Does E-Security log internal events?
Yes. Version 5.1 will log internal or system events and display them in the console.
Internal or System Events
Internal or System Events is a means to report on the status and status change of the system. There are two types of events generated by the internal system, they are:
Internal events are informational and describe a single state or change of state in the system. They report when a user logs in or fails to authenticate, when a process is started or a correlation rule is activated. Performance events are generated on a periodic basis and describe average resources used by different parts of the system.
All system events populate the following attributes
§ST (Sensor Type) field: for internal events it is set to âIâ and for performance events it is set to âPâ
§Event ID: a unique UUID for the event
§Event Time: the time the event was generated
§Source: the UUID of the process that generated the event
§Sensor Name: the name of the process that generated the event (for example, DAS_Binary)
§RV32 (Device Category): set to âESECâ
§Agent: âPerformanceâ for performance events and âInternalâ for internal events
In addition to the common attributes, every system event also sets the resource, subresource, the severity, the event name and the message tags. For internal events, the event name specific enough to identify the exact meaning of the event (for example, UserAuthenticationFailed). The message tags adds some specific detail; in the above example the message tag will contain the name of the user, the OS name if available and the machine name). For performance events the event name is generic describing the type of statistical data and the data itself is in the message tag.
Performance events are sent directly to the database. To view them, do a quick query.