ArcSight Specific Device Event Class IDs

ArcSight Specific Device Event Class IDs
DeviceEventClassId Description Object Behavior Technique Device Group Significance Outcome
#rule:100 RULE_FIRE Host/Application Execute/Query Nothing Application Normal Success

PROFILE:001 PATTERNDISCOVERYRUN_STARTED Host/Application/Service Execute/Query Nothing Application Informational Attempt
PROFILE:002 PATTERNDISCOVERYRUN_FINISHED Host/Application/Service Execute/Query Application Informational Success
ACTIVE_LIST_ADD An entry was added to an
activelist:101 Host/Application Modify/Configuration Nothing Application Normal Success
Active List
ACTIVE_LIST_REMOVE An entry was removed
from an Active List
ACTIVE_LIST_UPDATE An entry was changed
in an Active List
ACTIVE_LIST_EXPIRE An entry was removed
activelist:104 from an Active List because the last update to the Host/Application Modify/Configuration Application Informational Success
value was older than the expiration period
activelist:105 ACTIVE_LIST_EVICT Host/Resource Check/Resource Application Informational/Alert Success
actor:100 ACTOR_DELETE Nothing Nothing Nothing Nothing Nothing Nothing
actor:102 ACTOR_ADD Nothing Nothing Nothing Nothing Nothing Nothing
actor:110 ACTOR_SINGLE_VALUE_UPDATE Nothing Nothing Nothing Nothing Nothing Nothing
actor:111 ACTOR_MULTI_VALUE_ADD Nothing Nothing Nothing Nothing Nothing Nothing
actor:112 ACTOR_MULTI_VALUE_DELETE Nothing Nothing Nothing Nothing Nothing Nothing
agent:000 AGENT Host/Application Nothing Nothing Application Normal Nothing
agent:001 Agent Connection Host/Application Access/Start Nothing Application Normal Success
agent:002 Agent Reconnected Host/Application Access/Start Nothing Application Informational Success
agent:003 Agent Zombie Host/Application Execute Nothing Application Informational/Error Failure
agent:004 Agent Disconnect Host/Application Access/Stop Nothing Application Informational Success
agent:006 Unknown Agent Attempted to Connect Host/Application Access/Start Nothing Application Suspicious Attempt
AGENT_REGISTRATION_SUCCESS Agent was
agent:007 Host/Application Access Nothing Application Normal Success
successfully registered with Manager
AGENT_REGISTRATION_FAILURE Agent was
agent:008 Host/Application Access Nothing Application Informational/Error Failure
not successfully registered with Manager
AGENT_CONNECTION_REFUSED Manager
agent:009 rejected a connection attempt from an Agent for Host/Application Access Nothing Application Informational/Error Failure
reasons other than authentication failure
AGENT_UPGRADE_SUCCESS Agent upgrade
agent:010 Host/Application Modify/Content Nothing Application Normal Success
succeeded
AGENT_UPGRADE_FAILURE Agent upgrade
agent:011 Host/Application Modify/Content Nothing Application Informational/Error Failure
failed
AGENT_TIME_DEVICE_FAILURE Agent
Informational/Warn
agent:012 detected source events from a sensor device Host/Application Execute/Response Application Success
ing
containing incorrect time stamps
AGENT_DEVICE_FOUND Agent noted that a
agent:013 Host/Application Communicate/Query Nothing Application Normal Success
new sensor device is sending events
AGENT_SYSLOG_AGGREGATION_FAILURE
agent:014 Agent could not find a base event referenced in a Host/Application Execute/Query Nothing Application Informational/Error Failure
syslog aggregate event
AGENT_CONNECTION_DEVICE_FAILURE
agent:015 Host/Application Access/Start Nothing Application Informational/Error Failure
Agent could not connect to the sensor device's log
AGENT_CONNECTION_DEVICE_SUCCESS
agent:016 Agent successfully connected to the sensor Host/Application Access/Start Nothing Application Normal Success
device's log
AGENT_COMMAND_SUCCESS Agent
agent:017 Host/Application Execute/Query Application Normal Success
successfully executed a command
AGENT_COMMAND_FAILURE Agent could
agent:018 Host/Application Execute/Query Application Informational/Error Failure
not execute a command
AGENT_CACHE_CACHING Agent is caching
Informational/Warn
agent:019 events because they could not be immediately Host/Application Execute/Response Application Success
ing
transmitted to the Manager
AGENT_CACHE_EMPTY Agent has emptied its
agent:020 Host/Application/Service Execute/Response Nothing Application Normal Success
cache of events
AGENT_NTCOLLECTOR_ERROR Agent could
agent:021 Host/Application Communicate/Query Nothing Application Informational/Error Failure
not communicate with an NT collector sensor
AGENT_CONFIGURATION_FAILURE Agent
agent:022 Host/Application Modify/Configuration Nothing Application Informational/Error Failure
could not process a reconfiguration request
AGENT_CHECKPOINT_ERROR Agent could
agent:023 Host/Application Execute Nothing Application Informational/Error Failure
not communicate with a CheckPoint sensor
AGENT_CHECKPOINT_WARN Agent is having Informational/Warn
agent:024 Host/Application Execute Nothing Application Failure
difficulty communicating with CheckPoint ing
AGENT_UPDATE_SUCCESS Agent content was
agent:025 Host/Application Modify/Configuration Nothing Application Normal Success
successfully updated
AGENT_UPDATE_FAILURE Agent content
agent:026 Host/Application Modify/Configuration Nothing Application Informational/Error Failure
update failed
agent:027 AGENT_ACS_ERROR Host/Application/Service Execute/Query Nothing Application Informational/Error Failure
AGENT_UNEXPECTED_ERROR Agent
agent:028 Host/Application/Service Execute/Query Nothing Application Informational/Error Failure
experienced an unexpected problem
AGENT_CACHE_DROPPED Agent was forced Informational/Warn
agent:029 Host/Resource Execute/Query Nothing Application Failure
to drop some of its cached data ing
agent:030 AGENT_STARTED Agent started Host/Application/Service Execute/Start Nothing Application Normal Success
agent:031 AGENT_SHUTTINGDOWN Agent shutdown Host/Application/Service Execute/Stop Nothing Application Normal Success
AGENT_CONFIGURATION_CHANGED Agent
agent:032 Host/Application/Service Modify/Configuration Nothing Application Informational Success
configuration was successfully changed
AGENT_DATABASE_PASSWORD_CHANGE
Authentication/Modif
agent:033 D The password used by an Agent to access a Host/Application Application Informational Success
y
database has changed
AGENT_DEVICE_UPDATED The Agent has
agent:034 Host/Application Modify/Configuration Application Informational Success
been directed to monitor a different device (sensor)
AGENT_TIME_FAILURE The Agent has
Informational/Warn
agent:035 detected event time stamps that fall outside the Host/Application Execute/Response Application Success
ing
valid range
agent:036 AGENT_UPGRADE_STARTED Host/Application Modify/Content Application Informational Attempt
agent:037 AGENT_UPGRADE_ROLLBACK_STARTED Host/Application Modify/Content Application Informational Attempt
agent:038 AGENT_UPGRADE_ROLLBACK_SUCCESS Host/Application Modify/Content Application Informational Success
agent:039 AGENT_UPGRADE_ROLLBACK_FAILURE Host/Application Modify/Content Application Informational/Error Failure

AGENT_INTEGRITY These warn about
incoming non-internal events that have no raw
event data. If the user does want to protect his
Informational/Warn
agent:040 event integrity, then these alerts should be given Host/Application Execute/Response Application Success
ing
attention since they probably imply that a
Connector has been improperly written such that
events are being generated without raw event data
agent:041 AGENT_COMMAND_SENTTOAGENT Host/Application Communicate/Query Application Informational Success
agent:050 Nothing Nothing Nothing Nothing Nothing Nothing
agent:100 AGENT_CONNECTION Host/Application Access Nothing Application Normal Attempt
AGENT_CONNECTION_ESTABLISH Agent has
agent:101 Host/Application Access Nothing Application Normal Success
just connected to Manager
AGENT_CONNECTION_ZOMBIE Agent is
agent:102 Host/Application Communicate/Query Application Informational/Error Failure
sending events but no heartbeats
AGENT_CONNECTION_DROP Agent is sending
agent:103 Host/Application Communicate/Query Application Informational/Alert Failure
neither events nor heartbeats
AGENT_CONNECTION_UNKNOWN_AGENT
agent:104 an unknown Agent attempted to connect to the Host/Application Access Nothing Application Informational/Error Failure
Manager
AGENT_CONNECTION_ID_MISMATCH an
agent:105 Agent presented an incorrect shared secret when Host/Application Communicate/Query Nothing Application Informational/Error Failure
authenticating
Informational/Warn
agent:106 AGENT_SIDETABLE_OVERFLOW Host/Resource Check/Resource Application Failure
ing
AGENT_SIDETABLE_OVERFLOW_DETECTE Informational/Warn
agent:107 Host/Resource Check/Resource Application Failure
D_ON_AGENT_SIDE ing
AGENT_CONNECTION_BLACKLISTED_AGE Informational/Warn
agent:108 Host/Application Communicate/Query Application Attempt
NT ing
assetaging:000 ASSET_AGING Host/Application/Service Execute/Response Application Informational Success
assetaging:100 ASSET_AGING_DISABLED Host/Application/Service Modify/Configuration Application Informational Success
assetaging:101 ASSET_AGING_DELETED Nothing Nothing Nothing Nothing Nothing Nothing

authentication:000 AUTHENTICATION Host/Application Authentication Nothing Application Normal Attempt
AUTHENTICATION_LOGIN Successful client
authentication:100 Host/Application Authentication/Verify Nothing Application Normal Success
login
AUTHENTICATION_LOGIN_FAIL Failed client Informational/Warn
authentication:101 Host/Application Authentication/Verify Nothing Application Failure
login ing
authentication:102 AUTHENTICATION_LOGOUT Client logout Host/Application Access/Stop Nothing Application Normal Success
AUTHENTICATION_LOGOUT_TIME Client
authentication:103 Host/Application Access/Stop Nothing Application Normal Success
timed out due to inactivity
AUTHENTICATION_LOGIN_EXCESSIVE_FAI
Authentication/Modif Informational/Warn
authentication:104 LURES Client suffered too many login failures Host/Application Application Success
y ing
within a short time period
Informational/Warn
authentication:105 AUTHENTICATION_NON_FIPS_USER Host/Application Authentication/Verify Application Failure
ing
AUTHENTICATION_AGENT Successful Agent
authentication:200 Host/Application Authentication/Verify Nothing Application Normal Success
authentication
AUTHENTICATION_AGENT_FAIL Agent Informational/Warn
authentication:201 Host/Application Authentication/Verify Nothing Application Failure
authentication failed ing
Informational/Warn
authentication:202 AUTHENTICATION_NON_FIPS_AGENT Host/Application Authentication/Verify Application Failure
ing
authentication:203 AUTHENTICATION_ARCHIVE_AGENT_FAIL Host/Application/Service Execute/Query Application Informational/Error Failure
AUTHENTICATION_CLIENT_REFUSED Client Informational/Warn
authentication:300 Host/Application Authentication/Verify Application Failure
failed to authenticate successfully ing
AUTHORIZATION_SERVICE_REFUSED Informational/Warn
authorization:100 Host/Application Authentication/Verify Nothing Application Failure
Manager refused to authorize client ing
it gets sent whenever a client attempts an XML
Compromise/Confi
authorization:101 RPC call, but the manager no longer knows about Host/Resource Access/Start Nothing Application Attempt
dentiality
the session.
Informational/Warn
buffer:001 BUFFER_OVERFILL A buffer overflowed Host/Resource Check/Resource Nothing Application Failure
ing
cache:000 CACHE Host/Resource Application

Informational/Warn
cache:100 CACHE_OVERFLOW Host/Resource Check/Resource Application Failure
ing
CAPS_MANAGER_ABORT The memory usage
capsmanager:000 Host/Application Execute/Query Application Informational/Alert Success
manager has deactivated a configuration resource
The memory usage manager has asked a
configuration resource to reduce its memory usage Informational/Warn
capsmanager:001 Host/Application Execute/Query Application Success
The memory usage manager has asked a ing
configuration resource to reduce its memory usage
Informational/Warn
capsmanager:100 CAPS_MANAGER_REDUCE Host/Application Execute/Query Application Success
ing
CHANNEL_ATTACHED An Active Channel was
channel:001 Host/Application Execute/Query Nothing Application Normal Success
opened
CHANNEL_EMPTY An empty Active Channel Communicate/Respon
channel:002 Host/Application Nothing Application Informational Success
was opened se
CHANNEL_QUERY_COMPLETED The initial
channel:003 Host/Application Execute/Query Application Informational Success
query for an Active Channel has completed.
channel:004 CHANNEL_QUERY_SLOW Host/Application Execute/Response Application Informational Success
cpu:100 Global CPU Linux /Monitor/CPU/Usage /proc/stat Host/Application Execute/Response Application Informational Success
cpu:101 Per CPU Linux /Monitor/CPUn/Usage /proc/stat Host/Application Execute/Response Application Informational Success
DASHBOARD_ATTACHED Generated the first
dashboard:001 time a client begins requesting data from each Data Host/Application Execute/Query Nothing Application Normal Success
Monitor
database:000 DATABASE Host/Application/Database Nothing Nothing Application Normal Nothing
DATABASE_TABLESPACE_LOW Database
database:100 Host/Application/Database Check/Resource Nothing Application Informational/Alert Failure
tablespace is low and will be deactivated
DATABASE_ERROR_FATAL Database has
database:101 Host/Application/Database Execute Nothing Application Informational/Alert Failure
generated a fatal error and will be deactivated
DATABASE_REACTIVATED Database has been
database:102 Host/Application/Database Execute/Start Nothing Application Normal Success
reactivated
DATABASE_TABLESPACE_AVALIABLE
database:103 Database has more tablespace available after Host/Application/Database Check/Resource Application Informational Success
detecting a low tablespace condition
database:104 DATABASE_EVENT_DISCARDED Host/Application/Database/Data Delete Application Informational Success
Security
datamonitor:000 DATA_MONITOR Host/Application Nothing Nothing Information Informational Nothing
Manager
Security
datamonitor:100 DATA_MONITOR_MOVING_AVERAGE Host/Application Execute/Response Nothing Information Informational Success
Manager
Security
DATA_MONITOR_MOVING_AVERAGE_THR
datamonitor:101 Host/Application Execute/Response Nothing Information Informational Success
ESHOLD
Manager
DATA_MONITOR_MOVING_AVERAGE_THR Security
datamonitor:102 ESHOLD_FALLING Moving Average Data Host/Application Execute/Response Nothing Information Informational Success
Monitor detected a rapidly falling moving average Manager
DATA_MONITOR_MOVING_AVERAGE_THR Security
datamonitor:103 ESHOLD_RISING Moving Average Data Monitor Host/Application Execute/Response Nothing Information Informational Success
detected a rapidly rising moving average Manager
DATA_MONITOR_MOVING_AVERAGE_STA Security
datamonitor:104 TUS Moving Average Data Monitor reporting the Host/Application Execute/Response Nothing Information Informational Success
current moving average Manager
DATA_MONITOR_MOVING_AVERAGE_VAL Security
datamonitor:105 UE_ADD Moving Average Data Monitor started Host/Application Execute/Response Information Informational Success
tracking a new key value Manager
DATA_MONITOR_MOVING_AVERAGE_VAL Security
datamonitor:106 UE_REMOVE Moving Average Data Monitor Host/Application Execute/Response Information Informational Success
stopped tracking a key value Manager
Security
DATA_MONITOR_STATISTICS Statistical Data
datamonitor:200 Host/Application Execute/Response Nothing Information Informational Success
Monitor reporting a change in status
Manager
DATA_MONITOR_STATISTICS_VALUE_ADD Security
datamonitor:201 Statistical Data Monitor started tracking a new key Host/Application Execute/Response Information Informational Success
value Manager
DATA_MONITOR_STATISTICS_VALUE_REM Security
datamonitor:202 OVE Statistical Data Monitor stopped tracking a Host/Application Execute/Response Information Informational Success
key value Manager
DATA_MONITOR_CORRELATION Correlation Security
datamonitor:300 Data Monitor reporting a correlated or non- Host/Application Execute/Response Nothing Information Informational Success
correlated event Manager
Security
DATA_MONITOR_SET_VALUE State changed
datamonitor:400 Host/Application Execute/Query Information Normal Success
in Last State Data Monitor
Manager
Security
DATA_MONITOR_SET_VALUE_USER State
datamonitor:401 Host/Application Execute/Query Information Normal Success
changed manually in Last State Data Monitor
Manager
DATA_MONITOR_REMOVE_VALUE_USER Security
datamonitor:402 Key value removed manually in Last State Data Host/Application Execute/Response Information Informational Success
Monitor Manager
Security
datamonitor:500 DATA_MONITOR_TOP_VALUE_COUNT Host/Application Execute/Response Information Informational Success
Manager
Security
DATA_MONITOR_TOP_VALUE_COUNT_VA
datamonitor:501 Host/Application Execute/Response Information Informational Success
LUE_ADD
Manager
Security
DATA_MONITOR_TOP_VALUE_COUNT_VA
datamonitor:502 Host/Application Execute/Response Information Informational Success
LUE_REMOVE
Manager
Per disk read Linux /Monitor/Disk/drive/Read
disk:102 Host/Application Execute/Response Application Informational Success
/proc/diskstats
Per disk write Linux /Monitor/Disk/drive/Write
disk:103 Host/Application Execute/Response Application Informational Success
/proc/diskstats
domain:000 DOMAIN Host/Application Execute/Response Application Informational Success
domain:100 DOMAIN_OUT_OF_COLUMNS Host/Application/Service Execute/Response Application Informational/Error Success

domain:101 DOMAIN_AUTOGENERATED Nothing Nothing Nothing Nothing Nothing Nothing
domain:102 DOMAIN_FIELD_AUTOGENERATED Nothing Nothing Nothing Nothing Nothing Nothing
domain:103 DOMAIN_INVALID_URI Nothing Nothing Nothing Nothing Nothing Nothing
filestore:000 FILESTORE Nothing Nothing Nothing Nothing Nothing Nothing
filestore:100 FILESTORE_DROPPED_EVENT Host/Application/Service Execute/Query Application Informational Success
filestore:101 FILESTORE_EXCEEDED_BLOCKSIZE Host/Application/Service Execute/Response Application Success
group:100 Group delete Host/Application Authorization/Delete Application Informational Success
group:101 Group update Host/Application Authorization/Modify Application Informational Success
group:102 group add Host/Application Authorization/Add Application Informational Success
integrationcommand:
INTEGRATION_COMMAND Nothing Nothing Nothing Nothing Nothing Nothing
000
integrationcommand:
INTEGRATION_COMMAND_SUCCEEDED Nothing Nothing Nothing Nothing Nothing Nothing
100
integrationcommand:
INTEGRATION_COMMAND_FAILED Nothing Nothing Nothing Nothing Nothing Nothing
101
license:100 LICENSE_ASSETS_TOTAL_COUNT Host/Application/Service Execute/Response Application Informational Success
license:101 LICENSE_DEVICES_TOTAL_COUNT Host/Application/Service Execute/Response Application Informational Success
license:102 LICENSE_ACTORS_TOTAL_COUNT Host/Application/Service Execute/Response Application Informational Success
LICENSE_CONSOLE_USERS_TOTAL_COUN
license:103 Host/Application/Service Execute/Response Application Informational Success
T
license:104 LICENSE_WEB_USERS_TOTAL_COUNT Host/Application/Service Execute/Response Application Informational Success
license:105 LICENSE_EPS_INCOMING_TOTAL_COUNT Host/Application/Service Execute/Response Application Informational Success
manager:000 MANAGER Host/Application Nothing Nothing Application Normal Nothing
manager:100 MANAGER_START Manager has started Host/Application Execute/Start Nothing Application Normal Success
MANAGER_STOP A clean Manager shutdown
manager:101 Host/Application Execute/Stop Application Informational Success
has been requested
MANAGER_EVENTFLOW_STOPPED Manager Informational/Warn

manager:200 Host/Application/Service Execute/Stop Nothing Application Failure
has stopped the event flow ing
MANAGER_EVENTFLOW_RESTARTED
manager:201 Host/Application/Service Execute/Start Nothing Application Normal Success
Manager has allowed the event flow to resume
MANAGER_SUBSYSTEM_OK A subsystem of
manager:202 Host/Application Execute/Response Application Normal Success
the Manager is functioning normally
MANAGER_SUBSYSTEM_WARNING A
Informational/Warn
manager:203 subsystem of the Manager has detected a possible Host/Application Execute/Response Application Failure
ing
problem
MANAGER_SUBSYSTEM_ERROR A
manager:204 subsystem of the Manager has detected a Host/Application Execute/Query Application Informational/Error Failure
confirmed problem
Platform memory Linux
memory:100 Host/Resource/Memory Execute/Response Application Informational Success
/Monitor/Memory/Usage/Platform /proc/meminfo
JVM memory (all) /Monitor/Memory/Usage/Jvm
memory:101 Host/Application Execute/Response Application Informational Success
MemoryMXBean
Platform buffers memory Linux
memory:102 /Monitor/Memory/Usage/Platform/Buffers Host/Application Execute/Response Application Informational Success
/proc/meminfo
Platform cached memory Linux
memory:103 /Monitor/Memory/Usage/Platform/Cached Host/Application Execute/Response Application Informational Success
/proc/meminfo
Platform free memory Linux
memory:104 /Monitor/Memory/Usage/Platform/Free Host/Application Execute/Response Application Informational Success
/proc/meminfo
JVM heap memory (all)
memory:105 /Monitor/Memory/Usage/Jvm/Heap Host/Application Execute/Response Application Informational Success
MemoryMXBean
JVM non-heap memory (all)
memory:106 /Monitor/Memory/Usage/Jvm/NonHeap Host/Application Execute/Response Application Informational Success
MemoryMXBean
monitor:100 MONITOR_ACTIVE_CHANNELS_OPEN Host/Application Execute/Response Application Informational Success
MONITOR_DATAMONITORS_ACTIVE_PROB
monitor:101 Host/Application Execute/Response Application Informational Success
ES
monitor:102 MONITOR_EVENT_BROKER_INSERT_TIME Host/Application Execute/Response Application Informational Success
monitor:103 MONITOR_EVENT_BROKER_LOAD Host/Application Execute/Response Application Informational Success
monitor:104 MONITOR_AGENTS_EVENTS_OUTPUT Host/Application Execute/Response Application Informational Success
monitor:105 MONITOR_AGENTS_EVENTS_INPUT Host/Application Execute/Response Application Informational Success
monitor:106 MONITOR_AGENTS_EVENTS_FILTERED Host/Application Execute/Response Application Informational Success
MONITOR_AGENTS_EVENTS_AGGREGATE
D
monitor:108 MONITOR_AGENTS_EPS Host/Application Execute/Response Application Informational Success
monitor:109 MONITOR_AGENTS_EPS_OUTPUT Host/Application Execute/Response Application Informational Success
monitor:110 MONITOR_AGENTS_EPS_INPUT Host/Application Execute/Response Application Informational Success
monitor:111 MONITOR_AGENTS_EPS_FILTERED Host/Application Execute/Response Application Informational Success
monitor:112 MONITOR_AGENTS_EPS_AGGREGATED Host/Application Execute/Response Application Informational Success
monitor:113 MONITOR_AGENTS_CACHE_SIZE Host/Resource/Memory Execute/Response Application Informational Success
monitor:114 MONITOR_ACTIVE_LISTS_ENTRIES Host/Application Execute/Response Application Informational Success
MONITOR_ACTIVE_LISTS_TEMPORARY_LI
STS
monitor:116 MONITOR_ACTIVE_LISTS_USAGE Host/Application Execute/Response Application Informational Success
MONITOR_ACTIVE_LISTS_ENTRY_PERCEN
T_USED
ST_COUNT
ST_ENTRY_COUNT
monitor:120 MONITOR_TOTAL_EVENTS_OUTPUT Host/Application Execute/Response Application Informational Success
monitor:121 MONITOR_TOTAL_EVENTS_INPUT Host/Application Execute/Response Application Informational Success
monitor:122 MONITOR_TOTAL_EVENTS_FILTERED Host/Application Execute/Response Application Informational Success
monitor:123 MONITOR_TOTAL_EVENTS_AGGREGATED Host/Application Execute/Response Application Informational Success

monitor:124 MONITOR_TOTAL_EPS Host/Application Execute/Response Application Informational Success
monitor:125 MONITOR_TOTAL_EPS_OUTPUT Host/Application Execute/Response Application Informational Success
monitor:126 MONITOR_TOTAL_EPS_INPUT Host/Application Execute/Response Application Informational Success
monitor:127 MONITOR_TOTAL_EPS_FILTERED Host/Application Execute/Response Application Informational Success
monitor:128 MONITOR_TOTAL_EPS_AGGREGATED Host/Application Execute/Response Application Informational Success
monitor:129 MONITOR_TOTAL_CACHE_SIZE Host/Resource/Memory Execute/Response Application Informational Success
monitor:130 MONITOR_REPORTS_RUNNING Host/Application Execute/Response Application Informational Success
MONITOR_REPORTS_RUNNING_QUERYING
_DB
MONITOR_REPORTS_RUNNING_RENDERIN
G
MONITOR_EVENT_BROKER_RETRIEVAL_TI
ME
monitor:141 MONITOR_TOTAL_EVENTS_OUTPUT Host/Application Execute/Response Application Informational Success
monitor:142 MONITOR_TOTAL_EVENTS_INPUT Host/Application Execute/Response Application Informational Success
monitor:143 MONITOR_TOTAL_EVENTS_FILTERED Host/Application Execute/Response Application Informational Success
monitor:144 MONITOR_TOTAL_EVENTS_AGGREGATED Host/Application Execute/Response Application Informational Success
monitor:145 MONITOR_TOTAL_EPS Host/Application Execute/Response Application Informational Success
monitor:146 MONITOR_TOTAL_EPS_OUTPUT Host/Application Execute/Response Application Informational Success
monitor:147 MONITOR_TOTAL_EPS_INPUT Host/Application Execute/Response Application Informational Success
monitor:148 MONITOR_TOTAL_EPS_FILTERED Host/Application Execute/Response Application Informational Success
monitor:149 MONITOR_TOTAL_EPS_AGGREGATED Host/Application Execute/Response Application Informational Success
monitor:150 MONITOR_TOTAL_CACHE_SIZE Host/Resource/Memory Execute/Response Application Informational Success
monitor:151 MONITOR_RULES_TOTAL_EVENT_COUNT Host/Application Execute/Response Application Informational Success
MONITOR_RULES_INSERTED_EVENT_COU
NT
MONITOR_RULES_GENERATED_EVENT_CO
UNT
MONITOR_RULES_PARTIAL_MATCH_COUN
T
monitor:155 MONITOR_RULES_GC_EVENT_COUNT Host/Application Execute/Response Application Informational Success
monitor:156 MONITOR_RULES_GROUPBY_CELLS_SIZE Host/Application Execute/Response Application Informational Success
monitor:157 MONITOR_RULES_ACTIVE_RULES_COUNT Host/Application Execute/Response Application Informational Success
MONITOR_RULES_ACTIONS_TAKEN_COUN
T
MONITOR_RULES_GENERATED_EVENT_CO
UNT
monitor:160 MONITOR_SESSIONS_ACTIVE_TOTAL Host/Application Execute/Response Application Informational Success
monitor:161 MONITOR_ZONE_EVAL_COUNT Host/Application Execute/Response Application Informational Success
monitor:171 MONITOR_RESOURCES_ACTIVITY_INSERT Host/Resource Execute/Response Application Informational Success
MONITOR_RESOURCES_ACTIVITY_UPDAT
monitor:172 Host/Resource Execute/Response Application Informational Success
E
monitor:173 MONITOR_RESOURCES_ACTIVITY_DELETE Host/Resource Execute/Response Application Informational Success
MONITOR_ACTIVE_CHANNELS_EVENTS_IN
SERT
MONITOR_ACTIVE_CHANNELS_EVENTS_C
HANGE
monitor:180 MONITOR_NOTIFICATION_NEW_COUNT Host/Application Execute/Response Application Informational Success
MONITOR_NOTIFICATION_ESCALATED_CO
UNT
monitor:190 MONITOR_PATTERNS_RUN_COUNT Host/Application Execute/Response Application Informational Success
monitor:191 MONITOR_PATTERNS_RUN_QUEUED Host/Application Execute/Response Application Informational Success
monitor:200 MONITOR_ASSETS_TOTAL_COUNT Host/Application Execute/Response Application Informational Success
monitor:201 MONITOR_ASSETS_SCANNER_EPS Host/Application Execute/Response Application Informational Success
MONITOR_ASSETS_RESOLUTIONS_PER_SE
COND
MONITOR_ASSETS_AVERAGE_TIME_SCAN
NER_EVENTS
MONITOR_ASSETS_RESOLUTIONS_AVERA
GE_TIME
GE_TIME_SOURCE
GE_TIME_DESTINATION
MONITOR_SIDETABLE_GEO_INFO_HIT_RA
monitor:210 Host/Application/Database Execute/Response Application Informational Success
TE
monitor:211 MONITOR_SIDETABLE_GEO_INFO_INSERTS Host/Application/Database Execute/Response Application Informational Success
MONITOR_SIDETABLE_GEO_INFO_CACHE_
MISSES
monitor:213 MONITOR_SIDETABLE_GEO_INFO_SIZE Host/Application/Database Execute/Response Application Informational Success
MONITOR_SIDETABLE_CATEGORY_HIT_R
ATE
MONITOR_SIDETABLE_CATEGORY_INSERT
S
MONITOR_SIDETABLE_CATEGORY_CACHE
_MISSES
monitor:217 MONITOR_SIDETABLE_CATEGORY_SIZE Host/Application/Database Execute/Response Application Informational Success
monitor:218 MONITOR_SIDETABLE_AGENT_HIT_RATE Host/Application/Database Execute/Response Application Informational Success
monitor:219 MONITOR_SIDETABLE_AGENT_INSERTS Host/Application/Database Execute/Response Application Informational Success
MONITOR_SIDETABLE_AGENT_CACHE_MI
SSES
monitor:221 MONITOR_SIDETABLE_AGENT_SIZE Host/Application/Database Execute/Response Application Informational Success
monitor:222 MONITOR_SIDETABLE_DEVICE_HIT_RATE Host/Application/Database Execute/Response Application Informational Success
monitor:223 MONITOR_SIDETABLE_DEVICE_INSERTS Host/Application/Database Execute/Response Application Informational Success
MONITOR_SIDETABLE_DEVICE_CACHE_MI
SSES
monitor:225 MONITOR_SIDETABLE_DEVICE_SIZE Host/Application/Database Execute/Response Application Informational Success
monitor:226 MONITOR_SIDETABLE_LABELS_HIT_RATE Host/Application/Database Execute/Response Application Informational Success
monitor:227 MONITOR_SIDETABLE_LABELS_INSERTS Host/Application/Database Execute/Response Application Informational Success
MONITOR_SIDETABLE_LABELS_CACHE_MI
SSES
monitor:229 MONITOR_SIDETABLE_LABELS_SIZE Host/Application/Database Execute/Response Application Informational Success
monitor:230 MONITOR_FLOW_EVENT_RATE Host/Application Execute/Response Application Informational Success
monitor:231 MONITOR_FLOW_EVENT_COUNT Host/Application Execute/Response Application Informational Success
MONITOR_RULES_EVENTS_MATCHING_AN
Y_RULE_COUNT
MONITOR_RULES_EVENTS_MATCHING_FIL
TER_RULE_COUNT
MONITOR_RULES_EVENTS_MATCHING_JOI
N_RULE_COUNT
monitor:235 MONITOR_RULES_MATCH_COUNT Host/Application Execute/Response Application Informational Success
monitor:240 MONITOR_TC_SIZE Host/Application Execute/Response Application Informational Success
monitor:260 MONITOR_SESSION_LISTS_LIST_COUNT Host/Application Execute/Response Application Informational Success
monitor:261 MONITOR_SESSION_LISTS_ENTRY_COUNT Host/Application Execute/Response Application Informational Success
MONITOR_SESSION_LISTS_ENTRY_CAPACI
TY
MONITOR_SESSION_LISTS_ENTRY_PERCE
NT_USED
MONITOR_SESSION_LISTS_QUERIES_PER_S
ECOND
MONITOR_SESSION_LISTS_CHANGES_PER_
SECOND
monitor:270 MONITOR_DB_FREESPACE_ARC_EVENT Host/Application Execute/Response Application Informational Success
MONITOR_DB_FREESPACE_ARC_EVENT_IN
DEX
monitor:272 MONITOR_DB_FREESPACE_ARC_SYSTEM Host/Application Execute/Response Application Informational Success
MONITOR_DB_FREESPACE_ARC_SYSTEM_I
NDEX
MONITOR_DB_FREESPACE_ARC_DBSM_TE
ST
MONITOR_DB_FREESPACE_ARC_EVENT_P
CT
MONITOR_DB_FREESPACE_ARC_EVENT_IN
DEX_PCT
MONITOR_DB_FREESPACE_ARC_SYSTEM_
PCT
MONITOR_DB_FREESPACE_ARC_SYSTEM_I
NDEX_PCT
MONITOR_DB_FREESPACE_ARC_DBSM_TE
ST_PCT
Per interface network input Linux
network:100 Host/Application Execute/Response Application Informational Success
/Monitor/Network/Usage/iface/In /proc/net/dev
Per interface network output Linux
network:101 Host/Application Execute/Response Application Informational Success
/Monitor/Network/Usage/iface/Out /proc/net/dev
Per interface network packet input Linux
network:102 /Monitor/Network/Usage/iface/PacketsIn Host/Application Execute/Response Application Informational Success
/proc/net/dev
Per interface network packet output Linux
network:103 /Monitor/Network/Usage/iface/PacketsOut Host/Application Execute/Response Application Informational Success
/proc/net/dev
notification:000 NOTIFICATION Host/Application Modify/Configuration Nothing Application Normal Nothing
NOTIFICATION_TRANSPORT_DISABLE
notification:100 Host/Application Modify/Configuration Nothing Application Informational/Alert Success
Notification has been disabled
NOTIFICATION_DISABLE_QUEUE_OVERFL
notification:101 OW Notification has been disabled because the Host/Application Modify/Configuration Nothing Application Informational/Alert Success
queue of notifications to be sent is too large
NOTIFICATION_TRANSPORT_ENABLE
notification:102 Host/Application Modify/Configuration Nothing Application Normal Success
Notification has been enabled
NOTIFICATION_ENABLE_QUEUE Notification
notification:103 has been enabled because the queue of Host/Application Modify/Configuration Nothing Application Normal Success
notifications is back under control
NOTIFICATION_DESTINATION_DISABLE A
notification:104 particular Notification Destination has been Host/Application Modify/Configuration Nothing Application Normal Success
disabled
NOTIFICATION_DESTINATION_DISABLE_T
RAFFIC A particular Notification Destination has
been disabled because too much traffic has been
directed at that Destination
NOTIFICATION_DESTINATION_ENABLE A
notification:106 particular Notification Destination has been Host/Application Modify/Configuration Nothing Application Normal Success
enabled
NOTIFICATION_EXPIRED A Notification
notification:107 Host/Application Execute/Response Nothing Application Informational/Error Failure
expired without being acknowledged
NOTIFICATION_UNDELIVERABLE No
notification:108 functioning Destination could be located for this Host/Application Execute/Response Nothing Application Informational/Error Failure
Notification
NOTIFICATION_PURGED Old Notification has
been purged
NOTIFICATION_ESCALATED Notification has
notification:110 Host/Application/Service Execute/Query Nothing Application Informational Success
been escelated to the next Destination level
NOTIFICATION_SENT_REQUIRES_ACKNOW
notification:111 LEDGMENT A Notification that requires Host/Application Execute/Query Application Informational Success
acknowledgement has been sent
notification:111v null Host/Application/Service Execute/Response Nothing Application Informational Success
generated when an informative notification is sent

notification:112 A Notification that does not require Host/Application/Service Execute/Response Nothing Application Informational Success
acknowledgement has been sent
NOTIFICATION_GROUP_TEST Sent a test
notification:200 Host/Application Execute/Query Nothing Application Normal Success
Notification to this Destination Group
NOTIFICATION_ACKNOWLEDGE This
notification:300 Host/Application Execute/Query Nothing Application Normal Success
Notification has been acknowledged
NOTIFICATION_RESOLVE This Notification
notification:301 Host/Application/Service Modify/Configuration Nothing Application Informational Success
has been resolved
partitionarchiver:000 PARTITION_ARCHIVER_NO_OPERATION Host/Application/Service Application Normal Attempt
PARTITION_ARCHIVER_FULL_SUCCESS The
partitionarchiver:100 Host/Application/Service Execute/Response Nothing Application Normal Success
partition was successfully archived
PARTITION_ARCHIVER_PARTIAL_SUCCESS
partitionarchiver:200 Host/Application/Service Execute/Response Nothing Application Informational Success
There was a problem while archiving the partition
PARTITION_ARCHIVER_DISABLED Partition
partitionarchiver:300 Host/Application/Service Modify/Configuration Nothing Application Informational Success
archiving is disabled
PARTITION_ARCHIVER_TIMED_OUT
partitionarchiver:400 Partition archiving did not complete in the alotted Host/Application/Service Execute/Response Nothing Application Informational/Error Failure
time
PARTITION_ARCHIVER_TOTAL_FAILURE
partitionarchiver:500 Host/Application/Service Execute/Response Nothing Application Informational/Error Failure
Partition archiving failed
PARTITION_ARCHIVER_UNEXPECTED_ERR
partitionarchiver:600 OR There was an unexpected error while archiving Host/Application/Service Execute/Response Nothing Application Informational/Error Failure
partitions
partitionmanager:000 PARTITION_MANAGER_NO_OPERATION Host/Application/Service Application Normal Attempt
PARTITION_MANAGER_FULL_SUCCESS
partitionmanager:100 Host/Application/Service Execute/Response Nothing Application Normal Success
Partitions have been successfully managed
PARTITION_MANAGER_PARTIAL_SUCCESS
partitionmanager:200 Host/Application/Service Execute/Response Nothing Application Informational Success
There was a problem managing partitions
PARTITION_MANAGER_DISABLED The
partitionmanager:300 Host/Application/Service Modify/Configuration Application Informational Success
partition manager has been disabled
PARTITION_MANAGER_TOTAL_FAILURE
partitionmanager:500 Host/Application/Service Execute/Response Nothing Application Informational/Error Failure
Partitions could not be managed
PARTITION_MANAGER_UNEXPECTED_ERR
partitionmanager:600 OR There was an unexpected error while Host/Application/Service Execute/Response Nothing Application Informational/Error Failure
managing partitions
NEW_PATTERN_DISCOVERED A previously
pattern:001 Host/Application Execute/Response Application Informational Success
unknown pattern of events was discovered
PATTERN_REDISCOVERED A previously
pattern:002 discovered pattern of events was observed once Host/Application Execute/Response Application Informational Success
again
queryviewer:100 QUERY_VIEWER_QUERY_SUCCEEDED Nothing Nothing Nothing Nothing Nothing Nothing
queryviewer:101 QUERY_VIEWER_QUERY_FAILED Nothing Nothing Nothing Nothing Nothing Nothing
quota:000 QUOTA Host/Resource Execute/Response Nothing Application Informational Attempt
QUOTA_MET resource usage has fallen below the
quota:100 Host/Resource Check/Resource Nothing Application Normal Success
fixed quota level
QUOTA_EXCEED resource usage has exceeded Informational/Warn
quota:101 Host/Resource Check/Resource Nothing Application Failure
the fixed quota level ing
QUOTA_ASSET_AUTOCREATION Asset
quota:102 Host/Application Execute/Response Application Informational/Alert Success
autocreation has exceeded a fixed quota
QUOTA_ASSET_AUTOCREATION_RATE Informational/Warn
quota:103 Host/Application Execute/Response Application Success
Asset autocreation is proceeding too rapidly ing
report:000 REPORT Host/Application Nothing Nothing Application Normal Nothing
REPORT_GENERATE Generated a new Archived
report:100 Host/Application Execute/Response Nothing Application Normal Success
Report configuration resource
REPORT_GENERATE_FAIL Failed to generate a
report:101 Host/Application Execute/Response Nothing Application Informational/Error Failure
new Archived Report configuration resource
REPORT_DELTA Generated a new delta
report:102 Host/Application Execute/Response Nothing Application Normal Success
Archived Report configuration resource
REPORT_CANCELLED This Report run was
report:103 Host/Application Execute/Response Application Informational Failure
cancelled by a user
report:104 REPORT_GENERATE_STARTED Host/Application Execute/Query Application Normal Attempt

report:105 REPORT_HALTED_BECAUSE_EMPTY Host/Application/Service Execute/Stop Application Informational/Error Success
resource:000 RESOURCE Host/Application Nothing Nothing Application Normal Nothing
RESOURCE_DELETE Deleted a configuration
resource:100 Host/Application Modify/Configuration Nothing Application Normal Success
resource
RESOURCE_UPDATE Updated a configuration
resource
RESOURCE_ADD Added a new configuration
resource
RESOURCE_LOCKED Resource has been locked
for edit
resource:104 RESOURCE_UNLOCKED Host/Application/Service Execute/Query Application Informational Attempt
resourcereference:000
RESOURCE_REFERENCE Nothing Nothing Nothing Application Normal Nothing
RESOURCE_REFERENCE_UNRESOLVED_UR
resourcereference:100
I Could not locate a configuration resource using Host/Application Execute/Query Nothing Application Informational/Error Failure
the given universal resource identifer (URI)
rule:000 RULE Nothing Nothing Nothing Application Nothing Nothing
rule:100 RULE_FIRE Host/Application Execute/Query Application Normal Success
rule:101 RULE_MATCH Rule fired OnEveryEvent Host/Application Execute/Query Application Normal Success
rule:102 RULE_FIRST_MATCH Rule fired OnFirstEvent Host/Application Execute/Query Application Normal Success
RULE_SUBSEQUENT_MATCH Rule fired
rule:103 Host/Application Execute/Query Application Normal Success
OnSubsequentEvents
RULE_AGGREGATE Rule fired
rule:104 Host/Application Execute/Query Nothing Application Normal Success
OnEveryThreshold
RULE_FIRST_AGGREGATE Rule fired
OnFirstThreshold
RULE_SUBSEQUENT_AGGREGATE Rule fired
OnSubsequentThresholds
RULE_FINAL_AGGREGATE Rule fired

OnTimeUnitExpiration
rule:108 RULE_FIRE_ON_TIME_UNIT Host/Application Execute/Query Application Normal Success
rule:300 RULE_ACTION Host/Application Execute/Response Nothing Application Normal Success
RULE_ACTION_SET_SEVERITY Set Severity
rule:301 Host/Application Modify/Content Nothing Application Normal Success
action (deprecated)
RULE_ACTION_SET_EVENT_ATTRIBUTE Set
rule:302 Host/Application Modify/Content Nothing Application Normal Success
Event Attribute action
RULE_ACTION_SEND_TO_NOTIFIER Send to
rule:303 Host/Application Execute/Response Nothing Application Informational Success
Notifier action
RULE_ACTION_EXECUTE_COMMAND
rule:304 Host/Application Execute/Query Nothing Application Informational Success
Execute Command action
rule:305 RULE_ACTION_EXPORT Export... action Host/Application Execute/Response Nothing Application Informational Success
RULE_ACTION_CASE_NEW Create New Case
rule:306 Host/Application Modify/Content Nothing Application Informational Success
action
rule:307 RULE_ACTION_CASE_ADD Add to Case action Host/Application Modify/Content Nothing Application Informational Success
RULE_ACTION_CASE_NEW_FAIL Create New
rule:308 Host/Application Modify/Content Application Informational/Error Failure
Case action failed
RULE_ACTION_CASE_ADD_FAIL Add to Case
rule:309 Host/Application Modify/Content Application Informational/Error Failure
action failed
RULE_ACTION_ACTIVE_LIST_ADD Add to
Active List action
RULE_ACTION_ACTIVE_LIST_MOVE Move
between Active Lists action (deprecated)
RULE_ACTION_ACTIVE_LIST_REMOVE
Remove from Active List action
RULE_ACTION_EXECUTE_AGENT_COMMA
rule:313 Host/Application Execute/Query Application Informational Success
ND Execute Agent Command action
RULE_ACTION_SEND_TO_OPENVIEW Send
rule:314 Host/Application Execute/Response Application Informational Success
to OpenView action
rule:315 RULE_ACTION_ASSET_CATEGORY_ADD Nothing Nothing Nothing Nothing Nothing Nothing

RULE_ACTION_ASSET_CATEGORY_REMOV
rule:316 Nothing Nothing Nothing Nothing Nothing Nothing
E
rule:500 RULE_WARNING Host/Application Check/Configuration Nothing Application Informational/Error Failure
RULE_WARNING_LOOP Rule is firing on
rule:501 Host/Application Check/Configuration Nothing Application Informational/Error Failure
events generated by itself
rule:700 RULE_DEACTIVATE Rule has been deactivated Host/Application Modify/Configuration Nothing Application Informational Success
RULE_DEACTIVATE_UNSAFE Rule has been
Informational/Warn
rule:701 deactivated because it is unsafe (excessive Host/Application Modify/Configuration Nothing Application Success
ing
recursion or excessive event matching)
rule:702 RULE_ACTIVATE Rule has been activated Host/Application Modify/Configuration Nothing Application Informational Success
RULE_ACTIVATE_UNSAFE Rule has been re-
activated after having been deactivated because it
rule:703 Host/Application Modify/Configuration Application Informational Success
is unsafe (excessive recursion or excessive event
matching)
rule:801 RULE_SCHEDULED_START Host/Application Execute/Query Application Informational Attempt
rule:802 RULE_SCHEDULED_FINISH Host/Application Execute/Query Application Informational Success
scanner:000 SCANNER_EVENTS_HANDLER Host/Application/Service Execute/Response Application Informational Success
scanner:100 SCANNER_EVENTS_HANDLER_ASSETS Host/Application/Service Execute/Response Application Informational Success
SCANNER_EVENTS_HANDLER_ASSETS_RE
scanner:101 Host/Application/Service Execute/Query Application Informational Success
SOURCE_UPDATED
SCANNER_EVENTS_HANDLER_ASSETS_RE
scanner:102 Host/Application/Service Execute/Query Application Informational Success
SOURCE_DELETED
SCANNER_EVENTS_HANDLER_ASSETS_DY
scanner:103 NAMIC_ZONE_INVALID_NO_MAC_NO_HOS Host/Application/Service Execute/Response Application Informational Success
T
SCANNER_EVENTS_HANDLER_ASSETS_IN
scanner:104 Host/Application/Service Execute/Response Application Informational Success
VALID_NO_ADDRESS_NO_HOST
SCANNER_EVENTS_HANDLER_ASSETS_IN
scanner:105 Host/Application/Service Execute/Response Application Informational Success
VALID_NO_NAME
scheduler:000 SCHEDULER Host/Application Nothing Nothing Application Normal Nothing

SCHEDULER_SKIP_DELAY The task Scheduler
Informational/Warn
scheduler:100 skipped a scheduled task execution because the Host/Application Execute/Query Nothing Application Failure
ing
scheduler was not allowed to run
SCHEDULER_SKIP_RUNNING The task
Scheduler skipped a scheduled task invocation Informational/Warn
scheduler:101 Host/Application Execute/Query Nothing Application Failure
because the last invocation of the task is still ing
executing
SCHEDULER_SKIP_QUEUE_FULL A task was
scheduler:102 skipped because too many tasks were queued Host/Application/Service Execute/Query Nothing Application Informational/Error Failure
already
scheduler:103 SCHEDULER_RESERVED_THREADS Host/Application/Service Execute/Query Application Informational/Error Failure
SCHEDULER_EXECUTE A task has been
scheduler:200 Host/Application Execute/Query Nothing Application Normal Success
executed
SCHEDULER_EXECUTE_FAIL A task failed to
scheduler:201 Host/Application Execute/Query Nothing Application Informational/Error Failure
execute
SCHEDULER_ADD A new task has been
scheduler:300 Host/Application Modify/Configuration Nothing Application Normal Success
scheduled
SCHEDULER_ADD_FAIL A new task could not
scheduler:301 Host/Application Modify/Configuration Nothing Application Informational/Error Failure
be scheduled
scheduler:302 SCHEDULER_ENABLE Enable a task Host/Application Modify/Configuration Nothing Application Normal Success
SCHEDULER_ENABLE_FAIL Could not enable
a task
scheduler:304 SCHEDULER_DELETE Deleted a task Host/Application Modify/Configuration Nothing Application Normal Success
SCHEDULER_DELETE_FAIL Failed to delete a
task
scheduler:306 SCHEDULER_DISABLED Disable a task Host/Application/Service Execute/Stop Nothing Application Informational Success
SCHEDULER_DISABLE_FAIL Could not
scheduler:307 Host/Application/Service Execute/Stop Nothing Application Informational/Error Failure
disable a task
search:301 SEARCH_QUERY_FAILURE Host/Application Execute/Query Application Informational/Error Failure
search:302 SEARCH_QUERY_SUCCESS Host/Application Execute/Query Application Informational Success

search:303 SEARCH_QUERY_EMPTY Host/Application Execute/Response Application Informational Success
SEARCH_INDEX_CREATE The search index
searchindex:100 Host/Application Execute/Query Application Normal Success
was created
The search index was updated to reflect changes to
configuration resources The search index was
searchindex:101 Host/Application Execute/Query Application Informational Success
updated to reflect changes to configuration
resources
searchindex:200 SEARCH_INDEX_UPDATE Host/Application Execute/Query Application Normal Success
searchindex:300 SEARCH_INDEX_HANG Host/Application Execute/Query Application Informational Attempt
searchindex:400 SEARCH_INDEX_TIMEOUT Host/Application Execute/Query Application Informational/Error Failure
sessionlist:101 SESSION_LIST_ADD Host/Application Modify/Configuration Application Informational Success
sessionlist:102 SESSION_LIST_REMOVE Host/Application Modify/Configuration Application Informational Success
sessionlist:103 SESSION_LIST_UPDATE Host/Application Modify/Configuration Application Informational Success
sessionlist:104 SESSION_LIST_EXPIRE Host/Application Modify/Configuration Application Informational Success
sessionlist:201 SESSION_LIST_PARTITION_DROP Nothing Nothing Nothing Nothing Nothing Nothing
sessionlist:202 SESSION_LIST_PARTITION_DROP_FAIL Nothing Nothing Nothing Nothing Nothing Nothing
sessionlist:301 SESSION_LIST_CACHE_MISS_DROP Host/Application/Service Execute/Query Application Informational Attempt
Informational/Warn
sidetable:101 SITETABLE_SPACE_LOW Host/Application/Database Check/Resource Nothing Application Failure
ing
sidetable:102 SITETABLE_SPACE_FULL Host/Application/Database Check/Resource Nothing Application Informational/Error Failure
SIDETABLE_CACHE_HITRATE_LOW Too
sidetable:103 many cache misses for a particular database side Host/Application Execute/Response Nothing Application Informational Success
table
test:000 TEST Host/Application Execute Nothing Application Informational Success
TEST_STRESS A stress test event (used by QA
test:100 Host/Application Execute Nothing Application Informational Success
tools)
trend:000 TREND Host/Application Application
trend:100 TREND_RUN_STARTED Nothing Nothing Nothing Nothing Nothing Nothing
trend:101 TREND_RUN_SUCCESS Nothing Nothing Nothing Nothing Nothing Nothing

trend:102 TREND_RUN_FAILURE Nothing Nothing Nothing Nothing Nothing Nothing
trend:201 TREND_SCAVENGE_SUCCESS Nothing Nothing Nothing Nothing Nothing Nothing
trend:202 TREND_SCAVENGE_FAILURE Nothing Nothing Nothing Nothing Nothing Nothing
trend:301 TREND_PARTITION_ADD Nothing Nothing Nothing Nothing Nothing Nothing
trend:302 TREND_PARTITION_DROP Nothing Nothing Nothing Nothing Nothing Nothing
trend:303 TREND_PARTITION_ADD_FAIL Nothing Nothing Nothing Nothing Nothing Nothing
trend:304 TREND_PARTITION_DROP_FAIL Nothing Nothing Nothing Nothing Nothing Nothing
trend:401 TREND_SET_ACTIVE Nothing Nothing Nothing Nothing Nothing Nothing
trend:402 TREND_SET_INACTIVE Nothing Nothing Nothing Nothing Nothing Nothing
trend:501 TREND_TASK_STARTED Nothing Nothing Nothing Nothing Nothing Nothing
trend:502 TREND_TASK_ENDED Nothing Nothing Nothing Nothing Nothing Nothing
trend:601 TREND_SYSTEM_DEACTIVATED Nothing Nothing Nothing Nothing Nothing Nothing
trend:700 TREND_ACTION Nothing Nothing Nothing Nothing Nothing Nothing
trend:701 TREND_ACTION_ACTIVELIST_ADD Nothing Nothing Nothing Nothing Nothing Nothing
user:100 user delete Host/Application Authentication/Delete Application Informational Success
Authentication/Modif
user:101 user update Host/Application Application Informational Success
y
user:102 user add Host/Application Authentication/Add Application Informational Success
VALIDATION Validation:000 is not referred by
validation:000 any components, so you can ignore it for now. But Host/Application Application
in the future, we might use it.
VALIDATION_DEPENDENT Validation:100 is
sent when a resource becomes invalid due to
dependency constraint violation. Typically it Informational/Warn
validation:100 Host/Resource Check/Configuration Application Failure
happens during dependency validation phase. For ing
example, a filter is deleted from the system, and
the deletion will invalidate a rule that depends on
this filter. In this case, a validation:100 internal

event will be sent.

ArcSight Specific Device Event Class IDs

Caricato da

Informazioni sul documento

Descrizione originale:

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

ArcSight Specific Device Event Class IDs

Caricato da

Copyright:

Formati disponibili

ArcSight Specific Device Event Class IDs

DeviceEventClassId Description Object Behavior Technique Device Group Significance Outcome

#rule:100 RULE_FIRE Host/Application Execute/Query Nothing Application Normal Success

agent:039 AGENT_UPGRADE_ROLLBACK_FAILURE Host/Application Modify/Content Application Informational/Error Failure

assetaging:101 ASSET_AGING_DELETED Nothing Nothing Nothing Nothing Nothing Nothing

cache:000 CACHE Host/Resource Application

domain:100 DOMAIN_OUT_OF_COLUMNS Host/Application/Service Execute/Response Application Informational/Error Success

MANAGER_EVENTFLOW_STOPPED Manager Informational/Warn

monitor:123 MONITOR_TOTAL_EVENTS_AGGREGATED Host/Application Execute/Response Application Informational Success

generated when an informative notification is sent

report:104 REPORT_GENERATE_STARTED Host/Application Execute/Query Application Normal Attempt

RULE_FINAL_AGGREGATE Rule fired

rule:315 RULE_ACTION_ASSET_CATEGORY_ADD Nothing Nothing Nothing Nothing Nothing Nothing

scheduler:000 SCHEDULER Host/Application Nothing Nothing Application Normal Nothing

search:302 SEARCH_QUERY_SUCCESS Host/Application Execute/Query Application Informational Success

trend:101 TREND_RUN_SUCCESS Nothing Nothing Nothing Nothing Nothing Nothing

this filter. In this case, a validation:100 internal

Potrebbero piacerti anche