The following events are generated for Event Source = EventTracker.

| Event ID | Event Description |
|---|---|
| 2001 | The EventTracker Manager service was started. |
| 2002 | EventTracker Agent on %1 is running and okay. |
| 2003 | Accepted EventTracker Viewer connection from %1. |
| 2004 | The EventTracker Viewer from %1 was disconnected. |
| 2005 | The EventTracker Manager Console was started. |
| 2006 | EventTracker Agent on %1 was not running. Restarted successfully. |
| 2007 | EventTracker Agent on %1 is not running. Failed to restart. |
| 2008 | Detected system %1 is not reachable. No reply received on ping poll. |
| 2009 | Detected system %1 is reachable. Reply received on ping poll. |
| 2010 | Number of events in the database exceeded %1. Please purge the database or you may see slow performance of EventTracker software. |
| 2011 | System %1 may be generating high number of events. Please filter unnecessary events emitted from this system. |
| 2012 | Scheduled Report: %1 was generated and emailed successfully. |
| 2013 | Scheduled Report: %1 was not generated. Please cross-check configuration. |
| 2014 | Archival of old events done successfully. Status %1. |
| 2015 | Archival of old events failed. Status %1. |
| 2029 | Notification: Report file deletion. Following file 'report file' created on 'date' will be deleted on 'date' so, please take back up of the file if required. 'Full path of report file' |
| 3201 | Detected free space in drive <drive:> is less than N percent. Disk Size: X MB, Free: Y MB |
| 3202 | Detected Service <Service Name> is not running. |
| 3203 | Detected Service <Service Name> was restarted successfully. |
| 3204 | Detected Service <Service Name> could not be restarted. |
| 3206 | Detected High Memory Usage. More than N percent in use for last X seconds. Peak Memory: Q percent. Total Physical: Y MB, Total Paging: Z MB, Avail Physical: B MB, Avail Paging: C MB. |
| 3207 | Detected High Cpu Usage. More than N percent in use for last X seconds. |
| 3208 | Detected software <Some S/W> has been installed on this system. |
| 3209 | Detected software <Some S/W> has been uninstalled from this system. |
| 3210 | <Some Log> Event Log is near to its maximum log size. Take administrative actions. Maximum Log Size : X Kilobytes, Current Log Size : Y Kilobytes. |
| 3211 | <Some Log> Event Log has already reached its maximum log size. New events cannot be logged. Take administrative actions. Maximum Log Size : X Kilobytes. |
| 3212 | <Some Log> Event Log has reached its maximum size. EventTracker has backed up to <Backup File> and reset the event log. |
| 3213 | Detected disk usage for drive X: is back to below configured threshold limit. Disk Size: Y MB, Free: Z MB |
| 3214 | Detected Service <Service Name> is now running. |
| 3215 | Detected Memory usage is back to below configured threshold limit. Peak Memory: N percent. Total Physical: W MB, Total Paging: X MB, Avail Physical: Y MB, Avail Paging: Z MB. |
| 3216 | Detected Cpu usage is back to below configured threshold limit. Current cpu usage is N percent. |
| 3217 | Process <Process Name> has crossed the memory usage limit of N megabytes. Actual Use: M Megabytes |
| 3218 | Process <Process Name> has crossed the CPU usage limit of X%. Actual Use: Y% |
| 3219 | The memory usage by process <Process Name> is now normal and below the usage limit of X megabytes. Actual Use: Y Megabytes |
| 3220 | The CPU usage by process <Process Name> is now normal and below the usage limit of X%. Actual Use: Y% |
| 3221 | App Open: Exe: <Exe Name> Name: <App Name> Description: <App Description> Version: <App Version> Vendor: <App Vendor> PID: <Process ID> |
| 3222 | App Close: Exe: <Exe Name> Name: <App Name> PID: <Process ID> |
| 3223 | TCP connection ESTABLISHED<br>Type: TCP<br>Status: New<br>Local Address: <Local Addr><br>Local Port: <Local Port><br>Remote Address: <Remote Address><br>Remote Port: <Remote Port><br>Connection State: <State><br>Process Name: <Process Name> |
| 3224 | TCP connection MODIFIED<br>Type: TCP<br>Status: Changed<br>Local Address: <Local Address><br>Local Port: <Local Port><br>Remote Address: <Remote Address><br>Remote Port: <Remote Port><br>New Connection States: <State><br>Old Connection States: <State><br>Process Name: <Process Name> |
| 3225 | TCP connection DISCONNECTED<br>Type: TCP<br>Status: Deleted<br>Local Address: <Local Address><br>Local Port: <Local Port><br>Remote Address: <Remote Address><br>Remote Port: <Remote Port><br>Connection active time: %<N> secs<br>Last know Connection State: <State><br>Process Name: <Process Name> |
| 3226 | UDP connection ESTABLISHED<br>Type: UDP<br>Status: New<br>Local Address: <Local Address><br>Local Port: <Local Port><br>Process Name: <Process Name> |
| 3227 | UDP connection DISCONNECTED<br>Type: UDP<br>Status: Deleted<br>Local Address: <Local Address><br>Local Port: <Local Port><br>Connection active time: %<N> secs<br>Process Name: <Process Name> |
| 3228 | Detected new drive <H:><br>Volume Label: DEEPAK<br>Volume Serial No: 553439901<br>Volume ID: \\?\Volume{a6f19931-6ce9-11dd-8f6f-0013d38afad4}\<br>Type: Removable<br>File System: FAT32<br>Network Volume: No<br>Description: Change affects physical device or drive. |
| 3229 | Drive <H:> removed.<br>Network Volume: No<br>Description: Change affects physical device or drive. |
| 3230 | Descr : FILE: <File Name> \r\n TYPE: <File Type> \r\n FIELD: <Search String> \r\n ENTRY: <Record Found> \r\n |
| 3231 | The agent less client <%s> could not be accessed for the last %d poll attempts. Please take administrative action. |
| 3232 | Disk space availability<br>Drive C:, Disk Size: 20000 MB, Free: 10980 MB, Free(in percent): 54<br>Drive D:, Disk Size: 76316 MB, Free: 58921 MB, Free(in percent): 77<br>Drive E:, Disk Size: 18161 MB, Free: 5109 MB, Free(in percent): 28<br>Drive G:, Disk Size: 38475 MB, Free: 3482 MB, Free(in percent): 9<br>Drive H:, Disk Size: 199996 MB, Free: 7782 MB, Free(in percent): 3 |
| 3233 | action: monitor<br>orig: pnpl-123-mar_mgmt<br>i/f_dir: inbound<br>i/f_name: RTL8023xp7<br>uuid: <00000000,00000000,00000000,00000000><br>product: SmartDefense<br>__policy_id_tag: product=VPN-1 & FireWall-1[db_tag={A46E46F9-5E4A-4D14-B716-84ED6CB4D88B};mgmt=pnpl-123-mar_mgmt;date=1180443405;policy_name=Standard]<br>Attack Info: Non MD5-authenticated RIP Protocol Detected on Connection<br>attack: RIP Enforcement Violation<br>SmartDefense profile: Default_Protection<br>src: 192.164.1.1<br>s_port: rip<br>dst: 192.164.1.255<br>service: rip<br>proto: udp |
| 3234 | Received Remedial action request for <Action Type> action. |
| 3235 | Agent <Agent System Name> : Successfully initiated <Action Type> action. |
| 3236 | Agent <Agent System Name> : Failed to initiate <Action Type> Remedial action. |
| 3237 | Agent <Agent System Name> : Remedial action is disabled at the agent side. Ignoring the request. Remedial Action: Restart Service (1) action. |
| 3238 | Matched Remedial action on Manager. |
| 3239 | USB Monitoring started for H:\<br>Volume Label: DEEPAK<br>Volume Serial No: 553439901<br>Volume ID: \\?\Volume{a6f19931-6ce9-11dd-8f6f-0013d38afad4}\<br>Type: Removable<br>File System: FAT32<br>Network Volume: No<br>Description: Change affects physical device or drive.<br>Console User: SPIDER\deepak<br>Active Users: TOONS\deepak |
| 3240 | USB Monitoring stopped for H:\<br>Volume Label: PNPL1<br>Volume Serial No: 1918040687<br>Volume ID: \\?\Volume{bf4b109d-44f2-11dd-b2fb-00148549755f}\<br>Type: Removable<br>File System: FAT32<br>Network Volume: No<br>Description: Change affects physical device or drive.<br>Console User: TOONS\Sudhish<br>Active Users: TOONS\sudhish<br>No files added or modified or deleted. |
| 3241 | EventTracker has backed up the log file :Security: because its offset has been lost. The backed up file is stored in the following directory F:\Program Files\Prism Microsystems\EventTracker\Agent\SPIDER\Eventlog_1217928508.evt for further analysis. For EventTracker to continue the main log file will be cleared. |
| 3242 | Media drive <H:> is disabled by EventTracker. Please contact your system administrator.<br>Volume Label: DEEPAK<br>Volume Serial No: 553439901<br>Volume ID: \\?\Volume{a6f19931-6ce9-11dd-8f6f-0013d38afad4}\<br>Type: Removable<br>File System: FAT32<br>Network Volume: No<br>Description: Change affects physical device or drive. |
| 3243 | Error ejecting removable device F: |
| 3244 | Direct log archiver started processing. |
| 3245 | Direct log archiver successfully processed the following files:<br>C:\LogFiles\W3SVC1\ex070709.log<br>C:\LogFiles\W3SVC1\ex070710.log<br>C:\LogFiles\W3SVC1\ex070712.log |
| 3246 | Direct log archiver stopped processing.<br>Total number of files processed: No files are available for processing.<br>OR<br>Direct log archiver stopped processing.<br>Total number of files processed: 3 |
| 3247 | Direct log archiver failed to process the following files:<br>C:\LogFiles\W3SVC1\ex070622.log<br>C:\LogFiles\W3SVC1\ex070626.log<br>C:\LogFiles\W3SVC1\ex070628.log |
| 3248 | Detected following windows updates are installed on this system:<br>1) KB902848 Title: Outlook Live 2003 Service Pack 2 Date: Wednesday, February 22, 2006<br>2) KB887619 Title: OneNote 2003 Service Pack 2 Date: Wednesday, February 22, 2006<br>3) KB887620 Title: Project 2003 Service Pack 2 Date: Wednesday, February 22, 2006<br>4) KB829019 Title: Microsoft .NET Framework 2.0: x86 (KB829019) Date: Tuesday, January 24, 2006<br>5) KB887618 Title: Office 2003 Service Pack 2 for Proofing Tools Date: Tuesday, February 21, 2006 |
| 3249 | EventTracker Agent Configuration Modified<br>Version: 6.3 - Build 41<br>Agent System Name: <System Name><br>Managers: No change<br>Event Filters:<br>Enable High Performance mode: enabled.<br>System Monitor: No change<br>Monitor Apps: No change<br>Services: No change<br>Log Backup: No change<br>Processes: No change<br>Network Connection Monitor: No change<br>Logfile Monitor: No change |
| 3250 | Critical Network alarm - Several systems are not reachable \N\NNumber of ping failure in your enterprise have crossed defined limit.\N\NPlease generate a report on event id 2008 to verify that which system are not reachable. |
| 3251 | Critical alert- Intrusion detected.\N\N\NAn unauthorized and repeated logon request from $IntrEvt1.Description&Client Address: &13.\N\NIt may be due to sophisticated hacking attempt. Please investigate and if required block the IP address on the firewall |
| 3252 | Critical security alarm - Intrusion is detected - Excessive logon failures \N\N number of log failures in your enterprise have crossed the limit. \NPlease generate a report on event id 676 to verify that which system and user is trying responsible for intrusion. |
| 3253 | Intrusion is detected - Excessive logon failures due to bad password \N\N Number of log failures in your enterprise have crossed the limit. \N\NPlease generate a report on event id 675 to verify that which system and user is trying responsible for intrusion. |
| 3254 | DLA File not found for processing in last 24 hour |
| 3256 | Intrusion Detection: Excessive network logon in your enterprise: \N\NFor more information about this condition\NGenerate a report on event ID 540 using EventTracker - Log Search |
| 3257 | Intrusion Detection: Excessive network user lockout in your enterprise: \N\NFor more information about this condition\NGenerate a report on event ID 644 using EventTracker - Log Search |
| 3258 | Intrusion Detection: Excessive user lockout in your enterprise: \N\NFor more information about this condition\NGenerate a report on event ID 539 using EventTracker - Log Search |
| 3259 | Intrusion Detection: Excessive network logon on computer $ExcessiveC540.ComputerName \N\NFor more information about this condition.\NGenerate a report on event ID 540 using EventTracker - Log Search |
| 3260 | Intrusion Detection: Excessive Authentication in your enterprise. \N\NFor more information about this condition.\NGenerate a report on event ID 672 using EventTracker - Log Search |
| 3261 | Intrusion Detection: Excessive network logon on computer $ExcessiveC672.ComputerName \N\NFor more information about this condition.\NGenerate a report on event ID=672 using EventTracker - Log Search |
| 3262 | Critical security alarm - excessive amount of resource access failures on $ExcessiveC560.ComputerName. \NIt is highly possible that user is persistently trying to access files and operation is not allowed. \N \NGenerate a report for event id 560 by selecting the involved computer names. Examine the origin of the traffic including the user. |
| 3263 | Intrusion detected\N\NUnauthorized excessive file access failure on $ExcessiveF560.&Object Name:&&New Handle ID:&. \NIt is highly possible that user is persistently trying to access file and operation is not allowed. \N\NGenerate a report for event id 560 by selecting the involved computer names. Examine the origin of the traffic including the user. |
| 3264 | Intrusion detected:\N\NUnauthorized user $ExcessiveU560.User is persistently attempting to access resources which not permitted. \NIt is highly possible that user is persistently trying to access file and operation is not allowed. \N \NGenerate a report for event id 560 by selecting the involved computer names. Examine the origin of the traffic including the user. |
| 3265 | High Security Alert:\N\NToo many files are being deleted from $ExcessiveD560.ComputerName \NIt may be a normal deletes. \N\NGenerate a report for event id 560 by selecting the involved computer names. Examine the origin of the traffic including the user. |
| 3266 | Critical Security alarm: Excessive logon on computer $ExcessiveC528.ComputerName \N\NFor more information about this condition.\NGenerate a report on event ID=528 using EventTracker - Log Search |
| 3267 | Critical Security alarm: Excessive logon on computer $ExcessiveC529.ComputerName \N\NFor more information about this condition\NGenerate a report on event ID=529 using EventTracker - Log Search |
| 3268 | Critical Security alarm: Excessive logon on domain $Excessive529.Domain \N\NFor more information about this condition.\NGenerate a report on event ID=529 using EventTracker - Log Search |
| 3271 | This event indicates that the user has initially logged onto the network. $InitEvt3.Description |
| 3272 | EventTracker Diagnostics found.<br>Status: Normal |
| 3280 | An account was successfully logged on to EventLogCentral<br>New Logon:<br>Account Name: <User Name><br>Account Domain: <Domain name><br>Network Information:<br>Client Network Address: <Network Address><br>Client Browser Version: Gecko v1.0. |
| 3281 | An account failed to log on to EventLogCentral<br>Account For Which Logon Failed:<br>Account Name: <User Name><br>Account Domain: <Domain name><br>Failure Information:<br>Failure Reason: Invalid username or password<br>Network Information:<br>Client Network Address: <Network Address><br>Client Browser Version: Gecko v1.0. |
| 3282 | An account was logged off from EventLogCentral.<br>Subject:<br>Account Name: <User name><br>Account Domain: <Domain name><br>Network Information:<br>Client Network Address: <Network Address><br>Client Browser Version: IE v7. |
| 3283 | A scheduled analysis was added from EventTracker<br>User Information<br>Account Name: <User name><br>Account Domain: <Domain name><br>Configuration Information:<br>Analysis title: Logs - Detail<br>Analysis type: Logs - Detail<br>Categories: ***ALERTS***<br>Schedule Freq: Daily<br>Schedule Time: 12:00:00 AM<br>Systems: <System1:System2: . .><br>System Groups: <Group1:Group2: . .><br>Sites: <Site Name><br>Sort by: Log Time<br>Export type: PDF File (*.pdf)<br>Analysis Header: PNPL<br>Analysis Footer: deepak |
| 3284 | A scheduled analysis was modified from EventLogCentral<br>User Information:<br>Account Name: <User name><br>Account Domain: <Domain name><br>Network Information:<br>Client Address: <Client Address><br>Client Browser Version: IE v7.0<br>Configuration Information:<br>Analysis Name: alerts analysis<br>Old Value:<br>Description:<br>Analysis type:Logs<br>Schedule frequency:Daily<br>Schedule start time:12:00:00 AM<br>Schedule, first run:1/29/2009 12:00:00 AM<br>Email:<br>Systems:<br>Site:ETSERVER, Groups:DLA, Systems:attacktest<br>Refine User:<br>Refine Desc:<br>Filter User:<br>Filter Desc:<br>Sort by:Computer<br>Export type:PDF file<br>RSS feed:None<br>Report Header:EventLogCentral<br>Report Footer:deepak<br>New Value:<br>Description:<br>Analysis type:Logs<br>Schedule frequency:Daily<br>Schedule start time:12:00:00 AM<br>Schedule, first run:1/29/2009 12:00:00 AM<br>Email:deepak@prismmicrosys.com<br>Systems:<br>Site:ETSERVER, Groups:DLA, Systems:attacktest<br>Refine User:<br>Refine Desc:<br>Filter User:<br>Filter Desc:<br>Sort by:Computer<br>Export type:PDF file<br>RSS feed:None<br>Report Header:EventLogCentral<br>Report Footer:deepak |
| 3285 | A scheduled report was deleted from EventTracker<br>User Information<br>Account Name: <User name><br>Account Domain: <Domain name><br>Configuration Information:<br>Report title: Daily USER Logon<br>Schedule Freq: Daily<br>Schedule Time: 2/11/2009 11:59:59 PM |
| 3286 | A custom column was added from EventTracker<br>User Information<br>Account Name: <User name><br>Account Domain: <Domain name><br>Configuration Information:<br>Column Name: EmpLogoffTime<br>Column Key: LogOffTime<br>Key Value Splitter: :<br>Key Value Terminator: ;<br>Custom Resolution: |
| 3287 | A custom column was modified from EventTracker<br>User Information<br>Account Name: <User name><br>Account Domain: <Domain name><br>Configuration Information:<br>Old Values:<br>Column Name: EmpName<br>Column Key: UserName<br>Key Value Splitter: :<br>Key Value Terminator: ;<br>Custom Resolution:<br>New Values:<br>Column Name:<br>Column Key:<br>Key Value Splitter: :<br>Key Value Terminator: ;<br>Custom Resolution: |
| 3288 | A custom column was deleted from EventTracker<br>User Information<br>Account Name: <User name><br>Account Domain: <Domain name><br>Configuration Information:<br>Column Name: U Name<br>Column Key: UNa |
| 3289 | A report Configuration was modified from EventTracker<br>User Information<br>Account Name: <User name><br>Account Domain: <Domain name><br>Configuration Information:<br>Option screen: E-mail Configuration<br>Old Values:<br>Authentication: False<br>Username:<br>New Values:<br>Authentication: True<br>Username: deepak |
| 3290 | A role was added from EventLogCentral<br>User Information:<br>Account Name: <User name><br>Account Domain: <Domain name><br>Network Information:<br>Client Address: <Client Address><br>Client Browser Version: IE v7.0<br>Configuration Information:<br>Role Name: Testrol |
| 3291 | A role was modified from EventLogCentral<br>User Information:<br>Account Name: <Account name><br>Account Domain: <Domain name><br>Network Information:<br>Client Address: <Client Address><br>Client Browser Version: IE v7.0<br>Configuration Information:<br>Role Name: Testrole<br>Old Value:Home Alerts,<br>New Value:Home,Alerts,Advanced,Advanced Compliance,Advanced Security,Advanced Operations,On Demand,Advanced Scheduled Report,Defined Report,Exception,Dashboard,Configuration |
| 3292 | A role was deleted from EventLogCentral<br>User Information:<br>Account Name: <User Name><br>Account Domain: <Domain name><br>Network Information:<br>Client Address: <Client address><br>Client Browser Version: IE v7.0<br>Configuration Information:<br>Role Name: ETREPORT Admin |