Database Schema Reference Guide
Release 5.1
Copyright Information
Copyright © 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, Sygate, the Sygate ‘S’ Logo, Host Integrity, and AutoLocation are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Table of Contents
Preface v
Intended Audience v
Related Product Information v
Getting Technical Support v
Chapter 1 Database Schema Overview 1
Chapter 2 Symantec Policy Manager Database Schema 3
Agent Behavior Log Schema 4
Agent Packet Log Schema 6
Agent Security Log Schema 8
Agent System Log Schema 10
Agent Traffic Log Schema 11
Basic Metadata Schema 14
Binary File Schema 15
Computer Application Schema 16
Enforcer Client Log Schema 17
Enforcer System Log Schema 19
Enforcer Traffic Log Schema 20
Identity Map Schema 22
LAN Device Detected Schema 23
LAN Device Excluded Schema 24
Legacy Agent Schema 25
Local Metadata Schema 26
Log Config Schema 27
Reports Schema 28
SE Global Schema 29
SEM Agent Schema 30
SEM Application Schema 32
SEM Client Schema 33
SEM Computer Schema 34
Serial Numbers Schema 36
Server Admin Log Schema 37
Server Client Log Schema 38
Server System Log Schema 39
Server Enforcer Log Schema 40
Server Policy Log Schema 41
System State Schema 42
Preface
This document, the Database Schema Reference Guide, describes the database schema for the Symantec™ Policy Manager database (for either Embedded or Microsoft SQL databases).
Intended Audience
This information is for database administrators who may need to generate specialized reports from the information in the database.
Related Product Information
For information about setting up the Policy Manager database, see the Policy Manager Installation Guide.
For other administrative information about the Policy Manager database, see the Policy Manager Administration Guide.
This information is also available online in the Policy Manager online help.
For information about known problems with this release, refer to the Readme.txt file.
Getting Technical Support
Symantec Corporation provides a wide variety of service and support programs. Contact Enterprise Support through its web site, by email, or by telephone.
Web site: www.sygate.com/support
Email address: EnterpriseSupport@sygate.com
Toll free number: (877) TECH-800 (832-4800)
Chapter 1 Database Schema Overview
The Policy Manager database is where all the information concerning the Symantec software and associated security information is located. The information is stored in a series of tables, the database schema.
Each table contains three columns and one or more rows. Each table has the same columns in the same order: Column Name, Comment, and Data Type.
An asterisk designates the primary key in the tables. The primary key is a column or a set of columns that uniquely identifies all the rows in a table. Primary keys may not contain null values. No two rows can have the same primary key value; therefore, a primary key value always uniquely identifies a single row. More than one key can uniquely identify rows in a table; each of these keys is called a candidate key. Only one candidate can be chosen as the primary key of a table; all other candidate keys are known as alternate keys.
In a normalized table, all of the data values in each row are fully dependent on the primary key. For example, in a normalized employee table that has EmployeeID as the primary key, all of the columns should contain data related to a specific employee. The table should not have a column called DepartmentName because the name of the department is dependent on a department ID, not on an employee ID.
Chapter 2 Symantec Policy Manager Database Schema
This chapter describes each table in alphabetical order.
If you are using Symantec Network Access Control, some of the tables (and some fields in the tables) are not used because the related functionality is not included. For example, the Agent Traffic, Packet, and Behavior logs are not used.
Agent Behavior Log Schema
Not used in Symantec Network Access Control.
This table lists the database schema for the Agent Behavior logs. There are actually two tables for this schema. When logs are stored, the Policy Manager uses the first table until it is full. It then switches to using the second table. The data in the first table is kept intact until the second table fills. Then it starts to fill the first table again. This cycle is continuous.
Agent Behavior Log
Column Name  Comment  Data Type
TIME_STAMP  The time when the event is logged into system (GMT), which is server side time.  NUMBER(13)
ENCODED_API_NAME  The TCP/UDP port in the local machine (host byte-order). It is only valid on TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP. For other events, it is always zero.  VARCHAR2(256)
END_TIME  The end time of the security issue. End time is an optional field because we may fail to detect the exact end time of traffic, as with UDP. In those cases, the end time is equal to the begin time.  NUMBER(13)
RULE_ID  The ID of the rule triggered by the event. It is always 0 if a rule ID is not specified in the security rule. The field is helpful for security rule troubleshooting. If multiple rules matched, it logs the rule that has the final decision on PacketProc (pass/block/drop).  CHAR(32)
RULE_NAME  The name of the rule triggered by the event. It is always an empty string if the rule name is not specified in the security rule. It is also for troubleshooting. In theory, the IT admin can know the rule by ID; however, the name gives the user a direct view of the rule that could be used.  VARCHAR2(256)
CALLER_PROCESS_ID  ID of the process that triggers the logging.  NUMBER(13)
CALLER_PROCESS_NAME  The full path of the application involved. It may be empty if an unknown application or the OS itself is involved, or if no application is involved. Also, it may be empty if the profile says not to log the application name in the raw traffic log.  VARCHAR2(256)
CALLER_RETURN_ADDRESS  Return address of the caller. This field allows our software to detect the calling module that makes the API call.  NUMBER(13)
CALLER_RETURN_MODULE_NAME  Module name of the caller. See “CALLER_RETURN_ADDRESS” for more info.  VARCHAR2(256)
PARAMETER  Parameters that were used in the API call. Each parameter was converted to STRING format and separated by one space character. Double quotation characters within the string are escaped by a \ character.  VARCHAR2(256)
ALERT  It reflects the alert attribute in the profile action. It is true if action::alert is true.  NUMBER(10)
SEND_SNMP_TRAP  It reflects the send SNMP trap action. It is
Agent Packet Log Schema
Not used in Symantec Network Access Control.
This table lists the database schema for the Agent Packet logs. There are actually two tables for this schema. When logs are stored, the Policy Manager uses the first table until it is full. It then switches to using the second table. The data in the first table is kept intact until the second table fills. Then it starts to fill the first table again. This cycle is continuous.
Agent Packet Log
Column Name  Comment  Data Type
USN  A USN-based serial number; this ID is not unique.  NUMBER(13)
DOMAIN_ID  GUID of the domain, which the log belongs to.  CHAR(32)
SERVER_ID  GUID of the server, which the log belongs to.  CHAR(32)
GROUP_ID  GUID of the group, which the log belongs to.  CHAR(32)
COMPUTER_ID  GUID of the Agent computer, which the log
TIME_STAMP  The time when the event is logged into system (GMT), which is server side time.  NUMBER(13)
LOCAL_HOST_IP  The IP address of the local computer (IPv4).  NUMBER(10)
REMOTE_HOST_IP  The IP address of the remote computer (IPv4).  NUMBER(10)
REMOTE_HOST_NAME  The name of the remote computer (it may be empty if name resolution failed).  VARCHAR2(64)
LOCAL_PORT  The TCP/UDP port in the local machine (host byte-order). It is only valid on TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP. For other events, it is always zero.  NUMBER(10)
REMOTE_PORT  The TCP/UDP port in the remote machine (host byte-order). It is only valid on TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP. For other events, it is always zero.  NUMBER(10)
TRAFFIC_DIRECTION  The direction of traffic. Enum (unknown=0;
APP_NAME  The full path of the application involved. It may be empty if an unknown application is involved or no application is involved. For example, the ping of death DoS attack does not have an AppName because it attacks the OS itself.  VARCHAR2(256)
ALERT  It reflects the alert attribute in the profile action. It is true if action::alert is true.
SEND_SNMP_TRAP  It reflects the send SNMP trap action. It is true if
EVENT_DATA  Additional data in binary format. This field is
Agent Security Log Schema
This table lists the database schema for the Agent Security logs. There are actually two tables for this schema. When logs are stored, the Policy Manager uses the first table until it is full. It then switches to using the second table. The data in the first table is kept intact until the second table fills. Then it starts to fill the first table again. This cycle is continuous.
Agent Security Log
Column Name  Comment  Data Type
USN  A USN-based serial number; this ID is not unique.  NUMBER(13)
DOMAIN_ID  GUID of the domain, which the log belongs to.  CHAR(32)
SITE_ID  GUID of the site, which the log belongs to.  CHAR(32)
SERVER_ID  GUID of the server, which the log belongs to.  CHAR(32)
GROUP_ID  GUID of the group, which the log belongs to.  CHAR(32)
COMPUTER_ID  GUID of the Agent computer, which the log
TIME_STAMP  The time when the event is logged into system (GMT), which is server side time.  NUMBER(13)
SEVERITY  It is the severity defined in the Security Rule: Critical - 0 to 3; Major - 4 to 7; Minor - 8 to 11; Info - 12 to 15.  NUMBER(10)
LOCAL_HOST_IP  The IP address of the local computer (IPv4).  NUMBER(10)
REMOTE_HOST_IP  The IP address of the remote computer (IPv4).  NUMBER(10)
REMOTE_HOST_NAME  The name of the remote computer (it may be empty if name resolution failed).  VARCHAR2(64)
TRAFFIC_DIRECTION  The direction of traffic. Enum (unknown=0;
NETWORK_PROTOCOL  The protocol type: Enum (OTHERS=1; TCP
HACK_TYPE  The field is reserved for a future version. In V3.0:
  It is the intrusion ID if the event ID is TSLOG_SEC_INTRUSION_DETECTED.
  It is the reason if the event ID is TSLOG_SEC_NO_AV. It is a bit mask (Bit31 Bit30 … Bit0): Bit 0 - process is not running; Bit 1 - signature is out of date; Bit 2 - recovery was made (no matter if it succeeded or failed); bits 3 to 31 are reserved and must be zero. Multiple bits may be set, i.e. 0x3 means that the process is not running and the signature is out of date.
  It is additional information if the event ID is TSLOG_SEC_AV: Bit 0 - undefined, must be zero; Bit 1 - undefined, must be zero; Bit 2 - recovery was made (no matter if it succeeded or failed).
  NUMBER(13)
REPETITION  The number of attacks. Sometimes an attacker may make a mass of attack attempts; these may be damped to one event by the log system.  NUMBER(10)
APP_NAME  The full path of the application involved. It may be empty if an unknown application is involved or no application is involved. For example, the ping of death DoS attack does not have an AppName because it attacks the OS itself.  VARCHAR2(256)
EVENT_DESC  Description of the event. Usually, the first line of the description is treated as the “summary”.  VARCHAR2(256)
EVENT_DATA  Additional data in binary format. This field is
ALERT  It reflects the alert attribute in the profile action. It is true if action::alert is true.
SEND_SNMP_TRAP  It reflects the send SNMP trap action. It is true if
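The SEVERITY bands and the HACK_TYPE bit layout of the Agent Security Log are easy to misread in a report, so here is an added Python decoding example; it is not code from the guide. It assumes the event ID is available by its symbolic TSLOG_SEC_* name (the guide gives no numeric values for these) and works on constructed sample rows.

```python
"""Decode SEVERITY and HACK_TYPE from Agent Security Log rows (added example,
not from the Symantec guide). Band and bit meanings follow the schema text;
sample rows are constructed and event IDs are passed as symbolic names
because the guide gives no numeric values for them."""

# SEVERITY as defined in the Security Rule: (low, high, band name).
SEVERITY_BANDS = ((0, 3, "Critical"), (4, 7, "Major"),
                  (8, 11, "Minor"), (12, 15, "Info"))

# HACK_TYPE bits for TSLOG_SEC_NO_AV; bits 3..31 are reserved and must be 0.
NO_AV_BITS = {0: "Process is not running",
              1: "Signature is out of date",
              2: "Recovery was made"}
# For TSLOG_SEC_AV only bit 2 is defined; bits 0 and 1 must be zero.
AV_BITS = {2: "Recovery was made"}


def severity_label(severity: int) -> str:
    """Map the numeric SEVERITY column to its band name."""
    for low, high, name in SEVERITY_BANDS:
        if low <= severity <= high:
            return name
    raise ValueError(f"SEVERITY {severity} is outside the documented 0-15 range")


def decode_hack_type(event_id: str, hack_type: int) -> dict:
    """Interpret HACK_TYPE according to the event ID. 'reserved_bits_set' is
    True when a bit the schema says must be zero is set, so a report can flag
    rows that do not match the documented layout."""
    if event_id == "TSLOG_SEC_INTRUSION_DETECTED":
        return {"intrusion_id": hack_type, "reserved_bits_set": False}
    if event_id in ("TSLOG_SEC_NO_AV", "TSLOG_SEC_AV"):
        bits = NO_AV_BITS if event_id == "TSLOG_SEC_NO_AV" else AV_BITS
        defined_mask = sum(1 << b for b in bits)
        flags = [name for bit, name in bits.items() if hack_type & (1 << bit)]
        undefined = hack_type & ~defined_mask & 0xFFFFFFFF
        return {"flags": flags, "reserved_bits_set": undefined != 0}
    # Any other event ID: the field is reserved, so report the raw value.
    return {"raw": hack_type, "reserved_bits_set": False}

# Constructed sample rows (not data from the guide), as a query against the
# Agent Security Log table might return them.
SAMPLE_ROWS = [
    {"event_id": "TSLOG_SEC_NO_AV", "severity": 2, "hack_type": 0x3},
    {"event_id": "TSLOG_SEC_AV", "severity": 13, "hack_type": 0x4},
    {"event_id": "TSLOG_SEC_INTRUSION_DETECTED", "severity": 5, "hack_type": 1234},
]


def summarize(rows) -> list:
    """Turn raw rows into report entries with band names and decoded bits."""
    return [{"event_id": r["event_id"],
             "severity": severity_label(r["severity"]),
             **decode_hack_type(r["event_id"], r["hack_type"])} for r in rows]
```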
Agent System Log Schema
This table lists the database schema for the Agent System logs. There are actually two tables for this schema. When logs are stored, the Policy Manager uses the first table until it is full. It then switches to using the second table. The data in the first table is kept intact until the second table fills. Then it starts to fill the first table again. This cycle is continuous.
Agent System Log
Column Name  Comments  Data Type
DOMAIN_ID  GUID of the domain, which the log belongs to.  CHAR(32)
SITE_ID  GUID of the site, which the log belongs to.  CHAR(32)
SERVER_ID  GUID of the server, which the log belongs to.  CHAR(32)
GROUP_ID  GUID of the group, which the log belongs to.  CHAR(32)
COMPUTER_ID  GUID of the Agent computer, which the log
TIME_STAMP  The time when the event is logged into system (GMT), which is server side time.  NUMBER(13)
SEVERITY  The type of event. Could be: INFO = 0, WARNING = 1, ERROR = 2, FATAL = 3.  NUMBER(10)
HARDWARE_KEY  Hash of computer hardware information.  CHAR(32)
EVENT_SOURCE  The data source, such as NETPORT,
EVENT_DESC  Description of the event. Usually, the first line of the description is treated as the “summary”.  VARCHAR2(256)
EVENT_DATA  Additional data in binary format. This field is
SEND_SNMP_TRAP  It reflects the send SNMP trap action. It is
Agent Traffic Log Schema
Not used in Symantec Network Access Control.
This table lists the database schema for the Agent Traffic logs. There are actually two tables for this schema. When logs are stored, the Policy Manager uses the first table until it is full. It then switches to using the second table. The data in the first table is kept intact until the second table fills. Then it starts to fill the first table again. This cycle is continuous.
Agent Traffic Log
Column Name  Comments  Data Type
DOMAIN_ID  GUID of the domain, which the log belongs to.  CHAR(32)
SITE_ID  GUID of the site, which the log belongs to.  CHAR(32)
SERVER_ID  GUID of the server, which the log belongs to.  CHAR(32)
GROUP_ID  GUID of the group, which the log belongs to.  CHAR(32)
COMPUTER_ID  GUID of the Agent computer, which the log
TIME_STAMP  The time when the event is logged into system (GMT), which is server side time.  NUMBER(13)
SEVERITY  It is the severity defined in the Security Rule: Critical - 0 to 3; Major - 4 to 7; Minor - 8 to 11; Info - 12 to 15.  NUMBER(10)
HARDWARE_KEY  Hash of computer hardware information.  CHAR(32)
LOCAL_HOST_IP  The IP address of the local computer (IPv4).  NUMBER(10)
REMOTE_HOST_IP  The IP address of the remote computer (IPv4).  NUMBER(10)
REMOTE_HOST_NAME  The name of the remote computer (it may be empty if name resolution failed).  VARCHAR2(64)
NETWORK_PROTOCOL  The protocol type: Enum (OTHERS=1; TCP
LOCAL_PORT  The TCP/UDP port in the local machine (host byte-order). It is only valid on TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP. For other events, it is always zero.  NUMBER(10)
REMOTE_PORT  The TCP/UDP port in the remote machine (host byte-order). It is only valid on TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP. For other events, it is always zero.  NUMBER(10)
TRAFFIC_DIRECTION  The direction of traffic. Enum (unknown=0;
END_TIME  The end time of the security issue. End time is an optional field because we may fail to detect the exact end time of traffic, as with UDP. In those cases, the end time is equal to the begin time.  NUMBER(10)
APP_NAME  The full path of the application involved. It may be empty if an unknown application is involved or no application is involved. For example, the ping of death DoS attack does not have an AppName because it attacks the OS itself.  CHAR(32)
RULE_NAME  The name of the rule triggered by the event. It is always an empty string if the rule name is not specified in the security rule. It is also for troubleshooting. In theory, the IT admin can know the rule by ID; however, the name gives the user a direct view of the rule that could be useful for QA troubleshooting and the standalone version of Trident.  VARCHAR2(256)
ALERT  It reflects the alert attribute in the profile action. It is true if action::alert is true.  NUMBER(3)
SEND_SNMP_TRAP  It reflects the send SNMP trap action. It is
LOCAL_HOST_MAC  The MAC address of the local computer.  VARCHAR2(18)
REMOTE_HOST_MAC  The MAC address of the remote computer.  VARCHAR2(18)
LOCATION_NAME  The location used when the event occurs.  VARCHAR2(256)
Basic Metadata Schema
This table lists basic metadata schema information.
Basic Metadata
Column Name  Comments  Data Type
DELETED  The deleted flag of the schema object: Deleted - 1; Not Deleted - 0.  NUMBER(3)
OWNER  GUID of the owner. This field only applies to
TIME_STAMP  Time of the record modification, used to resolve
*Indicates the primary key, PK_BASIC_METADATA
Binary File Schema
This table lists binary file schema information.
Binary File
Column Name  Comments  Data Type
DELETED  The deleted flag of the schema object: Deleted - 1; Not Deleted - 0.  NUMBER(3)
OWNER  GUID of the owner. This field only applies to
TIME_STAMP  Time of the record modification, used to
DOMAIN_ID  GUID of the domain that the binary file
*Indicates the primary key, PK_BINARY_FILE
Computer Application Schema
This table lists the computer application schema.
Computer Application
Column Name  Comments  Data Type
DOMAIN_ID*  GUID of the domain, which the Agent
APP_HASH*  Hash value of the learned application
LAST_ACCESS_TIME  Last access time of the application on the
TIME_STAMP  Time of the record modification, used to resolve
DELETED  The deleted flag of the schema object: Deleted - 1; Not Deleted - 0.  NUMBER(3)
*Indicates the primary key, PK_COMPUTER_APPLICATION
Enforcer Client Log Schema
This table lists the database schema for the Enforcer Client logs. There are actually two tables for this schema. When logs are stored, the Policy Manager uses the first table until it is full. It then switches to using the second table. The data in the first table is kept intact until the second table fills. Then it starts to fill the first table again. This cycle is continuous.
Enforcer Client Log
Column Name  Comments  Data Type
DOMAIN_ID  GUID of the domain, which the log belongs to.  CHAR(32)
SITE_ID  GUID of the site, which the log belongs to.  CHAR(32)
TIME_STAMP  The time when the event is logged into system (GMT), which is server side time.  NUMBER(13)