Event Definitions: Difference between revisions

From Edge Threat Management Wiki - Arista
Jump to navigationJump to search
No edit summary
No edit summary
 
(One intermediate revision by the same user not shown)
Line 153: Line 153:




== SpamLogEvent ==
== PrioritizeEvent ==
<section begin='SpamLogEvent' />
<section begin='PrioritizeEvent' />


These events are created by [[Spam Blocker]] and update the [[Database_Schema#mail_msgs|mail_msgs]] table when an email is scanned.
These events are created by the [[Bandwidth Control]] and update the [[Database_Schema#sessions|session]] table when a session is prioritized.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 162: Line 162:
! Type
! Type
! Description
! Description
getAction
|-
|action
|SpamMessageAction
|The action
getClass
getClass
|-
|-
Line 172: Line 167:
|Class
|Class
|The class name
|The class name
getClientAddr
getPartitionTablePostfix
getPriority
|-
|-
|clientAddr
|priority
|InetAddress
|int
|The client address
|The priority
getClientPort
getRuleId
|-
|-
|clientPort
|ruleId
|int
|int
|The client port
|The rule ID
getMessageId
getSessionEvent
|-
|-
|messageId
|sessionEvent
|Long
|SessionEvent
|The message ID
|The session event
getPartitionTablePostfix
getTag
getReceiver
getTimeStamp
|-
|-
|receiver
|timeStamp
|Timestamp
|The timestamp
|}
<section end='PrioritizeEvent' />
 
 
== VirusFtpEvent ==
<section begin='VirusFtpEvent' />
 
These events are created by [[Virus Blocker]] and update the [[Database_Schema#ftp_events|ftp_events]] table when Virus Blocker scans an FTP transfer.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getAppName
|-
|appName
|String
|String
|The receiver
|The name of the application
getScore
getClass
|-
|-
|score
|class
|float
|Class
|The score
|The class name
getSender
getClean
|-
|-
|sender
|clean
|String
|The sender
getServerAddr
|-
|serverAddr
|InetAddress
|The server address
getServerPort
|-
|serverPort
|int
|The server port
getSmtpMessageEvent
|-
|smtpMessageEvent
|SmtpMessageEvent
|The parent SMTP message event
isSpam
|-
|isSpam
|boolean
|boolean
|True if spam, false otherwise
|True if clean, false otherwise
getSubject
getPartitionTablePostfix
getSessionEvent
|-
|-
|subject
|sessionEvent
|String
|SessionEvent
|The subject
|The session event
getTag
getTag
getTestsString
|-
|testsString
|String
|The tests string from the spam engine
getTimeStamp
getTimeStamp
|-
|-
Line 239: Line 229:
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getVendorName
getUri
|-
|-
|vendorName
|uri
|String
|String
|The application name
|The URI
getVirusName
|-
|virusName
|String
|The virus name, if not clean
|}
|}
<section end='SpamLogEvent' />
<section end='VirusFtpEvent' />




== SpamSmtpTarpitEvent ==
== VirusHttpEvent ==
<section begin='SpamSmtpTarpitEvent' />
<section begin='VirusHttpEvent' />


These events are created by [[Spam Blocker]] and inserted to the [[Database_Schema#smtp_tarpit_events|smtp_tarpit_events]] table when a session is tarpitted.
These events are created by [[Virus Blocker]] and update the [[Database_Schema#http_events|http_events]] table when Virus Blocker scans an HTTP transfer.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 257: Line 252:
! Type
! Type
! Description
! Description
getIPAddr
getAppName
|-
|-
|IPAddr
|appName
|InetAddress
|String
|The IP address
|The name of the application
getClass
getClass
|-
|-
Line 267: Line 262:
|Class
|Class
|The class name
|The class name
getHostname
getClean
|-
|-
|hostname
|clean
|String
|boolean
|The hostname
|True if clean, false otherwise
getPartitionTablePostfix
getPartitionTablePostfix
getRequestLine
|-
|requestLine
|RequestLine
|The request line
getSessionEvent
getSessionEvent
|-
|-
Line 278: Line 278:
|SessionEvent
|SessionEvent
|The session event
|The session event
getSessionId
getTag
getTimeStamp
|-
|-
|sessionId
|timeStamp
|Long
|The session ID
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getVendorName
getVirusName
|-
|-
|vendorName
|virusName
|String
|String
|The application name
|The virus name, if not clean
|}
|}
<section end='SpamSmtpTarpitEvent' />
<section end='VirusHttpEvent' />




== OpenVpnStatusEvent ==
== VirusSmtpEvent ==
<section begin='OpenVpnStatusEvent' />
<section begin='VirusSmtpEvent' />


These events are created by [[OpenVPN]] and update the [[Database_Schema#openvpn_stats|openvpn_stats]] table periodically.
These events are created by [[Virus Blocker]] and update the [[Database_Schema#mail_msgs|mail_msgs]] table when Virus Blocker scans an email.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 307: Line 302:
! Type
! Type
! Description
! Description
getAddress
getAction
|-
|-
|address
|action
|InetAddress
|String
|The address
|The action
getBytesRxDelta
getAppName
|-
|-
|bytesRxDelta
|appName
|long
|String
|The delta number of RX (received) bytes from the previous event
|The name of the application
getBytesRxTotal
getClass
|-
|bytesRxTotal
|long
|The total number of RX (received) bytes
getBytesTxDelta
|-
|bytesTxDelta
|long
|The delta number of TX (transmitted) bytes from the previous event
getBytesTxTotal
|-
|bytesTxTotal
|long
|The total number of TX (transmitted) bytes
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getClientName
getClean
|-
|-
|clientName
|clean
|String
|boolean
|The client name
|True if clean, false otherwise
getEnd
getMessageId
|-
|-
|end
|messageId
|Timestamp
|Long
|The end
|The message ID
getPartitionTablePostfix
getPartitionTablePostfix
getPoolAddress
getTag
getTimeStamp
|-
|-
|poolAddress
|timeStamp
|InetAddress
|Timestamp
|The pool address
|The timestamp
getPort
getVirusName
|-
|-
|port
|virusName
|int
|String
|The port
|The virus name, if not clean
getStart
|-
|start
|Timestamp
|The start
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
|}
<section end='OpenVpnStatusEvent' />
<section end='VirusSmtpEvent' />




== OpenVpnEvent ==
== FirewallEvent ==
<section begin='OpenVpnEvent' />
<section begin='FirewallEvent' />


These events are created by [[OpenVPN]] and update the [[Database_Schema#openvpn_events|openvpn_events]] table when OpenVPN processes a client action.
These events are created by [[Firewall]] and update the [[Database_Schema#sessions|sessions]] table when a firewall rule matches a session.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 382: Line 352:
! Type
! Type
! Description
! Description
getAddress
getBlocked
|-
|-
|address
|blocked
|InetAddress
|boolean
|The address
|True if blocked, false otherwise
getClass
getClass
|-
|-
Line 392: Line 362:
|Class
|Class
|The class name
|The class name
getClientName
getFlagged
|-
|-
|clientName
|flagged
|String
|boolean
|The client name
|True if flagged, false otherwise
getPartitionTablePostfix
getPartitionTablePostfix
getPoolAddress
getRuleId
|-
|ruleId
|long
|The rule ID
getSessionId
|-
|-
|poolAddress
|sessionId
|InetAddress
|Long
|The pool address
|The session ID
getTag
getTag
getTimeStamp
getTimeStamp
Line 409: Line 384:
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getType
|-
|type
|OpenVpnEvent$EventType
|The type
|}
|}
<section end='OpenVpnEvent' />
<section end='FirewallEvent' />




== ApplicationControlLiteEvent ==
== OpenVpnStatusEvent ==
<section begin='ApplicationControlLiteEvent' />
<section begin='OpenVpnStatusEvent' />


These events are created by [[Application Control Lite]] and update the [[Database_Schema#sessions|sessions]] table when application control lite identifies a session.
These events are created by [[OpenVPN]] and update the [[Database_Schema#openvpn_stats|openvpn_stats]] table periodically.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 427: Line 397:
! Type
! Type
! Description
! Description
getBlocked
getAddress
|-
|-
|blocked
|address
|boolean
|InetAddress
|True if blocked, false otherwise
|The address
getBytesRxDelta
|-
|bytesRxDelta
|long
|The delta number of RX (received) bytes from the previous event
getBytesRxTotal
|-
|bytesRxTotal
|long
|The total number of RX (received) bytes
getBytesTxDelta
|-
|bytesTxDelta
|long
|The delta number of TX (transmitted) bytes from the previous event
getBytesTxTotal
|-
|bytesTxTotal
|long
|The total number of TX (transmitted) bytes
getClass
getClass
|-
|-
Line 437: Line 427:
|Class
|Class
|The class name
|The class name
getPartitionTablePostfix
getClientName
getProtocol
|-
|-
|protocol
|clientName
|String
|String
|The protocol
|The client name
getSessionId
getEnd
|-
|-
|sessionId
|end
|Long
|Timestamp
|The session ID
|The end
getPartitionTablePostfix
getPoolAddress
|-
|poolAddress
|InetAddress
|The pool address
getPort
|-
|port
|int
|The port
getStart
|-
|start
|Timestamp
|The start
getTag
getTag
getTimeStamp
getTimeStamp
Line 455: Line 460:
|The timestamp
|The timestamp
|}
|}
<section end='ApplicationControlLiteEvent' />
<section end='OpenVpnStatusEvent' />




== FirewallEvent ==
== OpenVpnEvent ==
<section begin='FirewallEvent' />
<section begin='OpenVpnEvent' />


These events are created by [[Firewall]] and update the [[Database_Schema#sessions|sessions]] table when a firewall rule matches a session.
These events are created by [[OpenVPN]] and update the [[Database_Schema#openvpn_events|openvpn_events]] table when OpenVPN processes a client action.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 467: Line 472:
! Type
! Type
! Description
! Description
getBlocked
getAddress
|-
|-
|blocked
|address
|boolean
|InetAddress
|True if blocked, false otherwise
|The address
getClass
getClass
|-
|-
Line 477: Line 482:
|Class
|Class
|The class name
|The class name
getFlagged
getClientName
|-
|-
|flagged
|clientName
|boolean
|String
|True if flagged, false otherwise
|The client name
getPartitionTablePostfix
getPartitionTablePostfix
getRuleId
getPoolAddress
|-
|-
|ruleId
|poolAddress
|long
|InetAddress
|The rule ID
|The pool address
getSessionId
|-
|sessionId
|Long
|The session ID
getTag
getTag
getTimeStamp
getTimeStamp
Line 499: Line 499:
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getType
|-
|type
|OpenVpnEvent$EventType
|The type
|}
|}
<section end='FirewallEvent' />
<section end='OpenVpnEvent' />




== PrioritizeEvent ==
== AdminLoginEvent ==
<section begin='PrioritizeEvent' />
<section begin='AdminLoginEvent' />


These events are created by the [[Bandwidth Control]] and update the [[Database_Schema#sessions|session]] table when a session is prioritized.
These events are created by the base system and inserted to the [[Database_Schema#user_table_updates|admin_logins]] table when an administrator login is attempted or successful.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 517: Line 522:
|Class
|Class
|The class name
|The class name
getPartitionTablePostfix
getClientAddress
getPriority
|-
|-
|priority
|clientAddress
|int
|InetAddress
|The priority
|The client address
getRuleId
getLocal
|-
|local
|boolean
|1 if login is done via local console, 0 otherwise
getLogin
|-
|login
|String
|The login username
getPartitionTablePostfix
getReason
|-
|-
|ruleId
|reason
|int
|String
|The rule ID
|The reason
getSessionEvent
getSucceeded
|-
|-
|sessionEvent
|succeeded
|SessionEvent
|boolean
|The session event
|1 if successful, 0 otherwise
getTag
getTag
getTimeStamp
getTimeStamp
Line 540: Line 555:
|The timestamp
|The timestamp
|}
|}
<section end='PrioritizeEvent' />
<section end='AdminLoginEvent' />




== AdBlockerEvent ==
== AlertEvent ==
<section begin='AdBlockerEvent' />
<section begin='AlertEvent' />


These events are created by [[Ad Blocker]] and update the [[Database_Schema#http_events|http_events]] table when an ad is blocked.
These events are created by [[Reports]] and inserted to the [[Database_Schema#alerts|alerts]] table when an alert fires.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 552: Line 567:
! Type
! Type
! Description
! Description
getAction
getCausalRule
|-
|-
|action
|causalRule
|Action
|EventRule
|The action
|The causal rule
getCause
|-
|cause
|LogEvent
|The cause
getClass
getClass
|-
|-
Line 562: Line 582:
|Class
|Class
|The class name
|The class name
getDescription
|-
|description
|String
|The description
getEventSent
|-
|eventSent
|Boolean
|True if the event was sent, false otherwise
getJson
|-
|json
|String
|The JSON string
getPartitionTablePostfix
getPartitionTablePostfix
getReason
getSummaryText
|-
|-
|reason
|summaryText
|String
|String
|The reason
|The summary text
getRequestId
|-
|requestId
|Long
|The request ID
getTag
getTag
getTimeStamp
getTimeStamp
Line 580: Line 610:
|The timestamp
|The timestamp
|}
|}
<section end='AdBlockerEvent' />
<section end='AlertEvent' />




== CookieEvent ==
== InterfaceStatEvent ==
<section begin='CookieEvent' />
<section begin='InterfaceStatEvent' />


These events are created by [[Ad Blocker]] and update the [[Database_Schema#http_events|http_events]] table when a cookie is blocked.
These events are created by the base system and inserted to the [[Database_Schema#settings_changes|interface_stat_events]] table periodically with interface stats.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 597: Line 627:
|Class
|Class
|The class name
|The class name
getIdentification
getInterfaceId
|-
|-
|identification
|interfaceId
|String
|int
|The identification string
|The interface ID
getPartitionTablePostfix
getPartitionTablePostfix
getRequestId
getRxBytes
|-
|-
|requestId
|rxBytes
|Long
|double
|The request ID
|The total of received bytes
getSessionEvent
getRxRate
|-
|-
|sessionEvent
|rxRate
|SessionEvent
|double
|The session event
|The RX rate in byte/s
getTag
getTag
getTimeStamp
getTimeStamp
Line 619: Line 649:
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|}
getTxBytes
<section end='CookieEvent' />
|-
 
|txBytes
 
|double
== VirusFtpEvent ==
|The total of transmitted bytes
<section begin='VirusFtpEvent' />
getTxRate
|-
|txRate
|double
|The TX rate in byte/s
|}
<section end='InterfaceStatEvent' />
 
 
== LogEvent ==
<section begin='LogEvent' />


These events are created by [[Virus Blocker]] and update the [[Database_Schema#ftp_events|ftp_events]] table when Virus Blocker scans an FTP transfer.
These base class for all events.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 632: Line 672:
! Type
! Type
! Description
! Description
getAppName
|-
|appName
|String
|The name of the application
getClass
getClass
|-
|-
Line 642: Line 677:
|Class
|Class
|The class name
|The class name
getClean
|-
|clean
|boolean
|True if clean, false otherwise
getPartitionTablePostfix
getPartitionTablePostfix
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getTag
getTag
getTimeStamp
getTimeStamp
Line 659: Line 684:
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getUri
|}
|-
<section end='LogEvent' />
|uri
 
|String
 
|The URI
== SystemStatEvent ==
getVirusName
<section begin='SystemStatEvent' />
|-
|virusName
|String
|The virus name, if not clean
|}
<section end='VirusFtpEvent' />


 
These events are created by the base system and inserted to the [[Database_Schema#server_events|server_events]] table periodically.
== VirusHttpEvent ==
<section begin='VirusHttpEvent' />
 
These events are created by [[Virus Blocker]] and update the [[Database_Schema#http_events|http_events]] table when Virus Blocker scans an HTTP transfer.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 682: Line 697:
! Type
! Type
! Description
! Description
getAppName
getActiveHosts
|-
|-
|appName
|activeHosts
|String
|int
|The name of the application
|The active host count
getClass
getClass
|-
|-
Line 692: Line 707:
|Class
|Class
|The class name
|The class name
getClean
getCpuSystem
|-
|-
|clean
|cpuSystem
|boolean
|float
|True if clean, false otherwise
|The system CPU utilization
getPartitionTablePostfix
getCpuUser
getRequestLine
|-
|-
|requestLine
|cpuUser
|RequestLine
|float
|The request line
|The user CPU utilization
getSessionEvent
getDiskFree
|-
|diskFree
|long
|The amount of disk free
getDiskFreePercent
|-
|-
|sessionEvent
|diskFreePercent
|SessionEvent
|float
|The session event
|The percentage of disk free
getTag
getDiskTotal
getTimeStamp
|-
|-
|timeStamp
|diskTotal
|Timestamp
|long
|The timestamp
|The total size of the disk
getVirusName
getDiskUsed
|-
|-
|virusName
|diskUsed
|String
|long
|The virus name, if not clean
|The amount of disk used
|}
getDiskUsedPercent
<section end='VirusHttpEvent' />
 
 
== VirusSmtpEvent ==
<section begin='VirusSmtpEvent' />
 
These events are created by [[Virus Blocker]] and update the [[Database_Schema#mail_msgs|mail_msgs]] table when Virus Blocker scans an email.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getAction
|-
|-
|action
|diskUsedPercent
|String
|float
|The action
|The percentage of disk used
getAppName
getLoad1
|-
|-
|appName
|load1
|String
|float
|The name of the application
|The 1-minute CPU load
getClass
getLoad15
|-
|-
|class
|load15
|Class
|float
|The class name
|The 15-minute CPU load
getClean
getLoad5
|-
|-
|clean
|load5
|boolean
|float
|True if clean, false otherwise
|The 5-minute CPU load
getMessageId
getMemBuffers
|-
|memBuffers
|long
|The amount of memory used by buffers
getMemCache
|-
|-
|messageId
|memCache
|Long
|long
|The message ID
|The amount of memory used by cache
getPartitionTablePostfix
getMemFree
getTag
getTimeStamp
|-
|-
|timeStamp
|memFree
|Timestamp
|long
|The timestamp
|The amount of free memory
getVirusName
getMemFreePercent
|-
|-
|virusName
|memFreePercent
|String
|float
|The virus name, if not clean
|The percentage of total memory that is free
|}
getMemTotal
<section end='VirusSmtpEvent' />
 
 
== FirewallEvent ==
<section begin='FirewallEvent' />
 
These events are created by [[Firewall]] and update the [[Database_Schema#sessions|sessions]] table when a firewall rule matches a session.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getBlocked
|-
|-
|blocked
|memTotal
|boolean
|long
|True if blocked, false otherwise
|The total amount of memory
getClass
getMemUsed
|-
|-
|class
|memUsed
|Class
|long
|The class name
|The amount of used memory
getFlagged
getMemUsedPercent
|-
|-
|flagged
|memUsedPercent
|boolean
|float
|True if flagged, false otherwise
|The percentage of total memory that is used
getPartitionTablePostfix
getPartitionTablePostfix
getRuleId
getSwapFree
|-
|-
|ruleId
|swapFree
|long
|long
|The rule ID
|The amount of free swap
getSessionId
getSwapFreePercent
|-
|swapFreePercent
|float
|The percentage of total swap that is free
getSwapTotal
|-
|swapTotal
|long
|The total size of swap
getSwapUsed
|-
|swapUsed
|long
|The amount of used swap
getSwapUsedPercent
|-
|-
|sessionId
|swapUsedPercent
|Long
|float
|The session ID
|The percentage of total swap that is used
getTag
getTag
getTimeStamp
getTimeStamp
Line 815: Line 825:
|The timestamp
|The timestamp
|}
|}
<section end='FirewallEvent' />
<section end='SystemStatEvent' />




== OpenVpnStatusEvent ==
== HostTableEvent ==
<section begin='OpenVpnStatusEvent' />
<section begin='HostTableEvent' />


These events are created by [[OpenVPN]] and update the [[Database_Schema#openvpn_stats|openvpn_stats]] table periodically.
These events are created by the base system and inserted to the [[Database_Schema#host_table_updates|host_table_updates]] table when the host table is modified.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 832: Line 842:
|InetAddress
|InetAddress
|The address
|The address
getBytesRxDelta
getClass
|-
|-
|bytesRxDelta
|class
|long
|Class
|The delta number of RX (received) bytes from the previous event
getBytesRxTotal
|-
|bytesRxTotal
|long
|The total number of RX (received) bytes
getBytesTxDelta
|-
|bytesTxDelta
|long
|The delta number of TX (transmitted) bytes from the previous event
getBytesTxTotal
|-
|bytesTxTotal
|long
|The total number of TX (transmitted) bytes
getClass
|-
|class
|Class
|The class name
|The class name
getClientName
getKey
|-
|-
|clientName
|key
|String
|String
|The client name
|The key
getEnd
getOldValue
|-
|-
|end
|oldValue
|Timestamp
|String
|The end
|The old value
getPartitionTablePostfix
getPartitionTablePostfix
getPoolAddress
getTag
getTimeStamp
|-
|-
|poolAddress
|timeStamp
|InetAddress
|The pool address
getPort
|-
|port
|int
|The port
getStart
|-
|start
|Timestamp
|Timestamp
|The start
|The timestamp
getTag
getValue
getTimeStamp
|-
|-
|timeStamp
|value
|Timestamp
|String
|The timestamp
|The value
|}
|}
<section end='OpenVpnStatusEvent' />
<section end='HostTableEvent' />




== OpenVpnEvent ==
== DeviceTableEvent ==
<section begin='OpenVpnEvent' />
<section begin='DeviceTableEvent' />


These events are created by [[OpenVPN]] and update the [[Database_Schema#openvpn_events|openvpn_events]] table when OpenVPN processes a client action.
These events are created by the base system and inserted to the [[Database_Schema#device_table_updates|device_table_updates]] table when the device list is modified.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 902: Line 882:
! Type
! Type
! Description
! Description
getAddress
|-
|address
|InetAddress
|The address
getClass
getClass
|-
|-
Line 912: Line 887:
|Class
|Class
|The class name
|The class name
getClientName
getDevice
|-
|-
|clientName
|device
|DeviceTableEntry
|The Device
getKey
|-
|key
|String
|The key
getMacAddress
|-
|macAddress
|String
|The MAC address
getOldValue
|-
|oldValue
|String
|String
|The client name
|The old value
getPartitionTablePostfix
getPartitionTablePostfix
getPoolAddress
|-
|poolAddress
|InetAddress
|The pool address
getTag
getTag
getTimeStamp
getTimeStamp
Line 929: Line 914:
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getType
getValue
|-
|-
|type
|value
|OpenVpnEvent$EventType
|String
|The type
|The value
|}
|}
<section end='OpenVpnEvent' />
<section end='DeviceTableEvent' />




== AdminLoginEvent ==
== SettingsChangesEvent ==
<section begin='AdminLoginEvent' />
<section begin='SettingsChangesEvent' />


These events are created by the base system and inserted to the [[Database_Schema#user_table_updates|admin_logins]] table when an administrator login is attempted or successful.
These events are created by the base system and inserted to the [[Database_Schema#settings_changes|settings_changes]] table when settings are changed.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 952: Line 937:
|Class
|Class
|The class name
|The class name
getClientAddress
getHostname
|-
|-
|clientAddress
|hostname
|InetAddress
|The client address
getLocal
|-
|local
|boolean
|1 if login is done via local console, 0 otherwise
getLogin
|-
|login
|String
|String
|The login username
|The hostname
getPartitionTablePostfix
getPartitionTablePostfix
getReason
getSettingsFile
|-
|-
|reason
|settingsFile
|String
|String
|The reason
|The settings file
getSucceeded
|-
|succeeded
|boolean
|1 if successful, 0 otherwise
getTag
getTag
getTimeStamp
getTimeStamp
Line 984: Line 954:
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getUsername
|-
|username
|String
|The username
|}
|}
<section end='AdminLoginEvent' />
<section end='SettingsChangesEvent' />




== AlertEvent ==
== UserTableEvent ==
<section begin='AlertEvent' />
<section begin='UserTableEvent' />


These events are created by [[Reports]] and inserted to the [[Database_Schema#alerts|alerts]] table when an alert fires.
These events are created by the base system and inserted to the [[Database_Schema#user_table_updates|user_table_updates]] table when the user table is modified.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 997: Line 972:
! Type
! Type
! Description
! Description
getCausalRule
|-
|causalRule
|EventRule
|The causal rule
getCause
|-
|cause
|LogEvent
|The cause
getClass
getClass
|-
|-
Line 1,012: Line 977:
|Class
|Class
|The class name
|The class name
getDescription
getKey
|-
|-
|description
|key
|String
|String
|The description
|The key
getEventSent
getOldValue
|-
|-
|eventSent
|oldValue
|Boolean
|True if the event was sent, false otherwise
getJson
|-
|json
|String
|String
|The JSON string
|The old value
getPartitionTablePostfix
getPartitionTablePostfix
getSummaryText
|-
|summaryText
|String
|The summary text
getTag
getTag
getTimeStamp
getTimeStamp
Line 1,039: Line 994:
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|}
getUsername
<section end='AlertEvent' />
|-
|username
|String
|The username
getValue
|-
|value
|String
|The value
|}
<section end='UserTableEvent' />




== InterfaceStatEvent ==
== SessionMinuteEvent ==
<section begin='InterfaceStatEvent' />
<section begin='SessionMinuteEvent' />


These events are created by the base system and inserted to the [[Database_Schema#settings_changes|interface_stat_events]] table periodically with interface stats.
These events are created by the base system and update the [[Database_Schema#sessions|session_minutes]] table each minute a session exists.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,052: Line 1,017:
! Type
! Type
! Description
! Description
getC2sBytes
|-
|c2sBytes
|long
|The number of bytes sent from the client to the server
getClass
getClass
|-
|-
Line 1,057: Line 1,027:
|Class
|Class
|The class name
|The class name
getInterfaceId
|-
|interfaceId
|int
|The interface ID
getPartitionTablePostfix
getPartitionTablePostfix
getRxBytes
getS2cBytes
|-
|-
|rxBytes
|s2cBytes
|double
|long
|The total of received bytes
|The number of bytes sent from the server to the client
getRxRate
getSessionId
|-
|-
|rxRate
|sessionId
|double
|long
|The RX rate in byte/s
|The session ID
getTag
getTag
getTimeStamp
getTimeStamp
Line 1,079: Line 1,044:
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getTxBytes
|-
|txBytes
|double
|The total of transmitted bytes
getTxRate
|-
|txRate
|double
|The TX rate in byte/s
|}
|}
<section end='InterfaceStatEvent' />
<section end='SessionMinuteEvent' />




== LogEvent ==
== SessionEvent ==
<section begin='LogEvent' />
<section begin='SessionEvent' />


These base class for all events.
These events are created by the base system and update the [[Database_Schema#sessions|sessions]] table each time a session is created.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,102: Line 1,057:
! Type
! Type
! Description
! Description
getClass
getCClientAddr
|-
|-
|class
|CClientAddr
|Class
|InetAddress
|The class name
|The client-side (pre-NAT) client address
getPartitionTablePostfix
getCClientPort
getTag
getTimeStamp
|-
|-
|timeStamp
|CClientPort
|Timestamp
|Integer
|The timestamp
|The client-side (pre-NAT) client port
|}
getCServerAddr
<section end='LogEvent' />
 
 
== SystemStatEvent ==
<section begin='SystemStatEvent' />
 
These events are created by the base system and inserted to the [[Database_Schema#server_events|server_events]] table periodically.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getActiveHosts
|-
|-
|activeHosts
|CServerAddr
|int
|InetAddress
|The active host count
|The client-side (pre-NAT) server address
getClass
getCServerPort
|-
|-
|class
|CServerPort
|Class
|Integer
|The class name
|The client-side (pre-NAT) server port
getCpuSystem
getSClientAddr
|-
|-
|cpuSystem
|SClientAddr
|float
|InetAddress
|The system CPU utilization
|The server-side (post-NAT) client address
getCpuUser
getSClientPort
|-
|-
|cpuUser
|SClientPort
|float
|Integer
|The user CPU utilization
|The server-side (post-NAT) client port
getDiskFree
getSServerAddr
|-
|-
|diskFree
|SServerAddr
|long
|InetAddress
|The amount of disk free
|The server-side (post-NAT) server address
getDiskFreePercent
getSServerPort
|-
|-
|diskFreePercent
|SServerPort
|float
|Integer
|The percentage of disk free
|The server-side (post-NAT) server port
getDiskTotal
getBypassed
|-
|-
|diskTotal
|bypassed
|long
|boolean
|The total size of the disk
|True if bypassed, false otherwise
getDiskUsed
getClass
|-
|-
|diskUsed
|class
|long
|Class
|The amount of disk used
|The class name
getDiskUsedPercent
getClientCountry
|-
|-
|diskUsedPercent
|clientCountry
|float
|String
|The percentage of disk used
|The client country
getLoad1
getClientIntf
|-
|-
|load1
|clientIntf
|float
|Integer
|The 1-minute CPU load
|The client interface ID
getLoad15
getClientLatitude
|-
|-
|load15
|clientLatitude
|float
|Double
|The 15-minute CPU load
|The client latitude
getLoad5
getClientLongitude
|-
|-
|load5
|clientLongitude
|float
|Double
|The 5-minute CPU load
|The client longitude
getMemBuffers
getEntitled
|-
|-
|memBuffers
|entitled
|long
|boolean
|The amount of memory used by buffers
|The entitled status
getMemCache
getFilterPrefix
|-
|-
|memCache
|filterPrefix
|long
|String
|The amount of memory used by cache
|The filter prefix if blocked by the filter rules
getMemFree
getHostname
|-
|-
|memFree
|hostname
|long
|String
|The amount of free memory
|The hostname
getMemFreePercent
getIcmpType
|-
|-
|memFreePercent
|icmpType
|float
|Short
|The percentage of total memory that is free
|The ICMP type
getMemTotal
getLocalAddr
|-
|-
|memTotal
|localAddr
|long
|InetAddress
|The total amount of memory
|The local host address
getMemUsed
getPartitionTablePostfix
getPolicyId
|-
|-
|memUsed
|policyId
|long
|Integer
|The amount of used memory
|The policy ID
getMemUsedPercent
getPolicyRuleId
|-
|-
|memUsedPercent
|policyRuleId
|float
|Integer
|The percentage of total memory that is used
|The policy rule ID
getPartitionTablePostfix
getProtocol
getSwapFree
|-
|-
|swapFree
|protocol
|long
|Short
|The amount of free swap
|The protocol
getSwapFreePercent
getProtocolName
|-
|-
|swapFreePercent
|protocolName
|float
|String
|The percentage of total swap that is free
|The protocol name
getSwapTotal
getRemoteAddr
|-
|-
|swapTotal
|remoteAddr
|long
|InetAddress
|The total size of swap
|The remote host address
getSwapUsed
getServerCountry
|-
|serverCountry
|String
|The server country
getServerIntf
|-
|serverIntf
|Integer
|The server interface ID
getServerLatitude
|-
|serverLatitude
|Double
|The server latitude
getServerLongitude
|-
|-
|swapUsed
|serverLongitude
|long
|Double
|The amount of used swap
|The server longitude
getSwapUsedPercent
getSessionId
|-
|-
|swapUsedPercent
|sessionId
|float
|Long
|The percentage of total swap that is used
|The session ID
getTag
getTag
getTimeStamp
getTagsString
|-
|tagsString
|String
|The string value of all tags
getTimeStamp
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getUsername
|-
|username
|String
|The username
|}
|}
<section end='SystemStatEvent' />
<section end='SessionEvent' />




== SessionMinuteEvent ==
== SessionStatsEvent ==
<section begin='SessionMinuteEvent' />
<section begin='SessionStatsEvent' />


These events are created by the base system and update the [[Database_Schema#sessions|session_minutes]] table each minute a session exists.
These events are created by the base system and update the [[Database_Schema#sessions|sessions]] table when a session ends with the updated stats.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,267: Line 1,232:
! Type
! Type
! Description
! Description
getC2sBytes
getC2pBytes
|-
|-
|c2sBytes
|c2pBytes
|long
|long
|The number of bytes sent from the client to the server
|The number of bytes sent from the client to Untangle
getClass
getClass
|-
|-
Line 1,277: Line 1,242:
|Class
|Class
|The class name
|The class name
getPartitionTablePostfix
getEndTime
getS2cBytes
|-
|-
|s2cBytes
|endTime
|long
|long
|The number of bytes sent from the server to the client
|The end time/date
getSessionId
getP2cBytes
|-
|-
|sessionId
|p2cBytes
|long
|long
|The session ID
|The number of bytes sent to the client from Untangle
getTag
getP2sBytes
|-
|p2sBytes
|long
|The number of bytes sent to the server from Untangle
getPartitionTablePostfix
getS2pBytes
|-
|s2pBytes
|long
|The number of bytes sent from the server to Untangle
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getSessionId
|-
|sessionId
|Long
|The session ID
getTag
getTimeStamp
getTimeStamp
|-
|-
Line 1,295: Line 1,280:
|The timestamp
|The timestamp
|}
|}
<section end='SessionMinuteEvent' />
<section end='SessionStatsEvent' />




== SessionEvent ==
== SessionNatEvent ==
<section begin='SessionEvent' />
<section begin='SessionNatEvent' />


These events are created by the base system and update the [[Database_Schema#sessions|sessions]] table each time a session is created.
These events are created by the base system and update the [[Database_Schema#sessions|sessions]] table each time a session is NATd with the post-NAT information.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,307: Line 1,292:
! Type
! Type
! Description
! Description
getCClientAddr
getSClientAddr
|-
|-
|CClientAddr
|SClientAddr
|InetAddress
|InetAddress
|The client-side (pre-NAT) client address
|The server-side (post-NAT) client address
getCClientPort
getSClientPort
|-
|-
|CClientPort
|SClientPort
|Integer
|The client-side (pre-NAT) client port
getCServerAddr
|-
|CServerAddr
|InetAddress
|The client-side (pre-NAT) server address
getCServerPort
|-
|CServerPort
|Integer
|The client-side (pre-NAT) server port
getSClientAddr
|-
|SClientAddr
|InetAddress
|The server-side (post-NAT) client address
getSClientPort
|-
|SClientPort
|Integer
|Integer
|The server-side (post-NAT) client port
|The server-side (post-NAT) client port
Line 1,347: Line 1,312:
|Integer
|Integer
|The server-side (post-NAT) server port
|The server-side (post-NAT) server port
getBypassed
|-
|bypassed
|boolean
|True if bypassed, false otherwise
getClass
getClass
|-
|-
Line 1,357: Line 1,317:
|Class
|Class
|The class name
|The class name
getClientCountry
getPartitionTablePostfix
getServerIntf
|-
|-
|clientCountry
|serverIntf
|String
|The client country
getClientIntf
|-
|clientIntf
|Integer
|Integer
|The client interface ID
|The server interface ID
getClientLatitude
getSessionEvent
|-
|-
|clientLatitude
|sessionEvent
|Double
|SessionEvent
|The client latitude
|The session event
getClientLongitude
getTag
getTimeStamp
|-
|-
|clientLongitude
|timeStamp
|Double
|Timestamp
|The client longitude
|The timestamp
getEntitled
|}
<section end='SessionNatEvent' />
 
 
== QuotaEvent ==
<section begin='QuotaEvent' />
 
These events are created by the [[Bandwidth Control]] and inserted or update the [[Database_Schema#quotas|quotas]] table when quotas are given or exceeded.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getAction
|-
|-
|entitled
|action
|boolean
|int
|The entitled status
|The action (1=Quota Given, 2=Quota Exceeded)
getFilterPrefix
getClass
|-
|-
|filterPrefix
|class
|String
|Class
|The filter prefix if blocked by the filter rules
|The class name
getHostname
getEntity
|-
|-
|hostname
|entity
|String
|String
|The hostname
|The entity
getIcmpType
|-
|icmpType
|Short
|The ICMP type
getLocalAddr
|-
|localAddr
|InetAddress
|The local host address
getPartitionTablePostfix
getPartitionTablePostfix
getPolicyId
getQuotaSize
|-
|-
|policyId
|quotaSize
|Integer
|long
|The policy ID
|The quota size
getPolicyRuleId
getReason
|-
|-
|policyRuleId
|reason
|Integer
|String
|The policy rule ID
|The reason
getProtocol
getTag
getTimeStamp
|-
|-
|protocol
|timeStamp
|Short
|Timestamp
|The protocol
|The timestamp
getProtocolName
|}
<section end='QuotaEvent' />
 
 
== SmtpMessageAddressEvent ==
<section begin='SmtpMessageAddressEvent' />
 
These events are created by SMTP subsystem and inserted to the [[Database_Schema#mail_addrs|mail_addrs]] table for each address on each email.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getAddr
|-
|-
|protocolName
|addr
|String
|String
|The protocol name
|The address
getRemoteAddr
getClass
|-
|-
|remoteAddr
|class
|InetAddress
|Class
|The remote host address
|The class name
getServerCountry
getKind
|-
|-
|serverCountry
|kind
|String
|AddressKind
|The server country
|The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
getServerIntf
getMessageId
|-
|-
|serverIntf
|messageId
|Integer
|Long
|The server interface ID
|The message ID
getServerLatitude
getPartitionTablePostfix
getPersonal
|-
|-
|serverLatitude
|personal
|Double
|String
|The server latitude
|personal
getServerLongitude
|-
|serverLongitude
|Double
|The server longitude
getSessionId
|-
|sessionId
|Long
|The session ID
getTag
getTag
getTimeStamp
getTimeStamp
Line 1,459: Line 1,424:
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getUsername
|}
|-
<section end='SmtpMessageAddressEvent' />
|username
|String
|The username
|}
<section end='SessionEvent' />




== SessionStatsEvent ==
== SmtpMessageEvent ==
<section begin='SessionStatsEvent' />
<section begin='SmtpMessageEvent' />


These events are created by the base system and update the [[Database_Schema#sessions|sessions]] table when a session ends with the updated stats.
These events are created by SMTP subsystem and inserted to the [[Database_Schema#mail_msgs|mail_msgs]] table for each email.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,477: Line 1,437:
! Type
! Type
! Description
! Description
getC2pBytes
getAddresses
|-
|-
|c2pBytes
|addresses
|long
|Set
|The number of bytes sent from the client to Untangle
|The addresses
getClass
getClass
|-
|-
Line 1,487: Line 1,447:
|Class
|Class
|The class name
|The class name
getEndTime
getEnvelopeFromAddress
|-
|-
|endTime
|envelopeFromAddress
|long
|String
|The end time/date
|The envelop FROM address
getP2cBytes
getEnvelopeToAddress
|-
|-
|p2cBytes
|envelopeToAddress
|long
|String
|The number of bytes sent to the client from Untangle
|The envelope TO address
getP2sBytes
getMessageId
|-
|-
|p2sBytes
|messageId
|long
|Long
|The number of bytes sent to the server from Untangle
|The message ID
getPartitionTablePostfix
getPartitionTablePostfix
getS2pBytes
getReceiver
|-
|receiver
|String
|The receiver
getSender
|-
|sender
|String
|The sender
getSessionEvent
|-
|-
|s2pBytes
|sessionEvent
|long
|SessionEvent
|The number of bytes sent from the server to Untangle
|The session event
getSessionId
getSessionId
|-
|-
Line 1,513: Line 1,483:
|Long
|Long
|The session ID
|The session ID
getSubject
|-
|subject
|String
|The subject
getTag
getTag
getTimeStamp
getTimeStamp
Line 1,519: Line 1,494:
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getTmpFile
|-
|tmpFile
|File
|The /tmp file
|}
|}
<section end='SessionStatsEvent' />
<section end='SmtpMessageEvent' />




== SessionNatEvent ==
== CaptureRuleEvent ==
<section begin='SessionNatEvent' />
<section begin='CaptureRuleEvent' />


These events are created by the base system and update the [[Database_Schema#sessions|sessions]] table each time a session is NATd with the post-NAT information.
These events are created by [[Captive Portal]] and update the [[Database_Schema#sessions|sessions]] table when Captive Portal processes a session.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,532: Line 1,512:
! Type
! Type
! Description
! Description
getSClientAddr
getCaptured
|-
|-
|SClientAddr
|captured
|InetAddress
|boolean
|The server-side (post-NAT) client address
|True if captured, false otherwise
getSClientPort
|-
|SClientPort
|Integer
|The server-side (post-NAT) client port
getSServerAddr
|-
|SServerAddr
|InetAddress
|The server-side (post-NAT) server address
getSServerPort
|-
|SServerPort
|Integer
|The server-side (post-NAT) server port
getClass
getClass
|-
|-
Line 1,558: Line 1,523:
|The class name
|The class name
getPartitionTablePostfix
getPartitionTablePostfix
getServerIntf
getRuleId
|-
|-
|serverIntf
|ruleId
|Integer
|Integer
|The server interface ID
|The rule ID
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getTag
getTag
getTimeStamp
getTimeStamp
Line 1,570: Line 1,540:
|The timestamp
|The timestamp
|}
|}
<section end='SessionNatEvent' />
<section end='CaptureRuleEvent' />




== QuotaEvent ==
== CaptivePortalUserEvent ==
<section begin='QuotaEvent' />
<section begin='CaptivePortalUserEvent' />


These events are created by the [[Bandwidth Control]] and inserted or update the [[Database_Schema#quotas|quotas]] table when quotas are given or exceeded.
These events are created by [[Captive Portal]] and inserted to the [[Database_Schema#captive_portal_user_events|captive_portal_user_events]] table when Captive Portal user takes an action.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,582: Line 1,552:
! Type
! Type
! Description
! Description
getAction
getAuthenticationType
|-
|-
|action
|authenticationType
|int
|CaptivePortalSettings$AuthenticationType
|The action (1=Quota Given, 2=Quota Exceeded)
|The authentication type
getAddress
getAuthenticationTypeValue
|-
|-
|address
|authenticationTypeValue
|InetAddress
|String
|The address
|The authentication type as a string
getClass
getClass
|-
|-
Line 1,597: Line 1,567:
|Class
|Class
|The class name
|The class name
getPartitionTablePostfix
getClientAddr
getQuotaSize
|-
|-
|quotaSize
|clientAddr
|long
|String
|The quota size
|The client address
getReason
getEvent
|-
|-
|reason
|event
|String
|CaptivePortalUserEvent$EventType
|The reason
|The event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
getEventValue
|-
|eventValue
|String
|The event value as a string (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
getLoginName
|-
|loginName
|String
|The login name
getPartitionTablePostfix
getPolicyId
|-
|policyId
|Integer
|The policy ID
getTag
getTag
getTimeStamp
getTimeStamp
Line 1,615: Line 1,600:
|The timestamp
|The timestamp
|}
|}
<section end='QuotaEvent' />
<section end='CaptivePortalUserEvent' />




== HostTableEvent ==
== AdBlockerEvent ==
<section begin='HostTableEvent' />
<section begin='AdBlockerEvent' />


These events are created by the base system and inserted to the [[Database_Schema#host_table_updates|host_table_updates]] table when the host table is modified.
These events are created by [[Ad Blocker]] and update the [[Database_Schema#http_events|http_events]] table when an ad is blocked.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,627: Line 1,612:
! Type
! Type
! Description
! Description
getAddress
getAction
|-
|-
|address
|action
|InetAddress
|Action
|The address
|The action
getClass
getClass
|-
|-
Line 1,637: Line 1,622:
|Class
|Class
|The class name
|The class name
getKey
getPartitionTablePostfix
getReason
|-
|-
|key
|reason
|String
|String
|The key
|The reason
getOldValue
getRequestId
|-
|-
|oldValue
|requestId
|String
|Long
|The old value
|The request ID
getPartitionTablePostfix
getTag
getTag
getTimeStamp
getTimeStamp
Line 1,654: Line 1,639:
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getValue
|-
|value
|String
|The value
|}
|}
<section end='HostTableEvent' />
<section end='AdBlockerEvent' />




== DeviceTableEvent ==
== CookieEvent ==
<section begin='DeviceTableEvent' />
<section begin='CookieEvent' />


These events are created by the base system and inserted to the [[Database_Schema#device_table_updates|device_table_updates]] table when the device list is modified.
These events are created by [[Ad Blocker]] and update the [[Database_Schema#http_events|http_events]] table when a cookie is blocked.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,677: Line 1,657:
|Class
|Class
|The class name
|The class name
getDevice
getIdentification
|-
|-
|device
|identification
|DeviceTableEntry
|The Device
getKey
|-
|key
|String
|String
|The key
|The identification string
getMacAddress
getPartitionTablePostfix
getRequestId
|-
|-
|macAddress
|requestId
|String
|Long
|The MAC address
|The request ID
getOldValue
getSessionEvent
|-
|-
|oldValue
|sessionEvent
|String
|SessionEvent
|The old value
|The session event
getPartitionTablePostfix
getTag
getTag
getTimeStamp
getTimeStamp
Line 1,704: Line 1,679:
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getValue
|-
|value
|String
|The value
|}
|}
<section end='DeviceTableEvent' />
<section end='CookieEvent' />




== SettingsChangesEvent ==
== HttpRequestEvent ==
<section begin='SettingsChangesEvent' />
<section begin='HttpRequestEvent' />


These events are created by the base system and inserted to the [[Database_Schema#settings_changes|settings_changes]] table when settings are changed.
These events are created by HTTP subsystem and inserted to the [[Database_Schema#http_events|http_events]] table when a web request happens.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,727: Line 1,697:
|Class
|Class
|The class name
|The class name
getHostname
getContentLength
|-
|-
|hostname
|contentLength
|String
|long
|The hostname
|The content length
getDomain
|-
|domain
|String
|The domain
getHost
|-
|host
|String
|The host
getMethod
|-
|method
|HttpMethod
|The HTTP method
getPartitionTablePostfix
getPartitionTablePostfix
getSettingsFile
getReferer
|-
|-
|settingsFile
|referer
|String
|String
|The settings file
|The referer
getRequestId
|-
|requestId
|Long
|The request ID
getRequestUri
|-
|requestUri
|URI
|The request URI
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getTag
getTag
getTimeStamp
getTimeStamp
Line 1,744: Line 1,744:
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getUsername
|}
|-
<section end='HttpRequestEvent' />
|username
|String
|The username
|}
<section end='SettingsChangesEvent' />




== UserTableEvent ==
== HttpResponseEvent ==
<section begin='UserTableEvent' />
<section begin='HttpResponseEvent' />


These events are created by the base system and inserted to the [[Database_Schema#user_table_updates|user_table_updates]] table when the user table is modified.
These events are created by HTTP subsystem and update the [[Database_Schema#http_events|http_events]] table when a web response happens.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,767: Line 1,762:
|Class
|Class
|The class name
|The class name
getKey
getContentFilename
|-
|-
|key
|contentFilename
|String
|String
|The key
|The content filename
getOldValue
getContentLength
|-
|contentLength
|long
|The content length
getContentType
|-
|-
|oldValue
|contentType
|String
|String
|The old value
|The content type
getHttpRequestEvent
|-
|httpRequestEvent
|HttpRequestEvent
|The corresponding HTTP request event
getPartitionTablePostfix
getPartitionTablePostfix
getTag
getRequestLine
getTimeStamp
|-
|requestLine
|RequestLine
|The request line
getTag
getTimeStamp
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getUsername
|-
|username
|String
|The username
getValue
|-
|value
|String
|The value
|}
|}
<section end='UserTableEvent' />
<section end='HttpResponseEvent' />




== SessionMinuteEvent ==
== WebCacheEvent ==
<section begin='SessionMinuteEvent' />
<section begin='WebCacheEvent' />


These events are created by the base system and update the [[Database_Schema#sessions|session_minutes]] table each minute a session exists.
These events are created by [[Web Cache]] and inserted to the [[Database_Schema#web_cache_stats|web_cache_stats]] table periodically.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,807: Line 1,807:
! Type
! Type
! Description
! Description
getC2sBytes
getBypassCount
|-
|-
|c2sBytes
|bypassCount
|long
|long
|The number of bytes sent from the client to the server
|The number of bypasses
getClass
getClass
|-
|-
Line 1,817: Line 1,817:
|Class
|Class
|The class name
|The class name
getPartitionTablePostfix
getHitBytes
getS2cBytes
|-
|-
|s2cBytes
|hitBytes
|long
|long
|The number of bytes sent from the server to the client
|The number of bytes worth of hits
getSessionId
getHitCount
|-
|hitCount
|long
|The number of hits
getMissBytes
|-
|missBytes
|long
|The number of bytes worth of misses
getMissCount
|-
|missCount
|long
|The number of misses
getPartitionTablePostfix
getPolicyId
|-
|policyId
|Long
|The policy ID
getSystemCount
|-
|-
|sessionId
|systemCount
|long
|long
|The session ID
|The number of system bypasses
getTag
getTag
getTimeStamp
getTimeStamp
Line 1,835: Line 1,855:
|The timestamp
|The timestamp
|}
|}
<section end='SessionMinuteEvent' />
<section end='WebCacheEvent' />




== SessionEvent ==
== TunnelVpnStatusEvent ==
<section begin='SessionEvent' />
<section begin='TunnelVpnStatusEvent' />


These events are created by the base system and update the [[Database_Schema#sessions|sessions]] table each time a session is created.
These events are created by [[Tunnel VPN]] and inserted to the [[Database_Schema#tunnel_vpn_stats|tunnel_vpn_stats]] table periodically.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,847: Line 1,867:
! Type
! Type
! Description
! Description
getCClientAddr
getClass
|-
|-
|CClientAddr
|class
|InetAddress
|Class
|The client-side (pre-NAT) client address
|The class name
getCClientPort
getInBytes
|-
|-
|CClientPort
|inBytes
|Integer
|long
|The client-side (pre-NAT) client port
|The number of bytes received from this tunnel
getCServerAddr
getOutBytes
|-
|-
|CServerAddr
|outBytes
|InetAddress
|long
|The client-side (pre-NAT) server address
|The number of bytes sent in this tunnel
getCServerPort
getPartitionTablePostfix
getTag
getTimeStamp
|-
|-
|CServerPort
|timeStamp
|Integer
|Timestamp
|The client-side (pre-NAT) server port
|The timestamp
getSClientAddr
getTunnelName
|-
|-
|SClientAddr
|tunnelName
|InetAddress
|String
|The server-side (post-NAT) client address
|The name of this tunnel
getSClientPort
|}
|-
<section end='TunnelVpnStatusEvent' />
|SClientPort
 
|Integer
 
|The server-side (post-NAT) client port
== TunnelVpnEvent ==
getSServerAddr
<section begin='TunnelVpnEvent' />
|-
 
|SServerAddr
These events are created by [[Tunnel VPN]] and inserted to the [[Database_Schema#tunnel_vpn_events|tunnel_vpn_events]] table when a tunnel connection event occurs.
|InetAddress
 
|The server-side (post-NAT) server address
{| border="1" cellpadding="2" width="90%" align="center"
getSServerPort
! Attribute Name
|-
! Type
|SServerPort
! Description
|Integer
|The server-side (post-NAT) server port
getBypassed
|-
|bypassed
|boolean
|True if bypassed, false otherwise
getClass
getClass
|-
|-
Line 1,897: Line 1,912:
|Class
|Class
|The class name
|The class name
getClientCountry
getEventType
|-
|-
|clientCountry
|eventType
|String
|TunnelVpnEvent$EventType
|The client country
|The event type
getClientIntf
getLocalAddress
|-
|-
|clientIntf
|localAddress
|Integer
|InetAddress
|The client interface ID
|The local host address
getClientLatitude
getPartitionTablePostfix
getServerAddress
|-
|-
|clientLatitude
|serverAddress
|Double
|InetAddress
|The client latitude
|The server address
getClientLongitude
getTag
getTimeStamp
|-
|-
|clientLongitude
|timeStamp
|Double
|Timestamp
|The client longitude
|The timestamp
getEntitled
getTunnelName
|-
|-
|entitled
|tunnelName
|boolean
|The entitled status
getFilterPrefix
|-
|filterPrefix
|String
|String
|The filter prefix if blocked by the filter rules
|The name of this tunnel
getHostname
|}
<section end='TunnelVpnEvent' />
 
 
== IntrusionPreventionLogEvent ==
<section begin='IntrusionPreventionLogEvent' />
 
These events are created by [[Intrusion Prevention]] and inserted to the [[Database_Schema#intrusion_prevention_events|intrusion_prevention_events]] table when a rule matches.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getBlocked
|-
|blocked
|boolean
|True if blocked, false otherwise
getCategory
|-
|-
|hostname
|category
|String
|String
|The hostname
|The category
getIcmpType
getClass
|-
|-
|icmpType
|class
|Short
|Class
|The ICMP type
|The class name
getLocalAddr
getClassificationId
|-
|-
|localAddr
|classificationId
|InetAddress
|long
|The local host address
|The classification ID
getPartitionTablePostfix
getClasstype
getPolicyId
|-
|-
|policyId
|classtype
|Integer
|String
|The policy ID
|The classtype
getPolicyRuleId
getDportIcode
|-
|-
|policyRuleId
|dportIcode
|Integer
|int
|The policy rule ID
|The dportIcode
getProtocol
getEventId
|-
|-
|protocol
|eventId
|Short
|long
|The protocol
|The event ID
getProtocolName
getEventMicrosecond
|-
|-
|protocolName
|eventMicrosecond
|String
|long
|The protocol name
|The event microsecond
getRemoteAddr
getEventSecond
|-
|remoteAddr
|InetAddress
|The remote host address
getServerCountry
|-
|-
|serverCountry
|eventSecond
|String
|long
|The server country
|The event second
getServerIntf
getEventType
|-
|-
|serverIntf
|eventType
|Integer
|long
|The server interface ID
|The event type
getServerLatitude
getGeneratorId
|-
|-
|serverLatitude
|generatorId
|Double
|long
|The server latitude
|The generator ID
getServerLongitude
getImpact
|-
|-
|serverLongitude
|impact
|Double
|short
|The server longitude
|The impact
getSessionId
getImpactFlag
|-
|-
|sessionId
|impactFlag
|Long
|short
|The session ID
|The impact flag
getTag
getIpDestination
getTagsString
|-
|ipDestination
|InetAddress
|The IP address destination
getIpSource
|-
|-
|tagsString
|ipSource
|String
|InetAddress
|The string value of all tags
|The IP address source
getTimeStamp
getMplsLabel
|-
|-
|timeStamp
|mplsLabel
|Timestamp
|long
|The timestamp
|The mplsLabel
getUsername
getMsg
|-
|-
|username
|msg
|String
|String
|The username
|The msg
|}
getPadding
<section end='SessionEvent' />
|-
 
|padding
 
|int
== SessionStatsEvent ==
|The padding
<section begin='SessionStatsEvent' />
getPartitionTablePostfix
 
getPriorityId
These events are created by the base system and update the [[Database_Schema#sessions|sessions]] table when a session ends with the updated stats.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getC2pBytes
|-
|-
|c2pBytes
|priorityId
|long
|long
|The number of bytes sent from the client to Untangle
|The priority ID
getClass
getProtocol
|-
|protocol
|short
|The protocol
getRid
|-
|-
|class
|rid
|Class
|String
|The class name
|Rule ID
getEndTime
getSensorId
|-
|-
|endTime
|sensorId
|long
|long
|The end time/date
|The sensor ID
getP2cBytes
getSignatureId
|-
|-
|p2cBytes
|signatureId
|long
|long
|The number of bytes sent to the client from Untangle
|The signature ID
getP2sBytes
getSignatureRevision
|-
|-
|p2sBytes
|signatureRevision
|long
|long
|The number of bytes sent to the server from Untangle
|The signature revision
getPartitionTablePostfix
getSportItype
getS2pBytes
|-
|-
|s2pBytes
|sportItype
|long
|int
|The number of bytes sent from the server to Untangle
|The sportItype
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getSessionId
|-
|sessionId
|Long
|The session ID
getTag
getTag
getTimeStamp
getTimeStamp
Line 2,069: Line 2,084:
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getVlanId
|-
|vlanId
|int
|The VLAN Id
|}
|}
<section end='SessionStatsEvent' />
<section end='IntrusionPreventionLogEvent' />




== SessionNatEvent ==
== ApplicationControlLogEvent ==
<section begin='SessionNatEvent' />
<section begin='ApplicationControlLogEvent' />


These events are created by the base system and update the [[Database_Schema#sessions|sessions]] table each time a session is NATd with the post-NAT information.
These events are created by [[Application Control]] and update the [[Database_Schema#sessions|sessions]] table when application control identifies a session.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 2,082: Line 2,102:
! Type
! Type
! Description
! Description
getSClientAddr
getApplication
|-
|-
|SClientAddr
|application
|InetAddress
|String
|The server-side (post-NAT) client address
|The application
getSClientPort
getBlocked
|-
|-
|SClientPort
|blocked
|Integer
|boolean
|The server-side (post-NAT) client port
|True if blocked, false otherwise
getSServerAddr
getCategory
|-
|-
|SServerAddr
|category
|InetAddress
|String
|The server-side (post-NAT) server address
|The category
getSServerPort
|-
|SServerPort
|Integer
|The server-side (post-NAT) server port
getClass
getClass
|-
|-
Line 2,107: Line 2,122:
|Class
|Class
|The class name
|The class name
getConfidence
|-
|confidence
|Integer
|The confidence (0-100)
getDetail
|-
|detail
|String
|The details
getFlagged
|-
|flagged
|boolean
|True if flagged, false otherwise
getPartitionTablePostfix
getPartitionTablePostfix
getServerIntf
getProtochain
|-
|protochain
|String
|The protochain
getRuleId
|-
|-
|serverIntf
|ruleId
|Integer
|Integer
|The server interface ID
|The rule ID
getSessionEvent
getSessionEvent
|-
|-
Line 2,118: Line 2,153:
|SessionEvent
|SessionEvent
|The session event
|The session event
getState
|-
|state
|Integer
|The state
getTag
getTag
getTimeStamp
getTimeStamp
Line 2,125: Line 2,165:
|The timestamp
|The timestamp
|}
|}
<section end='SessionNatEvent' />
<section end='ApplicationControlLogEvent' />




== QuotaEvent ==
== LoginEvent ==
<section begin='QuotaEvent' />
<section begin='LoginEvent' />


These events are created by the [[Bandwidth Control]] and inserted or update the [[Database_Schema#quotas|quotas]] table when quotas are given or exceeded.
These events are created by [[Directory Connector]] and inserted to the [[Database_Schema#directory_connector_login_events|directory_connector_login_events]] table for each login.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 2,137: Line 2,177:
! Type
! Type
! Description
! Description
getAction
|-
|action
|int
|The action (1=Quota Given, 2=Quota Exceeded)
getClass
getClass
|-
|-
Line 2,147: Line 2,182:
|Class
|Class
|The class name
|The class name
getEntity
getClientAddr
|-
|clientAddr
|InetAddress
|The client address
getDomain
|-
|domain
|String
|The domain
getEvent
|-
|-
|entity
|event
|String
|String
|The entity
|The event
getPartitionTablePostfix
getLoginName
getQuotaSize
|-
|-
|quotaSize
|loginName
|long
|String
|The quota size
|The login name
getReason
getLoginType
|-
|-
|reason
|loginType
|String
|String
|The reason
|W = Windows login, A=Active Directory, R=RADIUS, T=test
getPartitionTablePostfix
getTag
getTag
getTimeStamp
getTimeStamp
Line 2,170: Line 2,215:
|The timestamp
|The timestamp
|}
|}
<section end='QuotaEvent' />
<section end='LoginEvent' />




== SmtpMessageAddressEvent ==
== WebFilterEvent ==
<section begin='SmtpMessageAddressEvent' />
<section begin='WebFilterEvent' />


These events are created by SMTP subsystem and inserted to the [[Database_Schema#mail_addrs|mail_addrs]] table for each address on each email.
These events are created by [[Web Filter]] and update the [[Database_Schema#http_events|http_events]] table when web filter processes a web request.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 2,182: Line 2,227:
! Type
! Type
! Description
! Description
getAddr
getAppName
|-
|appName
|String
|The name of the application
getBlocked
|-
|blocked
|Boolean
|True if blocked, false otherwise
getCategory
|-
|-
|addr
|category
|String
|String
|The address
|The category
getCategoryId
|-
|categoryId
|Integer
|Numeric value of matching category
getClass
getClass
|-
|-
Line 2,192: Line 2,252:
|Class
|Class
|The class name
|The class name
getKind
getFlagged
|-
|-
|kind
|flagged
|AddressKind
|Boolean
|The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
|True if flagged, false otherwise
getMessageId
getPartitionTablePostfix
getReason
|-
|reason
|Reason
|The reason
getRequestLine
|-
|-
|messageId
|requestLine
|Long
|RequestLine
|The message ID
|The request line
getPartitionTablePostfix
getRuleId
getPersonal
|-
|ruleId
|Integer
|The rule ID
getSessionEvent
|-
|-
|personal
|sessionEvent
|String
|SessionEvent
|personal
|The session event
getTag
getTag
getTimeStamp
getTimeStamp
Line 2,215: Line 2,285:
|The timestamp
|The timestamp
|}
|}
<section end='SmtpMessageAddressEvent' />
<section end='WebFilterEvent' />




== SmtpMessageEvent ==
== WebFilterQueryEvent ==
<section begin='SmtpMessageEvent' />
<section begin='WebFilterQueryEvent' />


These events are created by SMTP subsystem and inserted to the [[Database_Schema#mail_msgs|mail_msgs]] table for each email.
These events are created by [[Web Filter]] and inserted to the [[Database_Schema#http_query_events|http_query_events]] table when web filter processes a search engine search.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 2,227: Line 2,297:
! Type
! Type
! Description
! Description
getAddresses
getAppName
|-
|-
|addresses
|appName
|Set
|String
|The addresses
|The name of the application
getBlocked
|-
|blocked
|Boolean
|True if blocked, false otherwise
getClass
getClass
|-
|-
Line 2,237: Line 2,312:
|Class
|Class
|The class name
|The class name
getEnvelopeFromAddress
getContentLength
|-
|contentLength
|long
|The content length
getFlagged
|-
|-
|envelopeFromAddress
|flagged
|String
|Boolean
|The envelop FROM address
|True if flagged, false otherwise
getEnvelopeToAddress
getHost
|-
|-
|envelopeToAddress
|host
|String
|String
|The envelope TO address
|The host
getMessageId
getMethod
|-
|-
|messageId
|method
|Long
|HttpMethod
|The message ID
|The method
getPartitionTablePostfix
getPartitionTablePostfix
getReceiver
getRequestId
|-
|-
|receiver
|requestId
|String
|Long
|The receiver
|The request ID
getSender
getRequestUri
|-
|-
|sender
|requestUri
|String
|URI
|The sender
|The request URI
getSessionEvent
getSessionEvent
|-
|-
Line 2,268: Line 2,348:
|SessionEvent
|SessionEvent
|The session event
|The session event
getSessionId
getTag
getTerm
|-
|-
|sessionId
|term
|Long
|The session ID
getSubject
|-
|subject
|String
|String
|The subject
|The search term/phrase
getTag
getTimeStamp
getTimeStamp
|-
|-
Line 2,284: Line 2,359:
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getTmpFile
|-
|tmpFile
|File
|The /tmp file
|}
|}
<section end='SmtpMessageEvent' />
<section end='WebFilterQueryEvent' />




== CaptureRuleEvent ==
== WanFailoverTestEvent ==
<section begin='CaptureRuleEvent' />
<section begin='WanFailoverTestEvent' />


These events are created by [[Captive Portal]] and update the [[Database_Schema#sessions|sessions]] table when Captive Portal processes a session.
These events are created by [[WAN Failover]] and inserted to the [[Database_Schema#wan_failover_test_events|wan_failover_test_events]] table when a test is run.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 2,302: Line 2,372:
! Type
! Type
! Description
! Description
getCaptured
|-
|captured
|boolean
|True if captured, false otherwise
getClass
getClass
|-
|-
Line 2,312: Line 2,377:
|Class
|Class
|The class name
|The class name
getPartitionTablePostfix
getDescription
getRuleId
|-
|description
|String
|The description
getInterfaceId
|-
|-
|ruleId
|interfaceId
|Integer
|int
|The rule ID
|The interface ID
getSessionEvent
getName
|-
|-
|sessionEvent
|name
|SessionEvent
|String
|The session event
|The test name
getTag
getOsName
getTimeStamp
|-
|-
|timeStamp
|osName
|Timestamp
|String
|The timestamp
|The O/S interface name
|}
getPartitionTablePostfix
<section end='CaptureRuleEvent' />
getSuccess
|-
|success
|Boolean
|True if successful, false otherwise
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='WanFailoverTestEvent' />




== CaptivePortalUserEvent ==
== WanFailoverEvent ==
<section begin='CaptivePortalUserEvent' />
<section begin='WanFailoverEvent' />


These events are created by [[Captive Portal]] and inserted to the [[Database_Schema#captive_portal_user_events|captive_portal_user_events]] table when Captive Portal user takes an action.
These events are created by [[WAN Failover]] and inserted to the [[Database_Schema#wan_failover_action_events|wan_failover_action_events]] table when WAN Failover takes an action.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 2,342: Line 2,422:
! Type
! Type
! Description
! Description
getAuthenticationType
getAction
|-
|-
|authenticationType
|action
|CaptivePortalSettings$AuthenticationType
|WanFailoverEvent$Action
|The authentication type
|The action
getAuthenticationTypeValue
|-
|authenticationTypeValue
|String
|The authentication type as a string
getClass
getClass
|-
|-
Line 2,357: Line 2,432:
|Class
|Class
|The class name
|The class name
getClientAddr
getInterfaceId
|-
|-
|clientAddr
|interfaceId
|String
|int
|The client address
|The interface ID
getEvent
getName
|-
|-
|event
|name
|CaptivePortalUserEvent$EventType
|The event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
getEventValue
|-
|eventValue
|String
|String
|The event value as a string (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
|The name
getLoginName
getOsName
|-
|-
|loginName
|osName
|String
|String
|The login name
|The O/S interface name
getPartitionTablePostfix
getPartitionTablePostfix
getPolicyId
|-
|policyId
|Integer
|The policy ID
getTag
getTag
getTimeStamp
getTimeStamp
Line 2,390: Line 2,455:
|The timestamp
|The timestamp
|}
|}
<section end='CaptivePortalUserEvent' />
<section end='WanFailoverEvent' />




== AdBlockerEvent ==
== ThreatPreventionEvent ==
<section begin='AdBlockerEvent' />
<section begin='ThreatPreventionEvent' />


These events are created by [[Ad Blocker]] and update the [[Database_Schema#http_events|http_events]] table when an ad is blocked.
These events are created by [[Threat Prevention]] and inserted to the [[Database_Schema#sessions|sessions]] table for each threat lookup.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 2,402: Line 2,467:
! Type
! Type
! Description
! Description
getAction
getBlocked
|-
|-
|action
|blocked
|Action
|boolean
|The action
|True if blocked, false otherwise
getClass
getClass
|-
|-
Line 2,412: Line 2,477:
|Class
|Class
|The class name
|The class name
getClientCategories
|-
|clientCategories
|int
|Client threat categories
getClientReputation
|-
|clientReputation
|int
|Client threat reputation
getFlagged
|-
|flagged
|boolean
|True if flagged, false otherwise
getPartitionTablePostfix
getPartitionTablePostfix
getReason
getRuleId
|-
|ruleId
|long
|The rule ID
getServerCategories
|-
|serverCategories
|int
|Server threat categories
getServerReputation
|-
|-
|reason
|serverReputation
|String
|int
|The reason
|Server threat reputation
getRequestId
getSessionId
|-
|-
|requestId
|sessionId
|Long
|Long
|The request ID
|The session ID
getTag
getTag
getTimeStamp
getTimeStamp
Line 2,430: Line 2,520:
|The timestamp
|The timestamp
|}
|}
<section end='AdBlockerEvent' />
<section end='ThreatPreventionEvent' />




== CookieEvent ==
== ThreatPreventionHttpEvent ==
<section begin='CookieEvent' />
<section begin='ThreatPreventionHttpEvent' />


These events are created by [[Ad Blocker]] and update the [[Database_Schema#http_events|http_events]] table when a cookie is blocked.
These events are created by [[Threat Prevention]] and inserted to the [[Database_Schema#http_events|http_events]] table for each threat lookup.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 2,442: Line 2,532:
! Type
! Type
! Description
! Description
getClass
getBlocked
|-
|-
|class
|blocked
|Boolean
|True if blocked, false otherwise
getCategories
|-
|categories
|Integer
|Server threat categories
getClass
|-
|class
|Class
|Class
|The class name
|The class name
getIdentification
getFlagged
|-
|-
|identification
|flagged
|String
|Boolean
|The identification string
|True if flagged, false otherwise
getPartitionTablePostfix
getPartitionTablePostfix
getRequestId
getReputation
|-
|reputation
|Integer
|Server threat reputation
getRequestLine
|-
|requestLine
|RequestLine
|The request line
getRuleId
|-
|-
|requestId
|ruleId
|Long
|Integer
|The request ID
|The rule ID
getSessionEvent
getSessionEvent
|-
|-
Line 2,470: Line 2,580:
|The timestamp
|The timestamp
|}
|}
<section end='CookieEvent' />
<section end='ThreatPreventionHttpEvent' />




== HttpRequestEvent ==
== SpamLogEvent ==
<section begin='HttpRequestEvent' />
<section begin='SpamLogEvent' />


These events are created by HTTP subsystem and inserted to the [[Database_Schema#http_events|http_events]] table when a web request happens.
These events are created by [[Spam Blocker]] and update the [[Database_Schema#mail_msgs|mail_msgs]] table when an email is scanned.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 2,482: Line 2,592:
! Type
! Type
! Description
! Description
getClass
getAction
|-
|action
|SpamMessageAction
|The action
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getContentLength
getClientAddr
|-
|-
|contentLength
|clientAddr
|long
|InetAddress
|The content length
|The client address
getDomain
getClientPort
|-
|-
|domain
|clientPort
|String
|int
|The domain
|The client port
getHost
getMessageId
|-
|-
|host
|messageId
|String
|Long
|The host
|The message ID
getMethod
|-
|method
|HttpMethod
|The HTTP method
getPartitionTablePostfix
getPartitionTablePostfix
getReferer
getReceiver
|-
|-
|referer
|receiver
|String
|String
|The referer
|The receiver
getRequestId
getScore
|-
|score
|float
|The score
getSender
|-
|-
|requestId
|sender
|Long
|String
|The request ID
|The sender
getRequestUri
getServerAddr
|-
|-
|requestUri
|serverAddr
|URI
|InetAddress
|The request URI
|The server address
getSessionEvent
getServerPort
|-
|-
|sessionEvent
|serverPort
|SessionEvent
|int
|The session event
|The server port
getTag
getSmtpMessageEvent
getTimeStamp
|-
|-
|timeStamp
|smtpMessageEvent
|Timestamp
|SmtpMessageEvent
|The timestamp
|The parent SMTP message event
|}
isSpam
<section end='HttpRequestEvent' />
|-
|isSpam
|boolean
|True if spam, false otherwise
getSubject
|-
|subject
|String
|The subject
getTag
getTestsString
|-
|testsString
|String
|The tests string from the spam engine
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
getVendorName
|-
|vendorName
|String
|The application name
|}
<section end='SpamLogEvent' />




== HttpResponseEvent ==
== SpamSmtpTarpitEvent ==
<section begin='HttpResponseEvent' />
<section begin='SpamSmtpTarpitEvent' />


These events are created by HTTP subsystem and update the [[Database_Schema#http_events|http_events]] table when a web response happens.
These events are created by [[Spam Blocker]] and inserted to the [[Database_Schema#smtp_tarpit_events|smtp_tarpit_events]] table when a session is tarpitted.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 2,547: Line 2,687:
! Type
! Type
! Description
! Description
getIPAddr
|-
|IPAddr
|InetAddress
|The IP address
getClass
getClass
|-
|-
Line 2,552: Line 2,697:
|Class
|Class
|The class name
|The class name
getContentFilename
getHostname
|-
|-
|contentFilename
|hostname
|String
|String
|The content filename
|The hostname
getContentLength
getPartitionTablePostfix
getSessionEvent
|-
|-
|contentLength
|sessionEvent
|long
|SessionEvent
|The content length
|The session event
getContentType
getSessionId
|-
|-
|contentType
|sessionId
|String
|Long
|The content type
|The session ID
getHttpRequestEvent
getTag
getTimeStamp
|-
|-
|httpRequestEvent
|timeStamp
|HttpRequestEvent
|Timestamp
|The corresponding HTTP request event
|The timestamp
getPartitionTablePostfix
getVendorName
getRequestLine
|-
|-
|requestLine
|vendorName
|RequestLine
|String
|The request line
|The application name
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
|}
<section end='HttpResponseEvent' />
<section end='SpamSmtpTarpitEvent' />




== WebCacheEvent ==
== ConfigurationBackupEvent ==
<section begin='WebCacheEvent' />
<section begin='ConfigurationBackupEvent' />


These events are created by [[Web Cache]] and inserted to the [[Database_Schema#web_cache_stats|web_cache_stats]] table periodically.
These events are created by [[Configuration Backup]] and inserted to the [[Database_Schema#configuratio_backup_events|configuratio_backup_events]] table when a backup occurs.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 2,597: Line 2,737:
! Type
! Type
! Description
! Description
getBypassCount
|-
|bypassCount
|long
|The number of bypasses
getClass
getClass
|-
|-
Line 2,607: Line 2,742:
|Class
|Class
|The class name
|The class name
getHitBytes
getDestination
|-
|-
|hitBytes
|destination
|long
|String
|The number of bytes worth of hits
|The destination
getHitCount
getDetail
|-
|-
|hitCount
|detail
|long
|String
|The number of hits
|The details
getMissBytes
|-
|missBytes
|long
|The number of bytes worth of misses
getMissCount
|-
|missCount
|long
|The number of misses
getPartitionTablePostfix
getPartitionTablePostfix
getPolicyId
getSuccess
|-
|-
|policyId
|success
|Long
|boolean
|The policy ID
|True if successful, false otherwise
getSystemCount
|-
|systemCount
|long
|The number of system bypasses
getTag
getTag
getTimeStamp
getTimeStamp
Line 2,645: Line 2,765:
|The timestamp
|The timestamp
|}
|}
<section end='WebCacheEvent' />
<section end='ConfigurationBackupEvent' />




== TunnelVpnStatusEvent ==
== TunnelStatusEvent ==
<section begin='TunnelVpnStatusEvent' />
<section begin='TunnelStatusEvent' />


These events are created by [[Tunnel VPN]] and inserted to the [[Database_Schema#tunnel_vpn_stats|tunnel_vpn_stats]] table periodically.
These events are created by [[IPsec VPN]] and inserted to the [[Database_Schema#ipsec_tunnel_stats|ipsec_tunnel_stats]] table periodically.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 2,685: Line 2,805:
|The name of this tunnel
|The name of this tunnel
|}
|}
<section end='TunnelVpnStatusEvent' />
<section end='TunnelStatusEvent' />




== TunnelVpnEvent ==
== IpsecVpnEvent ==
<section begin='TunnelVpnEvent' />
<section begin='IpsecVpnEvent' />


These events are created by [[Tunnel VPN]] and inserted to the [[Database_Schema#tunnel_vpn_events|tunnel_vpn_events]] table when a tunnel connection event occurs.
These events are created by [[IPsec VPN]] and inserted to the [[Database_Schema#ipsec_vpn_events|ipsec_vpn_events]] table when IPsec connection event occurs.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 2,705: Line 2,825:
|-
|-
|eventType
|eventType
|TunnelVpnEvent$EventType
|IpsecVpnEvent$EventType
|The event type
|The event type
getLocalAddress
getLocalAddress
|-
|-
|localAddress
|localAddress
|InetAddress
|String
|The local host address
|The local host address
getPartitionTablePostfix
getPartitionTablePostfix
getServerAddress
getRemoteAddress
|-
|-
|serverAddress
|remoteAddress
|InetAddress
|String
|The server address
|The remote host address
getTag
getTag
getTimeStamp
getTimeStamp
Line 2,724: Line 2,844:
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getTunnelName
getTunnelDescription
|-
|-
|tunnelName
|tunnelDescription
|String
|String
|The name of this tunnel
|Description of tunnel
|}
|}
<section end='TunnelVpnEvent' />
<section end='IpsecVpnEvent' />




== IntrusionPreventionLogEvent ==
== VirtualUserEvent ==
<section begin='IntrusionPreventionLogEvent' />
<section begin='VirtualUserEvent' />


These events are created by [[Intrusion Prevention]] and inserted to the [[Database_Schema#intrusion_prevention_events|intrusion_prevention_events]] table when a rule matches.
These events are created by [[IPsec VPN]] and inserted to the [[Database_Schema#ipsec_user_events|ipsec_user_events]] table when a user event occurs.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 2,742: Line 2,862:
! Type
! Type
! Description
! Description
getBlocked
getClass
|-
|-
|blocked
|class
|boolean
|Class
|True if blocked, false otherwise
|The class name
getCategory
getClientAddress
|-
|clientAddress
|InetAddress
|The client address
getClientProtocol
|-
|-
|category
|clientProtocol
|String
|String
|The category
|The client protocol
getClass
getClientUsername
|-
|-
|class
|clientUsername
|Class
|String
|The class name
|The client username
getClassificationId
getElapsedTime
|-
|-
|classificationId
|elapsedTime
|long
|The classification ID
getClasstype
|-
|classtype
|String
|String
|The classtype
|The elapsed time
getDportIcode
|-
|dportIcode
|int
|The dportIcode
getEventId
getEventId
|-
|-
|eventId
|eventId
|long
|Long
|The event ID
|The event ID
getEventMicrosecond
getNetInterface
|-
|-
|eventMicrosecond
|netInterface
|long
|String
|The event microsecond
|The net interface
getEventSecond
getNetProcess
|-
|-
|eventSecond
|netProcess
|long
|String
|The event second
|The net process
getEventType
getNetRXbytes
|-
|-
|eventType
|netRXbytes
|long
|Long
|The event type
|The number of RX (received) bytes
getGeneratorId
getNetTXbytes
|-
|-
|generatorId
|netTXbytes
|long
|Long
|The generator ID
|The number of TX (transmitted) bytes
getImpact
getPartitionTablePostfix
getTag
getTimeStamp
|-
|-
|impact
|timeStamp
|short
|Timestamp
|The impact
|The timestamp
getImpactFlag
|}
<section end='VirtualUserEvent' />
 
 
== SslInspectorLogEvent ==
<section begin='SslInspectorLogEvent' />
 
These events are created by [[SSL Inspector]] and update the [[Database_Schema#sessions|sessions]] table when a session is processed by SSL Inspector.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|-
|impactFlag
|class
|short
|Class
|The impact flag
|The class name
getIpDestination
getDetail
|-
|-
|ipDestination
|detail
|InetAddress
|String
|The IP address destination
|The details
getIpSource
getPartitionTablePostfix
getRuleId
|-
|-
|ipSource
|ruleId
|InetAddress
|Integer
|The IP address source
|The rule ID
getMplsLabel
getSessionEvent
|-
|-
|mplsLabel
|sessionEvent
|long
|SessionEvent
|The mplsLabel
|The session event
getMsg
getStatus
|-
|-
|msg
|status
|String
|String
|The msg
|The status
getPadding
getTag
getTimeStamp
|-
|-
|padding
|timeStamp
|int
|Timestamp
|The padding
|The timestamp
getPartitionTablePostfix
|}
getPriorityId
<section end='SslInspectorLogEvent' />
|-
 
|priorityId
 
|long
== ApplicationControlLiteEvent ==
|The priority ID
<section begin='ApplicationControlLiteEvent' />
 
These events are created by [[Application Control Lite]] and update the [[Database_Schema#sessions|sessions]] table when application control lite identifies a session.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getBlocked
|-
|blocked
|boolean
|True if blocked, false otherwise
getClass
|-
|class
|Class
|The class name
getPartitionTablePostfix
getProtocol
getProtocol
|-
|-
|protocol
|protocol
|short
|String
|The protocol
|The protocol
getRid
getSessionId
|-
|-
|rid
|sessionId
|String
|Long
|Rule ID
|The session ID
getSensorId
getTag
getTimeStamp
|-
|-
|sensorId
|timeStamp
|long
|Timestamp
|The sensor ID
|The timestamp
getSignatureId
|-
|signatureId
|long
|The signature ID
getSignatureRevision
|-
|signatureRevision
|long
|The signature revision
getSportItype
|-
|sportItype
|int
|The sportItype
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
getVlanId
|-
|vlanId
|int
|The VLAN Id
|}
|}
<section end='IntrusionPreventionLogEvent' />
<section end='ApplicationControlLiteEvent' />




== AlertEvent ==
}
<section begin='AlertEvent' />
 
These events are created by [[Reports]] and inserted to the [[Database_Schema#alerts|alerts]] table when an alert fires.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getCause
|-
|cause
|LogEvent
|The cause
getClass
|-
|class
|Class
|The class name
getDescription
|-
|description
|String
|The description
getJson
|-
|json
|JSONObject
|The JSON string
getPartitionTablePostfix
getSummaryText
|-
|summaryText
|String
|The summary text
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='AlertEvent' />
 
 
== SmtpMessageAddressEvent ==
<section begin='SmtpMessageAddressEvent' />
 
These events are created by SMTP subsystem and inserted to the [[Database_Schema#mail_addrs|mail_addrs]] table for each address on each email.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getAddr
|-
|addr
|String
|The address
getClass
|-
|class
|Class
|The class name
getKind
|-
|kind
|AddressKind
|The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
getMessageId
|-
|messageId
|Long
|The message ID
getPartitionTablePostfix
getPersonal
|-
|personal
|String
|personal
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='SmtpMessageAddressEvent' />
 
 
== SmtpMessageEvent ==
<section begin='SmtpMessageEvent' />
 
These events are created by SMTP subsystem and inserted to the [[Database_Schema#mail_msgs|mail_msgs]] table for each email.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getAddresses
|-
|addresses
|Set
|The addresses
getClass
|-
|class
|Class
|The class name
getEnvelopeFromAddress
|-
|envelopeFromAddress
|String
|The envelop FROM address
getEnvelopeToAddress
|-
|envelopeToAddress
|String
|The envelope TO address
getMessageId
|-
|messageId
|Long
|The message ID
getPartitionTablePostfix
getReceiver
|-
|receiver
|String
|The receiver
getSender
|-
|sender
|String
|The sender
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getSessionId
|-
|sessionId
|Long
|The session ID
getSubject
|-
|subject
|String
|The subject
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
getTmpFile
|-
|tmpFile
|File
|The /tmp file
|}
<section end='SmtpMessageEvent' />
 
 
== ApplicationControlLogEvent ==
<section begin='ApplicationControlLogEvent' />
 
These events are created by [[Application Control]] and update the [[Database_Schema#sessions|sessions]] table when application control identifies a session.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getApplication
|-
|application
|String
|The application
getBlocked
|-
|blocked
|boolean
|True if blocked, false otherwise
getCategory
|-
|category
|String
|The category
getClass
|-
|class
|Class
|The class name
getConfidence
|-
|confidence
|Integer
|The confidence (0-100)
getDetail
|-
|detail
|String
|The details
getFlagged
|-
|flagged
|boolean
|True if flagged, false otherwise
getPartitionTablePostfix
getProtochain
|-
|protochain
|String
|The protochain
getRuleId
|-
|ruleId
|Integer
|The rule ID
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getState
|-
|state
|Integer
|The state
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='ApplicationControlLogEvent' />
 
 
== LoginEvent ==
<section begin='LoginEvent' />
 
These events are created by [[Directory Connector]] and inserted to the [[Database_Schema#directory_connector_login_events|directory_connector_login_events]] table for each login.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|class
|Class
|The class name
getClientAddr
|-
|clientAddr
|InetAddress
|The client address
getDomain
|-
|domain
|String
|The domain
getEvent
|-
|event
|String
|The event
getLoginName
|-
|loginName
|String
|The login name
getLoginType
|-
|loginType
|String
|W = Windows login, A=Active Directory, R=RADIUS, T=test
getPartitionTablePostfix
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='LoginEvent' />
 
 
== WebFilterEvent ==
<section begin='WebFilterEvent' />
 
These events are created by [[Web Filter]] and update the [[Database_Schema#http_events|http_events]] table when web filter processes a web request.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getAppName
|-
|appName
|String
|The name of the application
getBlocked
|-
|blocked
|Boolean
|True if blocked, false otherwise
getCategory
|-
|category
|String
|The category
getCategoryId
|-
|categoryId
|Integer
|Numeric value of matching category
getClass
|-
|class
|Class
|The class name
getFlagged
|-
|flagged
|Boolean
|True if flagged, false otherwise
getPartitionTablePostfix
getReason
|-
|reason
|Reason
|The reason
getRequestLine
|-
|requestLine
|RequestLine
|The request line
getRuleId
|-
|ruleId
|Integer
|The rule ID
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='WebFilterEvent' />
 
 
== WebFilterQueryEvent ==
<section begin='WebFilterQueryEvent' />
 
These events are created by [[Web Filter]] and inserted to the [[Database_Schema#http_query_events|http_query_events]] table when web filter processes a search engine search.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getAppName
|-
|appName
|String
|The name of the application
getBlocked
|-
|blocked
|Boolean
|True if blocked, false otherwise
getClass
|-
|class
|Class
|The class name
getContentLength
|-
|contentLength
|long
|The content length
getFlagged
|-
|flagged
|Boolean
|True if flagged, false otherwise
getHost
|-
|host
|String
|The host
getMethod
|-
|method
|HttpMethod
|The method
getPartitionTablePostfix
getRequestId
|-
|requestId
|Long
|The request ID
getRequestUri
|-
|requestUri
|URI
|The request URI
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getTag
getTerm
|-
|term
|String
|The search term/phrase
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='WebFilterQueryEvent' />
 
 
== WanFailoverTestEvent ==
<section begin='WanFailoverTestEvent' />
 
These events are created by [[WAN Failover]] and inserted to the [[Database_Schema#wan_failover_test_events|wan_failover_test_events]] table when a test is run.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|class
|Class
|The class name
getDescription
|-
|description
|String
|The description
getInterfaceId
|-
|interfaceId
|int
|The interface ID
getName
|-
|name
|String
|The test name
getOsName
|-
|osName
|String
|The O/S interface name
getPartitionTablePostfix
getSuccess
|-
|success
|Boolean
|True if successful, false otherwise
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='WanFailoverTestEvent' />
 
 
== WanFailoverEvent ==
<section begin='WanFailoverEvent' />
 
These events are created by [[WAN Failover]] and inserted to the [[Database_Schema#wan_failover_action_events|wan_failover_action_events]] table when WAN Failover takes an action.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getAction
|-
|action
|WanFailoverEvent$Action
|The action
getClass
|-
|class
|Class
|The class name
getInterfaceId
|-
|interfaceId
|int
|The interface ID
getName
|-
|name
|String
|The name
getOsName
|-
|osName
|String
|The O/S interface name
getPartitionTablePostfix
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='WanFailoverEvent' />
 
 
== CaptureRuleEvent ==
<section begin='CaptureRuleEvent' />
 
These events are created by [[Captive Portal]] and update the [[Database_Schema#sessions|sessions]] table when Captive Portal processes a session.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getCaptured
|-
|captured
|boolean
|True if captured, false otherwise
getClass
|-
|class
|Class
|The class name
getPartitionTablePostfix
getRuleId
|-
|ruleId
|Integer
|The rule ID
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='CaptureRuleEvent' />
 
 
== CaptivePortalUserEvent ==
<section begin='CaptivePortalUserEvent' />
 
These events are created by [[Captive Portal]] and inserted to the [[Database_Schema#captive_portal_user_events|captive_portal_user_events]] table when Captive Portal user takes an action.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getAuthenticationType
|-
|authenticationType
|CaptivePortalSettings$AuthenticationType
|The authentication type
getAuthenticationTypeValue
|-
|authenticationTypeValue
|String
|The authentication type as a string
getClass
|-
|class
|Class
|The class name
getClientAddr
|-
|clientAddr
|InetAddress
|The client address
getEvent
|-
|event
|CaptivePortalUserEvent$EventType
|The event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
getEventValue
|-
|eventValue
|String
|The event value as a string (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
getLoginName
|-
|loginName
|String
|The login name
getPartitionTablePostfix
getPolicyId
|-
|policyId
|Integer
|The policy ID
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='CaptivePortalUserEvent' />
 
 
== SpamLogEvent ==
<section begin='SpamLogEvent' />
 
These events are created by [[Spam Blocker]] and update the [[Database_Schema#mail_msgs|mail_msgs]] table when an email is scanned.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getAction
|-
|action
|SpamMessageAction
|The action
getClass
|-
|class
|Class
|The class name
getClientAddr
|-
|clientAddr
|InetAddress
|The client address
getClientPort
|-
|clientPort
|int
|The client port
getMessageId
|-
|messageId
|Long
|The message ID
getPartitionTablePostfix
getReceiver
|-
|receiver
|String
|The receiver
getScore
|-
|score
|float
|The score
getSender
|-
|sender
|String
|The sender
getServerAddr
|-
|serverAddr
|InetAddress
|The server address
getServerPort
|-
|serverPort
|int
|The server port
getSmtpMessageEvent
|-
|smtpMessageEvent
|SmtpMessageEvent
|The parent SMTP message event
isSpam
|-
|isSpam
|boolean
|True if spam, false otherwise
getSubject
|-
|subject
|String
|The subject
getTag
getTestsString
|-
|testsString
|String
|The tests string from the spam engine
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
getVendorName
|-
|vendorName
|String
|The application name
|}
<section end='SpamLogEvent' />
 
 
== SpamSmtpTarpitEvent ==
<section begin='SpamSmtpTarpitEvent' />
 
These events are created by [[Spam Blocker]] and inserted to the [[Database_Schema#smtp_tarpit_events|smtp_tarpit_events]] table when a session is tarpitted.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getIPAddr
|-
|IPAddr
|InetAddress
|The IP address
getClass
|-
|class
|Class
|The class name
getHostname
|-
|hostname
|String
|The hostname
getPartitionTablePostfix
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getSessionId
|-
|sessionId
|Long
|The session ID
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
getVendorName
|-
|vendorName
|String
|The application name
|}
<section end='SpamSmtpTarpitEvent' />
 
 
== ConfigurationBackupEvent ==
<section begin='ConfigurationBackupEvent' />
 
These events are created by [[Configuration Backup]] and inserted to the [[Database_Schema#configuratio_backup_events|configuratio_backup_events]] table when a backup occurs.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|class
|Class
|The class name
getDestination
|-
|destination
|String
|The destination
getDetail
|-
|detail
|String
|The details
getPartitionTablePostfix
getSuccess
|-
|success
|boolean
|True if successful, false otherwise
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='ConfigurationBackupEvent' />
 
 
== TunnelStatusEvent ==
<section begin='TunnelStatusEvent' />
 
These events are created by [[IPsec VPN]] and inserted to the [[Database_Schema#ipsec_tunnel_stats|ipsec_tunnel_stats]] table periodically.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|class
|Class
|The class name
getInBytes
|-
|inBytes
|long
|The number of bytes received from this tunnel
getOutBytes
|-
|outBytes
|long
|The number of bytes sent in this tunnel
getPartitionTablePostfix
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
getTunnelName
|-
|tunnelName
|String
|The name of this tunnel
|}
<section end='TunnelStatusEvent' />
 
 
== IpsecVpnEvent ==
<section begin='IpsecVpnEvent' />
 
These events are created by [[IPsec VPN]] and inserted to the [[Database_Schema#ipsec_vpn_events|ipsec_vpn_events]] table when IPsec connection event occurs.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|class
|Class
|The class name
getEventType
|-
|eventType
|IpsecVpnEvent$EventType
|The event type
getLocalAddress
|-
|localAddress
|String
|The local host address
getPartitionTablePostfix
getRemoteAddress
|-
|remoteAddress
|String
|The remote host address
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
getTunnelDescription
|-
|tunnelDescription
|String
|Description of tunnel
|}
<section end='IpsecVpnEvent' />
 
 
== VirtualUserEvent ==
<section begin='VirtualUserEvent' />
 
These events are created by [[IPsec VPN]] and inserted to the [[Database_Schema#ipsec_user_events|ipsec_user_events]] table when a user event occurs.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|class
|Class
|The class name
getClientAddress
|-
|clientAddress
|InetAddress
|The client address
getClientProtocol
|-
|clientProtocol
|String
|The client protocol
getClientUsername
|-
|clientUsername
|String
|The client username
getElapsedTime
|-
|elapsedTime
|String
|The elapsed time
getEventId
|-
|eventId
|Long
|The event ID
getNetInterface
|-
|netInterface
|String
|The net interface
getNetProcess
|-
|netProcess
|String
|The net process
getNetRXbytes
|-
|netRXbytes
|Long
|The number of RX (received) bytes
getNetTXbytes
|-
|netTXbytes
|Long
|The number of TX (transmitted) bytes
getPartitionTablePostfix
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='VirtualUserEvent' />
 
 
== SslInspectorLogEvent ==
<section begin='SslInspectorLogEvent' />
 
These events are created by [[SSL Inspector]] and update the [[Database_Schema#sessions|sessions]] table when a session is processed by SSL Inspector.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|class
|Class
|The class name
getDetail
|-
|detail
|String
|The details
getPartitionTablePostfix
getRuleId
|-
|ruleId
|Integer
|The rule ID
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getStatus
|-
|status
|String
|The status
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='SslInspectorLogEvent' />
 
 
== ApplicationControlLiteEvent ==
<section begin='ApplicationControlLiteEvent' />
 
These events are created by [[Application Control Lite]] and update the [[Database_Schema#sessions|sessions]] table when application control lite identifies a session.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getBlocked
|-
|blocked
|boolean
|True if blocked, false otherwise
getClass
|-
|class
|Class
|The class name
getPartitionTablePostfix
getProtocol
|-
|protocol
|String
|The protocol
getSessionId
|-
|sessionId
|Long
|The session ID
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='ApplicationControlLiteEvent' />
 
 
== HttpRequestEvent ==
<section begin='HttpRequestEvent' />
 
These events are created by HTTP subsystem and inserted to the [[Database_Schema#http_events|http_events]] table when a web request happens.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|class
|Class
|The class name
getContentLength
|-
|contentLength
|long
|The content length
getDomain
|-
|domain
|String
|The domain
getHost
|-
|host
|String
|The host
getMethod
|-
|method
|HttpMethod
|The HTTP method
getPartitionTablePostfix
getReferer
|-
|referer
|String
|The referer
getRequestId
|-
|requestId
|Long
|The request ID
getRequestUri
|-
|requestUri
|URI
|The request URI
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='HttpRequestEvent' />
 
 
== HttpResponseEvent ==
<section begin='HttpResponseEvent' />
 
These events are created by HTTP subsystem and update the [[Database_Schema#http_events|http_events]] table when a web response happens.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|class
|Class
|The class name
getContentLength
|-
|contentLength
|long
|The content length
getContentType
|-
|contentType
|String
|The content type
getHttpRequestEvent
|-
|httpRequestEvent
|HttpRequestEvent
|The corresponding HTTP request event
getPartitionTablePostfix
getRequestLine
|-
|requestLine
|RequestLine
|The request line
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='HttpResponseEvent' />
 
 
== IntrusionPreventionLogEvent ==
<section begin='IntrusionPreventionLogEvent' />
 
These events are created by [[Intrusion Prevention]] and inserted to the [[Database_Schema#intrusion_prevention_events|intrusion_prevention_events]] table when a rule matches.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getBlocked
|-
|blocked
|short
|True if blocked, false otherwise
getCategory
|-
|category
|String
|The category
getClass
|-
|class
|Class
|The class name
getClassificationId
|-
|classificationId
|long
|The classification ID
getClasstype
|-
|classtype
|String
|The classtype
getDportIcode
|-
|dportIcode
|int
|The dportIcode
getEventId
|-
|eventId
|long
|The event ID
getEventMicrosecond
|-
|eventMicrosecond
|long
|The event microsecond
getEventSecond
|-
|eventSecond
|long
|The event second
getEventType
|-
|eventType
|long
|The event type
getGeneratorId
|-
|generatorId
|long
|The generator ID
getImpact
|-
|impact
|short
|The impact
getImpactFlag
|-
|impactFlag
|short
|The impact flag
getIpDestination
|-
|ipDestination
|InetAddress
|The IP address destination
getIpSource
|-
|ipSource
|InetAddress
|The IP address source
getMplsLabel
|-
|mplsLabel
|long
|The mplsLabel
getMsg
|-
|msg
|String
|The msg
getPadding
|-
|padding
|int
|The padding
getPartitionTablePostfix
getPriorityId
|-
|priorityId
|long
|The priority ID
getProtocol
|-
|protocol
|short
|The protocol
getSensorId
|-
|sensorId
|long
|The sensor ID
getSignatureId
|-
|signatureId
|long
|The signature ID
getSignatureRevision
|-
|signatureRevision
|long
|The signature revision
getSportItype
|-
|sportItype
|int
|The sportItype
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
getVlanId
|-
|vlanId
|int
|The VLAN Id
|}
<section end='IntrusionPreventionLogEvent' />

Latest revision as of 15:36, 9 February 2020

All event data is stored in the Database Schema in a relational database. As Untangle and applications process traffic they create Event objects that add and modify content in the database. Each event has it's own class/object with certain fields that modify the database in a certain way.

The list below shows the classes used in the event logging and the attributes of each event object. These can be used to add alerts in Reports or for other event handling within Untangle.

SpamLogEvent

<section begin='SpamLogEvent' />

These events are created by Spam Blocker and update the mail_msgs table when an email is scanned.

Attribute Name Type Description

getAction

action SpamMessageAction The action

getClass

class Class The class name

getClientAddr

clientAddr InetAddress The client address

getClientPort

clientPort int The client port

getMessageId

messageId Long The message ID

getPartitionTablePostfix getReceiver

receiver String The receiver

getScore

score float The score

getSender

sender String The sender

getServerAddr

serverAddr InetAddress The server address

getServerPort

serverPort int The server port

getSmtpMessageEvent

smtpMessageEvent SmtpMessageEvent The parent SMTP message event

isSpam

isSpam boolean True if spam, false otherwise

getSubject

subject String The subject

getTag getTestsString

testsString String The tests string from the spam engine

getTimeStamp

timeStamp Timestamp The timestamp

getVendorName

vendorName String The application name

<section end='SpamLogEvent' />


SpamSmtpTarpitEvent

<section begin='SpamSmtpTarpitEvent' />

These events are created by Spam Blocker and inserted to the smtp_tarpit_events table when a session is tarpitted.

Attribute Name Type Description

getIPAddr

IPAddr InetAddress The IP address

getClass

class Class The class name

getHostname

hostname String The hostname

getPartitionTablePostfix getSessionEvent

sessionEvent SessionEvent The session event

getSessionId

sessionId Long The session ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

getVendorName

vendorName String The application name

<section end='SpamSmtpTarpitEvent' />


PrioritizeEvent

<section begin='PrioritizeEvent' />

These events are created by the Bandwidth Control and update the session table when a session is prioritized.

Attribute Name Type Description

getClass

class Class The class name

getPartitionTablePostfix getPriority

priority int The priority

getRuleId

ruleId int The rule ID

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='PrioritizeEvent' />


VirusFtpEvent

<section begin='VirusFtpEvent' />

These events are created by Virus Blocker and update the ftp_events table when Virus Blocker scans an FTP transfer.

Attribute Name Type Description

getAppName

appName String The name of the application

getClass

class Class The class name

getClean

clean boolean True if clean, false otherwise

getPartitionTablePostfix getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

getUri

uri String The URI

getVirusName

virusName String The virus name, if not clean

<section end='VirusFtpEvent' />


VirusHttpEvent

<section begin='VirusHttpEvent' />

These events are created by Virus Blocker and update the http_events table when Virus Blocker scans an HTTP transfer.

Attribute Name Type Description

getAppName

appName String The name of the application

getClass

class Class The class name

getClean

clean boolean True if clean, false otherwise

getPartitionTablePostfix getRequestLine

requestLine RequestLine The request line

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

getVirusName

virusName String The virus name, if not clean

<section end='VirusHttpEvent' />


VirusSmtpEvent

<section begin='VirusSmtpEvent' />

These events are created by Virus Blocker and update the mail_msgs table when Virus Blocker scans an email.

Attribute Name Type Description

getAction

action String The action

getAppName

appName String The name of the application

getClass

class Class The class name

getClean

clean boolean True if clean, false otherwise

getMessageId

messageId Long The message ID

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

getVirusName

virusName String The virus name, if not clean

<section end='VirusSmtpEvent' />


FirewallEvent

<section begin='FirewallEvent' />

These events are created by Firewall and update the sessions table when a firewall rule matches a session.

Attribute Name Type Description

getBlocked

blocked boolean True if blocked, false otherwise

getClass

class Class The class name

getFlagged

flagged boolean True if flagged, false otherwise

getPartitionTablePostfix getRuleId

ruleId long The rule ID

getSessionId

sessionId Long The session ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='FirewallEvent' />


OpenVpnStatusEvent

<section begin='OpenVpnStatusEvent' />

These events are created by OpenVPN and update the openvpn_stats table periodically.

Attribute Name Type Description

getAddress

address InetAddress The address

getBytesRxDelta

bytesRxDelta long The delta number of RX (received) bytes from the previous event

getBytesRxTotal

bytesRxTotal long The total number of RX (received) bytes

getBytesTxDelta

bytesTxDelta long The delta number of TX (transmitted) bytes from the previous event

getBytesTxTotal

bytesTxTotal long The total number of TX (transmitted) bytes

getClass

class Class The class name

getClientName

clientName String The client name

getEnd

end Timestamp The end

getPartitionTablePostfix getPoolAddress

poolAddress InetAddress The pool address

getPort

port int The port

getStart

start Timestamp The start

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='OpenVpnStatusEvent' />


OpenVpnEvent

<section begin='OpenVpnEvent' />

These events are created by OpenVPN and update the openvpn_events table when OpenVPN processes a client action.

Attribute Name Type Description

getAddress

address InetAddress The address

getClass

class Class The class name

getClientName

clientName String The client name

getPartitionTablePostfix getPoolAddress

poolAddress InetAddress The pool address

getTag getTimeStamp

timeStamp Timestamp The timestamp

getType

type OpenVpnEvent$EventType The type

<section end='OpenVpnEvent' />


AdminLoginEvent

<section begin='AdminLoginEvent' />

These events are created by the base system and inserted to the admin_logins table when an administrator login is attempted or successful.

Attribute Name Type Description

getClass

class Class The class name

getClientAddress

clientAddress InetAddress The client address

getLocal

local boolean 1 if login is done via local console, 0 otherwise

getLogin

login String The login username

getPartitionTablePostfix getReason

reason String The reason

getSucceeded

succeeded boolean 1 if successful, 0 otherwise

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='AdminLoginEvent' />


AlertEvent

<section begin='AlertEvent' />

These events are created by Reports and inserted to the alerts table when an alert fires.

Attribute Name Type Description

getCausalRule

causalRule EventRule The causal rule

getCause

cause LogEvent The cause

getClass

class Class The class name

getDescription

description String The description

getEventSent

eventSent Boolean True if the event was sent, false otherwise

getJson

json String The JSON string

getPartitionTablePostfix getSummaryText

summaryText String The summary text

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='AlertEvent' />


InterfaceStatEvent

<section begin='InterfaceStatEvent' />

These events are created by the base system and inserted to the interface_stat_events table periodically with interface stats.

Attribute Name Type Description

getClass

class Class The class name

getInterfaceId

interfaceId int The interface ID

getPartitionTablePostfix getRxBytes

rxBytes double The total of received bytes

getRxRate

rxRate double The RX rate in byte/s

getTag getTimeStamp

timeStamp Timestamp The timestamp

getTxBytes

txBytes double The total of transmitted bytes

getTxRate

txRate double The TX rate in byte/s

<section end='InterfaceStatEvent' />


LogEvent

<section begin='LogEvent' />

These base class for all events.

Attribute Name Type Description

getClass

class Class The class name

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='LogEvent' />


SystemStatEvent

<section begin='SystemStatEvent' />

These events are created by the base system and inserted to the server_events table periodically.

Attribute Name Type Description

getActiveHosts

activeHosts int The active host count

getClass

class Class The class name

getCpuSystem

cpuSystem float The system CPU utilization

getCpuUser

cpuUser float The user CPU utilization

getDiskFree

diskFree long The amount of disk free

getDiskFreePercent

diskFreePercent float The percentage of disk free

getDiskTotal

diskTotal long The total size of the disk

getDiskUsed

diskUsed long The amount of disk used

getDiskUsedPercent

diskUsedPercent float The percentage of disk used

getLoad1

load1 float The 1-minute CPU load

getLoad15

load15 float The 15-minute CPU load

getLoad5

load5 float The 5-minute CPU load

getMemBuffers

memBuffers long The amount of memory used by buffers

getMemCache

memCache long The amount of memory used by cache

getMemFree

memFree long The amount of free memory

getMemFreePercent

memFreePercent float The percentage of total memory that is free

getMemTotal

memTotal long The total amount of memory

getMemUsed

memUsed long The amount of used memory

getMemUsedPercent

memUsedPercent float The percentage of total memory that is used

getPartitionTablePostfix getSwapFree

swapFree long The amount of free swap

getSwapFreePercent

swapFreePercent float The percentage of total swap that is free

getSwapTotal

swapTotal long The total size of swap

getSwapUsed

swapUsed long The amount of used swap

getSwapUsedPercent

swapUsedPercent float The percentage of total swap that is used

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='SystemStatEvent' />


HostTableEvent

<section begin='HostTableEvent' />

These events are created by the base system and inserted to the host_table_updates table when the host table is modified.

Attribute Name Type Description

getAddress

address InetAddress The address

getClass

class Class The class name

getKey

key String The key

getOldValue

oldValue String The old value

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

getValue

value String The value

<section end='HostTableEvent' />


DeviceTableEvent

<section begin='DeviceTableEvent' />

These events are created by the base system and inserted to the device_table_updates table when the device list is modified.

Attribute Name Type Description

getClass

class Class The class name

getDevice

device DeviceTableEntry The Device

getKey

key String The key

getMacAddress

macAddress String The MAC address

getOldValue

oldValue String The old value

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

getValue

value String The value

<section end='DeviceTableEvent' />


SettingsChangesEvent

<section begin='SettingsChangesEvent' />

These events are created by the base system and inserted to the settings_changes table when settings are changed.

Attribute Name Type Description

getClass

class Class The class name

getHostname

hostname String The hostname

getPartitionTablePostfix getSettingsFile

settingsFile String The settings file

getTag getTimeStamp

timeStamp Timestamp The timestamp

getUsername

username String The username

<section end='SettingsChangesEvent' />


UserTableEvent

<section begin='UserTableEvent' />

These events are created by the base system and inserted to the user_table_updates table when the user table is modified.

Attribute Name Type Description

getClass

class Class The class name

getKey

key String The key

getOldValue

oldValue String The old value

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

getUsername

username String The username

getValue

value String The value

<section end='UserTableEvent' />


SessionMinuteEvent

<section begin='SessionMinuteEvent' />

These events are created by the base system and update the session_minutes table each minute a session exists.

Attribute Name Type Description

getC2sBytes

c2sBytes long The number of bytes sent from the client to the server

getClass

class Class The class name

getPartitionTablePostfix getS2cBytes

s2cBytes long The number of bytes sent from the server to the client

getSessionId

sessionId long The session ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='SessionMinuteEvent' />


SessionEvent

<section begin='SessionEvent' />

These events are created by the base system and update the sessions table each time a session is created.

Attribute Name Type Description

getCClientAddr

CClientAddr InetAddress The client-side (pre-NAT) client address

getCClientPort

CClientPort Integer The client-side (pre-NAT) client port

getCServerAddr

CServerAddr InetAddress The client-side (pre-NAT) server address

getCServerPort

CServerPort Integer The client-side (pre-NAT) server port

getSClientAddr

SClientAddr InetAddress The server-side (post-NAT) client address

getSClientPort

SClientPort Integer The server-side (post-NAT) client port

getSServerAddr

SServerAddr InetAddress The server-side (post-NAT) server address

getSServerPort

SServerPort Integer The server-side (post-NAT) server port

getBypassed

bypassed boolean True if bypassed, false otherwise

getClass

class Class The class name

getClientCountry

clientCountry String The client country

getClientIntf

clientIntf Integer The client interface ID

getClientLatitude

clientLatitude Double The client latitude

getClientLongitude

clientLongitude Double The client longitude

getEntitled

entitled boolean The entitled status

getFilterPrefix

filterPrefix String The filter prefix if blocked by the filter rules

getHostname

hostname String The hostname

getIcmpType

icmpType Short The ICMP type

getLocalAddr

localAddr InetAddress The local host address

getPartitionTablePostfix getPolicyId

policyId Integer The policy ID

getPolicyRuleId

policyRuleId Integer The policy rule ID

getProtocol

protocol Short The protocol

getProtocolName

protocolName String The protocol name

getRemoteAddr

remoteAddr InetAddress The remote host address

getServerCountry

serverCountry String The server country

getServerIntf

serverIntf Integer The server interface ID

getServerLatitude

serverLatitude Double The server latitude

getServerLongitude

serverLongitude Double The server longitude

getSessionId

sessionId Long The session ID

getTag getTagsString

tagsString String The string value of all tags

getTimeStamp

timeStamp Timestamp The timestamp

getUsername

username String The username

<section end='SessionEvent' />


SessionStatsEvent

<section begin='SessionStatsEvent' />

These events are created by the base system and update the sessions table when a session ends with the updated stats.

Attribute Name Type Description

getC2pBytes

c2pBytes long The number of bytes sent from the client to Untangle

getClass

class Class The class name

getEndTime

endTime long The end time/date

getP2cBytes

p2cBytes long The number of bytes sent to the client from Untangle

getP2sBytes

p2sBytes long The number of bytes sent to the server from Untangle

getPartitionTablePostfix getS2pBytes

s2pBytes long The number of bytes sent from the server to Untangle

getSessionEvent

sessionEvent SessionEvent The session event

getSessionId

sessionId Long The session ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='SessionStatsEvent' />


SessionNatEvent

<section begin='SessionNatEvent' />

These events are created by the base system and update the sessions table each time a session is NATd with the post-NAT information.

Attribute Name Type Description

getSClientAddr

SClientAddr InetAddress The server-side (post-NAT) client address

getSClientPort

SClientPort Integer The server-side (post-NAT) client port

getSServerAddr

SServerAddr InetAddress The server-side (post-NAT) server address

getSServerPort

SServerPort Integer The server-side (post-NAT) server port

getClass

class Class The class name

getPartitionTablePostfix getServerIntf

serverIntf Integer The server interface ID

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='SessionNatEvent' />


QuotaEvent

<section begin='QuotaEvent' />

These events are created by the Bandwidth Control and inserted or update the quotas table when quotas are given or exceeded.

Attribute Name Type Description

getAction

action int The action (1=Quota Given, 2=Quota Exceeded)

getClass

class Class The class name

getEntity

entity String The entity

getPartitionTablePostfix getQuotaSize

quotaSize long The quota size

getReason

reason String The reason

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='QuotaEvent' />


SmtpMessageAddressEvent

<section begin='SmtpMessageAddressEvent' />

These events are created by SMTP subsystem and inserted to the mail_addrs table for each address on each email.

Attribute Name Type Description

getAddr

addr String The address

getClass

class Class The class name

getKind

kind AddressKind The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)

getMessageId

messageId Long The message ID

getPartitionTablePostfix getPersonal

personal String personal

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='SmtpMessageAddressEvent' />


SmtpMessageEvent

<section begin='SmtpMessageEvent' />

These events are created by SMTP subsystem and inserted to the mail_msgs table for each email.

Attribute Name Type Description

getAddresses

addresses Set The addresses

getClass

class Class The class name

getEnvelopeFromAddress

envelopeFromAddress String The envelop FROM address

getEnvelopeToAddress

envelopeToAddress String The envelope TO address

getMessageId

messageId Long The message ID

getPartitionTablePostfix getReceiver

receiver String The receiver

getSender

sender String The sender

getSessionEvent

sessionEvent SessionEvent The session event

getSessionId

sessionId Long The session ID

getSubject

subject String The subject

getTag getTimeStamp

timeStamp Timestamp The timestamp

getTmpFile

tmpFile File The /tmp file

<section end='SmtpMessageEvent' />


CaptureRuleEvent

<section begin='CaptureRuleEvent' />

These events are created by Captive Portal and update the sessions table when Captive Portal processes a session.

Attribute Name Type Description

getCaptured

captured boolean True if captured, false otherwise

getClass

class Class The class name

getPartitionTablePostfix getRuleId

ruleId Integer The rule ID

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='CaptureRuleEvent' />


CaptivePortalUserEvent

<section begin='CaptivePortalUserEvent' />

These events are created by Captive Portal and inserted to the captive_portal_user_events table when Captive Portal user takes an action.

Attribute Name Type Description

getAuthenticationType

authenticationType CaptivePortalSettings$AuthenticationType The authentication type

getAuthenticationTypeValue

authenticationTypeValue String The authentication type as a string

getClass

class Class The class name

getClientAddr

clientAddr String The client address

getEvent

event CaptivePortalUserEvent$EventType The event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)

getEventValue

eventValue String The event value as a string (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)

getLoginName

loginName String The login name

getPartitionTablePostfix getPolicyId

policyId Integer The policy ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='CaptivePortalUserEvent' />


AdBlockerEvent

<section begin='AdBlockerEvent' />

These events are created by Ad Blocker and update the http_events table when an ad is blocked.

Attribute Name Type Description

getAction

action Action The action

getClass

class Class The class name

getPartitionTablePostfix getReason

reason String The reason

getRequestId

requestId Long The request ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='AdBlockerEvent' />


CookieEvent

<section begin='CookieEvent' />

These events are created by Ad Blocker and update the http_events table when a cookie is blocked.

Attribute Name Type Description

getClass

class Class The class name

getIdentification

identification String The identification string

getPartitionTablePostfix getRequestId

requestId Long The request ID

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='CookieEvent' />


HttpRequestEvent

<section begin='HttpRequestEvent' />

These events are created by HTTP subsystem and inserted to the http_events table when a web request happens.

Attribute Name Type Description

getClass

class Class The class name

getContentLength

contentLength long The content length

getDomain

domain String The domain

getHost

host String The host

getMethod

method HttpMethod The HTTP method

getPartitionTablePostfix getReferer

referer String The referer

getRequestId

requestId Long The request ID

getRequestUri

requestUri URI The request URI

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='HttpRequestEvent' />


HttpResponseEvent

<section begin='HttpResponseEvent' />

These events are created by HTTP subsystem and update the http_events table when a web response happens.

Attribute Name Type Description

getClass

class Class The class name

getContentFilename

contentFilename String The content filename

getContentLength

contentLength long The content length

getContentType

contentType String The content type

getHttpRequestEvent

httpRequestEvent HttpRequestEvent The corresponding HTTP request event

getPartitionTablePostfix getRequestLine

requestLine RequestLine The request line

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='HttpResponseEvent' />


WebCacheEvent

<section begin='WebCacheEvent' />

These events are created by Web Cache and inserted to the web_cache_stats table periodically.

Attribute Name Type Description

getBypassCount

bypassCount long The number of bypasses

getClass

class Class The class name

getHitBytes

hitBytes long The number of bytes worth of hits

getHitCount

hitCount long The number of hits

getMissBytes

missBytes long The number of bytes worth of misses

getMissCount

missCount long The number of misses

getPartitionTablePostfix getPolicyId

policyId Long The policy ID

getSystemCount

systemCount long The number of system bypasses

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='WebCacheEvent' />


TunnelVpnStatusEvent

<section begin='TunnelVpnStatusEvent' />

These events are created by Tunnel VPN and inserted to the tunnel_vpn_stats table periodically.

Attribute Name Type Description

getClass

class Class The class name

getInBytes

inBytes long The number of bytes received from this tunnel

getOutBytes

outBytes long The number of bytes sent in this tunnel

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

getTunnelName

tunnelName String The name of this tunnel

<section end='TunnelVpnStatusEvent' />


TunnelVpnEvent

<section begin='TunnelVpnEvent' />

These events are created by Tunnel VPN and inserted to the tunnel_vpn_events table when a tunnel connection event occurs.

Attribute Name Type Description

getClass

class Class The class name

getEventType

eventType TunnelVpnEvent$EventType The event type

getLocalAddress

localAddress InetAddress The local host address

getPartitionTablePostfix getServerAddress

serverAddress InetAddress The server address

getTag getTimeStamp

timeStamp Timestamp The timestamp

getTunnelName

tunnelName String The name of this tunnel

<section end='TunnelVpnEvent' />


IntrusionPreventionLogEvent

<section begin='IntrusionPreventionLogEvent' />

These events are created by Intrusion Prevention and inserted to the intrusion_prevention_events table when a rule matches.

Attribute Name Type Description

getBlocked

blocked boolean True if blocked, false otherwise

getCategory

category String The category

getClass

class Class The class name

getClassificationId

classificationId long The classification ID

getClasstype

classtype String The classtype

getDportIcode

dportIcode int The dportIcode

getEventId

eventId long The event ID

getEventMicrosecond

eventMicrosecond long The event microsecond

getEventSecond

eventSecond long The event second

getEventType

eventType long The event type

getGeneratorId

generatorId long The generator ID

getImpact

impact short The impact

getImpactFlag

impactFlag short The impact flag

getIpDestination

ipDestination InetAddress The IP address destination

getIpSource

ipSource InetAddress The IP address source

getMplsLabel

mplsLabel long The mplsLabel

getMsg

msg String The msg

getPadding

padding int The padding

getPartitionTablePostfix getPriorityId

priorityId long The priority ID

getProtocol

protocol short The protocol

getRid

rid String Rule ID

getSensorId

sensorId long The sensor ID

getSignatureId

signatureId long The signature ID

getSignatureRevision

signatureRevision long The signature revision

getSportItype

sportItype int The sportItype

getTag getTimeStamp

timeStamp Timestamp The timestamp

getVlanId

vlanId int The VLAN Id

<section end='IntrusionPreventionLogEvent' />


ApplicationControlLogEvent

<section begin='ApplicationControlLogEvent' />

These events are created by Application Control and update the sessions table when application control identifies a session.

Attribute Name Type Description

getApplication

application String The application

getBlocked

blocked boolean True if blocked, false otherwise

getCategory

category String The category

getClass

class Class The class name

getConfidence

confidence Integer The confidence (0-100)

getDetail

detail String The details

getFlagged

flagged boolean True if flagged, false otherwise

getPartitionTablePostfix getProtochain

protochain String The protochain

getRuleId

ruleId Integer The rule ID

getSessionEvent

sessionEvent SessionEvent The session event

getState

state Integer The state

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='ApplicationControlLogEvent' />


LoginEvent

<section begin='LoginEvent' />

These events are created by Directory Connector and inserted to the directory_connector_login_events table for each login.

Attribute Name Type Description

getClass

class Class The class name

getClientAddr

clientAddr InetAddress The client address

getDomain

domain String The domain

getEvent

event String The event

getLoginName

loginName String The login name

getLoginType

loginType String W = Windows login, A=Active Directory, R=RADIUS, T=test

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='LoginEvent' />


WebFilterEvent

<section begin='WebFilterEvent' />

These events are created by Web Filter and update the http_events table when web filter processes a web request.

Attribute Name Type Description

getAppName

appName String The name of the application

getBlocked

blocked Boolean True if blocked, false otherwise

getCategory

category String The category

getCategoryId

categoryId Integer Numeric value of matching category

getClass

class Class The class name

getFlagged

flagged Boolean True if flagged, false otherwise

getPartitionTablePostfix getReason

reason Reason The reason

getRequestLine

requestLine RequestLine The request line

getRuleId

ruleId Integer The rule ID

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='WebFilterEvent' />


WebFilterQueryEvent

<section begin='WebFilterQueryEvent' />

These events are created by Web Filter and inserted to the http_query_events table when web filter processes a search engine search.

Attribute Name Type Description

getAppName

appName String The name of the application

getBlocked

blocked Boolean True if blocked, false otherwise

getClass

class Class The class name

getContentLength

contentLength long The content length

getFlagged

flagged Boolean True if flagged, false otherwise

getHost

host String The host

getMethod

method HttpMethod The method

getPartitionTablePostfix getRequestId

requestId Long The request ID

getRequestUri

requestUri URI The request URI

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTerm

term String The search term/phrase

getTimeStamp

timeStamp Timestamp The timestamp

<section end='WebFilterQueryEvent' />


WanFailoverTestEvent

<section begin='WanFailoverTestEvent' />

These events are created by WAN Failover and inserted to the wan_failover_test_events table when a test is run.

Attribute Name Type Description

getClass

class Class The class name

getDescription

description String The description

getInterfaceId

interfaceId int The interface ID

getName

name String The test name

getOsName

osName String The O/S interface name

getPartitionTablePostfix getSuccess

success Boolean True if successful, false otherwise

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='WanFailoverTestEvent' />


WanFailoverEvent

<section begin='WanFailoverEvent' />

These events are created by WAN Failover and inserted to the wan_failover_action_events table when WAN Failover takes an action.

Attribute Name Type Description

getAction

action WanFailoverEvent$Action The action

getClass

class Class The class name

getInterfaceId

interfaceId int The interface ID

getName

name String The name

getOsName

osName String The O/S interface name

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='WanFailoverEvent' />


ThreatPreventionEvent

<section begin='ThreatPreventionEvent' />

These events are created by Threat Prevention and inserted to the sessions table for each threat lookup.

Attribute Name Type Description

getBlocked

blocked boolean True if blocked, false otherwise

getClass

class Class The class name

getClientCategories

clientCategories int Client threat categories

getClientReputation

clientReputation int Client threat reputation

getFlagged

flagged boolean True if flagged, false otherwise

getPartitionTablePostfix getRuleId

ruleId long The rule ID

getServerCategories

serverCategories int Server threat categories

getServerReputation

serverReputation int Server threat reputation

getSessionId

sessionId Long The session ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='ThreatPreventionEvent' />


ThreatPreventionHttpEvent

<section begin='ThreatPreventionHttpEvent' />

These events are created by Threat Prevention and inserted to the http_events table for each threat lookup.

Attribute Name Type Description

getBlocked

blocked Boolean True if blocked, false otherwise

getCategories

categories Integer Server threat categories

getClass

class Class The class name

getFlagged

flagged Boolean True if flagged, false otherwise

getPartitionTablePostfix getReputation

reputation Integer Server threat reputation

getRequestLine

requestLine RequestLine The request line

getRuleId

ruleId Integer The rule ID

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='ThreatPreventionHttpEvent' />


SpamLogEvent

<section begin='SpamLogEvent' />

These events are created by Spam Blocker and update the mail_msgs table when an email is scanned.

Attribute Name Type Description

getAction

action SpamMessageAction The action

getClass

class Class The class name

getClientAddr

clientAddr InetAddress The client address

getClientPort

clientPort int The client port

getMessageId

messageId Long The message ID

getPartitionTablePostfix getReceiver

receiver String The receiver

getScore

score float The score

getSender

sender String The sender

getServerAddr

serverAddr InetAddress The server address

getServerPort

serverPort int The server port

getSmtpMessageEvent

smtpMessageEvent SmtpMessageEvent The parent SMTP message event

isSpam

isSpam boolean True if spam, false otherwise

getSubject

subject String The subject

getTag getTestsString

testsString String The tests string from the spam engine

getTimeStamp

timeStamp Timestamp The timestamp

getVendorName

vendorName String The application name

<section end='SpamLogEvent' />


SpamSmtpTarpitEvent

<section begin='SpamSmtpTarpitEvent' />

These events are created by Spam Blocker and inserted to the smtp_tarpit_events table when a session is tarpitted.

Attribute Name Type Description

getIPAddr

IPAddr InetAddress The IP address

getClass

class Class The class name

getHostname

hostname String The hostname

getPartitionTablePostfix getSessionEvent

sessionEvent SessionEvent The session event

getSessionId

sessionId Long The session ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

getVendorName

vendorName String The application name

<section end='SpamSmtpTarpitEvent' />


ConfigurationBackupEvent

<section begin='ConfigurationBackupEvent' />

These events are created by Configuration Backup and inserted to the configuratio_backup_events table when a backup occurs.

Attribute Name Type Description

getClass

class Class The class name

getDestination

destination String The destination

getDetail

detail String The details

getPartitionTablePostfix getSuccess

success boolean True if successful, false otherwise

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='ConfigurationBackupEvent' />


TunnelStatusEvent

<section begin='TunnelStatusEvent' />

These events are created by IPsec VPN and inserted to the ipsec_tunnel_stats table periodically.

Attribute Name Type Description

getClass

class Class The class name

getInBytes

inBytes long The number of bytes received from this tunnel

getOutBytes

outBytes long The number of bytes sent in this tunnel

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

getTunnelName

tunnelName String The name of this tunnel

<section end='TunnelStatusEvent' />


IpsecVpnEvent

<section begin='IpsecVpnEvent' />

These events are created by IPsec VPN and inserted to the ipsec_vpn_events table when IPsec connection event occurs.

Attribute Name Type Description

getClass

class Class The class name

getEventType

eventType IpsecVpnEvent$EventType The event type

getLocalAddress

localAddress String The local host address

getPartitionTablePostfix getRemoteAddress

remoteAddress String The remote host address

getTag getTimeStamp

timeStamp Timestamp The timestamp

getTunnelDescription

tunnelDescription String Description of tunnel

<section end='IpsecVpnEvent' />


VirtualUserEvent

<section begin='VirtualUserEvent' />

These events are created by IPsec VPN and inserted to the ipsec_user_events table when a user event occurs.

Attribute Name Type Description

getClass

class Class The class name

getClientAddress

clientAddress InetAddress The client address

getClientProtocol

clientProtocol String The client protocol

getClientUsername

clientUsername String The client username

getElapsedTime

elapsedTime String The elapsed time

getEventId

eventId Long The event ID

getNetInterface

netInterface String The net interface

getNetProcess

netProcess String The net process

getNetRXbytes

netRXbytes Long The number of RX (received) bytes

getNetTXbytes

netTXbytes Long The number of TX (transmitted) bytes

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='VirtualUserEvent' />


SslInspectorLogEvent

<section begin='SslInspectorLogEvent' />

These events are created by SSL Inspector and update the sessions table when a session is processed by SSL Inspector.

Attribute Name Type Description

getClass

class Class The class name

getDetail

detail String The details

getPartitionTablePostfix getRuleId

ruleId Integer The rule ID

getSessionEvent

sessionEvent SessionEvent The session event

getStatus

status String The status

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='SslInspectorLogEvent' />


ApplicationControlLiteEvent

<section begin='ApplicationControlLiteEvent' />

These events are created by Application Control Lite and update the sessions table when application control lite identifies a session.

Attribute Name Type Description

getBlocked

blocked boolean True if blocked, false otherwise

getClass

class Class The class name

getPartitionTablePostfix getProtocol

protocol String The protocol

getSessionId

sessionId Long The session ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='ApplicationControlLiteEvent' />


}