Traffic log fields

Fields included in the traffic log export file.

Table 1.
Field name Description
dep_traffic_log_version Version number of the log format. As changes are made to the attributes included in the logs, the version number will be incremented.
*related_connection_ref.ref_event_id The event ID of the referred event
*related_connection_ref.ref_creation_time The creation time of the referred event
*related_connection_ref.ref_termination Number of seconds the referenced connection lasted
*related_connection_ref.ref_comp_id The comp ID of the referred event
acc_elapsed (connection) Elapsed time of connection in seconds
acc_rx_bytes Number of bytes received during connection
acc_rx_packets Number of packets received during connection
acc_tx_bytes Number of bytes sent during connection
acc_tx_packets Number of packets sent during connection
action_title The action applied by the service:
  • Discard
  • Allow
  • Refuse
  • Wait for further actions
  • Discard (passive)
  • Wait for authentication
  • Wait for RPC reply
  • Terminate (passive)
  • Terminate
  • Terminate (failed)
  • Permit
  • Terminate (reset)
additional_situation_title The identifier of a Web Category that was detected at the same time as the situation that caused this event to be sent
alert_severity_title Severity of the situation:
  • Info
  • Low
  • High
  • Critical
comp_id The identifier of the creator of the log entry
comp_id_title The identifier of the service element that created the log entry
conn_direction Connection direction:
  • Unknown
  • Client
  • Unspecified
  • Server
data_type_title The log data type; the value is typically Inspection Monitoring
dport Connection destination protocol port
dst Connection destination IP address
dst_interface Destination interface
event_id Event ID, unique within one sender
event_title The title of the logged service event. Values include:
  • New connection
  • Connection closed
  • Connection report
  • Related packet
  • Connection discarded
  • Incomplete connection closed
  • Connection refused
  • State sync configuration changed
  • Packet discarded
facility_title The processing function that created this log event. Values include:
  • Packet Filtering
  • Inspection
http_request_host HTTP request host
http_request_method HTTP request method
http_request_uri HTTP request URI
http_response_code HTTP response code
icmp_code ICMP code attribute
icmp_type ICMP type attribute
icmp_type_title Title of ICMP type:
  • Echo Reply
  • Destination Unreachable
  • Source Quench
  • Redirect
  • Alternate Host Address
  • Echo
  • Router Advertisement
  • Router Solicitation
  • Time Exceeded
  • Parameter Problem
  • Timestamp
  • Timestamp Reply
  • Information Request
  • Information Reply
  • Address Mask Request
  • Address Mask Reply
  • Traceroute
  • Datagram Conversion Error
  • Mobile Host Redirect
  • IPv6 Where-Are-You
  • IPv6 I-Am-Here
  • Mobile Registration Request
  • Mobile Registration Reply
  • Domain Name Request
  • Domain Name Reply
  • SKIP
  • Photuris
info_msg Information message
ip_dest Destination IP field in packet header
ip_source Source IP field in packet header
ip_version Version of IP header
ips_appid_title Network application detected in the connection
kind_title Log message kind. All records in the traffic logs will have the same title.
log_id Data identifier
port_dest TCP or UDP destination port in packet header
port_source TCP or UDP source port in packet header
protocol IP protocol
ref_hint.ref_hint_ref_id Index to related log entries. For example, a reference that links all the log entries related to an FTP connection.
rwp_http_user_agent HTTP User-Agent
situation_title Situation titles name the particular traffic signature patterns that the service detected
sport Connection source protocol port
src Connection source IP address
src_interface Source interface
srvhelper_id Protocol agent identification
tcp_handshake_seen Boolean: true if the TCP connection initial handshake was seen
tcp_missing_data_seen Boolean: true if some of the TCP segments that belong to the stream have not been seen by inspection. This can occur with loose mode connection tracking and in capture mode.
tenant_id Tenant identifier
timestamp Time of creating the event record
tls_protocol_version TLS/SSL protocol version
tls_ciphersuite TLS/SSL cipher suite
cipher_alg Cipher algorithm
tls_handshake_downgraded Boolean: true if the TLS handshake was downgraded
type_title Indicates the type of log event. Values include:
  • Undefined
  • Emergency - system unusable
  • System alert
  • Critical error
  • Error
  • Warning
  • Notification
  • Informational
url Requested URL
1773 Reference to connection: contains a reference to the *related_connection subfields.
anomaly_situation Potentially evasion-related anomalies seen in the connection before the situation that caused this event to be sent
anomaly_situation_config_type Configuration type of the potentially evasion-related anomalies seen in the connection before the situation that caused this event to be sent
anomaly_situation_title Title of the potentially evasion-related anomalies seen in the connection before the situation that caused this event to be sent
file_length File length
file_md5_hash The MD5 checksum of the file that is scanned
main_archive_file_name Name of the archive file that contains the reported
file_name Name of file
file_transfer_dir_title File transfer direction of the file
file_type_config_type Type of configuration file (used for sub-directory selection)
file_type_title Type of file being transferred
tls_certificate_verify_error_code_title  TLS/SSL certificate verification error code. Values include:
  • Unable to get issuer certificate
  • Unable to get certificate CRL
  • Unable to decrypt certificate signature
  • Unable to decrypt CRL signature
  • Unable to decode issuer public key
  • Certificate signature failure
  • CRL signature failure
  • Certificate not yet valid
  • Certificate has expired
  • CRL not yet valid
  • CRL has expired
  • Format error in certificate Not Before field
  • Format error in certificate Not After field
  • Format error in CRL Last Update field
  • Format error in CRL Next Update field
  • Out of memory
  • Self signed certificate
  • Self signed certificate in certificate chain
  • Unknown issuer: no CA certificate configured
  • Unable to verify the first certificate
  • Certificate chain too long
  • Certificate revoked
  • Invalid CA certificate
  • Path length constraint exceeded
  • Unsupported certificate purpose
  • Certificate not trusted
  • Certificate rejected
  • Subject issuer mismatch
  • Authority and subject key identifier mismatch
  • Authority and issuer serial number mismatch
  • Key usage does not include certificate signing
  • Unable to get CRL issuer certificate
  • Unhandled critical extension
  • Key usage does not include CRL signing
  • Unhandled critical CRL extension
  • Invalid non-CA certificate (has CA markings)
  • Proxy path length constraint exceeded
  • Key usage does not include digital signature
  • Proxy certificates not allowed
  • Invalid extension
  • Invalid policy extension
  • No explicit policy
  • RFC 3779 resource not subset of the resources of the parent
  • Application verification failure
  • Certificate syntax error
  • Unspecified Certificate Verification Error
tls_domain Domain name field in SSL/TLS certificate
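As an added example (not part of the original documentation), the following script reads export records and flags the ones whose fields indicate incomplete or suspicious inspection: tls_handshake_downgraded, tcp_missing_data_seen, anomaly_situation_title and tls_certificate_verify_error_code_title. It assumes a one-JSON-object-per-line export layout, which the page does not specify, and the sample records are constructed.

```python
import json

# Constructed sample records. The export layout is assumed to be one JSON object
# per line; the field names are the ones listed in the table above.
SAMPLE_EXPORT = """\
{"timestamp": "2024-01-01T10:00:00Z", "event_title": "New connection", "src": "10.0.0.5", "dst": "203.0.113.7", "dport": 443, "action_title": "Allow", "tls_protocol_version": "TLSv1.2", "tls_handshake_downgraded": false, "tcp_missing_data_seen": false}
{"timestamp": "2024-01-01T10:00:02Z", "event_title": "Connection closed", "src": "10.0.0.6", "dst": "203.0.113.9", "dport": 443, "action_title": "Allow", "tls_protocol_version": "TLSv1.0", "tls_handshake_downgraded": true, "tcp_missing_data_seen": false}
{"timestamp": "2024-01-01T10:00:05Z", "event_title": "Connection report", "src": "10.0.0.7", "dst": "198.51.100.2", "dport": 80, "action_title": "Allow", "tcp_missing_data_seen": true, "anomaly_situation_title": "Constructed-Anomaly-Title"}
{"timestamp": "2024-01-01T10:00:09Z", "event_title": "Connection discarded", "src": "10.0.0.8", "dst": "198.51.100.3", "dport": 443, "action_title": "Discard", "tls_certificate_verify_error_code_title": "Self signed certificate"}
"""


def parse_export(text):
    """Parse JSON-lines export text into a list of record dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_flags(record):
    """Return the list of reasons a single record deserves analyst attention."""
    reasons = []
    # Boolean fields from the table: a downgraded handshake and unseen TCP
    # segments are both conditions under which inspection may be incomplete.
    if record.get("tls_handshake_downgraded") is True:
        reasons.append("TLS handshake downgraded")
    if record.get("tcp_missing_data_seen") is True:
        reasons.append("TCP segments missed by inspection (loose or capture mode)")
    # Title fields that are only present when the service recorded something.
    anomaly = record.get("anomaly_situation_title")
    if anomaly:
        reasons.append("evasion-related anomaly: " + anomaly)
    cert_err = record.get("tls_certificate_verify_error_code_title")
    if cert_err:
        reasons.append("certificate verification error: " + cert_err)
    return reasons


def triage(text):
    """Map each flagged record to a (src, dst, dport, reasons) tuple, in file order."""
    findings = []
    for rec in parse_export(text):
        reasons = review_flags(rec)
        if reasons:
            findings.append((rec.get("src"), rec.get("dst"), rec.get("dport"), reasons))
    return findings


if __name__ == "__main__":
    for src, dst, dport, reasons in triage(SAMPLE_EXPORT):
        print(f"{src} -> {dst}:{dport}: {'; '.join(reasons)}")
```

Records that carry none of the four fields (or carry them with false/empty values) produce no finding, so the script can be pointed at a full export and only the records worth a second look are printed.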