What are the custom events generated by EventTracker?

The following events are logged with Event Source = EventTracker. Each entry lists the Event ID followed by the event description; %1, %2 and so on are insertion strings filled in when the event is logged, and <Value> marks a field whose content depends on the object being changed.
2001 The EventTracker Manager service was started.
2002 EventTracker Agent on %1 is running and okay.
2003 Accepted EventTracker Viewer connection from %1.
2004 The EventTracker Viewer from %1 was disconnected.
2005 The EventTracker Manager Console was started.
2006 EventTracker Agent on %1 was not running. Restarted successfully.
2007 EventTracker Agent on %1 is not running. Failed to restart.
2008 Detected system %1 is not reachable. No reply received on ping poll.
2009 Detected system %1 is reachable. Reply received on ping poll.
2010 Number of events in the database exceeded %1. Please purge the database or you may see slow performance of EventTracker software.
2011 System %1 may be generating a high number of events. Please filter unnecessary events emitted from this system.
2012 Scheduled Report: %1 was generated and emailed successfully.
2013 Scheduled Report: %1 was not generated. Please cross-check configuration.
2014 Archival of old events done successfully. Status %1.
2015 Archival of old events failed. Status %1.
2016 Archive CAB integrity check failed.
CAB Name:%1
MDB Name:%2
2017 Archive CAB integrity check successful. CAB Name: %1 MDB Name: %2
2018 Archive CAB extraction failed. Unable to proceed with verification.
CAB Name:%1
MDB Name:%2
2019 Archive CAB extraction success. CAB Name: %1 MDB Name: %2
2020 Archive CAB integrity check process started.
2021 Archive CAB integrity check process completed.
Total CABs Processed:%1
CABs Passed:%2
CABs Failed:%3
2022 Knowledge base file for suspicious network activity downloaded successfully.
2023 Failed to download knowledge base file for suspicious network activity, due to %1.
2024 System running out of disk space to process Scheduled Reports.
2025 Collection Point Success: Issdbv3 successfully sent to Collection Master at: suppserver.
2026 Collection Point Error: Unable to Connect to Collection Master at: %1. Error code : 10061
OR Collection Point Error: Network Connection lost with Collection Master Ip Address %1. Error code : 0
2027 Collection Master Success: Alerts Cache DB successfully received from %1
OR Collection Point Error: Network Connection lost with Collection Master Ip Address %1. Error code : 0
2028 Collection Master Error: Unable to connect to CollectionPointInfo.mdb database. OR
Collection Master Error: Socket API : send failed. Error code : 10054. OR
Collection Master Error: SQL Statement %1 Error code : 0
2029 Notification: Report file deletion. Following file ‘report file’ created on ‘date’ will be deleted on ‘date’, so please take a backup of the file if required. ‘Full path of report file’
2030 Could not find EventTracker Receiver configuration file. Retrieved from the previous version.
2031 Could not find EventTracker Receiver configuration file or any of its previous versions. Using default configurations.
2032 EventTracker configurations modified on for the sections.
2033 Type: Backup/Restore
Status: Success/Failed/Interrupted
Log: Xml Format (with each backup/restore element status).
2036 Scheduled Report: %1.
Error Code:%2
The table could not be found.
EventTracker will automatically retry to generate this report.
2037 Detected out of ordinary activity:
Event ID: %1
Number of activities in 24 hours: %2
Normal average: %3
Variation in%: %4
2038 Detected out of ordinary activity:
Event ID: %1
Number of activities in 24 hours: %2
Normal average: %3
Variation in%: %4
2039 Successfully purged the old data.
Purge Frequency in days: %1
Purged the data till: %2
2040 New activity found:
Event ID: %1
System: %2
Time:%3
2041 This event is logged when a report is broken into parts because of a large volume of data.
Description :
Queue Id: %1
Report Title: Logs-Detail
Original Queue Type: Queued/Schedule
Original Start Time: %2
Original End Time: %3
Truncate End Time: %4
2042 Agent Configuration update attempted on %1
User: Domain/Username
Status: Failed/Success
Reason: Descriptive msg for failure with error codes etc (applicable only for failures)
2043 No events received from %1 in last 24 hours
2044 SNMP Get failed for the server %1
2045 Vulnerability parser source: QualysParser.exe
Found host name=%1,IPAddress=%2, FQDN=%4, NetBIOS Name=, DNS name=, Vulnerability value=%5 and StartTime=%6
2046 Agent DLA file receive attempt
Agent: %1
File: %2
Status: %3
2047 Configuration Assessment (SCAP) attempt
Agent: %1 (In case of failure in forming the input file, all machine names will come here)
BenchmarkTitle: %2
Status: Success/Failed
Reason: Descriptive message for failure with error codes etc
2048 Direct log archiver (success/failed) purged the following log files:
Folder Name: %1
Files: <list of files>
Configured days: %3
2049 Failed to import the SCAP content from .
User: %1
ERROR – description of error
2050 EventTracker patch applied
2051 Failed to commit CAB file on EventVault.
File Name: %1
Storage Path: %2
Error Code: %3
Description: %4
2052 Generated by the receiver when alert suppression occurs.
2053 Scheduled Discovery invoked.
2054 Scheduled Discovery Completed.
2056 Generated with EventTracker backup status
2057 Generated with EventTracker restore status
2059 Usage data submission requested.
2061 Scheduled report generated successfully
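
The manager health events above (2006 to 2009 and 2043) are the signals that a log source has gone dark, which is exactly what an attacker who stops the agent or firewalls the host produces. The following is an added example, not part of the EventTracker documentation or product: it replays those events in time order and reports which systems are still unmonitored, with 2006 clearing 2007 and 2009 clearing 2008. The record layout, the reason strings, the rule that any later event logged by a host clears its 2043, and the sample records are all assumptions of the example.

```python
"""Track which monitored systems are currently dark (not feeding the manager).

Added example for this page; it is not EventTracker code. It replays the manager
health events 2006-2009 and 2043 and keeps a per-system set of open conditions.
The record layout (dict with time/id/source/computer/desc), the reason texts and
the sample records are this example's own assumptions.
"""
import re

# Event IDs that raise a condition (text is ours) and the IDs that clear them.
RAISE = {
    2007: "agent down, restart failed",
    2008: "host unreachable on ping poll",
    2043: "no events received in 24 hours",
}
CLEAR = {2006: 2007, 2009: 2008}  # 2006 clears 2007, 2009 clears 2008

# The %1 insertion string in each description is the system name.
SYSTEM_RE = {
    2006: re.compile(r"EventTracker Agent on (\S+) was not running"),
    2007: re.compile(r"EventTracker Agent on (\S+) is not running"),
    2008: re.compile(r"Detected system (\S+) is not reachable"),
    2009: re.compile(r"Detected system (\S+) is reachable"),
    2043: re.compile(r"No events received from (\S+) in last 24 hours"),
}


def blind_spots(records):
    """Replay records in time order; return {system: {event_id: (reason, since)}} still open.

    2043 has no clearing event in the list, so it is cleared here by the next record
    of any kind logged by that computer (an assumption of this example).
    """
    dark = {}
    for rec in sorted(records, key=lambda r: r["time"]):  # ISO-8601 strings sort correctly
        host = rec["computer"].lower()
        pattern = SYSTEM_RE.get(rec["id"]) if rec["source"] == "EventTracker" else None
        if pattern is None:
            # Not a health signal: its arrival proves the feed from this computer is alive.
            if host in dark:
                dark[host].pop(2043, None)
            continue
        m = pattern.search(rec["desc"])
        if not m:
            continue
        system = m.group(1).rstrip(".").lower()
        if rec["id"] in RAISE:
            dark.setdefault(system, {})[rec["id"]] = (RAISE[rec["id"]], rec["time"])
        else:
            dark.get(system, {}).pop(CLEAR[rec["id"]], None)
    return {s: open_ for s, open_ in dark.items() if open_}


# Constructed sample records, not from a real deployment.
SAMPLE = [
    dict(time="2024-03-01T08:00:00", id=2008, source="EventTracker", computer="ETMGR01",
         desc="Detected system FILESRV02 is not reachable. No reply received on ping poll."),
    dict(time="2024-03-01T08:05:00", id=2007, source="EventTracker", computer="ETMGR01",
         desc="EventTracker Agent on WKSTN-117 is not running. Failed to restart."),
    dict(time="2024-03-01T08:10:00", id=2043, source="EventTracker", computer="ETMGR01",
         desc="No events received from DC01 in last 24 hours"),
    dict(time="2024-03-01T08:20:00", id=2009, source="EventTracker", computer="ETMGR01",
         desc="Detected system FILESRV02 is reachable. Reply received on ping poll."),
    dict(time="2024-03-01T08:25:00", id=4624, source="Microsoft-Windows-Security-Auditing",
         computer="DC01", desc="An account was successfully logged on."),
    dict(time="2024-03-01T08:30:00", id=2006, source="EventTracker", computer="ETMGR01",
         desc="EventTracker Agent on WKSTN-118 was not running. Restarted successfully."),
]

if __name__ == "__main__":
    for system, conditions in blind_spots(SAMPLE).items():
        for eid, (reason, since) in conditions.items():
            print(f"{system}: {reason} (Event ID {eid}, since {since})")
```

Run over the sample, only WKSTN-117 remains dark: FILESRV02 was cleared by its 2009, and DC01 by the first event it logged itself. Feeding the function a real export (for instance the Application log filtered to Event Source EventTracker plus the raw feed) gives the list of hosts whose absence from reports should be explained before they are trusted.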
2100 A category group was created in the EventTracker application

User Information
Account Name : <read from session>
Account Domain: <Current Domain>

Network Information
Client Address: <IP Address>
Client Browser :< browser from which app is run>

Configuration Information

Name : <Value>
Parent: <Value>

2101 A category group was modified in the EventTracker application

User Information
Account Name : <read from session>
Account Domain: <Current Domain>

Network Information
Client Address: <IP Address>
Client Browser :<browser from which app is run>

Configuration Information

Old value

Name : <Value>

New value

Name : <Value>

2102 A category group was deleted in the EventTracker application

User Information
Account Name : <read from session>
Account Domain: <Current Domain>

Network Information
Client Address: <IP Address>
Client Browser :< browser from which app is run>

Configuration Information

Name : <Value>

2103 A category group was moved in the EventTracker application

User Information
Account Name : <read from session>
Account Domain: <Current Domain>

Network Information
Client Address: <IP Address>
Client Browser :< browser from which app is run>

Configuration Information

Name : <Value>

Old value

Parent: <Value>

New value

Parent : <Value>

2104 A category was created in the EventTracker application

User Information
Account Name : <read from session>
Account Domain: <Current Domain>

Network Information
Client Address: <IP Address>
Client Browser :< browser from which app is run>

Configuration Information

Name : <Value>
Parent: <Value>
Description: <Value>

Event Details:
Rule <1>
<event information here. >

2105 A category was modified in the EventTracker application

User Information
Account Name : <read from session>
Account Domain: <Current Domain>

Network Information
Client Address: <IP Address>
Client Browser :< browser from which app is run>

Configuration Information

Name : <Value>
Parent: <Value>

Old value

Description: <Value>

Event Details:
Rule <1>
<event information here.>

New value

Description: <Value>

Event Details:
Rule <1>
<event information here. >

2106 A category was deleted in the EventTracker application

User Information
Account Name : <read from session>
Account Domain: <Current Domain>

Network Information
Client Address: <IP Address>
Client Browser :< browser from which app is run>

Configuration Information

Name : <Value>

2111 A behavior rule was added in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:

Rule Name: <Rule Name>
Show For:<Value>
Breakup Column Name: <Value>
Breakup Display Name: <Value>
Breakup Separator: <Value>
Breakup Terminator: <Value>

Process Rule <Rule Number>
Process Column Name: <Value>
Process Display Name:<Value>
Separator: <Value>
Terminator: <Value>

Event Rule <Rule Number>
Log Type: <Value>
Event Type: <Value>
Category: <Value>
Event ID:<Value>
Source: <Value>
User: <Value>
Description: <Value>
Description Exception:<Value>

2112 A behavior rule was inactivated in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:

Old value
Rule Name: <Value>
Active: <Value>

New value
Rule Name: <Value>
Active: <Value>

2113 Modified the behavior settings configuration information in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:

Old value
User Event Threshold : <Value>
Purge user data older than : <Value>
Behaviour Event Threshold : <Value>
Behaviour Correlation Threshold : <Value>
Behaviour Learning Period Value : <Value>
Top activities displayed : <Value>
Enterprise activity interval : <Value>
DNS Url : <Value>
ProcessLib : <Value>
Monitor enterprise activity : Yes/No
Select Purge user data older than : <Value>
User Behaviour Correlation Monitoring : Yes/No
Behaviour Learning Period : <Value>
Select DNS : <Value>
Select Process : <Value>

New value
User Event Threshold : <Value>
Purge user data older than : <Value>
Behaviour Event Threshold : <Value>
Behaviour Correlation Threshold : <Value>
Behaviour Learning Period Value : <Value>
Top activities displayed : <Value>
Enterprise activity interval : <Value>
DNS Url : <Value>
ProcessLib : <Value>
Monitor enterprise activity : Yes/No
Select Purge user data older than : <Value>
User Behaviour Correlation Monitoring : Yes/No
Behaviour Learning Period : <Value>
Select DNS : <Value>
Select Process : <Value>

2114 IP lookup reputation website added.

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Display Name:<Value>
Url:<Value>

2115 IP lookup reputation website updated.

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Display Name:<Value>
Url:<Value>

2116 IP lookup reputation website deleted.

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Display Name:<Value>
Url:<Value>

2117 IP lookup reputation website Deactivated.

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Display Name: <Value>
Url: <Value>

2118 A behavior rule was deleted in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:

Rule Name: <Value>

2119 Existing baseline of behavior learning reset

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Behaviour baseline: Reset

2121 Weightage was added for a <category/Event Type/Log Type/Keyword/Event ID/Event Source/User> in EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information
Name : <Value>
Weightage: <Value>

2122 Weightage was modified for a <category/Event Type/Log Type/Keyword/Event ID/Event Source/User> in EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information

Old Value
Name : <Value>
Weightage: <Value>

New Value
Name : <Value>
Weightage:<Value>

2123 Weightage was deleted for a <Keyword/Event ID/Event Source/User> in EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information

Name : <Value>
Weightage: <Value>

2131 Modified the EventVault configuration information in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:

Old value
ArchiveFrequency: <Value>
ArchivePath: <Value>
ArchivePurgeFrequency: <Value>

New value
ArchiveFrequency: <Value>
ArchivePath: <Value>
ArchivePurgeFrequency: <Value>

2136 An EventVault Explorer configuration was modified in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Old configuration:
SQL Server Enterprise: <Value>
Max history count: <Value>
New configuration:
SQL Server Enterprise: <Value>
Max history count: <Value>

2137 Persisted data was purged from EventTracker.

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Report name: <Value>
Purge From Datetime: <Value>
Purge To Datetime: <Value>

2141 A Collection Master was added in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:

New value
Destination Name:<Value>
PortNo:<Value>
Description:
Active: <Value>
QueueCabs: <Value>
Encrypt Data: <Value>

2142 A Collection Master was modified in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Old value:
Destination Name: <Value>
PortNo: <Value>
Description::
Active: <Value>
Encrypt Data: <Value>

New value
Destination Name:<Value>
PortNo:<Value>
Description:
Active: <Value>
QueueCabs: <Value>
Encrypt Data: <Value>

2143 A Collection Master was deleted in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:

Collection Master:<Value>

2147 Collection Point deleted successfully.

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Collection Point Name: <Value>
Collection Point Display Name: <Value>

2148 A Collection Master CAB was deleted in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:

Cab Name:<Value>

2151 A Behavior filter list was added in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:

New value
Behavior Type:<Value>
Behavior Filter:<Value>

2152 A Behavior filter list was modified in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:

Old value
Behavior Type:<Value>
Behavior Filter:<Value>
New value
Behavior Type:<Value>
Behavior Filter:<Value>

2153 A Behavior filter list was deleted in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:

Behavior Type:<Value>
Behavior filter:<Value>

2161 A new entry has been added in DLA configuration by the EventTracker application.

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Configuration name: <Value>
Field separator: <Value>
Logfile extension: <Value>
Logfile folder: <Value>
Log type: <Value>

2162 An entry has been modified in DLA configuration by the EventTracker application.

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Configuration name
Old value: <Value>
New value: <Value>

2163 DLA entries have been deleted in Manager configuration by the EventTracker application.

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Configuration name: <Value>
Field separator: <Value>
Logfile extension: <Value>
Logfile folder: <Value>
Log type: <Value>

2164 Port information was added in Netflow Receiver by EventTracker application.

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Port number: <Value>
Drop rate: <Value>
Decode packet: <Value>
Record binary: <Value>

2165 Port information was modified in Netflow Receiver by EventTracker application.

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Old Value
Port number: <Value>
Drop rate: <Value>
Decode packet: <Value>
Record binary: <Value>
New Value
Port number: <Value>
Drop rate: <Value>
Decode packet: <Value>
Record binary: <Value>

2166 Port was deleted from Netflow Receiver in EventTracker application.

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Deleted Port details
Port number: <Value>
Drop Rate: <Value>
Decode Packet: <Value>
Record Binary: <Value>

2167 Syslog port has been added in EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
A new syslog port is added
Receiver port number: <Value>
Description: <Value>
Cache path: <Value>
Override archive purge frequency: <Value>

2168 Syslog port has been modified in EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Old value
Receiver port number: <Value>
Description: <Value>
Cache path: <Value>
Override archive purge frequency: <Value>
New value
Receiver port number: <Value>
Description: <Value>
Cache path: <Value>
Override archive purge frequency: <Value>
Archive purge frequency: <Value>

2169 Syslog port has been deleted in EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Deleted syslog port details
Receiver port number: <Value>
Description: <Value>
Cache path: <Value>
Override archive purge frequency: <Value>
Archive purge frequency: <Value>

2170 VCP port has been added in EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
A new VCP port is added
Port number: <Value>
Description: <Value>
Cache path: <Value>
Override archive purge frequency: <Value>
Archive purge frequency: <Value>

2171 VCP port has been added in EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
A new VCP port is added
Port number: <Value>
Description: <Value>
Cache path: <Value>
Override archive purge frequency: <Value>
Archive purge frequency: <Value>

2172 VCP port has been deleted in EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Deleted VCP port details
Port number: <Value>
Description: <Value>
Cache path: <Value>
Override archive purge frequency: <Value>
Archive purge frequency: <Value>

2173 Manager configuration information has been modified in EventTracker application.

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Netflow receiver
Old value: <Value>
New value: <Value>

2174 Email configuration has been modified in EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
SMTP Server
Old value: <Value>
New value: <Value>

2181 Report settings have been modified in EventTracker application.

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information:
Report header
Old value: <Value>
New value: <Value>

2191 A system group was added in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information

Name : <Value>
Description: <Value>
Group with Systems based on
<System Type:/IP Subnet:/Selected Systems:> <values here>

2192 A system group was deleted in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information

Name : <Value>

2193 A system group was modified in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information

Name : <Value>

Old value

Description: <Value>
Systems: <Value>

New value
Description: <Value>
Systems: <Value>

2194 A system was assigned an asset value in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information

Name : <Value>

Old value

Asset value: <Value>

New value

Asset value: <Value>

2196 A system was deleted in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information

Name : <Value>

2197 A system’s agent components were removed in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information

Name : <Value>

2209 An incident was acknowledged in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information
Incident Name: <Value>
Event ID:<Value>
Event Time:<Value>
Event Source:<Value>
Log Type:<Value>
Event Type: <Value>
User:<Value>
Description:<Value>
Risk Value:<Value>
Risk Description:<Value>

2210 An incident was un-acknowledged in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information
Incident Name: <Value>
Event ID:<Value>
Event Time:<Value>
Event Source:<Value>
Log Type:<Value>
Event Type: <Value>
User:<Value>
Description:<Value>
Risk Value:<Value>
Risk Description:<Value>

2211 An Alert was added in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information
Name : <Value>
Threat level: <Value>
Threshold level: <Value>
Status: <Active/Inactive>

Event Details:
Rule <Number>
<event information here. Repeat for as many entered.>

Event Filters:
Rule <Number>
<event information here. Repeat for as many entered.>

Custom Details:
<custom information here>

Groups/Systems:
<Groups/systems selected here>

Actions:

E-mail
<details here>

RSS:
<details here>

Beep:
<details here>

Net Message:
<details here>

SNMP:
<details here>

Syslog:
<details here>

Agent Remedial Action:
<details here>

Console Remedial Action:
<details here>

2212 An alert was deleted in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information

Name : <Value>

2213 An alert was <Activated/Inactivated> in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information

Name : <Value>
Status: Active/Inactive

2214 An action was modified for an alert in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information

Name : <Value>

Old Value

Actions:
<E-mail:/RSS:/Beep:/Net Message:/SNMP:/Syslog:/Agent Remedial Action:/Console Remedial Action:>
<details here>

New value

<E-mail:/RSS:/Beep:/Net Message:/SNMP:/Syslog:/Agent Remedial Action:/Console Remedial Action:>
<details here>

2215 An Alert was modified in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information

Old Value

Name : <Value>
Threat level: <Value>
Threshold level: <Value>
Status: <Active/Inactive>

Event Details:
Rule <Number>
<event information here. Repeat for as many entered.>

Event Filters:
Rule <Number>
<event information here. Repeat for as many entered.>

Custom Details:
<custom information here>

Groups/Systems:
<Groups/systems selected here>

Actions:

E-mail
<details here>

RSS:
<details here>

Beep:
<details here>

Net Message:
<details here>

SNMP:
<details here>

Syslog:
<details here>

Agent Remedial Action:
<details here>

Console Remedial Action:
<details here>

New value

Name : <Value>
Threat level: <Value>
Threshold level: <Value>
Status: <Active/Inactive>

Event Details:
Rule <Number>
<event information here. Repeat for as many entered.>

Event Filters:
Rule <Number>
<event information here. Repeat for as many entered.>

Custom Details:
<custom information here>

Groups/Systems:
<Groups/systems selected here>

Actions:

E-mail
<details here>

RSS:
<details here>

Beep:
<details here>

Net Message:
<details here>

SNMP:
<details here>

Syslog:
<details here>

Agent Remedial Action:
<details here>

Console Remedial Action:
<details here>
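
The 21xx and 22xx audit events above share one layout: a summary line, then User Information, Network Information and Configuration Information sections, the last with Old value/New value subsections when something was modified. An added example follows (not EventTracker code) that parses that layout and flags the changes a defender most wants reviewed: an alert deleted (2212) or inactivated (2213), the EventVault archive path or purge frequency changed (2131), or a Collection Master saved with Encrypt Data set to No (2141/2142). The review rules, their wording and the sample descriptions are the example's own assumptions.

```python
"""Flag SIEM configuration changes that weaken monitoring.

Added example for this page, not EventTracker code. It parses the structured
description used by the 21xx/22xx audit events (User / Network / Configuration
Information, with Old value / New value subsections) and applies a few review
rules. The rules, their wording and the sample descriptions are assumptions.
"""
import re

SECTION_RE = re.compile(r"^(User|Network|Configuration) Information:?$")
SUBSECTION_RE = re.compile(r"^(Old|New) (?:[Vv]alue|configuration):?$")


def parse_audit(desc):
    """Return {'summary', 'user': {}, 'network': {}, 'config': {'': {}, 'old': {}, 'new': {}}}."""
    lines = [line.strip() for line in desc.strip().splitlines()]
    out = {"summary": lines[0], "user": {}, "network": {},
           "config": {"": {}, "old": {}, "new": {}}}
    section, sub = None, ""
    for line in lines[1:]:
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, sub = m.group(1).lower(), ""
            continue
        m = SUBSECTION_RE.match(line)
        if m and section == "configuration":
            sub = m.group(1).lower()
            continue
        # Split on the first colon only: values such as 'Name : Security: Audit log
        # cleared' contain colons of their own.
        key, colon, value = line.partition(":")
        if not colon or section is None:
            continue
        target = out["config"][sub] if section == "configuration" else out[section]
        target[key.strip()] = value.strip()
    return out


def risky_changes(event_id, desc):
    """Return human-readable findings; empty list when the change is benign."""
    ev = parse_audit(desc)
    who = f'{ev["user"].get("Account Domain", "?")}\\{ev["user"].get("Account Name", "?")}'
    src = ev["network"].get("Client Address", "?")
    cfg, findings = ev["config"], []
    if event_id == 2212:
        findings.append(f"alert '{cfg[''].get('Name')}' deleted")
    elif event_id == 2213 and cfg[""].get("Status", "").lower() == "inactive":
        findings.append(f"alert '{cfg[''].get('Name')}' disabled")
    elif event_id == 2131:
        # Moving the archive or shortening its retention shrinks the forensic window.
        for key in ("ArchivePath", "ArchivePurgeFrequency"):
            if cfg["old"].get(key) != cfg["new"].get(key):
                findings.append(f"EventVault {key}: {cfg['old'].get(key)} -> {cfg['new'].get(key)}")
    elif event_id in (2141, 2142) and cfg["new"].get("Encrypt Data", "").lower() in ("no", "false", "0"):
        findings.append(f"Collection Master '{cfg['new'].get('Destination Name')}' sends data unencrypted")
    return [f"{f} by {who} from {src}" for f in findings]


# Constructed sample descriptions; the Event ID is a separate field of the record.
SAMPLE_2213 = """An alert was Inactivated in the EventTracker application

User Information:
Account Name: jsmith
Account Domain: CORP

Network Information:
Client Address: 10.20.30.40
Client Browser Version: Firefox 115

Configuration Information

Name : Security: Audit log cleared
Status: Inactive
"""

SAMPLE_2131 = r"""Modified the EventVault configuration information in the EventTracker application

User Information:
Account Name: svc_backup
Account Domain: CORP

Network Information:
Client Address: 10.20.30.41
Client Browser Version: Chrome 120

Configuration Information:

Old value
ArchiveFrequency: 1
ArchivePath: D:\EventVault
ArchivePurgeFrequency: 365

New value
ArchiveFrequency: 1
ArchivePath: C:\Temp
ArchivePurgeFrequency: 7
"""

if __name__ == "__main__":
    for eid, desc in ((2213, SAMPLE_2213), (2131, SAMPLE_2131)):
        for finding in risky_changes(eid, desc):
            print(f"[{eid}] {finding}")
```

Because these events carry the account, the client address and both the old and new values, a finding can be routed straight to the person who made the change; the same parser also serves for 2193 (system group modified) or 2214 (alert action modified) if more rules are added.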

3201 Detected free space in drive <drive:> is less than N percent. Disk Size: X MB, Free: Y MB
3202 Detected Service <Service Name> is not running.
3203 Detected Service <Service Name> was restarted successfully.
3204 Detected Service <Service Name> could not be restarted.
3206 Detected High Memory Usage. More than N percent in use for last X seconds. Peak Memory: Q percent. Total Physical: Y MB, Total Paging: Z MB, Avail Physical: B MB, Avail Paging: C MB.
3207 Detected High Cpu Usage. More than N percent in use for last X seconds.
3208 Detected software <Some S/W> has been installed on this system.
3209 Detected software <Some S/W> has been uninstalled from this system.
3210 <Some Log> Event Log is near to its maximum log size. Take administrative actions. Maximum Log Size : X Kilobytes, Current Log Size : Y Kilobytes.
3211 <Some Log> Event Log has already reached its maximum log size. New events cannot be logged. Take administrative actions. Maximum Log Size : X Kilobytes.
3212 <Some Log> Event Log has reached its maximum size. EventTracker has backed up to <Backup File> and reset the event log.
3213 Detected disk usage for drive X: is back to below configured threshold limit. Disk Size: Y MB, Free: Z MB
3214 Detected Service <Service Name> is now running.
3215 Detected Memory usage is back to below configured threshold limit. Peak Memory: N percent. Total Physical: W MB, Total Paging: X MB, Avail Physical: Y MB, Avail Paging: Z MB.
3216 Detected Cpu usage is back to below configured threshold limit. Current cpu usage is N percent.
3217 Process <Process Name> has crossed the memory usage limit of N megabytes. Actual Use: M Megabytes
3218 Process <Process Name> has crossed the CPU usage limit of X%. Actual Use: Y%
3219 The memory usage by process <Process Name> is now normal and below the usage limit of X megabytes. Actual Use: Y Megabytes
3220 The CPU usage by process <Process Name> is now normal and below the usage limit of X%. Actual Use: Y%
3221 App Open: Exe: <Exe Name> Name: <App Name> Description: <App Description> Version: <App Version> Vendor: <App Vendor> PID: <Process ID>
3222 App Close: Exe: <Exe Name> Name: <App Name> PID: <Process ID>
3223 TCP connection ESTABLISHED
Type: TCP
Status: New
Local Address: <Local Addr>
Local Port: <Local Port>
Remote Address: <Remote Address>
Remote Port: <Remote Port>
Connection State: <State>
Process Name: <Process Name>
3224 TCP connection MODIFIED
Type: TCP
Status: Changed
Local Address: <Local Address>
Local Port: <Local Port>
Remote Address: <Remote Address>
Remote Port: <Remote Port>
New Connection States: <State>
Old Connection States: <State>
Process Name: <Process Name>
3225 TCP connection DISCONNECTED
Type: TCP
Status: Deleted
Local Address: <Local Address>
Local Port: <Local Port>
Remote Address: <Remote Address>
Remote Port: <Remote Port>
Connection active time: %<N> secs
Last known Connection State: <State>
Process Name: <Process Name>
3226 UDP connection ESTABLISHED
Type: UDP
Status: New
Local Address: <Local Address>
Local Port: <Local Port>
Process Name: <Process Name>
3227 UDP connection DISCONNECTED
Type: UDP
Status: Deleted
Local Address: <Local Address>
Local Port: <Local Port>
Connection active time: %<N> secs
Process Name: <Process Name>
3228 Detected new drive <H:>
Volume Label:
Volume Serial No: 553439901
Volume ID: \\?\Volume{a6f19931-6ce9-11dd-8f6f-0013d38afad4}\
Type: Removable
File System: FAT32
Network Volume: No
Description: Change affects physical device or drive.
3229 Drive <H:> removed.
Network Volume: No
Description: Change affects physical device or drive.
3230 Descr: FILE: <File Name>
TYPE: <File Type>
FIELD: <Search String>
ENTRY: <Record Found>
3231 The agentless client <%s> could not be accessed for the last %d poll attempts. Please take administrative action.
3232 Disk space availability
Drive C:, Disk Size: 20000 MB, Free: 10980 MB, Free(in percent): 54
Drive D:, Disk Size: 76316 MB, Free: 58921 MB, Free(in percent): 77
Drive E:, Disk Size: 18161 MB, Free: 5109 MB, Free(in percent): 28
Drive G:, Disk Size: 38475 MB, Free: 3482 MB, Free(in percent): 9
Drive H:, Disk Size: 199996 MB, Free: 7782 MB, Free(in percent): 3
3233 action: monitor
orig:
i/f_dir: inbound
i/f_name: RTL8023xp7
uuid: <00000000,00000000,00000000,00000000>
product: SmartDefense
__policy_id_tag: product=VPN-1 & FireWall-1[db_tag={A46E46F9-5E4A-4D14-B716-84ED6CB4D88B};mgmt=123-mar_mgmt;date=1180443405;policy_name=Standard]
Attack Info: Non MD5-authenticated RIP Protocol Detected on Connection
attack: RIP Enforcement Violation
SmartDefense profile: Default_Protection
src: 192.164.1.1
s_port: rip
dst: 192.164.1.255
service: rip
proto: udp
3234 Received Remedial action request for <Action Type> action.
3235 Agent <Agent System Name> : Successfully initiated <Action Type> action.
3236 Agent <Agent System Name> : Failed to initiate <Action Type> Remedial action.
3237 Agent <Agent System Name> : Remedial action is disabled at the agent side. Ignoring the request. Remedial Action: Restart Service (1) action.
3238 Matched Remedial action on Manager.
3239 USB Monitoring started for H:\
Volume Label:
Volume Serial No: 553439901
Volume ID: \\?\Volume{a6f19931-6ce9-11dd-8f6f-0013d38afad4}\
Type: Removable
File System: FAT32
Network Volume: No
Description: Change affects physical device or drive.
Console User:
Active Users:
3240 USB Monitoring stopped for H:\
Volume Label:
Volume Serial No: 1918040687
Volume ID: \\?\Volume{bf4b109d-44f2-11dd-b2fb-00148549755f}\
Type: Removable
File System: FAT32
Network Volume: No
Description: Change affects physical device or drive.
Console User:
Active Users:
No files added or modified or deleted.
3241 EventTracker has backed up the log file :Security: because its offset has been lost. The backed up file is stored in the following directory F:\Program Files\Prism Microsystems\EventTracker\Agent\SPIDER\Eventlog_1217928508.evt for further analysis. For EventTracker to continue the main log file will be cleared.
3242 Media drive <H:> is disabled by EventTracker. Please contact your system administrator.
Volume Label:
Volume Serial No: 553439901
Volume ID: \\?\Volume{a6f19931-6ce9-11dd-8f6f-0013d38afad4}\
Type: Removable
File System: FAT32
Network Volume: No
Description: Change affects physical device or drive.
3243 Error ejecting removable device F:
3244 Direct log archiver started processing.
3245 Direct log archiver successfully processed the following files:
C:\LogFiles\W3SVC1\ex070709.log
C:\LogFiles\W3SVC1\ex070710.log
C:\LogFiles\W3SVC1\ex070712.log
3246 Direct log archiver stopped processing.
Total number of files processed: No files are available for processing.
OR
Direct log archiver stopped processing.
Total number of files processed: 3
3247 Direct log archiver failed to process the following files:
C:\LogFiles\W3SVC1\ex070622.log
C:\LogFiles\W3SVC1\ex070626.log
C:\LogFiles\W3SVC1\ex070628.log
3248 Detected following windows updates are installed on this system:
1) KB902848 Title: Outlook Live 2003 Service Pack 2 Date: Wednesday, February 22, 2006
2) KB887619 Title: OneNote 2003 Service Pack 2 Date: Wednesday, February 22, 2006
3) KB887620 Title: Project 2003 Service Pack 2 Date: Wednesday, February 22, 2006
4) KB829019 Title: Microsoft .NET Framework 2.0: x86 (KB829019) Date: Tuesday, January 24, 2006
5) KB887618 Title: Office 2003 Service Pack 2 for Proofing Tools Date: Tuesday, February 21, 2006
3249 EventTracker Agent Configuration Modified
Version: 6.3 – Build 41
Agent System Name: <System Name>
Managers: No change
Event Filters:
Enable High Performance mode: enabled.
System Monitor: No change
Monitor Apps: No change
Services: No change
Log Backup: No change
Processes: No change
Network Connection Monitor: No change
Logfile Monitor: No change
3250 Critical Network alarm – Several systems are not reachable \N\NNumber of ping failure in your enterprise have crossed defined limit.\N\NPlease generate a report on event id 2008 to verify that which system are not reachable.
3251 Critical alert- Intrusion detected.\N\N\NAn unauthorized and repeated logon request from $IntrEvt1.Description&Client Address: &13.\N\NIt may be due to sophisticated hacking attempt. Please investigate and if required block the IP address on the firewall
3252 Critical security alarm – Intrusion is detected – Excessive logon failures \N\N number of log failures in your enterprise have crossed the limit. \NPlease generate a report on event id 676 to verify that which system and user is trying responsible for intrusion.
3253 Intrusion is detected – Excessive logon failures due to bad password \N\N Number of log failures in your enterprise have crossed the limit. \N\NPlease generate a report on event id 675 to verify that which system and user is trying responsible for intrusion.
3254 DLA File not found for processing in last 24 hour
3256 Intrusion Detection: Excessive network logon in your enterprise: \N\NFor more information about this condition\NGenerate a report on event ID 540 using EventTracker – Log Search
3257 Intrusion Detection: Excessive network user lockout in your enterprise: \N\NFor more information about this condition\NGenerate a report on event ID 644 using EventTracker – Log Search
3258 Intrusion Detection: Excessive user lockout in your enterprise: \N\NFor more information about this condition\NGenerate a report on event ID 539 using EventTracker – Log Search
3259 Intrusion Detection: Excessive network logon on computer $ExcessiveC540.ComputerName \N\NFor more information about this condition.\NGenerate a report on event ID 540 using EventTracker – Log Search
3260 Intrusion Detection: Excessive Authentication in your enterprise. \N\NFor more information about this condition.\NGenerate a report on event ID 672 using EventTracker – Log Search
3261 Intrusion Detection: Excessive network logon on computer $ExcessiveC672.ComputerName \N\NFor more information about this condition.\NGenerate a report on event ID=672 using EventTracker – Log Search
3262 Critical security alarm – excessive amount of resource access failures on $ExcessiveC560.ComputerName. \NIt is highly possible that user is persistently trying to access files and operation is not allowed. \N \NGenerate a report for event id 560 by selecting the involved computer names. Examine the origin of the traffic including the user.
3263 Intrusion detected\N\NUnauthorized excessive file access failure on $ExcessiveF560.&Object Name:&&New Handle ID:&. \NIt is highly possible that user is persistently trying to access file and operation is not allowed. \N\NGenerate a report for event id 560 by selecting the involved computer names. Examine the origin of the traffic including the user.
3264 Intrusion detected:\N\NUnauthorized user $ExcessiveU560.User is persistently attempting to access resources which not permitted. \NIt is highly possible that user is persistently trying to access file and operation is not allowed. \N \NGenerate a report for event id 560 by selecting the involved computer names. Examine the origin of the traffic including the user.
3265 High Security Alert:\N\NToo many files are being deleted from $ExcessiveD560.ComputerName \NIt may be a normal deletes. \N\NGenerate a report for event id 560 by selecting the involved computer names. Examine the origin of the traffic including the user.
3266 Critical Security alarm: Excessive logon on computer $ExcessiveC528.ComputerName \N\NFor more information about this condition.\NGenerate a report on event ID=528 using EventTracker – Log Search
3267 Critical Security alarm: Excessive logon on computer $ExcessiveC529.ComputerName \N\NFor more information about this condition\NGenerate a report on event ID=529 using EventTracker – Log Search
3268 Critical Security alarm: Excessive logon on domain $Excessive529.Domain \N\NFor more information about this condition.\NGenerate a report on event ID=529 using EventTracker – Log Search
3271 This event indicates that the user has initially logged onto the network. $InitEvt3.Description
3272 EventTracker Diagnostics found.
Status: Normal
3273 Used for VMware logs by EventTracker Agent.

Also for successful creation of a manual collection point.

3274 Used for VMware logs by EventTracker Agent. Event Source will be VMWARE

Also for successful creation of a manual collection point. Event Source will be EventTracker

3275 Collection Point: <CP Name> deleted successfully
Drop Data: <True/False>
3276 A system’s type was modified in the EventTracker application

User Information:
Account Name: <Value>
Account Domain: <Value>

Network Information:
Client Address: <Value>
Client Browser Version: <Value>

Configuration Information
Name : <Value>
Old value
Type: <Value>
New value
Type: <Value>

3277 Agent Installation Status : <Install / Upgrade>
Agent version on system <Agent System Name> : <Agent version>
OS Type : <OS Type>
File Versions :
etagent.exe <Version / Time stamp>
etagent.dll <Version / Time stamp>
etaconfig.exe <Version / Time stamp>
etaconfig.ini <Time stamp>
3278 EventTracker Agent Configuration Modified
Version: <EventTracker Build Number>
Agent System Name: <System Name>
Managers: No change
Event Filters: No change
System Monitor: No change
Monitor Apps: No change
Services: No change
Log Backup: No change
Processes: No change
Network Connection Monitor: No change
Logfile Monitor: No change
System(s) requested for configuration changes:
<system names>
3279 Agent DLA file send attempt
Manager: <system names>
File: <EC file name>
Status: Success/Failed
Reason: Descriptive message for failure with error codes etc (applicable only for failures)
3280 An account was successfully logged on to EventLogCentral
New Logon:

Account Name: <User Name>
Account Domain: <Domain name>

Network Information:

Client Network Address: <Network Address>
Client Browser Version: Gecko v1.0.

3281 An account failed to log on to EventLogCentral
Account For Which Logon Failed:

Account Name: <User Name>
Account Domain: <Domain name>

Failure Information:

Failure Reason: Invalid username or password

Network Information:

Client Network Address: <Network Address>
Client Browser Version: Gecko v1.0.

3282 An account was logged off from EventLogCentral.
Subject:

Account Name: <User name>
Account Domain: <Domain name>

Network Information:

Client Network Address: <Network Address>
Client Browser Version: IE v7.

3283 A scheduled analysis was added from EventTracker
User Information
Account Name: <User name>
Account Domain: <Domain name>
Configuration Information:
Analysis title: Logs – Detail
Analysis type: Logs – Detail
Categories: ***ALERTS***
Schedule Freq: Daily
Schedule Time: 12:00:00 AM
Systems: <System1:System2: . .>
System Groups: <Group1:Group2: . .>
Sites: <Site Name>
Sort by: Log Time
Export type: PDF File (*.pdf)
Analysis Header:
Analysis Footer:
3284 A scheduled analysis was modified from EventLogCentral
User Information:
Account Name: <User name>
Account Domain: <Domain name>
Network Information:
Client Address: <Client Address>
Client Browser Version: IE v7.0
Configuration Information:
Analysis Name: alerts analysis
Old Value:
Description:
Analysis type:Logs
Schedule frequency:Daily
Schedule start time:12:00:00 AM
Schedule, first run:1/29/2009 12:00:00 AM
Email:
Systems:
Site:ETSERVER, Groups:DLA, Systems:attacktest

Refine User:
Refine Desc:
Filter User:
Filter Desc:
Sort by:Computer
Export type:PDF file
RSS feed:None
Report Header:EventLogCentral
Report Footer:

New Value:
Description:
Analysis type:Logs
Schedule frequency:Daily
Schedule start time:12:00:00 AM
Schedule, first run:1/29/2009 12:00:00 AM
Email:
Systems:
Site:ETSERVER, Groups:DLA, Systems:attacktest

Refine User:
Refine Desc:
Filter User:
Filter Desc:
Sort by:Computer
Export type:PDF file
RSS feed:None
Report Header:EventLogCentral
Report Footer:

3285 A scheduled report was deleted from EventTracker
User Information
Account Name: <User name>
Account Domain: <Domain name>
Configuration Information:
Report title: Daily USER Logon
Schedule Freq: Daily
Schedule Time: 2/11/2009 11:59:59 PM
3286 A custom column was added from EventTracker
User Information
Account Name: <User name>
Account Domain: <Domain name>
Configuration Information:
Column Name: EmpLogoffTime
Column Key: LogOffTime
Key Value Splitter: :
Key Value Terminator: ;
Custom Resolution:
3287 A custom column was modified from EventTracker
User Information
Account Name: <User name>
Account Domain: <Domain name>
Configuration Information:
Old Values:
Column Name: EmpName
Column Key: UserName
Key Value Splitter: :
Key Value Terminator: ;
Custom Resolution:
New Values:
Column Name:
Column Key:
Key Value Splitter: :
Key Value Terminator: ;
Custom Resolution:
3288 A custom column was deleted from EventTracker
User Information
Account Name: <User name>
Account Domain: <Domain name>
Configuration Information:
Column Name: U Name
Column Key: UNa
3289 A report Configuration was modified from EventTracker
User Information
Account Name: <User name>
Account Domain: <Domain name>
Configuration Information:
Option screen: E-mail Configuration
Old Values:
Authentication: False
Username:
New Values:
Authentication: True
Username:
3290 A role was added from EventLogCentral
User Information:
Account Name: <User name>
Account Domain: <Domain name>
Network Information:
Client Address: <Client Address>
Client Browser Version: IE v7.0
Configuration Information:
Role Name: Testrol
3291 A role was modified from EventLogCentral
User Information:
Account Name: <Account name>
Account Domain: <Domain name>
Network Information:
Client Address: <Client Address>
Client Browser Version: IE v7.0
Configuration Information:
Role Name: Testrole
Old Value: Home Alerts
New Value: Home,Alerts,Advanced,Advanced Compliance,Advanced Security,Advanced Operations,On Demand,Advanced Scheduled Report,Defined Report,Exception,Dashboard,Configuration
3292 A role was deleted from EventLogCentral
User Information:
Account Name: <User Name>
Account Domain: <Domain name>
Network Information:
Client Address: <Client address>
Client Browser Version: IE v7.0
Configuration Information:
Role Name: ETREPORT Admin
3500 EventTracker Agent has successfully received and processed the file <File Name>
Contents that are read.
InputDir =
OutputDir =
Schema Path = C:\Program Files\Prism Microsystems\EventTracker\Agent\xml
OVALDefXslValid = 0
OVALDefXslFile = oval-definitions-schematron.xsl
XCCDFXsdValid = 1
XCCDFXsdFile = xccdf-1.1.4.xsd
OVALResultApplyXSL = 1
OVALResultXSLFile = results_to_html.xsl
OVALSysCharFile = OVALSysChar.xml
OVALTransFile = OVALResults.html
XCCDFResultFile = XCCDFResults.xml
XCCDFResultApplyXSL = 0
XCCDFResultXSLFile = xccdf_to_docx.xsl
XCCDFTransFile = XCCDFResults.docx
InputFolderName = C:\Program Files\Prism Microsystems\EventTracker\Agent\SCAP\NEMO\Input1270544121516
OutputFolderName = C:\Program Files\Prism Microsystems\EventTracker\Agent\SCAP\NEMO\Output1270544121516
BenchmarkProfile = DISA-Gold
BenchmarkId = 55
SchedulesId = 4
3501 EventTracker Agent has successfully generated the XCCDF result file.
List of files that are generated.

OVALTransFilePath = C:\Program Files\Prism Microsystems\EventTracker\Agent\SCAP\NEMO\Output1270543003612\OVALResults.html,
OVALResultPath = C:\Program Files\Prism Microsystems\EventTracker\Agent\SCAP\NEMO\Output1270543003612\OVAL_Result.xml,
OVALSysCharPath = C:\Program Files\Prism Microsystems\EventTracker\Agent\SCAP\NEMO\Output1270543003612\OVALSysChar.xml,
XCCDFResultPath = C:\Program Files\Prism Microsystems\EventTracker\Agent\SCAP\NEMO\Output1270543003612\XCCDFResults.xml.

3502 Agent FDCC process attempt
Manager: <System Name >
Status: Success
3503 Agent FDCC process attempt
Manager: <System Name >
Status: Failed/Success
Reason: Descriptive message for failure with error codes etc (applicable only for failures)
3505 [Info/Error] License Data receive failed
3506 [Info/Error] EventTracker Agent Configuration update requested from Manager
3507 [Info/Error] EventTracker Agent Script File Execution success/Failure
3508 [Warning] System Handle crossed the threshold limit.
3508 [Info] System Handle Usage is normal and below the usage limit.
3509 [Warning] System Thread crossed the threshold limit.
3509 [Info] System Thread Usage is normal and below the usage limit.
3510 [Warning] Process Handle crossed the threshold limit.
3510 [Info] Process Handle Usage is normal and below the usage limit.
3511 [Warning] Process Thread crossed the threshold limit.
3511 [Info] Process Thread Usage is normal and below the usage limit.