The Enhanced Event Logging System

Database table overview

The following columns and their characteristics are defined in all database tables created using eels_db_admin(1Meels). Use this description of the database columns to determine which column names you can use in SQL queries.

EELS database columns

Column name Data type Use

UniqEventID float8 A unique sequence number (generated by the EELS daemon.)

SequenceNumber int4 A sequence number for this record, if the original event record had to span multiple database records (automatically generated by the EELS daemon)

ProcessID int4 The UNIX process ID of the originator of this message

GroupID varchar(64) The GID of the process that generated this message

LightWeightProcessID int4 The LWP ID of the originator of the message

LogSystemsSource varchar(128) The name of the message originator, for example, syslog, Audit and so on

Length int4 The total length of the data portion of this message

VersionID int4 The EELS version number

TimeOffset double The offset in milli-seconds from the beginning of the EPOCH that this event occurred

TimeUncertaintyInterval int4 The uncertainty in milliseconds of the offset

TimeUncertaintyIndicator int4 The uncertainty indicator as a percentage of confidence in the uncertainty interval

TimeSource varchar(255) The signal or source of trusted time. This is usually a hostname or address of a network time server

TimeZone varchar(64) The timezone format as defined in the Single UNIX specification

EventNumber int4 The event type number

EventNumberStr varchar(255) The event type description

Outcome int4 The outcome of this event

OriginatorHostName varchar(255) The name of the host that requested the recording of this event

OriginatorServiceName varchar(255) The name of the service that requested the recording of this event

OriginatorLocationAddress varchar(255) The address of the service that requested the recording of this event

OriginatorServiceType varchar(255) An optional list of the supported functions provided by the originator

OriginatorAuthAuthority varchar(255) The Authentication Authority that detected the event. An example of an authentication authority is the hostname of the machine that generated the event

OriginatorPrincipalName varchar(255) The UNIX user name the process was running as when it requested the recording of this event

OriginatorPrincipalID varchar(255) The UNIX UID the process was running as when it requested the recording of this event

InitiatorAuthAuthority varchar(255) The initiator represents the principle that is accountable for the initiation of the event. This field contains the hostname that is responsible for the event

InitiatorDomainSpecificName varchar(255) The username that is responsible for the generation of the event

InitiatorDomainSpecificID varchar(255) The UID that is responsible for the generation of the event

TargetLocationName varchar(255) The target represents the object that was the target of activity that caused the event to be generated.For example, a file or a record within a database

TargetLocationAddress varchar(255) The address of service that was the target of activity that caused the event to be generated

TargetServiceType varchar(255) An optional list of the supported functions provided by the target

TargetAuthAuthority varchar(255) The Authentication Authority that was the target of the event

TargetPrincipalName varchar(255) The username associated with the target process

TargetPrincipalID varchar(255) The UID associated with the target process

PtrToSourceDomain varchar(255) For imported records use this field to point to the original location of this record in the originating log file

SourceSpecificInformation varchar(255) Information specific to this source of events, that could be details such as, syslog levels and facilities

EventSpecificInformation varchar(???) The data section of the message. If the amount of data exceeds the maximum record size supported by your database additional records are created by EELS to contain the remaining message and the SequenceNumber field is incremented

If you are unfamiliar with SQL, some SQL basics are introduced in ``Basic SQL tips''.

Column name	Data type	Use
UniqEventID	float8	A unique sequence number (generated by the EELS daemon.)
SequenceNumber	int4	A sequence number for this record, if the original event record had to span multiple database records (automatically generated by the EELS daemon)
ProcessID	int4	The UNIX process ID of the originator of this message
GroupID	varchar(64)	The GID of the process that generated this message
LightWeightProcessID	int4	The LWP ID of the originator of the message
LogSystemsSource	varchar(128)	The name of the message originator, for example, syslog, Audit and so on
Length	int4	The total length of the data portion of this message
VersionID	int4	The EELS version number
TimeOffset	double	The offset in milli-seconds from the beginning of the EPOCH that this event occurred
TimeUncertaintyInterval	int4	The uncertainty in milliseconds of the offset
TimeUncertaintyIndicator	int4	The uncertainty indicator as a percentage of confidence in the uncertainty interval
TimeSource	varchar(255)	The signal or source of trusted time. This is usually a hostname or address of a network time server
TimeZone	varchar(64)	The timezone format as defined in the Single UNIX specification
EventNumber	int4	The event type number
EventNumberStr	varchar(255)	The event type description
Outcome	int4	The outcome of this event
OriginatorHostName	varchar(255)	The name of the host that requested the recording of this event
OriginatorServiceName	varchar(255)	The name of the service that requested the recording of this event
OriginatorLocationAddress	varchar(255)	The address of the service that requested the recording of this event
OriginatorServiceType	varchar(255)	An optional list of the supported functions provided by the originator
OriginatorAuthAuthority	varchar(255)	The Authentication Authority that detected the event. An example of an authentication authority is the hostname of the machine that generated the event
OriginatorPrincipalName	varchar(255)	The UNIX user name the process was running as when it requested the recording of this event
OriginatorPrincipalID	varchar(255)	The UNIX UID the process was running as when it requested the recording of this event
InitiatorAuthAuthority	varchar(255)	The initiator represents the principle that is accountable for the initiation of the event. This field contains the hostname that is responsible for the event
InitiatorDomainSpecificName	varchar(255)	The username that is responsible for the generation of the event
InitiatorDomainSpecificID	varchar(255)	The UID that is responsible for the generation of the event
TargetLocationName	varchar(255)	The target represents the object that was the target of activity that caused the event to be generated.For example, a file or a record within a database
TargetLocationAddress	varchar(255)	The address of service that was the target of activity that caused the event to be generated
TargetServiceType	varchar(255)	An optional list of the supported functions provided by the target
TargetAuthAuthority	varchar(255)	The Authentication Authority that was the target of the event
TargetPrincipalName	varchar(255)	The username associated with the target process
TargetPrincipalID	varchar(255)	The UID associated with the target process
PtrToSourceDomain	varchar(255)	For imported records use this field to point to the original location of this record in the originating log file
SourceSpecificInformation	varchar(255)	Information specific to this source of events, that could be details such as, syslog levels and facilities
EventSpecificInformation	varchar(???)	The data section of the message. If the amount of data exceeds the maximum record size supported by your database additional records are created by EELS to contain the remaining message and the SequenceNumber field is incremented