Database Schema: Difference between revisions

From Edge Threat Management Wiki - Arista
No edit summary
No edit summary
Line 2: Line 2:
The global DB schema shows the tables and columns used for tracking all logged events in Untangle. These can be used to add conditions to reports and event logs and in the reporting system to create or edit reports.
The global DB schema shows the tables and columns used for tracking all logged events in Untangle. These can be used to add conditions to reports and event logs and in the reporting system to create or edit reports.


== admin_logins ==  
== ipsec_tunnel_stats ==  
<section begin='admin_logins' />
<section begin='ipsec_tunnel_stats' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 16: Line 16:
|The time of the event
|The time of the event
|-
|-
|login
|tunnel_name
|Login
|Tunnel Name
|text
|text
|The login name
|The name of the IPsec tunnel
|-
|-
|local
|in_bytes
|Local
|In Bytes
|boolean
|bigint
|True if it is a login attempt through a local process
|The number of bytes received during this time frame
|-
|-
|client_addr
|out_bytes
|Client Address
|Out Bytes
|inet
|bigint
|The client IP address
|The number of bytes transmitted during this time frame
|-
|-
|succeeded
|event_id
|Succeeded
|Event ID
|boolean
|bigint
|True if the login succeeded, false otherwise
|The unique event ID
|-
|reason
|Reason
|character(1)
|The reason for the login (if applicable)
|-
|-
|}
|}
<section end='admin_logins' />
<section end='ipsec_tunnel_stats' />




== sessions ==  
== ipsec_user_events ==  
<section begin='sessions' />
<section begin='ipsec_user_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 54: Line 49:
!Description
!Description
|-
|-
|session_id
|event_id
|Session ID
|Event ID
|bigint
|bigint
|The session
|The unique event ID
|-
|-
|time_stamp
|time_stamp
Line 64: Line 59:
|The time of the event
|The time of the event
|-
|-
|end_time
|connect_stamp
|Connect Time
|timestamp without time zone
|The time the connection started
|-
|goodbye_stamp
|End Time
|End Time
|timestamp without time zone
|timestamp without time zone
|The time the session ended
|The time the connection ended
|-
|-
|bypassed
|client_address
|Bypassed
|Client Address
|boolean
|text
|True if the session was bypassed, false otherwise
|The remote IP address of the client
|-
|-
|entitled
|client_protocol
|Entitled
|Client Protocol
|boolean
|True if the session is entitled to premium functionality
|-
|protocol
|Protocol
|smallint
|The IP protocol of session
|-
|icmp_type
|ICMP Type
|smallint
|The ICMP type of session if ICMP
|-
|hostname
|Hostname
|text
|text
|The hostname
|The protocol the client used to connect
|-
|-
|username
|client_username
|Username
|Client Username
|text
|text
|The username
|The username of the client
|-
|-
|policy_id
|net_process
|Policy ID
|Net Process
|smallint
|text
|The policy
|The PID of the PPP process for L2TP connections or the connection ID for Xauth connections
|-
|-
|c_client_addr
|net_interface
|Client-side Client Address
|Net Interface
|inet
|text
|The client-side client IP address
|The PPP interface for L2TP connections or the client interface for Xauth connections
|-
|-
|c_server_addr
|elapsed_time
|Client-side Server Address
|Elapsed Time
|inet
|text
|The client-side server IP address
|The total time the client was connected
|-
|-
|c_server_port
|rx_bytes
|Client-side Server Port
|Bytes Received
|integer
|bigint
|The client-side server port
|The number of bytes received from the client in this connection
|-
|-
|c_client_port
|tx_bytes
|Client-side Client Port
|Bytes Sent
|integer
|bigint
|The client-side client port
|The number of bytes sent to the client in this connection
|-
|-
|s_client_addr
|}
|Server-side Client Address
<section end='ipsec_user_events' />
|inet
 
|The server-side client IP address
 
== http_events ==
<section begin='http_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|s_server_addr
|request_id
|Server-side Server Address
|Request ID
|inet
|bigint
|The server-side server IP address
|The HTTP request ID
|-
|-
|s_server_port
|time_stamp
|Server-side Server Port
|Timestamp
|integer
|timestamp without time zone
|The server-side server port
|The time of the event
|-
|-
|s_client_port
|session_id
|Server-side Client Port
|Session ID
|integer
|bigint
|The server-side client port
|The session
|-
|-
|client_intf
|client_intf
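Review bot: client_address in the new ipsec_user_events rows is typed text even though its description is "The remote IP address of the client", while the other address columns in this hunk (c_client_addr, c_server_addr, s_client_addr) are inet. If text is what the table really uses, say so in the Description so nobody writes a report condition that assumes inet. The same applies to elapsed_time, which is also text with no stated format or unit.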
Line 154: Line 147:
|The server interface
|The server interface
|-
|-
|c2p_bytes
|c_client_addr
|From-Client Bytes
|Client-side Client Address
|bigint
|inet
|The number of bytes the client sent to Untangle (client-to-pipeline)
|The client-side client IP address
|-
|-
|p2c_bytes
|s_client_addr
|To-Client Bytes
|Server-side Client Address
|bigint
|inet
|The number of bytes Untangle sent to client (pipeline-to-client)
|The server-side client IP address
|-
|-
|s2p_bytes
|c_server_addr
|From-Server Bytes
|Client-side Server Address
|bigint
|inet
|The number of bytes the server sent to Untangle (client-to-pipeline)
|The client-side server IP address
|-
|-
|p2s_bytes
|s_server_addr
|To-Server Bytes
|Server-side Server Address
|bigint
|inet
|The number of bytes Untangle sent to server (pipeline-to-client)
|The server-side server IP address
|-
|-
|filter_prefix
|c_client_port
|Filter Block
|Client-side Client Port
|text
|integer
|The network filter that blocked the connection
|The client-side client port
|-
|-
|shield_blocked
|s_client_port
|Shield Blocked
|Server-side Client Port
|boolean
|integer
|True if the shield blocked the session, false otherwise
|The server-side client port
|-
|firewall_blocked
|Firewall Blocked
|boolean
|True if Firewall blocked the session, false otherwise
|-
|-
|firewall_flagged
|c_server_port
|Firewall Flagged
|Client-side Server Port
|boolean
|integer
|True if Firewall flagged the session, false otherwise
|The client-side server port
|-
|-
|firewall_rule_index
|s_server_port
|Firewall Rule ID
|Server-side Server Port
|integer
|integer
|The matching rule in Firewall (if any)
|The server-side server port
|-
|policy_id
|Policy ID
|smallint
|The policy
|-
|-
|application_control_lite_protocol
|username
|Application Control Lite Protocol
|Username
|text
|text
|The application protocol according to Application Control Lite
|The username associated with this session
|-
|-
|application_control_lite_blocked
|hostname
|Application Control Lite Blocked
|Hostname
|boolean
|text
|True if Application Control Lite blocked the session
|The hostname of the local address
|-
|-
|captive_portal_blocked
|method
|Captive Portal Blocked
|Method
|boolean
|character(1)
|True if Captive Portal blocked the session
|The HTTP method
|-
|-
|captive_portal_rule_index
|uri
|Captive Portal Rule ID
|URI
|integer
|The matching rule in Captive Portal (if any)
|-
|application_control_application
|Application Control Application
|text
|text
|The application according to Application Control
|The HTTP URI
|-
|-
|application_control_protochain
|host
|Application Control Protochain
|Host
|text
|text
|The protochain according to Application Control
|The HTTP host
|-
|-
|application_control_category
|domain
|Application Control Category
|Domain
|text
|text
|The category according to Application Control
|The HTTP domain (shortened host)
|-
|-
|application_control_blocked
|referer
|Application Control Blocked
|Referer
|boolean
|text
|True if Application Control blocked the session
|The Referer URL
|-
|-
|application_control_flagged
|c2s_content_length
|Application Control Flagged
|Client-to-server Content Length
|boolean
|bigint
|True if Application Control flagged the session
|The client-to-server content length
|-
|-
|application_control_confidence
|s2c_content_length
|Application Control Confidence
|Server-to-client Content Length
|integer
|bigint
|True if Application Control confidence of this session's identification
|The server-to-client content length
|-
|-
|application_control_ruleid
|s2c_content_type
|Application Control Rule ID
|Server-to-client Content Type
|integer
|text
|The matching rule in Application Control (if any)
|The server-to-client content type
|-
|-
|application_control_detail
|ad_blocker_cookie_ident
|Application Control Detail
|Ad Blocker Cookie
|text
|text
|The text detail from the Application Control engine
|This name of cookie blocked by Ad Blocker
|-
|-
|bandwidth_control_priority
|ad_blocker_action
|Bandwidth Control Priority
|Ad Blocker Action
|integer
|character(1)
|The priority given to this session
|This action of Ad Blocker on this request
|-
|-
|bandwidth_control_rule
|web_filter_lite_reason
|Bandwidth Control Rule ID
|Web Filter Lite Reason
|integer
|character(1)
|The matching rule in Bandwidth Control rule (if any)
|This reason Web Filter Lite blocked/flagged this request
|-
|-
|ssl_inspector_ruleid
|web_filter_lite_category
|HTTPS Inspector Rule ID
|Web Filter Lite Category
|integer
|text
|The matching rule in HTTPS Inspector rule (if any)
|This category according to Web Filter Lite
|-
|web_filter_lite_blocked
|Web Filter Lite Blocked
|boolean
|If Web Filter Lite blocked this request
|-
|web_filter_lite_flagged
|Web Filter Lite Flagged
|boolean
|If Web Filter Lite flagged this request
|-
|-
|ssl_inspector_status
|web_filter_reason
|HTTPS Inspector Status
|Web Filter Reason
|text
|character(1)
|The status/action of the SSL session (INSPECTED/IGNORED/BLOCKED/UNTRUSTED/ABANDONED)
|This reason Web Filter blocked/flagged this request
|-
|-
|ssl_inspector_detail
|web_filter_category
|HTTPS Inspector Detail
|Web Filter Category
|text
|text
|Additional text detail about the SSL connection (SNI, IP Address)
|This category according to Web Filter
|-
|-
|}
|web_filter_blocked
<section end='sessions' />
|Web Filter Blocked
 
|boolean
 
|If Web Filter blocked this request
== penaltybox ==
|-
<section begin='penaltybox' />
|web_filter_flagged
 
|Web Filter Flagged
{| border="1" cellpadding="2" width="90%%" align="center"
|boolean
!Column Name
|If Web Filter flagged this request
!Human Name
!Type
!Description
|-
|-
|address
|virus_blocker_lite_clean
|Address
|Virus Blocker Lite Clean
|inet
|boolean
|The IP address of the host
|The cleanliness of the file according to Virus Blocker Lite
|-
|-
|reason
|virus_blocker_lite_name
|Reason
|Virus Blocker Lite Name
|text
|text
|The reason for the action
|The name of the malware according to Virus Blocker Lite
|-
|-
|start_time
|virus_blocker_clean
|Start Time
|Virus Blocker Clean
|timestamp without time zone
|boolean
|The time the client entered the penalty box
|The cleanliness of the file according to Virus Blocker
|-
|-
|end_time
|virus_blocker_name
|End Time
|Virus Blocker Name
|timestamp without time zone
|text
|The time the client exited the penalty box
|The name of the malware according to Virus Blocker
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|-
|}
|}
<section end='penaltybox' />
<section end='http_events' />




== quotas ==  
== captive_portal_user_events ==  
<section begin='quotas' />
<section begin='captive_portal_user_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
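Review bot: the character(1) columns in the new http_events rows (method, ad_blocker_action, web_filter_lite_reason, web_filter_reason) give no list of their code values, so a condition on them cannot be written from this page alone. The removed ssl_inspector_status row shows the pattern to follow, with its values listed in parentheses. Separately, several descriptions start with "This" where "The" is meant, for example "This name of cookie blocked by Ad Blocker" and "This action of Ad Blocker on this request".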
Line 340: Line 330:
|The time of the event
|The time of the event
|-
|-
|address
|policy_id
|Address
|Policy ID
|inet
|bigint
|The IP address of the host
|The policy
|-
|-
|action
|event_id
|Action
|Event ID
|integer
|bigint
|The action (1=Quota Given, 2=Quota Exceeded)
|The unique event ID
|-
|-
|size
|login_name
|Size
|Login Name
|bigint
|text
|The size of the quota
|The login username
|-
|-
|reason
|event_info
|Reason
|Event Type
|text
|text
|The reason for the action
|The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
|-
|-
|}
|auth_type
<section end='quotas' />
|Authorization Type
 
|text
 
|The authorization type for this event
== host_table_updates ==  
|-
<section begin='host_table_updates' />
|client_addr
|Client Address
|text
|The remote IP address of the client
|-
|}
<section end='captive_portal_user_events' />
 
 
== server_events ==  
<section begin='server_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
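Review bot: auth_type in the new captive_portal_user_events rows is described only as "The authorization type for this event", with no values listed, whereas event_info just above it enumerates its values (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT). Suggest listing the auth_type values the same way. Also note that client_addr is typed text here with the description "The remote IP address of the client"; confirm that type or state it in the Description.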
Line 372: Line 372:
!Type
!Type
!Description
!Description
|-
|address
|Address
|inet
|The IP address of the host
|-
|key
|Key
|text
|The key being updated
|-
|value
|Value
|text
|The new value for the key
|-
|-
|time_stamp
|time_stamp
Line 393: Line 378:
|The time of the event
|The time of the event
|-
|-
|}
|load_1
<section end='host_table_updates' />
|CPU load (1-min)
 
|numeric(6,2)
 
|The 1-minute CPU load
== device_table_updates ==
<section begin='device_table_updates' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|mac_address
|load_5
|MAC Address
|CPU load (5-min)
|text
|numeric(6,2)
|The MAC address of the device
|The 5-minute CPU load
|-
|-
|key
|load_15
|Key
|CPU load (15-min)
|text
|numeric(6,2)
|The key being updated
|The 15-minute CPU load
|-
|cpu_user
|CPU User Utilization
|numeric(6,3)
|The user CPU percent utilization
|-
|-
|value
|cpu_system
|Value
|CPU System Utilization
|text
|numeric(6,3)
|The new value for the key
|The system CPU percent utilization
|-
|-
|time_stamp
|mem_total
|Timestamp
|Total Memory
|timestamp without time zone
|bigint
|The time of the event
|The total bytes of memory
|-
|-
|}
|mem_free
<section end='device_table_updates' />
|Memory Free
 
|bigint
 
|The number of free bytes of memory
== alerts ==
<section begin='alerts' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|disk_total
|Timestamp
|Disk Size
|timestamp without time zone
|bigint
|The time of the event
|The total disk size in bytes
|-
|-
|description
|disk_free
|Text detail of the event
|Disk Free
|text
|bigint
|The description from the alert rule.
|The free disk space in bytes
|-
|-
|summary_text
|swap_total
|Summary Text
|Swap Size
|text
|bigint
|The summary text of the alert
|The total swap size in bytes
|-
|-
|json
|swap_free
|JSON Text
|Swap Free
|text
|bigint
|The summary JSON representation of the event causing the alert
|The free disk swap in bytes
|-
|active_hosts
|Active Hosts
|integer
|The number of active hosts
|-
|-
|}
|}
<section end='alerts' />
<section end='server_events' />




== settings_changes ==  
== interface_stat_events ==  
<section begin='settings_changes' />
<section begin='interface_stat_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
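Review bot: the swap_free description in the new server_events rows reads "The free disk swap in bytes", which mixes it up with disk_free two rows earlier. Suggest "The free swap space in bytes" to match "The total swap size in bytes" on swap_total.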
Line 477: Line 456:
|The time of the event
|The time of the event
|-
|-
|settings_file
|interface_id
|Settings File
|Interface ID
|text
|integer
|The name of the file changed
|The interface ID
|-
|-
|username
|rx_rate
|Username
|Rx Rate
|text
|double precision
|The username logged in at the time of the change
|The RX rate (bytes/s)
|-
|-
|hostname
|tx_rate
|Hostname
|Tx Rate
|text
|double precision
|The remote hostname
|The TX rate (bytes/s)
|-
|-
|}
|}
<section end='settings_changes' />
<section end='interface_stat_events' />




== wan_failover_action_events ==  
== openvpn_stats ==  
<section begin='wan_failover_action_events' />
<section begin='openvpn_stats' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
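Review bot: the settings_changes table (settings_file, username, hostname) is replaced at this position by interface_stat_events and does not reappear in the part of the diff shown here, and both revisions carry no edit summary. Since that table is the record of who changed which settings file, please confirm it was moved rather than dropped, and add an edit summary saying the sections were reordered if that is the intent.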
Line 510: Line 489:
|The time of the event
|The time of the event
|-
|-
|interface_id
|start_time
|Interface ID
|Start Time
|integer
|timestamp without time zone
|This interface ID
|The time the OpenVPN session started
|-
|-
|action
|end_time
|Action
|End Time
|text
|timestamp without time zone
|This action (CONNECTED/DISCONNECTED)
|The time the OpenVPN session ended
|-
|-
|os_name
|rx_bytes
|Interface O/S Name
|Bytes Received
|text
|bigint
|This O/S name of the interface
|The total bytes received from the client during this session
|-
|-
|name
|tx_bytes
|Interface Name
|Bytes Sent
|text
|bigint
|This name of the interface
|The total bytes sent to the client during this session
|-
|-
|event_id
|remote_address
|Event ID
|Remote Address
|bigint
|inet
|The unique event ID
|The remote IP address of the client
|-
|-
|}
|pool_address
<section end='wan_failover_action_events' />
|Pool Address
 
|inet
 
|The pool IP address of the client
== wan_failover_test_events ==  
|-
<section begin='wan_failover_test_events' />
|remote_port
|Remote Port
|integer
|The remote port of the client
|-
|client_name
|Client Name
|text
|The name of the client
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|}
<section end='openvpn_stats' />
 
 
== openvpn_events ==  
<section begin='openvpn_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 553: Line 552:
|The time of the event
|The time of the event
|-
|-
|interface_id
|remote_address
|Interface ID
|Remote Address
|integer
|inet
|This interface ID
|The remote IP address of the client
|-
|pool_address
|Pool Address
|inet
|The pool IP address of the client
|-
|-
|name
|client_name
|Interface Name
|Client Name
|text
|text
|This name of the interface
|The name of the client
|-
|-
|description
|type
|Text detail of the event
|Type
|text
|text
|The description from the test rule
|The type of the event (CONNECT/DISCONNECT)
|-
|-
|success
|}
|Success
<section end='openvpn_events' />
|boolean
 
|The result of the test (true if the test succeeded, false otherwise)
 
|-
== mail_msgs ==  
|event_id
|Event ID
|bigint
|The unique event ID
|-
|}
<section end='wan_failover_test_events' />
 
 
== mail_msgs ==  
<section begin='mail_msgs' />
<section begin='mail_msgs' />


Line 659: Line 653:
|Username
|Username
|text
|text
|The username
|The username associated with this session
|-
|-
|msg_id
|msg_id
Line 674: Line 668:
|Hostname
|Hostname
|text
|text
|The hostname
|The hostname of the local address
|-
|-
|event_id
|event_id
Line 852: Line 846:
|Username
|Username
|text
|text
|The username
|The username associated with this session
|-
|-
|msg_id
|msg_id
Line 882: Line 876:
|Hostname
|Hostname
|text
|text
|The hostname
|The hostname of the local address
|-
|-
|event_id
|event_id
Line 1,000: Line 994:
|Hostname
|Hostname
|text
|text
|The hostname
|The hostname of the local address
|-
|-
|policy_id
|policy_id
Line 1,021: Line 1,015:




== http_events ==  
== ftp_events ==  
<section begin='http_events' />
<section begin='ftp_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,030: Line 1,024:
!Description
!Description
|-
|-
|request_id
|event_id
|Request ID
|Event ID
|bigint
|bigint
|The HTTP request ID
|The unique event ID
|-
|-
|time_stamp
|time_stamp
Line 1,075: Line 1,069:
|The server-side server IP address
|The server-side server IP address
|-
|-
|c_client_port
|policy_id
|Client-side Client Port
|Policy ID
|integer
|bigint
|The client-side client port
|The policy
|-
|-
|s_client_port
|username
|Server-side Client Port
|integer
|The server-side client port
|-
|c_server_port
|Client-side Server Port
|integer
|The client-side server port
|-
|s_server_port
|Server-side Server Port
|integer
|The server-side server port
|-
|policy_id
|Policy ID
|smallint
|The policy
|-
|username
|Username
|Username
|text
|text
|The username
|The username associated with this session
|-
|-
|hostname
|hostname
|Hostname
|Hostname
|text
|text
|The hostname
|The hostname of the local address
|-
|request_id
|Request ID
|bigint
|The FTP request ID
|-
|-
|method
|method
|Method
|Method
|character(1)
|character(1)
|The HTTP method
|The FTP method
|-
|-
|uri
|uri
|URI
|URI
|text
|text
|The HTTP URI
|The FTP URI
|-
|-
|host
|virus_blocker_lite_clean
|Host
|Virus Blocker Lite Clean
|text
|boolean
|The HTTP host
|The cleanliness of the file according to Virus Blocker Lite
|-
|-
|domain
|virus_blocker_lite_name
|Domain
|Virus Blocker Lite Name
|text
|text
|The HTTP domain (shortened host)
|The name of the malware according to Virus Blocker Lite
|-
|-
|c2s_content_length
|virus_blocker_clean
|Client-to-server Content Length
|Virus Blocker Clean
|bigint
|boolean
|The client-to-server content length
|The cleanliness of the file according to Virus Blocker
|-
|-
|s2c_content_length
|virus_blocker_name
|Server-to-client Content Length
|Virus Blocker Name
|bigint
|The server-to-client content length
|-
|s2c_content_type
|Server-to-client Content Type
|text
|text
|The server-to-client content type
|The name of the malware according to Virus Blocker
|-
|-
|ad_blocker_cookie_ident
|}
|Ad Blocker Cookie
<section end='ftp_events' />
|text
 
|This name of cookie blocked by Ad Blocker
 
== wan_failover_test_events ==
<section begin='wan_failover_test_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|-
|ad_blocker_action
|interface_id
|Ad Blocker Action
|Interface ID
|character(1)
|integer
|This action of Ad Blocker on this request
|This interface ID
|-
|-
|web_filter_lite_reason
|name
|Web Filter Lite Reason
|Interface Name
|character(1)
|text
|This reason Web Filter Lite blocked/flagged this request
|This name of the interface
|-
|-
|web_filter_lite_category
|description
|Web Filter Lite Category
|Text detail of the event
|text
|text
|This category according to Web Filter Lite
|The description from the test rule
|-
|-
|web_filter_lite_blocked
|success
|Web Filter Lite Blocked
|Success
|boolean
|boolean
|If Web Filter Lite blocked this request
|The result of the test (true if the test succeeded, false otherwise)
|-
|-
|web_filter_lite_flagged
|event_id
|Web Filter Lite Flagged
|Event ID
|boolean
|bigint
|If Web Filter Lite flagged this request
|The unique event ID
|-
|-
|web_filter_reason
|}
|Web Filter Reason
<section end='wan_failover_test_events' />
|character(1)
 
|This reason Web Filter blocked/flagged this request
 
== wan_failover_action_events ==
<section begin='wan_failover_action_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|interface_id
|Interface ID
|integer
|This interface ID
|-
|-
|web_filter_category
|action
|Web Filter Category
|Action
|text
|text
|This category according to Web Filter
|This action (CONNECTED/DISCONNECTED)
|-
|-
|web_filter_blocked
|os_name
|Web Filter Blocked
|Interface O/S Name
|boolean
|text
|If Web Filter blocked this request
|This O/S name of the interface
|-
|-
|web_filter_flagged
|name
|Web Filter Flagged
|Interface Name
|boolean
|If Web Filter flagged this request
|-
|virus_blocker_lite_clean
|Virus Blocker Lite Clean
|boolean
|The cleanliness of the file according to Virus Blocker Lite
|-
|virus_blocker_lite_name
|Virus Blocker Lite Name
|text
|text
|The name of the malware according to Virus Blocker Lite
|This name of the interface
|-
|-
|virus_blocker_clean
|event_id
|Virus Blocker Clean
|Event ID
|boolean
|bigint
|The cleanliness of the file according to Virus Blocker
|The unique event ID
|-
|virus_blocker_name
|Virus Blocker Name
|text
|The name of the malware according to Virus Blocker
|-
|referer
|Referer
|text
|The Referer URL
|-
|-
|}
|}
<section end='http_events' />
<section end='wan_failover_action_events' />




== ftp_events ==  
== intrusion_prevention_events ==  
<section begin='ftp_events' />
<section begin='intrusion_prevention_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
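Review bot: policy_id is typed bigint in the ftp_events rows added near the top of this hunk, but smallint in the http_events rows removed here and in the http_events rows added earlier in this diff. If both types are accurate, a short note in one of the descriptions would stop readers from assuming the column is identical across tables; if not, one of them needs correcting. The wan_failover rows also use "This" for "The" ("This interface ID", "This name of the interface", "This O/S name of the interface").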
Line 1,232: Line 1,217:
!Type
!Type
!Description
!Description
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|-
|time_stamp
|time_stamp
Line 1,243: Line 1,223:
|The time of the event
|The time of the event
|-
|-
|session_id
|sig_id
|Session ID
|Signature ID
|bigint
|bigint
|The session
|This ID of the rule
|-
|-
|client_intf
|gen_id
|Client Interface
|Grouping ID
|smallint
|bigint
|The client interface
|The grouping ID for the rule, The gen_id + sig_id specify the rule's unique identifier
|-
|-
|server_intf
|class_id
|Server Interface
|Classtype ID
|smallint
|bigint
|The server interface
|The numeric ID for the classtype
|-
|-
|c_client_addr
|source_addr
|Client-side Client Address
|Source Address
|inet
|inet
|The client-side client IP address
|The source IP address of the packet
|-
|-
|s_client_addr
|source_port
|Server-side Client Address
|Source Port
|inet
|integer
|The server-side client IP address
|The source port of the packet (if applicable)
|-
|-
|c_server_addr
|dest_addr
|Client-side Server Address
|Destination Address
|inet
|inet
|The client-side server IP address
|The destination IP address of the packet
|-
|-
|s_server_addr
|dest_port
|Server-side Server Address
|Destination Port
|inet
|integer
|The server-side server IP address
|The destination port of the packet (if applicable)
|-
|protocol
|Protocol
|integer
|The protocol of the packet
|-
|-
|policy_id
|blocked
|Policy ID
|Blocked
|bigint
|boolean
|The policy
|If the packet was blocked/dropped
|-
|-
|username
|category
|Username
|Category
|text
|text
|The username
|The application specific grouping
|-
|-
|hostname
|classtype
|Hostname
|Classtype
|text
|text
|The hostname
|The generalized threat rule grouping (unrelated to gen_id)
|-
|-
|request_id
|msg
|Request ID
|Message
|bigint
|text
|The FTP request ID
|The "title" or "description" of the rule
|-
|-
|method
|}
|Method
<section end='intrusion_prevention_events' />
|character(1)
 
|The FTP method
 
== web_cache_stats ==
<section begin='web_cache_stats' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|uri
|time_stamp
|URI
|Timestamp
|text
|timestamp without time zone
|The FTP URI
|The time of the event
|-
|-
|virus_blocker_lite_clean
|hits
|Virus Blocker Lite Clean
|Hits
|boolean
|bigint
|The cleanliness of the file according to Virus Blocker Lite
|The number of cache hits during this time frame
|-
|-
|virus_blocker_lite_name
|misses
|Virus Blocker Lite Name
|Misses
|text
|bigint
|The name of the malware according to Virus Blocker Lite
|The number of cache misses during this time frame
|-
|-
|virus_blocker_clean
|bypasses
|Virus Blocker Clean
|Bypasses
|boolean
|bigint
|The cleanliness of the file according to Virus Blocker
|The number of cache user bypasses during this time frame
|-
|-
|virus_blocker_name
|systems
|Virus Blocker Name
|System bypasses
|text
|bigint
|The name of the malware according to Virus Blocker
|The number of cache system bypasses during this time frame
|-
|hit_bytes
|Hit Bytes
|bigint
|The number of bytes saved from cache hits
|-
|miss_bytes
|Miss Bytes
|bigint
|The number of bytes not saved from cache misses
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|-
|}
|}
<section end='ftp_events' />
<section end='web_cache_stats' />




== ipsec_user_events ==  
== http_query_events ==  
<section begin='ipsec_user_events' />
<section begin='http_query_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
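Review bot: in the new intrusion_prevention_events rows, sig_id is described as "This ID of the rule", which reads as if sig_id alone identifies a rule, while the gen_id row says the gen_id + sig_id pair is the unique identifier. Suggest "The signature ID of the rule (unique only together with gen_id)" for sig_id, and split the gen_id description into two sentences instead of joining them with a comma and a capitalised "The".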
Line 1,351: Line 1,359:
|The time of the event
|The time of the event
|-
|-
|connect_stamp
|session_id
|Connect Time
|Session ID
|timestamp without time zone
|bigint
|The time the connection started
|The session
|-
|-
|goodbye_stamp
|client_intf
|End Time
|Client Interface
|timestamp without time zone
|smallint
|The time the connection ended
|The client interface
|-
|-
|client_address
|server_intf
|Client Address
|Server Interface
|text
|smallint
|The remote IP address of the client
|The server interface
|-
|-
|client_protocol
|c_client_addr
|Client Protocol
|Client-side Client Address
|text
|inet
|The protocol the client used to connect
|The client-side client IP address
|-
|-
|client_username
|s_client_addr
|Client Username
|Server-side Client Address
|text
|inet
|The username of the client
|The server-side client IP address
|-
|-
|net_process
|c_server_addr
|Net Process
|Client-side Server Address
|text
|inet
|The PID of the PPP process for L2TP connections or the connection ID for Xauth connections
|The client-side server IP address
|-
|-
|net_interface
|s_server_addr
|Net Interface
|Server-side Server Address
|text
|inet
|The PPP interface for L2TP connections or the client interface for Xauth connections
|The server-side server IP address
|-
|-
|elapsed_time
|c_client_port
|Elapsed Time
|Client-side Client Port
|text
|integer
|The total time the client was connected
|The client-side client port
|-
|-
|rx_bytes
|s_client_port
|Bytes Received
|Server-side Client Port
|bigint
|integer
|The number of bytes received from the client in this connection
|The server-side client port
|-
|-
|tx_bytes
|c_server_port
|Bytes Sent
|Client-side Server Port
|integer
|The client-side server port
|-
|s_server_port
|Server-side Server Port
|integer
|The server-side server port
|-
|policy_id
|Policy ID
|bigint
|bigint
|The number of bytes sent to the client in this connection
|The policy
|-
|-
|}
|username
<section end='ipsec_user_events' />
|Username
 
|text
 
|The username associated with this session
== configuration_backup_events ==
<section begin='configuration_backup_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|hostname
|Timestamp
|Hostname
|timestamp without time zone
|text
|The time of the event
|The hostname of the local address
|-
|-
|success
|request_id
|Success
|Request ID
|boolean
|bigint
|The result of the backup (true if the backup succeeded, false otherwise)
|The HTTP request ID
|-
|-
|description
|method
|Text detail of the event
|Method
|text
|character(1)
|Text detail of the event
|The HTTP method
|-
|-
|destination
|uri
|Destination
|URI
|text
|text
|The location of the backup
|The HTTP URI
|-
|-
|event_id
|term
|Event ID
|Search Term
|text
|The search term
|-
|host
|Host
|text
|The HTTP host
|-
|c2s_content_length
|Client-to-server Content Length
|bigint
|The client-to-server content length
|-
|s2c_content_length
|Server-to-client Content Length
|bigint
|bigint
|The unique event ID
|The server-to-client content length
|-
|s2c_content_type
|Server-to-client Content Type
|text
|The server-to-client content type
|-
|-
|}
|}
<section end='configuration_backup_events' />
<section end='http_query_events' />




== ipsec_tunnel_stats ==  
== directory_connector_login_events ==  
<section begin='ipsec_tunnel_stats' />
<section begin='directory_connector_login_events' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,457: Line 1,487:
|The time of the event
|The time of the event
|-
|-
|tunnel_name
|login_name
|Tunnel Name
|Login Name
|text
|text
|The name of the IPsec tunnel
|The login name
|-
|-
|in_bytes
|domain
|In Bytes
|Domain
|bigint
|text
|The number of bytes received during this time frame
|The AD domain
|-
|-
|out_bytes
|type
|Out Bytes
|Type
|bigint
|text
|The number of bytes transmitted during this time frame
|The type of event (I=Login,U=Update,O=Logout)
|-
|-
|event_id
|client_addr
|Event ID
|Client Address
|bigint
|inet
|The unique event ID
|The client IP address
|-
|-
|}
|}
<section end='ipsec_tunnel_stats' />
<section end='directory_connector_login_events' />




== server_events ==  
== admin_logins ==  
<section begin='server_events' />
<section begin='admin_logins' />


{| border="1" cellpadding="2" width="90%%" align="center"
{| border="1" cellpadding="2" width="90%%" align="center"
Line 1,495: Line 1,525:
|The time of the event
|The time of the event
|-
|-
|load_1
|login
|CPU load (1-min)
|Login
|numeric(6,2)
|text
|The 1-minute CPU load
|The login name
|-
|-
|load_5
|local
|CPU load (5-min)
|Local
|numeric(6,2)
|boolean
|The 5-minute CPU load
|True if it is a login attempt through a local process
|-
|-
|load_15
|client_addr
|CPU load (15-min)
|Client Address
|numeric(6,2)
|inet
|The 15-minute CPU load
|The client IP address
|-
|-
|cpu_user
|succeeded
|CPU User Utilization
|Succeeded
|numeric(6,3)
|boolean
|The user CPU percent utilization
|True if the login succeeded, false otherwise
|-
|-
|cpu_system
|reason
|CPU System Utilization
|Reason
|numeric(6,3)
|character(1)
|The system CPU percent utilization
|The reason for the login (if applicable)
|-
|-
|mem_total
|}
|Total Memory
<section end='admin_logins' />
|bigint
 
|The total bytes of memory
 
== sessions ==
<section begin='sessions' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|mem_free
|session_id
|Memory Free
|Session ID
|bigint
|bigint
|The number of free bytes of memory
|The session
|-
|-
|disk_total
|time_stamp
|Disk Size
|Timestamp
|bigint
|timestamp without time zone
|The total disk size in bytes
|The time of the event
|-
|-
|disk_free
|end_time
|Disk Free
|End Time
|bigint
|timestamp without time zone
|The free disk space in bytes
|The time the session ended
|-
|-
|swap_total
|bypassed
|Swap Size
|Bypassed
|bigint
|boolean
|The total swap size in bytes
|True if the session was bypassed, false otherwise
|-
|-
|swap_free
|entitled
|Swap Free
|Entitled
|bigint
|boolean
|The free disk swap in bytes
|True if the session is entitled to premium functionality
|-
|-
|active_hosts
|protocol
|Active Hosts
|Protocol
|integer
|smallint
|The number of active hosts
|The IP protocol of session
|-
|-
|}
|icmp_type
<section end='server_events' />
|ICMP Type
 
|smallint
 
|The ICMP type of session if ICMP
== captive_portal_user_events ==
<section begin='captive_portal_user_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|hostname
|Timestamp
|Hostname
|timestamp without time zone
|text
|The time of the event
|The hostname of the local address
|-
|username
|Username
|text
|The username associated with this session
|-
|-
|policy_id
|policy_id
|Policy ID
|Policy ID
|bigint
|smallint
|The policy
|The policy
|-
|-
|event_id
|policy_rule_id
|Event ID
|Policy Rule ID
|bigint
|smallint
|The unique event ID
|The ID of the matching policy rule (0 means none)
|-
|-
|login_name
|local_addr
|Login Name
|Local Address
|text
|inet
|The login username
|The IP address of the local participant
|-
|-
|event_info
|remote_addr
|Event Type
|Remote Address
|text
|inet
|The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
|The IP address of the remote participant
|-
|-
|auth_type
|c_client_addr
|Authorization Type
|Client-side Client Address
|text
|inet
|The authorization type for this event
|The client-side client IP address
|-
|-
|client_addr
|c_server_addr
|Client Address
|Client-side Server Address
|text
|inet
|The remote IP address of the client
|The client-side server IP address
|-
|-
|}
|c_server_port
<section end='captive_portal_user_events' />
|Client-side Server Port
 
|integer
 
|The client-side server port
== directory_connector_login_events ==
<section begin='directory_connector_login_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|c_client_port
|Timestamp
|Client-side Client Port
|timestamp without time zone
|integer
|The time of the event
|The client-side client port
|-
|-
|login_name
|s_client_addr
|Login Name
|Server-side Client Address
|text
|inet
|The login name
|The server-side client IP address
|-
|-
|domain
|s_server_addr
|Domain
|Server-side Server Address
|text
|inet
|The AD domain
|The server-side server IP address
|-
|-
|type
|s_server_port
|Type
|Server-side Server Port
|text
|integer
|The type of event (I=Login,U=Update,O=Logout)
|The server-side server port
|-
|-
|client_addr
|s_client_port
|Client Address
|Server-side Client Port
|inet
|integer
|The client IP address
|The server-side client port
|-
|-
|}
|client_intf
<section end='directory_connector_login_events' />
|Client Interface
 
|smallint
 
|The client interface
== web_cache_stats ==
<section begin='web_cache_stats' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|server_intf
|Timestamp
|Server Interface
|timestamp without time zone
|smallint
|The time of the event
|The server interface
|-
|-
|hits
|client_country
|Hits
|Client Country
|bigint
|text
|The number of cache hits during this time frame
|The client Country
|-
|client_latitude
|Client Latitude
|real
|The client Latitude
|-
|client_longitude
|Client Longitude
|real
|The client Longitude
|-
|server_country
|Server Country
|text
|The server Country
|-
|-
|misses
|server_latitude
|Misses
|Server Latitude
|bigint
|real
|The number of cache misses during this time frame
|The server Latitude
|-
|-
|bypasses
|server_longitude
|Bypasses
|Server Longitude
|bigint
|real
|The number of cache user bypasses during this time frame
|The server Longitude
|-
|-
|systems
|c2p_bytes
|System bypasses
|From-Client Bytes
|bigint
|bigint
|The number of cache system bypasses during this time frame
|The number of bytes the client sent to Untangle (client-to-pipeline)
|-
|-
|hit_bytes
|p2c_bytes
|Hit Bytes
|To-Client Bytes
|bigint
|bigint
|The number of bytes saved from cache hits
|The number of bytes Untangle sent to client (pipeline-to-client)
|-
|-
|miss_bytes
|s2p_bytes
|Miss Bytes
|From-Server Bytes
|bigint
|bigint
|The number of bytes not saved from cache misses
|The number of bytes the server sent to Untangle (client-to-pipeline)
|-
|-
|event_id
|p2s_bytes
|Event ID
|To-Server Bytes
|bigint
|bigint
|The unique event ID
|The number of bytes Untangle sent to server (pipeline-to-client)
|-
|-
|}
|filter_prefix
<section end='web_cache_stats' />
|Filter Block
 
|text
 
|The network filter that blocked the connection
== http_query_events ==
<section begin='http_query_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|event_id
|firewall_blocked
|Event ID
|Firewall Blocked
|bigint
|boolean
|The unique event ID
|True if Firewall blocked the session, false otherwise
|-
|-
|time_stamp
|firewall_flagged
|Timestamp
|Firewall Flagged
|timestamp without time zone
|boolean
|The time of the event
|True if Firewall flagged the session, false otherwise
|-
|-
|session_id
|firewall_rule_index
|Session ID
|Firewall Rule ID
|bigint
|integer
|The session
|The matching rule in Firewall (if any)
|-
|-
|client_intf
|application_control_lite_protocol
|Client Interface
|Application Control Lite Protocol
|smallint
|text
|The client interface
|The application protocol according to Application Control Lite
|-
|-
|server_intf
|application_control_lite_blocked
|Server Interface
|Application Control Lite Blocked
|smallint
|boolean
|The server interface
|True if Application Control Lite blocked the session
|-
|-
|c_client_addr
|captive_portal_blocked
|Client-side Client Address
|Captive Portal Blocked
|inet
|boolean
|The client-side client IP address
|True if Captive Portal blocked the session
|-
|-
|s_client_addr
|captive_portal_rule_index
|Server-side Client Address
|Captive Portal Rule ID
|inet
|integer
|The server-side client IP address
|The matching rule in Captive Portal (if any)
|-
|-
|c_server_addr
|application_control_application
|Client-side Server Address
|Application Control Application
|inet
|text
|The client-side server IP address
|The application according to Application Control
|-
|-
|s_server_addr
|application_control_protochain
|Server-side Server Address
|Application Control Protochain
|inet
|text
|The server-side server IP address
|The protochain according to Application Control
|-
|application_control_category
|Application Control Category
|text
|The category according to Application Control
|-
|-
|c_client_port
|application_control_blocked
|Client-side Client Port
|Application Control Blocked
|integer
|boolean
|The client-side client port
|True if Application Control blocked the session
|-
|-
|s_client_port
|application_control_flagged
|Server-side Client Port
|Application Control Flagged
|integer
|boolean
|The server-side client port
|True if Application Control flagged the session
|-
|-
|c_server_port
|application_control_confidence
|Client-side Server Port
|Application Control Confidence
|integer
|integer
|The client-side server port
|True if Application Control confidence of this session's identification
|-
|-
|s_server_port
|application_control_ruleid
|Server-side Server Port
|Application Control Rule ID
|integer
|integer
|The server-side server port
|The matching rule in Application Control (if any)
|-
|-
|policy_id
|application_control_detail
|Policy ID
|Application Control Detail
|bigint
|The policy
|-
|username
|Username
|text
|text
|The username
|The text detail from the Application Control engine
|-
|-
|hostname
|bandwidth_control_priority
|Hostname
|Bandwidth Control Priority
|text
|integer
|The hostname
|The priority given to this session
|-
|-
|request_id
|bandwidth_control_rule
|Request ID
|Bandwidth Control Rule ID
|bigint
|integer
|The HTTP request ID
|The matching rule in Bandwidth Control rule (if any)
|-
|-
|method
|ssl_inspector_ruleid
|Method
|SSL Inspector Rule ID
|character(1)
|integer
|The HTTP method
|The matching rule in SSL Inspector rule (if any)
|-
|-
|uri
|ssl_inspector_status
|URI
|SSL Inspector Status
|text
|text
|The HTTP URI
|The status/action of the SSL session (INSPECTED/IGNORED/BLOCKED/UNTRUSTED/ABANDONED)
|-
|-
|term
|ssl_inspector_detail
|Search Term
|SSL Inspector Detail
|text
|text
|The search term
|Additional text detail about the SSL connection (SNI, IP Address)
|-
|-
|host
|}
|Host
<section end='sessions' />
|text
 
|The HTTP host
 
|-
== session_minutes ==  
|c2s_content_length
<section begin='session_minutes' />
|Client-to-server Content Length
 
|bigint
{| border="1" cellpadding="2" width="90%%" align="center"
|The client-to-server content length
|-
|s2c_content_length
|Server-to-client Content Length
|bigint
|The server-to-client content length
|-
|s2c_content_type
|Server-to-client Content Type
|text
|The server-to-client content type
|-
|}
<section end='http_query_events' />
 
 
== openvpn_stats ==  
<section begin='openvpn_stats' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Column Name
!Human Name
!Human Name
!Type
!Type
!Description
!Description
|-
|session_id
|Session ID
|bigint
|The session
|-
|-
|time_stamp
|time_stamp
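Review bot: in the sessions table the parenthetical direction labels on s2p_bytes and p2s_bytes do not match their own descriptions. s2p_bytes reads "The number of bytes the server sent to Untangle (client-to-pipeline)" and p2s_bytes reads "The number of bytes Untangle sent to server (pipeline-to-client)"; these look copied from the c2p_bytes and p2c_bytes rows and should say server-to-pipeline and pipeline-to-server. Separately, application_control_confidence is typed integer but its description starts with "True if", which reads as a boolean; describe it as the confidence value of the session's identification instead.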
Line 1,845: Line 1,856:
|The time of the event
|The time of the event
|-
|-
|start_time
|c2s_bytes
|From-Client Bytes
|bigint
|The number of bytes the client sent
|-
|s2c_bytes
|From-Server Bytes
|bigint
|The number of bytes the server sent
|-
|start_time
|Start Time
|Start Time
|timestamp without time zone
|timestamp without time zone
|The time the OpenVPN session started
|The start time of the session
|-
|-
|end_time
|end_time
|End Time
|End Time
|timestamp without time zone
|timestamp without time zone
|The time the OpenVPN session ended
|The time the session ended
|-
|-
|rx_bytes
|bypassed
|Bytes Received
|Bypassed
|bigint
|boolean
|The total bytes received from the client during this session
|True if the session was bypassed, false otherwise
|-
|-
|tx_bytes
|entitled
|Bytes Sent
|Entitled
|bigint
|boolean
|The total bytes sent to the client during this session
|True if the session is entitled to premium functionality
|-
|-
|remote_address
|protocol
|Remote Address
|Protocol
|inet
|smallint
|The remote IP address of the client
|The IP protocol of session
|-
|-
|pool_address
|icmp_type
|Pool Address
|ICMP Type
|inet
|smallint
|The pool IP address of the client
|The ICMP type of session if ICMP
|-
|-
|remote_port
|hostname
|Remote Port
|Hostname
|integer
|text
|The remote port of the client
|The hostname of the local address
|-
|-
|client_name
|username
|Client Name
|Username
|text
|text
|The name of the client
|The username associated with this session
|-
|-
|event_id
|policy_id
|Event ID
|Policy ID
|bigint
|smallint
|The unique event ID
|The policy
|-
|-
|}
|policy_rule_id
<section end='openvpn_stats' />
|Policy Rule ID
 
|smallint
 
|The ID of the matching policy rule (0 means none)
== openvpn_events ==
<section begin='openvpn_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|local_addr
|Timestamp
|Local Address
|timestamp without time zone
|inet
|The time of the event
|The IP address of the local participant
|-
|-
|remote_address
|remote_addr
|Remote Address
|Remote Address
|inet
|inet
|The remote IP address of the client
|The IP address of the remote participant
|-
|-
|pool_address
|c_client_addr
|Pool Address
|Client-side Client Address
|inet
|inet
|The pool IP address of the client
|The client-side client IP address
|-
|-
|client_name
|c_server_addr
|Client Name
|Client-side Server Address
|text
|inet
|The name of the client
|The client-side server IP address
|-
|-
|type
|c_server_port
|Type
|Client-side Server Port
|text
|integer
|The type of the event (CONNECT/DISCONNECT)
|The client-side server port
|-
|-
|}
|c_client_port
<section end='openvpn_events' />
|Client-side Client Port
 
|integer
 
|The client-side client port
== intrusion_prevention_events ==
<section begin='intrusion_prevention_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|s_client_addr
|Timestamp
|Server-side Client Address
|timestamp without time zone
|inet
|The time of the event
|The server-side client IP address
|-
|-
|sig_id
|s_server_addr
|Signature ID
|Server-side Server Address
|bigint
|This ID of the rule
|-
|gen_id
|Grouping ID
|bigint
|The grouping ID for the rule, The gen_id + sig_id specify the rule's unique identifier
|-
|class_id
|Classtype ID
|bigint
|The numeric ID for the classtype
|-
|source_addr
|Source Address
|inet
|inet
|The source IP address of the packet
|The server-side server IP address
|-
|-
|source_port
|s_server_port
|Source Port
|Server-side Server Port
|integer
|integer
|The source port of the packet (if applicable)
|The server-side server port
|-
|-
|dest_addr
|s_client_port
|Destination Address
|Server-side Client Port
|inet
|The destination IP address of the packet
|-
|dest_port
|Destination Port
|integer
|integer
|The destination port of the packet (if applicable)
|The server-side client port
|-
|-
|protocol
|client_intf
|Protocol
|Client Interface
|integer
|smallint
|The protocol of the packet
|The client interface
|-
|-
|blocked
|server_intf
|Blocked
|Server Interface
|boolean
|smallint
|If the packet was blocked/dropped
|The server interface
|-
|-
|category
|client_country
|Category
|Client Country
|text
|text
|The application specific grouping
|The client Country
|-
|client_latitude
|Client Latitude
|real
|The client Latitude
|-
|-
|classtype
|client_longitude
|Classtype
|Client Longitude
|text
|real
|The generalized threat rule grouping (unrelated to gen_id)
|The client Longitude
|-
|-
|msg
|server_country
|Message
|Server Country
|text
|text
|The "title" or "description" of the rule
|The server Country
|-
|-
|}
|server_latitude
<section end='intrusion_prevention_events' />
|Server Latitude
 
|real
 
|The server Latitude
== interface_stat_events ==
<section begin='interface_stat_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|-
|time_stamp
|server_longitude
|Timestamp
|Server Longitude
|timestamp without time zone
|real
|The time of the event
|The server Longitude
|-
|-
|interface_id
|filter_prefix
|Interface ID
|Filter Block
|text
|The network filter that blocked the connection
|-
|firewall_blocked
|Firewall Blocked
|boolean
|True if Firewall blocked the session, false otherwise
|-
|firewall_flagged
|Firewall Flagged
|boolean
|True if Firewall flagged the session, false otherwise
|-
|firewall_rule_index
|Firewall Rule ID
|integer
|integer
|The interface ID
|The matching rule in Firewall (if any)
|-
|-
|rx_rate
|application_control_lite_protocol
|Rx Rate
|Application Control Lite Protocol
|double precision
|text
|The RX rate (bytes/s)
|The application protocol according to Application Control Lite
|-
|-
|tx_rate
|application_control_lite_blocked
|Tx Rate
|Application Control Lite Blocked
|double precision
|boolean
|The TX rate (bytes/s)
|True if Application Control Lite blocked the session
|-
|-
|}
|captive_portal_blocked
<section end='interface_stat_events' />
|Captive Portal Blocked
|boolean
|True if Captive Portal blocked the session
|-
|captive_portal_rule_index
|Captive Portal Rule ID
|integer
|The matching rule in Captive Portal (if any)
|-
|application_control_application
|Application Control Application
|text
|The application according to Application Control
|-
|application_control_protochain
|Application Control Protochain
|text
|The protochain according to Application Control
|-
|application_control_category
|Application Control Category
|text
|The category according to Application Control
|-
|application_control_blocked
|Application Control Blocked
|boolean
|True if Application Control blocked the session
|-
|application_control_flagged
|Application Control Flagged
|boolean
|True if Application Control flagged the session
|-
|application_control_confidence
|Application Control Confidence
|integer
|True if Application Control confidence of this session's identification
|-
|application_control_ruleid
|Application Control Rule ID
|integer
|The matching rule in Application Control (if any)
|-
|application_control_detail
|Application Control Detail
|text
|The text detail from the Application Control engine
|-
|bandwidth_control_priority
|Bandwidth Control Priority
|integer
|The priority given to this session
|-
|bandwidth_control_rule
|Bandwidth Control Rule ID
|integer
|The matching rule in Bandwidth Control rule (if any)
|-
|ssl_inspector_ruleid
|SSL Inspector Rule ID
|integer
|The matching rule in SSL Inspector rule (if any)
|-
|ssl_inspector_status
|SSL Inspector Status
|text
|The status/action of the SSL session (INSPECTED/IGNORED/BLOCKED/UNTRUSTED/ABANDONED)
|-
|ssl_inspector_detail
|SSL Inspector Detail
|text
|Additional text detail about the SSL connection (SNI, IP Address)
|-
|}
<section end='session_minutes' />
 
 
== penaltybox ==
<section begin='penaltybox' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|address
|Address
|inet
|The IP address of the host
|-
|reason
|Reason
|text
|The reason for the action
|-
|start_time
|Start Time
|timestamp without time zone
|The time the client entered the penalty box
|-
|end_time
|End Time
|timestamp without time zone
|The time the client exited the penalty box
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|}
<section end='penaltybox' />
 
 
== quotas ==
<section begin='quotas' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|address
|Address
|inet
|The IP address of the host
|-
|action
|Action
|integer
|The action (1=Quota Given, 2=Quota Exceeded)
|-
|size
|Size
|bigint
|The size of the quota
|-
|reason
|Reason
|text
|The reason for the action
|-
|}
<section end='quotas' />
 
 
== host_table_updates ==
<section begin='host_table_updates' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|address
|Address
|inet
|The IP address of the host
|-
|key
|Key
|text
|The key being updated
|-
|value
|Value
|text
|The new value for the key
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|}
<section end='host_table_updates' />
 
 
== device_table_updates ==
<section begin='device_table_updates' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|mac_address
|MAC Address
|text
|The MAC address of the device
|-
|key
|Key
|text
|The key being updated
|-
|value
|Value
|text
|The new value for the key
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|}
<section end='device_table_updates' />
 
 
== alerts ==
<section begin='alerts' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|description
|Text detail of the event
|text
|The description from the alert rule.
|-
|summary_text
|Summary Text
|text
|The summary text of the alert
|-
|json
|JSON Text
|text
|The summary JSON representation of the event causing the alert
|-
|}
<section end='alerts' />
 
 
== configuration_backup_events ==
<section begin='configuration_backup_events' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|success
|Success
|boolean
|The result of the backup (true if the backup succeeded, false otherwise)
|-
|description
|Text detail of the event
|text
|Text detail of the event
|-
|destination
|Destination
|text
|The location of the backup
|-
|event_id
|Event ID
|bigint
|The unique event ID
|-
|}
<section end='configuration_backup_events' />
 
 
== settings_changes ==
<section begin='settings_changes' />
 
{| border="1" cellpadding="2" width="90%%" align="center"
!Column Name
!Human Name
!Type
!Description
|-
|time_stamp
|Timestamp
|timestamp without time zone
|The time of the event
|-
|settings_file
|Settings File
|text
|The name of the file changed
|-
|username
|Username
|text
|The username logged in at the time of the change
|-
|hostname
|Hostname
|text
|The remote hostname
|-
|}
<section end='settings_changes' />
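Review bot: the description rows in the alerts and configuration_backup_events tables put "Text detail of the event" in the Human Name column, where every other row carries a short label; use something like "Description" there and keep the sentence in the Description column only. In intrusion_prevention_events, the sig_id description "This ID of the rule" should read "The ID of the rule", and the gen_id description joins two sentences with a comma ("the rule, The gen_id + sig_id ...").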

Revision as of 17:23, 26 December 2016

The global DB schema shows the tables and columns used for tracking all logged events in Untangle. These can be used to add conditions to reports and event logs and in the reporting system to create or edit reports.

ipsec_tunnel_stats

<section begin='ipsec_tunnel_stats' />

Column Name | Human Name | Type | Description
time_stamp | Timestamp | timestamp without time zone | The time of the event
tunnel_name | Tunnel Name | text | The name of the IPsec tunnel
in_bytes | In Bytes | bigint | The number of bytes received during this time frame
out_bytes | Out Bytes | bigint | The number of bytes transmitted during this time frame
event_id | Event ID | bigint | The unique event ID

<section end='ipsec_tunnel_stats' />


ipsec_user_events

<section begin='ipsec_user_events' />

Column Name | Human Name | Type | Description
event_id | Event ID | bigint | The unique event ID
time_stamp | Timestamp | timestamp without time zone | The time of the event
connect_stamp | Connect Time | timestamp without time zone | The time the connection started
goodbye_stamp | End Time | timestamp without time zone | The time the connection ended
client_address | Client Address | text | The remote IP address of the client
client_protocol | Client Protocol | text | The protocol the client used to connect
client_username | Client Username | text | The username of the client
net_process | Net Process | text | The PID of the PPP process for L2TP connections or the connection ID for Xauth connections
net_interface | Net Interface | text | The PPP interface for L2TP connections or the client interface for Xauth connections
elapsed_time | Elapsed Time | text | The total time the client was connected
rx_bytes | Bytes Received | bigint | The number of bytes received from the client in this connection
tx_bytes | Bytes Sent | bigint | The number of bytes sent to the client in this connection

<section end='ipsec_user_events' />


http_events

<section begin='http_events' />

Column Name | Human Name | Type | Description
request_id | Request ID | bigint | The HTTP request ID
time_stamp | Timestamp | timestamp without time zone | The time of the event
session_id | Session ID | bigint | The session
client_intf | Client Interface | smallint | The client interface
server_intf | Server Interface | smallint | The server interface
c_client_addr | Client-side Client Address | inet | The client-side client IP address
s_client_addr | Server-side Client Address | inet | The server-side client IP address
c_server_addr | Client-side Server Address | inet | The client-side server IP address
s_server_addr | Server-side Server Address | inet | The server-side server IP address
c_client_port | Client-side Client Port | integer | The client-side client port
s_client_port | Server-side Client Port | integer | The server-side client port
c_server_port | Client-side Server Port | integer | The client-side server port
s_server_port | Server-side Server Port | integer | The server-side server port
policy_id | Policy ID | smallint | The policy
username | Username | text | The username associated with this session
hostname | Hostname | text | The hostname of the local address
method | Method | character(1) | The HTTP method
uri | URI | text | The HTTP URI
host | Host | text | The HTTP host
domain | Domain | text | The HTTP domain (shortened host)
referer | Referer | text | The Referer URL
c2s_content_length | Client-to-server Content Length | bigint | The client-to-server content length
s2c_content_length | Server-to-client Content Length | bigint | The server-to-client content length
s2c_content_type | Server-to-client Content Type | text | The server-to-client content type
ad_blocker_cookie_ident | Ad Blocker Cookie | text | The name of the cookie blocked by Ad Blocker
ad_blocker_action | Ad Blocker Action | character(1) | The action of Ad Blocker on this request
web_filter_lite_reason | Web Filter Lite Reason | character(1) | The reason Web Filter Lite blocked/flagged this request
web_filter_lite_category | Web Filter Lite Category | text | The category according to Web Filter Lite
web_filter_lite_blocked | Web Filter Lite Blocked | boolean | If Web Filter Lite blocked this request
web_filter_lite_flagged | Web Filter Lite Flagged | boolean | If Web Filter Lite flagged this request
web_filter_reason | Web Filter Reason | character(1) | The reason Web Filter blocked/flagged this request
web_filter_category | Web Filter Category | text | The category according to Web Filter
web_filter_blocked | Web Filter Blocked | boolean | If Web Filter blocked this request
web_filter_flagged | Web Filter Flagged | boolean | If Web Filter flagged this request
virus_blocker_lite_clean | Virus Blocker Lite Clean | boolean | The cleanliness of the file according to Virus Blocker Lite
virus_blocker_lite_name | Virus Blocker Lite Name | text | The name of the malware according to Virus Blocker Lite
virus_blocker_clean | Virus Blocker Clean | boolean | The cleanliness of the file according to Virus Blocker
virus_blocker_name | Virus Blocker Name | text | The name of the malware according to Virus Blocker

<section end='http_events' />


captive_portal_user_events

<section begin='captive_portal_user_events' />

Column Name | Human Name | Type | Description
time_stamp | Timestamp | timestamp without time zone | The time of the event
policy_id | Policy ID | bigint | The policy
event_id | Event ID | bigint | The unique event ID
login_name | Login Name | text | The login username
event_info | Event Type | text | The type of event (LOGIN, FAILED, TIMEOUT, INACTIVE, USER_LOGOUT, ADMIN_LOGOUT)
auth_type | Authorization Type | text | The authorization type for this event
client_addr | Client Address | text | The remote IP address of the client

<section end='captive_portal_user_events' />


server_events

<section begin='server_events' />

Column Name | Human Name | Type | Description
time_stamp | Timestamp | timestamp without time zone | The time of the event
load_1 | CPU load (1-min) | numeric(6,2) | The 1-minute CPU load
load_5 | CPU load (5-min) | numeric(6,2) | The 5-minute CPU load
load_15 | CPU load (15-min) | numeric(6,2) | The 15-minute CPU load
cpu_user | CPU User Utilization | numeric(6,3) | The user CPU percent utilization
cpu_system | CPU System Utilization | numeric(6,3) | The system CPU percent utilization
mem_total | Total Memory | bigint | The total bytes of memory
mem_free | Memory Free | bigint | The number of free bytes of memory
disk_total | Disk Size | bigint | The total disk size in bytes
disk_free | Disk Free | bigint | The free disk space in bytes
swap_total | Swap Size | bigint | The total swap size in bytes
swap_free | Swap Free | bigint | The free disk swap in bytes
active_hosts | Active Hosts | integer | The number of active hosts

<section end='server_events' />


interface_stat_events

<section begin='interface_stat_events' />

Column Name | Human Name | Type | Description
time_stamp | Timestamp | timestamp without time zone | The time of the event
interface_id | Interface ID | integer | The interface ID
rx_rate | Rx Rate | double precision | The RX rate (bytes/s)
tx_rate | Tx Rate | double precision | The TX rate (bytes/s)

<section end='interface_stat_events' />


openvpn_stats

<section begin='openvpn_stats' />

Column Name | Human Name | Type | Description
time_stamp | Timestamp | timestamp without time zone | The time of the event
start_time | Start Time | timestamp without time zone | The time the OpenVPN session started
end_time | End Time | timestamp without time zone | The time the OpenVPN session ended
rx_bytes | Bytes Received | bigint | The total bytes received from the client during this session
tx_bytes | Bytes Sent | bigint | The total bytes sent to the client during this session
remote_address | Remote Address | inet | The remote IP address of the client
pool_address | Pool Address | inet | The pool IP address of the client
remote_port | Remote Port | integer | The remote port of the client
client_name | Client Name | text | The name of the client
event_id | Event ID | bigint | The unique event ID

<section end='openvpn_stats' />


openvpn_events

<section begin='openvpn_events' />

Column Name | Human Name | Type | Description
time_stamp | Timestamp | timestamp without time zone | The time of the event
remote_address | Remote Address | inet | The remote IP address of the client
pool_address | Pool Address | inet | The pool IP address of the client
client_name | Client Name | text | The name of the client
type | Type | text | The type of the event (CONNECT/DISCONNECT)

<section end='openvpn_events' />


mail_msgs

<section begin='mail_msgs' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
session_id Session ID bigint The session
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
c_client_addr Client-side Client Address inet The client-side client IP address
s_client_addr Server-side Client Address inet The server-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
s_server_addr Server-side Server Address inet The server-side server IP address
c_client_port Client-side Client Port integer The client-side client port
s_client_port Server-side Client Port integer The server-side client port
c_server_port Client-side Server Port integer The client-side server port
s_server_port Server-side Server Port integer The server-side server port
policy_id Policy ID bigint The policy
username Username text The username associated with this session
msg_id Message ID bigint The message ID
subject Subject text The email subject
hostname Hostname text The hostname of the local address
event_id Event ID bigint The unique event ID
sender Sender text The address of the sender
receiver Receiver text The address of the receiver
virus_blocker_lite_clean Virus Blocker Lite Clean boolean The cleanliness of the file according to Virus Blocker Lite
virus_blocker_lite_name Virus Blocker Lite Name text The name of the malware according to Virus Blocker Lite
virus_blocker_clean Virus Blocker Clean boolean The cleanliness of the file according to Virus Blocker
virus_blocker_name Virus Blocker Name text The name of the malware according to Virus Blocker
spam_blocker_lite_score Spam Blocker Lite Score real The score of the email according to Spam Blocker Lite
spam_blocker_lite_is_spam Spam Blocker Lite Spam boolean The spam status of the email according to Spam Blocker Lite
spam_blocker_lite_tests_string Spam Blocker Lite Tests text The test results for Spam Blocker Lite
spam_blocker_lite_action Spam Blocker Lite Action character(1) The action taken by Spam Blocker Lite
spam_blocker_score Spam Blocker Score real The score of the email according to Spam Blocker
spam_blocker_is_spam Spam Blocker Spam boolean The spam status of the email according to Spam Blocker
spam_blocker_tests_string Spam Blocker Tests text The test results for Spam Blocker
spam_blocker_action Spam Blocker Action character(1) The action taken by Spam Blocker
phish_blocker_score Phish Blocker Score real The score of the email according to Phish Blocker
phish_blocker_is_spam Phish Blocker Phish boolean The phish status of the email according to Phish Blocker
phish_blocker_tests_string Phish Blocker Tests text The test results for Phish Blocker
phish_blocker_action Phish Blocker Action character(1) The action taken by Phish Blocker

<section end='mail_msgs' />


mail_addrs

<section begin='mail_addrs' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
session_id Session ID bigint The session
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
c_client_addr Client-side Client Address inet The client-side client IP address
s_client_addr Server-side Client Address inet The server-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
s_server_addr Server-side Server Address inet The server-side server IP address
c_client_port Client-side Client Port integer The client-side client port
s_client_port Server-side Client Port integer The server-side client port
c_server_port Client-side Server Port integer The client-side server port
s_server_port Server-side Server Port integer The server-side server port
policy_id Policy ID bigint The policy
username Username text The username associated with this session
msg_id Message ID bigint The message ID
subject Subject text The email subject
addr Address text The address of this event
addr_name Address Name text The name for this address
addr_kind Address Kind character(1) The type for this address (F=From, T=To, C=CC, G=Envelope From, B=Envelope To, X=Unknown)
hostname Hostname text The hostname of the local address
event_id Event ID bigint The unique event ID
sender Sender text The address of the sender
virus_blocker_lite_clean Virus Blocker Lite Clean boolean The cleanliness of the file according to Virus Blocker Lite
virus_blocker_lite_name Virus Blocker Lite Name text The name of the malware according to Virus Blocker Lite
virus_blocker_clean Virus Blocker Clean boolean The cleanliness of the file according to Virus Blocker
virus_blocker_name Virus Blocker Name text The name of the malware according to Virus Blocker
spam_blocker_lite_score Spam Blocker Lite Score real The score of the email according to Spam Blocker Lite
spam_blocker_lite_is_spam Spam Blocker Lite Spam boolean The spam status of the email according to Spam Blocker Lite
spam_blocker_lite_action Spam Blocker Lite Action character(1) The action taken by Spam Blocker Lite
spam_blocker_lite_tests_string Spam Blocker Lite Tests text The test results for Spam Blocker Lite
spam_blocker_score Spam Blocker Score real The score of the email according to Spam Blocker
spam_blocker_is_spam Spam Blocker Spam boolean The spam status of the email according to Spam Blocker
spam_blocker_action Spam Blocker Action character(1) The action taken by Spam Blocker
spam_blocker_tests_string Spam Blocker Tests text The test results for Spam Blocker
phish_blocker_score Phish Blocker Score real The score of the email according to Phish Blocker
phish_blocker_is_spam Phish Blocker Phish boolean The phish status of the email according to Phish Blocker
phish_blocker_tests_string Phish Blocker Tests text The test results for Phish Blocker
phish_blocker_action Phish Blocker Action character(1) The action taken by Phish Blocker

<section end='mail_addrs' />


smtp_tarpit_events

<section begin='smtp_tarpit_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
ipaddr Client Address inet The client IP address
hostname Hostname text The hostname of the local address
policy_id Policy ID bigint The policy
vendor_name Vendor Name character varying(255) The "vendor name" of the app that logged the event
event_id Event ID bigint The unique event ID

<section end='smtp_tarpit_events' />


ftp_events

<section begin='ftp_events' />

Column Name Human Name Type Description
event_id Event ID bigint The unique event ID
time_stamp Timestamp timestamp without time zone The time of the event
session_id Session ID bigint The session
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
c_client_addr Client-side Client Address inet The client-side client IP address
s_client_addr Server-side Client Address inet The server-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
s_server_addr Server-side Server Address inet The server-side server IP address
policy_id Policy ID bigint The policy
username Username text The username associated with this session
hostname Hostname text The hostname of the local address
request_id Request ID bigint The FTP request ID
method Method character(1) The FTP method
uri URI text The FTP URI
virus_blocker_lite_clean Virus Blocker Lite Clean boolean The cleanliness of the file according to Virus Blocker Lite
virus_blocker_lite_name Virus Blocker Lite Name text The name of the malware according to Virus Blocker Lite
virus_blocker_clean Virus Blocker Clean boolean The cleanliness of the file according to Virus Blocker
virus_blocker_name Virus Blocker Name text The name of the malware according to Virus Blocker

<section end='ftp_events' />


wan_failover_test_events

<section begin='wan_failover_test_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
interface_id Interface ID integer The interface ID
name Interface Name text The name of the interface
description Text detail of the event text The description from the test rule
success Success boolean The result of the test (true if the test succeeded, false otherwise)
event_id Event ID bigint The unique event ID

<section end='wan_failover_test_events' />


wan_failover_action_events

<section begin='wan_failover_action_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
interface_id Interface ID integer The interface ID
action Action text The action (CONNECTED/DISCONNECTED)
os_name Interface O/S Name text The O/S name of the interface
name Interface Name text The name of the interface
event_id Event ID bigint The unique event ID

<section end='wan_failover_action_events' />


intrusion_prevention_events

<section begin='intrusion_prevention_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
sig_id Signature ID bigint The ID of the rule
gen_id Grouping ID bigint The grouping ID for the rule; gen_id + sig_id together specify the rule's unique identifier
class_id Classtype ID bigint The numeric ID for the classtype
source_addr Source Address inet The source IP address of the packet
source_port Source Port integer The source port of the packet (if applicable)
dest_addr Destination Address inet The destination IP address of the packet
dest_port Destination Port integer The destination port of the packet (if applicable)
protocol Protocol integer The protocol of the packet
blocked Blocked boolean If the packet was blocked/dropped
category Category text The application specific grouping
classtype Classtype text The generalized threat rule grouping (unrelated to gen_id)
msg Message text The "title" or "description" of the rule

<section end='intrusion_prevention_events' />


web_cache_stats

<section begin='web_cache_stats' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
hits Hits bigint The number of cache hits during this time frame
misses Misses bigint The number of cache misses during this time frame
bypasses Bypasses bigint The number of cache user bypasses during this time frame
systems System bypasses bigint The number of cache system bypasses during this time frame
hit_bytes Hit Bytes bigint The number of bytes saved from cache hits
miss_bytes Miss Bytes bigint The number of bytes not saved from cache misses
event_id Event ID bigint The unique event ID

<section end='web_cache_stats' />


http_query_events

<section begin='http_query_events' />

Column Name Human Name Type Description
event_id Event ID bigint The unique event ID
time_stamp Timestamp timestamp without time zone The time of the event
session_id Session ID bigint The session
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
c_client_addr Client-side Client Address inet The client-side client IP address
s_client_addr Server-side Client Address inet The server-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
s_server_addr Server-side Server Address inet The server-side server IP address
c_client_port Client-side Client Port integer The client-side client port
s_client_port Server-side Client Port integer The server-side client port
c_server_port Client-side Server Port integer The client-side server port
s_server_port Server-side Server Port integer The server-side server port
policy_id Policy ID bigint The policy
username Username text The username associated with this session
hostname Hostname text The hostname of the local address
request_id Request ID bigint The HTTP request ID
method Method character(1) The HTTP method
uri URI text The HTTP URI
term Search Term text The search term
host Host text The HTTP host
c2s_content_length Client-to-server Content Length bigint The client-to-server content length
s2c_content_length Server-to-client Content Length bigint The server-to-client content length
s2c_content_type Server-to-client Content Type text The server-to-client content type

<section end='http_query_events' />


directory_connector_login_events

<section begin='directory_connector_login_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
login_name Login Name text The login name
domain Domain text The AD domain
type Type text The type of event (I=Login,U=Update,O=Logout)
client_addr Client Address inet The client IP address

<section end='directory_connector_login_events' />


admin_logins

<section begin='admin_logins' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
login Login text The login name
local Local boolean True if it is a login attempt through a local process
client_addr Client Address inet The client IP address
succeeded Succeeded boolean True if the login succeeded, false otherwise
reason Reason character(1) The reason for the login (if applicable)

<section end='admin_logins' />


sessions

<section begin='sessions' />

Column Name Human Name Type Description
session_id Session ID bigint The session
time_stamp Timestamp timestamp without time zone The time of the event
end_time End Time timestamp without time zone The time the session ended
bypassed Bypassed boolean True if the session was bypassed, false otherwise
entitled Entitled boolean True if the session is entitled to premium functionality
protocol Protocol smallint The IP protocol of the session
icmp_type ICMP Type smallint The ICMP type of the session, if ICMP
hostname Hostname text The hostname of the local address
username Username text The username associated with this session
policy_id Policy ID smallint The policy
policy_rule_id Policy Rule ID smallint The ID of the matching policy rule (0 means none)
local_addr Local Address inet The IP address of the local participant
remote_addr Remote Address inet The IP address of the remote participant
c_client_addr Client-side Client Address inet The client-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
c_server_port Client-side Server Port integer The client-side server port
c_client_port Client-side Client Port integer The client-side client port
s_client_addr Server-side Client Address inet The server-side client IP address
s_server_addr Server-side Server Address inet The server-side server IP address
s_server_port Server-side Server Port integer The server-side server port
s_client_port Server-side Client Port integer The server-side client port
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
client_country Client Country text The client country
client_latitude Client Latitude real The client latitude
client_longitude Client Longitude real The client longitude
server_country Server Country text The server country
server_latitude Server Latitude real The server latitude
server_longitude Server Longitude real The server longitude
c2p_bytes From-Client Bytes bigint The number of bytes the client sent to Untangle (client-to-pipeline)
p2c_bytes To-Client Bytes bigint The number of bytes Untangle sent to client (pipeline-to-client)
s2p_bytes From-Server Bytes bigint The number of bytes the server sent to Untangle (server-to-pipeline)
p2s_bytes To-Server Bytes bigint The number of bytes Untangle sent to server (pipeline-to-server)
filter_prefix Filter Block text The network filter that blocked the connection
firewall_blocked Firewall Blocked boolean True if Firewall blocked the session, false otherwise
firewall_flagged Firewall Flagged boolean True if Firewall flagged the session, false otherwise
firewall_rule_index Firewall Rule ID integer The matching rule in Firewall (if any)
application_control_lite_protocol Application Control Lite Protocol text The application protocol according to Application Control Lite
application_control_lite_blocked Application Control Lite Blocked boolean True if Application Control Lite blocked the session
captive_portal_blocked Captive Portal Blocked boolean True if Captive Portal blocked the session
captive_portal_rule_index Captive Portal Rule ID integer The matching rule in Captive Portal (if any)
application_control_application Application Control Application text The application according to Application Control
application_control_protochain Application Control Protochain text The protochain according to Application Control
application_control_category Application Control Category text The category according to Application Control
application_control_blocked Application Control Blocked boolean True if Application Control blocked the session
application_control_flagged Application Control Flagged boolean True if Application Control flagged the session
application_control_confidence Application Control Confidence integer The Application Control confidence in this session's identification
application_control_ruleid Application Control Rule ID integer The matching rule in Application Control (if any)
application_control_detail Application Control Detail text The text detail from the Application Control engine
bandwidth_control_priority Bandwidth Control Priority integer The priority given to this session
bandwidth_control_rule Bandwidth Control Rule ID integer The matching rule in Bandwidth Control (if any)
ssl_inspector_ruleid SSL Inspector Rule ID integer The matching rule in SSL Inspector (if any)
ssl_inspector_status SSL Inspector Status text The status/action of the SSL session (INSPECTED/IGNORED/BLOCKED/UNTRUSTED/ABANDONED)
ssl_inspector_detail SSL Inspector Detail text Additional text detail about the SSL connection (SNI, IP Address)

<section end='sessions' />


session_minutes

<section begin='session_minutes' />

Column Name Human Name Type Description
session_id Session ID bigint The session
time_stamp Timestamp timestamp without time zone The time of the event
c2s_bytes From-Client Bytes bigint The number of bytes the client sent
s2c_bytes From-Server Bytes bigint The number of bytes the server sent
start_time Start Time timestamp without time zone The start time of the session
end_time End Time timestamp without time zone The time the session ended
bypassed Bypassed boolean True if the session was bypassed, false otherwise
entitled Entitled boolean True if the session is entitled to premium functionality
protocol Protocol smallint The IP protocol of the session
icmp_type ICMP Type smallint The ICMP type of the session, if ICMP
hostname Hostname text The hostname of the local address
username Username text The username associated with this session
policy_id Policy ID smallint The policy
policy_rule_id Policy Rule ID smallint The ID of the matching policy rule (0 means none)
local_addr Local Address inet The IP address of the local participant
remote_addr Remote Address inet The IP address of the remote participant
c_client_addr Client-side Client Address inet The client-side client IP address
c_server_addr Client-side Server Address inet The client-side server IP address
c_server_port Client-side Server Port integer The client-side server port
c_client_port Client-side Client Port integer The client-side client port
s_client_addr Server-side Client Address inet The server-side client IP address
s_server_addr Server-side Server Address inet The server-side server IP address
s_server_port Server-side Server Port integer The server-side server port
s_client_port Server-side Client Port integer The server-side client port
client_intf Client Interface smallint The client interface
server_intf Server Interface smallint The server interface
client_country Client Country text The client country
client_latitude Client Latitude real The client latitude
client_longitude Client Longitude real The client longitude
server_country Server Country text The server country
server_latitude Server Latitude real The server latitude
server_longitude Server Longitude real The server longitude
filter_prefix Filter Block text The network filter that blocked the connection
firewall_blocked Firewall Blocked boolean True if Firewall blocked the session, false otherwise
firewall_flagged Firewall Flagged boolean True if Firewall flagged the session, false otherwise
firewall_rule_index Firewall Rule ID integer The matching rule in Firewall (if any)
application_control_lite_protocol Application Control Lite Protocol text The application protocol according to Application Control Lite
application_control_lite_blocked Application Control Lite Blocked boolean True if Application Control Lite blocked the session
captive_portal_blocked Captive Portal Blocked boolean True if Captive Portal blocked the session
captive_portal_rule_index Captive Portal Rule ID integer The matching rule in Captive Portal (if any)
application_control_application Application Control Application text The application according to Application Control
application_control_protochain Application Control Protochain text The protochain according to Application Control
application_control_category Application Control Category text The category according to Application Control
application_control_blocked Application Control Blocked boolean True if Application Control blocked the session
application_control_flagged Application Control Flagged boolean True if Application Control flagged the session
application_control_confidence Application Control Confidence integer The Application Control confidence in this session's identification
application_control_ruleid Application Control Rule ID integer The matching rule in Application Control (if any)
application_control_detail Application Control Detail text The text detail from the Application Control engine
bandwidth_control_priority Bandwidth Control Priority integer The priority given to this session
bandwidth_control_rule Bandwidth Control Rule ID integer The matching rule in Bandwidth Control (if any)
ssl_inspector_ruleid SSL Inspector Rule ID integer The matching rule in SSL Inspector (if any)
ssl_inspector_status SSL Inspector Status text The status/action of the SSL session (INSPECTED/IGNORED/BLOCKED/UNTRUSTED/ABANDONED)
ssl_inspector_detail SSL Inspector Detail text Additional text detail about the SSL connection (SNI, IP Address)

<section end='session_minutes' />


penaltybox

<section begin='penaltybox' />

Column Name Human Name Type Description
address Address inet The IP address of the host
reason Reason text The reason for the action
start_time Start Time timestamp without time zone The time the client entered the penalty box
end_time End Time timestamp without time zone The time the client exited the penalty box
time_stamp Timestamp timestamp without time zone The time of the event

<section end='penaltybox' />


quotas

<section begin='quotas' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
address Address inet The IP address of the host
action Action integer The action (1=Quota Given, 2=Quota Exceeded)
size Size bigint The size of the quota
reason Reason text The reason for the action

<section end='quotas' />


host_table_updates

<section begin='host_table_updates' />

Column Name Human Name Type Description
address Address inet The IP address of the host
key Key text The key being updated
value Value text The new value for the key
time_stamp Timestamp timestamp without time zone The time of the event

<section end='host_table_updates' />


device_table_updates

<section begin='device_table_updates' />

Column Name Human Name Type Description
mac_address MAC Address text The MAC address of the device
key Key text The key being updated
value Value text The new value for the key
time_stamp Timestamp timestamp without time zone The time of the event

<section end='device_table_updates' />


alerts

<section begin='alerts' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
description Text detail of the event text The description from the alert rule.
summary_text Summary Text text The summary text of the alert
json JSON Text text The summary JSON representation of the event causing the alert

<section end='alerts' />


configuration_backup_events

<section begin='configuration_backup_events' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
success Success boolean The result of the backup (true if the backup succeeded, false otherwise)
description Text detail of the event text Text detail of the event
destination Destination text The location of the backup
event_id Event ID bigint The unique event ID

<section end='configuration_backup_events' />


settings_changes

<section begin='settings_changes' />

Column Name Human Name Type Description
time_stamp Timestamp timestamp without time zone The time of the event
settings_file Settings File text The name of the file changed
username Username text The username logged in at the time of the change
hostname Hostname text The remote hostname

<section end='settings_changes' />