Developer's Guide for Cisco Firepower Management Center 2000
FireSIGHT System Database Access Guide
Chapter 7 Schema: Connection Log Tables
connection_log Joins
The following table describes the joins you can perform using the connection_log table.
connection_log Sample Query
The following query returns up to 25 connection event records from the connection_log table, sorted in descending order based on packet timestamps.

SELECT first_packet_sec, last_packet_sec, initiator_ipaddr, responder_ipaddr,
       security_zone_ingress_name, security_zone_egress_name, initiator_port,
       protocol_name, responder_port, application_protocol_id,
       client_application_id, web_application_id, url, url_category,
       url_reputation
FROM connection_log
WHERE first_packet_sec <= UNIX_TIMESTAMP("2011-10-01 00:00:00")
ORDER BY first_packet_sec DESC, last_packet_sec DESC
LIMIT 0, 25;

connection_summary
The connection_summary table contains information on connection summaries or aggregated connections. The FireSIGHT System aggregates connections over five-minute intervals. To be aggregated, connections must:
• have the same source and destination IP addresses
• use the same protocol
• use the same application
• either be detected by the same managed device (for sessions detected by managed devices with FireSIGHT) or be exported by the same NetFlow-enabled device and processed by the same managed device
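
The aggregation criteria above can be pictured as a GROUP BY over raw connection events. This is an added example, not code from the Cisco guide: it runs such a query on constructed rows in an in-memory SQLite database to show which events would collapse into one summary. It assumes that first_packet_sec decides the interval, that application_protocol_id stands for "the same application", and that a hypothetical sensor_name column identifies the managed device.

```python
import sqlite3

INTERVAL = 300  # five-minute aggregation window, in seconds

# Constructed sample events. Every column except sensor_name appears in the
# sample query above; sensor_name is a hypothetical stand-in for the managed
# device. Addresses are plain strings here for readability.
ROWS = [
    (1317427210, "10.0.0.5", "192.0.2.10", "tcp", 676, "sensor-a"),
    (1317427290, "10.0.0.5", "192.0.2.10", "tcp", 676, "sensor-a"),   # same key, same window
    (1317427510, "10.0.0.5", "192.0.2.10", "tcp", 676, "sensor-a"),   # next window
    (1317427220, "10.0.0.5", "192.0.2.10", "udp", 617, "sensor-a"),   # different protocol
    (1317427230, "10.0.0.5", "192.0.2.10", "tcp", 676, "sensor-b"),   # different device
    (1317427240, "10.0.0.5", "192.0.2.10", "tcp", 1122, "sensor-a"),  # different application
]

# One output row per (window, source, destination, protocol, application,
# device): the same grouping the aggregation criteria describe.
SUMMARY_SQL = """
SELECT first_packet_sec - (first_packet_sec % :w) AS interval_start,
       initiator_ipaddr, responder_ipaddr, protocol_name,
       application_protocol_id, sensor_name,
       COUNT(*) AS connections
FROM connection_log
GROUP BY interval_start, initiator_ipaddr, responder_ipaddr, protocol_name,
         application_protocol_id, sensor_name
ORDER BY interval_start, protocol_name, application_protocol_id, sensor_name
"""

def summarize(rows, interval=INTERVAL):
    """Load rows into a scratch connection_log table and return the summaries."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE connection_log (first_packet_sec INTEGER, "
        "initiator_ipaddr TEXT, responder_ipaddr TEXT, protocol_name TEXT, "
        "application_protocol_id INTEGER, sensor_name TEXT)"
    )
    db.executemany("INSERT INTO connection_log VALUES (?, ?, ?, ?, ?, ?)", rows)
    result = db.execute(SUMMARY_SQL, {"w": interval}).fetchall()
    db.close()
    return result

if __name__ == "__main__":
    for row in summarize(ROWS):
        print(row)
```

Six events yield five summary rows: only the two events that match on every criterion within the same window merge, so per-connection detail such as individual timestamps is only available from connection_log.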
Table 7-3 connection_log Joins
You can join this table on... | And...
application_protocol_id or client_application_id or web_application_id |
initiator_ipaddr or responder_ipaddr |