Management Service Logs

View information for the Traps management service logs. These include logs related to configuration, policy, and system events.
From Management Service, you can view the following classes of logs:

Configuration Logs

Configuration logs include entries for changes to Traps management service and are classified with the config record type. Traps management service logs these configuration events using one of five categories:
  • Agent Installation
    —Administrative changes to the Traps agent software.
  • Endpoint Management
    —Administrative management of Traps software packages.
  • Quarantined Files
    —Administrative management of quarantined files.
  • Report Management
    —Activities related to the management and generation of reports in Traps management service.
  • Security Event Management
    —Administrative management of security events.
  • System Management
    —Data management actions, such as requesting, downloading, or exporting data.
Each log entry includes the event category that identifies the type of configuration event that occurred, the specific type of event, the severity of the event that corresponds to the event type (Configuration logs all receive the Info severity level), a descriptive message that describes the log event, the username of the administrator who initiated the change, and the date and time the event occurred.
The following table describes the configuration logs that you can view on Traps management service.
Log Type | Severity | Record Type | Category | Message
--- | --- | --- | --- | ---
Abort Scan Message Requested | Info | config | Endpoint Management | Traps Agent abort scan message requested for {samCount} endpoint(s) by user {userFullName} - {userName}
Agent Installation Deleted | Info | config | Agent Installation | Agent Installation package {distributionName} was deleted by user {userFullName} - {userName}
Agent Installation Updated | Info | config | Agent Installation | Agent Installation package {distributionName} was updated by user {userFullName} - {userName}
Cancel Endpoint Isolation Message Created | Medium | config | Endpoint Management | A cancel endpoint isolation message was created for event {preventionKey} on endpoint {endpointID} by user {userFullName} - {userName}
Data Exported - Legacy | Info | config | System Management | Data Exported from {currentScreen\table} by user {userFullName} - {userName}
Default Role Changed | Info | config | System Management | Default role was changed to {newRole} by user {userFullName} - {userName}
Endpoint Action Executed | Info | config | Endpoint Management | Endpoint action of type {actionType} was executed on endpoint {endpointName} by user {userFullName} - {userName}
Endpoint Action Omitted | Info | config | Endpoint Management | Actions of type {actionType} were not sent to {ignoredCount} endpoints
Endpoint Data Export Downloaded | Info | config | Endpoint Management | Export report of endpoints was downloaded by user {userFullName} - {userName}
Endpoint Data Exported | Info | config | Endpoint Management | Initiated export of {count} endpoints by user {userFullName} - {userName}
Endpoint Data Requested | Info | config | System Management | Endpoint Data was requested from {samCount} endpoint(s) by user {userFullName} - {userName}
Endpoint Data Requested - Legacy | Info | config | System Management | Endpoint Data was requested from endpoint {endpointName} by user {userFullName} - {userName}
Endpoint Group Created | Info | config | Endpoint Management | A new endpoint group {groupName} was created by user {userFullName} - {userName}
Endpoint Group Deleted | Info | config | Endpoint Management | Endpoint group {groupName} was deleted by user {userFullName} - {userName}
Endpoint Group Edited | Info | config | Endpoint Management | Endpoint group {groupName} was edited by user {userFullName} - {userName}
Endpoint Isolation Message Created | High | config | Endpoint Management | An endpoint isolation message was created for event {preventionKey} on endpoint {endpointID} by user {userFullName} - {userName}
Endpoint Logs Export Downloaded | Info | config | System Management | Export report of endpoint logs was downloaded by user {userFullName} - {userName}
Endpoint Logs Exported | Info | config | System Management | Initiated export of {count} endpoint logs by user {userFullName} - {userName}
Live Terminal Message Created | Medium | config | Endpoint Management | A Live Terminal initiation message was created, session ID {sessionId}, for endpoint {endpointID} by user {userFullName} - {userName}
Management Service Logs Export Downloaded | Info | config | System Management | Export report of management service logs was downloaded by user {userFullName} - {userName}
Management Service Logs Exported | Info | config | System Management | Initiated export of {count} management service logs by user {userFullName} - {userName}
New Agent Installation Created | Info | config | Agent Installation | An agent Installation package {distributionName} was created by user {userFullName} - {userName}
Quarantine Message Created | Medium | config | Security Event Management | A quarantine message was created for event {preventionKey} on endpoint {endpointID} by user {userFullName} - {userName}
Quarantined File Restore | Info | config | Quarantined Files | Initiated restore action on {restoredNumber} endpoint(s) with hash(es): {hash}
Report File Download | Info | config | Report Management | {type} report file: {reportId} was downloaded successfully by user {userFullName} - {userName}
Reporting Schedule Created | Info | config | Report Management | {type} report schedule ID: {scheduleId}, was created successfully by user {userFullName} - {userName}
Reporting Schedule Deleted | Info | config | Report Management | {type} report, schedule ID: {scheduleId}, was deleted successfully by user {userFullName} - {userName}
Reporting Schedule Disabled | Info | config | Report Management | {type} report, schedule ID: {scheduleId}, was disabled successfully by user {userFullName} - {userName}
Reporting Schedule Enabled | Info | config | Report Management | {type} report, schedule ID: {scheduleId}, was enabled successfully by user {userFullName} - {userName}
Restore Message Created | Medium | config | Security Event Management | A restore message was created for event {preventionKey} on endpoint {endpointID} by user {userFullName} - {userName}
Restore Message Requested | Medium | config | Security Event Management | Initiated restore action on {agentCount} endpoint(s) for hash {hash} by user {userFullName} - {userName}
Retrieve Data Message Created | Info | config | Security Event Management | A retrieve security event data message was created for event {preventionKey} on endpoint {endpointID} by user {userFullName} - {userName}
Retrieve Data Message Requested | Info | config | Security Event Management | A retrieve security event data message was requested for {samCount} events by user {userFullName} - {userName}
Retrieve Files Message Created For Endpoint | Info | config | Endpoint Management | A retrieve files message was created for {samCount} endpoint(s) by user {userFullName} - {userName}
Retrieve Files Message Created For Security Event | Info | config | Security Event Management | A retrieve files message was created for event {preventionKey} on endpoint {endpointID} by user {userFullName} - {userName}
Scan Message Created - Legacy | Info | config | Endpoint Management | Traps Agent scan message created for endpoint {endpointName} by user {userFullName} - {userName}
Scan Message Requested | Info | config | Endpoint Management | Traps Agent scan message requested for {samCount} endpoint(s) by user {userFullName} - {userName}
Security Event Archived | Info | config | Security Event Management | Security Event {preventionKey} was archived by user {userFullName} - {userName}
Security Event Assigned | Info | config | Security Event Management | Security Event {preventionKey} was assigned to {userName} by user {userFullName} - {userName}
Security Event Export Downloaded | Info | config | Security Event Management | Export report of security events was downloaded by user {userFullName} - {userName}
Security Event Exported | Info | config | Security Event Management | Initiated export of {count} security events by user {userFullName} - {userName}
Security Event Note Added | Info | config | Security Event Management | A new note was added to Security Event {preventionKey} by user {userFullName} - {userName}
Security Event Status Change Omitted | Info | config | Security Event Management | {ignoreCount} not changed to {status} by user {userFullName} - {userName}
Security Event Status Changed | Info | config | Security Event Management | {successMsg} changed to status {status} {ignoreMsg} by user {userFullName} - {userName}
Terminate Process Message Created | Medium | config | Security Event Management | A terminate process message was created for event {preventionKey} on endpoint {endpointID} by user {userFullName} - {userName}
Traps Agent Uninstall Message Created - Legacy | Info | config | Endpoint Management | Traps Agent uninstall message created for endpoint {endpointName} by user {userFullName} - {userName}
Traps Agent Uninstall Message Requested | Info | config | Endpoint Management | Traps Agent uninstall message requested for {samCount} endpoint(s) by user {userFullName} - {userName}
Traps Agent Upgrade Message Created - Legacy | Info | config | Endpoint Management | Traps Agent update to version {agentVersion} message was created for endpoint {endpointID} by user {userFullName} - {userName}
Traps Agent Upgrade Message Requested | Info | config | Endpoint Management | Traps Agent upgrade to version {agentVersion} message was requested for {samCount} endpoint(s) by user {userFullName} - {userName}
User Role Added | Info | config | System Management | User {newUser} was added with role {newRole} by user {userFullName} - {userName}
User Role Added (Default Assigner) | Info | config | System Management | User {newUser} has logged in without a role assigned, and was assigned the default role {newRole}
User Role Changed | Info | config | System Management | User {newUser} had its role changed to {newRole} by user {userFullName} - {userName}
User Role Deleted | Info | config | System Management | User {newUser} was removed from the system by user {userFullName} - {userName}

Policy Logs

Policy logs include entries for changes to the security policy and are classified with the config record type. Traps management service logs a policy event for the following subclasses of events:
  • Exception Management
    —Administrative management of policy exceptions.
  • Policy Management
    —Administrative management of policy rules.
  • Profile Management
    —Administrative management of security profiles.
  • System Management
    —Errors applying policies.
Each entry includes the event category that identifies the type of configuration event that occurred, the specific type of event, the severity of the event that corresponds to the event type (Policy logs all receive the Info severity level), a descriptive message that describes the log event, and the date and time the event occurred. If an administrator initiated the change, the entry also includes the username of the administrator.
The following table describes the policy logs that you can view on Traps management service.
Log Name | Severity | Record Type | Category | Message
--- | --- | --- | --- | ---
Agent Action Command Omitted | Info | config | System Management | {samName} command was not sent to {numberOfEndpoints} endpoints
Default Uninstall Password Set | Info | config | Profile Management | Default Uninstall Password was set successfully by user {userFullName} - {userName}
Error Creating Agent Action Command | Info | config | System Management | Failed to send {samName} command to Agent {agentId}
Error Updating Data Retrieve Info | Info | config | System Management | Failed to update information of Data Retrieve command {samId} for Security Event {preventionKey}
Exception Deleted | Info | config | Exception Management | {exceptionMsg} was deleted by user {userFullName} - {userName}
Exception Disabled | Info | config | Exception Management | {exceptionMsg} was disabled by user {userFullName} - {userName}
Exception Edited | Info | config | Exception Management | {exceptionMsg} was edited by user {userFullName} - {userName}
Exception Enabled | Info | config | Exception Management | {exceptionMsg} was enabled by user {userFullName} - {userName}
Exception Note Added | Info | config | Exception Management | A note was added to {exceptionMsg} by user {userFullName} - {userName}
Hash Exception Created | Info | config | Exception Management | Exception was created for hash {hash} overriding the verdict from {hashOldVerdict} to {hashNewVerdict} by user {userFullName} -{userName}
Imported Hash Exception | Info | config | Exception Management | Imported {exceptionCount} hashes by user {userFullName} - {userName}
Imported support exception | Info | config | Exception Management | Imported support exception named: {exceptionName} by user {userFullName} - {userName}
Inserted Hash Exception | Info | config | Exception Management | Inserted hash exceptions: {exceptionID} by user {userFullName} - {userName}
Inserted process exception | Info | config | Exception Management | A new process exception with module {exceptionModule}, process {exceptionProcess} and platform {exceptionPlatform} was Inserted by user {userFullName} - {userName}
New Policy Rule Created | Info | config | Policy Management | A new Traps policy rule {PolicyRuleId} was created by user {userFullName} - {userName}
New Profile Created | Info | config | Profile Management | A Traps profile {ProfileName} was created by user {userFullName} - {userName}
Policy Rule Deleted | Info | config | Policy Management | Traps policy rule {PolicyRuleId} was deleted by user {userFullName} - {userName}
Policy Rule Edited | Info | config | Policy Management | Traps policy rule {PolicyRuleId} was edited by user {userFullName} - {userName}
Policy Rule Reordered | Info | config | Policy Management | Policy Rule {PolicyRuleId} order was changed to {newOrderNumber} by user {userFullName} - {userName}
Policy Rule Status Changed | Info | config | Policy Management | Traps policy rule {PolicyRuleId} status was changed to {enabled/disabled} by user {userFullName} - {userName}
Process Exception Created | Info | config | Exception Management | A new process exception with module {exceptionModule}, process {exceptionProcess} and platform {exceptionPlatform} was created from security event {preventionKey} by user {userFullName} - {userName}
Profile Deleted | Info | config | Profile Management | Traps Profile {ProfileName} was deleted by user {userFullName} - {userName}
Profile Edited | Info | config | Profile Management | Traps Profile {ProfileName} was edited by user {userFullName} - {userName}
Support Exception Created | Info | config | Exception Management | An analysis exception on platform {platform} was created from security event {originalEventId} by user {userFullName} - {userName}

System Logs

System logs include entries for changes to the Traps management service and are classified with the system record type. Traps management service logs these system events using one of four categories:
  • Licensing
    —License capacity and change events.
  • Provisioning
    —Agent onboarding issues.
  • Security Event
    —Issues saving prevention data related to a security event.
  • User Authentication
    —Agent authentication issues commonly due to an unauthorized endpoint.
Each entry includes the event category that identifies the type of event that occurred, the specific type of system event, the severity of the event that corresponds to the event type, a descriptive message that describes the log event, and the date and time the event occurred.
The following table describes the system logs that you can view on Traps management service.
Log Name | Severity | Record Type | Category | Message
--- | --- | --- | --- | ---
Agent Confirmation Failed | High | system | Provisioning | Agent confirmation failed for agent: {agentId}
Agent Registration Failed | High | system | Provisioning | Agent registration to distribution {distributionId} failed. Error: {tenantId} - {expandedError}
Agent Uninstall Failure | High | system | Provisioning | Agent uninstall failed for agent: {agentId}
Agent is Unauthorized | High | system | User Authentication | Agent {agentId} is unauthorized
Duplicate Agent ID | Medium | system | User Authentication | Tried to create token data for duplicate agent id {agentId}
Failed Getting Subdomain | High | system | Provisioning | Core subdomain query failed for agent: {agentId}
Failed to Save Prevention | High | system | Security Event | Failed to store prevention data in db for preventionKey {preventionKey}.
License Capacity Grace | Medium | system | Licensing | Licenses pool reached capacity grace
License Capacity Reached | Medium | system | Licensing | Licenses pool reached full capacity
License Capacity Warning | Medium | system | Licensing | Licenses pool reached {percent}% capacity, {licensedAgents} out of {licensesAmount} agents installed.
License Expiration Warning | Medium | system | Licensing | License will expire in less then {days} days.
License Expired | Medium | system | Licensing | License expired
Tenant Created Successfully | Info | system | Provisioning | Tenant {tenantExternalName} was created successfully
Tenant DS Pairing Modification Failed | High | system | Provisioning | Tenant {tenantExternalName} directory service pairing modification failed, status code: {statusCode}
Tenant DS Pairing Modification Successfully | Info | system | Provisioning | Tenant {tenantExternalName} paired successfully with directory service {dsName} by user: {activeUser}
Tenant DS pairing removal successfully | Info | system | Provisioning | Tenant {tenantExternalName} pairing successfully removed with directory service by user: {activeUser}
Tenant License Expansion Failed | High | system | Provisioning | Tenant {tenantExternalName} license expansion failed, status code: {statusCode}
Tenant License Expansion Successfully | Info | system | Provisioning | Tenant {tenantExternalName} number of licenses was expended successfully, new number of licenses: {newLicenseNumber}
Tenant License Renewed Failed | High | system | Provisioning | Tenant {tenantExternalName} license renewal failed, status code: {statusCode}
Tenant License Renewed Successfully | Info | system | Provisioning | Tenant {tenantExternalName} license was renewed successfully, new expiration date: {newLicenseExpirationDate}
Tenant Name Modification Failed | High | system | Provisioning | Tenant {tenantExternalName} name modification failed, status code: {statusCode}
Tenant Name Modification Successfully | Info | system | Provisioning | Tenant {oldName} was modified with name: {newName} by user: {activeUser}
Tenant is Active | Info | system | Provisioning | Tenant {tenantName} is active
Unauthorized Agent Request | High | system | User Authentication | Got request from unauthorized agent {agentId}
User Login | Info | system | Provisioning | User {username} has logged in with role {role}
WildFire Api Key Modification Failed | High | system | Provisioning | Tenant {tenantExternalName} WF api key modification failed, status code: {statusCode}
WildFire Api Key Modified Successfully | Info | system | Provisioning | Tenant {tenantExternalName} WF api key successfully modified by user: {activeUser}
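The message column in the three tables above is a template whose {placeholder} fields carry the values an analyst needs (who acted, on which endpoint, for which event). The following Python is an added example, not part of the Traps documentation: it compiles a few of the documented templates into anchored regexes, maps a raw message back to its log type, severity and category, and keeps the records at or above a chosen severity. The template subset, the sample messages and the severity threshold are constructed for the example.

```python
import re

# Subset of the documented rows: log type -> (severity, record type,
# category, message template). Extend with further rows from the tables.
TEMPLATES = {
    "Endpoint Isolation Message Created": ("High", "config", "Endpoint Management",
        "An endpoint isolation message was created for event {preventionKey} "
        "on endpoint {endpointID} by user {userFullName} - {userName}"),
    "User Role Changed": ("Info", "config", "System Management",
        "User {newUser} had its role changed to {newRole} by user {userFullName} - {userName}"),
    "Unauthorized Agent Request": ("High", "system", "User Authentication",
        "Got request from unauthorized agent {agentId}"),
    "License Capacity Warning": ("Medium", "system", "Licensing",
        "Licenses pool reached {percent}% capacity, {licensedAgents} out of "
        "{licensesAmount} agents installed."),
}
SEVERITY_RANK = {"Info": 0, "Medium": 1, "High": 2}

def template_to_regex(template):
    """Anchored regex with a named group per {placeholder}; literal text is
    escaped, and a placeholder that repeats (e.g. {userName} twice) gets a suffix."""
    parts = re.split(r"\{(\w+)\}", template)  # literal, name, literal, name, ...
    seen, out = {}, ["^"]
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out.append(re.escape(part))
        else:
            seen[part] = seen.get(part, 0) + 1
            name = part if seen[part] == 1 else f"{part}_{seen[part]}"
            out.append(f"(?P<{name}>.+?)")  # lazy so "{a} - {b}" splits correctly
    return re.compile("".join(out) + "$")

COMPILED = {n: (sev, rec, cat, template_to_regex(t))
            for n, (sev, rec, cat, t) in TEMPLATES.items()}

def parse_message(message):
    """Map one message back to its log type, severity, category and fields."""
    for name, (sev, rec, cat, rx) in COMPILED.items():
        m = rx.match(message)
        if m:
            return {"log_type": name, "severity": sev, "record_type": rec,
                    "category": cat, **m.groupdict()}
    return None  # unknown template: route to a catch-all rather than drop it

def triage(lines, min_severity="Medium"):
    """Parsed records at or above min_severity, in input order."""
    found = [parse_message(line) for line in lines]
    return [r for r in found
            if r and SEVERITY_RANK[r["severity"]] >= SEVERITY_RANK[min_severity]]

# Constructed sample messages (not real product output).
SAMPLE_LOG = [
    "An endpoint isolation message was created for event 12345 on endpoint ep-0042 by user Jane Doe - jdoe",
    "User bob had its role changed to Administrator by user Jane Doe - jdoe",
    "Got request from unauthorized agent a1b2c3",
    "Licenses pool reached 90% capacity, 900 out of 1000 agents installed.",
    "Some line the tables above do not describe",
]
ALERTS = triage(SAMPLE_LOG)  # two High records and one Medium, in input order
```

Role changes such as User Role Changed carry only Info severity in the table, so a review of privileged administrative actions should key on the log type or category rather than on severity alone.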
