Contents
- Appendices
- Commands for components manual starting and installing
- Normalized event data model
- Correlation event fields
- Audit event fields
- Event fields with general information
- User was successfully logged in or failed to log in
- User login successfully changed
- User role was successfully changed
- Other data of the user was successfully changed
- User successfully logged out
- User password was successfully changed
- User was successfully created
- User access token was successfully changed
- Service was successfully created
- Service was successfully deleted
- Service was successfully reloaded
- Service was successfully restarted
- Service was successfully started
- Service was successfully paired
- Service status was changed
- Storage index was deleted by user
- Storage partition was deleted automatically due to expiration
- Active list was successfully cleared or operation failed
- Active list item was successfully deleted or operation was unsuccessful
- Active list was successfully imported or operation failed
- Active list was exported successfully
- Resource was successfully added
- Resource was successfully deleted
- Resource was successfully updated
- Asset was successfully created
- Asset was deleted successfully
- Asset category was successfully added
- Asset category was deleted successfully
- Settings were successfully updated
Appendices
This section provides reference information that complements the main text of the document.
Commands for components manual starting and installing
This section describes the parameters of KUMA's executable file /opt/kaspersky/kuma/kuma that can be used to manually start or install KUMA services. This is useful when you need to see the output in the server's operating system console.
Command parameters
Commands | Description
 | Start KUMA administration tools.
 | Install, start, or uninstall a Collector service.
 | Install, start, or uninstall a Core service.
 | Install, start, or uninstall a Correlator service.
 | Get information about available commands and parameters.
 | Get information about the license.
 | Start or install a Storage.
 | Get information about the version of the program.
Flags: -h, --h are used to get help about any kuma command. For example, kuma <component> --help.
Examples:
kuma version is used to get the version of the KUMA installer.
kuma core -h is used to get help about the core command of the KUMA installer.
kuma collector --core <address of the server where the collector should obtain its settings> --id <ID of the installed service> --api.port <port> is used to start installation of a collector service.
Normalized event data model
This section presents the KUMA normalized event data model. All events processed by the KUMA Correlator to detect alerts must comply with this model.
Events that do not conform to this data model must be converted to it (normalized) by Collectors.
Normalized event data model
Field name | Field type | Description
AggregationRuleName | Internal | The name of the aggregation rule that processed the event.
BaseEventIDs | Internal | IDs of the events that triggered creation of the correlation event.
Code | Internal | In a base event, this is the return code of a process, function, or operation from the source. In a correlation event, this field holds the alert code for first-line support or the code of the notification template to be submitted.
CorrelationRuleName | Internal | The name of the correlation rule that gave rise to the correlation event. Filled in only for correlation events.
ID | Internal | Unique event ID of UID type. The collector generates the ID for a base event created in the collector; the correlator generates the ID of a correlation event. The ID never changes its value. You can search for the event in Storage using this ID.
Raw | Internal | Text of the source event "as is".
Score | Internal | Filled in for events that were processed by a triggered correlation rule. This is the priority of the identified incident, as specified in the correlation rule.
ServiceAddress | Internal | IP address of the host on which the service is deployed.
ServiceID | Internal | Identifier of a service instance: correlator, collector, storage.
ServiceKind | Internal | Service type: correlator, collector, storage.
ServiceName | Internal | The name of the service instance that the KUMA administrator assigns to the service when it is created.
Tactic | Internal | Name of the tactic from MITRE.
Technique | Internal | Name of the technique from MITRE.
Timestamp | Internal | Timestamp of the base event created in the collector. Timestamp of the correlation event created in the collector.
Extra | Internal | Used for mapping unparsed values during event normalization.
TICategories | Internal | Threat intelligence categories received from external TI sources in response to the indicators found in the event.
DeviceVendor | CEF | Name of the log source producer. The value is taken from the raw event. DeviceVendor, DeviceProduct, and DeviceVersion together uniquely identify the log source.
DeviceProduct | CEF | Product name from the log source. The value is taken from the raw event. DeviceVendor, DeviceProduct, and DeviceVersion together uniquely identify the log source.
DeviceVersion | CEF | Product version from the log source. The value is taken from the raw event. DeviceVendor, DeviceProduct, and DeviceVersion together uniquely identify the log source.
DeviceEventClassID | CEF | Unique ID of the event type from the log source. Certain log sources categorize events.
Name | CEF | Event name in the raw event.
Severity | CEF | Error priority from the raw event. Depending on the log, this can be a Severity field, a Level field, etc.
DeviceAction | CEF | Action taken by the asset, i.e. the action that the producer of the log source took. For example, blocked, detected.
ApplicationProtocol | CEF | Application-level protocol (HTTP, HTTPS, Telnet, and so on).
DeviceCustomIPv6Address1 | CEF | Field for mapping a String type value that cannot be mapped to any other data model element. It can be used to process the logs of network assets where you need to distinguish between the IP addresses of various assets (for firewalls, etc.). The field is customizable.
DeviceCustomIPv6Address1Label | CEF | Field for describing the purpose of the DeviceCustomIPv6Address1 field.
DeviceCustomIPv6Address2 | CEF | Field for mapping a String type value that cannot be mapped to any other data model element. It can be used to process the logs of network assets where you need to distinguish between the IP addresses of various assets (for firewalls, etc.). The field is customizable.
DeviceCustomIPv6Address2Label | CEF | Field for describing the purpose of the DeviceCustomIPv6Address2 field.
DeviceCustomIPv6Address3 | CEF | Field for mapping a String type value that cannot be mapped to any other data model element. It can be used to process the logs of network assets where you need to distinguish between the IP addresses of various assets (for firewalls, etc.). The field is customizable.
DeviceCustomIPv6Address3Label | CEF | Field for describing the purpose of the DeviceCustomIPv6Address3 field.
DeviceCustomIPv6Address4 | CEF | Field for mapping a String type value that cannot be mapped to any other data model element. It can be used to process the logs of network assets where you need to distinguish between the IP addresses of various assets (for firewalls, etc.). The field is customizable.
DeviceCustomIPv6Address4Label | CEF | Field for describing the purpose of the DeviceCustomIPv6Address4 field.
DeviceEventCategory | CEF | Category of the raw event according to the log producer's event categorization scheme.
DeviceCustomFloatingPoint1 | CEF | Field for mapping a Float type value that cannot be mapped to any other data model element. The field is customizable.
DeviceCustomFloatingPoint1Label | CEF | Field for describing the purpose of the DeviceCustomFloatingPoint1 field.
DeviceCustomFloatingPoint2 | CEF | Field for mapping a Float type value that cannot be mapped to any other data model element. The field is customizable.
DeviceCustomFloatingPoint2Label | CEF | Field for describing the purpose of the DeviceCustomFloatingPoint2 field.
DeviceCustomFloatingPoint3 | CEF | Field for mapping a Float type value that cannot be mapped to any other data model element. The field is customizable.
DeviceCustomFloatingPoint3Label | CEF | Field for describing the purpose of the DeviceCustomFloatingPoint3 field.
DeviceCustomFloatingPoint4 | CEF | Field for mapping a Float type value that cannot be mapped to any other data model element. The field is customizable.
DeviceCustomFloatingPoint4Label | CEF | Field for describing the purpose of the DeviceCustomFloatingPoint4 field.
DeviceCustomNumber1 | CEF | Field for mapping an integer value that cannot be mapped to any other data model element. The field is customizable.
DeviceCustomNumber1Label | CEF | Field for describing the purpose of the DeviceCustomNumber1 field.
DeviceCustomNumber2 | CEF | Field for mapping an integer value that cannot be mapped to any other data model element. The field is customizable.
DeviceCustomNumber2Label | CEF | Field for describing the purpose of the DeviceCustomNumber2 field.
DeviceCustomNumber3 | CEF | Field for mapping an integer value that cannot be mapped to any other data model element. The field is customizable.
DeviceCustomNumber3Label | CEF | Field for describing the purpose of the DeviceCustomNumber3 field.
BaseEventCount | CEF | For a correlation event, the number of base events processed by the correlation rule that generated the correlation event.
DeviceCustomString1 | CEF | Field for mapping a string value that cannot be mapped to any other data model element. The field is customizable.
DeviceCustomString1Label | CEF | Field for describing the purpose of the DeviceCustomString1 field.
DeviceCustomString2 | CEF | Field for mapping a string value that cannot be mapped to any other data model element. The field is customizable.
DeviceCustomString2Label | CEF | Field for describing the purpose of the DeviceCustomString2 field.
DeviceCustomString3 | CEF | Field for mapping a string value that cannot be mapped to any other data model element. The field is customizable.
DeviceCustomString3Label | CEF | Field for describing the purpose of the DeviceCustomString3 field.
DeviceCustomString4 | CEF | Field for mapping a string value that cannot be mapped to any other data model element. The field is customizable.
DeviceCustomString4Label | CEF | Field for describing the purpose of the DeviceCustomString4 field.
DeviceCustomString5 | CEF | Field for mapping a string value that cannot be mapped to any other data model element. The field is customizable.
DeviceCustomString5Label | CEF | Field for describing the purpose of the DeviceCustomString5 field.
DeviceCustomString6 | CEF | Field for mapping a string value that cannot be mapped to any other data model element. The field is customizable.
DeviceCustomString6Label | CEF | Field for describing the purpose of the DeviceCustomString6 field.
DestinationDnsDomain | CEF | The DNS domain portion of the destination's fully qualified domain name (FQDN), if the raw event contains the traffic sender and recipient. Used for network traffic logs where the source and destination must be distinguished.
DestinationServiceName | CEF | Service name on the traffic recipient's side, for example "sshd". Used for network traffic logs where the source and destination must be distinguished.
DestinationTranslatedAddress | CEF | IP address of the traffic recipient asset after address translation. Used for network traffic logs where the source and destination must be distinguished.
DestinationTranslatedPort | CEF | Port number on the traffic recipient asset after the recipient address is translated. Used for network traffic logs where the source and destination must be distinguished.
DeviceCustomDate1 | CEF | Field for mapping a Timestamp type value that cannot be mapped to any other data model element. The field is customizable.
DeviceCustomDate1Label | CEF | Field for describing the purpose of the DeviceCustomDate1 field.
DeviceCustomDate2 | CEF | Field for mapping a Timestamp type value that cannot be mapped to any other data model element. The field is customizable.
DeviceCustomDate2Label | CEF | Field for describing the purpose of the DeviceCustomDate2 field.
DeviceDirection | CEF | Description of the connection direction from the raw event.
DeviceDnsDomain | CEF | The DNS domain part of the fully qualified domain name (FQDN) of the asset from whose IP address the raw event was received.
DeviceExternalID | CEF | External unique asset (product) ID, if it is communicated in the raw event.
DeviceFacility | CEF | Facility from the raw event, if one exists. For example, the Facility field in Syslog can be used to transmit the name of the OS component where an error occurred.
DeviceInboundInterface | CEF | Name of the incoming connection interface.
DeviceNtDomain | CEF | Windows domain name of the asset.
DeviceOutboundInterface | CEF | Name of the outgoing connection interface.
DevicePayloadID | CEF | Unique ID of the payload associated with the raw event.
DeviceProcessName | CEF | Name of the process from the raw event.
DeviceTranslatedAddress | CEF | Translated IP address of the asset from which the raw event was received.
DestinationHostName | CEF | Host name of the traffic recipient; its FQDN, if available. Used for network traffic logs where the source and destination must be distinguished.
DestinationMacAddress | CEF | MAC address of the traffic recipient asset. Used for network traffic logs where the source and destination must be distinguished.
DestinationNtDomain | CEF | Windows domain name of the traffic recipient asset.
DestinationProcessID | CEF | ID of the system process associated with the traffic recipient in the raw event. For example, if Process ID 105 is specified in the event, then DestinationProcessId=105. Used for network traffic logs where the source and destination must be distinguished.
DestinationUserPrivileges | CEF | Names of the security roles that identify user privileges at the destination. For example, "User", "Guest", "Administrator", etc. Used for network traffic logs where the source and destination must be distinguished.
DestinationProcessName | CEF | Name of the system process at the destination. For example, "sshd", "telnet", etc. Used for network traffic logs where the source and destination must be distinguished.
DestinationPort | CEF | Port number at the destination. Used for network traffic logs where the source and destination must be distinguished.
DestinationAddress | CEF | Destination IPv4 address. Used for network traffic logs where the source and destination must be distinguished.
DeviceTimeZone | CEF | Time zone of the asset where the event was generated.
DestinationUserID | CEF | User ID at the destination. Used for network traffic logs where the source and destination must be distinguished.
DestinationUserName | CEF | User name at the destination. It may contain the user's email address. Used for network traffic logs where the source and destination must be distinguished.
DeviceAddress | CEF | IPv4 address of the asset from which the event was received.
DeviceHostName | CEF | Host name of the asset from which the event was received; its FQDN, if available.
DeviceMacAddress | CEF | MAC address of the asset from which the event was received.
DeviceProcessID | CEF | ID of the system process on the asset that generated the event.
EndTime | CEF | Timestamp when the event ended.
ExternalID | CEF | ID of the asset that generated the event.
FileCreateTime | CEF | File creation time from the event.
FileHash | CEF | Hash of the file.
FileID | CEF | File ID, if one exists.
FileModificationTime | CEF | Time of the last modification of the file.
FilePath | CEF | File path, including the file name.
FilePermission | CEF | List of file permissions.
FileType | CEF | File type. For example, application, pipe, socket, etc.
FlexDate1 | CEF | Field for mapping a Timestamp type value that cannot be mapped to any other data model element. The field is customizable.
FlexDate1Label | CEF | Field for describing the purpose of the FlexDate1 field.
FlexString1 | CEF | Field for mapping a String type value that cannot be mapped to any other data model element. The field is customizable.
FlexString1Label | CEF | Field for describing the purpose of the FlexString1 field.
FlexString2 | CEF | Field for mapping a String type value that cannot be mapped to any other data model element. The field is customizable.
FlexString2Label | CEF | Field for describing the purpose of the FlexString2 field.
FlexNumber1 | CEF | Field for mapping an integer type value that cannot be mapped to any other data model element. The field is customizable.
FlexNumber1Label | CEF | Field for describing the purpose of the FlexNumber1 field.
FlexNumber2 | CEF | Field for mapping an integer type value that cannot be mapped to any other data model element. The field is customizable.
FlexNumber2Label | CEF | Field for describing the purpose of the FlexNumber2 field.
FileName | CEF | File name without the file path.
FileSize | CEF | File size.
BytesIn | CEF | Number of bytes received from the source and transmitted to the destination. Used for network traffic logs where the source and destination must be distinguished.
Message | CEF | Short name of the error (problem) from the event.
OldFileCreateTime | CEF | Creation time of the old file from the event.
OldFileHash | CEF | Hash of the old file.
OldFileID | CEF | ID of the old file, if one exists.
OldFileModificationTime | CEF | Time when the old file was last changed.
OldFileName | CEF | Name of the old file (without the file path).
OldFilePath | CEF | Path to the old file, including the file name.
OldFilePermission | CEF | List of the old file's permissions.
OldFileSize | CEF | Size of the old file.
OldFileType | CEF | Type of the old file. For example, application, pipe, socket, etc.
BytesOut | CEF | Number of bytes sent. Used for network traffic logs where the source and destination must be distinguished.
EventOutcome | CEF | Result of the action. For example, "success", "failure".
TransportProtocol | CEF | Name of the OSI layer 4 (transport) protocol (TCP, UDP, etc.).
Reason | CEF | Short description of the audit reason in audit messages.
RequestUrl | CEF | Requested URL.
RequestClientApplication | CEF | User agent that processed the request.
RequestContext | CEF | Description of the request context.
RequestCookies | CEF | Cookies related to the request.
RequestMethod | CEF | Method used to access the URL (POST, GET, etc.).
DeviceReceiptTime | CEF | Time when the event was received.
SourceHostName | CEF | Host name of the traffic source; its FQDN, if available. Used for network traffic logs where the source and destination must be distinguished.
SourceDnsDomain | CEF | Windows domain name of the traffic source asset.
SourceServiceName | CEF | Name of the service at the traffic source. For example, "sshd". Used for network traffic logs where the source and destination must be distinguished.
SourceTranslatedAddress | CEF | Translated IPv4 address of the source. Used for network traffic logs where the source and destination must be distinguished.
SourceTranslatedPort | CEF | Translated port number at the source. Used for network traffic logs where the source and destination must be distinguished.
SourceMacAddress | CEF | MAC address of the traffic source asset. Used for network traffic logs where the source and destination must be distinguished.
SourceNtDomain | CEF | Windows domain name of the traffic source asset. Used for network traffic logs where the source and destination must be distinguished.
SourceProcessID | CEF | ID of the system process associated with the traffic source in the raw event. For example, if Process ID 105 is specified in the event, SourceProcessId=105. Used for network traffic logs where the source and destination must be distinguished.
SourceUserPrivileges | CEF | Names of the security roles that identify user privileges at the source. For example, "User", "Guest", "Administrator", etc. Used for network traffic logs where the source and destination must be distinguished.
SourceProcessName | CEF | Name of the system process at the source. For example, "sshd", "telnet", etc. Used for network traffic logs where the source and destination must be distinguished.
SourcePort | CEF | Port number at the source. Used for network traffic logs where the source and destination must be distinguished.
SourceAddress | CEF | Source IPv4 address. Used for network traffic logs where the source and destination must be distinguished.
StartTime | CEF | Timestamp when the action associated with the event began.
SourceUserID | CEF | User ID at the source. Used for network traffic logs where the source and destination must be distinguished.
SourceUserName | CEF | User name at the source. It may contain the user's email address. Used for network traffic logs where the source and destination must be distinguished.
Type | CEF | The following values are available:
CorrelationBucketHash | CEF | Correlation bucket key. Correlation event fields are used when generating the key. Used when generating notifications for the user.
GroupedBy | CEF | List of the names of the fields used for grouping in the correlation rule. Filled in only for correlation events.
tenantID | CEF | Tenant ID.
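Most of the fields above carry the "CEF" type, so the natural way to see the model in use is to map a CEF-formatted raw event onto it. The following is an added example, not KUMA code: the target field names come from the table above, while the CEF extension-key mapping (src to SourceAddress, cs1 to DeviceCustomString1, and so on) is the public CEF dictionary applied by hand and is an assumption about how a collector's normalizer would be configured. Keys without a model counterpart land in Extra, as the table describes, and the sample line is constructed.

```python
"""Map a CEF-formatted raw event onto the KUMA normalized event data model.

Added example, not KUMA code. Field names are those of the model table; the
extension-key mapping is the public CEF dictionary (an assumption about how a
collector would be configured). Unmapped keys are kept in Extra.
"""
import re
from typing import Any, Dict, Optional

# Header positions 1..6 (after "CEF:<version>") -> model fields.
HEADER_FIELDS = ("DeviceVendor", "DeviceProduct", "DeviceVersion",
                 "DeviceEventClassID", "Name", "Severity")

# Standard CEF extension keys -> model fields (assumed mapping, see above).
EXT_MAP = {
    "act": "DeviceAction", "app": "ApplicationProtocol", "proto": "TransportProtocol",
    "outcome": "EventOutcome", "msg": "Message", "cat": "DeviceEventCategory",
    "reason": "Reason", "rt": "DeviceReceiptTime", "start": "StartTime", "end": "EndTime",
    "dvc": "DeviceAddress", "dvchost": "DeviceHostName", "dvcpid": "DeviceProcessID",
    "deviceExternalId": "DeviceExternalID", "deviceFacility": "DeviceFacility",
    "deviceProcessName": "DeviceProcessName", "externalId": "ExternalID",
    "src": "SourceAddress", "spt": "SourcePort", "shost": "SourceHostName",
    "smac": "SourceMacAddress", "suser": "SourceUserName", "suid": "SourceUserID",
    "spriv": "SourceUserPrivileges", "sproc": "SourceProcessName", "spid": "SourceProcessID",
    "sntdom": "SourceNtDomain", "sourceTranslatedAddress": "SourceTranslatedAddress",
    "dst": "DestinationAddress", "dpt": "DestinationPort", "dhost": "DestinationHostName",
    "dmac": "DestinationMacAddress", "duser": "DestinationUserName", "duid": "DestinationUserID",
    "dpriv": "DestinationUserPrivileges", "dproc": "DestinationProcessName",
    "dpid": "DestinationProcessID", "dntdom": "DestinationNtDomain",
    "destinationTranslatedAddress": "DestinationTranslatedAddress",
    "in": "BytesIn", "out": "BytesOut", "cnt": "BaseEventCount",
    "request": "RequestUrl", "requestMethod": "RequestMethod",
    "requestClientApplication": "RequestClientApplication",
    "fname": "FileName", "filePath": "FilePath", "fsize": "FileSize", "fileHash": "FileHash",
}
# Numbered custom keys: cs1..cs6, cn1..cn3, cfp1..cfp4, c6a1..c6a4, flexString1..2,
# flexNumber1..2, flexDate1, deviceCustomDate1..2, each with an optional "Label".
_CUSTOM_RE = re.compile(
    r"^(cs|cn|cfp|c6a|flexString|flexNumber|flexDate|deviceCustomDate)(\d)(Label)?$")
_CUSTOM_PREFIX = {"cs": "DeviceCustomString", "cn": "DeviceCustomNumber",
                  "cfp": "DeviceCustomFloatingPoint", "c6a": "DeviceCustomIPv6Address",
                  "flexString": "FlexString", "flexNumber": "FlexNumber",
                  "flexDate": "FlexDate", "deviceCustomDate": "DeviceCustomDate"}
# Fields the table describes as numbers or counts are parsed as integers;
# everything else is kept as a string.
INT_FIELDS = ({"SourcePort", "DestinationPort", "BytesIn", "BytesOut", "BaseEventCount"}
              | {f"DeviceCustomNumber{i}" for i in (1, 2, 3)} | {"FlexNumber1", "FlexNumber2"})


def _unescape(value: str) -> str:
    """Undo CEF escaping: backslash-pipe (header), backslash-equals (extension)
    and a doubled backslash for a literal backslash."""
    return value.replace("\\|", "|").replace("\\=", "=").replace("\\\\", "\\")


def model_field(key: str) -> Optional[str]:
    """Model field for a CEF extension key, or None when the key has no counterpart."""
    if key in EXT_MAP:
        return EXT_MAP[key]
    m = _CUSTOM_RE.match(key)
    if m:
        prefix, index, label = m.groups()
        return f"{_CUSTOM_PREFIX[prefix]}{index}{label or ''}"
    return None


def normalize_cef(line: str) -> Dict[str, Any]:
    """Parse one CEF line into a dict keyed by normalized-model field names."""
    # Split on unescaped '|' only; the extension (8th part) may itself contain '|'.
    parts = re.split(r"(?<!\\)\|", line.strip(), maxsplit=7)
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF event")
    event: Dict[str, Any] = {"Raw": line, "Extra": {}}
    for name, value in zip(HEADER_FIELDS, parts[1:7]):
        event[name] = _unescape(value)
    extension = parts[7].strip() if len(parts) > 7 else ""
    # Values may contain spaces, so split only at whitespace followed by "key=".
    for token in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", extension):
        if not token:
            continue
        key, _, raw_value = token.partition("=")  # keys never contain '='
        value = _unescape(raw_value)
        field = model_field(key)
        if field is None:
            event["Extra"][key] = value  # unparsed value, kept as the table describes
        elif field in INT_FIELDS and value.isdigit():
            event[field] = int(value)
        else:
            event[field] = value
    return event


SAMPLE_LINE = (  # constructed sample, not a real product event
    "CEF:0|ExampleVendor|ExampleFW|2.1|100|Connection \\| blocked|7|"
    "act=blocked src=10.0.0.5 spt=51515 dst=192.0.2.10 dpt=443 proto=TCP "
    "cs1=policy\\=deny-all cs1Label=Policy name customKey=not in model "
    "msg=Outbound connection blocked by policy"
)

if __name__ == "__main__":
    for field, value in normalize_cef(SAMPLE_LINE).items():
        print(f"{field}: {value}")
```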
Correlation event fields
Correlation events are created by KUMA Correlators when the conditions set in the correlation rules are met. A correlation event conforms to the normalized event data model.
Correlation event fields
Field | Description
 | Unique identifier.
 | Indicator of the correlation event type. The correlation event corresponds to the value of
 | Correlation event name. By default, the name of the parent correlation rule (the Correlation rule resource that created the correlation event) is used. This can be changed in the Correlation rule settings, in the Enrichment group of parameters.
 | Time and date of correlation event creation.
 | Identifier of the parent correlation rule that triggered the event.
 | Name of the parent correlation rule.
 | Priority of the correlation event.
 | Identifier of the correlator service that created the event.
 | The number of base events related to the correlation event.
 | List of IDs of the base events that served as the basis for the correlation event. For DrillDown.
 | List of unique addresses, hosts, users, and IDs of assets affected by the potential incident.
<Fields selected in the Identical fields setting of the Correlation rule resource> | Copied from the events processed by the Correlation rule.
Audit event fields
Audit events are created when certain security-related actions happen in KUMA; these events are used to ensure system integrity. This section contains information about audit event fields.
Event fields with general information
Every audit event has the fields described below.
Event field name | Field value
ID | Unique event ID in the form of a UUID.
Timestamp | Event time.
DeviceHostName | The event source host. For audit events, this is the host where kuma-core is installed, because it is the source of these events.
Type | Type of the audit event. For audit events, the value is
User was successfully logged in or failed to log in
Event field name | Field value
DeviceAction |
EventOutcome |
SourceTranslatedAddress | Contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field is empty.
SourceAddress | The address from which the user logged in. If the user logged in through a proxy, this is the proxy address.
SourcePort | Port from which the user logged in. If the user logged in through a proxy, this is the port on the proxy side.
SourceUserName | User login.
SourceUserID | User ID.
Message | Description of the error; present only if an error occurred during login. Otherwise the field is empty.
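The field semantics above are enough to build a simple detection over login audit events: Message is non-empty only when the login failed, SourceTranslatedAddress carries a request header value, and SourceAddress is the proxy's address when a proxy fronts KUMA. The following is an added example with constructed records, not KUMA's own code or output. Because the DeviceAction value of login events is not reproduced in this section, LOGIN_ACTION is a placeholder, and TRUSTED_PROXIES is an assumed deployment detail; the check only honours the forwarded header when the event actually arrived through that proxy.

```python
"""Detection over KUMA audit login events (constructed records, not KUMA output).

Added example. Relies on the field semantics of the login audit event: Message is
non-empty only on failure; SourceTranslatedAddress is the x-real-ip /
x-forwarded-for header value; SourceAddress is the proxy when a proxy is in front.
LOGIN_ACTION is a placeholder (the real value is not reproduced on this page) and
TRUSTED_PROXIES is an assumed deployment detail.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

LOGIN_ACTION = "<DeviceAction value of the login audit event>"  # placeholder
TRUSTED_PROXIES = {"10.0.0.2"}  # assumption: the reverse proxy in front of kuma-core


def client_address(ev: Dict[str, str]) -> str:
    """Return the address the login really came from.

    x-forwarded-for / x-real-ip are request headers any client can set, so
    SourceTranslatedAddress is honoured only when SourceAddress is a proxy we
    control; otherwise the transport-level SourceAddress is authoritative.
    """
    forwarded = ev.get("SourceTranslatedAddress", "")
    if forwarded and ev.get("SourceAddress") in TRUSTED_PROXIES:
        # x-forwarded-for may be a chain "client, proxy1, proxy2"; take the client.
        return forwarded.split(",")[0].strip()
    return ev.get("SourceAddress", "")


def suspicious_logins(events: List[Dict[str, str]], threshold: int = 3,
                      window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """Flag (account, client) pairs with >= threshold failed logins inside `window`,
    and report whether a successful login from the same client followed them."""
    by_key = defaultdict(list)  # (SourceUserName, client) -> [(time, failed)]
    for ev in sorted(events, key=lambda e: e["Timestamp"]):
        if ev.get("DeviceAction") != LOGIN_ACTION:
            continue
        failed = bool(ev.get("Message"))  # an empty Message means the login succeeded
        by_key[(ev["SourceUserName"], client_address(ev))].append(
            (datetime.fromisoformat(ev["Timestamp"]), failed))
    findings = []
    for (user, client), seq in by_key.items():
        fails = [t for t, failed in seq if failed]
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                last_fail = fails[i + threshold - 1]
                success_after = any(not failed and t >= last_fail for t, failed in seq)
                findings.append({"user": user, "client": client,
                                 "failures": len(fails), "success_after": success_after})
                break  # one finding per (user, client) pair
    return findings


def _ev(ts, user, src, fwd="", msg=""):
    """Build a constructed audit record carrying only the fields this check reads."""
    return {"DeviceAction": LOGIN_ACTION, "Timestamp": ts, "SourceUserName": user,
            "SourceAddress": src, "SourceTranslatedAddress": fwd, "Message": msg}


SAMPLE_EVENTS = [  # constructed, not real KUMA audit output
    # three failures then a success through the trusted proxy, client 203.0.113.7
    _ev("2024-01-01T12:00:00", "analyst", "10.0.0.2", "203.0.113.7", "invalid password"),
    _ev("2024-01-01T12:01:00", "analyst", "10.0.0.2", "203.0.113.7", "invalid password"),
    _ev("2024-01-01T12:02:00", "analyst", "10.0.0.2", "203.0.113.7", "invalid password"),
    _ev("2024-01-01T12:03:00", "analyst", "10.0.0.2", "203.0.113.7"),
    # a direct connection carrying a forwarded header that cannot be trusted
    _ev("2024-01-01T12:10:00", "admin", "192.0.2.9", "127.0.0.1", "invalid password"),
]

if __name__ == "__main__":
    for finding in suspicious_logins(SAMPLE_EVENTS):
        print(finding)
```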
User login successfully changed
Event field name | Field value
DeviceAction |
EventOutcome |
SourceTranslatedAddress | Contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field is empty.
SourceAddress | The address from which the user logged in. If the user logged in through a proxy, this is the proxy address.
SourcePort | Port from which the user logged in. If the user logged in through a proxy, this is the port on the proxy side.
SourceUserName | User login that was used to change the data.
SourceUserID | User ID that was used to change the data.
DestinationUserName | Login of the user whose data was changed.
DestinationUserID | ID of the user whose data was changed.
DeviceCustomString1 | Current value of the login.
DeviceCustomString1Label |
DeviceCustomString2 | Value of the login before it was changed.
DeviceCustomString2Label |
User role was successfully changed
Event field name | Field value
DeviceAction |
EventOutcome |
SourceTranslatedAddress | Contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field is empty.
SourceAddress | The address from which the user logged in. If the user logged in through a proxy, this is the proxy address.
SourcePort | Port from which the user logged in. If the user logged in through a proxy, this is the port on the proxy side.
SourceUserName | User login that was used to change the data.
SourceUserID | User ID that was used to change the data.
DestinationUserName | Login of the user whose data was changed.
DestinationUserID | ID of the user whose data was changed.
DeviceCustomString1 | Current value of the role.
DeviceCustomString1Label |
DeviceCustomString2 | Value of the role before it was changed.
DeviceCustomString2Label |
Other data of the user was successfully changed
Event field name | Field value
DeviceAction |
EventOutcome |
SourceTranslatedAddress | Contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field is empty.
SourceAddress | The address from which the user logged in. If the user logged in through a proxy, this is the proxy address.
SourcePort | Port from which the user logged in. If the user logged in through a proxy, this is the port on the proxy side.
SourceUserName | User login that was used to change the data.
SourceUserID | User ID that was used to change the data.
DestinationUserName | Login of the user whose data was changed.
DestinationUserID | ID of the user whose data was changed.
User successfully logged out
This event appears only when the user clicks the logout button.
It does not appear if the user is logged out because the session ended or because the user logged in again from another browser.
Event field name | Field value
DeviceAction |
EventOutcome |
SourceTranslatedAddress | Contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field is empty.
SourceAddress | The address from which the user logged in. If the user logged in through a proxy, this is the proxy address.
SourcePort | Port from which the user logged in. If the user logged in through a proxy, this is the port on the proxy side.
SourceUserName | User login.
SourceUserID | User ID.
User password was successfully changed
Event field name | Field value
DeviceAction |
EventOutcome |
SourceTranslatedAddress | Contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field is empty.
SourceAddress | The address from which the user logged in. If the user logged in through a proxy, this is the proxy address.
SourcePort | Port from which the user logged in. If the user logged in through a proxy, this is the port on the proxy side.
SourceUserName | User login that was used to change the data.
SourceUserID | User ID that was used to change the data.
DestinationUserName | Login of the user whose data was changed.
DestinationUserID | ID of the user whose data was changed.
User was successfully created
Event field name | Field value
DeviceAction |
EventOutcome |
SourceTranslatedAddress | Contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field is empty.
SourceAddress | The address from which the user logged in. If the user logged in through a proxy, this is the proxy address.
SourcePort | Port from which the user logged in. If the user logged in through a proxy, this is the port on the proxy side.
SourceUserName | User login that was used to create the user account.
SourceUserID | User ID that was used to create the user account.
DestinationUserName | Login of the user for whom the account was created.
DestinationUserID | ID of the user for whom the account was created.
DeviceCustomString1 | Role of the created user.
DeviceCustomString1Label |
User access token was successfully changed
Event field name | Field value
DeviceAction |
EventOutcome |
SourceTranslatedAddress | Contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field is empty.
SourceAddress | The address from which the user logged in. If the user logged in through a proxy, this is the proxy address.
SourcePort | Port from which the user logged in. If the user logged in through a proxy, this is the port on the proxy side.
SourceUserName | User login that was used to change the data.
SourceUserID | User ID that was used to change the data.
DestinationUserName | Login of the user whose data was changed.
DestinationUserID | ID of the user whose data was changed.
Service was successfully created
Event field name | Field value
DeviceAction |
EventOutcome |
SourceTranslatedAddress | Contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field is empty.
SourceAddress | The address from which the user logged in. If the user logged in through a proxy, this is the proxy address.
SourcePort | Port from which the user logged in. If the user logged in through a proxy, this is the port on the proxy side.
SourceUserName | User login that was used to create the service.
SourceUserID | User ID that was used to create the service.
DeviceExternalID | Service ID.
DeviceProcessName | Service name.
DeviceFacility | Service type.
Service was successfully deleted
| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
| SourcePort | Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
| SourceUserName | User login that was used to delete the service. |
| SourceUserID | User ID that was used to delete the service. |
| DeviceExternalID | Service ID. |
| DeviceProcessName | Service name. |
| DeviceFacility | Service type. |
| DestinationAddress | The address of the machine that was used to start the service. If the service has never been started before, the field will be empty. |
| DestinationHostName | The FQDN of the machine that was used to start the service. If the service has never been started before, the field will be empty. |
Service was successfully reloaded
| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
| SourcePort | Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
| SourceUserName | User login that was used to create the service. |
| SourceUserID | User ID that was used to create the service. |
| DeviceExternalID | Service ID. |
| DeviceProcessName | Service name. |
| DeviceFacility | Service type. |
Service was successfully restarted
| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
| SourcePort | Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
| SourceUserName | User login that was used to create the service. |
| SourceUserID | User ID that was used to create the service. |
| DeviceExternalID | Service ID. |
| DeviceProcessName | Service name. |
| DeviceFacility | Service type. |
Service was successfully started
| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | Address that reported information about service start. It may be a proxy address if the information passed through a proxy. |
| SourcePort | Port that reported information about service start. It may be a proxy port if the information passed through a proxy. |
| DeviceExternalID | Service ID. |
| DeviceProcessName | Service name. |
| DeviceFacility | Service type. |
| DestinationAddress | Address of the machine where the service was started. |
| DestinationHostName | FQDN of the machine where the service was started. |
Service was successfully paired
| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | Address that sent a service pairing request. It may be a proxy address if the request passed through a proxy. |
| SourcePort | Port that sent a service pairing request. It may be a proxy port if the request passed through a proxy. |
| DeviceExternalID | Service ID. |
| DeviceProcessName | Service name. |
| DeviceFacility | Service type. |
Service status was changed
| Event field name | Field value |
|---|---|
| DeviceAction | |
| DeviceExternalID | Service ID. |
| DeviceProcessName | Service name. |
| DeviceFacility | Service type. |
| DestinationAddress | Address of the machine where the service was started. |
| DestinationHostName | FQDN of the machine where the service was started. |
| DeviceCustomString1 | |
| DeviceCustomString1Label | |
| DeviceCustomString2 | |
| DeviceCustomString2Label | |
Storage index was deleted by user
| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
| SourcePort | Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
| SourceUserName | User login that was used to create the service. |
| SourceUserID | User ID that was used to create the service. |
| Name | Index name. |
| Message | |
Storage partition was deleted automatically due to expiration
| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| Name | Index name. |
| SourceServiceName | |
| Message | |
Active list was successfully cleared or operation failed
This event can arrive with a succeeded or failed status. Since the request to clear the active list is made over a remote connection, a data transfer error may occur both before deletion and after deletion. This means that the active list may be cleared successfully, but the event will still have the failed status. So, in fact, EventOutcome returns the TCP/IP connection status of the request, not the succeeded or failed status of the active list clearing.

| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
| SourcePort | Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
| SourceUserName | User login that was used to clear the active list. |
| SourceUserID | User ID that was used to clear the active list. |
| DeviceExternalID | Service ID for which the active list is cleared. |
| ExternalID | Active list ID. |
| Name | Active list name. |
| Message | If EventOutcome = |
Active list item was successfully deleted or operation was unsuccessful
This event can arrive with a succeeded or failed status. Since the request to delete the active list item is made over a remote connection, a data transfer error may occur both before deletion and after deletion. This means that the active list item may be deleted successfully, but the event will still have the failed status. So, in fact, EventOutcome returns the TCP/IP connection status of the request, not the succeeded or failed status of the active list item deletion.

| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
| SourcePort | Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
| SourceUserName | User login that was used to delete the item from the active list. |
| SourceUserID | User ID that was used to delete the item from the active list. |
| DeviceExternalID | Service ID for which the active list is cleared. |
| ExternalID | Active list ID. |
| Name | Active list name. |
| DeviceCustomString1 | Key name. |
| DeviceCustomString1Label | |
| Message | If EventOutcome = |
Active list was successfully imported or operation failed
The import is performed over a remote connection and may complete only partially. An error may occur during the operation, so EventOutcome = failed may also indicate a connection error, in which case the data may have been either partially or completely imported. In most cases, however, the error means that the data was not imported or was only partially imported.
| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
| SourcePort | Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
| SourceUserName | User login that was used to perform the import. |
| SourceUserID | User ID that was used to perform the import. |
| DeviceExternalID | Service ID for which an import was performed. |
| ExternalID | Active list ID. |
| Name | Active list name. |
| Message | If EventOutcome = |
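The three active list events above (clear, item deletion, import) share one caveat: EventOutcome reports the TCP/IP status of the remote request, so a failed event does not prove that the list was left untouched, and a detection or audit workflow that treats failed as "nothing happened" will misjudge the correlator's real state. The following is an added example, not KUMA's own code, that treats such events as indeterminate until the list itself has been checked. The DeviceAction strings are placeholders (the page lists none), the probe and in-memory store stand in for whatever means an operator has to re-read an active list, and the events are constructed; only the succeeded and failed outcome strings come from the text above.

```python
"""Settle EventOutcome = failed on active list clear / item delete / import
audit events.

Added example, not KUMA's own code. For these three events the page states
that EventOutcome reports the TCP/IP status of the remote request, not
whether the active list was actually changed, so "failed" is not proof that
nothing happened. The classifier treats such events as indeterminate and
asks a caller-supplied probe for the list's current contents. The probe,
the DeviceAction values and the in-memory store are constructed stand-ins.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, Optional

# Placeholders: the page gives no DeviceAction strings for these events.
ACTION_CLEAR = "<active-list-clear>"
ACTION_DELETE_ITEM = "<active-list-delete-item>"
ACTION_IMPORT = "<active-list-import>"


class Verdict(Enum):
    APPLIED = "operation applied"
    NOT_APPLIED = "operation not applied"
    PARTIAL = "partially applied"
    INDETERMINATE = "transport error, list state not checked"


@dataclass(frozen=True)
class ListState:
    keys: FrozenSet[str]            # keys currently present in the active list


# probe(service_id, active_list_id) -> current state, or None if it cannot be read
Probe = Callable[[str, str], Optional[ListState]]


def classify(event: dict, probe: Optional[Probe] = None,
             expected_keys: Optional[FrozenSet[str]] = None) -> Verdict:
    """Map an audit event to a verdict about the active list's real state.

    EventOutcome values are the "succeeded" / "failed" strings the page names.
    expected_keys is only used for imports: the keys the file should have added.
    """
    outcome = event.get("EventOutcome")
    if outcome == "succeeded":
        return Verdict.APPLIED
    if outcome != "failed":
        raise ValueError(f"unexpected EventOutcome {outcome!r}")

    # "failed" only says the connection broke somewhere; look at the list itself.
    state = probe(event["DeviceExternalID"], event["ExternalID"]) if probe else None
    if state is None:
        return Verdict.INDETERMINATE

    action = event.get("DeviceAction")
    if action == ACTION_CLEAR:
        return Verdict.APPLIED if not state.keys else Verdict.NOT_APPLIED
    if action == ACTION_DELETE_ITEM:
        key = event["DeviceCustomString1"]   # "Key name" per the table above
        return Verdict.NOT_APPLIED if key in state.keys else Verdict.APPLIED
    if action == ACTION_IMPORT:
        if not expected_keys:
            return Verdict.INDETERMINATE
        present = expected_keys & state.keys
        if present == expected_keys:
            return Verdict.APPLIED
        return Verdict.PARTIAL if present else Verdict.NOT_APPLIED
    raise ValueError(f"not an active list event: {action!r}")


# Constructed stand-in for the correlator's active lists: (service, list) -> keys.
FAKE_LISTS = {
    ("svc-1", "al-blocked"): frozenset(),                        # cleared despite "failed"
    ("svc-1", "al-watch"): frozenset({"10.0.0.5", "10.0.0.9"}),  # item delete did not land
    ("svc-2", "al-feed"): frozenset({"k1", "k2"}),               # import landed partially
}


def fake_probe(service_id: str, list_id: str) -> Optional[ListState]:
    keys = FAKE_LISTS.get((service_id, list_id))
    return ListState(keys) if keys is not None else None


def base_event(action: str, service_id: str, list_id: str, **extra) -> dict:
    """Build a constructed audit event with the fields the tables define."""
    ev = {"DeviceAction": action, "EventOutcome": "failed",
          "SourceUserName": "analyst", "SourceUserID": "u-7",
          "DeviceExternalID": service_id, "ExternalID": list_id, "Name": list_id}
    ev.update(extra)
    return ev


def demo() -> dict:
    return {
        "clear": classify(base_event(ACTION_CLEAR, "svc-1", "al-blocked"), fake_probe),
        "delete": classify(base_event(ACTION_DELETE_ITEM, "svc-1", "al-watch",
                                      DeviceCustomString1="10.0.0.5"), fake_probe),
        "import": classify(base_event(ACTION_IMPORT, "svc-2", "al-feed"), fake_probe,
                           frozenset({"k1", "k2", "k3"})),
        "unchecked": classify(base_event(ACTION_CLEAR, "svc-1", "al-blocked")),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict.value}")
```

The useful property is that a failed event never collapses to "not applied" on its own: without a probe the verdict stays indeterminate, and with one the verdict comes from the list's contents, which is the only thing the page says can be relied on for these three operations.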
Active list was exported successfully
| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
| SourcePort | Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
| SourceUserName | User login that was used to perform the export. |
| SourceUserID | User ID that was used to perform the export. |
| DeviceExternalID | Service ID for which an export was performed. |
| ExternalID | Active list ID. |
| Name | Active list name. |
Resource was successfully added
| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
| SourcePort | Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
| SourceUserName | User login that was used to add the resource. |
| SourceUserID | User ID that was used to add the resource. |
| DeviceExternalID | Resource ID. |
| DeviceProcessName | Resource name. |
| DeviceFacility | Resource type: |
Resource was successfully deleted
| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
| SourcePort | Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
| SourceUserName | User login that was used to delete the resource. |
| SourceUserID | User ID that was used to delete the resource. |
| DeviceExternalID | Resource ID. |
| DeviceProcessName | Resource name. |
| DeviceFacility | Resource type: |
Resource was successfully updated
| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
| SourcePort | Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
| SourceUserName | User login that was used to update the resource. |
| SourceUserID | User ID that was used to update the resource. |
| DeviceExternalID | Resource ID. |
| DeviceProcessName | Resource name. |
| DeviceFacility | Resource type: |
Asset was successfully created
| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
| SourcePort | Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
| SourceUserName | User login that was used to add the asset. |
| SourceUserID | User ID that was used to add the asset. |
| DeviceExternalID | Asset ID. |
| SourceHostName | Asset ID. |
| Name | Asset name. |
| DeviceCustomString1 | Comma-separated IP addresses of the asset. |
| DeviceCustomString1Label | |
Asset was deleted successfully
| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
| SourcePort | Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
| SourceUserName | User login that was used to add the asset. |
| SourceUserID | User ID that was used to add the asset. |
| DeviceExternalID | Asset ID. |
| SourceHostName | Asset ID. |
| Name | Asset name. |
| DeviceCustomString1 | Comma-separated IP addresses of the asset. |
| DeviceCustomString1Label | |
Asset category was successfully added
| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
| SourcePort | Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
| SourceUserName | User login that was used to add the category. |
| SourceUserID | User ID that was used to add the category. |
| DeviceExternalID | Category ID. |
| Name | Category name. |
Asset category was deleted successfully
| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
| SourcePort | Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
| SourceUserName | User login that was used to delete the category. |
| SourceUserID | User ID that was used to delete the category. |
| DeviceExternalID | Category ID. |
| Name | Category name. |
Settings were successfully updated
| Event field name | Field value |
|---|---|
| DeviceAction | |
| EventOutcome | |
| SourceTranslatedAddress | This field contains the value of the HTTP header x-real-ip or x-forwarded-for. If these headers are absent, the field will be empty. |
| SourceAddress | The address from which the user logged in. If the user logged in using a proxy, there will be a proxy address. |
| SourcePort | Port from which the user logged in. If the user logged in using a proxy, there will be a port on the proxy side. |
| SourceUserName | User login that was used to update the settings. |
| SourceUserID | User ID that was used to update the settings. |
| DeviceFacility | Type of settings. |