Database Schema: Difference between revisions

From Edge Threat Management Wiki - Arista
Jump to navigationJump to search
 
(One intermediate revision by one other user not shown)
Line 1: Line 1:
= Database Tables =
= Database Tables =


== admin_logins ==  
== configuration_backup_events ==  
<section begin='admin_logins' />
<section begin='configuration_backup_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 15: Line 15:
|The time of the event
|The time of the event
|-
|-
|login
|success
|Login
|Success
|boolean
|The result of the backup (true if the backup succeeded, false otherwise)
|-
|description
|Text detail of the event
|text
|text
|The login name
|Text detail of the event
|-
|-
|local
|destination
|Local
|Destination
|boolean
|text
|True if it is a login attempt through a local process
|The location of the backup
|-
|-
|client_addr
|event_id
|Client Address
|Event ID
|inet
|bigint
|The client IP address
|The unique event ID
|-
|succeeded
|Succeeded
|boolean
|True if the login succeeded, false otherwise
|-
|reason
|Reason
|character(1)
|The reason for the login (if applicable)
|-
|-
|}
|}
<section end='admin_logins' />
<section end='configuration_backup_events' />
()


 
== http_events ==  
== sessions ==  
<section begin='http_events' />
<section begin='sessions' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 53: Line 48:
!Description
!Description
|-
|-
|session_id
|request_id
|Session ID
|Request ID
|bigint
|bigint
|The session
|The HTTP request ID
|-
|-
|time_stamp
|time_stamp
Line 63: Line 58:
|The time of the event
|The time of the event
|-
|-
|end_time
|session_id
|End Time
|Session ID
|timestamp without time zone
|bigint
|The time the session ended
|The session
|-
|-
|bypassed
|client_intf
|Bypassed
|Client Interface
|boolean
|True if the session was bypassed, false otherwise
|-
|entitled
|Entitled
|boolean
|True if the session is entitled to premium functionality
|-
|protocol
|Protocol
|smallint
|smallint
|The IP protocol of session
|The client interface
|-
|-
|icmp_type
|server_intf
|ICMP Type
|Server Interface
|smallint
|smallint
|The ICMP type of session if ICMP
|The server interface
|-
|-
|hostname
|c_client_addr
|Hostname
|Client-side Client Address
|text
|inet
|The hostname of the local address
|The client-side client IP address
|-
|-
|username
|s_client_addr
|Username
|Server-side Client Address
|text
|inet
|The username associated with this session
|The server-side client IP address
|-
|policy_id
|Policy ID
|smallint
|The policy
|-
|policy_rule_id
|Policy Rule ID
|smallint
|The ID of the matching policy rule (0 means none)
|-
|c_client_addr
|Client-side Client Address
|inet
|The client-side client IP address
|-
|-
|c_server_addr
|c_server_addr
Line 118: Line 88:
|The client-side server IP address
|The client-side server IP address
|-
|-
|c_server_port
|s_server_addr
|Client-side Server Port
|Server-side Server Address
|integer
|inet
|The client-side server port
|The server-side server IP address
|-
|-
|c_client_port
|c_client_port
Line 128: Line 98:
|The client-side client port
|The client-side client port
|-
|-
|s_client_addr
|s_client_port
|Server-side Client Address
|Server-side Client Port
|inet
|integer
|The server-side client IP address
|The server-side client port
|-
|-
|s_server_addr
|c_server_port
|Server-side Server Address
|Client-side Server Port
|inet
|integer
|The server-side server IP address
|The client-side server port
|-
|-
|s_server_port
|s_server_port
Line 142: Line 112:
|integer
|integer
|The server-side server port
|The server-side server port
|-
|s_client_port
|Server-side Client Port
|integer
|The server-side client port
|-
|client_intf
|Client Interface
|smallint
|The client interface
|-
|server_intf
|Server Interface
|smallint
|The server interface
|-
|-
|client_country
|client_country
Line 188: Line 143:
|The server Longitude
|The server Longitude
|-
|-
|c2p_bytes
|policy_id
|From-Client Bytes
|Policy ID
|bigint
|smallint
|The number of bytes the client sent to Untangle (client-to-pipeline)
|The policy
|-
|-
|p2c_bytes
|username
|To-Client Bytes
|Username
|bigint
|text
|The number of bytes Untangle sent to client (pipeline-to-client)
|The username associated with this session
|-
|-
|s2p_bytes
|hostname
|From-Server Bytes
|Hostname
|bigint
|text
|The number of bytes the server sent to Untangle (client-to-pipeline)
|The hostname of the local address
|-
|-
|p2s_bytes
|method
|To-Server Bytes
|Method
|bigint
|character(1)
|The number of bytes Untangle sent to server (pipeline-to-client)
|The HTTP method
|-
|-
|filter_prefix
|uri
|Filter Block
|URI
|text
|text
|The network filter that blocked the connection (filter,shield,invalid)
|The HTTP URI
|-
|-
|firewall_blocked
|host
|Firewall Blocked
|Host
|boolean
|text
|True if Firewall blocked the session, false otherwise
|The HTTP host
|-
|-
|firewall_flagged
|domain
|Firewall Flagged
|Domain
|boolean
|text
|True if Firewall flagged the session, false otherwise
|The HTTP domain (shortened host)
|-
|-
|firewall_rule_index
|referer
|Firewall Rule ID
|Referer
|integer
|text
|The matching rule in Firewall (if any)
|The Referer URL
|-
|-
|threat_prevention_blocked
|c2s_content_length
|Threat Prevention Blocked
|Client-to-server Content Length
|boolean
|bigint
|True if Threat Prevention blocked the session, false otherwise
|The client-to-server content length
|-
|-
|threat_prevention_flagged
|s2c_content_length
|Threat Prevention Flagged
|Server-to-client Content Length
|boolean
|bigint
|True if Threat Prevention flagged the session, false otherwise
|The server-to-client content length
|-
|-
|threat_prevention_reason
|s2c_content_type
|Threat Prevention Reason
|Server-to-client Content Type
|Character(1)
|text
|The text detail from the Threat Prevention engine
|The server-to-client content type
|-
|s2c_content_filename
|Server-to-client Content Disposition Filename
|text
|The server-to-client content disposition filename
|-
|-
|threat_prevention_rule_id
|ad_blocker_cookie_ident
|Threat Prevention Rule ID
|Ad Blocker Cookie
|integer
|text
|The matching rule in Threat Prevention (if any)
|This name of cookie blocked by Ad Blocker
|-
|-
|threat_prevention_client_reputation
|ad_blocker_action
|Threat Prevention Client Reputation
|Ad Blocker Action
|smallint
|character(1)
|The client address reputation value
|This action of Ad Blocker on this request
|-
|-
|threat_prevention_client_categories
|web_filter_reason
|Threat Prevention Client Categories
|Reason for action (Web Filter)
|integer
|character(1)
|The client address reputation categories
|This reason Web Filter blocked/flagged this request
|-
|-
|threat_prevention_server_reputation
|web_filter_category_id
|Threat Prevention Server Reputation
|Web Category (Web Filter)
|smallint
|smallint
|The server address reputation value
|This numeric category according to Web Filter
|-
|-
|threat_prevention_server_categories
|web_filter_rule_id
|Threat Prevention Server Categories
|Web Rule (Web Filter)
|integer
|smallint
|The server address reputation categories
|This numeric rule according to Web Filter
|-
|-
|application_control_lite_protocol
|web_filter_blocked
|Application Control Lite Protocol
|Blocked (Web Filter)
|text
|boolean
|The application protocol according to Application Control Lite
|If Web Filter blocked this request
|-
|-
|application_control_lite_blocked
|web_filter_flagged
|Application Control Lite Blocked
|Flagged (Web Filter)
|boolean
|boolean
|True if Application Control Lite blocked the session
|If Web Filter flagged this request
|-
|-
|captive_portal_blocked
|virus_blocker_lite_clean
|Captive Portal Blocked
|Virus Blocker Lite Clean
|boolean
|boolean
|True if Captive Portal blocked the session
|The cleanliness of the file according to Virus Blocker Lite
|-
|-
|captive_portal_rule_index
|virus_blocker_lite_name
|Captive Portal Rule ID
|Virus Blocker Lite Name
|integer
|The matching rule in Captive Portal (if any)
|-
|application_control_application
|Application Control Application
|text
|text
|The application according to Application Control
|The name of the malware according to Virus Blocker Lite
|-
|-
|application_control_protochain
|virus_blocker_clean
|Application Control Protochain
|Virus Blocker Clean
|text
|boolean
|The protochain according to Application Control
|The cleanliness of the file according to Virus Blocker
|-
|-
|application_control_category
|virus_blocker_name
|Application Control Category
|Virus Blocker Name
|text
|text
|The category according to Application Control
|The name of the malware according to Virus Blocker
|-
|-
|application_control_blocked
|threat_prevention_blocked
|Application Control Blocked
|Threat Prevention Blocked
|boolean
|boolean
|True if Application Control blocked the session
|If Threat Prevention blocked this request
|-
|-
|application_control_flagged
|threat_prevention_flagged
|Application Control Flagged
|Threat Prevention Flagged
|boolean
|boolean
|True if Application Control flagged the session
|If Threat Prevention flagged this request
|-
|-
|application_control_confidence
|threat_prevention_rule_id
|Application Control Confidence
|Threat Prevention Rule Id
|integer
|integer
|True if Application Control confidence of this session's identification
|This numeric rule according to Threat Prevention
|-
|-
|application_control_ruleid
|threat_prevention_reputation
|Application Control Rule ID
|Threat Prevention Reputation
|integer
|smallint
|The matching rule in Application Control (if any)
|This numeric threat reputation
|-
|-
|application_control_detail
|threat_prevention_categories
|Application Control Detail
|Threat Prevention Categories
|text
|The text detail from the Application Control engine
|-
|bandwidth_control_priority
|Bandwidth Control Priority
|integer
|integer
|The priority given to this session
|This bitmask of threat categories
|-
|-
|bandwidth_control_rule
|}
|Bandwidth Control Rule ID
<section end='http_events' />
|integer
()
|The matching rule in Bandwidth Control rule (if any)
 
== intrusion_prevention_events ==
<section begin='intrusion_prevention_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|ssl_inspector_ruleid
|time_stamp
|SSL Inspector Rule ID
|Timestamp
|integer
|timestamp without time zone
|The matching rule in SSL Inspector rule (if any)
|The time of the event
|-
|-
|ssl_inspector_status
|sig_id
|SSL Inspector Status
|Signature ID
|text
|bigint
|The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED)
|This ID of the rule
|-
|-
|ssl_inspector_detail
|gen_id
|SSL Inspector Detail
|Grouping ID
|text
|bigint
|Additional text detail about the SSL connection (SNI, IP Address)
|The grouping ID for the rule, The gen_id + sig_id specify the rule's unique identifier
|-
|-
|local_addr
|class_id
|Local Address
|Classtype ID
|inet
|bigint
|The IP address of the local participant
|The numeric ID for the classtype
|-
|-
|remote_addr
|source_addr
|Remote Address
|Source Address
|inet
|inet
|The IP address of the remote participant
|The source IP address of the packet
|-
|-
|tags
|source_port
|Tags
|Source Port
|text
|integer
|The tags on this session
|The source port of the packet (if applicable)
|-
|-
|}
|dest_addr
<section end='sessions' />
|Destination Address
 
|inet
== session_minutes ==
|The destination IP address of the packet
<section begin='session_minutes' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|session_id
|dest_port
|Session ID
|Destination Port
|bigint
|integer
|The session
|The destination port of the packet (if applicable)
|-
|-
|time_stamp
|protocol
|Timestamp
|Protocol
|timestamp without time zone
|integer
|The time of the event
|The protocol of the packet
|-
|-
|c2s_bytes
|blocked
|From-Client Bytes
|Blocked
|bigint
|boolean
|The number of bytes the client sent
|If the packet was blocked/dropped
|-
|-
|s2c_bytes
|category
|From-Server Bytes
|Category
|bigint
|text
|The number of bytes the server sent
|The application specific grouping for the signature
|-
|-
|start_time
|classtype
|Start Time
|Classtype
|timestamp without time zone
|text
|The start time of the session
|The generalized threat signature grouping (unrelated to gen_id)
|-
|-
|end_time
|msg
|End Time
|Message
|timestamp without time zone
|text
|The time the session ended
|The "title" or "description" of the signature
|-
|-
|bypassed
|rid
|Bypassed
|Rule ID
|boolean
|text
|True if the session was bypassed, false otherwise
|The rule id
|-
|-
|entitled
|rule_id
|Entitled
|Rule ID
|boolean
|text
|True if the session is entitled to premium functionality
|The rule id
|-
|-
|protocol
|}
|Protocol
<section end='intrusion_prevention_events' />
|smallint
()
|The IP protocol of session
 
== smtp_tarpit_events ==
<section begin='smtp_tarpit_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|icmp_type
|time_stamp
|ICMP Type
|Timestamp
|smallint
|timestamp without time zone
|The ICMP type of session if ICMP
|The time of the event
|-
|ipaddr
|Client Address
|inet
|The client IP address
|-
|-
|hostname
|hostname
Line 434: Line 398:
|text
|text
|The hostname of the local address
|The hostname of the local address
|-
|username
|Username
|text
|The username associated with this session
|-
|-
|policy_id
|policy_id
|Policy ID
|Policy ID
|smallint
|bigint
|The policy
|The policy
|-
|-
|policy_rule_id
|vendor_name
|Policy Rule ID
|Vendor Name
|smallint
|character varying(255)
|The ID of the matching policy rule (0 means none)
|The "vendor name" of the app that logged the event
|-
|-
|c_client_addr
|event_id
|Client-side Client Address
|Event ID
|inet
|bigint
|The client-side client IP address
|The unique event ID
|-
|-
|c_server_addr
|}
|Client-side Server Address
<section end='smtp_tarpit_events' />
|inet
()
|The client-side server IP address
 
== ipsec_user_events ==
<section begin='ipsec_user_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|c_server_port
|event_id
|Client-side Server Port
|Event ID
|integer
|bigint
|The client-side server port
|The unique event ID
|-
|-
|c_client_port
|time_stamp
|Client-side Client Port
|Timestamp
|integer
|timestamp without time zone
|The client-side client port
|The time of the event
|-
|-
|s_client_addr
|connect_stamp
|Server-side Client Address
|Connect Time
|inet
|timestamp without time zone
|The server-side client IP address
|The time the connection started
|-
|-
|s_server_addr
|goodbye_stamp
|Server-side Server Address
|End Time
|inet
|timestamp without time zone
|The server-side server IP address
|The time the connection ended
|-
|-
|s_server_port
|client_address
|Server-side Server Port
|Client Address
|integer
|text
|The server-side server port
|The remote IP address of the client
|-
|-
|s_client_port
|client_protocol
|Server-side Client Port
|Client Protocol
|integer
|text
|The server-side client port
|The protocol the client used to connect
|-
|-
|client_intf
|client_username
|Client Interface
|Client Username
|smallint
|text
|The client interface
|The username of the client
|-
|-
|server_intf
|net_process
|Server Interface
|Net Process
|smallint
|text
|The server interface
|The PID of the PPP process for L2TP connections or the connection ID for Xauth connections
|-
|-
|client_country
|net_interface
|Client Country
|Net Interface
|text
|text
|The client Country
|The PPP interface for L2TP connections or the client interface for Xauth connections
|-
|-
|client_latitude
|elapsed_time
|Client Latitude
|Elapsed Time
|real
|text
|The client Latitude
|The total time the client was connected
|-
|-
|client_longitude
|rx_bytes
|Client Longitude
|Bytes Received
|real
|bigint
|The client Longitude
|The number of bytes received from the client in this connection
|-
|-
|server_country
|tx_bytes
|Server Country
|Bytes Sent
|text
|bigint
|The server Country
|The number of bytes sent to the client in this connection
|-
|-
|server_latitude
|}
|Server Latitude
<section end='ipsec_user_events' />
|real
()
|The server Latitude
 
== ipsec_vpn_events ==
<section begin='ipsec_vpn_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|-
|server_longitude
|time_stamp
|Server Longitude
|Timestamp
|real
|timestamp without time zone
|The server Longitude
|The time of the event
|-
|-
|filter_prefix
|local_address
|Filter Block
|Local Address
|text
|text
|The network filter that blocked the connection (filter,shield,invalid)
|The local address of the tunnel
|-
|-
|firewall_blocked
|remote_address
|Firewall Blocked
|Remote Address
|boolean
|text
|True if Firewall blocked the session, false otherwise
|The remote address of the tunnel
|-
|-
|firewall_flagged
|tunnel_description
|Firewall Flagged
|Tunnel Description
|boolean
|text
|True if Firewall flagged the session, false otherwise
|The description of the tunnel
|-
|-
|firewall_rule_index
|event_type
|Firewall Rule ID
|Event Type
|integer
|The matching rule in Firewall (if any)
|-
|application_control_lite_protocol
|Application Control Lite Protocol
|text
|text
|The application protocol according to Application Control Lite
|The type of the event (CONNECT,DISCONNECT)
|-
|-
|application_control_lite_blocked
|}
|Application Control Lite Blocked
<section end='ipsec_vpn_events' />
|boolean
()
|True if Application Control Lite blocked the session
 
|-
== ipsec_tunnel_stats ==
|captive_portal_blocked
<section begin='ipsec_tunnel_stats' />
|Captive Portal Blocked
 
|boolean
{| border="1" cellpadding="2" width="90%%" align="center"
|True if Captive Portal blocked the session
!Column Name
!Human Name
!Type
!Description
|-
|-
|captive_portal_rule_index
|time_stamp
|Captive Portal Rule ID
|Timestamp
|integer
|timestamp without time zone
|The matching rule in Captive Portal (if any)
|The time of the event
|-
|-
|application_control_application
|tunnel_name
|Application Control Application
|Tunnel Name
|text
|text
|The application according to Application Control
|The name of the IPsec tunnel
|-
|-
|application_control_protochain
|in_bytes
|Application Control Protochain
|In Bytes
|text
|bigint
|The protochain according to Application Control
|The number of bytes received during this time frame
|-
|-
|application_control_category
|out_bytes
|Application Control Category
|Out Bytes
|text
|bigint
|The category according to Application Control
|The number of bytes transmitted during this time frame
|-
|-
|application_control_blocked
|event_id
|Application Control Blocked
|Event ID
|boolean
|bigint
|True if Application Control blocked the session
|The unique event ID
|-
|-
|application_control_flagged
|}
|Application Control Flagged
<section end='ipsec_tunnel_stats' />
|boolean
()
|True if Application Control flagged the session
 
== http_query_events ==
<section begin='http_query_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|application_control_confidence
|event_id
|Application Control Confidence
|Event ID
|integer
|bigint
|True if Application Control confidence of this session's identification
|The unique event ID
|-
|-
|application_control_ruleid
|time_stamp
|Application Control Rule ID
|Timestamp
|integer
|timestamp without time zone
|The matching rule in Application Control (if any)
|The time of the event
|-
|-
|application_control_detail
|session_id
|Application Control Detail
|Session ID
|text
|bigint
|The text detail from the Application Control engine
|The session
|-
|-
|bandwidth_control_priority
|client_intf
|Bandwidth Control Priority
|Client Interface
|integer
|smallint
|The priority given to this session
|The client interface
|-
|-
|bandwidth_control_rule
|server_intf
|Bandwidth Control Rule ID
|Server Interface
|integer
|smallint
|The matching rule in Bandwidth Control rule (if any)
|The server interface
|-
|-
|ssl_inspector_ruleid
|c_client_addr
|SSL Inspector Rule ID
|Client-side Client Address
|integer
|inet
|The matching rule in SSL Inspector rule (if any)
|The client-side client IP address
|-
|-
|ssl_inspector_status
|s_client_addr
|SSL Inspector Status
|Server-side Client Address
|text
|inet
|The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED)
|The server-side client IP address
|-
|-
|ssl_inspector_detail
|c_server_addr
|SSL Inspector Detail
|Client-side Server Address
|text
|inet
|Additional text detail about the SSL connection (SNI, IP Address)
|The client-side server IP address
|-
|-
|local_addr
|s_server_addr
|Local Address
|Server-side Server Address
|inet
|inet
|The IP address of the local participant
|The server-side server IP address
|-
|-
|remote_addr
|c_client_port
|Remote Address
|Client-side Client Port
|inet
|integer
|The IP address of the remote participant
|The client-side client port
|-
|-
|tags
|s_client_port
|Tags
|Server-side Client Port
|text
|integer
|The tags on this session
|The server-side client port
|-
|-
|}
|c_server_port
<section end='session_minutes' />
|Client-side Server Port
 
|integer
 
|The client-side server port
== quotas ==
<section begin='quotas' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|s_server_port
|Timestamp
|Server-side Server Port
|timestamp without time zone
|The time of the event
|-
|action
|Action
|integer
|integer
|The action (1=Quota Given, 2=Quota Exceeded)
|The server-side server port
|-
|-
|size
|policy_id
|Size
|Policy ID
|bigint
|bigint
|The size of the quota
|The policy
|-
|-
|reason
|username
|Reason
|Username
|text
|text
|The reason for the action
|The username associated with this session
|-
|-
|entity
|hostname
|Entity
|Hostname
|text
|text
|The IP entity given the quota (address/username)
|The hostname of the local address
|-
|-
|}
|request_id
<section end='quotas' />
|Request ID
 
|bigint
 
|The HTTP request ID
== host_table_updates ==
<section begin='host_table_updates' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|address
|method
|Address
|Method
|inet
|character(1)
|The IP address of the host
|The HTTP method
|-
|-
|key
|uri
|Key
|URI
|text
|text
|The key being updated
|The HTTP URI
|-
|-
|value
|term
|Value
|Search Term
|text
|text
|The new value for the key
|The search term
|-
|-
|time_stamp
|host
|Timestamp
|Host
|timestamp without time zone
|text
|The time of the event
|The HTTP host
|-
|c2s_content_length
|Client-to-server Content Length
|bigint
|The client-to-server content length
|-
|s2c_content_length
|Server-to-client Content Length
|bigint
|The server-to-client content length
|-
|-
|old_value
|s2c_content_type
|Old Value
|Server-to-client Content Type
|text
|text
|The old value for the key
|The server-to-client content type
|-
|blocked
|Blocked
|boolean
|If Web Filter blocked this search term
|-
|flagged
|Flagged
|boolean
|If Web Filter flagged this search term
|-
|-
|}
|}
<section end='host_table_updates' />
<section end='http_query_events' />
()


== admin_logins ==
<section begin='admin_logins' />


== device_table_updates ==
{| border="1" cellpadding="2" width="90%%" align="center"
<section begin='device_table_updates' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Column Name
!Human Name
!Human Name
!Type
!Type
!Description
!Description
|-
|mac_address
|MAC Address
|text
|The MAC address of the device
|-
|key
|Key
|text
|The key being updated
|-
|value
|Value
|text
|The new value for the key
|-
|-
|time_stamp
|time_stamp
Line 759: Line 729:
|The time of the event
|The time of the event
|-
|-
|old_value
|login
|Old Value
|Login
|text
|text
|The old value for the key
|The login name
|-
|-
|}
|local
<section end='device_table_updates' />
|Local
 
|boolean
 
|True if it is a login attempt through a local process
== alerts ==  
|-
<section begin='alerts' />
|client_addr
|Client Address
|inet
|The client IP address
|-
|succeeded
|Succeeded
|boolean
|True if the login succeeded, false otherwise
|-
|reason
|Reason
|character(1)
|The reason for the login (if applicable)
|-
|}
<section end='admin_logins' />
()
 
== sessions ==  
<section begin='sessions' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 776: Line 766:
!Type
!Type
!Description
!Description
|-
|session_id
|Session ID
|bigint
|The session
|-
|-
|time_stamp
|time_stamp
Line 782: Line 777:
|The time of the event
|The time of the event
|-
|-
|description
|end_time
|Text detail of the event
|End Time
|text
|timestamp without time zone
|The description from the alert rule.
|The time the session ended
|-
|bypassed
|Bypassed
|boolean
|True if the session was bypassed, false otherwise
|-
|entitled
|Entitled
|boolean
|True if the session is entitled to premium functionality
|-
|protocol
|Protocol
|smallint
|The IP protocol of session
|-
|icmp_type
|ICMP Type
|smallint
|The ICMP type of session if ICMP
|-
|-
|summary_text
|hostname
|Summary Text
|Hostname
|text
|text
|The summary text of the alert
|The hostname of the local address
|-
|-
|json
|username
|JSON Text
|Username
|text
|text
|The summary JSON representation of the event causing the alert
|The username associated with this session
|-
|-
|}
|policy_id
<section end='alerts' />
|Policy ID
 
|smallint
 
|The policy
== settings_changes ==
<section begin='settings_changes' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|policy_rule_id
|Timestamp
|Policy Rule ID
|timestamp without time zone
|smallint
|The time of the event
|The ID of the matching policy rule (0 means none)
|-
|-
|settings_file
|local_addr
|Settings File
|Local Address
|text
|inet
|The name of the file changed
|The IP address of the local participant
|-
|-
|username
|remote_addr
|Username
|Remote Address
|text
|inet
|The username logged in at the time of the change
|The IP address of the remote participant
|-
|-
|hostname
|c_client_addr
|Hostname
|Client-side Client Address
|text
|inet
|The remote hostname
|The client-side client IP address
|-
|-
|}
|c_server_addr
<section end='settings_changes' />
|Client-side Server Address
 
|inet
 
|The client-side server IP address
== wan_failover_test_events ==
<section begin='wan_failover_test_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|c_server_port
|Timestamp
|Client-side Server Port
|timestamp without time zone
|integer
|The time of the event
|The client-side server port
|-
|-
|interface_id
|c_client_port
|Interface ID
|Client-side Client Port
|integer
|integer
|This interface ID
|The client-side client port
|-
|-
|name
|s_client_addr
|Interface Name
|Server-side Client Address
|text
|inet
|This name of the interface
|The server-side client IP address
|-
|-
|description
|s_server_addr
|Text detail of the event
|Server-side Server Address
|text
|inet
|The description from the test rule
|The server-side server IP address
|-
|-
|success
|s_server_port
|Success
|Server-side Server Port
|boolean
|integer
|The result of the test (true if the test succeeded, false otherwise)
|The server-side server port
|-
|-
|event_id
|s_client_port
|Event ID
|Server-side Client Port
|bigint
|integer
|The unique event ID
|The server-side client port
|-
|-
|}
|client_intf
<section end='wan_failover_test_events' />
|Client Interface
 
|smallint
 
|The client interface
== wan_failover_action_events ==
<section begin='wan_failover_action_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|server_intf
|Timestamp
|Server Interface
|timestamp without time zone
|smallint
|The time of the event
|The server interface
|-
|-
|interface_id
|client_country
|Interface ID
|Client Country
|integer
|text
|This interface ID
|The client Country
|-
|-
|action
|client_latitude
|Action
|Client Latitude
|text
|real
|This action (CONNECTED,DISCONNECTED)
|The client Latitude
|-
|-
|os_name
|client_longitude
|Interface O/S Name
|Client Longitude
|text
|real
|This O/S name of the interface
|The client Longitude
|-
|-
|name
|server_country
|Interface Name
|Server Country
|text
|text
|This name of the interface
|The server Country
|-
|server_latitude
|Server Latitude
|real
|The server Latitude
|-
|server_longitude
|Server Longitude
|real
|The server Longitude
|-
|-
|event_id
|c2p_bytes
|Event ID
|From-Client Bytes
|bigint
|bigint
|The unique event ID
|The number of bytes the client sent to Untangle (client-to-pipeline)
|-
|-
|}
|p2c_bytes
<section end='wan_failover_action_events' />
|To-Client Bytes
 
|bigint
 
|The number of bytes Untangle sent to client (pipeline-to-client)
== mail_msgs ==
<section begin='mail_msgs' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|s2p_bytes
|Timestamp
|From-Server Bytes
|timestamp without time zone
|bigint
|The time of the event
|The number of bytes the server sent to Untangle (client-to-pipeline)
|-
|-
|session_id
|p2s_bytes
|Session ID
|To-Server Bytes
|bigint
|bigint
|The session
|The number of bytes Untangle sent to server (pipeline-to-client)
|-
|-
|client_intf
|filter_prefix
|Client Interface
|Filter Block
|smallint
|text
|The client interface
|The network filter that blocked the connection (filter,shield,invalid)
|-
|-
|server_intf
|firewall_blocked
|Server Interface
|Firewall Blocked
|smallint
|boolean
|The server interface
|True if Firewall blocked the session, false otherwise
|-
|-
|c_client_addr
|firewall_flagged
|Client-side Client Address
|Firewall Flagged
|inet
|boolean
|The client-side client IP address
|True if Firewall flagged the session, false otherwise
|-
|-
|s_client_addr
|firewall_rule_index
|Server-side Client Address
|Firewall Rule ID
|inet
|integer
|The server-side client IP address
|The matching rule in Firewall (if any)
|-
|-
|c_server_addr
|threat_prevention_blocked
|Client-side Server Address
|Threat Prevention Blocked
|inet
|boolean
|The client-side server IP address
|If Threat Prevention blocked
|-
|-
|s_server_addr
|threat_prevention_flagged
|Server-side Server Address
|Threat Prevention Flagged
|inet
|boolean
|The server-side server IP address
|If Threat Prevention flagged
|-
|-
|c_client_port
|threat_prevention_reason
|Client-side Client Port
|Threat Prevention Reason
|integer
|character(1)
|The client-side client port
|Threat Prevention reason
|-
|-
|s_client_port
|threat_prevention_rule_id
|Server-side Client Port
|Threat Prevention Rule Id
|integer
|integer
|The server-side client port
|Numeric rule id of Threat Prevention
|-
|threat_prevention_client_reputation
|Threat Prevention Client Reputation
|smallint
|Numeric client reputation of Threat Prevention
|-
|-
|c_server_port
|threat_prevention_client_categories
|Client-side Server Port
|Threat Prevention Client Categories
|integer
|integer
|The client-side server port
|Bitmask client categories of Threat Prevention
|-
|threat_prevention_server_reputation
|Threat Prevention Server Reputation
|smallint
|Numeric server reputation of Threat Prevention
|-
|-
|s_server_port
|threat_prevention_server_categories
|Server-side Server Port
|Threat Prevention Server Categories
|integer
|integer
|The server-side server port
|Bitmask server categories of Threat Prevention
|-
|-
|policy_id
|application_control_lite_protocol
|Policy ID
|Application Control Lite Protocol
|bigint
|The policy
|-
|username
|Username
|text
|text
|The username associated with this session
|The application protocol according to Application Control Lite
|-
|application_control_lite_blocked
|Application Control Lite Blocked
|boolean
|True if Application Control Lite blocked the session
|-
|captive_portal_blocked
|Captive Portal Blocked
|boolean
|True if Captive Portal blocked the session
|-
|-
|msg_id
|captive_portal_rule_index
|Message ID
|Captive Portal Rule ID
|bigint
|integer
|The message ID
|The matching rule in Captive Portal (if any)
|-
|-
|subject
|application_control_application
|Subject
|Application Control Application
|text
|text
|The email subject
|The application according to Application Control
|-
|-
|hostname
|application_control_protochain
|Hostname
|Application Control Protochain
|text
|text
|The hostname of the local address
|The protochain according to Application Control
|-
|-
|event_id
|application_control_category
|Event ID
|Application Control Category
|bigint
|The unique event ID
|-
|sender
|Sender
|text
|text
|The address of the sender
|The category according to Application Control
|-
|-
|receiver
|application_control_blocked
|Receiver
|Application Control Blocked
|text
|boolean
|The address of the receiver
|True if Application Control blocked the session
|-
|-
|virus_blocker_lite_clean
|application_control_flagged
|Virus Blocker Lite Clean
|Application Control Flagged
|boolean
|boolean
|The cleanliness of the file according to Virus Blocker Lite
|True if Application Control flagged the session
|-
|-
|virus_blocker_lite_name
|application_control_confidence
|Virus Blocker Lite Name
|Application Control Confidence
|text
|integer
|The name of the malware according to Virus Blocker Lite
|True if Application Control confidence of this session's identification
|-
|-
|virus_blocker_clean
|application_control_ruleid
|Virus Blocker Clean
|Application Control Rule ID
|boolean
|integer
|The cleanliness of the file according to Virus Blocker
|The matching rule in Application Control (if any)
|-
|-
|virus_blocker_name
|application_control_detail
|Virus Blocker Name
|Application Control Detail
|text
|text
|The name of the malware according to Virus Blocker
|The text detail from the Application Control engine
|-
|-
|spam_blocker_lite_score
|bandwidth_control_priority
|Spam Blocker Lite Score
|Bandwidth Control Priority
|real
|integer
|The score of the email according to Spam Blocker Lite
|The priority given to this session
|-
|-
|spam_blocker_lite_is_spam
|bandwidth_control_rule
|Spam Blocker Lite Spam
|Bandwidth Control Rule ID
|boolean
|integer
|The spam status of the email according to Spam Blocker Lite
|The matching rule in Bandwidth Control rule (if any)
|-
|-
|spam_blocker_lite_tests_string
|ssl_inspector_ruleid
|Spam Blocker Lite Tests
|SSL Inspector Rule ID
|integer
|The matching rule in SSL Inspector rule (if any)
|-
|ssl_inspector_status
|SSL Inspector Status
|text
|text
|The tess results for Spam Blocker Lite
|The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED)
|-
|-
|spam_blocker_lite_action
|ssl_inspector_detail
|Spam Blocker Lite Action
|SSL Inspector Detail
|character(1)
|text
|The action taken by Spam Blocker Lite
|Additional text detail about the SSL connection (SNI, IP Address)
|-
|-
|spam_blocker_score
|tags
|Spam Blocker Score
|Tags
|real
|The score of the email according to Spam Blocker
|-
|spam_blocker_is_spam
|Spam Blocker Spam
|boolean
|The spam status of the email according to Spam Blocker
|-
|spam_blocker_tests_string
|Spam Blocker Tests
|text
|text
|The tess results for Spam Blocker
|The tags on this session
|-
|-
|spam_blocker_action
|}
|Spam Blocker Action
<section end='sessions' />
|character(1)
()
|The action taken by Spam Blocker
|-
|phish_blocker_score
|Phish Blocker Score
|real
|The score of the email according to Phish Blocker
|-
|phish_blocker_is_spam
|Phish Blocker Phish
|boolean
|The phish status of the email according to Phish Blocker
|-
|phish_blocker_tests_string
|Phish Blocker Tests
|text
|The tess results for Phish Blocker
|-
|phish_blocker_action
|Phish Blocker Action
|character(1)
|The action taken by Phish Blocker
|-
|}
<section end='mail_msgs' />


 
== session_minutes ==  
== mail_addrs ==  
<section begin='session_minutes' />
<section begin='mail_addrs' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,122: Line 1,095:
!Description
!Description
|-
|-
|time_stamp
|session_id
|Session ID
|bigint
|The session
|-
|time_stamp
|Timestamp
|Timestamp
|timestamp without time zone
|timestamp without time zone
|The time of the event
|The time of the event
|-
|-
|session_id
|c2s_bytes
|Session ID
|From-Client Bytes
|bigint
|bigint
|The session
|The number of bytes the client sent
|-
|-
|client_intf
|s2c_bytes
|Client Interface
|From-Server Bytes
|smallint
|bigint
|The client interface
|The number of bytes the server sent
|-
|-
|server_intf
|start_time
|Server Interface
|Start Time
|smallint
|timestamp without time zone
|The server interface
|The start time of the session
|-
|-
|c_client_addr
|end_time
|Client-side Client Address
|End Time
|inet
|timestamp without time zone
|The client-side client IP address
|The time the session ended
|-
|-
|s_client_addr
|bypassed
|Server-side Client Address
|Bypassed
|inet
|boolean
|The server-side client IP address
|True if the session was bypassed, false otherwise
|-
|-
|c_server_addr
|entitled
|Client-side Server Address
|Entitled
|inet
|boolean
|The client-side server IP address
|True if the session is entitled to premium functionality
|-
|-
|s_server_addr
|protocol
|Server-side Server Address
|Protocol
|inet
|smallint
|The server-side server IP address
|The IP protocol of session
|-
|-
|c_client_port
|icmp_type
|Client-side Client Port
|ICMP Type
|integer
|smallint
|The client-side client port
|The ICMP type of session if ICMP
|-
|-
|s_client_port
|hostname
|Server-side Client Port
|Hostname
|integer
|text
|The server-side client port
|The hostname of the local address
|-
|-
|c_server_port
|username
|Client-side Server Port
|Username
|integer
|text
|The client-side server port
|The username associated with this session
|-
|s_server_port
|Server-side Server Port
|integer
|The server-side server port
|-
|-
|policy_id
|policy_id
|Policy ID
|Policy ID
|bigint
|smallint
|The policy
|The policy
|-
|-
|username
|policy_rule_id
|Username
|Policy Rule ID
|text
|smallint
|The username associated with this session
|The ID of the matching policy rule (0 means none)
|-
|-
|msg_id
|local_addr
|Message ID
|Local Address
|bigint
|inet
|The message ID
|The IP address of the local participant
|-
|-
|subject
|remote_addr
|Subject
|Remote Address
|text
|inet
|The email subject
|The IP address of the remote participant
|-
|-
|addr
|c_client_addr
|Address
|Client-side Client Address
|text
|inet
|The address of this event
|The client-side client IP address
|-
|-
|addr_name
|c_server_addr
|Address Name
|Client-side Server Address
|text
|inet
|The name for this address
|The client-side server IP address
|-
|-
|addr_kind
|c_server_port
|Address Kind
|Client-side Server Port
|character(1)
|integer
|The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
|The client-side server port
|-
|-
|hostname
|c_client_port
|Hostname
|Client-side Client Port
|text
|integer
|The hostname of the local address
|The client-side client port
|-
|-
|event_id
|s_client_addr
|Event ID
|Server-side Client Address
|bigint
|inet
|The unique event ID
|The server-side client IP address
|-
|-
|sender
|s_server_addr
|Sender
|Server-side Server Address
|text
|inet
|The address of the sender
|The server-side server IP address
|-
|-
|virus_blocker_lite_clean
|s_server_port
|Virus Blocker Lite Clean
|Server-side Server Port
|boolean
|integer
|The cleanliness of the file according to Virus Blocker Lite
|The server-side server port
|-
|s_client_port
|Server-side Client Port
|integer
|The server-side client port
|-
|-
|virus_blocker_lite_name
|client_intf
|Virus Blocker Lite Name
|Client Interface
|text
|smallint
|The name of the malware according to Virus Blocker Lite
|The client interface
|-
|-
|virus_blocker_clean
|server_intf
|Virus Blocker Clean
|Server Interface
|boolean
|smallint
|The cleanliness of the file according to Virus Blocker
|The server interface
|-
|-
|virus_blocker_name
|client_country
|Virus Blocker Name
|Client Country
|text
|text
|The name of the malware according to Virus Blocker
|The client Country
|-
|-
|spam_blocker_lite_score
|client_latitude
|Spam Blocker Lite Score
|Client Latitude
|real
|real
|The score of the email according to Spam Blocker Lite
|The client Latitude
|-
|-
|spam_blocker_lite_is_spam
|client_longitude
|Spam Blocker Lite Spam
|Client Longitude
|boolean
|real
|The spam status of the email according to Spam Blocker Lite
|The client Longitude
|-
|-
|spam_blocker_lite_action
|server_country
|Spam Blocker Lite Action
|Server Country
|character(1)
|The action taken by Spam Blocker Lite
|-
|spam_blocker_lite_tests_string
|Spam Blocker Lite Tests
|text
|text
|The tess results for Spam Blocker Lite
|The server Country
|-
|-
|spam_blocker_score
|server_latitude
|Spam Blocker Score
|Server Latitude
|real
|real
|The score of the email according to Spam Blocker
|The server Latitude
|-
|-
|spam_blocker_is_spam
|server_longitude
|Spam Blocker Spam
|Server Longitude
|boolean
|real
|The spam status of the email according to Spam Blocker
|The server Longitude
|-
|-
|spam_blocker_action
|filter_prefix
|Spam Blocker Action
|Filter Block
|character(1)
|The action taken by Spam Blocker
|-
|spam_blocker_tests_string
|Spam Blocker Tests
|text
|text
|The tess results for Spam Blocker
|The network filter that blocked the connection (filter,shield,invalid)
|-
|-
|phish_blocker_score
|firewall_blocked
|Phish Blocker Score
|Firewall Blocked
|real
|boolean
|The score of the email according to Phish Blocker
|True if Firewall blocked the session, false otherwise
|-
|-
|phish_blocker_is_spam
|firewall_flagged
|Phish Blocker Phish
|Firewall Flagged
|boolean
|boolean
|The phish status of the email according to Phish Blocker
|True if Firewall flagged the session, false otherwise
|-
|-
|phish_blocker_tests_string
|firewall_rule_index
|Phish Blocker Tests
|Firewall Rule ID
|text
|integer
|The tess results for Phish Blocker
|The matching rule in Firewall (if any)
|-
|threat_prevention_blocked
|Threat Prevention Blocked
|boolean
|If Threat Prevention blocked
|-
|threat_prevention_flagged
|Threat Prevention Flagged
|boolean
|If Threat Prevention flagged
|-
|-
|phish_blocker_action
|threat_prevention_reason
|Phish Blocker Action
|Threat Prevention Reason
|character(1)
|character(1)
|The action taken by Phish Blocker
|Threat Prevention reason
|-
|-
|}
|threat_prevention_rule_id
<section end='mail_addrs' />
|Threat Prevention Rule Id
 
|integer
 
|Numeric rule id of Threat Prevention
== smtp_tarpit_events ==
<section begin='smtp_tarpit_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|threat_prevention_client_reputation
|Timestamp
|Threat Prevention Client Reputation
|timestamp without time zone
|smallint
|The time of the event
|Numeric client reputation of Threat Prevention
|-
|threat_prevention_client_categories
|Threat Prevention Client Categories
|integer
|Bitmask client categories of Threat Prevention
|-
|threat_prevention_server_reputation
|Threat Prevention Server Reputation
|smallint
|Numeric server reputation of Threat Prevention
|-
|-
|ipaddr
|threat_prevention_server_categories
|Client Address
|Threat Prevention Server Categories
|inet
|integer
|The client IP address
|Bitmask server categories of Threat Prevention
|-
|-
|hostname
|application_control_lite_protocol
|Hostname
|Application Control Lite Protocol
|text
|text
|The hostname of the local address
|The application protocol according to Application Control Lite
|-
|-
|policy_id
|application_control_lite_blocked
|Policy ID
|Application Control Lite Blocked
|bigint
|boolean
|The policy
|True if Application Control Lite blocked the session
|-
|vendor_name
|Vendor Name
|character varying(255)
|The "vendor name" of the app that logged the event
|-
|-
|event_id
|captive_portal_blocked
|Event ID
|Captive Portal Blocked
|bigint
|boolean
|The unique event ID
|True if Captive Portal blocked the session
|-
|-
|}
|captive_portal_rule_index
<section end='smtp_tarpit_events' />
|Captive Portal Rule ID
 
|integer
 
|The matching rule in Captive Portal (if any)
== http_events ==
<section begin='http_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|request_id
|application_control_application
|Request ID
|Application Control Application
|bigint
|text
|The HTTP request ID
|The application according to Application Control
|-
|-
|time_stamp
|application_control_protochain
|Timestamp
|Application Control Protochain
|timestamp without time zone
|text
|The time of the event
|The protochain according to Application Control
|-
|-
|session_id
|application_control_category
|Session ID
|Application Control Category
|bigint
|text
|The session
|The category according to Application Control
|-
|-
|client_intf
|application_control_blocked
|Client Interface
|Application Control Blocked
|smallint
|boolean
|The client interface
|True if Application Control blocked the session
|-
|-
|server_intf
|application_control_flagged
|Server Interface
|Application Control Flagged
|smallint
|boolean
|The server interface
|True if Application Control flagged the session
|-
|-
|c_client_addr
|application_control_confidence
|Client-side Client Address
|Application Control Confidence
|inet
|integer
|The client-side client IP address
|True if Application Control confidence of this session's identification
|-
|-
|s_client_addr
|application_control_ruleid
|Server-side Client Address
|Application Control Rule ID
|inet
|integer
|The server-side client IP address
|The matching rule in Application Control (if any)
|-
|-
|c_server_addr
|application_control_detail
|Client-side Server Address
|Application Control Detail
|inet
|text
|The client-side server IP address
|The text detail from the Application Control engine
|-
|-
|s_server_addr
|bandwidth_control_priority
|Server-side Server Address
|Bandwidth Control Priority
|inet
|The server-side server IP address
|-
|c_client_port
|Client-side Client Port
|integer
|integer
|The client-side client port
|The priority given to this session
|-
|-
|s_client_port
|bandwidth_control_rule
|Server-side Client Port
|Bandwidth Control Rule ID
|integer
|integer
|The server-side client port
|The matching rule in Bandwidth Control rule (if any)
|-
|-
|c_server_port
|ssl_inspector_ruleid
|Client-side Server Port
|SSL Inspector Rule ID
|integer
|integer
|The client-side server port
|The matching rule in SSL Inspector rule (if any)
|-
|-
|s_server_port
|ssl_inspector_status
|Server-side Server Port
|SSL Inspector Status
|integer
|text
|The server-side server port
|The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED)
|-
|-
|policy_id
|ssl_inspector_detail
|Policy ID
|SSL Inspector Detail
|smallint
|text
|The policy
|Additional text detail about the SSL connection (SNI, IP Address)
|-
|-
|username
|tags
|Username
|Tags
|text
|text
|The username associated with this session
|The tags on this session
|-
|}
<section end='session_minutes' />
()
 
== quotas ==
<section begin='quotas' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|-
|hostname
|entity
|Hostname
|Entity
|text
|text
|The hostname of the local address
|The IP entity given the quota (address/username)
|-
|-
|method
|action
|Method
|Action
|character(1)
|integer
|The HTTP method
|The action (1=Quota Given, 2=Quota Exceeded)
|-
|-
|uri
|size
|URI
|Size
|text
|bigint
|The HTTP URI
|The size of the quota
|-
|-
|host
|reason
|Host
|Reason
|text
|text
|The HTTP host
|The reason for the action
|-
|-
|domain
|}
|Domain
<section end='quotas' />
|text
()
|The HTTP domain (shortened host)
 
|-
== host_table_updates ==
|referer
<section begin='host_table_updates' />
|Referer
 
|text
{| border="1" cellpadding="2" width="90%%" align="center"
|The Referer URL
!Column Name
!Human Name
!Type
!Description
|-
|-
|c2s_content_length
|address
|Client-to-server Content Length
|Address
|bigint
|inet
|The client-to-server content length
|The IP address of the host
|-
|-
|s2c_content_length
|key
|Server-to-client Content Length
|Key
|bigint
|The server-to-client content length
|-
|s2c_content_type
|Server-to-client Content Type
|text
|text
|The server-to-client content type
|The key being updated
|-
|-
|ad_blocker_cookie_ident
|value
|Ad Blocker Cookie
|Value
|text
|text
|This name of cookie blocked by Ad Blocker
|The new value for the key
|-
|-
|ad_blocker_action
|old_value
|Ad Blocker Action
|Old Value
|character(1)
|text
|This action of Ad Blocker on this request
|The old value for the key
|-
|-
|web_filter_reason
|time_stamp
|Web Filter Reason
|Timestamp
|character(1)
|timestamp without time zone
|This reason Web Filter blocked/flagged this request
|The time of the event
|-
|-
|web_filter_category_id
|}
|Web Filter Category ID
<section end='host_table_updates' />
|int
()
|This category ID according to Web Filter
 
== device_table_updates ==
<section begin='device_table_updates' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|web_filter_blocked
|mac_address
|Web Filter Blocked
|MAC Address
|boolean
|text
|If Web Filter blocked this request
|The MAC address of the device
|-
|-
|web_filter_flagged
|key
|Web Filter Flagged
|Key
|boolean
|text
|If Web Filter flagged this request
|The key being updated
|-
|-
|virus_blocker_lite_clean
|value
|Virus Blocker Lite Clean
|Value
|boolean
|text
|The cleanliness of the file according to Virus Blocker Lite
|The new value for the key
|-
|-
|virus_blocker_lite_name
|old_value
|Virus Blocker Lite Name
|Old Value
|text
|text
|The name of the malware according to Virus Blocker Lite
|The old value for the key
|-
|-
|virus_blocker_clean
|time_stamp
|Virus Blocker Clean
|Timestamp
|boolean
|timestamp without time zone
|The cleanliness of the file according to Virus Blocker
|The time of the event
|-
|virus_blocker_name
|Virus Blocker Name
|text
|The name of the malware according to Virus Blocker
|-
|threat_prevention_blocked
|Threat Prevention Blocked
|boolean
|If Threat Prevention blocked this request
|-
|threat_prevention_flagged
|Threat Prevention Flagged
|boolean
|If Threat Prevention flagged this request
|-
|threat_prevention_rule_id
|Threat Prevention Rule ID
|integer
|The matching rule in Threat Prevention (if any)
|-
|threat_prevention_reputation
|Threat Prevention Reputation
|smallint
|The Threat Prevention reputation value
|-
|threat_prevention_categories
|Threat Prevention Categories
|integer
|The Threat Prevention categories
|-
|-
|}
|}
<section end='http_events' />
<section end='device_table_updates' />
()


== ftp_events ==  
== user_table_updates ==  
<section begin='ftp_events' />
<section begin='user_table_updates' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,575: Line 1,532:
!Description
!Description
|-
|-
|event_id
|username
|Event ID
|Username
|bigint
|text
|The unique event ID
|The username
|-
|key
|Key
|text
|The key being updated
|-
|value
|Value
|text
|The new value for the key
|-
|old_value
|Old Value
|text
|The old value for the key
|-
|-
|time_stamp
|time_stamp
Line 1,585: Line 1,557:
|The time of the event
|The time of the event
|-
|-
|session_id
|}
|Session ID
<section end='user_table_updates' />
|bigint
()
|The session
 
== alerts ==
<section begin='alerts' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|client_intf
|time_stamp
|Client Interface
|Timestamp
|smallint
|timestamp without time zone
|The client interface
|The time of the event
|-
|-
|server_intf
|description
|Server Interface
|Text detail of the event
|smallint
|text
|The server interface
|The description from the alert rule.
|-
|-
|c_client_addr
|summary_text
|Client-side Client Address
|Summary Text
|inet
|text
|The client-side client IP address
|The summary text of the alert
|-
|-
|s_client_addr
|json
|Server-side Client Address
|JSON Text
|inet
|text
|The server-side client IP address
|The summary JSON representation of the event causing the alert
|-
|-
|c_server_addr
|}
|Client-side Server Address
<section end='alerts' />
|inet
()
|The client-side server IP address
 
== settings_changes ==
<section begin='settings_changes' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|s_server_addr
|time_stamp
|Server-side Server Address
|Timestamp
|inet
|timestamp without time zone
|The server-side server IP address
|The time of the event
|-
|-
|policy_id
|settings_file
|Policy ID
|Settings File
|bigint
|text
|The policy
|The name of the file changed
|-
|-
|username
|username
|Username
|Username
|text
|text
|The username associated with this session
|The username logged in at the time of the change
|-
|-
|hostname
|hostname
|Hostname
|Hostname
|text
|text
|The hostname of the local address
|The remote hostname
|-
|}
<section end='settings_changes' />
()
 
== web_cache_stats ==
<section begin='web_cache_stats' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|-
|request_id
|hits
|Request ID
|Hits
|bigint
|bigint
|The FTP request ID
|The number of cache hits during this time frame
|-
|-
|method
|misses
|Method
|Misses
|character(1)
|bigint
|The FTP method
|The number of cache misses during this time frame
|-
|-
|uri
|bypasses
|URI
|Bypasses
|text
|bigint
|The FTP URI
|The number of cache user bypasses during this time frame
|-
|-
|virus_blocker_lite_clean
|systems
|Virus Blocker Lite Clean
|System bypasses
|boolean
|bigint
|The cleanliness of the file according to Virus Blocker Lite
|The number of cache system bypasses during this time frame
|-
|-
|virus_blocker_lite_name
|hit_bytes
|Virus Blocker Lite Name
|Hit Bytes
|text
|bigint
|The name of the malware according to Virus Blocker Lite
|The number of bytes saved from cache hits
|-
|-
|virus_blocker_clean
|miss_bytes
|Virus Blocker Clean
|Miss Bytes
|boolean
|bigint
|The cleanliness of the file according to Virus Blocker
|The number of bytes not saved from cache misses
|-
|-
|virus_blocker_name
|event_id
|Virus Blocker Name
|Event ID
|text
|bigint
|The name of the malware according to Virus Blocker
|The unique event ID
|-
|-
|}
|}
<section end='ftp_events' />
<section end='web_cache_stats' />
()


 
== server_events ==  
== ipsec_user_events ==  
<section begin='server_events' />
<section begin='ipsec_user_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,682: Line 1,688:
!Type
!Type
!Description
!Description
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|-
|time_stamp
|time_stamp
Line 1,693: Line 1,694:
|The time of the event
|The time of the event
|-
|-
|connect_stamp
|load_1
|Connect Time
|CPU load (1-min)
|timestamp without time zone
|numeric(6,2)
|The time the connection started
|The 1-minute CPU load
|-
|-
|goodbye_stamp
|load_5
|End Time
|CPU load (5-min)
|timestamp without time zone
|numeric(6,2)
|The time the connection ended
|The 5-minute CPU load
|-
|-
|client_address
|load_15
|Client Address
|CPU load (15-min)
|text
|numeric(6,2)
|The remote IP address of the client
|The 15-minute CPU load
|-
|-
|client_protocol
|cpu_user
|Client Protocol
|CPU User Utilization
|text
|numeric(6,3)
|The protocol the client used to connect
|The user CPU percent utilization
|-
|-
|client_username
|cpu_system
|Client Username
|CPU System Utilization
|text
|numeric(6,3)
|The username of the client
|The system CPU percent utilization
|-
|-
|net_process
|mem_total
|Net Process
|Total Memory
|text
|bigint
|The PID of the PPP process for L2TP connections or the connection ID for Xauth connections
|The total bytes of memory
|-
|-
|net_interface
|mem_free
|Net Interface
|Memory Free
|text
|bigint
|The PPP interface for L2TP connections or the client interface for Xauth connections
|The number of free bytes of memory
|-
|-
|elapsed_time
|disk_total
|Elapsed Time
|Disk Size
|text
|bigint
|The total time the client was connected
|The total disk size in bytes
|-
|-
|rx_bytes
|disk_free
|Bytes Received
|Disk Free
|bigint
|bigint
|The number of bytes received from the client in this connection
|The free disk space in bytes
|-
|-
|tx_bytes
|swap_total
|Bytes Sent
|Swap Size
|bigint
|bigint
|The number of bytes sent to the client in this connection
|The total swap size in bytes
|-
|-
|}
|swap_free
<section end='ipsec_user_events' />
|Swap Free
|bigint
|The free disk swap in bytes
|-
|active_hosts
|Active Hosts
|integer
|The number of active hosts
|-
|}
<section end='server_events' />
()


 
== interface_stat_events ==  
== ipsec_tunnel_stats ==  
<section begin='interface_stat_events' />
<section begin='ipsec_tunnel_stats' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,761: Line 1,772:
|The time of the event
|The time of the event
|-
|-
|tunnel_name
|interface_id
|Tunnel Name
|Interface ID
|text
|integer
|The name of the IPsec tunnel
|The interface ID
|-
|rx_rate
|Rx Rate
|double precision
|The RX rate (bytes/s)
|-
|-
|in_bytes
|rx_bytes
|In Bytes
|Bytes Received
|bigint
|bigint
|The number of bytes received during this time frame
|The number of bytes received from the client in this connection
|-
|-
|out_bytes
|tx_rate
|Out Bytes
|Tx Rate
|bigint
|double precision
|The number of bytes transmitted during this time frame
|The TX rate (bytes/s)
|-
|-
|event_id
|tx_bytes
|Event ID
|Bytes Sent
|bigint
|bigint
|The unique event ID
|The number of bytes sent to the client in this connection
|-
|-
|}
|}
<section end='ipsec_tunnel_stats' />
<section end='interface_stat_events' />
()


 
== mail_msgs ==  
== interface_stat_events ==  
<section begin='mail_msgs' />
<section begin='interface_stat_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,799: Line 1,815:
|The time of the event
|The time of the event
|-
|-
|interface_id
|session_id
|Interface ID
|Session ID
|integer
|bigint
|The interface ID
|The session
|-
|-
|rx_rate
|client_intf
|Rx Rate
|Client Interface
|double precision
|smallint
|The RX rate (bytes/s)
|The client interface
|-
|-
|tx_rate
|server_intf
|Tx Rate
|Server Interface
|double precision
|smallint
|The TX rate (bytes/s)
|The server interface
|-
|-
|}
|c_client_addr
<section end='interface_stat_events' />
|Client-side Client Address
 
|inet
 
|The client-side client IP address
== configuration_backup_events ==
<section begin='configuration_backup_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|s_client_addr
|Timestamp
|Server-side Client Address
|timestamp without time zone
|inet
|The time of the event
|The server-side client IP address
|-
|-
|success
|c_server_addr
|Success
|Client-side Server Address
|boolean
|inet
|The result of the backup (true if the backup succeeded, false otherwise)
|The client-side server IP address
|-
|-
|description
|s_server_addr
|Text detail of the event
|Server-side Server Address
|text
|inet
|Text detail of the event
|The server-side server IP address
|-
|-
|destination
|c_client_port
|Destination
|Client-side Client Port
|text
|integer
|The location of the backup
|The client-side client port
|-
|-
|event_id
|s_client_port
|Event ID
|Server-side Client Port
|bigint
|integer
|The unique event ID
|The server-side client port
|-
|-
|}
|c_server_port
<section end='configuration_backup_events' />
|Client-side Server Port
 
|integer
 
|The client-side server port
== directory_connector_login_events ==
<section begin='directory_connector_login_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|s_server_port
|Timestamp
|Server-side Server Port
|timestamp without time zone
|integer
|The time of the event
|The server-side server port
|-
|-
|login_name
|policy_id
|Login Name
|Policy ID
|text
|bigint
|The login name
|The policy
|-
|-
|domain
|username
|Domain
|Username
|text
|text
|The AD domain
|The username associated with this session
|-
|msg_id
|Message ID
|bigint
|The message ID
|-
|-
|type
|subject
|Type
|Subject
|text
|text
|The type of event (I=Login,U=Update,O=Logout)
|The email subject
|-
|-
|client_addr
|hostname
|Client Address
|Hostname
|inet
|text
|The client IP address
|The hostname of the local address
|-
|-
|}
|event_id
<section end='directory_connector_login_events' />
|Event ID
 
|bigint
 
|The unique event ID
== server_events ==
<section begin='server_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|sender
|Timestamp
|Sender
|timestamp without time zone
|text
|The time of the event
|The address of the sender
|-
|-
|load_1
|receiver
|CPU load (1-min)
|Receiver
|numeric(6,2)
|text
|The 1-minute CPU load
|The address of the receiver
|-
|-
|load_5
|virus_blocker_lite_clean
|CPU load (5-min)
|Virus Blocker Lite Clean
|numeric(6,2)
|boolean
|The 5-minute CPU load
|The cleanliness of the file according to Virus Blocker Lite
|-
|-
|load_15
|virus_blocker_lite_name
|CPU load (15-min)
|Virus Blocker Lite Name
|numeric(6,2)
|text
|The 15-minute CPU load
|The name of the malware according to Virus Blocker Lite
|-
|-
|cpu_user
|virus_blocker_clean
|CPU User Utilization
|Virus Blocker Clean
|numeric(6,3)
|boolean
|The user CPU percent utilization
|The cleanliness of the file according to Virus Blocker
|-
|-
|cpu_system
|virus_blocker_name
|CPU System Utilization
|Virus Blocker Name
|numeric(6,3)
|text
|The system CPU percent utilization
|The name of the malware according to Virus Blocker
|-
|-
|mem_total
|spam_blocker_lite_score
|Total Memory
|Spam Blocker Lite Score
|bigint
|real
|The total bytes of memory
|The score of the email according to Spam Blocker Lite
|-
|-
|mem_free
|spam_blocker_lite_is_spam
|Memory Free
|Spam Blocker Lite Spam
|bigint
|boolean
|The number of free bytes of memory
|The spam status of the email according to Spam Blocker Lite
|-
|-
|disk_total
|spam_blocker_lite_tests_string
|Disk Size
|Spam Blocker Lite Tests
|bigint
|text
|The total disk size in bytes
|The tess results for Spam Blocker Lite
|-
|-
|disk_free
|spam_blocker_lite_action
|Disk Free
|Spam Blocker Lite Action
|bigint
|character(1)
|The free disk space in bytes
|The action taken by Spam Blocker Lite
|-
|-
|swap_total
|spam_blocker_score
|Swap Size
|Spam Blocker Score
|bigint
|real
|The total swap size in bytes
|The score of the email according to Spam Blocker
|-
|-
|swap_free
|spam_blocker_is_spam
|Swap Free
|Spam Blocker Spam
|bigint
|boolean
|The free disk swap in bytes
|The spam status of the email according to Spam Blocker
|-
|-
|active_hosts
|spam_blocker_tests_string
|Active Hosts
|Spam Blocker Tests
|integer
|text
|The number of active hosts
|The tess results for Spam Blocker
|-
|-
|}
|spam_blocker_action
<section end='server_events' />
|Spam Blocker Action
 
|character(1)
 
|The action taken by Spam Blocker
== web_cache_stats ==
<section begin='web_cache_stats' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|phish_blocker_score
|Timestamp
|Phish Blocker Score
|timestamp without time zone
|real
|The time of the event
|The score of the email according to Phish Blocker
|-
|-
|hits
|phish_blocker_is_spam
|Hits
|Phish Blocker Phish
|bigint
|boolean
|The number of cache hits during this time frame
|The phish status of the email according to Phish Blocker
|-
|-
|misses
|phish_blocker_tests_string
|Misses
|Phish Blocker Tests
|bigint
|text
|The number of cache misses during this time frame
|The tess results for Phish Blocker
|-
|-
|bypasses
|phish_blocker_action
|Bypasses
|Phish Blocker Action
|bigint
|character(1)
|The number of cache user bypasses during this time frame
|The action taken by Phish Blocker
|-
|-
|systems
|}
|System bypasses
<section end='mail_msgs' />
|bigint
()
|The number of cache system bypasses during this time frame
 
|-
== mail_addrs ==  
|hit_bytes
<section begin='mail_addrs' />
|Hit Bytes
|bigint
|The number of bytes saved from cache hits
|-
|miss_bytes
|Miss Bytes
|bigint
|The number of bytes not saved from cache misses
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|}
<section end='web_cache_stats' />
 
 
== http_query_events ==  
<section begin='http_query_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 2,033: Line 2,002:
!Type
!Type
!Description
!Description
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|-
|time_stamp
|time_stamp
Line 2,109: Line 2,073:
|The username associated with this session
|The username associated with this session
|-
|-
|hostname
|msg_id
|Hostname
|Message ID
|text
|The hostname of the local address
|-
|request_id
|Request ID
|bigint
|bigint
|The HTTP request ID
|The message ID
|-
|-
|method
|subject
|Method
|Subject
|character(1)
|The HTTP method
|-
|uri
|URI
|text
|text
|The HTTP URI
|The email subject
|-
|-
|term
|addr
|Search Term
|Address
|text
|text
|The search term
|The address of this event
|-
|-
|host
|addr_name
|Host
|Address Name
|text
|text
|The HTTP host
|The name for this address
|-
|-
|c2s_content_length
|addr_kind
|Client-to-server Content Length
|Address Kind
|bigint
|character(1)
|The client-to-server content length
|The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
|-
|hostname
|Hostname
|text
|The hostname of the local address
|-
|-
|s2c_content_length
|event_id
|Server-to-client Content Length
|Event ID
|bigint
|bigint
|The server-to-client content length
|The unique event ID
|-
|-
|s2c_content_type
|sender
|Server-to-client Content Type
|Sender
|text
|text
|The server-to-client content type
|The address of the sender
|-
|-
|}
|virus_blocker_lite_clean
<section end='http_query_events' />
|Virus Blocker Lite Clean
 
|boolean
 
|The cleanliness of the file according to Virus Blocker Lite
== captive_portal_user_events ==
<section begin='captive_portal_user_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|virus_blocker_lite_name
|Timestamp
|Virus Blocker Lite Name
|timestamp without time zone
|text
|The time of the event
|The name of the malware according to Virus Blocker Lite
|-
|-
|policy_id
|virus_blocker_clean
|Policy ID
|Virus Blocker Clean
|bigint
|boolean
|The policy
|The cleanliness of the file according to Virus Blocker
|-
|-
|event_id
|virus_blocker_name
|Event ID
|Virus Blocker Name
|bigint
|text
|The unique event ID
|The name of the malware according to Virus Blocker
|-
|-
|login_name
|spam_blocker_lite_score
|Login Name
|Spam Blocker Lite Score
|text
|real
|The login username
|The score of the email according to Spam Blocker Lite
|-
|-
|event_info
|spam_blocker_lite_is_spam
|Event Type
|Spam Blocker Lite Spam
|text
|boolean
|The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
|The spam status of the email according to Spam Blocker Lite
|-
|-
|auth_type
|spam_blocker_lite_action
|Authorization Type
|Spam Blocker Lite Action
|text
|character(1)
|The authorization type for this event
|The action taken by Spam Blocker Lite
|-
|-
|client_addr
|spam_blocker_lite_tests_string
|Client Address
|Spam Blocker Lite Tests
|text
|text
|The remote IP address of the client
|The tess results for Spam Blocker Lite
|-
|-
|}
|spam_blocker_score
<section end='captive_portal_user_events' />
|Spam Blocker Score
 
|real
 
|The score of the email according to Spam Blocker
== openvpn_stats ==
<section begin='openvpn_stats' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|spam_blocker_is_spam
|Timestamp
|Spam Blocker Spam
|timestamp without time zone
|boolean
|The time of the event
|The spam status of the email according to Spam Blocker
|-
|-
|start_time
|spam_blocker_action
|Start Time
|Spam Blocker Action
|timestamp without time zone
|character(1)
|The time the OpenVPN session started
|The action taken by Spam Blocker
|-
|-
|end_time
|spam_blocker_tests_string
|End Time
|Spam Blocker Tests
|timestamp without time zone
|text
|The time the OpenVPN session ended
|The tess results for Spam Blocker
|-
|-
|rx_bytes
|phish_blocker_score
|Bytes Received
|Phish Blocker Score
|bigint
|real
|The total bytes received from the client during this session
|The score of the email according to Phish Blocker
|-
|-
|tx_bytes
|phish_blocker_is_spam
|Bytes Sent
|Phish Blocker Phish
|bigint
|boolean
|The total bytes sent to the client during this session
|The phish status of the email according to Phish Blocker
|-
|-
|remote_address
|phish_blocker_tests_string
|Remote Address
|Phish Blocker Tests
|inet
|text
|The remote IP address of the client
|The tess results for Phish Blocker
|-
|-
|pool_address
|phish_blocker_action
|Pool Address
|Phish Blocker Action
|inet
|character(1)
|The pool IP address of the client
|The action taken by Phish Blocker
|-
|remote_port
|Remote Port
|integer
|The remote port of the client
|-
|client_name
|Client Name
|text
|The name of the client
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|-
|}
|}
<section end='openvpn_stats' />
<section end='mail_addrs' />
()


 
== ftp_events ==  
== openvpn_events ==  
<section begin='ftp_events' />
<section begin='openvpn_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 2,277: Line 2,205:
!Type
!Type
!Description
!Description
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|-
|time_stamp
|time_stamp
Line 2,283: Line 2,216:
|The time of the event
|The time of the event
|-
|-
|remote_address
|session_id
|Remote Address
|Session ID
|bigint
|The session
|-
|client_intf
|Client Interface
|smallint
|The client interface
|-
|server_intf
|Server Interface
|smallint
|The server interface
|-
|c_client_addr
|Client-side Client Address
|inet
|inet
|The remote IP address of the client
|The client-side client IP address
|-
|-
|pool_address
|s_client_addr
|Pool Address
|Server-side Client Address
|inet
|inet
|The pool IP address of the client
|The server-side client IP address
|-
|-
|client_name
|c_server_addr
|Client Name
|Client-side Server Address
|text
|inet
|The name of the client
|The client-side server IP address
|-
|-
|type
|s_server_addr
|Type
|Server-side Server Address
|text
|inet
|The type of the event (CONNECT,DISCONNECT)
|The server-side server IP address
|-
|-
|}
|policy_id
<section end='openvpn_events' />
|Policy ID
 
|bigint
 
|The policy
== intrusion_prevention_events ==
<section begin='intrusion_prevention_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|username
|Timestamp
|Username
|timestamp without time zone
|text
|The time of the event
|The username associated with this session
|-
|-
|sig_id
|hostname
|Signature ID
|Hostname
|bigint
|text
|This ID of the rule
|The hostname of the local address
|-
|-
|gen_id
|request_id
|Grouping ID
|Request ID
|bigint
|bigint
|The grouping ID for the rule, The gen_id + sig_id specify the rule's unique identifier
|The FTP request ID
|-
|-
|class_id
|method
|Classtype ID
|Method
|bigint
|character(1)
|The numeric ID for the classtype
|The FTP method
|-
|-
|source_addr
|uri
|Source Address
|URI
|inet
|text
|The source IP address of the packet
|The FTP URI
|-
|-
|source_port
|virus_blocker_lite_clean
|Source Port
|Virus Blocker Lite Clean
|integer
|boolean
|The source port of the packet (if applicable)
|The cleanliness of the file according to Virus Blocker Lite
|-
|-
|dest_addr
|virus_blocker_lite_name
|Destination Address
|Virus Blocker Lite Name
|inet
|text
|The destination IP address of the packet
|The name of the malware according to Virus Blocker Lite
|-
|-
|dest_port
|virus_blocker_clean
|Destination Port
|Virus Blocker Clean
|integer
|The destination port of the packet (if applicable)
|-
|protocol
|Protocol
|integer
|The protocol of the packet
|-
|blocked
|Blocked
|boolean
|boolean
|If the packet was blocked/dropped
|The cleanliness of the file according to Virus Blocker
|-
|-
|category
|virus_blocker_name
|Category
|Virus Blocker Name
|text
|text
|The application specific grouping
|The name of the malware according to Virus Blocker
|-
|-
|classtype
|}
|Classtype
<section end='ftp_events' />
|text
()
|The generalized threat rule grouping (unrelated to gen_id)
|-
|msg
|Message
|text
|The "title" or "description" of the rule
|-
|}
<section end='intrusion_prevention_events' />
 


== syslog ==  
== tunnel_vpn_events ==  
<section begin='syslog' />
<section begin='tunnel_vpn_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 2,393: Line 2,313:
!Type
!Type
!Description
!Description
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|-
|time_stamp
|time_stamp
Line 2,399: Line 2,324:
|The time of the event
|The time of the event
|-
|-
|description
|tunnel_name
|Text detail of the event
|Tunnel Name
|text
|The name the tunnel
|-
|server_address
|Server IP Address
|text
|text
|The description from the alert rule.
|The address of the remote server
|-
|-
|summary_text
|local_address
|Summary Text
|Local Address
|text
|text
|The summary text of the alert
|The local address assigned the client
|-
|-
|json
|event_type
|JSON Text
|Event Type
|text
|text
|The summary JSON representation of the event causing the alert
|The type of the event (CONNECT,DISCONNECT)
|-
|-
|}
|}
<section end='syslog' />
<section end='tunnel_vpn_events' />
()


== tunnel_vpn_stats ==
<section begin='tunnel_vpn_stats' />


== user_table_updates ==
{| border="1" cellpadding="2" width="90%%" align="center"
<section begin='user_table_updates' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Column Name
!Human Name
!Human Name
!Type
!Type
!Description
!Description
|-
|username
|Username
|text
|The username
|-
|key
|Key
|text
|The key being updated
|-
|value
|Value
|text
|The new value for the key
|-
|old_value
|Old Value
|text
|The old value for the key
|-
|-
|time_stamp
|time_stamp
Line 2,451: Line 2,361:
|timestamp without time zone
|timestamp without time zone
|The time of the event
|The time of the event
|-
|tunnel_name
|Tunnel Name
|text
|The name of the Tunnel VPN tunnel
|-
|in_bytes
|In Bytes
|bigint
|The number of bytes received during this time frame
|-
|out_bytes
|Out Bytes
|bigint
|The number of bytes transmitted during this time frame
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|-
|}
|}
<section end='user_table_updates' />
<section end='tunnel_vpn_stats' />
()
 
== wan_failover_test_events ==
<section begin='wan_failover_test_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|interface_id
|Interface ID
|integer
|This interface ID
|-
|name
|Interface Name
|text
|This name of the interface
|-
|description
|Text detail of the event
|text
|The description from the test rule
|-
|success
|Success
|boolean
|The result of the test (true if the test succeeded, false otherwise)
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|}
<section end='wan_failover_test_events' />
()
 
== wan_failover_action_events ==
<section begin='wan_failover_action_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|interface_id
|Interface ID
|integer
|This interface ID
|-
|action
|Action
|text
|This action (CONNECTED,DISCONNECTED)
|-
|os_name
|Interface O/S Name
|text
|This O/S name of the interface
|-
|name
|Interface Name
|text
|This name of the interface
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|}
<section end='wan_failover_action_events' />
()
 
== directory_connector_login_events ==
<section begin='directory_connector_login_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|login_name
|Login Name
|text
|The login name
|-
|domain
|Domain
|text
|The AD domain
|-
|type
|Type
|text
|The type of event (I=Login,U=Update,O=Logout)
|-
|client_addr
|Client Address
|inet
|The client IP address
|-
|login_type
|Login Type
|text
|The login type
|-
|}
<section end='directory_connector_login_events' />
()
 
== captive_portal_user_events ==
<section begin='captive_portal_user_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|policy_id
|Policy ID
|bigint
|The policy
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|login_name
|Login Name
|text
|The login username
|-
|event_info
|Event Type
|text
|The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
|-
|auth_type
|Authorization Type
|text
|The authorization type for this event
|-
|client_addr
|Client Address
|text
|The remote IP address of the client
|-
|}
<section end='captive_portal_user_events' />
()
 
== openvpn_stats ==
<section begin='openvpn_stats' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|start_time
|Start Time
|timestamp without time zone
|The time the OpenVPN session started
|-
|end_time
|End Time
|timestamp without time zone
|The time the OpenVPN session ended
|-
|rx_bytes
|Bytes Received
|bigint
|The total bytes received from the client during this session
|-
|tx_bytes
|Bytes Sent
|bigint
|The total bytes sent to the client during this session
|-
|remote_address
|Remote Address
|inet
|The remote IP address of the client
|-
|pool_address
|Pool Address
|inet
|The pool IP address of the client
|-
|remote_port
|Remote Port
|integer
|The remote port of the client
|-
|client_name
|Client Name
|text
|The name of the client
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|}
<section end='openvpn_stats' />
()
 
== openvpn_events ==
<section begin='openvpn_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|remote_address
|Remote Address
|inet
|The remote IP address of the client
|-
|pool_address
|Pool Address
|inet
|The pool IP address of the client
|-
|client_name
|Client Name
|text
|The name of the client
|-
|type
|Type
|text
|The type of the event (CONNECT,DISCONNECT)
|-
|}
<section end='openvpn_events' />
()

Latest revision as of 18:37, 8 September 2020

Database Tables

configuration_backup_events

<section begin='configuration_backup_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
success Success boolean The result of the backup (true if the backup succeeded, false otherwise)
description Text detail of the event text Text detail of the event
destination Destination text The location of the backup
event_id Event ID bigint The unique event ID

<section end='configuration_backup_events' /> ()

http_events

<section begin='http_events' />

Column Name Human Name Type Description
request_id Request ID bigint The HTTP request ID
time_stamp Timestamp timestamp without time zone The time of the event
session_id Session ID bigint The session
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
c_client_addr Client-side Client Address inet The client-side client IP address
s_client_addr Server-side Client Address inet The server-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
s_server_addr Server-side Server Address inet The server-side server IP address
c_client_port Client-side Client Port integer The client-side client port
s_client_port Server-side Client Port integer The server-side client port
c_server_port Client-side Server Port integer The client-side server port
s_server_port Server-side Server Port integer The server-side server port
client_country Client Country text The client Country
client_latitude Client Latitude real The client Latitude
client_longitude Client Longitude real The client Longitude
server_country Server Country text The server Country
server_latitude Server Latitude real The server Latitude
server_longitude Server Longitude real The server Longitude
policy_id Policy ID smallint The policy
username Username text The username associated with this session
hostname Hostname text The hostname of the local address
method Method character(1) The HTTP method
uri URI text The HTTP URI
host Host text The HTTP host
domain Domain text The HTTP domain (shortened host)
referer Referer text The Referer URL
c2s_content_length Client-to-server Content Length bigint The client-to-server content length
s2c_content_length Server-to-client Content Length bigint The server-to-client content length
s2c_content_type Server-to-client Content Type text The server-to-client content type
s2c_content_filename Server-to-client Content Disposition Filename text The server-to-client content disposition filename
ad_blocker_cookie_ident Ad Blocker Cookie text This name of cookie blocked by Ad Blocker
ad_blocker_action Ad Blocker Action character(1) This action of Ad Blocker on this request
web_filter_reason Reason for action (Web Filter) character(1) This reason Web Filter blocked/flagged this request
web_filter_category_id Web Category (Web Filter) smallint This numeric category according to Web Filter
web_filter_rule_id Web Rule (Web Filter) smallint This numeric rule according to Web Filter
web_filter_blocked Blocked (Web Filter) boolean If Web Filter blocked this request
web_filter_flagged Flagged (Web Filter) boolean If Web Filter flagged this request
virus_blocker_lite_clean Virus Blocker Lite Clean boolean The cleanliness of the file according to Virus Blocker Lite
virus_blocker_lite_name Virus Blocker Lite Name text The name of the malware according to Virus Blocker Lite
virus_blocker_clean Virus Blocker Clean boolean The cleanliness of the file according to Virus Blocker
virus_blocker_name Virus Blocker Name text The name of the malware according to Virus Blocker
threat_prevention_blocked Threat Prevention Blocked boolean If Threat Prevention blocked this request
threat_prevention_flagged Threat Prevention Flagged boolean If Threat Prevention flagged this request
threat_prevention_rule_id Threat Prevention Rule Id integer This numeric rule according to Threat Prevention
threat_prevention_reputation Threat Prevention Reputation smallint This numeric threat reputation
threat_prevention_categories Threat Prevention Categories integer This bitmask of threat categories

<section end='http_events' /> ()

intrusion_prevention_events

<section begin='intrusion_prevention_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
sig_id Signature ID bigint This ID of the rule
gen_id Grouping ID bigint The grouping ID for the rule, The gen_id + sig_id specify the rule's unique identifier
class_id Classtype ID bigint The numeric ID for the classtype
source_addr Source Address inet The source IP address of the packet
source_port Source Port integer The source port of the packet (if applicable)
dest_addr Destination Address inet The destination IP address of the packet
dest_port Destination Port integer The destination port of the packet (if applicable)
protocol Protocol integer The protocol of the packet
blocked Blocked boolean If the packet was blocked/dropped
category Category text The application specific grouping for the signature
classtype Classtype text The generalized threat signature grouping (unrelated to gen_id)
msg Message text The "title" or "description" of the signature
rid Rule ID text The rule id
rule_id Rule ID text The rule id

<section end='intrusion_prevention_events' /> ()

smtp_tarpit_events

<section begin='smtp_tarpit_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
ipaddr Client Address inet The client IP address
hostname Hostname text The hostname of the local address
policy_id Policy ID bigint The policy
vendor_name Vendor Name character varying(255) The "vendor name" of the app that logged the event
event_id Event ID bigint The unique event ID

<section end='smtp_tarpit_events' /> ()

ipsec_user_events

<section begin='ipsec_user_events' />

Column Name Human Name Type Description
event_id Event ID bigint The unique event ID
time_stamp Timestamp timestamp without time zone The time of the event
connect_stamp Connect Time timestamp without time zone The time the connection started
goodbye_stamp End Time timestamp without time zone The time the connection ended
client_address Client Address text The remote IP address of the client
client_protocol Client Protocol text The protocol the client used to connect
client_username Client Username text The username of the client
net_process Net Process text The PID of the PPP process for L2TP connections or the connection ID for Xauth connections
net_interface Net Interface text The PPP interface for L2TP connections or the client interface for Xauth connections
elapsed_time Elapsed Time text The total time the client was connected
rx_bytes Bytes Received bigint The number of bytes received from the client in this connection
tx_bytes Bytes Sent bigint The number of bytes sent to the client in this connection

<section end='ipsec_user_events' /> ()

ipsec_vpn_events

<section begin='ipsec_vpn_events' />

Column Name Human Name Type Description
event_id Event ID bigint The unique event ID
time_stamp Timestamp timestamp without time zone The time of the event
local_address Local Address text The local address of the tunnel
remote_address Remote Address text The remote address of the tunnel
tunnel_description Tunnel Description text The description of the tunnel
event_type Event Type text The type of the event (CONNECT,DISCONNECT)

<section end='ipsec_vpn_events' /> ()

ipsec_tunnel_stats

<section begin='ipsec_tunnel_stats' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
tunnel_name Tunnel Name text The name of the IPsec tunnel
in_bytes In Bytes bigint The number of bytes received during this time frame
out_bytes Out Bytes bigint The number of bytes transmitted during this time frame
event_id Event ID bigint The unique event ID

<section end='ipsec_tunnel_stats' /> ()

http_query_events

<section begin='http_query_events' />

Column Name Human Name Type Description
event_id Event ID bigint The unique event ID
time_stamp Timestamp timestamp without time zone The time of the event
session_id Session ID bigint The session
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
c_client_addr Client-side Client Address inet The client-side client IP address
s_client_addr Server-side Client Address inet The server-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
s_server_addr Server-side Server Address inet The server-side server IP address
c_client_port Client-side Client Port integer The client-side client port
s_client_port Server-side Client Port integer The server-side client port
c_server_port Client-side Server Port integer The client-side server port
s_server_port Server-side Server Port integer The server-side server port
policy_id Policy ID bigint The policy
username Username text The username associated with this session
hostname Hostname text The hostname of the local address
request_id Request ID bigint The HTTP request ID
method Method character(1) The HTTP method
uri URI text The HTTP URI
term Search Term text The search term
host Host text The HTTP host
c2s_content_length Client-to-server Content Length bigint The client-to-server content length
s2c_content_length Server-to-client Content Length bigint The server-to-client content length
s2c_content_type Server-to-client Content Type text The server-to-client content type
blocked Blocked boolean If Web Filter blocked this search term
flagged Flagged boolean If Web Filter flagged this search term

<section end='http_query_events' /> ()

admin_logins

<section begin='admin_logins' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
login Login text The login name
local Local boolean True if it is a login attempt through a local process
client_addr Client Address inet The client IP address
succeeded Succeeded boolean True if the login succeeded, false otherwise
reason Reason character(1) The reason for the login (if applicable)

<section end='admin_logins' /> ()

sessions

<section begin='sessions' />

Column Name Human Name Type Description
session_id Session ID bigint The session
time_stamp Timestamp timestamp without time zone The time of the event
end_time End Time timestamp without time zone The time the session ended
bypassed Bypassed boolean True if the session was bypassed, false otherwise
entitled Entitled boolean True if the session is entitled to premium functionality
protocol Protocol smallint The IP protocol of session
icmp_type ICMP Type smallint The ICMP type of session if ICMP
hostname Hostname text The hostname of the local address
username Username text The username associated with this session
policy_id Policy ID smallint The policy
policy_rule_id Policy Rule ID smallint The ID of the matching policy rule (0 means none)
local_addr Local Address inet The IP address of the local participant
remote_addr Remote Address inet The IP address of the remote participant
c_client_addr Client-side Client Address inet The client-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
c_server_port Client-side Server Port integer The client-side server port
c_client_port Client-side Client Port integer The client-side client port
s_client_addr Server-side Client Address inet The server-side client IP address
s_server_addr Server-side Server Address inet The server-side server IP address
s_server_port Server-side Server Port integer The server-side server port
s_client_port Server-side Client Port integer The server-side client port
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
client_country Client Country text The client Country
client_latitude Client Latitude real The client Latitude
client_longitude Client Longitude real The client Longitude
server_country Server Country text The server Country
server_latitude Server Latitude real The server Latitude
server_longitude Server Longitude real The server Longitude
c2p_bytes From-Client Bytes bigint The number of bytes the client sent to Untangle (client-to-pipeline)
p2c_bytes To-Client Bytes bigint The number of bytes Untangle sent to client (pipeline-to-client)
s2p_bytes From-Server Bytes bigint The number of bytes the server sent to Untangle (client-to-pipeline)
p2s_bytes To-Server Bytes bigint The number of bytes Untangle sent to server (pipeline-to-client)
filter_prefix Filter Block text The network filter that blocked the connection (filter,shield,invalid)
firewall_blocked Firewall Blocked boolean True if Firewall blocked the session, false otherwise
firewall_flagged Firewall Flagged boolean True if Firewall flagged the session, false otherwise
firewall_rule_index Firewall Rule ID integer The matching rule in Firewall (if any)
threat_prevention_blocked Threat Prevention Blocked boolean If Threat Prevention blocked
threat_prevention_flagged Threat Prevention Flagged boolean If Threat Prevention flagged
threat_prevention_reason Threat Prevention Reason character(1) Threat Prevention reason
threat_prevention_rule_id Threat Prevention Rule Id integer Numeric rule id of Threat Prevention
threat_prevention_client_reputation Threat Prevention Client Reputation smallint Numeric client reputation of Threat Prevention
threat_prevention_client_categories Threat Prevention Client Categories integer Bitmask client categories of Threat Prevention
threat_prevention_server_reputation Threat Prevention Server Reputation smallint Numeric server reputation of Threat Prevention
threat_prevention_server_categories Threat Prevention Server Categories integer Bitmask server categories of Threat Prevention
application_control_lite_protocol Application Control Lite Protocol text The application protocol according to Application Control Lite
application_control_lite_blocked Application Control Lite Blocked boolean True if Application Control Lite blocked the session
captive_portal_blocked Captive Portal Blocked boolean True if Captive Portal blocked the session
captive_portal_rule_index Captive Portal Rule ID integer The matching rule in Captive Portal (if any)
application_control_application Application Control Application text The application according to Application Control
application_control_protochain Application Control Protochain text The protochain according to Application Control
application_control_category Application Control Category text The category according to Application Control
application_control_blocked Application Control Blocked boolean True if Application Control blocked the session
application_control_flagged Application Control Flagged boolean True if Application Control flagged the session
application_control_confidence Application Control Confidence integer True if Application Control confidence of this session's identification
application_control_ruleid Application Control Rule ID integer The matching rule in Application Control (if any)
application_control_detail Application Control Detail text The text detail from the Application Control engine
bandwidth_control_priority Bandwidth Control Priority integer The priority given to this session
bandwidth_control_rule Bandwidth Control Rule ID integer The matching rule in Bandwidth Control rule (if any)
ssl_inspector_ruleid SSL Inspector Rule ID integer The matching rule in SSL Inspector rule (if any)
ssl_inspector_status SSL Inspector Status text The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED)
ssl_inspector_detail SSL Inspector Detail text Additional text detail about the SSL connection (SNI, IP Address)
tags Tags text The tags on this session

<section end='sessions' /> ()

session_minutes

<section begin='session_minutes' />

Column Name Human Name Type Description
session_id Session ID bigint The session
time_stamp Timestamp timestamp without time zone The time of the event
c2s_bytes From-Client Bytes bigint The number of bytes the client sent
s2c_bytes From-Server Bytes bigint The number of bytes the server sent
start_time Start Time timestamp without time zone The start time of the session
end_time End Time timestamp without time zone The time the session ended
bypassed Bypassed boolean True if the session was bypassed, false otherwise
entitled Entitled boolean True if the session is entitled to premium functionality
protocol Protocol smallint The IP protocol of session
icmp_type ICMP Type smallint The ICMP type of session if ICMP
hostname Hostname text The hostname of the local address
username Username text The username associated with this session
policy_id Policy ID smallint The policy
policy_rule_id Policy Rule ID smallint The ID of the matching policy rule (0 means none)
local_addr Local Address inet The IP address of the local participant
remote_addr Remote Address inet The IP address of the remote participant
c_client_addr Client-side Client Address inet The client-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
c_server_port Client-side Server Port integer The client-side server port
c_client_port Client-side Client Port integer The client-side client port
s_client_addr Server-side Client Address inet The server-side client IP address
s_server_addr Server-side Server Address inet The server-side server IP address
s_server_port Server-side Server Port integer The server-side server port
s_client_port Server-side Client Port integer The server-side client port
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
client_country Client Country text The client Country
client_latitude Client Latitude real The client Latitude
client_longitude Client Longitude real The client Longitude
server_country Server Country text The server Country
server_latitude Server Latitude real The server Latitude
server_longitude Server Longitude real The server Longitude
filter_prefix Filter Block text The network filter that blocked the connection (filter,shield,invalid)
firewall_blocked Firewall Blocked boolean True if Firewall blocked the session, false otherwise
firewall_flagged Firewall Flagged boolean True if Firewall flagged the session, false otherwise
firewall_rule_index Firewall Rule ID integer The matching rule in Firewall (if any)
threat_prevention_blocked Threat Prevention Blocked boolean If Threat Prevention blocked
threat_prevention_flagged Threat Prevention Flagged boolean If Threat Prevention flagged
threat_prevention_reason Threat Prevention Reason character(1) Threat Prevention reason
threat_prevention_rule_id Threat Prevention Rule Id integer Numeric rule id of Threat Prevention
threat_prevention_client_reputation Threat Prevention Client Reputation smallint Numeric client reputation of Threat Prevention
threat_prevention_client_categories Threat Prevention Client Categories integer Bitmask client categories of Threat Prevention
threat_prevention_server_reputation Threat Prevention Server Reputation smallint Numeric server reputation of Threat Prevention
threat_prevention_server_categories Threat Prevention Server Categories integer Bitmask server categories of Threat Prevention
application_control_lite_protocol Application Control Lite Protocol text The application protocol according to Application Control Lite
application_control_lite_blocked Application Control Lite Blocked boolean True if Application Control Lite blocked the session
captive_portal_blocked Captive Portal Blocked boolean True if Captive Portal blocked the session
captive_portal_rule_index Captive Portal Rule ID integer The matching rule in Captive Portal (if any)
application_control_application Application Control Application text The application according to Application Control
application_control_protochain Application Control Protochain text The protochain according to Application Control
application_control_category Application Control Category text The category according to Application Control
application_control_blocked Application Control Blocked boolean True if Application Control blocked the session
application_control_flagged Application Control Flagged boolean True if Application Control flagged the session
application_control_confidence Application Control Confidence integer True if Application Control confidence of this session's identification
application_control_ruleid Application Control Rule ID integer The matching rule in Application Control (if any)
application_control_detail Application Control Detail text The text detail from the Application Control engine
bandwidth_control_priority Bandwidth Control Priority integer The priority given to this session
bandwidth_control_rule Bandwidth Control Rule ID integer The matching rule in Bandwidth Control rule (if any)
ssl_inspector_ruleid SSL Inspector Rule ID integer The matching rule in SSL Inspector rule (if any)
ssl_inspector_status SSL Inspector Status text The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED)
ssl_inspector_detail SSL Inspector Detail text Additional text detail about the SSL connection (SNI, IP Address)
tags Tags text The tags on this session

<section end='session_minutes' /> ()

quotas

<section begin='quotas' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
entity Entity text The IP entity given the quota (address/username)
action Action integer The action (1=Quota Given, 2=Quota Exceeded)
size Size bigint The size of the quota
reason Reason text The reason for the action

<section end='quotas' /> ()

host_table_updates

<section begin='host_table_updates' />

Column Name Human Name Type Description
address Address inet The IP address of the host
key Key text The key being updated
value Value text The new value for the key
old_value Old Value text The old value for the key
time_stamp Timestamp timestamp without time zone The time of the event

<section end='host_table_updates' /> ()

device_table_updates

<section begin='device_table_updates' />

Column Name Human Name Type Description
mac_address MAC Address text The MAC address of the device
key Key text The key being updated
value Value text The new value for the key
old_value Old Value text The old value for the key
time_stamp Timestamp timestamp without time zone The time of the event

<section end='device_table_updates' /> ()

user_table_updates

<section begin='user_table_updates' />

Column Name Human Name Type Description
username Username text The username
key Key text The key being updated
value Value text The new value for the key
old_value Old Value text The old value for the key
time_stamp Timestamp timestamp without time zone The time of the event

<section end='user_table_updates' /> ()

alerts

<section begin='alerts' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
description Text detail of the event text The description from the alert rule.
summary_text Summary Text text The summary text of the alert
json JSON Text text The summary JSON representation of the event causing the alert

<section end='alerts' /> ()

settings_changes

<section begin='settings_changes' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
settings_file Settings File text The name of the file changed
username Username text The username logged in at the time of the change
hostname Hostname text The remote hostname

<section end='settings_changes' /> ()

web_cache_stats

<section begin='web_cache_stats' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
hits Hits bigint The number of cache hits during this time frame
misses Misses bigint The number of cache misses during this time frame
bypasses Bypasses bigint The number of cache user bypasses during this time frame
systems System bypasses bigint The number of cache system bypasses during this time frame
hit_bytes Hit Bytes bigint The number of bytes saved from cache hits
miss_bytes Miss Bytes bigint The number of bytes not saved from cache misses
event_id Event ID bigint The unique event ID

<section end='web_cache_stats' /> ()

server_events

<section begin='server_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
load_1 CPU load (1-min) numeric(6,2) The 1-minute CPU load
load_5 CPU load (5-min) numeric(6,2) The 5-minute CPU load
load_15 CPU load (15-min) numeric(6,2) The 15-minute CPU load
cpu_user CPU User Utilization numeric(6,3) The user CPU percent utilization
cpu_system CPU System Utilization numeric(6,3) The system CPU percent utilization
mem_total Total Memory bigint The total bytes of memory
mem_free Memory Free bigint The number of free bytes of memory
disk_total Disk Size bigint The total disk size in bytes
disk_free Disk Free bigint The free disk space in bytes
swap_total Swap Size bigint The total swap size in bytes
swap_free Swap Free bigint The free disk swap in bytes
active_hosts Active Hosts integer The number of active hosts

<section end='server_events' /> ()

interface_stat_events

<section begin='interface_stat_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
interface_id Interface ID integer The interface ID
rx_rate Rx Rate double precision The RX rate (bytes/s)
rx_bytes Bytes Received bigint The number of bytes received from the client in this connection
tx_rate Tx Rate double precision The TX rate (bytes/s)
tx_bytes Bytes Sent bigint The number of bytes sent to the client in this connection

<section end='interface_stat_events' /> ()

mail_msgs

<section begin='mail_msgs' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
session_id Session ID bigint The session
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
c_client_addr Client-side Client Address inet The client-side client IP address
s_client_addr Server-side Client Address inet The server-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
s_server_addr Server-side Server Address inet The server-side server IP address
c_client_port Client-side Client Port integer The client-side client port
s_client_port Server-side Client Port integer The server-side client port
c_server_port Client-side Server Port integer The client-side server port
s_server_port Server-side Server Port integer The server-side server port
policy_id Policy ID bigint The policy
username Username text The username associated with this session
msg_id Message ID bigint The message ID
subject Subject text The email subject
hostname Hostname text The hostname of the local address
event_id Event ID bigint The unique event ID
sender Sender text The address of the sender
receiver Receiver text The address of the receiver
virus_blocker_lite_clean Virus Blocker Lite Clean boolean The cleanliness of the file according to Virus Blocker Lite
virus_blocker_lite_name Virus Blocker Lite Name text The name of the malware according to Virus Blocker Lite
virus_blocker_clean Virus Blocker Clean boolean The cleanliness of the file according to Virus Blocker
virus_blocker_name Virus Blocker Name text The name of the malware according to Virus Blocker
spam_blocker_lite_score Spam Blocker Lite Score real The score of the email according to Spam Blocker Lite
spam_blocker_lite_is_spam Spam Blocker Lite Spam boolean The spam status of the email according to Spam Blocker Lite
spam_blocker_lite_tests_string Spam Blocker Lite Tests text The tess results for Spam Blocker Lite
spam_blocker_lite_action Spam Blocker Lite Action character(1) The action taken by Spam Blocker Lite
spam_blocker_score Spam Blocker Score real The score of the email according to Spam Blocker
spam_blocker_is_spam Spam Blocker Spam boolean The spam status of the email according to Spam Blocker
spam_blocker_tests_string Spam Blocker Tests text The tess results for Spam Blocker
spam_blocker_action Spam Blocker Action character(1) The action taken by Spam Blocker
phish_blocker_score Phish Blocker Score real The score of the email according to Phish Blocker
phish_blocker_is_spam Phish Blocker Phish boolean The phish status of the email according to Phish Blocker
phish_blocker_tests_string Phish Blocker Tests text The tess results for Phish Blocker
phish_blocker_action Phish Blocker Action character(1) The action taken by Phish Blocker

<section end='mail_msgs' /> ()

mail_addrs

<section begin='mail_addrs' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
session_id Session ID bigint The session
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
c_client_addr Client-side Client Address inet The client-side client IP address
s_client_addr Server-side Client Address inet The server-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
s_server_addr Server-side Server Address inet The server-side server IP address
c_client_port Client-side Client Port integer The client-side client port
s_client_port Server-side Client Port integer The server-side client port
c_server_port Client-side Server Port integer The client-side server port
s_server_port Server-side Server Port integer The server-side server port
policy_id Policy ID bigint The policy
username Username text The username associated with this session
msg_id Message ID bigint The message ID
subject Subject text The email subject
addr Address text The address of this event
addr_name Address Name text The name for this address
addr_kind Address Kind character(1) The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
hostname Hostname text The hostname of the local address
event_id Event ID bigint The unique event ID
sender Sender text The address of the sender
virus_blocker_lite_clean Virus Blocker Lite Clean boolean The cleanliness of the file according to Virus Blocker Lite
virus_blocker_lite_name Virus Blocker Lite Name text The name of the malware according to Virus Blocker Lite
virus_blocker_clean Virus Blocker Clean boolean The cleanliness of the file according to Virus Blocker
virus_blocker_name Virus Blocker Name text The name of the malware according to Virus Blocker
spam_blocker_lite_score Spam Blocker Lite Score real The score of the email according to Spam Blocker Lite
spam_blocker_lite_is_spam Spam Blocker Lite Spam boolean The spam status of the email according to Spam Blocker Lite
spam_blocker_lite_action Spam Blocker Lite Action character(1) The action taken by Spam Blocker Lite
spam_blocker_lite_tests_string Spam Blocker Lite Tests text The tess results for Spam Blocker Lite
spam_blocker_score Spam Blocker Score real The score of the email according to Spam Blocker
spam_blocker_is_spam Spam Blocker Spam boolean The spam status of the email according to Spam Blocker
spam_blocker_action Spam Blocker Action character(1) The action taken by Spam Blocker
spam_blocker_tests_string Spam Blocker Tests text The tess results for Spam Blocker
phish_blocker_score Phish Blocker Score real The score of the email according to Phish Blocker
phish_blocker_is_spam Phish Blocker Phish boolean The phish status of the email according to Phish Blocker
phish_blocker_tests_string Phish Blocker Tests text The tess results for Phish Blocker
phish_blocker_action Phish Blocker Action character(1) The action taken by Phish Blocker

<section end='mail_addrs' /> ()

ftp_events

<section begin='ftp_events' />

Column Name Human Name Type Description
event_id Event ID bigint The unique event ID
time_stamp Timestamp timestamp without time zone The time of the event
session_id Session ID bigint The session
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
c_client_addr Client-side Client Address inet The client-side client IP address
s_client_addr Server-side Client Address inet The server-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
s_server_addr Server-side Server Address inet The server-side server IP address
policy_id Policy ID bigint The policy
username Username text The username associated with this session
hostname Hostname text The hostname of the local address
request_id Request ID bigint The FTP request ID
method Method character(1) The FTP method
uri URI text The FTP URI
virus_blocker_lite_clean Virus Blocker Lite Clean boolean The cleanliness of the file according to Virus Blocker Lite
virus_blocker_lite_name Virus Blocker Lite Name text The name of the malware according to Virus Blocker Lite
virus_blocker_clean Virus Blocker Clean boolean The cleanliness of the file according to Virus Blocker
virus_blocker_name Virus Blocker Name text The name of the malware according to Virus Blocker

<section end='ftp_events' /> ()

tunnel_vpn_events

<section begin='tunnel_vpn_events' />

Column Name Human Name Type Description
event_id Event ID bigint The unique event ID
time_stamp Timestamp timestamp without time zone The time of the event
tunnel_name Tunnel Name text The name the tunnel
server_address Server IP Address text The address of the remote server
local_address Local Address text The local address assigned the client
event_type Event Type text The type of the event (CONNECT,DISCONNECT)

<section end='tunnel_vpn_events' /> ()

tunnel_vpn_stats

<section begin='tunnel_vpn_stats' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
tunnel_name Tunnel Name text The name of the Tunnel VPN tunnel
in_bytes In Bytes bigint The number of bytes received during this time frame
out_bytes Out Bytes bigint The number of bytes transmitted during this time frame
event_id Event ID bigint The unique event ID

<section end='tunnel_vpn_stats' /> ()

wan_failover_test_events

<section begin='wan_failover_test_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
interface_id Interface ID integer This interface ID
name Interface Name text This name of the interface
description Text detail of the event text The description from the test rule
success Success boolean The result of the test (true if the test succeeded, false otherwise)
event_id Event ID bigint The unique event ID

<section end='wan_failover_test_events' /> ()

wan_failover_action_events

<section begin='wan_failover_action_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
interface_id Interface ID integer This interface ID
action Action text This action (CONNECTED,DISCONNECTED)
os_name Interface O/S Name text This O/S name of the interface
name Interface Name text This name of the interface
event_id Event ID bigint The unique event ID

<section end='wan_failover_action_events' /> ()

directory_connector_login_events

<section begin='directory_connector_login_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
login_name Login Name text The login name
domain Domain text The AD domain
type Type text The type of event (I=Login,U=Update,O=Logout)
client_addr Client Address inet The client IP address
login_type Login Type text The login type

<section end='directory_connector_login_events' /> ()

captive_portal_user_events

<section begin='captive_portal_user_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
policy_id Policy ID bigint The policy
event_id Event ID bigint The unique event ID
login_name Login Name text The login username
event_info Event Type text The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
auth_type Authorization Type text The authorization type for this event
client_addr Client Address text The remote IP address of the client

<section end='captive_portal_user_events' /> ()

openvpn_stats

<section begin='openvpn_stats' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
start_time Start Time timestamp without time zone The time the OpenVPN session started
end_time End Time timestamp without time zone The time the OpenVPN session ended
rx_bytes Bytes Received bigint The total bytes received from the client during this session
tx_bytes Bytes Sent bigint The total bytes sent to the client during this session
remote_address Remote Address inet The remote IP address of the client
pool_address Pool Address inet The pool IP address of the client
remote_port Remote Port integer The remote port of the client
client_name Client Name text The name of the client
event_id Event ID bigint The unique event ID

<section end='openvpn_stats' /> ()

openvpn_events

<section begin='openvpn_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
remote_address Remote Address inet The remote IP address of the client
pool_address Pool Address inet The pool IP address of the client
client_name Client Name text The name of the client
type Type text The type of the event (CONNECT,DISCONNECT)

<section end='openvpn_events' /> ()