SchemaSpy Analysis of sem5.dbo - Columns
Symantec Endpoint Protection Manager Database Schema
Generated by SchemaSpy on Mon Oct 29 12:07 PDT 2012

sem5.dbo contains 2718 columns:
Table Column Type Size Nulls Auto Default Comments
AGENT_BEHAVIOR_LOG_1 BEGIN_TIME bigint 8  √  null The begin time of security issue
AGENT_BEHAVIOR_LOG_2 BEGIN_TIME bigint 8  √  null The begin time of security issue
AGENT_SECURITY_LOG_1 BEGIN_TIME bigint 8  √  null The begin time of security issue
AGENT_SECURITY_LOG_2 BEGIN_TIME bigint 8  √  null The begin time of security issue
AGENT_TRAFFIC_LOG_1 BEGIN_TIME bigint 8  √  null The begin time of security issue
AGENT_TRAFFIC_LOG_2 BEGIN_TIME bigint 8  √  null The begin time of security issue
COMMAND BEGIN_TIME bigint 8 ((0)) Time that the command launched at the client in GMT
ENFORCER_TRAFFIC_LOG_1 BEGIN_TIME bigint 8  √  null The begin time of Enforcer event
ENFORCER_TRAFFIC_LOG_2 BEGIN_TIME bigint 8  √  null The begin time of Enforcer event
V_AGENT_BEHAVIOR_LOG BEGIN_TIME bigint 8  √  null
V_AGENT_SECURITY_LOG BEGIN_TIME bigint 8  √  null
V_AGENT_TRAFFIC_LOG BEGIN_TIME bigint 8  √  null
V_ENFORCER_TRAFFIC_LOG BEGIN_TIME bigint 8  √  null
AGENT_BEHAVIOR_LOG_1 CALLER_PROCESS_ID bigint 8  √  null ID of the Process that triggers the logging
AGENT_BEHAVIOR_LOG_2 CALLER_PROCESS_ID bigint 8  √  null ID of the Process that triggers the logging
V_AGENT_BEHAVIOR_LOG CALLER_PROCESS_ID bigint 8  √  null
AGENT_BEHAVIOR_LOG_1 CALLER_RETURN_ADDRESS bigint 8  √  null Return address of the caller. This field allows our software to detect the calling module that makes the API call.
AGENT_BEHAVIOR_LOG_2 CALLER_RETURN_ADDRESS bigint 8  √  null Return address of the caller. This field allows our software to detect the calling module that makes the API call.
V_AGENT_BEHAVIOR_LOG CALLER_RETURN_ADDRESS bigint 8  √  null
AGENT_SECURITY_LOG_1 CIDS_SIGN_ID bigint 8 ((0)) Signature ID
AGENT_SECURITY_LOG_2 CIDS_SIGN_ID bigint 8 ((0)) Signature ID
V_AGENT_SECURITY_LOG CIDS_SIGN_ID bigint 8
AGENT_SECURITY_LOG_1 CIDS_SIGN_SUB_ID bigint 8 ((0)) Signature sub ID
AGENT_SECURITY_LOG_2 CIDS_SIGN_SUB_ID bigint 8 ((0)) Signature sub ID
V_AGENT_SECURITY_LOG CIDS_SIGN_SUB_ID bigint 8
NOTIFICATION CLIENT_TRIGGERED bigint 8 ((0)) Time when notification condition was last triggered. As of version 12.1.2, this column is used instead of TRIGGERED.
SEM_JOB CREATE_TIME bigint 8 When the command was issued at the console by the administrator
SEM_AGENT CREATION_TIME bigint 8  √  null Create time of the agent
SEM_CLIENT CREATION_TIME bigint 8  √  null Create time of the client
SEM_SVA CREATION_TIME bigint 8  √  null
SEM_SVA_CLIENT CREATION_TIME bigint 8  √  null
SEM_AGENT DEPLOY_TIMESTAMP bigint 8 ((0)) The time of the deployment action.
LAN_DEVICE_DETECTED DEVICE_DETECTED_TIME bigint 8  √  null GUID of the domain
V_LAN_DEVICE_DETECTED DEVICE_DETECTED_TIME bigint 8  √  null
SEM_COMPUTER DHCP_SERVER bigint 8  √  null
SEM_SVA_COMPUTER DHCP_SERVER bigint 8  √  null
V_SEM_COMPUTER DHCP_SERVER bigint 8  √  null
SEM_COMPUTER DISK_TOTAL bigint 8  √  null Total disk space
SEM_SVA_COMPUTER DISK_TOTAL bigint 8  √  null
V_SEM_COMPUTER DISK_TOTAL bigint 8  √  null
SEM_COMPUTER DNS_SERVER1 bigint 8  √  null
SEM_SVA_COMPUTER DNS_SERVER1 bigint 8  √  null
V_SEM_COMPUTER DNS_SERVER1 bigint 8  √  null
SEM_COMPUTER DNS_SERVER2 bigint 8  √  null
SEM_SVA_COMPUTER DNS_SERVER2 bigint 8  √  null
V_SEM_COMPUTER DNS_SERVER2 bigint 8  √  null
LICENSE END_DATE bigint 8 License end date time, read from license file
AGENT_BEHAVIOR_LOG_1 END_TIME bigint 8  √  null The end time of security issue. End time is an optional field because the exact end time of traffic may not be detected, for example with UDP traffic. If end time is not detected, it is set to equal begin time.
AGENT_BEHAVIOR_LOG_2 END_TIME bigint 8  √  null The end time of security issue. End time is an optional field because we may fail to detect the exact end time of traffic, like UDP. In those cases, the end time is equal to begin time.
AGENT_SECURITY_LOG_1 END_TIME bigint 8  √  null The end time of security issue. End time is an optional field because we may fail to detect the exact end time of traffic, like UDP. In those cases, the end time is equal to begin time.
AGENT_SECURITY_LOG_2 END_TIME bigint 8  √  null The end time of security issue. End time is an optional field because we may fail to detect the exact end time of traffic, like UDP. In those cases, the end time is equal to begin time.
AGENT_TRAFFIC_LOG_1 END_TIME bigint 8  √  null The end time of security issue. End time is an optional field because we may fail to detect the exact end time of traffic, like UDP. In those cases, the end time is equal to begin time.
AGENT_TRAFFIC_LOG_2 END_TIME bigint 8  √  null The end time of security issue. End time is an optional field because we may fail to detect the exact end time of traffic, like UDP. In those cases, the end time is equal to begin time.
ENFORCER_TRAFFIC_LOG_1 END_TIME bigint 8  √  null The end time of Enforcer event
ENFORCER_TRAFFIC_LOG_2 END_TIME bigint 8  √  null The end time of Enforcer event
V_AGENT_BEHAVIOR_LOG END_TIME bigint 8  √  null
V_AGENT_SECURITY_LOG END_TIME bigint 8  √  null
V_AGENT_TRAFFIC_LOG END_TIME bigint 8  √  null
V_ENFORCER_TRAFFIC_LOG END_TIME bigint 8  √  null
HISTORY EVENT_DATETIME bigint 8 ((0)) Snapshot time in GMT
AGENT_BEHAVIOR_LOG_1 EVENT_TIME bigint 8 The event generated time (GMT)
AGENT_BEHAVIOR_LOG_2 EVENT_TIME bigint 8 The event generated time (GMT)
AGENT_PACKET_LOG_1 EVENT_TIME bigint 8 The event generated time (GMT)
AGENT_PACKET_LOG_2 EVENT_TIME bigint 8 The event generated time (GMT)
AGENT_SECURITY_LOG_1 EVENT_TIME bigint 8 The event generated time (GMT)
AGENT_SECURITY_LOG_2 EVENT_TIME bigint 8 The event generated time (GMT)
AGENT_SYSTEM_LOG_1 EVENT_TIME bigint 8 The event generated time (GMT)
AGENT_SYSTEM_LOG_2 EVENT_TIME bigint 8 The event generated time (GMT)
AGENT_TRAFFIC_LOG_1 EVENT_TIME bigint 8 The event generated time (GMT)
AGENT_TRAFFIC_LOG_2 EVENT_TIME bigint 8 The event generated time (GMT)
ENFORCER_CLIENT_LOG_1 EVENT_TIME bigint 8 The event generated time (GMT)
ENFORCER_CLIENT_LOG_2 EVENT_TIME bigint 8 The event generated time (GMT)
ENFORCER_SYSTEM_LOG_1 EVENT_TIME bigint 8 The event generated time (GMT)
ENFORCER_SYSTEM_LOG_2 EVENT_TIME bigint 8 The event generated time (GMT)
ENFORCER_TRAFFIC_LOG_1 EVENT_TIME bigint 8 The event generated time (GMT)
ENFORCER_TRAFFIC_LOG_2 EVENT_TIME bigint 8 The event generated time (GMT)
V_AGENT_BEHAVIOR_LOG EVENT_TIME bigint 8
V_AGENT_PACKET_LOG EVENT_TIME bigint 8
V_AGENT_SECURITY_LOG EVENT_TIME bigint 8
V_AGENT_SYSTEM_LOG EVENT_TIME bigint 8
V_AGENT_TRAFFIC_LOG EVENT_TIME bigint 8
V_ENFORCER_CLIENT_LOG EVENT_TIME bigint 8
V_ENFORCER_SYSTEM_LOG EVENT_TIME bigint 8
V_ENFORCER_TRAFFIC_LOG EVENT_TIME bigint 8
V_SECURITY_VIEW EVENT_TIME bigint 8
LICENSE EXPIRE_DATE bigint 8  √  null end date - grace days
LICENSE_CHAIN EXPIRE_DATE bigint 8  √  null Expiration date of the chain : end date - grace days
AGENT_BEHAVIOR_LOG_1 FILE_SIZE bigint 8  √  null Size of the file associated with the application control violation, in MB
AGENT_BEHAVIOR_LOG_2 FILE_SIZE bigint 8  √  null Size of the file associated with the application control violation in MB
HPP_APPLICATION FILE_SIZE bigint 8 ((0)) File size
SEM_APPLICATION FILE_SIZE bigint 8  √  null File size of the application binary
V_AGENT_BEHAVIOR_LOG FILE_SIZE bigint 8  √  null
SCANREPORT FILESCANNED bigint 8 ('0') Number of files scanned
SCANREPORT FILESINFECTED bigint 8 ('0') Number of files the scan found
INVENTORYCURRENTRISK1 FIRST_INFECTED_TIME bigint 8 ((0)) Time that the unremediated risk was first detected
HPP_APPLICATION FIRST_SEEN bigint 8 ((0)) The first seen date for the convicted application. Default is 0.
SEM_AGENT FREE_DISK bigint 8  √  null Free disk space available
SEM_AGENT FREE_MEM bigint 8  √  null Free memory available
SEM_COMPUTER GATEWAY1 bigint 8  √  null
SEM_SVA_COMPUTER GATEWAY1 bigint 8  √  null
V_SEM_COMPUTER GATEWAY1 bigint 8  √  null
SEM_COMPUTER GATEWAY2 bigint 8  √  null
SEM_SVA_COMPUTER GATEWAY2 bigint 8  √  null
V_SEM_COMPUTER GATEWAY2 bigint 8  √  null
SEM_COMPUTER GATEWAY3 bigint 8  √  null
SEM_SVA_COMPUTER GATEWAY3 bigint 8  √  null
V_SEM_COMPUTER GATEWAY3 bigint 8  √  null
SEM_COMPUTER GATEWAY4 bigint 8  √  null
SEM_SVA_COMPUTER GATEWAY4 bigint 8  √  null
V_SEM_COMPUTER GATEWAY4 bigint 8  √  null
LICENSE GRACE_POLICY bigint 8 number of days of grace, specified in license file. End date includes the grace days as well. Hence expiration date = end date - grace days
SCANS INFECTED bigint 8 ((0)) Number of files the scan found infected
AGENT_BEHAVIOR_LOG_1 IP_ADDR bigint 8  √  null IP Address of the machine associated with the application control violation
AGENT_BEHAVIOR_LOG_2 IP_ADDR bigint 8  √  null IP Address of the machine associated with the application control violation
V_AGENT_BEHAVIOR_LOG IP_ADDR bigint 8  √  null
SEM_COMPUTER IP_ADDR1 bigint 8  √  null
SEM_SVA_COMPUTER IP_ADDR1 bigint 8  √  null
V_SEM_COMPUTER IP_ADDR1 bigint 8  √  null
SEM_COMPUTER IP_ADDR2 bigint 8  √  null
SEM_SVA_COMPUTER IP_ADDR2 bigint 8  √  null
V_SEM_COMPUTER IP_ADDR2 bigint 8  √  null
SEM_COMPUTER IP_ADDR3 bigint 8  √  null
SEM_SVA_COMPUTER IP_ADDR3 bigint 8  √  null
V_SEM_COMPUTER IP_ADDR3 bigint 8  √  null
SEM_COMPUTER IP_ADDR4 bigint 8  √  null
SEM_SVA_COMPUTER IP_ADDR4 bigint 8  √  null
V_SEM_COMPUTER IP_ADDR4 bigint 8  √  null
GUP_LIST IP_ADDRESS bigint 8 Represents the GUP IP address
LAN_DEVICE_DETECTED IP_ADDRESS bigint 8 IP Address of the device
LAN_DEVICE_EXCLUDED IP_ADDRESS bigint 8  √  null IP Address of the device
V_LAN_DEVICE_DETECTED IP_ADDRESS bigint 8
V_LAN_DEVICE_EXCLUDED IP_ADDRESS bigint 8  √  null
LAN_DEVICE_EXCLUDED IP_RANGE_END bigint 8  √  null End of IP Address range
V_LAN_DEVICE_EXCLUDED IP_RANGE_END bigint 8  √  null
LAN_DEVICE_EXCLUDED IP_RANGE_START bigint 8  √  null Start of IP Address range
V_LAN_DEVICE_EXCLUDED IP_RANGE_START bigint 8  √  null
COMPUTER_APPLICATION LAST_ACCESS_TIME bigint 8  √  null Last access time of the application on the computer (GMT)
SEM_AGENT LAST_CONNECTED_IP_ADDR bigint 8  √  null
SEM_AGENT LAST_DOWNLOAD_TIME bigint 8 ((0)) Last download time
SEM_AGENT LAST_HEURISTIC_THREAT_TIME bigint 8 ((0)) Last time that SONAR detected a risk
BASIC_METADATA LAST_MODIFY_TIME bigint 8  √  null Last modify time
SEM_APPLICATION LAST_MODIFY_TIME bigint 8  √  null Last modify time of the application binary
SEM_SVA LAST_REBOOT_TIME bigint 8  √  null
ADMIN_GROUP_REFRESH_INFO LAST_REFRESH_AT bigint 8
SEM_AGENT LAST_SCAN_TIME bigint 8 ((0)) Last scan time for this agent (GMT)
COMMAND LAST_UPDATE_TIME bigint 8 ((0)) Time of last status reported by client in GMT
SEM_AGENT LAST_UPDATE_TIME bigint 8  √  null Last online time of the agent
SEM_REPLICATION_STATE LAST_UPDATE_TIME bigint 8 Last USN update time
SEM_SVA LAST_UPDATE_TIME bigint 8  √  null
SEM_AGENT LAST_VIRUS_TIME bigint 8 ((0)) Last time virus was detected on the client computer (GMT)
HISTORYCONFIG LASTRUN bigint 8 ((0)) When the report got generated last in GMT
NOTIFICATION LASTRUN bigint 8 ((0)) Time stamp when this notification has last been analyzed
SEM_AGENT LICENSE_EXPIRY bigint 8 ((0)) For future use
AGENT_PACKET_LOG_1 LOCAL_HOST_IP bigint 8  √  null The IP address of local computer (IPv4)
AGENT_PACKET_LOG_2 LOCAL_HOST_IP bigint 8  √  null The IP address of local computer (IPv4)
AGENT_SECURITY_LOG_1 LOCAL_HOST_IP bigint 8  √  null The IP address of local computer (IPv4)
AGENT_SECURITY_LOG_2 LOCAL_HOST_IP bigint 8  √  null The IP address of local computer (IPv4)
AGENT_TRAFFIC_LOG_1 LOCAL_HOST_IP bigint 8  √  null The IP address of local computer (IPv4)
AGENT_TRAFFIC_LOG_2 LOCAL_HOST_IP bigint 8  √  null The IP address of local computer (IPv4)
ALERTS LOCAL_HOST_IP bigint 8  √  ((0)) Local host IP
ENFORCER_TRAFFIC_LOG_1 LOCAL_HOST_IP bigint 8 The IP address of local computer (IPv4)
ENFORCER_TRAFFIC_LOG_2 LOCAL_HOST_IP bigint 8 The IP address of local computer (IPv4)
V_AGENT_PACKET_LOG LOCAL_HOST_IP bigint 8  √  null
V_AGENT_SECURITY_LOG LOCAL_HOST_IP bigint 8  √  null
V_AGENT_TRAFFIC_LOG LOCAL_HOST_IP bigint 8  √  null
V_ALERTS LOCAL_HOST_IP bigint 8  √  null
V_ENFORCER_TRAFFIC_LOG LOCAL_HOST_IP bigint 8
SEM_COMPUTER MEMORY bigint 8  √  null Physical memory in kb
SEM_SVA_COMPUTER MEMORY bigint 8  √  null
V_SEM_COMPUTER MEMORY bigint 8  √  null
SCANS OMITTED bigint 8 ((0)) Number of files omitted
SERIAL_NUMBERS POLICY_LAST_MODIFIED bigint 8  √  null The time when the event is logged into system (GMT), which is server side time
SEM_COMPUTER PROCESSOR_CLOCK bigint 8  √  null Processor clock
SEM_SVA_COMPUTER PROCESSOR_CLOCK bigint 8  √  null
V_SEM_COMPUTER PROCESSOR_CLOCK bigint 8  √  null
AGENT_PACKET_LOG_1 REMOTE_HOST_IP bigint 8  √  null The IP address of remote computer (IPv4)
AGENT_PACKET_LOG_2 REMOTE_HOST_IP bigint 8  √  null The IP address of remote computer (IPv4)
AGENT_SECURITY_LOG_1 REMOTE_HOST_IP bigint 8  √  null The IP address of remote computer (IPv4)
AGENT_SECURITY_LOG_2 REMOTE_HOST_IP bigint 8  √  null The IP address of remote computer (IPv4)
AGENT_TRAFFIC_LOG_1 REMOTE_HOST_IP bigint 8  √  null The IP address of remote computer (IPv4)
AGENT_TRAFFIC_LOG_2 REMOTE_HOST_IP bigint 8  √  null The IP address of remote computer (IPv4)
ENFORCER_TRAFFIC_LOG_1 REMOTE_HOST_IP bigint 8 The IP address of remote computer (IPv4)
ENFORCER_TRAFFIC_LOG_2 REMOTE_HOST_IP bigint 8 The IP address of remote computer (IPv4)
V_AGENT_PACKET_LOG REMOTE_HOST_IP bigint 8  √  null
V_AGENT_SECURITY_LOG REMOTE_HOST_IP bigint 8  √  null
V_AGENT_TRAFFIC_LOG REMOTE_HOST_IP bigint 8  √  null
V_ENFORCER_TRAFFIC_LOG REMOTE_HOST_IP bigint 8
REPORTS REPORT_TIME bigint 8 Report sample time
AGENT_BEHAVIOR_LOG_1 RESERVED_BIGINT1 bigint 8  √  null
AGENT_BEHAVIOR_LOG_2 RESERVED_BIGINT1 bigint 8  √  null
AGENT_PACKET_LOG_1 RESERVED_BIGINT1 bigint 8  √  null
AGENT_PACKET_LOG_2 RESERVED_BIGINT1 bigint 8  √  null
AGENT_SECURITY_LOG_1 RESERVED_BIGINT1 bigint 8  √  null
AGENT_SECURITY_LOG_2 RESERVED_BIGINT1 bigint 8  √  null
AGENT_SYSTEM_LOG_1 RESERVED_BIGINT1 bigint 8  √  null
AGENT_SYSTEM_LOG_2 RESERVED_BIGINT1 bigint 8  √  null
AGENT_TRAFFIC_LOG_1 RESERVED_BIGINT1 bigint 8  √  null
AGENT_TRAFFIC_LOG_2 RESERVED_BIGINT1 bigint 8  √  null
BASIC_METADATA RESERVED_BIGINT1 bigint 8  √  null
BINARY_FILE RESERVED_BIGINT1 bigint 8  √  null
COMMAND RESERVED_BIGINT1 bigint 8  √  null
COMPUTER_APPLICATION RESERVED_BIGINT1 bigint 8  √  null
ENFORCER_CLIENT_LOG_1 RESERVED_BIGINT1 bigint 8  √  null
ENFORCER_CLIENT_LOG_2 RESERVED_BIGINT1 bigint 8  √  null
ENFORCER_SYSTEM_LOG_1 RESERVED_BIGINT1 bigint 8  √  null
ENFORCER_SYSTEM_LOG_2 RESERVED_BIGINT1 bigint 8  √  null
ENFORCER_TRAFFIC_LOG_1 RESERVED_BIGINT1 bigint 8  √  null
ENFORCER_TRAFFIC_LOG_2 RESERVED_BIGINT1 bigint 8  √  null
IDENTITY_MAP RESERVED_BIGINT1 bigint 8  √  null
LAN_DEVICE_DETECTED RESERVED_BIGINT1 bigint 8  √  null
LAN_DEVICE_EXCLUDED RESERVED_BIGINT1 bigint 8  √  null
LEGACY_AGENT RESERVED_BIGINT1 bigint 8  √  null
LOCAL_METADATA RESERVED_BIGINT1 bigint 8  √  null
LOG_CONFIG RESERVED_BIGINT1 bigint 8  √  null
REPORTS RESERVED_BIGINT1 bigint 8  √  null
SEM_AGENT RESERVED_BIGINT1 bigint 8  √  null
SEM_APPLICATION RESERVED_BIGINT1 bigint 8  √  null
SEM_CLIENT RESERVED_BIGINT1 bigint 8  √  null
SEM_COMPUTER RESERVED_BIGINT1 bigint 8  √  null
SEM_JOB RESERVED_BIGINT1 bigint 8  √  null
SEM_SVA RESERVED_BIGINT1 bigint 8  √  null
SEM_SVA_CLIENT RESERVED_BIGINT1 bigint 8  √  null
SEM_SVA_COMPUTER RESERVED_BIGINT1 bigint 8  √  null
SERVER_ADMIN_LOG_1 RESERVED_BIGINT1 bigint 8  √  null
SERVER_ADMIN_LOG_2 RESERVED_BIGINT1 bigint 8  √  null
SERVER_CLIENT_LOG_1 RESERVED_BIGINT1 bigint 8  √  null
SERVER_CLIENT_LOG_2 RESERVED_BIGINT1 bigint 8  √  null
SERVER_ENFORCER_LOG_1 RESERVED_BIGINT1 bigint 8  √  null
SERVER_ENFORCER_LOG_2 RESERVED_BIGINT1 bigint 8  √  null
SERVER_POLICY_LOG_1 RESERVED_BIGINT1 bigint 8  √  null
SERVER_POLICY_LOG_2 RESERVED_BIGINT1 bigint 8  √  null
SERVER_SYSTEM_LOG_1 RESERVED_BIGINT1 bigint 8  √  null
SERVER_SYSTEM_LOG_2 RESERVED_BIGINT1 bigint 8  √  null
SYSTEM_STATE RESERVED_BIGINT1 bigint 8  √  null
V_AGENT_BEHAVIOR_LOG RESERVED_BIGINT1 bigint 8  √  null
V_AGENT_PACKET_LOG RESERVED_BIGINT1 bigint 8  √  null
V_AGENT_SECURITY_LOG RESERVED_BIGINT1 bigint 8  √  null
V_AGENT_SYSTEM_LOG RESERVED_BIGINT1 bigint 8  √  null
V_AGENT_TRAFFIC_LOG RESERVED_BIGINT1 bigint 8  √  null
V_DOMAINS RESERVED_BIGINT1 bigint 8  √  null
V_ENFORCER_CLIENT_LOG RESERVED_BIGINT1 bigint 8  √  null
V_ENFORCER_SYSTEM_LOG RESERVED_BIGINT1 bigint 8  √  null
V_ENFORCER_TRAFFIC_LOG RESERVED_BIGINT1 bigint 8  √  null
V_GROUPS RESERVED_BIGINT1 bigint 8  √  null
V_LAN_DEVICE_DETECTED RESERVED_BIGINT1 bigint 8  √  null
V_LAN_DEVICE_EXCLUDED RESERVED_BIGINT1 bigint 8  √  null
V_SEM_COMPUTER RESERVED_BIGINT1 bigint 8  √  null
V_SERVER_ADMIN_LOG RESERVED_BIGINT1 bigint 8  √  null
V_SERVER_CLIENT_LOG RESERVED_BIGINT1 bigint 8  √  null
V_SERVER_ENFORCER_LOG RESERVED_BIGINT1 bigint 8  √  null
V_SERVER_POLICY_LOG RESERVED_BIGINT1 bigint 8  √  null
V_SERVER_SYSTEM_LOG RESERVED_BIGINT1 bigint 8  √  null
V_SERVERS RESERVED_BIGINT1 bigint 8  √  null
AGENT_BEHAVIOR_LOG_1 RESERVED_BIGINT2 bigint 8  √  null
AGENT_BEHAVIOR_LOG_2 RESERVED_BIGINT2 bigint 8  √  null
AGENT_PACKET_LOG_1 RESERVED_BIGINT2 bigint 8  √  null
AGENT_PACKET_LOG_2 RESERVED_BIGINT2 bigint 8  √  null
AGENT_SECURITY_LOG_1 RESERVED_BIGINT2 bigint 8  √  null
AGENT_SECURITY_LOG_2 RESERVED_BIGINT2 bigint 8  √  null
AGENT_SYSTEM_LOG_1 RESERVED_BIGINT2 bigint 8  √  null
AGENT_SYSTEM_LOG_2 RESERVED_BIGINT2 bigint 8  √  null
AGENT_TRAFFIC_LOG_1 RESERVED_BIGINT2 bigint 8  √  null
AGENT_TRAFFIC_LOG_2 RESERVED_BIGINT2 bigint 8  √  null
BASIC_METADATA RESERVED_BIGINT2 bigint 8  √  null
BINARY_FILE RESERVED_BIGINT2 bigint 8  √  null
COMMAND RESERVED_BIGINT2 bigint 8  √  null
COMPUTER_APPLICATION RESERVED_BIGINT2 bigint 8  √  null
ENFORCER_CLIENT_LOG_1 RESERVED_BIGINT2 bigint 8  √  null
ENFORCER_CLIENT_LOG_2 RESERVED_BIGINT2 bigint 8  √  null
ENFORCER_SYSTEM_LOG_1 RESERVED_BIGINT2 bigint 8  √  null
ENFORCER_SYSTEM_LOG_2 RESERVED_BIGINT2 bigint 8  √  null
ENFORCER_TRAFFIC_LOG_1 RESERVED_BIGINT2 bigint 8  √  null
ENFORCER_TRAFFIC_LOG_2 RESERVED_BIGINT2 bigint 8  √  null
IDENTITY_MAP RESERVED_BIGINT2 bigint 8  √  null
LAN_DEVICE_DETECTED RESERVED_BIGINT2 bigint 8  √  null
LAN_DEVICE_EXCLUDED RESERVED_BIGINT2 bigint 8  √  null
LEGACY_AGENT RESERVED_BIGINT2 bigint 8  √  null
LOCAL_METADATA RESERVED_BIGINT2 bigint 8  √  null
LOG_CONFIG RESERVED_BIGINT2 bigint 8  √  null
REPORTS RESERVED_BIGINT2 bigint 8  √  null
SEM_AGENT RESERVED_BIGINT2 bigint 8  √  null
SEM_APPLICATION RESERVED_BIGINT2 bigint 8  √  null
SEM_CLIENT RESERVED_BIGINT2 bigint 8  √  null
SEM_COMPUTER RESERVED_BIGINT2 bigint 8  √  null
SEM_JOB RESERVED_BIGINT2 bigint 8  √  null
SEM_SVA RESERVED_BIGINT2 bigint 8  √  null
SEM_SVA_CLIENT RESERVED_BIGINT2 bigint 8  √  null
SEM_SVA_COMPUTER RESERVED_BIGINT2 bigint 8  √  null
SERVER_ADMIN_LOG_1 RESERVED_BIGINT2 bigint 8  √  null
SERVER_ADMIN_LOG_2 RESERVED_BIGINT2 bigint 8  √  null
SERVER_CLIENT_LOG_1 RESERVED_BIGINT2 bigint 8  √  null
SERVER_CLIENT_LOG_2 RESERVED_BIGINT2 bigint 8  √  null
SERVER_ENFORCER_LOG_1 RESERVED_BIGINT2 bigint 8  √  null
SERVER_ENFORCER_LOG_2 RESERVED_BIGINT2 bigint 8  √  null
SERVER_POLICY_LOG_1 RESERVED_BIGINT2 bigint 8  √  null
SERVER_POLICY_LOG_2 RESERVED_BIGINT2 bigint 8  √  null
SERVER_SYSTEM_LOG_1 RESERVED_BIGINT2 bigint 8  √  null
SERVER_SYSTEM_LOG_2 RESERVED_BIGINT2 bigint 8  √  null
SYSTEM_STATE RESERVED_BIGINT2 bigint 8  √  null
V_AGENT_BEHAVIOR_LOG RESERVED_BIGINT2 bigint 8  √  null
V_AGENT_PACKET_LOG RESERVED_BIGINT2 bigint 8  √  null
V_AGENT_SECURITY_LOG RESERVED_BIGINT2 bigint 8  √  null
V_AGENT_SYSTEM_LOG RESERVED_BIGINT2 bigint 8  √  null
V_AGENT_TRAFFIC_LOG RESERVED_BIGINT2 bigint 8  √  null
V_DOMAINS RESERVED_BIGINT2 bigint 8  √  null
V_ENFORCER_CLIENT_LOG RESERVED_BIGINT2 bigint 8  √  null
V_ENFORCER_SYSTEM_LOG RESERVED_BIGINT2 bigint 8  √  null
V_ENFORCER_TRAFFIC_LOG RESERVED_BIGINT2 bigint 8  √  null
V_GROUPS RESERVED_BIGINT2 bigint 8  √  null
V_LAN_DEVICE_DETECTED RESERVED_BIGINT2 bigint 8  √  null
V_LAN_DEVICE_EXCLUDED RESERVED_BIGINT2 bigint 8  √  null
V_SEM_COMPUTER RESERVED_BIGINT2 bigint 8  √  null
V_SERVER_ADMIN_LOG RESERVED_BIGINT2 bigint 8  √  null
V_SERVER_CLIENT_LOG RESERVED_BIGINT2 bigint 8  √  null
V_SERVER_ENFORCER_LOG RESERVED_BIGINT2 bigint 8  √  null
V_SERVER_POLICY_LOG RESERVED_BIGINT2 bigint 8  √  null
V_SERVER_SYSTEM_LOG RESERVED_BIGINT2 bigint 8  √  null
V_SERVERS RESERVED_BIGINT2 bigint 8  √  null
ALERTS SCAN_ID bigint 8 ((0)) Pointer to scan table event that picked up this event
SCANS SCAN_ID bigint 8 ((0)) Scan ID provided by agent
V_ALERTS SCAN_ID bigint 8
INVENTORYCURRENTRISK1 SCAN_TIME bigint 8 ((0)) Last scan time
SE_GLOBAL SEQ_NUM bigint 8 The latest USN on the site
ALERTS SOURCE_COMPUTER_IP bigint 8 ((0)) This is the source of the threat. This is logged when threat tracer is enabled in the AV policy.
V_ALERTS SOURCE_COMPUTER_IP bigint 8
LICENSE START_DATE bigint 8 License start date time, read from license file
LAN_DEVICE_EXCLUDED SUBNET_MASK bigint 8  √  null Subnet mask of the device
V_LAN_DEVICE_EXCLUDED SUBNET_MASK bigint 8  √  null
SEM_COMPUTER SUBNET_MASK1 bigint 8  √  null
SEM_SVA_COMPUTER SUBNET_MASK1 bigint 8  √  null
V_SEM_COMPUTER SUBNET_MASK1 bigint 8  √  null
SEM_COMPUTER SUBNET_MASK2 bigint 8  √  null
SEM_SVA_COMPUTER SUBNET_MASK2 bigint 8  √  null
V_SEM_COMPUTER SUBNET_MASK2 bigint 8  √  null
SEM_COMPUTER SUBNET_MASK3 bigint 8  √  null
SEM_SVA_COMPUTER SUBNET_MASK3 bigint 8  √  null
V_SEM_COMPUTER SUBNET_MASK3 bigint 8  √  null
SEM_COMPUTER SUBNET_MASK4 bigint 8  √  null
SEM_SVA_COMPUTER SUBNET_MASK4 bigint 8  √  null
V_SEM_COMPUTER SUBNET_MASK4 bigint 8  √  null
LOG_CONFIG SWITCH_TIME bigint 8  √  null Last log switch time
SCANS THREATS bigint 8 ((0)) Number of threats that the scan found
AGENT_BEHAVIOR_LOG_1 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
AGENT_BEHAVIOR_LOG_2 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
AGENT_PACKET_LOG_1 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
AGENT_PACKET_LOG_2 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
AGENT_SECURITY_LOG_1 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
AGENT_SECURITY_LOG_2 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
AGENT_SYSTEM_LOG_1 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
AGENT_SYSTEM_LOG_2 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
AGENT_TRAFFIC_LOG_1 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
AGENT_TRAFFIC_LOG_2 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
ALERTFILTER TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
ALERTS TIME_STAMP bigint 8 ((0)) The time when the event is logged into system or updated in the system (GMT), which is server side time
ANOMALYDETECTION TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
ANOMALYDETECTIONS TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
ANOMALYREMEDIATION TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
ANOMALYREMEDIATIONS TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
AUDIT_REPORT TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
BASIC_METADATA TIME_STAMP bigint 8 Time that the record was modified; used to resolve merge conflict.
BEHAVIOR_REPORT TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
BINARY_FILE TIME_STAMP bigint 8 Time that the record was modified; used to resolve merge conflict
COMMAND TIME_STAMP bigint 8 The time when the command is added into system (GMT), which is server side time
COMMAND_REPORT TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
COMPLIANCE_REPORT TIME_STAMP bigint 8 ((0)) Time that the record was modified
COMPUTER_APPLICATION TIME_STAMP bigint 8 Time that the record was modified; used to resolve merge conflict
ENFORCER_CLIENT_LOG_1 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
ENFORCER_CLIENT_LOG_2 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
ENFORCER_SYSTEM_LOG_1 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
ENFORCER_SYSTEM_LOG_2 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
ENFORCER_TRAFFIC_LOG_1 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
ENFORCER_TRAFFIC_LOG_2 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
FIREWALL_REPORT TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
GROUP_LAN_SENSOR TIME_STAMP bigint 8
GUIPARMS TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
GUP_LIST TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
HISTORYCONFIG TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
HOMEPAGECONFIG TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
HPP_ALERTS TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
HPP_APPLICATION TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
INVENTORYCURRENTRISK1 TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
INVENTORYREPORT TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
LAN_DEVICE_DETECTED TIME_STAMP bigint 8 Time that the record was modified; used to resolve merge conflict
LAN_DEVICE_EXCLUDED TIME_STAMP bigint 8 Time that the record was modified; used to resolve merge conflict
LEGACY_AGENT TIME_STAMP bigint 8 Time that the record was modified; used to resolve merge conflict
LICENSE TIME_STAMP bigint 8 Time that the record was modified; used to resolve merge conflict
LICENSE_CHAIN TIME_STAMP bigint 8 Time that the record was modified; used to resolve merge conflict
NOTIFICATION TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
NOTIFICATIONALERTS TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
NOTIFICATIONHISTORY TIME_STAMP bigint 8 ((0))
PATTERN TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
PROCESS_STATE TIME_STAMP bigint 8 The time when the data is inserted/updated into system (GMT), which is server side time
REPORTS TIME_STAMP bigint 8 Time that the record was modified; used to resolve merge conflict
SCANREPORT TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
SCANS TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
SCFINVENTORY TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
SEM_AGENT TIME_STAMP bigint 8 Time that the record was modified; used to resolve merge conflict
SEM_APPLICATION TIME_STAMP bigint 8 Time that the record was modified; used to resolve merge conflict
SEM_CLIENT TIME_STAMP bigint 8 Time that the record was modified; used to resolve merge conflict
SEM_COMPLIANCE_CRITERIA TIME_STAMP bigint 8 ((0)) Time that the record was modified; used to resolve merge conflict
SEM_COMPLIANCE_CRITERIA_2 TIME_STAMP bigint 8 ((0))
SEM_COMPUTER TIME_STAMP bigint 8 Time that the record was modified; used to resolve merge conflict
SEM_CONTENT TIME_STAMP bigint 8 ((0)) Time that the record was modified; used to resolve merge conflict
SEM_JOB TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
SEM_OS_INFO TIME_STAMP bigint 8 ((0)) Time that the record was modified; used to resolve merge conflict
SEM_SVA TIME_STAMP bigint 8
SEM_SVA_CLIENT TIME_STAMP bigint 8
SEM_SVA_COMPUTER TIME_STAMP bigint 8
SERVER_ADMIN_LOG_1 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
SERVER_ADMIN_LOG_2 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
SERVER_CLIENT_LOG_1 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
SERVER_CLIENT_LOG_2 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
SERVER_ENFORCER_LOG_1 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
SERVER_ENFORCER_LOG_2 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
SERVER_POLICY_LOG_1 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
SERVER_POLICY_LOG_2 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
SERVER_SYSTEM_LOG_1 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
SERVER_SYSTEM_LOG_2 TIME_STAMP bigint 8 The time when the event is logged into system (GMT), which is server side time
SYSTEM_REPORT TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
SYSTEM_STATE TIME_STAMP bigint 8 Time that the record was modified; used to resolve merge conflict
THREATREPORT TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
V_AGENT_BEHAVIOR_LOG TIME_STAMP bigint 8
V_AGENT_PACKET_LOG TIME_STAMP bigint 8
V_AGENT_SECURITY_LOG TIME_STAMP bigint 8
V_AGENT_SYSTEM_LOG TIME_STAMP bigint 8
V_AGENT_TRAFFIC_LOG TIME_STAMP bigint 8
V_ALERTS TIME_STAMP bigint 8
V_CLIENT_CHANGE_LOG TIME_STAMP bigint 8  √  null
V_ENFORCER_CLIENT_LOG TIME_STAMP bigint 8
V_ENFORCER_SYSTEM_LOG TIME_STAMP bigint 8
V_ENFORCER_TRAFFIC_LOG TIME_STAMP bigint 8
V_LAN_DEVICE_DETECTED TIME_STAMP bigint 8
V_LAN_DEVICE_EXCLUDED TIME_STAMP bigint 8
V_SECURITY_VIEW TIME_STAMP bigint 8
V_SEM_COMPUTER TIME_STAMP bigint 8
V_SEM_CONTENT TIME_STAMP bigint 8
V_SERVER_ADMIN_LOG TIME_STAMP bigint 8
V_SERVER_CLIENT_LOG TIME_STAMP bigint 8
V_SERVER_ENFORCER_LOG TIME_STAMP bigint 8
V_SERVER_POLICY_LOG TIME_STAMP bigint 8
V_SERVER_SYSTEM_LOG TIME_STAMP bigint 8
V_VIRUS TIME_STAMP bigint 8
VIRUS TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
VIRUSCATEGORY TIME_STAMP bigint 8 ((0)) The time when the event is logged into system (GMT), which is server side time
SCANS TOTALFILES bigint 8 ((0)) Number of files scanned
NOTIFICATION TRIGGERED bigint 8 ((0)) Time when alert was last triggered
AGENT_BEHAVIOR_LOG_1 USN bigint 8 A USN-based serial number; this ID is not unique.
AGENT_BEHAVIOR_LOG_2 USN bigint 8 A USN-based serial number; this ID is not unique.
AGENT_PACKET_LOG_1 USN bigint 8 A USN-based serial number; this ID is not unique.
AGENT_PACKET_LOG_2 USN bigint 8 A USN-based serial number; this ID is not unique.
AGENT_SECURITY_LOG_1 USN bigint 8 A USN-based serial number; this ID is not unique.
AGENT_SECURITY_LOG_2 USN bigint 8 A USN-based serial number; this ID is not unique.
AGENT_SYSTEM_LOG_1 USN bigint 8 A USN-based serial number; this ID is not unique.
AGENT_SYSTEM_LOG_2 USN bigint 8 A USN-based serial number; this ID is not unique.
AGENT_TRAFFIC_LOG_1 USN bigint 8 A USN-based serial number; this ID is not unique.
AGENT_TRAFFIC_LOG_2 USN bigint 8 A USN-based serial number; this ID is not unique.
ALERTFILTER USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
ALERTS USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
ANOMALYDETECTION USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
ANOMALYDETECTIONS USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
ANOMALYREMEDIATION USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
ANOMALYREMEDIATIONS USN bigint 8 ((1)) A USN-based serial number; this ID is not unique
AUDIT_REPORT USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
BASIC_METADATA USN bigint 8 Update serial number; used by replication
BEHAVIOR_REPORT USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
BINARY_FILE USN bigint 8 Update serial number; used by replication
COMMAND USN bigint 8 Update serial number; used by replication
COMMAND_REPORT USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
COMPLIANCE_REPORT USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
COMPUTER_APPLICATION USN bigint 8 Update serial number; used by replication
ENFORCER_CLIENT_LOG_1 USN bigint 8 A USN-based serial number; this ID is not unique.
ENFORCER_CLIENT_LOG_2 USN bigint 8 A USN-based serial number; this ID is not unique.
ENFORCER_SYSTEM_LOG_1 USN bigint 8 A USN-based serial number; this ID is not unique.
ENFORCER_SYSTEM_LOG_2 USN bigint 8 A USN-based serial number; this ID is not unique.
ENFORCER_TRAFFIC_LOG_1 USN bigint 8 A USN-based serial number; this ID is not unique.
ENFORCER_TRAFFIC_LOG_2 USN bigint 8 A USN-based serial number; this ID is not unique.
FIREWALL_REPORT USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
GROUP_LAN_SENSOR USN bigint 8
GUIPARMS USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
GUP_LIST USN bigint 8 A USN-based serial number; this ID is not unique.
HISTORYCONFIG USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
HOMEPAGECONFIG USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
HPP_ALERTS USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
HPP_APPLICATION USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
INVENTORYCURRENTRISK1 USN bigint 8 ((1)) Update serial number; used to detect data change.
INVENTORYREPORT USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
LAN_DEVICE_DETECTED USN bigint 8 Update serial number; used by replication
LAN_DEVICE_EXCLUDED USN bigint 8 Update serial number; used by replication
LEGACY_AGENT USN bigint 8 Update serial number; used by replication
LICENSE USN bigint 8 Update serial number; used to detect data change
LICENSE_CHAIN USN bigint 8 Update serial number; used to detect data change
NOTIFICATION USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
NOTIFICATIONALERTS USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
NOTIFICATIONHISTORY USN bigint 8 ((1))
PATTERN USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
REPORTS USN bigint 8 Update serial number; used by replication
SCANREPORT USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
SCANS USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
SCFINVENTORY USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
SEM_AGENT USN bigint 8 Update serial number; used by replication
SEM_APPLICATION USN bigint 8 Update serial number; used by replication
SEM_CLIENT USN bigint 8 Update serial number; used by replication
SEM_COMPLIANCE_CRITERIA USN bigint 8 ((1)) Update serial number; used by replication
SEM_COMPLIANCE_CRITERIA_2 USN bigint 8 ((1))
SEM_COMPUTER USN bigint 8 Update serial number; used by replication
SEM_CONTENT USN bigint 8 ((1)) Update serial number; used by replication
SEM_JOB USN bigint 8 Update serial number; used by replication
SEM_OS_INFO USN bigint 8 ((1)) Update serial number; used by replication
SEM_SVA USN bigint 8
SEM_SVA_CLIENT USN bigint 8
SEM_SVA_COMPUTER USN bigint 8
SERVER_ADMIN_LOG_1 USN bigint 8 A USN-based serial number; this ID is not unique.
SERVER_ADMIN_LOG_2 USN bigint 8 A USN-based serial number; this ID is not unique.
SERVER_CLIENT_LOG_1 USN bigint 8 A USN-based serial number; this ID is not unique.
SERVER_CLIENT_LOG_2 USN bigint 8 A USN-based serial number; this ID is not unique.
SERVER_ENFORCER_LOG_1 USN bigint 8 A USN-based serial number; this ID is not unique.
SERVER_ENFORCER_LOG_2 USN bigint 8 A USN-based serial number; this ID is not unique.
SERVER_POLICY_LOG_1 USN bigint 8 A USN-based serial number; this ID is not unique.
SERVER_POLICY_LOG_2 USN bigint 8 A USN-based serial number; this ID is not unique.
SERVER_SYSTEM_LOG_1 USN bigint 8 A USN-based serial number; this ID is not unique.
SERVER_SYSTEM_LOG_2 USN bigint 8 A USN-based serial number; this ID is not unique.
SYSTEM_REPORT USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
SYSTEM_STATE USN bigint 8 Update serial number; used by replication
THREATREPORT USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
V_AGENT_BEHAVIOR_LOG USN bigint 8
V_AGENT_PACKET_LOG USN bigint 8
V_AGENT_SECURITY_LOG USN bigint 8
V_AGENT_SYSTEM_LOG USN bigint 8
V_AGENT_TRAFFIC_LOG USN bigint 8
V_ALERTS USN bigint 8
V_ENFORCER_CLIENT_LOG USN bigint 8
V_ENFORCER_SYSTEM_LOG USN bigint 8
V_ENFORCER_TRAFFIC_LOG USN bigint 8
V_LAN_DEVICE_DETECTED USN bigint 8
V_LAN_DEVICE_EXCLUDED USN bigint 8
V_SEM_COMPUTER USN bigint 8
V_SEM_CONTENT USN bigint 8
V_SERVER_ADMIN_LOG USN bigint 8
V_SERVER_CLIENT_LOG USN bigint 8
V_SERVER_ENFORCER_LOG USN bigint 8
V_SERVER_POLICY_LOG USN bigint 8
V_SERVER_SYSTEM_LOG USN bigint 8
V_VIRUS USN bigint 8
VIRUS USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
VIRUSCATEGORY USN bigint 8 ((1)) A USN-based serial number; this ID is not unique.
SEM_REPLICATION_STATE USN_LIFETIME bigint 8 Caches USN life time.
ALERTS VBIN_ID bigint 8 ((0)) Client-side ID of the quarantined threat if quarantined
V_ALERTS VBIN_ID bigint 8
V_VIRUS VID bigint 8
VIRUS VID bigint 8 ((0)) Unique identifier for a virus set by Security Response
LICENSE WARN_DATE bigint 8  √  null The date to start the warning window, computed based on end date and warn policy (end date - warn days)
LICENSE_CHAIN WARN_DATE bigint 8  √  null The date to start the warning window, computed based on end date and warn policy (end date - warn days)
LICENSE WARN_POLICY bigint 8 Number of days, prior to end, to start the warning. Read from license file
SEM_COMPUTER WINS_SERVER1 bigint 8  √  null
SEM_SVA_COMPUTER WINS_SERVER1 bigint 8  √  null
V_SEM_COMPUTER WINS_SERVER1 bigint 8  √  null
SEM_COMPUTER WINS_SERVER2 bigint 8  √  null
SEM_SVA_COMPUTER WINS_SERVER2 bigint 8  √  null
V_SEM_COMPUTER WINS_SERVER2 bigint 8  √  null
CONNECTION_TEST STATUS char 1  √  null Not specified
LICENSE TYPE char 1 License type
ALERTFILTER USERELATIVE char 2 ('on') Use relative dates ('on') or absolute dates
AUDIT_REPORT USERELATIVE char 2 ('on') Use relative dates ('on') or absolute dates
BEHAVIOR_REPORT USERELATIVE char 2 ('on') Use relative dates ('on') or absolute dates
COMMAND_REPORT USERELATIVE char 2 ('on') Use relative dates ('on') or absolute dates
COMPLIANCE_REPORT USERELATIVE char 2 ('on') Use relative dates ('on') or absolute dates
FIREWALL_REPORT USERELATIVE char 2 ('on') Use relative dates ('on') or absolute dates
INVENTORYREPORT USERELATIVE char 2 ('on') Use relative dates ('on') or absolute dates
SCANREPORT USERELATIVE char 2 ('on') Use relative dates ('on') or absolute dates
SYSTEM_REPORT USERELATIVE char 2 ('on') Use relative dates ('on') or absolute dates
THREATREPORT USERELATIVE char 2 ('on') Use relative dates ('on') or absolute dates
VERSION VERSION char 10 Version of Reporting
LICENSE FULFILLMENT_ID char 16 License fulfilment id, read from license file
LICENSE SERIAL_ID char 16 License serial id, read from license file
LICENSE SERIAL_NUM char 16 License serial number, read from license file
VERSION PRODUCT char 20
NOTIFICATIONALERTS ACKNOWLEDGED_USERID char 32 ('') GUID of user who acknowledged this notification
ANOMALYDETECTION ACTION_OPERAND_HASH char 32  √  null Hash value for the column ACTION_OPERAND
ANOMALYREMEDIATION ACTION_OPERAND_HASH char 32  √  null Hash value for the column ACTION_OPERAND
SERVER_POLICY_LOG_1 ADMIN_ID char 32 GUID of the administrator who is modifying the policy
SERVER_POLICY_LOG_2 ADMIN_ID char 32 GUID of the administrator who is modifying the policy
V_SERVER_POLICY_LOG ADMIN_ID char 32
ADMIN_GROUP_REFRESH_INFO ADMINCONTEXT_ID char 32
AGENT_BEHAVIOR_LOG_1 AGENT_ID char 32  √  null GUID of the agent
AGENT_BEHAVIOR_LOG_2 AGENT_ID char 32  √  null GUID of the agent
AGENT_PACKET_LOG_1 AGENT_ID char 32  √  null GUID of the agent
AGENT_PACKET_LOG_2 AGENT_ID char 32  √  null GUID of the agent
AGENT_SECURITY_LOG_1 AGENT_ID char 32  √  null GUID of the agent
AGENT_SECURITY_LOG_2 AGENT_ID char 32  √  null GUID of the agent
AGENT_SYSTEM_LOG_1 AGENT_ID char 32  √  null GUID of the agent
AGENT_SYSTEM_LOG_2 AGENT_ID char 32  √  null GUID of the agent
AGENT_TRAFFIC_LOG_1 AGENT_ID char 32  √  null GUID of the agent
AGENT_TRAFFIC_LOG_2 AGENT_ID char 32  √  null GUID of the agent
COMPUTER_APPLICATION AGENT_ID char 32 GUID of the agent
LAN_DEVICE_DETECTED AGENT_ID char 32 GUID of the agent
LEGACY_AGENT AGENT_ID char 32 GUID in the SEM_AGENT table
SCFINVENTORY AGENT_ID char 32
SEM_AGENT AGENT_ID char 32
SEM_CONTENT AGENT_ID char 32 GUID of the agent
SERVER_CLIENT_LOG_1 AGENT_ID char 32 GUID of the agent
SERVER_CLIENT_LOG_2 AGENT_ID char 32 GUID of the agent
V_AGENT_BEHAVIOR_LOG AGENT_ID char 32  √  null
V_AGENT_PACKET_LOG AGENT_ID char 32  √  null
V_AGENT_SECURITY_LOG AGENT_ID char 32  √  null
V_AGENT_SYSTEM_LOG AGENT_ID char 32  √  null
V_AGENT_TRAFFIC_LOG AGENT_ID char 32  √  null
V_LAN_DEVICE_DETECTED AGENT_ID char 32
V_SECURITY_VIEW AGENT_ID char 32  √  null
V_SEM_CONTENT AGENT_ID char 32
V_SERVER_CLIENT_LOG AGENT_ID char 32
AGENT_SECURITY_LOG_1 AGENT_SECURITY_LOG_IDX char 32  √  null Log index unique ID
AGENT_SECURITY_LOG_2 AGENT_SECURITY_LOG_IDX char 32  √  null Log index unique ID
SEM_COMPLIANCE_CRITERIA AGENT_SECURITY_LOG_IDX char 32 Foreign key to V_AGENT_SECURITY.AGENT_SECURITY_LOG_IDX
SEM_COMPLIANCE_CRITERIA_2 AGENT_SECURITY_LOG_IDX char 32
V_AGENT_SECURITY_LOG AGENT_SECURITY_LOG_IDX char 32  √  null
ANOMALYDETECTIONS ALERT_EVENT_IDX char 32 Foreign key to ALERTS.IDX
ANOMALYREMEDIATIONS ALERT_EVENT_IDX char 32 Foreign key to ALERTS.IDX
ALERTFILTER ALERTFILTER_IDX char 32
ANOMALYDETECTION ANOMALY_DETECTION_IDX char 32
ANOMALYDETECTIONS ANOMALY_DETECTION_IDX char 32 Pointer to table 'anomalydetection'
ANOMALYREMEDIATION ANOMALY_REMEDIATION_IDX char 32
ANOMALYREMEDIATIONS ANOMALY_REMEDIATION_IDX char 32 Pointer to table 'anomalyremediation'
COMPUTER_APPLICATION APP_HASH char 32 Hash value of the learned application record
SEM_APPLICATION APP_HASH char 32 Checksum of the learned application. Including name, path, file checksum, file size and so on.
HPP_APPLICATION APP_IDX char 32
AUDIT_REPORT AUDITFILTER_IDX char 32
BEHAVIOR_REPORT BEHAVIORFILTER_IDX char 32
LICENSE CHAINID char 32 foreign key to LICENSE_CHAIN table
BASIC_METADATA CHECKSUM char 32 Checksum of XML content
BINARY_FILE CHECKSUM char 32  √  null Checksum of XML content
LICENSE_CHAIN CHECKSUM char 32 foreign key to LICENSE_CHAIN table
LOCAL_METADATA CHECKSUM char 32  √  null Checksum of XML content
REPORTS CHECKSUM char 32 Checksum of XML content
SEM_APPLICATION CHECKSUM char 32 File checksum of the application binary
SYSTEM_STATE CHECKSUM char 32 Checksum of XML content
ENFORCER_CLIENT_LOG_1 CLIENT_ID char 32  √  null Not used (logged as '')
ENFORCER_CLIENT_LOG_2 CLIENT_ID char 32  √  null Not used (logged as '')
ENFORCER_TRAFFIC_LOG_1 CLIENT_ID char 32  √  null Not used (logged as '')
ENFORCER_TRAFFIC_LOG_2 CLIENT_ID char 32  √  null Not used (logged as '')
LEGACY_AGENT CLIENT_ID char 32 GUID in the SEM_CLIENT table
SEM_CLIENT CLIENT_ID char 32
SEM_SVA_CLIENT CLIENT_ID char 32
SERVER_ADMIN_LOG_1 CLIENT_ID char 32  √  null GUID of the client to which the log belongs
SERVER_ADMIN_LOG_2 CLIENT_ID char 32  √  null GUID of the client to which the log belongs
SERVER_CLIENT_LOG_1 CLIENT_ID char 32  √  null GUID of the client to which the log belongs
SERVER_CLIENT_LOG_2 CLIENT_ID char 32  √  null GUID of the client to which the log belongs
V_CLIENT_CHANGE_LOG CLIENT_ID char 32
V_ENFORCER_CLIENT_LOG CLIENT_ID char 32  √  null
V_ENFORCER_TRAFFIC_LOG CLIENT_ID char 32  √  null
V_SERVER_ADMIN_LOG CLIENT_ID char 32  √  null
V_SERVER_CLIENT_LOG CLIENT_ID char 32  √  null
ALERTS CLIENTGROUP_IDX char 32 ('') Pointer to table 'identity_map'; this is the SEPM group GUID
SCANS CLIENTGROUP_IDX char 32 ('') Pointer to table IDENTITY_MAP (group GUID)
V_ALERTS CLIENTGROUP_IDX char 32
COMMAND COMMAND_ID char 32
SEM_JOB COMMAND_ID char 32
COMMAND_REPORT COMMANDFILTER_IDX char 32
COMPLIANCE_REPORT COMPLIANCEFILTER_IDX char 32
AGENT_BEHAVIOR_LOG_1 COMPUTER_ID char 32 GUID of the client computer associated with the agent log
AGENT_BEHAVIOR_LOG_2 COMPUTER_ID char 32 GUID of the client computer associated with the agent log
AGENT_PACKET_LOG_1 COMPUTER_ID char 32 GUID of the client computer associated with the agent packet log
AGENT_PACKET_LOG_2 COMPUTER_ID char 32 GUID of the client computer associated with the agent packet log
AGENT_SECURITY_LOG_1 COMPUTER_ID char 32 GUID of the client computer associated with the agent security log
AGENT_SECURITY_LOG_2 COMPUTER_ID char 32 GUID of the client computer associated with the agent security log
AGENT_SYSTEM_LOG_1 COMPUTER_ID char 32 GUID of the client computer that is associated with the agent system log
AGENT_SYSTEM_LOG_2 COMPUTER_ID char 32 GUID of the client computer that is associated with the agent system log
AGENT_TRAFFIC_LOG_1 COMPUTER_ID char 32 GUID of the client computer that is associated with the agent traffic log
AGENT_TRAFFIC_LOG_2 COMPUTER_ID char 32 GUID of the client computer that is associated with the agent traffic log
COMPUTER_APPLICATION COMPUTER_ID char 32 GUID of the computer
GUP_LIST COMPUTER_ID char 32 Referencing Computer_ID in SEM_COMPUTER table
LAN_DEVICE_DETECTED COMPUTER_ID char 32 B1011
LEGACY_AGENT COMPUTER_ID char 32 GUID in the SEM_COMPUTER table
SEM_AGENT COMPUTER_ID char 32  √  null GUID of the register computer
SEM_CLIENT COMPUTER_ID char 32  √  null GUID of the register computer
SEM_COMPUTER COMPUTER_ID char 32
SEM_SVA COMPUTER_ID char 32  √  null
SEM_SVA_CLIENT COMPUTER_ID char 32  √  null
SEM_SVA_COMPUTER COMPUTER_ID char 32
V_AGENT_BEHAVIOR_LOG COMPUTER_ID char 32
V_AGENT_PACKET_LOG COMPUTER_ID char 32
V_AGENT_SECURITY_LOG COMPUTER_ID char 32
V_AGENT_SYSTEM_LOG COMPUTER_ID char 32
V_AGENT_TRAFFIC_LOG COMPUTER_ID char 32
V_CLIENT_CHANGE_LOG COMPUTER_ID char 32  √  null
V_LAN_DEVICE_DETECTED COMPUTER_ID char 32
V_SECURITY_VIEW COMPUTER_ID char 32
V_SEM_COMPUTER COMPUTER_ID char 32
ALERTS COMPUTER_IDX char 32 ('') Foreign key to SEM_COMPUTER.COMPUTER_ID
INVENTORYCURRENTRISK1 COMPUTER_IDX char 32
SCANS COMPUTER_IDX char 32 ('') Foreign key to SEM_COMPUTER.COMPUTER_ID
V_ALERTS COMPUTER_IDX char 32
SEM_COMPLIANCE_CRITERIA CRITERIA_IDX char 32
SEM_COMPLIANCE_CRITERIA_2 CRITERIA_IDX char 32
SEM_AGENT CURRENT_CLIENT_ID char 32  √  null Client that logs on this agent.
SEM_SVA CURRENT_CLIENT_ID char 32  √  null
ADMINUSER DOMAIN_ID char 32 ('') GUID representing currently logged in domain.
AGENT_BEHAVIOR_LOG_1 DOMAIN_ID char 32 GUID of the domain to which the log belongs
AGENT_BEHAVIOR_LOG_2 DOMAIN_ID char 32 GUID of the domain to which the log belongs
AGENT_PACKET_LOG_1 DOMAIN_ID char 32 GUID of the domain to which the log belongs
AGENT_PACKET_LOG_2 DOMAIN_ID char 32 GUID of the domain to which the log belongs
AGENT_SECURITY_LOG_1 DOMAIN_ID char 32 GUID of the domain to which the log belongs
AGENT_SECURITY_LOG_2 DOMAIN_ID char 32 GUID of the domain to which the log belongs
AGENT_SYSTEM_LOG_1 DOMAIN_ID char 32 GUID of the domain to which the log belongs
AGENT_SYSTEM_LOG_2 DOMAIN_ID char 32 GUID of the domain to which the log belongs
AGENT_TRAFFIC_LOG_1 DOMAIN_ID char 32 GUID of the domain to which the log belongs
AGENT_TRAFFIC_LOG_2 DOMAIN_ID char 32 GUID of the domain to which the log belongs
BASIC_METADATA DOMAIN_ID char 32  √  null GUID of the domain that the object belongs to. SemRootConfig and SemSite do not have DOMAIN_ID
BINARY_FILE DOMAIN_ID char 32  √  null GUID of the domain to which the binary file belongs
COMMAND DOMAIN_ID char 32 The domain ID currently being administered when the command is created
COMPUTER_APPLICATION DOMAIN_ID char 32 GUID of the domain to which the client computer belongs
ENFORCER_CLIENT_LOG_1 DOMAIN_ID char 32 Not used (logged as '00000000000000000000000000000000')
ENFORCER_CLIENT_LOG_2 DOMAIN_ID char 32 Not used (logged as '00000000000000000000000000000000')
ENFORCER_TRAFFIC_LOG_1 DOMAIN_ID char 32 Not used (logged as '00000000000000000000000000000000')
ENFORCER_TRAFFIC_LOG_2 DOMAIN_ID char 32 Not used (logged as '00000000000000000000000000000000')
GROUP_HI_STATUS DOMAIN_ID char 32 The domain name that the group belongs to.
IDENTITY_MAP DOMAIN_ID char 32  √  null GUID of the domain
REPORTS DOMAIN_ID char 32  √  null GUID of the domain to which the report belongs. The reports for system administrator do not have DOMAIN_ID
SEM_AGENT DOMAIN_ID char 32  √  null GUID of the domain
SEM_APPLICATION DOMAIN_ID char 32
SEM_CLIENT DOMAIN_ID char 32  √  null GUID of the domain
SEM_COMPUTER DOMAIN_ID char 32  √  null GUID of the domain
SEM_SVA DOMAIN_ID char 32  √  null
SEM_SVA_CLIENT DOMAIN_ID char 32  √  null
SEM_SVA_COMPUTER DOMAIN_ID char 32  √  null
SERVER_ADMIN_LOG_1 DOMAIN_ID char 32  √  null GUID of the domain to which the log belongs
SERVER_ADMIN_LOG_2 DOMAIN_ID char 32  √  null GUID of the domain to which the log belongs
SERVER_CLIENT_LOG_1 DOMAIN_ID char 32  √  null GUID of the domain to which the log belongs
SERVER_CLIENT_LOG_2 DOMAIN_ID char 32  √  null GUID of the domain to which the log belongs
SERVER_POLICY_LOG_1 DOMAIN_ID char 32  √  null GUID of the domain which was administered
SERVER_POLICY_LOG_2 DOMAIN_ID char 32  √  null GUID of the domain which was administered
SERVER_SYSTEM_LOG_1 DOMAIN_ID char 32  √  null Not used, logged as ''
SERVER_SYSTEM_LOG_2 DOMAIN_ID char 32  √  null Not used, logged as ''
SYSTEM_STATE DOMAIN_ID char 32  √  null GUID of the domain that the state object
V_AGENT_BEHAVIOR_LOG DOMAIN_ID char 32
V_AGENT_PACKET_LOG DOMAIN_ID char 32
V_AGENT_SECURITY_LOG DOMAIN_ID char 32
V_AGENT_SYSTEM_LOG DOMAIN_ID char 32
V_AGENT_TRAFFIC_LOG DOMAIN_ID char 32
V_CLIENT_CHANGE_LOG DOMAIN_ID char 32  √  null
V_DOMAINS DOMAIN_ID char 32  √  null
V_ENFORCER_CLIENT_LOG DOMAIN_ID char 32
V_ENFORCER_TRAFFIC_LOG DOMAIN_ID char 32
V_GROUPS DOMAIN_ID char 32  √  null
V_SECURITY_VIEW DOMAIN_ID char 32
V_SEM_COMPUTER DOMAIN_ID char 32  √  null
V_SERVER_ADMIN_LOG DOMAIN_ID char 32  √  null
V_SERVER_CLIENT_LOG DOMAIN_ID char 32  √  null
V_SERVER_POLICY_LOG DOMAIN_ID char 32  √  null
V_SERVER_SYSTEM_LOG DOMAIN_ID char 32  √  null
V_SERVERS DOMAIN_ID char 32  √  null
ENFORCER_CLIENT_LOG_1 ENFORCER_ID char 32 GUID of the Enforcer
ENFORCER_CLIENT_LOG_2 ENFORCER_ID char 32 GUID of the Enforcer
ENFORCER_SYSTEM_LOG_1 ENFORCER_ID char 32 GUID of the Enforcer
ENFORCER_SYSTEM_LOG_2 ENFORCER_ID char 32 GUID of the Enforcer
ENFORCER_TRAFFIC_LOG_1 ENFORCER_ID char 32 GUID of the Enforcer
ENFORCER_TRAFFIC_LOG_2 ENFORCER_ID char 32 GUID of the Enforcer
SERVER_ENFORCER_LOG_1 ENFORCER_ID char 32 GUID of the Enforcer
SERVER_ENFORCER_LOG_2 ENFORCER_ID char 32 GUID of the Enforcer
V_ENFORCER_CLIENT_LOG ENFORCER_ID char 32
V_ENFORCER_SYSTEM_LOG ENFORCER_ID char 32
V_ENFORCER_TRAFFIC_LOG ENFORCER_ID char 32
V_SERVER_ENFORCER_LOG ENFORCER_ID char 32
LAN_DEVICE_EXCLUDED EXCLUDED_ID char 32
V_LAN_DEVICE_EXCLUDED EXCLUDED_ID char 32
INVENTORYCURRENTRISK1 FILE_KEY char 32
HISTORYCONFIG FILTER_USER_ID char 32  √  ('') Filter user ID
FIREWALL_REPORT FIREWALLFILTER_IDX char 32
ADMIN_GROUPS GROUP_ID char 32
AGENT_BEHAVIOR_LOG_1 GROUP_ID char 32 GUID of the group to which the log belongs
AGENT_BEHAVIOR_LOG_2 GROUP_ID char 32 GUID of the group to which the log belongs
AGENT_PACKET_LOG_1 GROUP_ID char 32 GUID of the group to which the log belongs
AGENT_PACKET_LOG_2 GROUP_ID char 32 GUID of the group to which the log belongs
AGENT_SECURITY_LOG_1 GROUP_ID char 32 GUID of the group to which the log belongs
AGENT_SECURITY_LOG_2 GROUP_ID char 32 GUID of the group to which the log belongs
AGENT_SYSTEM_LOG_1 GROUP_ID char 32 GUID of the group to which the log belongs
AGENT_SYSTEM_LOG_2 GROUP_ID char 32 GUID of the group to which the log belongs
AGENT_TRAFFIC_LOG_1 GROUP_ID char 32 GUID of the group to which the log belongs
AGENT_TRAFFIC_LOG_2 GROUP_ID char 32 GUID of the group to which the log belongs
COMPUTER_APPLICATION GROUP_ID char 32 Group GUID
GROUP_HI_STATUS GROUP_ID char 32
GROUP_LAN_SENSOR GROUP_ID char 32
SEM_AGENT GROUP_ID char 32  √  null Current group GUID of the agent
SEM_CLIENT GROUP_ID char 32  √  null GUID of the group
SEM_SVA GROUP_ID char 32  √  null
SEM_SVA_CLIENT GROUP_ID char 32  √  null
SERIAL_NUMBERS GROUP_ID char 32 GUID of a group
V_AGENT_BEHAVIOR_LOG GROUP_ID char 32
V_AGENT_PACKET_LOG GROUP_ID char 32
V_AGENT_SECURITY_LOG GROUP_ID char 32
V_AGENT_SYSTEM_LOG GROUP_ID char 32
V_AGENT_TRAFFIC_LOG GROUP_ID char 32
V_CLIENT_CHANGE_LOG GROUP_ID char 32  √  null
V_SECURITY_VIEW GROUP_ID char 32
V_SERVER_CLIENT_LOG GROUP_ID char 32  √  null
GUP_LIST GUP_ID char 32
AGENT_BEHAVIOR_LOG_1 HARDWARE_KEY char 32  √  null Hash of Computer Hardware information
AGENT_BEHAVIOR_LOG_2 HARDWARE_KEY char 32  √  null Hash of Computer Hardware information
AGENT_PACKET_LOG_1 HARDWARE_KEY char 32  √  null Hash of Computer Hardware information
AGENT_PACKET_LOG_2 HARDWARE_KEY char 32  √  null Hash of Computer Hardware information
AGENT_SECURITY_LOG_1 HARDWARE_KEY char 32  √  null Hash of Computer Hardware information
AGENT_SECURITY_LOG_2 HARDWARE_KEY char 32  √  null Hash of Computer Hardware information
AGENT_SYSTEM_LOG_1 HARDWARE_KEY char 32  √  null Hash of Computer Hardware information
AGENT_SYSTEM_LOG_2 HARDWARE_KEY char 32  √  null Hash of Computer Hardware information
AGENT_TRAFFIC_LOG_1 HARDWARE_KEY char 32  √  null Hash of Computer Hardware information
AGENT_TRAFFIC_LOG_2 HARDWARE_KEY char 32  √  null Hash of Computer Hardware information
COMMAND HARDWARE_KEY char 32
SEM_CLIENT HARDWARE_KEY char 32  √  null Hash of Computer Hardware information
SEM_COMPUTER HARDWARE_KEY char 32  √  null Hash of computer hardware information
SEM_SVA_CLIENT HARDWARE_KEY char 32  √  null
SEM_SVA_COMPUTER HARDWARE_KEY char 32  √  null
V_AGENT_BEHAVIOR_LOG HARDWARE_KEY char 32  √  null
V_AGENT_PACKET_LOG HARDWARE_KEY char 32  √  null
V_AGENT_SECURITY_LOG HARDWARE_KEY char 32  √  null
V_AGENT_SYSTEM_LOG HARDWARE_KEY char 32  √  null
V_AGENT_TRAFFIC_LOG HARDWARE_KEY char 32  √  null
V_SEM_COMPUTER HARDWARE_KEY char 32  √  null
LAN_DEVICE_DETECTED HASH char 32 Link with the computer HARDWARE_KEY
LAN_DEVICE_EXCLUDED HASH char 32 Link with the computer HARDWARE_KEY
SEM_CLIENT HASH char 32 Hash of POLICY_MODE,COMPUTER_NAME,COMPUTER_DOMAIN_NAME,USER_NAME,USER_DOMAIN_NAME
SEM_SVA_CLIENT HASH char 32
V_LAN_DEVICE_DETECTED HASH char 32
V_LAN_DEVICE_EXCLUDED HASH char 32
HPP_APPLICATION HELP_VIRUS_IDX char 32  √  null Foreign key to VIRUS table which provides help ID for online Symantec write-up
ENFORCER_CLIENT_LOG_1 HI_STATUS char 32  √  null Host Integrity Status of SNAC agent
ENFORCER_CLIENT_LOG_2 HI_STATUS char 32  √  null Host Integrity Status of SNAC agent
V_ENFORCER_CLIENT_LOG HI_STATUS char 32  √  null
HISTORY HISTORY_IDX char 32
HISTORY HISTORYCONFIG_IDX char 32 ('') Pointer to historyconfig table
HISTORYCONFIG HISTORYCONFIG_IDX char 32
HOMEPAGECONFIG HOMEPAGECONFIG_IDX char 32
ANOMALYDETECTIONS ID char 32
ANOMALYREMEDIATIONS ID char 32 (upper(replace(newid(),'-','')))
BASIC_METADATA ID char 32
BINARY_FILE ID char 32
IDENTITY_MAP ID char 32
LICENSE ID char 32
LICENSE_CHAIN ID char 32
LOCAL_METADATA ID char 32
PROCESS_STATE ID char 32
REPORTS ID char 32
SYSTEM_STATE ID char 32
V_DOMAINS ID char 32
V_GROUPS ID char 32
V_SERVERS ID char 32
SEM_AGENT IDS_CHECKSUM char 32  √  null Current IDS checksum of agent
AGENTSTATUS IDX char 32
ALERTS IDX char 32
DATA_HANDLER IDX char 32
HPP_ALERTS IDX char 32
NOTIFICATIONALERTS IDX char 32
NOTIFICATIONHISTORY IDX char 32
V_ALERTS IDX char 32
INVENTORYREPORT INVENTORYFILTER_IDX char 32
LAN_DEVICE_DETECTED LAN_DEVICE_ID char 32 GUID of the device
V_LAN_DEVICE_DETECTED LAN_DEVICE_ID char 32
ALERTS LAST_LOG_SESSION_GUID char 32 ('') This is an ID used by the client to keep track of related threat events.
V_ALERTS LAST_LOG_SESSION_GUID char 32
SEM_AGENT LAST_SERVER_ID char 32  √  null Last connected server GUID
SEM_SVA LAST_SERVER_ID char 32  √  null
SEM_AGENT LAST_SITE_ID char 32  √  null Last connected site GUID
SEM_SVA LAST_SITE_ID char 32  √  null
LEGACY_AGENT LEGACY_AGENT_ID char 32
SEM_AGENT LICENSE_ID char 32  √  null SEP license ID
SEM_REPLICATION_STATE LOCAL_SERVER_ID char 32 GUID of a server
COMPUTER_APPLICATION LOCATION_ID char 32 GUID of the location
AGENT_BEHAVIOR_LOG_1 LOG_IDX char 32  √  null Log index unique ID
AGENT_BEHAVIOR_LOG_2 LOG_IDX char 32  √  null Log index unique ID
AGENT_PACKET_LOG_1 LOG_IDX char 32  √  null Log index unique ID
AGENT_PACKET_LOG_2 LOG_IDX char 32  √  null Log index unique ID
AGENT_SYSTEM_LOG_1 LOG_IDX char 32  √  null Log index unique ID
AGENT_SYSTEM_LOG_2 LOG_IDX char 32  √  null Log index unique ID
AGENT_TRAFFIC_LOG_1 LOG_IDX char 32  √  null Log index unique ID
AGENT_TRAFFIC_LOG_2 LOG_IDX char 32  √  null Log index unique ID
ENFORCER_CLIENT_LOG_1 LOG_IDX char 32  √  null
ENFORCER_CLIENT_LOG_2 LOG_IDX char 32  √  null
ENFORCER_SYSTEM_LOG_1 LOG_IDX char 32  √  null Log index unique ID
ENFORCER_SYSTEM_LOG_2 LOG_IDX char 32  √  null Log index unique ID
ENFORCER_TRAFFIC_LOG_1 LOG_IDX char 32  √  null
ENFORCER_TRAFFIC_LOG_2 LOG_IDX char 32  √  null
SERVER_CLIENT_LOG_1 LOG_IDX char 32  √  null Log index unique ID
SERVER_CLIENT_LOG_2 LOG_IDX char 32  √  null Log index unique ID
SERVER_ENFORCER_LOG_1 LOG_IDX char 32  √  null
SERVER_ENFORCER_LOG_2 LOG_IDX char 32  √  null
V_AGENT_BEHAVIOR_LOG LOG_IDX char 32  √  null
V_AGENT_PACKET_LOG LOG_IDX char 32  √  null
V_AGENT_SYSTEM_LOG LOG_IDX char 32  √  null
V_AGENT_TRAFFIC_LOG LOG_IDX char 32  √  null
V_ENFORCER_CLIENT_LOG LOG_IDX char 32  √  null
V_ENFORCER_SYSTEM_LOG LOG_IDX char 32  √  null
V_ENFORCER_TRAFFIC_LOG LOG_IDX char 32  √  null
V_SERVER_CLIENT_LOG LOG_IDX char 32  √  null
V_SERVER_ENFORCER_LOG LOG_IDX char 32  √  null
ANOMALYDETECTIONS LOG_SESSION_GUID char 32 ('') This is an ID used by the client to keep track of related threat events.
ANOMALYREMEDIATIONS LOG_SESSION_GUID char 32 This is an ID used by the client to keep track of related threat events.
ALERTS MOTHER_IDX char 32 ('') Pointer to the related compressed event in the ALERTS table. This is the compressed event created by database maintenance. A value here means this event has been aggregated server-side and is a child event.
V_ALERTS MOTHER_IDX char 32
NOTIFICATION NOTAG_IDX char 32
NOTIFICATIONALERTS NOTAG_IDX char 32 ('') Notification which triggered this alert (Pointer to table 'notification')
SERVER_POLICY_LOG_1 OBJECT_ID char 32 GUID of the AgentPolicy
SERVER_POLICY_LOG_2 OBJECT_ID char 32 GUID of the AgentPolicy
V_SERVER_POLICY_LOG OBJECT_ID char 32
SEM_CLIENT OU_GUID char 32  √  null OU's GUID if the client is from ActiveDirectory
SEM_SVA_CLIENT OU_GUID char 32  √  null
BASIC_METADATA OWNER char 32  √  null GUID of the owner. It only applies to a private object.
BINARY_FILE OWNER char 32  √  null GUID of the owner. It only applies to private object
NOTIFICATIONHISTORY OWNER char 32
SYSTEM_STATE OWNER char 32  √  null GUID of the corresponding schema object
ALERTS PARENTSERVER_IDX char 32 ('') Pointer to table 'identity_map'; this is the SEPM server GUID
SCANS PARENTSERVER_IDX char 32 ('') Pointer to table IDENTITY_MAP (server GUID)
V_ALERTS PARENTSERVER_IDX char 32
PATTERN PATTERN_IDX char 32
SEM_AGENT PATTERN_IDX char 32 ('') Pointer to table 'pattern'
SEM_CONTENT PATTERN_IDX char 32 Pointer to pattern table
V_IPS PATTERN_IDX char 32
V_MR_CLEAN PATTERN_IDX char 32
V_SEM_CONTENT PATTERN_IDX char 32
V_SONAR PATTERN_IDX char 32
V_VIRUS PATTERN_IDX char 32
VIRUS PATTERN_IDX char 32 ('') Pointer to table 'pattern', that protects against this threat/virus
ENFORCER_CLIENT_LOG_1 POLICY_STATUS char 32  √  null Policy Status such as Passed, Failed, Unknown etc
ENFORCER_CLIENT_LOG_2 POLICY_STATUS char 32  √  null Policy Status such as Passed, Failed, Unknown etc
V_ENFORCER_CLIENT_LOG POLICY_STATUS char 32  √  null
SEM_AGENT PROFILE_CHECKSUM char 32  √  null Current profile checksum of agent
ENFORCER_CLIENT_LOG_1 RADIUS_STATUS char 32  √  null Radius Status
ENFORCER_CLIENT_LOG_2 RADIUS_STATUS char 32  √  null Radius Status
V_ENFORCER_CLIENT_LOG RADIUS_STATUS char 32  √  null
SEM_REPLICATION_STATE REMOTE_SITE_ID char 32 GUID of a site
AGENT_BEHAVIOR_LOG_1 RESERVED_CHAR1 char 32  √  null
AGENT_BEHAVIOR_LOG_2 RESERVED_CHAR1 char 32  √  null
AGENT_PACKET_LOG_1 RESERVED_CHAR1 char 32  √  null
AGENT_PACKET_LOG_2 RESERVED_CHAR1 char 32  √  null
AGENT_SECURITY_LOG_1 RESERVED_CHAR1 char 32  √  null
AGENT_SECURITY_LOG_2 RESERVED_CHAR1 char 32  √  null
AGENT_SYSTEM_LOG_1 RESERVED_CHAR1 char 32  √  null
AGENT_SYSTEM_LOG_2 RESERVED_CHAR1 char 32  √  null
AGENT_TRAFFIC_LOG_1 RESERVED_CHAR1 char 32  √  null
AGENT_TRAFFIC_LOG_2 RESERVED_CHAR1 char 32  √  null
BASIC_METADATA RESERVED_CHAR1 char 32  √  null
BINARY_FILE RESERVED_CHAR1 char 32  √  null
COMMAND RESERVED_CHAR1 char 32  √  null
COMPUTER_APPLICATION RESERVED_CHAR1 char 32  √  null
ENFORCER_CLIENT_LOG_1 RESERVED_CHAR1 char 32  √  null
ENFORCER_CLIENT_LOG_2 RESERVED_CHAR1 char 32  √  null
ENFORCER_SYSTEM_LOG_1 RESERVED_CHAR1 char 32  √  null
ENFORCER_SYSTEM_LOG_2 RESERVED_CHAR1 char 32  √  null
ENFORCER_TRAFFIC_LOG_1 RESERVED_CHAR1 char 32  √  null
ENFORCER_TRAFFIC_LOG_2 RESERVED_CHAR1 char 32  √  null
IDENTITY_MAP RESERVED_CHAR1 char 32  √  null
LAN_DEVICE_DETECTED RESERVED_CHAR1 char 32  √  null
LAN_DEVICE_EXCLUDED RESERVED_CHAR1 char 32  √  null
LEGACY_AGENT RESERVED_CHAR1 char 32  √  null
LOCAL_METADATA RESERVED_CHAR1 char 32  √  null
LOG_CONFIG RESERVED_CHAR1 char 32  √  null
REPORTS RESERVED_CHAR1 char 32  √  null
SEM_AGENT RESERVED_CHAR1 char 32  √  null
SEM_APPLICATION RESERVED_CHAR1 char 32  √  null
SEM_CLIENT RESERVED_CHAR1 char 32  √  null
SEM_COMPUTER RESERVED_CHAR1 char 32  √  null
SEM_JOB RESERVED_CHAR1 char 32  √  null
SEM_SVA RESERVED_CHAR1 char 32  √  null
SEM_SVA_CLIENT RESERVED_CHAR1 char 32  √  null
SEM_SVA_COMPUTER RESERVED_CHAR1 char 32  √  null
SERVER_ADMIN_LOG_1 RESERVED_CHAR1 char 32  √  null
SERVER_ADMIN_LOG_2 RESERVED_CHAR1 char 32  √  null
SERVER_CLIENT_LOG_1 RESERVED_CHAR1 char 32  √  null
SERVER_CLIENT_LOG_2 RESERVED_CHAR1 char 32  √  null
SERVER_ENFORCER_LOG_1 RESERVED_CHAR1 char 32  √  null
SERVER_ENFORCER_LOG_2 RESERVED_CHAR1 char 32  √  null
SERVER_POLICY_LOG_1 RESERVED_CHAR1 char 32  √  null
SERVER_POLICY_LOG_2 RESERVED_CHAR1 char 32  √  null
SERVER_SYSTEM_LOG_1 RESERVED_CHAR1 char 32  √  null
SERVER_SYSTEM_LOG_2 RESERVED_CHAR1 char 32  √  null
SYSTEM_STATE RESERVED_CHAR1 char 32  √  null
V_AGENT_BEHAVIOR_LOG RESERVED_CHAR1 char 32  √  null
V_AGENT_PACKET_LOG RESERVED_CHAR1 char 32  √  null
V_AGENT_SECURITY_LOG RESERVED_CHAR1 char 32  √  null
V_AGENT_SYSTEM_LOG RESERVED_CHAR1 char 32  √  null
V_AGENT_TRAFFIC_LOG RESERVED_CHAR1 char 32  √  null
V_DOMAINS RESERVED_CHAR1 char 32  √  null
V_ENFORCER_CLIENT_LOG RESERVED_CHAR1 char 32  √  null
V_ENFORCER_SYSTEM_LOG RESERVED_CHAR1 char 32  √  null
V_ENFORCER_TRAFFIC_LOG RESERVED_CHAR1 char 32  √  null
V_GROUPS RESERVED_CHAR1 char 32  √  null
V_LAN_DEVICE_DETECTED RESERVED_CHAR1 char 32  √  null
V_LAN_DEVICE_EXCLUDED RESERVED_CHAR1 char 32  √  null
V_SEM_COMPUTER RESERVED_CHAR1 char 32  √  null
V_SERVER_ADMIN_LOG RESERVED_CHAR1 char 32  √  null
V_SERVER_CLIENT_LOG RESERVED_CHAR1 char 32  √  null
V_SERVER_ENFORCER_LOG RESERVED_CHAR1 char 32  √  null
V_SERVER_POLICY_LOG RESERVED_CHAR1 char 32  √  null
V_SERVER_SYSTEM_LOG RESERVED_CHAR1 char 32  √  null
V_SERVERS RESERVED_CHAR1 char 32  √  null
AGENT_BEHAVIOR_LOG_1 RESERVED_CHAR2 char 32  √  null
AGENT_BEHAVIOR_LOG_2 RESERVED_CHAR2 char 32  √  null
AGENT_PACKET_LOG_1 RESERVED_CHAR2 char 32  √  null
AGENT_PACKET_LOG_2 RESERVED_CHAR2 char 32  √  null
AGENT_SECURITY_LOG_1 RESERVED_CHAR2 char 32  √  null
AGENT_SECURITY_LOG_2 RESERVED_CHAR2 char 32  √  null
AGENT_SYSTEM_LOG_1 RESERVED_CHAR2 char 32  √  null
AGENT_SYSTEM_LOG_2 RESERVED_CHAR2 char 32  √  null
AGENT_TRAFFIC_LOG_1 RESERVED_CHAR2 char 32  √  null
AGENT_TRAFFIC_LOG_2 RESERVED_CHAR2 char 32  √  null
BASIC_METADATA RESERVED_CHAR2 char 32  √  null
BINARY_FILE RESERVED_CHAR2 char 32  √  null
COMMAND RESERVED_CHAR2 char 32  √  null
COMPUTER_APPLICATION RESERVED_CHAR2 char 32  √  null
ENFORCER_CLIENT_LOG_1 RESERVED_CHAR2 char 32  √  null
ENFORCER_CLIENT_LOG_2 RESERVED_CHAR2 char 32  √  null
ENFORCER_SYSTEM_LOG_1 RESERVED_CHAR2 char 32  √  null
ENFORCER_SYSTEM_LOG_2 RESERVED_CHAR2 char 32  √  null
ENFORCER_TRAFFIC_LOG_1 RESERVED_CHAR2 char 32  √  null
ENFORCER_TRAFFIC_LOG_2 RESERVED_CHAR2 char 32  √  null
IDENTITY_MAP RESERVED_CHAR2 char 32  √  null
LAN_DEVICE_DETECTED RESERVED_CHAR2 char 32  √  null
LAN_DEVICE_EXCLUDED RESERVED_CHAR2 char 32  √  null
LEGACY_AGENT RESERVED_CHAR2 char 32  √  null
LOCAL_METADATA RESERVED_CHAR2 char 32  √  null
LOG_CONFIG RESERVED_CHAR2 char 32  √  null
REPORTS RESERVED_CHAR2 char 32  √  null
SEM_AGENT RESERVED_CHAR2 char 32  √  null
SEM_APPLICATION RESERVED_CHAR2 char 32  √  null
SEM_CLIENT RESERVED_CHAR2 char 32  √  null
SEM_COMPUTER RESERVED_CHAR2 char 32  √  null
SEM_JOB RESERVED_CHAR2 char 32  √  null
SEM_SVA RESERVED_CHAR2 char 32  √  null
SEM_SVA_CLIENT RESERVED_CHAR2 char 32  √  null
SEM_SVA_COMPUTER RESERVED_CHAR2 char 32  √  null
SERVER_ADMIN_LOG_1 RESERVED_CHAR2 char 32  √  null
SERVER_ADMIN_LOG_2 RESERVED_CHAR2 char 32  √  null
SERVER_CLIENT_LOG_1 RESERVED_CHAR2 char 32  √  null
SERVER_CLIENT_LOG_2 RESERVED_CHAR2 char 32  √  null
SERVER_ENFORCER_LOG_1 RESERVED_CHAR2 char 32  √  null
SERVER_ENFORCER_LOG_2 RESERVED_CHAR2 char 32  √  null
SERVER_POLICY_LOG_1 RESERVED_CHAR2 char 32  √  null
SERVER_POLICY_LOG_2 RESERVED_CHAR2 char 32  √  null
SERVER_SYSTEM_LOG_1 RESERVED_CHAR2 char 32  √  null
SERVER_SYSTEM_LOG_2 RESERVED_CHAR2 char 32  √  null
SYSTEM_STATE RESERVED_CHAR2 char 32  √  null
V_AGENT_BEHAVIOR_LOG RESERVED_CHAR2 char 32  √  null
V_AGENT_PACKET_LOG RESERVED_CHAR2 char 32  √  null
V_AGENT_SECURITY_LOG RESERVED_CHAR2 char 32  √  null
V_AGENT_SYSTEM_LOG RESERVED_CHAR2 char 32  √  null
V_AGENT_TRAFFIC_LOG RESERVED_CHAR2 char 32  √  null
V_DOMAINS RESERVED_CHAR2 char 32  √  null
V_ENFORCER_CLIENT_LOG RESERVED_CHAR2 char 32  √  null
V_ENFORCER_SYSTEM_LOG RESERVED_CHAR2 char 32  √  null
V_ENFORCER_TRAFFIC_LOG RESERVED_CHAR2 char 32  √  null
V_GROUPS RESERVED_CHAR2 char 32  √  null
V_LAN_DEVICE_DETECTED RESERVED_CHAR2 char 32  √  null
V_LAN_DEVICE_EXCLUDED RESERVED_CHAR2 char 32  √  null
V_SEM_COMPUTER RESERVED_CHAR2 char 32  √  null
V_SERVER_ADMIN_LOG RESERVED_CHAR2 char 32  √  null
V_SERVER_CLIENT_LOG RESERVED_CHAR2 char 32  √  null
V_SERVER_ENFORCER_LOG RESERVED_CHAR2 char 32  √  null
V_SERVER_POLICY_LOG RESERVED_CHAR2 char 32  √  null
V_SERVER_SYSTEM_LOG RESERVED_CHAR2 char 32  √  null
V_SERVERS RESERVED_CHAR2 char 32  √  null
AGENT_BEHAVIOR_LOG_1 RULE_ID char 32  √  null The ID of rule triggered by the event. It is always 0 if rule ID is not specified in security rule. The field is helpful to security rule troubleshooting. If multiple rules matched, it logs the rule that has final decision on PacketProc (pass/block/drop).
AGENT_BEHAVIOR_LOG_2 RULE_ID char 32  √  null The ID of rule triggered by the event. It is always 0 if rule ID is not specified in security rule. The field is helpful to security rule troubleshooting. If multiple rules matched, it logs the rule that has final decision on PacketProc (pass/block/drop).
AGENT_TRAFFIC_LOG_1 RULE_ID char 32  √  null The ID of rule triggered by the event. It is always 0 if rule ID is not specified in security rule. The field is helpful to security rule troubleshooting. If multiple rules matched, it logs the rule that has final decision on PacketProc (pass/block/drop).
AGENT_TRAFFIC_LOG_2 RULE_ID char 32  √  null The ID of rule triggered by the event. It is always 0 if rule ID is not specified in security rule. The field is helpful to security rule troubleshooting. If multiple rules matched, it logs the rule that has final decision on PacketProc (pass/block/drop).
V_AGENT_BEHAVIOR_LOG RULE_ID char 32  √  null
V_AGENT_TRAFFIC_LOG RULE_ID char 32  √  null
SCANS SCAN_IDX char 32
SCANREPORT SCANFILTER_IDX char 32
AGENT_BEHAVIOR_LOG_1 SERVER_ID char 32 GUID of the server to which the log belongs
AGENT_BEHAVIOR_LOG_2 SERVER_ID char 32 GUID of the server to which the log belongs
AGENT_PACKET_LOG_1 SERVER_ID char 32 GUID of the server to which the log belongs
AGENT_PACKET_LOG_2 SERVER_ID char 32 GUID of the server to which the log belongs
AGENT_SECURITY_LOG_1 SERVER_ID char 32 GUID of the server to which the log belongs
AGENT_SECURITY_LOG_2 SERVER_ID char 32 GUID of the server to which the log belongs
AGENT_SYSTEM_LOG_1 SERVER_ID char 32 GUID of the server to which the log belongs
AGENT_SYSTEM_LOG_2 SERVER_ID char 32 GUID of the server to which the log belongs
AGENT_TRAFFIC_LOG_1 SERVER_ID char 32 GUID of the server to which the log belongs
AGENT_TRAFFIC_LOG_2 SERVER_ID char 32 GUID of the server to which the log belongs
SERVER_ADMIN_LOG_1 SERVER_ID char 32 GUID of the server to which the log belongs
SERVER_ADMIN_LOG_2 SERVER_ID char 32 GUID of the server to which the log belongs
SERVER_CLIENT_LOG_1 SERVER_ID char 32 GUID of the server to which the log belongs
SERVER_CLIENT_LOG_2 SERVER_ID char 32 GUID of the server to which the log belongs
SERVER_ENFORCER_LOG_1 SERVER_ID char 32 GUID of the server to which the log belongs
SERVER_ENFORCER_LOG_2 SERVER_ID char 32 GUID of the server to which the log belongs
SERVER_POLICY_LOG_1 SERVER_ID char 32 GUID of the server to which the log belongs
SERVER_POLICY_LOG_2 SERVER_ID char 32 GUID of the server to which the log belongs
SERVER_SYSTEM_LOG_1 SERVER_ID char 32 GUID of the server to which the log belongs
SERVER_SYSTEM_LOG_2 SERVER_ID char 32 GUID of the server to which the log belongs
V_AGENT_BEHAVIOR_LOG SERVER_ID char 32
V_AGENT_PACKET_LOG SERVER_ID char 32
V_AGENT_SECURITY_LOG SERVER_ID char 32
V_AGENT_SYSTEM_LOG SERVER_ID char 32
V_AGENT_TRAFFIC_LOG SERVER_ID char 32
V_CLIENT_CHANGE_LOG SERVER_ID char 32  √  null
V_SECURITY_VIEW SERVER_ID char 32
V_SERVER_ADMIN_LOG SERVER_ID char 32
V_SERVER_CLIENT_LOG SERVER_ID char 32
V_SERVER_ENFORCER_LOG SERVER_ID char 32
V_SERVER_POLICY_LOG SERVER_ID char 32
V_SERVER_SYSTEM_LOG SERVER_ID char 32
AGENTSTATUS SERVERGROUP_IDX char 32 ('') Pointer to 'identity_map' table
ALERTS SERVERGROUP_IDX char 32 ('') Pointer to table 'identity_map'; this is the SEPM domain GUID
SCANS SERVERGROUP_IDX char 32 ('') Pointer to table IDENTITY_MAP (domain GUID)
V_ALERTS SERVERGROUP_IDX char 32
AGENT_BEHAVIOR_LOG_1 SITE_ID char 32 GUID of the site to which the log belongs
AGENT_BEHAVIOR_LOG_2 SITE_ID char 32 GUID of the site to which the log belongs
AGENT_PACKET_LOG_1 SITE_ID char 32 GUID of the site to which the log belongs
AGENT_PACKET_LOG_2 SITE_ID char 32 GUID of the site to which the log belongs
AGENT_SECURITY_LOG_1 SITE_ID char 32 GUID of the site to which the log belongs
AGENT_SECURITY_LOG_2 SITE_ID char 32 GUID of the site to which the log belongs
AGENT_SYSTEM_LOG_1 SITE_ID char 32 GUID of the site to which the log belongs
AGENT_SYSTEM_LOG_2 SITE_ID char 32 GUID of the site to which the log belongs
AGENT_TRAFFIC_LOG_1 SITE_ID char 32 GUID of the site to which the log belongs
AGENT_TRAFFIC_LOG_2 SITE_ID char 32 GUID of the site to which the log belongs
ENFORCER_CLIENT_LOG_1 SITE_ID char 32 GUID of the site to which the log belongs
ENFORCER_CLIENT_LOG_2 SITE_ID char 32 GUID of the site to which the log belongs
ENFORCER_SYSTEM_LOG_1 SITE_ID char 32 GUID of the site to which the log belongs
ENFORCER_SYSTEM_LOG_2 SITE_ID char 32 GUID of the site to which the log belongs
ENFORCER_TRAFFIC_LOG_1 SITE_ID char 32 GUID of the site to which the log belongs
ENFORCER_TRAFFIC_LOG_2 SITE_ID char 32 GUID of the site to which the log belongs
REPORTS SITE_ID char 32 GUID of the site from where the report was generated
SERVER_ADMIN_LOG_1 SITE_ID char 32 GUID of the site to which the log belongs
SERVER_ADMIN_LOG_2 SITE_ID char 32 GUID of the site to which the log belongs
SERVER_CLIENT_LOG_1 SITE_ID char 32 GUID of the site to which the log belongs
SERVER_CLIENT_LOG_2 SITE_ID char 32 GUID of the site to which the log belongs
SERVER_ENFORCER_LOG_1 SITE_ID char 32 GUID of the site to which the log belongs
SERVER_ENFORCER_LOG_2 SITE_ID char 32 GUID of the site to which the log belongs
SERVER_POLICY_LOG_1 SITE_ID char 32 GUID of the site to which the log belongs
SERVER_POLICY_LOG_2 SITE_ID char 32 GUID of the site to which the log belongs
SERVER_SYSTEM_LOG_1 SITE_ID char 32 GUID of the site to which the log belongs
SERVER_SYSTEM_LOG_2 SITE_ID char 32 GUID of the site to which the log belongs
V_AGENT_BEHAVIOR_LOG SITE_ID char 32
V_AGENT_PACKET_LOG SITE_ID char 32
V_AGENT_SECURITY_LOG SITE_ID char 32
V_AGENT_SYSTEM_LOG SITE_ID char 32
V_AGENT_TRAFFIC_LOG SITE_ID char 32
V_ENFORCER_CLIENT_LOG SITE_ID char 32
V_ENFORCER_SYSTEM_LOG SITE_ID char 32
V_ENFORCER_TRAFFIC_LOG SITE_ID char 32
V_SERVER_ADMIN_LOG SITE_ID char 32
V_SERVER_CLIENT_LOG SITE_ID char 32
V_SERVER_ENFORCER_LOG SITE_ID char 32
V_SERVER_POLICY_LOG SITE_ID char 32
V_SERVER_SYSTEM_LOG SITE_ID char 32
ALERTS SITE_IDX char 32  √  (NULL) Pointer to table 'identity_map'; this is the SEPM site GUID
V_ALERTS SITE_IDX char 32  √  null
SEM_AGENT SNAC_LICENSE_ID char 32  √  null SNAC license ID
SEM_JOB SOURCE_ADMIN_ID char 32 GUID of the administrator who issued the command
SEM_JOB SOURCE_SITE_ID char 32 GUID of the site from where the command was generated
SEM_AGENT SVA_ID char 32  √  null
SEM_SVA SVA_ID char 32
SYSTEM_REPORT SYSTEMFILTER_IDX char 32
THREATREPORT THREATFILTER_IDX char 32
ENFORCER_CLIENT_LOG_1 UID_STATUS char 32  √  null Indicates UID status whether Authenticated, Failed etc
ENFORCER_CLIENT_LOG_2 UID_STATUS char 32  √  null Indicates UID status whether Authenticated, Failed etc
V_ENFORCER_CLIENT_LOG UID_STATUS char 32  √  null
ADMIN_GROUP_REFRESH_INFO USER_ID char 32
ADMIN_GROUPS USER_ID char 32
ADMINUSER USER_ID char 32
ALERTFILTER USER_ID char 32 ('') User ID
AUDIT_REPORT USER_ID char 32 ('')
BEHAVIOR_REPORT USER_ID char 32 ('')
COMMAND_REPORT USER_ID char 32 ('')
COMPLIANCE_REPORT USER_ID char 32 ('')
FIREWALL_REPORT USER_ID char 32 ('') GUID of the user who created this filter
HISTORYCONFIG USER_ID char 32 ('') GUID of user who created this scheduled report
INVENTORYREPORT USER_ID char 32 ('')
NOTIFICATION USER_ID char 32 ('') Admin GUID
SCANREPORT USER_ID char 32 ('')
SYSTEM_REPORT USER_ID char 32 ('')
THREATREPORT USER_ID char 32 ('')
HOMEPAGECONFIG USER_NAME char 32 ('') Admin GUID
ALERTS VIRUSNAME_IDX char 32 ('') Pointer to table 'virus'
INVENTORYCURRENTRISK1 VIRUSNAME_IDX char 32 ('') Foreign key to VIRUS table
V_ALERTS VIRUSNAME_IDX char 32
V_VIRUS VIRUSNAME_IDX char 32
VIRUS VIRUSNAME_IDX char 32
SEM_APPLICATION SHA1 char 40  √  null FileSHA1 algorithm
COMPUTER_APPLICATION CREATOR_SHA2 char 64  √  null SHA2 of process that dropped the file
SEM_APPLICATION SHA2 char 64  √  null FileSHA2 algorithm
INVENTORYCURRENTRISK1 SHA256 char 64 Risk file SHA-256
VERSION SR_NONCE char 64  √  null For internal usage only
LEGACY_AGENT GROUP_PATH char 260 Group full path
NOTIFICATIONALERTS ACKNOWLEDGED_TIME datetime 16,3 ('19700101') Time when notification was acknowledged
ALERTS ALERTDATETIME datetime 16,3 ('19700101') Time of event occurrences
NOTIFICATIONALERTS ALERTDATETIME datetime 16,3 ('19700101') Time stamp when the alert was generated
V_ALERTS ALERTDATETIME datetime 16,3
ALERTS ALERTENDDATETIME datetime 16,3 ('19700101') Time at which event ended. This is the end of the aggregated event time.
V_ALERTS ALERTENDDATETIME datetime 16,3
ALERTS ALERTINSERTTIME datetime 16,3 ('19700101') Time at which event was inserted into the database
V_ALERTS ALERTINSERTTIME datetime 16,3
OAUTH_ACCESS_TOKEN CREATION_DATE datetime 16,3
OAUTH_CLIENT_DETAILS CREATION_DATE datetime 16,3
OAUTH_REFRESH_TOKEN CREATION_DATE datetime 16,3
V_VIRUS DISCOVERED datetime 16,3
VIRUS DISCOVERED datetime 16,3 ('19700101') When threat was first discovered by Symantec (as downloaded from Symantec's web site)
PATTERN INSERTDATETIME datetime 16,3 ('19700101') Time when this pattern information was entered into the database
SCFINVENTORY IPSSIGDATE datetime 16,3  √  (NULL) Date of IPS signature
INVENTORYREPORT LASTCHECKINTIME datetime 16,3 ('19700101') Last time of check in with parent server
PATTERN PATTERNDATE datetime 16,3 ('19700101') Date when this content was released
V_IPS PATTERNDATE datetime 16,3
ALERTFILTER STARTDATEFROM datetime 16,3 ('19700101') Start date
AUDIT_REPORT STARTDATEFROM datetime 16,3 ('19700101') Start time for filter
BEHAVIOR_REPORT STARTDATEFROM datetime 16,3 ('19700101') Filter start date
COMMAND_REPORT STARTDATEFROM datetime 16,3 ('19700101') Start time
COMPLIANCE_REPORT STARTDATEFROM datetime 16,3 ('19700101') Start date
FIREWALL_REPORT STARTDATEFROM datetime 16,3 ('19700101') Start date
SYSTEM_REPORT STARTDATEFROM datetime 16,3 ('19700101') Time filter start date
THREATREPORT STARTDATEFROM datetime 16,3 ('19700101') Starting date
SCANS STARTDATETIME datetime 16,3 ('19700101') Start time for scan
ALERTFILTER STARTDATETO datetime 16,3 ('19700101') End date
AUDIT_REPORT STARTDATETO datetime 16,3 ('19700101') End time for filter
BEHAVIOR_REPORT STARTDATETO datetime 16,3 ('19700101') Filter end date
COMMAND_REPORT STARTDATETO datetime 16,3 ('19700101') End time
COMPLIANCE_REPORT STARTDATETO datetime 16,3 ('19700101') End date
FIREWALL_REPORT STARTDATETO datetime 16,3 ('19700101') End date
SYSTEM_REPORT STARTDATETO datetime 16,3 ('19700101') Time filter end date
THREATREPORT STARTDATETO datetime 16,3 ('19700101') Ending date
HISTORYCONFIG STARTTIME datetime 16,3 ('19700101') When to start generating the report. This establishes its scheduled time within the repeat schedule.
SCANREPORT STARTTIMEFROM datetime 16,3 ('19700101') Start date
SCANREPORT STARTTIMETO datetime 16,3 ('19700101') End date
SCANS STOPDATETIME datetime 16,3 ('19700101') Stop time for scan
OAUTH_ACCESS_TOKEN AUTHENTICATION image 2147483647  √  null
OAUTH_REFRESH_TOKEN AUTHENTICATION image 2147483647  √  null
BASIC_METADATA CONTENT image 2147483647 XML content of the schema object
BINARY_FILE CONTENT image 2147483647  √  null XML content of the schema object
LOCAL_METADATA CONTENT image 2147483647  √  null XML content of the schema object
NOTIFICATIONHISTORY CONTENT image 2147483647
REPORTS CONTENT image 2147483647 XML content of the schema object
SYSTEM_STATE CONTENT image 2147483647 XML content of the schema object
OAUTH_CLIENT_DETAILS ACCESS_TOKEN_VALIDITY int 4  √  null
NOTIFICATIONALERTS ACKNOWLEDGED int 4 ((0)) Flag whether the alert has been acknowledged
AGENT_BEHAVIOR_LOG_1 ACTION int 4  √  null What we did:
0 = allow
1 = block
2 = ask
3 = continue
4 = terminate
AGENT_BEHAVIOR_LOG_2 ACTION int 4  √  null What we did:
0 = allow
1 = block
2 = ask
3 = continue
4 = terminate
V_AGENT_BEHAVIOR_LOG ACTION int 4  √  null
ACTUALACTION ACTUALACTION_IDX int 4
ALERTS ACTUALACTION_IDX int 4 ((0)) Pointer to table 'actualaction'; this is the action taken on the risk
V_ALERTS ACTUALACTION_IDX int 4
AGENT_BEHAVIOR_LOG_1 ALERT int 4  √  null Indicates whether this event will be counted during alert notification processing at the server. It is true if the event is logged by Tamper Protection. It is false otherwise. (True = 1, False = 0)
AGENT_BEHAVIOR_LOG_2 ALERT int 4  √  null Indicates whether this event will be counted during alert notification processing at the server. It is true if the event is logged by Tamper Protection. It is false otherwise. (True = 1, False = 0)
AGENT_PACKET_LOG_1 ALERT int 4  √  null It reflects the alert attribute in profile action. It is true if action::alert is true. (Yes = 1, no = 0)
AGENT_PACKET_LOG_2 ALERT int 4  √  null It reflects the alert attribute in profile action. It is true if action::alert is true. (Yes = 1, no = 0)
V_AGENT_BEHAVIOR_LOG ALERT int 4  √  null
V_AGENT_PACKET_LOG ALERT int 4  √  null
V_SECURITY_VIEW ALERT int 4  √  null
ALERTMSG ALERT_IDX int 4
ALERTS ALERT_IDX int 4 ((0)) Pointer to table ALERTMSG
V_ALERTS ALERT_IDX int 4
ANOMALYDETECTION ANOMALY_DETECTION_OPERATION_ID int 4 ((0)) Pointer to table 'Anomalydetectionoperation'
ANOMALYDETECTION ANOMALY_DETECTION_TYPE_ID int 4 ((0)) Pointer to table 'Anomalydetectiontype'
ANOMALYREMEDIATION ANOMALY_REMEDIATION_OPERATION_ID int 4 ((0)) Pointer to table 'anomalyremediationoperation'
ANOMALYREMEDIATION ANOMALY_REMEDIATION_TYPE_ID int 4 ((0)) Pointer to table 'anomalyremediationtype'
HPP_APPLICATION APP_TYPE int 4 ((-1)) Application type:
0 = Trojan worm
1 = Trojan worm
2 = Key logger
100 = Remote control
ADMINUSER AUTOREFRESH int 4 ((0)) User-defined auto refresh value for all logs (events.php, alerts.php)
FIREWALL_REPORT BLOCKED int 4  √  (NULL) 1 = Blocked, 0 = Not blocked
AGENT_SYSTEM_LOG_1 CATEGORY int 4  √  null It is not used now.
AGENT_SYSTEM_LOG_2 CATEGORY int 4  √  null It is not used now.
V_AGENT_SYSTEM_LOG CATEGORY int 4  √  null
V_VIRUS CATEGORY int 4
VIRUS CATEGORY int 4 ((-1)) Current category (as downloaded from Symantec's web site). Values are 1 through 5 where 1 is very low and 5 is very severe. -1 means unknown or not applicable. This rating is only applicable to viral threats.
SEM_SVA CLIENT_COUNT int 4 ((0))
THREATREPORT CLIENTGROUPINCLUDE int 4 ('0') Whether to include (1) or exclude (0) the client groups in the list. (Always set to 1 in SAV 11.0.)
NOTIFICATION CLIENTPACKAGE_TYPE int 4 ('0') Client package type
THREATREPORT CLIENTUSERINCLUDE int 4 ('0') Whether to include (1) or exclude (0) the users in the list. (Always set to 1 in SAV 11.0.)
THREATREPORT COMPUTERINCLUDE int 4 ('0') Whether to include (1) or exclude (0) the computers in the list. (Always set to 1 in SAV 11.0.)
HPP_ALERTS CONFIDENCE int 4 ((0)) The Confidence level that produced the conviction.
>= 100: Extremely High [100..]
>= 65: High [65..99]
>= 25: Medium [25..64]
>= 10: Low [10..24]
>= 1: Symantec knows very little about the file/unknown [1..9]
0 is not a valid value. We can say unknown also for 0.
Default is 0
LOG_CONFIG CURRENT_ROWS int 4 Current log count in the log table
NOTIFICATION DAMPER int 4 ((0)) Minimum quiet time between alerts in minutes; 0 means autodamper which is 60 minutes
VERSION DBSCHEMA int 4 Schema version
INVENTORYCURRENTRISK1 DEFDATE int 4 ((0)) AV definition date used during last scan
V_VIRUS DEPENDENCY int 4
VIRUS DEPENDENCY int 4 ((-1)) Number of dependent components that risk installs. 0 = No rating, 1, 2 = Low, 3 = Medium, 4 >= High, -1 means not applicable. This rating is only applicable to non-viral threats.
SEM_AGENT DEPLOY_STATUS int 4 ((0)) This is an integer sent by the client to represent the current deployment status. It can be generated by the client itself or by the installer.
302448896=Symantec Endpoint Protection Manager indicated an upgrade package for the client
302448897=The client decided to accept the upgrade package
302448898=The client decided to reject the upgrade package
302449152=The client has requested package information for the upgrade
302449153=The client has received package information for the upgrade
302449408=The client hasn't allowed the download of the upgrade package to start
302449409=The client has successfully downloaded and verified the upgrade package
302449664=The client failed to apply the upgrade package
302449665=The client failed to patch the delta
302449666=The client failed to launch the upgrade installer
302449667=The client successfully launched the final upgrade installer
302449920=The client is requesting the full version of the upgrade package due to the delta's failure
302456832=Install successful.
302460928=Install repair successful.
302465024=Uninstall successful.
302469120=Install failed, rolled back.
302469121=Install failed, insufficient disk space.
302469122=Install failed, launch condition.
302469123=Install failed, consumer product found.
302469124=Restart pending
302456833=Files copied.
302469125=Install failed, legacy enterprise edition found.
302469126=Install failed, non-elevated privileges.
302469127=Install failed, incompatible operating system.
ANOMALYDETECTIONOPERATION DETECTION_OPERATION_ID int 4
V_VIRUS DETECTION_TYPE int 4
VIRUS DETECTION_TYPE int 4 ((-1)) Detection type
ANOMALYDETECTIONTYPE DETECTION_TYPE_ID int 4
FIREWALL_REPORT DIRECTION int 4  √  (NULL) 1 = Inbound, 2 = Outbound, 0 = Unknown
SCANREPORT DURATION int 4 ('0') Length of the scan
SCANS DURATION int 4 ((0)) Length of the scan in seconds
VIRUS DYNACAT int 4  √  (NULL) Sub category ID for the risk threat. Links to VIRUSCATEGORY table.
VIRUSCATEGORY DYNACAT int 4 Sub-category ID
V_VIRUS DYNAUBER int 4  √  null
VIRUS DYNAUBER int 4  √  (NULL) Uber category for the risk threat. Links to VIRUSCATEGORY table.
VIRUSCATEGORY DYNAUBER int 4 Uber category ID
SYSTEM_REPORT ENFORCER_TYPE int 4  √  (NULL) 0 = Gateway Enforcer
1 = LAN Enforcer
2 = DHCP Enforcer
3 = Integrated Enforcer
4 = NAP Enforcer
5 = PeerToPeer Enforcer
SERVER_ADMIN_LOG_1 ERROR_CODE int 4  √  null ErrorCode can uniquely identify the error in source code (Only used when an exception is related to this event). ** See worksheet ERROR_CODE and MSG_ID values. **
SERVER_ADMIN_LOG_2 ERROR_CODE int 4  √  null ErrorCode can uniquely identify the error in source code (Only used when an exception is related to this event). ** See worksheet ERROR_CODE and MSG_ID values. **
SERVER_SYSTEM_LOG_1 ERROR_CODE int 4  √  null ErrorCode can uniquely identify the error in source code (Only used when an exception is related to this event). ** See ERROR_CODE and MSG_ID worksheet **
SERVER_SYSTEM_LOG_2 ERROR_CODE int 4  √  null ErrorCode can uniquely identify the error in source code (Only used when an exception is related to this event). ** See ERROR_CODE and MSG_ID worksheet **
V_SERVER_ADMIN_LOG ERROR_CODE int 4  √  null
V_SERVER_SYSTEM_LOG ERROR_CODE int 4  √  null
COMMAND ESTIMATED_DURATION int 4 ((0)) Agent estimation of command duration in minutes. 0 = no estimate or negligible time.
AGENT_BEHAVIOR_LOG_1 EVENT_ID int 4 An event ID from send agent:
501 = Application Control Driver
502 = Application Control Rules
999 = Tamper Protection
AGENT_BEHAVIOR_LOG_2 EVENT_ID int 4 An event ID from send agent:
501 = Application Control Driver
502 = Application Control Rules
999 = Tamper Protection
AGENT_PACKET_LOG_1 EVENT_ID int 4 An event ID from send agent:
401 = Raw Ethernet
AGENT_PACKET_LOG_2 EVENT_ID int 4 An event ID from send agent:
401 = Raw Ethernet
AGENT_SECURITY_LOG_1 EVENT_ID int 4 Compliance events:
209 = Host Integrity failed (TSLOG_SEC_NO_AV)
210 = Host Integrity passed (TSLOG_SEC_AV)
221 = Host Integrity failed but reported as PASS
237 = Host Integrity custom log entry

Firewall and IPS events:
207 = Active Response
211 = Active Response Disengaged
219 = Active Response Cancelled
205 = Executable file changed
216 = Executable file change detected
217 = Executable file change accepted
218 = Executable file change denied
220 = Application Hijacking
201 = Invalid traffic by rule
202 = Port Scan
203 = Denial of Service
204 = Trojan
206 = Intrusion Prevention System (Intrusion Detected, TSLOG_SEC_INTRUSION_DETECTED)
208 = MAC Spoofing
249 = Browser Protection event

Application and Device control:
238 = Device control disabled device
239 = Buffer Overflow Event
240 = Software protection has thrown an exception
AGENT_SECURITY_LOG_2 EVENT_ID int 4 Compliance events:
209 = Host Integrity failed (TSLOG_SEC_NO_AV)
210 = Host Integrity passed (TSLOG_SEC_AV)
221 = Host Integrity failed but reported as PASS
237 = Host Integrity custom log entry

Firewall and IPS events:
207 = Active Response
211 = Active Response Disengaged
219 = Active Response Cancelled
205 = Executable file changed
216 = Executable file change detected
217 = Executable file change accepted
218 = Executable file change denied
220 = Application Hijacking
201 = Invalid traffic by rule
202 = Port Scan
203 = Denial of Service
204 = Trojan
206 = Intrusion Prevention System (Intrusion Detected, TSLOG_SEC_INTRUSION_DETECTED)
208 = MAC Spoofing
249 = Browser Protection event

Application and Device control:
238 = Device control disabled device
239 = Buffer Overflow Event
240 = Software protection has thrown an exception
AGENT_SYSTEM_LOG_1 EVENT_ID int 4 An event ID from send agent

AGENT_SYSTEM_INSTALL_EVENT_TYPES = Installation events: possible values are
0x12070001 = Internal error
0x12070101 = Install complete
0x12070102 = Restart recommended
0x12070103 = Restart required
0x12070104 = Installation failed
0x12070105 = Uninstallation complete
0x12070106 = Uninstallation failed
0x12071037 = Symantec AntiVirus installed
0x12071038 = Symantec Firewall installed
0x12071039 = Uninstall
0x1207103A = Uninstall rolled-back

AGENT_SYSTEM_SERVICE_EVENT_TYPES = Service events: possible values are
0x12070201 = Service starting
0x12070202 = Service started
0x12070203 = Service start failure
0x12070204 = Service stopped
0x12070205 = Service stop failure
0x1207021A = Attempt to stop service

AGENT_SYSTEM_CONFIG_EVENT_TYPES = Configuration events: possible values are
0x12070206 = Config import complete
0x12070207 = Config import error
0x12070208 = Config export complete
0x12070209 = Config export error

AGENT_SYSTEM_HI_EVENT_TYPES = Host Integrity events: possible values are
0x12070210 = Host Integrity disabled
0x12070211 = Host Integrity enabled
0x12070220 = NAP integration enabled

AGENT_SYSTEM_IMPORT_EVENT_TYPES = Import events: possible values are
0x12070214 = Successfully imported advanced rule
0x12070215 = Failed to import advanced rule
0x12070216 = Successfully exported advanced rule
0x12070217 = Failed to export advanced rule

AGENT_SYSTEM_CLIENT_EVENT_TYPES = Client events: possible values are
0x12070218 = Client Engine enabled
0x12070219 = Client Engine disabled
0x12071046 = Proactive Threat Scanning is not supported on this platform
0x12071047 = Proactive Threat Scanning Load Error

AGENT_SYSTEM_SERVER_EVENT_TYPES = Server events: possible values are
0x12070301 = Server connected
0x12070302 = No server response
0x12070303 = Server connection failed
0x12070304 = Server disconnected
0x120B0001 = Cannot reach server
0x120B0002 = Reconnected server

AGENT_SYSTEM_PROFILE_EVENT_TYPES = Policy events: possible values are
0x12070306 = New policy received
0x12070307 = New policy applied
0x12070308 = New policy failed
0x12070309 = Cannot download policy
0x120B0005 = Cannot download policy
0x1207030A = Have latest policy
0x120B0004 = Have latest policy

AGENT_SYSTEM_AV_EVENT_TYPES = Antivirus engine events: possible values are
0x12071006 = Scan Omission
0x1207100B = Virus Behavior Detected
0x1207100C = Configuration Changed
0x12071010 = Definition File Download
0x12071012 = Sent To Quarantine Server
0x12071013 = Delivered To Symantec
0x12071014 = Security Response Backup
0x12071015 = Scan Aborted
0x12071016 = Symantec AntiVirus Auto-Protect Load Error
0x12071017 = Symantec AntiVirus Auto-Protect Enabled
0x12071018 = Symantec AntiVirus Auto-Protect Disabled
0x1207101A = Scan Delayed
0x1207101B = Scan Re-started
0x12071027 = Symantec AntiVirus is using old virus definitions
0x12071041 = Scan suspended
0x12071042 = Scan Resumed
0x12071043 = Scan Duration Too Short
0x12071045 = Scan Enhancements Failed

AGENT_SYSTEM_LICENSE_EVENT_TYPES = License events: possible values are
0x1207101E = License Warning
0x1207101F = License Error
0x12071020 = License in Grace Period
0x12071023 = License Installed
0x12071025 = License Up-to-date

AGENT_SYSTEM_SECURITY_EVENT_TYPES = Security events: possible values are
0x1207102B = Computer not compliant with security policy
0x1207102C = Computer compliant with security policy
0x1207102D = Tamper Attempt

AGENT_SYSTEM_OTHER_EVENT_TYPES = Other events: possible values are
0x1207020A = Email post OK
0x1207020B = Email post failure
0x1207020C = Update complete
0x1207020D = Update failure
0x1207020E = Manual location change
0x1207020F = Location changed
0x12070212 = Old Rasdll detected
0x12070213 = Autoupdate postponed
0x12070305 = Mode changed
0x1207030B = Cannot apply HI script
0x12070500 = System message from device control
0x12070600 = System message from anti-buffer overflow driver
0x12071021 = Access Denied Warning
0x12071022 = Log Forwarding Error
0x12071044 = Client moved
AGENT_SYSTEM_LOG_2 EVENT_ID int 4 An event ID from send agent

AGENT_SYSTEM_INSTALL_EVENT_TYPES = Installation events: possible values are
0x12070001 = Internal error
0x12070101 = Install complete
0x12070102 = Restart recommended
0x12070103 = Restart required
0x12070104 = Installation failed
0x12070105 = Uninstallation complete
0x12070106 = Uninstallation failed
0x12071037 = Symantec AntiVirus installed
0x12071038 = Symantec Firewall installed
0x12071039 = Uninstall
0x1207103A = Uninstall rolled-back

AGENT_SYSTEM_SERVICE_EVENT_TYPES = Service events: possible values are
0x12070201 = Service starting
0x12070202 = Service started
0x12070203 = Service start failure
0x12070204 = Service stopped
0x12070205 = Service stop failure
0x1207021A = Attempt to stop service

AGENT_SYSTEM_CONFIG_EVENT_TYPES = Configuration events: possible values are
0x12070206 = Config import complete
0x12070207 = Config import error
0x12070208 = Config export complete
0x12070209 = Config export error

AGENT_SYSTEM_HI_EVENT_TYPES = Host Integrity events: possible values are
0x12070210 = Host Integrity disabled
0x12070211 = Host Integrity enabled
0x12070220 = NAP integration enabled

AGENT_SYSTEM_IMPORT_EVENT_TYPES = Import events: possible values are
0x12070214 = Successfully imported advanced rule
0x12070215 = Failed to import advanced rule
0x12070216 = Successfully exported advanced rule
0x12070217 = Failed to export advanced rule

AGENT_SYSTEM_CLIENT_EVENT_TYPES = Client events: possible values are
0x12070218 = Client Engine enabled
0x12070219 = Client Engine disabled
0x12071046 = Proactive Threat Scanning is not supported on this platform
0x12071047 = Proactive Threat Scanning Load Error

AGENT_SYSTEM_SERVER_EVENT_TYPES = Server events: possible values are
0x12070301 = Server connected
0x12070302 = No server response
0x12070303 = Server connection failed
0x12070304 = Server disconnected
0x120B0001 = Cannot reach server
0x120B0002 = Reconnected server

AGENT_SYSTEM_PROFILE_EVENT_TYPES = Policy events: possible values are
0x12070306 = New policy received
0x12070307 = New policy applied
0x12070308 = New policy failed
0x12070309 = Cannot download policy
0x120B0005 = Cannot download policy
0x1207030A = Have latest policy
0x120B0004 = Have latest policy

AGENT_SYSTEM_AV_EVENT_TYPES = Antivirus engine events: possible values are
0x12071006 = Scan Omission
0x1207100B = Virus Behavior Detected
0x1207100C = Configuration Changed
0x12071010 = Definition File Download
0x12071012 = Sent To Quarantine Server
0x12071013 = Delivered To Symantec
0x12071014 = Security Response Backup
0x12071015 = Scan Aborted
0x12071016 = Symantec AntiVirus Auto-Protect Load Error
0x12071017 = Symantec AntiVirus Auto-Protect Enabled
0x12071018 = Symantec AntiVirus Auto-Protect Disabled
0x1207101A = Scan Delayed
0x1207101B = Scan Re-started
0x12071027 = Symantec AntiVirus is using old virus definitions
0x12071041 = Scan suspended
0x12071042 = Scan Resumed
0x12071043 = Scan Duration Too Short
0x12071045 = Scan Enhancements Failed

AGENT_SYSTEM_LICENSE_EVENT_TYPES = License events: possible values are
0x1207101E = License Warning
0x1207101F = License Error
0x12071020 = License in Grace Period
0x12071023 = License Installed
0x12071025 = License Up-to-date

AGENT_SYSTEM_SECURITY_EVENT_TYPES = Security events: possible values are
0x1207102B = Computer not compliant with security policy
0x1207102C = Computer compliant with security policy
0x1207102D = Tamper Attempt

AGENT_SYSTEM_OTHER_EVENT_TYPES = Other events: possible values are
0x1207020A = Email post OK
0x1207020B = Email post failure
0x1207020C = Update complete
0x1207020D = Update failure
0x1207020E = Manual location change
0x1207020F = Location changed
0x12070212 = Old Rasdll detected
0x12070213 = Autoupdate postponed
0x12070305 = Mode changed
0x1207030B = Cannot apply HI script
0x12070500 = System message from device control
0x12070600 = System message from anti-buffer overflow driver
0x12071021 = Access Denied Warning
0x12071022 = Log Forwarding Error
0x12071044 = Client moved
AGENT_TRAFFIC_LOG_1 EVENT_ID int 4 An event ID from send agent:
301 = TCP initiated
302 = UDP datagram
303 = Ping request
304 = TCP completed
305 = Traffic (other)
306 = ICMP packet
307 = Ethernet packet
308 = IP packet
AGENT_TRAFFIC_LOG_2 EVENT_ID int 4 An event ID from send agent:
301 = TCP initiated
302 = UDP datagram
303 = Ping request
304 = TCP completed
305 = Traffic (other)
306 = ICMP packet
307 = Ethernet packet
308 = IP packet
COMPLIANCE_REPORT EVENT_ID int 4  √  (NULL) Events for Enforcer Server:
1 = Enforcer registered
2 = Enforcer failed to register
5 = Enforcer downloaded policy
7 = Enforcer downloaded sylink.xml
9 = Server received Enforcer log
12 = Server received Enforcer information
Events for Enforcer Traffic:
17 = Incoming traffic blocked
18 = Outgoing traffic blocked
33 = Incoming traffic allowed
34 = Outgoing traffic allowed
Events for Host compliance:
209 = Host Integrity failed
210 = Host Integrity passed
221 = Host Integrity failed but reported as PASS
237 = Host Integrity custom log entry
Events for Attack (firewall):
207 = Active Response
211 = Active Response disengaged
219 = Active Response canceled
217 = Executable file change accepted
218 = Executable file change denied
220 = Application Hijack
201 = N/A (invalid traffic by rule)
202 = Port Scan
203 = Denial of Service
204 = Trojan
206 = Intrusion Prevention
208 = MAC Spoofing
Events for Device control:
238 = Device control disabled device
ENFORCER_CLIENT_LOG_1 EVENT_ID int 4 No event IDs defined, logged as 0
ENFORCER_CLIENT_LOG_2 EVENT_ID int 4 No event IDs defined, logged as 0
ENFORCER_SYSTEM_LOG_1 EVENT_ID int 4  √  null An event ID from send agent: (in hex)
0x101 = Connected to management server
0x102 = Lost connection to management server
0x103 = Applied policy downloaded from management server
0x104 = Failed to apply policy downloaded from management server
0x105 = Applied management server configuration
0x106 = Failed to apply management server configuration
0x107 = Applied management server configuration
0x108 = Failed to apply management server configuration
0x110 = Registered to NAP management server
0x111 = Unregistered from NAP management server
0x112 = Failed to register to NAP management server
0x201 = Enforcer started
0x202 = Enforcer stopped
0x203 = Enforcer paused
0x204 = Enforcer resumed
0x205 = Enforcer disconnected from server
0x301 = Enforcer failover enabled
0x302 = Enforcer failover disabled
0x303 = Enforcer in standby mode
0x304 = Enforcer in primary mode
0x305 = Enforcer short
0x306 = Enforcer loop
0x401 = Forward engine pause
0x402 = Forward engine start
0x403 = DNS Enforcer enabled
0x404 = DNS Enforcer disabled
0x405 = DHCP Enforcer enabled
0x406 = DHCP Enforcer disabled
0x407 = Allow all enabled
0x408 = Allow all disabled
0x501 = Seat number change
0x601 = Failed to create policy parser
0x602 = Failed to import policy downloaded from management server
0x603 = Failed to export policy downloaded from management server
0x701 = Incorrect customized attribute
ENFORCER_SYSTEM_LOG_2 EVENT_ID int 4  √  null An event ID from send agent: (in hex)
0x101 = Connected to management server
0x102 = Lost connection to management server
0x103 = Applied policy downloaded from management server
0x104 = Failed to apply policy downloaded from management server
0x105 = Applied management server configuration
0x106 = Failed to apply management server configuration
0x107 = Applied management server configuration
0x108 = Failed to apply management server configuration
0x110 = Registered to NAP management server
0x111 = Unregistered from NAP management server
0x112 = Failed to register to NAP management server
0x201 = Enforcer started
0x202 = Enforcer stopped
0x203 = Enforcer paused
0x204 = Enforcer resumed
0x205 = Enforcer disconnected from server
0x301 = Enforcer failover enabled
0x302 = Enforcer failover disabled
0x303 = Enforcer in standby mode
0x304 = Enforcer in primary mode
0x305 = Enforcer short
0x306 = Enforcer loop
0x401 = Forward engine pause
0x402 = Forward engine start
0x403 = DNS Enforcer enabled
0x404 = DNS Enforcer disabled
0x405 = DHCP Enforcer enabled
0x406 = DHCP Enforcer disabled
0x407 = Allow all enabled
0x408 = Allow all disabled
0x501 = Seat number change
0x601 = Failed to create policy parser
0x602 = Failed to import policy downloaded from management server
0x603 = Failed to export policy downloaded from management server
0x701 = Incorrect customized attribute
ENFORCER_TRAFFIC_LOG_1 EVENT_ID int 4  √  null An event ID from send agent:
17 = Incoming traffic blocked
18 = Outgoing traffic blocked
33 = Incoming traffic allowed
34 = Outgoing traffic allowed
ENFORCER_TRAFFIC_LOG_2 EVENT_ID int 4  √  null An event ID from send agent:
17 = Incoming traffic blocked
18 = Outgoing traffic blocked
33 = Incoming traffic allowed
34 = Outgoing traffic allowed
SERVER_ADMIN_LOG_1 EVENT_ID int 4 A unique ID of the admin event:
0x1001 = Login succeeded
0x1002 = Login failed
0x1003 = Logout
0x1004 = Account locked
0x1005 = Account unlocked
0x1006 = Account disabled
0x1007 = Account enabled
0x1008 = Administrator created
0x1009 = Administrator deleted
0x100A = Administrator renamed
0x100B = Password changed
0x100C = Administrator properties are changed
0x100D = Domain is created
0x100E = Domain is deleted
0x100F = Domain properties are changed
0x1020 = Domain is disabled
0x1021 = Domain is enabled
0x1022 = Domain is renamed
0x2001 = Group is created
0x2002 = Group is deleted
0x2003 = Group is renamed
0x2004 = Group is moved
0x2005 = Group properties are changed
0x2006 = User is created
0x2007 = User is deleted
0x2008 = User is moved
0x2009 = User is copied
0x200A = User policy mode is switched
0x200B = User properties are changed
0x200C = Computer is created
0x200D = Computer is deleted
0x200E = Computer is moved
0x200F = Computer is copied
0x2010 = Computer policy mode is switched
0x2011 = Computer properties are changed
0x2012 = Organizational Unit is imported
0x2013 = Domain user is imported
0x2014 = LDAP user is imported
0x3001 = Package is created
0x3002 = Package is deleted
0x3003 = Package is exported
0x3004 = Package is moved to recycle bin
0x3005 = Package is now current
0x3006 = Package is added to other domain
0x3007 = Package properties are changed
0x3008 = Package deployment created
0x3009 = Package deployment deleted
0x300A = Package deployment properties changed
0x300B = Package updated
0x4001 = Replication partner is registered
0x4002 = Replication partner is deleted
0x4003 = Remote site is deleted
0x4004 = Site properties are changed
0x4005 = Server properties are changed
0x4006 = Database properties are changed
0x4007 = Partner properties are changed
0x4008 = Site license is changed
0x4009 = Enforcer license changed
# looks like it is not used
0x400A = Replicate now
# looks like it is not used
0x400B = Back up now
# looks like it is not used
0x400C = External logging properties are changed
# looks like it is not used
0x400D = Site backup settings changed
# looks like it is not used
0x400E = Server deleted
# looks like it is not used
0x400F = Server certificate changed
0x4010 = Replicate now
0x4011 = Back up now
0x4012 = External logging properties are changed
0x4013 = Site backup settings changed
0x4014 = Server deleted
0x4015 = Server certificate changed
0x4016 = Enforcer group properties changed
SERVER_ADMIN_LOG_2 EVENT_ID int 4 A unique ID of the admin event:
0x1001 = Login succeeded
0x1002 = Login failed
0x1003 = Logout
0x1004 = Account locked
0x1005 = Account unlocked
0x1006 = Account disabled
0x1007 = Account enabled
0x1008 = Administrator created
0x1009 = Administrator deleted
0x100A = Administrator renamed
0x100B = Password changed
0x100C = Administrator properties are changed
0x100D = Domain is created
0x100E = Domain is deleted
0x100F = Domain properties are changed
0x1020 = Domain is disabled
0x1021 = Domain is enabled
0x1022 = Domain is renamed
0x2001 = Group is created
0x2002 = Group is deleted
0x2003 = Group is renamed
0x2004 = Group is moved
0x2005 = Group properties are changed
0x2006 = User is created
0x2007 = User is deleted
0x2008 = User is moved
0x2009 = User is copied
0x200A = User policy mode is switched
0x200B = User properties are changed
0x200C = Computer is created
0x200D = Computer is deleted
0x200E = Computer is moved
0x200F = Computer is copied
0x2010 = Computer policy mode is switched
0x2011 = Computer properties are changed
0x2012 = Organizational Unit is imported
0x2013 = Domain user is imported
0x2014 = LDAP user is imported
0x3001 = Package is created
0x3002 = Package is deleted
0x3003 = Package is exported
0x3004 = Package is moved to recycle bin
0x3005 = Package is now current
0x3006 = Package is added to other domain
0x3007 = Package properties are changed
0x3008 = Package deployment created
0x3009 = Package deployment deleted
0x300A = Package deployment properties changed
0x300B = Package updated
0x4001 = Replication partner is registered
0x4002 = Replication partner is deleted
0x4003 = Remote site is deleted
0x4004 = Site properties are changed
0x4005 = Server properties are changed
0x4006 = Database properties are changed
0x4007 = Partner properties are changed
0x4008 = Site license is changed
0x4009 = Enforcer license changed
# looks like it is not used
0x400A = Replicate now
# looks like it is not used
0x400B = Back up now
# looks like it is not used
0x400C = External logging properties are changed
# looks like it is not used
0x400D = Site backup settings changed
# looks like it is not used
0x400E = Server deleted
# looks like it is not used
0x400F = Server certificate changed
0x4010 = Replicate now
0x4011 = Back up now
0x4012 = External logging properties are changed
0x4013 = Site backup settings changed
0x4014 = Server deleted
0x4015 = Server certificate changed
0x4016 = Enforcer group properties changed
SERVER_CLIENT_LOG_1 EVENT_ID int 4 A unique ID of the client activity event:
1 = Registration succeeded
2 = Registration failed
3 = Client reconnected
4 = Client disconnected
5 = Downloaded policy
6 = Downloaded Intrusion Prevention policy
7 = Downloaded sylink.xml
8 = Downloaded auto-upgrade file
9 = Server received log
10 = Log processing failed
11 = Server received learned application
12 = Server received client information
13 = Client information processing failed
14 = Hardware identity change
15 = Downloaded File Fingerprint list
20 = Downloaded content package
22 = Downloaded command
SERVER_CLIENT_LOG_2 EVENT_ID int 4 A unique ID of the client activity event:
1 = Registration succeeded
2 = Registration failed
3 = Client reconnected
4 = Client disconnected
5 = Downloaded policy
6 = Downloaded Intrusion Prevention policy
7 = Downloaded sylink.xml
8 = Downloaded auto-upgrade file
9 = Server received log
10 = Log processing failed
11 = Server received learned application
12 = Server received client information
13 = Client information processing failed
14 = Hardware identity change
15 = Downloaded File Fingerprint list
20 = Downloaded content package
22 = Downloaded command
SERVER_ENFORCER_LOG_1 EVENT_ID int 4 A unique ID of the Enforcer activity:
0x101 = Connected to Policy Manager
0x102 = Lost connection to Policy Manager
0x103 = Applied policy downloaded from Policy Manager
0x104 = Failed to apply policy downloaded from Policy Manager
0x105 = Applied Policy Manager configuration
0x106 = Failed to apply Policy Manager configuration
0x107 = Applied Policy Manager configuration
0x108 = Failed to apply Policy Manager configuration
0x201 = Enforcer started
0x202 = Enforcer stopped
0x203 = Enforcer paused
0x204 = Enforcer resumed
0x205 = Enforcer disconnected from server
0x301 = Enforcer failover enabled
0x302 = Enforcer failover disabled
0x303 = Enforcer in standby mode
0x304 = Enforcer in primary mode
0x305 = Enforcer short
0x306 = Enforcer loop
0x401 = Forward engine pause
0x402 = Forward engine start
0x403 = DNS Enforcer enabled
0x404 = DNS Enforcer disabled
0x405 = DHCP Enforcer enabled
0x406 = DHCP Enforcer disabled
0x407 = Allow all enabled
0x408 = Allow all disabled
0x501 = Seat number change
0x601 = Failed to create policy parser
0x602 = Failed to import policy downloaded from Policy Manager
0x603 = Failed to export policy downloaded from Policy Manager
0x701 = Incorrect customized attribute
SERVER_ENFORCER_LOG_2 EVENT_ID int 4 A unique ID of the Enforcer activity:
0x101 = Connected to Policy Manager
0x102 = Lost connection to Policy Manager
0x103 = Applied policy downloaded from Policy Manager
0x104 = Failed to apply policy downloaded from Policy Manager
0x105 = Applied Policy Manager configuration
0x106 = Failed to apply Policy Manager configuration
0x107 = Applied Policy Manager configuration
0x108 = Failed to apply Policy Manager configuration
0x201 = Enforcer started
0x202 = Enforcer stopped
0x203 = Enforcer paused
0x204 = Enforcer resumed
0x205 = Enforcer disconnected from server
0x301 = Enforcer failover enabled
0x302 = Enforcer failover disabled
0x303 = Enforcer in standby mode
0x304 = Enforcer in primary mode
0x305 = Enforcer short
0x306 = Enforcer loop
0x401 = Forward engine pause
0x402 = Forward engine start
0x403 = DNS Enforcer enabled
0x404 = DNS Enforcer disabled
0x405 = DHCP Enforcer enabled
0x406 = DHCP Enforcer disabled
0x407 = Allow all enabled
0x408 = Allow all disabled
0x501 = Seat number change
0x601 = Failed to create policy parser
0x602 = Failed to import policy downloaded from Policy Manager
0x603 = Failed to export policy downloaded from Policy Manager
0x701 = Incorrect customized attribute
SERVER_POLICY_LOG_1 EVENT_ID int 4 A unique ID of the policy event:
0 = Policy added
1 = Policy deleted
2 = Policy edited
3 = Add shared policy upon system install
4 = Add shared policy upon system upgrade
5 = Add shared policy upon domain creation
SERVER_POLICY_LOG_2 EVENT_ID int 4 A unique ID of the policy event:
0 = Policy added
1 = Policy deleted
2 = Policy edited
3 = Add shared policy upon system install
4 = Add shared policy upon system upgrade
5 = Add shared policy upon domain creation
SERVER_SYSTEM_LOG_1 EVENT_ID int 4 The unique ID for the system event.

Server events; possible values are as follows:
257 = Management server started up successfully
258 = Management server startup failed
259 = Management server shut down gracefully
260 = Management server created
261 = Site created
262 = Package published
263 = Site license exceeded
264 = Organization Unit or Container importing started
265 = Organization Unit or Container importing succeeded
266 = Organization Unit or Container importing failed
267 = Client sweeping started
268 = Client sweeping summary
269 = Client sweeping successful
270 = Client sweeping failed
271 = Database logs have been swept
272 = Management server upgrade successful
273 = Scheduled reporting failed
274 = Virus definitions folder does not exist
275 = The process {0} cannot lock the process status table. The process status has been locked by the server {1} since {2}.
276 = Whitelist and Blacklist LiveUpdate
281 = Resource is locked

Replication events; possible values are as follows:
769 = Replication from remote site started
770 = Replication failed to log on to remote site
771 = Unable to fetch changed data from remote site
772 = Replication finished successfully
773 = Replication failed
774 = Replication merge failed
775 = Unable to connect to remote site
776 = Name changed to resolve merge conflict
777 = Group full path name is too long for replication
778 = Retrieval of local changed data for remote site started.
779 = Retrieval of local changed data for remote site finished successfully
780 = Retrieval of local changed data for remote site failed.
781 = Replication has been chosen as the deadlock victim and has been killed by the database.
782 = Replication data has been received
783 = DB versions don't match between local and remote sites

Backup events; possible values are as follows:
1025 = Backup connection failed
1026 = Backup data fetch failed
1027 = Backup file write failed
1028 = Backup failed
1029 = Backup success
1030 = Backup has been started

System error events; possible values are as follows:
1281 = An unexpected exception has occurred
1282 = Connection to the mail server failed
1283 = Failed to start RADIUS Server. The RADIUS port may be in use by another process.
1284 = Failed to start RADIUS Server. Set non-Block IO socket failed
1285 = Failed to start RADIUS Server. Create socket Error.
1286 = Server error

Policy events; possible values are as follows:
1537 = Added Intrusion Prevention Policy
1538 = Deleted Intrusion Prevention Policy
1539 = Updated Intrusion Prevention Policy
1540 = Intrusion Prevention Policy is up to date
1541 = Skipped publishing a Content Revision during LU Content Policy compilation as the corresponding binary file exists.

LiveUpdate events; possible values are as follows:
1793 = LiveUpdate started
1794 = LiveUpdate successful
1795 = LiveUpdate failed
1796 = LiveUpdate manual launch successful
1797 = LiveUpdate manual launch failed
1798 = LiveUpdate retry started
1799 = LiveUpdate retry successful
1800 = LiveUpdate retry failed
1802 = Download started
1803 = Retry timestamp is over the maximum retry window, switching to regular schedule run.
1804 = LiveUpdate retry failed and will try again
1805 = Retry timestamp is equal or over the next schedule time, switching to regular schedule run.
1806 = LUALL.EXE has been launched.
1807 = LUALL.EXE exited abnormally.
1808 = LUALL.EXE finished running.
1809 = LUALL.EXE Failed.
1810 = Start uploading content to the database
1811 = The specified LiveUpdate file path does not exist.
1812 = LiveUpdate content category file has been inserted
1813 = LiveUpdate content category file has been updated
1814 = Client Package has been downloaded
1815 = Client Package patching failed
1816 = New LiveUpdate content has been downloaded
1817 = There is an error in the LiveUpdate upload URL parameters.
1818 = Failed to download LiveUpdate content
1819 = Cleaned up LiveUpdate downloaded content
1820 = Host Integrity Template has been updated
1821 = LiveUpdate exceeded its timeout. Process is destroyed.
1822 = LiveUpdate next start time and server
1824 = Failed to update
1825 = {0} is up-to-date.
1826 = LiveUpdate re-run is triggered by content catalog update.
1827 = {0} is not available on the LiveUpdate server.
1828 = Manual LiveUpdate cancelled
1829 = LiveUpdate delayed

Network Audit events; possible values are as follows:
2049 = Network Audit Search Unagented Hosts Started
2050 = Network Audit Search Unagented Hosts Finished Normally
2051 = Network Audit Search Unagented Hosts Finished Abnormally
2052 = Network Audit Client Remote Pushing Install Started
2053 = Network Audit Client Remote Pushing Install Finished Normally
2054 = Network Audit Client Remote Pushing Install Finished Abnormally

Rapid Response content events; possible values are as follows:
2305 = Successful installation of rapid response content
2306 = Failed to install rapid response content

Certificate events; possible values are as follows:
4097 = Got a valid certificate.
4098 = Got a mis-matched certificate.

JNDI events; possible values are as follows:
4353 = Management Server has detected and ignored one or more duplicate entries. Please check the following entries in your directory server:\n{0}

Send email events; possible values are as follows:
4609 = Email sending failed
4610 = Email sending directly to mail server failed

Licensing events; possible values are as follows:
4865 = Add a license
4866 = Renew a license
4867 = Delete a license
4868 = Import trial license
4869 = Import upgrade license
4870 = License expires
4871 = License overdeployed
4872 = Remove trial license

Transaction log truncation events; possible values are as follows:
5121 = Truncate Transaction Log Task Started
5122 = Truncate Transaction Log Task Succeeded
5123 = Truncate Transaction Log Task Failed

Rebuild indexes events; possible values are as follows:
5377 = Rebuild Indexes Task Started
5378 = Rebuild Indexes Task Succeeded
5379 = Rebuild Indexes Task Failed

SERVER_SYSTEM_LOG_2 EVENT_ID int 4 The unique ID for the system event.

Server events; possible values are as follows:
257 = Management server started up successfully
258 = Management server startup failed
259 = Management server shut down gracefully
260 = Management server created
261 = Site created
262 = Package published
263 = Site license exceeded
264 = Organization Unit or Container importing started
265 = Organization Unit or Container importing succeeded
266 = Organization Unit or Container importing failed
267 = Client sweeping started
268 = Client sweeping summary
269 = Client sweeping successful
270 = Client sweeping failed
271 = Database logs have been swept
272 = Management server upgrade successful
273 = Scheduled reporting failed
274 = Virus definitions folder does not exist
275 = The process {0} cannot lock the process status table. The process status has been locked by the server {1} since {2}.
276 = Whitelist and Blacklist LiveUpdate
281 = Resource is locked

Replication events; possible values are as follows:
769 = Replication from remote site started
770 = Replication failed to log on to remote site
771 = Unable to fetch changed data from remote site
772 = Replication finished successfully
773 = Replication failed
774 = Replication merge failed
775 = Unable to connect to remote site
776 = Name changed to resolve merge conflict
777 = Group full path name is too long for replication
778 = Retrieval of local changed data for remote site started.
779 = Retrieval of local changed data for remote site finished successfully
780 = Retrieval of local changed data for remote site failed.
781 = Replication has been chosen as the deadlock victim and has been killed by the database.
782 = Replication data has been received
783 = DB versions don't match between local and remote sites

Backup events; possible values are as follows:
1025 = Backup connection failed
1026 = Backup data fetch failed
1027 = Backup file write failed
1028 = Backup failed
1029 = Backup success
1030 = Backup has been started

System error events; possible values are as follows:
1281 = An unexpected exception has occurred
1282 = Connection to the mail server failed
1283 = Failed to start RADIUS Server. The RADIUS port may be in use by another process.
1284 = Failed to start RADIUS Server. Set non-Block IO socket failed
1285 = Failed to start RADIUS Server. Create socket Error.
1286 = Server error

Policy events; possible values are as follows:
1537 = Added Intrusion Prevention Policy
1538 = Deleted Intrusion Prevention Policy
1539 = Updated Intrusion Prevention Policy
1540 = Intrusion Prevention Policy is up to date
1541 = Skipped publishing a Content Revision during LU Content Policy compilation as the corresponding binary file exists.

LiveUpdate events; possible values are as follows:
1793 = LiveUpdate started
1794 = LiveUpdate successful
1795 = LiveUpdate failed
1796 = LiveUpdate manual launch successful
1797 = LiveUpdate manual launch failed
1798 = LiveUpdate retry started
1799 = LiveUpdate retry successful
1800 = LiveUpdate retry failed
1802 = Download started
1803 = Retry timestamp is over the maximum retry window, switching to regular schedule run.
1804 = LiveUpdate retry failed and will try again
1805 = Retry timestamp is equal or over the next schedule time, switching to regular schedule run.
1806 = LUALL.EXE has been launched.
1807 = LUALL.EXE exited abnormally.
1808 = LUALL.EXE finished running.
1809 = LUALL.EXE Failed.
1810 = Start uploading content to the database
1811 = The specified LiveUpdate file path does not exist.
1812 = LiveUpdate content category file has been inserted
1813 = LiveUpdate content category file has been updated
1814 = Client Package has been downloaded
1815 = Client Package patching failed
1816 = New LiveUpdate content has been downloaded
1817 = There is an error in the LiveUpdate upload URL parameters.
1818 = Failed to download LiveUpdate content
1819 = Cleaned up LiveUpdate downloaded content
1820 = Host Integrity Template has been updated
1821 = LiveUpdate exceeded its timeout. Process is destroyed.
1822 = LiveUpdate next start time and server
1824 = Failed to update
1825 = {0} is up-to-date.
1826 = LiveUpdate re-run is triggered by content catalog update.
1827 = {0} is not available on the LiveUpdate server.
1828 = Manual LiveUpdate cancelled
1829 = LiveUpdate delayed

Network Audit events; possible values are as follows:
2049 = Network Audit Search Unagented Hosts Started
2050 = Network Audit Search Unagented Hosts Finished Normally
2051 = Network Audit Search Unagented Hosts Finished Abnormally
2052 = Network Audit Client Remote Pushing Install Started
2053 = Network Audit Client Remote Pushing Install Finished Normally
2054 = Network Audit Client Remote Pushing Install Finished Abnormally

Rapid Response content events; possible values are as follows:
2305 = Successful installation of rapid response content
2306 = Failed to install rapid response content

Certificate events; possible values are as follows:
4097 = Got a valid certificate.
4098 = Got a mis-matched certificate.

JNDI events; possible values are as follows:
4353 = Management Server has detected and ignored one or more duplicate entries. Please check the following entries in your directory server:\n{0}

Send email events; possible values are as follows:
4609 = Email sending failed
4610 = Email sending directly to mail server failed

Licensing events; possible values are as follows:
4865 = Add a license
4866 = Renew a license
4867 = Delete a license
4868 = Import trial license
4869 = Import upgrade license
4870 = License expires
4871 = License overdeployed
4872 = Remove trial license

Transaction log truncation events; possible values are as follows:
5121 = Truncate Transaction Log Task Started
5122 = Truncate Transaction Log Task Succeeded
5123 = Truncate Transaction Log Task Failed

Rebuild indexes events; possible values are as follows:
5377 = Rebuild Indexes Task Started
5378 = Rebuild Indexes Task Succeeded
5379 = Rebuild Indexes Task Failed

V_AGENT_BEHAVIOR_LOG EVENT_ID int 4
V_AGENT_PACKET_LOG EVENT_ID int 4
V_AGENT_SECURITY_LOG EVENT_ID int 4
V_AGENT_SYSTEM_LOG EVENT_ID int 4
V_AGENT_TRAFFIC_LOG EVENT_ID int 4
V_CLIENT_CHANGE_LOG EVENT_ID int 4
V_ENFORCER_CLIENT_LOG EVENT_ID int 4
V_ENFORCER_SYSTEM_LOG EVENT_ID int 4  √  null
V_ENFORCER_TRAFFIC_LOG EVENT_ID int 4  √  null
V_SECURITY_VIEW EVENT_ID int 4
V_SERVER_ADMIN_LOG EVENT_ID int 4
V_SERVER_CLIENT_LOG EVENT_ID int 4
V_SERVER_ENFORCER_LOG EVENT_ID int 4
V_SERVER_POLICY_LOG EVENT_ID int 4
V_SERVER_SYSTEM_LOG EVENT_ID int 4
AUDIT_REPORT EVENTTYPE int 4  √  (NULL) 0 = Policy added
1 = Policy deleted
2 = Policy edited
3 = Add shared policy upon system install
4 = Add shared policy upon system upgrade
5 = Add shared policy upon domain creation
BEHAVIOR_REPORT EVENTTYPE int 4  √  (NULL) For Application Control
501 = Application Control Driver
502 = Application Control Rules
999 = Tamper Protection
FIREWALL_REPORT EVENTTYPE int 4  √  (NULL) Events for Traffic:
307 = Ethernet packet
306 = ICMP packet
308 = IP packet
303 = Ping request
301 = TCP initiated
304 = TCP completed
302 = UDP datagram
305 = Other
Events for Packet:
401 = Raw Ethernet
LOG_CONFIG EXPIRATION int 4 ((60)) Expiration date of the logs
SEM_CLIENT EXTRA_FEATURE int 4  √  null
SEM_SVA_CLIENT EXTRA_FEATURE int 4  √  null
FIREWALL_REPORT FIREWALLTYPE int 4 ((0)) 1 = Traffic, 2 = Packets
THREATREPORT FROMUSERINCLUDE int 4 ((0)) Deprecated
LICENSE GRACE_COUNT int 4  √  null actual grace count, computed based on seat count and grace percentage
LICENSE_CHAIN GRACE_COUNT int 4  √  null actual grace count, computed based on seat count and grace percentage
LICENSE GRACE_COUNT_PCT int 4 grace seat percentage value, read from license file
GUIPARMS GUIPARMS_IDX int 4
AGENT_SECURITY_LOG_1 HACK_TYPE int 4  √  null If event ID = 209, Host Integrity failed (TSLOG_SEC_NO_AV), the reason for the failure
If event ID = 206, Intrusion Prevention System (Intrusion Detected, TSLOG_SEC_INTRUSION_DETECTED), the intrusion ID
If event ID = 210, Host Integrity passed (TSLOG_SEC_AV), additional information

Possible reasons are as follows:

Process is not running - Bit0 is 1
Signature is out of date - Bit1 is 1
Recovery was attempted - Bit2 is 1
AGENT_SECURITY_LOG_2 HACK_TYPE int 4  √  null The reason, if the event ID is TSLOG_SEC_NO_AV
The intrusion ID, if the event ID is TSLOG_SEC_INTRUSION_DETECTED
Additional information, if the event ID is TSLOG_SEC_AV

Reasons:

Process is not running - Bit0 is 1
Signature is out of date - Bit1 is 1
Recovery was attempted - Bit2 is 1
COMPLIANCE_REPORT HACK_TYPE int 4  √  (NULL) 0 = Process is not running
1 = Signature is out-of-date
2 = Recovery was attempted
V_AGENT_SECURITY_LOG HACK_TYPE int 4  √  null
SEM_SVA HEARTBEAT int 4  √  null
INVENTORYREPORT HI_REASONCODE int 4  √  ((-1)) Filters on the following reasons:
0 = Pass
101 = Antivirus version is out-of-date
102 = Antivirus is not running
103 = Script failed
104 = Check is incomplete
105 = Check is disabled
127 = Location changed
-1 = No filter (all)
SEM_AGENT HI_REASONCODE int 4  √  null Host integrity reason code:
0 = Pass
101 = Antivirus version is out-of-date
102 = Antivirus is not running
103 = Script failed
104 = Check is incomplete
105 = Check is disabled
127 = Location changed
SEM_AGENT HI_STATUS int 4  √  null Host integrity status:
0 = Fail
1 = Success
2 = Pending
3 = Disabled
4 = Ignore
AGENTCONFIG IDX int 4
THREATREPORT IPADDRESSINCLUDE int 4 ('0') Whether to include (1) or exclude (0) the IP addresses in the list. (Always set to 1 in SAV 11.0.)
SCFINVENTORY IPSSIGREV int 4  √  (NULL) Revision of IPS signature
LEGACY_AGENT LAN_SENSOR int 4 If the Agent is a LAN_SENSOR
ADMINUSER LASTCHANGE int 4 (CONVERT([int],getdate(),0)) Last time that the user accessed the console
INVENTORYREPORT LASTSCANTIME int 4  √  (NULL) Last time machine was scanned:
0 = past week
1 = past month
2 = past three months
3 = past year
4 = past 24 hours
5 = current month
ADMINUSER LASTSPMTIME int 4 (CONVERT([int],getdate(),0)) Last time for successful keep alive to application server
SEM_AGENT LICENSE_STATUS int 4 ((-1)) For future use
ALERTFILTER LIMITROWS int 4 ((20)) Number of rows to use for pagination
AUDIT_REPORT LIMITROWS int 4 ((20)) Number of rows to use for pagination
BEHAVIOR_REPORT LIMITROWS int 4 ((20)) Number of rows to show for pagination
COMMAND_REPORT LIMITROWS int 4 ((20)) Number of rows to use for pagination
COMPLIANCE_REPORT LIMITROWS int 4 ((20)) Number of rows to use for pagination
FIREWALL_REPORT LIMITROWS int 4 ((20)) Number of rows to use for pagination
INVENTORYREPORT LIMITROWS int 4 ('20') Number of rows to use for pagination
SCANREPORT LIMITROWS int 4 ('0') Number of rows to use for pagination
SYSTEM_REPORT LIMITROWS int 4 ((20)) Number of rows to use for pagination
THREATREPORT LIMITROWS int 4 ('20') Number of rows to use for pagination
AGENT_PACKET_LOG_1 LOCAL_PORT int 4  √  null The TCP/UDP port on the local machine (host byte order). It is only valid for TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP events. For other events, it is always zero.
AGENT_PACKET_LOG_2 LOCAL_PORT int 4  √  null The TCP/UDP port on the local machine (host byte order). It is only valid for TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP events. For other events, it is always zero.
AGENT_SECURITY_LOG_1 LOCAL_PORT int 4 ((0)) Local port
AGENT_SECURITY_LOG_2 LOCAL_PORT int 4 ((0)) Local port
AGENT_TRAFFIC_LOG_1 LOCAL_PORT int 4  √  null The TCP/UDP port on the local machine (host byte order). It is only valid for TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP events. For other events, it is always zero.
AGENT_TRAFFIC_LOG_2 LOCAL_PORT int 4  √  null The TCP/UDP port on the local machine (host byte order). It is only valid for TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP events. For other events, it is always zero.
COMPLIANCE_REPORT LOCAL_PORT int 4  √  (NULL) Port number
ENFORCER_TRAFFIC_LOG_1 LOCAL_PORT int 4 The TCP/UDP port on the local machine (host byte order). It is only valid for TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP events. For other events, it is always zero.
ENFORCER_TRAFFIC_LOG_2 LOCAL_PORT int 4 The TCP/UDP port on the local machine (host byte order). It is only valid for TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP events. For other events, it is always zero.
V_AGENT_PACKET_LOG LOCAL_PORT int 4  √  null
V_AGENT_SECURITY_LOG LOCAL_PORT int 4
V_AGENT_TRAFFIC_LOG LOCAL_PORT int 4  √  null
V_ENFORCER_TRAFFIC_LOG LOCAL_PORT int 4
VIRUSCATEGORY LOCALE int 4 ((0)) Locale integer
FIREWALL_REPORT LOCALPORT int 4  √  (NULL) Port number
LOG_CONFIG LOG_TYPE int 4
AGENTSTATUS MAIL int 4 ((0)) Flag whether e-mail has already been sent (1 = Yes, 0 = No)
SEM_AGENT MAJOR_VERSION int 4 ((0)) SEP version: 11
SEM_SVA MAJOR_VERSION int 4 ((0))
V_VIRUS MAXCATEGORY int 4
VIRUS MAXCATEGORY int 4 ((-1)) Maximum category that the virus has reached. Values are 1 through 5. -1 means unknown or not applicable. This rating is only applicable to viral threats.
LICENSE METER_COUNT int 4 seat count, read from license file
LICENSE_CHAIN METER_COUNT int 4 seat count, from license file
SEM_AGENT MINOR_VERSION int 4 ((0)) Minor version
SEM_SVA MINOR_VERSION int 4 ((0))
SERVER_ADMIN_LOG_1 MSG_ID int 4  √  null Event description ID, use this ID to load the localized message (Only used when an exception is related to this event). ** See worksheet ERROR_CODE and MSG_ID values. **
SERVER_ADMIN_LOG_2 MSG_ID int 4  √  null Event description ID, use this ID to load the localized message (Only used when an exception is related to this event). ** See worksheet ERROR_CODE and MSG_ID values. **
SERVER_SYSTEM_LOG_1 MSG_ID int 4  √  null Event description ID, use this ID to load localized message (Only used when an exception is related to this event) ** See ERROR_CODE and MSG_ID worksheet **
SERVER_SYSTEM_LOG_2 MSG_ID int 4  √  null Event description ID, use this ID to load localized message (Only used when an exception is related to this event)
V_SERVER_ADMIN_LOG MSG_ID int 4  √  null
V_SERVER_SYSTEM_LOG MSG_ID int 4  √  null
ALERTS NOOFVIRUSES int 4 ((1)) Number of events for aggregated event record. This can be due to client-side aggregation, server-side compression, or both.
V_ALERTS NOOFVIRUSES int 4
NOTIFICATION NTIMES int 4 ((0)) Number of occurrences to trigger this notification
SEM_OS_INFO OS_FAMILY int 4 Operating system family
SEM_COMPUTER OS_LANG int 4  √  null Operating system language ID, for example, English = 0x09
SEM_SVA_COMPUTER OS_LANG int 4  √  null
V_SEM_COMPUTER OS_LANG int 4  √  null
SEM_OS_INFO OS_MAJOR int 4  √  ('') Operating system major version
SEM_OS_INFO OS_MINOR int 4  √  ('') Operating system minor version
COMPLIANCE_REPORT OS_TYPE int 4  √  (NULL) 600 = Windows Vista and Windows Server 2008
502 = Windows 2003 and Windows XP 64 bit
501 = Windows XP
500 = Windows 2000
400 = Windows NT
000 = Other
V_VIRUS OVERALL int 4
VIRUS OVERALL int 4 ((-1)) An average of all the security risk ratings. This rating is only applicable to non-viral threats.
THREATREPORT PARENTSERVERINCLUDE int 4 ('0') Whether to include (1) or exclude (0) the servers in the list. (Always set to 1 in SAV 11.0.)
V_VIRUS PERFORMANCE int 4
VIRUS PERFORMANCE int 4 ((-1)) Measures the negative impact that the presence of a security risk has on the computer's performance. 0 = No rating, 1, 2 = Low, 3 = Medium, 4 >= High, -1 means not applicable. This rating is only applicable to non-viral threats.
ENFORCER_CLIENT_LOG_1 PERIOD int 4  √  null The period in seconds that the Enforcer will take action on the client. Only valid when action is equal to Rejected and Disconnected. For other actions, this field must be 0.
ENFORCER_CLIENT_LOG_2 PERIOD int 4  √  null The period in seconds that the Enforcer will take action on the client. Only valid when action is equal to Rejected and Disconnected. For other actions, this field must be 0.
V_ENFORCER_CLIENT_LOG PERIOD int 4  √  null
LEGACY_AGENT POLICY_MODE int 4 User/Computer mode
SEM_CLIENT POLICY_MODE int 4  √  null Enum {USER_MODE, COMPUTER_MODE}
V_CLIENT_CHANGE_LOG POLICY_MODE int 4  √  null
GUP_LIST PORT int 4 Represents the GUP port
HPP_ALERTS PREVALENCE int 4 ((0)) The prevalence data for the application
0: Unknown.
1-50: Very low
51-100: Low
101-150: Moderate
151-200: High
201-255: Very high
> 255: Very high
Default is 0
V_VIRUS PRIVACY int 4
VIRUS PRIVACY int 4 ((-1)) The level of privacy that is lost due to the presence of a security risk on a computer. 0= No rating, 1, 2 = Low, 3 = Medium, 4 >= High, -1 means not applicable. This rating is only applicable to non-viral threats.
SEM_COMPUTER PROCESSOR_NUM int 4  √  null Number of processors
SEM_SVA_COMPUTER PROCESSOR_NUM int 4  √  null
V_SEM_COMPUTER PROCESSOR_NUM int 4  √  null
FIREWALL_REPORT PROTOCOL int 4  √  (NULL) 1 = Other, 2 = TCP, 3 = UDP, 4 = ICMP
INVENTORYREPORT R_OS_TYPE int 4  √  ((-1)) 600 = Windows Vista and Windows Server 2008,
502 = Windows 2003 and Windows XP 64 bit,
501 = Windows XP,
500 = Windows 2000,
400 = Windows NT
000 = Other
-1 = No filter (all)
SCANREPORT R_OS_TYPE int 4  √  ((-1)) Operating System type running on the client computer:
SEM_AGENT R_OS_TYPE int 4  √  null Enum that indicates the operating system on the client computer.
SEM_SVA R_OS_TYPE int 4  √  null
THREATREPORT R_OS_TYPE int 4  √  ((-1)) Operating System type running on the client computer:
ALERTFILTER RELATIVEDATETYPE int 4 ((0)) 0 = past week
1 = past month
2 = past three months
3 = past year
4 = past 24 hours
5 = current month
AUDIT_REPORT RELATIVEDATETYPE int 4 ((0)) 0 = past week
1 = past month
2 = past three months
3 = past year
4 = past 24 hours
5 = current month
BEHAVIOR_REPORT RELATIVEDATETYPE int 4 ((0)) 0 = past week
1 = past month
2 = past three months
3 = past year
4 = past 24 hours
5 = current month
COMMAND_REPORT RELATIVEDATETYPE int 4 ((0)) 0 = past week
1 = past month
2 = past three months
3 = past year
4 = past 24 hours
5 = current month
COMPLIANCE_REPORT RELATIVEDATETYPE int 4 ((0)) 0 = past week
1 = past month
2 = past three months
3 = past year
4 = past 24 hours
5 = current month
FIREWALL_REPORT RELATIVEDATETYPE int 4 ((0)) 0 = past week
1 = past month
2 = past three months
3 = past year
4 = past 24 hours
5 = current month
INVENTORYREPORT RELATIVEDATETYPE int 4 ('0') Last check in time if relative filtering used:
0 = past week
1 = past month
2 = past three months
3 = past year
4 = past 24 hours
5 = current month
SCANREPORT RELATIVEDATETYPE int 4 ('0') 0 = past week
1 = past month
2 = past three months
3 = past year
4 = past 24 hours
5 = current month
SYSTEM_REPORT RELATIVEDATETYPE int 4 ((0)) 0 = past week
1 = past month
2 = past three months
3 = past year
4 = past 24 hours
5 = current month
THREATREPORT RELATIVEDATETYPE int 4 ('0') 0 = past week
1 = past month
2 = past three months
3 = past year
4 = past 24 hours
5 = current month
ANOMALYREMEDIATIONOPERATION REMEDIATION_OPERATION_ID int 4
ANOMALYREMEDIATIONTYPE REMEDIATION_TYPE_ID int 4
AGENT_PACKET_LOG_1 REMOTE_PORT int 4  √  null The TCP/UDP port on the remote machine (host byte order). It is only valid for TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP events. For other events, it is always zero.
AGENT_PACKET_LOG_2 REMOTE_PORT int 4  √  null The TCP/UDP port on the remote machine (host byte order). It is only valid for TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP events. For other events, it is always zero.
AGENT_SECURITY_LOG_1 REMOTE_PORT int 4 ((0)) Remote port
AGENT_SECURITY_LOG_2 REMOTE_PORT int 4 ((0)) Remote port
AGENT_TRAFFIC_LOG_1 REMOTE_PORT int 4  √  null The TCP/UDP port on the remote machine (host byte order). It is only valid for TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP events. For other events, it is always zero.
AGENT_TRAFFIC_LOG_2 REMOTE_PORT int 4  √  null The TCP/UDP port on the remote machine (host byte order). It is only valid for TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP events. For other events, it is always zero.
ENFORCER_TRAFFIC_LOG_1 REMOTE_PORT int 4 The TCP/UDP port on the remote machine (host byte order). It is only valid for TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP events. For other events, it is always zero.
ENFORCER_TRAFFIC_LOG_2 REMOTE_PORT int 4 The TCP/UDP port on the remote machine (host byte order). It is only valid for TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP events. For other events, it is always zero.
V_AGENT_PACKET_LOG REMOTE_PORT int 4  √  null
V_AGENT_SECURITY_LOG REMOTE_PORT int 4
V_AGENT_TRAFFIC_LOG REMOTE_PORT int 4  √  null
V_ENFORCER_TRAFFIC_LOG REMOTE_PORT int 4
AGENTSTATUS REMOTE_TZ_OFFSET int 4 ((0)) Time zone offset
AGENTCONFIG REMOTEX int 4 ((0)) 1 indicates this agent runs on a remote host; 0 indicates it is running locally on the SAV Reporter host itself.
V_VIRUS REMOVAL int 4
VIRUS REMOVAL int 4 ((-1)) Skill level required to remove the threat from a given computer. 0 = No rating, 1, 2 = Low, 3 = Medium, 4 >= High, -1 means not applicable. This rating is only applicable to non-viral threats.
AGENT_BEHAVIOR_LOG_1 REPETITION int 4 ((1)) Event repetition due to aggregation (damper)
AGENT_BEHAVIOR_LOG_2 REPETITION int 4 ((1)) Event repetition due to aggregation (damper)
AGENT_SECURITY_LOG_1 REPETITION int 4  √  null The number of attacks. Sometimes, when a hacker launches a mass attack, it may be damped to one event by the log system.
AGENT_SECURITY_LOG_2 REPETITION int 4  √  null The number of attacks. Sometimes, when a hacker launches a mass attack, it may be damped to one event by the log system.
AGENT_TRAFFIC_LOG_1 REPETITION int 4  √  null The number of attacks. Sometimes, when a hacker launches a mass attack, it may be damped to one event by the log system.
AGENT_TRAFFIC_LOG_2 REPETITION int 4  √  null The number of attacks. Sometimes, when a hacker launches a mass attack, it may be damped to one event by the log system.
ENFORCER_TRAFFIC_LOG_1 REPETITION int 4  √  null The number of attacks. Sometimes, when a hacker launches a mass attack, it may be damped to one event by the log system.
ENFORCER_TRAFFIC_LOG_2 REPETITION int 4  √  null The number of attacks. Sometimes, when a hacker launches a mass attack, it may be damped to one event by the log system.
V_AGENT_BEHAVIOR_LOG REPETITION int 4
V_AGENT_SECURITY_LOG REPETITION int 4  √  null
V_AGENT_TRAFFIC_LOG REPETITION int 4  √  null
V_ENFORCER_TRAFFIC_LOG REPETITION int 4  √  null
V_SECURITY_VIEW REPETITION int 4  √  null
AUDIT_REPORT REPORT_IDX int 4 ('0') Not used
BEHAVIOR_REPORT REPORT_IDX int 4 ('0') Not used
COMMAND_REPORT REPORT_IDX int 4 ('0') Not used
COMPLIANCE_REPORT REPORT_IDX int 4 ('0') Not used
FIREWALL_REPORT REPORT_IDX int 4 ('0') Not used
INVENTORYREPORT REPORT_IDX int 4 ('0') Not used
SCANREPORT REPORT_IDX int 4 ('0') Not used
SYSTEM_REPORT REPORT_IDX int 4 ('0') Not used
THREATREPORT REPORT_IDX int 4 ('0') Not used
AGENTSTATUS REPORTER_TZ_OFFSET int 4 ((0)) Time zone offset
ALERTS REQUESTEDACTION_IDX int 4 ((0)) Pointer to table 'actualaction'; this is the action requested by the policy
V_ALERTS REQUESTEDACTION_IDX int 4
AGENT_BEHAVIOR_LOG_1 RESERVED_INT1 int 4  √  null
AGENT_BEHAVIOR_LOG_2 RESERVED_INT1 int 4  √  null
AGENT_PACKET_LOG_1 RESERVED_INT1 int 4  √  null
AGENT_PACKET_LOG_2 RESERVED_INT1 int 4  √  null
AGENT_SECURITY_LOG_1 RESERVED_INT1 int 4  √  null
AGENT_SECURITY_LOG_2 RESERVED_INT1 int 4  √  null
AGENT_SYSTEM_LOG_1 RESERVED_INT1 int 4  √  null
AGENT_SYSTEM_LOG_2 RESERVED_INT1 int 4  √  null
AGENT_TRAFFIC_LOG_1 RESERVED_INT1 int 4  √  null
AGENT_TRAFFIC_LOG_2 RESERVED_INT1 int 4  √  null
BASIC_METADATA RESERVED_INT1 int 4  √  null
BINARY_FILE RESERVED_INT1 int 4  √  null
COMMAND RESERVED_INT1 int 4  √  null
COMPUTER_APPLICATION RESERVED_INT1 int 4  √  null
ENFORCER_CLIENT_LOG_1 RESERVED_INT1 int 4  √  null
ENFORCER_CLIENT_LOG_2 RESERVED_INT1 int 4  √  null
ENFORCER_SYSTEM_LOG_1 RESERVED_INT1 int 4  √  null
ENFORCER_SYSTEM_LOG_2 RESERVED_INT1 int 4  √  null
ENFORCER_TRAFFIC_LOG_1 RESERVED_INT1 int 4  √  null
ENFORCER_TRAFFIC_LOG_2 RESERVED_INT1 int 4  √  null
IDENTITY_MAP RESERVED_INT1 int 4  √  null
LAN_DEVICE_DETECTED RESERVED_INT1 int 4  √  null
LAN_DEVICE_EXCLUDED RESERVED_INT1 int 4  √  null
LEGACY_AGENT RESERVED_INT1 int 4  √  null
LOCAL_METADATA RESERVED_INT1 int 4  √  null
LOG_CONFIG RESERVED_INT1 int 4  √  null
REPORTS RESERVED_INT1 int 4  √  null
SEM_AGENT RESERVED_INT1 int 4  √  null
SEM_APPLICATION RESERVED_INT1 int 4  √  null
SEM_CLIENT RESERVED_INT1 int 4  √  null
SEM_COMPUTER RESERVED_INT1 int 4  √  null
SEM_JOB RESERVED_INT1 int 4  √  null
SEM_SVA RESERVED_INT1 int 4  √  null
SEM_SVA_CLIENT RESERVED_INT1 int 4  √  null
SEM_SVA_COMPUTER RESERVED_INT1 int 4  √  null
SERVER_ADMIN_LOG_1 RESERVED_INT1 int 4  √  null
SERVER_ADMIN_LOG_2 RESERVED_INT1 int 4  √  null
SERVER_CLIENT_LOG_1 RESERVED_INT1 int 4  √  null
SERVER_CLIENT_LOG_2 RESERVED_INT1 int 4  √  null
SERVER_ENFORCER_LOG_1 RESERVED_INT1 int 4  √  null
SERVER_ENFORCER_LOG_2 RESERVED_INT1 int 4  √  null
SERVER_POLICY_LOG_1 RESERVED_INT1 int 4  √  null
SERVER_POLICY_LOG_2 RESERVED_INT1 int 4  √  null
SERVER_SYSTEM_LOG_1 RESERVED_INT1 int 4  √  null
SERVER_SYSTEM_LOG_2 RESERVED_INT1 int 4  √  null
SYSTEM_STATE RESERVED_INT1 int 4  √  null
V_AGENT_BEHAVIOR_LOG RESERVED_INT1 int 4  √  null
V_AGENT_PACKET_LOG RESERVED_INT1 int 4  √  null
V_AGENT_SECURITY_LOG RESERVED_INT1 int 4  √  null
V_AGENT_SYSTEM_LOG RESERVED_INT1 int 4  √  null
V_AGENT_TRAFFIC_LOG RESERVED_INT1 int 4  √  null
V_DOMAINS RESERVED_INT1 int 4  √  null
V_ENFORCER_CLIENT_LOG RESERVED_INT1 int 4  √  null
V_ENFORCER_SYSTEM_LOG RESERVED_INT1 int 4  √  null
V_ENFORCER_TRAFFIC_LOG RESERVED_INT1 int 4  √  null
V_GROUPS RESERVED_INT1 int 4  √  null
V_LAN_DEVICE_DETECTED RESERVED_INT1 int 4  √  null
V_LAN_DEVICE_EXCLUDED RESERVED_INT1 int 4  √  null
V_SEM_COMPUTER RESERVED_INT1 int 4  √  null
V_SERVER_ADMIN_LOG RESERVED_INT1 int 4  √  null
V_SERVER_CLIENT_LOG RESERVED_INT1 int 4  √  null
V_SERVER_ENFORCER_LOG RESERVED_INT1 int 4  √  null
V_SERVER_POLICY_LOG RESERVED_INT1 int 4  √  null
V_SERVER_SYSTEM_LOG RESERVED_INT1 int 4  √  null
V_SERVERS RESERVED_INT1 int 4  √  null
AGENT_BEHAVIOR_LOG_1 RESERVED_INT2 int 4  √  null
AGENT_BEHAVIOR_LOG_2 RESERVED_INT2 int 4  √  null
AGENT_PACKET_LOG_1 RESERVED_INT2 int 4  √  null
AGENT_PACKET_LOG_2 RESERVED_INT2 int 4  √  null
AGENT_SECURITY_LOG_1 RESERVED_INT2 int 4  √  null
AGENT_SECURITY_LOG_2 RESERVED_INT2 int 4  √  null
AGENT_SYSTEM_LOG_1 RESERVED_INT2 int 4  √  null
AGENT_SYSTEM_LOG_2 RESERVED_INT2 int 4  √  null
AGENT_TRAFFIC_LOG_1 RESERVED_INT2 int 4  √  null
AGENT_TRAFFIC_LOG_2 RESERVED_INT2 int 4  √  null
BASIC_METADATA RESERVED_INT2 int 4  √  null
BINARY_FILE RESERVED_INT2 int 4  √  null
COMMAND RESERVED_INT2 int 4  √  null
COMPUTER_APPLICATION RESERVED_INT2 int 4  √  null
ENFORCER_CLIENT_LOG_1 RESERVED_INT2 int 4  √  null
ENFORCER_CLIENT_LOG_2 RESERVED_INT2 int 4  √  null
ENFORCER_SYSTEM_LOG_1 RESERVED_INT2 int 4  √  null
ENFORCER_SYSTEM_LOG_2 RESERVED_INT2 int 4  √  null
ENFORCER_TRAFFIC_LOG_1 RESERVED_INT2 int 4  √  null
ENFORCER_TRAFFIC_LOG_2 RESERVED_INT2 int 4  √  null
IDENTITY_MAP RESERVED_INT2 int 4  √  null
LAN_DEVICE_DETECTED RESERVED_INT2 int 4  √  null
LAN_DEVICE_EXCLUDED RESERVED_INT2 int 4  √  null
LEGACY_AGENT RESERVED_INT2 int 4  √  null
LOCAL_METADATA RESERVED_INT2 int 4  √  null
LOG_CONFIG RESERVED_INT2 int 4  √  null
REPORTS RESERVED_INT2 int 4  √  null
SEM_AGENT RESERVED_INT2 int 4  √  null
SEM_APPLICATION RESERVED_INT2 int 4  √  null
SEM_CLIENT RESERVED_INT2 int 4  √  null
SEM_COMPUTER RESERVED_INT2 int 4  √  null
SEM_JOB RESERVED_INT2 int 4  √  null
SEM_SVA RESERVED_INT2 int 4  √  null
SEM_SVA_CLIENT RESERVED_INT2 int 4  √  null
SEM_SVA_COMPUTER RESERVED_INT2 int 4  √  null
SERVER_ADMIN_LOG_1 RESERVED_INT2 int 4  √  null
SERVER_ADMIN_LOG_2 RESERVED_INT2 int 4  √  null
SERVER_CLIENT_LOG_1 RESERVED_INT2 int 4  √  null
SERVER_CLIENT_LOG_2 RESERVED_INT2 int 4  √  null
SERVER_ENFORCER_LOG_1 RESERVED_INT2 int 4  √  null
SERVER_ENFORCER_LOG_2 RESERVED_INT2 int 4  √  null
SERVER_POLICY_LOG_1 RESERVED_INT2 int 4  √  null
SERVER_POLICY_LOG_2 RESERVED_INT2 int 4  √  null
SERVER_SYSTEM_LOG_1 RESERVED_INT2 int 4  √  null
SERVER_SYSTEM_LOG_2 RESERVED_INT2 int 4  √  null
SYSTEM_STATE RESERVED_INT2 int 4  √  null
V_AGENT_BEHAVIOR_LOG RESERVED_INT2 int 4  √  null
V_AGENT_PACKET_LOG RESERVED_INT2 int 4  √  null
V_AGENT_SECURITY_LOG RESERVED_INT2 int 4  √  null
V_AGENT_SYSTEM_LOG RESERVED_INT2 int 4  √  null
V_AGENT_TRAFFIC_LOG RESERVED_INT2 int 4  √  null
V_DOMAINS RESERVED_INT2 int 4  √  null
V_ENFORCER_CLIENT_LOG RESERVED_INT2 int 4  √  null
V_ENFORCER_SYSTEM_LOG RESERVED_INT2 int 4  √  null
V_ENFORCER_TRAFFIC_LOG RESERVED_INT2 int 4  √  null
V_GROUPS RESERVED_INT2 int 4  √  null
V_LAN_DEVICE_DETECTED RESERVED_INT2 int 4  √  null
V_LAN_DEVICE_EXCLUDED RESERVED_INT2 int 4  √  null
V_SEM_COMPUTER RESERVED_INT2 int 4  √  null
V_SERVER_ADMIN_LOG RESERVED_INT2 int 4  √  null
V_SERVER_CLIENT_LOG RESERVED_INT2 int 4  √  null
V_SERVER_ENFORCER_LOG RESERVED_INT2 int 4  √  null
V_SERVER_POLICY_LOG RESERVED_INT2 int 4  √  null
V_SERVER_SYSTEM_LOG RESERVED_INT2 int 4  √  null
V_SERVERS RESERVED_INT2 int 4  √  null
PATTERN REVISION int 4 ((0)) Revision number for this content
V_IPS REVISION int 4
HISTORYCONFIG RUNHOURS int 4 ((24)) Repeat schedule for this report in hours, for example:
1 = Every 1 hour
24 = Every 1 day
168 = Every week
720 = Every month
ALERTS SECONDARYACTION_IDX int 4 ((0)) Pointer to table 'actualaction'; this is the secondary action requested by the policy
V_ALERTS SECONDARYACTION_IDX int 4
NOTIFICATION SECURITY_EVENT int 4 ((0)) Which buckets of security events
HPP_ALERTS SENSITIVITY int 4 ((0)) The engine sensitivity setting that produced the detection (0...100)
PATTERN SEQUENCE int 4 ((0)) Sequence number associated with this definition
SEM_CONTENT SEQUENCE int 4 ((0))
V_IPS SEQUENCE int 4
V_MR_CLEAN SEQUENCE int 4
V_SEM_CONTENT SEQUENCE int 4
V_SONAR SEQUENCE int 4
THREATREPORT SERVERGROUPINCLUDE int 4 ('0') Whether to include (1) or exclude (0) the domains in the list. (Always set to 1 in SAV 11.0.)
AGENT_BEHAVIOR_LOG_1 SEVERITY int 4 The seriousness of the event
0 is most serious
AGENT_BEHAVIOR_LOG_2 SEVERITY int 4 The seriousness of the event
0 is most serious
AGENT_SECURITY_LOG_1 SEVERITY int 4 It is severity defined in Security Rule.
Critical = 0 - 3
Major = 4 - 7
Minor = 8 - 11
Info = 12 - 15
AGENT_SECURITY_LOG_2 SEVERITY int 4 It is severity defined in Security Rule.
Critical = 0 - 3
Major = 4 - 7
Minor = 8 - 11
Info = 12 - 15
AGENT_SYSTEM_LOG_1 SEVERITY int 4 The type of event. Possible values are: INFO = 0, WARNING = 1, ERROR = 2, FATAL = 3
AGENT_SYSTEM_LOG_2 SEVERITY int 4 The type of event. Possible values are: INFO = 0, WARNING = 1, ERROR = 2, FATAL = 3
AGENT_TRAFFIC_LOG_1 SEVERITY int 4 Severity as defined in the Security Rule.
Critical = 0 - 3
Major = 4 - 7
Minor = 8 - 11
Info = 12 - 15
AGENT_TRAFFIC_LOG_2 SEVERITY int 4 Severity as defined in the Security Rule.
Critical = 0 - 3
Major = 4 - 7
Minor = 8 - 11
Info = 12 - 15
BEHAVIOR_REPORT SEVERITY int 4  √  (NULL) 1 = Critical
5 = Major
9 = Minor
13 = Information
COMPLIANCE_REPORT SEVERITY int 4  √  (NULL) 1 = Critical (which filters on SEVERITY >= 0 AND SEVERITY <= 3)
5 = Major (which filters on SEVERITY >= 4 AND SEVERITY <= 7)
9 = Minor (which filters on SEVERITY >= 8 AND SEVERITY <= 11)
13 = Info (which filters on SEVERITY >= 12 AND SEVERITY <= 15)
ENFORCER_SYSTEM_LOG_1 SEVERITY int 4 The type of event. Possible values are:
0 = INFO
1 = WARNING
2 = ERROR
3 = FATAL
ENFORCER_SYSTEM_LOG_2 SEVERITY int 4 The type of event. Possible values are:
0 = INFO
1 = WARNING
2 = ERROR
3 = FATAL
FIREWALL_REPORT SEVERITY int 4  √  (NULL) 1 = Critical, 5 = Major, 9 = Minor, 13 = Info
SERVER_ADMIN_LOG_1 SEVERITY int 4 Enum (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST)
SERVER_ADMIN_LOG_2 SEVERITY int 4 Enum (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST)
SERVER_SYSTEM_LOG_1 SEVERITY int 4 Enum (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST):
>= 400 is Finer and above
>=500 is Fine and above
>=700 is Configuration and above
>=800 is Informational and above
>=900 is Warning and above
>=1000 is Severe and above
SERVER_SYSTEM_LOG_2 SEVERITY int 4 Enum (SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST):
>= 400 is Finer and above
>=500 is Fine and above
>=700 is Configuration and above
>=800 is Informational and above
>=900 is Warning and above
>=1000 is Severe and above
SYSTEM_REPORT SEVERITY int 4  √  (NULL) For Administrative, Client-Server and Server activity:
1000 = Error and above
900 = Warning and above
800 = Informational and above
-1 = No filter (all)

For Enforcer activity and Client activity:
0 = Informational and above
1 = Warning and above
2 = Error and above
3 = Fatal
-1 = No filter (all)
V_AGENT_BEHAVIOR_LOG SEVERITY int 4
V_AGENT_SECURITY_LOG SEVERITY int 4
V_AGENT_SYSTEM_LOG SEVERITY int 4
V_AGENT_TRAFFIC_LOG SEVERITY int 4
V_ENFORCER_SYSTEM_LOG SEVERITY int 4
V_SERVER_ADMIN_LOG SEVERITY int 4
V_SERVER_SYSTEM_LOG SEVERITY int 4
COMMAND STATE_ID int 4 ((0)) Command status: a numeric value corresponding to one of
0 = INITIAL
1 = RECEIVED
2 = IN_PROGRESS
3 = COMPLETED
4 = REJECTED
5 = CANCELLED
6 = ERROR

When first created, command status = INITIAL. It indicates that the endpoint has not received it yet.
COMMAND_REPORT STATE_ID int 4  √  (NULL) Command status
0 = Not received
1 = Received
2 = In progress
3 = Completed
4 = Rejected
5 = Canceled
6 = Error
ANOMALYDETECTIONS STATUS int 4 Scan detection status. Currently always 1 to mean "successful detection performed". Other values are reserved for future use.
ANOMALYREMEDIATIONS STATUS int 4 1 = successful remediation, 0 = failed remediation, no default.
PROCESS_STATE STATUS int 4 Virus definition
PROCESS_STATE_NA = -1
PROCESS_STATE_UNLOCKED = 0
PROCESS_STATE_LOCKED = 1
V_VIRUS STEALTH int 4
VIRUS STEALTH int 4 ((-1)) Assesses how easy it is to determine if a security risk is present on a computer. 0 = No rating, 1, 2 = Low, 3 = Medium, 4 >= High, -1 means not applicable. This rating is only applicable to non-viral threats.
COMMAND SUB_STATE_ID int 4  √  null Command-specific status:
-1 = Unknown
0 = Success
1 = Client did not execute the command
2 = Client did not report any status
3 = Command was a duplicate and not executed
4 = Spooled command could not restart
5 = Restart command not allowed from the console
6 = Unexpected error
100 = Success
101 = Security risk found
102 = Scan was suspended
103 = Scan was aborted
105 = Scan did not return status
106 = Scan failed to start
110 = Auto-Protect could not be turned on
120 = LiveUpdate download is in progress
121 = LiveUpdate download failed
131 = Quarantine delete failed
132 = Quarantine delete partial success
COMMAND_REPORT SUB_STATE_ID int 4  √  (NULL) Status Details
-1 = Unknown
0 = Success
1 = Client did not execute the command
2 = Client did not report any status
3 = Command was a duplicate and not executed
4 = Spooled command could not restart
5 = Restart command not allowed from the console
6 = Unexpected error
101 = Security risk found
102 = Scan was suspended
103 = Scan was aborted
105 = Scan did not return status
106 = Scan failed to start
110 = Auto-Protect could not be turned on
120 = LiveUpdate download is in progress
121 = LiveUpdate download failed
131 = Quarantine delete failed
132 = Quarantine delete partial success
NOTIFICATION SYSTEM_EVENT int 4 ((0)) Which buckets of system events
AGENT_BEHAVIOR_LOG_1 TEST_MODE int 4  √  null Was this rule run in test mode?
0 = No, Else = Yes
AGENT_BEHAVIOR_LOG_2 TEST_MODE int 4  √  null Was this rule run in test mode?
0 = No, Else = Yes
V_AGENT_BEHAVIOR_LOG TEST_MODE int 4  √  null
THREATREPORT THREATINCLUDE int 4 ('0') Whether to include (1) or exclude (0) the risks in the list. (Always set to 1 in SAV 11.0.)
SCANREPORT THREATS int 4 ('0') Number of risks the scan found
THREATREPORT THREATTYPEINCLUDE int 4 ('0') Whether to include (1) or exclude (0) the risk types in the list (Always set to 1 in SAV 11.0.)
LOG_CONFIG THRESHOLD int 4 ((10000)) Threshold of the log count
SEM_AGENT TIMEZONE int 4 ((0)) Time zone offset of the client computer
SEM_SVA TIMEZONE int 4 ((0))
ENFORCER_TRAFFIC_LOG_1 TOTAL_BYTES int 4 The total length of all packets in the traffic
ENFORCER_TRAFFIC_LOG_2 TOTAL_BYTES int 4 The total length of all packets in the traffic
V_ENFORCER_TRAFFIC_LOG TOTAL_BYTES int 4
SEM_COMPUTER TPM_DEVICE int 4  √  null TPM device id
SEM_SVA_COMPUTER TPM_DEVICE int 4  √  null
V_SEM_COMPUTER TPM_DEVICE int 4  √  null
V_VIRUS TYPE int 4  √  null
VIRUS TYPE int 4  √  (NULL) Threat type:
0 = Viral
1 = Non-Viral malicious
2 = Malicious
3 = Antivirus - Heuristic
4 = Security risk
5 = Hack tool
6 = Spyware
7 = Trackware
8 = Dialer
9 = Remote access
10 = Adware
11 = Jokeware
12 = Client compliancy
13 = Generic load point
14 = Proactive Threat Scan - Heuristic
15 = Cookie
V_VIRUS TYPE2 int 4  √  null
VIRUS TYPE2 int 4  √  (NULL) Threat location:
0 = Boot virus
1 = File virus
2 = Mutation virus
3 = Macro virus
4 = File virus
5 = File virus
6 = Memory virus
7 = Memory OS virus
8 = Memory mcb virus
9 = Memory highest virus
11 = Virus behavior
12 = Virus behavior
13 = Compressed file
14 = Heuristic
HISTORYCONFIG TZ_OFFSET int 4 ((0)) Time zone offset from when the admin created the scheduled report so that data can be formatted to the administrator's local time
NOTIFICATION TZ_OFFSET int 4 ((0)) Time zone when admin created the notification so that e-mailed reports can display dates in admin's local time zone.
SEM_SVA VSIC_CACHE_SIZE int 4 ((0))
SEM_SVA VSIC_REQUESTS_NUM int 4 ((0))
SEM_SVA VSIC_SUBMITS_NUM int 4 ((0))
AGENTCONFIG WARNAFTER_VALUE int 4 ((0)) Time of agent inactivity after which a warning will be raised
THREATREPORT WEB_DOMAIN_INCLUDE int 4 ((0)) Whether the Web domain filter is in use or not for this particular saved filter. This is not currently used.
HPP_ALERTS WHITELIST_REASON int 4 ((0)) 0 = Not on the permitted application list
100 = Symantec permitted application list
101 = Administrator permitted application list
102 = User permitted application list
INVENTORYREPORT WORSTINFECTION_IDX int 4  √  ((-1)) Not used
SEM_AGENT WORSTINFECTION_IDX int 4 ((9999)) Worst detection:
0 = (Severity 0) Viral
1 = (Severity 1) Non-Viral malicious
2 = (Severity 2) Malicious
3 = (Severity 3) Antivirus - Heuristic
5 = (Severity 5) Hack tool
6 = (Severity 6) Spyware
7 = (Severity 7) Trackware
8 = (Severity 8) Dialer
9 = (Severity 9) Remote access
10 = (Severity 10) Adware
11 = (Severity 11) Jokeware
12 = (Severity 12) Client compliancy
13 = (Severity 13) Generic load point
14 = (Severity 14) Proactive Threat Scan - Heuristic
15 = (Severity 15) Cookie
9999 = No detections
NOTIFICATION XMINUTES int 4 ((0)) Time window in which ntimes events must occur to trigger the notification
HPP_ALERTS WEB_DOMAIN nvarchar 126 ('') Web domain
THREATREPORT WEB_DOMAIN nvarchar 126 ('%') Risk report filter for Web domain name
AGENT_SECURITY_LOG_1 AGENT_VERSION nvarchar 128  √  null Agent version number of client
AGENT_SECURITY_LOG_2 AGENT_VERSION nvarchar 128  √  null Agent version number of client
SEM_AGENT AGENT_VERSION nvarchar 128  √  null Version of agent software
V_AGENT_SECURITY_LOG AGENT_VERSION nvarchar 128  √  null
NOTIFICATION BATCH_FILE_NAME nvarchar 128 ('') Batch file or executable to be executed when the notification is triggered
SCANS CLIENTUSER1 nvarchar 128 ('') User who was logged in when scan started
SCANS CLIENTUSER2 nvarchar 128 ('') User who was logged in when scan ended
SEM_CLIENT COMPUTER_NAME nvarchar 128  √  null Computer name
SEM_COMPUTER COMPUTER_NAME nvarchar 128  √  null Computer name
SEM_SVA_CLIENT COMPUTER_NAME nvarchar 128  √  null
SEM_SVA_COMPUTER COMPUTER_NAME nvarchar 128  √  null
V_CLIENT_CHANGE_LOG COMPUTER_NAME nvarchar 128  √  null
V_SEM_COMPUTER COMPUTER_NAME nvarchar 128  √  null
AGENTSTATUS MACHINE_NAME nvarchar 128 ('') Computer name of the client computer
SEM_OS_INFO OS_NAME nvarchar 128 Operating system name
SEM_OS_INFO OS_TYPE nvarchar 128  √  ('') Operating system type
SEM_COMPUTER PROCESSOR_TYPE nvarchar 128  √  null Processor type
SEM_SVA_COMPUTER PROCESSOR_TYPE nvarchar 128  √  null
V_SEM_COMPUTER PROCESSOR_TYPE nvarchar 128  √  null
AGENT_PACKET_LOG_1 REMOTE_HOST_NAME nvarchar 128  √  null The name of the remote computer (it may be empty if name resolution failed)
AGENT_PACKET_LOG_2 REMOTE_HOST_NAME nvarchar 128  √  null The name of the remote computer (it may be empty if name resolution failed)
AGENT_SECURITY_LOG_1 REMOTE_HOST_NAME nvarchar 128  √  null The name of the remote computer (it may be empty if name resolution failed)
AGENT_SECURITY_LOG_2 REMOTE_HOST_NAME nvarchar 128  √  null The name of the remote computer (it may be empty if name resolution failed)
AGENT_TRAFFIC_LOG_1 REMOTE_HOST_NAME nvarchar 128  √  null The name of the remote computer (it may be empty if name resolution failed)
AGENT_TRAFFIC_LOG_2 REMOTE_HOST_NAME nvarchar 128  √  null The name of the remote computer (it may be empty if name resolution failed)
V_AGENT_PACKET_LOG REMOTE_HOST_NAME nvarchar 128  √  null
V_AGENT_SECURITY_LOG REMOTE_HOST_NAME nvarchar 128  √  null
V_AGENT_TRAFFIC_LOG REMOTE_HOST_NAME nvarchar 128  √  null
ALERTFILTER REPORTINPUTS nvarchar 128 ('') Special parameters if report needs them
AUDIT_REPORT REPORTINPUTS nvarchar 128 ('') Special parameters if report needs them
BEHAVIOR_REPORT REPORTINPUTS nvarchar 128 ('') Special parameters if report needs them
COMMAND_REPORT REPORTINPUTS nvarchar 128 ('') Special parameters if report needs them
COMPLIANCE_REPORT REPORTINPUTS nvarchar 128 ('') Special parameters if report needs them
FIREWALL_REPORT REPORTINPUTS nvarchar 128 ('') Special parameters if report needs them
INVENTORYREPORT REPORTINPUTS nvarchar 128 ('') Special parameters if report needs them
SYSTEM_REPORT REPORTINPUTS nvarchar 128 ('') Special parameters if report needs them
INVENTORYREPORT SERVICE_PACK nvarchar 128 ('%') OS service pack or % for no filter (all)
SEM_COMPUTER SERVICE_PACK nvarchar 128  √  null Service pack
SEM_SVA_COMPUTER SERVICE_PACK nvarchar 128  √  null
V_SEM_COMPUTER SERVICE_PACK nvarchar 128  √  null
ALERTS SOURCE_COMPUTER_NAME nvarchar 128 ('') This is the source of the threat. This is logged when threat tracer is enabled in the AV policy.
V_ALERTS SOURCE_COMPUTER_NAME nvarchar 128
SEM_OS_INFO SPC_OS_NAME nvarchar 128  √  ('') Operating system name in SPC
SEM_OS_INFO SPC_OS_TYPE nvarchar 128  √  ('') Operating system type in SPC
SEM_OS_INFO SPC_OS_VERSION nvarchar 128  √  ('') Operating system version in SPC
SEM_SVA SVA_VERSION nvarchar 128  √  null
ALERTS USER_NAME nvarchar 128 ('') User logged into machine when event took place
V_ALERTS USER_NAME nvarchar 128
SEM_SVA VSIC_VERSION nvarchar 128  √  null
SEM_AGENT DEPARTMENT nvarchar 256  √  null Employee department
SEM_AGENT JOB_TITLE nvarchar 256  √  null Employee job title
SEM_OS_INFO OPERATING_SYSTEM nvarchar 256
SEM_COMPUTER OPERATION_SYSTEM nvarchar 256  √  null Operating system name
SEM_SVA_COMPUTER OPERATION_SYSTEM nvarchar 256  √  null
V_SEM_COMPUTER OPERATION_SYSTEM nvarchar 256  √  null
PATTERN PATTERN_TYPE nvarchar 256 ('') Virus definition = VIRUS_DEFS
DECABI
DEUCE_SIG
ERASER_ENGINE
PTS_CONTENT
PTS_ENGINE
SYKNAPPS_CAL
SYKNAPPS_ENGINE
SYKNAPPS_WHITELIST
V_IPS PATTERN_TYPE nvarchar 256
V_MR_CLEAN PATTERN_TYPE nvarchar 256
V_SONAR PATTERN_TYPE nvarchar 256
ENFORCER_CLIENT_LOG_1 REMOTE_HOST_INFO nvarchar 256  √  null Remote host information
ENFORCER_CLIENT_LOG_2 REMOTE_HOST_INFO nvarchar 256  √  null Remote host information
V_ENFORCER_CLIENT_LOG REMOTE_HOST_INFO nvarchar 256  √  null
SEM_AGENT EMAIL nvarchar 258  √  null Employee email
OAUTH_CLIENT_DETAILS APP_NAME nvarchar 400  √  null
SERVER_ADMIN_LOG_1 ADMIN_NAME nvarchar 500 Administrator name
SERVER_ADMIN_LOG_2 ADMIN_NAME nvarchar 500 Administrator name
V_SERVER_ADMIN_LOG ADMIN_NAME nvarchar 500
BEHAVIOR_REPORT CALLERPROCESSLIST nvarchar 510 ('') Comma-separated, wild-carded process names by which to filter
VIRUSCATEGORY CATEGORY_DESC nvarchar 510 ('') Category description, Category_Desc (English string key used for lookup)
0 = Viral
1 = Non-Viral malicious
2 = Malicious
3 = Heuristic
/* 4 = Security risk */
5 = Hack tool
6 = Spyware
7 = Trackware
8 = Dialer
9 = Remote access
10 = Adware
11 = Jokeware
12 = Client compliancy
13 = Generic load point
14 = ApplicationHeuristic
15 = Cookie
ALERTFILTER CLIENTGROUP nvarchar 510 ('') Not used
NOTIFICATION CLIENTGROUP nvarchar 510 ('%') Name of client group(s) to which this notification applies (Comma-separated list, wild-cards allowed)
BEHAVIOR_REPORT CLIENTGROUPLIST nvarchar 510 ('') Comma-separated, wild-carded group names by which to filter
COMPLIANCE_REPORT CLIENTGROUPLIST nvarchar 510 ('') Comma-separated, wild-carded group names by which to filter
FIREWALL_REPORT CLIENTGROUPLIST nvarchar 510 ('') Comma-separated, wild-carded group names by which to filter
INVENTORYREPORT CLIENTGROUPLIST nvarchar 510 ('%') Comma-separated, wild-carded list of group names by which to filter
SCANREPORT CLIENTGROUPLIST nvarchar 510 ('%') Comma-separated, wild-carded list of client groups by which to filter
SYSTEM_REPORT CLIENTGROUPLIST nvarchar 510 ('') Comma separated, wild-card group names by which to filter
THREATREPORT CLIENTGROUPLIST nvarchar 510 ('%') Comma-separated, wild-carded list of client groups by which to filter
THREATREPORT CLIENTUSERLIST nvarchar 510 ('%') Comma-separated, wild-carded list of users by which to filter
ALERTFILTER COMPUTER nvarchar 510 ('') Not used
NOTIFICATION COMPUTER nvarchar 510 ('%') Name of computer(s) to which this notification applies (Comma-separated list, wild-cards allowed)
ALERTS DESCRIPTION nvarchar 510 ('')
HISTORYCONFIG DESCRIPTION nvarchar 510 ('') Admin-provided description for this report
V_ALERTS DESCRIPTION nvarchar 510
HISTORYCONFIG EMAIL nvarchar 510 ('') Comma-separated list of emails to send the report to
NOTIFICATION EMAIL nvarchar 510 ('') Comma-separated email list to send email when this notification is triggered
COMPLIANCE_REPORT ENFORCERLIST nvarchar 510 ('') Comma-separated, wild-carded Enforcer names by which to filter
SYSTEM_REPORT ENFORCERLIST nvarchar 510 ('') Comma separated Enforcer names by which to filter
SYSTEM_REPORT EVENT_DESC nvarchar 510 ('')
SYSTEM_REPORT EVENTSOURCELIST nvarchar 510 ('') Comma-separated event names by which to filter
INVENTORYCURRENTRISK1 FILENAME nvarchar 510 ('') Risk file name
ALERTS FILEPATH nvarchar 510 ('') File path of attacked file
V_ALERTS FILEPATH nvarchar 510
ALERTFILTER FILTERACKNOWLEDGED nvarchar 510 ('') 1 = Acknowledged
0 = Unacknowledged
ALERTFILTER FILTERCREATEDBY nvarchar 510 ('') GUID of the administrator who created any alert filters
ALERTFILTER FILTERNAME nvarchar 510 ('') User-specified name of filter
AUDIT_REPORT FILTERNAME nvarchar 510 ('')
BEHAVIOR_REPORT FILTERNAME nvarchar 510 ('')
COMMAND_REPORT FILTERNAME nvarchar 510 ('')
COMPLIANCE_REPORT FILTERNAME nvarchar 510 ('')
FIREWALL_REPORT FILTERNAME nvarchar 510 ('') Filter name
HISTORYCONFIG FILTERNAME nvarchar 510 ('Default') Filter used by this scheduled report
INVENTORYREPORT FILTERNAME nvarchar 510 ('')
SCANREPORT FILTERNAME nvarchar 510 ('')
SYSTEM_REPORT FILTERNAME nvarchar 510 ('')
THREATREPORT FILTERNAME nvarchar 510 ('')
ALERTFILTER FILTERSUBJECT nvarchar 510 ('') AF = Authentication failure
CL = Client list changed
CS = Client security alert
ED = Enforcer Down
WL = Forced or commercial application detected
LA = New learned application
NV = New risk detected
NS = New software package
VO = Virus outbreak
DF = Server health
1V = Single risk event
SE = System event
UM = Unmanaged computer
ID = Virus definitions out-of-date
THREATREPORT FROMUSERLIST nvarchar 510 ('%') Deprecated
THREATREPORT HPP_APP_LIST nvarchar 510 ('%') Comma-separated, wild-carded list of heuristic risks by which to filter
NOTIFICATION HYPERLINK2 nvarchar 510 ('/reports/FullReport.php') Hyperlink used to generate report
BEHAVIOR_REPORT IPADDRESSLIST nvarchar 510 ('') Comma-separated, wild-carded IP by which to filter
COMPLIANCE_REPORT IPADDRESSLIST nvarchar 510 ('') Comma-separated, wild-carded IP list by which to filter
FIREWALL_REPORT IPADDRESSLIST nvarchar 510 ('') Comma-separated, wild-carded IP list by which to filter
INVENTORYREPORT IPADDRESSLIST nvarchar 510 ('%') Comma-separated, wild-carded list of IP addresses by which to filter
SCANREPORT IPADDRESSLIST nvarchar 510 ('%') Comma-separated, wild-carded list of IP addresses by which to filter
SYSTEM_REPORT IPADDRESSLIST nvarchar 510 ('') Comma-separated wild-card IP addresses by which to filter
THREATREPORT IPADDRESSLIST nvarchar 510 ('%') Comma-separated, wild-carded list of IP addresses by which to filter
AGENTSTATUS LASTRUN_DATA nvarchar 510  √  (NULL) Extra data associated with the agent run if any
SCANS MESSAGE1 nvarchar 510 ('') Scan message when scan started
SCANS MESSAGE2 nvarchar 510 ('') Scan message when scan ended
HISTORYCONFIG NAME nvarchar 510 ('') Name of this scheduled report
NOTIFICATION NAME nvarchar 510 ('') Name of notification configuration
ALERTFILTER NOTIFICATIONNAME nvarchar 510 ('') Name of selected notification condition
ALERTFILTER PARENTSERVER nvarchar 510 ('') Not used
NOTIFICATION PARENTSERVER nvarchar 510 ('%') Name of parent server(s) to which this notification applies (Comma-separated list, wild-cards allowed)
AUDIT_REPORT PARENTSERVERLIST nvarchar 510 ('') Comma-separated, wild-carded server names by which to filter
BEHAVIOR_REPORT PARENTSERVERLIST nvarchar 510 ('') Comma-separated, wild-carded server names by which to filter
COMPLIANCE_REPORT PARENTSERVERLIST nvarchar 510 ('') Comma-separated, wild-carded server names by which to filter
FIREWALL_REPORT PARENTSERVERLIST nvarchar 510 ('') Comma-separated, wild-carded server names by which to filter
INVENTORYREPORT PARENTSERVERLIST nvarchar 510 ('%') Comma-separated, wild-carded list of server names by which to filter
SCANREPORT PARENTSERVERLIST nvarchar 510 ('%') Comma-separated, wild-carded list of parent servers by which to filter
SYSTEM_REPORT PARENTSERVERLIST nvarchar 510 ('') Comma-separated, wild-card server names by which to filter
THREATREPORT PARENTSERVERLIST nvarchar 510 ('%') Comma-separated, wild-carded list of SEPM servers by which to filter
AUDIT_REPORT POLICYNAMELIST nvarchar 510 ('') Comma-separated, wild-carded policy names by which to filter
SYSTEM_REPORT POLICYNAMELIST nvarchar 510 ('') Comma-separated, wild-card policy names by which to filter
COMPLIANCE_REPORT REMOTEHOSTLIST nvarchar 510 ('') Comma-separated, wild-carded remote computer names by which to filter
FIREWALL_REPORT REMOTEHOSTLIST nvarchar 510 ('') Comma-separated, wild-carded remote computer names by which to filter
FIREWALL_REPORT REMOTEIPADDRLIST nvarchar 510 ('') Comma-separated, wild-carded remote IP list by which to filter
COMPLIANCE_REPORT REMOTEIPLIST nvarchar 510 ('') Comma-separated, wild-carded remote IP list by which to filter
SCANREPORT REPORTINPUTS nvarchar 510 ('') Special parameters if report needs them
THREATREPORT REPORTINPUTS nvarchar 510 ('') Special parameters if report needs them
SCANREPORT SCANSTARTMESSAGE nvarchar 510 ('%') Scan description
SCFINVENTORY SCFPOLICYFILE nvarchar 510 ('')
ALERTFILTER SERVERGROUP nvarchar 510 ('') Not used
NOTIFICATION SERVERGROUP nvarchar 510 ('%') Name of server group(s) to which this notification applies (Comma-separated list, wild-cards allowed)
AUDIT_REPORT SERVERGROUPLIST nvarchar 510 ('') Comma-separated, wild-carded domain names by which to filter
BEHAVIOR_REPORT SERVERGROUPLIST nvarchar 510 ('') Comma-separated, wild-carded domain names by which to filter
COMPLIANCE_REPORT SERVERGROUPLIST nvarchar 510 ('') Comma-separated, wild-carded domain names by which to filter
FIREWALL_REPORT SERVERGROUPLIST nvarchar 510 ('') Comma-separated, wild-carded domain names by which to filter
INVENTORYREPORT SERVERGROUPLIST nvarchar 510 ('%') Comma-separated, wild-carded list of domain names by which to filter
SCANREPORT SERVERGROUPLIST nvarchar 510 ('%') Comma-separated, wild-carded list of server groups by which to filter
SYSTEM_REPORT SERVERGROUPLIST nvarchar 510 ('') Comma separated, wild-card domain names by which to filter
THREATREPORT SERVERGROUPLIST nvarchar 510 ('%') Comma-separated, wild-carded list of domains by which to filter
AUDIT_REPORT SITELIST nvarchar 510 ('') Comma-separated, wild-carded site names by which to filter
BEHAVIOR_REPORT SITELIST nvarchar 510 ('') Comma-separated, wild-carded site names by which to filter
COMPLIANCE_REPORT SITELIST nvarchar 510 ('') Comma-separated, wild-carded site names by which to filter
FIREWALL_REPORT SITELIST nvarchar 510 ('') Comma-separated, wild-carded site names by which to filter
INVENTORYREPORT SITELIST nvarchar 510 ('%') Comma-separated, wild-carded list of site names by which to filter
SYSTEM_REPORT SITELIST nvarchar 510 ('') Comma-separated, wild-card site names by which to filter
NOTIFICATIONALERTS SUBJECT nvarchar 510 ('') Subject of alert
THREATREPORT THREATLIST nvarchar 510 ('%') Comma-separated, wild-carded list of risks by which to filter
ALERTFILTER THREATNAME nvarchar 510 ('') Not used
VIRUSCATEGORY TRANSLATION nvarchar 510 ('') Translated name
ADMINUSER USER_NAME nvarchar 510 ('') User name of the admin
AUDIT_REPORT USERLIST nvarchar 510 ('') Comma-separated, wild-carded user names by which to filter
BEHAVIOR_REPORT USERLIST nvarchar 510 ('') Comma-separated, wild-carded user names by which to filter
COMPLIANCE_REPORT USERLIST nvarchar 510 ('') Comma-separated, wild-carded user names by which to filter
FIREWALL_REPORT USERLIST nvarchar 510 ('') Comma-separated, wild-carded user names by which to filter
INVENTORYREPORT USERLIST nvarchar 510 ('%') Comma-separated, wild-carded list of user names by which to filter
SCANREPORT USERLIST nvarchar 510 ('%') Comma-separated, wild-carded list of users by which to filter
SYSTEM_REPORT USERLIST nvarchar 510 ('') Comma-separated, wild-card user names by which to filter
GUIPARMS VALUE nvarchar 510 ('') Parameter value
HOMEPAGECONFIG VALUE nvarchar 510 ('') Parameter value
NOTIFICATION VIRUS nvarchar 510 ('%') Name of virus(es) to which this notification applies (Comma-separated list, wild-cards allowed)
V_VIRUS VIRUSNAME nvarchar 510
VIRUS VIRUSNAME nvarchar 510 ('') Name of virus / threat
AGENT_PACKET_LOG_1 APP_NAME nvarchar 512  √  null The full path name of the application involved. It may be empty if an unknown application is involved or if no application is involved. For example, the ping of death DoS attack does not have an AppName because it attacks the operating system.
AGENT_PACKET_LOG_2 APP_NAME nvarchar 512  √  null The full path name of the application involved. It may be empty if an unknown application is involved or if no application is involved. For example, the ping of death DoS attack does not have an AppName because it attacks the operating system.
AGENT_SECURITY_LOG_1 APP_NAME nvarchar 512  √  null The full path of the application involved. It may be empty if an unknown application is involved or if no application is involved. For example, the ping of death DoS attack does not have AppName because it attacks the operating system itself.
AGENT_SECURITY_LOG_2 APP_NAME nvarchar 512  √  null The full path of the application involved. It may be empty if an unknown application is involved or if no application is involved. For example, the ping of death DoS attack does not have AppName because it attacks the operating system itself.
AGENT_TRAFFIC_LOG_1 APP_NAME nvarchar 512  √  null The full path of application involved. It may be empty if an unknown application is involved or if no application is involved. For example, the ping of death DoS attack does not have AppName because it attacks the operating system itself.
AGENT_TRAFFIC_LOG_2 APP_NAME nvarchar 512  √  null The full path of application involved. It may be empty if an unknown application is involved or if no application is involved. For example, the ping of death DoS attack does not have AppName because it attacks the operating system itself.
V_AGENT_PACKET_LOG APP_NAME nvarchar 512  √  null
V_AGENT_SECURITY_LOG APP_NAME nvarchar 512  √  null
V_AGENT_TRAFFIC_LOG APP_NAME nvarchar 512  √  null
HPP_APPLICATION APP_VERSION nvarchar 512 ('') Application version
AGENT_BEHAVIOR_LOG_1 CALLER_PROCESS_NAME nvarchar 512  √  null The full path name of the application involved. It may be empty if the application is unknown, if the OS itself is involved, or if no application is involved. It may also be empty if the profile says "don't log application name in raw traffic log".
AGENT_BEHAVIOR_LOG_2 CALLER_PROCESS_NAME nvarchar 512  √  null The full path name of the application involved. It may be empty if the application is unknown, if the OS itself is involved, or if no application is involved. It may also be empty if the profile says "don't log application name in raw traffic log".
V_AGENT_BEHAVIOR_LOG CALLER_PROCESS_NAME nvarchar 512  √  null
AGENT_BEHAVIOR_LOG_1 CALLER_RETURN_MODULE_NAME nvarchar 512  √  null Module name of caller. See "CallerReturnAddress" for more information.
AGENT_BEHAVIOR_LOG_2 CALLER_RETURN_MODULE_NAME nvarchar 512  √  null Module name of caller. See CallerReturnAddress for more information.
V_AGENT_BEHAVIOR_LOG CALLER_RETURN_MODULE_NAME nvarchar 512  √  null
SEM_COMPUTER COMPUTER_DESCRIPTION nvarchar 512  √  null Domain name of the computer
SEM_SVA_COMPUTER COMPUTER_DESCRIPTION nvarchar 512  √  null
V_SEM_COMPUTER COMPUTER_DESCRIPTION nvarchar 512  √  null
SEM_CLIENT COMPUTER_DOMAIN_NAME nvarchar 512  √  null Computer description
SEM_COMPUTER COMPUTER_DOMAIN_NAME nvarchar 512  √  null Computer description
SEM_SVA_CLIENT COMPUTER_DOMAIN_NAME nvarchar 512  √  null
SEM_SVA_COMPUTER COMPUTER_DOMAIN_NAME nvarchar 512  √  null
V_CLIENT_CHANGE_LOG COMPUTER_DOMAIN_NAME nvarchar 512  √  null
V_SEM_COMPUTER COMPUTER_DOMAIN_NAME nvarchar 512  √  null
SEM_COMPUTER CURRENT_LOGIN_DOMAIN nvarchar 512  √  null Windows domain
V_SEM_COMPUTER CURRENT_LOGIN_DOMAIN nvarchar 512  √  null
SEM_COMPUTER CURRENT_LOGIN_USER nvarchar 512  √  null Logged in user
V_SEM_COMPUTER CURRENT_LOGIN_USER nvarchar 512  √  null
AGENT_BEHAVIOR_LOG_1 DESCRIPTION nvarchar 512  √  null What behavior was blocked
AGENT_BEHAVIOR_LOG_2 DESCRIPTION nvarchar 512  √  null What behavior was blocked
SEM_CLIENT DESCRIPTION nvarchar 512  √  null Domain name of the computer
SEM_COMPLIANCE_CRITERIA DESCRIPTION nvarchar 512 ('') Additional compliance check details. Either exception text or one of:
Checksum_blank = fingerprint value is empty
Failed_to_get_modification_date = failed to get modification date
NAN = not a number
Cannot_parse_URL = cannot parse URL
URL_not_accessible_or_failed_to_create_destination_file = URL not accessible or failed to create destination file
Download_exceeded_limit = download exceeded limit
Destination = destination file access violation
By_User = action initiated by user
Access_denied_by_server = access denied by server
Download_file = download file not found
Process_time_out = process timed out
Failed_to_detect_OS_type = failed to detect OS type
Application_name_is_empty = application name is empty
Probably_software_is_not_installed = probably software is not installed
Signature_age_in_seconds_failed = could not compute signature age
Failed_to_parse_URL = failed to parse URL
Missing_or_no_version_info = missing or no version information
After_script_file_running = after script file run
OS_ignore = operating system check was ignored
Save_failed = save failed
No_previous_time = no previous time
OK_or_YES = user response was OK or Yes
Cancel_or_NO = user response was Cancel or No
Fail_to_get_current_OS_language_version = could not retrieve current operating system language
SEM_COMPLIANCE_CRITERIA_2 DESCRIPTION nvarchar 512 ('')
SEM_SVA_CLIENT DESCRIPTION nvarchar 512  √  null
V_AGENT_BEHAVIOR_LOG DESCRIPTION nvarchar 512  √  null
AGENT_BEHAVIOR_LOG_1 DOMAIN_NAME nvarchar 512  √  null Login (Windows) domain name
AGENT_BEHAVIOR_LOG_2 DOMAIN_NAME nvarchar 512  √  null Login (Windows) domain name
AGENT_SECURITY_LOG_1 DOMAIN_NAME nvarchar 512  √  null Login domain name
AGENT_SECURITY_LOG_2 DOMAIN_NAME nvarchar 512  √  null Login domain name
AGENT_TRAFFIC_LOG_1 DOMAIN_NAME nvarchar 512  √  null Login domain name
AGENT_TRAFFIC_LOG_2 DOMAIN_NAME nvarchar 512  √  null Login domain name
SERVER_CLIENT_LOG_1 DOMAIN_NAME nvarchar 512  √  null Domain name of the client
SERVER_CLIENT_LOG_2 DOMAIN_NAME nvarchar 512  √  null Domain name of the client
V_AGENT_BEHAVIOR_LOG DOMAIN_NAME nvarchar 512  √  null
V_AGENT_SECURITY_LOG DOMAIN_NAME nvarchar 512  √  null
V_AGENT_TRAFFIC_LOG DOMAIN_NAME nvarchar 512  √  null
V_SERVER_CLIENT_LOG DOMAIN_NAME nvarchar 512  √  null
AGENT_BEHAVIOR_LOG_1 ENCODED_API_NAME nvarchar 512  √  null
AGENT_BEHAVIOR_LOG_2 ENCODED_API_NAME nvarchar 512  √  null
V_AGENT_BEHAVIOR_LOG ENCODED_API_NAME nvarchar 512  √  null
ENFORCER_CLIENT_LOG_1 EVENT_DESC nvarchar 512  √  null Description of the event. Usually, the first line of the description is treated as the summary.
ENFORCER_CLIENT_LOG_2 EVENT_DESC nvarchar 512  √  null Description of the event. Usually, the first line of the description is treated as the summary.
ENFORCER_SYSTEM_LOG_1 EVENT_DESC nvarchar 512  √  null Description of the event. Usually, the first line of the description is treated as the summary.
ENFORCER_SYSTEM_LOG_2 EVENT_DESC nvarchar 512  √  null Description of the event. Usually, the first line of the description is treated as the summary.
SERVER_ADMIN_LOG_1 EVENT_DESC nvarchar 512  √  null Description of the event. Usually, the first line of the description is treated as the summary.
SERVER_ADMIN_LOG_2 EVENT_DESC nvarchar 512  √  null Description of the event. Usually, the first line of the description is treated as the summary.
SERVER_POLICY_LOG_1 EVENT_DESC nvarchar 512  √  null Description of the event. Usually, the first line of the description is treated as the summary.
SERVER_POLICY_LOG_2 EVENT_DESC nvarchar 512  √  null Description of the event. Usually, the first line of the description is treated as the summary.
V_ENFORCER_CLIENT_LOG EVENT_DESC nvarchar 512  √  null
V_ENFORCER_SYSTEM_LOG EVENT_DESC nvarchar 512  √  null
V_SERVER_ADMIN_LOG EVENT_DESC nvarchar 512  √  null
V_SERVER_POLICY_LOG EVENT_DESC nvarchar 512  √  null
SEM_AGENT FULL_NAME nvarchar 512  √  null Employee full name
SEM_CLIENT FULL_NAME nvarchar 512  √  null User full name
AGENT_BEHAVIOR_LOG_1 HOST_NAME nvarchar 512  √  null Host Name of client computer
AGENT_BEHAVIOR_LOG_2 HOST_NAME nvarchar 512  √  null Host Name of client computer
AGENT_PACKET_LOG_1 HOST_NAME nvarchar 512  √  null Host Name of client computer
AGENT_PACKET_LOG_2 HOST_NAME nvarchar 512  √  null Host Name of client computer
AGENT_SECURITY_LOG_1 HOST_NAME nvarchar 512  √  null Host Name of client computer
AGENT_SECURITY_LOG_2 HOST_NAME nvarchar 512  √  null Host Name of client computer
AGENT_SYSTEM_LOG_1 HOST_NAME nvarchar 512  √  null Host Name of the client computer
AGENT_SYSTEM_LOG_2 HOST_NAME nvarchar 512  √  null Host Name of the client computer
AGENT_TRAFFIC_LOG_1 HOST_NAME nvarchar 512  √  null Host Name of the client computer
AGENT_TRAFFIC_LOG_2 HOST_NAME nvarchar 512  √  null Host Name of the client computer
SERVER_CLIENT_LOG_1 HOST_NAME nvarchar 512  √  null Computer name of the client
SERVER_CLIENT_LOG_2 HOST_NAME nvarchar 512  √  null Computer name of the client
V_AGENT_BEHAVIOR_LOG HOST_NAME nvarchar 512  √  null
V_AGENT_PACKET_LOG HOST_NAME nvarchar 512  √  null
V_AGENT_SECURITY_LOG HOST_NAME nvarchar 512  √  null
V_AGENT_SYSTEM_LOG HOST_NAME nvarchar 512  √  null
V_AGENT_TRAFFIC_LOG HOST_NAME nvarchar 512  √  null
V_SERVER_CLIENT_LOG HOST_NAME nvarchar 512  √  null
AGENT_SECURITY_LOG_1 LOCATION_NAME nvarchar 512  √  null The location in use when the event occurred
AGENT_SECURITY_LOG_2 LOCATION_NAME nvarchar 512  √  null The location in use when the event occurred
AGENT_TRAFFIC_LOG_1 LOCATION_NAME nvarchar 512  √  null The location in use when the event occurred
AGENT_TRAFFIC_LOG_2 LOCATION_NAME nvarchar 512  √  null The location in use when the event occurred
V_AGENT_SECURITY_LOG LOCATION_NAME nvarchar 512  √  null
V_AGENT_TRAFFIC_LOG LOCATION_NAME nvarchar 512  √  null
INVENTORYCURRENTRISK1 LOGON_USER nvarchar 512  √  null User who was logged on when risk was first detected
AGENT_BEHAVIOR_LOG_1 PARAMETER nvarchar 512  √  null Parameters that were used in the API call. Each parameter was converted to string format and separated by one space character. Double quotation mark characters within the string are escaped with a \ character.
AGENT_BEHAVIOR_LOG_2 PARAMETER nvarchar 512  √  null Parameters that were used in the API call. Each parameter was converted to string format and separated by one space character. Double quotation mark characters within the string are escaped with a \ character.
V_AGENT_BEHAVIOR_LOG PARAMETER nvarchar 512  √  null
ENFORCER_CLIENT_LOG_1 REMOTE_HOST nvarchar 512  √  null Remote host name
ENFORCER_CLIENT_LOG_2 REMOTE_HOST nvarchar 512  √  null Remote host name
V_ENFORCER_CLIENT_LOG REMOTE_HOST nvarchar 512  √  null
AGENT_BEHAVIOR_LOG_1 RULE_NAME nvarchar 512  √  null Name of the rule that was triggered by the event. If not specified in the security rule, an empty string. Useful for troubleshooting. In theory, a rule can be recognized by the rule ID. Rule name, however, can help provide quicker recognition.
AGENT_BEHAVIOR_LOG_2 RULE_NAME nvarchar 512  √  null Name of the rule that was triggered by the event. If not specified in the security rule, an empty string. Useful for troubleshooting. In theory, a rule can be recognized by the rule ID. Rule name, however, can help provide quicker recognition.
AGENT_PACKET_LOG_1 RULE_NAME nvarchar 512  √  null Name of the rule that was triggered by the event. If not specified in the security rule, an empty string. Useful for troubleshooting. In theory, a rule can be recognized by the rule ID. Rule name, however, can help provide quicker recognition.
AGENT_PACKET_LOG_2 RULE_NAME nvarchar 512  √  null Name of the rule that was triggered by the event. If not specified in the security rule, an empty string. Useful for troubleshooting. In theory, a rule can be recognized by the rule ID. Rule name, however, can help provide quicker recognition.
AGENT_TRAFFIC_LOG_1 RULE_NAME nvarchar 512  √  null Name of the rule that was triggered by the event. If not specified in the security rule, an empty string. Useful for troubleshooting. In theory, a rule can be recognized by the rule ID. Rule name, however, can help provide quicker recognition.
AGENT_TRAFFIC_LOG_2 RULE_NAME nvarchar 512  √  null Name of the rule that was triggered by the event. If not specified in the security rule, an empty string. Useful for troubleshooting. In theory, a rule can be recognized by the rule ID. Rule name, however, can help provide quicker recognition.
SEM_COMPLIANCE_CRITERIA RULE_NAME nvarchar 512 ('') Admin-provided rule name from policy
SEM_COMPLIANCE_CRITERIA_2 RULE_NAME nvarchar 512 ('')
V_AGENT_BEHAVIOR_LOG RULE_NAME nvarchar 512  √  null
V_AGENT_PACKET_LOG RULE_NAME nvarchar 512  √  null
V_AGENT_TRAFFIC_LOG RULE_NAME nvarchar 512  √  null
SEM_APPLICATION SIGNER_NAME nvarchar 512  √  null Signer name
HISTORY STATISTIC nvarchar 512 ('') Summary statistic **See Snapshot data format worksheet for details **
HISTORY TARGET nvarchar 512 ('') Data **See Snapshot data format worksheet for details **
SEM_COMPLIANCE_CRITERIA TARGET nvarchar 512 ('') The target of the criteria, for example, the AV product name, the firewall product name, the file name, the registry key, the registry value, the patch version, the OS version, the process name, or the service name.
SEM_COMPLIANCE_CRITERIA_2 TARGET nvarchar 512 ('')
HPP_ALERTS URL nvarchar 512 ('') The URL from which the image was downloaded.
Default is "".
This field belongs to creator for dropper application
The creator process of the dropper threat.
Default is "".
SEM_CLIENT USER_DOMAIN_NAME nvarchar 512  √  null User login domain name
V_CLIENT_CHANGE_LOG USER_DOMAIN_NAME nvarchar 512  √  null
AGENT_BEHAVIOR_LOG_1 USER_NAME nvarchar 512  √  null Login user name
AGENT_BEHAVIOR_LOG_2 USER_NAME nvarchar 512  √  null Login user name
AGENT_SECURITY_LOG_1 USER_NAME nvarchar 512  √  null Login user name
AGENT_SECURITY_LOG_2 USER_NAME nvarchar 512  √  null Login user name
AGENT_TRAFFIC_LOG_1 USER_NAME nvarchar 512  √  null Login user name
AGENT_TRAFFIC_LOG_2 USER_NAME nvarchar 512  √  null Login user name
SEM_CLIENT USER_NAME nvarchar 512  √  null User login name
SERVER_CLIENT_LOG_1 USER_NAME nvarchar 512  √  null Login user name of the client
SERVER_CLIENT_LOG_2 USER_NAME nvarchar 512  √  null Login user name of the client
V_AGENT_BEHAVIOR_LOG USER_NAME nvarchar 512  √  null
V_AGENT_SECURITY_LOG USER_NAME nvarchar 512  √  null
V_AGENT_TRAFFIC_LOG USER_NAME nvarchar 512  √  null
V_CLIENT_CHANGE_LOG USER_NAME nvarchar 512  √  null
V_SERVER_CLIENT_LOG USER_NAME nvarchar 512  √  null
AGENT_BEHAVIOR_LOG_1 VAPI_NAME nvarchar 512  √  null What API was blocked
AGENT_BEHAVIOR_LOG_2 VAPI_NAME nvarchar 512  √  null What API was blocked
V_AGENT_BEHAVIOR_LOG VAPI_NAME nvarchar 512  √  null
HPP_APPLICATION APP_NAME nvarchar 520 ('') Application name
SEM_APPLICATION APPLICATION_NAME nvarchar 520 ('') Name of the learned application
SEM_APPLICATION APPLICATION_PATH nvarchar 520  √  null Path of the learned application
HPP_APPLICATION COMPANY_NAME nvarchar 520 ('') Company name
SEM_APPLICATION COMPANY_NAME nvarchar 520  √  null Company name
AGENT_BEHAVIOR_LOG_1 RESERVED_VARCHAR1 nvarchar 520  √  null
AGENT_BEHAVIOR_LOG_2 RESERVED_VARCHAR1 nvarchar 520  √  null
AGENT_PACKET_LOG_1 RESERVED_VARCHAR1 nvarchar 520  √  null
AGENT_PACKET_LOG_2 RESERVED_VARCHAR1 nvarchar 520  √  null
AGENT_SECURITY_LOG_1 RESERVED_VARCHAR1 nvarchar 520  √  null
AGENT_SECURITY_LOG_2 RESERVED_VARCHAR1 nvarchar 520  √  null
AGENT_SYSTEM_LOG_1 RESERVED_VARCHAR1 nvarchar 520  √  null
AGENT_SYSTEM_LOG_2 RESERVED_VARCHAR1 nvarchar 520  √  null
AGENT_TRAFFIC_LOG_1 RESERVED_VARCHAR1 nvarchar 520  √  null
AGENT_TRAFFIC_LOG_2 RESERVED_VARCHAR1 nvarchar 520  √  null
BASIC_METADATA RESERVED_VARCHAR1 nvarchar 520  √  null
BINARY_FILE RESERVED_VARCHAR1 nvarchar 520  √  null
COMPUTER_APPLICATION RESERVED_VARCHAR1 nvarchar 520  √  null
ENFORCER_CLIENT_LOG_1 RESERVED_VARCHAR1 nvarchar 520  √  null For PeerToPeer Enforcer log records, this field contains the host name of the client acting as the Enforcer.
ENFORCER_CLIENT_LOG_2 RESERVED_VARCHAR1 nvarchar 520  √  null For PeerToPeer Enforcer log records, this field contains the host name of the client acting as the Enforcer.
ENFORCER_SYSTEM_LOG_1 RESERVED_VARCHAR1 nvarchar 520  √  null
ENFORCER_SYSTEM_LOG_2 RESERVED_VARCHAR1 nvarchar 520  √  null
ENFORCER_TRAFFIC_LOG_1 RESERVED_VARCHAR1 nvarchar 520  √  null
ENFORCER_TRAFFIC_LOG_2 RESERVED_VARCHAR1 nvarchar 520  √  null
IDENTITY_MAP RESERVED_VARCHAR1 nvarchar 520  √  null
LEGACY_AGENT RESERVED_VARCHAR1 nvarchar 520  √  null
LOCAL_METADATA RESERVED_VARCHAR1 nvarchar 520  √  null
LOG_CONFIG RESERVED_VARCHAR1 nvarchar 520  √  null
SEM_AGENT RESERVED_VARCHAR1 nvarchar 520  √  null
SEM_APPLICATION RESERVED_VARCHAR1 nvarchar 520  √  null
SEM_CLIENT RESERVED_VARCHAR1 nvarchar 520  √  null
SEM_COMPUTER RESERVED_VARCHAR1 nvarchar 520  √  null
SEM_SVA RESERVED_VARCHAR1 nvarchar 520  √  null
SEM_SVA_CLIENT RESERVED_VARCHAR1 nvarchar 520  √  null
SEM_SVA_COMPUTER RESERVED_VARCHAR1 nvarchar 520  √  null
SERVER_ADMIN_LOG_1 RESERVED_VARCHAR1 nvarchar 520  √  null
SERVER_ADMIN_LOG_2 RESERVED_VARCHAR1 nvarchar 520  √  null
SERVER_CLIENT_LOG_1 RESERVED_VARCHAR1 nvarchar 520  √  null
SERVER_CLIENT_LOG_2 RESERVED_VARCHAR1 nvarchar 520  √  null
SERVER_ENFORCER_LOG_1 RESERVED_VARCHAR1 nvarchar 520  √  null
SERVER_ENFORCER_LOG_2 RESERVED_VARCHAR1 nvarchar 520  √  null
SERVER_POLICY_LOG_1 RESERVED_VARCHAR1 nvarchar 520  √  null
SERVER_POLICY_LOG_2 RESERVED_VARCHAR1 nvarchar 520  √  null
SERVER_SYSTEM_LOG_1 RESERVED_VARCHAR1 nvarchar 520  √  null
SERVER_SYSTEM_LOG_2 RESERVED_VARCHAR1 nvarchar 520  √  null
SYSTEM_STATE RESERVED_VARCHAR1 nvarchar 520  √  null
V_AGENT_BEHAVIOR_LOG RESERVED_VARCHAR1 nvarchar 520  √  null
V_AGENT_PACKET_LOG RESERVED_VARCHAR1 nvarchar 520  √  null
V_AGENT_SECURITY_LOG RESERVED_VARCHAR1 nvarchar 520  √  null
V_AGENT_SYSTEM_LOG RESERVED_VARCHAR1 nvarchar 520  √  null
V_AGENT_TRAFFIC_LOG RESERVED_VARCHAR1 nvarchar 520  √  null
V_DOMAINS RESERVED_VARCHAR1 nvarchar 520  √  null
V_ENFORCER_CLIENT_LOG RESERVED_VARCHAR1 nvarchar 520  √  null
V_ENFORCER_SYSTEM_LOG RESERVED_VARCHAR1 nvarchar 520  √  null
V_ENFORCER_TRAFFIC_LOG RESERVED_VARCHAR1 nvarchar 520  √  null
V_GROUPS RESERVED_VARCHAR1 nvarchar 520  √  null
V_SEM_COMPUTER RESERVED_VARCHAR1 nvarchar 520  √  null
V_SERVER_ADMIN_LOG RESERVED_VARCHAR1 nvarchar 520  √  null
V_SERVER_CLIENT_LOG RESERVED_VARCHAR1 nvarchar 520  √  null
V_SERVER_ENFORCER_LOG RESERVED_VARCHAR1 nvarchar 520  √  null
V_SERVER_POLICY_LOG RESERVED_VARCHAR1 nvarchar 520  √  null
V_SERVER_SYSTEM_LOG RESERVED_VARCHAR1 nvarchar 520  √  null
V_SERVERS RESERVED_VARCHAR1 nvarchar 520  √  null
AGENT_SECURITY_LOG_1 STR_CIDS_SIGN_ID nvarchar 520 ('') Signature Name
AGENT_SECURITY_LOG_2 STR_CIDS_SIGN_ID nvarchar 520 ('') Signature Name
V_AGENT_SECURITY_LOG STR_CIDS_SIGN_ID nvarchar 520
COMMAND SUB_STATE_DESC nvarchar 520  √  null Command-specific extra information like number of files scanned or error message.
SEM_JOB COMMAND_DESC nvarchar 700  √  null Detailed description of the command
ANOMALYDETECTION ACTION_OPERAND nvarchar 1024 ('') File or registry key on which this action took place
ANOMALYREMEDIATION ACTION_OPERAND nvarchar 1024 ('') File or registry key on which this action took place.
BEHAVIOR_REPORT COMPUTERLIST nvarchar 1024 ('') Comma-separated, wild-carded computer names by which to filter
COMMAND_REPORT COMPUTERLIST nvarchar 1024 ('') Comma-separated, wild-carded list of computer names by which to filter
COMPLIANCE_REPORT COMPUTERLIST nvarchar 1024 ('') Comma-separated, wild-carded computer names by which to filter
FIREWALL_REPORT COMPUTERLIST nvarchar 1024 ('') Comma-separated, wild-carded computer names by which to filter
INVENTORYREPORT COMPUTERLIST nvarchar 1024 ('%') Comma-separated, wild-carded list of computer names by which to filter
SCANREPORT COMPUTERLIST nvarchar 1024 ('%') Comma-separated, wild-carded list of computers by which to filter
SYSTEM_REPORT COMPUTERLIST nvarchar 1024 ('') Comma-separated, wild-card computer names by which to filter
THREATREPORT COMPUTERLIST nvarchar 1024 ('%') Comma-separated, wild-carded list of computers by which to filter
NOTIFICATIONALERTS HYPERLINK nvarchar 1024 ('') Link to report with details about alert situation
SEM_APPLICATION APP_DESCRIPTION nvarchar 2048  √  null Description of the learned application
AGENT_SYSTEM_LOG_1 EVENT_DESC nvarchar 2048  √  null Description of the event. Usually, the first line of the description is treated as the summary.
AGENT_SYSTEM_LOG_2 EVENT_DESC nvarchar 2048  √  null Description of the event. Usually, the first line of the description is treated as the summary.
V_AGENT_SYSTEM_LOG EVENT_DESC nvarchar 2048  √  null
ENFORCER_CLIENT_LOG_1 EXTENDED_INFO nvarchar 2048  √  null
ENFORCER_CLIENT_LOG_2 EXTENDED_INFO nvarchar 2048  √  null
V_ENFORCER_CLIENT_LOG EXTENDED_INFO nvarchar 2048  √  null
NOTIFICATIONALERTS MSG nvarchar 2048 ('') Notification alert message text
SEM_AGENT ATTRIBUTE_EXTENSION nvarchar 4000  √  null Not used
AGENT_SECURITY_LOG_1 EVENT_DESC nvarchar 4000  √  null Description of the event. Usually, the first line of the description is treated as the summary.
AGENT_SECURITY_LOG_2 EVENT_DESC nvarchar 4000  √  null Description of the event. Usually, the first line of the description is treated as the summary.
SERVER_SYSTEM_LOG_1 EVENT_DESC nvarchar 4000  √  null Description of the event. Usually, the first line of the description is treated as the summary.
SERVER_SYSTEM_LOG_2 EVENT_DESC nvarchar 4000  √  null Description of the event. Usually, the first line of the description is treated as the summary.
V_AGENT_SECURITY_LOG EVENT_DESC nvarchar 4000  √  null
V_SERVER_SYSTEM_LOG EVENT_DESC nvarchar 4000  √  null
SEM_AGENT HI_REASONDESC nvarchar 4000  √  null Host integrity description
BASIC_METADATA NAME nvarchar 4000  √  null Object name
IDENTITY_MAP NAME nvarchar 4000  √  null Name of the object
V_DOMAINS NAME nvarchar 4000  √  null
V_GROUPS NAME nvarchar 4000  √  null
V_SERVERS NAME nvarchar 4000  √  null
SERVER_ADMIN_LOG_1 STACK_TRACE nvarchar 4000  √  null Stacktrace of exception (Only used when an exception is related to this event)
SERVER_ADMIN_LOG_2 STACK_TRACE nvarchar 4000  √  null Stacktrace of exception (Only used when an exception is related to this event)
SERVER_SYSTEM_LOG_1 STACK_TRACE nvarchar 4000  √  null Stacktrace of exception (Only used when an exception is related to this event).
SERVER_SYSTEM_LOG_2 STACK_TRACE nvarchar 4000  √  null Stacktrace of exception (Only used when an exception is related to this event).
V_SERVER_ADMIN_LOG STACK_TRACE nvarchar 4000  √  null
V_SERVER_SYSTEM_LOG STACK_TRACE nvarchar 4000  √  null
OAUTH_CLIENT_DETAILS WEB_SERVER_REDIRECT_URI nvarchar 4000  √  null
BASIC_METADATA DESCRIPTION nvarchar 4096  √  null Object description
AGENT_SECURITY_LOG_1 INTRUSION_PAYLOAD_URL nvarchar 4200 ('') URL that hosted payload
AGENT_SECURITY_LOG_2 INTRUSION_PAYLOAD_URL nvarchar 4200 ('') URL that hosted payload
V_AGENT_SECURITY_LOG INTRUSION_PAYLOAD_URL nvarchar 4200
AGENT_SECURITY_LOG_1 INTRUSION_URL nvarchar 4200 ('') URL from detection
AGENT_SECURITY_LOG_2 INTRUSION_URL nvarchar 4200 ('') URL from detection
V_AGENT_SECURITY_LOG INTRUSION_URL nvarchar 4200
SEM_AGENT DEPLOY_MSG nvarchar 8000  √  null This is a free form detailed message sent by the client to elaborate on the deployment status.
AGENT_BEHAVIOR_LOG_1 ACTION_TYPE smallint 2  √  null Violation type that triggered the SymProtect event.
Valid values are 0 to 58 inclusive.
AGENT_BEHAVIOR_LOG_2 ACTION_TYPE smallint 2  √  null Violation type that triggered the SymProtect event.
Valid values are 0 to 58 inclusive.
V_AGENT_BEHAVIOR_LOG ACTION_TYPE smallint 2  √  null
BEHAVIOR_REPORT ACTION tinyint 1  √  (NULL) 0 = Allow
1 = Block
2 = Ask
3 = Continue
4 = Terminate
AGENT_SECURITY_LOG_1 ALERT tinyint 1  √  null It reflects the alert attribute in profile action. It is true if action::alert is true. (Yes = 1, No = 0)
AGENT_SECURITY_LOG_2 ALERT tinyint 1  √  null It reflects the alert attribute in profile action. It is true if action::alert is true. (Yes = 1, No = 0)
AGENT_TRAFFIC_LOG_1 ALERT tinyint 1  √  null It reflects the alert attribute in profile action. It is true if action::alert is true. (Yes = 1, No = 0)
AGENT_TRAFFIC_LOG_2 ALERT tinyint 1  √  null It reflects the alert attribute in profile action. It is true if action::alert is true. (Yes = 1, No = 0)
ENFORCER_TRAFFIC_LOG_1 ALERT tinyint 1 It reflects the alert attribute in profile action. It is true if action::alert is true.
ENFORCER_TRAFFIC_LOG_2 ALERT tinyint 1 It reflects the alert attribute in profile action. It is true if action::alert is true.
LAN_DEVICE_DETECTED ALERT tinyint 1  √  null It reflects the alert attribute in profile action. It is true if action::alert is true.
V_AGENT_SECURITY_LOG ALERT tinyint 1  √  null
V_AGENT_TRAFFIC_LOG ALERT tinyint 1  √  null
V_ENFORCER_TRAFFIC_LOG ALERT tinyint 1
V_LAN_DEVICE_DETECTED ALERT tinyint 1  √  null
SEM_AGENT AP_ONOFF tinyint 1 ((127)) AutoProtect status:
1 = on
2 = Not installed
0 = off
127 = Not reporting
INVENTORYREPORT AVENGINE_ONOFF tinyint 1  √  ((127)) Antivirus Engine Status:
0 = filter for off, 127 = No filter (all)
SEM_AGENT AVENGINE_ONOFF tinyint 1 ((127)) RTVScan status:
1 = on
2 = Not installed
0 = off
127 = Not reporting
SEM_AGENT BASH_STATUS tinyint 1 ((0)) SONAR status:
0 = off
1 = on
2 = not installed
3 = off by policy
4 = malfunction
It was meant to be for more granular op-state, but currently, it is the same as PTP_ONOFF.
BEHAVIOR_REPORT BEHAVIORTYPE tinyint 1 ((0)) 1 = Application type, 2 = Device Control type
AGENT_PACKET_LOG_1 BLOCKED tinyint 1 Specify if the traffic was blocked (Yes = 1, no = 0)
AGENT_PACKET_LOG_2 BLOCKED tinyint 1 Specify if the traffic was blocked (Yes = 1, no = 0)
AGENT_TRAFFIC_LOG_1 BLOCKED tinyint 1 Specify if the traffic was blocked. (Yes = 1, No = 0)
AGENT_TRAFFIC_LOG_2 BLOCKED tinyint 1 Specify if the traffic was blocked. (Yes = 1, No = 0)
COMPLIANCE_REPORT BLOCKED tinyint 1  √  (NULL) 0 = Blocked, 1 = Not Blocked
ENFORCER_TRAFFIC_LOG_1 BLOCKED tinyint 1 Specify if the traffic was blocked. (0 = blocked, 1 = Not blocked ** note the difference in values between this and the AGENT_TRAFFIC_LOG_x tables)
ENFORCER_TRAFFIC_LOG_2 BLOCKED tinyint 1 Specify if the traffic was blocked. (0 = blocked, 1 = Not blocked ** note the difference in values between this and the AGENT_TRAFFIC_LOG_x tables)
V_AGENT_PACKET_LOG BLOCKED tinyint 1
V_AGENT_TRAFFIC_LOG BLOCKED tinyint 1
V_ENFORCER_TRAFFIC_LOG BLOCKED tinyint 1
INVENTORYREPORT CIDS_BROWSER_FF_ONOFF tinyint 1 ((127)) See SEM_AGENT.CIDS_BROWSER_FF_ONOFF. Included again in this table because it represents a filter option.
SEM_AGENT CIDS_BROWSER_FF_ONOFF tinyint 1 ((127)) FireFox browser protection status (0-4 enumeration)
INVENTORYREPORT CIDS_BROWSER_IE_ONOFF tinyint 1 ((127)) See SEM_AGENT.CIDS_BROWSER_IE_ONOFF. Included again in this table because it represents a filter option.
SEM_AGENT CIDS_BROWSER_IE_ONOFF tinyint 1 ((127)) Internet Explorer browser protection status (0-4 enumeration)
SEM_AGENT CIDS_DRV_MULF_CODE tinyint 1 ((0)) IDS error code if its op-state = 4.
Possible values:
enum NetworkProtectionErrors
{
eIPSOk = 0,
eIPSGeneralError,
eDriverNotLoaded,
eAutoblockFailure,
eIDSEngineManagerFailure,
eSignatureManagerFailure,
eNetworkExclisionManagerFailure,
eNetworkInfoManagerFailure,
eUDPTrafficManagerFailure,
eSymEfaManagerFailure,
eProcessTrackerFailure,
eSettingsManagerFailure,
eWFPHookManagerFailure,
eLastNetworkProtectionError = 0xffffffff
};
SEM_AGENT CIDS_DRV_ONOFF tinyint 1 ((127)) Network intrusion prevention status:
0 = off
1 = on
2 = not installed
3 = off by admin policy
127 = unknown.
Default is 127
HPP_ALERTS CIDS_ONOFF tinyint 1 ((127)) Enabled state of CIDS
0 = off
1 = on
2 = not installed
127 = unknown.
Default is 127
INVENTORYREPORT CIDS_ONOFF tinyint 1 ((127)) Network intrusion prevention status:
0 = off
1 = on
2 = not installed
3 = off by admin policy
127 = unknown.
Default is 127
SEM_AGENT CIDS_SILENT_MODE tinyint 1 ((0)) Is the IDS driver installed as an internal component for another protection technology, 0 = no, 1 = yes
LICENSE_CHAIN CLIENT_PRODUCT_TYPE tinyint 1 ((0)) This holds value for SEP, SNAC
SEP=0
SNAC=1
COMPLIANCE_REPORT COMPLIANCE_TYPE tinyint 1 ((0)) 1 = Enforcer Server
2 = Enforcer Client
3 = Enforcer Traffic
4 = Host Compliance
5 = Attack (Firewall logs)
6 = Device Control
SEM_AGENT CONTENT_UPDATE tinyint 1 ((1)) Accepts content update: 1 = Yes, 0 = no
SEM_CLIENT CREATOR tinyint 1  √  null
SEM_SVA_CLIENT CREATOR tinyint 1  √  null
INVENTORYREPORT DA_ONOFF tinyint 1 ((127)) Download advisor status
Enabled state of DA
0 = off
1 = on
2 = not installed
3 = off by admin policy
127 = unknown.
SEM_AGENT DA_ONOFF tinyint 1 ((127)) Download advisor operational state
Enabled state of DA
0 = off
1 = on
2 = not installed
3 = off by admin policy
127 = unknown.
Default is 127
ALERTFILTER DELETED tinyint 1 ((0)) Deleted row: 0 = not deleted, 1 = deleted
ALERTS DELETED tinyint 1 ((0)) Deleted row: 0 = not deleted, 1 = deleted
ANOMALYDETECTION DELETED tinyint 1 ((0)) Deleted row: 0 = not deleted, 1 = deleted
ANOMALYDETECTIONS DELETED tinyint 1 ((0)) Deleted row: 0 = not deleted, 1 = deleted
ANOMALYREMEDIATION DELETED tinyint 1 ((0)) Deleted row: 0 = not deleted, 1 = deleted
ANOMALYREMEDIATIONS DELETED tinyint 1 ((0)) Deleted row; 0 = Not deleted, 1 = deleted
AUDIT_REPORT DELETED tinyint 1 ((0)) Deleted flag; 0 = Not deleted, 1 = Deleted
BASIC_METADATA DELETED tinyint 1 Deleted flag; 0 = Not deleted, 1 = Deleted
BEHAVIOR_REPORT DELETED tinyint 1 ((0)) Deleted flag; 0 = Not deleted, 1 = Deleted
BINARY_FILE DELETED tinyint 1 The deleted flag of the schema object:
1 = Deleted
0 = Not Deleted
COMMAND DELETED tinyint 1 The deleted flag of the schema object:
1 = Deleted
0 = Not Deleted
COMMAND_REPORT DELETED tinyint 1 ((0)) Deleted rows; 0 = not deleted, 1 = deleted
COMPLIANCE_REPORT DELETED tinyint 1 ((0)) Deleted entry; 0 = Not deleted, 1 = Deleted
COMPUTER_APPLICATION DELETED tinyint 1 The deleted flag of the schema object:
1 = Deleted
0 = Not Deleted
FIREWALL_REPORT DELETED tinyint 1 ((0)) Delete row; 0 = Not deleted, 1 = Deleted
GROUP_LAN_SENSOR DELETED tinyint 1
GUIPARMS DELETED tinyint 1 ((0)) Delete row; 0 = Not deleted, 1 = Deleted
GUP_LIST DELETED tinyint 1 Delete row; 0 = Not deleted, 1 = Deleted
HISTORYCONFIG DELETED tinyint 1 ((0)) Deleted row; 0 = Not Deleted, 1 = Deleted
HOMEPAGECONFIG DELETED tinyint 1 ((0)) Deleted row; 0 = Not Deleted, 1 = Deleted
HPP_ALERTS DELETED tinyint 1 ((0)) Deleted row; 0 = Not Deleted, 1 = Deleted
HPP_APPLICATION DELETED tinyint 1 ((0)) Deleted row; 0 = Not Deleted, 1 = Deleted
IDENTITY_MAP DELETED tinyint 1  √  null Deleted row; 0 = Not Deleted, 1 = Deleted
INVENTORYCURRENTRISK1 DELETED tinyint 1 ((0)) Deleted row; 0 = Not Deleted, 1 = Deleted
INVENTORYREPORT DELETED tinyint 1 ((0)) Deleted row; 0 = Not Deleted, 1 = Deleted
LAN_DEVICE_DETECTED DELETED tinyint 1 The deleted flag of the schema object:
1 = Deleted
0 = Not Deleted
LAN_DEVICE_EXCLUDED DELETED tinyint 1 The deleted flag of the schema object:
0 = Deleted
1 = Not Deleted
LEGACY_AGENT DELETED tinyint 1 The deleted flag of the schema object:
1 = Deleted
0 = Not Deleted
LICENSE DELETED tinyint 1 The deleted flag of the schema object:
1 = Deleted
0 = Not Deleted
LICENSE_CHAIN DELETED tinyint 1 ((0)) The deleted flag of the schema object:
1 = Deleted
0 = Not Deleted
LOCAL_METADATA DELETED tinyint 1 The deleted flag of the schema object:
0 = Deleted
1 = Not Deleted
NOTIFICATION DELETED tinyint 1 ((0)) Deleted row; 0 = Not Deleted, 1 = Deleted
NOTIFICATIONALERTS DELETED tinyint 1 ((0)) Deleted row; 0 = Not deleted, 1 = deleted
NOTIFICATIONHISTORY DELETED tinyint 1 ((0))
PATTERN DELETED tinyint 1 ((0)) Deleted row; 0 = Not deleted, 1 = Deleted
REPORTS DELETED tinyint 1 The deleted flag of the schema object:
1 = Deleted
0 = Not Deleted
SCANREPORT DELETED tinyint 1 ((0))
SCANS DELETED tinyint 1 ((0)) Deleted row; 0 = Not deleted, 1 = Deleted
SCFINVENTORY DELETED tinyint 1 ((0)) Deleted row; 0 = Not deleted, 1 = Deleted
SEM_AGENT DELETED tinyint 1 The deleted flag of the schema object:
1 = Deleted
0 = Not Deleted
SEM_APPLICATION DELETED tinyint 1 The deleted flag of the schema object:
1 = Deleted
0 = Not Deleted
SEM_CLIENT DELETED tinyint 1 The deleted flag of the schema object:
1 = Deleted
0 = Not Deleted
SEM_COMPLIANCE_CRITERIA DELETED tinyint 1 ((0)) The deleted flag of the schema object:
1 = Deleted
0 = Not Deleted
SEM_COMPLIANCE_CRITERIA_2 DELETED tinyint 1 ((0))
SEM_COMPUTER DELETED tinyint 1 The deleted flag of the schema object:
1 = Deleted
0 = Not Deleted
SEM_CONTENT DELETED tinyint 1 ((0)) The deleted flag of the schema object:
1 = Deleted
0 = Not Deleted
SEM_JOB DELETED tinyint 1 Deleted row:
1 = Deleted
0 = Not Deleted
SEM_OS_INFO DELETED tinyint 1 ((0)) The deleted flag of the schema object:
1 = Deleted
0 = Not Deleted
SEM_SVA DELETED tinyint 1
SEM_SVA_CLIENT DELETED tinyint 1
SEM_SVA_COMPUTER DELETED tinyint 1
SYSTEM_REPORT DELETED tinyint 1 ((0)) The deleted flag of the schema object:
0 = Deleted
1 = Not Deleted
SYSTEM_STATE DELETED tinyint 1 tinyint, NOT NULL
THREATREPORT DELETED tinyint 1 ((0)) Deleted row: 0 = Not deleted, 1 = Deleted
V_ALERTS DELETED tinyint 1
V_CLIENT_CHANGE_LOG DELETED tinyint 1
V_DOMAINS DELETED tinyint 1  √  null
V_GROUPS DELETED tinyint 1  √  null
V_IPS DELETED tinyint 1
V_LAN_DEVICE_DETECTED DELETED tinyint 1
V_LAN_DEVICE_EXCLUDED DELETED tinyint 1
V_MR_CLEAN DELETED tinyint 1
V_SEM_COMPUTER DELETED tinyint 1
V_SEM_CONTENT DELETED tinyint 1
V_SERVERS DELETED tinyint 1  √  null
V_SONAR DELETED tinyint 1
V_VIRUS DELETED tinyint 1
VIRUS DELETED tinyint 1 ((0)) Deleted row: 0 = Not deleted, 1 = deleted
VIRUSCATEGORY DELETED tinyint 1 ((0)) Deleted row: 0 = Not deleted, 1 = deleted
INVENTORYREPORT DEPLOY_STATUS tinyint 1 ((0)) See SEM_AGENT.DEPLOY_STATUS. Included again in this table because it represents a filter option.
COMPUTER_APPLICATION DETECTION tinyint 1 ((0)) Was this involved in a detection on this machine?
HPP_ALERTS DETECTION_SCORE tinyint 1 ((0)) The score of the detection (0...100)
HPP_APPLICATION DETECTION_TYPE tinyint 1 ((0)) Detection type:
0 = heuristic
1 = commercial application
HPP_ALERTS DIS_SUBMIT tinyint 1 ((0)) Recommendation if this detection should be submitted to Symantec (0 = No, 1 = Yes)
BASIC_METADATA DISABLED tinyint 1  √  null Indicate the policy is disabled or not
HISTORYCONFIG DISABLED tinyint 1 ((0)) Scheduled report disabled: 0 = No, 1 = Yes
HPP_ALERTS DISPOSITION tinyint 1 ((127)) The value 127 for DISPOSITION means that there was no reputation data available for this detection.
INVENTORYREPORT ELAM_ONOFF tinyint 1 ((127)) Early Launch Anti-Malware status:
0 = off
1 = on
2 = not installed
3 = off by admin policy
127 = unknown.
Default is 127
SEM_AGENT ELAM_ONOFF tinyint 1 ((127))
OAUTH_CLIENT_DETAILS ENABLED tinyint 1  √  null
COMPLIANCE_REPORT ENFORCER_TYPE tinyint 1  √  (NULL) For Enforcer Client: 0 = Gateway Enforcer, 1 = LAN Enforcer, 2 = DHCP Enforcer, 3 = Integrated Enforcer, 4 = NAP Enforcer, 5 = PeerToPeer Enforcer
ENFORCER_CLIENT_LOG_1 ENFORCER_TYPE tinyint 1 0 = Gateway Enforcer
1 = LAN Enforcer
2 = DHCP Enforcer
3 = Integrated Enforcer
4 = NAP Enforcer
5 = PeerToPeer Enforcer
ENFORCER_CLIENT_LOG_2 ENFORCER_TYPE tinyint 1 0 = Gateway Enforcer
1 = LAN Enforcer
2 = DHCP Enforcer
3 = Integrated Enforcer
4 = NAP Enforcer
5 = PeerToPeer Enforcer
ENFORCER_SYSTEM_LOG_1 ENFORCER_TYPE tinyint 1 0 = Gateway Enforcer
1 = LAN Enforcer
2 = DHCP Enforcer
3 = Integrated Enforcer
4 = NAP Enforcer
5 = PeerToPeer Enforcer
ENFORCER_SYSTEM_LOG_2 ENFORCER_TYPE tinyint 1 0 = Gateway Enforcer
1 = LAN Enforcer
2 = DHCP Enforcer
3 = Integrated Enforcer
4 = NAP Enforcer
5 = PeerToPeer Enforcer
ENFORCER_TRAFFIC_LOG_1 ENFORCER_TYPE tinyint 1 0 = Gateway Enforcer
1 = LAN Enforcer
2 = DHCP Enforcer
3 = Integrated Enforcer
4 = NAP Enforcer
5 = PeerToPeer Enforcer
ENFORCER_TRAFFIC_LOG_2 ENFORCER_TYPE tinyint 1 0 = Gateway Enforcer
1 = LAN Enforcer
2 = DHCP Enforcer
3 = Integrated Enforcer
4 = NAP Enforcer
5 = PeerToPeer Enforcer
V_ENFORCER_CLIENT_LOG ENFORCER_TYPE tinyint 1
V_ENFORCER_SYSTEM_LOG ENFORCER_TYPE tinyint 1
V_ENFORCER_TRAFFIC_LOG ENFORCER_TYPE tinyint 1
LAN_DEVICE_EXCLUDED EXCLUDE_MODE tinyint 1
V_LAN_DEVICE_EXCLUDED EXCLUDE_MODE tinyint 1
BEHAVIOR_REPORT FILE_SIZE tinyint 1 ((0)) Size of the file in MB associated with the application control violation (used for filtering)
BEHAVIOR_REPORT FILE_UPDOWN tinyint 1 ((0)) Greater than or less than. Used for filtering in association with FILE_SIZE in this table.
0 = don't filter with this
1 = greater than
2 = less than
THREATREPORT FILTER_TYPE tinyint 1 ((0)) 1 = Risk , 2 = Proactive Threat Protection
INVENTORYREPORT FIREWALL_ONOFF tinyint 1  √  ((127)) Firewall status:
0 = filters on off, 127 = No filter (all)
SEM_AGENT FIREWALL_ONOFF tinyint 1 ((127)) Firewall status: 1 = On, 2 = Not installed, 0 = Off, 127 = Not reporting
SEM_CLIENT GROUP_IS_OU tinyint 1  √  null If client is from ActiveDirectory
SEM_SVA_CLIENT GROUP_IS_OU tinyint 1  √  null
HPP_APPLICATION HASH_TYPE tinyint 1 ((1)) HASH algorithm used:
0 = MD5
1 = SHA-1
2 = SHA-256
GROUP_HI_STATUS HI_ENABLED tinyint 1 Is HI enabled?
INVENTORYREPORT HI_STATUS tinyint 1  √  ((127)) Filters on the following compliance status:
0 = Fail
1 = Success
2 = Pending
3 = Disabled
4 = Ignore
127 = No filter (all)
HYPERVISOR_PATTERN HYPERVISOR_VENDOR_ID tinyint 1 Vendor ID that links to HYPERVISOR_VENDOR
HYPERVISOR_VENDOR HYPERVISOR_VENDOR_ID tinyint 1
SEM_COMPUTER HYPERVISOR_VENDOR_ID tinyint 1  √  null Foreign key to HYPERVISOR_VENDOR table
SEM_SVA_COMPUTER HYPERVISOR_VENDOR_ID tinyint 1  √  null
V_SEM_COMPUTER HYPERVISOR_VENDOR_ID tinyint 1  √  null
SEM_AGENT INFECTED tinyint 1 ((0)) Whether the client computer is infected:
0 = Not infected
1 = Infected
SEM_APPLICATION INTERESTING tinyint 1 ((0)) Whether this application was flagged for detection by the administrator using the Detect Process option in the Centralized Exceptions policy
SEM_AGENT IS_GRACE tinyint 1 ((0)) Is the license in grace period?
HISTORYCONFIG IS_MAIL_TO_SYS_ADMIN tinyint 1 ('1') The flag for mailing to be sent to system administrator.
NOTIFICATION IS_MAIL_TO_SYS_ADMIN tinyint 1 ('1') Flag for mailing to System Administrator
SEM_AGENT IS_NPVDI_CLIENT tinyint 1 ((0))
ADMIN_GROUPS IS_READONLY tinyint 1
V_VIRUS LATEST_THREAT tinyint 1
VIRUS LATEST_THREAT tinyint 1 ((0)) 0 = not a latest threat, 1 = latest threat
DATA_HANDLER LF_SORT tinyint 1 ((0)) Sort files: 0 = Ascending by file modification time, 1 = Descending by file modification time
INVENTORYREPORT LICENSE_STATUS tinyint 1  √  ((127)) Not used
AGENT_SECURITY_LOG_1 NETWORK_PROTOCOL tinyint 1  √  null The protocol type: Enum (OTHERS = 1; TCP = 2; UDP = 3; ICMP = 4)
AGENT_SECURITY_LOG_2 NETWORK_PROTOCOL tinyint 1  √  null The protocol type: Enum (OTHERS = 1; TCP = 2; UDP = 3; ICMP = 4)
AGENT_TRAFFIC_LOG_1 NETWORK_PROTOCOL tinyint 1  √  null The protocol type: Enum (OTHERS = 1; TCP = 2; UDP = 3; ICMP = 4)
AGENT_TRAFFIC_LOG_2 NETWORK_PROTOCOL tinyint 1  √  null The protocol type: Enum (OTHERS = 1; TCP = 2; UDP = 3; ICMP = 4)
COMPLIANCE_REPORT NETWORK_PROTOCOL tinyint 1  √  (NULL) 1 = Other, 2 = TCP, 3 = UDP, 4 = ICMP
ENFORCER_TRAFFIC_LOG_1 NETWORK_PROTOCOL tinyint 1 The protocol type: Enum (OTHERS = 1; TCP = 2; UDP = 3; ICMP = 4)
ENFORCER_TRAFFIC_LOG_2 NETWORK_PROTOCOL tinyint 1 The protocol type: Enum (OTHERS = 1; TCP = 2; UDP = 3; ICMP = 4)
V_AGENT_SECURITY_LOG NETWORK_PROTOCOL tinyint 1  √  null
V_AGENT_TRAFFIC_LOG NETWORK_PROTOCOL tinyint 1  √  null
V_ENFORCER_TRAFFIC_LOG NETWORK_PROTOCOL tinyint 1
INVENTORYREPORT ONOFF tinyint 1  √  ((127)) Auto-Protect Status:
0 = filter for off, 127 = No filter (all)
INVENTORYREPORT OPERATOR tinyint 1 ((0)) Not used
SEM_AGENT OSELAM_STATUS tinyint 1 ((127))
COMMAND PERCENT_COMPLETE tinyint 1 ((0)) Progress (0-100%) of command based on estimated duration.
COMMAND_REPORT PERCENT_COMPLETE tinyint 1  √  (NULL) Command progress
SEM_CLIENT PIN_MARK tinyint 1  √  null A flag to mark if this client should be synchronized with ActiveDirectory
SEM_SVA_CLIENT PIN_MARK tinyint 1  √  null
INVENTORYREPORT PTP_ONOFF tinyint 1 ((127)) Proactive threat protection status:
0 = off
1 = on
2 = not installed
3 = off by admin policy
127 = unknown.
Default is 127
SEM_AGENT PTP_ONOFF tinyint 1 ((127)) Enabled state of Proactive threat protection:
0 = off
1 = on
2 = not installed
3 = off by admin policy
127 = unknown.
Default is 127
INVENTORYREPORT REBOOT_REQUIRED tinyint 1  √  ((127)) Restart required status:
1 = filter for needs restart, 127 = No filter (all)
SEM_AGENT REBOOT_REQUIRED tinyint 1 ((0)) Reboot Required: 0 = No, 1 = Yes
SEM_REPLICATION_STATE REPLICATION_STATE tinyint 1 ((0)) Replication is in process or not. 0: not, 1: replication in process
HPP_ALERTS RISK_LEVEL tinyint 1 ((0)) The risk level (high, med, low) for the convicted threat.
0 -- Unknown
1 or 2 -- Low
3 -- Medium
4 -- High
Default is 0.
AGENT_BEHAVIOR_LOG_1 SEND_SNMP_TRAP tinyint 1  √  null It reflects the send SNMP trap action. It is true if send is true.
AGENT_BEHAVIOR_LOG_2 SEND_SNMP_TRAP tinyint 1  √  null It reflects the send SNMP trap action. It is true if send is true.
AGENT_PACKET_LOG_1 SEND_SNMP_TRAP tinyint 1  √  null It reflects the send SNMP trap action. It is true if send is true. (Yes = 1, no = 0)
AGENT_PACKET_LOG_2 SEND_SNMP_TRAP tinyint 1  √  null It reflects the send SNMP trap action. It is true if send is true. (Yes = 1, no = 0)
AGENT_SECURITY_LOG_1 SEND_SNMP_TRAP tinyint 1  √  null It reflects the send SNMP trap action. It is true if send is true. (Yes = 1, No = 0)
AGENT_SECURITY_LOG_2 SEND_SNMP_TRAP tinyint 1  √  null It reflects the send SNMP trap action. It is true if send is true. (Yes = 1, No = 0)
AGENT_SYSTEM_LOG_1 SEND_SNMP_TRAP tinyint 1  √  null It reflects the send SNMP trap action. It is true if send is true. (Yes = 1, No = 0)
AGENT_SYSTEM_LOG_2 SEND_SNMP_TRAP tinyint 1  √  null It reflects the send SNMP trap action. It is true if send is true. (Yes = 1, No = 0)
AGENT_TRAFFIC_LOG_1 SEND_SNMP_TRAP tinyint 1  √  null It reflects the send SNMP trap action. It is true if send is true. (Yes = 1, No = 0)
AGENT_TRAFFIC_LOG_2 SEND_SNMP_TRAP tinyint 1  √  null It reflects the send SNMP trap action. It is true if send is true. (Yes = 1, No = 0)
LAN_DEVICE_DETECTED SEND_SNMP_TRAP tinyint 1  √  null It reflects the send SNMP trap action. It is true if send is true.
V_AGENT_BEHAVIOR_LOG SEND_SNMP_TRAP tinyint 1  √  null
V_AGENT_PACKET_LOG SEND_SNMP_TRAP tinyint 1  √  null
V_AGENT_SECURITY_LOG SEND_SNMP_TRAP tinyint 1  √  null
V_AGENT_SYSTEM_LOG SEND_SNMP_TRAP tinyint 1  √  null
V_AGENT_TRAFFIC_LOG SEND_SNMP_TRAP tinyint 1  √  null
V_LAN_DEVICE_DETECTED SEND_SNMP_TRAP tinyint 1  √  null
SEM_JOB SOURCE_TYPE tinyint 1 ((0))
INVENTORYREPORT STATUS tinyint 1  √  ((127)) 1 = online, 0 = offline, 127 = No filter (all)
SEM_AGENT STATUS tinyint 1  √  null Online status of the agent (0 = offline, 1 = online)
SEM_SVA STATUS tinyint 1  √  null
SYSTEM_REPORT SYSTEM_TYPE tinyint 1 ((0)) 1 = Administrative
2 = Client server activity
3 = Server activity
4 = Client activity
5 = Enforcer Activity
INVENTORYREPORT TAMPER_ONOFF tinyint 1  √  ((127)) Tamper Protection status:
0 = filter for off, 127 = No filter (all)
SEM_AGENT TAMPER_ONOFF tinyint 1 ((127)) Tamper Protection status:
1 = on
2 = Not installed
0 = off
127 = Not reporting status
BEHAVIOR_REPORT TEST_MODE tinyint 1  √  (NULL) 1 = Yes, 0 = No
V_VIRUS TOP_THREAT tinyint 1
VIRUS TOP_THREAT tinyint 1 ((0)) 0 = Not a top threat, 1 = top threat
INVENTORYREPORT TPM_DEVICE tinyint 1  √  ((127)) TPM device installed:
1 = filters on device is installed, 127 = No filter (all)
AGENT_PACKET_LOG_1 TRAFFIC_DIRECTION tinyint 1  √  null The direction of traffic. Enum (unknown = 0; inbound = 1; outbound = 2)
AGENT_PACKET_LOG_2 TRAFFIC_DIRECTION tinyint 1  √  null The direction of traffic. Enum (unknown = 0; inbound = 1; outbound = 2)
AGENT_SECURITY_LOG_1 TRAFFIC_DIRECTION tinyint 1  √  null The direction of traffic. Enum ( unknown = 0; inbound = 1; outbound = 2)
AGENT_SECURITY_LOG_2 TRAFFIC_DIRECTION tinyint 1  √  null The direction of traffic. Enum ( unknown = 0; inbound = 1; outbound = 2)
AGENT_TRAFFIC_LOG_1 TRAFFIC_DIRECTION tinyint 1  √  null The direction of traffic. Enum ( unknown = 0; inbound = 1; outbound = 2)
AGENT_TRAFFIC_LOG_2 TRAFFIC_DIRECTION tinyint 1  √  null The direction of traffic. Enum ( unknown = 0; inbound = 1; outbound = 2)
COMPLIANCE_REPORT TRAFFIC_DIRECTION tinyint 1  √  (NULL) 1 = Inbound, 2 = Outbound, 0 = Unknown
ENFORCER_TRAFFIC_LOG_1 TRAFFIC_DIRECTION tinyint 1 The direction of traffic. Enum (unknown = 0; inbound = 1; outbound = 2)
ENFORCER_TRAFFIC_LOG_2 TRAFFIC_DIRECTION tinyint 1 The direction of traffic. Enum (unknown = 0; inbound = 1; outbound = 2)
V_AGENT_PACKET_LOG TRAFFIC_DIRECTION tinyint 1  √  null
V_AGENT_SECURITY_LOG TRAFFIC_DIRECTION tinyint 1  √  null
V_AGENT_TRAFFIC_LOG TRAFFIC_DIRECTION tinyint 1  √  null
V_ENFORCER_TRAFFIC_LOG TRAFFIC_DIRECTION tinyint 1
DATA_HANDLER VERSION tinyint 1 ((0)) Handler version
SCANS VSIC_SCAN tinyint 1 ((0))
SEM_AGENT VSIC_STATUS tinyint 1 ((127))
COMMAND RESERVED_BINARY varbinary 1000  √  null
SEM_JOB RESERVED_BINARY varbinary 1000  √  null
OAUTH_ACCESS_TOKEN TOKEN varbinary 1000  √  null
OAUTH_REFRESH_TOKEN TOKEN varbinary 1000  √  null
AGENT_SECURITY_LOG_1 RESERVED_BINARY varbinary 1900  √  null
AGENT_SECURITY_LOG_2 RESERVED_BINARY varbinary 1900  √  null
V_AGENT_SECURITY_LOG RESERVED_BINARY varbinary 1900  √  null
AGENT_PACKET_LOG_1 EVENT_DATA varbinary 2000  √  null Additional data in binary format. This field is optional.
AGENT_PACKET_LOG_2 EVENT_DATA varbinary 2000  √  null Additional data in binary format. This field is optional.
AGENT_SYSTEM_LOG_1 EVENT_DATA varbinary 2000  √  null Additional data in binary format. This field is optional.
AGENT_SYSTEM_LOG_2 EVENT_DATA varbinary 2000  √  null Additional data in binary format. This field is optional.
SERVER_POLICY_LOG_1 EVENT_DATA varbinary 2000  √  null Additional data in binary format. This field is optional.
SERVER_POLICY_LOG_2 EVENT_DATA varbinary 2000  √  null Additional data in binary format. This field is optional.
V_AGENT_PACKET_LOG EVENT_DATA varbinary 2000  √  null
V_AGENT_SYSTEM_LOG EVENT_DATA varbinary 2000  √  null
V_SERVER_POLICY_LOG EVENT_DATA varbinary 2000  √  null
AGENT_BEHAVIOR_LOG_1 RESERVED_BINARY varbinary 2000  √  null
AGENT_BEHAVIOR_LOG_2 RESERVED_BINARY varbinary 2000  √  null
AGENT_PACKET_LOG_1 RESERVED_BINARY varbinary 2000  √  null
AGENT_PACKET_LOG_2 RESERVED_BINARY varbinary 2000  √  null
AGENT_SYSTEM_LOG_1 RESERVED_BINARY varbinary 2000  √  null
AGENT_SYSTEM_LOG_2 RESERVED_BINARY varbinary 2000  √  null
AGENT_TRAFFIC_LOG_1 RESERVED_BINARY varbinary 2000  √  null
AGENT_TRAFFIC_LOG_2 RESERVED_BINARY varbinary 2000  √  null
BASIC_METADATA RESERVED_BINARY varbinary 2000  √  null
BINARY_FILE RESERVED_BINARY varbinary 2000  √  null
COMPUTER_APPLICATION RESERVED_BINARY varbinary 2000  √  null
ENFORCER_CLIENT_LOG_1 RESERVED_BINARY varbinary 2000  √  null
ENFORCER_CLIENT_LOG_2 RESERVED_BINARY varbinary 2000  √  null
ENFORCER_SYSTEM_LOG_1 RESERVED_BINARY varbinary 2000  √  null
ENFORCER_SYSTEM_LOG_2 RESERVED_BINARY varbinary 2000  √  null
ENFORCER_TRAFFIC_LOG_1 RESERVED_BINARY varbinary 2000  √  null
ENFORCER_TRAFFIC_LOG_2 RESERVED_BINARY varbinary 2000  √  null
IDENTITY_MAP RESERVED_BINARY varbinary 2000  √  null
LAN_DEVICE_DETECTED RESERVED_BINARY varbinary 2000  √  null
LAN_DEVICE_EXCLUDED RESERVED_BINARY varbinary 2000  √  null
LEGACY_AGENT RESERVED_BINARY varbinary 2000  √  null
LOCAL_METADATA RESERVED_BINARY varbinary 2000  √  null
LOG_CONFIG RESERVED_BINARY varbinary 2000  √  null
REPORTS RESERVED_BINARY varbinary 2000  √  null
SEM_APPLICATION RESERVED_BINARY varbinary 2000  √  null
SEM_CLIENT RESERVED_BINARY varbinary 2000  √  null
SEM_COMPUTER RESERVED_BINARY varbinary 2000  √  null
SEM_SVA_CLIENT RESERVED_BINARY varbinary 2000  √  null
SEM_SVA_COMPUTER RESERVED_BINARY varbinary 2000  √  null
SERVER_ADMIN_LOG_1 RESERVED_BINARY varbinary 2000  √  null
SERVER_ADMIN_LOG_2 RESERVED_BINARY varbinary 2000  √  null
SERVER_CLIENT_LOG_1 RESERVED_BINARY varbinary 2000  √  null
SERVER_CLIENT_LOG_2 RESERVED_BINARY varbinary 2000  √  null
SERVER_ENFORCER_LOG_1 RESERVED_BINARY varbinary 2000  √  null
SERVER_ENFORCER_LOG_2 RESERVED_BINARY varbinary 2000  √  null
SERVER_POLICY_LOG_1 RESERVED_BINARY varbinary 2000  √  null
SERVER_POLICY_LOG_2 RESERVED_BINARY varbinary 2000  √  null
SERVER_SYSTEM_LOG_1 RESERVED_BINARY varbinary 2000  √  null
SERVER_SYSTEM_LOG_2 RESERVED_BINARY varbinary 2000  √  null
SYSTEM_STATE RESERVED_BINARY varbinary 2000  √  null
V_AGENT_BEHAVIOR_LOG RESERVED_BINARY varbinary 2000  √  null
V_AGENT_PACKET_LOG RESERVED_BINARY varbinary 2000  √  null
V_AGENT_SYSTEM_LOG RESERVED_BINARY varbinary 2000  √  null
V_AGENT_TRAFFIC_LOG RESERVED_BINARY varbinary 2000  √  null
V_DOMAINS RESERVED_BINARY varbinary 2000  √  null
V_ENFORCER_CLIENT_LOG RESERVED_BINARY varbinary 2000  √  null
V_ENFORCER_SYSTEM_LOG RESERVED_BINARY varbinary 2000  √  null
V_ENFORCER_TRAFFIC_LOG RESERVED_BINARY varbinary 2000  √  null
V_GROUPS RESERVED_BINARY varbinary 2000  √  null
V_LAN_DEVICE_DETECTED RESERVED_BINARY varbinary 2000  √  null
V_LAN_DEVICE_EXCLUDED RESERVED_BINARY varbinary 2000  √  null
V_SEM_COMPUTER RESERVED_BINARY varbinary 2000  √  null
V_SERVER_ADMIN_LOG RESERVED_BINARY varbinary 2000  √  null
V_SERVER_CLIENT_LOG RESERVED_BINARY varbinary 2000  √  null
V_SERVER_ENFORCER_LOG RESERVED_BINARY varbinary 2000  √  null
V_SERVER_POLICY_LOG RESERVED_BINARY varbinary 2000  √  null
V_SERVER_SYSTEM_LOG RESERVED_BINARY varbinary 2000  √  null
V_SERVERS RESERVED_BINARY varbinary 2000  √  null
AGENT_SECURITY_LOG_1 EVENT_DATA varbinary 3000  √  null Additional data in binary format. This field is optional.
AGENT_SECURITY_LOG_2 EVENT_DATA varbinary 3000  √  null Additional data in binary format. This field is optional.
V_AGENT_SECURITY_LOG EVENT_DATA varbinary 3000  √  null
INVENTORYREPORT INFECTED varchar 2 ('') 'On' = filter for infected machines
SEM_COMPUTER DISK_DRIVE varchar 3  √  null Drive letter referred to by DISK_TOTAL
SEM_SVA_COMPUTER DISK_DRIVE varchar 3  √  null
V_SEM_COMPUTER DISK_DRIVE varchar 3  √  null
INVENTORYREPORT GOOD varchar 5 ('%') Not used
AUDIT_REPORT SORTDIR varchar 5 ('DESC') DESC = descending sort, ASC = ascending sort
BEHAVIOR_REPORT SORTDIR varchar 5 ('DESC') DESC = descending order, ASC = Ascending order
COMMAND_REPORT SORTDIR varchar 5 ('asc') DESC = Descending order, ASC = Ascending order
COMPLIANCE_REPORT SORTDIR varchar 5 ('DESC') DESC = Descending, ASC = Ascending
FIREWALL_REPORT SORTDIR varchar 5 ('DESC') DESC = Descending, ASC = Ascending
INVENTORYREPORT SORTDIR varchar 5 ('DESC') Ascending or descending
SCANREPORT SORTDIR varchar 5 ('DESC') Sort direction; desc = Descending, asc = Ascending
SYSTEM_REPORT SORTDIR varchar 5 ('DESC') Sort direction: Desc = Descending, Asc = Ascending
THREATREPORT SORTDIR varchar 5 ('DESC') Either 'asc' or 'desc'
ALERTS STATUS varchar 6  √  (NULL)
V_ALERTS STATUS varchar 6  √  null
SEM_AGENT OS_BIT_TYPE varchar 8  √  null
NOTIFICATION CATEGORY varchar 10 ('>= -1') Virus category for which this notification applies:
>= -1 is no filter (all)
>= 1 filters for Category 1 (Very Low) and above
>= 2 filters for Category 2 (Low) and above
>= 3 filters for Category 3 (Moderate) and above
>= 4 filters for Category 4 (Severe) and above
>= 5 filters for Category 5 (Very Severe)
= -1 filters for unknown
AGENTCONFIG ENABLED varchar 10 ('') Is "on" if status checking for this agent type is enabled, if status checking is not enabled, then it is blank.
HISTORYCONFIG REPORT_IDX varchar 10 ('I-0') Format is Reporttype-number: example I-0 is Virus Definitions Distribution

I = Computer Status Report
0 = Virus Definitions Distribution
1 = Computers Not Checked Into Server
2 = Symantec Endpoint Protection Product Versions
3 = Intrusion Prevention Signature Distribution
4 = Client Inventory
5 = Compliance Status Distribution
6 = Client Online Status
7 = Clients With Latest Policy
8 = Client Count by Group
9 = Security Status Summary
10 = Protection Content Versions
11 = Client Migration
100 = Client Software Rollout (Snapshots)
101 = Clients Online/Offline Over Time (Snapshots)
102 = Clients With Latest Policy Over Time (Snapshots)
103 = Non-Compliant Clients Over Time (Snapshots)
104 = Virus Definition Rollout (Snapshots)

A = Audit Report
0 = Policies Used

B = Application and Device Control Report
0 = Top Groups With Most Alerted Application Control Logs
1 = Top Targets Blocked
2 = Top Devices Blocked


C = Compliance Report
0 = Network Compliance Status
1 = Compliance Status
2 = Clients by Compliance Failure Summary
3 = Compliance Failure Details
4 = Non-compliant Clients by Location

F = Network Threat Protection Report
0 = Top Targets Attacked
1 = Top Sources of Attack
2 = Top Types of Attack
3 = Top Blocked Applications
4 = Attacks Over Time
5 = Security Events by Severity
6 = Blocked Applications Over Time
7 = Traffic Notifications Over Time
8 = Top Traffic Notifications
9 = Full Report

R = Risk Report
0 = Infected and At Risk Computers
1 = Detection Action Summary
2 = Risk Detections Count
3 = New Risks Detected in the Network
4 = Top Risk Detections Correlation
5 = Risk Distribution Summary
6 = Risk Distribution Over Time
8 = Proactive Threat Detection Results
9 = Proactive Threat Distribution
10 = Proactive Threat Detection Over Time
11 = Action Summary for Top Risks
12 = Number of Notifications
14 = Number of Notifications Over Time
13 = Weekly Outbreaks
7 = Comprehensive Risk Report

S = Scan Report
0 = Scan Statistics Histogram
1 = Computers by Last Scan Time
2 = Computers Not Scanned

Y = System Report
0 = Top Clients That Generate Errors
1 = Top Servers That Generate Errors
2 = Top Enforcers That Generate Errors
3 = Database Replication Failures Over Time
4 = Site Status Report
AGENTCONFIG WARNAFTER_UNIT varchar 10 ('') Unit for Warnafter_value (minutes, hours or days)
SEM_AGENT EMPLOYMENT_STATUS varchar 16  √  null Employee status
INVENTORYREPORT FILVIEW varchar 16 ('SAVCE') Not used
SEM_COMPUTER MAC_ADDR1 varchar 17  √  null
SEM_SVA_COMPUTER MAC_ADDR1 varchar 17  √  null
V_SEM_COMPUTER MAC_ADDR1 varchar 17  √  null
SEM_COMPUTER MAC_ADDR2 varchar 17  √  null
SEM_SVA_COMPUTER MAC_ADDR2 varchar 17  √  null
V_SEM_COMPUTER MAC_ADDR2 varchar 17  √  null
SEM_COMPUTER MAC_ADDR3 varchar 17  √  null
SEM_SVA_COMPUTER MAC_ADDR3 varchar 17  √  null
V_SEM_COMPUTER MAC_ADDR3 varchar 17  √  null
SEM_COMPUTER MAC_ADDR4 varchar 17  √  null
SEM_SVA_COMPUTER MAC_ADDR4 varchar 17  √  null
V_SEM_COMPUTER MAC_ADDR4 varchar 17  √  null
ENFORCER_CLIENT_LOG_1 REMOTE_HOST_MAC varchar 17  √  null Remote host MAC address
ENFORCER_CLIENT_LOG_2 REMOTE_HOST_MAC varchar 17  √  null Remote host MAC address
V_ENFORCER_CLIENT_LOG REMOTE_HOST_MAC varchar 17  √  null
AGENT_SECURITY_LOG_1 LOCAL_HOST_MAC varchar 18  √  null The MAC address of local computer
AGENT_SECURITY_LOG_2 LOCAL_HOST_MAC varchar 18  √  null The MAC address of local computer
AGENT_TRAFFIC_LOG_1 LOCAL_HOST_MAC varchar 18  √  null The MAC address of local computer
AGENT_TRAFFIC_LOG_2 LOCAL_HOST_MAC varchar 18  √  null The MAC address of local computer
V_AGENT_SECURITY_LOG LOCAL_HOST_MAC varchar 18  √  null
V_AGENT_TRAFFIC_LOG LOCAL_HOST_MAC varchar 18  √  null
LAN_DEVICE_DETECTED MAC_ADDRESS varchar 18 Mac Address of the device
LAN_DEVICE_EXCLUDED MAC_ADDRESS varchar 18  √  null Mac Address of the device
V_LAN_DEVICE_DETECTED MAC_ADDRESS varchar 18
V_LAN_DEVICE_EXCLUDED MAC_ADDRESS varchar 18  √  null
AGENT_SECURITY_LOG_1 REMOTE_HOST_MAC varchar 18  √  null The MAC address of remote computer
AGENT_SECURITY_LOG_2 REMOTE_HOST_MAC varchar 18  √  null The MAC address of remote computer
AGENT_TRAFFIC_LOG_1 REMOTE_HOST_MAC varchar 18  √  null The MAC address of remote computer
AGENT_TRAFFIC_LOG_2 REMOTE_HOST_MAC varchar 18  √  null The MAC address of remote computer
V_AGENT_SECURITY_LOG REMOTE_HOST_MAC varchar 18  √  null
V_AGENT_TRAFFIC_LOG REMOTE_HOST_MAC varchar 18  √  null
AGENTCONFIG AGENTTYPE varchar 20 ('') 1 = LogSender
2 = ClientInventory
3 = LogReaderInventory
4 = LogReaderEvents
5 = NotificationAgent
6 = HistoryAgent
7 = VirusCategory
8 = DBmaint
9 = Backup
10 = DiskFull
SEM_AGENT CIDS_DEFSET_VERSION varchar 20  √  null IDS definition version; this is not used in queries. The definition will be in SEM_CONTENT/PATTERN tables.
SEM_AGENT CIDS_ENGINE_VERSION varchar 20  √  null IDS engine version
SCANS STATUS varchar 20 ('started') Scan status as hard-coded English key:
completed = Completed
cancelled = Canceled
started = Started
AGENTSTATUS VERSION_BUILD varchar 20 ('00.00.00') Version/build (major.minor.build) of agent
NOTIFICATION TYPE varchar 30 ('') VO = Risk outbreak
SO = Outbreak on single computers
VM = Outbreak by number of computers
1V = Single risk event
NV = New risk detected
ID = Virus definitions out-of-date
AF = Authentication failure
AFS = Authentication failure on single server
SE = System event
CS = Client security alert
CSS = Client security alert on single computers
CSM = Client security alert by number of computers
LA = New learned application
CL = Client list changed
DF = Server health
UM = Unmanaged computers
NS = New software package
ED = Enforcer is down
WL = Forced or Commercial application detected
DD = Database down
LE = Paid license expiring
TLE = Trial license expiring
ODC = SEPM is overdeployed with the current license
OLE = Upgrade license expiring
SVA = Security virtual appliance offline
COMPLIANCE_REPORT ACTION varchar 32 ('') For Enforcer Client: Authenticated, Disconnected, Passed, Rejected, Failed
THREATREPORT ACTUALACTION varchar 32 ('') Possibilities here are in the ACTUALACTION table
INVENTORYREPORT CLIENTTYPE varchar 32 ('') Not used
SCANS COMMAND_ID varchar 32  √  (NULL) Pointer to table SEM_JOB; command ID that kicked off this scan (if any)
SEM_AGENT EMPLOYEE_NUMBER varchar 32  √  null Employee number
AGENT_SYSTEM_LOG_1 EVENT_SOURCE varchar 32 The data source, such as NETPORT, NATSRV, etc.
AGENT_SYSTEM_LOG_2 EVENT_SOURCE varchar 32 The data source, such as NETPORT, NATSRV, etc.
V_AGENT_SYSTEM_LOG EVENT_SOURCE varchar 32
THREATREPORT EVENTTYPE varchar 32 ('') Possibilities here are in the ALERTMSG table
SEM_AGENT HOME_PHONE varchar 32  √  null Employee home phone number
ALERTS HPP_APP_IDX varchar 32 ('') Pointer to hpp_application table
V_ALERTS HPP_APP_IDX varchar 32
SCANREPORT LASTCOLUMN varchar 32 ('SERVERGROUP') Not used
AGENT_PACKET_LOG_1 LOCAL_HOST_IPV6 varchar 32  √  null Local host IPv6
AGENT_PACKET_LOG_2 LOCAL_HOST_IPV6 varchar 32  √  null Local host IPv6
AGENT_SECURITY_LOG_1 LOCAL_HOST_IPV6 varchar 32  √  null Local host IPv6
AGENT_SECURITY_LOG_2 LOCAL_HOST_IPV6 varchar 32  √  null Local host IPv6
AGENT_TRAFFIC_LOG_1 LOCAL_HOST_IPV6 varchar 32  √  null Local host IPv6
AGENT_TRAFFIC_LOG_2 LOCAL_HOST_IPV6 varchar 32  √  null Local host IPv6
V_AGENT_PACKET_LOG LOCAL_HOST_IPV6 varchar 32  √  null
V_AGENT_SECURITY_LOG LOCAL_HOST_IPV6 varchar 32  √  null
V_AGENT_TRAFFIC_LOG LOCAL_HOST_IPV6 varchar 32  √  null
SEM_AGENT MOBILE_PHONE varchar 32  √  null Employee mobile number
SEM_AGENT OFFICE_PHONE varchar 32  √  null Employee office number
THREATREPORT PRODUCT varchar 32 ('generic') Not used
LICENSE PRODUCT_ID varchar 32 Product code, indicating sepe/sepsb product type, version and suffix. Read from license file
LICENSE PRODUCT_TYPE varchar 32 Enterprise or small business product type: SEPSB / SEPE
INVENTORYREPORT PRODUCTVERSION varchar 32 ('%') Product version by which to filter
BASIC_METADATA REF_ID varchar 32  √  null Object reference ID
AGENT_PACKET_LOG_1 REMOTE_HOST_IPV6 varchar 32  √  null Remote host IPv6
AGENT_PACKET_LOG_2 REMOTE_HOST_IPV6 varchar 32  √  null Remote host IPv6
AGENT_SECURITY_LOG_1 REMOTE_HOST_IPV6 varchar 32  √  null Remote host IPv6
AGENT_SECURITY_LOG_2 REMOTE_HOST_IPV6 varchar 32  √  null Remote host IPv6
AGENT_TRAFFIC_LOG_1 REMOTE_HOST_IPV6 varchar 32  √  null Remote host IPv6
AGENT_TRAFFIC_LOG_2 REMOTE_HOST_IPV6 varchar 32  √  null Remote host IPv6
V_AGENT_PACKET_LOG REMOTE_HOST_IPV6 varchar 32  √  null
V_AGENT_SECURITY_LOG REMOTE_HOST_IPV6 varchar 32  √  null
V_AGENT_TRAFFIC_LOG REMOTE_HOST_IPV6 varchar 32  √  null
THREATREPORT RISK_LEVEL varchar 32 ('') SONAR log filter field for Risk level. One of the following:
All (>= -1)
Unknown (= 0)
Low (>= 1)
Medium (= 3)
High (= 4)
SEM_SVA SERVICES varchar 32  √  null
AUDIT_REPORT SORTORDER varchar 32 ('TIME_STAMP') Column/Field by which to sort data
BEHAVIOR_REPORT SORTORDER varchar 32 ('EVENT_TIME') Table column to sort by
COMMAND_REPORT SORTORDER varchar 32 ('COMPUTER_NAME') Column name in table to sort by
COMPLIANCE_REPORT SORTORDER varchar 32 ('EVENT_TIME') Log column sort
FIREWALL_REPORT SORTORDER varchar 32 ('EVENT_TIME') Column in table to sort by
INVENTORYREPORT SORTORDER varchar 32 ('LAST_UPDATE_TIME') Which column to sort for Computer Status log
SCANREPORT SORTORDER varchar 32 ('STARTDATETIME') 'I.Computer'
'P.Parentserver'
'G.Clientgroup'
'C.Clientuser'
'S.Servergroup'
'SC.Startdatetime'
'SC.Duration'
'SC.Totalfiles' (total files scanned)
'SC.Threats'
'SC.Infected' (total files infected)
SYSTEM_REPORT SORTORDER varchar 32 ('EVENT_TIME') Column to sort on for log views
THREATREPORT SORTORDER varchar 32 ('ALERTDATETIME') Which column to use for the log view sort
SCANREPORT STATUS varchar 32 ('%') Scan status as hard-coded English key: Completed, Cancelled, Started, % means no filter (all)
THREATREPORT TIMEBASE varchar 32 ('') Deprecated
THREATREPORT TREATCOMPRESSED varchar 32 ('') Deprecated
PATTERN CLIENT_MONIKER varchar 40 ('') Moniker for this content
SEM_CONTENT CLIENT_MONIKER varchar 40 ('')
V_SEM_CONTENT CLIENT_MONIKER varchar 40
AGENT_SECURITY_LOG_1 HI_EXECUTION_ID varchar 50  √  null Execution ID that SNAC agent generates for each HI execution.
AGENT_SECURITY_LOG_2 HI_EXECUTION_ID varchar 50  √  null Execution ID that SNAC agent generates for each HI execution.
ENFORCER_CLIENT_LOG_1 HI_EXECUTION_ID varchar 50  √  null Execution ID that SNAC agent generates for each HI execution
ENFORCER_CLIENT_LOG_2 HI_EXECUTION_ID varchar 50  √  null Execution ID that SNAC agent generates for each HI execution
V_AGENT_SECURITY_LOG HI_EXECUTION_ID varchar 50  √  null
V_ENFORCER_CLIENT_LOG HI_EXECUTION_ID varchar 50  √  null
NOTIFICATION LASTRUN_DATA varchar 50 ('') Any extra data needed to give details in notification e-mail
AGENTSTATUS LASTRUNGMT varchar 50 ((0)) Last time this agent ran, stored as GMT
ALERTS SOURCE varchar 50 ('') Hard-coded English string used as lookup key for scan types:
"Scheduled Scan"
"Manual Scan"
"Real Time Scan"
"Integrity Shield"
"Definition downloader"
"System"
"Startup Scan"
"DefWatch"
"Manual Quarantine"
"Reboot Processing"
"Heuristic Scan"
INVENTORYCURRENTRISK1 SOURCE varchar 50 ('') Type of scan that detected the risk
V_ALERTS SOURCE varchar 50
LOG_CONFIG CURRENT_TABLE varchar 60 Current log table name
SEM_COMPLIANCE_CRITERIA ACTION varchar 64 ('') hard-coded English key - one of:
check
remediation
SEM_COMPLIANCE_CRITERIA_2 ACTION varchar 64 ('')
SEM_AGENT AGENT_TYPE varchar 64  √  null Type of the agent installed:
105 = Symantec Endpoint Protection
151 = Symantec Network Access Control
SEM_SVA AGENT_TYPE varchar 64  √  null
HPP_APPLICATION APP_HASH varchar 64 HASH for this application
ALERTS AV_PRODUCT_VERSION varchar 64  √  (NULL) AV product version
V_ALERTS AV_PRODUCT_VERSION varchar 64  √  null
HPP_ALERTS COH_ENGINE_VERSION varchar 64 ('') Version of the TruScan engine
SEM_JOB COMMAND_NAME varchar 64 Hard-coded English string that indicates which command was launched. This is the same string as what is placed in the XML for pre-defined name.

Update_Now = Update Content
ScanNow_Full = Full Scan
ScanNow_Quick = Active Scan
ScanNow_Custom = Custom Scan
Update_ScanNow_Full = Update Content and Scan Full
Update_ScanNow_Quick = Update Content and Scan Quick
Update_ScanNow_Custom = Update Content and Scan Custom
CancelScan = Cancel Scan
Reboot = Restart
ApOn = Turn Auto-Protect On
ApOff = Turn Auto-Protect Off
FwOn = Turn Firewall On
FwOff = Turn Firewall Off
DeleteQuarantine = Delete from Quarantine
SEM_AGENT DEPLOY_PRE_VER varchar 64  √  null The agent version prior to a deployment action.
SEM_AGENT DEPLOY_RUNNING_VER varchar 64  √  null The current agent version
SEM_AGENT DEPLOY_TARGET_VER varchar 64  √  null The agent version the deployment action is trying to move to.
SYSTEM_REPORT EVENT_ID varchar 64 ('') Blank or % in this field means no filtering.
For the System > Administrative log

ADMIN_ADMIN_TYPES=Administrator events. Possible values:
4097=Login succeeded
4098=Login failed
4099=Logout
4050=Account locked
4101=Account unlocked
4102=Account disabled
4103=Account enabled
4104=Administrator created
4105=Administrator deleted
4106=Administrator renamed
4107=Password changed
4108=Administrator properties are changed

ADMIN_DOMAIN_TYPES=Domain events. Possible values are as follows:
4109=Domain is created
4110=Domain is deleted
4111=Domain properties are changed
4128=Domain is disabled
4129=Domain is enabled
4130=Domain is renamed

ADMIN_GROUP_TYPES=Group events. Possible values are as follows:
8193=Group is created
8194=Group is deleted
8195=Group is renamed
8196=Group is moved
8197=Group properties are changed

ADMIN_USER_TYPES=User events. Possible values are as follows:
8198=User is created
8199=User is deleted
8200=User is moved
8201=User is copied
8202=User policy mode is switched
8203=User properties are changed

ADMIN_COMPUTER_TYPES=Computer events. Possible values are as follows:
8204=Computer is created
8205=Computer is deleted
8206=Computer is moved
8207=Computer is copied
8208=Computer policy mode is switched
8209=Computer properties are changed

ADMIN_IMPORT_TYPES=Import events. Possible values are as follows:
8210=Organizational Unit is imported
8211=Domain user is imported
8212=LDAP user is imported

ADMIN_PACKAGE_TYPES=Package events. Possible values are as follows:
12289=Package is created
12290=Package is deleted
12291=Package is exported
12292=Package is moved to recycle bin
12293=Package is now current
12294=Package is added to other domain
12295=Package properties are changed
12296=Package deployment created
12297=Package deployment deleted
12298=Package deployment properties changed
12299=Package updated

ADMIN_REPLICATION_TYPES=Replication events. Possible values are as follows:
16385=Replication partner is registered
16386=Replication partner is deleted
16400=Replicate now

ADMIN_OTHER_TYPES=Other events. Possible values are as follows:
16387=Remote site is deleted
16388=Site properties are changed
16389=Server properties are changed
16390=Database properties are changed
16391=Partner properties are changed
16392=Site license is changed
16393=Enforcer license changed
16394=Replicate now
16395=Back up now
16396=External logging properties are changed
16397=Site backup settings changed
16398=Server deleted
16399=Server certificate changed
16401=Back up now
16402=External logging properties are changed
16403=Site backup settings changed
16404=Server deleted
16405=Server certificate changed
16406=Enforcer group properties changed

For the System > Client-Server Activity log.

1=Registration succeeded
2=Registration failed
3=Client reconnected
4=Client disconnected
5=Downloaded policy
6=Downloaded Intrusion Prevention policy
7=Downloaded sylink.xml
8=Downloaded auto-upgrade file
9=Server received log
10=Log processing failed
11=Server received learned application
12=Server received client information
13=Client information processing failed
14=Hardware identity change
15=Downloaded File Fingerprint list
20=Downloaded content package
22=Downloaded command

For the System > Server Activity log.

SERVER_EVENT_TYPES=Server events. Possible values are as follows:
257=Server startup succeeded
258=Server startup failed
259=Server shut down gracefully
260=Server created

SERVER_AGENT_EVENT_TYPES=Database maintenance events. Possible values are as follows:
267=Client sweeping started
268=Client sweeping Summary
269=Client sweeping succeeded
270=Client sweeping failed
271=Database logs have been swept

SERVER_BACKUP_EVENT_TYPES=Backup events. Possible values are as follows:
1025=Backup connection failed
1026=Backup data fetch failed
1027=Backup file write failed
1028=Backup unknown failed
1029=Backup success
1030=Backup started

SERVER_RADIUS_EVENT_TYPES=Radius server events. Possible values are as follows:
1283=Failed to start Radius server. The Radius port may be in use by another process
1284=Failed to start Radius server. Set non-Block IO socket failed.
1285=Failed to start Radius Server. Create socket error.

SERVER_REPLICATION_EVENT_TYPES=Replication events. Possible values are as follows:
769=Replication from remote site started
770=Replication failed to login to remote site
771=Unable to fetch changed data from remote site
772=Replication finished successfully
773=Replication failed
774=Replication merge failed
775=Unable to connect to remote site
776=Name changed to resolve merge conflict
777=Group full path name is too long for replication
778=Retrieval of local changed data for remote site started
779=Retrieval of local changed data for remote site finished successfully
780=Retrieval of local changed data for remote site failed
781=Replication has been chosen as the deadlock victim and killed by database
782=Replication data is received

SERVER_IMPORT_EVENT_TYPES=Import events. Possible values are as follows:
264=Organization importing started
265=Organization importing succeeded
266=Organization importing failed

SERVER_INTRUSION_PREVENTION_EVEN=Intrusion Prevention policy content updates. Possible values are as follows:
1537=Added Intrusion Prevention Library
1538=Deleted Intrusion Prevention Library
1539=Updated Intrusion Prevention Library
1540=Intrusion Prevention Library is up to date

SERVER_LU_EVENT_TYPES=LiveUpdate events. Possible values are as follows:
1793=LiveUpdate started
1794=LiveUpdate succeeded
1795=LiveUpdate failed
1796=LiveUpdate manual task succeeded
1797=LiveUpdate manual task failed
1798=LiveUpdate retry started
1799=LiveUpdate retry succeeded
1800=LiveUpdate retry failed and will try again
1801=LiveUpdate manual task started
1802=LiveUpdate retry over max window
1803=LiveUpdate retry failed and will try again
1804=LiveUpdate retry pass scheduled time
1805=LiveUpdate All process launched
1806=LiveUpdate All process exited abnormally
1807=LiveUpdate next server
1808=LiveUpdate All process finished
1809=LiveUpdate All process failed to launch
1810=LiveUpdate uploading content
1811=LiveUpdate file path not exist
1812=LiveUpdate Content Catalog file has been inserted
1813=LiveUpdate Content Catalog file has been updated
1814=Client Package has been downloaded
1815=Client Package patching failed.
1816=New LiveUpdate content has been downloaded
1817=LiveUpdate wrong URL parameter
1824=Antivirus and antispyware definitions Win64 11.0 MicroDefsB.CurDefs failed to update
1825=Download is current
1826=LiveUpdate re-run is triggered by content catalog update.
1818=Failed to download LiveUpdate content
1819=LiveUpdate content cleaned up
1820=Host Integrity Template has been updated
1821=LiveUpdate timed out
1822=LiveUpdate schedule updated

SERVER_NET_AUDIT_EVENT_TYPES=Find unmanaged computers events. Possible values are as follows:
2049=Search uncliented hosts started
2050=Search uncliented hosts finished normally
2051=Search uncliented hosts finished abnormally
2052=Client remote started
2053=Client remote finished normally
2054=Client remote finished abnormally

SERVER_OTHER_EVENT_TYPES=Other events. Possible values are as follows:
261=Site created
262=Package published
263=Site license exceeded
272=Server upgrade success
273=Scheduled reporting failed
274=Security risk rating summary
1281=An unexpected exception has occurred
1282=Connect mail server failed
1286=Server error

For the System > Client Activity log. EventIDs are listed by hexadecimal value.

AGENT_SYSTEM_INSTALL_EVENT_TYPES=Installation events. Possible values are as follows:
0x12070001=Internal error
0x12070101=Install complete
0x12070102=Restart recommended
0x12070103=Restart required
0x12070104=Installation failed
0x12070105=Uninstallation complete
0x12070106=Uninstallation failed
0x12071037=Symantec AntiVirus installed
0x12071038=Symantec Firewall installed
0x12071039=Uninstall
0x1207103A=Uninstall rolled-back

AGENT_SYSTEM_SERVICE_EVENT_TYPES=Service events. Possible values are as follows:
0x12070201=Service starting
0x12070202=Service started
0x12070203=Service start failure
0x12070204=Service stopped
0x12070205=Service stop failure
0x1207021A=Attempt to stop service

AGENT_SYSTEM_CONFIG_EVENT_TYPES=Configuration events. Possible values are as follows:
0x12070206=Config import complete
0x12070207=Config import error
0x12070208=Config export complete
0x12070209=Config export error

AGENT_SYSTEM_HI_EVENT_TYPES=Host Integrity events. Possible values are as follows:
0x12070210=Host Integrity disabled
0x12070211=Host Integrity enabled

AGENT_SYSTEM_IMPORT_EVENT_TYPES=Import events. Possible values are as follows:
0x12070214=Successfully imported advanced rule
0x12070215=Failed to import advanced rule
0x12070216=Successfully exported advanced rule
0x12070217=Failed to export advanced rule

AGENT_SYSTEM_CLIENT_EVENT_TYPES=Client events. Possible values are as follows:
0x12070218=Client Engine enabled
0x12070219=Client Engine disabled
0x12071046=Proactive Threat Scanning is not supported on this platform
0x12071047=Proactive Threat Scanning Load Error

AGENT_SYSTEM_SERVER_EVENT_TYPES=Server events. Possible values are as follows:
0x12070301=Server connected
0x12070302=No server response
0x12070303=Server connection failed
0x12070304=Server disconnected
0x120B0001=Cannot reach server
0x120B0002=Reconnected server

AGENT_SYSTEM_PROFILE_EVENT_TYPES=Policy events. Possible values are as follows:
0x12070306=New policy received
0x12070307=New policy applied
0x12070308=New policy failed
0x12070309=Cannot download policy
0x120B0005=Cannot download policy
0x1207030A=Have latest policy
0x120B0004=Have latest policy

AGENT_SYSTEM_AV_EVENT_TYPES=Antivirus engine events. Possible values are as follows:
0x12071006=Scan Omission
0x1207100B=Virus Behavior Detected
0x1207100C=Configuration Changed
0x12071010=Definition File Download
0x12071012=Sent To Quarantine Server
0x12071013=Delivered To Symantec
0x12071014=Security Response Backup
0x12071015=Scan Aborted
0x12071016=Symantec AntiVirus Auto-Protect Load Error
0x12071017=Symantec AntiVirus Auto-Protect Enabled
0x12071018=Symantec AntiVirus Auto-Protect Disabled
0x1207101A=Scan Delayed
0x1207101B=Scan Re-started
0x12071027=Symantec AntiVirus is using old virus definitions
0x12071041=Scan suspended
0x12071042=Scan Resumed
0x12071043=Scan Duration Too Short
0x12071045=Scan Enhancements Failed

AGENT_SYSTEM_LICENSE_EVENT_TYPES=License events. Possible values are as follows:
0x1207101E=License Warning
0x1207101F=License Error
0x12071020=License in Grace Period
0x12071023=License Installed
0x12071025=License Up-to-date

AGENT_SYSTEM_SECURITY_EVENT_TYPES=Security events. Possible values are as follows:
0x1207102B=Computer not compliant with security policy
0x1207102C=Computer compliant with security policy
0x1207102D=Tamper Attempt

AGENT_SYSTEM_OTHER_EVENT_TYPES=Other events. Possible values are as follows:
0x1207020A=Email post OK
0x1207020B=Email post failure
0x1207020C=Update complete
0x1207020D=Update failure
0x1207020E=Manual location change
0x1207020F=Location changed
0x12070212=Old Rasdll detected
0x12070213=Autoupdate postponed
0x12070305=Mode changed
0x1207030B=Cannot apply HI script
0x12070500=System message from device control
0x12070600=System message from anti-buffer overflow driver
0x12071021=Access Denied Warning
0x12071022=Log Forwarding Error
0x12071044=Client moved

For the System > Enforcer Activity log. EventIDs are listed by hexadecimal value.

ENFORCER_POLICY_MANAGER_EVENT_TY=Management events. Possible values are as follows:
0x101=Connected to Policy Manager
0x102=Lost connection to Policy Manager
0x103=Applied policy downloaded from Policy Manager
0x104=Failed to apply policy downloaded from Policy Manager
0x105=Applied Policy Manager configuration
0x106=Failed to apply Policy Manager configuration
0x107=Applied Policy Manager configuration
0x108=Failed to apply Policy Manager configuration

ENFORCER_ENFORCER_EVENT_TYPES=Enforcer events. Possible values are as follows:
0x201=Enforcer started
0x202=Enforcer stopped
0x203=Enforcer paused
0x204=Enforcer resumed
0x205=Enforcer disconnected from server
0x301=Enforcer failover enabled
0x302=Enforcer failover disabled
0x303=Enforcer in standby mode
0x304=Enforcer in primary mode
0x305=Enforcer short
0x306=Enforcer loop

ENFORCER_ENABLE_EVENT_TYPES=Enable events. Possible values are as follows:
0x401=Forward engine pause
0x402=Forward engine start
0x403=DNS enforcer enabled
0x404=DNS enforcer disabled
0x405=DHCP enforcer enabled
0x406=DHCP enforcer disabled
0x407=Allow all enabled
0x408=Allow all disabled

ENFORCER_PROFILE_EVENT_TYPES=Policy events. Possible values are as follows:
0x501=Seat number change
0x601=Failed to create policy parser
0x602=Failed to import policy downloaded from Policy Manager
0x603=Failed to export policy downloaded from Policy Manager
0x701=Incorrect customized attribute
SEM_OS_INFO I18N_KEY varchar 64 ('') Key value for i18n display
SEM_AGENT IDS_SERIAL_NO varchar 64  √  null Current IDS serial number of agent
INVENTORYREPORT IDS_VERSION varchar 64 ('%') Intrusion prevention system signature version by which to filter
SEM_AGENT IDS_VERSION varchar 64  √  null Current IDS version of agent
SERIAL_NUMBERS IPS_SERIAL_NO varchar 64  √  null IPS serial number of the group
AGENT_SECURITY_LOG_1 PROFILE_SERIAL_NO varchar 64  √  null Policy serial number
AGENT_SECURITY_LOG_2 PROFILE_SERIAL_NO varchar 64  √  null Policy serial number
SEM_AGENT PROFILE_SERIAL_NO varchar 64  √  null Current profile serial number of agent
SERIAL_NUMBERS PROFILE_SERIAL_NO varchar 64 Profile serial number of the group
V_AGENT_SECURITY_LOG PROFILE_SERIAL_NO varchar 64  √  null
INVENTORYREPORT PROFILE_VERSION varchar 64 ('%') Profile version by which to filter
SEM_AGENT PROFILE_VERSION varchar 64  √  null Current profile version of agent
SEM_COMPLIANCE_CRITERIA RESULT varchar 64 ('') One of:
pass
fail
ignore
error
postponed. for remediation criteria only
unknown. fallback at the server if the criteria or rule ends up without a final status
SEM_COMPLIANCE_CRITERIA_2 RESULT varchar 64 ('')
SEM_COMPLIANCE_CRITERIA RULE_TYPE varchar 64 ('') hard-coded English key - one of:
antivirus
antispyware
patch
servicepack
firewall
custom
unknown - fallback when processing log at the server and action ends up null or blank
SEM_COMPLIANCE_CRITERIA_2 RULE_TYPE varchar 64 ('')
SCANS SCAN_TYPE varchar 64 ('') Type of scan:
ScanNow_Quick = Active Scan
ScanNow_Full = Full Scan
ScanNow_Custom = Admin-defined Scan
HISTORY STAT_TYPE varchar 64 ('') What kind of data; hard-coded English key **See Snapshot data format worksheet for details **
OAUTH_ACCESS_TOKEN AUTHENTICATION_ID varchar 80  √  null
OAUTH_CLIENT_DETAILS AUTHORIZED_GRANT_TYPES varchar 80  √  null
OAUTH_ACCESS_TOKEN CLIENT_ID varchar 80  √  null
OAUTH_CLIENT_DETAILS CLIENT_ID varchar 80
OAUTH_REFRESH_TOKEN CLIENT_ID varchar 80  √  null
OAUTH_CLIENT_DETAILS CLIENT_SECRET varchar 80  √  null
OAUTH_CLIENT_DETAILS CREATED_BY varchar 80  √  null
OAUTH_ACCESS_TOKEN REFRESH_TOKEN varchar 80  √  null
OAUTH_ACCESS_TOKEN TOKEN_ID varchar 80
OAUTH_REFRESH_TOKEN TOKEN_ID varchar 80
OAUTH_ACCESS_TOKEN USER_ID varchar 80  √  null
OAUTH_REFRESH_TOKEN USER_ID varchar 80  √  null
V_SEM_COMPUTER DHCP_SERVER_TEXT varchar 123  √  null
V_SEM_COMPUTER DNS_SERVER1_TEXT varchar 123  √  null
V_SEM_COMPUTER DNS_SERVER2_TEXT varchar 123  √  null
V_SEM_COMPUTER GATEWAY1_TEXT varchar 123  √  null
V_SEM_COMPUTER GATEWAY2_TEXT varchar 123  √  null
V_SEM_COMPUTER GATEWAY3_TEXT varchar 123  √  null
V_SEM_COMPUTER GATEWAY4_TEXT varchar 123  √  null
V_SEM_COMPUTER IP_ADDR1_TEXT varchar 123  √  null
V_SEM_COMPUTER IP_ADDR2_TEXT varchar 123  √  null
V_SEM_COMPUTER IP_ADDR3_TEXT varchar 123  √  null
V_SEM_COMPUTER IP_ADDR4_TEXT varchar 123  √  null
V_AGENT_BEHAVIOR_LOG IP_ADDR_TEXT varchar 123  √  null
V_LAN_DEVICE_DETECTED IP_ADDRESS_TEXT varchar 123  √  null
V_LAN_DEVICE_EXCLUDED IP_ADDRESS_TEXT varchar 123  √  null
V_LAN_DEVICE_EXCLUDED IP_RANGE_END_TEXT varchar 123  √  null
V_LAN_DEVICE_EXCLUDED IP_RANGE_START_TEXT varchar 123  √  null
V_AGENT_PACKET_LOG LOCAL_HOST_IP_TEXT varchar 123  √  null
V_AGENT_SECURITY_LOG LOCAL_HOST_IP_TEXT varchar 123  √  null
V_AGENT_TRAFFIC_LOG LOCAL_HOST_IP_TEXT varchar 123  √  null
V_ENFORCER_TRAFFIC_LOG LOCAL_HOST_IP_TEXT varchar 123  √  null
V_AGENT_PACKET_LOG REMOTE_HOST_IP_TEXT varchar 123  √  null
V_AGENT_SECURITY_LOG REMOTE_HOST_IP_TEXT varchar 123  √  null
V_AGENT_TRAFFIC_LOG REMOTE_HOST_IP_TEXT varchar 123  √  null
V_ENFORCER_TRAFFIC_LOG REMOTE_HOST_IP_TEXT varchar 123  √  null
V_ALERTS SOURCE_COMPUTER_IP_TEXT varchar 123  √  null
V_SEM_COMPUTER SUBNET_MASK1_TEXT varchar 123  √  null
V_SEM_COMPUTER SUBNET_MASK2_TEXT varchar 123  √  null
V_SEM_COMPUTER SUBNET_MASK3_TEXT varchar 123  √  null
V_SEM_COMPUTER SUBNET_MASK4_TEXT varchar 123  √  null
V_LAN_DEVICE_EXCLUDED SUBNET_MASK_TEXT varchar 123  √  null
V_SEM_COMPUTER WINS_SERVER1_TEXT varchar 123  √  null
V_SEM_COMPUTER WINS_SERVER2_TEXT varchar 123  √  null
ALERTMSG ALERT varchar 128 ('') This is a hard-coded English string used as a look-up corresponding to an event ID from sender agent as follows:
1 = Virus found
2 = Security risk found
3 is not used
4 is not used
5 = Commercial application detected
6 = Forced proactive threat detected
7 = Proactive detection now permitted
8 = Potential risk found
9 = Risk sample submitted to Symantec
HYPERVISOR_PATTERN BIOS_MANUFACTURER_PREFIX varchar 128  √  null
HYPERVISOR_PATTERN BIOS_SERIALNUMBER_PREFIX varchar 128  √  null
SEM_COMPUTER BIOS_VERSION varchar 128  √  null BIOS version
SEM_SVA_COMPUTER BIOS_VERSION varchar 128  √  null
V_SEM_COMPUTER BIOS_VERSION varchar 128  √  null
SEM_COMPLIANCE_CRITERIA ERROR varchar 128 ('') One of:
unknown = unknown
product_unknown = product unknown
file_notfound = file not found
filename_invalid = invalid file name
parameter_invalid = invalid condition parameter
parameter_undefined = condition parameter was not specified in the policy
bad_url = URL format is invalid
filedownload_op_err = URL not accessible or failed to create destination file
time_out = action timed out
connection_lost = connection was lost
access_violation = access violation on file
access_denied = access denied
remediation_abort = user aborted remediation
remediation_postpone = user postponed remediation
createdir_failed = directory creation failed
system_err = system error
runas_noprivilege = a required privilege is not held by the client
internal_err = internal error
os_unknown = failed to detect operating system type
SEM_COMPLIANCE_CRITERIA_2 ERROR varchar 128 ('')
HYPERVISOR_VENDOR HYPERVISOR_VENDOR_NAME varchar 128  √  null Vendor name
HYPERVISOR_PATTERN MOTHERBOARD_MANUFACTURER_PREFIX varchar 128  √  null Keeps prefix for the motherboard manufacturers
LICENSE PRODUCT_NAME varchar 128 Example:
Symantec Endpoint Protection Small Business Edition 12.0 Trial License
SEM_AGENT REBOOT_REASON varchar 128 ('') Format is = ; = ...
Components:
AVMAN = Antivirus
LUMAN = LiveUpdate
FW = Network Threat Protection
GUP = Group Update Provider
Reasons:
1 = risk remediation to complete
2 = product patch to apply
3 = content download to apply
OAUTH_CLIENT_DETAILS AUTHORITIES varchar 200  √  null
OAUTH_CLIENT_DETAILS RESOURCE_IDS varchar 200  √  null
LOG_CONFIG TABLE_LIST varchar 250 The name of the tables to switch logs
NOTIFICATION ACTACTION varchar 255 ('%') % = No filter (all)
1 = Quarantined
3 = Deleted
4 = Left alone
5 = Cleaned
6 = Cleaned or macros deleted
14 = Pending repair
15 = Partially repaired
16 = Process termination pending restart
17 = Excluded
19 = Cleaned by deletion
20 = Access denied
21 = Process terminated
22 = No repair available
23 = All actions failed
98 = Suspicious
ACTUALACTION ACTUALACTION varchar 255 ('') A hard-coded English string used for the following lookups:
-1 = Action invalid
1 = Quarantined
2 = Renamed
3 = Deleted
4 = Left alone
5 = Cleaned
6 = Cleaned or macros deleted
7 = Saved
9 = Moved back
10 = Renamed back
11 = Undone
12 = Bad
13 = Backed up
14 = Pending repair
15 = Partially repaired
16 = Process termination pending restart
17 = Excluded
18 = Restart processing
19 = Cleaned by deletion
20 = Access denied
21 = Process terminated
22 = No repair available
23 = All actions failed
98 = Suspicious
99 = Details pending
110 = Detected by using the commercial application list
111 = Forced detection by using the file name
1000 = Forced detection by using the file hash
500 = Not applicable
ALERTFILTER ACTUALACTION varchar 255 ('') Not used
AGENTSTATUS AGENTNAME varchar 255 ('') Name associated with this agent (for LogSender agents: Server Group name; for LogSenderSAVSMTP agents: mail gateway host name; for ClientInventory agents: name of Parent Server; else: blank)
AGENTSTATUS AGENTTYPE varchar 255 ('') Type of Agent:
SAV 10.x
LogSender
ClientInventory
SAV 11.x
AgentSweepingTask (Database maintenance)
TopThreatsTask (Gathers top and latest threats information)
VirusCatTask (Gathers virus properties)
ThreatCatTask (Gathers risk properties)
ANOMALYDETECTIONOPERATION DETECTION_OPERATION_DESC varchar 255 ('') Detection_Operation_ID, Detection_Operation_Desc (hard-coded English string used for lookup)
0 = Unknown
1 = Scan
2 = Present
3 = Not Present
4 = Equal
5 = Not Equal
6 = Equal (Case-insensitive)
7 = Not Equal (Case-insensitive)
8 = Scan Memory
ANOMALYDETECTIONTYPE DETECTION_TYPE_DESC varchar 255 ('') Detection_Type_ID, Detection_Type_Desc (a hard-coded English string used for lookup)
1000 = Registry
1001 = File
1002 = Process
1003 = Batch File
1004 = INI File
1005 = Service
1006 = Infected File
1007 = COM Object
1008 = Hosts File Entry
1009 = Directory
1010 = Layered Service Provider
AGENTCONFIG EMAIL varchar 255 ('') Comma-separated list of e-mail addresses to receive a warning mail if agent is considered inactive
COMPLIANCE_REPORT FULL_CHARTS varchar 255 ('') Admin-specified list of charts to include in the NTP Full Report
FIREWALL_REPORT FULL_CHARTS varchar 255 ('') Not used
THREATREPORT FULL_CHARTS varchar 255 ('') Admin-specified list of charts to include in the Antivirus Comprehensive report
ALERTFILTER LASTCOLUMN varchar 255 ('')
DATA_HANDLER LF_EXT varchar 255 ('') File Extension: possible values are .dat, .AgentStatus, .SecurityRisk, .VirusScans, .VirusLogs, .Inventory
DATA_HANDLER LF_HANDLER varchar 255 ('') Classes that handle data files:
AvMan = com.sygate.scm.server.logreader.av.LogHandler
Legacy agentstatus = com.sygate.scm.server.logreader.av.AgentStatusHandler
Legacy inventory = com.sygate.scm.server.logreader.av.InventoryHandler
Legacy security and virus logs = com.sygate.scm.server.logreader.av.LogHandler
SYSTEM_REPORT MSG_ID varchar 255 ('') This field stores the hard-coded English string key found to the left of the = sign. To the right is a description of the kinds of error messages that will be queried. % or blank in this field means no filtering (all records). See "ERROR_CODE and MSG_ID" worksheet for the list of corresponding MSG IDs that fall into each bucket.
For System>Administrative:
ERR_SERVER=Server error messages
ERR_INVALID_PARAMETER=Invalid parameter error messages
ERR_GENERAL=General error messages
ERR_ROOT=Root error messages
ERR_AUTHENTICATION=Login related error messages
ERR_METADATA=Metadata error messages
ERR_TRANSACTION=Transaction error messages
ERR_DATASTORE=Datastore error messages
ERR_LICENSE=License error messages
ERR_CERTIFICATE=Certificate error messages
ERR_GROUP=Group error messages
ERR_FILE=File related error messages
ERR_LIVEUPDATE=LiveUpdate error messages
ERR_OTHER=Other error messages
ERR_NONE=None

For System>Server activity:
ERR_SERVER=Server error messages
ERR_INVALID_PARAMETER=Invalid parameter error messages
ERR_GENERAL=General error messages
ERR_ROOT=Root error messages
ERR_AUTHENTICATION=Login related error messages
ERR_METADATA=Metadata error messages
ERR_TRANSACTION=Transaction error messages
ERR_DATASTORE=Datastore error messages
ERR_LICENSE=License error messages
ERR_CERTIFICATE=Certificate error messages
ERR_GROUP=Group error messages
ERR_FILE=File related error messages
ERR_LIVEUPDATE=LiveUpdate error messages
ERR_OTHER=Other error messages
ERR_NONE=None
GUIPARMS PARAMETER varchar 255 ('') Parameter name
HOMEPAGECONFIG PARAMETER varchar 255 ('') Parameter name
INVENTORYREPORT PATTERN_IDX varchar 255 ('%') Hard-coded English string used as key (filters for Antivirus signature version):
WITHIN_RELATIVE_30 = Within the last 30 days
WITHIN_RELATIVE_90 = Within the last 90 days
OUTSIDE_RELATIVE_30 = Older than the last 30 days
OUTSIDE_RELATIVE_90 = Older than the last 90 days

or virus definition revision, which results in a <= query on that revision.
ANOMALYREMEDIATIONOPERATION REMEDIATION_OPERATION_DESC varchar 255 ('') Remediation_Operation_ID, Remediation_Operation_Desc (a hard-coded English string used for lookup)
0 = Unknown
1 = Delete
2 = Delete Line
3 = Move
4 = Create Empty File
5 = Set
6 = Terminate
7 = Suspend
8 = Stop
9 = Remove
10 = Handle Threat
11 = Set IP Address
12 = Set Domain Name
13 = Deny Access
999 = Invalid
1001 = Move
1002 = Rename
1003 = Delete
1004 = Leave Alone
1005 = Clean
1006 = Remove Macros
1007 = Save As
1008 = Move Back
1010 = Rename Back
1011 = Undo
1012 = Bad
1013 = Backup
1014 = Pending
1015 = Partial
1016 = Terminate
1017 = Exclude
1018 = Reboot Processing
1019 = Clean By Deletion
1020 = Access Denied
ANOMALYREMEDIATIONTYPE REMEDIATION_TYPE_DESC varchar 255 ('') Remediation_Type_ID, Remediation_Type_Desc (hard-coded English string used for lookup)
2000 = Registry
2001 = File
2002 = Process
2003 = Batch File
2004 = INI File
2005 = Service
2006 = Infected File
2007 = COM Object
2008 = Hosts File Entry
2009 = Directory
2010 = Layered Service Provider
2011 = Internet Browser Cache
SCFINVENTORY SCFVERSION varchar 255 ('') Firewall version
ALERTFILTER SOURCE varchar 255 ('') Not used
NOTIFICATION SOURCE varchar 255 ('%') Scan for which this notification applies (hard-coded English string used as key):
% = all
Scheduled Scan
Manual Scan
Real Time Scan
Heuristic Scan
Console
Definition downloader
System
Startup Scan
Idle Scan
Manual Quarantine
THREATREPORT SOURCE varchar 255 ('') Hard-coded English lookup key:
Scheduled Scan
Manual Scan
Real Time Scan
Heuristic Scan
Console
Definition downloader
System
Startup Scan
Idle Scan
Manual Quarantine
DATA_HANDLER STATE_HANDLER varchar 255 ('') Classes that handle state files:
SEP = com.sygate.scm.server.statereader.sep.StateHandler
AvMan = com.sygate.scm.server.statereader.av.StateHandler
LuMan = com.sygate.scm.server.statereader.lu.StateHandler
DATA_HANDLER TECH_ID varchar 255 ('') Technology extension: possible values are AvMan, LuMan, legacy, SEP
ALERTFILTER THREATCATEGORY varchar 255 ('') Not used
THREATREPORT THREATCATEGORY varchar 255 ('') = -1 (Unknown)
>= 1 (Very low risk)
>= 2 (Low risk)
>= 3 (Moderate risk)
>= 4 (Severe risk)
>= 5 (Very severe risk)
THREATREPORT THREATTYPELIST varchar 255 ('%') Possibilities here are in the VIRUSCATEGORY table--no longer a list but a single item.
HISTORYCONFIG TZ_NAME varchar 255 ('') Time zone when admin created the notification so that e-mailed reports can display dates in admin's local time zone.
NOTIFICATION TZ_NAME varchar 255 ('') Time zone when admin created the notification so that e-mailed reports can display dates in admin's local time zone.
PROCESS_STATE UPDATE_OWNER varchar 255  √  null Server ID + process name
PATTERN VERSION varchar 255 ('') Version number for this content
V_IPS VERSION varchar 255
V_MR_CLEAN VERSION varchar 255
V_SONAR VERSION varchar 255
ENFORCER_CLIENT_LOG_1 ACTION varchar 256  √  null Enforcer's action on this client (hard-coded English string used as lookup)

Authenticated = Agent's UID is correct
Rejected = Agent's UID is wrong or there's no agent running
Disconnected = Agent disconnects from Enforcer or Enforcer service stops
Passed = Agent has passed Host Integrity check
Failed = Agent has failed Host Integrity check
ENFORCER_CLIENT_LOG_2 ACTION varchar 256  √  null Enforcer's action on this client (hard-coded English string used as lookup)

Authenticated = Agent's UID is correct
Rejected = Agent's UID is wrong or there's no agent running
Disconnected = Agent disconnects from Enforcer or Enforcer service stops
Passed = Agent has passed Host Integrity check
Failed = Agent has failed Host Integrity check
V_ENFORCER_CLIENT_LOG ACTION varchar 256  √  null
HPP_ALERTS AGREEMENT_ACK varchar 256 ('') Agreement acknowledge
ALERTS AV_PRODUCT varchar 256  √  (NULL) AV product name
V_ALERTS AV_PRODUCT varchar 256  √  null
SEM_COMPLIANCE_CRITERIA CRITERIA varchar 256 ('') hard-coded English key - one of:
as_is_installed
as_is_running
as_signature_ok
av_is_installed
av_is_running
av_signature_ok
file_age_ok
file_date_ok
file_size_ok
file_version_ok
file_download
file_exists
file_checksum_ok
file_execute
fw_is_installed
fw_is_running
patch_is_installed
reg_value_incr
reg_key_exists
reg_value_ok
reg_value_exists
reg_value_set
timestamp_ok
msg_dlg_ok
os_ok
os_lang_ok
process_is_running (means either user app or service)
file_delete
service_pack_ok
hi_setup
remediation (provides overall status of remediation)
unknown (fallback at the server if criteria is null or blank)
SEM_COMPLIANCE_CRITERIA_2 CRITERIA varchar 256 ('')
HPP_ALERTS DOWNLOADER varchar 256 ('') The creator process of the dropper threat.
Default is "".
AGENT_BEHAVIOR_LOG_1 PARAM_DEVICE_ID varchar 256  √  null GUID of an external device (floppy disk, DVD, USB device, etc.)
AGENT_BEHAVIOR_LOG_2 PARAM_DEVICE_ID varchar 256  √  null GUID of an external device (floppy disk, DVD, USB device, etc.)
V_AGENT_BEHAVIOR_LOG PARAM_DEVICE_ID varchar 256  √  null
LICENSE RENEWAL_URL varchar 256  √  null URL for the license renewal, created using slic library API
LICENSE_CHAIN RENEWAL_URL varchar 256  √  null URL for the license renewal, created using slic API
SEM_JOB SOURCE_HOST_IP varchar 256  √  null
BASIC_METADATA TYPE varchar 256 Type name of the schema object
BINARY_FILE TYPE varchar 256  √  null Type name of the schema object
IDENTITY_MAP TYPE varchar 256  √  null Object Type Name
LOCAL_METADATA TYPE varchar 256  √  null Type of local_metadata.
Only supports SemLocalSettings at this moment.
PROCESS_STATE TYPE varchar 256 "PROCESS_STATE" is set for processes synchronization.
REPORTS TYPE varchar 256 Type of report
SYSTEM_STATE TYPE varchar 256 Type name of the schema object
V_DOMAINS TYPE varchar 256  √  null
V_GROUPS TYPE varchar 256  √  null
V_SERVERS TYPE varchar 256  √  null
SEM_APPLICATION VERSION varchar 256  √  null File version of the application binary
COMMAND RESERVED_VARCHAR1 varchar 260  √  null
LAN_DEVICE_DETECTED RESERVED_VARCHAR1 varchar 260  √  null
LAN_DEVICE_EXCLUDED RESERVED_VARCHAR1 varchar 260  √  null
REPORTS RESERVED_VARCHAR1 varchar 260  √  null
SEM_JOB RESERVED_VARCHAR1 varchar 260  √  null
V_LAN_DEVICE_DETECTED RESERVED_VARCHAR1 varchar 260  √  null
V_LAN_DEVICE_EXCLUDED RESERVED_VARCHAR1 varchar 260  √  null
COMPUTER_APPLICATION DOWNLOAD_URL varchar 512  √  null source URL of the first drop on this machine
OAUTH_CLIENT_DETAILS SCOPE varchar 2000  √  null