The Check Point Infinity solution generates logs with many different fields, reflecting the diversity of Check Point products. This mapping of log fields helps you understand the security events you see, write more precise queries in the log language, and integrate the logs with your SIEM.
Two types of logs are available:
Security Logs - Generated by a Security Gateway, Harmony Endpoint, or Harmony Mobile.
Each table has these columns:
Field Name - Field name as it appears in the raw log (if the field appears in a table, the table's name appears in parentheses)
Field Display Name - Field name as it appears in SmartConsole
Description - Field information
Type - One of these:
int - Stores an integer
ipaddr - IP address
guid - Global Unique Identifier
luuid - Log Unification Unique ID
string - Sequence of alphanumeric text or other symbols
Blade Name - Name of the blade as it appears in the raw log
Blade Display Name - Name of the blade as it appears in SmartConsole
Best practices for field mapping usage (SIEM integration)
If you use a SIEM platform and want to integrate Check Point logs into it, use the Log Exporter tool.
Disclaimer - These fields are used only for Check Point internal purposes. Therefore, these fields do not appear in the tables below:
flags
ifdir
ifname
__policy_id_tag
version
rounded_bytes
__interface
mgmt
db_tag
update_service
Configuration files
You can get the information about the log fields in one of these files (do not edit them) on your Management Server:
$RTDIR/log_indexer/conf/LogFields.xml
$RTDIR/log_exporter/conf/LogFields.xml
Security Logs
Field Name
Field Display Name
Type
Description
Indexed
Added in Version
Common Fields
bytes
Total Bytes
int
Number of bytes received during a connection
No
confidence_level
Confidence Level
int
Confidence level determined by ThreatCloud. Possible values:
0 - N/A
1 - Low
2 - Medium-Low
3 - Medium
4 - Medium-High
5 - High
Yes
calc_desc
Description
string
Log description
Yes
dst
Destination
ipaddr
Destination IP address
Yes
dst_country
Destination Country
string
Destination country
Yes
dst_ip
N/A
ipaddr
Destination IP address
Yes
dst_user_name
Destination User Name
string
Connected username for the destination IP
Yes
email_id
Email ID
string
Email number in SMTP connection
Yes
email_subject
Email Subject
string
Original email subject
Yes
email_session_id
Email Session ID
string
Connection UUID
Yes
event_count
Event Count
int
Number of events associated with the log
No
failure_impact
Failure Impact
string
The impact of update service failure
Yes
file_id
File Id
int
Unique file identifier
Yes
file_type
File Type
string
Classified file type
Yes
file_name
File Name
string
Malicious file name / Matched file name
Yes
file_size
File Size
int
Attachment file size / Matched file size
Yes
file_md5
File MD5
string
File MD5 checksum
Yes
file_sha1
File SHA1
string
File SHA1 checksum
Yes
file_sha256
File SHA-256
string
File SHA256 checksum
Yes
from
Sender
string
Source mail address
Yes
to
Recipient
string
Recipient mail address
Yes
id
N/A
int
Override application ID
Yes
information
Information
string
Status of policy installation for a specific Software Blade (used only for Anti-Bot and Anti-Virus)
Yes
interface_name
Interface
string
The name of the Security Gateway interface, through which a connection passes
Yes
interfacedir
Direction
string
Connection direction
Yes
layer_name
Layer Name
string
Layer name (match table, Threat Prevention match table)
No
layer_uuid
N/A
string
Layer UUID (match table, Threat Prevention match table)
Yes
log_id
Log ID
int
Unique identity for logs includes: Type, Family, Product/Blade, Category
Yes
loguid
N/A
luuid
UUID of unified logs
Yes
malware_action
Malware Action
string
Description of detected malware activity
Yes
malware_family
Malware Family
string
Additional information on protection
Yes
malware_rule_id
Threat Prevention Rule ID
string
Threat Prevention rule ID (Threat Prevention match table)
Yes
malware_rule_name
Threat Prevention Rule Name
string
Threat Prevention rule name (Threat Prevention match table)
No
app_category
Primary Category
string
Application category
Yes
matched_category
Matched Category
string
Name of the matched category (match table)
No
origin
Orig
string
Name of the first Security Gateway that reported this event
Yes
origin_ip
N/A
ipaddr
IP address of the Security Gateway that generated this log
Yes
origin_sic_name
N/A
string
SIC name of the Security Gateway
Yes
policy
Threat Prevention Policy
string
Name of the Threat Policy that this Security Gateway fetched
No
policy_mgmt
Policy Management
string
Name of the Management Server that manages this Security Gateway
Yes
policy_name
Policy Name
string
Name of the last policy that this Security Gateway fetched
Yes
product
Blade
string
Product name
Yes
product_family
Product Family
int
The product family the blade/product belongs to. Possible values:
0 - Network
1 - Endpoint
2 - Access
3 - Threat
4 - Mobile
Yes
protection_id
Protection ID
string
Protection malware ID
Yes
protection_name
Protection Name
string
Specific signature name of the attack
No
protection_type
Protection Type
string
Type of protection used to detect the attack
No
proto
IP Protocol
int
Protocol
Yes
protocol
Protocol
string
Protocol detected on the connection
No
proxy_src_ip
Proxied Source IP
ipaddr
Sender source IP (even when using proxy)
Yes
reason
Reason
string
Information on the error occurred
Yes
received_bytes
Received Bytes
int
Number of bytes received during connection
No
resource
Resource
string
Resource from the HTTP request
Yes
rule
Rule
int
Matched rule number (match table)
Yes
rule_action
Action
string
Action of the matched rule in the Access Control policy
Yes
rule_name
Access Rule Name
string
Name of the Access Control rule (match table)
No
rule_uid
Policy Rule UID
string
Rule ID in the Access Control policy to which the connection was matched (match table)
Yes
scan_direction
File-Direction
string
Scan direction. Possible options:
From external / dmz / internal to external / dmz / internal
To/from this Security Gateway
Yes
sent_bytes
Sent Bytes
int
Number of bytes sent during the connection
No
session_id
Session Identification
luuid
Log UID
Yes
sequencenum
Sequencenum
int
Number added to order logs with the same Linux timestamp and origin (Security Gateway that generated these logs)
Yes
service/fservice
Destination Port
int/string
Connection (service) destination port
Yes
service_id
Service ID
string
Service found for the connection (by the destination port)
Yes
severity
Severity
int/string
Threat severity determined by ThreatCloud. Possible values:
0 - Informational
1 - Low
2 - Medium
3 - High
4 - Critical
Yes
source_os
Source OS
string
OS of the computer that generated the attack
Yes
src
Source
ipaddr
Client source IP address
Yes
src_ip
Source IP
ipaddr
Source IP
Yes
src_country
Source Country
string
Country name, derived from connection source IP address
No
src_user_name
Source User Name
string
Username connected to the source IP
No
s_port
Source Port
int
Source host port number
Yes
src_port
N/A
int
Source host port number
Yes
ticket_id
Ticket ID
string
Unique ID per file
Yes
time
Time
string
The timestamp when the log was created
Yes
tls_server_host_name
TLS Server Host Name
string
SNI/CN from the encrypted TLS connection used by URL Filtering for categorization
Yes
R80.40
type
Type
string
Log type
Yes
verdict
Verdict
string
Threat Emulation engine verdict. Possible values:
Malicious
Benign
Error
Yes
user
User
string
Source username
Yes
vendor_list
Vendor List
string
The vendor name that provided the verdict for a malicious URL
Yes
web_client_type
Client Type
string
Web client detected in the HTTP request (e.g: Chrome)
No
web_server_type
Server Type
string
Web server detected in the HTTP response
No
conn_direction
Connection Direction
string
Direction of the connection
No
host_type
Host Type
string
Host type
No
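The Common Fields above are what a SIEM pipeline has to get right first: the internal-only fields from the disclaimer should be dropped, the enumerated fields (severity, confidence_level, product_family) need their labels, and records that share a time and origin must be ordered by sequencenum. The following is an added example, not Check Point code. The sample records are constructed and approximate the Log Exporter syslog format, in which the fields appear as [name:"value"; name:"value"; ...]; FIELD_RE is an assumption about that layout, so validate it against your own exporter's output before relying on it.

```python
"""Ingest Check Point Log Exporter syslog-format records into a SIEM-friendly shape.

Added example, not Check Point's own code. The sample records are constructed and
approximate Log Exporter's syslog format ([name:"value"; name:"value"; ...]);
FIELD_RE is an assumption about that layout and should be validated against
real exporter output.
"""
import re
from typing import Dict, List

# Fields the reference marks as Check Point-internal; not worth indexing.
INTERNAL_FIELDS = {
    "flags", "ifdir", "ifname", "__policy_id_tag", "version",
    "rounded_bytes", "__interface", "mgmt", "db_tag", "update_service",
}

# Enumerations from the Common Fields table (severity is int or string on the wire).
SEVERITY = {0: "Informational", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
CONFIDENCE = {0: "N/A", 1: "Low", 2: "Medium-Low", 3: "Medium", 4: "Medium-High", 5: "High"}
PRODUCT_FAMILY = {0: "Network", 1: "Endpoint", 2: "Access", 3: "Threat", 4: "Mobile"}
ENUMS = {"severity": SEVERITY, "confidence_level": CONFIDENCE, "product_family": PRODUCT_FAMILY}

# name:"value"; pairs inside the trailing [...] block. Assumes a value never contains '";'.
FIELD_RE = re.compile(r'([\w-]+):"(.*?)"\s*(?:;|$)')

# Constructed sample records (not real gateway output). Records 1 and 2 share a
# timestamp and origin and arrive out of sequence; record 3 is a Threat log.
SAMPLE_LINES = [
    '<134>1 2023-05-04T10:15:24Z gw-lab CheckPoint 5412 - [action:"Accept"; flags:"411908"; '
    'ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x6453a1f9,0x0,0x7a4d7a0a,0xc0000001}"; '
    'origin:"10.10.10.10"; sequencenum:"2"; time:"1683195324"; version:"5"; '
    'product:"VPN-1 & FireWall-1"; product_family:"0"; src:"192.0.2.10"; s_port:"51002"; '
    'dst:"198.51.100.20"; service:"443"; proto:"6"; rule:"7"; rule_name:"Allow Web"]',
    '<134>1 2023-05-04T10:15:24Z gw-lab CheckPoint 5412 - [action:"Accept"; flags:"411908"; '
    'ifdir:"inbound"; ifname:"eth0"; logid:"0"; loguid:"{0x6453a1f9,0x0,0x7a4d7a0a,0xc0000000}"; '
    'origin:"10.10.10.10"; sequencenum:"1"; time:"1683195324"; version:"5"; '
    'product:"VPN-1 & FireWall-1"; product_family:"0"; src:"192.0.2.10"; s_port:"51001"; '
    'dst:"198.51.100.20"; service:"443"; proto:"6"; rule:"7"; rule_name:"Allow Web"]',
    '<134>1 2023-05-04T10:15:25Z gw-lab CheckPoint 5412 - [action:"Prevent"; flags:"411908"; '
    'ifdir:"outbound"; ifname:"eth1"; loguid:"{0x6453a1fa,0x0,0x7a4d7a0a,0xc0000002}"; '
    'origin:"10.10.10.10"; sequencenum:"1"; time:"1683195325"; version:"5"; product:"Anti-Virus"; '
    'product_family:"3"; severity:"3"; confidence_level:"5"; protection_name:"Example.Trojan.Generic"; '
    'src:"192.0.2.10"; dst:"203.0.113.9"; file_name:"invoice.exe"; '
    'file_sha256:"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"]',
]


def parse_record(line: str) -> Dict[str, str]:
    """Return the log fields of one exporter line, minus the internal-only fields."""
    start, end = line.find("["), line.rfind("]")
    if start < 0 or end < start:
        raise ValueError("no [fields] block in record")
    body = line[start + 1:end]
    return {k: v for k, v in FIELD_RE.findall(body) if k not in INTERNAL_FIELDS}


def normalise(rec: Dict[str, str]) -> Dict[str, object]:
    """Type the ordering fields and attach labels for the enumerated fields."""
    out: Dict[str, object] = dict(rec)
    for key in ("time", "sequencenum"):
        if key in out and str(out[key]).isdigit():
            out[key] = int(out[key])  # epoch seconds / ordinal, assumed numeric on the wire
    for key, table in ENUMS.items():
        raw = out.get(key)
        if raw is None:
            continue
        if str(raw).isdigit():
            out[key + "_label"] = table.get(int(raw), f"unknown({raw})")
        else:
            out[key + "_label"] = str(raw)  # int/string field already carrying the label
    return out


def _order_key(rec: Dict[str, object]):
    t, s = rec.get("time"), rec.get("sequencenum")
    return (t if isinstance(t, int) else 0, str(rec.get("origin", "")), s if isinstance(s, int) else 0)


def ingest(lines: List[str]) -> List[Dict[str, object]]:
    """Parse, normalise and order records by (time, origin, sequencenum).

    sequencenum is the only correct tiebreaker for records that share a timestamp
    and origin gateway; arrival order over syslog is not.
    """
    records = [normalise(parse_record(line)) for line in lines if "[" in line]
    records.sort(key=_order_key)
    return records


if __name__ == "__main__":
    for r in ingest(SAMPLE_LINES):
        print(r.get("time"), r.get("sequencenum"), r.get("product"), r.get("severity_label", "-"))
```

The parser targets the bracketed syslog layout only; Log Exporter can also emit CEF, LEEF and JSON, each with its own field wrapping, so the enumeration and ordering logic is the portable part.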
Security Gateway - Advanced Log Information
^^log_server
Log Server
string
Name of the Log Server
No
^^log_file_name
Log File Name
string
Name of the log file
No
^^log_file_id
Log File ID
string
ID of the log file
No
^^log_file_position
Log File Position
string
Position of the log record in the log file
No
Security Gateway - Firewall Fields
inzone
Source Zone
string
Indicates whether the source zone is internal or external
No
outzone
Destination Zone
string
Indicates whether the destination zone is internal or external
No
sub_policy_name
N/A
string
Layer name
Yes
sub_policy_uid
N/A
string
Layer UID
Yes
fw_message
Firewall Message
string
Used for various firewall errors
Yes
message
Message
string
ISP link has failed
Yes
isp_link
ISP link
string
Name of ISP link
Yes
fw_subproduct
Subproduct
string
Can be VPN or non-VPN
Yes
sctp_error
N/A
string
Error information, what caused SCTP to fail due to "out_of_state"
Yes
chunk_type
N/A
string
Chunk of the SCTP stream
Yes
sctp_association_state
N/A
string
The invalid association state that the update attempted to move to
Yes
tcp_packet_out_of_state
TCP packet out of state
string
State violation
Yes
tcp_flags
TCP Flags
string
TCP packet flags (SYN, ACK, etc.,)
Yes
connectivity_level
Connectivity Level
string
Log for a new connection in wire mode
Yes
ip_option
IP Option
int
IP option that was dropped
Yes
tcp_state
N/A
string
Log with a TCP state change
Yes
expire_time
N/A
timestmp
Connection closing time
Yes
icmp_type
ICMP Type
int
In case a connection is ICMP, type info will be added to the log
Yes
icmp_code
ICMP Code
int
In case a connection is ICMP, ICMP code info will be added to the log
Yes
rpc_prog
RPC Program
int
Log for new RPC state - prog values
Yes
dce-rpc_interface_uuid
DCE-RPC Interface UUID
uuid
Log for new RPC state - UUID values
Yes
start_time
Start Time
timestmp
Session start time
Yes
elapsed
Elapsed
time
Time passed since start time
No
packets_per_second
Packets Per Second
int
Number of packets per second in the connection
No
packets
Packets
int
Number of packets encountered in the connection
No
client_inbound_packets
Client Inbound Packets
int
Number of packets received by the client
No
client_outbound_packets
Client Outbound Packets
int
Number of packets sent from the client
No
server_inbound_packets
Server Inbound Packets
int
Number of packets received by the server
No
server_outbound_packets
Server Outbound Packets
int
Number of packets sent from the server
No
client_inbound_bytes
Client Inbound Bytes
int
Number of bytes received by the client
No
client_outbound_bytes
Client Outbound Bytes
int
Number of bytes sent from the client
No
server_inbound_bytes
Server Inbound Bytes
int
Number of bytes received by the server
No
server_outbound_bytes
Server Outbound Bytes
int
Number of bytes sent from the server
No
client_inbound_interface
Client Inbound Interface
string
Gateway interface on which the connection is received, in case of an outbound connection
No
client_outbound_interface
Client Outbound Interface
string
Gateway interface from which the connection is sent, in case of an inbound connection
No
server_inbound_interface
Server Inbound Interface
string
Gateway interface on which the connection is received, in case of an inbound connection
No
server_outbound_interface
Server Outbound Interface
string
Gateway interface from which the connection is sent, in case of an outbound connection
No
icmp
ICMP
string
ICMP message, will be added to the connection log
Yes
capture_uuid
Captured UUID
luuid
UUID generated for the capture. Used when enabling the capture when logging.
Yes
packet_length
Packet Length
string
Length of the packet
Yes
expected_length
Expected Length
string
Expected length of the packet
No
diameter_app_name
N/A
string
The name defined/pre-configured for the diameter application
Yes
diameter_app_ID
N/A
int
The ID of diameter application
Yes
diameter_cmd_code
N/A
int
Diameter not allowed application command id
Yes
diameter_msg_type
N/A
string
Diameter message type
Yes
info
Information
string
Rule information on the blocked diameter CMD
Yes
cp_message
N/A
string
Used to log a general message
Yes
log_delay
Log Delay
int
When a new connection matches an Accept Template, the Security Gateway generates a log indicating this. To decrease the logging load, the Security Gateway aggregates all the logs related to a specific Accept Template until it reaches specific thresholds, and then sends the aggregated log. If the Security Gateway needs to expire a specific Accept Template, it immediately sends all the aggregated logs related to that Accept Template. If there is only one such log, the Security Gateway sends a regular non-aggregated log and generates an additional log with the Log Delay time, which shows the time elapsed since the event for which the Accept Template log was created.
Yes
connection_count
Connections
int
Number of connections
No
active_conn_elapsed
Active Connection Elapsed
int
Total time of the connection
No
during_sec
Duration in Seconds
int
Duration of the connection (seconds)
No
fragments_dropped
Fragments Dropped
int
Number of dropped fragments in the connection
No
ip_offset
IP Offset
int
Offset of the fragment in the connection
No
Security Gateway - Anti-Spam Fields
email_spam_category
Email Spam Category
string
Email categories. Possible values:
Spam
Not spam
Phishing
Yes
email_control
Email Control
string
Engine name
Yes
email_control_analysis
Email Control Analysis
string
Message classification, received from spam vendor engine
Yes
email_session_id
Email Session ID
string
Internal session ID
Yes
email_id
Email ID
string
Internal email ID
Yes
email_recipients_num
Email Recipients Number
int
Number of recipients
No
from
From
string
Sender email address
Yes
to
Recipient
string
Recipient email address
Yes
reason
Reason
string
Description of log's reason
Yes
Security Gateway - Anti-Virus Fields
scan_result
Scan Result
string
"Infected", or description of a failure
Yes
triggered_by
N/A
string
Engine or Software Blade that triggered the log
Yes
original_queue_id
Original Queue ID
string
Original Postfix email queue ID
Yes
risk
N/A
string
Risk level received from the engine
Yes
resource
Resource
string
In case of a malicious URL, the resource field will include that URL
Yes
email_recipients_num
Email Recipients Number
int
Number of recipients
Yes
observable_name
N/A
string
IoC observable signature name
Yes
observable_id
N/A
string
IoC observable signature ID
Yes
observable_comment
N/A
string
IoC observable signature description
Yes
indicator_name
Indicator Name
string
IoC indicator name
Yes
indicator_description
N/A
string
IoC indicator description
Yes
indicator_reference
N/A
string
IoC indicator reference
Yes
indicator_uuid
N/A
string
IoC indicator UUID
Yes
reason
Reason
string
Description of the log's reason
Yes
Security Gateway - Application Control & URL Filtering Fields
appi_name
Application Name
string
Application name (match table)
Yes
app_desc
Application Description
string
Application description (match table)
No
app_id
Application ID
int
Application ID (match table)
No
app_properties
Additional Categories
string
Application categories (match table)
Yes
app_risk
Application Risk
int
Application risk (match table). Possible values:
0 - Unknown
1 - Very low
2 - Low
3 - Medium
4 - High
5 - Critical
Yes
app_rule_id
Application Rule ID
string
Rule number
Yes
app_rule_name
Application Rule Name
string
Rule name
No
app_sig_id
Application Signature ID
string
The signature ID, by which the application was detected (match table)
Service ID, can work with multiple servers, treated as "services"
Yes
icap_server_name
N/A
string
Server name
Yes
internal_error
N/A
string
Internal error, for troubleshooting
Yes
verdict
Verdict
string
Enforcement per HTTP connection. Possible values:
Accept
Block-Reject
Data-modification
Yes
icap_more_info
N/A
string
Free text for verdict
Yes
reply_status
N/A
int
ICAP reply status code, e.g., 200 or 204
Yes
icap_server_service
N/A
string
Service name, as given in the ICAP URI
Yes
mirror_and_decrypt_type
N/A
string
Information about decrypt and forward. Possible values:
Mirror only
Decrypt and Mirror
Partial mirroring (HTTPS Inspection Bypass)
Yes
interface_name
N/A
string
Designated interface for Mirror and Decrypt
Yes
session_uid
N/A
int
HTTP session ID
Yes
Security Gateway - Identity Awareness Fields
broker_publisher
Broker Publisher
ipaddr
IP address of the broker publisher who shared the session information
Yes
R80.40
src_machine_name
Source Machine Name
string
Machine name connected to the source IP address
No
src_user_dn
N/A
string
User distinguished name connected to the source IP address
Yes
src_user_group
Source User Group
string
User Group name
No
proxy_user_name
N/A
string
Username connected to the proxy IP address
Yes
proxy_machine_name
N/A
string
Machine name connected to the proxy IP address
Yes
proxy_user_dn
N/A
string
User distinguished name connected to the proxy IP address
Yes
dst_machine_name
Destination Machine Name
string
Machine name connected to the destination IP address
No
identity_type
Identity Type
string
Identity type (user, machine)
Yes
Security Gateway - IPS Fields
resource
Resource
string
Malicious domain
Yes
query
Query
string
DNS query
Yes
dns_query
DNS query
string
DNS query
Yes
dns_type
DNS Type
string
DNS query type
Yes
inspection_item
N/A
string
Blade element that performed the inspection
Yes
performance_impact
Performance Impact
int
Protection performance impact
Yes
inspection_category
N/A
string
Inspection category: protocol anomaly, signature etc.
Yes
inspection_profile
N/A
string
Profile to which the activated protection belongs
Yes
inspection_information
N/A
string
Attack or violation description
Yes
message
Message
string
Additional information
Yes
suppressed_logs
Suppressed Logs
int
Total number of aggregated malicious connections
Yes
summary
N/A
string
Summary message for non-compliant DNS traffic drops or detects
Yes
tid
Tunnel ID
int
DNS Transaction ID
Yes
dns_message_type
N/A
string
DNS message type. Possible values:
Query
Response
Authoritative response
Yes
question_rdata
N/A
string
List of question record domains
Yes
answer_rdata
N/A
string
List of answer resource records to the questioned domains
Yes
authority_rdata
N/A
string
List of authoritative servers
Yes
additional_rdata
N/A
string
List of additional resource records
Yes
files_names
N/A
string
List of files requested by FTP
Yes
ftp_user
N/A
string
FTP username
Yes
mime_from
N/A
string
Sender's address
Yes
mime_to
N/A
string
List of recipient addresses
Yes
cc
N/A
string
List of CC addresses
Yes
bcc
N/A
string
List of BCC addresses
Yes
content_type
Content Type
string
Mail content type. Possible values:
application
msword
text/html
image/gif
and so on
Yes
subject
Subject
string
Mail subject
Yes
user_agent
N/A
string
User-Agent HTTP request header: string that identifies the requesting software
Yes
referrer
N/A
string
Referer HTTP request header: address of the previous web page
Yes
http_location
N/A
string
Location HTTP response header: indicates the URL to redirect the page to
Yes
content_disposition
N/A
string
Content-Disposition HTTP header: indicates whether the content is expected to be displayed inline in the web browser or downloaded as an attachment
Yes
via
N/A
string
"Via" header is added by proxies for tracking purposes to avoid sending requests in loop
Yes
http_server
N/A
string
Server HTTP header value: information about the software used by the origin server that handles the request
Yes
content_length
N/A
string
Content-Length HTTP header value: the size of the entity body
Yes
method
N/A
string
HTTP method (GET, POST, PUT, etc.)
Yes
status
Status
string
HTTP status code
Yes
authorization
N/A
string
Authorization HTTP header value
Yes
http_host
N/A
string
Domain name of the server that the HTTP request is sent to
Yes
industry_reference
Industry Reference
string
CVE registry entry
No
inspection_settings_log
N/A
string
Indicates that the log was generated by Inspection Settings
Yes
caused_quarantine
Caused Quarantine
string
Indicates whether attack caused a quarantine
No
Security Gateway - Mail Transfer Agent (MTA) Fields
email_control
Email Control
string
Engine name
Yes
email_message_id
Email Message ID
string
Email session ID (unique ID of the mail)
Yes
email_session_id
Email Session ID
string
Internal session ID
Yes
email_recipients_num
Email Recipients Number
int
Number of recipients
Yes
email_id
Email ID
string
Internal email ID
Yes
email_queue_id
Email Queue ID
string
Postfix email queue ID
Yes
email_queue_name
Email Queue Name
string
Postfix email queue name
Yes
original_queue_id
Original Queue ID
string
Original postfix email queue ID
Yes
file_name
File Name
string
Malicious file name
Yes
failure_reason
Failure Reason
string
MTA failure description
Yes
email_headers
N/A
string
String containing all the email headers
Yes
arrival_time
Arrival Time
timestmp
Email arrival timestamp
Yes
email_status
Email Status
string
Describes the email's state. Possible options:
delivered
deferred
skipped
bounced
hold
new
scan_started
scan_ended
Yes
status_update
Last status update
timestmp
Last time log was updated
Yes
original_queue_id
Original Queue ID
string
Original postfix email queue ID
Yes
scan_started
Scan Started
timestmp
Beginning of the scanning process timestamp
Yes
scan_ended
Scan Ended
timestmp
End of the scanning process timestamp
Yes
delivery_time
Delivery Time
timestmp
Timestamp of when the email was delivered (MTA finished handling the email)
Yes
links_num
Links Number
int
Number of links in the mail
Yes
attachments_num
Attachments Number
int
Number of attachments in the mail
Yes
email_content
Email Content
string
Mail contents. Possible options:
attachments/links
attachments/links/text only
Yes
Security Gateway - Mobile Access Fields
user_group
User Group
string
The group to which the user belongs, upon login
Yes
cvpn_resource
Application
string
Mobile Access application
Yes
cvpn_category
Mobile Access Category
string
Mobile Access application type
Yes
url
URL
string
Translated URL
Yes
outgoing_url
Outgoing Url
string
Untranslated URL, as seen inside the internal network
Yes
reject_id
Reject ID
string
A reject ID that corresponds to the one presented in the Mobile Access error page
Yes
fs-proto
N/A
string
The file share protocol used in Mobile Access File Share application
Yes
session_uid
Mobile Access Session UID
guid
Mobile Access session identification
Yes
Security Gateway - NAT Fields
allocated_ports
Allocated Ports
int
Amount of allocated NAT ports
Yes
R80.40
capacity
Capacity
int
Capacity of the NAT ports
Yes
R80.40
ports_usage
Ports Usage
int
Percentage of allocated NAT ports
Yes
R80.40
nat_exhausted_pool
Nat Exhausted Pool
string
4-tuple of an exhausted NAT pool
Yes
R80.40 (also in R80.10, R80.20, and R80.30 Jumbo Hotfixes)
xlatesrc
Xlate (NAT) Source IP
ipaddr
Source IPv4 address after applying NAT
Yes
xlatedst
Xlate (NAT) Destination IP
ipaddr
Destination IPv4 address after applying NAT
Yes
xlatesint
Xlate (NAT) Source Port
int
Source port after applying Hide NAT on the source IP address
Yes
xlatedint
Xlate (NAT) Destination Port
int
Destination port after applying NAT
Yes
nat_rulenum
NAT Rule Number
int
NAT rulebase first matched rule
Yes
nat_addtnl_rulenum
NAT Additional Rule Number
int
When matching 2 automatic rules, the second rule match is shown. Otherwise, this field has the value 0.
Yes
message_info
Message Information
string
Used for information messages, for example: NAT connection has ended
Yes
nat46
N/A
string
NAT46 status; in most cases "enabled"
Yes
end_time
N/A
timestmp
TCP connection end time
Yes
tcp_end_reason
N/A
string
Reason for TCP connection closure
Yes
nat_rulenum
NAT Rule Number
int
NAT rulebase first matched rule
Yes
cgnat
CGNAT Information
string
Describes the NAT allocation for specific subscriber
No
Subscriber
Subscriber IP
ipaddr
Source IP address before CGNAT
Yes
hide_ip
N/A
ipaddr
Source IP address to be used after CGNAT
Yes
int_start
N/A
int
Subscriber start integer to be used for NAT
Yes
int_end
N/A
int
Subscriber end integer to be used for NAT
Yes
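The practical use of the NAT fields above is attribution: an abuse report or an external sensor names a public IP and port (the post-NAT xlatesrc/xlatesint), and the analyst has to find the internal src/s_port that owned that translation at that moment. Hide NAT reuses translated ports, so the 5-tuple alone is not enough; the time window between time and end_time decides. The following is an added example, not Check Point code. It assumes each NAT log has already been parsed into a dict keyed by the field names in this reference (src, s_port, dst, service, proto, xlatesrc, xlatesint, nat_rulenum, time, end_time) with epoch seconds in the time fields; the records are constructed, and treating missing xlate* fields as "no NAT applied" is an assumption to confirm against your own logs.

```python
"""Map an externally observed (post-NAT) endpoint back to the internal host.

Added example, not Check Point's own code. Assumes each NAT log is already a dict
keyed by the reference's field names, with epoch seconds in time/end_time. The
records below are constructed, not real gateway output.
"""
from typing import Dict, List, Optional

Record = Dict[str, str]

# Constructed hide-NAT logs: two internal hosts share public IP 203.0.113.5 and the
# gateway reuses translated port 40001 after the first connection ends.
NAT_LOGS: List[Record] = [
    {"src": "10.1.1.10", "s_port": "50321", "dst": "198.51.100.7", "service": "443", "proto": "6",
     "xlatesrc": "203.0.113.5", "xlatesint": "40001", "nat_rulenum": "3",
     "time": "1683195300", "end_time": "1683195360"},
    {"src": "10.1.1.22", "s_port": "44120", "dst": "198.51.100.7", "service": "443", "proto": "6",
     "xlatesrc": "203.0.113.5", "xlatesint": "40001", "nat_rulenum": "3",
     "time": "1683195400", "end_time": "1683195470"},
    # Still open when exported, so no end_time yet.
    {"src": "10.1.1.30", "s_port": "36000", "dst": "198.51.100.9", "service": "25", "proto": "6",
     "xlatesrc": "203.0.113.6", "xlatesint": "36000", "nat_rulenum": "5",
     "time": "1683195410"},
    # No NAT rule matched (assumption: xlate* fields absent), so the remote side saw src directly.
    {"src": "192.0.2.40", "s_port": "51000", "dst": "198.51.100.9", "service": "80", "proto": "6",
     "time": "1683195420", "end_time": "1683195425"},
]


def _epoch(rec: Record, key: str) -> Optional[int]:
    value = rec.get(key, "")
    return int(value) if value.isdigit() else None


def external_tuple(rec: Record) -> tuple:
    """The 5-tuple a remote party saw: translated source if NAT applied, else the original."""
    src = rec.get("xlatesrc") or rec["src"]
    sport = rec.get("xlatesint") or rec.get("s_port", "")
    return (src, sport, rec.get("dst", ""), rec.get("service", ""), rec.get("proto", ""))


def find_internal_source(logs: List[Record], ext_ip: str, ext_port: int, dst: str,
                         dst_port: int, observed_at: int, proto: int = 6,
                         slack: int = 0) -> List[Dict[str, object]]:
    """Return every internal (src, s_port) that owned ext_ip:ext_port -> dst:dst_port at observed_at.

    A record matches when its external tuple equals the observation and observed_at lies
    within [time - slack, end_time + slack]; a missing end_time means the connection was
    still open. More than one hit means the evidence is ambiguous; zero hits means the
    log window or clock alignment is wrong, not that nothing happened.
    """
    wanted = (ext_ip, str(ext_port), dst, str(dst_port), str(proto))
    hits: List[Dict[str, object]] = []
    for rec in logs:
        if external_tuple(rec) != wanted:
            continue
        start, end = _epoch(rec, "time"), _epoch(rec, "end_time")
        if start is None or observed_at < start - slack:
            continue
        if end is not None and observed_at > end + slack:
            continue
        hits.append({"src": rec["src"], "s_port": rec.get("s_port"),
                     "nat_rulenum": rec.get("nat_rulenum"), "time": start, "end_time": end})
    return hits


if __name__ == "__main__":
    # Who was behind 203.0.113.5:40001 talking to 198.51.100.7:443 at 1683195330?
    print(find_internal_source(NAT_LOGS, "203.0.113.5", 40001, "198.51.100.7", 443, 1683195330))
```

The slack parameter absorbs second-resolution timestamps and small clock differences between the reporting party and the gateway; set it deliberately and record it in the case notes, because a large value is exactly what turns a clean attribution into two candidates.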
Security Gateway - SecureXL Fields
drop_reason
Drop Reason
string
Aggregated logs of dropped packets
Yes
packet_amount
N/A
int
Number of packets dropped
No
packets
Packets
string
Connection tuple: source IP address, source port, destination IP address, destination port, protocol number
Yes
monitor_reason
N/A
string
Aggregated logs of monitored packets
Yes
message_info
Message Information
string
Information on multicast packet dropped
Yes
drops_amount
N/A
int
Amount of multicast packets dropped
Yes
securexl_message
N/A
string
Two options for a SecureXL message:
1. Missed accounting records after heavy load on the logging system
2. Firewall log message regarding a packet drop