Log View Database Schema

The following table combines tblMsgEntries_[Server Name] and tblFilterEntries_[Server Name].

View [vwMsgFilterEntriesTmp_[Server Name]]

| Field Name | From Table | From Field | Description |
|---|---|---|---|
| msg_entry_id | tblFilterEntries_[Server Name] | msg_entry_id | Primary key of the table [tblMsgEntries_[Server Name]] |
| msg_delivery_time | tblMsgEntries_[Server Name] | msg_delivery_time | The message delivery time |
| msg_found_at | tblMsgEntries_[Server Name] | msg_found_at | The place where this message was found |
| msg_source | tblMsgEntries_[Server Name] | msg_source | The semi-colon delimited sender list |
| msg_destination | tblMsgEntries_[Server Name] | msg_destination | The semi-colon delimited recipient list |
| msg_subject | tblMsgEntries_[Server Name] | msg_subject | The subject of this message |
| filter_id | tblFilterEntries_[Server Name] | filter_id | Primary key of the table [tblFilterEntries_[Server Name]] |
| filter_scan_time | tblFilterEntries_[Server Name] | filter_scan_time | The scan time |
| filter_rule | tblFilterEntries_[Server Name] | filter_rule | The filter rule triggered. Virus/malware name for security risk filter, rule name for content filter, and file type blocked by attachment blocking filter (such as .exe), risk level of a malicious URL for Web Reputation filter |
| file_original | tblFilterEntries_[Server Name] | file_original | The original file name that triggered the rule |
| filter_action | tblFilterEntries_[Server Name] | filter_action | The result of the action taken |
| filter_reason | tblFilterEntries_[Server Name] | filter_reason | The detailed information about how the content is being detected for content violation, malicious URL for Web Reputation filter |
| filter_rule_supplement | tblFilterEntries_[Server Name] | filter_rule_supplement | The virus/malware type, used to separate virus and spyware |
| url_category | tblFilterEntries_[Server Name] | url_category | The category of the detected URL |
| DataContent | tblFilterEntries_[Server Name] | DataContent | Matched content |
| msg_id | tblMsgEntries_[Server Name] | msg_id | Message ID |
| dda_int_mode | tblMsgEntries_[Server Name] | dda_int_mode | Indicates which integration mode is used: inline mode or monitor mode |
| dda_coworking_status | tblMsgEntries_[Server Name] | dda_coworking_status | DTAS agent working status with Virtual Analyzer, such as uploading, duplicate checking, querying result, and so on |
| dda_ui_status | tblMsgEntries_[Server Name] | dda_ui_status | Shows the status of sample handling on the UI, such as unrated, being analyzed, rated, aborted, and other statuses |
| sent_to_dda_time | tblMsgEntries_[Server Name] | sent_to_dda_time | The time the sample was sent to the Virtual Analyzer server |
| orgsha1 | tblMsgEntries_[Server Name] | orgsha1 | The SHA1 value of the sample |
| is_ransomeware | tblMsgEntries_[Server Name] | is_ransomeware | Indicates whether the threat is ransomware |

The following table combines table tblStorageEntries_[Server Name] and view vwMsgFilterEntriesTmp_[Server Name].

View [vwMsgFilterEntries_[Server Name]]

| Field Name | From Table | From Field | Description |
|---|---|---|---|
| filter_scan_time | vwMsgFilterEntriesTmp_[Server Name] | filter_scan_time | The scan time |
| msg_delivery_time | vwMsgFilterEntriesTmp_[Server Name] | msg_delivery_time | The message delivery time |
| msg_found_at | vwMsgFilterEntriesTmp_[Server Name] | msg_found_at | The place where this message was found |
| msg_source | vwMsgFilterEntriesTmp_[Server Name] | msg_source | The semi-colon delimited sender list |
| msg_destination | vwMsgFilterEntriesTmp_[Server Name] | msg_destination | The semi-colon delimited recipient list |
| msg_subject | vwMsgFilterEntriesTmp_[Server Name] | msg_subject | The subject of this message |
| filter_rule | vwMsgFilterEntriesTmp_[Server Name] | filter_rule | The filter rule triggered. Virus/malware name for security risk filter, rule name for content filter, and file type blocked by attachment blocking filter (such as .exe), risk level of a malicious URL for Web Reputation filter |
| filter_reason | vwMsgFilterEntriesTmp_[Server Name] | filter_reason | Detailed information about how the content is being detected for content violation, malicious URL for Web Reputation filter |
| file_original | vwMsgFilterEntriesTmp_[Server Name] | file_original | The original filename that triggered the rule |
| msg_entry_id | vwMsgFilterEntriesTmp_[Server Name] | msg_entry_id | Primary key of the table [tblMsgEntries_[Server Name]] |
| filter_id | vwMsgFilterEntriesTmp_[Server Name] | filter_id | Primary key of the table [tblFilterEntries_[Server Name]] |
| filter_action | vwMsgFilterEntriesTmp_[Server Name] | filter_action | The result of the action taken |
| storage_entry_id | tblStorageEntries_[Server Name] | storage_entry_id | Primary key of the table [tblStorageEntries_[Server Name]] |
| storage_path | tblStorageEntries_[Server Name] | storage_path | The path the file was saved to |
| storage_reason | tblStorageEntries_[Server Name] | storage_reason | The reason (quarantine, archive, or backup) for making this storage entry |
| filter_rule_supplement | vwMsgFilterEntriesTmp_[Server Name] | filter_rule_supplement | The virus/malware type, used to separate virus and spyware |
| url_category | tblFilterEntries_[Server Name] | url_category | url_category |
| DataContent | tblFilterEntries_[Server Name] | DataContent | Matched content |
| msg_id | tblMsgEntries_[Server Name] | msg_id | Message ID |
| dda_int_mode | tblMsgEntries_[Server Name] | dda_int_mode | Indicates which integration mode is used: inline mode or monitor mode |
| dda_coworking_status | tblMsgEntries_[Server Name] | dda_coworking_status | DTAS agent working status with Virtual Analyzer, such as uploading, duplicate checking, querying result, and so on |
| dda_ui_status | tblMsgEntries_[Server Name] | dda_ui_status | Shows the status of sample handling on the UI, such as unrated, being analyzed, rated, aborted, and other statuses |
| sent_to_dda_time | tblMsgEntries_[Server Name] | sent_to_dda_time | The time the sample was sent to the Virtual Analyzer server |
| orgsha1 | tblMsgEntries_[Server Name] | orgsha1 | The SHA1 value of the sample |
| is_ransomeware | tblMsgEntries_[Server Name] | is_ransomeware | Indicates whether the threat is ransomware |

The following table combines table tblMsgEntries_[Server Name] and tblStorageEntries_[Server Name].

View [vwMsgStorageEntries_[Server Name]]

| Field Name | From Table | From Field | Description |
|---|---|---|---|
| storage_entry_id | tblStorageEntries_[Server Name] | storage_entry_id | Primary key of the table [tblStorageEntries_[Server Name]] |
| msg_source | tblMsgEntries_[Server Name] | msg_source | The semi-colon delimited sender list |
| msg_destination | tblMsgEntries_[Server Name] | msg_destination | The semi-colon delimited recipient list |
| msg_subject | tblMsgEntries_[Server Name] | msg_subject | The subject of this message |
| filter_id | tblStorageEntries_[Server Name] | filter_id | Primary key of the table [tblFilterEntries_[Server Name]] |
| filter_scan_time | tblStorageEntries_[Server Name] | filter_scan_time | The scan time |
| filter_rule | tblStorageEntries_[Server Name] | filter_rule | The filter rule triggered. Virus/malware name for security risk filter, rule name for content filter, and file type blocked by attachment blocking filter (such as .exe), risk level of a malicious URL for Web Reputation filter |
| file_original | tblStorageEntries_[Server Name] | file_original | The original filename that triggered the rule |
| filter_action | tblStorageEntries_[Server Name] | filter_action | The result of the action taken |
| storage_reason | tblStorageEntries_[Server Name] | storage_reason | The reason (quarantine, archive, or backup) for this storage entry |
| storage_resend_count | tblStorageEntries_[Server Name] | storage_resend_count | The number of times this entry has been resent |

The following table selects blocked attachments data from view vwMsgFilterEntries_[Server Name].

View [vwABLogs_[Server Name]]

| Field Name | From Table | From Field | Description |
|---|---|---|---|
| storage_entry_id | vwMsgFilterEntries_[Server Name] | storage_entry_id | Primary key of the table [tblStorageEntries_[Server Name]] |
| filter_scan_time | vwMsgFilterEntries_[Server Name] | filter_scan_time | The scan time |
| msg_delivery_time | vwMsgFilterEntries_[Server Name] | msg_delivery_time | The message delivery time |
| msg_found_at | vwMsgFilterEntries_[Server Name] | msg_found_at | The place where this message was found |
| msg_source | vwMsgFilterEntries_[Server Name] | msg_source | The semi-colon delimited sender list |
| msg_destination | vwMsgFilterEntries_[Server Name] | msg_destination | The semi-colon delimited recipient list |
| msg_subject | vwMsgFilterEntries_[Server Name] | msg_subject | The subject of this message |
| filter_rule_cf | vwMsgFilterEntries_[Server Name] | filter_rule | File type blocked by attachment blocking filter (such as .exe) |
| filter_original | vwMsgFilterEntries_[Server Name] | filter_original | The original filename that triggered the rule |
| filter_action | vwMsgFilterEntries_[Server Name] | filter_action | The result of action taken. Reference [action_description.xml], which is located in %SMEX_HOME%\web\xml. Note: %SMEX_HOME% represents the SMEX installation directory. By default, this is C:\Program Files\Trend Micro\Smex\ |
| filter_id | vwMsgFilterEntries_[Server Name] | filter_id | Primary key of the table [tblFilterEntries_[Server Name]] |

The following table selects security risk scan data from view vwMsgFilterEntries_[Server Name].

View [vwAVLogs_[Server Name]]

| Field Name | From Table | From Field | Description |
|---|---|---|---|
| storage_entry_id | vwMsgFilterEntries_[Server Name] | storage_entry_id | Primary key of the table tblStorageEntries_[Server Name] |
| filter_scan_time | vwMsgFilterEntries_[Server Name] | filter_scan_time | The scan time |
| msg_delivery_time | vwMsgFilterEntries_[Server Name] | msg_delivery_time | The message delivery time |
| msg_found_at | vwMsgFilterEntries_[Server Name] | msg_found_at | The place where this message was found |
| msg_source | vwMsgFilterEntries_[Server Name] | msg_source | The semi-colon delimited sender list |
| msg_destination | vwMsgFilterEntries_[Server Name] | msg_destination | The semi-colon delimited recipient list |
| msg_subject | vwMsgFilterEntries_[Server Name] | msg_subject | The subject of this message |
| filter_rule_av | vwMsgFilterEntries_[Server Name] | filter_rule | Virus/malware name |
| filter_original | vwMsgFilterEntries_[Server Name] | filter_original | The original filename that triggered the rule |
| filter_action | vwMsgFilterEntries_[Server Name] | filter_action | The result of action taken. Reference [action_description.xml], which is located in %SMEX_HOME%\web\xml. Note: %SMEX_HOME% represents the SMEX installation directory. By default, this is C:\Program Files\Trend Micro\Smex\ |
| filter_rule_supplement | vwMsgFilterEntries_[Server Name] | filter_rule_supplement | The virus/malware type, used to separate virus and spyware. |
| filter_id | vwMsgFilterEntries_[Server Name] | filter_id | Primary key of the table [tblFilterEntries_[Server Name]] |
| storage_reason | vwMsgFilterEntries_[Server Name] | storage_reason | The reason (quarantine, archive, or backup) for this storage entry. |
| detected_by | vwMsgFilterEntries_[Server Name] | detected_by | The scan mechanism that detected the security risk. Possible values: 1 - Virus Scan Engine; 2 - ATSE; 3 - Virtual Analyzer |
| is_ransomeware | vwMsgFilterEntries_[Server Name] | is_ransomeware | Indicates whether the threat is ransomware |

The following table selects content violation data from view vwMsgFilterEntries_[Server Name].

View [vwCFLogs_[Server Name]]

| Field Name | From Table | From Field | Description |
|---|---|---|---|
| storage_entry_id | vwMsgFilterEntries_[Server Name] | storage_entry_id | Primary key of the table tblStorageEntries_[Server Name] |
| filter_scan_time | vwMsgFilterEntries_[Server Name] | filter_scan_time | The scan time |
| msg_delivery_time | vwMsgFilterEntries_[Server Name] | msg_delivery_time | The message delivery time |
| msg_found_at | vwMsgFilterEntries_[Server Name] | msg_found_at | The place where this message was found |
| msg_source | vwMsgFilterEntries_[Server Name] | msg_source | The semi-colon delimited sender list |
| msg_destination | vwMsgFilterEntries_[Server Name] | msg_destination | The semi-colon delimited recipient list |
| msg_subject | vwMsgFilterEntries_[Server Name] | msg_subject | The subject of this message |
| filter_rule_cf | vwMsgFilterEntries_[Server Name] | filter_rule | Rule name for content filter |
| filter_original | vwMsgFilterEntries_[Server Name] | filter_original | The original filename that triggered the rule |
| filter_action | vwMsgFilterEntries_[Server Name] | filter_action | The result of action taken. Reference [action_description.xml], which is located in %SMEX_HOME%\web\xml. Note: %SMEX_HOME% represents the SMEX installation directory. By default, this is C:\Program Files\Trend Micro\Smex\ |
| filter_reason | vwMsgFilterEntries_[Server Name] | filter_reason | Detailed information about how the content is being detected for content violation, malicious URL for Web Reputation filter |
| filter_id | vwMsgFilterEntries_[Server Name] | filter_id | Primary key of the table [tblFilterEntries_[Server Name]] |

The following table selects Data Loss Prevention incident data from view vwMsgFilterEntries_[Server Name].

View [vwDLPLogs_[Server Name]]

| Field Name | From Table | From Field | Description |
|---|---|---|---|
| storage_entry_id | vwMsgFilterEntries_[Server Name] | storage_entry_id | Primary key of the table [tblStorageEntries_[Server Name]] |
| filter_scan_time | vwMsgFilterEntries_[Server Name] | filter_scan_time | The scan time |
| msg_delivery_time | vwMsgFilterEntries_[Server Name] | msg_delivery_time | The message delivery time |
| msg_found_at | vwMsgFilterEntries_[Server Name] | msg_found_at | The place where this message was found |
| msg_source | vwMsgFilterEntries_[Server Name] | msg_source | The semi-colon delimited sender list |
| msg_destination | vwMsgFilterEntries_[Server Name] | msg_destination | The semi-colon delimited recipient list |
| msg_subject | vwMsgFilterEntries_[Server Name] | msg_subject | The subject of this message |
| filter_rule_dlp | vwMsgFilterEntries_[Server Name] | filter_rule | Rule name for Data Loss Prevention |
| filter_action | vwMsgFilterEntries_[Server Name] | filter_action | The result of action taken. Reference [action_description.xml], which is located in %SMEX_HOME%\web\xml. Note: %SMEX_HOME% represents the SMEX installation directory. By default, this is C:\Program Files\Trend Micro\Smex\ |
| file_original | vwMsgFilterEntries_[Server Name] | file_original | The original filename that triggered the rule |
| filter_template | vwMsgFilterEntries_[Server Name] | filter_reason | The triggered Data Loss Prevention template |
| DataContent | tblFilterEntries_[Server Name] | DataContent | Matched content |

The following table selects unscannable message data from view vwMsgFilterEntries_[Server Name].

View [vwUSLogs_[Server Name]]

| Field Name | From Table | From Field | Description |
|---|---|---|---|
| storage_entry_id | vwMsgFilterEntries_[Server Name] | storage_entry_id | Primary key of the table tblStorageEntries_[Server Name] |
| filter_scan_time | vwMsgFilterEntries_[Server Name] | filter_scan_time | The scan time |
| msg_delivery_time | vwMsgFilterEntries_[Server Name] | msg_delivery_time | The message delivery time |
| msg_found_at | vwMsgFilterEntries_[Server Name] | msg_found_at | The place where this message was found |
| msg_source | vwMsgFilterEntries_[Server Name] | msg_source | The semi-colon delimited sender list |
| msg_destination | vwMsgFilterEntries_[Server Name] | msg_destination | The semi-colon delimited recipient list |
| msg_subject | vwMsgFilterEntries_[Server Name] | msg_subject | The subject of this message |
| filter_rule_us | vwMsgFilterEntries_[Server Name] | filter_rule | Unscannable reason |
| filter_original | vwMsgFilterEntries_[Server Name] | filter_original | The original filename that triggered the rule |
| filter_action | vwMsgFilterEntries_[Server Name] | filter_action | The result of action taken. Reference [action_description.xml], which is located in %SMEX_HOME%\web\xml. Note: %SMEX_HOME% represents the SMEX installation directory. By default, this is C:\Program Files\Trend Micro\Smex\ |
| filter_id | vwMsgFilterEntries_[Server Name] | filter_id | Primary key of the table [tblFilterEntries_[Server Name]] |
| storage_reason | vwMsgFilterEntries_[Server Name] | storage_reason | The reason (quarantine, archive, or backup) for this storage entry. |

The following table selects storage data from view vwMsgFilterEntries_[Server Name].

View [vwQuarantineLogs_[Server Name]]

| Field Name | From Table | From Field | Description |
|---|---|---|---|
| storage_entry_id | vwMsgFilterEntries_[Server Name] | storage_entry_id | Primary key of the table [tblStorageEntries_[Server Name]] |
| filter_scan_time | vwMsgFilterEntries_[Server Name] | filter_scan_time | The scan time |
| msg_source | vwMsgFilterEntries_[Server Name] | msg_source | The semi-colon delimited sender list |
| msg_destination | vwMsgFilterEntries_[Server Name] | msg_destination | The semi-colon delimited recipient list |
| msg_subject | vwMsgFilterEntries_[Server Name] | msg_subject | The subject of this message |
| filter_rule | vwMsgFilterEntries_[Server Name] | filter_rule | The filter rule triggered. Virus/malware name for security risk filter, rule name for content filter, and file type blocked by attachment blocking filter (such as .exe), risk level of a malicious URL for Web Reputation filter |
| storage_resend_count | vwMsgFilterEntries_[Server Name] | storage_resend_count | The number of times this entry has been resent |
| storage_reason | vwMsgFilterEntries_[Server Name] | storage_reason | The reason (quarantine, archive, or backup) for this storage entry. |

The following table selects data about malicious URL from view vwMsgStorageEntries_[Server Name].

View [vwWTPLogs_[Server Name]]

| Field Name | From Table | From Field | Description |
|---|---|---|---|
| filter_scan_time | vwMsgFilterEntries_[Server Name] | filter_scan_time | The scan time |
| msg_delivery_time | vwMsgFilterEntries_[Server Name] | msg_delivery_time | The message delivery time |
| msg_source | vwMsgFilterEntries_[Server Name] | msg_source | The semi-colon delimited sender list |
| msg_destination | vwMsgFilterEntries_[Server Name] | msg_destination | The semi-colon delimited recipient list |
| msg_subject | vwMsgFilterEntries_[Server Name] | msg_subject | The subject of this message |
| risk_level | vwMsgFilterEntries_[Server Name] | risk_level | The determined risk level for an advanced threat. Possible values: 0 - Suspicious (Detected by Advanced Threat Scan Engine (ATSE)); 1 - Low; 2 - Medium; 3 - High; 4 - Suspicious (Detected by Virtual Analyzer) |
| Suspicious_url | vwMsgFilterEntries_[Server Name] | filter_reason | Suspicious URL |
| filter_action | | filter_action | The result of action taken. Reference [action_description.xml], which is located in %SMEX_HOME%\web\xml. Note: %SMEX_HOME% represents the SMEX installation directory. By default, this is C:\Program Files\Trend Micro\Smex\ |
| filter_id | vwMsgFilterEntries_[Server Name] | filter_id | Primary key of the table [tblFilterEntries_[Server Name]] |
| storage_entry_id | vwMsgFilterEntries_[Server Name] | storage_entry_id | Primary key of the table [tblStorageEntries_[Server Name]] |
| url_category | tblFilterEntries_[Server Name] | url_category | The category of the detected URL |
| is_ransomeware | vwMsgFilterEntries_[Server Name] | is_ransomeware | Indicates whether the threat is ransomware |

The following table selects data about working DDAn logs.

View [vwDDANCoWorkingLogs_[Server Name]]

| Field Name | From Table | From Field | Description |
|---|---|---|---|
| msg_id | vwMsgFilterEntries_[Server Name] | msg_id | Message ID |
| filter_scan_time | vwMsgFilterEntries_[Server Name] | filter_scan_time | The scan time |
| msg_delivery_time | vwMsgFilterEntries_[Server Name] | msg_delivery_time | The message delivery time |
| msg_found_at | vwMsgFilterEntries_[Server Name] | msg_found_at | The place where this message was found |
| msg_source | vwMsgFilterEntries_[Server Name] | msg_source | The semi-colon delimited sender list |
| msg_destination | vwMsgFilterEntries_[Server Name] | msg_destination | The semi-colon delimited recipient list |
| msg_subject | vwMsgFilterEntries_[Server Name] | msg_subject | The subject of this message |
| filter_rule_av | vwMsgFilterEntries_[Server Name] | filter_rule | Virus/malware name |
| filter_reason | vwMsgFilterEntries_[Server Name] | filter_reason | Detailed information about how the content is being detected for content violation, malicious URL for Web Reputation filter |
| file_original | vwMsgFilterEntries_[Server Name] | file_original | The original filename that triggered the rule |
| filter_action | vwMsgFilterEntries_[Server Name] | filter_action | The result of action taken. Reference [action_description.xml], which is located in %SMEX_HOME%\web\xml. Note: %SMEX_HOME% represents the SMEX installation directory. By default, this is C:\Program Files\Trend Micro\Smex\ |
| filter_rule_supplement | vwMsgFilterEntries_[Server Name] | filter_rule_supplement | The virus/malware type, used to separate virus and spyware |
| detected_by | vwMsgFilterEntries_[Server Name] | detected_by | The scan mechanism that detected the security risk. Possible values: 1 - Virus Scan Engine; 2 - ATSE; 3 - Virtual Analyzer |
| risk_level | vwMsgFilterEntries_[Server Name] | risk_level | The determined risk level for an advanced threat. Possible values: 0 - Suspicious (ATSE); 1 - Low; 2 - Medium; 3 - High; 4 - Suspicious (Virtual Analyzer) |
| atse_aggressive_level | vwMsgFilterEntries_[Server Name] | atse_aggressive_level | ATSE scan level |
| detected_rule_category | vwMsgFilterEntries_[Server Name] | detected_rule_category | ATSE detected rule category |
| dda_int_mode | vwMsgFilterEntries_[Server Name] | dda_int_mode | Indicates which integration mode is used: inline mode or monitor mode |
| dda_coworking_status | vwMsgFilterEntries_[Server Name] | dda_coworking_status | DTAS agent working status with Virtual Analyzer, such as uploading, duplicate checking, querying result, and so on |
| dda_ui_status | vwMsgFilterEntries_[Server Name] | dda_ui_status | Shows the status of sample handling on the UI, such as unrated, being analyzed, rated, aborted, and other statuses |
| sent_to_dda_time | vwMsgFilterEntries_[Server Name] | sent_to_dda_time | The time the sample was sent to the Virtual Analyzer server |
| orgsha1 | vwMsgFilterEntries_[Server Name] | orgsha1 | The SHA1 value of the sample |

Example 1: Query information about the virus log, content filtering log, or attachment blocking log from tables 'vwAVLogs_[Server Name]', 'vwCFLogs_[Server Name]', 'vwABLogs_[Server Name]' between '12/12/2008 09:00:00' AND '12/18/2008 09:00:00'

-- Replace [Server Name] with the server name that appears in the view names.

-- Security risk (virus/malware) log
SELECT msg_source, msg_destination, filter_rule_av
FROM vwAVLogs_[Server Name]
WHERE filter_scan_time
BETWEEN '2008-12-12 09:00:00' AND '2008-12-19 09:00:00'
ORDER BY filter_scan_time;

-- Content filtering log
SELECT *
FROM vwCFLogs_[Server Name]
WHERE filter_scan_time
BETWEEN '2008-12-12 09:00:00' AND '2008-12-19 09:00:00'
ORDER BY filter_scan_time;

-- Attachment blocking log
SELECT *
FROM vwABLogs_[Server Name]
WHERE filter_scan_time
BETWEEN '2008-12-12 09:00:00' AND '2008-12-19 09:00:00'
ORDER BY filter_scan_time;

Example 2: Get Storage Log

-- Storage (quarantine, archive, or backup) entries in the time window
SELECT *
FROM vwMsgStorageEntries_[Server Name]
WHERE filter_scan_time
BETWEEN '2008-12-12 09:00:00' AND '2008-12-19 09:00:00'
ORDER BY filter_scan_time;
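
Added example (not part of the product documentation): a triage script over the vwAVLogs_[Server Name] fields that decodes detected_by and splits the semi-colon delimited msg_destination list into per-recipient counts. Assumptions: an in-memory SQLite table stands in for the view, "MAIL01" is a made-up server name, the rows are constructed, a nonzero is_ransomeware is taken to mean ransomware, and the function names are illustrative.

```python
import re
import sqlite3
from collections import Counter

# detected_by values as listed for vwAVLogs_[Server Name] on this page.
DETECTED_BY = {1: "Virus Scan Engine", 2: "ATSE", 3: "Virtual Analyzer"}

# Constructed sample rows (not real detections). Columns follow vwAVLogs:
# filter_scan_time, msg_source, msg_destination, filter_rule_av,
# detected_by, is_ransomeware (assumption: nonzero means ransomware).
SAMPLE_ROWS = [
    ("2008-12-12 10:15:00", "a@ext.example",
     "bob@corp.example;carol@corp.example", "SAMPLE_TROJ.A", 1, 0),
    ("2008-12-13 08:02:00", "b@ext.example",
     "carol@corp.example", "SAMPLE_RANSOM.B", 2, 1),
    ("2008-12-15 17:40:00", "c@ext.example",
     "Bob@corp.example; dave@corp.example;", "SAMPLE_RANSOM.B", 3, 1),
    ("2008-12-20 09:30:00", "d@ext.example",  # outside the query window
     "erin@corp.example", "SAMPLE_TROJ.A", 1, 0),
]

VIEW_NAME = re.compile(r"vw[A-Za-z]+_[A-Za-z0-9-]+")


def _quoted(view):
    # Identifiers cannot be bound as parameters, so allow-list the name first.
    if not VIEW_NAME.fullmatch(view):
        raise ValueError(f"unexpected view name: {view!r}")
    return f'"{view}"'


def build_sample_db(view="vwAVLogs_MAIL01"):
    """In-memory stand-in for the view; MAIL01 is a made-up server name."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {_quoted(view)} (filter_scan_time TEXT, "
                 "msg_source TEXT, msg_destination TEXT, filter_rule_av TEXT, "
                 "detected_by INTEGER, is_ransomeware INTEGER)")
    conn.executemany(f"INSERT INTO {_quoted(view)} VALUES (?,?,?,?,?,?)",
                     SAMPLE_ROWS)
    return conn


def detections_by_engine(conn, view, start, end):
    """Count detections per (malware name, scan mechanism) in [start, end]."""
    sql = (f"SELECT filter_rule_av, detected_by, COUNT(*) FROM {_quoted(view)} "
           "WHERE filter_scan_time BETWEEN ? AND ? "
           "GROUP BY filter_rule_av, detected_by "
           "ORDER BY filter_rule_av, detected_by")
    return [(name, DETECTED_BY.get(code, f"unknown ({code})"), n)
            for name, code, n in conn.execute(sql, (start, end))]


def recipients_hit(conn, view, start, end, ransomware_only=False):
    """Per-recipient message counts; msg_destination is semi-colon delimited."""
    sql = (f"SELECT msg_destination FROM {_quoted(view)} "
           "WHERE filter_scan_time BETWEEN ? AND ?")
    if ransomware_only:
        sql += " AND is_ransomeware <> 0"
    hits = Counter()
    for (dest,) in conn.execute(sql, (start, end)):
        # Split the list, trim whitespace, fold case, skip empty items,
        # and count each recipient once per message.
        hits.update({a.strip().lower() for a in (dest or "").split(";") if a.strip()})
    return hits


if __name__ == "__main__":
    db = build_sample_db()
    window = ("2008-12-12 09:00:00", "2008-12-19 09:00:00")
    print(detections_by_engine(db, "vwAVLogs_MAIL01", *window))
    print(recipients_hit(db, "vwAVLogs_MAIL01", *window, ransomware_only=True))
```

The time bounds are bound as parameters and the view name is checked against an allow-list pattern, because the server-specific view name has to be interpolated into the statement.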