Agent Change Event Variables
4.2 (EoS)
Agent change events occur on the endpoint and include
changes to content updates, licenses, software, connection status,
one-time action rules, processes and services, and quarantined files.
The ESM Console lists these events under the Monitor - Agent Logging
Events category. The following table displays the most commonly
specified variables in agent-related events.
Name | Meaning |
---|---|
dhost | Machine name of the endpoint |
duser | User who is logged in to the endpoint |
msg | Description of the nature of the event |
Module | Name of the exploit protection module (EPM) |
ContentVersion | Content update version |
ModuleVersion | Local analysis module version |
For example, consider the output for an Agent Service
Start event in CEF format:
Sep 28 2016 17:38:48 172.16.183.173 CEF:0|Palo Alto Networks|Traps Agent|3.4.1.16709|Traps Service Status Change|Agent|6|rt=Sep 28 2016 17:38:48 dhost=traps-win7x86 duser=Traps msg=Agent Service Status Changed: Stopped-> Running
Notice that this event uses several common variables, namely: dhost, duser,
and msg.
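The following added example (not part of the original documentation or of any Palo Alto Networks tooling) parses the sample event above into its CEF header fields and extension variables, handling values that contain spaces such as rt and msg. The function names and the header field labels are assumptions chosen for illustration.

```python
import re

# Sample event copied from the documentation above.
SAMPLE = ("Sep 28 2016 17:38:48 172.16.183.173 CEF:0|Palo Alto Networks|Traps Agent|"
          "3.4.1.16709|Traps Service Status Change|Agent|6|rt=Sep 28 2016 17:38:48 "
          "dhost=traps-win7x86 duser=Traps msg=Agent Service Status Changed: Stopped-> Running")

# The seven pipe-delimited CEF header fields, named by position (labels are illustrative).
HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# Variables listed in the table above.
COMMON_VARS = ("dhost", "duser", "msg", "Module", "ContentVersion", "ModuleVersion")

# An extension key is a word at the start or after whitespace, followed by '='.
_KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")


def parse_extension(ext):
    """Split 'k1=v1 k2=v2' where values may contain spaces (rt, msg)."""
    matches = list(_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(matches):
        # A value runs until the next key starts, or to the end of the line.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return fields


def parse_cef(line):
    """Return header fields, syslog prefix and extension dict for one CEF line."""
    prefix, marker, body = line.partition("CEF:")
    if not marker:
        raise ValueError("no CEF marker in line")
    # Split on '|' not preceded by a backslash (CEF escapes header pipes as '\|').
    parts = re.split(r"(?<!\\)\|", body, maxsplit=len(HEADER_FIELDS))
    if len(parts) != len(HEADER_FIELDS) + 1:
        raise ValueError("incomplete CEF header")
    event = dict(zip(HEADER_FIELDS, parts))
    event["syslog_prefix"] = prefix.strip()
    event["extension"] = parse_extension(parts[-1])
    return event


def common_variables(event):
    """Pick the table's variables; absent ones come back as None."""
    return {k: event["extension"].get(k) for k in COMMON_VARS}


if __name__ == "__main__":
    print(common_variables(parse_cef(SAMPLE)))
```

Values such as dhost and duser originate on the endpoint, so downstream consumers should treat them as untrusted strings when writing them to other logs or dashboards.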