Database Schema: Difference between revisions
Bcarmichael (talk | contribs)  | 
Revision as of 22:15, 28 January 2020
Database Tables
admin_logins
<section begin='admin_logins' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| login | Login | text | The login name | 
| local | Local | boolean | True if it is a login attempt through a local process | 
| client_addr | Client Address | inet | The client IP address | 
| succeeded | Succeeded | boolean | True if the login succeeded, false otherwise | 
| reason | Reason | character(1) | The reason for the login (if applicable) | 
<section end='admin_logins' />
sessions
<section begin='sessions' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| session_id | Session ID | bigint | The session | 
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| end_time | End Time | timestamp without time zone | The time the session ended | 
| bypassed | Bypassed | boolean | True if the session was bypassed, false otherwise | 
| entitled | Entitled | boolean | True if the session is entitled to premium functionality | 
| protocol | Protocol | smallint | The IP protocol of the session | 
| icmp_type | ICMP Type | smallint | The ICMP type of the session, if ICMP | 
| hostname | Hostname | text | The hostname of the local address | 
| username | Username | text | The username associated with this session | 
| policy_id | Policy ID | smallint | The policy | 
| policy_rule_id | Policy Rule ID | smallint | The ID of the matching policy rule (0 means none) | 
| c_client_addr | Client-side Client Address | inet | The client-side client IP address | 
| c_server_addr | Client-side Server Address | inet | The client-side server IP address | 
| c_server_port | Client-side Server Port | integer | The client-side server port | 
| c_client_port | Client-side Client Port | integer | The client-side client port | 
| s_client_addr | Server-side Client Address | inet | The server-side client IP address | 
| s_server_addr | Server-side Server Address | inet | The server-side server IP address | 
| s_server_port | Server-side Server Port | integer | The server-side server port | 
| s_client_port | Server-side Client Port | integer | The server-side client port | 
| client_intf | Client Interface | smallint | The client interface | 
| server_intf | Server Interface | smallint | The server interface | 
| client_country | Client Country | text | The client country | 
| client_latitude | Client Latitude | real | The client latitude | 
| client_longitude | Client Longitude | real | The client longitude | 
| server_country | Server Country | text | The server country | 
| server_latitude | Server Latitude | real | The server latitude | 
| server_longitude | Server Longitude | real | The server longitude | 
| c2p_bytes | From-Client Bytes | bigint | The number of bytes the client sent to Untangle (client-to-pipeline) | 
| p2c_bytes | To-Client Bytes | bigint | The number of bytes Untangle sent to client (pipeline-to-client) | 
| s2p_bytes | From-Server Bytes | bigint | The number of bytes the server sent to Untangle (server-to-pipeline) | 
| p2s_bytes | To-Server Bytes | bigint | The number of bytes Untangle sent to server (pipeline-to-server) | 
| filter_prefix | Filter Block | text | The network filter that blocked the connection (filter,shield,invalid) | 
| firewall_blocked | Firewall Blocked | boolean | True if Firewall blocked the session, false otherwise | 
| firewall_flagged | Firewall Flagged | boolean | True if Firewall flagged the session, false otherwise | 
| firewall_rule_index | Firewall Rule ID | integer | The matching rule in Firewall (if any) | 
| application_control_lite_protocol | Application Control Lite Protocol | text | The application protocol according to Application Control Lite | 
| application_control_lite_blocked | Application Control Lite Blocked | boolean | True if Application Control Lite blocked the session | 
| captive_portal_blocked | Captive Portal Blocked | boolean | True if Captive Portal blocked the session | 
| captive_portal_rule_index | Captive Portal Rule ID | integer | The matching rule in Captive Portal (if any) | 
| application_control_application | Application Control Application | text | The application according to Application Control | 
| application_control_protochain | Application Control Protochain | text | The protochain according to Application Control | 
| application_control_category | Application Control Category | text | The category according to Application Control | 
| application_control_blocked | Application Control Blocked | boolean | True if Application Control blocked the session | 
| application_control_flagged | Application Control Flagged | boolean | True if Application Control flagged the session | 
| application_control_confidence | Application Control Confidence | integer | The Application Control confidence of this session's identification | 
| application_control_ruleid | Application Control Rule ID | integer | The matching rule in Application Control (if any) | 
| application_control_detail | Application Control Detail | text | The text detail from the Application Control engine | 
| bandwidth_control_priority | Bandwidth Control Priority | integer | The priority given to this session | 
| bandwidth_control_rule | Bandwidth Control Rule ID | integer | The matching rule in Bandwidth Control (if any) | 
| ssl_inspector_ruleid | SSL Inspector Rule ID | integer | The matching rule in SSL Inspector (if any) | 
| ssl_inspector_status | SSL Inspector Status | text | The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED) | 
| ssl_inspector_detail | SSL Inspector Detail | text | Additional text detail about the SSL connection (SNI, IP Address) | 
| local_addr | Local Address | inet | The IP address of the local participant | 
| remote_addr | Remote Address | inet | The IP address of the remote participant | 
| tags | Tags | text | The tags on this session | 
<section end='sessions' />
session_minutes
<section begin='session_minutes' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| session_id | Session ID | bigint | The session | 
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| c2s_bytes | From-Client Bytes | bigint | The number of bytes the client sent | 
| s2c_bytes | From-Server Bytes | bigint | The number of bytes the server sent | 
| start_time | Start Time | timestamp without time zone | The start time of the session | 
| end_time | End Time | timestamp without time zone | The time the session ended | 
| bypassed | Bypassed | boolean | True if the session was bypassed, false otherwise | 
| entitled | Entitled | boolean | True if the session is entitled to premium functionality | 
| protocol | Protocol | smallint | The IP protocol of the session | 
| icmp_type | ICMP Type | smallint | The ICMP type of the session, if ICMP | 
| hostname | Hostname | text | The hostname of the local address | 
| username | Username | text | The username associated with this session | 
| policy_id | Policy ID | smallint | The policy | 
| policy_rule_id | Policy Rule ID | smallint | The ID of the matching policy rule (0 means none) | 
| c_client_addr | Client-side Client Address | inet | The client-side client IP address | 
| c_server_addr | Client-side Server Address | inet | The client-side server IP address | 
| c_server_port | Client-side Server Port | integer | The client-side server port | 
| c_client_port | Client-side Client Port | integer | The client-side client port | 
| s_client_addr | Server-side Client Address | inet | The server-side client IP address | 
| s_server_addr | Server-side Server Address | inet | The server-side server IP address | 
| s_server_port | Server-side Server Port | integer | The server-side server port | 
| s_client_port | Server-side Client Port | integer | The server-side client port | 
| client_intf | Client Interface | smallint | The client interface | 
| server_intf | Server Interface | smallint | The server interface | 
| client_country | Client Country | text | The client country | 
| client_latitude | Client Latitude | real | The client latitude | 
| client_longitude | Client Longitude | real | The client longitude | 
| server_country | Server Country | text | The server country | 
| server_latitude | Server Latitude | real | The server latitude | 
| server_longitude | Server Longitude | real | The server longitude | 
| filter_prefix | Filter Block | text | The network filter that blocked the connection (filter,shield,invalid) | 
| firewall_blocked | Firewall Blocked | boolean | True if Firewall blocked the session, false otherwise | 
| firewall_flagged | Firewall Flagged | boolean | True if Firewall flagged the session, false otherwise | 
| firewall_rule_index | Firewall Rule ID | integer | The matching rule in Firewall (if any) | 
| application_control_lite_protocol | Application Control Lite Protocol | text | The application protocol according to Application Control Lite | 
| application_control_lite_blocked | Application Control Lite Blocked | boolean | True if Application Control Lite blocked the session | 
| captive_portal_blocked | Captive Portal Blocked | boolean | True if Captive Portal blocked the session | 
| captive_portal_rule_index | Captive Portal Rule ID | integer | The matching rule in Captive Portal (if any) | 
| application_control_application | Application Control Application | text | The application according to Application Control | 
| application_control_protochain | Application Control Protochain | text | The protochain according to Application Control | 
| application_control_category | Application Control Category | text | The category according to Application Control | 
| application_control_blocked | Application Control Blocked | boolean | True if Application Control blocked the session | 
| application_control_flagged | Application Control Flagged | boolean | True if Application Control flagged the session | 
| application_control_confidence | Application Control Confidence | integer | The Application Control confidence of this session's identification | 
| application_control_ruleid | Application Control Rule ID | integer | The matching rule in Application Control (if any) | 
| application_control_detail | Application Control Detail | text | The text detail from the Application Control engine | 
| bandwidth_control_priority | Bandwidth Control Priority | integer | The priority given to this session | 
| bandwidth_control_rule | Bandwidth Control Rule ID | integer | The matching rule in Bandwidth Control (if any) | 
| ssl_inspector_ruleid | SSL Inspector Rule ID | integer | The matching rule in SSL Inspector (if any) | 
| ssl_inspector_status | SSL Inspector Status | text | The status/action of the SSL session (INSPECTED,IGNORED,BLOCKED,UNTRUSTED,ABANDONED) | 
| ssl_inspector_detail | SSL Inspector Detail | text | Additional text detail about the SSL connection (SNI, IP Address) | 
| local_addr | Local Address | inet | The IP address of the local participant | 
| remote_addr | Remote Address | inet | The IP address of the remote participant | 
| tags | Tags | text | The tags on this session | 
<section end='session_minutes' />
quotas
<section begin='quotas' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| action | Action | integer | The action (1=Quota Given, 2=Quota Exceeded) | 
| size | Size | bigint | The size of the quota | 
| reason | Reason | text | The reason for the action | 
| entity | Entity | text | The IP entity given the quota (address/username) | 
<section end='quotas' />
host_table_updates
<section begin='host_table_updates' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| address | Address | inet | The IP address of the host | 
| key | Key | text | The key being updated | 
| value | Value | text | The new value for the key | 
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| old_value | Old Value | text | The old value for the key | 
<section end='host_table_updates' />
device_table_updates
<section begin='device_table_updates' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| mac_address | MAC Address | text | The MAC address of the device | 
| key | Key | text | The key being updated | 
| value | Value | text | The new value for the key | 
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| old_value | Old Value | text | The old value for the key | 
<section end='device_table_updates' />
alerts
<section begin='alerts' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| description | Text detail of the event | text | The description from the alert rule. | 
| summary_text | Summary Text | text | The summary text of the alert | 
| json | JSON Text | text | The summary JSON representation of the event causing the alert | 
<section end='alerts' />
settings_changes
<section begin='settings_changes' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| settings_file | Settings File | text | The name of the file changed | 
| username | Username | text | The username logged in at the time of the change | 
| hostname | Hostname | text | The remote hostname | 
<section end='settings_changes' />
wan_failover_test_events
<section begin='wan_failover_test_events' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| interface_id | Interface ID | integer | The interface ID | 
| name | Interface Name | text | The name of the interface | 
| description | Text detail of the event | text | The description from the test rule | 
| success | Success | boolean | The result of the test (true if the test succeeded, false otherwise) | 
| event_id | Event ID | bigint | The unique event ID | 
<section end='wan_failover_test_events' />
wan_failover_action_events
<section begin='wan_failover_action_events' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| interface_id | Interface ID | integer | The interface ID | 
| action | Action | text | The action (CONNECTED,DISCONNECTED) | 
| os_name | Interface O/S Name | text | The O/S name of the interface | 
| name | Interface Name | text | The name of the interface | 
| event_id | Event ID | bigint | The unique event ID | 
<section end='wan_failover_action_events' />
mail_msgs
<section begin='mail_msgs' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| session_id | Session ID | bigint | The session | 
| client_intf | Client Interface | smallint | The client interface | 
| server_intf | Server Interface | smallint | The server interface | 
| c_client_addr | Client-side Client Address | inet | The client-side client IP address | 
| s_client_addr | Server-side Client Address | inet | The server-side client IP address | 
| c_server_addr | Client-side Server Address | inet | The client-side server IP address | 
| s_server_addr | Server-side Server Address | inet | The server-side server IP address | 
| c_client_port | Client-side Client Port | integer | The client-side client port | 
| s_client_port | Server-side Client Port | integer | The server-side client port | 
| c_server_port | Client-side Server Port | integer | The client-side server port | 
| s_server_port | Server-side Server Port | integer | The server-side server port | 
| policy_id | Policy ID | bigint | The policy | 
| username | Username | text | The username associated with this session | 
| msg_id | Message ID | bigint | The message ID | 
| subject | Subject | text | The email subject | 
| hostname | Hostname | text | The hostname of the local address | 
| event_id | Event ID | bigint | The unique event ID | 
| sender | Sender | text | The address of the sender | 
| receiver | Receiver | text | The address of the receiver | 
| virus_blocker_lite_clean | Virus Blocker Lite Clean | boolean | The cleanliness of the file according to Virus Blocker Lite | 
| virus_blocker_lite_name | Virus Blocker Lite Name | text | The name of the malware according to Virus Blocker Lite | 
| virus_blocker_clean | Virus Blocker Clean | boolean | The cleanliness of the file according to Virus Blocker | 
| virus_blocker_name | Virus Blocker Name | text | The name of the malware according to Virus Blocker | 
| spam_blocker_lite_score | Spam Blocker Lite Score | real | The score of the email according to Spam Blocker Lite | 
| spam_blocker_lite_is_spam | Spam Blocker Lite Spam | boolean | The spam status of the email according to Spam Blocker Lite | 
| spam_blocker_lite_tests_string | Spam Blocker Lite Tests | text | The test results for Spam Blocker Lite | 
| spam_blocker_lite_action | Spam Blocker Lite Action | character(1) | The action taken by Spam Blocker Lite | 
| spam_blocker_score | Spam Blocker Score | real | The score of the email according to Spam Blocker | 
| spam_blocker_is_spam | Spam Blocker Spam | boolean | The spam status of the email according to Spam Blocker | 
| spam_blocker_tests_string | Spam Blocker Tests | text | The test results for Spam Blocker | 
| spam_blocker_action | Spam Blocker Action | character(1) | The action taken by Spam Blocker | 
| phish_blocker_score | Phish Blocker Score | real | The score of the email according to Phish Blocker | 
| phish_blocker_is_spam | Phish Blocker Phish | boolean | The phish status of the email according to Phish Blocker | 
| phish_blocker_tests_string | Phish Blocker Tests | text | The test results for Phish Blocker | 
| phish_blocker_action | Phish Blocker Action | character(1) | The action taken by Phish Blocker | 
<section end='mail_msgs' />
mail_addrs
<section begin='mail_addrs' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| session_id | Session ID | bigint | The session | 
| client_intf | Client Interface | smallint | The client interface | 
| server_intf | Server Interface | smallint | The server interface | 
| c_client_addr | Client-side Client Address | inet | The client-side client IP address | 
| s_client_addr | Server-side Client Address | inet | The server-side client IP address | 
| c_server_addr | Client-side Server Address | inet | The client-side server IP address | 
| s_server_addr | Server-side Server Address | inet | The server-side server IP address | 
| c_client_port | Client-side Client Port | integer | The client-side client port | 
| s_client_port | Server-side Client Port | integer | The server-side client port | 
| c_server_port | Client-side Server Port | integer | The client-side server port | 
| s_server_port | Server-side Server Port | integer | The server-side server port | 
| policy_id | Policy ID | bigint | The policy | 
| username | Username | text | The username associated with this session | 
| msg_id | Message ID | bigint | The message ID | 
| subject | Subject | text | The email subject | 
| addr | Address | text | The address of this event | 
| addr_name | Address Name | text | The name for this address | 
| addr_kind | Address Kind | character(1) | The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown) | 
| hostname | Hostname | text | The hostname of the local address | 
| event_id | Event ID | bigint | The unique event ID | 
| sender | Sender | text | The address of the sender | 
| virus_blocker_lite_clean | Virus Blocker Lite Clean | boolean | The cleanliness of the file according to Virus Blocker Lite | 
| virus_blocker_lite_name | Virus Blocker Lite Name | text | The name of the malware according to Virus Blocker Lite | 
| virus_blocker_clean | Virus Blocker Clean | boolean | The cleanliness of the file according to Virus Blocker | 
| virus_blocker_name | Virus Blocker Name | text | The name of the malware according to Virus Blocker | 
| spam_blocker_lite_score | Spam Blocker Lite Score | real | The score of the email according to Spam Blocker Lite | 
| spam_blocker_lite_is_spam | Spam Blocker Lite Spam | boolean | The spam status of the email according to Spam Blocker Lite | 
| spam_blocker_lite_action | Spam Blocker Lite Action | character(1) | The action taken by Spam Blocker Lite | 
| spam_blocker_lite_tests_string | Spam Blocker Lite Tests | text | The test results for Spam Blocker Lite | 
| spam_blocker_score | Spam Blocker Score | real | The score of the email according to Spam Blocker | 
| spam_blocker_is_spam | Spam Blocker Spam | boolean | The spam status of the email according to Spam Blocker | 
| spam_blocker_action | Spam Blocker Action | character(1) | The action taken by Spam Blocker | 
| spam_blocker_tests_string | Spam Blocker Tests | text | The test results for Spam Blocker | 
| phish_blocker_score | Phish Blocker Score | real | The score of the email according to Phish Blocker | 
| phish_blocker_is_spam | Phish Blocker Phish | boolean | The phish status of the email according to Phish Blocker | 
| phish_blocker_tests_string | Phish Blocker Tests | text | The test results for Phish Blocker | 
| phish_blocker_action | Phish Blocker Action | character(1) | The action taken by Phish Blocker | 
<section end='mail_addrs' />
smtp_tarpit_events
<section begin='smtp_tarpit_events' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| ipaddr | Client Address | inet | The client IP address | 
| hostname | Hostname | text | The hostname of the local address | 
| policy_id | Policy ID | bigint | The policy | 
| vendor_name | Vendor Name | character varying(255) | The "vendor name" of the app that logged the event | 
| event_id | Event ID | bigint | The unique event ID | 
<section end='smtp_tarpit_events' />
http_events
<section begin='http_events' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| request_id | Request ID | bigint | The HTTP request ID | 
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| session_id | Session ID | bigint | The session | 
| client_intf | Client Interface | smallint | The client interface | 
| server_intf | Server Interface | smallint | The server interface | 
| c_client_addr | Client-side Client Address | inet | The client-side client IP address | 
| s_client_addr | Server-side Client Address | inet | The server-side client IP address | 
| c_server_addr | Client-side Server Address | inet | The client-side server IP address | 
| s_server_addr | Server-side Server Address | inet | The server-side server IP address | 
| c_client_port | Client-side Client Port | integer | The client-side client port | 
| s_client_port | Server-side Client Port | integer | The server-side client port | 
| c_server_port | Client-side Server Port | integer | The client-side server port | 
| s_server_port | Server-side Server Port | integer | The server-side server port | 
| policy_id | Policy ID | smallint | The policy | 
| username | Username | text | The username associated with this session | 
| hostname | Hostname | text | The hostname of the local address | 
| method | Method | character(1) | The HTTP method | 
| uri | URI | text | The HTTP URI | 
| host | Host | text | The HTTP host | 
| domain | Domain | text | The HTTP domain (shortened host) | 
| referer | Referer | text | The Referer URL | 
| c2s_content_length | Client-to-server Content Length | bigint | The client-to-server content length | 
| s2c_content_length | Server-to-client Content Length | bigint | The server-to-client content length | 
| s2c_content_type | Server-to-client Content Type | text | The server-to-client content type | 
| ad_blocker_cookie_ident | Ad Blocker Cookie | text | The name of the cookie blocked by Ad Blocker | 
| ad_blocker_action | Ad Blocker Action | character(1) | The action of Ad Blocker on this request | 
| web_filter_reason | Web Filter Reason | character(1) | The reason Web Filter blocked/flagged this request | 
| web_filter_category_id | Web Filter Category ID | int | The category ID according to Web Filter | 
| web_filter_blocked | Web Filter Blocked | boolean | If Web Filter blocked this request | 
| web_filter_flagged | Web Filter Flagged | boolean | If Web Filter flagged this request | 
| virus_blocker_lite_clean | Virus Blocker Lite Clean | boolean | The cleanliness of the file according to Virus Blocker Lite | 
| virus_blocker_lite_name | Virus Blocker Lite Name | text | The name of the malware according to Virus Blocker Lite | 
| virus_blocker_clean | Virus Blocker Clean | boolean | The cleanliness of the file according to Virus Blocker | 
| virus_blocker_name | Virus Blocker Name | text | The name of the malware according to Virus Blocker | 
<section end='http_events' />
ftp_events
<section begin='ftp_events' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| event_id | Event ID | bigint | The unique event ID | 
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| session_id | Session ID | bigint | The session | 
| client_intf | Client Interface | smallint | The client interface | 
| server_intf | Server Interface | smallint | The server interface | 
| c_client_addr | Client-side Client Address | inet | The client-side client IP address | 
| s_client_addr | Server-side Client Address | inet | The server-side client IP address | 
| c_server_addr | Client-side Server Address | inet | The client-side server IP address | 
| s_server_addr | Server-side Server Address | inet | The server-side server IP address | 
| policy_id | Policy ID | bigint | The policy | 
| username | Username | text | The username associated with this session | 
| hostname | Hostname | text | The hostname of the local address | 
| request_id | Request ID | bigint | The FTP request ID | 
| method | Method | character(1) | The FTP method | 
| uri | URI | text | The FTP URI | 
| virus_blocker_lite_clean | Virus Blocker Lite Clean | boolean | The cleanliness of the file according to Virus Blocker Lite | 
| virus_blocker_lite_name | Virus Blocker Lite Name | text | The name of the malware according to Virus Blocker Lite | 
| virus_blocker_clean | Virus Blocker Clean | boolean | The cleanliness of the file according to Virus Blocker | 
| virus_blocker_name | Virus Blocker Name | text | The name of the malware according to Virus Blocker | 
<section end='ftp_events' />
ipsec_user_events
<section begin='ipsec_user_events' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| event_id | Event ID | bigint | The unique event ID | 
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| connect_stamp | Connect Time | timestamp without time zone | The time the connection started | 
| goodbye_stamp | End Time | timestamp without time zone | The time the connection ended | 
| client_address | Client Address | text | The remote IP address of the client | 
| client_protocol | Client Protocol | text | The protocol the client used to connect | 
| client_username | Client Username | text | The username of the client | 
| net_process | Net Process | text | The PID of the PPP process for L2TP connections or the connection ID for Xauth connections | 
| net_interface | Net Interface | text | The PPP interface for L2TP connections or the client interface for Xauth connections | 
| elapsed_time | Elapsed Time | text | The total time the client was connected | 
| rx_bytes | Bytes Received | bigint | The number of bytes received from the client in this connection | 
| tx_bytes | Bytes Sent | bigint | The number of bytes sent to the client in this connection | 
<section end='ipsec_user_events' />
ipsec_tunnel_stats
<section begin='ipsec_tunnel_stats' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| tunnel_name | Tunnel Name | text | The name of the IPsec tunnel | 
| in_bytes | In Bytes | bigint | The number of bytes received during this time frame | 
| out_bytes | Out Bytes | bigint | The number of bytes transmitted during this time frame | 
| event_id | Event ID | bigint | The unique event ID | 
<section end='ipsec_tunnel_stats' />
interface_stat_events
<section begin='interface_stat_events' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| interface_id | Interface ID | integer | The interface ID | 
| rx_rate | Rx Rate | double precision | The RX rate (bytes/s) | 
| tx_rate | Tx Rate | double precision | The TX rate (bytes/s) | 
<section end='interface_stat_events' />
configuration_backup_events
<section begin='configuration_backup_events' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| success | Success | boolean | The result of the backup (true if the backup succeeded, false otherwise) | 
| description | Text detail of the event | text | Text detail of the event | 
| destination | Destination | text | The location of the backup | 
| event_id | Event ID | bigint | The unique event ID | 
<section end='configuration_backup_events' />
directory_connector_login_events
<section begin='directory_connector_login_events' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| login_name | Login Name | text | The login name | 
| domain | Domain | text | The AD domain | 
| type | Type | text | The type of event (I=Login,U=Update,O=Logout) | 
| client_addr | Client Address | inet | The client IP address | 
<section end='directory_connector_login_events' />
server_events
<section begin='server_events' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| load_1 | CPU load (1-min) | numeric(6,2) | The 1-minute CPU load | 
| load_5 | CPU load (5-min) | numeric(6,2) | The 5-minute CPU load | 
| load_15 | CPU load (15-min) | numeric(6,2) | The 15-minute CPU load | 
| cpu_user | CPU User Utilization | numeric(6,3) | The user CPU percent utilization | 
| cpu_system | CPU System Utilization | numeric(6,3) | The system CPU percent utilization | 
| mem_total | Total Memory | bigint | The total bytes of memory | 
| mem_free | Memory Free | bigint | The number of free bytes of memory | 
| disk_total | Disk Size | bigint | The total disk size in bytes | 
| disk_free | Disk Free | bigint | The free disk space in bytes | 
| swap_total | Swap Size | bigint | The total swap size in bytes | 
| swap_free | Swap Free | bigint | The free swap space in bytes | 
| active_hosts | Active Hosts | integer | The number of active hosts | 
<section end='server_events' />
web_cache_stats
<section begin='web_cache_stats' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| hits | Hits | bigint | The number of cache hits during this time frame | 
| misses | Misses | bigint | The number of cache misses during this time frame | 
| bypasses | Bypasses | bigint | The number of cache user bypasses during this time frame | 
| systems | System bypasses | bigint | The number of cache system bypasses during this time frame | 
| hit_bytes | Hit Bytes | bigint | The number of bytes saved from cache hits | 
| miss_bytes | Miss Bytes | bigint | The number of bytes not saved from cache misses | 
| event_id | Event ID | bigint | The unique event ID | 
<section end='web_cache_stats' />
http_query_events
<section begin='http_query_events' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| event_id | Event ID | bigint | The unique event ID | 
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| session_id | Session ID | bigint | The session | 
| client_intf | Client Interface | smallint | The client interface | 
| server_intf | Server Interface | smallint | The server interface | 
| c_client_addr | Client-side Client Address | inet | The client-side client IP address | 
| s_client_addr | Server-side Client Address | inet | The server-side client IP address | 
| c_server_addr | Client-side Server Address | inet | The client-side server IP address | 
| s_server_addr | Server-side Server Address | inet | The server-side server IP address | 
| c_client_port | Client-side Client Port | integer | The client-side client port | 
| s_client_port | Server-side Client Port | integer | The server-side client port | 
| c_server_port | Client-side Server Port | integer | The client-side server port | 
| s_server_port | Server-side Server Port | integer | The server-side server port | 
| policy_id | Policy ID | bigint | The policy | 
| username | Username | text | The username associated with this session | 
| hostname | Hostname | text | The hostname of the local address | 
| request_id | Request ID | bigint | The HTTP request ID | 
| method | Method | character(1) | The HTTP method | 
| uri | URI | text | The HTTP URI | 
| term | Search Term | text | The search term | 
| host | Host | text | The HTTP host | 
| c2s_content_length | Client-to-server Content Length | bigint | The client-to-server content length | 
| s2c_content_length | Server-to-client Content Length | bigint | The server-to-client content length | 
| s2c_content_type | Server-to-client Content Type | text | The server-to-client content type | 
<section end='http_query_events' />
captive_portal_user_events
<section begin='captive_portal_user_events' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| policy_id | Policy ID | bigint | The policy | 
| event_id | Event ID | bigint | The unique event ID | 
| login_name | Login Name | text | The login username | 
| event_info | Event Type | text | The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT) | 
| auth_type | Authorization Type | text | The authorization type for this event | 
| client_addr | Client Address | text | The remote IP address of the client | 
<section end='captive_portal_user_events' />
openvpn_stats
<section begin='openvpn_stats' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| start_time | Start Time | timestamp without time zone | The time the OpenVPN session started | 
| end_time | End Time | timestamp without time zone | The time the OpenVPN session ended | 
| rx_bytes | Bytes Received | bigint | The total bytes received from the client during this session | 
| tx_bytes | Bytes Sent | bigint | The total bytes sent to the client during this session | 
| remote_address | Remote Address | inet | The remote IP address of the client | 
| pool_address | Pool Address | inet | The pool IP address of the client | 
| remote_port | Remote Port | integer | The remote port of the client | 
| client_name | Client Name | text | The name of the client | 
| event_id | Event ID | bigint | The unique event ID | 
<section end='openvpn_stats' />
openvpn_events
<section begin='openvpn_events' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| remote_address | Remote Address | inet | The remote IP address of the client | 
| pool_address | Pool Address | inet | The pool IP address of the client | 
| client_name | Client Name | text | The name of the client | 
| type | Type | text | The type of the event (CONNECT,DISCONNECT) | 
<section end='openvpn_events' />
intrusion_prevention_events
<section begin='intrusion_prevention_events' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| sig_id | Signature ID | bigint | The ID of the rule | 
| gen_id | Grouping ID | bigint | The grouping ID for the rule. The gen_id + sig_id specify the rule's unique identifier | 
| class_id | Classtype ID | bigint | The numeric ID for the classtype | 
| source_addr | Source Address | inet | The source IP address of the packet | 
| source_port | Source Port | integer | The source port of the packet (if applicable) | 
| dest_addr | Destination Address | inet | The destination IP address of the packet | 
| dest_port | Destination Port | integer | The destination port of the packet (if applicable) | 
| protocol | Protocol | integer | The protocol of the packet | 
| blocked | Blocked | boolean | True if the packet was blocked/dropped | 
| category | Category | text | The application-specific grouping | 
| classtype | Classtype | text | The generalized threat rule grouping (unrelated to gen_id) | 
| msg | Message | text | The "title" or "description" of the rule | 
<section end='intrusion_prevention_events' />
syslog
<section begin='syslog' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
| description | Text detail of the event | text | The description from the alert rule | 
| summary_text | Summary Text | text | The summary text of the alert | 
| json | JSON Text | text | The summary JSON representation of the event causing the alert | 
<section end='syslog' />
user_table_updates
<section begin='user_table_updates' />
| Column Name | Human Name | Type | Description | 
|---|---|---|---|
| username | Username | text | The username | 
| key | Key | text | The key being updated | 
| value | Value | text | The new value for the key | 
| old_value | Old Value | text | The old value for the key | 
| time_stamp | Timestamp | timestamp without time zone | The time of the event | 
<section end='user_table_updates' />
threat_prevention_events
<section begin='threat_prevention_events' />
<section end='threat_prevention_events' />