Event Definitions
All event data is stored in the Global DB Schema in a relational database. As Untangle and applications process traffic they create Event objects that add and modify content in the database. Each event has it's own class/object with certain fields that modify the database in a certain way.
The list below shows the classes used in the event logging and the column fields available within each event. These can be used to add Alert Events or for other event handling within Untangle.
Contents
- 1 LoginEvent
- 2 PrioritizeEvent
- 3 BoxBackupEvent
- 4 ClassDLogEvent
- 5 FailDEvent
- 6 FailDTestEvent
- 7 HttpsLogEvent
- 8 TunnelStatusEvent
- 9 VirtualUserEvent
- 10 WebFilterQueryEvent
- 11 WebCacheEvent
- 12 AdBlockerEvent
- 13 CookieEvent
- 14 CaptureRuleEvent
- 15 CaptureUserEvent
- 16 FirewallEvent
- 17 HttpRequestEvent
- 18 HttpResponseEvent
- 19 IdpsLogEvent
- 20 OpenVPNEvent
- 21 OpenVPNStatusEvent
- 22 ProtoFilterEvent
- 23 AlertEvent
- 24 ShieldEvent
- 25 SmtpMessageAddressEvent
- 26 SmtpMessageEvent
- 27 SpamLogEvent
- 28 SpamSmtpTarpitEvent
- 29 HostTableEvent
- 30 SystemStatEvent
- 31 PenaltyBoxEvent
- 32 QuotaEvent
- 33 SessionEvent
- 34 SessionNatEvent
- 35 SessionStatsEvent
- 36 SettingsChangesEvent
- 37 VirusFtpEvent
- 38 VirusHttpEvent
- 39 VirusSmtpEvent
- 40 WebFilterEvent
LoginEvent
Events in this class are created by Directory Connector and inserted to the directory_connector_login_events table.
| Column Name | Type | Description |
|---|---|---|
| clientAddr | inet | The client IP address |
| loginName | text | The login name |
| domain | text | The AD domain |
| event | text | The type of event (I=Login,U=Update,O=Logout) |
PrioritizeEvent
Events in this class are created by Bandwidth Control and updated to the sessions table.
| Column Name | Type | Description |
|---|---|---|
| priority | int | The priority given to this session |
| ruleid | integer | The matching rule in Bandwidth Control rule |
BoxBackupEvent
Events in this class are created by Configuration Backup and inserted to the configuration_backup_events table.
| Column Name | Type | Description |
|---|---|---|
| success | boolean | The result of the backup (true if the backup succeeded, false otherwise) |
| detail | text | Text detail of the event |
ClassDLogEvent
Events in this class are created by Application Control and inserted to the sessions table.
| Column Name | Type | Description |
|---|---|---|
| application | text | The application according to Application Control |
| protochain | text | The protochain according to Application Control |
| detail | text | The text detail from the Application Control engine |
| confidence | integer | Application Control confidence of this session's identification |
| ruleid | integer | The matching rule in Application Control |
| flagged | boolean | True if Application Control flagged the session |
| blocked | boolean | True if Application Control blocked the session |
FailDEvent
Events in this class are created by WAN Failover and inserted to the wan_failover_action_events table.
| Column Name | Type | Description |
|---|---|---|
| action | Action | The action (CONNECTED/DISCONNECTED) |
| interfaceId | integer | The interface ID |
| name | text | This name of the interface |
| osName | text | The O/S name of the interface |
FailDTestEvent
Events in this class are created by WAN Failover and inserted to the wan_failover_test_events table.
| Column Name | Type | Description |
|---|---|---|
| interfaceId | integer | The interface ID |
| name | text | The name of the interface |
| osName | text | The O/S name of the interface |
| description | text | The description from the test rule |
| success | boolean | The result of the test (true if the test succeeded, false otherwise) |
HttpsLogEvent
Events in this class are created by HTTPS Inspector and updated to the sessions table.
| Column Name | Type | Description |
|---|---|---|
| ruleid | integer | The matching rule in HTTPS Inspector rule |
| status | text | The status/action of the SSL session (INSPECTED/IGNORED/BLOCKED/UNTRUSTED/ABANDONED) |
| detail | text | Additional text detail about the SSL connection (SNI, IP Address) |
TunnelStatusEvent
Events in this class are created by IPsec VPN and inserted to the ipsec_tunnel_stats table.
| Column Name | Type | Description |
|---|---|---|
| tunnelName | text | The name of the IPsec tunnel |
| inBytes | bigint | The number of bytes received during this time frame |
| outBytes | bigint | The number of bytes transmitted during this time frame |
VirtualUserEvent
Events in this class are created by IPsec VPN and inserted to the ipsec_user_events table.
| Column Name | Type | Description |
|---|---|---|
| clientAddress | inet | The remote IP address of the client |
| clientProtocol | text | The protocol the client used to connect |
| clientUsername | text | The username of the client |
| netInterface | text | The PPP interface for L2TP connections or the client interface for Xauth connections |
| netProcess | text | The PID of the PPP process for L2TP connections or the connection ID for Xauth connections |
| elapsedTime | text | The total time the client was connected |
| netRXbytes | bigint | The number of bytes received from the client in this connection |
| netTXbytes | bigint | The number of bytes sent to the client in this connection |
| eventId | bigint | The unique event ID |
WebFilterQueryEvent
Events in this class are created by Web Filter and inserted to the http_query_events table.
| Column Name | Type | Description |
|---|---|---|
| requestId | bigint | The HTTP request ID |
| method | HttpMethod | The HTTP method |
| term | text | The search term |
| requestUri | URI | The HTTP URI |
| host | text | The HTTP host |
| contentLength | bigint | The client-to-server content length |
WebCacheEvent
Events in this class are created by Web Cache and inserted to the webcache_stats table.
| Column Name | Type | Description |
|---|---|---|
| hitCount | bigint | The number of cache hits during this time frame |
| missCount | bigint | The number of cache misses during this time frame |
| bypassCount | bigint | The number of cache user bypasses during this time frame |
| systemCount | bigint | The number of cache system bypasses during this time frame |
| hitBytes | bigint | The number of bytes saved from cache hits |
| missBytes | bigint | The number of bytes not saved from cache misses |
AdBlockerEvent
Events in this class are created by Ad Blocker and updated to the Global_DB_schema#http_events table.
| Column Name | Type | Description |
|---|---|---|
| requestId | bigint | The HTTP request ID |
| action | Action | This action of Ad Blocker on this request |
CookieEvent
Events in this class are created by Ad Blocker and updated to the Global_DB_schema#http_events table.
| Column Name | Type | Description |
|---|---|---|
| requestId | bigint | The HTTP request ID |
| identification | text | This name of cookie blocked by Ad Blocker |
CaptureRuleEvent
Events in this class are created by Captive Portal and updated to the sessions table.
| Column Name | Type | Description |
|---|---|---|
| ruleid | integer | The matching rule in Captive Portal |
| captured | boolean | True if Captive Portal captured the session |
CaptureUserEvent
Events in this class are created by Captive Portal and updated to the capture_user_events table.
| Column Name | Type | Description |
|---|---|---|
| clientAddr | inet | The remote IP address of the client |
| loginName | text | The login username |
| authenticationTypeValue | text | The authorization type for this event |
| eventValue | text | The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT) |
| policyId | bigint | The policy ID |
FirewallEvent
Events in this class are created by the Firewall App and updated to the sessions table.
| Column Name | Type | Description |
|---|---|---|
| ruleId | bigint | The matching rule in Firewall |
| blocked | boolean | True if Firewall blocked the session, false otherwise |
| flagged | boolean | True if Firewall flagged the session, false otherwise |
HttpRequestEvent
Events in this class are created by http-casing and inserted to the http_events table.
| Column Name | Type | Description |
|---|---|---|
| requestId | bigint | The HTTP request ID |
| method | HttpMethod | The HTTP method |
| requestUri | URI | The HTTP URI |
| host | text | The HTTP host |
| domain | text | The HTTP domain (shortened host) |
| contentLength | bigint | The client-to-server content length |
HttpResponseEvent
Events in this class are created by http-casing and updated to the http_events table.
| Column Name | Type | Description |
|---|---|---|
| contentType | text | The server-to-client content type |
| contentLength | bigint | The server-to-client content length |
IdpsLogEvent
Events in this class are created by Intrusion Prevention and inserted to the intrusion_prevention_events table.
| Column Name | Type | Description |
|---|---|---|
| signatureId | bigint | This ID of the rule |
| classificationId | bigint | The numeric ID for the classtype |
| ipSource | inet | The source IP address of the packet |
| ipDestination | inet | The destination IP address of the packet |
| sportltype | integer | The source port of the packet (if applicable) |
| dportlcode | integer | The destination port of the packet (if applicable) |
| protocol | smallint | The protocol of the packet |
| blocked | smallint | If the packet was blocked/dropped |
| msg | text | The "title" or "description" of the rule |
| classtype | text | The generalized threat rule grouping (unrelated to gen_id) |
| category | text | The application specific grouping |
OpenVPNEvent
Events in this class are created by OpenVPN and inserted to the openvpn_events table.
| Column Name | Type | Description |
|---|---|---|
| address | inet | The remote IP address of the client |
| poolAddress | inet | The pool IP address of the client |
| clientName | text | The name of the client |
| type | EventType | The type of the event (CONNECT/DISCONNECT) |
OpenVPNStatusEvent
Events in this class are created by OpenVPN and inserted to the openvpn_stats table.
| Column Name | Type | Description |
|---|---|---|
| address | inet | The remote IP address of the client |
| poolAddress | inet | The pool IP address of the client |
| port | integer | The remote port of the client |
| clientName | text | The name of the client |
| start | timestamp | Start of the session. |
| end | timestamp | End of the session. |
| bytesRxTotal | bigint | Total bytes received. |
| bytesTxTotal | bigint | Total bytes transmitted. |
| bytesRxDelta | bigint | Bytes received since last event. |
| bytesTxDelta | bigint | Bytes transmitted since last event. |
ProtoFilterEvent
Events in this class are created by Application Control Lite and updated to the sessions table.
| Column Name | Type | Description |
|---|---|---|
| protocol | text | The application protocol according to Application Control Lite |
| blocked | boolean | True if Application Control Lite blocked the session |
AlertEvent
Events in this class are created by Captive Portal and inserted to the alerts table.
| Column Name | Type | Description |
|---|---|---|
| description | text | The description from the alert rule. |
| summaryText | text | The summary text of the alert |
| json | JSONObject | The summary JSON representation of the event causing the alert |
ShieldEvent
Events in this class are created by Shield and updated to the sessions table.
| Column Name | Type | Description |
|---|---|---|
| blocked | boolean | True if the shield blocked the session, false otherwise |
SmtpMessageAddressEvent
Events in this class are created by smtp-casing and updated to the mail_addrs table.
| Column Name | Type | Description |
|---|---|---|
| messageId | bigint | The message ID |
| kind | AddressKind | The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown) |
| addr | text | The address of this event |
SmtpMessageEvent
Events in this class are created by smtp-casing and updated to the mail_msgs table.
| Column Name | Type | Description |
|---|---|---|
| subject | text | The email subject |
| messageId | bigint | The message ID |
SpamLogEvent
Events in this class are created by Spam Blocker or Spam Blocker Lite and updated to the mail_msgs and mail_addrs schemas.
| Column Name | Type | Description |
|---|---|---|
| messageId | bigint | The message ID |
| score | float | The score of the email according to Spam Blocker |
| isSpam | boolean | The spam status of the email according to Spam Blocker |
| action | SpamMessageAction | The action taken by Spam Blocker |
| vendorName | text | The "vendor name" of the app that logged the event |
SpamSmtpTarpitEvent
Events in this class are created by Spam Blocker and inserted to the smtp_tarpit_events table.
| Column Name | Type | Description |
|---|---|---|
| hostname | text | The hostname |
| ipAddr | inet | The client IP address |
| vendorName | text | The "vendor name" of the app that logged the event |
HostTableEvent
Events in this class are created by the base system and inserted to the host_table_updates table.
| Column Name | Type | Description |
|---|---|---|
| address | inet | The host IP address |
| key | text | DB column that has been updated |
| value | text | Value the DB column was updated to |
SystemStatEvent
Events in this class are created by the base system and inserted to the server_events table.
| Column Name | Type | Description |
|---|---|---|
| memTotal | bigint | The total bytes of memory |
| memFree | bigint | The number of free bytes of memory |
| memFreePercent | float | The amount of free memory by percent. |
| memCache | bigint | The number of bytes of memory used for disk cache |
| memBuffers | bigint | The number of bytes of memory used for buffers |
| load1 | float | The 1-minute CPU load |
| load5 | float | The 5-minute CPU load |
| load15 | float | The 15-minute CPU load |
| cpuUser | float | The user CPU percent utilization |
| cpuSystem | float | The system CPU percent utilization |
| diskTotal | bigint | The total disk size in bytes |
| diskFree | bigint | The free disk space in bytes |
| diskFreePercent | float | The free disk space by percent |
| swapFree | bigint | The free disk swap in bytes |
| swapTotal | bigint | The total swap size in bytes |
PenaltyBoxEvent
Events in this class are created by the Bandwidth Control and inserted or updated to the penaltybox table.
| Column Name | Type | Description |
|---|---|---|
| address | inet | The IP address of the host |
| entryTime | timestamp | The time the client entered the penalty box |
| exitTime | timestamp | The time the client exited the penalty box |
| reason | text | The reason for the action |
QuotaEvent
Events in this class are created by the Bandwidth Control and inserted or updated to the quotas table.
| Column Name | Type | Description |
|---|---|---|
| action | integer | The action (1=Quota Given, 2=Quota Exceeded) |
| address | inet | The IP address of the host |
| reason | text | The reason for the action |
| quotaSize | bigint | The size of the quota |
SessionEvent
Events in this class are created by the base system and inserted to the sessions table.
| Column Name | Type | Description |
|---|---|---|
| sessionId | bigint | The session |
| bypassed | boolean | True if the session was bypassed, false otherwise |
| protocol | smallint | The IP protocol of session |
| clientIntf | integer | The client interface |
| serverIntf | integer | The server interface |
| cClientAddr | inet | The client-side client IP address |
| sClientAddr | inet | The server-side client IP address |
| cServerAddr | inet | The client-side server IP address |
| sServerAddr | inet | The server-side server IP address |
| cClientPort | integer | The client-side client port |
| sClientPort | integer | The server-side client port |
| cServerPort | integer | The client-side server port |
| sServerPort | integer | The server-side server port |
| username | text | The username |
| hostname | text | The hostname |
SessionNatEvent
Events in this class are created by the base system and updated to the sessions table.
| Column Name | Type | Description |
|---|---|---|
| serverIntf | integer | The server interface |
| sClientAddr | inet | The server-side client IP address |
| sServerAddr | inet | The server-side server IP address |
| sClientPort | integer | The server-side client port |
| sServerPort | integer | The server-side server port |
SessionStatsEvent
Events in this class are created by the base system and updated to the sessions table.
| Column Name | Type | Description |
|---|---|---|
| sessionId | bigint | The session |
| c2pBytes | bigint | The number of bytes the client sent to Untangle (client-to-pipeline) |
| p2sBytes | bigint | The number of bytes Untangle sent to server (pipeline-to-client) |
| s2pBytes | bigint | The number of bytes the server sent to Untangle (client-to-pipeline) |
| p2cBytes | bigint | The number of bytes Untangle sent to client (pipeline-to-client) |
SettingsChangesEvent
Events in this class are created by the base system and updated to the settings_changes table.
| Column Name | Type | Description |
|---|---|---|
| settings_file | text | The name of the file changed |
| username | text | The username logged in at the time of the change |
| hostname | text | The remote hostname of the username logged in at the time of the change |
VirusFtpEvent
Events in this class are created by Virus Blocker or Virus Blocker Lite and updated to the ftp_events table.
| Column Name | Type | Description |
|---|---|---|
| clean | boolean | The cleanliness of the file according to Virus Blocker |
| virusName | text | The name of the malware according to Virus Blocker |
| uri | text | The FTP URI |
VirusHttpEvent
Events in this class are created by Virus Blocker or Virus Blocker Lite and updated to the http_events table.
| Column Name | Type | Description |
|---|---|---|
| requestId | bigint | The HTTP request ID |
| clean | boolean | The cleanliness of the file according to Virus Blocker |
| virusName | text | The name of the malware according to Virus Blocker |
VirusSmtpEvent
Events in this class are created by Virus Blocker or Virus Blocker Lite and updated to the mail_msgs table.
| Column Name | Type | Description |
|---|---|---|
| messageId | bigint | The message ID |
| clean | boolean | The cleanliness of the file according to Virus Blocker |
| virusName | text | The name of the malware according to Virus Blocker |
| action | text | The action taken by Virus Blocker |
WebFilterEvent
Events in this class are created by Web Filter or Web Filter Lite and updated to the http_events table.
| Column Name | Type | Description |
|---|---|---|
| blocked | boolean | If Web Filter blocked this request |
| flagged | boolean | If Web Filter flagged this request |
| reason | Reason | The reason Web Filter blocked/flagged this request |
| category | text | The category according to Web Filter |
