Table sem5.dbo.AGENT_TRAFFIC_LOG_1
Keeps the network traffic events that occur on agents

Generated by
SchemaSpy
| Column | Type | Size | Nulls | Default | Comments |
|---|---|---|---|---|---|
| USN | bigint | 8 | | | A USN-based serial number; this ID is not unique. |
| DOMAIN_ID | char | 32 | | | GUID of the domain to which the log belongs |
| SITE_ID | char | 32 | | | GUID of the site to which the log belongs |
| SERVER_ID | char | 32 | | | GUID of the server to which the log belongs |
| GROUP_ID | char | 32 | | | GUID of the group to which the log belongs |
| COMPUTER_ID | char | 32 | | | GUID of the client computer that is associated with the agent traffic log |
| TIME_STAMP | bigint | 8 | | | The time when the event is logged into the system (GMT); this is server-side time |
| EVENT_ID | int | 4 | | | An event ID sent by the agent: 301 = TCP initiated; 302 = UDP datagram; 303 = Ping request; 304 = TCP completed; 305 = Traffic (other); 306 = ICMP packet; 307 = Ethernet packet; 308 = IP packet |
| EVENT_TIME | bigint | 8 | | | The time the event was generated (GMT) |
| SEVERITY | int | 4 | | | Severity as defined in the Security Rule: Critical = 0 - 3; Major = 4 - 7; Minor = 8 - 11; Info = 12 - 15 |
| AGENT_ID | char | 32 | √ | null | GUID of the agent |
| HARDWARE_KEY | char | 32 | √ | null | Hash of the computer's hardware information |
| HOST_NAME | nvarchar | 512 | √ | null | Host name of the client computer |
| LOCAL_HOST_IP | bigint | 8 | √ | null | The IP address of the local computer (IPv4) |
| REMOTE_HOST_IP | bigint | 8 | √ | null | The IP address of the remote computer (IPv4) |
| REMOTE_HOST_NAME | nvarchar | 128 | √ | null | The name of the remote computer (may be empty if name resolution failed) |
| NETWORK_PROTOCOL | tinyint | 1 | √ | null | The protocol type. Enum (OTHERS = 1; TCP = 2; UDP = 3; ICMP = 4) |
| LOCAL_PORT | int | 4 | √ | null | The TCP/UDP port on the local machine (host byte order). It is only valid for TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP; for other events it is always zero. |
| REMOTE_PORT | int | 4 | √ | null | The TCP/UDP port on the remote machine (host byte order). It is only valid for TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP; for other events it is always zero. |
| TRAFFIC_DIRECTION | tinyint | 1 | √ | null | The direction of traffic. Enum (unknown = 0; inbound = 1; outbound = 2) |
| BEGIN_TIME | bigint | 8 | √ | null | The begin time of the security issue |
| END_TIME | bigint | 8 | √ | null | The end time of the security issue. End time is optional because the exact end of the traffic may not be detectable (UDP, for example); in those cases the end time equals the begin time. |
| REPETITION | int | 4 | √ | null | The number of attacks. Sometimes, when an attacker launches a mass attack, the log system damps it to a single event. |
| APP_NAME | nvarchar | 512 | √ | null | The full path of the application involved. It may be empty if an unknown application is involved or if no application is involved; for example, the ping-of-death DoS attack has no AppName because it attacks the operating system itself. |
| BLOCKED | tinyint | 1 | | | Specifies whether the traffic was blocked (Yes = 1, No = 0) |
| RULE_ID | char | 32 | √ | null | The ID of the rule triggered by the event. It is always 0 if no rule ID is specified in the security rule. The field is helpful for security rule troubleshooting. If multiple rules matched, it logs the rule that had the final decision in PacketProc (pass/block/drop). |
| RULE_NAME | nvarchar | 512 | √ | null | Name of the rule triggered by the event; an empty string if not specified in the security rule. Useful for troubleshooting: in theory a rule can be recognized by its rule ID, but the rule name allows quicker recognition. |
| ALERT | tinyint | 1 | √ | null | Reflects the alert attribute of the profile action. It is true if action::alert is true (Yes = 1, No = 0) |
| SEND_SNMP_TRAP | tinyint | 1 | √ | null | Reflects the send-SNMP-trap action. It is true if send is true (Yes = 1, No = 0) |
| LOCAL_HOST_MAC | varchar | 18 | √ | null | The MAC address of the local computer |
| REMOTE_HOST_MAC | varchar | 18 | √ | null | The MAC address of the remote computer |
| LOCATION_NAME | nvarchar | 512 | √ | null | The location in use when the event occurred |
| USER_NAME | nvarchar | 512 | √ | null | Login user name |
| DOMAIN_NAME | nvarchar | 512 | √ | null | Login domain name |
| RESERVED_INT1 | int | 4 | √ | null | |
| RESERVED_INT2 | int | 4 | √ | null | |
| RESERVED_BIGINT1 | bigint | 8 | √ | null | |
| RESERVED_BIGINT2 | bigint | 8 | √ | null | |
| RESERVED_CHAR1 | char | 32 | √ | null | |
| RESERVED_CHAR2 | char | 32 | √ | null | |
| RESERVED_VARCHAR1 | nvarchar | 520 | √ | null | |
| RESERVED_BINARY | varbinary | 2000 | √ | null | |
| LOG_IDX | char | 32 | √ | null | Log index unique ID |
| LOCAL_HOST_IPV6 | varchar | 32 | √ | null | Local host IPv6 address |
| REMOTE_HOST_IPV6 | varchar | 32 | √ | null | Remote host IPv6 address |
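A triage query against this table that decodes the EVENT_ID, SEVERITY, NETWORK_PROTOCOL, TRAFFIC_DIRECTION and BLOCKED enumerations documented above, added here as an example; it is not part of the SchemaSpy page or the product's own code. It assumes (the page does not say) that TIME_STAMP is milliseconds since 1970-01-01 UTC, that the bigint IPv4 columns store the dotted quad as an unsigned 32-bit value with the first octet most significant, and SQL Server 2012 or later for CONCAT.

```sql
-- Added triage query; not from the SchemaSpy page or the product vendor.
-- Assumptions not stated on the page: TIME_STAMP is milliseconds since
-- 1970-01-01 UTC, and the bigint IPv4 columns hold the dotted quad as an
-- unsigned 32-bit value with the first octet most significant.
DECLARE @since bigint =
    CAST(DATEDIFF(second, '1970-01-01', DATEADD(day, -7, GETUTCDATE())) AS bigint) * 1000;

SELECT TOP (200)
    DATEADD(second, CAST(t.TIME_STAMP / 1000 AS int), '1970-01-01') AS logged_utc,
    t.HOST_NAME,
    t.USER_NAME,
    CASE t.EVENT_ID
        WHEN 301 THEN 'TCP initiated'   WHEN 302 THEN 'UDP datagram'
        WHEN 303 THEN 'Ping request'    WHEN 304 THEN 'TCP completed'
        WHEN 305 THEN 'Traffic (other)' WHEN 306 THEN 'ICMP packet'
        WHEN 307 THEN 'Ethernet packet' WHEN 308 THEN 'IP packet'
        ELSE 'unknown event ' + CAST(t.EVENT_ID AS varchar(11))
    END AS event_name,
    CASE WHEN t.SEVERITY BETWEEN 0  AND 3  THEN 'Critical'
         WHEN t.SEVERITY BETWEEN 4  AND 7  THEN 'Major'
         WHEN t.SEVERITY BETWEEN 8  AND 11 THEN 'Minor'
         WHEN t.SEVERITY BETWEEN 12 AND 15 THEN 'Info'
         ELSE 'undefined' END AS severity_band,
    CASE t.NETWORK_PROTOCOL WHEN 1 THEN 'OTHERS' WHEN 2 THEN 'TCP'
         WHEN 3 THEN 'UDP' WHEN 4 THEN 'ICMP' ELSE 'unknown' END AS protocol,
    CASE t.TRAFFIC_DIRECTION WHEN 1 THEN 'inbound' WHEN 2 THEN 'outbound'
         ELSE 'unknown' END AS direction,
    -- Render the bigint IPv4 as a dotted quad; fall back to the IPv6 column when NULL.
    CASE WHEN t.REMOTE_HOST_IP IS NULL THEN t.REMOTE_HOST_IPV6
         ELSE CONCAT((t.REMOTE_HOST_IP / 16777216) % 256, '.',
                     (t.REMOTE_HOST_IP / 65536) % 256, '.',
                     (t.REMOTE_HOST_IP / 256) % 256, '.',
                     t.REMOTE_HOST_IP % 256) END AS remote_ip,
    -- Ports are documented as valid only for TCP/UDP events (0 otherwise).
    CASE WHEN t.NETWORK_PROTOCOL IN (2, 3) THEN t.REMOTE_PORT END AS remote_port,
    t.APP_NAME,
    t.RULE_NAME,
    t.REPETITION,   -- a damped mass event is one row; weight counts by this
    CASE t.BLOCKED WHEN 1 THEN 'blocked' ELSE 'allowed' END AS disposition
FROM sem5.dbo.AGENT_TRAFFIC_LOG_1 AS t
WHERE t.TIME_STAMP >= @since           -- range seek on I_AGENT_TRAFFIC_LOG_1_TS
  AND t.SEVERITY BETWEEN 0 AND 7       -- Critical and Major bands only
  AND t.BLOCKED = 1
ORDER BY t.TIME_STAMP DESC;
```

Filtering on TIME_STAMP rather than EVENT_TIME keeps the predicate on the indexed server-side column, and the REPETITION column should be summed rather than counting rows when sizing an incident.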

Analyzed at Mon Oct 29 12:07 PDT 2012

Indexes:
| Column(s) | Type | Sort | Constraint Name |
|---|---|---|---|
| USN | Performance | Asc | I_AGENT_TRAFFIC_LOG_1 |
| ALERT | Performance | Asc | I_AGENT_TRAFFIC_LOG_1_ALERT |
| EVENT_ID | Performance | Asc | I_AGENT_TRAFFIC_LOG_1_ID |
| LOG_IDX | Performance | Asc | I_AGENT_TRAFFIC_LOG_1_LOG_IDX |
| EVENT_TIME | Performance | Asc | I_AGENT_TRAFFIC_LOG_1_TIME_PLUS |
| TIME_STAMP | Performance | Asc | I_AGENT_TRAFFIC_LOG_1_TS |