Sentinel: Sentinel Internal and system events

  • 3640781
  • 19-Jan-2007
  • 26-Apr-2012

Environment

Sentinel 5.1.x
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows 2000 Server
RedHat Linux
Solaris 9

Situation

What are Sentinel's Internal and system events?

Resolution

Internal or system events are a means of reporting on the status of the system and on changes to that status. The internal system generates two types of events:

  • Internal events: Internal events are informational and describe a single state or change of state in the system. They report, for example, when a user logs in or fails to authenticate, when a process is started, or when a correlation rule is activated.
  • Performance events: Performance events are generated on a periodic basis and describe average resources used by different parts of the system.

All system events populate the following attributes:

  • ST (Sensor Type) field: for internal events it is set to 'I' and for performance events it is set to 'P'
  • Event ID: a unique UUID for the event
  • Event Time: the time the event was generated
  • Source: the UUID of the process that generated the event
  • Sensor Name: the name of the process that generated the event (for example, DAS_Binary)
  • RV32 (Device Category): set to 'ESEC'
  • Agent: 'Performance' for performance events and 'Internal' for internal events

In addition to the common attributes, every system event also sets the resource, subresource, severity, event name, and message tags. For internal events, the event name is specific enough to identify the exact meaning of the event (for example, UserAuthenticationFailed). The message tag adds specific detail; in the above example the message tag will contain the name of the user, the OS name if available, and the machine name. For performance events the event name is generic, describing the type of statistical data, and the data itself is in the message tag. Performance events are sent directly to the database. To view them, do a quick query.
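As an added example (not part of this article or of the Sentinel product), the following Python sorts a handful of constructed Sentinel-style event records by the attributes listed above, flags records whose ST and Agent values disagree, and tallies UserAuthenticationFailed events per user and host. The event dictionaries, the 'key=value;...' message-tag layout and the performance event name are assumptions made for illustration.

```python
# Added example, not from the Sentinel KB article: classify system events by
# the attributes the article lists and summarize authentication failures.
# The sample records, the "user=...;os=...;host=..." message-tag layout and
# the "ProcessStatistics" name are constructed assumptions, not a documented
# Sentinel format.
from collections import Counter

# Attribute contract described in the article: ST 'I' pairs with Agent
# 'Internal', ST 'P' with Agent 'Performance', RV32 is always 'ESEC'.
SENSOR_TYPE_TO_AGENT = {"I": "Internal", "P": "Performance"}
DEVICE_CATEGORY = "ESEC"

# Constructed sample events; keys mirror the article's attribute names.
SAMPLE_EVENTS = [
    {"ST": "I", "Agent": "Internal", "RV32": "ESEC", "SensorName": "DAS_Binary",
     "EventName": "UserAuthenticationFailed", "Message": "user=esecadm;os=Linux;host=sen01"},
    {"ST": "I", "Agent": "Internal", "RV32": "ESEC", "SensorName": "DAS_Binary",
     "EventName": "UserAuthenticationFailed", "Message": "user=esecadm;host=sen01"},
    {"ST": "P", "Agent": "Performance", "RV32": "ESEC", "SensorName": "DAS_Binary",
     "EventName": "ProcessStatistics", "Message": "cpu=12.5;mem=512"},
    # ST says performance but Agent says internal: violates the contract.
    {"ST": "P", "Agent": "Internal", "RV32": "ESEC", "SensorName": "DAS_Binary",
     "EventName": "ProcessStatistics", "Message": "cpu=3.0;mem=128"},
    {"ST": "I", "Agent": "Internal", "RV32": "ESEC", "SensorName": "DAS_Binary",
     "EventName": "UserLoggedIn", "Message": "user=esecadm;os=Linux;host=sen01"},
]

def is_system_event(ev):
    """True only if the record matches the contract: ESEC device category and
    an ST/Agent pair that agree. Anything else deserves a second look."""
    return (ev.get("RV32") == DEVICE_CATEGORY
            and SENSOR_TYPE_TO_AGENT.get(ev.get("ST")) == ev.get("Agent"))

def parse_message_tag(message):
    """Split the constructed 'key=value;key=value' message tag into a dict."""
    pairs = (p.split("=", 1) for p in message.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def summarize(events):
    """Return (internal, performance, inconsistent, failures per (user, host))."""
    internal, performance, inconsistent = [], [], []
    failures = Counter()
    for ev in events:
        if not is_system_event(ev):
            inconsistent.append(ev)
            continue
        (internal if ev["ST"] == "I" else performance).append(ev)
        if ev["EventName"] == "UserAuthenticationFailed":
            tag = parse_message_tag(ev["Message"])
            failures[(tag.get("user", "?"), tag.get("host", "?"))] += 1
    return internal, performance, inconsistent, failures
```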