Log fields

Table 1. Admin
Name Type Description
additional_information String Additional information about the event
date Date Date when the event occurred (yyyy-mm-dd)
log_component String Component responsible for logging
log_subtype String Sub type of event
log_type String Type of event
message String Message displayed
message_id Integer Message ID
src_ip String Original source IP address of traffic
status String Ultimate state of traffic
time Time Time when the event occurred (hh:mm:ss)
user String User name
Table 2. Advanced threat protection
Name Type Description
date Date Date when the event occurred (yyyy-mm-dd)
domain String Sender’s domain name
dst_ip String Original destination IP address of traffic
dst_port Integer Original destination port of TCP and UDP traffic
endpoint_id Integer Endpoint ID
event_id Integer Event ID
execution_path String Path of executable file
host_login_user String Logged user name on endpoint device
host_process_user String Running process on endpoint device
log_component String Component responsible for logging
log_subtype String Sub type of event
log_type String Type of event
message_id Integer Message ID
protocol Integer Traffic protocol number
src_ip String Original source IP address of traffic
src_port Integer Original source port of TCP and UDP traffic
app_risk Integer Risk level assigned to the application
status String Ultimate state of traffic
threat String Threat identified
type String Type of event
time Time Time when the event occurred (hh:mm:ss)
user String User name
url String URL of the web page accessed
Table 3. Application filter
Name Type Description
app_category String Name of the category under which application falls
app_name String Application name
app_risk Integer Risk level assigned to the application
app_technology String Technology of the application
appfilter_policy_id Integer Application filter policy ID applied on the traffic
appresolvedby String Application is resolved by signature or synchronized application
bytes_received Integer Total number of bytes received
bytes_sent Integer Total number of bytes sent
category String Name of the category under which website falls
date Date Date when the event occurred (yyyy-mm-dd)
dst_country Integer Country code for destination IP address
dst_ip String Original destination IP address of traffic
dst_port Integer Original destination port of TCP and UDP traffic
fw_rule_id Integer Firewall rule ID which is applied on the traffic
log_component String Component responsible for logging
log_subtype String Sub type of event
log_type String Type of event
message String Message displayed
message_id Integer Message ID
protocol Integer Traffic protocol number
src_country String Country code for source IP address
src_ip String Original source IP address of traffic
src_port Integer Original source port of TCP and UDP traffic
status String Ultimate state of traffic
time Time Time when the event occurred (hh:mm:ss)
user_group String Group to which the user belongs
user String User name
Table 4. Authentication
Name Type Description
additional_information String Additional information about the event
log_component String Component responsible for logging
log_subtype String Sub type of event
log_type String Type of event
message String Message displayed
message_id Integer Message ID
Table 5. Email
Name Type Description
action String Action performed on the message
bytes_received Integer Total number of bytes received
bytes_sent Integer Total number of bytes sent
date Date Date when the event occurred (yyyy-mm-dd)
domain String Sender’s domain name
dst_country Integer Country code for destination IP address
dst_ip String Original destination IP address of traffic
dst_port Integer Original destination port of TCP and UDP traffic
email_size Integer Email size, in bytes
fw_rule_id Integer Firewall rule ID which is applied on the traffic
host String Host from which the traffic originated
log_component String Component responsible for logging
log_subtype String Sub type of event
log_type String Type of event
message_id Integer Message ID
policy_name String Name of the policy associated with the event
protocol Integer Traffic protocol number
quarantine_reason String Reason why the record was detected as spam/malicious
recipient String Recipient’s email address
sender String Sender email address
src_country String Country code for source IP address
src_ip String Original source IP address of traffic
src_port Integer Original source port of TCP and UDP traffic
status String Ultimate state of traffic
subject String Email subject
time Time Time when the event occurred (hh:mm:ss)
user String User name
Table 6. Firewall
Name Type Description
app_category String Name of the category under which application falls
app_name String Application name
app_risk Integer Risk level assigned to the application
app_technology String Technology of the application
appfilter_policy_id Integer Application filter policy ID applied on the traffic
appresolvedby String Application is resolved by signature or synchronized application
bytes_received Integer Total number of bytes received
bytes_sent Integer Total number of bytes sent
con_direction String Packet direction
con_duration String Durability of traffic (seconds)
con_id Integer Unique identifier of connection
date Date Date when the event occurred (yyyy-mm-dd)
dst_country Integer Country code for destination IP address
dst_ip String Original destination IP address of traffic
dst_port Integer Original destination port of TCP and UDP traffic
dst_trans_ip String Translated destination IP address for outgoing traffic (applicable in route mode only)
dst_trans_port Integer Translated destination port for outgoing traffic(applicable in route mode only)
dst_zone String Name of destination zone
dst_zone_type String Type of destination zone
fw_rule_id Integer Firewall rule ID which is applied on the traffic
hb_status String Heartbeat status
in_interface String Interface for incoming traffic
ips_policy_id Integer IPS policy ID applied on the traffic
log_component String Component responsible for logging
log_subtype String Sub type of event
log_type String Type of event
message String Message displayed
message_id Integer Message ID
out_interface String Interface for outgoing traffic
packets_received Integer Total number of packets received
packets_sent Integer Total number of packets sent
policy_type String Policy type applied to the traffic
protocol Integer Traffic protocol number
src_country String Country code for source IP address
src_ip String Original source IP address of traffic
src_mac Integer Original source MAC address of traffic
src_port Integer Original source port of TCP and UDP traffic
src_trans_ip String Translated source IP address for outgoing traffic (applicable in route mode only)
src_trans_port Integer Translated source port for outgoing traffic
src_zone String Name of source zone
src_zone_type String Type of source zone
status String Ultimate state of traffic
time Time Time when the event occurred (hh:mm:ss)
user_group String Group to which the user belongs
user String User name
virt_con_id Integer Connection ID of the master connection
web_policy_id String Web policy ID
Table 7. IPS
Name Type Description
category String IPS signature category
classification String Signature classification
date Date Date when the event occurred (yyyy-mm-dd)
dst_country Integer Country code for destination IP address
dst_ip String Original destination IP address of traffic
fw_rule_id Integer Firewall rule ID which is applied on the traffic
icmp_code Integer ICMP code of ICMP traffic
icmp_type Integer ICMP type of ICMP traffic
ips_policy Integer IPS policy name which is applied on the traffic
ips_policy_id Integer IPS policy ID which is applied on the traffic
log_component String Component responsible for logging
log_subtype String Sub type of event
log_type String Type of event
message String Signature message
message_id Integer Message ID
OS String Operating system associated with the traffic
protocol Integer Traffic protocol number
rule_priority String Priority of IPS policy
sig_id String Signature ID
src_country String Country code for source IP address
src_ip String Original source IP address of traffic
time Time Time when the event occurred (hh:mm:ss)
user String User name
victim String Traffic target
Table 8. Malware
Name Type Description
bytes_sent Integer Total number of bytes sent
bytes_received Integer Total number of bytes received
date Date Date when the event occurred (yyyy-mm-dd)
domain String Sender’s domain name
dst_country Integer Country code for destination IP address
dst_ip String Original destination IP address of traffic
dst_port Integer Original destination port of TCP and UDP traffic
fw_rule_id Integer Firewall rule ID which is applied on the traffic
log_component String Component responsible for logging
log_subtype String Sub type of event
log_type String Type of event
message_id Integer Message ID
policy_name String Name of the policy associated with the event
protocol Integer Traffic protocol number
src_country String Country code for source IP address
src_ip String Original source IP address of traffic
src_port Integer Original source port of TCP and UDP traffic
status String Ultimate state of traffic
status_code Integer Status code
time Time Time when the event occurred (hh:mm:ss)
url String URL of the web page accessed
user String User name
user_agent String User agent
virus String Name of the malware identified by the scan engine
web_policy_id String Web policy ID
Table 9. Sandstorm
Name Type Description
date Date Date when the event occurred (yyyy-mm-dd)
domain String Domain associated with the event
file_name String File name associated with the event
file_size Integer Size of file associated with the event
file_type String Type of file associated with the event
host String Host from which the traffic originated
log_component String Component responsible for logging
log_subtype String Sub type of event
log_type String Type of event
message_id Integer Message ID
reason String Reason why the record was detected as spam/malicious
src_ip String Original source IP address of traffic
sha1sum Hexadecimal SHA1 checksum of the item being analyzed
subject String Signature message
time Time Time when the event occurred (hh:mm:ss)
user String User name
Table 10. Security Heartbeat
Name Type Description
date Date Date when the event occurred (yyyy-mm-dd)
endpoint_id Integer Endpoint ID
endpoint_ip String Endpoint IP
event_time Time Time when the event occurred
log_component String Component responsible for logging
log_subtype String Sub type of event
log_type String Type of event
message_id Integer Message ID
name String Name associated with the event
status String Ultimate state of traffic
time Time Time when the event occurred (hh:mm:ss)
Table 11. System
Name Type Description
additional_information String Additional information about the event
date Date Date when the event occurred (yyyy-mm-dd)
log_component String Component responsible for logging
log_subtype String Sub type of event
log_type String Type of event
message String Message displayed
message_id Integer Message ID
oldversion String Old version of the system component associated with the event
newversion String New version of the system component associated with the event
status String Ultimate state of traffic
time Time Time when the event occurred (hh:mm:ss)
Table 12. Web content policy
Name Type Description
action String Action taken on the content based on the web policy rule
category String Name of the category under which website falls
content_filter_key String Content filter key
context_match String String (context) of the file that matches the word/word(s) defined in the filter
context_prefix String String (context) of the file that precedes the matched content
context_suffix String String (context) of the file that succeeds the matched content
date Date Date when the event occurred (yyyy-mm-dd)
direction String Direction of the content being scanned
file_name String Name of the file being downloaded or uploaded
log_component String Component responsible for logging
log_subtype String Sub type of event
log_type String Type of event
message_id Integer Message ID
site_category String Web category of the website accessed
src_ip String Original source IP address of traffic
time Time Time when the event occurred (hh:mm:ss)
transaction_id String Transaction ID of the AV scan.
user String User name
website String Website accessed
Table 13. Web filter
Name Type Description
activity_name String Web policy activity that matched and caused the policy result. (If the transaction matches multiple activities then only the first one that causes the policy decision will be recorded.)
app_name String Application name
bytes_received Integer Total number of bytes received
bytes_sent Integer Total number of bytes sent
category String Name of the category under which website falls
category_type String Type of category under which website falls
con_duration String Durability of traffic (seconds)
con_id Integer Unique identifier of connection
content_type String Type of the content
date Date Date when the event occurred (yyyy-mm-dd)
domain String Sender’s domain name
download_file_name String Download file name
download_file_type String Download file type
dst_ip String Original destination IP address of traffic
dst_port Integer Original destination port of TCP and UDP traffic
exception String List of the checks excluded by web exceptions.
fw_rule_id Integer Firewall rule ID which is applied on the traffic
log_component String Component responsible for logging
log_subtype String Sub type of event
log_type String Type of event
message_id Integer Message ID
override_token String Override token
protocol Integer Traffic protocol number
reason String Reason why the record was detected as spam/malicious
referer String Referer
response_code Integer Response code
src_ip String Original source IP address of traffic
src_port Integer Original source port of TCP and UDP traffic
status String Ultimate state of traffic
status_code Integer Status code
transaction_id String Transaction ID of the AV scan.
upload_file_name String Upload file name
upload_file_type String Upload file type
url String URL of the web page accessed
user String User name
user_group String Group to which the user belongs
web_policy String Web policy associated with the event
web_policy_id String Web policy ID
Note XG Firewall always blocks web pages categorized as highly objectionable criminal activity and hides the domain name in logs and reports.
Table 14. Web server protection
Name Type Description
bytes_received Integer Total number of bytes received
bytes_sent Integer Total number of bytes sent
content_type String Type of the content
cookie String Name of the cookie
date Date Date when the event occurred (yyyy-mm-dd)
extra String More info on anti-virus
fw_rule_id Integer Firewall rule ID which is applied on the traffic
host String Host from which the traffic originated
log_component String Component responsible for logging
log_type String Type of event
message_id Integer Message ID
method String Name of HTTP request method
policy_name String Name of the policy associated with the event
protocol Integer Traffic protocol number
query_string String Query search
reason String Reason why the record was detected as spam/malicious
referer String Referer
response_code Integer Response code
response_time Integer Time to process the request
server String Server name
src_ip String Original source IP address of traffic
time Time Time when the event occurred (hh:mm:ss)
url String URL of the web page accessed
user String User name
user_agent String User agent