Event Definitions: Difference between revisions

From Edge Threat Management Wiki - Arista
 
(7 intermediate revisions by 2 users not shown)
Line 1: Line 1:
All event data is stored in the [[Global DB Schema]] in a relational database. As Untangle and applications process traffic they create Event objects that add and modify content in the database.
<span style="display:none" class="helpSource events">Events</span>
<span style="display:none" class="helpSource events_syslog">Events</span>
<span style="display:none" class="helpSource events_alert_rules">Events</span>
 
All event data is stored in the [[Database Schema]] in a relational database. As Untangle and applications process traffic they create Event objects that add and modify content in the database.
Each event has it's own class/object with certain fields that modify the database in a certain way.  
Each event has it's own class/object with certain fields that modify the database in a certain way.  


The list below shows the classes used in the event logging and the column fields available within each event. These can be used to add Alert Events or for other event handling within Untangle.  
The list below shows the classes used in the event logging and the attributes of each event object. These can be used to add alerts in [[Reports]] or for other event handling within Untangle.  


== HostTableEvent ==
== SpamLogEvent ==
<section begin='HostTableEvent' />
<section begin='SpamLogEvent' />


These events are created by the base system and inserted to the [[Global_DB_schema#host_table_updates|host_table_updates]] table when the host table is modified.
These events are created by [[Spam Blocker]] and update the [[Database_Schema#mail_msgs|mail_msgs]] table when an email is scanned.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
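Review bot: The sentence "Each event has it's own class/object with certain fields" is carried into the new revision unchanged, with the possessive misspelled; it should read "its own class/object". Since this paragraph is already being touched to rename the schema link and to point readers at [[Reports]], fix the wording in the same edit.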
Line 13: Line 17:
! Type
! Type
! Description
! Description
getAction
|-
|-
|address
|action
|InetAddress
|SpamMessageAction
|The address
|The action
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getClientAddr
|-
|clientAddr
|InetAddress
|The client address
getClientPort
|-
|-
|key
|clientPort
|String
|int
|The key
|The client port
getMessageId
|-
|-
|timeStamp
|messageId
|Timestamp
|Long
|The timestamp
|The message ID
getPartitionTablePostfix
getReceiver
|-
|-
|value
|receiver
|String
|String
|The value
|The receiver
|}
getScore
<section end='HostTableEvent' />
 
 
== DeviceTableEvent ==
<section begin='DeviceTableEvent' />
 
These events are created by the base system and inserted to the [[Global_DB_schema#device_table_updates|device_table_updates]] table when the device list is modified.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|-
|class
|score
|Class
|float
|The class name
|The score
getSender
|-
|-
|device
|sender
|DeviceTableEntry
|The Device
|-
|key
|String
|String
|The key
|The sender
getServerAddr
|-
|-
|macAddress
|serverAddr
|String
|InetAddress
|The MAC address
|The server address
getServerPort
|-
|serverPort
|int
|The server port
getSmtpMessageEvent
|-
|smtpMessageEvent
|SmtpMessageEvent
|The parent SMTP message event
isSpam
|-
|isSpam
|boolean
|True if spam, false otherwise
getSubject
|-
|subject
|String
|The subject
getTag
getTestsString
|-
|testsString
|String
|The tests string from the spam engine
getTimeStamp
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getVendorName
|-
|-
|value
|vendorName
|String
|String
|The value
|The application name
|}
|}
<section end='DeviceTableEvent' />
<section end='SpamLogEvent' />




== PenaltyBoxEvent ==
== SpamSmtpTarpitEvent ==
<section begin='PenaltyBoxEvent' />
<section begin='SpamSmtpTarpitEvent' />


These events are created by the [[Bandwidth Control]] and inserted to the [[Global_DB_schema#penaltybox|penaltybox]] table.
These events are created by [[Spam Blocker]] and inserted to the [[Database_Schema#smtp_tarpit_events|smtp_tarpit_events]] table when a session is tarpitted.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 83: Line 112:
! Type
! Type
! Description
! Description
getIPAddr
|-
|-
|action
|IPAddr
|int
|InetAddress
|The action
|The IP address
|-
getClass
|address
|InetAddress
|The address
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getHostname
|-
|hostname
|String
|The hostname
getPartitionTablePostfix
getSessionEvent
|-
|-
|entryTime
|sessionEvent
|Timestamp
|SessionEvent
|The entry time
|The session event
getSessionId
|-
|-
|exitTime
|sessionId
|Timestamp
|Long
|The exit time
|The session ID
getTag
getTimeStamp
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getVendorName
|-
|vendorName
|String
|The application name
|}
|}
<section end='PenaltyBoxEvent' />
<section end='SpamSmtpTarpitEvent' />




== SessionStatsEvent ==
== PrioritizeEvent ==
<section begin='SessionStatsEvent' />
<section begin='PrioritizeEvent' />


These events are created by the base system and update the [[Global_DB_schema#sessions|sessions]] table when a session ends with the updated stats.
These events are created by the [[Bandwidth Control]] and update the [[Database_Schema#sessions|session]] table when a session is prioritized.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
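Review bot: The new SpamSmtpTarpitEvent row names its attribute IPAddr with leading capitals, while the other rows in the same table (hostname, sessionEvent, sessionId, vendorName) are lower camel case. If the name was derived from getIPAddr, confirm which spelling an alert rule condition has to use and say so in the description, because a rule written against the wrong case may never match.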
Line 120: Line 162:
! Type
! Type
! Description
! Description
getClass
|-
|-
|c2pBytes
|class
|long
|Class
|The number of bytes sent from the client to Untangle
|-
|c2pChunks
|long
|The number of chunks/packets sent from the client to Untangle
|-
|class
|Class
|The class name
|The class name
getPartitionTablePostfix
getPriority
|-
|-
|p2cBytes
|priority
|long
|int
|The number of bytes sent to the client from Untangle
|The priority
getRuleId
|-
|-
|p2cChunks
|ruleId
|long
|int
|The number of chunks/packets sent to the client from Untangle
|The rule ID
getSessionEvent
|-
|-
|p2sBytes
|sessionEvent
|long
|SessionEvent
|The number of bytes sent to the server from Untangle
|The session event
getTag
getTimeStamp
|-
|-
|p2sChunks
|timeStamp
|long
|Timestamp
|The number of chunks/packets sent to the server from Untangle
|The timestamp
|-
|}
|s2pBytes
<section end='PrioritizeEvent' />
|long
|The number of bytes sent from the server to Untangle
|-
|s2pChunks
|long
|The number of chunks/packets sent from the server to Untangle
|-
|sessionId
|Long
|The session ID
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='SessionStatsEvent' />




== SessionEvent ==
== VirusFtpEvent ==
<section begin='SessionEvent' />
<section begin='VirusFtpEvent' />


These events are created by the base system and update the [[Global_DB_schema#sessions|sessions]] table each time a session is created.
These events are created by [[Virus Blocker]] and update the [[Database_Schema#ftp_events|ftp_events]] table when Virus Blocker scans an FTP transfer.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 177: Line 202:
! Type
! Type
! Description
! Description
getAppName
|-
|-
|cClientAddr
|appName
|InetAddress
|String
|The client-side (pre-NAT) client address
|The name of the application
getClass
|-
|-
|cClientPort
|class
|Integer
|Class
|The client-side (pre-NAT) client port
|The class name
getClean
|-
|-
|cServerAddr
|clean
|InetAddress
|boolean
|The client-side (pre-NAT) server address
|True if clean, false otherwise
getPartitionTablePostfix
getSessionEvent
|-
|-
|cServerPort
|sessionEvent
|Integer
|SessionEvent
|The client-side (pre-NAT) server port
|The session event
getTag
getTimeStamp
|-
|-
|sClientAddr
|timeStamp
|InetAddress
|Timestamp
|The server-side (post-NAT) client address
|The timestamp
getUri
|-
|-
|sClientPort
|uri
|Integer
|String
|The server-side (post-NAT) client port
|The URI
getVirusName
|-
|-
|sServerAddr
|virusName
|InetAddress
|String
|The server-side (post-NAT) server address
|The virus name, if not clean
|-
|}
|sServerPort
<section end='VirusFtpEvent' />
|Integer
 
|The server-side (post-NAT) server port
 
|-
== VirusHttpEvent ==
|bypassed
<section begin='VirusHttpEvent' />
|boolean
 
|True if bypassed, false otherwise
These events are created by [[Virus Blocker]] and update the [[Database_Schema#http_events|http_events]] table when Virus Blocker scans an HTTP transfer.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getAppName
|-
|appName
|String
|The name of the application
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getClean
|-
|-
|clientIntf
|clean
|Integer
|The client interface ID
|-
|entitled
|boolean
|boolean
|The entitled status
|True if clean, false otherwise
getPartitionTablePostfix
getRequestLine
|-
|-
|filterPrefix
|requestLine
|String
|RequestLine
|The filter prefix if blocked by the filter rules
|The request line
getSessionEvent
|-
|-
|hostname
|sessionEvent
|String
|SessionEvent
|The hostname
|The session event
|-
getTag
|icmpType
getTimeStamp
|Short
|The ICMP type
|-
|policyId
|Long
|The policy ID
|-
|protocol
|Short
|The protocol
|-
|protocolName
|String
|The protocol name
|-
|serverIntf
|Integer
|The server interface ID
|-
|sessionId
|Long
|The session ID
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getVirusName
|-
|-
|username
|virusName
|String
|String
|The username
|The virus name, if not clean
|}
|}
<section end='SessionEvent' />
<section end='VirusHttpEvent' />




== SessionNatEvent ==
== VirusSmtpEvent ==
<section begin='SessionNatEvent' />
<section begin='VirusSmtpEvent' />


These events are created by the base system and update the [[Global_DB_schema#sessions|sessions]] table each time a session is NATd with the post-NAT information.
These events are created by [[Virus Blocker]] and update the [[Database_Schema#mail_msgs|mail_msgs]] table when Virus Blocker scans an email.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 278: Line 302:
! Type
! Type
! Description
! Description
getAction
|-
|-
|sClientAddr
|action
|InetAddress
|String
|The server-side (post-NAT) client address
|The action
getAppName
|-
|-
|sClientPort
|appName
|Integer
|String
|The server-side (post-NAT) client port
|The name of the application
|-
getClass
|sServerAddr
|InetAddress
|The server-side (post-NAT) server address
|-
|sServerPort
|Integer
|The server-side (post-NAT) server port
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getClean
|-
|clean
|boolean
|True if clean, false otherwise
getMessageId
|-
|-
|serverIntf
|messageId
|Integer
|Long
|The server interface ID
|The message ID
getPartitionTablePostfix
getTag
getTimeStamp
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|}
getVirusName
<section end='SessionNatEvent' />
|-
|virusName
|String
|The virus name, if not clean
|}
<section end='VirusSmtpEvent' />




== QuotaEvent ==
== FirewallEvent ==
<section begin='QuotaEvent' />
<section begin='FirewallEvent' />


These events are created by the [[Bandwidth Control]] and inserted or update the [[Global_DB_schema#quotas|quotas]] table when quotas are given or exceeded.
These events are created by [[Firewall]] and update the [[Database_Schema#sessions|sessions]] table when a firewall rule matches a session.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 319: Line 352:
! Type
! Type
! Description
! Description
getBlocked
|-
|-
|action
|blocked
|int
|boolean
|The action (1=Quota Given, 2=Quota Exceeded)
|True if blocked, false otherwise
|-
getClass
|address
|InetAddress
|The address
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getFlagged
|-
|flagged
|boolean
|True if flagged, false otherwise
getPartitionTablePostfix
getRuleId
|-
|-
|quotaSize
|ruleId
|long
|long
|The quota size
|The rule ID
getSessionId
|-
|-
|reason
|sessionId
|String
|Long
|The reason
|The session ID
getTag
getTimeStamp
|-
|-
|timeStamp
|timeStamp
Line 344: Line 385:
|The timestamp
|The timestamp
|}
|}
<section end='QuotaEvent' />
<section end='FirewallEvent' />




== SettingsChangesEvent ==
== OpenVpnStatusEvent ==
<section begin='SettingsChangesEvent' />
<section begin='OpenVpnStatusEvent' />


These events are created by the base system and inserted to the [[Global_DB_schema#settings_changes|settings_changes]] table when settings are changed.
These events are created by [[OpenVPN]] and update the [[Database_Schema#openvpn_stats|openvpn_stats]] table periodically.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 356: Line 397:
! Type
! Type
! Description
! Description
getAddress
|-
|address
|InetAddress
|The address
getBytesRxDelta
|-
|bytesRxDelta
|long
|The delta number of RX (received) bytes from the previous event
getBytesRxTotal
|-
|bytesRxTotal
|long
|The total number of RX (received) bytes
getBytesTxDelta
|-
|bytesTxDelta
|long
|The delta number of TX (transmitted) bytes from the previous event
getBytesTxTotal
|-
|bytesTxTotal
|long
|The total number of TX (transmitted) bytes
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getClientName
|-
|-
|timeStamp
|clientName
|String
|The client name
getEnd
|-
|end
|Timestamp
|The end
getPartitionTablePostfix
getPoolAddress
|-
|poolAddress
|InetAddress
|The pool address
getPort
|-
|port
|int
|The port
getStart
|-
|start
|Timestamp
|The start
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|}
|}
<section end='SettingsChangesEvent' />
<section end='OpenVpnStatusEvent' />




== LogEvent ==
== OpenVpnEvent ==
<section begin='LogEvent' />
<section begin='OpenVpnEvent' />


These base class for all events.
These events are created by [[OpenVPN]] and update the [[Database_Schema#openvpn_events|openvpn_events]] table when OpenVPN processes a client action.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 377: Line 472:
! Type
! Type
! Description
! Description
getAddress
|-
|address
|InetAddress
|The address
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getClientName
|-
|clientName
|String
|The client name
getPartitionTablePostfix
getPoolAddress
|-
|poolAddress
|InetAddress
|The pool address
getTag
getTimeStamp
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getType
|-
|type
|OpenVpnEvent$EventType
|The type
|}
|}
<section end='LogEvent' />
<section end='OpenVpnEvent' />




== InterfaceStatEvent ==
== AdminLoginEvent ==
<section begin='InterfaceStatEvent' />
<section begin='AdminLoginEvent' />


These events are created by the base system and inserted to the [[Global_DB_schema#settings_changes|interface_stat_events]] table periodically with interface stats.
These events are created by the base system and inserted to the [[Database_Schema#user_table_updates|admin_logins]] table when an administrator login is attempted or successful.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
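Review bot: In the AdminLoginEvent description at the end of this hunk, the link label is admin_logins but the target is Database_Schema#user_table_updates, so a reader looking up the login audit columns is sent to a different table's section. Point the link at the section for admin_logins, provided one exists on the Database Schema page. The OpenVpnEvent type row ("The type") would also be more useful if it listed the values of OpenVpnEvent$EventType.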
Line 398: Line 517:
! Type
! Type
! Description
! Description
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getClientAddress
|-
|-
|interfaceId
|clientAddress
|int
|InetAddress
|The interface ID
|The client address
getLocal
|-
|-
|rxRate
|local
|double
|boolean
|The RX rate in byte/s
|1 if login is done via local console, 0 otherwise
getLogin
|-
|-
|timeStamp
|login
|Timestamp
|String
|The timestamp
|The login username
getPartitionTablePostfix
getReason
|-
|-
|txRate
|reason
|double
|String
|The TX rate in byte/s
|The reason
getSucceeded
|-
|succeeded
|boolean
|1 if successful, 0 otherwise
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
|}
<section end='InterfaceStatEvent' />
<section end='AdminLoginEvent' />




== SystemStatEvent ==
== AlertEvent ==
<section begin='SystemStatEvent' />
<section begin='AlertEvent' />


These events are created by the base system and inserted to the [[Global_DB_schema#server_events|server_events]] table periodically.
These events are created by [[Reports]] and inserted to the [[Database_Schema#alerts|alerts]] table when an alert fires.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
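Review bot: The AdminLoginEvent rows local and succeeded are typed boolean but described as "1 if ..., 0 otherwise", whereas other boolean rows on the page (clean, blocked, flagged) read "True if ..., false otherwise". State which form an alert rule on failed administrator logins should compare against, or align the wording with the declared type. The reason row ("The reason") should say when it is populated, for example only on failed attempts, if that is the case.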
Line 431: Line 567:
! Type
! Type
! Description
! Description
getCausalRule
|-
|-
|activeHosts
|causalRule
|int
|EventRule
|The active host count
|The causal rule
getCause
|-
|cause
|LogEvent
|The cause
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getDescription
|-
|-
|cpuSystem
|description
|float
|String
|The system CPU utilization
|The description
getEventSent
|-
|-
|cpuUser
|eventSent
|float
|Boolean
|The user CPU utilization
|True if the event was sent, false otherwise
getJson
|-
|-
|diskFree
|json
|long
|String
|The amount of disk free
|The JSON string
getPartitionTablePostfix
getSummaryText
|-
|-
|diskFreePercent
|summaryText
|float
|String
|The percentage of disk free
|The summary text
getTag
getTimeStamp
|-
|-
|diskTotal
|timeStamp
|long
|Timestamp
|The total size of the disk
|The timestamp
|-
|}
|load1
<section end='AlertEvent' />
|float
 
|The 1-minute CPU load
 
|-
== InterfaceStatEvent ==
|load15
<section begin='InterfaceStatEvent' />
|float
 
|The 15-minute CPU load
These events are created by the base system and inserted to the [[Database_Schema#settings_changes|interface_stat_events]] table periodically with interface stats.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|-
|load5
|class
|float
|Class
|The 5-minute CPU load
|The class name
getInterfaceId
|-
|-
|memBuffers
|interfaceId
|long
|int
|The amount of memory used by buffers
|The interface ID
getPartitionTablePostfix
getRxBytes
|-
|-
|memCache
|rxBytes
|long
|double
|The amount of memory used by cache
|The total of received bytes
getRxRate
|-
|-
|memFree
|rxRate
|long
|double
|The amount of free memory
|The RX rate in byte/s
|-
getTag
|memFreePercent
getTimeStamp
|float
|The percentage of total memory that is free
|-
|memTotal
|long
|The total amount of memory
|-
|swapFree
|long
|The amount of free swap
|-
|swapTotal
|long
|The total size of swap
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getTxBytes
|-
|txBytes
|double
|The total of transmitted bytes
getTxRate
|-
|txRate
|double
|The TX rate in byte/s
|}
|}
<section end='SystemStatEvent' />
<section end='InterfaceStatEvent' />




== TunnelStatusEvent ==
== LogEvent ==
<section begin='TunnelStatusEvent' />
<section begin='LogEvent' />


These events are created by [[IPsec VPN]] and inserted to the [[Global_DB_schema#ipsec_tunnel_stats|ipsec_tunnel_stats]] table periodically.
These base class for all events.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
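Review bot: The InterfaceStatEvent description still links interface_stat_events to the anchor #settings_changes; only the page name changed from Global_DB_schema to Database_Schema, so the link keeps landing on the wrong section. At the end of the hunk, "These base class for all events." is also carried over as is and should read "This is the base class for all events."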
Line 516: Line 672:
! Type
! Type
! Description
! Description
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getPartitionTablePostfix
getTag
getTimeStamp
|-
|-
|inBytes
|timeStamp
|long
|The number of bytes received from this tunnel
|-
|outBytes
|long
|The number of bytes sent in this tunnel
|-
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|tunnelName
|String
|The name of this tunnel
|}
|}
<section end='TunnelStatusEvent' />
<section end='LogEvent' />




== VirtualUserEvent ==
== SystemStatEvent ==
<section begin='VirtualUserEvent' />
<section begin='SystemStatEvent' />


These events are created by [[IPsec VPN]] and inserted to the [[Global_DB_schema#ipsec_user_events|ipsec_user_events]] table when a user event occurs.
These events are created by the base system and inserted to the [[Database_Schema#server_events|server_events]] table periodically.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
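Review bot: In the LogEvent table, getPartitionTablePostfix and getTag are added as bare lines with no attribute row, type or description, and the same two names recur in the other tables of the new revision. Since LogEvent is described as the base class for all events, document the two once here or drop them, and check that the bare getter lines placed before each |- do not render as part of the preceding cell.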
Line 549: Line 697:
! Type
! Type
! Description
! Description
getActiveHosts
|-
|activeHosts
|int
|The active host count
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getCpuSystem
|-
|-
|clientAddress
|cpuSystem
|InetAddress
|float
|The client address
|The system CPU utilization
getCpuUser
|-
|-
|clientProtocol
|cpuUser
|String
|float
|The client protocol
|The user CPU utilization
getDiskFree
|-
|-
|clientUsername
|diskFree
|String
|long
|The client username
|The amount of disk free
getDiskFreePercent
|-
|-
|elapsedTime
|diskFreePercent
|String
|float
|The elapsed time
|The percentage of disk free
getDiskTotal
|-
|-
|eventId
|diskTotal
|Long
|long
|The event ID
|The total size of the disk
getDiskUsed
|-
|-
|netInterface
|diskUsed
|String
|long
|The net interface
|The amount of disk used
getDiskUsedPercent
|-
|-
|netProcess
|diskUsedPercent
|String
|float
|The net process
|The percentage of disk used
getLoad1
|-
|-
|netRXbytes
|load1
|Long
|float
|The number of RX (received) bytes
|The 1-minute CPU load
getLoad15
|-
|-
|netTXbytes
|load15
|Long
|float
|The number of TX (transmitted) bytes
|The 15-minute CPU load
getLoad5
|-
|-
|timeStamp
|load5
|Timestamp
|float
|The timestamp
|The 5-minute CPU load
|}
getMemBuffers
<section end='VirtualUserEvent' />
 
 
== AlertEvent ==
<section begin='AlertEvent' />
 
These events are created by [[Reports]] and inserted to the [[Global_DB_schema#alerts|alerts]] table when an alert fires.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|-
|cause
|memBuffers
|LogEvent
|long
|The cause
|The amount of memory used by buffers
getMemCache
|-
|memCache
|long
|The amount of memory used by cache
getMemFree
|-
|-
|class
|memFree
|Class
|long
|The class name
|The amount of free memory
getMemFreePercent
|-
|-
|description
|memFreePercent
|String
|float
|The description
|The percentage of total memory that is free
getMemTotal
|-
|-
|json
|memTotal
|JSONObject
|long
|The JSON string
|The total amount of memory
getMemUsed
|-
|-
|summaryText
|memUsed
|String
|long
|The summary text
|The amount of used memory
getMemUsedPercent
|-
|-
|timeStamp
|memUsedPercent
|Timestamp
|float
|The percentage of total memory that is used
getPartitionTablePostfix
getSwapFree
|-
|swapFree
|long
|The amount of free swap
getSwapFreePercent
|-
|swapFreePercent
|float
|The percentage of total swap that is free
getSwapTotal
|-
|swapTotal
|long
|The total size of swap
getSwapUsed
|-
|swapUsed
|long
|The amount of used swap
getSwapUsedPercent
|-
|swapUsedPercent
|float
|The percentage of total swap that is used
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|The timestamp
|}
|}
<section end='AlertEvent' />
<section end='SystemStatEvent' />




== ConfigurationBackupEvent ==
== HostTableEvent ==
<section begin='ConfigurationBackupEvent' />
<section begin='HostTableEvent' />


These events are created by [[Configuration Backup]] and inserted to the [[Global_DB_schema#configuratio_backup_events|configuratio_backup_events]] table when a backup occurs.
These events are created by the base system and inserted to the [[Database_Schema#host_table_updates|host_table_updates]] table when the host table is modified.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 643: Line 837:
! Type
! Type
! Description
! Description
getAddress
|-
|address
|InetAddress
|The address
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getKey
|-
|-
|destination
|key
|String
|String
|The destination
|The key
getOldValue
|-
|-
|detail
|oldValue
|String
|String
|The details
|The old value
|-
getPartitionTablePostfix
|success
getTag
|boolean
getTimeStamp
|True if successful, false otherwise
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getValue
|-
|value
|String
|The value
|}
|}
<section end='ConfigurationBackupEvent' />
<section end='HostTableEvent' />




== WebCacheEvent ==
== DeviceTableEvent ==
<section begin='WebCacheEvent' />
<section begin='DeviceTableEvent' />


These events are created by [[Web Cache]] and inserted to the [[Global_DB_schema#web_cache_stats|web_cache_stats]] table periodically.
These events are created by the base system and inserted to the [[Database_Schema#device_table_updates|device_table_updates]] table when the device list is modified.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 676: Line 882:
! Type
! Type
! Description
! Description
|-
getClass
|bypassCount
|long
|The number of bypasses
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getDevice
|-
|-
|hitBytes
|device
|long
|DeviceTableEntry
|The number of bytes worth of hits
|The Device
getKey
|-
|-
|hitCount
|key
|long
|String
|The number of hits
|The key
getMacAddress
|-
|-
|missBytes
|macAddress
|long
|String
|The number of bytes worth of misses
|The MAC address
getOldValue
|-
|-
|missCount
|oldValue
|long
|String
|The number of misses
|The old value
|-
getPartitionTablePostfix
|policyId
getTag
|Long
getTimeStamp
|The policy ID
|-
|systemCount
|long
|The number of system bypasses
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getValue
|-
|value
|String
|The value
|}
|}
<section end='WebCacheEvent' />
<section end='DeviceTableEvent' />




== PrioritizeEvent ==
== SettingsChangesEvent ==
<section begin='PrioritizeEvent' />
<section begin='SettingsChangesEvent' />


These events are created by the [[Bandwidth Control]] and update the [[Global_DB_schema#sessions|session]] table when a session is prioritized.
These events are created by the base system and inserted to the [[Database_Schema#settings_changes|settings_changes]] table when settings are changed.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 725: Line 932:
! Type
! Type
! Description
! Description
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getHostname
|-
|-
|priority
|hostname
|int
|String
|The priority
|The hostname
getPartitionTablePostfix
getSettingsFile
|-
|-
|ruleId
|settingsFile
|int
|String
|The rule ID
|The settings file
|-
getTag
|sessionEvent
getTimeStamp
|SessionEvent
|The session event
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getUsername
|-
|username
|String
|The username
|}
|}
<section end='PrioritizeEvent' />
<section end='SettingsChangesEvent' />




== HttpResponseEvent ==
== UserTableEvent ==
<section begin='HttpResponseEvent' />
<section begin='UserTableEvent' />


These events are created by HTTP subsystem and update the [[Global_DB_schema#http_events|http_events]] table when a web response happens.
These events are created by the base system and inserted to the [[Database_Schema#user_table_updates|user_table_updates]] table when the user table is modified.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 758: Line 972:
! Type
! Type
! Description
! Description
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getKey
|-
|-
|contentLength
|key
|long
|String
|The content length
|The key
getOldValue
|-
|-
|contentType
|oldValue
|String
|String
|The content type
|The old value
getPartitionTablePostfix
getTag
getTimeStamp
|-
|-
|requestLine
|timeStamp
|RequestLine
|Timestamp
|The request line
|The timestamp
getUsername
|-
|username
|String
|The username
getValue
|-
|-
|timeStamp
|value
|Timestamp
|String
|The timestamp
|The value
|}
|}
<section end='HttpResponseEvent' />
<section end='UserTableEvent' />




== HttpRequestEvent ==
== SessionMinuteEvent ==
<section begin='HttpRequestEvent' />
<section begin='SessionMinuteEvent' />


These events are created by HTTP subsystem and inserted to the [[Global_DB_schema#http_events|http_events]] table when a web request happens.
These events are created by the base system and update the [[Database_Schema#sessions|session_minutes]] table each minute a session exists.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
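Review bot: The new SessionMinuteEvent description links session_minutes to Database_Schema#sessions, so the link label and its target name different tables. Use the anchor for the session_minutes section, provided the Database Schema page has one, or change the label to match the target.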
Line 791: Line 1,017:
! Type
! Type
! Description
! Description
getC2sBytes
|-
|c2sBytes
|long
|The number of bytes sent from the client to the server
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getPartitionTablePostfix
getS2cBytes
|-
|-
|contentLength
|s2cBytes
|long
|long
|The content length
|The number of bytes sent from the server to the client
getSessionId
|-
|-
|domain
|sessionId
|String
|long
|The domain
|The session ID
getTag
getTimeStamp
|-
|-
|host
|timeStamp
|String
|Timestamp
|The host
|The timestamp
|}
<section end='SessionMinuteEvent' />
 
 
== SessionEvent ==
<section begin='SessionEvent' />
 
These events are created by the base system and update the [[Database_Schema#sessions|sessions]] table each time a session is created.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getCClientAddr
|-
|-
|method
|CClientAddr
|HttpMethod
|InetAddress
|The HTTP method
|The client-side (pre-NAT) client address
getCClientPort
|-
|-
|referer
|CClientPort
|String
|Integer
|The referer
|The client-side (pre-NAT) client port
getCServerAddr
|-
|-
|requestId
|CServerAddr
|Long
|InetAddress
|The request ID
|The client-side (pre-NAT) server address
getCServerPort
|-
|-
|requestUri
|CServerPort
|URI
|Integer
|The request URI
|The client-side (pre-NAT) server port
getSClientAddr
|-
|-
|sessionEvent
|SClientAddr
|SessionEvent
|InetAddress
|The session event
|The server-side (post-NAT) client address
getSClientPort
|-
|-
|sessionId
|SClientPort
|Long
|Integer
|The session ID
|The server-side (post-NAT) client port
getSServerAddr
|-
|-
|timeStamp
|SServerAddr
|Timestamp
|InetAddress
|The timestamp
|The server-side (post-NAT) server address
|}
getSServerPort
<section end='HttpRequestEvent' />
 
 
== ApplicationControlLiteEvent ==
<section begin='ApplicationControlLiteEvent' />
 
These events are created by [[Application Control Lite]] and update the [[Global_DB_schema#sessions|sessions]] table when application control lite identifies a session.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|-
|blocked
|SServerPort
|Integer
|The server-side (post-NAT) server port
getBypassed
|-
|bypassed
|boolean
|boolean
|True if blocked, false otherwise
|True if bypassed, false otherwise
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getClientCountry
|-
|-
|protocol
|clientCountry
|String
|String
|The protocol
|The client country
getClientIntf
|-
|clientIntf
|Integer
|The client interface ID
getClientLatitude
|-
|-
|sessionId
|clientLatitude
|Long
|Double
|The session ID
|The client latitude
getClientLongitude
|-
|-
|timeStamp
|clientLongitude
|Timestamp
|Double
|The timestamp
|The client longitude
|}
getEntitled
<section end='ApplicationControlLiteEvent' />
 
 
== FirewallEvent ==
<section begin='FirewallEvent' />
 
These events are created by [[Firewall]] and update the [[Global_DB_schema#sessions|sessions]] table when a firewall rule matches a session.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|-
|blocked
|entitled
|boolean
|boolean
|True if blocked, false otherwise
|The entitled status
getFilterPrefix
|-
|filterPrefix
|String
|The filter prefix if blocked by the filter rules
getHostname
|-
|-
|class
|hostname
|Class
|String
|The class name
|The hostname
getIcmpType
|-
|-
|flagged
|icmpType
|boolean
|Short
|True if flagged, false otherwise
|The ICMP type
getLocalAddr
|-
|-
|ruleId
|localAddr
|long
|InetAddress
|The rule ID
|The local host address
getPartitionTablePostfix
getPolicyId
|-
|-
|sessionId
|policyId
|Long
|Integer
|The session ID
|The policy ID
getPolicyRuleId
|-
|-
|timeStamp
|policyRuleId
|Timestamp
|Integer
|The timestamp
|The policy rule ID
|}
getProtocol
<section end='FirewallEvent' />
 
 
== WebFilterEvent ==
<section begin='WebFilterEvent' />
 
These events are created by [[Web Filter]] and update the [[Global_DB_schema#http_events|http_events]] table when web filter processes a web request.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|-
|blocked
|protocol
|Boolean
|Short
|True if blocked, false otherwise
|The protocol
getProtocolName
|-
|-
|category
|protocolName
|String
|String
|The category
|The protocol name
getRemoteAddr
|-
|-
|class
|remoteAddr
|Class
|InetAddress
|The class name
|The remote host address
getServerCountry
|-
|-
|flagged
|serverCountry
|Boolean
|True if flagged, false otherwise
|-
|nodeName
|String
|String
|The name of the application
|The server country
getServerIntf
|-
|-
|reason
|serverIntf
|Reason
|Integer
|The reason
|The server interface ID
getServerLatitude
|-
|serverLatitude
|Double
|The server latitude
getServerLongitude
|-
|serverLongitude
|Double
|The server longitude
getSessionId
|-
|sessionId
|Long
|The session ID
getTag
getTagsString
|-
|tagsString
|String
|The string value of all tags
getTimeStamp
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getUsername
|-
|username
|String
|The username
|}
|}
<section end='WebFilterEvent' />
<section end='SessionEvent' />




== ApplicationControlLogEvent ==
== SessionStatsEvent ==
<section begin='ApplicationControlLogEvent' />
<section begin='SessionStatsEvent' />


These events are created by [[Application Control]] and update the [[Global_DB_schema#sessions|sessions]] table when application control identifies a session.
These events are created by the base system and update the [[Database_Schema#sessions|sessions]] table when a session ends with the updated stats.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 959: Line 1,232:
! Type
! Type
! Description
! Description
getC2pBytes
|-
|-
|application
|c2pBytes
|String
|long
|The application
|The number of bytes sent from the client to Untangle
getClass
|-
|-
|blocked
|class
|boolean
|True if blocked, false otherwise
|-
|category
|String
|The category
|-
|class
|Class
|Class
|The class name
|The class name
getEndTime
|-
|-
|confidence
|endTime
|Integer
|long
|The confidence (0-100)
|The end time/date
getP2cBytes
|-
|-
|detail
|p2cBytes
|String
|long
|The details
|The number of bytes sent to the client from Untangle
getP2sBytes
|-
|-
|flagged
|p2sBytes
|boolean
|long
|True if flagged, false otherwise
|The number of bytes sent to the server from Untangle
getPartitionTablePostfix
getS2pBytes
|-
|-
|protochain
|s2pBytes
|String
|long
|The protochain
|The number of bytes sent from the server to Untangle
|-
getSessionEvent
|ruleId
|Integer
|The rule ID
|-
|-
|sessionEvent
|sessionEvent
|SessionEvent
|SessionEvent
|The session event
|The session event
getSessionId
|-
|-
|state
|sessionId
|Integer
|Long
|The state
|The session ID
getTag
getTimeStamp
|-
|-
|timeStamp
|timeStamp
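Review bot: the new SessionStatsEvent table carries bare accessor names (getC2pBytes, getClass, getEndTime, getPartitionTablePostfix, getTag, getTimeStamp) on their own lines between rows, with no leading | or |- markup. In MediaWiki table syntax such a line is a continuation of the preceding cell, so these names will render inside the header or Description cells, and getPartitionTablePostfix and getTag have no attribute row at all. They look like leftover generator output: drop them, or emit each as a proper row. The same pattern repeats in the other tables of this revision.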
Line 1,008: Line 1,280:
|The timestamp
|The timestamp
|}
|}
<section end='ApplicationControlLogEvent' />
<section end='SessionStatsEvent' />




== ShieldEvent ==
== SessionNatEvent ==
<section begin='ShieldEvent' />
<section begin='SessionNatEvent' />


These events are created by base system and update the [[Global_DB_schema#sessions|sessions]] table when the shield blocks a session.
These events are created by the base system and update the [[Database_Schema#sessions|sessions]] table each time a session is NATd with the post-NAT information.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,020: Line 1,292:
! Type
! Type
! Description
! Description
getSClientAddr
|-
|-
|blocked
|SClientAddr
|boolean
|InetAddress
|True if blocked, false otherwise
|The server-side (post-NAT) client address
getSClientPort
|-
|SClientPort
|Integer
|The server-side (post-NAT) client port
getSServerAddr
|-
|SServerAddr
|InetAddress
|The server-side (post-NAT) server address
getSServerPort
|-
|SServerPort
|Integer
|The server-side (post-NAT) server port
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getPartitionTablePostfix
getServerIntf
|-
|-
|sessionId
|serverIntf
|Long
|Integer
|The session ID
|The server interface ID
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getTag
getTimeStamp
|-
|-
|timeStamp
|timeStamp
Line 1,037: Line 1,335:
|The timestamp
|The timestamp
|}
|}
<section end='ShieldEvent' />
<section end='SessionNatEvent' />




== SslInspectorLogEvent ==
== QuotaEvent ==
<section begin='SslInspectorLogEvent' />
<section begin='QuotaEvent' />


These events are created by [[SSL Inspector]] and update the [[Global_DB_schema#sessions|sessions]] table when a session is processed by SSL Inspector.
These events are created by the [[Bandwidth Control]] and inserted or update the [[Database_Schema#quotas|quotas]] table when quotas are given or exceeded.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
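Review bot: the new QuotaEvent intro, "created by the [[Bandwidth Control]] and inserted or update the ... quotas table", does not parse and leaves it unclear when a row is inserted and when one is updated. Suggest "created by [[Bandwidth Control]] and inserted into or update the quotas table", and say which of the two applies when a quota is given and which when it is exceeded, since the action attribute below distinguishes exactly those two cases.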
Line 1,049: Line 1,347:
! Type
! Type
! Description
! Description
getAction
|-
|action
|int
|The action (1=Quota Given, 2=Quota Exceeded)
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getEntity
|-
|-
|detail
|entity
|String
|String
|The details
|The entity
getPartitionTablePostfix
getQuotaSize
|-
|-
|ruleId
|quotaSize
|Integer
|long
|The rule ID
|The quota size
getReason
|-
|-
|sessionEvent
|reason
|SessionEvent
|String
|The session event
|The reason
|-
getTag
|status
getTimeStamp
|String
|The status
|-
|-
|timeStamp
|timeStamp
Line 1,074: Line 1,380:
|The timestamp
|The timestamp
|}
|}
<section end='SslInspectorLogEvent' />
<section end='QuotaEvent' />




== SpamSmtpTarpitEvent ==
== SmtpMessageAddressEvent ==
<section begin='SpamSmtpTarpitEvent' />
<section begin='SmtpMessageAddressEvent' />


These events are created by [[Spam Blocker]] and inserted to the [[Global_DB_schema#smtp_tarpit_events|smtp_tarpit_events]] table when a session is tarpitted.
These events are created by SMTP subsystem and inserted to the [[Database_Schema#mail_addrs|mail_addrs]] table for each address on each email.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,086: Line 1,392:
! Type
! Type
! Description
! Description
getAddr
|-
|-
|iPAddr
|addr
|InetAddress
|String
|The IP address
|The address
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getKind
|-
|-
|hostname
|kind
|String
|AddressKind
|The hostname
|The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
getMessageId
|-
|-
|sessionEvent
|messageId
|SessionEvent
|The session event
|-
|sessionId
|Long
|Long
|The session ID
|The message ID
getPartitionTablePostfix
getPersonal
|-
|-
|timeStamp
|personal
|String
|personal
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|vendorName
|String
|The application name
|}
|}
<section end='SpamSmtpTarpitEvent' />
<section end='SmtpMessageAddressEvent' />




== SpamLogEvent ==
== SmtpMessageEvent ==
<section begin='SpamLogEvent' />
<section begin='SmtpMessageEvent' />


These events are created by [[Spam Blocker]] and update the [[Global_DB_schema#mail_msgs|mail_msgs]] table when an email is scanned.
These events are created by SMTP subsystem and inserted to the [[Database_Schema#mail_msgs|mail_msgs]] table for each email.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
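Review bot: in the new SmtpMessageAddressEvent table the personal row gives "personal" as its description, which only repeats the attribute name and tells a reader writing an alert rule nothing about what the string holds. Every other row in the table has a descriptive phrase ("The address", "The message ID"); please state what this field contains in the same style.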
Line 1,127: Line 1,437:
! Type
! Type
! Description
! Description
getAddresses
|-
|-
|action
|addresses
|SpamMessageAction
|Set
|The action
|The addresses
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getEnvelopeFromAddress
|-
|-
|clientAddr
|envelopeFromAddress
|InetAddress
|String
|The client address
|The envelop FROM address
getEnvelopeToAddress
|-
|-
|clientPort
|envelopeToAddress
|int
|String
|The client port
|The envelope TO address
getMessageId
|-
|-
|messageId
|messageId
|Long
|Long
|The message ID
|The message ID
getPartitionTablePostfix
getReceiver
|-
|-
|receiver
|receiver
|String
|String
|The receiver
|The receiver
|-
getSender
|score
|float
|The score
|-
|-
|sender
|sender
|String
|String
|The sender
|The sender
getSessionEvent
|-
|-
|serverAddr
|sessionEvent
|InetAddress
|SessionEvent
|The server address
|The session event
getSessionId
|-
|-
|serverPort
|sessionId
|int
|Long
|The server port
|The session ID
|-
getSubject
|smtpMessageEvent
|SmtpMessageEvent
|The parent SMTP message event
|-
|isSpam
|boolean
|True if spam, false otherwise
|-
|-
|subject
|subject
|String
|String
|The subject
|The subject
|-
getTag
|testsString
getTimeStamp
|String
|The tests string from the spam engine
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getTmpFile
|-
|-
|vendorName
|tmpFile
|String
|File
|The application name
|The /tmp file
|}
|}
<section end='SpamLogEvent' />
<section end='SmtpMessageEvent' />




== SpamSmtpTarpitEvent ==
== CaptureRuleEvent ==
<section begin='SpamSmtpTarpitEvent' />
<section begin='CaptureRuleEvent' />


These events are created by [[Spam Blocker]] and inserted to the [[Global_DB_schema#smtp_tarpit_events|smtp_tarpit_events]] table when a session is tarpitted.
These events are created by [[Captive Portal]] and update the [[Database_Schema#sessions|sessions]] table when Captive Portal processes a session.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
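Review bot: typo in the new SmtpMessageEvent table, envelopeFromAddress row: "The envelop FROM address" should read "The envelope FROM address", matching the envelopeToAddress row directly below it. The tmpFile description "The /tmp file" is also too terse to say what the file contains; a short phrase on what is stored there would help.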
Line 1,204: Line 1,512:
! Type
! Type
! Description
! Description
getCaptured
|-
|-
|iPAddr
|captured
|InetAddress
|boolean
|The IP address
|True if captured, false otherwise
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getPartitionTablePostfix
getRuleId
|-
|-
|hostname
|ruleId
|String
|Integer
|The hostname
|The rule ID
getSessionEvent
|-
|-
|sessionEvent
|sessionEvent
|SessionEvent
|SessionEvent
|The session event
|The session event
|-
getTag
|sessionId
getTimeStamp
|Long
|The session ID
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|vendorName
|String
|The application name
|}
|}
<section end='SpamSmtpTarpitEvent' />
<section end='CaptureRuleEvent' />




== SpamLogEvent ==
== CaptivePortalUserEvent ==
<section begin='SpamLogEvent' />
<section begin='CaptivePortalUserEvent' />


These events are created by [[Spam Blocker]] and update the [[Global_DB_schema#mail_msgs|mail_msgs]] table when an email is scanned.
These events are created by [[Captive Portal]] and inserted to the [[Database_Schema#captive_portal_user_events|captive_portal_user_events]] table when Captive Portal user takes an action.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,245: Line 1,552:
! Type
! Type
! Description
! Description
getAuthenticationType
|-
|authenticationType
|CaptivePortalSettings$AuthenticationType
|The authentication type
getAuthenticationTypeValue
|-
|-
|action
|authenticationTypeValue
|SpamMessageAction
|String
|The action
|The authentication type as a string
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getClientAddr
|-
|-
|clientAddr
|clientAddr
|InetAddress
|String
|The client address
|The client address
getEvent
|-
|-
|clientPort
|event
|int
|CaptivePortalUserEvent$EventType
|The client port
|The event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
getEventValue
|-
|-
|messageId
|eventValue
|Long
|String
|The message ID
|The event value as a string (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
getLoginName
|-
|-
|receiver
|loginName
|String
|String
|The receiver
|The login name
getPartitionTablePostfix
getPolicyId
|-
|-
|score
|policyId
|float
|Integer
|The score
|The policy ID
getTag
getTimeStamp
|-
|-
|sender
|timeStamp
|String
|Timestamp
|The sender
|The timestamp
|}
<section end='CaptivePortalUserEvent' />
 
 
== AdBlockerEvent ==
<section begin='AdBlockerEvent' />
 
These events are created by [[Ad Blocker]] and update the [[Database_Schema#http_events|http_events]] table when an ad is blocked.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getAction
|-
|-
|serverAddr
|action
|InetAddress
|Action
|The server address
|The action
getClass
|-
|-
|serverPort
|class
|int
|Class
|The server port
|The class name
getPartitionTablePostfix
getReason
|-
|-
|smtpMessageEvent
|reason
|SmtpMessageEvent
|The parent SMTP message event
|-
|isSpam
|boolean
|True if spam, false otherwise
|-
|subject
|String
|String
|The subject
|The reason
getRequestId
|-
|-
|testsString
|requestId
|String
|Long
|The tests string from the spam engine
|The request ID
getTag
getTimeStamp
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|vendorName
|String
|The application name
|}
|}
<section end='SpamLogEvent' />
<section end='AdBlockerEvent' />




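Review bot: the new CaptivePortalUserEvent table lists clientAddr as String and policyId as Integer, while the previous revision's CaptivePortalUserEvent table (visible further down this diff) had InetAddress and Long, and the new LoginEvent table still gives clientAddr as InetAddress. Please confirm the type changes reflect the class rather than a generator difference, because alert rules and syslog consumers that compare on these attributes depend on the documented type. Note also that policyId is Integer here and in SessionEvent but Long in the new WebCacheEvent table.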
Line 1,316: Line 1,646:
<section begin='CookieEvent' />
<section begin='CookieEvent' />


These events are created by [[Ad Blocker]] and update the [[Global_DB_schema#http_events|http_events]] table when a cookie is blocked.
These events are created by [[Ad Blocker]] and update the [[Database_Schema#http_events|http_events]] table when a cookie is blocked.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,322: Line 1,652:
! Type
! Type
! Description
! Description
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getIdentification
|-
|-
|identification
|identification
|String
|String
|The identification string
|The identification string
getPartitionTablePostfix
getRequestId
|-
|-
|requestId
|requestId
|Long
|Long
|The request ID
|The request ID
getSessionEvent
|-
|-
|sessionEvent
|sessionEvent
|SessionEvent
|SessionEvent
|The session event
|The session event
getTag
getTimeStamp
|-
|-
|timeStamp
|timeStamp
Line 1,346: Line 1,683:




== AdBlockerEvent ==
== HttpRequestEvent ==
<section begin='AdBlockerEvent' />
<section begin='HttpRequestEvent' />


These events are created by [[Ad Blocker]] and update the [[Global_DB_schema#http_events|http_events]] table when an ad is blocked.
These events are created by HTTP subsystem and inserted to the [[Database_Schema#http_events|http_events]] table when a web request happens.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,355: Line 1,692:
! Type
! Type
! Description
! Description
|-
getClass
|action
|Action
|The action
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getContentLength
|-
|contentLength
|long
|The content length
getDomain
|-
|domain
|String
|The domain
getHost
|-
|-
|reason
|host
|String
|The host
getMethod
|-
|method
|HttpMethod
|The HTTP method
getPartitionTablePostfix
getReferer
|-
|referer
|String
|String
|The reason
|The referer
getRequestId
|-
|-
|requestId
|requestId
|Long
|Long
|The request ID
|The request ID
getRequestUri
|-
|-
|timeStamp
|requestUri
|Timestamp
|URI
|The request URI
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|The timestamp
|}
|}
<section end='AdBlockerEvent' />
<section end='HttpRequestEvent' />




== IntrusionPreventionLogEvent ==
== HttpResponseEvent ==
<section begin='IntrusionPreventionLogEvent' />
<section begin='HttpResponseEvent' />


These events are created by [[Intrusion Prevention]] and inserted to the [[Global_DB_schema#intrusion_prevention_events|intrusion_prevention_events]] table when a rule matches.
These events are created by HTTP subsystem and update the [[Database_Schema#http_events|http_events]] table when a web response happens.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,388: Line 1,757:
! Type
! Type
! Description
! Description
|-
getClass
|blocked
|short
|1 if blocked, 0 otherwise
|-
|category
|String
|The category
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getContentFilename
|-
|contentFilename
|String
|The content filename
getContentLength
|-
|-
|classificationId
|contentLength
|long
|long
|The classification ID
|The content length
getContentType
|-
|-
|classtype
|contentType
|String
|String
|The classtype
|The content type
getHttpRequestEvent
|-
|httpRequestEvent
|HttpRequestEvent
|The corresponding HTTP request event
getPartitionTablePostfix
getRequestLine
|-
|-
|dportIcode
|requestLine
|int
|RequestLine
|The dportIcode
|The request line
getTag
getTimeStamp
|-
|-
|eventId
|timeStamp
|long
|Timestamp
|The event ID
|The timestamp
|}
<section end='HttpResponseEvent' />
 
 
== WebCacheEvent ==
<section begin='WebCacheEvent' />
 
These events are created by [[Web Cache]] and inserted to the [[Database_Schema#web_cache_stats|web_cache_stats]] table periodically.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getBypassCount
|-
|-
|eventMicrosecond
|bypassCount
|long
|long
|The event microsecond
|The number of bypasses
getClass
|-
|-
|eventSecond
|class
|Class
|The class name
getHitBytes
|-
|hitBytes
|long
|long
|The event second
|The number of bytes worth of hits
getHitCount
|-
|-
|eventType
|hitCount
|long
|long
|The event type
|The number of hits
getMissBytes
|-
|-
|generatorId
|missBytes
|long
|long
|The generator ID
|The number of bytes worth of misses
getMissCount
|-
|-
|impact
|missCount
|short
|long
|The impact
|The number of misses
getPartitionTablePostfix
getPolicyId
|-
|-
|impactFlag
|policyId
|short
|Long
|The impact flag
|The policy ID
getSystemCount
|-
|-
|ipDestination
|systemCount
|InetAddress
|long
|The IP address destination
|The number of system bypasses
getTag
getTimeStamp
|-
|-
|ipSource
|timeStamp
|InetAddress
|Timestamp
|The IP address source
|The timestamp
|}
<section end='WebCacheEvent' />
 
 
== TunnelVpnStatusEvent ==
<section begin='TunnelVpnStatusEvent' />
 
These events are created by [[Tunnel VPN]] and inserted to the [[Database_Schema#tunnel_vpn_stats|tunnel_vpn_stats]] table periodically.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|class
|Class
|The class name
getInBytes
|-
|-
|mplsLabel
|inBytes
|long
|long
|The mplsLabel
|The number of bytes received from this tunnel
getOutBytes
|-
|-
|msg
|outBytes
|String
|long
|The msg
|The number of bytes sent in this tunnel
getPartitionTablePostfix
getTag
getTimeStamp
|-
|-
|padding
|timeStamp
|int
|Timestamp
|The padding
|The timestamp
getTunnelName
|-
|-
|priorityId
|tunnelName
|long
|String
|The priority ID
|The name of this tunnel
|}
<section end='TunnelVpnStatusEvent' />
 
 
== TunnelVpnEvent ==
<section begin='TunnelVpnEvent' />
 
These events are created by [[Tunnel VPN]] and inserted to the [[Database_Schema#tunnel_vpn_events|tunnel_vpn_events]] table when a tunnel connection event occurs.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|-
|protocol
|class
|short
|Class
|The protocol
|The class name
getEventType
|-
|-
|sensorId
|eventType
|long
|TunnelVpnEvent$EventType
|The sensor ID
|The event type
getLocalAddress
|-
|-
|signatureId
|localAddress
|long
|InetAddress
|The signature ID
|The local host address
getPartitionTablePostfix
getServerAddress
|-
|-
|signatureRevision
|serverAddress
|long
|InetAddress
|The signature revision
|The server address
|-
getTag
|sportItype
getTimeStamp
|int
|The sportItype
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getTunnelName
|-
|-
|vlanId
|tunnelName
|int
|String
|The VLAN Id
|The name of this tunnel
|}
|}
<section end='IntrusionPreventionLogEvent' />
<section end='TunnelVpnEvent' />




== WebFilterQueryEvent ==
== IntrusionPreventionLogEvent ==
<section begin='WebFilterQueryEvent' />
<section begin='IntrusionPreventionLogEvent' />


These events are created by [[Web Filter]] and inserted to the [[Global_DB_schema#http_query_events|http_query_events]] table when web filter processes a search engine search.
These events are created by [[Intrusion Prevention]] and inserted to the [[Database_Schema#intrusion_prevention_events|intrusion_prevention_events]] table when a rule matches.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,505: Line 1,952:
! Type
! Type
! Description
! Description
getBlocked
|-
|-
|class
|blocked
|Class
|boolean
|The class name
|True if blocked, false otherwise
getCategory
|-
|-
|contentLength
|category
|String
|The category
getClass
|-
|class
|Class
|The class name
getClassificationId
|-
|classificationId
|long
|long
|The content length
|The classification ID
getClasstype
|-
|-
|host
|classtype
|String
|String
|The host
|The classtype
getDportIcode
|-
|-
|method
|dportIcode
|HttpMethod
|int
|The method
|The dportIcode
getEventId
|-
|-
|nodeName
|eventId
|String
|long
|The name of the application
|The event ID
getEventMicrosecond
|-
|-
|requestId
|eventMicrosecond
|Long
|long
|The request ID
|The event microsecond
|-
getEventSecond
|requestUri
|-
|URI
|eventSecond
|The request URI
|long
|The event second
getEventType
|-
|-
|sessionEvent
|eventType
|SessionEvent
|long
|The session event
|The event type
getGeneratorId
|-
|-
|term
|generatorId
|String
|long
|The search term/phrase
|The generator ID
getImpact
|-
|-
|timeStamp
|impact
|Timestamp
|short
|The timestamp
|The impact
|}
getImpactFlag
<section end='WebFilterQueryEvent' />
|-
 
|impactFlag
 
|short
== WanFailoverTestEvent ==
|The impact flag
<section begin='WanFailoverTestEvent' />
getIpDestination
 
These events are created by [[WAN Failover]] and inserted to the [[Global_DB_schema#wan_failover_test_events|wan_failover_test_events]] table when a test is run.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|-
|class
|ipDestination
|Class
|InetAddress
|The class name
|The IP address destination
getIpSource
|-
|-
|description
|ipSource
|String
|InetAddress
|The description
|The IP address source
getMplsLabel
|-
|-
|interfaceId
|mplsLabel
|int
|long
|The interface ID
|The mplsLabel
getMsg
|-
|-
|name
|msg
|String
|String
|The test name
|The msg
getPadding
|-
|padding
|int
|The padding
getPartitionTablePostfix
getPriorityId
|-
|priorityId
|long
|The priority ID
getProtocol
|-
|protocol
|short
|The protocol
getRid
|-
|-
|osName
|rid
|String
|String
|The O/S interface name
|Rule ID
getSensorId
|-
|sensorId
|long
|The sensor ID
getSignatureId
|-
|-
|success
|signatureId
|Boolean
|long
|True if successful, false otherwise
|The signature ID
getSignatureRevision
|-
|-
|timeStamp
|signatureRevision
|Timestamp
|long
|The timestamp
|The signature revision
|}
getSportItype
<section end='WanFailoverTestEvent' />
|-
|sportItype
|int
|The sportItype
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
getVlanId
|-
|vlanId
|int
|The VLAN Id
|}
<section end='IntrusionPreventionLogEvent' />




== WanFailoverEvent ==
== ApplicationControlLogEvent ==
<section begin='WanFailoverEvent' />
<section begin='ApplicationControlLogEvent' />


These events are created by [[WAN Failover]] and inserted to the [[Global_DB_schema#wan_failover_action_events|wan_failover_action_events]] table when WAN Failover takes an action.
These events are created by [[Application Control]] and update the [[Database_Schema#sessions|sessions]] table when application control identifies a session.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,599: Line 2,102:
! Type
! Type
! Description
! Description
getApplication
|-
|-
|action
|application
|WanFailoverEvent$Action
|String
|The action
|The application
getBlocked
|-
|-
|class
|blocked
|boolean
|True if blocked, false otherwise
getCategory
|-
|category
|String
|The category
getClass
|-
|class
|Class
|Class
|The class name
|The class name
getConfidence
|-
|-
|interfaceId
|confidence
|int
|Integer
|The interface ID
|The confidence (0-100)
getDetail
|-
|-
|name
|detail
|String
|String
|The name
|The details
getFlagged
|-
|flagged
|boolean
|True if flagged, false otherwise
getPartitionTablePostfix
getProtochain
|-
|-
|osName
|protochain
|String
|String
|The O/S interface name
|The protochain
getRuleId
|-
|-
|timeStamp
|ruleId
|Timestamp
|Integer
|The timestamp
|The rule ID
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getState
|-
|state
|Integer
|The state
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
|}
<section end='WanFailoverEvent' />
<section end='ApplicationControlLogEvent' />




== CaptivePortalUserEvent ==
== LoginEvent ==
<section begin='CaptivePortalUserEvent' />
<section begin='LoginEvent' />


These events are created by [[Captive Portal]] and inserted to the [[Global_DB_schema#captive_portal_user_events|captive_portal_user_events]] table when Captive Portal user takes an action.
These events are created by [[Directory Connector]] and inserted to the [[Database_Schema#directory_connector_login_events|directory_connector_login_events]] table for each login.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,636: Line 2,177:
! Type
! Type
! Description
! Description
|-
getClass
|authenticationType
|CaptivePortalSettings$AuthenticationType
|The authentication type
|-
|authenticationTypeValue
|String
|The authentication type as a string
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getClientAddr
|-
|-
|clientAddr
|clientAddr
|InetAddress
|InetAddress
|The client address
|The client address
getDomain
|-
|domain
|String
|The domain
getEvent
|-
|-
|event
|event
|CaptivePortalUserEvent$EventType
|String
|The event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
|The event
|-
getLoginName
|eventValue
|String
|The event value as a string (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
|-
|-
|loginName
|loginName
|String
|String
|The login name
|The login name
getLoginType
|-
|-
|policyId
|loginType
|Long
|String
|The policy ID
|W = Windows login, A=Active Directory, R=RADIUS, T=test
getPartitionTablePostfix
getTag
getTimeStamp
|-
|-
|timeStamp
|timeStamp
Line 1,673: Line 2,215:
|The timestamp
|The timestamp
|}
|}
<section end='CaptivePortalUserEvent' />
<section end='LoginEvent' />




== CaptureRuleEvent ==
== WebFilterEvent ==
<section begin='CaptureRuleEvent' />
<section begin='WebFilterEvent' />


These events are created by [[Captive Portal]] and update the [[Global_DB_schema#sessions|sessions]] table when Captive Portal processes a session.
These events are created by [[Web Filter]] and update the [[Database_Schema#http_events|http_events]] table when web filter processes a web request.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,685: Line 2,227:
! Type
! Type
! Description
! Description
getAppName
|-
|-
|captured
|appName
|boolean
|String
|True if captured, false otherwise
|The name of the application
getBlocked
|-
|-
|class
|blocked
|Class
|Boolean
|The class name
|True if blocked, false otherwise
getCategory
|-
|-
|ruleId
|category
|String
|The category
getCategoryId
|-
|categoryId
|Integer
|Numeric value of matching category
getClass
|-
|class
|Class
|The class name
getFlagged
|-
|flagged
|Boolean
|True if flagged, false otherwise
getPartitionTablePostfix
getReason
|-
|reason
|Reason
|The reason
getRequestLine
|-
|requestLine
|RequestLine
|The request line
getRuleId
|-
|ruleId
|Integer
|Integer
|The rule ID
|The rule ID
getSessionEvent
|-
|-
|sessionEvent
|sessionEvent
|SessionEvent
|SessionEvent
|The session event
|The session event
getTag
getTimeStamp
|-
|-
|timeStamp
|timeStamp
Line 1,706: Line 2,285:
|The timestamp
|The timestamp
|}
|}
<section end='CaptureRuleEvent' />
<section end='WebFilterEvent' />




== VirusSmtpEvent ==
== WebFilterQueryEvent ==
<section begin='VirusSmtpEvent' />
<section begin='WebFilterQueryEvent' />


These events are created by [[Virus Blocker]] and update the [[Global_DB_schema#mail_msgs|mail_msgs]] table when Virus Blocker scans an email.
These events are created by [[Web Filter]] and inserted to the [[Database_Schema#http_query_events|http_query_events]] table when web filter processes a search engine search.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,718: Line 2,297:
! Type
! Type
! Description
! Description
getAppName
|-
|-
|action
|appName
|String
|String
|The action
|The name of the application
getBlocked
|-
|blocked
|Boolean
|True if blocked, false otherwise
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getContentLength
|-
|-
|clean
|contentLength
|boolean
|long
|True if clean, false otherwise
|The content length
getFlagged
|-
|-
|messageId
|flagged
|Long
|Boolean
|The message ID
|True if flagged, false otherwise
getHost
|-
|-
|nodeName
|host
|String
|String
|The name of the application
|The host
getMethod
|-
|method
|HttpMethod
|The method
getPartitionTablePostfix
getRequestId
|-
|-
|timeStamp
|requestId
|Timestamp
|Long
|The timestamp
|The request ID
getRequestUri
|-
|-
|virusName
|requestUri
|String
|URI
|The virus name, if not clean
|The request URI
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getTag
getTerm
|-
|term
|String
|The search term/phrase
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
|}
<section end='VirusSmtpEvent' />
<section end='WebFilterQueryEvent' />




== VirusFtpEvent ==
== WanFailoverTestEvent ==
<section begin='VirusFtpEvent' />
<section begin='WanFailoverTestEvent' />


These events are created by [[Virus Blocker]] and update the [[Global_DB_schema#ftp_events|ftp_events]] table when Virus Blocker scans an FTP transfer.
These events are created by [[WAN Failover]] and inserted to the [[Database_Schema#wan_failover_test_events|wan_failover_test_events]] table when a test is run.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,759: Line 2,372:
! Type
! Type
! Description
! Description
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getDescription
|-
|-
|clean
|description
|boolean
|True if clean, false otherwise
|-
|nodeName
|String
|String
|The name of the application
|The description
getInterfaceId
|-
|-
|sessionEvent
|interfaceId
|SessionEvent
|int
|The session event
|The interface ID
getName
|-
|name
|String
|The test name
getOsName
|-
|osName
|String
|The O/S interface name
getPartitionTablePostfix
getSuccess
|-
|success
|Boolean
|True if successful, false otherwise
getTag
getTimeStamp
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|uri
|String
|The URI
|-
|virusName
|String
|The virus name, if not clean
|}
|}
<section end='VirusFtpEvent' />
<section end='WanFailoverTestEvent' />




== VirusHttpEvent ==
== WanFailoverEvent ==
<section begin='VirusHttpEvent' />
<section begin='WanFailoverEvent' />


These events are created by [[Virus Blocker]] and update the [[Global_DB_schema#http_events|http_events]] table when Virus Blocker scans an HTTP transfer.
These events are created by [[WAN Failover]] and inserted to the [[Database_Schema#wan_failover_action_events|wan_failover_action_events]] table when WAN Failover takes an action.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
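Review bot: The bare getter names the new revision adds between rows (getClass, getDescription, getInterfaceId, getName, getOsName, getSuccess, getTimeStamp) are not table markup. A wikitext line that does not start with | or ! continues the preceding cell, so each name renders inside the previous row's Description cell, and the first one lands in the header cell. getPartitionTablePostfix and getTag also have no attribute row of their own. Either drop these lines or move them into a dedicated column so the table stays at three clean columns.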
Line 1,800: Line 2,422:
! Type
! Type
! Description
! Description
getAction
|-
|-
|class
|action
|WanFailoverEvent$Action
|The action
getClass
|-
|class
|Class
|Class
|The class name
|The class name
getInterfaceId
|-
|-
|clean
|interfaceId
|boolean
|int
|True if clean, false otherwise
|The interface ID
getName
|-
|-
|nodeName
|name
|String
|String
|The name of the application
|The name
getOsName
|-
|-
|requestId
|osName
|Long
|String
|The request ID
|The O/S interface name
getPartitionTablePostfix
getTag
getTimeStamp
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|virusName
|String
|The virus name, if not clean
|}
|}
<section end='VirusHttpEvent' />
<section end='WanFailoverEvent' />




== OpenVpnEvent ==
== ThreatPreventionEvent ==
<section begin='OpenVpnEvent' />
<section begin='ThreatPreventionEvent' />


These events are created by [[OpenVPN]] and update the [[Global_DB_schema#openvpn_events|openvpn_events]] table when OpenVPN processes a client action.
These events are created by [[Threat Prevention]] and inserted to the [[Database_Schema#sessions|sessions]] table for each threat lookup.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,837: Line 2,467:
! Type
! Type
! Description
! Description
getBlocked
|-
|-
|address
|blocked
|InetAddress
|boolean
|The address
|True if blocked, false otherwise
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getClientCategories
|-
|clientCategories
|int
|Client threat categories
getClientReputation
|-
|clientReputation
|int
|Client threat reputation
getFlagged
|-
|flagged
|boolean
|True if flagged, false otherwise
getPartitionTablePostfix
getRuleId
|-
|ruleId
|long
|The rule ID
getServerCategories
|-
|serverCategories
|int
|Server threat categories
getServerReputation
|-
|-
|clientName
|serverReputation
|String
|int
|The client name
|Server threat reputation
getSessionId
|-
|-
|poolAddress
|sessionId
|InetAddress
|Long
|The pool address
|The session ID
getTag
getTimeStamp
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
|-
|type
|OpenVpnEvent$EventType
|The type
|}
|}
<section end='OpenVpnEvent' />
<section end='ThreatPreventionEvent' />




== OpenVpnStatusEvent ==
== ThreatPreventionHttpEvent ==
<section begin='OpenVpnStatusEvent' />
<section begin='ThreatPreventionHttpEvent' />


These events are created by [[OpenVPN]] and update the [[Global_DB_schema#openvpn_stats|openvpn_stats]] table periodically.
These events are created by [[Threat Prevention]] and inserted to the [[Database_Schema#http_events|http_events]] table for each threat lookup.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
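Review bot: The new ThreatPreventionEvent rows for clientCategories, serverCategories, clientReputation and serverReputation are typed int but described only as "Client threat categories", "Server threat reputation" and so on, which leaves out what an alert-rule author needs: how the integer encodes categories and what range or direction the reputation value uses. Add the encoding and scale to the Description column, or link to the Threat Prevention page where they are defined.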
Line 1,874: Line 2,532:
! Type
! Type
! Description
! Description
getBlocked
|-
|-
|address
|blocked
|InetAddress
|Boolean
|The address
|True if blocked, false otherwise
getCategories
|-
|-
|bytesRxDelta
|categories
|long
|Integer
|The delta number of RX (received) bytes from the previous event
|Server threat categories
|-
getClass
|bytesRxTotal
|long
|The total number of RX (received) bytes
|-
|bytesTxDelta
|long
|The delta number of TX (transmitted) bytes from the previous event
|-
|bytesTxTotal
|long
|The total number of TX (transmitted) bytes
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getFlagged
|-
|-
|clientName
|flagged
|String
|Boolean
|The client name
|True if flagged, false otherwise
getPartitionTablePostfix
getReputation
|-
|-
|end
|reputation
|Timestamp
|Integer
|The end
|Server threat reputation
getRequestLine
|-
|-
|poolAddress
|requestLine
|InetAddress
|RequestLine
|The pool address
|The request line
getRuleId
|-
|-
|port
|ruleId
|int
|Integer
|The port
|The rule ID
getSessionEvent
|-
|-
|start
|sessionEvent
|Timestamp
|SessionEvent
|The start
|The session event
getTag
getTimeStamp
|-
|-
|timeStamp
|timeStamp
Line 1,923: Line 2,580:
|The timestamp
|The timestamp
|}
|}
<section end='OpenVpnStatusEvent' />
<section end='ThreatPreventionHttpEvent' />




== SmtpMessageAddressEvent ==
== SpamLogEvent ==
<section begin='SmtpMessageAddressEvent' />
<section begin='SpamLogEvent' />


These events are created by SMTP subsystem and inserted to the [[Global_DB_schema#mail_addrs|mail_addrs]] table for each address on each email.
These events are created by [[Spam Blocker]] and update the [[Database_Schema#mail_msgs|mail_msgs]] table when an email is scanned.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 1,935: Line 2,592:
! Type
! Type
! Description
! Description
getAction
|-
|-
|addr
|action
|String
|SpamMessageAction
|The address
|The action
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getClientAddr
|-
|clientAddr
|InetAddress
|The client address
getClientPort
|-
|-
|kind
|clientPort
|AddressKind
|int
|The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
|The client port
getMessageId
|-
|-
|messageId
|messageId
|Long
|Long
|The message ID
|The message ID
getPartitionTablePostfix
getReceiver
|-
|receiver
|String
|The receiver
getScore
|-
|-
|personal
|score
|float
|The score
getSender
|-
|sender
|String
|String
|personal
|The sender
getServerAddr
|-
|-
|timeStamp
|serverAddr
|Timestamp
|InetAddress
|The timestamp
|The server address
|}
getServerPort
<section end='SmtpMessageAddressEvent' />
|-
 
|serverPort
 
|int
== SmtpMessageEvent ==
|The server port
<section begin='SmtpMessageEvent' />
getSmtpMessageEvent
 
These events are created by SMTP subsystem and inserted to the [[Global_DB_schema#mail_msgs|mail_msgs]] table for each email.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
|-
|-
|addresses
|smtpMessageEvent
|Set
|SmtpMessageEvent
|The addresses
|The parent SMTP message event
isSpam
|-
|-
|class
|isSpam
|Class
|boolean
|The class name
|True if spam, false otherwise
getSubject
|-
|-
|envelopeFromAddress
|subject
|String
|String
|The envelop FROM address
|The subject
getTag
getTestsString
|-
|-
|envelopeToAddress
|testsString
|String
|String
|The envelope TO address
|The tests string from the spam engine
|-
getTimeStamp
|messageId
|Long
|The message ID
|-
|receiver
|String
|The receiver
|-
|sender
|String
|The sender
|-
|sessionEvent
|SessionEvent
|The session event
|-
|sessionId
|Long
|The session ID
|-
|subject
|String
|The subject
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getVendorName
|-
|-
|tmpFile
|vendorName
|File
|String
|The /tmp file
|The application name
|}
|}
<section end='SmtpMessageEvent' />
<section end='SpamLogEvent' />




== LoginEvent ==
== SpamSmtpTarpitEvent ==
<section begin='LoginEvent' />
<section begin='SpamSmtpTarpitEvent' />


These events are created by [[Directory Connector]] and inserted to the [[Global_DB_schema#directory_connector_login_events|directory_connector_login_events]] table for each login.
These events are created by [[Spam Blocker]] and inserted to the [[Database_Schema#smtp_tarpit_events|smtp_tarpit_events]] table when a session is tarpitted.


{| border="1" cellpadding="2" width="90%" align="center"
{| border="1" cellpadding="2" width="90%" align="center"
Line 2,033: Line 2,687:
! Type
! Type
! Description
! Description
getIPAddr
|-
|IPAddr
|InetAddress
|The IP address
getClass
|-
|-
|class
|class
|Class
|Class
|The class name
|The class name
getHostname
|-
|-
|clientAddr
|hostname
|InetAddress
|The client address
|-
|domain
|String
|String
|The domain
|The hostname
getPartitionTablePostfix
getSessionEvent
|-
|-
|event
|sessionEvent
|String
|SessionEvent
|The event
|The session event
getSessionId
|-
|-
|loginName
|sessionId
|String
|Long
|The login name
|The session ID
getTag
getTimeStamp
|-
|-
|timeStamp
|timeStamp
|Timestamp
|Timestamp
|The timestamp
|The timestamp
getVendorName
|-
|vendorName
|String
|The application name
|}
|}
<section end='LoginEvent' />
<section end='SpamSmtpTarpitEvent' />
 
 
== ConfigurationBackupEvent ==
<section begin='ConfigurationBackupEvent' />
 
These events are created by [[Configuration Backup]] and inserted to the [[Database_Schema#configuratio_backup_events|configuratio_backup_events]] table when a backup occurs.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|class
|Class
|The class name
getDestination
|-
|destination
|String
|The destination
getDetail
|-
|detail
|String
|The details
getPartitionTablePostfix
getSuccess
|-
|success
|boolean
|True if successful, false otherwise
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='ConfigurationBackupEvent' />
 
 
== TunnelStatusEvent ==
<section begin='TunnelStatusEvent' />
 
These events are created by [[IPsec VPN]] and inserted to the [[Database_Schema#ipsec_tunnel_stats|ipsec_tunnel_stats]] table periodically.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|class
|Class
|The class name
getInBytes
|-
|inBytes
|long
|The number of bytes received from this tunnel
getOutBytes
|-
|outBytes
|long
|The number of bytes sent in this tunnel
getPartitionTablePostfix
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
getTunnelName
|-
|tunnelName
|String
|The name of this tunnel
|}
<section end='TunnelStatusEvent' />
 
 
== IpsecVpnEvent ==
<section begin='IpsecVpnEvent' />
 
These events are created by [[IPsec VPN]] and inserted to the [[Database_Schema#ipsec_vpn_events|ipsec_vpn_events]] table when IPsec connection event occurs.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|class
|Class
|The class name
getEventType
|-
|eventType
|IpsecVpnEvent$EventType
|The event type
getLocalAddress
|-
|localAddress
|String
|The local host address
getPartitionTablePostfix
getRemoteAddress
|-
|remoteAddress
|String
|The remote host address
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
getTunnelDescription
|-
|tunnelDescription
|String
|Description of tunnel
|}
<section end='IpsecVpnEvent' />
 
 
== VirtualUserEvent ==
<section begin='VirtualUserEvent' />
 
These events are created by [[IPsec VPN]] and inserted to the [[Database_Schema#ipsec_user_events|ipsec_user_events]] table when a user event occurs.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|class
|Class
|The class name
getClientAddress
|-
|clientAddress
|InetAddress
|The client address
getClientProtocol
|-
|clientProtocol
|String
|The client protocol
getClientUsername
|-
|clientUsername
|String
|The client username
getElapsedTime
|-
|elapsedTime
|String
|The elapsed time
getEventId
|-
|eventId
|Long
|The event ID
getNetInterface
|-
|netInterface
|String
|The net interface
getNetProcess
|-
|netProcess
|String
|The net process
getNetRXbytes
|-
|netRXbytes
|Long
|The number of RX (received) bytes
getNetTXbytes
|-
|netTXbytes
|Long
|The number of TX (transmitted) bytes
getPartitionTablePostfix
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='VirtualUserEvent' />
 
 
== SslInspectorLogEvent ==
<section begin='SslInspectorLogEvent' />
 
These events are created by [[SSL Inspector]] and update the [[Database_Schema#sessions|sessions]] table when a session is processed by SSL Inspector.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getClass
|-
|class
|Class
|The class name
getDetail
|-
|detail
|String
|The details
getPartitionTablePostfix
getRuleId
|-
|ruleId
|Integer
|The rule ID
getSessionEvent
|-
|sessionEvent
|SessionEvent
|The session event
getStatus
|-
|status
|String
|The status
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='SslInspectorLogEvent' />
 
 
== ApplicationControlLiteEvent ==
<section begin='ApplicationControlLiteEvent' />
 
These events are created by [[Application Control Lite]] and update the [[Database_Schema#sessions|sessions]] table when application control lite identifies a session.
 
{| border="1" cellpadding="2" width="90%" align="center"
! Attribute Name
! Type
! Description
getBlocked
|-
|blocked
|boolean
|True if blocked, false otherwise
getClass
|-
|class
|Class
|The class name
getPartitionTablePostfix
getProtocol
|-
|protocol
|String
|The protocol
getSessionId
|-
|sessionId
|Long
|The session ID
getTag
getTimeStamp
|-
|timeStamp
|Timestamp
|The timestamp
|}
<section end='ApplicationControlLiteEvent' />
 
 
}
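Review bot: The ConfigurationBackupEvent intro links to Database_Schema#configuratio_backup_events and labels it configuratio_backup_events, which reads as a typo for configuration_backup_events; if the schema page's anchor is spelled in full, this link will not resolve. Check the table name against the Database Schema page and fix both the anchor and the label. Two smaller points in the same hunk: the lone } after the ApplicationControlLiteEvent section closes nothing and should be removed, and the IpsecVpnEvent intro should read "when an IPsec connection event occurs".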

Latest revision as of 15:36, 9 February 2020

All event data is stored in the Database Schema in a relational database. As Untangle and applications process traffic, they create Event objects that add and modify content in the database. Each event has its own class/object with certain fields that modify the database in a certain way.

The list below shows the classes used in the event logging and the attributes of each event object. These can be used to add alerts in Reports or for other event handling within Untangle.

SpamLogEvent

<section begin='SpamLogEvent' />

These events are created by Spam Blocker and update the mail_msgs table when an email is scanned.

Attribute Name Type Description

getAction

action SpamMessageAction The action

getClass

class Class The class name

getClientAddr

clientAddr InetAddress The client address

getClientPort

clientPort int The client port

getMessageId

messageId Long The message ID

getPartitionTablePostfix getReceiver

receiver String The receiver

getScore

score float The score

getSender

sender String The sender

getServerAddr

serverAddr InetAddress The server address

getServerPort

serverPort int The server port

getSmtpMessageEvent

smtpMessageEvent SmtpMessageEvent The parent SMTP message event

isSpam

isSpam boolean True if spam, false otherwise

getSubject

subject String The subject

getTag getTestsString

testsString String The tests string from the spam engine

getTimeStamp

timeStamp Timestamp The timestamp

getVendorName

vendorName String The application name

<section end='SpamLogEvent' />


SpamSmtpTarpitEvent

<section begin='SpamSmtpTarpitEvent' />

These events are created by Spam Blocker and inserted to the smtp_tarpit_events table when a session is tarpitted.

Attribute Name Type Description

getIPAddr

IPAddr InetAddress The IP address

getClass

class Class The class name

getHostname

hostname String The hostname

getPartitionTablePostfix getSessionEvent

sessionEvent SessionEvent The session event

getSessionId

sessionId Long The session ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

getVendorName

vendorName String The application name

<section end='SpamSmtpTarpitEvent' />


PrioritizeEvent

<section begin='PrioritizeEvent' />

These events are created by Bandwidth Control and update the session table when a session is prioritized.

Attribute Name Type Description

getClass

class Class The class name

getPartitionTablePostfix getPriority

priority int The priority

getRuleId

ruleId int The rule ID

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='PrioritizeEvent' />


VirusFtpEvent

<section begin='VirusFtpEvent' />

These events are created by Virus Blocker and update the ftp_events table when Virus Blocker scans an FTP transfer.

Attribute Name Type Description

getAppName

appName String The name of the application

getClass

class Class The class name

getClean

clean boolean True if clean, false otherwise

getPartitionTablePostfix getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

getUri

uri String The URI

getVirusName

virusName String The virus name, if not clean

<section end='VirusFtpEvent' />


VirusHttpEvent

<section begin='VirusHttpEvent' />

These events are created by Virus Blocker and update the http_events table when Virus Blocker scans an HTTP transfer.

Attribute Name Type Description

getAppName

appName String The name of the application

getClass

class Class The class name

getClean

clean boolean True if clean, false otherwise

getPartitionTablePostfix getRequestLine

requestLine RequestLine The request line

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

getVirusName

virusName String The virus name, if not clean

<section end='VirusHttpEvent' />


VirusSmtpEvent

<section begin='VirusSmtpEvent' />

These events are created by Virus Blocker and update the mail_msgs table when Virus Blocker scans an email.

Attribute Name Type Description

getAction

action String The action

getAppName

appName String The name of the application

getClass

class Class The class name

getClean

clean boolean True if clean, false otherwise

getMessageId

messageId Long The message ID

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

getVirusName

virusName String The virus name, if not clean

<section end='VirusSmtpEvent' />


FirewallEvent

<section begin='FirewallEvent' />

These events are created by Firewall and update the sessions table when a firewall rule matches a session.

Attribute Name Type Description

getBlocked

blocked boolean True if blocked, false otherwise

getClass

class Class The class name

getFlagged

flagged boolean True if flagged, false otherwise

getPartitionTablePostfix getRuleId

ruleId long The rule ID

getSessionId

sessionId Long The session ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='FirewallEvent' />


OpenVpnStatusEvent

<section begin='OpenVpnStatusEvent' />

These events are created by OpenVPN and update the openvpn_stats table periodically.

Attribute Name Type Description

getAddress

address InetAddress The address

getBytesRxDelta

bytesRxDelta long The delta number of RX (received) bytes from the previous event

getBytesRxTotal

bytesRxTotal long The total number of RX (received) bytes

getBytesTxDelta

bytesTxDelta long The delta number of TX (transmitted) bytes from the previous event

getBytesTxTotal

bytesTxTotal long The total number of TX (transmitted) bytes

getClass

class Class The class name

getClientName

clientName String The client name

getEnd

end Timestamp The end

getPartitionTablePostfix getPoolAddress

poolAddress InetAddress The pool address

getPort

port int The port

getStart

start Timestamp The start

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='OpenVpnStatusEvent' />


OpenVpnEvent

<section begin='OpenVpnEvent' />

These events are created by OpenVPN and update the openvpn_events table when OpenVPN processes a client action.

Attribute Name Type Description

getAddress

address InetAddress The address

getClass

class Class The class name

getClientName

clientName String The client name

getPartitionTablePostfix getPoolAddress

poolAddress InetAddress The pool address

getTag getTimeStamp

timeStamp Timestamp The timestamp

getType

type OpenVpnEvent$EventType The type

<section end='OpenVpnEvent' />


AdminLoginEvent

<section begin='AdminLoginEvent' />

These events are created by the base system and inserted to the admin_logins table when an administrator login is attempted or successful.

Attribute Name Type Description

getClass

class Class The class name

getClientAddress

clientAddress InetAddress The client address

getLocal

local boolean 1 if login is done via local console, 0 otherwise

getLogin

login String The login username

getPartitionTablePostfix getReason

reason String The reason

getSucceeded

succeeded boolean 1 if successful, 0 otherwise

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='AdminLoginEvent' />


AlertEvent

<section begin='AlertEvent' />

These events are created by Reports and inserted to the alerts table when an alert fires.

Attribute Name Type Description

getCausalRule

causalRule EventRule The causal rule

getCause

cause LogEvent The cause

getClass

class Class The class name

getDescription

description String The description

getEventSent

eventSent Boolean True if the event was sent, false otherwise

getJson

json String The JSON string

getPartitionTablePostfix getSummaryText

summaryText String The summary text

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='AlertEvent' />


InterfaceStatEvent

<section begin='InterfaceStatEvent' />

These events are created by the base system and inserted to the interface_stat_events table periodically with interface stats.

Attribute Name Type Description

getClass

class Class The class name

getInterfaceId

interfaceId int The interface ID

getPartitionTablePostfix getRxBytes

rxBytes double The total of received bytes

getRxRate

rxRate double The RX rate in byte/s

getTag getTimeStamp

timeStamp Timestamp The timestamp

getTxBytes

txBytes double The total of transmitted bytes

getTxRate

txRate double The TX rate in byte/s

<section end='InterfaceStatEvent' />


LogEvent

<section begin='LogEvent' />

This is the base class for all events.

Attribute Name Type Description

getClass

class Class The class name

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='LogEvent' />


SystemStatEvent

<section begin='SystemStatEvent' />

These events are created by the base system and inserted to the server_events table periodically.

Attribute Name Type Description

getActiveHosts

activeHosts int The active host count

getClass

class Class The class name

getCpuSystem

cpuSystem float The system CPU utilization

getCpuUser

cpuUser float The user CPU utilization

getDiskFree

diskFree long The amount of disk free

getDiskFreePercent

diskFreePercent float The percentage of disk free

getDiskTotal

diskTotal long The total size of the disk

getDiskUsed

diskUsed long The amount of disk used

getDiskUsedPercent

diskUsedPercent float The percentage of disk used

getLoad1

load1 float The 1-minute CPU load

getLoad15

load15 float The 15-minute CPU load

getLoad5

load5 float The 5-minute CPU load

getMemBuffers

memBuffers long The amount of memory used by buffers

getMemCache

memCache long The amount of memory used by cache

getMemFree

memFree long The amount of free memory

getMemFreePercent

memFreePercent float The percentage of total memory that is free

getMemTotal

memTotal long The total amount of memory

getMemUsed

memUsed long The amount of used memory

getMemUsedPercent

memUsedPercent float The percentage of total memory that is used

getPartitionTablePostfix getSwapFree

swapFree long The amount of free swap

getSwapFreePercent

swapFreePercent float The percentage of total swap that is free

getSwapTotal

swapTotal long The total size of swap

getSwapUsed

swapUsed long The amount of used swap

getSwapUsedPercent

swapUsedPercent float The percentage of total swap that is used

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='SystemStatEvent' />


HostTableEvent

<section begin='HostTableEvent' />

These events are created by the base system and inserted to the host_table_updates table when the host table is modified.

Attribute Name Type Description

getAddress

address InetAddress The address

getClass

class Class The class name

getKey

key String The key

getOldValue

oldValue String The old value

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

getValue

value String The value

<section end='HostTableEvent' />


DeviceTableEvent

<section begin='DeviceTableEvent' />

These events are created by the base system and inserted to the device_table_updates table when the device list is modified.

Attribute Name Type Description

getClass

class Class The class name

getDevice

device DeviceTableEntry The Device

getKey

key String The key

getMacAddress

macAddress String The MAC address

getOldValue

oldValue String The old value

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

getValue

value String The value

<section end='DeviceTableEvent' />


SettingsChangesEvent

<section begin='SettingsChangesEvent' />

These events are created by the base system and inserted to the settings_changes table when settings are changed.

Attribute Name Type Description

getClass

class Class The class name

getHostname

hostname String The hostname

getPartitionTablePostfix getSettingsFile

settingsFile String The settings file

getTag getTimeStamp

timeStamp Timestamp The timestamp

getUsername

username String The username

<section end='SettingsChangesEvent' />


UserTableEvent

<section begin='UserTableEvent' />

These events are created by the base system and inserted to the user_table_updates table when the user table is modified.

Attribute Name Type Description

getClass

class Class The class name

getKey

key String The key

getOldValue

oldValue String The old value

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

getUsername

username String The username

getValue

value String The value

<section end='UserTableEvent' />


SessionMinuteEvent

<section begin='SessionMinuteEvent' />

These events are created by the base system and update the session_minutes table each minute a session exists.

Attribute Name Type Description

getC2sBytes

c2sBytes long The number of bytes sent from the client to the server

getClass

class Class The class name

getPartitionTablePostfix getS2cBytes

s2cBytes long The number of bytes sent from the server to the client

getSessionId

sessionId long The session ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='SessionMinuteEvent' />


SessionEvent

<section begin='SessionEvent' />

These events are created by the base system and update the sessions table each time a session is created.

Attribute Name Type Description

getCClientAddr

CClientAddr InetAddress The client-side (pre-NAT) client address

getCClientPort

CClientPort Integer The client-side (pre-NAT) client port

getCServerAddr

CServerAddr InetAddress The client-side (pre-NAT) server address

getCServerPort

CServerPort Integer The client-side (pre-NAT) server port

getSClientAddr

SClientAddr InetAddress The server-side (post-NAT) client address

getSClientPort

SClientPort Integer The server-side (post-NAT) client port

getSServerAddr

SServerAddr InetAddress The server-side (post-NAT) server address

getSServerPort

SServerPort Integer The server-side (post-NAT) server port

getBypassed

bypassed boolean True if bypassed, false otherwise

getClass

class Class The class name

getClientCountry

clientCountry String The client country

getClientIntf

clientIntf Integer The client interface ID

getClientLatitude

clientLatitude Double The client latitude

getClientLongitude

clientLongitude Double The client longitude

getEntitled

entitled boolean The entitled status

getFilterPrefix

filterPrefix String The filter prefix if blocked by the filter rules

getHostname

hostname String The hostname

getIcmpType

icmpType Short The ICMP type

getLocalAddr

localAddr InetAddress The local host address

getPartitionTablePostfix getPolicyId

policyId Integer The policy ID

getPolicyRuleId

policyRuleId Integer The policy rule ID

getProtocol

protocol Short The protocol

getProtocolName

protocolName String The protocol name

getRemoteAddr

remoteAddr InetAddress The remote host address

getServerCountry

serverCountry String The server country

getServerIntf

serverIntf Integer The server interface ID

getServerLatitude

serverLatitude Double The server latitude

getServerLongitude

serverLongitude Double The server longitude

getSessionId

sessionId Long The session ID

getTag getTagsString

tagsString String The string value of all tags

getTimeStamp

timeStamp Timestamp The timestamp

getUsername

username String The username

<section end='SessionEvent' />


SessionStatsEvent

<section begin='SessionStatsEvent' />

These events are created by the base system and update the sessions table when a session ends with the updated stats.

Attribute Name Type Description

getC2pBytes

c2pBytes long The number of bytes sent from the client to Untangle

getClass

class Class The class name

getEndTime

endTime long The end time/date

getP2cBytes

p2cBytes long The number of bytes sent to the client from Untangle

getP2sBytes

p2sBytes long The number of bytes sent to the server from Untangle

getPartitionTablePostfix getS2pBytes

s2pBytes long The number of bytes sent from the server to Untangle

getSessionEvent

sessionEvent SessionEvent The session event

getSessionId

sessionId Long The session ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='SessionStatsEvent' />


SessionNatEvent

<section begin='SessionNatEvent' />

These events are created by the base system and update the sessions table each time a session is NATd with the post-NAT information.

Attribute Name Type Description

getSClientAddr

SClientAddr InetAddress The server-side (post-NAT) client address

getSClientPort

SClientPort Integer The server-side (post-NAT) client port

getSServerAddr

SServerAddr InetAddress The server-side (post-NAT) server address

getSServerPort

SServerPort Integer The server-side (post-NAT) server port

getClass

class Class The class name

getPartitionTablePostfix getServerIntf

serverIntf Integer The server interface ID

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='SessionNatEvent' />


QuotaEvent

<section begin='QuotaEvent' />

These events are created by Bandwidth Control and inserted to or update the quotas table when quotas are given or exceeded.

Attribute Name Type Description

getAction

action int The action (1=Quota Given, 2=Quota Exceeded)

getClass

class Class The class name

getEntity

entity String The entity

getPartitionTablePostfix getQuotaSize

quotaSize long The quota size

getReason

reason String The reason

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='QuotaEvent' />


SmtpMessageAddressEvent

<section begin='SmtpMessageAddressEvent' />

These events are created by the SMTP subsystem and inserted to the mail_addrs table for each address on each email.

Attribute Name Type Description

getAddr

addr String The address

getClass

class Class The class name

getKind

kind AddressKind The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)

getMessageId

messageId Long The message ID

getPartitionTablePostfix getPersonal

personal String personal

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='SmtpMessageAddressEvent' />


SmtpMessageEvent

<section begin='SmtpMessageEvent' />

These events are created by the SMTP subsystem and inserted to the mail_msgs table for each email.

Attribute Name Type Description

getAddresses

addresses Set The addresses

getClass

class Class The class name

getEnvelopeFromAddress

envelopeFromAddress String The envelope FROM address

getEnvelopeToAddress

envelopeToAddress String The envelope TO address

getMessageId

messageId Long The message ID

getPartitionTablePostfix getReceiver

receiver String The receiver

getSender

sender String The sender

getSessionEvent

sessionEvent SessionEvent The session event

getSessionId

sessionId Long The session ID

getSubject

subject String The subject

getTag getTimeStamp

timeStamp Timestamp The timestamp

getTmpFile

tmpFile File The /tmp file

<section end='SmtpMessageEvent' />


CaptureRuleEvent

<section begin='CaptureRuleEvent' />

These events are created by Captive Portal and update the sessions table when Captive Portal processes a session.

Attribute Name Type Description

getCaptured

captured boolean True if captured, false otherwise

getClass

class Class The class name

getPartitionTablePostfix getRuleId

ruleId Integer The rule ID

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='CaptureRuleEvent' />


CaptivePortalUserEvent

<section begin='CaptivePortalUserEvent' />

These events are created by Captive Portal and inserted to the captive_portal_user_events table when a Captive Portal user takes an action.

Attribute Name Type Description

getAuthenticationType

authenticationType CaptivePortalSettings$AuthenticationType The authentication type

getAuthenticationTypeValue

authenticationTypeValue String The authentication type as a string

getClass

class Class The class name

getClientAddr

clientAddr String The client address

getEvent

event CaptivePortalUserEvent$EventType The event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)

getEventValue

eventValue String The event value as a string (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)

getLoginName

loginName String The login name

getPartitionTablePostfix getPolicyId

policyId Integer The policy ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='CaptivePortalUserEvent' />


AdBlockerEvent

<section begin='AdBlockerEvent' />

These events are created by Ad Blocker and update the http_events table when an ad is blocked.

Attribute Name Type Description

getAction

action Action The action

getClass

class Class The class name

getPartitionTablePostfix getReason

reason String The reason

getRequestId

requestId Long The request ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='AdBlockerEvent' />


CookieEvent

<section begin='CookieEvent' />

These events are created by Ad Blocker and update the http_events table when a cookie is blocked.

Attribute Name Type Description

getClass

class Class The class name

getIdentification

identification String The identification string

getPartitionTablePostfix getRequestId

requestId Long The request ID

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='CookieEvent' />


HttpRequestEvent

<section begin='HttpRequestEvent' />

These events are created by the HTTP subsystem and inserted to the http_events table when a web request happens.

Attribute Name Type Description

getClass

class Class The class name

getContentLength

contentLength long The content length

getDomain

domain String The domain

getHost

host String The host

getMethod

method HttpMethod The HTTP method

getPartitionTablePostfix getReferer

referer String The referer

getRequestId

requestId Long The request ID

getRequestUri

requestUri URI The request URI

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='HttpRequestEvent' />


HttpResponseEvent

<section begin='HttpResponseEvent' />

These events are created by the HTTP subsystem and update the http_events table when a web response happens.

Attribute Name Type Description

getClass

class Class The class name

getContentFilename

contentFilename String The content filename

getContentLength

contentLength long The content length

getContentType

contentType String The content type

getHttpRequestEvent

httpRequestEvent HttpRequestEvent The corresponding HTTP request event

getPartitionTablePostfix getRequestLine

requestLine RequestLine The request line

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='HttpResponseEvent' />


WebCacheEvent

<section begin='WebCacheEvent' />

These events are created by Web Cache and inserted to the web_cache_stats table periodically.

Attribute Name Type Description

getBypassCount

bypassCount long The number of bypasses

getClass

class Class The class name

getHitBytes

hitBytes long The number of bytes worth of hits

getHitCount

hitCount long The number of hits

getMissBytes

missBytes long The number of bytes worth of misses

getMissCount

missCount long The number of misses

getPartitionTablePostfix getPolicyId

policyId Long The policy ID

getSystemCount

systemCount long The number of system bypasses

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='WebCacheEvent' />


TunnelVpnStatusEvent

<section begin='TunnelVpnStatusEvent' />

These events are created by Tunnel VPN and inserted to the tunnel_vpn_stats table periodically.

Attribute Name Type Description

getClass

class Class The class name

getInBytes

inBytes long The number of bytes received from this tunnel

getOutBytes

outBytes long The number of bytes sent in this tunnel

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

getTunnelName

tunnelName String The name of this tunnel

<section end='TunnelVpnStatusEvent' />


TunnelVpnEvent

<section begin='TunnelVpnEvent' />

These events are created by Tunnel VPN and inserted to the tunnel_vpn_events table when a tunnel connection event occurs.

Attribute Name Type Description

getClass

class Class The class name

getEventType

eventType TunnelVpnEvent$EventType The event type

getLocalAddress

localAddress InetAddress The local host address

getPartitionTablePostfix getServerAddress

serverAddress InetAddress The server address

getTag getTimeStamp

timeStamp Timestamp The timestamp

getTunnelName

tunnelName String The name of this tunnel

<section end='TunnelVpnEvent' />


IntrusionPreventionLogEvent

<section begin='IntrusionPreventionLogEvent' />

These events are created by Intrusion Prevention and inserted to the intrusion_prevention_events table when a rule matches.

Attribute Name Type Description

getBlocked

blocked boolean True if blocked, false otherwise

getCategory

category String The category

getClass

class Class The class name

getClassificationId

classificationId long The classification ID

getClasstype

classtype String The classtype

getDportIcode

dportIcode int The dportIcode

getEventId

eventId long The event ID

getEventMicrosecond

eventMicrosecond long The event microsecond

getEventSecond

eventSecond long The event second

getEventType

eventType long The event type

getGeneratorId

generatorId long The generator ID

getImpact

impact short The impact

getImpactFlag

impactFlag short The impact flag

getIpDestination

ipDestination InetAddress The IP address destination

getIpSource

ipSource InetAddress The IP address source

getMplsLabel

mplsLabel long The mplsLabel

getMsg

msg String The msg

getPadding

padding int The padding

getPartitionTablePostfix getPriorityId

priorityId long The priority ID

getProtocol

protocol short The protocol

getRid

rid String Rule ID

getSensorId

sensorId long The sensor ID

getSignatureId

signatureId long The signature ID

getSignatureRevision

signatureRevision long The signature revision

getSportItype

sportItype int The sportItype

getTag getTimeStamp

timeStamp Timestamp The timestamp

getVlanId

vlanId int The VLAN ID

<section end='IntrusionPreventionLogEvent' />


ApplicationControlLogEvent

<section begin='ApplicationControlLogEvent' />

These events are created by Application Control and update the sessions table when application control identifies a session.

Attribute Name Type Description

getApplication

application String The application

getBlocked

blocked boolean True if blocked, false otherwise

getCategory

category String The category

getClass

class Class The class name

getConfidence

confidence Integer The confidence (0-100)

getDetail

detail String The details

getFlagged

flagged boolean True if flagged, false otherwise

getPartitionTablePostfix getProtochain

protochain String The protochain

getRuleId

ruleId Integer The rule ID

getSessionEvent

sessionEvent SessionEvent The session event

getState

state Integer The state

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='ApplicationControlLogEvent' />


LoginEvent

<section begin='LoginEvent' />

These events are created by Directory Connector and inserted to the directory_connector_login_events table for each login.

Attribute Name Type Description

getClass

class Class The class name

getClientAddr

clientAddr InetAddress The client address

getDomain

domain String The domain

getEvent

event String The event

getLoginName

loginName String The login name

getLoginType

loginType String W=Windows login, A=Active Directory, R=RADIUS, T=test

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='LoginEvent' />


WebFilterEvent

<section begin='WebFilterEvent' />

These events are created by Web Filter and update the http_events table when web filter processes a web request.

Attribute Name Type Description

getAppName

appName String The name of the application

getBlocked

blocked Boolean True if blocked, false otherwise

getCategory

category String The category

getCategoryId

categoryId Integer Numeric value of matching category

getClass

class Class The class name

getFlagged

flagged Boolean True if flagged, false otherwise

getPartitionTablePostfix getReason

reason Reason The reason

getRequestLine

requestLine RequestLine The request line

getRuleId

ruleId Integer The rule ID

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='WebFilterEvent' />


WebFilterQueryEvent

<section begin='WebFilterQueryEvent' />

These events are created by Web Filter and inserted to the http_query_events table when web filter processes a search engine search.

Attribute Name Type Description

getAppName

appName String The name of the application

getBlocked

blocked Boolean True if blocked, false otherwise

getClass

class Class The class name

getContentLength

contentLength long The content length

getFlagged

flagged Boolean True if flagged, false otherwise

getHost

host String The host

getMethod

method HttpMethod The method

getPartitionTablePostfix getRequestId

requestId Long The request ID

getRequestUri

requestUri URI The request URI

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTerm

term String The search term/phrase

getTimeStamp

timeStamp Timestamp The timestamp

<section end='WebFilterQueryEvent' />


WanFailoverTestEvent

<section begin='WanFailoverTestEvent' />

These events are created by WAN Failover and inserted to the wan_failover_test_events table when a test is run.

Attribute Name Type Description

getClass

class Class The class name

getDescription

description String The description

getInterfaceId

interfaceId int The interface ID

getName

name String The test name

getOsName

osName String The O/S interface name

getPartitionTablePostfix getSuccess

success Boolean True if successful, false otherwise

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='WanFailoverTestEvent' />


WanFailoverEvent

<section begin='WanFailoverEvent' />

These events are created by WAN Failover and inserted to the wan_failover_action_events table when WAN Failover takes an action.

Attribute Name Type Description

getAction

action WanFailoverEvent$Action The action

getClass

class Class The class name

getInterfaceId

interfaceId int The interface ID

getName

name String The name

getOsName

osName String The O/S interface name

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='WanFailoverEvent' />


ThreatPreventionEvent

<section begin='ThreatPreventionEvent' />

These events are created by Threat Prevention and inserted to the sessions table for each threat lookup.

Attribute Name Type Description

getBlocked

blocked boolean True if blocked, false otherwise

getClass

class Class The class name

getClientCategories

clientCategories int Client threat categories

getClientReputation

clientReputation int Client threat reputation

getFlagged

flagged boolean True if flagged, false otherwise

getPartitionTablePostfix getRuleId

ruleId long The rule ID

getServerCategories

serverCategories int Server threat categories

getServerReputation

serverReputation int Server threat reputation

getSessionId

sessionId Long The session ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='ThreatPreventionEvent' />


ThreatPreventionHttpEvent

<section begin='ThreatPreventionHttpEvent' />

These events are created by Threat Prevention and inserted to the http_events table for each threat lookup.

Attribute Name Type Description

getBlocked

blocked Boolean True if blocked, false otherwise

getCategories

categories Integer Server threat categories

getClass

class Class The class name

getFlagged

flagged Boolean True if flagged, false otherwise

getPartitionTablePostfix getReputation

reputation Integer Server threat reputation

getRequestLine

requestLine RequestLine The request line

getRuleId

ruleId Integer The rule ID

getSessionEvent

sessionEvent SessionEvent The session event

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='ThreatPreventionHttpEvent' />


SpamLogEvent

<section begin='SpamLogEvent' />

These events are created by Spam Blocker and update the mail_msgs table when an email is scanned.

Attribute Name Type Description

getAction

action SpamMessageAction The action

getClass

class Class The class name

getClientAddr

clientAddr InetAddress The client address

getClientPort

clientPort int The client port

getMessageId

messageId Long The message ID

getPartitionTablePostfix getReceiver

receiver String The receiver

getScore

score float The score

getSender

sender String The sender

getServerAddr

serverAddr InetAddress The server address

getServerPort

serverPort int The server port

getSmtpMessageEvent

smtpMessageEvent SmtpMessageEvent The parent SMTP message event

isSpam

isSpam boolean True if spam, false otherwise

getSubject

subject String The subject

getTag getTestsString

testsString String The tests string from the spam engine

getTimeStamp

timeStamp Timestamp The timestamp

getVendorName

vendorName String The application name

<section end='SpamLogEvent' />


SpamSmtpTarpitEvent

<section begin='SpamSmtpTarpitEvent' />

These events are created by Spam Blocker and inserted to the smtp_tarpit_events table when a session is tarpitted.

Attribute Name Type Description

getIPAddr

IPAddr InetAddress The IP address

getClass

class Class The class name

getHostname

hostname String The hostname

getPartitionTablePostfix getSessionEvent

sessionEvent SessionEvent The session event

getSessionId

sessionId Long The session ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

getVendorName

vendorName String The application name

<section end='SpamSmtpTarpitEvent' />


ConfigurationBackupEvent

<section begin='ConfigurationBackupEvent' />

These events are created by Configuration Backup and inserted to the configuration_backup_events table when a backup occurs.

Attribute Name Type Description

getClass

class Class The class name

getDestination

destination String The destination

getDetail

detail String The details

getPartitionTablePostfix getSuccess

success boolean True if successful, false otherwise

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='ConfigurationBackupEvent' />


TunnelStatusEvent

<section begin='TunnelStatusEvent' />

These events are created by IPsec VPN and inserted to the ipsec_tunnel_stats table periodically.

Attribute Name Type Description

getClass

class Class The class name

getInBytes

inBytes long The number of bytes received from this tunnel

getOutBytes

outBytes long The number of bytes sent in this tunnel

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

getTunnelName

tunnelName String The name of this tunnel

<section end='TunnelStatusEvent' />


IpsecVpnEvent

<section begin='IpsecVpnEvent' />

These events are created by IPsec VPN and inserted to the ipsec_vpn_events table when an IPsec connection event occurs.

Attribute Name Type Description

getClass

class Class The class name

getEventType

eventType IpsecVpnEvent$EventType The event type

getLocalAddress

localAddress String The local host address

getPartitionTablePostfix getRemoteAddress

remoteAddress String The remote host address

getTag getTimeStamp

timeStamp Timestamp The timestamp

getTunnelDescription

tunnelDescription String Description of tunnel

<section end='IpsecVpnEvent' />


VirtualUserEvent

<section begin='VirtualUserEvent' />

These events are created by IPsec VPN and inserted to the ipsec_user_events table when a user event occurs.

Attribute Name Type Description

getClass

class Class The class name

getClientAddress

clientAddress InetAddress The client address

getClientProtocol

clientProtocol String The client protocol

getClientUsername

clientUsername String The client username

getElapsedTime

elapsedTime String The elapsed time

getEventId

eventId Long The event ID

getNetInterface

netInterface String The net interface

getNetProcess

netProcess String The net process

getNetRXbytes

netRXbytes Long The number of RX (received) bytes

getNetTXbytes

netTXbytes Long The number of TX (transmitted) bytes

getPartitionTablePostfix getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='VirtualUserEvent' />


SslInspectorLogEvent

<section begin='SslInspectorLogEvent' />

These events are created by SSL Inspector and update the sessions table when a session is processed by SSL Inspector.

Attribute Name Type Description

getClass

class Class The class name

getDetail

detail String The details

getPartitionTablePostfix getRuleId

ruleId Integer The rule ID

getSessionEvent

sessionEvent SessionEvent The session event

getStatus

status String The status

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='SslInspectorLogEvent' />


ApplicationControlLiteEvent

<section begin='ApplicationControlLiteEvent' />

These events are created by Application Control Lite and update the sessions table when application control lite identifies a session.

Attribute Name Type Description

getBlocked

blocked boolean True if blocked, false otherwise

getClass

class Class The class name

getPartitionTablePostfix getProtocol

protocol String The protocol

getSessionId

sessionId Long The session ID

getTag getTimeStamp

timeStamp Timestamp The timestamp

<section end='ApplicationControlLiteEvent' />

