Table of contents

Log inspection events

For general best practices related to events, see Events in Workload Security.

To see the log inspection events captured by Workload Security, go to Events & Reports > Events > Log Inspection Events.

Information displayed for log inspection events

These columns can be displayed on the log inspection events page. You can click Columns to select which columns are displayed in the table.

  • Time: Time the event took place on the computer.
  • Computer: The computer on which this event was logged. If the computer has been removed, this entry reads "Unknown Computer".
  • Reason: The log inspection rule associated with this event.
  • Tag(s): Any tags attached with the event.
  • Description: Description of the rule.
  • Rank: The ranking system provides a way to quantify the importance of events. By assigning asset values to computers, and assigning severity values to log inspection rules, the importance (rank) of an event is calculated by multiplying the two values together. This allows you to sort events by rank.
  • Severity: The log inspection rule's severity value.
  • Groups: Group that the rule belongs to.
  • Program Name: Program name. This is obtained from the syslog header of the event.
  • Event: The name of the event.
  • Location: Where the log came from.
  • Source IP: The packet's source IP.
  • Source Port: The packet's source port.
  • Destination IP: The packet's destination IP address.
  • Destination Port: The packet's destination port.
  • Protocol: Possible values are ICMP, ICMPV6, IGMP, GGP, TCP, PUP, UDP, IDP, ND, RAW, TCP+UDP, and Other: nnn where nnn represents a three digit decimal value.
  • Action: The action taken within the event
  • Source User: Originating user within the event.
  • Destination User: Destination user within the event.
  • Event HostName: Hostname of the event source.
  • ID: Any ID decoded as the ID from the event.
  • Status: The decoded status within the event.
  • Command: The command being called within the event.
  • URL: The URL within the event.
  • Data: Any additional data extracted from the event.
  • System Name: The system name within the event.
  • Rule Matched: Rule number that was matched.
  • Event Origin: The Workload Security component from which the event originated.

Log inspection security events

ID Severity Event
8100 Error Log Inspection Engine Error
8101 Warning Log Inspection Engine Warning
8102 Info Log Inspection Engine Initialized

For system events related to log inspection, see System events.