3119 lines
138 KiB
SQL
3119 lines
138 KiB
SQL
create database IF NOT EXISTS tsg_galaxy_v3 ON CLUSTER js_datahouse;
|
|
|
|
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.dos_event_local on cluster js_datahouse (
|
|
vsys_id Int32 COMMENT 'Vsys ID',
|
|
recv_time Int64 COMMENT 'Receive Time',
|
|
log_id UInt64 COMMENT 'Log ID',
|
|
profile_id Int64 COMMENT 'Profile ID',
|
|
start_time Int64 COMMENT 'Start Time',
|
|
end_time Int64 COMMENT 'End Time',
|
|
attack_type String COMMENT 'Attack Type',
|
|
severity String COMMENT 'Severity',
|
|
conditions String COMMENT 'Conditions',
|
|
destination_ip String COMMENT 'Destination IP',
|
|
destination_country String COMMENT 'Destination Country',
|
|
source_ip_list String COMMENT 'Source IP List',
|
|
source_country_list String COMMENT 'Source Country List',
|
|
session_rate Int64 COMMENT 'Sessions/s',
|
|
packet_rate Int64 COMMENT 'Packets/s',
|
|
bit_rate Int64 COMMENT 'Bits/s'
|
|
|
|
) ENGINE = ReplicatedMergeTree('/clickhouse/tables/{shard}/dos_event_local', '{replica}')
|
|
PARTITION BY toYYYYMMDD(toDate(recv_time))
|
|
ORDER BY (vsys_id,destination_ip,recv_time,log_id)
|
|
TTL toDateTime(recv_time) + toIntervalSecond(15552000)
|
|
;
|
|
|
|
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.dos_event on cluster js_datahouse (
|
|
vsys_id Int32 COMMENT 'Vsys ID',
|
|
recv_time Int64 COMMENT 'Receive Time',
|
|
log_id UInt64 COMMENT 'Log ID',
|
|
profile_id Int64 COMMENT 'Profile ID',
|
|
start_time Int64 COMMENT 'Start Time',
|
|
end_time Int64 COMMENT 'End Time',
|
|
attack_type String COMMENT 'Attack Type',
|
|
severity String COMMENT 'Severity',
|
|
conditions String COMMENT 'Conditions',
|
|
destination_ip String COMMENT 'Destination IP',
|
|
destination_country String COMMENT 'Destination Country',
|
|
source_ip_list String COMMENT 'Source IP List',
|
|
source_country_list String COMMENT 'Source Country List',
|
|
session_rate Int64 COMMENT 'Sessions/s',
|
|
packet_rate Int64 COMMENT 'Packets/s',
|
|
bit_rate Int64 COMMENT 'Bits/s'
|
|
)
|
|
ENGINE =Distributed(js_datahouse,tsg_galaxy_v3,dos_event_local,rand());
|
|
|
|
|
|
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.assessment_event_local on cluster js_datahouse (
|
|
log_id UInt64 COMMENT 'Log ID',
|
|
recv_time Int64 COMMENT 'Receive Time',
|
|
vsys_id Int64 COMMENT 'Vsys ID',
|
|
assessment_date Int64 COMMENT 'Assessment Date',
|
|
lot_number String COMMENT 'Lot Number',
|
|
file_name String COMMENT 'File Name',
|
|
assessment_file String COMMENT 'Assessment File',
|
|
assessment_type String COMMENT 'Assessment Type',
|
|
features String COMMENT 'Features',
|
|
size Int64 COMMENT 'Size',
|
|
file_checksum_sha String COMMENT 'File Checksum SHA'
|
|
)
|
|
ENGINE = ReplicatedMergeTree('/clickhouse/tables/{shard}/assessment_event_local', '{replica}')
|
|
PARTITION BY toYYYYMMDD(toDate(recv_time))
|
|
ORDER BY (vsys_id,recv_time,log_id)
|
|
TTL toDateTime(recv_time) + toIntervalSecond(15552000)
|
|
;
|
|
|
|
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.assessment_event on cluster js_datahouse (
|
|
log_id UInt64 COMMENT 'Log ID',
|
|
recv_time Int64 COMMENT 'Receive Time',
|
|
vsys_id Int64 COMMENT 'Vsys ID',
|
|
assessment_date Int64 COMMENT 'Assessment Date',
|
|
lot_number String COMMENT 'Lot Number',
|
|
file_name String COMMENT 'File Name',
|
|
assessment_file String COMMENT 'Assessment File',
|
|
assessment_type String COMMENT 'Assessment Type',
|
|
features String COMMENT 'Features',
|
|
size Int64 COMMENT 'Size',
|
|
file_checksum_sha String COMMENT 'File Checksum SHA'
|
|
)
|
|
ENGINE =Distributed(js_datahouse,tsg_galaxy_v3,assessment_event_local,rand());
|
|
|
|
|
|
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.session_record_local on cluster js_datahouse (
|
|
recv_time Int64 COMMENT 'Receive Time',
|
|
log_id UInt64 COMMENT 'Log ID',
|
|
decoded_as String COMMENT 'Decoded AS',
|
|
session_id UInt64 COMMENT 'Session ID',
|
|
start_timestamp_ms DateTime64(3) COMMENT 'Start Time',
|
|
end_timestamp_ms DateTime64(3) COMMENT 'End Time',
|
|
duration_ms Int32 COMMENT 'Duration',
|
|
tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency',
|
|
ingestion_time Int64 COMMENT 'Ingestion Time',
|
|
processing_time Int64 COMMENT 'Processing Time',
|
|
insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
|
|
device_id String COMMENT 'Device ID',
|
|
out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID',
|
|
in_link_id Nullable(Int32) COMMENT 'Incoming Link ID',
|
|
device_tag String COMMENT 'Device Tag',
|
|
data_center String COMMENT 'Data Center',
|
|
device_group String COMMENT 'Device Group',
|
|
sled_ip String COMMENT 'Sled IP',
|
|
address_type Int32 COMMENT 'Address Type',
|
|
vsys_id Int32 COMMENT 'Vsys ID',
|
|
t_vsys_id Int32 COMMENT 'Traffic Vsys ID',
|
|
flags Int64 COMMENT 'Flags',
|
|
flags_identify_info String COMMENT 'Flags Identify Info',
|
|
security_rule_list Array(Int64) COMMENT 'Security Rule List',
|
|
security_action String COMMENT 'Security Action',
|
|
monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List',
|
|
shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List',
|
|
proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List',
|
|
statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List',
|
|
sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List',
|
|
sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)',
|
|
sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)',
|
|
proxy_action String COMMENT 'Proxy Action',
|
|
proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status',
|
|
proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status',
|
|
proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason',
|
|
proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency',
|
|
proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency',
|
|
proxy_client_side_version String COMMENT 'Proxy Client-Side Version',
|
|
proxy_server_side_version String COMMENT 'Proxy Server-Side Version',
|
|
proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify',
|
|
proxy_intercept_error String COMMENT 'Proxy Intercept Error',
|
|
monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets',
|
|
monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes',
|
|
client_ip String COMMENT 'Client IP',
|
|
client_port Int32 COMMENT 'Client Port',
|
|
client_os_desc String COMMENT 'Client OS Description',
|
|
client_geolocation LowCardinality(String) COMMENT 'Client Geolocation',
|
|
client_asn Nullable(Int64) COMMENT 'Client ASN',
|
|
subscriber_id String COMMENT 'Subscriber ID',
|
|
imei String COMMENT 'IMEI',
|
|
imsi String COMMENT 'IMSI',
|
|
phone_number String COMMENT 'Phone Number',
|
|
apn String COMMENT 'APN',
|
|
server_ip String COMMENT 'Server IP',
|
|
server_port Int32 COMMENT 'Server Port',
|
|
server_os_desc String COMMENT 'Server OS Description',
|
|
server_geolocation LowCardinality(String) COMMENT 'Server Geolocation',
|
|
server_asn Nullable(Int64) COMMENT 'Server ASN',
|
|
server_fqdn String COMMENT 'Server FQDN',
|
|
server_domain String COMMENT 'Server Domain',
|
|
app_transition String COMMENT 'Application Transition',
|
|
app LowCardinality(String) COMMENT 'Application',
|
|
app_debug_info String COMMENT 'Application Debug Info',
|
|
app_content String COMMENT 'Application Content',
|
|
fqdn_category_list Array(Int64) COMMENT 'FQDN Category List',
|
|
ip_protocol LowCardinality(String) COMMENT 'IP Protocol',
|
|
decoded_path LowCardinality(String) COMMENT 'Decoded Path',
|
|
dns_message_id Nullable(Int32) COMMENT 'DNS Message ID',
|
|
dns_qr Nullable(Int32) COMMENT 'DNS QR',
|
|
dns_opcode Nullable(Int32) COMMENT 'DNS OPCODE',
|
|
dns_aa Nullable(Int32) COMMENT 'DNS AA',
|
|
dns_tc Nullable(Int32) COMMENT 'DNS TC',
|
|
dns_rd Nullable(Int32) COMMENT 'DNS RD',
|
|
dns_ra Nullable(Int32) COMMENT 'DNS RA',
|
|
dns_rcode Nullable(Int32) COMMENT 'DNS RCODE',
|
|
dns_qdcount Nullable(Int32) COMMENT 'DNS QDCOUNT',
|
|
dns_ancount Nullable(Int32) COMMENT 'DNS ANCOUNT',
|
|
dns_nscount Nullable(Int32) COMMENT 'DNS NSCOUNT',
|
|
dns_arcount Nullable(Int32) COMMENT 'DNS ARCOUNT',
|
|
dns_qname String COMMENT 'DNS QNAME',
|
|
dns_qtype Nullable(Int32) COMMENT 'DNS QTYPE',
|
|
dns_qclass Nullable(Int32) COMMENT 'DNS QCLASS',
|
|
dns_cname String COMMENT 'DNS CNAME',
|
|
dns_sub Nullable(Int32) COMMENT 'DNS SUB',
|
|
dns_rr String COMMENT 'DNS RR',
|
|
dns_response_latency_ms Nullable(Int32) COMMENT 'DNS Response Latency',
|
|
http_url String COMMENT 'HTTP URL',
|
|
http_host String COMMENT 'HTTP Host',
|
|
http_request_line String COMMENT 'HTTP Request Line',
|
|
http_response_line String COMMENT 'HTTP Response Line',
|
|
http_request_body String COMMENT 'HTTP Request Body',
|
|
http_response_body String COMMENT 'HTTP Response Body',
|
|
http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag',
|
|
http_sequence Nullable(Int32) COMMENT 'HTTP Sequence',
|
|
http_cookie String COMMENT 'HTTP Cookie',
|
|
http_referer String COMMENT 'HTTP Referer',
|
|
http_user_agent String COMMENT 'HTTP User-Agent',
|
|
http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length',
|
|
http_request_content_type String COMMENT 'HTTP Request Content-Type',
|
|
http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length',
|
|
http_response_content_type String COMMENT 'HTTP Response Content-Type',
|
|
http_set_cookie String COMMENT 'HTTP Set-Cookie',
|
|
http_version String COMMENT 'HTTP Version',
|
|
http_status_code Nullable(Int32) COMMENT 'HTTP Status Code',
|
|
http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency',
|
|
http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration',
|
|
http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size',
|
|
ssl_version String COMMENT 'SSL Version',
|
|
ssl_sni String COMMENT 'SSL SNI',
|
|
ssl_san String COMMENT 'SSL SAN',
|
|
ssl_cn String COMMENT 'SSL CN',
|
|
ssl_handshake_latency_ms Nullable(Int32) COMMENT 'SSL Handshake Latency',
|
|
ssl_ja3_hash String COMMENT 'SSL JA3 Fingerprint',
|
|
ssl_ja3s_hash String COMMENT 'SSL JA3 Hash',
|
|
ssl_cert_issuer String COMMENT 'SSL JA3S Fingerprint',
|
|
ssl_cert_subject String COMMENT 'SSL JA3S Hash',
|
|
ssl_esni_flag Nullable(Int32) COMMENT 'SSL Issuer',
|
|
ssl_ech_flag Nullable(Int32) COMMENT 'SSL Subject',
|
|
dtls_cookie String COMMENT 'DTLS Cookie',
|
|
dtls_version String COMMENT 'DTLS Version',
|
|
dtls_sni String COMMENT 'DTLS SNI',
|
|
dtls_san String COMMENT 'DTLS SAN',
|
|
dtls_cn String COMMENT 'DTLS CN',
|
|
dtls_handshake_latency_ms Nullable(Int32) COMMENT 'DTLS Handshake Latency',
|
|
dtls_ja3_fingerprint String COMMENT 'DTLS JA3 Fingerprint',
|
|
dtls_ja3_hash String COMMENT 'DTLS JA3 Hash',
|
|
dtls_cert_issuer String COMMENT 'DTLS Certificate Issuer',
|
|
dtls_cert_subject String COMMENT 'DTLS Certificate Subject',
|
|
mail_protocol_type String COMMENT 'MAIL Protocol Type',
|
|
mail_account String COMMENT 'MAIL Account',
|
|
mail_from_cmd String COMMENT 'MAIL From CMD',
|
|
mail_to_cmd String COMMENT 'MAIL To CMD',
|
|
mail_from String COMMENT 'MAIL From',
|
|
mail_password String COMMENT 'MAIL Password',
|
|
mail_to String COMMENT 'MAIL To',
|
|
mail_cc String COMMENT 'MAIL CC',
|
|
mail_bcc String COMMENT 'MAIL BCC',
|
|
mail_subject String COMMENT 'MAIL Subject',
|
|
mail_subject_charset String COMMENT 'MAIL Subject Charset',
|
|
mail_attachment_name String COMMENT 'MAIL Content',
|
|
mail_attachment_name_charset String COMMENT 'MAIL Content Charset',
|
|
mail_eml_file String COMMENT 'MAIL Attachment Name',
|
|
ftp_account String COMMENT 'FTP Account',
|
|
ftp_url String COMMENT 'FTP URL',
|
|
ftp_link_type String COMMENT 'FTP Link Type',
|
|
quic_version String COMMENT 'QUIC Version',
|
|
quic_sni String COMMENT 'QUIC SNI',
|
|
quic_user_agent String COMMENT 'QUIC User-Agent',
|
|
rdp_cookie String COMMENT 'RDP Cookie',
|
|
rdp_security_protocol String COMMENT 'RDP Security Protocol',
|
|
rdp_client_channels String COMMENT 'RDP Client Channels',
|
|
rdp_keyboard_layout String COMMENT 'RDP Keyboard Layout',
|
|
rdp_client_version String COMMENT 'RDP Client Version',
|
|
rdp_client_name String COMMENT 'RDP Client Name',
|
|
rdp_client_product_id String COMMENT 'RDP Client Product ID',
|
|
rdp_desktop_width String COMMENT 'RDP Desktop Width',
|
|
rdp_desktop_height String COMMENT 'RDP Desktop Height',
|
|
rdp_requested_color_depth String COMMENT 'RDP Requested Color Depth',
|
|
rdp_certificate_type String COMMENT 'RDP Certificate Type',
|
|
rdp_certificate_count Nullable(Int32) COMMENT 'RDP Certificate Count',
|
|
rdp_certificate_permanent Nullable(Int32) COMMENT 'RDP Certificate Permanent',
|
|
rdp_encryption_level String COMMENT 'RDP Encryption Level',
|
|
rdp_encryption_method String COMMENT 'RDP Encryption Method',
|
|
ssh_version String COMMENT 'SSH Version',
|
|
ssh_auth_success String COMMENT 'SSH Authentication Result',
|
|
ssh_client_version String COMMENT 'SSH Client Version',
|
|
ssh_server_version String COMMENT 'SSH Server Version',
|
|
ssh_cipher_alg String COMMENT 'SSH Encryption Algorithm',
|
|
ssh_mac_alg String COMMENT 'SSH Signing Algorithm',
|
|
ssh_compression_alg String COMMENT 'SSH Compression Algorithm',
|
|
ssh_kex_alg String COMMENT 'SSH Key Exchange Algorithm',
|
|
ssh_host_key_alg String COMMENT 'SSH Server Host Key Algorithm',
|
|
ssh_host_key String COMMENT 'SSH Server Key Fingerprint',
|
|
ssh_hassh String COMMENT 'SSH HASSH',
|
|
sip_call_id String COMMENT 'SIP Call-ID',
|
|
sip_originator_description String COMMENT 'SIP Originator',
|
|
sip_responder_description String COMMENT 'SIP Responder',
|
|
sip_user_agent String COMMENT 'SIP User-Agent',
|
|
sip_server String COMMENT 'SIP Server',
|
|
sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
|
|
sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
|
|
sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
|
|
sip_originator_sdp_content String COMMENT 'SIP Originator Content',
|
|
sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
|
|
sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
|
|
sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
|
|
sip_responder_sdp_content String COMMENT 'SIP Responder Content',
|
|
sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
|
|
sip_bye String COMMENT 'SIP Bye',
|
|
rtp_payload_type_c2s Nullable(Int32) COMMENT 'RTP Payload Type(C2S)',
|
|
rtp_payload_type_s2c Nullable(Int32) COMMENT 'RTP Payload Type(S2C)',
|
|
rtp_pcap_path String COMMENT 'RTP PCAP',
|
|
rtp_originator_dir Nullable(Int32) COMMENT 'RTP Direction',
|
|
stratum_cryptocurrency String COMMENT 'Stratum Cryptocurrency',
|
|
stratum_mining_pools String COMMENT 'Stratum Mining Pools',
|
|
stratum_mining_program String COMMENT 'Stratum Mining Program',
|
|
stratum_mining_subscribe String COMMENT 'Stratum Mining Subscribe',
|
|
sent_pkts Int64 COMMENT 'Packets Sent',
|
|
received_pkts Int64 COMMENT 'Packets Received',
|
|
sent_bytes Int64 COMMENT 'Bytes Sent',
|
|
received_bytes Int64 COMMENT 'Bytes Received',
|
|
tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments',
|
|
tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments',
|
|
tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes',
|
|
tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes',
|
|
tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-OrderPackets',
|
|
tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets',
|
|
tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets',
|
|
tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets',
|
|
tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes',
|
|
tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes',
|
|
tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time',
|
|
tcp_client_isn Nullable(Int64) COMMENT 'Client ISN',
|
|
tcp_server_isn Nullable(Int64) COMMENT 'Server ISN',
|
|
packet_capture_file String COMMENT 'Packet Capture File',
|
|
in_src_mac String COMMENT 'Incoming Source MAC',
|
|
out_src_mac String COMMENT 'Outgoing Source MAC',
|
|
in_dest_mac String COMMENT 'Incoming Destination MAC',
|
|
out_dest_mac String COMMENT 'Outgoing Destination MAC',
|
|
encapsulation String COMMENT 'Encapsulation',
|
|
dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag',
|
|
tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description',
|
|
tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description'
|
|
)
|
|
ENGINE = ReplicatedMergeTree('/clickhouse/tables/{shard}/session_record_local', '{replica}')
|
|
PARTITION BY toYYYYMMDD(toDate(recv_time))
|
|
ORDER BY (vsys_id, security_action,proxy_action,decoded_as,data_center, device_group,recv_time)
|
|
TTL toDateTime(recv_time) + toIntervalSecond(15552000)
|
|
;
|
|
|
|
|
|
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.session_record on cluster js_datahouse (
|
|
recv_time Int64 COMMENT 'Receive Time',
|
|
log_id UInt64 COMMENT 'Log ID',
|
|
decoded_as String COMMENT 'Decoded AS',
|
|
session_id UInt64 COMMENT 'Session ID',
|
|
start_timestamp_ms DateTime64(3) COMMENT 'Start Time',
|
|
end_timestamp_ms DateTime64(3) COMMENT 'End Time',
|
|
duration_ms Int32 COMMENT 'Duration',
|
|
tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency',
|
|
ingestion_time Int64 COMMENT 'Ingestion Time',
|
|
processing_time Int64 COMMENT 'Processing Time',
|
|
insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
|
|
device_id String COMMENT 'Device ID',
|
|
out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID',
|
|
in_link_id Nullable(Int32) COMMENT 'Incoming Link ID',
|
|
device_tag String COMMENT 'Device Tag',
|
|
data_center String COMMENT 'Data Center',
|
|
device_group String COMMENT 'Device Group',
|
|
sled_ip String COMMENT 'Sled IP',
|
|
address_type Int32 COMMENT 'Address Type',
|
|
vsys_id Int32 COMMENT 'Vsys ID',
|
|
t_vsys_id Int32 COMMENT 'Traffic Vsys ID',
|
|
flags Int64 COMMENT 'Flags',
|
|
flags_identify_info String COMMENT 'Flags Identify Info',
|
|
security_rule_list Array(Int64) COMMENT 'Security Rule List',
|
|
security_action String COMMENT 'Security Action',
|
|
monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List',
|
|
shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List',
|
|
proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List',
|
|
statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List',
|
|
sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List',
|
|
sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)',
|
|
sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)',
|
|
proxy_action String COMMENT 'Proxy Action',
|
|
proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status',
|
|
proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status',
|
|
proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason',
|
|
proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency',
|
|
proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency',
|
|
proxy_client_side_version String COMMENT 'Proxy Client-Side Version',
|
|
proxy_server_side_version String COMMENT 'Proxy Server-Side Version',
|
|
proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify',
|
|
proxy_intercept_error String COMMENT 'Proxy Intercept Error',
|
|
monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets',
|
|
monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes',
|
|
client_ip String COMMENT 'Client IP',
|
|
client_port Int32 COMMENT 'Client Port',
|
|
client_os_desc String COMMENT 'Client OS Description',
|
|
client_geolocation LowCardinality(String) COMMENT 'Client Geolocation',
|
|
client_asn Nullable(Int64) COMMENT 'Client ASN',
|
|
subscriber_id String COMMENT 'Subscriber ID',
|
|
imei String COMMENT 'IMEI',
|
|
imsi String COMMENT 'IMSI',
|
|
phone_number String COMMENT 'Phone Number',
|
|
apn String COMMENT 'APN',
|
|
server_ip String COMMENT 'Server IP',
|
|
server_port Int32 COMMENT 'Server Port',
|
|
server_os_desc String COMMENT 'Server OS Description',
|
|
server_geolocation LowCardinality(String) COMMENT 'Server Geolocation',
|
|
server_asn Nullable(Int64) COMMENT 'Server ASN',
|
|
server_fqdn String COMMENT 'Server FQDN',
|
|
server_domain String COMMENT 'Server Domain',
|
|
app_transition String COMMENT 'Application Transition',
|
|
app LowCardinality(String) COMMENT 'Application',
|
|
app_debug_info String COMMENT 'Application Debug Info',
|
|
app_content String COMMENT 'Application Content',
|
|
fqdn_category_list Array(Int64) COMMENT 'FQDN Category List',
|
|
ip_protocol LowCardinality(String) COMMENT 'IP Protocol',
|
|
decoded_path LowCardinality(String) COMMENT 'Decoded Path',
|
|
dns_message_id Nullable(Int32) COMMENT 'DNS Message ID',
|
|
dns_qr Nullable(Int32) COMMENT 'DNS QR',
|
|
dns_opcode Nullable(Int32) COMMENT 'DNS OPCODE',
|
|
dns_aa Nullable(Int32) COMMENT 'DNS AA',
|
|
dns_tc Nullable(Int32) COMMENT 'DNS TC',
|
|
dns_rd Nullable(Int32) COMMENT 'DNS RD',
|
|
dns_ra Nullable(Int32) COMMENT 'DNS RA',
|
|
dns_rcode Nullable(Int32) COMMENT 'DNS RCODE',
|
|
dns_qdcount Nullable(Int32) COMMENT 'DNS QDCOUNT',
|
|
dns_ancount Nullable(Int32) COMMENT 'DNS ANCOUNT',
|
|
dns_nscount Nullable(Int32) COMMENT 'DNS NSCOUNT',
|
|
dns_arcount Nullable(Int32) COMMENT 'DNS ARCOUNT',
|
|
dns_qname String COMMENT 'DNS QNAME',
|
|
dns_qtype Nullable(Int32) COMMENT 'DNS QTYPE',
|
|
dns_qclass Nullable(Int32) COMMENT 'DNS QCLASS',
|
|
dns_cname String COMMENT 'DNS CNAME',
|
|
dns_sub Nullable(Int32) COMMENT 'DNS SUB',
|
|
dns_rr String COMMENT 'DNS RR',
|
|
dns_response_latency_ms Nullable(Int32) COMMENT 'DNS Response Latency',
|
|
http_url String COMMENT 'HTTP URL',
|
|
http_host String COMMENT 'HTTP Host',
|
|
http_request_line String COMMENT 'HTTP Request Line',
|
|
http_response_line String COMMENT 'HTTP Response Line',
|
|
http_request_body String COMMENT 'HTTP Request Body',
|
|
http_response_body String COMMENT 'HTTP Response Body',
|
|
http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag',
|
|
http_sequence Nullable(Int32) COMMENT 'HTTP Sequence',
|
|
http_cookie String COMMENT 'HTTP Cookie',
|
|
http_referer String COMMENT 'HTTP Referer',
|
|
http_user_agent String COMMENT 'HTTP User-Agent',
|
|
http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length',
|
|
http_request_content_type String COMMENT 'HTTP Request Content-Type',
|
|
http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length',
|
|
http_response_content_type String COMMENT 'HTTP Response Content-Type',
|
|
http_set_cookie String COMMENT 'HTTP Set-Cookie',
|
|
http_version String COMMENT 'HTTP Version',
|
|
http_status_code Nullable(Int32) COMMENT 'HTTP Status Code',
|
|
http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency',
|
|
http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration',
|
|
http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size',
|
|
ssl_version String COMMENT 'SSL Version',
|
|
ssl_sni String COMMENT 'SSL SNI',
|
|
ssl_san String COMMENT 'SSL SAN',
|
|
ssl_cn String COMMENT 'SSL CN',
|
|
ssl_handshake_latency_ms Nullable(Int32) COMMENT 'SSL Handshake Latency',
|
|
ssl_ja3_hash String COMMENT 'SSL JA3 Fingerprint',
|
|
ssl_ja3s_hash String COMMENT 'SSL JA3 Hash',
|
|
ssl_cert_issuer String COMMENT 'SSL JA3S Fingerprint',
|
|
ssl_cert_subject String COMMENT 'SSL JA3S Hash',
|
|
ssl_esni_flag Nullable(Int32) COMMENT 'SSL Issuer',
|
|
ssl_ech_flag Nullable(Int32) COMMENT 'SSL Subject',
|
|
dtls_cookie String COMMENT 'DTLS Cookie',
|
|
dtls_version String COMMENT 'DTLS Version',
|
|
dtls_sni String COMMENT 'DTLS SNI',
|
|
dtls_san String COMMENT 'DTLS SAN',
|
|
dtls_cn String COMMENT 'DTLS CN',
|
|
dtls_handshake_latency_ms Nullable(Int32) COMMENT 'DTLS Handshake Latency',
|
|
dtls_ja3_fingerprint String COMMENT 'DTLS JA3 Fingerprint',
|
|
dtls_ja3_hash String COMMENT 'DTLS JA3 Hash',
|
|
dtls_cert_issuer String COMMENT 'DTLS Certificate Issuer',
|
|
dtls_cert_subject String COMMENT 'DTLS Certificate Subject',
|
|
mail_protocol_type String COMMENT 'MAIL Protocol Type',
|
|
mail_account String COMMENT 'MAIL Account',
|
|
mail_from_cmd String COMMENT 'MAIL From CMD',
|
|
mail_to_cmd String COMMENT 'MAIL To CMD',
|
|
mail_from String COMMENT 'MAIL From',
|
|
mail_password String COMMENT 'MAIL Password',
|
|
mail_to String COMMENT 'MAIL To',
|
|
mail_cc String COMMENT 'MAIL CC',
|
|
mail_bcc String COMMENT 'MAIL BCC',
|
|
mail_subject String COMMENT 'MAIL Subject',
|
|
mail_subject_charset String COMMENT 'MAIL Subject Charset',
|
|
mail_attachment_name String COMMENT 'MAIL Content',
|
|
mail_attachment_name_charset String COMMENT 'MAIL Content Charset',
|
|
mail_eml_file String COMMENT 'MAIL Attachment Name',
|
|
ftp_account String COMMENT 'FTP Account',
|
|
ftp_url String COMMENT 'FTP URL',
|
|
ftp_link_type String COMMENT 'FTP Link Type',
|
|
quic_version String COMMENT 'QUIC Version',
|
|
quic_sni String COMMENT 'QUIC SNI',
|
|
quic_user_agent String COMMENT 'QUIC User-Agent',
|
|
rdp_cookie String COMMENT 'RDP Cookie',
|
|
rdp_security_protocol String COMMENT 'RDP Security Protocol',
|
|
rdp_client_channels String COMMENT 'RDP Client Channels',
|
|
rdp_keyboard_layout String COMMENT 'RDP Keyboard Layout',
|
|
rdp_client_version String COMMENT 'RDP Client Version',
|
|
rdp_client_name String COMMENT 'RDP Client Name',
|
|
rdp_client_product_id String COMMENT 'RDP Client Product ID',
|
|
rdp_desktop_width String COMMENT 'RDP Desktop Width',
|
|
rdp_desktop_height String COMMENT 'RDP Desktop Height',
|
|
rdp_requested_color_depth String COMMENT 'RDP Requested Color Depth',
|
|
rdp_certificate_type String COMMENT 'RDP Certificate Type',
|
|
rdp_certificate_count Nullable(Int32) COMMENT 'RDP Certificate Count',
|
|
rdp_certificate_permanent Nullable(Int32) COMMENT 'RDP Certificate Permanent',
|
|
rdp_encryption_level String COMMENT 'RDP Encryption Level',
|
|
rdp_encryption_method String COMMENT 'RDP Encryption Method',
|
|
ssh_version String COMMENT 'SSH Version',
|
|
ssh_auth_success String COMMENT 'SSH Authentication Result',
|
|
ssh_client_version String COMMENT 'SSH Client Version',
|
|
ssh_server_version String COMMENT 'SSH Server Version',
|
|
ssh_cipher_alg String COMMENT 'SSH Encryption Algorithm',
|
|
ssh_mac_alg String COMMENT 'SSH Signing Algorithm',
|
|
ssh_compression_alg String COMMENT 'SSH Compression Algorithm',
|
|
ssh_kex_alg String COMMENT 'SSH Key Exchange Algorithm',
|
|
ssh_host_key_alg String COMMENT 'SSH Server Host Key Algorithm',
|
|
ssh_host_key String COMMENT 'SSH Server Key Fingerprint',
|
|
ssh_hassh String COMMENT 'SSH HASSH',
|
|
sip_call_id String COMMENT 'SIP Call-ID',
|
|
sip_originator_description String COMMENT 'SIP Originator',
|
|
sip_responder_description String COMMENT 'SIP Responder',
|
|
sip_user_agent String COMMENT 'SIP User-Agent',
|
|
sip_server String COMMENT 'SIP Server',
|
|
sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
|
|
sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
|
|
sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
|
|
sip_originator_sdp_content String COMMENT 'SIP Originator Content',
|
|
sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
|
|
sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
|
|
sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
|
|
sip_responder_sdp_content String COMMENT 'SIP Responder Content',
|
|
sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
|
|
sip_bye String COMMENT 'SIP Bye',
|
|
rtp_payload_type_c2s Nullable(Int32) COMMENT 'RTP Payload Type(C2S)',
|
|
rtp_payload_type_s2c Nullable(Int32) COMMENT 'RTP Payload Type(S2C)',
|
|
rtp_pcap_path String COMMENT 'RTP PCAP',
|
|
rtp_originator_dir Nullable(Int32) COMMENT 'RTP Direction',
|
|
stratum_cryptocurrency String COMMENT 'Stratum Cryptocurrency',
|
|
stratum_mining_pools String COMMENT 'Stratum Mining Pools',
|
|
stratum_mining_program String COMMENT 'Stratum Mining Program',
|
|
stratum_mining_subscribe String COMMENT 'Stratum Mining Subscribe',
|
|
sent_pkts Int64 COMMENT 'Packets Sent',
|
|
received_pkts Int64 COMMENT 'Packets Received',
|
|
sent_bytes Int64 COMMENT 'Bytes Sent',
|
|
received_bytes Int64 COMMENT 'Bytes Received',
|
|
tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments',
|
|
tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments',
|
|
tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes',
|
|
tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes',
|
|
tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-OrderPackets',
|
|
tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets',
|
|
tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets',
|
|
tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets',
|
|
tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes',
|
|
tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes',
|
|
tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time',
|
|
tcp_client_isn Nullable(Int64) COMMENT 'Client ISN',
|
|
tcp_server_isn Nullable(Int64) COMMENT 'Server ISN',
|
|
packet_capture_file String COMMENT 'Packet Capture File',
|
|
in_src_mac String COMMENT 'Incoming Source MAC',
|
|
out_src_mac String COMMENT 'Outgoing Source MAC',
|
|
in_dest_mac String COMMENT 'Incoming Destination MAC',
|
|
out_dest_mac String COMMENT 'Outgoing Destination MAC',
|
|
encapsulation String COMMENT 'Encapsulation',
|
|
dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag',
|
|
tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description',
|
|
tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description'
|
|
)
|
|
ENGINE =Distributed(js_datahouse,tsg_galaxy_v3,session_record_local,rand());
|
|
|
|
|
|
|
|
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.security_event_local on cluster js_datahouse (
|
|
recv_time Int64 COMMENT 'Receive Time',
|
|
log_id UInt64 COMMENT 'Log ID',
|
|
decoded_as String COMMENT 'Decoded AS',
|
|
session_id UInt64 COMMENT 'Session ID',
|
|
start_timestamp_ms DateTime64(3) COMMENT 'Start Time',
|
|
end_timestamp_ms DateTime64(3) COMMENT 'End Time',
|
|
duration_ms Int32 COMMENT 'Duration',
|
|
tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency',
|
|
ingestion_time Int64 COMMENT 'Ingestion Time',
|
|
processing_time Int64 COMMENT 'Processing Time',
|
|
insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
|
|
device_id String COMMENT 'Device ID',
|
|
out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID',
|
|
in_link_id Nullable(Int32) COMMENT 'Incoming Link ID',
|
|
device_tag String COMMENT 'Device Tag',
|
|
data_center String COMMENT 'Data Center',
|
|
device_group String COMMENT 'Device Group',
|
|
sled_ip String COMMENT 'Sled IP',
|
|
address_type Int32 COMMENT 'Address Type',
|
|
vsys_id Int32 COMMENT 'Vsys ID',
|
|
t_vsys_id Int32 COMMENT 'Traffic Vsys ID',
|
|
flags Int64 COMMENT 'Flags',
|
|
flags_identify_info String COMMENT 'Flags Identify Info',
|
|
security_rule_list Array(Int64) COMMENT 'Security Rule List',
|
|
security_action String COMMENT 'Security Action',
|
|
monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List',
|
|
shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List',
|
|
proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List',
|
|
statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List',
|
|
sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List',
|
|
sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)',
|
|
sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)',
|
|
proxy_action String COMMENT 'Proxy Action',
|
|
proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status',
|
|
proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status',
|
|
proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason',
|
|
proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency',
|
|
proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency',
|
|
proxy_client_side_version String COMMENT 'Proxy Client-Side Version',
|
|
proxy_server_side_version String COMMENT 'Proxy Server-Side Version',
|
|
proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify',
|
|
proxy_intercept_error String COMMENT 'Proxy Intercept Error',
|
|
monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets',
|
|
monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes',
|
|
client_ip String COMMENT 'Client IP',
|
|
client_port Int32 COMMENT 'Client Port',
|
|
client_os_desc String COMMENT 'Client OS Description',
|
|
client_geolocation LowCardinality(String) COMMENT 'Client Geolocation',
|
|
client_asn Nullable(Int64) COMMENT 'Client ASN',
|
|
subscriber_id String COMMENT 'Subscriber ID',
|
|
imei String COMMENT 'IMEI',
|
|
imsi String COMMENT 'IMSI',
|
|
phone_number String COMMENT 'Phone Number',
|
|
apn String COMMENT 'APN',
|
|
server_ip String COMMENT 'Server IP',
|
|
server_port Int32 COMMENT 'Server Port',
|
|
server_os_desc String COMMENT 'Server OS Description',
|
|
server_geolocation LowCardinality(String) COMMENT 'Server Geolocation',
|
|
server_asn Nullable(Int64) COMMENT 'Server ASN',
|
|
server_fqdn String COMMENT 'Server FQDN',
|
|
server_domain String COMMENT 'Server Domain',
|
|
app_transition String COMMENT 'Application Transition',
|
|
app LowCardinality(String) COMMENT 'Application',
|
|
app_debug_info String COMMENT 'Application Debug Info',
|
|
app_content String COMMENT 'Application Content',
|
|
fqdn_category_list Array(Int64) COMMENT 'FQDN Category List',
|
|
ip_protocol LowCardinality(String) COMMENT 'IP Protocol',
|
|
decoded_path LowCardinality(String) COMMENT 'Decoded Path',
|
|
dns_message_id Nullable(Int32) COMMENT 'DNS Message ID',
|
|
dns_qr Nullable(Int32) COMMENT 'DNS QR',
|
|
dns_opcode Nullable(Int32) COMMENT 'DNS OPCODE',
|
|
dns_aa Nullable(Int32) COMMENT 'DNS AA',
|
|
dns_tc Nullable(Int32) COMMENT 'DNS TC',
|
|
dns_rd Nullable(Int32) COMMENT 'DNS RD',
|
|
dns_ra Nullable(Int32) COMMENT 'DNS RA',
|
|
dns_rcode Nullable(Int32) COMMENT 'DNS RCODE',
|
|
dns_qdcount Nullable(Int32) COMMENT 'DNS QDCOUNT',
|
|
dns_ancount Nullable(Int32) COMMENT 'DNS ANCOUNT',
|
|
dns_nscount Nullable(Int32) COMMENT 'DNS NSCOUNT',
|
|
dns_arcount Nullable(Int32) COMMENT 'DNS ARCOUNT',
|
|
dns_qname String COMMENT 'DNS QNAME',
|
|
dns_qtype Nullable(Int32) COMMENT 'DNS QTYPE',
|
|
dns_qclass Nullable(Int32) COMMENT 'DNS QCLASS',
|
|
dns_cname String COMMENT 'DNS CNAME',
|
|
dns_sub Nullable(Int32) COMMENT 'DNS SUB',
|
|
dns_rr String COMMENT 'DNS RR',
|
|
dns_response_latency_ms Nullable(Int32) COMMENT 'DNS Response Latency',
|
|
http_url String COMMENT 'HTTP URL',
|
|
http_host String COMMENT 'HTTP Host',
|
|
http_request_line String COMMENT 'HTTP Request Line',
|
|
http_response_line String COMMENT 'HTTP Response Line',
|
|
http_request_body String COMMENT 'HTTP Request Body',
|
|
http_response_body String COMMENT 'HTTP Response Body',
|
|
http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag',
|
|
http_sequence Nullable(Int32) COMMENT 'HTTP Sequence',
|
|
http_cookie String COMMENT 'HTTP Cookie',
|
|
http_referer String COMMENT 'HTTP Referer',
|
|
http_user_agent String COMMENT 'HTTP User-Agent',
|
|
http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length',
|
|
http_request_content_type String COMMENT 'HTTP Request Content-Type',
|
|
http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length',
|
|
http_response_content_type String COMMENT 'HTTP Response Content-Type',
|
|
http_set_cookie String COMMENT 'HTTP Set-Cookie',
|
|
http_version String COMMENT 'HTTP Version',
|
|
http_status_code Nullable(Int32) COMMENT 'HTTP Status Code',
|
|
http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency',
|
|
http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration',
|
|
http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size',
|
|
ssl_version String COMMENT 'SSL Version',
|
|
ssl_sni String COMMENT 'SSL SNI',
|
|
ssl_san String COMMENT 'SSL SAN',
|
|
ssl_cn String COMMENT 'SSL CN',
|
|
ssl_handshake_latency_ms Nullable(Int32) COMMENT 'SSL Handshake Latency',
|
|
ssl_ja3_hash String COMMENT 'SSL JA3 Fingerprint',
|
|
ssl_ja3s_hash String COMMENT 'SSL JA3 Hash',
|
|
ssl_cert_issuer String COMMENT 'SSL JA3S Fingerprint',
|
|
ssl_cert_subject String COMMENT 'SSL JA3S Hash',
|
|
ssl_esni_flag Nullable(Int32) COMMENT 'SSL Issuer',
|
|
ssl_ech_flag Nullable(Int32) COMMENT 'SSL Subject',
|
|
dtls_cookie String COMMENT 'DTLS Cookie',
|
|
dtls_version String COMMENT 'DTLS Version',
|
|
dtls_sni String COMMENT 'DTLS SNI',
|
|
dtls_san String COMMENT 'DTLS SAN',
|
|
dtls_cn String COMMENT 'DTLS CN',
|
|
dtls_handshake_latency_ms Nullable(Int32) COMMENT 'DTLS Handshake Latency',
|
|
dtls_ja3_fingerprint String COMMENT 'DTLS JA3 Fingerprint',
|
|
dtls_ja3_hash String COMMENT 'DTLS JA3 Hash',
|
|
dtls_cert_issuer String COMMENT 'DTLS Certificate Issuer',
|
|
dtls_cert_subject String COMMENT 'DTLS Certificate Subject',
|
|
mail_protocol_type String COMMENT 'MAIL Protocol Type',
|
|
mail_account String COMMENT 'MAIL Account',
|
|
mail_from_cmd String COMMENT 'MAIL From CMD',
|
|
mail_to_cmd String COMMENT 'MAIL To CMD',
|
|
mail_from String COMMENT 'MAIL From',
|
|
mail_password String COMMENT 'MAIL Password',
|
|
mail_to String COMMENT 'MAIL To',
|
|
mail_cc String COMMENT 'MAIL CC',
|
|
mail_bcc String COMMENT 'MAIL BCC',
|
|
mail_subject String COMMENT 'MAIL Subject',
|
|
mail_subject_charset String COMMENT 'MAIL Subject Charset',
|
|
mail_attachment_name String COMMENT 'MAIL Content',
|
|
mail_attachment_name_charset String COMMENT 'MAIL Content Charset',
|
|
mail_eml_file String COMMENT 'MAIL Attachment Name',
|
|
ftp_account String COMMENT 'FTP Account',
|
|
ftp_url String COMMENT 'FTP URL',
|
|
ftp_link_type String COMMENT 'FTP Link Type',
|
|
quic_version String COMMENT 'QUIC Version',
|
|
quic_sni String COMMENT 'QUIC SNI',
|
|
quic_user_agent String COMMENT 'QUIC User-Agent',
|
|
rdp_cookie String COMMENT 'RDP Cookie',
|
|
rdp_security_protocol String COMMENT 'RDP Security Protocol',
|
|
rdp_client_channels String COMMENT 'RDP Client Channels',
|
|
rdp_keyboard_layout String COMMENT 'RDP Keyboard Layout',
|
|
rdp_client_version String COMMENT 'RDP Client Version',
|
|
rdp_client_name String COMMENT 'RDP Client Name',
|
|
rdp_client_product_id String COMMENT 'RDP Client Product ID',
|
|
rdp_desktop_width String COMMENT 'RDP Desktop Width',
|
|
rdp_desktop_height String COMMENT 'RDP Desktop Height',
|
|
rdp_requested_color_depth String COMMENT 'RDP Requested Color Depth',
|
|
rdp_certificate_type String COMMENT 'RDP Certificate Type',
|
|
rdp_certificate_count Nullable(Int32) COMMENT 'RDP Certificate Count',
|
|
rdp_certificate_permanent Nullable(Int32) COMMENT 'RDP Certificate Permanent',
|
|
rdp_encryption_level String COMMENT 'RDP Encryption Level',
|
|
rdp_encryption_method String COMMENT 'RDP Encryption Method',
|
|
ssh_version String COMMENT 'SSH Version',
|
|
ssh_auth_success String COMMENT 'SSH Authentication Result',
|
|
ssh_client_version String COMMENT 'SSH Client Version',
|
|
ssh_server_version String COMMENT 'SSH Server Version',
|
|
ssh_cipher_alg String COMMENT 'SSH Encryption Algorithm',
|
|
ssh_mac_alg String COMMENT 'SSH Signing Algorithm',
|
|
ssh_compression_alg String COMMENT 'SSH Compression Algorithm',
|
|
ssh_kex_alg String COMMENT 'SSH Key Exchange Algorithm',
|
|
ssh_host_key_alg String COMMENT 'SSH Server Host Key Algorithm',
|
|
ssh_host_key String COMMENT 'SSH Server Key Fingerprint',
|
|
ssh_hassh String COMMENT 'SSH HASSH',
|
|
sip_call_id String COMMENT 'SIP Call-ID',
|
|
sip_originator_description String COMMENT 'SIP Originator',
|
|
sip_responder_description String COMMENT 'SIP Responder',
|
|
sip_user_agent String COMMENT 'SIP User-Agent',
|
|
sip_server String COMMENT 'SIP Server',
|
|
sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
|
|
sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
|
|
sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
|
|
sip_originator_sdp_content String COMMENT 'SIP Originator Content',
|
|
sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
|
|
sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
|
|
sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
|
|
sip_responder_sdp_content String COMMENT 'SIP Responder Content',
|
|
sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
|
|
sip_bye String COMMENT 'SIP Bye',
|
|
rtp_payload_type_c2s Nullable(Int32) COMMENT 'RTP Payload Type(C2S)',
|
|
rtp_payload_type_s2c Nullable(Int32) COMMENT 'RTP Payload Type(S2C)',
|
|
rtp_pcap_path String COMMENT 'RTP PCAP',
|
|
rtp_originator_dir Nullable(Int32) COMMENT 'RTP Direction',
|
|
stratum_cryptocurrency String COMMENT 'Stratum Cryptocurrency',
|
|
stratum_mining_pools String COMMENT 'Stratum Mining Pools',
|
|
stratum_mining_program String COMMENT 'Stratum Mining Program',
|
|
stratum_mining_subscribe String COMMENT 'Stratum Mining Subscribe',
|
|
sent_pkts Int64 COMMENT 'Packets Sent',
|
|
received_pkts Int64 COMMENT 'Packets Received',
|
|
sent_bytes Int64 COMMENT 'Bytes Sent',
|
|
received_bytes Int64 COMMENT 'Bytes Received',
|
|
tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments',
|
|
tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments',
|
|
tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes',
|
|
tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes',
|
|
tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-OrderPackets',
|
|
tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets',
|
|
tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets',
|
|
tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets',
|
|
tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes',
|
|
tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes',
|
|
tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time',
|
|
tcp_client_isn Nullable(Int64) COMMENT 'Client ISN',
|
|
tcp_server_isn Nullable(Int64) COMMENT 'Server ISN',
|
|
packet_capture_file String COMMENT 'Packet Capture File',
|
|
in_src_mac String COMMENT 'Incoming Source MAC',
|
|
out_src_mac String COMMENT 'Outgoing Source MAC',
|
|
in_dest_mac String COMMENT 'Incoming Destination MAC',
|
|
out_dest_mac String COMMENT 'Outgoing Destination MAC',
|
|
encapsulation String COMMENT 'Encapsulation',
|
|
dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag',
|
|
tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description',
|
|
tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description'
|
|
)
|
|
ENGINE = ReplicatedMergeTree('/clickhouse/tables/{shard}/security_event_local', '{replica}')
|
|
PARTITION BY toYYYYMMDD(toDate(recv_time))
|
|
ORDER BY (vsys_id, security_action,proxy_action,decoded_as,data_center, device_group,recv_time)
|
|
TTL toDateTime(recv_time) + toIntervalSecond(15552000)
|
|
;
|
|
|
|
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.security_event on cluster js_datahouse (
|
|
recv_time Int64 COMMENT 'Receive Time',
|
|
log_id UInt64 COMMENT 'Log ID',
|
|
decoded_as String COMMENT 'Decoded AS',
|
|
session_id UInt64 COMMENT 'Session ID',
|
|
start_timestamp_ms DateTime64(3) COMMENT 'Start Time',
|
|
end_timestamp_ms DateTime64(3) COMMENT 'End Time',
|
|
duration_ms Int32 COMMENT 'Duration',
|
|
tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency',
|
|
ingestion_time Int64 COMMENT 'Ingestion Time',
|
|
processing_time Int64 COMMENT 'Processing Time',
|
|
insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
|
|
device_id String COMMENT 'Device ID',
|
|
out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID',
|
|
in_link_id Nullable(Int32) COMMENT 'Incoming Link ID',
|
|
device_tag String COMMENT 'Device Tag',
|
|
data_center String COMMENT 'Data Center',
|
|
device_group String COMMENT 'Device Group',
|
|
sled_ip String COMMENT 'Sled IP',
|
|
address_type Int32 COMMENT 'Address Type',
|
|
vsys_id Int32 COMMENT 'Vsys ID',
|
|
t_vsys_id Int32 COMMENT 'Traffic Vsys ID',
|
|
flags Int64 COMMENT 'Flags',
|
|
flags_identify_info String COMMENT 'Flags Identify Info',
|
|
security_rule_list Array(Int64) COMMENT 'Security Rule List',
|
|
security_action String COMMENT 'Security Action',
|
|
monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List',
|
|
shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List',
|
|
proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List',
|
|
statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List',
|
|
sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List',
|
|
sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)',
|
|
sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)',
|
|
proxy_action String COMMENT 'Proxy Action',
|
|
proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status',
|
|
proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status',
|
|
proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason',
|
|
proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency',
|
|
proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency',
|
|
proxy_client_side_version String COMMENT 'Proxy Client-Side Version',
|
|
proxy_server_side_version String COMMENT 'Proxy Server-Side Version',
|
|
proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify',
|
|
proxy_intercept_error String COMMENT 'Proxy Intercept Error',
|
|
monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets',
|
|
monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes',
|
|
client_ip String COMMENT 'Client IP',
|
|
client_port Int32 COMMENT 'Client Port',
|
|
client_os_desc String COMMENT 'Client OS Description',
|
|
client_geolocation LowCardinality(String) COMMENT 'Client Geolocation',
|
|
client_asn Nullable(Int64) COMMENT 'Client ASN',
|
|
subscriber_id String COMMENT 'Subscriber ID',
|
|
imei String COMMENT 'IMEI',
|
|
imsi String COMMENT 'IMSI',
|
|
phone_number String COMMENT 'Phone Number',
|
|
apn String COMMENT 'APN',
|
|
server_ip String COMMENT 'Server IP',
|
|
server_port Int32 COMMENT 'Server Port',
|
|
server_os_desc String COMMENT 'Server OS Description',
|
|
server_geolocation LowCardinality(String) COMMENT 'Server Geolocation',
|
|
server_asn Nullable(Int64) COMMENT 'Server ASN',
|
|
server_fqdn String COMMENT 'Server FQDN',
|
|
server_domain String COMMENT 'Server Domain',
|
|
app_transition String COMMENT 'Application Transition',
|
|
app LowCardinality(String) COMMENT 'Application',
|
|
app_debug_info String COMMENT 'Application Debug Info',
|
|
app_content String COMMENT 'Application Content',
|
|
fqdn_category_list Array(Int64) COMMENT 'FQDN Category List',
|
|
ip_protocol LowCardinality(String) COMMENT 'IP Protocol',
|
|
decoded_path LowCardinality(String) COMMENT 'Decoded Path',
|
|
dns_message_id Nullable(Int32) COMMENT 'DNS Message ID',
|
|
dns_qr Nullable(Int32) COMMENT 'DNS QR',
|
|
dns_opcode Nullable(Int32) COMMENT 'DNS OPCODE',
|
|
dns_aa Nullable(Int32) COMMENT 'DNS AA',
|
|
dns_tc Nullable(Int32) COMMENT 'DNS TC',
|
|
dns_rd Nullable(Int32) COMMENT 'DNS RD',
|
|
dns_ra Nullable(Int32) COMMENT 'DNS RA',
|
|
dns_rcode Nullable(Int32) COMMENT 'DNS RCODE',
|
|
dns_qdcount Nullable(Int32) COMMENT 'DNS QDCOUNT',
|
|
dns_ancount Nullable(Int32) COMMENT 'DNS ANCOUNT',
|
|
dns_nscount Nullable(Int32) COMMENT 'DNS NSCOUNT',
|
|
dns_arcount Nullable(Int32) COMMENT 'DNS ARCOUNT',
|
|
dns_qname String COMMENT 'DNS QNAME',
|
|
dns_qtype Nullable(Int32) COMMENT 'DNS QTYPE',
|
|
dns_qclass Nullable(Int32) COMMENT 'DNS QCLASS',
|
|
dns_cname String COMMENT 'DNS CNAME',
|
|
dns_sub Nullable(Int32) COMMENT 'DNS SUB',
|
|
dns_rr String COMMENT 'DNS RR',
|
|
dns_response_latency_ms Nullable(Int32) COMMENT 'DNS Response Latency',
|
|
http_url String COMMENT 'HTTP URL',
|
|
http_host String COMMENT 'HTTP Host',
|
|
http_request_line String COMMENT 'HTTP Request Line',
|
|
http_response_line String COMMENT 'HTTP Response Line',
|
|
http_request_body String COMMENT 'HTTP Request Body',
|
|
http_response_body String COMMENT 'HTTP Response Body',
|
|
http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag',
|
|
http_sequence Nullable(Int32) COMMENT 'HTTP Sequence',
|
|
http_cookie String COMMENT 'HTTP Cookie',
|
|
http_referer String COMMENT 'HTTP Referer',
|
|
http_user_agent String COMMENT 'HTTP User-Agent',
|
|
http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length',
|
|
http_request_content_type String COMMENT 'HTTP Request Content-Type',
|
|
http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length',
|
|
http_response_content_type String COMMENT 'HTTP Response Content-Type',
|
|
http_set_cookie String COMMENT 'HTTP Set-Cookie',
|
|
http_version String COMMENT 'HTTP Version',
|
|
http_status_code Nullable(Int32) COMMENT 'HTTP Status Code',
|
|
http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency',
|
|
http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration',
|
|
http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size',
|
|
ssl_version String COMMENT 'SSL Version',
|
|
ssl_sni String COMMENT 'SSL SNI',
|
|
ssl_san String COMMENT 'SSL SAN',
|
|
ssl_cn String COMMENT 'SSL CN',
|
|
ssl_handshake_latency_ms Nullable(Int32) COMMENT 'SSL Handshake Latency',
|
|
ssl_ja3_hash String COMMENT 'SSL JA3 Fingerprint',
|
|
ssl_ja3s_hash String COMMENT 'SSL JA3 Hash',
|
|
ssl_cert_issuer String COMMENT 'SSL JA3S Fingerprint',
|
|
ssl_cert_subject String COMMENT 'SSL JA3S Hash',
|
|
ssl_esni_flag Nullable(Int32) COMMENT 'SSL Issuer',
|
|
ssl_ech_flag Nullable(Int32) COMMENT 'SSL Subject',
|
|
dtls_cookie String COMMENT 'DTLS Cookie',
|
|
dtls_version String COMMENT 'DTLS Version',
|
|
dtls_sni String COMMENT 'DTLS SNI',
|
|
dtls_san String COMMENT 'DTLS SAN',
|
|
dtls_cn String COMMENT 'DTLS CN',
|
|
dtls_handshake_latency_ms Nullable(Int32) COMMENT 'DTLS Handshake Latency',
|
|
dtls_ja3_fingerprint String COMMENT 'DTLS JA3 Fingerprint',
|
|
dtls_ja3_hash String COMMENT 'DTLS JA3 Hash',
|
|
dtls_cert_issuer String COMMENT 'DTLS Certificate Issuer',
|
|
dtls_cert_subject String COMMENT 'DTLS Certificate Subject',
|
|
mail_protocol_type String COMMENT 'MAIL Protocol Type',
|
|
mail_account String COMMENT 'MAIL Account',
|
|
mail_from_cmd String COMMENT 'MAIL From CMD',
|
|
mail_to_cmd String COMMENT 'MAIL To CMD',
|
|
mail_from String COMMENT 'MAIL From',
|
|
mail_password String COMMENT 'MAIL Password',
|
|
mail_to String COMMENT 'MAIL To',
|
|
mail_cc String COMMENT 'MAIL CC',
|
|
mail_bcc String COMMENT 'MAIL BCC',
|
|
mail_subject String COMMENT 'MAIL Subject',
|
|
mail_subject_charset String COMMENT 'MAIL Subject Charset',
|
|
mail_attachment_name String COMMENT 'MAIL Content',
|
|
mail_attachment_name_charset String COMMENT 'MAIL Content Charset',
|
|
mail_eml_file String COMMENT 'MAIL Attachment Name',
|
|
ftp_account String COMMENT 'FTP Account',
|
|
ftp_url String COMMENT 'FTP URL',
|
|
ftp_link_type String COMMENT 'FTP Link Type',
|
|
quic_version String COMMENT 'QUIC Version',
|
|
quic_sni String COMMENT 'QUIC SNI',
|
|
quic_user_agent String COMMENT 'QUIC User-Agent',
|
|
rdp_cookie String COMMENT 'RDP Cookie',
|
|
rdp_security_protocol String COMMENT 'RDP Security Protocol',
|
|
rdp_client_channels String COMMENT 'RDP Client Channels',
|
|
rdp_keyboard_layout String COMMENT 'RDP Keyboard Layout',
|
|
rdp_client_version String COMMENT 'RDP Client Version',
|
|
rdp_client_name String COMMENT 'RDP Client Name',
|
|
rdp_client_product_id String COMMENT 'RDP Client Product ID',
|
|
rdp_desktop_width String COMMENT 'RDP Desktop Width',
|
|
rdp_desktop_height String COMMENT 'RDP Desktop Height',
|
|
rdp_requested_color_depth String COMMENT 'RDP Requested Color Depth',
|
|
rdp_certificate_type String COMMENT 'RDP Certificate Type',
|
|
rdp_certificate_count Nullable(Int32) COMMENT 'RDP Certificate Count',
|
|
rdp_certificate_permanent Nullable(Int32) COMMENT 'RDP Certificate Permanent',
|
|
rdp_encryption_level String COMMENT 'RDP Encryption Level',
|
|
rdp_encryption_method String COMMENT 'RDP Encryption Method',
|
|
ssh_version String COMMENT 'SSH Version',
|
|
ssh_auth_success String COMMENT 'SSH Authentication Result',
|
|
ssh_client_version String COMMENT 'SSH Client Version',
|
|
ssh_server_version String COMMENT 'SSH Server Version',
|
|
ssh_cipher_alg String COMMENT 'SSH Encryption Algorithm',
|
|
ssh_mac_alg String COMMENT 'SSH Signing Algorithm',
|
|
ssh_compression_alg String COMMENT 'SSH Compression Algorithm',
|
|
ssh_kex_alg String COMMENT 'SSH Key Exchange Algorithm',
|
|
ssh_host_key_alg String COMMENT 'SSH Server Host Key Algorithm',
|
|
ssh_host_key String COMMENT 'SSH Server Key Fingerprint',
|
|
ssh_hassh String COMMENT 'SSH HASSH',
|
|
sip_call_id String COMMENT 'SIP Call-ID',
|
|
sip_originator_description String COMMENT 'SIP Originator',
|
|
sip_responder_description String COMMENT 'SIP Responder',
|
|
sip_user_agent String COMMENT 'SIP User-Agent',
|
|
sip_server String COMMENT 'SIP Server',
|
|
sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
|
|
sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
|
|
sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
|
|
sip_originator_sdp_content String COMMENT 'SIP Originator Content',
|
|
sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
|
|
sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
|
|
sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
|
|
sip_responder_sdp_content String COMMENT 'SIP Responder Content',
|
|
sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
|
|
sip_bye String COMMENT 'SIP Bye',
|
|
rtp_payload_type_c2s Nullable(Int32) COMMENT 'RTP Payload Type(C2S)',
|
|
rtp_payload_type_s2c Nullable(Int32) COMMENT 'RTP Payload Type(S2C)',
|
|
rtp_pcap_path String COMMENT 'RTP PCAP',
|
|
rtp_originator_dir Nullable(Int32) COMMENT 'RTP Direction',
|
|
stratum_cryptocurrency String COMMENT 'Stratum Cryptocurrency',
|
|
stratum_mining_pools String COMMENT 'Stratum Mining Pools',
|
|
stratum_mining_program String COMMENT 'Stratum Mining Program',
|
|
stratum_mining_subscribe String COMMENT 'Stratum Mining Subscribe',
|
|
sent_pkts Int64 COMMENT 'Packets Sent',
|
|
received_pkts Int64 COMMENT 'Packets Received',
|
|
sent_bytes Int64 COMMENT 'Bytes Sent',
|
|
received_bytes Int64 COMMENT 'Bytes Received',
|
|
tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments',
|
|
tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments',
|
|
tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes',
|
|
tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes',
|
|
tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-OrderPackets',
|
|
tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets',
|
|
tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets',
|
|
tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets',
|
|
tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes',
|
|
tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes',
|
|
tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time',
|
|
tcp_client_isn Nullable(Int64) COMMENT 'Client ISN',
|
|
tcp_server_isn Nullable(Int64) COMMENT 'Server ISN',
|
|
packet_capture_file String COMMENT 'Packet Capture File',
|
|
in_src_mac String COMMENT 'Incoming Source MAC',
|
|
out_src_mac String COMMENT 'Outgoing Source MAC',
|
|
in_dest_mac String COMMENT 'Incoming Destination MAC',
|
|
out_dest_mac String COMMENT 'Outgoing Destination MAC',
|
|
encapsulation String COMMENT 'Encapsulation',
|
|
dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag',
|
|
tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description',
|
|
tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description'
|
|
)
|
|
ENGINE =Distributed(js_datahouse,tsg_galaxy_v3,security_event_local,rand());
|
|
|
|
|
|
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.monitor_event_local on cluster js_datahouse (
|
|
recv_time Int64 COMMENT 'Receive Time',
|
|
log_id UInt64 COMMENT 'Log ID',
|
|
decoded_as String COMMENT 'Decoded AS',
|
|
session_id UInt64 COMMENT 'Session ID',
|
|
start_timestamp_ms DateTime64(3) COMMENT 'Start Time',
|
|
end_timestamp_ms DateTime64(3) COMMENT 'End Time',
|
|
duration_ms Int32 COMMENT 'Duration',
|
|
tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency',
|
|
ingestion_time Int64 COMMENT 'Ingestion Time',
|
|
processing_time Int64 COMMENT 'Processing Time',
|
|
insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
|
|
device_id String COMMENT 'Device ID',
|
|
out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID',
|
|
in_link_id Nullable(Int32) COMMENT 'Incoming Link ID',
|
|
device_tag String COMMENT 'Device Tag',
|
|
data_center String COMMENT 'Data Center',
|
|
device_group String COMMENT 'Device Group',
|
|
sled_ip String COMMENT 'Sled IP',
|
|
address_type Int32 COMMENT 'Address Type',
|
|
vsys_id Int32 COMMENT 'Vsys ID',
|
|
t_vsys_id Int32 COMMENT 'Traffic Vsys ID',
|
|
flags Int64 COMMENT 'Flags',
|
|
flags_identify_info String COMMENT 'Flags Identify Info',
|
|
security_rule_list Array(Int64) COMMENT 'Security Rule List',
|
|
security_action String COMMENT 'Security Action',
|
|
monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List',
|
|
shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List',
|
|
proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List',
|
|
statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List',
|
|
sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List',
|
|
sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)',
|
|
sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)',
|
|
proxy_action String COMMENT 'Proxy Action',
|
|
proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status',
|
|
proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status',
|
|
proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason',
|
|
proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency',
|
|
proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency',
|
|
proxy_client_side_version String COMMENT 'Proxy Client-Side Version',
|
|
proxy_server_side_version String COMMENT 'Proxy Server-Side Version',
|
|
proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify',
|
|
proxy_intercept_error String COMMENT 'Proxy Intercept Error',
|
|
monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets',
|
|
monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes',
|
|
client_ip String COMMENT 'Client IP',
|
|
client_port Int32 COMMENT 'Client Port',
|
|
client_os_desc String COMMENT 'Client OS Description',
|
|
client_geolocation LowCardinality(String) COMMENT 'Client Geolocation',
|
|
client_asn Nullable(Int64) COMMENT 'Client ASN',
|
|
subscriber_id String COMMENT 'Subscriber ID',
|
|
imei String COMMENT 'IMEI',
|
|
imsi String COMMENT 'IMSI',
|
|
phone_number String COMMENT 'Phone Number',
|
|
apn String COMMENT 'APN',
|
|
server_ip String COMMENT 'Server IP',
|
|
server_port Int32 COMMENT 'Server Port',
|
|
server_os_desc String COMMENT 'Server OS Description',
|
|
server_geolocation LowCardinality(String) COMMENT 'Server Geolocation',
|
|
server_asn Nullable(Int64) COMMENT 'Server ASN',
|
|
server_fqdn String COMMENT 'Server FQDN',
|
|
server_domain String COMMENT 'Server Domain',
|
|
app_transition String COMMENT 'Application Transition',
|
|
app LowCardinality(String) COMMENT 'Application',
|
|
app_debug_info String COMMENT 'Application Debug Info',
|
|
app_content String COMMENT 'Application Content',
|
|
fqdn_category_list Array(Int64) COMMENT 'FQDN Category List',
|
|
ip_protocol LowCardinality(String) COMMENT 'IP Protocol',
|
|
decoded_path LowCardinality(String) COMMENT 'Decoded Path',
|
|
dns_message_id Nullable(Int32) COMMENT 'DNS Message ID',
|
|
dns_qr Nullable(Int32) COMMENT 'DNS QR',
|
|
dns_opcode Nullable(Int32) COMMENT 'DNS OPCODE',
|
|
dns_aa Nullable(Int32) COMMENT 'DNS AA',
|
|
dns_tc Nullable(Int32) COMMENT 'DNS TC',
|
|
dns_rd Nullable(Int32) COMMENT 'DNS RD',
|
|
dns_ra Nullable(Int32) COMMENT 'DNS RA',
|
|
dns_rcode Nullable(Int32) COMMENT 'DNS RCODE',
|
|
dns_qdcount Nullable(Int32) COMMENT 'DNS QDCOUNT',
|
|
dns_ancount Nullable(Int32) COMMENT 'DNS ANCOUNT',
|
|
dns_nscount Nullable(Int32) COMMENT 'DNS NSCOUNT',
|
|
dns_arcount Nullable(Int32) COMMENT 'DNS ARCOUNT',
|
|
dns_qname String COMMENT 'DNS QNAME',
|
|
dns_qtype Nullable(Int32) COMMENT 'DNS QTYPE',
|
|
dns_qclass Nullable(Int32) COMMENT 'DNS QCLASS',
|
|
dns_cname String COMMENT 'DNS CNAME',
|
|
dns_sub Nullable(Int32) COMMENT 'DNS SUB',
|
|
dns_rr String COMMENT 'DNS RR',
|
|
dns_response_latency_ms Nullable(Int32) COMMENT 'DNS Response Latency',
|
|
http_url String COMMENT 'HTTP URL',
|
|
http_host String COMMENT 'HTTP Host',
|
|
http_request_line String COMMENT 'HTTP Request Line',
|
|
http_response_line String COMMENT 'HTTP Response Line',
|
|
http_request_body String COMMENT 'HTTP Request Body',
|
|
http_response_body String COMMENT 'HTTP Response Body',
|
|
http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag',
|
|
http_sequence Nullable(Int32) COMMENT 'HTTP Sequence',
|
|
http_cookie String COMMENT 'HTTP Cookie',
|
|
http_referer String COMMENT 'HTTP Referer',
|
|
http_user_agent String COMMENT 'HTTP User-Agent',
|
|
http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length',
|
|
http_request_content_type String COMMENT 'HTTP Request Content-Type',
|
|
http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length',
|
|
http_response_content_type String COMMENT 'HTTP Response Content-Type',
|
|
http_set_cookie String COMMENT 'HTTP Set-Cookie',
|
|
http_version String COMMENT 'HTTP Version',
|
|
http_status_code Nullable(Int32) COMMENT 'HTTP Status Code',
|
|
http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency',
|
|
http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration',
|
|
http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size',
|
|
ssl_version String COMMENT 'SSL Version',
|
|
ssl_sni String COMMENT 'SSL SNI',
|
|
ssl_san String COMMENT 'SSL SAN',
|
|
ssl_cn String COMMENT 'SSL CN',
|
|
ssl_handshake_latency_ms Nullable(Int32) COMMENT 'SSL Handshake Latency',
|
|
ssl_ja3_hash String COMMENT 'SSL JA3 Fingerprint',
|
|
ssl_ja3s_hash String COMMENT 'SSL JA3 Hash',
|
|
ssl_cert_issuer String COMMENT 'SSL JA3S Fingerprint',
|
|
ssl_cert_subject String COMMENT 'SSL JA3S Hash',
|
|
ssl_esni_flag Nullable(Int32) COMMENT 'SSL Issuer',
|
|
ssl_ech_flag Nullable(Int32) COMMENT 'SSL Subject',
|
|
dtls_cookie String COMMENT 'DTLS Cookie',
|
|
dtls_version String COMMENT 'DTLS Version',
|
|
dtls_sni String COMMENT 'DTLS SNI',
|
|
dtls_san String COMMENT 'DTLS SAN',
|
|
dtls_cn String COMMENT 'DTLS CN',
|
|
dtls_handshake_latency_ms Nullable(Int32) COMMENT 'DTLS Handshake Latency',
|
|
dtls_ja3_fingerprint String COMMENT 'DTLS JA3 Fingerprint',
|
|
dtls_ja3_hash String COMMENT 'DTLS JA3 Hash',
|
|
dtls_cert_issuer String COMMENT 'DTLS Certificate Issuer',
|
|
dtls_cert_subject String COMMENT 'DTLS Certificate Subject',
|
|
mail_protocol_type String COMMENT 'MAIL Protocol Type',
|
|
mail_account String COMMENT 'MAIL Account',
|
|
mail_from_cmd String COMMENT 'MAIL From CMD',
|
|
mail_to_cmd String COMMENT 'MAIL To CMD',
|
|
mail_from String COMMENT 'MAIL From',
|
|
mail_password String COMMENT 'MAIL Password',
|
|
mail_to String COMMENT 'MAIL To',
|
|
mail_cc String COMMENT 'MAIL CC',
|
|
mail_bcc String COMMENT 'MAIL BCC',
|
|
mail_subject String COMMENT 'MAIL Subject',
|
|
mail_subject_charset String COMMENT 'MAIL Subject Charset',
|
|
mail_attachment_name String COMMENT 'MAIL Content',
|
|
mail_attachment_name_charset String COMMENT 'MAIL Content Charset',
|
|
mail_eml_file String COMMENT 'MAIL Attachment Name',
|
|
ftp_account String COMMENT 'FTP Account',
|
|
ftp_url String COMMENT 'FTP URL',
|
|
ftp_link_type String COMMENT 'FTP Link Type',
|
|
quic_version String COMMENT 'QUIC Version',
|
|
quic_sni String COMMENT 'QUIC SNI',
|
|
quic_user_agent String COMMENT 'QUIC User-Agent',
|
|
rdp_cookie String COMMENT 'RDP Cookie',
|
|
rdp_security_protocol String COMMENT 'RDP Security Protocol',
|
|
rdp_client_channels String COMMENT 'RDP Client Channels',
|
|
rdp_keyboard_layout String COMMENT 'RDP Keyboard Layout',
|
|
rdp_client_version String COMMENT 'RDP Client Version',
|
|
rdp_client_name String COMMENT 'RDP Client Name',
|
|
rdp_client_product_id String COMMENT 'RDP Client Product ID',
|
|
rdp_desktop_width String COMMENT 'RDP Desktop Width',
|
|
rdp_desktop_height String COMMENT 'RDP Desktop Height',
|
|
rdp_requested_color_depth String COMMENT 'RDP Requested Color Depth',
|
|
rdp_certificate_type String COMMENT 'RDP Certificate Type',
|
|
rdp_certificate_count Nullable(Int32) COMMENT 'RDP Certificate Count',
|
|
rdp_certificate_permanent Nullable(Int32) COMMENT 'RDP Certificate Permanent',
|
|
rdp_encryption_level String COMMENT 'RDP Encryption Level',
|
|
rdp_encryption_method String COMMENT 'RDP Encryption Method',
|
|
ssh_version String COMMENT 'SSH Version',
|
|
ssh_auth_success String COMMENT 'SSH Authentication Result',
|
|
ssh_client_version String COMMENT 'SSH Client Version',
|
|
ssh_server_version String COMMENT 'SSH Server Version',
|
|
ssh_cipher_alg String COMMENT 'SSH Encryption Algorithm',
|
|
ssh_mac_alg String COMMENT 'SSH Signing Algorithm',
|
|
ssh_compression_alg String COMMENT 'SSH Compression Algorithm',
|
|
ssh_kex_alg String COMMENT 'SSH Key Exchange Algorithm',
|
|
ssh_host_key_alg String COMMENT 'SSH Server Host Key Algorithm',
|
|
ssh_host_key String COMMENT 'SSH Server Key Fingerprint',
|
|
ssh_hassh String COMMENT 'SSH HASSH',
|
|
sip_call_id String COMMENT 'SIP Call-ID',
|
|
sip_originator_description String COMMENT 'SIP Originator',
|
|
sip_responder_description String COMMENT 'SIP Responder',
|
|
sip_user_agent String COMMENT 'SIP User-Agent',
|
|
sip_server String COMMENT 'SIP Server',
|
|
sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
|
|
sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
|
|
sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
|
|
sip_originator_sdp_content String COMMENT 'SIP Originator Content',
|
|
sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
|
|
sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
|
|
sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
|
|
sip_responder_sdp_content String COMMENT 'SIP Responder Content',
|
|
sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
|
|
sip_bye String COMMENT 'SIP Bye',
|
|
rtp_payload_type_c2s Nullable(Int32) COMMENT 'RTP Payload Type(C2S)',
|
|
rtp_payload_type_s2c Nullable(Int32) COMMENT 'RTP Payload Type(S2C)',
|
|
rtp_pcap_path String COMMENT 'RTP PCAP',
|
|
rtp_originator_dir Nullable(Int32) COMMENT 'RTP Direction',
|
|
stratum_cryptocurrency String COMMENT 'Stratum Cryptocurrency',
|
|
stratum_mining_pools String COMMENT 'Stratum Mining Pools',
|
|
stratum_mining_program String COMMENT 'Stratum Mining Program',
|
|
stratum_mining_subscribe String COMMENT 'Stratum Mining Subscribe',
|
|
sent_pkts Int64 COMMENT 'Packets Sent',
|
|
received_pkts Int64 COMMENT 'Packets Received',
|
|
sent_bytes Int64 COMMENT 'Bytes Sent',
|
|
received_bytes Int64 COMMENT 'Bytes Received',
|
|
tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments',
|
|
tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments',
|
|
tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes',
|
|
tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes',
|
|
tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-OrderPackets',
|
|
tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets',
|
|
tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets',
|
|
tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets',
|
|
tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes',
|
|
tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes',
|
|
tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time',
|
|
tcp_client_isn Nullable(Int64) COMMENT 'Client ISN',
|
|
tcp_server_isn Nullable(Int64) COMMENT 'Server ISN',
|
|
packet_capture_file String COMMENT 'Packet Capture File',
|
|
in_src_mac String COMMENT 'Incoming Source MAC',
|
|
out_src_mac String COMMENT 'Outgoing Source MAC',
|
|
in_dest_mac String COMMENT 'Incoming Destination MAC',
|
|
out_dest_mac String COMMENT 'Outgoing Destination MAC',
|
|
encapsulation String COMMENT 'Encapsulation',
|
|
dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag',
|
|
tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description',
|
|
tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description'
|
|
)
|
|
ENGINE = ReplicatedMergeTree('/clickhouse/tables/{shard}/monitor_event_local', '{replica}')
|
|
PARTITION BY toYYYYMMDD(toDate(recv_time))
|
|
ORDER BY (vsys_id, security_action,proxy_action,decoded_as,data_center, device_group,recv_time)
|
|
TTL toDateTime(recv_time) + toIntervalSecond(15552000)
|
|
;
|
|
|
|
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.monitor_event on cluster js_datahouse (
|
|
recv_time Int64 COMMENT 'Receive Time',
|
|
log_id UInt64 COMMENT 'Log ID',
|
|
decoded_as String COMMENT 'Decoded AS',
|
|
session_id UInt64 COMMENT 'Session ID',
|
|
start_timestamp_ms DateTime64(3) COMMENT 'Start Time',
|
|
end_timestamp_ms DateTime64(3) COMMENT 'End Time',
|
|
duration_ms Int32 COMMENT 'Duration',
|
|
tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency',
|
|
ingestion_time Int64 COMMENT 'Ingestion Time',
|
|
processing_time Int64 COMMENT 'Processing Time',
|
|
insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
|
|
device_id String COMMENT 'Device ID',
|
|
out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID',
|
|
in_link_id Nullable(Int32) COMMENT 'Incoming Link ID',
|
|
device_tag String COMMENT 'Device Tag',
|
|
data_center String COMMENT 'Data Center',
|
|
device_group String COMMENT 'Device Group',
|
|
sled_ip String COMMENT 'Sled IP',
|
|
address_type Int32 COMMENT 'Address Type',
|
|
vsys_id Int32 COMMENT 'Vsys ID',
|
|
t_vsys_id Int32 COMMENT 'Traffic Vsys ID',
|
|
flags Int64 COMMENT 'Flags',
|
|
flags_identify_info String COMMENT 'Flags Identify Info',
|
|
security_rule_list Array(Int64) COMMENT 'Security Rule List',
|
|
security_action String COMMENT 'Security Action',
|
|
monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List',
|
|
shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List',
|
|
proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List',
|
|
statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List',
|
|
sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List',
|
|
sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)',
|
|
sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)',
|
|
proxy_action String COMMENT 'Proxy Action',
|
|
proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status',
|
|
proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status',
|
|
proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason',
|
|
proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency',
|
|
proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency',
|
|
proxy_client_side_version String COMMENT 'Proxy Client-Side Version',
|
|
proxy_server_side_version String COMMENT 'Proxy Server-Side Version',
|
|
proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify',
|
|
proxy_intercept_error String COMMENT 'Proxy Intercept Error',
|
|
monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets',
|
|
monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes',
|
|
client_ip String COMMENT 'Client IP',
|
|
client_port Int32 COMMENT 'Client Port',
|
|
client_os_desc String COMMENT 'Client OS Description',
|
|
client_geolocation LowCardinality(String) COMMENT 'Client Geolocation',
|
|
client_asn Nullable(Int64) COMMENT 'Client ASN',
|
|
subscriber_id String COMMENT 'Subscriber ID',
|
|
imei String COMMENT 'IMEI',
|
|
imsi String COMMENT 'IMSI',
|
|
phone_number String COMMENT 'Phone Number',
|
|
apn String COMMENT 'APN',
|
|
server_ip String COMMENT 'Server IP',
|
|
server_port Int32 COMMENT 'Server Port',
|
|
server_os_desc String COMMENT 'Server OS Description',
|
|
server_geolocation LowCardinality(String) COMMENT 'Server Geolocation',
|
|
server_asn Nullable(Int64) COMMENT 'Server ASN',
|
|
server_fqdn String COMMENT 'Server FQDN',
|
|
server_domain String COMMENT 'Server Domain',
|
|
app_transition String COMMENT 'Application Transition',
|
|
app LowCardinality(String) COMMENT 'Application',
|
|
app_debug_info String COMMENT 'Application Debug Info',
|
|
app_content String COMMENT 'Application Content',
|
|
fqdn_category_list Array(Int64) COMMENT 'FQDN Category List',
|
|
ip_protocol LowCardinality(String) COMMENT 'IP Protocol',
|
|
decoded_path LowCardinality(String) COMMENT 'Decoded Path',
|
|
dns_message_id Nullable(Int32) COMMENT 'DNS Message ID',
|
|
dns_qr Nullable(Int32) COMMENT 'DNS QR',
|
|
dns_opcode Nullable(Int32) COMMENT 'DNS OPCODE',
|
|
dns_aa Nullable(Int32) COMMENT 'DNS AA',
|
|
dns_tc Nullable(Int32) COMMENT 'DNS TC',
|
|
dns_rd Nullable(Int32) COMMENT 'DNS RD',
|
|
dns_ra Nullable(Int32) COMMENT 'DNS RA',
|
|
dns_rcode Nullable(Int32) COMMENT 'DNS RCODE',
|
|
dns_qdcount Nullable(Int32) COMMENT 'DNS QDCOUNT',
|
|
dns_ancount Nullable(Int32) COMMENT 'DNS ANCOUNT',
|
|
dns_nscount Nullable(Int32) COMMENT 'DNS NSCOUNT',
|
|
dns_arcount Nullable(Int32) COMMENT 'DNS ARCOUNT',
|
|
dns_qname String COMMENT 'DNS QNAME',
|
|
dns_qtype Nullable(Int32) COMMENT 'DNS QTYPE',
|
|
dns_qclass Nullable(Int32) COMMENT 'DNS QCLASS',
|
|
dns_cname String COMMENT 'DNS CNAME',
|
|
dns_sub Nullable(Int32) COMMENT 'DNS SUB',
|
|
dns_rr String COMMENT 'DNS RR',
|
|
dns_response_latency_ms Nullable(Int32) COMMENT 'DNS Response Latency',
|
|
http_url String COMMENT 'HTTP URL',
|
|
http_host String COMMENT 'HTTP Host',
|
|
http_request_line String COMMENT 'HTTP Request Line',
|
|
http_response_line String COMMENT 'HTTP Response Line',
|
|
http_request_body String COMMENT 'HTTP Request Body',
|
|
http_response_body String COMMENT 'HTTP Response Body',
|
|
http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag',
|
|
http_sequence Nullable(Int32) COMMENT 'HTTP Sequence',
|
|
http_cookie String COMMENT 'HTTP Cookie',
|
|
http_referer String COMMENT 'HTTP Referer',
|
|
http_user_agent String COMMENT 'HTTP User-Agent',
|
|
http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length',
|
|
http_request_content_type String COMMENT 'HTTP Request Content-Type',
|
|
http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length',
|
|
http_response_content_type String COMMENT 'HTTP Response Content-Type',
|
|
http_set_cookie String COMMENT 'HTTP Set-Cookie',
|
|
http_version String COMMENT 'HTTP Version',
|
|
http_status_code Nullable(Int32) COMMENT 'HTTP Status Code',
|
|
http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency',
|
|
http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration',
|
|
http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size',
|
|
ssl_version String COMMENT 'SSL Version',
|
|
ssl_sni String COMMENT 'SSL SNI',
|
|
ssl_san String COMMENT 'SSL SAN',
|
|
ssl_cn String COMMENT 'SSL CN',
|
|
ssl_handshake_latency_ms Nullable(Int32) COMMENT 'SSL Handshake Latency',
|
|
ssl_ja3_hash String COMMENT 'SSL JA3 Fingerprint',
|
|
ssl_ja3s_hash String COMMENT 'SSL JA3 Hash',
|
|
ssl_cert_issuer String COMMENT 'SSL JA3S Fingerprint',
|
|
ssl_cert_subject String COMMENT 'SSL JA3S Hash',
|
|
ssl_esni_flag Nullable(Int32) COMMENT 'SSL Issuer',
|
|
ssl_ech_flag Nullable(Int32) COMMENT 'SSL Subject',
|
|
dtls_cookie String COMMENT 'DTLS Cookie',
|
|
dtls_version String COMMENT 'DTLS Version',
|
|
dtls_sni String COMMENT 'DTLS SNI',
|
|
dtls_san String COMMENT 'DTLS SAN',
|
|
dtls_cn String COMMENT 'DTLS CN',
|
|
dtls_handshake_latency_ms Nullable(Int32) COMMENT 'DTLS Handshake Latency',
|
|
dtls_ja3_fingerprint String COMMENT 'DTLS JA3 Fingerprint',
|
|
dtls_ja3_hash String COMMENT 'DTLS JA3 Hash',
|
|
dtls_cert_issuer String COMMENT 'DTLS Certificate Issuer',
|
|
dtls_cert_subject String COMMENT 'DTLS Certificate Subject',
|
|
mail_protocol_type String COMMENT 'MAIL Protocol Type',
|
|
mail_account String COMMENT 'MAIL Account',
|
|
mail_from_cmd String COMMENT 'MAIL From CMD',
|
|
mail_to_cmd String COMMENT 'MAIL To CMD',
|
|
mail_from String COMMENT 'MAIL From',
|
|
mail_password String COMMENT 'MAIL Password',
|
|
mail_to String COMMENT 'MAIL To',
|
|
mail_cc String COMMENT 'MAIL CC',
|
|
mail_bcc String COMMENT 'MAIL BCC',
|
|
mail_subject String COMMENT 'MAIL Subject',
|
|
mail_subject_charset String COMMENT 'MAIL Subject Charset',
|
|
mail_attachment_name String COMMENT 'MAIL Content',
|
|
mail_attachment_name_charset String COMMENT 'MAIL Content Charset',
|
|
mail_eml_file String COMMENT 'MAIL Attachment Name',
|
|
ftp_account String COMMENT 'FTP Account',
|
|
ftp_url String COMMENT 'FTP URL',
|
|
ftp_link_type String COMMENT 'FTP Link Type',
|
|
quic_version String COMMENT 'QUIC Version',
|
|
quic_sni String COMMENT 'QUIC SNI',
|
|
quic_user_agent String COMMENT 'QUIC User-Agent',
|
|
rdp_cookie String COMMENT 'RDP Cookie',
|
|
rdp_security_protocol String COMMENT 'RDP Security Protocol',
|
|
rdp_client_channels String COMMENT 'RDP Client Channels',
|
|
rdp_keyboard_layout String COMMENT 'RDP Keyboard Layout',
|
|
rdp_client_version String COMMENT 'RDP Client Version',
|
|
rdp_client_name String COMMENT 'RDP Client Name',
|
|
rdp_client_product_id String COMMENT 'RDP Client Product ID',
|
|
rdp_desktop_width String COMMENT 'RDP Desktop Width',
|
|
rdp_desktop_height String COMMENT 'RDP Desktop Height',
|
|
rdp_requested_color_depth String COMMENT 'RDP Requested Color Depth',
|
|
rdp_certificate_type String COMMENT 'RDP Certificate Type',
|
|
rdp_certificate_count Nullable(Int32) COMMENT 'RDP Certificate Count',
|
|
rdp_certificate_permanent Nullable(Int32) COMMENT 'RDP Certificate Permanent',
|
|
rdp_encryption_level String COMMENT 'RDP Encryption Level',
|
|
rdp_encryption_method String COMMENT 'RDP Encryption Method',
|
|
ssh_version String COMMENT 'SSH Version',
|
|
ssh_auth_success String COMMENT 'SSH Authentication Result',
|
|
ssh_client_version String COMMENT 'SSH Client Version',
|
|
ssh_server_version String COMMENT 'SSH Server Version',
|
|
ssh_cipher_alg String COMMENT 'SSH Encryption Algorithm',
|
|
ssh_mac_alg String COMMENT 'SSH Signing Algorithm',
|
|
ssh_compression_alg String COMMENT 'SSH Compression Algorithm',
|
|
ssh_kex_alg String COMMENT 'SSH Key Exchange Algorithm',
|
|
ssh_host_key_alg String COMMENT 'SSH Server Host Key Algorithm',
|
|
ssh_host_key String COMMENT 'SSH Server Key Fingerprint',
|
|
ssh_hassh String COMMENT 'SSH HASSH',
|
|
sip_call_id String COMMENT 'SIP Call-ID',
|
|
sip_originator_description String COMMENT 'SIP Originator',
|
|
sip_responder_description String COMMENT 'SIP Responder',
|
|
sip_user_agent String COMMENT 'SIP User-Agent',
|
|
sip_server String COMMENT 'SIP Server',
|
|
sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
|
|
sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
|
|
sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
|
|
sip_originator_sdp_content String COMMENT 'SIP Originator Content',
|
|
sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
|
|
sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
|
|
sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
|
|
sip_responder_sdp_content String COMMENT 'SIP Responder Content',
|
|
sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
|
|
sip_bye String COMMENT 'SIP Bye',
|
|
rtp_payload_type_c2s Nullable(Int32) COMMENT 'RTP Payload Type(C2S)',
|
|
rtp_payload_type_s2c Nullable(Int32) COMMENT 'RTP Payload Type(S2C)',
|
|
rtp_pcap_path String COMMENT 'RTP PCAP',
|
|
rtp_originator_dir Nullable(Int32) COMMENT 'RTP Direction',
|
|
stratum_cryptocurrency String COMMENT 'Stratum Cryptocurrency',
|
|
stratum_mining_pools String COMMENT 'Stratum Mining Pools',
|
|
stratum_mining_program String COMMENT 'Stratum Mining Program',
|
|
stratum_mining_subscribe String COMMENT 'Stratum Mining Subscribe',
|
|
sent_pkts Int64 COMMENT 'Packets Sent',
|
|
received_pkts Int64 COMMENT 'Packets Received',
|
|
sent_bytes Int64 COMMENT 'Bytes Sent',
|
|
received_bytes Int64 COMMENT 'Bytes Received',
|
|
tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments',
|
|
tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments',
|
|
tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes',
|
|
tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes',
|
|
tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-OrderPackets',
|
|
tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets',
|
|
tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets',
|
|
tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets',
|
|
tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes',
|
|
tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes',
|
|
tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time',
|
|
tcp_client_isn Nullable(Int64) COMMENT 'Client ISN',
|
|
tcp_server_isn Nullable(Int64) COMMENT 'Server ISN',
|
|
packet_capture_file String COMMENT 'Packet Capture File',
|
|
in_src_mac String COMMENT 'Incoming Source MAC',
|
|
out_src_mac String COMMENT 'Outgoing Source MAC',
|
|
in_dest_mac String COMMENT 'Incoming Destination MAC',
|
|
out_dest_mac String COMMENT 'Outgoing Destination MAC',
|
|
encapsulation String COMMENT 'Encapsulation',
|
|
dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag',
|
|
tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description',
|
|
tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description'
|
|
)
|
|
ENGINE =Distributed(js_datahouse,tsg_galaxy_v3,monitor_event_local,rand());
|
|
|
|
|
|
|
|
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.transaction_record_local on cluster js_datahouse (
|
|
recv_time Int64 COMMENT 'Receive Time',
|
|
log_id UInt64 COMMENT 'Log ID',
|
|
decoded_as String COMMENT 'Decoded AS',
|
|
session_id UInt64 COMMENT 'Session ID',
|
|
ingestion_time Int64 COMMENT 'Ingestion Time',
|
|
processing_time Int64 COMMENT 'Processing Time',
|
|
insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
|
|
address_type Int32 COMMENT 'Address Type',
|
|
vsys_id Int32 COMMENT 'Vsys ID',
|
|
client_ip String COMMENT 'Client IP',
|
|
client_port Int32 COMMENT 'Client Port',
|
|
server_ip String COMMENT 'Server IP',
|
|
server_port Int32 COMMENT 'Server Port',
|
|
sent_pkts Int64 COMMENT 'Packets Sent',
|
|
received_pkts Int64 COMMENT 'Packets Received',
|
|
sent_bytes Int64 COMMENT 'Bytes Sent',
|
|
received_bytes Int64 COMMENT 'Bytes Received',
|
|
dns_message_id Nullable(Int32) COMMENT 'DNS Message ID',
|
|
dns_qr Nullable(Int32) COMMENT 'DNS QR',
|
|
dns_opcode Nullable(Int32) COMMENT 'DNS OPCODE',
|
|
dns_aa Nullable(Int32) COMMENT 'DNS AA',
|
|
dns_tc Nullable(Int32) COMMENT 'DNS TC',
|
|
dns_rd Nullable(Int32) COMMENT 'DNS RD',
|
|
dns_ra Nullable(Int32) COMMENT 'DNS RA',
|
|
dns_rcode Nullable(Int32) COMMENT 'DNS RCODE',
|
|
dns_qdcount Nullable(Int32) COMMENT 'DNS QDCOUNT',
|
|
dns_ancount Nullable(Int32) COMMENT 'DNS ANCOUNT',
|
|
dns_nscount Nullable(Int32) COMMENT 'DNS NSCOUNT',
|
|
dns_arcount Nullable(Int32) COMMENT 'DNS ARCOUNT',
|
|
dns_qname String COMMENT 'DNS QNAME',
|
|
dns_qtype Nullable(Int32) COMMENT 'DNS QTYPE',
|
|
dns_qclass Nullable(Int32) COMMENT 'DNS QCLASS',
|
|
dns_cname String COMMENT 'DNS CNAME',
|
|
dns_sub Nullable(Int32) COMMENT 'DNS SUB',
|
|
dns_rr String COMMENT 'DNS RR',
|
|
dns_response_latency_ms Nullable(Int32) COMMENT 'DNS Response Latency',
|
|
http_url String COMMENT 'HTTP URL',
|
|
http_host String COMMENT 'HTTP Host',
|
|
http_request_line String COMMENT 'HTTP Request Line',
|
|
http_response_line String COMMENT 'HTTP Response Line',
|
|
http_request_body String COMMENT 'HTTP Request Body',
|
|
http_response_body String COMMENT 'HTTP Response Body',
|
|
http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag',
|
|
http_sequence Nullable(Int32) COMMENT 'HTTP Sequence',
|
|
http_cookie String COMMENT 'HTTP Cookie',
|
|
http_referer String COMMENT 'HTTP Referer',
|
|
http_user_agent String COMMENT 'HTTP User-Agent',
|
|
http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length',
|
|
http_request_content_type String COMMENT 'HTTP Request Content-Type',
|
|
http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length',
|
|
http_response_content_type String COMMENT 'HTTP Response Content-Type',
|
|
http_set_cookie String COMMENT 'HTTP Set-Cookie',
|
|
http_version String COMMENT 'HTTP Version',
|
|
http_status_code Nullable(Int32) COMMENT 'HTTP Status Code',
|
|
http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency',
|
|
http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration',
|
|
http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size',
|
|
mail_protocol_type String COMMENT 'MAIL Protocol Type',
|
|
mail_account String COMMENT 'MAIL Account',
|
|
mail_from_cmd String COMMENT 'MAIL From CMD',
|
|
mail_to_cmd String COMMENT 'MAIL To CMD',
|
|
mail_from String COMMENT 'MAIL From',
|
|
mail_password String COMMENT 'MAIL Password',
|
|
mail_to String COMMENT 'MAIL To',
|
|
mail_cc String COMMENT 'MAIL CC',
|
|
mail_bcc String COMMENT 'MAIL BCC',
|
|
mail_subject String COMMENT 'MAIL Subject',
|
|
mail_subject_charset String COMMENT 'MAIL Subject Charset',
|
|
mail_attachment_name String COMMENT 'MAIL Content',
|
|
mail_attachment_name_charset String COMMENT 'MAIL Content Charset',
|
|
mail_eml_file String COMMENT 'MAIL Attachment Name',
|
|
sip_call_id String COMMENT 'SIP Call-ID',
|
|
sip_originator_description String COMMENT 'SIP Originator',
|
|
sip_responder_description String COMMENT 'SIP Responder',
|
|
sip_user_agent String COMMENT 'SIP User-Agent',
|
|
sip_server String COMMENT 'SIP Server',
|
|
sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
|
|
sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
|
|
sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
|
|
sip_originator_sdp_content String COMMENT 'SIP Originator Content',
|
|
sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
|
|
sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
|
|
sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
|
|
sip_responder_sdp_content String COMMENT 'SIP Responder Content',
|
|
sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
|
|
sip_bye String COMMENT 'SIP Bye'
|
|
)
|
|
ENGINE = ReplicatedMergeTree('/clickhouse/tables/{shard}/transaction_record_local', '{replica}')
|
|
PARTITION BY toYYYYMMDD(toDate(recv_time))
|
|
ORDER BY (vsys_id,session_id,recv_time)
|
|
TTL toDateTime(recv_time) + toIntervalSecond(15552000)
|
|
;
|
|
|
|
|
|
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.transaction_record on cluster js_datahouse (
|
|
recv_time Int64 COMMENT 'Receive Time',
|
|
log_id UInt64 COMMENT 'Log ID',
|
|
decoded_as String COMMENT 'Decoded AS',
|
|
session_id UInt64 COMMENT 'Session ID',
|
|
ingestion_time Int64 COMMENT 'Ingestion Time',
|
|
processing_time Int64 COMMENT 'Processing Time',
|
|
insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
|
|
address_type Int32 COMMENT 'Address Type',
|
|
vsys_id Int32 COMMENT 'Vsys ID',
|
|
client_ip String COMMENT 'Client IP',
|
|
client_port Int32 COMMENT 'Client Port',
|
|
server_ip String COMMENT 'Server IP',
|
|
server_port Int32 COMMENT 'Server Port',
|
|
sent_pkts Int64 COMMENT 'Packets Sent',
|
|
received_pkts Int64 COMMENT 'Packets Received',
|
|
sent_bytes Int64 COMMENT 'Bytes Sent',
|
|
received_bytes Int64 COMMENT 'Bytes Received',
|
|
dns_message_id Nullable(Int32) COMMENT 'DNS Message ID',
|
|
dns_qr Nullable(Int32) COMMENT 'DNS QR',
|
|
dns_opcode Nullable(Int32) COMMENT 'DNS OPCODE',
|
|
dns_aa Nullable(Int32) COMMENT 'DNS AA',
|
|
dns_tc Nullable(Int32) COMMENT 'DNS TC',
|
|
dns_rd Nullable(Int32) COMMENT 'DNS RD',
|
|
dns_ra Nullable(Int32) COMMENT 'DNS RA',
|
|
dns_rcode Nullable(Int32) COMMENT 'DNS RCODE',
|
|
dns_qdcount Nullable(Int32) COMMENT 'DNS QDCOUNT',
|
|
dns_ancount Nullable(Int32) COMMENT 'DNS ANCOUNT',
|
|
dns_nscount Nullable(Int32) COMMENT 'DNS NSCOUNT',
|
|
dns_arcount Nullable(Int32) COMMENT 'DNS ARCOUNT',
|
|
dns_qname String COMMENT 'DNS QNAME',
|
|
dns_qtype Nullable(Int32) COMMENT 'DNS QTYPE',
|
|
dns_qclass Nullable(Int32) COMMENT 'DNS QCLASS',
|
|
dns_cname String COMMENT 'DNS CNAME',
|
|
dns_sub Nullable(Int32) COMMENT 'DNS SUB',
|
|
dns_rr String COMMENT 'DNS RR',
|
|
dns_response_latency_ms Nullable(Int32) COMMENT 'DNS Response Latency',
|
|
http_url String COMMENT 'HTTP URL',
|
|
http_host String COMMENT 'HTTP Host',
|
|
http_request_line String COMMENT 'HTTP Request Line',
|
|
http_response_line String COMMENT 'HTTP Response Line',
|
|
http_request_body String COMMENT 'HTTP Request Body',
|
|
http_response_body String COMMENT 'HTTP Response Body',
|
|
http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag',
|
|
http_sequence Nullable(Int32) COMMENT 'HTTP Sequence',
|
|
http_cookie String COMMENT 'HTTP Cookie',
|
|
http_referer String COMMENT 'HTTP Referer',
|
|
http_user_agent String COMMENT 'HTTP User-Agent',
|
|
http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length',
|
|
http_request_content_type String COMMENT 'HTTP Request Content-Type',
|
|
http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length',
|
|
http_response_content_type String COMMENT 'HTTP Response Content-Type',
|
|
http_set_cookie String COMMENT 'HTTP Set-Cookie',
|
|
http_version String COMMENT 'HTTP Version',
|
|
http_status_code Nullable(Int32) COMMENT 'HTTP Status Code',
|
|
http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency',
|
|
http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration',
|
|
http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size',
|
|
mail_protocol_type String COMMENT 'MAIL Protocol Type',
|
|
mail_account String COMMENT 'MAIL Account',
|
|
mail_from_cmd String COMMENT 'MAIL From CMD',
|
|
mail_to_cmd String COMMENT 'MAIL To CMD',
|
|
mail_from String COMMENT 'MAIL From',
|
|
mail_password String COMMENT 'MAIL Password',
|
|
mail_to String COMMENT 'MAIL To',
|
|
mail_cc String COMMENT 'MAIL CC',
|
|
mail_bcc String COMMENT 'MAIL BCC',
|
|
mail_subject String COMMENT 'MAIL Subject',
|
|
mail_subject_charset String COMMENT 'MAIL Subject Charset',
|
|
mail_attachment_name String COMMENT 'MAIL Content',
|
|
mail_attachment_name_charset String COMMENT 'MAIL Content Charset',
|
|
mail_eml_file String COMMENT 'MAIL Attachment Name',
|
|
sip_call_id String COMMENT 'SIP Call-ID',
|
|
sip_originator_description String COMMENT 'SIP Originator',
|
|
sip_responder_description String COMMENT 'SIP Responder',
|
|
sip_user_agent String COMMENT 'SIP User-Agent',
|
|
sip_server String COMMENT 'SIP Server',
|
|
sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
|
|
sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
|
|
sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
|
|
sip_originator_sdp_content String COMMENT 'SIP Originator Content',
|
|
sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
|
|
sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
|
|
sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
|
|
sip_responder_sdp_content String COMMENT 'SIP Responder Content',
|
|
sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
|
|
sip_bye String COMMENT 'SIP Bye'
|
|
)
|
|
ENGINE =Distributed(js_datahouse,tsg_galaxy_v3,transaction_record_local,rand());
|
|
|
|
|
|
|
|
alter table tsg_galaxy_v3.session_record_local on cluster js_datahouse add INDEX IF NOT EXISTS client_index client_ip type bloom_filter(0.05) GRANULARITY 1;
|
|
alter table tsg_galaxy_v3.transaction_record_local on cluster js_datahouse add INDEX IF NOT EXISTS client_index client_ip type bloom_filter(0.05) GRANULARITY 1;
|
|
|
|
|
|
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.voip_record_local on cluster js_datahouse (
|
|
recv_time Int64 COMMENT 'Receive Time',
|
|
log_id UInt64 COMMENT 'Log ID',
|
|
decoded_as String COMMENT 'Decoded AS',
|
|
session_id UInt64 COMMENT 'Session ID',
|
|
start_timestamp_ms DateTime64(3) COMMENT 'Start Time',
|
|
end_timestamp_ms DateTime64(3) COMMENT 'End Time',
|
|
duration_ms Int32 COMMENT 'Duration',
|
|
tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency',
|
|
ingestion_time Int64 COMMENT 'Ingestion Time',
|
|
processing_time Int64 COMMENT 'Processing Time',
|
|
insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
|
|
device_id String COMMENT 'Device ID',
|
|
out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID',
|
|
in_link_id Nullable(Int32) COMMENT 'Incoming Link ID',
|
|
device_tag String COMMENT 'Device Tag',
|
|
data_center String COMMENT 'Data Center',
|
|
device_group String COMMENT 'Device Group',
|
|
sled_ip String COMMENT 'Sled IP',
|
|
address_type Int32 COMMENT 'Address Type',
|
|
vsys_id Int32 COMMENT 'Vsys ID',
|
|
t_vsys_id Int32 COMMENT 'Traffic Vsys ID',
|
|
flags Int64 COMMENT 'Flags',
|
|
flags_identify_info String COMMENT 'Flags Identify Info',
|
|
security_rule_list Array(Int64) COMMENT 'Security Rule List',
|
|
security_action String COMMENT 'Security Action',
|
|
monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List',
|
|
shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List',
|
|
proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List',
|
|
statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List',
|
|
sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List',
|
|
sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)',
|
|
sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)',
|
|
proxy_action String COMMENT 'Proxy Action',
|
|
proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status',
|
|
proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status',
|
|
proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason',
|
|
proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency',
|
|
proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency',
|
|
proxy_client_side_version String COMMENT 'Proxy Client-Side Version',
|
|
proxy_server_side_version String COMMENT 'Proxy Server-Side Version',
|
|
proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify',
|
|
proxy_intercept_error String COMMENT 'Proxy Intercept Error',
|
|
monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets',
|
|
monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes',
|
|
client_ip String COMMENT 'Client IP',
|
|
client_port Int32 COMMENT 'Client Port',
|
|
client_os_desc String COMMENT 'Client OS Description',
|
|
client_geolocation LowCardinality(String) COMMENT 'Client Geolocation',
|
|
client_asn Nullable(Int64) COMMENT 'Client ASN',
|
|
subscriber_id String COMMENT 'Subscriber ID',
|
|
imei String COMMENT 'IMEI',
|
|
imsi String COMMENT 'IMSI',
|
|
phone_number String COMMENT 'Phone Number',
|
|
apn String COMMENT 'APN',
|
|
server_ip String COMMENT 'Server IP',
|
|
server_port Int32 COMMENT 'Server Port',
|
|
server_os_desc String COMMENT 'Server OS Description',
|
|
server_geolocation LowCardinality(String) COMMENT 'Server Geolocation',
|
|
server_asn Nullable(Int64) COMMENT 'Server ASN',
|
|
server_fqdn String COMMENT 'Server FQDN',
|
|
server_domain String COMMENT 'Server Domain',
|
|
app_transition String COMMENT 'Application Transition',
|
|
app LowCardinality(String) COMMENT 'Application',
|
|
app_debug_info String COMMENT 'Application Debug Info',
|
|
app_content String COMMENT 'Application Content',
|
|
fqdn_category_list Array(Int64) COMMENT 'FQDN Category List',
|
|
ip_protocol LowCardinality(String) COMMENT 'IP Protocol',
|
|
decoded_path LowCardinality(String) COMMENT 'Decoded Path',
|
|
sip_call_id String COMMENT 'SIP Call-ID',
|
|
sip_originator_description String COMMENT 'SIP Originator',
|
|
sip_responder_description String COMMENT 'SIP Responder',
|
|
sip_user_agent String COMMENT 'SIP User-Agent',
|
|
sip_server String COMMENT 'SIP Server',
|
|
sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
|
|
sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
|
|
sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
|
|
sip_originator_sdp_content String COMMENT 'SIP Originator Content',
|
|
sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
|
|
sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
|
|
sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
|
|
sip_responder_sdp_content String COMMENT 'SIP Responder Content',
|
|
sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
|
|
sip_bye String COMMENT 'SIP Bye',
|
|
rtp_payload_type_c2s Nullable(Int32) COMMENT 'RTP Payload Type(C2S)',
|
|
rtp_payload_type_s2c Nullable(Int32) COMMENT 'RTP Payload Type(S2C)',
|
|
rtp_pcap_path String COMMENT 'RTP PCAP',
|
|
rtp_originator_dir Nullable(Int32) COMMENT 'RTP Direction',
|
|
sent_pkts Int64 COMMENT 'Packets Sent',
|
|
received_pkts Int64 COMMENT 'Packets Received',
|
|
sent_bytes Int64 COMMENT 'Bytes Sent',
|
|
received_bytes Int64 COMMENT 'Bytes Received',
|
|
tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments',
|
|
tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments',
|
|
tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes',
|
|
tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes',
|
|
tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-OrderPackets',
|
|
tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets',
|
|
tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets',
|
|
tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets',
|
|
tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes',
|
|
tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes',
|
|
tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time',
|
|
tcp_client_isn Nullable(Int64) COMMENT 'Client ISN',
|
|
tcp_server_isn Nullable(Int64) COMMENT 'Server ISN',
|
|
packet_capture_file String COMMENT 'Packet Capture File',
|
|
in_src_mac String COMMENT 'Incoming Source MAC',
|
|
out_src_mac String COMMENT 'Outgoing Source MAC',
|
|
in_dest_mac String COMMENT 'Incoming Destination MAC',
|
|
out_dest_mac String COMMENT 'Outgoing Destination MAC',
|
|
encapsulation String COMMENT 'Encapsulation',
|
|
dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag',
|
|
tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description',
|
|
tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description'
|
|
)
|
|
ENGINE = ReplicatedMergeTree('/clickhouse/tables/{shard}/voip_record_local', '{replica}')
|
|
PARTITION BY toYYYYMMDD(toDate(recv_time))
|
|
ORDER BY (vsys_id,decoded_as,data_center, device_group,recv_time)
|
|
TTL toDateTime(recv_time) + toIntervalSecond(15552000)
|
|
;
|
|
|
|
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.voip_record on cluster js_datahouse (
|
|
recv_time Int64 COMMENT 'Receive Time',
|
|
log_id UInt64 COMMENT 'Log ID',
|
|
decoded_as String COMMENT 'Decoded AS',
|
|
session_id UInt64 COMMENT 'Session ID',
|
|
start_timestamp_ms DateTime64(3) COMMENT 'Start Time',
|
|
end_timestamp_ms DateTime64(3) COMMENT 'End Time',
|
|
duration_ms Int32 COMMENT 'Duration',
|
|
tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency',
|
|
ingestion_time Int64 COMMENT 'Ingestion Time',
|
|
processing_time Int64 COMMENT 'Processing Time',
|
|
insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
|
|
device_id String COMMENT 'Device ID',
|
|
out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID',
|
|
in_link_id Nullable(Int32) COMMENT 'Incoming Link ID',
|
|
device_tag String COMMENT 'Device Tag',
|
|
data_center String COMMENT 'Data Center',
|
|
device_group String COMMENT 'Device Group',
|
|
sled_ip String COMMENT 'Sled IP',
|
|
address_type Int32 COMMENT 'Address Type',
|
|
vsys_id Int32 COMMENT 'Vsys ID',
|
|
t_vsys_id Int32 COMMENT 'Traffic Vsys ID',
|
|
flags Int64 COMMENT 'Flags',
|
|
flags_identify_info String COMMENT 'Flags Identify Info',
|
|
security_rule_list Array(Int64) COMMENT 'Security Rule List',
|
|
security_action String COMMENT 'Security Action',
|
|
monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List',
|
|
shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List',
|
|
proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List',
|
|
statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List',
|
|
sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List',
|
|
sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)',
|
|
sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)',
|
|
proxy_action String COMMENT 'Proxy Action',
|
|
proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status',
|
|
proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status',
|
|
proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason',
|
|
proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency',
|
|
proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency',
|
|
proxy_client_side_version String COMMENT 'Proxy Client-Side Version',
|
|
proxy_server_side_version String COMMENT 'Proxy Server-Side Version',
|
|
proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify',
|
|
proxy_intercept_error String COMMENT 'Proxy Intercept Error',
|
|
monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets',
|
|
monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes',
|
|
client_ip String COMMENT 'Client IP',
|
|
client_port Int32 COMMENT 'Client Port',
|
|
client_os_desc String COMMENT 'Client OS Description',
|
|
client_geolocation LowCardinality(String) COMMENT 'Client Geolocation',
|
|
client_asn Nullable(Int64) COMMENT 'Client ASN',
|
|
subscriber_id String COMMENT 'Subscriber ID',
|
|
imei String COMMENT 'IMEI',
|
|
imsi String COMMENT 'IMSI',
|
|
phone_number String COMMENT 'Phone Number',
|
|
apn String COMMENT 'APN',
|
|
server_ip String COMMENT 'Server IP',
|
|
server_port Int32 COMMENT 'Server Port',
|
|
server_os_desc String COMMENT 'Server OS Description',
|
|
server_geolocation LowCardinality(String) COMMENT 'Server Geolocation',
|
|
server_asn Nullable(Int64) COMMENT 'Server ASN',
|
|
server_fqdn String COMMENT 'Server FQDN',
|
|
server_domain String COMMENT 'Server Domain',
|
|
app_transition String COMMENT 'Application Transition',
|
|
app LowCardinality(String) COMMENT 'Application',
|
|
app_debug_info String COMMENT 'Application Debug Info',
|
|
app_content String COMMENT 'Application Content',
|
|
fqdn_category_list Array(Int64) COMMENT 'FQDN Category List',
|
|
ip_protocol LowCardinality(String) COMMENT 'IP Protocol',
|
|
decoded_path LowCardinality(String) COMMENT 'Decoded Path',
|
|
sip_call_id String COMMENT 'SIP Call-ID',
|
|
sip_originator_description String COMMENT 'SIP Originator',
|
|
sip_responder_description String COMMENT 'SIP Responder',
|
|
sip_user_agent String COMMENT 'SIP User-Agent',
|
|
sip_server String COMMENT 'SIP Server',
|
|
sip_originator_sdp_connect_ip String COMMENT 'SIP Originator IP',
|
|
sip_originator_sdp_media_port Nullable(Int32) COMMENT 'SIP Originator Port',
|
|
sip_originator_sdp_media_type String COMMENT 'SIP Originator Media Type',
|
|
sip_originator_sdp_content String COMMENT 'SIP Originator Content',
|
|
sip_responder_sdp_connect_ip String COMMENT 'SIP Responder IP',
|
|
sip_responder_sdp_media_port Nullable(Int32) COMMENT 'SIP Responder Port',
|
|
sip_responder_sdp_media_type String COMMENT 'SIP Responder Media Type',
|
|
sip_responder_sdp_content String COMMENT 'SIP Responder Content',
|
|
sip_duration_s Nullable(Int32) COMMENT 'SIP Duration',
|
|
sip_bye String COMMENT 'SIP Bye',
|
|
rtp_payload_type_c2s Nullable(Int32) COMMENT 'RTP Payload Type(C2S)',
|
|
rtp_payload_type_s2c Nullable(Int32) COMMENT 'RTP Payload Type(S2C)',
|
|
rtp_pcap_path String COMMENT 'RTP PCAP',
|
|
rtp_originator_dir Nullable(Int32) COMMENT 'RTP Direction',
|
|
sent_pkts Int64 COMMENT 'Packets Sent',
|
|
received_pkts Int64 COMMENT 'Packets Received',
|
|
sent_bytes Int64 COMMENT 'Bytes Sent',
|
|
received_bytes Int64 COMMENT 'Bytes Received',
|
|
tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments',
|
|
tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments',
|
|
tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes',
|
|
tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes',
|
|
tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-OrderPackets',
|
|
tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets',
|
|
tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets',
|
|
tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets',
|
|
tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes',
|
|
tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes',
|
|
tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time',
|
|
tcp_client_isn Nullable(Int64) COMMENT 'Client ISN',
|
|
tcp_server_isn Nullable(Int64) COMMENT 'Server ISN',
|
|
packet_capture_file String COMMENT 'Packet Capture File',
|
|
in_src_mac String COMMENT 'Incoming Source MAC',
|
|
out_src_mac String COMMENT 'Outgoing Source MAC',
|
|
in_dest_mac String COMMENT 'Incoming Destination MAC',
|
|
out_dest_mac String COMMENT 'Outgoing Destination MAC',
|
|
encapsulation String COMMENT 'Encapsulation',
|
|
dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag',
|
|
tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description',
|
|
tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description'
|
|
)
|
|
ENGINE =Distributed(js_datahouse,tsg_galaxy_v3,voip_record_local,rand());
|
|
|
|
|
|
|
|
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.proxy_event_local on cluster js_datahouse (
|
|
recv_time Int64 COMMENT 'Receive Time',
|
|
log_id UInt64 COMMENT 'Log ID',
|
|
decoded_as String COMMENT 'Decoded AS',
|
|
session_id UInt64 COMMENT 'Session ID',
|
|
start_timestamp_ms DateTime64(3) COMMENT 'Start Time',
|
|
end_timestamp_ms DateTime64(3) COMMENT 'End Time',
|
|
duration_ms Int32 COMMENT 'Duration',
|
|
tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency',
|
|
ingestion_time Int64 COMMENT 'Ingestion Time',
|
|
processing_time Int64 COMMENT 'Processing Time',
|
|
insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
|
|
device_id String COMMENT 'Device ID',
|
|
out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID',
|
|
in_link_id Nullable(Int32) COMMENT 'Incoming Link ID',
|
|
device_tag String COMMENT 'Device Tag',
|
|
data_center String COMMENT 'Data Center',
|
|
device_group String COMMENT 'Device Group',
|
|
sled_ip String COMMENT 'Sled IP',
|
|
address_type Int32 COMMENT 'Address Type',
|
|
vsys_id Int32 COMMENT 'Vsys ID',
|
|
t_vsys_id Int32 COMMENT 'Traffic Vsys ID',
|
|
flags Int64 COMMENT 'Flags',
|
|
flags_identify_info String COMMENT 'Flags Identify Info',
|
|
security_rule_list Array(Int64) COMMENT 'Security Rule List',
|
|
security_action String COMMENT 'Security Action',
|
|
monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List',
|
|
shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List',
|
|
proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List',
|
|
statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List',
|
|
sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List',
|
|
sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)',
|
|
sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)',
|
|
proxy_action String COMMENT 'Proxy Action',
|
|
proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status',
|
|
proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status',
|
|
proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason',
|
|
proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency',
|
|
proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency',
|
|
proxy_client_side_version String COMMENT 'Proxy Client-Side Version',
|
|
proxy_server_side_version String COMMENT 'Proxy Server-Side Version',
|
|
proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify',
|
|
proxy_intercept_error String COMMENT 'Proxy Intercept Error',
|
|
monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets',
|
|
monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes',
|
|
client_ip String COMMENT 'Client IP',
|
|
client_port Int32 COMMENT 'Client Port',
|
|
client_os_desc String COMMENT 'Client OS Description',
|
|
client_geolocation LowCardinality(String) COMMENT 'Client Geolocation',
|
|
client_asn Nullable(Int64) COMMENT 'Client ASN',
|
|
subscriber_id String COMMENT 'Subscriber ID',
|
|
imei String COMMENT 'IMEI',
|
|
imsi String COMMENT 'IMSI',
|
|
phone_number String COMMENT 'Phone Number',
|
|
apn String COMMENT 'APN',
|
|
server_ip String COMMENT 'Server IP',
|
|
server_port Int32 COMMENT 'Server Port',
|
|
server_os_desc String COMMENT 'Server OS Description',
|
|
server_geolocation LowCardinality(String) COMMENT 'Server Geolocation',
|
|
server_asn Nullable(Int64) COMMENT 'Server ASN',
|
|
server_fqdn String COMMENT 'Server FQDN',
|
|
server_domain String COMMENT 'Server Domain',
|
|
app_transition String COMMENT 'Application Transition',
|
|
app LowCardinality(String) COMMENT 'Application',
|
|
app_debug_info String COMMENT 'Application Debug Info',
|
|
app_content String COMMENT 'Application Content',
|
|
fqdn_category_list Array(Int64) COMMENT 'FQDN Category List',
|
|
ip_protocol LowCardinality(String) COMMENT 'IP Protocol',
|
|
decoded_path LowCardinality(String) COMMENT 'Decoded Path',
|
|
http_url String COMMENT 'HTTP URL',
|
|
http_host String COMMENT 'HTTP Host',
|
|
http_request_line String COMMENT 'HTTP Request Line',
|
|
http_response_line String COMMENT 'HTTP Response Line',
|
|
http_request_body String COMMENT 'HTTP Request Body',
|
|
http_response_body String COMMENT 'HTTP Response Body',
|
|
http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag',
|
|
http_sequence Nullable(Int32) COMMENT 'HTTP Sequence',
|
|
http_cookie String COMMENT 'HTTP Cookie',
|
|
http_referer String COMMENT 'HTTP Referer',
|
|
http_user_agent String COMMENT 'HTTP User-Agent',
|
|
http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length',
|
|
http_request_content_type String COMMENT 'HTTP Request Content-Type',
|
|
http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length',
|
|
http_response_content_type String COMMENT 'HTTP Response Content-Type',
|
|
http_set_cookie String COMMENT 'HTTP Set-Cookie',
|
|
http_version String COMMENT 'HTTP Version',
|
|
http_status_code Nullable(Int32) COMMENT 'HTTP Status Code',
|
|
http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency',
|
|
http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration',
|
|
http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size',
|
|
doh_url String COMMENT 'DoH URL',
|
|
doh_host String COMMENT 'DoH Host',
|
|
doh_request_line String COMMENT 'DoH Request Line',
|
|
doh_response_line String COMMENT 'DoH Response Line',
|
|
doh_cookie String COMMENT 'DoH Cookie',
|
|
doh_referer String COMMENT 'DoH Referer',
|
|
doh_user_agent String COMMENT 'DoH User-Agent',
|
|
doh_content_length String COMMENT 'DoH Content Length',
|
|
doh_content_type String COMMENT 'DoH Content Type',
|
|
doh_set_cookie String COMMENT 'DoH Set Cookie',
|
|
doh_version String COMMENT 'DoH Version',
|
|
doh_message_id Int64 COMMENT 'DoH Message ID',
|
|
doh_qr Nullable(Int64) COMMENT 'DoH QR',
|
|
doh_opcode Nullable(Int64) COMMENT 'DoH OPCODE',
|
|
doh_aa Nullable(Int64) COMMENT 'DoH AA',
|
|
doh_tc Nullable(Int64) COMMENT 'DoH TC',
|
|
doh_rd Nullable(Int64) COMMENT 'DoH RD',
|
|
doh_ra Nullable(Int64) COMMENT 'DoH RA',
|
|
doh_rcode Nullable(Int64) COMMENT 'DoH RCODE',
|
|
doh_qdcount Nullable(Int64) COMMENT 'DoH QDCOUNT',
|
|
doh_ancount Nullable(Int64) COMMENT 'DoH ANCOUNT',
|
|
doh_nscount Nullable(Int64) COMMENT 'DoH NSCOUNT',
|
|
doh_arcount Nullable(Int64) COMMENT 'DoH ARCOUNT',
|
|
doh_qname String COMMENT 'DoH QNAME',
|
|
doh_qtype Nullable(Int64) COMMENT 'DoH QTYPE',
|
|
doh_qclass Nullable(Int64) COMMENT 'DoH QCLASS',
|
|
doh_cname String COMMENT 'DoH CNAME',
|
|
doh_sub Nullable(Int64) COMMENT 'DoH SUB',
|
|
doh_rr String COMMENT 'DoH RR',
|
|
sent_pkts Int64 COMMENT 'Packets Sent',
|
|
received_pkts Int64 COMMENT 'Packets Received',
|
|
sent_bytes Int64 COMMENT 'Bytes Sent',
|
|
received_bytes Int64 COMMENT 'Bytes Received',
|
|
tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments',
|
|
tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments',
|
|
tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes',
|
|
tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes',
|
|
tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-OrderPackets',
|
|
tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets',
|
|
tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets',
|
|
tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets',
|
|
tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes',
|
|
tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes',
|
|
tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time',
|
|
tcp_client_isn Nullable(Int64) COMMENT 'Client ISN',
|
|
tcp_server_isn Nullable(Int64) COMMENT 'Server ISN',
|
|
packet_capture_file String COMMENT 'Packet Capture File',
|
|
in_src_mac String COMMENT 'Incoming Source MAC',
|
|
out_src_mac String COMMENT 'Outgoing Source MAC',
|
|
in_dest_mac String COMMENT 'Incoming Destination MAC',
|
|
out_dest_mac String COMMENT 'Outgoing Destination MAC',
|
|
encapsulation String COMMENT 'Encapsulation',
|
|
dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag',
|
|
tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description',
|
|
tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description'
|
|
)
|
|
ENGINE = ReplicatedMergeTree('/clickhouse/tables/{shard}/proxy_event_local', '{replica}')
|
|
PARTITION BY toYYYYMMDD(toDate(recv_time))
|
|
ORDER BY (vsys_id,proxy_action,decoded_as,data_center, device_group,recv_time)
|
|
TTL toDateTime(recv_time) + toIntervalSecond(15552000)
|
|
;
|
|
|
|
|
|
CREATE TABLE IF NOT EXISTS tsg_galaxy_v3.proxy_event on cluster js_datahouse (
|
|
recv_time Int64 COMMENT 'Receive Time',
|
|
log_id UInt64 COMMENT 'Log ID',
|
|
decoded_as String COMMENT 'Decoded AS',
|
|
session_id UInt64 COMMENT 'Session ID',
|
|
start_timestamp_ms DateTime64(3) COMMENT 'Start Time',
|
|
end_timestamp_ms DateTime64(3) COMMENT 'End Time',
|
|
duration_ms Int32 COMMENT 'Duration',
|
|
tcp_handshake_latency_ms Nullable(Int32) COMMENT 'TCP Handshake Latency',
|
|
ingestion_time Int64 COMMENT 'Ingestion Time',
|
|
processing_time Int64 COMMENT 'Processing Time',
|
|
insert_time Int64 MATERIALIZED toUnixTimestamp(now()) COMMENT 'Insert Time',
|
|
device_id String COMMENT 'Device ID',
|
|
out_link_id Nullable(Int32) COMMENT 'Outgoing Link ID',
|
|
in_link_id Nullable(Int32) COMMENT 'Incoming Link ID',
|
|
device_tag String COMMENT 'Device Tag',
|
|
data_center String COMMENT 'Data Center',
|
|
device_group String COMMENT 'Device Group',
|
|
sled_ip String COMMENT 'Sled IP',
|
|
address_type Int32 COMMENT 'Address Type',
|
|
vsys_id Int32 COMMENT 'Vsys ID',
|
|
t_vsys_id Int32 COMMENT 'Traffic Vsys ID',
|
|
flags Int64 COMMENT 'Flags',
|
|
flags_identify_info String COMMENT 'Flags Identify Info',
|
|
security_rule_list Array(Int64) COMMENT 'Security Rule List',
|
|
security_action String COMMENT 'Security Action',
|
|
monitor_rule_list Array(Int64) COMMENT 'Monitor Rule List',
|
|
shaping_rule_list Array(Int64) COMMENT 'Shaping Rule List',
|
|
proxy_rule_list Array(Int64) COMMENT 'Proxy Rule List',
|
|
statistics_rule_list Array(Int64) COMMENT 'Statistics Rule List',
|
|
sc_rule_list Array(Int64) COMMENT 'Service Chaining Rule List',
|
|
sc_rsp_raw Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Raw)',
|
|
sc_rsp_decrypted Array(Int64) COMMENT 'Service Chaining Rendered Service Path (Decrypted)',
|
|
proxy_action String COMMENT 'Proxy Action',
|
|
proxy_pinning_status Nullable(Int32) COMMENT 'Proxy Pinning Status',
|
|
proxy_intercept_status Nullable(Int32) COMMENT 'Proxy Intercept Status',
|
|
proxy_passthrough_reason String COMMENT 'Proxy Passthrough Reason',
|
|
proxy_client_side_latency_ms Nullable(Int32) COMMENT 'Proxy Client-Side Latency',
|
|
proxy_server_side_latency_ms Nullable(Int32) COMMENT 'Proxy Server-Side Latency',
|
|
proxy_client_side_version String COMMENT 'Proxy Client-Side Version',
|
|
proxy_server_side_version String COMMENT 'Proxy Server-Side Version',
|
|
proxy_cert_verify Nullable(Int32) COMMENT 'Proxy Certificate Verify',
|
|
proxy_intercept_error String COMMENT 'Proxy Intercept Error',
|
|
monitor_mirrored_pkts Nullable(Int32) COMMENT 'Monitor Mirrored Packets',
|
|
monitor_mirrored_bytes Nullable(Int32) COMMENT 'Monitor Mirrored Bytes',
|
|
client_ip String COMMENT 'Client IP',
|
|
client_port Int32 COMMENT 'Client Port',
|
|
client_os_desc String COMMENT 'Client OS Description',
|
|
client_geolocation LowCardinality(String) COMMENT 'Client Geolocation',
|
|
client_asn Nullable(Int64) COMMENT 'Client ASN',
|
|
subscriber_id String COMMENT 'Subscriber ID',
|
|
imei String COMMENT 'IMEI',
|
|
imsi String COMMENT 'IMSI',
|
|
phone_number String COMMENT 'Phone Number',
|
|
apn String COMMENT 'APN',
|
|
server_ip String COMMENT 'Server IP',
|
|
server_port Int32 COMMENT 'Server Port',
|
|
server_os_desc String COMMENT 'Server OS Description',
|
|
server_geolocation LowCardinality(String) COMMENT 'Server Geolocation',
|
|
server_asn Nullable(Int64) COMMENT 'Server ASN',
|
|
server_fqdn String COMMENT 'Server FQDN',
|
|
server_domain String COMMENT 'Server Domain',
|
|
app_transition String COMMENT 'Application Transition',
|
|
app LowCardinality(String) COMMENT 'Application',
|
|
app_debug_info String COMMENT 'Application Debug Info',
|
|
app_content String COMMENT 'Application Content',
|
|
fqdn_category_list Array(Int64) COMMENT 'FQDN Category List',
|
|
ip_protocol LowCardinality(String) COMMENT 'IP Protocol',
|
|
decoded_path LowCardinality(String) COMMENT 'Decoded Path',
|
|
http_url String COMMENT 'HTTP URL',
|
|
http_host String COMMENT 'HTTP Host',
|
|
http_request_line String COMMENT 'HTTP Request Line',
|
|
http_response_line String COMMENT 'HTTP Response Line',
|
|
http_request_body String COMMENT 'HTTP Request Body',
|
|
http_response_body String COMMENT 'HTTP Response Body',
|
|
http_proxy_flag Nullable(Int32) COMMENT 'HTTP Proxy Flag',
|
|
http_sequence Nullable(Int32) COMMENT 'HTTP Sequence',
|
|
http_cookie String COMMENT 'HTTP Cookie',
|
|
http_referer String COMMENT 'HTTP Referer',
|
|
http_user_agent String COMMENT 'HTTP User-Agent',
|
|
http_request_content_length Nullable(Int64) COMMENT 'HTTP Request Content-Length',
|
|
http_request_content_type String COMMENT 'HTTP Request Content-Type',
|
|
http_response_content_length Nullable(Int64) COMMENT 'HTTP Response Content-Length',
|
|
http_response_content_type String COMMENT 'HTTP Response Content-Type',
|
|
http_set_cookie String COMMENT 'HTTP Set-Cookie',
|
|
http_version String COMMENT 'HTTP Version',
|
|
http_status_code Nullable(Int32) COMMENT 'HTTP Status Code',
|
|
http_response_latency_ms Nullable(Int32) COMMENT 'HTTP Response Latency',
|
|
http_session_duration_ms Nullable(Int32) COMMENT 'HTTP Session Duration',
|
|
http_action_file_size Nullable(Int64) COMMENT 'HTTP Action File Size',
|
|
doh_url String COMMENT 'DoH URL',
|
|
doh_host String COMMENT 'DoH Host',
|
|
doh_request_line String COMMENT 'DoH Request Line',
|
|
doh_response_line String COMMENT 'DoH Response Line',
|
|
doh_cookie String COMMENT 'DoH Cookie',
|
|
doh_referer String COMMENT 'DoH Referer',
|
|
doh_user_agent String COMMENT 'DoH User-Agent',
|
|
doh_content_length String COMMENT 'DoH Content Length',
|
|
doh_content_type String COMMENT 'DoH Content Type',
|
|
doh_set_cookie String COMMENT 'DoH Set Cookie',
|
|
doh_version String COMMENT 'DoH Version',
|
|
doh_message_id Int64 COMMENT 'DoH Message ID',
|
|
doh_qr Nullable(Int64) COMMENT 'DoH QR',
|
|
doh_opcode Nullable(Int64) COMMENT 'DoH OPCODE',
|
|
doh_aa Nullable(Int64) COMMENT 'DoH AA',
|
|
doh_tc Nullable(Int64) COMMENT 'DoH TC',
|
|
doh_rd Nullable(Int64) COMMENT 'DoH RD',
|
|
doh_ra Nullable(Int64) COMMENT 'DoH RA',
|
|
doh_rcode Nullable(Int64) COMMENT 'DoH RCODE',
|
|
doh_qdcount Nullable(Int64) COMMENT 'DoH QDCOUNT',
|
|
doh_ancount Nullable(Int64) COMMENT 'DoH ANCOUNT',
|
|
doh_nscount Nullable(Int64) COMMENT 'DoH NSCOUNT',
|
|
doh_arcount Nullable(Int64) COMMENT 'DoH ARCOUNT',
|
|
doh_qname String COMMENT 'DoH QNAME',
|
|
doh_qtype Nullable(Int64) COMMENT 'DoH QTYPE',
|
|
doh_qclass Nullable(Int64) COMMENT 'DoH QCLASS',
|
|
doh_cname String COMMENT 'DoH CNAME',
|
|
doh_sub Nullable(Int64) COMMENT 'DoH SUB',
|
|
doh_rr String COMMENT 'DoH RR',
|
|
sent_pkts Int64 COMMENT 'Packets Sent',
|
|
received_pkts Int64 COMMENT 'Packets Received',
|
|
sent_bytes Int64 COMMENT 'Bytes Sent',
|
|
received_bytes Int64 COMMENT 'Bytes Received',
|
|
tcp_c2s_ip_fragments Nullable(Int64) COMMENT 'Client-to-Server IP Fragments',
|
|
tcp_s2c_ip_fragments Nullable(Int64) COMMENT 'Server-to-Client IP Fragments',
|
|
tcp_c2s_lost_bytes Nullable(Int64) COMMENT 'Client-to-Server Lost Bytes',
|
|
tcp_s2c_lost_bytes Nullable(Int64) COMMENT 'Server-to-Client Lost Bytes',
|
|
tcp_c2s_o3_pkts Nullable(Int64) COMMENT 'Client-to-Server Out-of-OrderPackets',
|
|
tcp_s2c_o3_pkts Nullable(Int64) COMMENT 'Server-to-Client Out-of-Order Packets',
|
|
tcp_c2s_rtx_pkts Nullable(Int64) COMMENT 'Client-to-Server Retransmission Packets',
|
|
tcp_s2c_rtx_pkts Nullable(Int64) COMMENT 'Server-to-Client Retransmission Packets',
|
|
tcp_c2s_rtx_bytes Nullable(Int64) COMMENT 'Client-to-Server Retransmission Bytes',
|
|
tcp_s2c_rtx_bytes Nullable(Int64) COMMENT 'Server-to-Client Retransmission Bytes',
|
|
tcp_rtt_ms Nullable(Int32) COMMENT 'Round-trip Time',
|
|
tcp_client_isn Nullable(Int64) COMMENT 'Client ISN',
|
|
tcp_server_isn Nullable(Int64) COMMENT 'Server ISN',
|
|
packet_capture_file String COMMENT 'Packet Capture File',
|
|
in_src_mac String COMMENT 'Incoming Source MAC',
|
|
out_src_mac String COMMENT 'Outgoing Source MAC',
|
|
in_dest_mac String COMMENT 'Incoming Destination MAC',
|
|
out_dest_mac String COMMENT 'Outgoing Destination MAC',
|
|
encapsulation String COMMENT 'Encapsulation',
|
|
dup_traffic_flag Nullable(Int32) COMMENT 'Duplicate Traffic Flag',
|
|
tunnel_endpoint_a_desc String COMMENT 'Tunnel Endpoint A Description',
|
|
tunnel_endpoint_b_desc String COMMENT 'Tunnel Endpoint B Description'
|
|
)
|
|
ENGINE =Distributed(js_datahouse,tsg_galaxy_v3,proxy_event_local,rand());
|
|
|
|
|
|
-- tsg_galaxy_v3.security_event_materialized_view
|
|
CREATE MATERIALIZED VIEW IF NOT EXISTS tsg_galaxy_v3.security_event_materialized_view on cluster js_datahouse
|
|
TO tsg_galaxy_v3.security_event_local
|
|
(
|
|
recv_time Int64,
|
|
log_id UInt64,
|
|
decoded_as String,
|
|
session_id UInt64,
|
|
start_timestamp_ms DateTime64(3),
|
|
end_timestamp_ms DateTime64(3),
|
|
duration_ms Int32,
|
|
tcp_handshake_latency_ms Nullable(Int32),
|
|
ingestion_time Int64,
|
|
processing_time Int64,
|
|
-- insert_time Int64 MATERIALIZED toUnixTimestamp(now()),
|
|
device_id String,
|
|
out_link_id Nullable(Int32),
|
|
in_link_id Nullable(Int32),
|
|
device_tag String,
|
|
data_center String,
|
|
device_group String,
|
|
sled_ip String,
|
|
address_type Int32,
|
|
vsys_id Int32,
|
|
t_vsys_id Int32,
|
|
flags Int64,
|
|
flags_identify_info String,
|
|
security_rule_list Array(Int64),
|
|
security_action String,
|
|
monitor_rule_list Array(Int64),
|
|
shaping_rule_list Array(Int64),
|
|
proxy_rule_list Array(Int64),
|
|
statistics_rule_list Array(Int64),
|
|
sc_rule_list Array(Int64),
|
|
sc_rsp_raw Array(Int64),
|
|
sc_rsp_decrypted Array(Int64),
|
|
proxy_action String,
|
|
proxy_pinning_status Nullable(Int32),
|
|
proxy_intercept_status Nullable(Int32),
|
|
proxy_passthrough_reason String,
|
|
proxy_client_side_latency_ms Nullable(Int32),
|
|
proxy_server_side_latency_ms Nullable(Int32),
|
|
proxy_client_side_version String,
|
|
proxy_server_side_version String,
|
|
proxy_cert_verify Nullable(Int32),
|
|
proxy_intercept_error String,
|
|
monitor_mirrored_pkts Nullable(Int32),
|
|
monitor_mirrored_bytes Nullable(Int32),
|
|
client_ip String,
|
|
client_port Int32,
|
|
client_os_desc String,
|
|
client_geolocation LowCardinality(String),
|
|
client_asn Nullable(Int64),
|
|
subscriber_id String,
|
|
imei String,
|
|
imsi String,
|
|
phone_number String,
|
|
apn String,
|
|
server_ip String,
|
|
server_port Int32,
|
|
server_os_desc String,
|
|
server_geolocation LowCardinality(String),
|
|
server_asn Nullable(Int64),
|
|
server_fqdn String,
|
|
server_domain String,
|
|
app_transition String,
|
|
app LowCardinality(String),
|
|
app_debug_info String,
|
|
app_content String,
|
|
fqdn_category_list Array(Int64),
|
|
ip_protocol LowCardinality(String),
|
|
decoded_path LowCardinality(String),
|
|
dns_message_id Nullable(Int32),
|
|
dns_qr Nullable(Int32),
|
|
dns_opcode Nullable(Int32),
|
|
dns_aa Nullable(Int32),
|
|
dns_tc Nullable(Int32),
|
|
dns_rd Nullable(Int32),
|
|
dns_ra Nullable(Int32),
|
|
dns_rcode Nullable(Int32),
|
|
dns_qdcount Nullable(Int32),
|
|
dns_ancount Nullable(Int32),
|
|
dns_nscount Nullable(Int32),
|
|
dns_arcount Nullable(Int32),
|
|
dns_qname String,
|
|
dns_qtype Nullable(Int32),
|
|
dns_qclass Nullable(Int32),
|
|
dns_cname String,
|
|
dns_sub Nullable(Int32),
|
|
dns_rr String,
|
|
dns_response_latency_ms Nullable(Int32),
|
|
http_url String,
|
|
http_host String,
|
|
http_request_line String,
|
|
http_response_line String,
|
|
http_request_body String,
|
|
http_response_body String,
|
|
http_proxy_flag Nullable(Int32),
|
|
http_sequence Nullable(Int32),
|
|
http_cookie String,
|
|
http_referer String,
|
|
http_user_agent String,
|
|
http_request_content_length Nullable(Int64),
|
|
http_request_content_type String,
|
|
http_response_content_length Nullable(Int64),
|
|
http_response_content_type String,
|
|
http_set_cookie String,
|
|
http_version String,
|
|
http_status_code Nullable(Int32),
|
|
http_response_latency_ms Nullable(Int32),
|
|
http_session_duration_ms Nullable(Int32),
|
|
http_action_file_size Nullable(Int64),
|
|
ssl_version String,
|
|
ssl_sni String,
|
|
ssl_san String,
|
|
ssl_cn String,
|
|
ssl_handshake_latency_ms Nullable(Int32),
|
|
ssl_ja3_hash String,
|
|
ssl_ja3s_hash String,
|
|
ssl_cert_issuer String,
|
|
ssl_cert_subject String,
|
|
ssl_esni_flag Nullable(Int32),
|
|
ssl_ech_flag Nullable(Int32),
|
|
dtls_cookie String,
|
|
dtls_version String,
|
|
dtls_sni String,
|
|
dtls_san String,
|
|
dtls_cn String,
|
|
dtls_handshake_latency_ms Nullable(Int32),
|
|
dtls_ja3_fingerprint String,
|
|
dtls_ja3_hash String,
|
|
dtls_cert_issuer String,
|
|
dtls_cert_subject String,
|
|
mail_protocol_type String,
|
|
mail_account String,
|
|
mail_from_cmd String,
|
|
mail_to_cmd String,
|
|
mail_from String,
|
|
mail_password String,
|
|
mail_to String,
|
|
mail_cc String,
|
|
mail_bcc String,
|
|
mail_subject String,
|
|
mail_subject_charset String,
|
|
mail_attachment_name String,
|
|
mail_attachment_name_charset String,
|
|
mail_eml_file String,
|
|
ftp_account String,
|
|
ftp_url String,
|
|
ftp_link_type String,
|
|
quic_version String,
|
|
quic_sni String,
|
|
quic_user_agent String,
|
|
rdp_cookie String,
|
|
rdp_security_protocol String,
|
|
rdp_client_channels String,
|
|
rdp_keyboard_layout String,
|
|
rdp_client_version String,
|
|
rdp_client_name String,
|
|
rdp_client_product_id String,
|
|
rdp_desktop_width String,
|
|
rdp_desktop_height String,
|
|
rdp_requested_color_depth String,
|
|
rdp_certificate_type String,
|
|
rdp_certificate_count Nullable(Int32),
|
|
rdp_certificate_permanent Nullable(Int32),
|
|
rdp_encryption_level String,
|
|
rdp_encryption_method String,
|
|
ssh_version String,
|
|
ssh_auth_success String,
|
|
ssh_client_version String,
|
|
ssh_server_version String,
|
|
ssh_cipher_alg String,
|
|
ssh_mac_alg String,
|
|
ssh_compression_alg String,
|
|
ssh_kex_alg String,
|
|
ssh_host_key_alg String,
|
|
ssh_host_key String,
|
|
ssh_hassh String,
|
|
sip_call_id String,
|
|
sip_originator_description String,
|
|
sip_responder_description String,
|
|
sip_user_agent String,
|
|
sip_server String,
|
|
sip_originator_sdp_connect_ip String,
|
|
sip_originator_sdp_media_port Nullable(Int32),
|
|
sip_originator_sdp_media_type String,
|
|
sip_originator_sdp_content String,
|
|
sip_responder_sdp_connect_ip String,
|
|
sip_responder_sdp_media_port Nullable(Int32),
|
|
sip_responder_sdp_media_type String,
|
|
sip_responder_sdp_content String,
|
|
sip_duration_s Nullable(Int32),
|
|
sip_bye String,
|
|
rtp_payload_type_c2s Nullable(Int32),
|
|
rtp_payload_type_s2c Nullable(Int32),
|
|
rtp_pcap_path String,
|
|
rtp_originator_dir Nullable(Int32),
|
|
stratum_cryptocurrency String,
|
|
stratum_mining_pools String,
|
|
stratum_mining_program String,
|
|
stratum_mining_subscribe String,
|
|
sent_pkts Int64,
|
|
received_pkts Int64,
|
|
sent_bytes Int64,
|
|
received_bytes Int64,
|
|
tcp_c2s_ip_fragments Nullable(Int64),
|
|
tcp_s2c_ip_fragments Nullable(Int64),
|
|
tcp_c2s_lost_bytes Nullable(Int64),
|
|
tcp_s2c_lost_bytes Nullable(Int64),
|
|
tcp_c2s_o3_pkts Nullable(Int64),
|
|
tcp_s2c_o3_pkts Nullable(Int64),
|
|
tcp_c2s_rtx_pkts Nullable(Int64),
|
|
tcp_s2c_rtx_pkts Nullable(Int64),
|
|
tcp_c2s_rtx_bytes Nullable(Int64),
|
|
tcp_s2c_rtx_bytes Nullable(Int64),
|
|
tcp_rtt_ms Nullable(Int32),
|
|
tcp_client_isn Nullable(Int64),
|
|
tcp_server_isn Nullable(Int64),
|
|
packet_capture_file String,
|
|
in_src_mac String,
|
|
out_src_mac String,
|
|
in_dest_mac String,
|
|
out_dest_mac String,
|
|
encapsulation String,
|
|
dup_traffic_flag Nullable(Int32),
|
|
tunnel_endpoint_a_desc String,
|
|
tunnel_endpoint_b_desc String
|
|
)
|
|
AS
|
|
SELECT
|
|
recv_time,
|
|
log_id,
|
|
decoded_as,
|
|
session_id,
|
|
start_timestamp_ms,
|
|
end_timestamp_ms,
|
|
duration_ms,
|
|
tcp_handshake_latency_ms,
|
|
ingestion_time,
|
|
processing_time,
|
|
-- insert_time,
|
|
device_id,
|
|
out_link_id,
|
|
in_link_id,
|
|
device_tag,
|
|
data_center,
|
|
device_group,
|
|
sled_ip,
|
|
address_type,
|
|
vsys_id,
|
|
t_vsys_id,
|
|
flags,
|
|
flags_identify_info,
|
|
security_rule_list,
|
|
security_action,
|
|
monitor_rule_list,
|
|
shaping_rule_list,
|
|
proxy_rule_list,
|
|
statistics_rule_list,
|
|
sc_rule_list,
|
|
sc_rsp_raw,
|
|
sc_rsp_decrypted,
|
|
proxy_action,
|
|
proxy_pinning_status,
|
|
proxy_intercept_status,
|
|
proxy_passthrough_reason,
|
|
proxy_client_side_latency_ms,
|
|
proxy_server_side_latency_ms,
|
|
proxy_client_side_version,
|
|
proxy_server_side_version,
|
|
proxy_cert_verify,
|
|
proxy_intercept_error,
|
|
monitor_mirrored_pkts,
|
|
monitor_mirrored_bytes,
|
|
client_ip,
|
|
client_port,
|
|
client_os_desc,
|
|
client_geolocation,
|
|
client_asn,
|
|
subscriber_id,
|
|
imei,
|
|
imsi,
|
|
phone_number,
|
|
apn,
|
|
server_ip,
|
|
server_port,
|
|
server_os_desc,
|
|
server_geolocation,
|
|
server_asn,
|
|
server_fqdn,
|
|
server_domain,
|
|
app_transition,
|
|
app,
|
|
app_debug_info,
|
|
app_content,
|
|
fqdn_category_list,
|
|
ip_protocol,
|
|
decoded_path,
|
|
dns_message_id,
|
|
dns_qr,
|
|
dns_opcode,
|
|
dns_aa,
|
|
dns_tc,
|
|
dns_rd,
|
|
dns_ra,
|
|
dns_rcode,
|
|
dns_qdcount,
|
|
dns_ancount,
|
|
dns_nscount,
|
|
dns_arcount,
|
|
dns_qname,
|
|
dns_qtype,
|
|
dns_qclass,
|
|
dns_cname,
|
|
dns_sub,
|
|
dns_rr,
|
|
dns_response_latency_ms,
|
|
http_url,
|
|
http_host,
|
|
http_request_line,
|
|
http_response_line,
|
|
http_request_body,
|
|
http_response_body,
|
|
http_proxy_flag,
|
|
http_sequence,
|
|
http_cookie,
|
|
http_referer,
|
|
http_user_agent,
|
|
http_request_content_length,
|
|
http_request_content_type,
|
|
http_response_content_length,
|
|
http_response_content_type,
|
|
http_set_cookie,
|
|
http_version,
|
|
http_status_code,
|
|
http_response_latency_ms,
|
|
http_session_duration_ms,
|
|
http_action_file_size,
|
|
ssl_version,
|
|
ssl_sni,
|
|
ssl_san,
|
|
ssl_cn,
|
|
ssl_handshake_latency_ms,
|
|
ssl_ja3_hash,
|
|
ssl_ja3s_hash,
|
|
ssl_cert_issuer,
|
|
ssl_cert_subject,
|
|
ssl_esni_flag,
|
|
ssl_ech_flag,
|
|
dtls_cookie,
|
|
dtls_version,
|
|
dtls_sni,
|
|
dtls_san,
|
|
dtls_cn,
|
|
dtls_handshake_latency_ms,
|
|
dtls_ja3_fingerprint,
|
|
dtls_ja3_hash,
|
|
dtls_cert_issuer,
|
|
dtls_cert_subject,
|
|
mail_protocol_type,
|
|
mail_account,
|
|
mail_from_cmd,
|
|
mail_to_cmd,
|
|
mail_from,
|
|
mail_password,
|
|
mail_to,
|
|
mail_cc,
|
|
mail_bcc,
|
|
mail_subject,
|
|
mail_subject_charset,
|
|
mail_attachment_name,
|
|
mail_attachment_name_charset,
|
|
mail_eml_file,
|
|
ftp_account,
|
|
ftp_url,
|
|
ftp_link_type,
|
|
quic_version,
|
|
quic_sni,
|
|
quic_user_agent,
|
|
rdp_cookie,
|
|
rdp_security_protocol,
|
|
rdp_client_channels,
|
|
rdp_keyboard_layout,
|
|
rdp_client_version,
|
|
rdp_client_name,
|
|
rdp_client_product_id,
|
|
rdp_desktop_width,
|
|
rdp_desktop_height,
|
|
rdp_requested_color_depth,
|
|
rdp_certificate_type,
|
|
rdp_certificate_count,
|
|
rdp_certificate_permanent,
|
|
rdp_encryption_level,
|
|
rdp_encryption_method,
|
|
ssh_version,
|
|
ssh_auth_success,
|
|
ssh_client_version,
|
|
ssh_server_version,
|
|
ssh_cipher_alg,
|
|
ssh_mac_alg,
|
|
ssh_compression_alg,
|
|
ssh_kex_alg,
|
|
ssh_host_key_alg,
|
|
ssh_host_key,
|
|
ssh_hassh,
|
|
sip_call_id,
|
|
sip_originator_description,
|
|
sip_responder_description,
|
|
sip_user_agent,
|
|
sip_server,
|
|
sip_originator_sdp_connect_ip,
|
|
sip_originator_sdp_media_port,
|
|
sip_originator_sdp_media_type,
|
|
sip_originator_sdp_content,
|
|
sip_responder_sdp_connect_ip,
|
|
sip_responder_sdp_media_port,
|
|
sip_responder_sdp_media_type,
|
|
sip_responder_sdp_content,
|
|
sip_duration_s,
|
|
sip_bye,
|
|
rtp_payload_type_c2s,
|
|
rtp_payload_type_s2c,
|
|
rtp_pcap_path,
|
|
rtp_originator_dir,
|
|
stratum_cryptocurrency,
|
|
stratum_mining_pools,
|
|
stratum_mining_program,
|
|
stratum_mining_subscribe,
|
|
sent_pkts,
|
|
received_pkts,
|
|
sent_bytes,
|
|
received_bytes,
|
|
tcp_c2s_ip_fragments,
|
|
tcp_s2c_ip_fragments,
|
|
tcp_c2s_lost_bytes,
|
|
tcp_s2c_lost_bytes,
|
|
tcp_c2s_o3_pkts,
|
|
tcp_s2c_o3_pkts,
|
|
tcp_c2s_rtx_pkts,
|
|
tcp_s2c_rtx_pkts,
|
|
tcp_c2s_rtx_bytes,
|
|
tcp_s2c_rtx_bytes,
|
|
tcp_rtt_ms,
|
|
tcp_client_isn,
|
|
tcp_server_isn,
|
|
packet_capture_file,
|
|
in_src_mac,
|
|
out_src_mac,
|
|
in_dest_mac,
|
|
out_dest_mac,
|
|
encapsulation,
|
|
dup_traffic_flag,
|
|
tunnel_endpoint_a_desc,
|
|
tunnel_endpoint_b_desc
|
|
FROM tsg_galaxy_v3.session_record_local
|
|
WHERE empty(security_rule_list) = 0
|
|
;
|
|
|
|
-- tsg_galaxy_v3.monitor_event_materialized_view
|
|
CREATE MATERIALIZED VIEW IF NOT EXISTS tsg_galaxy_v3.monitor_event_materialized_view on cluster js_datahouse
|
|
TO tsg_galaxy_v3.monitor_event_local
|
|
(
|
|
recv_time Int64,
|
|
log_id UInt64,
|
|
decoded_as String,
|
|
session_id UInt64,
|
|
start_timestamp_ms DateTime64(3),
|
|
end_timestamp_ms DateTime64(3),
|
|
duration_ms Int32,
|
|
tcp_handshake_latency_ms Nullable(Int32),
|
|
ingestion_time Int64,
|
|
processing_time Int64,
|
|
-- insert_time Int64 MATERIALIZED toUnixTimestamp(now()),
|
|
device_id String,
|
|
out_link_id Nullable(Int32),
|
|
in_link_id Nullable(Int32),
|
|
device_tag String,
|
|
data_center String,
|
|
device_group String,
|
|
sled_ip String,
|
|
address_type Int32,
|
|
vsys_id Int32,
|
|
t_vsys_id Int32,
|
|
flags Int64,
|
|
flags_identify_info String,
|
|
security_rule_list Array(Int64),
|
|
security_action String,
|
|
monitor_rule_list Array(Int64),
|
|
shaping_rule_list Array(Int64),
|
|
proxy_rule_list Array(Int64),
|
|
statistics_rule_list Array(Int64),
|
|
sc_rule_list Array(Int64),
|
|
sc_rsp_raw Array(Int64),
|
|
sc_rsp_decrypted Array(Int64),
|
|
proxy_action String,
|
|
proxy_pinning_status Nullable(Int32),
|
|
proxy_intercept_status Nullable(Int32),
|
|
proxy_passthrough_reason String,
|
|
proxy_client_side_latency_ms Nullable(Int32),
|
|
proxy_server_side_latency_ms Nullable(Int32),
|
|
proxy_client_side_version String,
|
|
proxy_server_side_version String,
|
|
proxy_cert_verify Nullable(Int32),
|
|
proxy_intercept_error String,
|
|
monitor_mirrored_pkts Nullable(Int32),
|
|
monitor_mirrored_bytes Nullable(Int32),
|
|
client_ip String,
|
|
client_port Int32,
|
|
client_os_desc String,
|
|
client_geolocation LowCardinality(String),
|
|
client_asn Nullable(Int64),
|
|
subscriber_id String,
|
|
imei String,
|
|
imsi String,
|
|
phone_number String,
|
|
apn String,
|
|
server_ip String,
|
|
server_port Int32,
|
|
server_os_desc String,
|
|
server_geolocation LowCardinality(String),
|
|
server_asn Nullable(Int64),
|
|
server_fqdn String,
|
|
server_domain String,
|
|
app_transition String,
|
|
app LowCardinality(String),
|
|
app_debug_info String,
|
|
app_content String,
|
|
fqdn_category_list Array(Int64),
|
|
ip_protocol LowCardinality(String),
|
|
decoded_path LowCardinality(String),
|
|
dns_message_id Nullable(Int32),
|
|
dns_qr Nullable(Int32),
|
|
dns_opcode Nullable(Int32),
|
|
dns_aa Nullable(Int32),
|
|
dns_tc Nullable(Int32),
|
|
dns_rd Nullable(Int32),
|
|
dns_ra Nullable(Int32),
|
|
dns_rcode Nullable(Int32),
|
|
dns_qdcount Nullable(Int32),
|
|
dns_ancount Nullable(Int32),
|
|
dns_nscount Nullable(Int32),
|
|
dns_arcount Nullable(Int32),
|
|
dns_qname String,
|
|
dns_qtype Nullable(Int32),
|
|
dns_qclass Nullable(Int32),
|
|
dns_cname String,
|
|
dns_sub Nullable(Int32),
|
|
dns_rr String,
|
|
dns_response_latency_ms Nullable(Int32),
|
|
http_url String,
|
|
http_host String,
|
|
http_request_line String,
|
|
http_response_line String,
|
|
http_request_body String,
|
|
http_response_body String,
|
|
http_proxy_flag Nullable(Int32),
|
|
http_sequence Nullable(Int32),
|
|
http_cookie String,
|
|
http_referer String,
|
|
http_user_agent String,
|
|
http_request_content_length Nullable(Int64),
|
|
http_request_content_type String,
|
|
http_response_content_length Nullable(Int64),
|
|
http_response_content_type String,
|
|
http_set_cookie String,
|
|
http_version String,
|
|
http_status_code Nullable(Int32),
|
|
http_response_latency_ms Nullable(Int32),
|
|
http_session_duration_ms Nullable(Int32),
|
|
http_action_file_size Nullable(Int64),
|
|
ssl_version String,
|
|
ssl_sni String,
|
|
ssl_san String,
|
|
ssl_cn String,
|
|
ssl_handshake_latency_ms Nullable(Int32),
|
|
ssl_ja3_hash String,
|
|
ssl_ja3s_hash String,
|
|
ssl_cert_issuer String,
|
|
ssl_cert_subject String,
|
|
ssl_esni_flag Nullable(Int32),
|
|
ssl_ech_flag Nullable(Int32),
|
|
dtls_cookie String,
|
|
dtls_version String,
|
|
dtls_sni String,
|
|
dtls_san String,
|
|
dtls_cn String,
|
|
dtls_handshake_latency_ms Nullable(Int32),
|
|
dtls_ja3_fingerprint String,
|
|
dtls_ja3_hash String,
|
|
dtls_cert_issuer String,
|
|
dtls_cert_subject String,
|
|
mail_protocol_type String,
|
|
mail_account String,
|
|
mail_from_cmd String,
|
|
mail_to_cmd String,
|
|
mail_from String,
|
|
mail_password String,
|
|
mail_to String,
|
|
mail_cc String,
|
|
mail_bcc String,
|
|
mail_subject String,
|
|
mail_subject_charset String,
|
|
mail_attachment_name String,
|
|
mail_attachment_name_charset String,
|
|
mail_eml_file String,
|
|
ftp_account String,
|
|
ftp_url String,
|
|
ftp_link_type String,
|
|
quic_version String,
|
|
quic_sni String,
|
|
quic_user_agent String,
|
|
rdp_cookie String,
|
|
rdp_security_protocol String,
|
|
rdp_client_channels String,
|
|
rdp_keyboard_layout String,
|
|
rdp_client_version String,
|
|
rdp_client_name String,
|
|
rdp_client_product_id String,
|
|
rdp_desktop_width String,
|
|
rdp_desktop_height String,
|
|
rdp_requested_color_depth String,
|
|
rdp_certificate_type String,
|
|
rdp_certificate_count Nullable(Int32),
|
|
rdp_certificate_permanent Nullable(Int32),
|
|
rdp_encryption_level String,
|
|
rdp_encryption_method String,
|
|
ssh_version String,
|
|
ssh_auth_success String,
|
|
ssh_client_version String,
|
|
ssh_server_version String,
|
|
ssh_cipher_alg String,
|
|
ssh_mac_alg String,
|
|
ssh_compression_alg String,
|
|
ssh_kex_alg String,
|
|
ssh_host_key_alg String,
|
|
ssh_host_key String,
|
|
ssh_hassh String,
|
|
sip_call_id String,
|
|
sip_originator_description String,
|
|
sip_responder_description String,
|
|
sip_user_agent String,
|
|
sip_server String,
|
|
sip_originator_sdp_connect_ip String,
|
|
sip_originator_sdp_media_port Nullable(Int32),
|
|
sip_originator_sdp_media_type String,
|
|
sip_originator_sdp_content String,
|
|
sip_responder_sdp_connect_ip String,
|
|
sip_responder_sdp_media_port Nullable(Int32),
|
|
sip_responder_sdp_media_type String,
|
|
sip_responder_sdp_content String,
|
|
sip_duration_s Nullable(Int32),
|
|
sip_bye String,
|
|
rtp_payload_type_c2s Nullable(Int32),
|
|
rtp_payload_type_s2c Nullable(Int32),
|
|
rtp_pcap_path String,
|
|
rtp_originator_dir Nullable(Int32),
|
|
stratum_cryptocurrency String,
|
|
stratum_mining_pools String,
|
|
stratum_mining_program String,
|
|
stratum_mining_subscribe String,
|
|
sent_pkts Int64,
|
|
received_pkts Int64,
|
|
sent_bytes Int64,
|
|
received_bytes Int64,
|
|
tcp_c2s_ip_fragments Nullable(Int64),
|
|
tcp_s2c_ip_fragments Nullable(Int64),
|
|
tcp_c2s_lost_bytes Nullable(Int64),
|
|
tcp_s2c_lost_bytes Nullable(Int64),
|
|
tcp_c2s_o3_pkts Nullable(Int64),
|
|
tcp_s2c_o3_pkts Nullable(Int64),
|
|
tcp_c2s_rtx_pkts Nullable(Int64),
|
|
tcp_s2c_rtx_pkts Nullable(Int64),
|
|
tcp_c2s_rtx_bytes Nullable(Int64),
|
|
tcp_s2c_rtx_bytes Nullable(Int64),
|
|
tcp_rtt_ms Nullable(Int32),
|
|
tcp_client_isn Nullable(Int64),
|
|
tcp_server_isn Nullable(Int64),
|
|
packet_capture_file String,
|
|
in_src_mac String,
|
|
out_src_mac String,
|
|
in_dest_mac String,
|
|
out_dest_mac String,
|
|
encapsulation String,
|
|
dup_traffic_flag Nullable(Int32),
|
|
tunnel_endpoint_a_desc String,
|
|
tunnel_endpoint_b_desc String
|
|
)
|
|
AS
|
|
SELECT
|
|
recv_time,
|
|
log_id,
|
|
decoded_as,
|
|
session_id,
|
|
start_timestamp_ms,
|
|
end_timestamp_ms,
|
|
duration_ms,
|
|
tcp_handshake_latency_ms,
|
|
ingestion_time,
|
|
processing_time,
|
|
-- insert_time,
|
|
device_id,
|
|
out_link_id,
|
|
in_link_id,
|
|
device_tag,
|
|
data_center,
|
|
device_group,
|
|
sled_ip,
|
|
address_type,
|
|
vsys_id,
|
|
t_vsys_id,
|
|
flags,
|
|
flags_identify_info,
|
|
security_rule_list,
|
|
security_action,
|
|
monitor_rule_list,
|
|
shaping_rule_list,
|
|
proxy_rule_list,
|
|
statistics_rule_list,
|
|
sc_rule_list,
|
|
sc_rsp_raw,
|
|
sc_rsp_decrypted,
|
|
proxy_action,
|
|
proxy_pinning_status,
|
|
proxy_intercept_status,
|
|
proxy_passthrough_reason,
|
|
proxy_client_side_latency_ms,
|
|
proxy_server_side_latency_ms,
|
|
proxy_client_side_version,
|
|
proxy_server_side_version,
|
|
proxy_cert_verify,
|
|
proxy_intercept_error,
|
|
monitor_mirrored_pkts,
|
|
monitor_mirrored_bytes,
|
|
client_ip,
|
|
client_port,
|
|
client_os_desc,
|
|
client_geolocation,
|
|
client_asn,
|
|
subscriber_id,
|
|
imei,
|
|
imsi,
|
|
phone_number,
|
|
apn,
|
|
server_ip,
|
|
server_port,
|
|
server_os_desc,
|
|
server_geolocation,
|
|
server_asn,
|
|
server_fqdn,
|
|
server_domain,
|
|
app_transition,
|
|
app,
|
|
app_debug_info,
|
|
app_content,
|
|
fqdn_category_list,
|
|
ip_protocol,
|
|
decoded_path,
|
|
dns_message_id,
|
|
dns_qr,
|
|
dns_opcode,
|
|
dns_aa,
|
|
dns_tc,
|
|
dns_rd,
|
|
dns_ra,
|
|
dns_rcode,
|
|
dns_qdcount,
|
|
dns_ancount,
|
|
dns_nscount,
|
|
dns_arcount,
|
|
dns_qname,
|
|
dns_qtype,
|
|
dns_qclass,
|
|
dns_cname,
|
|
dns_sub,
|
|
dns_rr,
|
|
dns_response_latency_ms,
|
|
http_url,
|
|
http_host,
|
|
http_request_line,
|
|
http_response_line,
|
|
http_request_body,
|
|
http_response_body,
|
|
http_proxy_flag,
|
|
http_sequence,
|
|
http_cookie,
|
|
http_referer,
|
|
http_user_agent,
|
|
http_request_content_length,
|
|
http_request_content_type,
|
|
http_response_content_length,
|
|
http_response_content_type,
|
|
http_set_cookie,
|
|
http_version,
|
|
http_status_code,
|
|
http_response_latency_ms,
|
|
http_session_duration_ms,
|
|
http_action_file_size,
|
|
ssl_version,
|
|
ssl_sni,
|
|
ssl_san,
|
|
ssl_cn,
|
|
ssl_handshake_latency_ms,
|
|
ssl_ja3_hash,
|
|
ssl_ja3s_hash,
|
|
ssl_cert_issuer,
|
|
ssl_cert_subject,
|
|
ssl_esni_flag,
|
|
ssl_ech_flag,
|
|
dtls_cookie,
|
|
dtls_version,
|
|
dtls_sni,
|
|
dtls_san,
|
|
dtls_cn,
|
|
dtls_handshake_latency_ms,
|
|
dtls_ja3_fingerprint,
|
|
dtls_ja3_hash,
|
|
dtls_cert_issuer,
|
|
dtls_cert_subject,
|
|
mail_protocol_type,
|
|
mail_account,
|
|
mail_from_cmd,
|
|
mail_to_cmd,
|
|
mail_from,
|
|
mail_password,
|
|
mail_to,
|
|
mail_cc,
|
|
mail_bcc,
|
|
mail_subject,
|
|
mail_subject_charset,
|
|
mail_attachment_name,
|
|
mail_attachment_name_charset,
|
|
mail_eml_file,
|
|
ftp_account,
|
|
ftp_url,
|
|
ftp_link_type,
|
|
quic_version,
|
|
quic_sni,
|
|
quic_user_agent,
|
|
rdp_cookie,
|
|
rdp_security_protocol,
|
|
rdp_client_channels,
|
|
rdp_keyboard_layout,
|
|
rdp_client_version,
|
|
rdp_client_name,
|
|
rdp_client_product_id,
|
|
rdp_desktop_width,
|
|
rdp_desktop_height,
|
|
rdp_requested_color_depth,
|
|
rdp_certificate_type,
|
|
rdp_certificate_count,
|
|
rdp_certificate_permanent,
|
|
rdp_encryption_level,
|
|
rdp_encryption_method,
|
|
ssh_version,
|
|
ssh_auth_success,
|
|
ssh_client_version,
|
|
ssh_server_version,
|
|
ssh_cipher_alg,
|
|
ssh_mac_alg,
|
|
ssh_compression_alg,
|
|
ssh_kex_alg,
|
|
ssh_host_key_alg,
|
|
ssh_host_key,
|
|
ssh_hassh,
|
|
sip_call_id,
|
|
sip_originator_description,
|
|
sip_responder_description,
|
|
sip_user_agent,
|
|
sip_server,
|
|
sip_originator_sdp_connect_ip,
|
|
sip_originator_sdp_media_port,
|
|
sip_originator_sdp_media_type,
|
|
sip_originator_sdp_content,
|
|
sip_responder_sdp_connect_ip,
|
|
sip_responder_sdp_media_port,
|
|
sip_responder_sdp_media_type,
|
|
sip_responder_sdp_content,
|
|
sip_duration_s,
|
|
sip_bye,
|
|
rtp_payload_type_c2s,
|
|
rtp_payload_type_s2c,
|
|
rtp_pcap_path,
|
|
rtp_originator_dir,
|
|
stratum_cryptocurrency,
|
|
stratum_mining_pools,
|
|
stratum_mining_program,
|
|
stratum_mining_subscribe,
|
|
sent_pkts,
|
|
received_pkts,
|
|
sent_bytes,
|
|
received_bytes,
|
|
tcp_c2s_ip_fragments,
|
|
tcp_s2c_ip_fragments,
|
|
tcp_c2s_lost_bytes,
|
|
tcp_s2c_lost_bytes,
|
|
tcp_c2s_o3_pkts,
|
|
tcp_s2c_o3_pkts,
|
|
tcp_c2s_rtx_pkts,
|
|
tcp_s2c_rtx_pkts,
|
|
tcp_c2s_rtx_bytes,
|
|
tcp_s2c_rtx_bytes,
|
|
tcp_rtt_ms,
|
|
tcp_client_isn,
|
|
tcp_server_isn,
|
|
packet_capture_file,
|
|
in_src_mac,
|
|
out_src_mac,
|
|
in_dest_mac,
|
|
out_dest_mac,
|
|
encapsulation,
|
|
dup_traffic_flag,
|
|
tunnel_endpoint_a_desc,
|
|
tunnel_endpoint_b_desc
|
|
FROM tsg_galaxy_v3.session_record_local
|
|
WHERE empty(monitor_rule_list) = 0
|
|
;
|