-
| msg_id || bigint || The message ID
|-
| subject || text || The email subject
|-
| hostname || text || The hostname
|-
| event_id || bigint || The unique event ID
|-
| sender || text || The address of the sender
|-
| receiver || text || The address of the receiver
|-
| virus_blocker_lite_clean || boolean || The cleanliness of the file according to Virus Blocker Lite
|-
| virus_blocker_lite_name || text || The name of the malware according to Virus Blocker Lite
|-
| virus_blocker_clean || boolean || The cleanliness of the file according to Virus Blocker
|-
| virus_blocker_name || text || The name of the malware according to Virus Blocker
|-
| spam_blocker_lite_score || real || The score of the email according to Spam Blocker Lite
|-
| spam_blocker_lite_is_spam || boolean || The spam status of the email according to Spam Blocker Lite
|-
| spam_blocker_lite_tests_string || text || The test results for Spam Blocker Lite
|-
| spam_blocker_lite_action || character(1) || The action taken by Spam Blocker Lite
|-
| spam_blocker_score || real || The score of the email according to Spam Blocker
|-
| spam_blocker_is_spam || boolean || The spam status of the email according to Spam Blocker
|-
| spam_blocker_tests_string || text || The test results for Spam Blocker
|-
| spam_blocker_action || character(1) || The action taken by Spam Blocker
|-
| phish_blocker_score || real || The score of the email according to Phish Blocker
|-
| phish_blocker_is_spam || boolean || The phish status of the email according to Phish Blocker
|-
| phish_blocker_tests_string || text || The test results for Phish Blocker
|-
| phish_blocker_action || character(1) || The action taken by Phish Blocker
|}


== mail_addrs ==
<section begin='mail_addrs' />

{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Type
!Description
|-
|time_stamp
|timestamp without time zone
|The time of the event
|-
|session_id
|bigint
|The session
|-
|client_intf
|smallint
|The client interface
|-
|server_intf
|smallint
|The server interface
|-
|c_client_addr
|inet
|The client-side client IP address
|-
|s_client_addr
|inet
|The server-side client IP address
|-
|c_server_addr
|inet
|The client-side server IP address
|-
|s_server_addr
|inet
|The server-side server IP address
|-
|c_client_port
|integer
|The client-side client port
|-
|s_client_port
|integer
|The server-side client port
|-
|c_server_port
|integer
|The client-side server port
|-
|s_server_port
|integer
|The server-side server port
|-
|policy_id
|bigint
|The policy
|-
|username
|text
|The username
|-
|msg_id
|bigint
|The message ID
|-
|subject
|text
|The email subject
|-
|addr
|text
|The address of this event
|-
|addr_name
|text
|The name for this address
|-
|addr_kind
|character(1)
|The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
|-
|hostname
|text
|The hostname
|-
|event_id
|bigint
|The unique event ID
|-
|sender
|text
|The address of the sender
|-
|virus_blocker_lite_clean
|boolean
|The cleanliness of the file according to Virus Blocker Lite
|-
|virus_blocker_lite_name
|text
|The name of the malware according to Virus Blocker Lite
|-
|virus_blocker_clean
|boolean
|The cleanliness of the file according to Virus Blocker
|-
|virus_blocker_name
|text
|The name of the malware according to Virus Blocker
|-
|spam_blocker_lite_score
|real
|The score of the email according to Spam Blocker Lite
|-
|spam_blocker_lite_is_spam
|boolean
|The spam status of the email according to Spam Blocker Lite
|-
|spam_blocker_lite_action
|character(1)
|The action taken by Spam Blocker Lite
|-
|spam_blocker_lite_tests_string
|text
|The test results for Spam Blocker Lite
|-
|spam_blocker_score
|real
|The score of the email according to Spam Blocker
|-
|spam_blocker_is_spam
|boolean
|The spam status of the email according to Spam Blocker
|-
|spam_blocker_action
|character(1)
|The action taken by Spam Blocker
|-
|spam_blocker_tests_string
|text
|The test results for Spam Blocker
|-
|phish_blocker_score
|real
|The score of the email according to Phish Blocker
|-
|phish_blocker_is_spam
|boolean
|The phish status of the email according to Phish Blocker
|-
|phish_blocker_tests_string
|text
|The test results for Phish Blocker
|-
|phish_blocker_action
|character(1)
|The action taken by Phish Blocker
|}
<section end='mail_addrs' />


== smtp_tarpit_events ==
<section begin='smtp_tarpit_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Type
!Description
|-
|time_stamp
|timestamp without time zone
|The time of the event
|-
|ipaddr
|inet
|The client IP address
|-
|hostname
|text
|The hostname
|-
|policy_id
|bigint
|The policy
|-
|vendor_name
|character varying(255)
|The "vendor name" of the app that logged the event
|-
|event_id
|bigint
|The unique event ID
|}
<section end='smtp_tarpit_events' />


== http_events ==
<section begin='http_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Type
!Description
|-
|request_id
|bigint
|The HTTP request ID
|-
|time_stamp
|timestamp without time zone
|The time of the event
|-
|session_id
|bigint
|The session
|-
|client_intf
|smallint
|The client interface
|-
|server_intf
|smallint
|The server interface
|-
|c_client_addr
|inet
|The client-side client IP address
|-
|s_client_addr
|inet
|The server-side client IP address
|-
|c_server_addr
|inet
|The client-side server IP address
|-
|s_server_addr
|inet
|The server-side server IP address
|-
|c_client_port
|integer
|The client-side client port
|-
|s_client_port
|integer
|The server-side client port
|-
|c_server_port
|integer
|The client-side server port
|-
|s_server_port
|integer
|The server-side server port
|-
|policy_id
|smallint
|The policy
|-
|username
|text
|The username
|-
|hostname
|text
|The hostname
|-
|method
|character(1)
|The HTTP method
|-
|uri
|text
|The HTTP URI
|-
|host
|text
|The HTTP host
|-
|domain
|text
|The HTTP domain (shortened host)
|-
|c2s_content_length
|bigint
|The client-to-server content length
|-
|s2c_content_length
|bigint
|The server-to-client content length
|-
|s2c_content_type
|text
|The server-to-client content type
|-
|ad_blocker_cookie_ident
|text
|The name of the cookie blocked by Ad Blocker
|-
|ad_blocker_action
|character(1)
|The action of Ad Blocker on this request
|-
|web_filter_lite_reason
|character(1)
|The reason Web Filter Lite blocked/flagged this request
|-
|web_filter_lite_category
|text
|The category according to Web Filter Lite
|-
|web_filter_lite_blocked
|boolean
|True if Web Filter Lite blocked this request
|-
|web_filter_lite_flagged
|boolean
|True if Web Filter Lite flagged this request
|-
|web_filter_reason
|character(1)
|The reason Web Filter blocked/flagged this request
|-
|web_filter_category
|text
|The category according to Web Filter
|-
|web_filter_blocked
|boolean
|True if Web Filter blocked this request
|-
|web_filter_flagged
|boolean
|True if Web Filter flagged this request
|-
|virus_blocker_lite_clean
|boolean
|The cleanliness of the file according to Virus Blocker Lite
|-
|virus_blocker_lite_name
|text
|The name of the malware according to Virus Blocker Lite
|-
|virus_blocker_clean
|boolean
|The cleanliness of the file according to Virus Blocker
|-
|virus_blocker_name
|text
|The name of the malware according to Virus Blocker
|-
|referer
|text
|The Referer URL
|}
<section end='http_events' />


== ftp_events ==
<section begin='ftp_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Type
!Description
|-
|event_id
|bigint
|The unique event ID
|-
|time_stamp
|timestamp without time zone
|The time of the event
|-
|session_id
|bigint
|The session
|-
|client_intf
|smallint
|The client interface
|-
|server_intf
|smallint
|The server interface
|-
|c_client_addr
|inet
|The client-side client IP address
|-
|s_client_addr
|inet
|The server-side client IP address
|-
|c_server_addr
|inet
|The client-side server IP address
|-
|s_server_addr
|inet
|The server-side server IP address
|-
|policy_id
|bigint
|The policy
|-
|username
|text
|The username
|-
|hostname
|text
|The hostname
|-
|request_id
|bigint
|The FTP request ID
|-
|method
|character(1)
|The FTP method
|-
|uri
|text
|The FTP URI
|-
|virus_blocker_lite_clean
|boolean
|The cleanliness of the file according to Virus Blocker Lite
|-
|virus_blocker_lite_name
|text
|The name of the malware according to Virus Blocker Lite
|-
|virus_blocker_clean
|boolean
|The cleanliness of the file according to Virus Blocker
|-
|virus_blocker_name
|text
|The name of the malware according to Virus Blocker
|}
<section end='ftp_events' />


== ipsec_user_events ==
<section begin='ipsec_user_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Type
!Description
|-
|event_id
|bigint
|The unique event ID
|-
|time_stamp
|timestamp without time zone
|The time of the event
|-
|connect_stamp
|timestamp without time zone
|The time the connection started
|-
|goodbye_stamp
|timestamp without time zone
|The time the connection ended
|-
|client_address
|text
|The remote IP address of the client
|-
|client_protocol
|text
|The protocol the client used to connect
|-
|client_username
|text
|The username of the client
|-
|net_process
|text
|The PID of the PPP process for L2TP connections or the connection ID for Xauth connections
|-
|net_interface
|text
|The PPP interface for L2TP connections or the client interface for Xauth connections
|-
|elapsed_time
|text
|The total time the client was connected
|-
|rx_bytes
|bigint
|The number of bytes received from the client in this connection
|-
|tx_bytes
|bigint
|The number of bytes sent to the client in this connection
|}
<section end='ipsec_user_events' />


== configuration_backup_events ==
<section begin='configuration_backup_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Type
!Description
|-
|time_stamp
|timestamp without time zone
|The time of the event
|-
|success
|boolean
|The result of the backup (true if the backup succeeded, false otherwise)
|-
|description
|text
|Text detail of the event
|-
|destination
|text
|The location of the backup
|-
|event_id
|bigint
|The unique event ID
|}
<section end='configuration_backup_events' />


== ipsec_tunnel_stats ==
<section begin='ipsec_tunnel_stats' />

{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Type
!Description
|-
|time_stamp
|timestamp without time zone
|The time of the event
|-
|tunnel_name
|text
|The name of the IPsec tunnel
|-
|in_bytes
|bigint
|The number of bytes received during this time frame
|-
|out_bytes
|bigint
|The number of bytes transmitted during this time frame
|-
|event_id
|bigint
|The unique event ID
|}
<section end='ipsec_tunnel_stats' />


== server_events ==
<section begin='server_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Type
!Description
|-
|time_stamp
|timestamp without time zone
|The time of the event
|-
|load_1
|numeric(6,2)
|The 1-minute CPU load
|-
|load_5
|numeric(6,2)
|The 5-minute CPU load
|-
|load_15
|numeric(6,2)
|The 15-minute CPU load
|-
|cpu_user
|numeric(6,3)
|The user CPU percent utilization
|-
|cpu_system
|numeric(6,3)
|The system CPU percent utilization
|-
|mem_total
|bigint
|The total bytes of memory
|-
|mem_free
|bigint
|The number of free bytes of memory
|-
|disk_total
|bigint
|The total disk size in bytes
|-
|disk_free
|bigint
|The free disk space in bytes
|-
|swap_total
|bigint
|The total swap size in bytes
|-
|swap_free
|bigint
|The free swap space in bytes
|-
|active_hosts
|integer
|The number of active hosts
|}
<section end='server_events' />


== captive_portal_user_events ==
<section begin='captive_portal_user_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Type
!Description
|-
|time_stamp
|timestamp without time zone
|The time of the event
|-
|policy_id
|bigint
|The policy
|-
|event_id
|bigint
|The unique event ID
|-
|login_name
|text
|The login username
|-
|event_info
|text
|The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
|-
|auth_type
|text
|The authorization type for this event
|-
|client_addr
|text
|The remote IP address of the client
|}
<section end='captive_portal_user_events' />


== directory_connector_login_events ==
<section begin='directory_connector_login_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Type
!Description
|-
|time_stamp
|timestamp without time zone
|The time of the event
|-
|login_name
|text
|The login name
|-
|domain
|text
|The AD domain
|-
|type
|text
|The type of event (I=Login, U=Update, O=Logout)
|-
|client_addr
|inet
|The client IP address
|}
<section end='directory_connector_login_events' />


== web_cache_stats ==
<section begin='web_cache_stats' />

{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Type
!Description
|-
|time_stamp
|timestamp without time zone
|The time of the event
|-
|hits
|bigint
|The number of cache hits during this time frame
|-
|misses
|bigint
|The number of cache misses during this time frame
|-
|bypasses
|bigint
|The number of cache user bypasses during this time frame
|-
|systems
|bigint
|The number of cache system bypasses during this time frame
|-
|hit_bytes
|bigint
|The number of bytes saved from cache hits
|-
|miss_bytes
|bigint
|The number of bytes not saved from cache misses
|-
|event_id
|bigint
|The unique event ID
|}
<section end='web_cache_stats' />


== http_query_events ==
<section begin='http_query_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Type
!Description
|-
|event_id
|bigint
|The unique event ID
|-
|time_stamp
|timestamp without time zone
|The time of the event
|-
|session_id
|bigint
|The session
|-
|client_intf
|smallint
|The client interface
|-
|server_intf
|smallint
|The server interface
|-
|c_client_addr
|inet
|The client-side client IP address
|-
|s_client_addr
|inet
|The server-side client IP address
|-
|c_server_addr
|inet
|The client-side server IP address
|-
|s_server_addr
|inet
|The server-side server IP address
|-
|c_client_port
|integer
|The client-side client port
|-
|s_client_port
|integer
|The server-side client port
|-
|c_server_port
|integer
|The client-side server port
|-
|s_server_port
|integer
|The server-side server port
|-
|policy_id
|bigint
|The policy
|-
|username
|text
|The username
|-
|hostname
|text
|The hostname
|-
|request_id
|bigint
|The HTTP request ID
|-
|method
|character(1)
|The HTTP method
|-
|uri
|text
|The HTTP URI
|-
|term
|text
|The search term
|-
|host
|text
|The HTTP host
|-
|c2s_content_length
|bigint
|The client-to-server content length
|-
|s2c_content_length
|bigint
|The server-to-client content length
|-
|s2c_content_type
|text
|The server-to-client content type
|}
<section end='http_query_events' />


== openvpn_stats ==
<section begin='openvpn_stats' />

{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Type
!Description
|-
|time_stamp
|timestamp without time zone
|The time of the event
|-
|start_time
|timestamp without time zone
|The time the OpenVPN session started
|-
|end_time
|timestamp without time zone
|The time the OpenVPN session ended
|-
|rx_bytes
|bigint
|The total bytes received from the client during this session
|-
|tx_bytes
|bigint
|The total bytes sent to the client during this session
|-
|remote_address
|inet
|The remote IP address of the client
|-
|pool_address
|inet
|The pool IP address of the client
|-
|remote_port
|integer
|The remote port of the client
|-
|client_name
|text
|The name of the client
|-
|event_id
|bigint
|The unique event ID
|}
<section end='openvpn_stats' />


== openvpn_events ==
<section begin='openvpn_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Type
!Description
|-
|time_stamp
|timestamp without time zone
|The time of the event
|-
|remote_address
|inet
|The remote IP address of the client
|-
|pool_address
|inet
|The pool IP address of the client
|-
|client_name
|text
|The name of the client
|-
|type
|text
|The type of the event (CONNECT/DISCONNECT)
|}
<section end='openvpn_events' />


== intrusion_prevention_events ==
<section begin='intrusion_prevention_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Type
!Description
|-
|time_stamp
|timestamp without time zone
|The time of the event
|-
|sig_id
|bigint
|The ID of the rule
|-
|gen_id
|bigint
|The grouping ID for the rule; gen_id + sig_id together specify the rule's unique identifier
|-
|class_id
|bigint
|The numeric ID for the classtype
|-
|source_addr
|inet
|The source IP address of the packet
|-
|source_port
|integer
|The source port of the packet (if applicable)
|-
|dest_addr
|inet
|The destination IP address of the packet
|-
|dest_port
|integer
|The destination port of the packet (if applicable)
|-
|protocol
|integer
|The protocol of the packet
|-
|blocked
|boolean
|True if the packet was blocked/dropped
|-
|category
|text
|The application-specific grouping
|-
|classtype
|text
|The generalized threat rule grouping (unrelated to gen_id)
|-
|msg
|text
|The "title" or "description" of the rule
|}
<section end='intrusion_prevention_events' />


== interface_stat_events ==
<section begin='interface_stat_events' />

{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Type
!Description
|-
|time_stamp
|timestamp without time zone
|The time of the event
|-
|interface_id
|integer
|The interface ID
|-
|rx_rate
|double precision
|The RX rate (bytes/s)
|-
|tx_rate
|double precision
|The TX rate (bytes/s)