Traffic log fields

Traffic logs for Private Access are exported using the Administration > Log management feature. The table lists traffic log fields included in the log export file.

Note: Not all of the fields detailed appear in every log record. Each record includes the log fields relevant to that transaction.
Table 1. Traffic log fields in log version 1.4.0
Field name Description
acc_elapsed (connection) Elapsed time of connection in seconds
acc_rx_bytes Number of bytes received during connection
acc_rx_packets Number of packets received during connection
acc_tx_bytes Number of bytes sent during connection
acc_tx_packets Number of packets sent during connection
action_title The action applied by the service:
  • Allow
  • Discard
  • Discard (passive)
  • Permit
  • Refuse
  • Terminate
  • Terminate (failed)
  • Terminate (passive)
  • Terminate (reset)
  • Wait for authentication
  • Wait for further actions
  • Wait for RPC reply
additional_situation_title The identifier of a web category that was detected simultaneously with the situation that caused sending this event
alert_severity_title Severity of the situation:
  • Info
  • Low
  • High
  • Critical
anomaly_situation The identifier for a potentially evasion-related anomaly seen in the connection before the situation that caused sending this event
anomaly_situation_config_type Configuration type of potential evasion-related anomalies seen in the connection before the situation that caused sending this event
anomaly_situation_title Name of a potentially evasion-related anomaly seen in the connection before the situation that caused sending this event
cipher_alg Cipher algorithm
comp_id The identifier of the creator of the log entry
comp_id_title The identifier of the service element that created the log entry
conn_direction Connection direction:
  • Unknown
  • Client
  • Unspecified
  • Server
data_type_title The log data type, value is typically: Inspection Monitoring
dep_traffic_log_version Version number of the log format. As changes are made to the attributes included in the logs, the version number will be incremented.
dport Connection destination protocol port
dst Connection destination IP address
dst_interface Destination interface ID
dst_interface_config_type Used to identify private application traffic type. May be used for troubleshooting.
dst_interface_title The type of destination interface:
  • Loopback
  • Interface
dst_zone_title Used to identify private application traffic type. May be used for troubleshooting.
event_id Event ID, unique within one sender
event_title The title of the logged service event. Values include:
  • New connection
  • Connection closed
  • Connection report
  • Related packet
  • Connection discarded
  • Incomplete connection closed
  • Connection refused
  • State sync configuration changed
  • Packet discarded
facility_title The processing function that created this log event. Values include:
  • Packet Filtering
  • Inspection
file_length File length
file_md5_hash The MD5 checksum of the file that is scanned
file_name Name of file
file_transfer_dir_title File transfer direction of the file
file_type_config_type Type of configuration file (used for sub-directory selection)
file_type_title Type of file being transferred
fp_proxy_connection_id Identifies the Forcepoint proxy used. May be used for troubleshooting.
fp_proxy_geolocation_id When set, indicates that this log record refers to private application traffic.
http_request_host HTTP request host
http_request_method HTTP request method
http_request_uri HTTP request URI
http_response_code HTTP response code
icmp_code ICMP code attribute
icmp_type ICMP type attribute
icmp_type_title Title of ICMP type. Values include:
  • Echo Reply
  • Destination Unreachable
  • Source Quench
  • Redirect
  • Alternate Host Address
  • Echo
  • Router Advertisement
  • Router Solicitation
  • Time Exceeded
  • Parameter Problem
  • Timestamp
  • Timestamp Reply
  • Information Request
  • Information Reply
  • Address Mask Request
  • Address Mask Reply
  • Traceroute
  • Datagram Conversion Error
  • Mobile Host Redirect
  • IPv6 Where-Are-You
  • IPv6 I-Am-Here
  • Mobile Registration Request
  • Mobile Registration Reply
  • Domain Name Request
  • Domain Name Reply
  • SKIP
  • Photuris
info_msg Information message
ip_dest Destination IP field in packet header
ip_source Source IP field in packet header
ip_version Version of IP header
ips_appid_category_title Category of the application identified in ips_appid_title. Used for outbound internet traffic.
ips_appid_parent_category_title Parent category of the application identified in ips_appid_title. Used for outbound internet traffic.
ips_appid_title Name of the application detected in the connection
kind_title Log message kind. All records in the traffic logs will have the same title.
location The geographic location of the end user client (e.g. "Canada")
log_id Data identifier
main_archive_file_name Name of the archive file that contains the reported
nat_dport For future use
nat_dst For future use
nat_sport For future use
nat_src For future use
port_dest TCP or UDP destination port in packet header
port_source TCP or UDP source port in packet header
private_ip The internal network IP address of the end user client
protocol IP protocol
public_ip The public (egress) IP address of the end user client
ref_hint_ref_id Index to related log entries. For example, a reference that links all the log entries related to an FTP connection.
related_connection_ref_comp_id The comp ID of the referred event
related_connection_ref_creation_time The creation time of the referred event
related_connection_ref_event_id The event ID of the referred event
related_connection_ref_termination Number of seconds the referenced connection lasted
rule For future use
rule_config_type For future use
rule_context For future use
rule_counters For future use
rule_id For future use
rule_removed For future use
rule_title For future use
rwp_http_user_agent HTTP User-Agent
situation_title Situation titles identify particular traffic signature patterns that have been identified by the service
sport Connection source protocol port
src Connection source IP address
src_interface Source interface ID
src_interface_title The type of source interface:
  • Loopback
  • Interface
  • Tunnel Interface
src_site_title Name of the customer site
src_tunnel_title Name of the connection (tunnel) connecting the customer site to the service
srczone_id The ID of the customer site
srczone_title Name of the customer site as it appears in the management portal
srvhelper_id Protocol agent identification
tcp_handshake_seen Boolean: true if the TCP connection initial handshake was seen
tcp_missing_data_seen Boolean: true if some of the TCP segments that belong to the stream have not been seen by inspection. This can occur with loose mode connection tracking and in capture mode.
tenant_id Tenant identifier
timestamp Time of creating the event record
tls_certificate_verify_error_code_title TLS/SSL certificate verification error code. Values include:
  • Unable to get issuer certificate
  • Unable to get certificate CRL
  • Unable to decrypt certificate signature
  • Unable to decrypt CRL signature
  • Unable to decode issuer public key
  • Certificate signature failure
  • CRL signature failure
  • Certificate not yet valid
  • Certificate has expired
  • CRL not yet valid
  • CRL has expired
  • Format error in certificate Not Before field
  • Format error in certificate Not After field
  • Format error in CRL Last Update field
  • Format error in CRL Next Update field
  • Out of memory
  • Self signed certificate
  • Self signed certificate in certificate chain
  • Unknown issuer: no CA certificate configured
  • Unable to verify the first certificate
  • Certificate chain too long
  • Certificate revoked
  • Invalid CA certificate
  • Path length constraint exceeded
  • Unsupported certificate purpose
  • Certificate not trusted
  • Certificate rejected
  • Subject issuer mismatch
  • Authority and subject key identifier mismatch
  • Authority and issuer serial number mismatch
  • Key usage does not include certificate signing
  • Unable to get CRL issuer certificate
  • Unhandled critical extension
  • Key usage does not include CRL signing
  • Unhandled critical CRL extension
  • Invalid non-CA certificate (has CA markings)
  • Proxy path length constraint exceeded
  • Key usage does not include digital signature
  • Proxy certificates not allowed
  • Invalid extension
  • Invalid policy extension
  • No explicit policy
  • RFC 3779 resource not subset of the resources of the parent
  • Application verification failure
  • Certificate syntax error
  • Unspecified Certificate Verification Error
tls_ciphersuite TLS/SSL cipher suite
tls_domain Domain name field in SSL/TLS certificate
tls_handshake_downgraded Boolean: true if the TLS handshake was downgraded
tls_protocol_version TLS/SSL protocol version
type_title Indicates the type of log event. Values include:
  • Undefined
  • Emergency - system unusable
  • System alert
  • Critical error
  • Error
  • Warning
  • Notification
  • Informational
url Requested URL
user_domain For future use
user_private_id Unique identifier for a user, used to anonymize end users in the log export
username Private ID of the user associated with the request. See user_private_id.
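
Added example (not part of the original documentation and not Forcepoint code): triage of exported records using the TLS, anomaly and severity fields above, with related_connection_ref_* resolved on the (comp_id, event_id) pair because event_id is unique only within one sender. It assumes records are already parsed into dictionaries keyed by field name (the page does not give the export file encoding), that Boolean fields may arrive as true or "true", and that the sender is identified by comp_id; the sample records are constructed.

```python
# Added example: triage and correlation over parsed Private Access traffic log records.
# Assumption: each record is a dict keyed by the field names in Table 1.

HIGH_SEVERITIES = {"High", "Critical"}  # values of alert_severity_title


def is_true(value):
    """Boolean encoding in the export is not documented; accept True or 'true'."""
    return str(value).strip().lower() == "true"


def triage(record):
    """Return the reasons a record deserves review; absent fields never raise."""
    reasons = []
    if is_true(record.get("tls_handshake_downgraded")):
        reasons.append("tls_downgrade")
    if record.get("tls_certificate_verify_error_code_title"):
        reasons.append("cert_verify_error")
    if record.get("anomaly_situation_title"):
        reasons.append("evasion_anomaly")
    if is_true(record.get("tcp_missing_data_seen")):
        reasons.append("inspection_gap")  # part of the stream was not inspected
    if record.get("alert_severity_title") in HIGH_SEVERITIES:
        reasons.append("high_severity")
    return reasons


def correlate(records):
    """Link flagged records to the event they refer to via (comp_id, event_id)."""
    index = {(r.get("comp_id"), r.get("event_id")): r for r in records}
    findings = []
    for r in records:
        reasons = triage(r)
        if reasons:
            ref = (r.get("related_connection_ref_comp_id"),
                   r.get("related_connection_ref_event_id"))
            findings.append({"reasons": reasons, "refers_to": index.get(ref)})
    return findings


# Constructed sample records: two senders reuse event_id 100.
SAMPLE_RECORDS = [
    {"comp_id": "node-1", "event_id": 100, "event_title": "New connection", "src": "10.0.0.5"},
    {"comp_id": "node-2", "event_id": 100, "event_title": "New connection", "src": "10.0.0.9"},
    {"comp_id": "node-2", "event_id": 101, "tls_handshake_downgraded": "true",
     "alert_severity_title": "High", "related_connection_ref_comp_id": "node-2",
     "related_connection_ref_event_id": 100},
    {"comp_id": "node-1", "event_id": 102, "event_title": "Connection closed", "acc_elapsed": 12},
]
```

Joining on event_id alone would make the downgraded-handshake record ambiguous between the two connections numbered 100; the pair key resolves it to the node-2 connection.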