Event Definitions

From UntangleWiki
Revision as of 20:57, 8 October 2015 by Lgraves (SystemStatEvent)

All event data is stored in the Global DB Schema in a relational database. As Untangle and applications process traffic, they create Event objects that add and modify content in the database. Each event has its own class/object with certain fields that modify the database in a certain way.

The list below shows the classes used in the event logging and the column fields available within each event. These can be used to add Alert Events or for other event handling within Untangle.

LoginEvent

Events in this class are created by Directory Connector and inserted to the directory_connector_login_events table.

Column Name Type Description
clientAddr inet The client IP address
loginName text The login name
domain text The AD domain
event text The type of event (I=Login,U=Update,O=Logout)


PrioritizeEvent

Events in this class are created by Bandwidth Control and updated to the sessions table.

Column Name Type Description
priority int The priority given to this session
ruleid integer The matching rule in Bandwidth Control


BoxBackupEvent

Events in this class are created by Configuration Backup and inserted to the configuration_backup_events table.

Column Name Type Description
success boolean The result of the backup (true if the backup succeeded, false otherwise)
detail text Text detail of the event


ClassDLogEvent

Events in this class are created by Application Control and inserted to the sessions table.

Column Name Type Description
application text The application according to Application Control
protochain text The protochain according to Application Control
detail text The text detail from the Application Control engine
confidence integer Application Control confidence of this session's identification
ruleid integer The matching rule in Application Control
flagged boolean True if Application Control flagged the session
blocked boolean True if Application Control blocked the session


FailDEvent

Events in this class are created by WAN Failover and inserted to the wan_failover_action_events table.

Column Name Type Description
action Action The action (CONNECTED/DISCONNECTED)
interfaceId integer The interface ID
name text The name of the interface
osName text The O/S name of the interface


FailDTestEvent

Events in this class are created by WAN Failover and inserted to the wan_failover_test_events table.

Column Name Type Description
interfaceId integer The interface ID
name text The name of the interface
osName text The O/S name of the interface
description text The description from the test rule
success boolean The result of the test (true if the test succeeded, false otherwise)


HttpsLogEvent

Events in this class are created by HTTPS Inspector and updated to the sessions table.

Column Name Type Description
ruleid integer The matching rule in HTTPS Inspector
status text The status/action of the SSL session (INSPECTED/IGNORED/BLOCKED/UNTRUSTED/ABANDONED)
detail text Additional text detail about the SSL connection (SNI, IP Address)


TunnelStatusEvent

Events in this class are created by IPsec VPN and inserted to the ipsec_tunnel_stats table.

Column Name Type Description
tunnelName text The name of the IPsec tunnel
inBytes bigint The number of bytes received during this time frame
outBytes bigint The number of bytes transmitted during this time frame


VirtualUserEvent

Events in this class are created by IPsec VPN and inserted to the ipsec_user_events table.

Column Name Type Description
clientAddress inet The remote IP address of the client
clientProtocol text The protocol the client used to connect
clientUsername text The username of the client
netInterface text The PPP interface for L2TP connections or the client interface for Xauth connections
netProcess text The PID of the PPP process for L2TP connections or the connection ID for Xauth connections
elapsedTime text The total time the client was connected
netRXbytes bigint The number of bytes received from the client in this connection
netTXbytes bigint The number of bytes sent to the client in this connection
eventId bigint The unique event ID


WebFilterQueryEvent

Events in this class are created by Web Filter and inserted to the http_query_events table.

Column Name Type Description
requestId bigint The HTTP request ID
method HttpMethod The HTTP method
term text The search term
requestUri URI The HTTP URI
host text The HTTP host
contentLength bigint The client-to-server content length


WebCacheEvent

Events in this class are created by Web Cache and inserted to the webcache_stats table.

Column Name Type Description
hitCount bigint The number of cache hits during this time frame
missCount bigint The number of cache misses during this time frame
bypassCount bigint The number of cache user bypasses during this time frame
systemCount bigint The number of cache system bypasses during this time frame
hitBytes bigint The number of bytes saved from cache hits
missBytes bigint The number of bytes not saved from cache misses


AdBlockerEvent

Events in this class are created by Ad Blocker and updated to the http_events table.

Column Name Type Description
requestId bigint The HTTP request ID
action Action The action of Ad Blocker on this request


CookieEvent

Events in this class are created by Ad Blocker and updated to the http_events table.

Column Name Type Description
requestId bigint The HTTP request ID
identification text The name of the cookie blocked by Ad Blocker


CaptureRuleEvent

Events in this class are created by Captive Portal and updated to the sessions table.

Column Name Type Description
ruleid integer The matching rule in Captive Portal
captured boolean True if Captive Portal captured the session


CaptureUserEvent

Events in this class are created by Captive Portal and updated to the capture_user_events table.

Column Name Type Description
clientAddr inet The remote IP address of the client
loginName text The login username
authenticationTypeValue text The authorization type for this event
eventValue text The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
policyId bigint The policy ID


FirewallEvent

Events in this class are created by the Firewall App and updated to the sessions table.

Column Name Type Description
ruleId bigint The matching rule in Firewall
blocked boolean True if Firewall blocked the session, false otherwise
flagged boolean True if Firewall flagged the session, false otherwise


HttpRequestEvent

Events in this class are created by http-casing and inserted to the http_events table.

Column Name Type Description
requestId bigint The HTTP request ID
method HttpMethod The HTTP method
requestUri URI The HTTP URI
host text The HTTP host
domain text The HTTP domain (shortened host)
contentLength bigint The client-to-server content length


HttpResponseEvent

Events in this class are created by http-casing and updated to the http_events table.

Column Name Type Description
contentType text The server-to-client content type
contentLength bigint The server-to-client content length


IdpsLogEvent

Events in this class are created by Intrusion Prevention and inserted to the intrusion_prevention_events table.

Column Name Type Description
signatureId bigint The ID of the rule
classificationId bigint The numeric ID for the classtype
ipSource inet The source IP address of the packet
ipDestination inet The destination IP address of the packet
sportltype integer The source port of the packet (if applicable)
dportlcode integer The destination port of the packet (if applicable)
protocol smallint The protocol of the packet
blocked smallint If the packet was blocked/dropped
msg text The "title" or "description" of the rule
classtype text The generalized threat rule grouping (unrelated to gen_id)
category text The application specific grouping


OpenVPNEvent

Events in this class are created by OpenVPN and inserted to the openvpn_events table.

Column Name Type Description
address inet The remote IP address of the client
poolAddress inet The pool IP address of the client
clientName text The name of the client
type EventType The type of the event (CONNECT/DISCONNECT)


OpenVPNStatusEvent

Events in this class are created by OpenVPN and inserted to the openvpn_stats table.

Column Name Type Description
address inet The remote IP address of the client
poolAddress inet The pool IP address of the client
port integer The remote port of the client
clientName text The name of the client
start timestamp Start of the session.
end timestamp End of the session.
bytesRxTotal bigint Total bytes received.
bytesTxTotal bigint Total bytes transmitted.
bytesRxDelta bigint Bytes received since last event.
bytesTxDelta bigint Bytes transmitted since last event.


ProtoFilterEvent

Events in this class are created by Application Control Lite and updated to the sessions table.

Column Name Type Description
protocol text The application protocol according to Application Control Lite
blocked boolean True if Application Control Lite blocked the session


AlertEvent

Events in this class are created by Captive Portal and inserted to the alerts table.

Column Name Type Description
description text The description from the alert rule.
summaryText text The summary text of the alert
json JSONObject The summary JSON representation of the event causing the alert


ShieldEvent

Events in this class are created by Shield and updated to the sessions table.

Column Name Type Description
blocked boolean True if the shield blocked the session, false otherwise


SmtpMessageAddressEvent

Events in this class are created by smtp-casing and updated to the mail_addrs table.

Column Name Type Description
messageId bigint The message ID
kind AddressKind The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
addr text The address of this event


SmtpMessageEvent

Events in this class are created by smtp-casing and updated to the mail_msgs table.

Column Name Type Description
subject text The email subject
messageId bigint The message ID


SpamLogEvent

Events in this class are created by Spam Blocker or Spam Blocker Lite and updated to the mail_msgs and mail_addrs schemas.

Column Name Type Description
messageId bigint The message ID
score float The score of the email according to Spam Blocker
isSpam boolean The spam status of the email according to Spam Blocker
action SpamMessageAction The action taken by Spam Blocker
vendorName text The "vendor name" of the app that logged the event


SpamSmtpTarpitEvent

Events in this class are created by Spam Blocker and inserted to the smtp_tarpit_events table.

Column Name Type Description
hostname text The hostname
ipAddr inet The client IP address
vendorName text The "vendor name" of the app that logged the event


HostTableEvent

Events in this class are created by the base system and inserted to the host_table_updates table.

Column Name Type Description
address inet The host IP address
key text DB column that has been updated
value text Value the DB column was updated to


SystemStatEvent

Events in this class are created by the base system and inserted to the server_events table.

Column Name Type Description
memTotal bigint The total bytes of memory
memFree bigint The number of free bytes of memory
memFreePercent float The amount of free memory by percent.
memCache bigint The number of bytes of memory used for disk cache
memBuffers bigint The number of bytes of memory used for buffers
load1 float The 1-minute CPU load
load5 float The 5-minute CPU load
load15 float The 15-minute CPU load
cpuUser float The user CPU percent utilization
cpuSystem float The system CPU percent utilization
diskTotal bigint The total disk size in bytes
diskFree bigint The free disk space in bytes
diskFreePercent float The free disk space by percent
swapFree bigint The free disk swap in bytes
swapTotal bigint The total swap size in bytes


PenaltyBoxEvent

Events in this class are created by Bandwidth Control and inserted or updated to the penaltybox table.

Column Name Type Description
address inet The IP address of the host
entryTime timestamp The time the client entered the penalty box
exitTime timestamp The time the client exited the penalty box
reason text The reason for the action


QuotaEvent

Events in this class are created by Bandwidth Control and inserted or updated to the quotas table.

Column Name Type Description
action integer The action (1=Quota Given, 2=Quota Exceeded)
address inet The IP address of the host
reason text The reason for the action
quotaSize bigint The size of the quota


SessionEvent

Events in this class are created by the base system and inserted to the sessions table.

Column Name Type Description
sessionId bigint The session
bypassed boolean True if the session was bypassed, false otherwise
protocol smallint The IP protocol of the session
clientIntf integer The client interface
serverIntf integer The server interface
cClientAddr inet The client-side client IP address
sClientAddr inet The server-side client IP address
cServerAddr inet The client-side server IP address
sServerAddr inet The server-side server IP address
cClientPort integer The client-side client port
sClientPort integer The server-side client port
cServerPort integer The client-side server port
sServerPort integer The server-side server port
username text The username
hostname text The hostname


SessionNatEvent

Events in this class are created by the base system and updated to the sessions table.

Column Name Type Description
serverIntf integer The server interface
sClientAddr inet The server-side client IP address
sServerAddr inet The server-side server IP address
sClientPort integer The server-side client port
sServerPort integer The server-side server port


SessionStatsEvent

Events in this class are created by the base system and updated to the sessions table.

Column Name Type Description
sessionId bigint The session
c2pBytes bigint The number of bytes the client sent to Untangle (client-to-pipeline)
p2sBytes bigint The number of bytes Untangle sent to server (pipeline-to-server)
s2pBytes bigint The number of bytes the server sent to Untangle (server-to-pipeline)
p2cBytes bigint The number of bytes Untangle sent to client (pipeline-to-client)


SettingsChangesEvent

Events in this class are created by the base system and updated to the settings_changes table.

Column Name Type Description
settings_file text The name of the file changed
username text The username logged in at the time of the change
hostname text The remote hostname of the username logged in at the time of the change


VirusFtpEvent

Events in this class are created by Virus Blocker or Virus Blocker Lite and updated to the ftp_events table.

Column Name Type Description
clean boolean The cleanliness of the file according to Virus Blocker
virusName text The name of the malware according to Virus Blocker
uri text The FTP URI


VirusHttpEvent

Events in this class are created by Virus Blocker or Virus Blocker Lite and updated to the http_events table.

Column Name Type Description
requestId bigint The HTTP request ID
clean boolean The cleanliness of the file according to Virus Blocker
virusName text The name of the malware according to Virus Blocker


VirusSmtpEvent

Events in this class are created by Virus Blocker or Virus Blocker Lite and updated to the mail_msgs table.

Column Name Type Description
messageId bigint The message ID
clean boolean The cleanliness of the file according to Virus Blocker
virusName text The name of the malware according to Virus Blocker
action text The action taken by Virus Blocker


WebFilterEvent

Events in this class are created by Web Filter or Web Filter Lite and updated to the http_events table.

Column Name Type Description
blocked boolean If Web Filter blocked this request
flagged boolean If Web Filter flagged this request
reason Reason The reason Web Filter blocked/flagged this request
category text The category according to Web Filter