Sophos Auditing data fields
The following database views, or data sources, are available for Sophos Auditing:
- Reports.vAuditEventsAll
- Reports.vAuditEventsForPolicyEditAndDuplicate
The data fields available for each of these data sources are listed below. All date-time columns are returned in UTC in the format "yyyy-mm-dd hh:mi:ss" (24 hours). The fields common to both views are highlighted in bold
Reports.vAuditEventsAll
The Reports.vAuditEventsAll database view contains the full list of audit events and most of the audit information.
|
Data field |
Data type |
Description |
|---|---|---|
|
EventId |
integer |
A unique numeric ID of the event. |
|
Timestamp |
datetime |
The time when the action logged in the event took place. |
|
Action |
nvarchar(128) |
The action logged in the event, for example, Create, Edit, Rename, Assign, Delete. |
|
TargetType |
nvarchar(128) |
The type of the object or configuration setting modified by the action, for example, Group, Computer, Policy, Role. |
|
TargetSubType |
nvarchar(128) |
The subtype of the object or setting modified by the action, where applicable. For example, the name of the modified policy, such as Anti-virus and HIPS or Data control. |
|
TargetName |
nvarchar(4000) |
The name of the object or setting modified by the action, for example, the user-defined name of the policy or group. |
|
ParameterType |
nvarchar(128) |
The type of the new setting or object assigned to the target. For example, for Action="Rename" and TargetType="Policy", ParameterType="New name". For Action="Assign" and TargetType="Computer", ParameterType="Group". |
|
ParameterValue |
nvarchar(4000) |
The value of the new setting or object, for example, the new user-defined name of the policy, or the new group the computer has been assigned to. |
|
Result |
nvarchar(128) |
The result of the action; has the value "Success" or "Failure". |
|
UserName |
nvarchar(256) |
The name of the user who carried out the action. |
|
HostName |
nvarchar(256) |
The name of the computer from which the user carried out the action. |
|
HostIPAddress |
nvarchar(48) |
The IP address of the computer from which the user carried out the action. If network connections between the server and Sophos Enterprise Console are made over IPv6, then IPv6 addresses will be recorded. Otherwise, IPv4 addresses will be recorded. |
|
ActionId |
integer |
A unique numeric ID of the action. |
|
TargetTypeId |
integer |
A unique numeric ID of the target type. |
|
TargetSubTypeId |
integer |
A unique numeric ID of the target subtype. |
|
ParameterTypeId |
integer |
A unique numeric ID of the parameter type. |
|
SubEstateId |
integer |
A unique numeric ID of the user's sub-estate. |
|
ResultId |
integer |
A unique numeric ID of the result, 1 (success) or 0 (failure). |
|
UserSid |
nvarchar(128) |
The user's security identifier. |
Reports.vAuditEventsForPolicyEditAndDuplicate
The Reports.vAuditEventsForPolicyEditAndDuplicate database view contains information about policy changes.
|
Data field |
Data type |
Description |
|---|---|---|
|
EventId |
integer |
A unique numeric ID of the event. |
|
Timestamp |
datetime |
The time when the action logged in the event took place. |
|
Action |
nvarchar(128) |
The action logged in the event. |
|
Result |
nvarchar(128) |
The result of the action; has the value "Success" or "Failure". |
|
PolicyType |
nvarchar(128) |
The type of the policy changed by the action, for example, Anti-virus and HIPS or Web control. |
|
PolicyName |
nvarchar(4000) |
The user-defined name of the policy. |
|
PolicyContent |
XML |
The snippet of the policy configuration changes, in XML format. |
|
UserName |
nvarchar(256) |
The name of the user who carried out the action. |