MOREAL Event field documentation

This is a comprehensive list of all possible event fields appearing in MOREAL. Some fields may not be populated, depending on context, vendor or available information.
Wherever Possible values are listed as “n/a”, the field is usually a free-form text field or has no preset values.

Generic

| Name | Description | Possible values |
|---|---|---|
| @id | Unique identifier for the log event | n/a |
| @source_event | Source type of the event | n/a |
| @timestamp | Timestamp of when the log event was received by MOREAL | n/a |
| @vendor | Vendor of the device that generated the log event | n/a |
| branch_id | Child organization ID of the device | n/a |
| destination_as_name | Autonomous System Name of the destination IP | n/a |
| destination_as_number | Autonomous System Number of the destination IP | n/a |
| destination_city_name | City name of the destination IP | n/a |
| destination_continent_code | 2-letter continent code of the destination IP | n/a |
| destination_country_code | 3-letter country code of the destination IP | n/a |
| destination_country_name | Country name of the destination IP | n/a |
| destination_latitude | Latitude of the destination IP | n/a |
| destination_longitude | Longitude of the destination IP | n/a |
| destination_reverse_dns | Reverse DNS of the destination IP | n/a |
| device_ip | Public IP of the device | n/a |
| device_name | Name of the device as registered in MOREAL | n/a |
| device_serial | Unique identifier of the device | n/a |
| direction | Direction of the event | in/out/prv/unknown |
| domain | Name of the virtual device if any | n/a |
| event_timestamp | Timestamp of when the log event was generated by the device in UNIX format | n/a |
| level | Syslog severity level of the event | n/a |
| log_id | Unique identifier of the log type | n/a |
| organization_id | Top-level organization ID of the customer | n/a |
| scope | Scope of the event | n/a |
| source_as_name | Autonomous System Name of the source IP | n/a |
| source_as_number | Autonomous System Number of the source IP | n/a |
| source_city_name | City name of the source IP | n/a |
| source_continent_code | 2-letter continent code of the source IP | n/a |
| source_country_code | 3-letter country code of the source IP | n/a |
| source_country_code | Country name of the source IP | n/a |
| source_latitude | Latitude of the source IP | n/a |
| source_longitude | Longitude of the source IP | n/a |
| source_reverse_dns | Reverse DNS of the source IP | n/a |
| subtype | Subtype of the event | n/a |
| type | Type of the event | n/a |


Traffic Event fields

| Name | Description | Possible values |
|---|---|---|
| action | Firewall action | allow/deny |
| application_name | Name of the application | n/a |
| category | Category of application | n/a |
| connection_type | Whether the event describes a session (bi-directional) or flow (uni-directional) | session/flow |
| destination_group | Identified destination user’s group of the session | n/a |
| destination_interface | Destination interface of the session | n/a |
| destination_ip | Destination IP of the session | n/a |
| destination_mac_address | Destination MAC of the session | n/a |
| destination_name | Destination host name | n/a |
| destination_port | Destination port of the session | n/a |
| destination_user | Identified destination user of the session | n/a |
| destination_vlan | Name of the destination VLAN | n/a |
| destination_zone | Destination zone of the session | n/a |
| duration | Duration of session in seconds | n/a |
| error | Error message | n/a |
| icmp_code | Code of the ICMP request. Relevant to type | n/a |
| icmp_type | Type of the ICMP request | n/a |
| info | Generic information about action | n/a |
| nat_type | Type of NAT performed | n/a |
| policy_id | ID of the policy applied on the session | n/a |
| policy_name | Name of the policy applied on the session | n/a |
| profile | Name of the security profile | n/a |
| protocol | IP Protocol Name | n/a |
| reason | Reason for session closing | n/a |
| received_bytes | Number of received bytes | n/a |
| received_packets | Number of received packets | n/a |
| sample_rate | Sampling rate of an Sflow event | n/a |
| sent_bytes | Number of sent bytes | n/a |
| sent_packets | Number of sent packets | n/a |
| service | Service of the session. If unavailable, it’s proto/destination_port. | n/a |
| session_flags | Flags associated with the session | n/a |
| session_id | Unique identifier of the session as reported by the device | n/a |
| session | Whether the session started or ended. | start/end |
| shaper_dropped_received_bytes | Received bytes dropped by shaper – QoS specific | n/a |
| shaper_dropped_sent_bytes | Sent bytes dropped by shaper – QoS specific | n/a |
| shaper_per_ip_dropped_bytes | Bytes dropped by shaper per IP – QoS specific | n/a |
| shaper_per_ip_name | Name of the per-IP shaper – QoS specific | n/a |
| shaper_received_name | Name of the inbound traffic shaper – QoS specific | n/a |
| shaper_sent_name | Name of the outbound traffic shaper – QoS specific | n/a |
| source_group | Identified source user’s group of the session | n/a |
| source_interface | Source interface of the session | n/a |
| source_ip | Source IP of the session | n/a |
| source_mac_address | Source MAC of the session | n/a |
| source_name | Source host name | n/a |
| source_port | Source port of the session | n/a |
| source_user | Identified source user of the session | n/a |
| source_vlan | Name of the source VLAN | n/a |
| source_zone | Source zone of the session | n/a |
| subaction | Sub-Action of the firewall depending on action | |
| subtype | Whether the event refers to usual or management traffic | data/mgmt |
| tcp_flags | Flags set for TCP sessions | n/a |
| total_bytes | Total bytes | n/a |
| total_packets | Total packets | n/a |
| translated_destination_ip | Translated destination IP in NAT mode | n/a |
| translated_destination_name | Translated destination name in NAT mode | n/a |
| translated_destination_port | Translated destination port in NAT mode | n/a |
| translated_source_interface | Translated interface in NAT mode | n/a |
| translated_source_ip | Translated source IP in NAT mode | n/a |
| translated_source_name | Translated source name in NAT mode | n/a |
| translated_source_port | Translated source port in NAT mode | n/a |
| ttl | Time-To-Live of an Sflow event | n/a |


Threat Event fields

| Name | Description | Possible values |
|---|---|---|
| action | Action performed by the security device | n/a |
| category | Threat category as reported by the vendor | n/a |
| cve | CVE associated with the threat if applicable | n/a |
| destination_group | Identified destination user’s group of the session | n/a |
| destination_interface | Destination interface of the session | n/a |
| destination_ip | Destination IP of the session | n/a |
| destination_port | Destination port of the session | n/a |
| destination_user | Identified destination user of the session | n/a |
| direction | Direction of the event | n/a |
| file_hash | Checksum of the file infected | n/a |
| file_name | Name of the file | n/a |
| file_type | | n/a |
| from | Sender’s email address in case of threat through email | n/a |
| hash_type | Type of hash function used | n/a |
| info | General information for the event | n/a |
| policy_id | Identification number of the policy applied to the event | n/a |
| policy_name | Name of the policy applied to the event | n/a |
| profile | Security profile that recognized the threat | n/a |
| protocol | Protocol used in the connection | n/a |
| ref | Threat information reference URL | n/a |
| service | Service of the session | n/a |
| session_id | Unique identifier of the session as reported by the device | n/a |
| severity | Severity of the threat | n/a |
| source_group | Identified source user’s group of the session | n/a |
| source_interface | Source interface of the session | n/a |
| source_ip | Source IP of the session | n/a |
| source_port | Source port of the session | n/a |
| source_user | Identified source user of the session | n/a |
| subaction | Sub-action performed by the security device | n/a |
| subtype | Subtype of the attack | malware/ips/anomaly |
| threat_id | Unique identifier of the threat | n/a |
| threat_name | Name of the identified threat | n/a |
| to | Recipient’s email address in case of threat through email | n/a |
| url | Source URL of the threat (malware) | n/a |


Email Event fields

| Name | Description | Possible values |
|---|---|---|
| action | Action taken by the device | n/a |
| attachment | Whether email has attachment or not | yes/no |
| cc | CC list of the email | n/a |
| destination_group | Identified destination user’s group of the session | n/a |
| destination_interface | Destination interface of the session | n/a |
| destination_ip | Destination IP of the session | n/a |
| destination_port | Destination port of the session | n/a |
| destination_user | Identified destination user of the session | n/a |
| from | Sender of the email | n/a |
| info | General event information | n/a |
| policy_id | ID of the policy applied to the session | n/a |
| policy_name | Name of the policy | n/a |
| profile | Name of the security profile | n/a |
| service | Service of the session | n/a |
| session_id | Unique identifier of the session as reported by the device | n/a |
| size | Size of the email/attachments in bytes | n/a |
| source_group | Identified source user’s group of the session | n/a |
| source_interface | Source interface of the session | n/a |
| source_ip | Source IP of the session | n/a |
| source_port | Source port of the session | n/a |
| source_user | Identified source user of the session | n/a |
| subaction | Subaction taken by the device | n/a |
| subject | Subject of the email | n/a |
| subtype | Subtype of the event | regular/spam |
| to | Recipient of the email | n/a |


VPN Event fields

| Name | Description | Possible values |
|---|---|---|
| action | Action taken by the device | n/a |
| cookies | Cookies exchanged, source/destination | n/a |
| destination_group | Identified destination user’s group of the session | n/a |
| destination_interface | Destination interface of the event | n/a |
| destination_ip | Destination IP of the event | n/a |
| destination_port | Destination port of the event | n/a |
| destination_spi | Destination SPI | n/a |
| destination_user | Identified destination user of the session | n/a |
| duration | Duration of the tunnel in seconds | n/a |
| error | Error message related to event | n/a |
| info | General info of the event | n/a |
| mode | Negotiation mode, IPSec relevant | main, aggressive |
| phase | Negotiation phase | n/a |
| reason | Reason the error occurred | n/a |
| received_bytes | Received bytes through tunnel | n/a |
| sent_bytes | Sent bytes through tunnel | n/a |
| source_group | Identified source user’s group of the session | n/a |
| source_interface | Source interface of the event | n/a |
| source_ip | Source IP of the event | n/a |
| source_port | Source port of the event | n/a |
| source_spi | Source SPI | n/a |
| source_user | Identified source user of the session | n/a |
| state | State of the tunnel | n/a |
| subtype | Subtype of the event | ssl/ipsec |
| total_bytes | Integer | n/a |
| tunnel_id | Unique identification of the tunnel | n/a |
| tunnel_ip | Tunnel end IP address | n/a |
| tunnel_name | Tunnel name | n/a |


System Event fields

| Name | Description | Possible values |
|---|---|---|
| action | Action taken by the device | n/a |
| destination_ip | Destination IP of the event | n/a |
| error | Error associated with the event | n/a |
| info | Additional information | n/a |
| nat_type | Type of NAT performed | n/a |
| object | Event-related object | n/a |
| protocol | Protocol used in the session | n/a |
| source_interface | Source interface of the event | n/a |
| source_ip | Source IP of the event | n/a |
| state | State of the module associated to the event | n/a |
| subtype | Subtype of the event | n/a |
| translated_destination_ip | Translated destination IP in NAT mode | n/a |
| translated_destination_name | Translated destination name in NAT mode | n/a |
| translated_destination_port | Translated destination port in NAT mode | n/a |
| translated_source_interface | Translated interface in NAT mode | n/a |
| translated_source_ip | Translated source IP in NAT mode | n/a |
| translated_source_name | Translated source name in NAT mode | n/a |
| translated_source_port | Translated source port in NAT mode | n/a |


AAA Event fields

| Name | Description | Possible values |
|---|---|---|
| action | Action performed by the device | n/a |
| destination_interface | Destination interface | n/a |
| destination_ip | Destination IP address related to the event | n/a |
| error | Error related to the event | n/a |
| info | Extra information to the log event | n/a |
| object | Object referring to the event | n/a |
| reason | Reason of error | n/a |
| service | Service used if device is accessed remotely | n/a |
| source_group | Identified source user’s group of the session | n/a |
| source_interface | Source interface of the session | n/a |
| source_ip | Source IP address related to the event | n/a |
| source_name | Identified source host name of the session | n/a |
| source_user | Identified source user of the session | n/a |
| subtype | Subtype of the event | authen/author/account |
| ui | Method used if device is accessed locally | n/a |


Access Control Event fields

| Name | Description | Possible values |
|---|---|---|
| action | Action taken by the device | n/a |
| application_name | Application name related to the session | n/a |
| category | Category of the application | n/a |
| client_type | User agent | n/a |
| destination_ip | Destination IP of the event | n/a |
| destination_name | Top-level domain of the destination link, e.g. example.com in http://example.com/link | n/a |
| destination_port | Destination port of the event | n/a |
| info | Information related to the event | n/a |
| policy_id | Identifier of the policy applied to the session | n/a |
| policy_name | Name of the policy applied to the session | n/a |
| profile | Security profile | n/a |
| protocol | Protocol used in the session | n/a |
| received_bytes | Received bytes | n/a |
| reference | Referral URL if request type is referral | n/a |
| request_type | Request type | direct/referral |
| resource_type | MIME Type of the resource, e.g. “image/gif” | n/a |
| resource | Relative path of the destination link, e.g. /link in http://example.com/link | n/a |
| sent_bytes | Sent bytes | n/a |
| server_type | Server type | n/a |
| service | Service used in the session | n/a |
| session_id | Unique identifier of the session as reported by the device | n/a |
| source_ip | Source IP of the event | n/a |
| source_port | Source port of the event | n/a |
| source_user | Source user | n/a |
| state | State of the session | n/a |
| subaction | Sub-action taken by the device | n/a |
| subtype | Subtype of the event | web/app |
| total_bytes | Total bytes | n/a |


Performance Event fields

| Name | Description | Possible values |
|---|---|---|
| cpu | CPU used by the system as percentage | n/a |
| max_sessions | Max sessions supported by the device | n/a |
| memory | Memory used by the system as percentage | n/a |
| object_id | Identification of the object | n/a |
| object | Object related to the event | n/a |
| setup_rate | No. of new connections/sec | n/a |
| subtype | Subtype of the event | n/a |
| total_sessions | Total sessions of the device | n/a |