Non-exportable log entry fields
The following log entry fields can be displayed in the log table, but cannot be exported to syslog.
| Field | Description |
|---|---|
| Additional Situation | Identifier of an additional situation that was detected simultaneously with the situation that triggered the log event. |
| APN | The access point name (APN) of the mobile service in GTP traffic. |
| Blacklist response.Blacklist duration | Duration of blacklisting in seconds. |
| Blacklist response.Blacklist executor | Firewall or sensor that blacklisted the traffic that triggered the log event. |
| Blacklist response.Endpoint1 addr | Blacklisted IP addresses for Endpoint1. |
| Blacklist response.Endpoint1 mask | Netmask for blacklisted Endpoint1 IP address (32 = host address). |
| Blacklist response.Endpoint1 port | Blacklisted Endpoint1 port (empty = all ports). |
| Blacklist response.Endpoint1 port range | Blacklisted Endpoint1 port range. |
| Blacklist response.Endpoint2 addr | Blacklisted IP addresses for Endpoint2. |
| Blacklist response.Endpoint2 mask | Netmask for blacklisted Endpoint2 IP address (32 = host address). |
| Blacklist response.Endpoint2 port | Blacklisted Endpoint2 port (empty = all ports). |
| Blacklist response.Endpoint2 port range | Blacklisted Endpoint2 port range. |
| Blacklist response.Firewall ID | ID number of the firewall node to which the blacklist request is assigned (this must match the Firewall ID given to the blacklist Analyzer module). |
| Blacklist response.IP Protocol | IP protocol of the blacklist response. |
| Blacklist response.Value missing in | Blacklist Response field for which value resolving failed. |
| Certificate verify error | TLS/SSL Certificate verify error code related to this event. |
| Client Application | The client application that opened the connection. |
| Client Executable | The product name and version of the client executable file, when available, or the file name of the client executable file when the product name and version are not available. |
| Connection analysis end | The application could not continue analyzing the traffic stream after this event. |
| Correlation base component ID | The policy used to decide a response after successful correlation. Usually the value of this field is the same as "Component ID", and the field is omitted. |
| Data type | Data type of the log. |
| Dst VPN | The destination VPN of the connection. |
| Element Domain | Administrative Domain of the element associated with the event. |
| Endpoint | The VPN Endpoint through which the traffic that triggered the log event was sent or received. |
| Ethernet main type | Ethernet frame main type (Ethernet 2, IPX, LLC, SNAP). |
| Event type | Description of the event that triggered the log creation. |
| Executable File | The file name part of the pathname to the client executable file that connects through the firewall. |
| Executable MD5 | The MD5 checksum of the client executable file that connects through the firewall. |
| Executable Path | The path to the client executable file that connects through the firewall. |
| Executable Product | The product name of the client executable file, when available. The EIA client reports the product name when the executable file is signed. |
| Executable Signer | The signer of the client executable file that connects through the firewall. |
| Executable Signer SHA1 | The SHA1 checksum of the signer of the client executable file that connects through the firewall. |
| Executable Version | The product version of the client executable file, when available. The EIA client reports the product version when the executable file is signed. |
| File | The file name part of the pathname to the file that the anti-malware engine scans. |
| File MD5 | The MD5 checksum of the pathname to the file that the anti-malware engine scans. |
| GRE protocol | Protocol number of the GRE payload packet. |
| GRE version | Version of the GRE header. |
| GTI Reputation | The file reputation from the McAfee Global Threat Intelligence cloud service. |
| HTTP User Agent | The HTTP header that identifies the web browser used to access the service. |
| HTTP Referrer | The HTTP header that includes the referrer information. |
| HTTP XFF Client | The originating IP address of the client that connects to the destination server through one or several HTTP proxies. |
| HTTP XFF Proxies | The IP addresses of the HTTP proxies between the originating client IP address and the destination server. |
| IMSI | The international mobile subscriber identity (IMSI) of the mobile subscriber connecting to the network in GTP traffic. |
| IP frag conflict range.IP frag different bytes | Total number of conflicting bytes. |
| IP frag conflict range.IP frag different bytes first | First conflicting byte in the IP fragment. |
| IP frag conflict range.IP frag different bytes last | Last conflicting byte in the IP fragment. |
| IP frag conflict range.IP frag different new first | Value of the first conflicting byte in the latest fragment. |
| IP frag conflict range.IP frag different new last | Value of the last conflicting byte in the latest fragment. |
| IP frag conflict range.IP frag different old first | Value of the first conflicting byte in an earlier fragment. |
| IP frag conflict range.IP frag different old last | Value of the last conflicting byte in an earlier fragment. |
| IPv6 extension header type | IPv6 extension header type as indicated by the next header value of the preceding header. |
| IPv6 extension header's length | IPv6 extension header length as indicated by the value of the hdr_ext_len field in the extension header. |
| IPv6 hop limit | Hop limit field in the IPv6 header. |
| IPv6 option data length | IPv6 option data length. |
| IPv6 option offset | IPv6 option offset from the beginning of the IPv6 extension header. |
| IPv6 option type | IPv6 option type. |
| IPv6 routing final destination | Final destination address in the IPv6 routing header. |
| IPv6 routing header type | IPv6 routing header type. |
| IPv6 routing segments left | Segments left value in the IPv6 routing header. |
| LLC DSAP | Logical Link Control Destination Service Access Point. |
| LLC SSAP | Logical Link Control Source Service Access Point. |
| Log Data Tags | The number of different Log Data Tags associated with the log event. You can see a detailed listing of the Log Data Tags in the Fields pane or the Details view. |
| Login Domain | The administrative Domain in which the action that triggered the log event was taken. |
| Malware | Malware identifier (if available) provided by the responding scanner. If the malware identifier is not available, contains the reputation returned by the responding scanner. |
| Message ID | The Message Type Value of the GTP message. |
| MSISDN | The mobile subscriber integrated services digital network number (MSISDN) of the GTP message. |
| Normalized | URI normalization was used to find the match. |
| Overview | Observed overview. |
| Overview Name | Name of the observed overview. |
| Overview Section | Summary of the observed section definition. |
| Packets Rcvd | The number of packets that are received during the connection. |
| Packets Sent | The number of packets that are sent during the connection. |
| Peer VPN Gateway | The peer of the VPN Gateway through which the log event was sent or received. |
| Reference event ID | Reference to a related event. |
| Reference event ID.Ref Comp Id | Sender identifier of the referred event. |
| Reference event ID.Ref Creation Time | Creation time of the referred event. |
| Reference event ID.Ref Event ID | Identifier of the referred event. |
| Responding Scanner | The name of the scanner or service that produced a file reputation or a scan result for a file filtering event. |
| Roles | Roles of the Administrator who triggered the event. |
| Sandbox Reputation | The file reputation from the Forcepoint Advanced Malware Detection sandbox service. |
| Scan Report | A link to the Forcepoint Advanced Malware Detection sandbox analysis report. For the cloud sandbox, the report opens in an external portal. |
| Scanner Details | More detailed information about how the file reputation or scan result was acquired in a file filtering event. |
| Sender Domain | Administrative Domain from which the log entry was sent. |
| Sender module version.Sender build | Build number of the engine that generated the event. |
| Sender module version.Sender module major | Major version of the engine module that generated the event. |
| Sender module version.Sender module minor | Minor version of the engine module that generated the event. |
| Sender module version.Sender module pl | Patch version of the engine module that generated the event. |
| Sequence Number | The sequence number of the GTP message. |
| Situation Type | The type of the situation that triggered the log event. |
| SNAP Organization Code | Subnetwork Access Protocol Organization Code. |
| SNMP Return Src IF | The SNMP index of the return source interface. |
| SNMP Src IF | The SNMP index of the source interface. |
| Src VPN | The source VPN of the connection. |
| SSL/TLS Domain | Domain name field in the SSL/TLS certificate related to the event. |
| SSL VPN Portal Service Name | The title for the service shown on the SSL VPN Portal webpage. |
| State | Connection state in connection monitoring. |
| Subexpression Count | The number of concurrent independent subexpressions. |
| TEID | The tunnel endpoint identifier (TEID) of the GTP message. |
| TIE/ePO Reputation | The value that is configured for the file on the McAfee ePO server and received via the McAfee® Threat Intelligence Exchange (TIE) server. |
| TCP urgent pointer | Urgent pointer value in the TCP header. |
| TCP window size | TCP receive window size. |
| TCP window shrinkage | The amount by which the TCP window shrank. |
| Threshold Check Time | Threshold measurement end time. |
| Threshold Description | Description of threshold limitation. |
| Threshold Measured Value | Value exceeding the threshold. |
| TLS Alert Description | TLS/SSL alert message description. |
| TLS Alert Level | TLS/SSL alert message alert level. |
| TLS cipher suite | TLS/SSL cipher suite. |
| TLS compression method | TLS/SSL compression method. |
| TLS Protocol Version | TLS/SSL protocol version. |
| Tunneled destination | The destination IP address of tunneled GTP traffic. |
| Tunneled source | The source IP address of tunneled GTP traffic. |
| Tunneling level | Number of tunneling protocol layers encapsulating this protocol layer. |
| User and Group Information | User and Group Information related to the event. |
| Version | The GTP version of the GTP message. |
| VPN | The VPN through which the traffic that triggered the log event was sent or received. |
| VPN Gateway | The VPN Gateway through which the log event was sent or received. |