Non-exportable log entry fields
The following log entry fields can be displayed in the log table, but cannot be exported to syslog.
Field | Description |
---|---|
Additional Situation | Identifier of an additional situation that was detected simultaneously with the situation that triggered the log event. |
APN | The access point name (APN) of the mobile service in GTP traffic. |
Blacklist response.Blacklist duration | Duration of blacklisting in seconds. |
Blacklist response.Blacklist executor | Firewall or sensor that blacklisted the traffic that triggered the log event. |
Blacklist response.Endpoint1 addr | Blacklisted IP addresses for Endpoint1. |
Blacklist response.Endpoint1 mask | Netmask for blacklisted Endpoint1 IP address (32 = host address). |
Blacklist response.Endpoint1 port | Blacklisted Endpoint1 port (empty = all ports). |
Blacklist response.Endpoint1 port range | Blacklisted Endpoint1 port range. |
Blacklist response.Endpoint2 addr | Blacklisted IP addresses for Endpoint2. |
Blacklist response.Endpoint2 mask | Netmask for blacklisted Endpoint2 IP address (32 = host address). |
Blacklist response.Endpoint2 port | Blacklisted Endpoint2 port (empty = all ports). |
Blacklist response.Endpoint2 port range | Blacklisted Endpoint2 port range. |
Blacklist response.Firewall ID | ID number of firewall node for which the blacklist request is assigned (this must match the Firewall ID given to the blacklist Analyzer module). |
Blacklist response.IP Protocol | IP protocol of the blacklist response. |
Blacklist response.Value missing in | Blacklist Response field for which value resolving failed. |
Certificate verify error | TLS/SSL Certificate verify error code related to this event. |
Client Application | The client application that opened the connection. |
Client Executable | The product name and version of the client executable file, when available, or the file name of the client executable file when the product name and version are not available. |
Connection analysis end | The application could not continue analyzing the traffic stream after this event. |
Correlation base component ID | The policy used to decide a response after successful correlation. Usually the value of this field is the same as "Component ID", in which case the field is omitted. |
Data type | Data type of the log. |
Dst VPN | The destination VPN of the connection. |
Element Domain | Administrative Domain of the element associated with the event. |
Endpoint | The VPN Endpoint through which the traffic that triggered the log event was sent or received. |
Ethernet main type | Ethernet frame main type (Ethernet 2, IPX, LLC, SNAP). |
Event type | Description of the event that triggered the log creation. |
Executable File | The file name part of the pathname to the client executable file that connects through the firewall. |
Executable MD5 | The MD5 checksum of the client executable file that connects through the firewall. |
Executable Path | The path to the client executable file that connects through the firewall. |
Executable Product | The product name of the client executable file, when available. The EIA client reports the product name when the executable file is signed. |
Executable Signer | The signer of the client executable file that connects through the firewall. |
Executable Signer SHA1 | The SHA1 checksum of the signer of the client executable file that connects through the firewall. |
Executable Version | The product version of the client executable file, when available. The EIA client reports the product version when the executable file is signed. |
File | The file name part of the pathname to the file that the anti-malware engine scans. |
File MD5 | The MD5 checksum of the file that the anti-malware engine scans. |
GRE protocol | Protocol number of the GRE payload packet. |
GRE version | Version of the GRE header. |
GTI Reputation | The file reputation from the McAfee Global Threat Intelligence cloud service. |
HTTP User Agent | The HTTP User-Agent header, which identifies the client software (typically a web browser) used to access the service. The value is supplied by the client and is not verified. |
HTTP Referrer | The HTTP Referer header, which carries the address of the page from which the request was made. |
HTTP XFF Client | The originating IP address of the client, taken from the X-Forwarded-For header, when the client connects to the destination server through one or more HTTP proxies. The header is written by the proxies, so the value is only as trustworthy as the proxy chain in front of the firewall. |
HTTP XFF Proxies | The IP addresses of the HTTP proxies between the originating client and the destination server, taken from the X-Forwarded-For header. |
IMSI | The international mobile subscriber identity (IMSI) of the mobile subscriber connecting to the network in GTP traffic. |
IP frag conflict range.IP frag different bytes | Total number of conflicting bytes. |
IP frag conflict range.IP frag different bytes first | First conflicting byte in the IP fragment. |
IP frag conflict range.IP frag different bytes last | Last conflicting byte in the IP fragment. |
IP frag conflict range.IP frag different new first | Value of the first conflicting byte in the latest fragment. |
IP frag conflict range.IP frag different new last | Value of the last conflicting byte in the latest fragment. |
IP frag conflict range.IP frag different old first | Value of the first conflicting byte in an earlier fragment. |
IP frag conflict range.IP frag different old last | Value of the last conflicting byte in an earlier fragment. |
IPv6 extension header type | IPv6 extension header type as indicated by the next header value of the preceding header. |
IPv6 extension header's length | IPv6 extension header length as indicated by the value of the hdr_ext_len field in the extension header. |
IPv6 hop limit | Hop limit field in the IPv6 header. |
IPv6 option data length | IPv6 option data length. |
IPv6 option offset | IPv6 option offset from the beginning of the IPv6 extension header. |
IPv6 option type | IPv6 option type. |
IPv6 routing final destination | Final destination address in the IPv6 routing header. |
IPv6 routing header type | IPv6 routing header type. |
IPv6 routing segments left | Segments left value in the IPv6 routing header. |
LLC DSAP | Logical Link Control Destination Service Access Point. |
LLC SSAP | Logical Link Control Source Service Access Point. |
Log Data Tags | The number of different Log Data Tags associated with the log event. You can see a detailed listing of the Log Data Tags in the Fields pane or the Details view. |
Login Domain | The administrative Domain in which the action that triggered the log event was taken. |
Malware | Malware identifier (if available) provided by the responding scanner. If the malware identifier is not available, contains the reputation returned by the responding scanner. |
Message ID | The Message Type Value of the GTP message. |
MSISDN | The Mobile Subscriber Integrated Services Digital Network Number (MSISDN) of the GTP message. |
Normalized | URI normalization was used to find the match. |
Overview | Observed overview. |
Overview Name | Name of the observed overview. |
Overview Section | Summary of the observed section definition. |
Packets Rcvd | The number of packets that are received during the connection. |
Packets Sent | The number of packets that are sent during the connection. |
Peer VPN Gateway | The peer of the VPN Gateway through which the log event was sent or received. |
Reference event ID | Reference to a related event. |
Reference event ID.Ref Comp Id | Sender identifier of the referred event. |
Reference event ID.Ref Creation Time | Creation time of the referred event. |
Reference event ID.Ref Event ID | Identifier of the referred event. |
Responding Scanner | The name of the scanner or service that produced a file reputation or a scan result for a file filtering event. |
Roles | Roles of the Administrator who triggered the event. |
Sandbox Reputation | The file reputation from the Forcepoint Advanced Malware Detection sandbox service. |
Scan Report | A link to the Forcepoint Advanced Malware Detection sandbox analysis report. For the cloud sandbox, the report opens in an external portal. |
Scanner Details | More detailed information about how the file reputation or scan result was acquired in a file filtering event. |
Sender Domain | Administrative Domain from which the log entry was sent. |
Sender module version.Sender build | Build number of the engine that generated the event. |
Sender module version.Sender module major | Major version of the engine module that generated the event. |
Sender module version.Sender module minor | Minor version of the engine module that generated the event. |
Sender module version.Sender module pl | Patch version of the engine module that generated the event. |
Sequence Number | The sequence number of the GTP message. |
Situation Type | The type of the situation that triggered the log event. |
SNAP Organization Code | Subnetwork Access Protocol Organization Code. |
SNMP Return Src IF | The SNMP index of the return source interface. |
SNMP Src IF | The SNMP index of the source interface. |
Src VPN | The source VPN of the connection. |
SSL/TLS Domain | Domain name field in SSL/TLS certificate related to the event. |
SSL VPN Portal Service Name | The title for the service shown on the SSL VPN Portal webpage. |
State | Connection state in connection monitoring. |
Subexpression Count | The number of concurrent independent subexpressions. |
TEID | The tunnel endpoint identifier (TEID) of the GTP message. |
TIE/ePO Reputation | The value that is configured for the file on the McAfee ePO server and received via the McAfee® Threat Intelligence Exchange (TIE) server. |
TCP urgent pointer | Urgent pointer value in the TCP header. |
TCP window size | TCP receive window size. |
TCP window shrinkage | The amount by which the TCP receive window shrank. |
Threshold Check Time | Threshold measurement end time. |
Threshold Description | Description of threshold limitation. |
Threshold Measured Value | The measured value that exceeded the threshold. |
TLS Alert Description | TLS/SSL alert message description. |
TLS Alert Level | TLS/SSL alert message alert level. |
TLS cipher suite | TLS/SSL cipher suite. |
TLS compression method | TLS/SSL compression method. |
TLS Protocol Version | TLS/SSL protocol version. |
Tunneled destination | The destination IP address of tunneled GTP traffic. |
Tunneled source | The source IP address of tunneled GTP traffic. |
Tunneling level | Number of tunneling protocol layers encapsulating this protocol layer. |
User and Group Information | User and Group Information related to the event. |
Version | The GTP version of the GTP message. |
VPN | The VPN through which the traffic that triggered the log event was sent or received. |
VPN Gateway | The VPN Gateway through which the log event was sent or received. |
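The seven "IP frag conflict range" fields above describe what the engine reports when two IP fragments overlap and carry different data in the overlapping bytes, the classic fragment-overlap evasion. The following is an added example, not the product's code, that computes those values for a constructed pair of fragments. It assumes the simplest reading of the table rows: the earlier and the later fragment are compared byte for byte over their overlap, and the first/last conflicting positions are reported relative to the start of the reassembled datagram (the exact reference point the product uses is not stated on the page).

```python
"""Compute the 'IP frag conflict range' values for two overlapping IP fragments.

Added example, not the product's code. Offsets are byte offsets within the
reassembled datagram; on the wire the IPv4 Fragment Offset field is in
8-byte units, so multiply by 8 before building a Fragment. Which reference
point the product uses for 'first'/'last' is an assumption here.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Fragment:
    offset: int        # byte offset of this fragment's payload in the datagram
    payload: bytes


@dataclass(frozen=True)
class FragConflict:
    different_bytes: int   # "IP frag different bytes": total conflicting bytes
    first: int             # "IP frag different bytes first": datagram offset
    last: int              # "IP frag different bytes last": datagram offset
    new_first: int         # "IP frag different new first": value in later fragment
    new_last: int          # "IP frag different new last"
    old_first: int         # "IP frag different old first": value in earlier fragment
    old_last: int          # "IP frag different old last"


def frag_conflict(old: Fragment, new: Fragment) -> Optional[FragConflict]:
    """Return the conflict range between an earlier and a later fragment, or
    None when they do not overlap, or overlap with identical bytes (a plain
    retransmission, which is not an evasion attempt)."""
    start = max(old.offset, new.offset)
    end = min(old.offset + len(old.payload), new.offset + len(new.payload))
    if start >= end:
        return None                            # no overlap at all
    diffs = [
        pos for pos in range(start, end)
        if old.payload[pos - old.offset] != new.payload[pos - new.offset]
    ]
    if not diffs:
        return None                            # overlapping but consistent data
    first, last = diffs[0], diffs[-1]
    return FragConflict(
        different_bytes=len(diffs),
        first=first,
        last=last,
        new_first=new.payload[first - new.offset],
        new_last=new.payload[last - new.offset],
        old_first=old.payload[first - old.offset],
        old_last=old.payload[last - old.offset],
    )


def demo() -> Optional[FragConflict]:
    """Constructed sample (not a capture): the first fragment carries a benign
    request line, a later fragment overwrites the URL from offset 4 onward."""
    earlier = Fragment(0, b"GET /index.html ")
    later = Fragment(4, b"/evil.html")
    return frag_conflict(earlier, later)


if __name__ == "__main__":
    print(demo())
```

In the sample the overlap covers datagram bytes 4 to 13; byte 4 is "/" in both fragments, so the first conflicting byte is offset 5 and the last is offset 13, with nine differing bytes in between. Whether the reassembly engine honours the old or the new bytes is exactly what an attacker gambles on, which is why the old and new values are logged side by side.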
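The "IPv6 extension header", "IPv6 option" and "IPv6 routing" rows describe values pulled from the extension header chain of a packet. The decoder below is an added example, not the product's code, that walks such a chain over a constructed packet and reports the same values: hop limit, the type and hdr_ext_len of each extension header, the offset, type and data length of each option (offset counted from the first byte of its extension header), and the routing type, segments left and final destination of a routing header. Header layouts follow RFC 8200 and RFC 5095; how the product itself derives these values is an assumption.

```python
"""Walk an IPv6 extension header chain and report the values described by the
'IPv6 ...' log fields. Added example, not the product's code; layouts per
RFC 8200 (base header, options, fragment) and RFC 2460/5095 (routing type 0)."""
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
MAX_EXT_HEADERS = 8       # hard cap so a crafted chain cannot keep us walking


def parse_options(ext: bytes) -> list:
    """TLV options of a Hop-by-Hop or Destination Options header. 'offset' is
    counted from the first byte of the extension header ('IPv6 option offset')."""
    opts, pos = [], 2                            # skip Next Header, Hdr Ext Len
    while pos < len(ext):
        opt_type = ext[pos]
        if opt_type == 0:                        # Pad1: one byte, no length field
            opts.append({"offset": pos, "type": 0, "data_len": 0})
            pos += 1
            continue
        if pos + 1 >= len(ext):
            raise ValueError(f"truncated option at offset {pos}")
        data_len = ext[pos + 1]
        if pos + 2 + data_len > len(ext):        # option claims more data than present
            raise ValueError(f"option at offset {pos} overruns extension header")
        opts.append({"offset": pos, "type": opt_type, "data_len": data_len})
        pos += 2 + data_len
    return opts


def parse_routing(ext: bytes) -> dict:
    """Routing header: byte 2 = routing type, byte 3 = segments left, addresses
    from byte 8. Type 0 lists hops in forwarding order (final destination last);
    type 4 (SRH) lists them reversed (final destination is Segment List[0])."""
    routing_type, segments_left = ext[2], ext[3]
    addrs = [ext[i:i + 16] for i in range(8, len(ext) - 15, 16)]
    final = None
    if addrs:
        chosen = addrs[0] if routing_type == 4 else addrs[-1]
        final = str(ipaddress.IPv6Address(chosen))
    return {"routing_type": routing_type, "segments_left": segments_left,
            "final_destination": final}


def parse_ipv6(pkt: bytes) -> dict:
    """Return hop limit, the ordered extension header chain and the upper-layer
    protocol. Raises ValueError on truncation or bad lengths rather than
    guessing, which is the safe choice for a decoder on a security boundary."""
    if len(pkt) < 40:
        raise ValueError("short IPv6 header")
    ver_tc_fl, payload_len, nh, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if 40 + payload_len > len(pkt):
        raise ValueError("payload length exceeds captured bytes")
    chain, pos = [], 40
    while nh in EXT_HEADERS:
        if len(chain) >= MAX_EXT_HEADERS:
            raise ValueError("extension header chain too long")
        if pos + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment header is a fixed 8 bytes and its byte 1 is reserved.
        hdr_ext_len = None if nh == FRAGMENT else pkt[pos + 1]
        length = 8 if nh == FRAGMENT else (hdr_ext_len + 1) * 8
        ext = pkt[pos:pos + length]
        if len(ext) < length:
            raise ValueError("extension header runs past end of packet")
        entry = {"type": nh, "hdr_ext_len": hdr_ext_len, "length": length}
        if nh in (HOP_BY_HOP, DEST_OPTS):
            entry["options"] = parse_options(ext)
        elif nh == ROUTING:
            entry.update(parse_routing(ext))
        chain.append(entry)
        nh, pos = ext[0], pos + length
    return {"hop_limit": hop_limit, "ext_headers": chain, "upper_layer": nh}


def is_well_formed(pkt: bytes) -> bool:
    try:
        parse_ipv6(pkt)
        return True
    except ValueError:
        return False


def build_sample() -> bytes:
    """Constructed packet (not a capture): IPv6 -> Hop-by-Hop (Pad1, PadN) ->
    Routing type 0, one address, segments left = 1 -> 20-byte TCP stub."""
    hbh = bytes([ROUTING, 0, 0, 1, 3, 0, 0, 0])          # nh=43, len=0, Pad1, PadN(3)
    rh0 = (bytes([6, 2, 0, 1]) + b"\x00" * 4            # nh=6, len=2, type 0, segleft 1
           + ipaddress.IPv6Address("2001:db8::dead").packed)
    tcp = struct.pack("!HH", 80, 8080) + b"\x00" * 16
    payload = hbh + rh0 + tcp
    base = struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 64)
    base += ipaddress.IPv6Address("2001:db8::1").packed
    base += ipaddress.IPv6Address("2001:db8::2").packed
    return base + payload


if __name__ == "__main__":
    print(parse_ipv6(build_sample()))
```

The sample deliberately uses a type 0 routing header with segments left greater than zero; RFC 5095 deprecates that header precisely because it lets a sender bounce traffic through hosts of its choosing, so a firewall that logs "IPv6 routing header type" 0 together with a non-zero "IPv6 routing segments left" is reporting something worth a drop rule, not just a curiosity.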