Non-exportable log entry fields

The following log entry fields can be displayed in the log table, but cannot be exported to syslog.

Table 1. Non-exportable log entry fields
| Field | Description |
| --- | --- |
| Additional Situation | Identifier of an additional situation that was detected simultaneously with the situation that triggered the log event. |
| APN | The access point name (APN) of the mobile service in GTP traffic. |
| Blacklist response.Blacklist duration | Duration of blacklisting in seconds. |
| Blacklist response.Blacklist executor | Firewall or sensor that blacklisted the traffic that triggered the log event. |
| Blacklist response.Endpoint1 addr | Blacklisted IP addresses for Endpoint1. |
| Blacklist response.Endpoint1 mask | Netmask for blacklisted Endpoint1 IP address (32 = host address). |
| Blacklist response.Endpoint1 port | Blacklisted Endpoint1 port (empty = all ports). |
| Blacklist response.Endpoint1 port range | Blacklisted Endpoint1 port range. |
| Blacklist response.Endpoint2 addr | Blacklisted IP addresses for Endpoint2. |
| Blacklist response.Endpoint2 mask | Netmask for blacklisted Endpoint2 IP address (32 = host address). |
| Blacklist response.Endpoint2 port | Blacklisted Endpoint2 port (empty = all ports). |
| Blacklist response.Endpoint2 port range | Blacklisted Endpoint2 port range. |
| Blacklist response.Firewall ID | ID number of firewall node for which the blacklist request is assigned (this must match the Firewall ID given to the blacklist Analyzer module). |
| Blacklist response.IP Protocol | IP protocol of the blacklist response. |
| Blacklist response.Value missing in | Blacklist Response field for which value resolving failed. |
| Certificate verify error | TLS/SSL Certificate verify error code related to this event. |
| Client Application | The client application that opened the connection. |
| Client Executable | The product name and version of the client executable file, when available, or the file name of the client executable file when the product name and version are not available. |
| Connection analysis end | The application could not continue analyzing the traffic stream after this event. |
| Correlation base component ID | The policy used to decide a response after successful correlation. Usually the value of this field is the same as "Component ID", and the field is omitted. |
| Data type | Data type of the log. |
| Dst VPN | The destination VPN of the connection. |
| Element Domain | Administrative Domain of the element associated with the event. |
| Endpoint | The VPN Endpoint through which the traffic that triggered the log event was sent or received. |
| Ethernet main type | Ethernet frame main type (Ethernet 2, IPX, LLC, SNAP). |
| Event type | Description of the event that triggered the log creation. |
| Executable File | The file name part of the pathname to the client executable file that connects through the firewall. |
| Executable MD5 | The MD5 checksum of the client executable file that connects through the firewall. |
| Executable Path | The path to the client executable file that connects through the firewall. |
| Executable Product | The product name of the client executable file, when available. The EIA client reports the product name when the executable file is signed. |
| Executable Signer | The signer of the client executable file that connects through the firewall. |
| Executable Signer SHA1 | The SHA1 checksum of the signer of the client executable file that connects through the firewall. |
| Executable Version | The product version of the client executable file, when available. The EIA client reports the product version when the executable file is signed. |
| File | The file name part of the pathname to the file that the anti-malware engine scans. |
| File MD5 | The MD5 checksum of the pathname to the file that the anti-malware engine scans. |
| GRE protocol | Protocol number of the GRE payload packet. |
| GRE version | Version of the GRE header. |
| GTI Reputation | The file reputation from the McAfee Global Threat Intelligence cloud service. |
| HTTP User Agent | The HTTP header that identifies the web browser used to access the service. |
| HTTP Referrer | The HTTP header that includes the referrer information. |
| HTTP XFF Client | The originating IP address of the client that connects to the destination server through one or several HTTP proxies. |
| HTTP XFF Proxies | The IP addresses of the HTTP proxy between the originating client IP address and the destination server. |
| IMSI | The international mobile subscriber identity of the mobile subscriber connecting to the network in GTP traffic. |
| IP frag conflict range.IP frag different bytes | Total number of conflicting bytes. |
| IP frag conflict range.IP frag different bytes first | First conflicting byte in the IP fragment. |
| IP frag conflict range.IP frag different bytes last | Last conflicting byte in the IP fragment. |
| IP frag conflict range.IP frag different new first | Value of the first conflicting byte in the latest fragment. |
| IP frag conflict range.IP frag different new last | Value of the last conflicting byte in the latest fragment. |
| IP frag conflict range.IP frag different old first | Value of the first conflicting byte in an earlier fragment. |
| IP frag conflict range.IP frag different old last | Value of the last conflicting byte in an earlier fragment. |
| IPv6 extension header type | IPv6 extension header type as indicated by the next header value of the preceding header. |
| IPv6 extension header's length | IPv6 extension header length as indicated by the value of the hdr_ext_len field in the extension header. |
| IPv6 hop limit | Hop limit field in the IPv6 header. |
| IPv6 option data length | IPv6 option data length. |
| IPv6 option offset | IPv6 option offset from the beginning of the IPv6 extension header. |
| IPv6 option type | IPv6 option type. |
| IPv6 routing final destination | Final destination address in the IPv6 routing header. |
| IPv6 routing header type | IPv6 routing header type. |
| IPv6 routing segments left | Segments left value in the IPv6 routing header. |
| LLC DSAP | Logical Link Control Destination Service Access Point. |
| LLC SSAP | Logical Link Control Source Service Access Point. |
| Log Data Tags | The number of different Log Data Tags associated with the log event. You can see a detailed listing of the Log Data Tags in the Fields pane or the Details view. |
| Login Domain | The administrative Domain in which the action that triggered the log event was taken. |
| Malware | Malware identifier (if available) provided by the responding scanner. If the malware identifier is not available, contains the reputation returned by the responding scanner. |
| Message ID | The Message Type Value of the GTP message. |
| MSISDN | The mobile subscriber-integrated services digital network-number (MSISDN) of the GTP message. |
| Normalized | URI normalization was used to find the match. |
| Overview | Observed overview. |
| Overview Name | Name of the observed overview. |
| Overview Section | Summary of the observed section definition. |
| Packets Rcvd | The number of packets that are received during the connection. |
| Packets Sent | The number of packets that are sent during the connection. |
| Peer VPN Gateway | The peer of the VPN Gateway through which the log event was sent or received. |
| Reference event ID | Reference to a related event. |
| Reference event ID.Ref Comp Id | Sender identifier of the referred event. |
| Reference event ID.Ref Creation Time | Creation time of the referred event. |
| Reference event ID.Ref Event ID | Identifier of the referred event. |
| Responding Scanner | The name of the scanner or service that produced a file reputation or a scan result for a file filtering event. |
| Roles | Roles of the Administrator who triggered the event. |
| Sandbox Reputation | The file reputation from the Forcepoint Advanced Malware Detection sandbox service. |
| Scan Report | A link to the Forcepoint Advanced Malware Detection sandbox analysis report. For the cloud sandbox, the report opens in an external portal. |
| Scanner Details | More detailed information about how the file reputation or scan result was acquired in a file filtering event. |
| Sender Domain | Administrative Domain from which the log entry was sent. |
| Sender module version.Sender build | Build number of the engine that generated the event. |
| Sender module version.Sender module major | Major version of the engine module that generated the event. |
| Sender module version.Sender module minor | Minor version of the engine module that generated the event. |
| Sender module version.Sender module pl | Patch version of the engine module that generated the event. |
| Sequence Number | The sequence number of the GTP message. |
| Situation Type | The type of the situation that triggered the log event. |
| SNAP Organization Code | Subnetwork Access Protocol Organization Code. |
| SNMP Return Src IF | The SNMP index of the return source interface. |
| SNMP Src IF | The SNMP index of the source interface. |
| Src VPN | The source VPN of the connection. |
| SSL/TLS Domain | Domain name field in SSL/TLS certificate related to the event. |
| SSL VPN Portal Service Name | The title for the service shown on the SSL VPN Portal webpage. |
| State | Connection state in connection monitoring. |
| Subexpression Count | The number of concurrent independent subexpressions. |
| TEID | The tunnel endpoint identifier (TEID) of the GTP message. |
| TIE/ePO Reputation | The value that is configured for the file on the McAfee ePO server and received via the McAfee® Threat Intelligence Exchange (TIE) server. |
| TCP urgent pointer | Urgent pointer value in the TCP header. |
| TCP window size | TCP receive window size. |
| TCP window shrinkage | The amount by which the TCP window shrunk. |
| Threshold Check Time | Threshold measurement end time. |
| Threshold Description | Description of threshold limitation. |
| Threshold Measured Value | Value exceeding the threshold. |
| TLS Alert Description | TLS/SSL alert message description. |
| TLS Alert Level | TLS/SSL alert message alert level. |
| TLS cipher suite | TLS/SSL cipher suite. |
| TLS compression method | TLS/SSL compression method. |
| TLS Protocol Version | TLS/SSL protocol version. |
| Tunneled destination | The destination IP address of tunneled GTP traffic. |
| Tunneled source | The source IP address of tunneled GTP traffic. |
| Tunneling level | Number of tunneling protocol layers encapsulating this protocol layer. |
| User and Group Information | User and Group Information related to the event. |
| Version | The GTP version of the GTP message. |
| VPN | The VPN through which the traffic that triggered the log event was sent or received. |
| VPN Gateway | The VPN Gateway through which the log event was sent or received. |