Symantec™ Sygate Enterprise Protection
Database Schema Reference Guide

Release 5.1


Copyright Information
Copyright © 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, Sygate, the Sygate ‘S’ Logo, Host Integrity,
and AutoLocation are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other
names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse
engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec
Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED
CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT
TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION
SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE
FURNISHING PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS
DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014

Documentation Build 5.1.0.6500
Published December 19, 2005

Table of Contents
Preface
Intended Audience
Related Product Information
Getting Technical Support
Chapter 1. Database Schema Overview
Chapter 2. Symantec Policy Manager Database Schema
Agent Behavior Log Schema
Agent Packet Log Schema
Agent Security Log Schema
Agent System Log Schema
Agent Traffic Log Schema
Basic Metadata Schema
Binary File Schema
Computer Application Schema
Enforcer Client Log Schema
Enforcer System Log Schema
Enforcer Traffic Log Schema
Identity Map Schema
LAN Device Detected Schema
LAN Device Excluded Schema
Legacy Agent Schema
Local Metadata Schema
Log Config Schema
Reports Schema
SE Global Schema
SEM Agent Schema
SEM Application Schema
SEM Client Schema
SEM Computer Schema
Serial Numbers Schema
Server Admin Log Schema
Server Client Log Schema
Server System Log Schema
Server Enforcer Log Schema
Server Policy Log Schema
System State Schema

Preface
This document, the Database Schema Reference Guide, describes the database schema for the
Symantec™ Policy Manager database (for either Embedded or Microsoft SQL databases).
Intended Audience
This information is for database administrators who may need to generate specialized
reports from the information in the database.
Related Product Information
For information about setting up the Policy Manager database, see the Policy Manager
Installation Guide.
For other administrative information about the Policy Manager database, see the Policy
Manager Administration Guide.
This information is also available online in the Policy Manager online help.
For information about known problems with this release, refer to the Readme.txt file.
Getting Technical Support
Symantec Corporation provides a wide variety of service and support programs. Contact
Enterprise Support through its web site, by email, or by telephone.
Web site: www.sygate.com/support
Email address:
Toll free number: (877) TECH-800 (832-4800)

Chapter 1. Database Schema Overview
The Policy Manager database is where all the information concerning the Symantec software
and associated security information is located. The information is stored in a series of tables,
the database schema.
Each table contains three columns and one or more rows. Each table has the same columns
in the same order:
• Column Name
• Comments
• Data Type
Column Name
This column contains the name of the database field.
Comments
The comments column explains the purpose of the field and any additional pertinent
information.
Data Type
The data type column shows the physical make up of the data. The different types of data
are:
• CHAR
• VARCHAR
• NUMBER
• RAW
In addition, the data type column indicates the physical length of the field with a number in
parentheses. For example, CHAR(24) indicates a character field with a length of 24
characters.
Primary Key
An asterisk designates the primary key in the tables. The primary key is a column or a set of
columns that uniquely identifies all the rows in a table. Primary keys may not contain null
values. No two rows can have the same primary key value; therefore, a primary key value
always uniquely identifies a single row. More than one key can uniquely identify rows in a
table; each of these keys is called a candidate key. Only one candidate can be chosen as the
primary key of a table; all other candidate keys are known as alternate keys.
In a normalized table, all of the data values in each row are fully dependent on the primary
key. For example, in a normalized employee table that has EmployeeID as the primary key,
all of the columns should contain data related to a specific employee. The table should not
have a column called DepartmentName because the name of the department is dependent
on a department ID, not on an employee ID.

Chapter 2. Symantec Policy Manager Database Schema
This chapter describes each table in alphabetical order.
If you are using Symantec Network Access Control, some of the tables (and some fields in
the tables) are not used because related functionality is not included. For example, Agent
Traffic, Packet, and Behavior logs are not used.
Agent Behavior Log Schema
Not used in Symantec Network Access Control.
This table lists the database schema for the Agent Behavior logs. There are actually two
tables for this schema. When logs are stored, the Policy Manager uses the first table until it is
full. It then switches to using the second table. The data in the first table is kept intact until
the second table fills. Then it starts to fill the first table again. This cycle is continuous.
Agent Behavior Log
Column Name Comments Data Type
USN A USN-based serial number; this ID is not unique. NUMBER(13)
DOMAIN_ID GUID of the domain, which the log belongs to. CHAR(32)
SITE_ID GUID of the site, which the log belongs to. CHAR(32)
SERVER_ID GUID of the server, which the log belongs to. CHAR(32)
GROUP_ID GUID of the group, which the log belongs to. CHAR(32)
COMPUTER_ID GUID of the Agent computer, which the log belongs to. CHAR(32)
TIME_STAMP The time when the event is logged into system (GMT), which is server side time. NUMBER(13)
EVENT_ID An event ID from send Agent. NUMBER(10)
EVENT_TIME The event generated time (GMT). NUMBER(13)
SEVERITY The seriousness of the event. 0 is most serious. NUMBER(10)
AGENT_ID GUID of the Agent. CHAR(32)
HARDWARE_KEY Hash of Computer Hardware information. CHAR(32)
HOST_NAME Host Name of Agent machine. VARCHAR2(256)
ACTION What we did: 0 = allow, 1 = block, 2 = ask, 3 = continue, 4 = terminate NUMBER(10)
TEST_MODE Was this rule run in test mode? 0 = no, else yes NUMBER(10)
DESCRIPTION Description. VARCHAR2(256)
VAPI_NAME The name of remote computer (it may be empty if name resolution failed). VARCHAR2(256)
ENCODED_API_NAME The TCP/UDP port in local machine (host byte-order). It is only valid on TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP. For other events, it is always zero. VARCHAR2(256)
BEGIN_TIME The begin time of security issue. NUMBER(13)
END_TIME The end time of security issue. End time is an optional field because we may fail to detect the exact end time of traffic, such as UDP. In those cases, the end time is equal to the begin time. NUMBER(13)
RULE_ID The ID of the rule triggered by the event. It is always 0 if the rule ID is not specified in the security rule. The field is helpful for security rule troubleshooting. If multiple rules matched, it logs the rule that has the final decision on PacketProc (pass/block/drop). CHAR(32)
RULE_NAME The name of the rule triggered by the event. It is always an empty string if the rule name is not specified in the security rule. It is also for troubleshooting. In theory, the IT admin can know the rule by ID. However, the name gives the user a direct view of the rule that could be used. VARCHAR2(256)
CALLER_PROCESS_ID ID of the Process that triggers the logging. NUMBER(13)
CALLER_PROCESS_NAME The full path of the application involved. It may be empty if an unknown application or the OS itself is involved, or if no application is involved. Also, it may be empty if the profile says don’t log application name in raw traffic log. VARCHAR2(256)
CALLER_RETURN_ADDRESS Return address of the caller. This field allows our software to detect the calling module that makes the API call. NUMBER(13)
CALLER_RETURN_MODULE_NAME Module name of caller. See “CallerReturnAddress” for more info. VARCHAR2(256)
PARAMETER Parameters that were used in the API call. Each parameter was converted to STRING format and separated by one space character. Double quotation characters within the string are escaped by a \ char. VARCHAR2(256)
ALERT It reflects the alert attribute in profile action. It is true if action::alert is true. NUMBER(10)
SEND_SNMP_TRAP It reflects the send SNMP trap action. It is true if send is true. NUMBER(3)
USER_NAME Login user name. VARCHAR2(256)
DOMAIN_NAME Login domain name. VARCHAR2(256)
RESERVED_INT1 Reserved for future use NUMBER(10)
RESERVED_INT2 Reserved for future use NUMBER(10)
RESERVED_BIGINT1 Reserved for future use NUMBER(13)
RESERVED_BIGINT2 Reserved for future use NUMBER(13)
RESERVED_CHAR1 Reserved for future use CHAR(32)
RESERVED_CHAR2 Reserved for future use CHAR(32)
RESERVED_VARCHAR1 Reserved for future use VARCHAR2(260)
RESERVED_BINARY Reserved for future use RAW
Agent Packet Log Schema
Not used in Symantec Network Access Control.
This table lists the database schema for the Agent Packet logs. There are actually two tables
for this schema. When logs are stored, the Policy Manager uses the first table until it is full.
It then switches to using the second table. The data in the first table is kept intact until the
second table fills. Then it starts to fill the first table again. This cycle is continuous.
Agent Packet Log
Column Name Comments Data Type
USN A USN-based serial number; this ID is not unique. NUMBER(13)
DOMAIN_ID GUID of the domain, which the log belongs to. CHAR(32)
SITE_ID GUID of the site, which the log belongs to. CHAR(32)
SERVER_ID GUID of the server, which the log belongs to. CHAR(32)
GROUP_ID GUID of the group, which the log belongs to. CHAR(32)
COMPUTER_ID GUID of the Agent computer, which the log belongs to. CHAR(32)
TIME_STAMP The time when the event is logged into system (GMT), which is server side time. NUMBER(13)
EVENT_ID An event ID from send Agent. NUMBER(10)
EVENT_TIME The event generated time (GMT). NUMBER(13)
AGENT_ID GUID of the Agent. CHAR(32)
HARDWARE_KEY Hash of Computer Hardware information. CHAR(32)
HOST_NAME Host Name of Agent machine. VARCHAR2(256)
LOCAL_HOST_IP The IP address of local computer (IPv4). NUMBER(10)
REMOTE_HOST_IP The IP address of remote computer (IPv4). NUMBER(10)
REMOTE_HOST_NAME The name of remote computer (it may be empty if name resolution failed). VARCHAR2(64)
LOCAL_PORT The TCP/UDP port in local machine (host byte-order). It is only valid on TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP. For other events, it is always zero. NUMBER(10)
REMOTE_PORT The TCP/UDP port in remote machine (host byte-order). It is only valid on TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP. For other events, it is always zero. NUMBER(10)
TRAFFIC_DIRECTION The direction of traffic. Enum (unknown = 0; inbound = 1; outbound = 2) NUMBER(3)
BLOCKED Specifies whether the traffic was blocked. NUMBER(3)
APP_NAME The full path of the application involved. It may be empty if an unknown application is involved or no application is involved. For example, a ping of death DoS attack does not have an AppName because it attacks the OS itself. VARCHAR2(256)
ALERT It reflects the alert attribute in profile action. It is true if action::alert is true. NUMBER(3)
SEND_SNMP_TRAP It reflects the send SNMP trap action. It is true if send is true. NUMBER(3)
EVENT_DATA Additional data in binary format. This field is optional. RAW
RESERVED_INT1 Reserved for future use NUMBER(10)
RESERVED_INT2 Reserved for future use NUMBER(10)
RESERVED_BIGINT1 Reserved for future use NUMBER(13)
RESERVED_BIGINT2 Reserved for future use NUMBER(13)
RESERVED_CHAR1 Reserved for future use CHAR(32)
RESERVED_CHAR2 Reserved for future use CHAR(32)
RESERVED_VARCHAR1 Reserved for future use VARCHAR2(260)

Agent Security Log Schema
This table lists the database schema for the Agent Security logs. There are actually two tables
for this schema. When logs are stored, the Policy Manager uses the first table until it is full.
It then switches to using the second table. The data in the first table is kept intact until the
second table fills. Then it starts to fill the first table again. This cycle is continuous.
Agent Security Log
Column Name Comments Data Type
USN A USN-based serial number; this ID is not unique. NUMBER(13)
DOMAIN_ID GUID of the domain, which the log belongs to. CHAR(32)
SITE_ID GUID of the site, which the log belongs to. CHAR(32)
SERVER_ID GUID of the server, which the log belongs to. CHAR(32)
GROUP_ID GUID of the group, which the log belongs to. CHAR(32)
COMPUTER_ID GUID of the Agent computer, which the log belongs to. CHAR(32)
TIME_STAMP The time when the event is logged into system (GMT), which is server side time. NUMBER(13)
EVENT_ID An event ID from send Agent. NUMBER(10)
EVENT_TIME The event generated time (GMT). NUMBER(13)
SEVERITY It is severity defined in Security Rule. Critical 0 - 3, Major 4 - 7, Minor 8 - 11, Info 12 - 15 NUMBER(10)
AGENT_ID GUID of the Agent. CHAR(32)
HARDWARE_KEY Hash of Computer Hardware information. CHAR(32)
HOST_NAME Host Name of Agent machine. VARCHAR2(256)
LOCAL_HOST_IP The IP address of local computer (IPv4). NUMBER(10)
REMOTE_HOST_IP The IP address of remote computer (IPv4). NUMBER(10)
REMOTE_HOST_NAME The name of remote computer (it may be empty if name resolution failed). VARCHAR2(64)
TRAFFIC_DIRECTION The direction of traffic. Enum (unknown = 0; inbound = 1; outbound = 2) NUMBER(3)
NETWORK_PROTOCOL The protocol type: Enum (OTHERS = 1; TCP = 2; UDP = 3; ICMP = 4). NUMBER(3)
HACK_TYPE The field is reserved for future version. In V3.0: It is intrusion ID if Event ID is TSLOG_SEC_INTRUSION_DETECTED. It is reason if event ID is TSLOG_SEC_NO_AV. It is bit mask (Bit31 Bit30 … Bit0): Bit 0 = Process is not running; Bit 1 = Signature is out of date; Bit 2 = Recovery was made (no matter if it succeeded or failed); Bit 3 to bit 31 are reserved, must be zero. Multiple bits may be set, i.e. 0x3 means that process is not running and signature is out-of-date. It is additional information if event ID is TSLOG_SEC_AV: Bit 0 = undefined, must be zero; Bit 1 = undefined, must be zero; Bit 2 = Recovery was made (no matter if it succeeded or failed). NUMBER(10)
BEGIN_TIME The begin time of security issue. NUMBER(13)
END_TIME The end time of security issue. End time is an optional field because we may fail to detect the exact end time of traffic, such as UDP. In those cases, the end time is equal to the begin time. NUMBER(13)
REPETITION The number of attacks. Sometimes a hacker may make a mass of attack attempts, which may be damped to one event by the log system. NUMBER(10)
APP_NAME The full path of the application involved. It may be empty if an unknown application is involved or no application is involved. For example, a ping of death DoS attack does not have an AppName because it attacks the OS itself. VARCHAR2(256)
EVENT_DESC Description of the event. Usually, first line of description is treated as “summary”. VARCHAR2(256)
EVENT_DATA Additional data in binary format. This field is optional. RAW
ALERT It reflects the alert attribute in profile action. It is true if action::alert is true. NUMBER(3)
SEND_SNMP_TRAP It reflects the send SNMP trap action. It is true if send is true. NUMBER(3)
LOCAL_HOST_MAC The MAC address of local computer. VARCHAR2(18)
REMOTE_HOST_MAC The MAC address of remote computer. VARCHAR2(18)
LOCATION_NAME The location used when event occurs. VARCHAR2(256)
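
An added example (not part of the Symantec guide) that turns raw Agent Security Log rows into report fields using the enumerations, severity bands and HACK_TYPE bits listed above, reading both of the rotating tables. It assumes that NUMBER(13) times are milliseconds since the Unix epoch and that IPv4 numbers carry the most significant octet first, neither of which the guide states. The sample rows are constructed, and the caller passes the symbolic event name because the guide gives no numeric EVENT_ID values.

```python
from datetime import datetime, timedelta, timezone
import ipaddress

# Enumerations taken from the Comments column of the Agent Security Log table.
TRAFFIC_DIRECTION = {0: "unknown", 1: "inbound", 2: "outbound"}
NETWORK_PROTOCOL = {1: "OTHERS", 2: "TCP", 3: "UDP", 4: "ICMP"}
SEVERITY_BANDS = ((0, 3, "Critical"), (4, 7, "Major"), (8, 11, "Minor"), (12, 15, "Info"))
# HACK_TYPE bit meanings per event name; every bit not listed must be zero.
HACK_TYPE_BITS = {
    "TSLOG_SEC_NO_AV": {0: "process is not running", 1: "signature is out of date",
                        2: "recovery was made"},
    "TSLOG_SEC_AV": {2: "recovery was made"},
}
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_utc(ms):
    # Assumption: NUMBER(13) time columns are milliseconds since the Unix epoch.
    return (EPOCH + timedelta(milliseconds=ms)).isoformat()


def to_ipv4(number):
    # Assumption: the address is a 32-bit integer, most significant octet first.
    # The mask also recovers values a driver returned as a signed 32-bit integer.
    return str(ipaddress.IPv4Address(number & 0xFFFFFFFF))


def severity_band(value):
    for low, high, name in SEVERITY_BANDS:
        if low <= value <= high:
            return name
    return "undefined"


def decode_hack_type(value, event_name):
    """Interpret HACK_TYPE for a symbolic event name (hypothetical lookup: the
    guide does not give the numeric EVENT_ID behind each TSLOG_SEC_* name)."""
    value &= 0xFFFFFFFF
    if event_name == "TSLOG_SEC_INTRUSION_DETECTED":
        return {"intrusion_id": value}
    bits = HACK_TYPE_BITS.get(event_name)
    if bits is None:
        return {"raw": value}
    defined = sum(1 << bit for bit in bits)
    return {
        "flags": [text for bit, text in sorted(bits.items()) if value >> bit & 1],
        # Reserved or undefined bits that are set point at a malformed row.
        "invalid_bits": value & ~defined & 0xFFFFFFFF,
    }


def decode_row(row, event_name):
    return {
        "logged_at": to_utc(row["TIME_STAMP"]),
        "severity": severity_band(row["SEVERITY"]),
        "direction": TRAFFIC_DIRECTION.get(row["TRAFFIC_DIRECTION"], "undefined"),
        "protocol": NETWORK_PROTOCOL.get(row["NETWORK_PROTOCOL"], "undefined"),
        "local_ip": to_ipv4(row["LOCAL_HOST_IP"]),
        "remote_ip": to_ipv4(row["REMOTE_HOST_IP"]),
        "hack_type": decode_hack_type(row["HACK_TYPE"], event_name),
        "attempts": row["REPETITION"],
    }


def merge_tables(first, second):
    """Rows for one log live in two physical tables that are filled in turn, so a
    report must read both. USN is not unique, so it only breaks ties here."""
    return sorted(first + second, key=lambda r: (r["TIME_STAMP"], r["USN"]))


# Constructed sample rows (not real log data), one per physical table.
TABLE_1 = [{"USN": 7, "TIME_STAMP": 1135000060000, "SEVERITY": 5,
            "TRAFFIC_DIRECTION": 1, "NETWORK_PROTOCOL": 2,
            "LOCAL_HOST_IP": 3232235777, "REMOTE_HOST_IP": -1062731518,
            "HACK_TYPE": 0x3, "REPETITION": 1}]
TABLE_2 = [{"USN": 7, "TIME_STAMP": 1135000000000, "SEVERITY": 2,
            "TRAFFIC_DIRECTION": 2, "NETWORK_PROTOCOL": 4,
            "LOCAL_HOST_IP": 167772161, "REMOTE_HOST_IP": 167772162,
            "HACK_TYPE": 0x9, "REPETITION": 40}]

if __name__ == "__main__":
    for row in merge_tables(TABLE_1, TABLE_2):
        print(decode_row(row, "TSLOG_SEC_NO_AV"))
```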

Agent System Log Schema
This table lists the database schema for the Agent System logs. There are actually two tables
for this schema. When logs are stored, the Policy Manager uses the first table until it is full.
It then switches to using the second table. The data in the first table is kept intact until the
second table fills. Then it starts to fill the first table again. This cycle is continuous.
Agent System Log
Column Name Comments Data Type
USN A USN-based serial number; this ID is not unique. NUMBER(13)
DOMAIN_ID GUID of the domain, which the log belongs to. CHAR(32)
SITE_ID GUID of the site, which the log belongs to. CHAR(32)
SERVER_ID GUID of the server, which the log belongs to. CHAR(32)
GROUP_ID GUID of the group, which the log belongs to. CHAR(32)
COMPUTER_ID GUID of the Agent computer, which the log belongs to. CHAR(32)
TIME_STAMP The time when the event is logged into system (GMT), which is server side time. NUMBER(13)
EVENT_ID An event ID from send Agent. NUMBER(10)
EVENT_TIME The event generated time (GMT). NUMBER(13)
SEVERITY The type of event. Could be: INFO = 0, WARNING = 1, ERROR = 2, FATAL = 3 NUMBER(10)
AGENT_ID GUID of the Agent. CHAR(32)
HARDWARE_KEY Hash of Computer Hardware information. CHAR(32)
HOST_NAME Host Name of Agent machine. VARCHAR2(256)
CATEGORY Reserved for future use. NUMBER(10)
EVENT_SOURCE The data source, such as NETPORT, NATSRV, etc. VARCHAR2(32)
EVENT_DESC Description of the event. Usually, first line of description is treated as “summary”. VARCHAR2(256)
EVENT_DATA Additional data in binary format. This field is optional. RAW
SEND_SNMP_TRAP It reflects the send SNMP trap action. It is true if send is true. NUMBER(3)
RESERVED_INT1 Reserved for future use NUMBER(10)
RESERVED_INT2 Reserved for future use NUMBER(10)
RESERVED_BIGINT1 Reserved for future use NUMBER(13)
RESERVED_BIGINT2 Reserved for future use NUMBER(13)
RESERVED_CHAR1 Reserved for future use CHAR(32)
RESERVED_CHAR2 Reserved for future use CHAR(32)
RESERVED_VARCHAR1 Reserved for future use VARCHAR2(260)
RESERVED_BINARY Reserved for future use RAW
Agent Traffic Log Schema
Not used in Symantec Network Access Control.
This table lists the database schema for the Agent Traffic logs. There are actually two tables
for this schema. When logs are stored, the Policy Manager uses the first table until it is full.
It then switches to using the second table. The data in the first table is kept intact until the
second table fills. Then it starts to fill the first table again. This cycle is continuous.
Agent Traffic Log
Column Name Comments Data Type
USN A USN-based serial number; this ID is not unique. NUMBER(13)
DOMAIN_ID GUID of the domain, which the log belongs to. CHAR(32)
SITE_ID GUID of the site, which the log belongs to. CHAR(32)
SERVER_ID GUID of the server, which the log belongs to. CHAR(32)
GROUP_ID GUID of the group, which the log belongs to. CHAR(32)
COMPUTER_ID GUID of the Agent computer, which the log belongs to. CHAR(32)
TIME_STAMP The time when the event is logged into system (GMT), which is server side time. NUMBER(13)
EVENT_ID An event ID from send Agent. NUMBER(10)
EVENT_TIME The event generated time (GMT). NUMBER(13)
SEVERITY It is severity defined in Security Rule. Critical 0 - 3, Major 4 - 7, Minor 8 - 11, Info 12 - 15 NUMBER(10)
AGENT_ID GUID of the Agent. CHAR(32)
HARDWARE_KEY Hash of Computer Hardware information. CHAR(32)
HOST_NAME Host Name of Agent machine. VARCHAR2(256)
LOCAL_HOST_IP The IP address of local computer (IPv4). NUMBER(10)
REMOTE_HOST_IP The IP address of remote computer (IPv4). NUMBER(10)
REMOTE_HOST_NAME The name of remote computer (it may be empty if name resolution failed). VARCHAR2(64)
NETWORK_PROTOCOL The protocol type: Enum (OTHERS = 1; TCP = 2; UDP = 3; ICMP = 4). NUMBER(3)
LOCAL_PORT The TCP/UDP port in local machine (host byte-order). It is only valid on TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP. For other events, it is always zero. NUMBER(10)
REMOTE_PORT The TCP/UDP port in remote machine (host byte-order). It is only valid on TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP. For other events, it is always zero. NUMBER(10)
TRAFFIC_DIRECTION The direction of traffic. Enum (unknown = 0; inbound = 1; outbound = 2) NUMBER(3)
BEGIN_TIME The begin time of security issue. NUMBER(13)
END_TIME The end time of security issue. End time is an optional field because we may fail to detect the exact end time of traffic, such as UDP. In those cases, the end time is equal to the begin time. NUMBER(13)
REPETITION The number of attacks. Sometimes a hacker may make a mass of attack attempts, which may be damped to one event by the log system. NUMBER(10)
APP_NAME The full path of the application involved. It may be empty if an unknown application is involved or no application is involved. For example, a ping of death DoS attack does not have an AppName because it attacks the OS itself. VARCHAR2(256)
BLOCKED Specifies whether the traffic was blocked. NUMBER(3)
RULE_ID The ID of the rule triggered by the event. It is always 0 if the rule ID is not specified in the security rule. The field is helpful for security rule troubleshooting. If multiple rules matched, it logs the rule that has the final decision on PacketProc (pass/block/drop). The CMS admin can know which rule allows or disallows the traffic. CHAR(32)
RULE_NAME The name of the rule triggered by the event. It is always an empty string if the rule name is not specified in the security rule. It is also for troubleshooting. In theory, the IT admin can know the rule by ID. However, the name gives the user a direct view of the rule that could be useful for QA troubleshooting and the standalone version of Trident. VARCHAR2(256)
ALERT It reflects the alert attribute in profile action. It is true if action::alert is true. NUMBER(3)
SEND_SNMP_TRAP It reflects the send SNMP trap action. It is true if send is true. NUMBER(3)
LOCAL_HOST_MAC The MAC address of local computer. VARCHAR2(18)
REMOTE_HOST_MAC The MAC address of remote computer. VARCHAR2(18)
LOCATION_NAME The location used when event occurs. VARCHAR2(256)
USER_NAME Login user name. VARCHAR2(256)
DOMAIN_NAME Login domain name. VARCHAR2(256)
RESERVED_INT1 Reserved for future use NUMBER(10)
RESERVED_INT2 Reserved for future use NUMBER(10)
RESERVED_BIGINT1 Reserved for future use NUMBER(13)
RESERVED_BIGINT2 Reserved for future use NUMBER(13)
RESERVED_CHAR1 Reserved for future use CHAR(32)
RESERVED_CHAR2 Reserved for future use CHAR(32)
RESERVED_VARCHAR1 Reserved for future use VARCHAR2(260)
RESERVED_BINARY Reserved for future use RAW
Basic Metadata Schema
This table lists basic metadata schema information.
Basic Metadata
Column Name Comments Data Type
CHECKSUM Checksum of XML content. CHAR(32)
CONTENT XML content of the schema object. LONG RAW
DELETED The deleted flag of the schema object: Deleted - 1, Not Deleted - 0 NUMBER(3)
ID* GUID of the schema object. CHAR(32)
OWNER GUID of the owner. This field only applies to private objects. CHAR(32)
TIME_STAMP Time the record was modified, used to resolve merge conflicts. NUMBER(13)
TYPE Type name of the schema object. VARCHAR2(256)
USN Update serial number. Used by replication. NUMBER(13)
DOMAIN_ID GUID of the domain that the object belongs to. SemRootConfig and SemSite do not have DOMAIN_ID. CHAR(32)
REF_ID Reference ID VARCHAR2(32)
NAME Name VARCHAR2(2000)
DESCRIPTION Description VARCHAR2(256)
LAST_MODIFY_TIME Date last modified NUMBER(13)
RESERVED_INT1 Reserved for future use NUMBER(10)
RESERVED_INT2 Reserved for future use NUMBER(10)
RESERVED_BIGINT1 Reserved for future use NUMBER(13)
RESERVED_BIGINT2 Reserved for future use NUMBER(13)
RESERVED_CHAR1 Reserved for future use CHAR(32)
RESERVED_CHAR2 Reserved for future use CHAR(32)
RESERVED_VARCHAR1 Reserved for future use VARCHAR2(260)
RESERVED_BINARY Reserved for future use RAW
*Indicates the primary key, PK_BASIC_METADATA
Binary File Schema
This table lists binary schema information.
Binary File
Column Name Comments Data Type
CHECKSUM Checksum of XML content. CHAR(32)
CONTENT XML content of the schema object. LONG RAW
DELETED The deleted flag of the schema object: Deleted - 1, Not Deleted - 0 NUMBER(3)
ID* GUID of the schema object. CHAR(32)
OWNER GUID of the owner. This field only applies to private objects. CHAR(32)
TIME_STAMP Time of the record modification, used to resolve merge conflicts. NUMBER(13)
TYPE Type name of the schema object. VARCHAR2(256)
USN Update serial number. Used by replication. NUMBER(13)
DOMAIN_ID GUID of the domain that the binary file belongs to. CHAR(32)
RESERVED_INT1 Reserved for future use NUMBER(10)
RESERVED_INT2 Reserved for future use NUMBER(10)
RESERVED_BIGINT1 Reserved for future use NUMBER(13)
RESERVED_BIGINT2 Reserved for future use NUMBER(13)
RESERVED_CHAR1 Reserved for future use CHAR(32)
RESERVED_CHAR2 Reserved for future use CHAR(32)
RESERVED_VARCHAR1 Reserved for future use VARCHAR2(260)
RESERVED_BINARY Reserved for future use RAW
*Indicates the primary key, PK_BINARY_FILE
Computer Application Schema
This table lists computer application schema.
Computer Application
Column Name Comments Data Type
AGENT_ID* GUID of the Agent. CHAR(32)
DOMAIN_ID* GUID of the domain, which the Agent belongs to. CHAR(32)
APP_HASH* Hash value of the learned application record. CHAR(32)
LOCATION_ID* GUID of the location. CHAR(32)
COMPUTER_ID GUID of the computer. CHAR(32)
GROUP_ID Group GUID in SEM5. CHAR(32)
LAST_ACCESS_TIME Last access time of the application on the computer (GMT). NUMBER(13)
USN Update serial number. Used by replication. NUMBER(13)
TIME_STAMP Time the record was modified, used to resolve merge conflicts. NUMBER(13)
DELETED The deleted flag of the schema object: Deleted - 1, Not Deleted - 0 NUMBER(3)
RESERVED_INT1 Reserved for future use NUMBER(10)
RESERVED_INT2 Reserved for future use NUMBER(10)
RESERVED_BIGINT1 Reserved for future use NUMBER(13)
RESERVED_BIGINT2 Reserved for future use NUMBER(13)
RESERVED_CHAR1 Reserved for future use CHAR(32)
RESERVED_CHAR2 Reserved for future use CHAR(32)
RESERVED_VARCHAR1 Reserved for future use VARCHAR2(260)
RESERVED_BINARY Reserved for future use RAW
*Indicates the primary key, PK_COMPUTER_APPLICATION
Enforcer Client Log Schema
This table lists the database schema for the Enforcer Client logs. There are actually two
tables for this schema. When logs are stored, the Policy Manager uses the first table until it is
full. It then switches to using the second table. The data in the first table is kept intact until
the second table fills. Then it starts to fill the first table again. This cycle is continuous.
Enforcer Client Log
Column Name Comments Data Type
USN A USN-based serial number; this ID is not unique. NUMBER(13)
DOMAIN_ID GUID of the domain, which the log belongs to. CHAR(32)
SITE_ID GUID of the site, which the log belongs to. CHAR(32)
TIME_STAMP The time when the event is logged into system (GMT), which is server side time. NUMBER(13)
EVENT_ID An event ID from send Agent. NUMBER(10)
EVENT_TIME The event generated time (GMT). NUMBER(13)
ENFORCER_ID GUID of the Enforcer. CHAR(32)
ENFORCER_TYPE Enforcer type. NUMBER(3)
CLIENT_ID Client IP address. CHAR(32)
REMOTE_HOST Remote host name. VARCHAR2(256)
ACTION Enforcer’s action on this client. Authenticated: Agent’s UID is correct. Rejected: Agent’s UID is wrong or there’s no Agent running. Disconnected: Agent disconnects from Enforcer or Enforcer service stops. Passed: Agent has passed host integrity check. Failed: Agent failed on host integrity check. VARCHAR2(256)
PERIOD The period in seconds Enforcer will take action on the client. Only valid when action is equal to Rejected and Disconnected. For other actions, this field must be 0. NUMBER(10)
EVENT_DESC Description of the event. Usually, first line of description is treated as “summary”. VARCHAR2(256)
REMOTE_HOST_MAC Remote Host MAC address. VARCHAR2(17)
REMOTE_HOST_INFO Remote Host information. VARCHAR2(128)
EXTENDED_INFO Additional information. VARCHAR2(1024)
RESERVED_INT1 Reserved for future use NUMBER(10)
RESERVED_INT2 Reserved for future use NUMBER(10)
RESERVED_BIGINT1 Reserved for future use NUMBER(13)
RESERVED_BIGINT2 Reserved for future use NUMBER(13)
RESERVED_CHAR1 Reserved for future use CHAR(32)
RESERVED_CHAR2 Reserved for future use CHAR(32)
RESERVED_VARCHAR1 Reserved for future use VARCHAR2(260)
RESERVED_BINARY Reserved for future use RAW

Enforcer System Log Schema
This table lists the database schema for the Enforcer System logs. There are actually two
tables for this schema. When logs are stored, the Policy Manager uses the first table until it is
full. It then switches to using the second table. The data in the first table is kept intact until
the second table fills. Then it starts to fill the first table again. This cycle is continuous.
Enforcer System Log
Column Name Comments Data Type
USN A USN-based serial number; this ID is not unique. NUMBER(13)
SITE_ID GUID of the site, which the log belongs to. CHAR(32)
TIME_STAMP The time when the event is logged into system (GMT), which is server side time. NUMBER(13)
EVENT_ID An event ID from send Agent. NUMBER(10)
EVENT_TIME The event generated time (GMT). NUMBER(13)
ENFORCER_ID GUID of the enforcer. CHAR(32)
ENFORCER_TYPE Enforcer type. NUMBER(3)
SEVERITY The type of event. Could be: INFO = 0, WARNING = 1, ERROR = 2, FATAL = 3. NUMBER(10)
EVENT_DESC Description of the event. Usually, first line of description is treated as “summary”. VARCHAR2(256)
RESERVED_INT1 Reserved for future use NUMBER(10)
RESERVED_INT2 Reserved for future use NUMBER(10)
RESERVED_BIGINT1 Reserved for future use NUMBER(13)
RESERVED_BIGINT2 Reserved for future use NUMBER(13)
RESERVED_CHAR1 Reserved for future use CHAR(32)
RESERVED_CHAR2 Reserved for future use CHAR(32)
RESERVED_VARCHAR1 Reserved for future use VARCHAR2(260)
RESERVED_BINARY Reserved for future use RAW
