Cisco Firepower Management Center 2000 Programmer's Guide
FireSIGHT System Database Access Guide
Chapter 3 Schema: System-Level Tables
audit_log Joins
You cannot perform joins on the audit_log table.
audit_log Sample Query
The following query returns up to the 25 most recent audit log entries, sorted by time.

-- Entries are grouped so that repeated (source, subsystem, user, message)
-- combinations are counted once; the newest groups are listed first and the
-- result is capped at 25 rows, as the description above states.
SELECT from_unixtime(action_time_sec) AS Time, user, subsystem, message, source, count(*) AS Total
FROM audit_log
GROUP BY source, subsystem, user, message
ORDER BY action_time_sec DESC
LIMIT 25;
fireamp_event
The fireamp_event table contains information on malware events. These events contain information on malware detected or quarantined within a cloud, the detection method, and hosts and users affected by the malware. New fields were added to identify the application which triggered the event, how the event is handled, and to correlate the event with connection, intrusion, and file events.
For more information, see the following sections:
Table 3-2 audit_log Fields (continued)

Field        Description
subsystem    The menu path the user followed to generate the audit record.
user         The user name of the user who triggered the audit event.

fireamp_event Fields
The following table describes the database fields you can access in the fireamp_event table.
Table 3-3 fireamp_event Fields

Field                      Description
application_id             ID number that maps to the application performing the file transfer.
application_name           Name of the application performing the transfer.
client_application_id      The internal identification number for the client application, if applicable.
client_application_name    The name of the client application, if applicable.
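The following query is an added example, not a sample query from the Cisco guide. It uses only the fireamp_event fields documented in Table 3-3 to show which applications and client applications account for the most malware events, which is a common first question when triaging AMP detections. It assumes the same GROUP BY, count(*), ORDER BY and LIMIT support that the guide's own audit_log sample query relies on; ordering by the Total alias is an assumption about the query interface and can be replaced with the count(*) expression if the alias is not accepted.

```sql
-- Added example (not from the Cisco guide): rank applications by the number
-- of fireamp_event rows they triggered. Only fields documented in Table 3-3
-- are used. Assumes GROUP BY / count(*) / ORDER BY / LIMIT support as in the
-- guide's audit_log sample query.
SELECT application_id,
       application_name,
       client_application_id,
       client_application_name,
       count(*) AS Total
FROM fireamp_event
GROUP BY application_id, application_name,
         client_application_id, client_application_name
ORDER BY Total DESC      -- assumption: alias accepted in ORDER BY
LIMIT 25;
```

Each result row is one (application, client application) pair with its event count, so an unexpected application near the top of the list is a quick pointer to where malware is entering the environment; the ID columns are kept alongside the names so the rows can be matched against other tables that carry the same identifiers.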