Server Logs

From the Server Logs pages, you can view the following classes of logs:

Configuration Logs

Configuration logs include entries for changes to Traps management service and are classified with the config record type. Traps management service logs these configuration events using one of five categories:
  • Agent Installation—Administrative changes to the Traps agent software.
  • Endpoint Management—Administrative management of Traps software packages.
  • Quarantined Files—Administrative management of quarantined files.
  • Report Management—Activities related to the management and generation of reports in Traps management service.
  • Security Event Management—Administrative management of security events.
  • System Management—Data management actions, such as requesting, downloading, or exporting data.
Each log entry includes the event category that identifies the type of configuration event that occurred, the specific type of event, the severity of the event that corresponds to the event type (Configuration logs all receive the Info severity level), a descriptive message that describes the log event, the username of the administrator who initiated the change, and the date and time the event occurred.
The following table describes the configuration logs that you can view on Traps management service.
Log Type | Severity | Record Type | Category
Agent Installation Deleted | Info | config | Agent Installation
Message: Agent Installation package {distributionName} was deleted by user {userFullName} - {userName}
Agent Installation Updated | Info | config | Agent Installation
Message: Agent Installation package {distributionName} was updated by user {userFullName} - {userName}
Cancel Endpoint Isolation Message Created | Medium | config | Endpoint Management
Message: A cancel endpoint isolation message was created for event {preventionKey} on endpoint {endpointID} by user {userFullName} - {userName}
Data Downloaded | Info | config | System Management
Message: {Endpoint_Data/Installation_package/WildFire_report} was downloaded from {currentScreen/table} by user {userFullName} - {userName}
Data Exported | Info | config | System Management
Message: Data Exported from {currentScreen\table} by user {userFullName} - {userName}
Default Role Changed | Info | config | System Management
Message: Default role was changed to {newRole} by user {userFullName} - {userName}
Endpoint Action Executed | Info | config | Endpoint Management
Message: Endpoint action of type {actionType} was executed on endpoint {endpointName} by user {userFullName} - {userName}
Endpoint Action Omitted | Info | config | Endpoint Management
Message: Actions of type {actionType} were not sent to {ignoredCount} endpoints
Endpoint Data Requested | Info | config | System Management
Message: Endpoint Data was requested from endpoint {endpointName} by user {userFullName} - {userName}
Endpoint Group Created | Info | config | Endpoint Management
Message: A new endpoint group {groupName} was created by user {userFullName} - {userName}
Endpoint Group Deleted | Info | config | Endpoint Management
Message: Endpoint group {groupName} was deleted by user {userFullName} - {userName}
Endpoint Group Edited | Info | config | Endpoint Management
Message: Endpoint group {groupName} was edited by user {userFullName} - {userName}
Endpoint Isolation Message Created | High | config | Endpoint Management
Message: An endpoint isolation message was created for event {preventionKey} on endpoint {endpointID} by user {userFullName} - {userName}
New Agent Installation Created | Info | config | Agent Installation
Message: An agent Installation package {distributionName} was created by user {userFullName} - {userName}
Quarantine Message Created | Medium | config | Security Event Management
Message: A quarantine message was created for event {preventionKey} on endpoint {endpointID} by user {userFullName} - {userName}
Quarantined File Restore | Info | config | Quarantined Files
Message: Initiated restore {restoredNumber} file(s) with hash(es): {hash}
Report File Download | Info | config | Report Management
Message: {type} report file: {reportId} was downloaded successfully by user {userFullName} - {userName}
Reporting Schedule Created | Info | config | Report Management
Message: {type} report schedule ID: {scheduleId}, was created successfully by user {userFullName} - {userName}
Reporting Schedule Deleted | Info | config | Report Management
Message: {type} report, schedule ID: {scheduleId}, was deleted successfully by user {userFullName} - {userName}
Reporting Schedule Disabled | Info | config | Report Management
Message: {type} report, schedule ID: {scheduleId}, was disabled successfully by user {userFullName} - {userName}
Reporting Schedule Enabled | Info | config | Report Management
Message: {type} report, schedule ID: {scheduleId}, was enabled successfully by user {userFullName} - {userName}
Restore Message Created | Medium | config | Security Event Management
Message: A restore message was created for event {preventionKey} on endpoint {endpointID} by user {userFullName} - {userName}
Retrieve Data Message Created | Info | config | Security Event Management
Message: A retrieve security event data message was created for event {preventionKey} on endpoint {endpointID} by user {userFullName} - {userName}
Scan Message Created | Info | config | Endpoint Management
Message: Traps Agent scan message created for endpoint {endpointName} by user {userFullName} - {userName}
Security Event Archived | Info | config | Security Event Management
Message: Security Event {preventionKey} was archived by user {userFullName} - {userName}
Security Event Assigned | Info | config | Security Event Management
Message: Security Event {preventionKey} was assigned to {userName} by user {userFullName} - {userName}
Security Event Note Added | Info | config | Security Event Management
Message: A new note was added to Security Event {preventionKey} by user {userFullName} - {userName}
Security Event Status Change Omitted | Info | config | Security Event Management
Message: {ignoreCount} not changed to {status} by user {userFullName} - {userName}
Security Event Status Changed | Info | config | Security Event Management
Message: {successMsg} changed to status {status} {ignoreMsg} by user {userFullName} - {userName}
Terminate Process Message Created | Medium | config | Security Event Management
Message: A terminate process message was created for event {preventionKey} on endpoint {endpointID} by user {userFullName} - {userName}
Traps Agent Uninstall Message Created | Info | config | Endpoint Management
Message: Traps Agent uninstall message created for endpoint {endpointName} by user {userFullName} - {userName}
Traps Agent Upgrade Message Created | Info | config | Endpoint Management
Message: Traps Agent update to version {agentVersion} message was created for endpoint {endpointID} by user {userFullName} - {userName}
User Role Added | Info | config | System Management
Message: User {newUser} was added with role {newRole} by user {userFullName} - {userName}
User Role Added (Default Assigner) | Info | config | System Management
Message: User {newUser} has logged in without a role assigned, and was assigned the default role {newRole}
User Role Changed | Info | config | System Management
Message: User {newUser} had its role changed to {newRole} by user {userFullName} - {userName}
User Role Deleted | Info | config | System Management
Message: User {newUser} was removed from the system by user {userFullName} - {userName}

Policy Logs

Policy logs include entries for changes to the security policy and are classified with the config record type. Traps management service logs a policy event for the following subclasses of events:
  • Exception Management—Administrative management of policy exceptions.
  • Policy Management—Administrative management of policy rules.
  • Profile Management—Administrative management of security profiles.
  • System Management—Errors applying policies.
Each entry includes the event category that identifies the type of configuration event that occurred, the specific type of event, the severity of the event that corresponds to the event type (Policy logs all receive the Info severity level), a descriptive message that describes the log event, and the date and time the event occurred. If an administrator initiated the change, the entry also includes the username of the administrator.
The following table describes the policy logs that you can view on Traps management service.
Log Name | Severity | Record Type | Category
Agent Action Command Omitted | Info | config | System Management
Message: {samName} command was not sent to {numberOfEndpoints} endpoints
Default Uninstall Password Set | Info | config | Profile Management
Message: Default Uninstall Password was set successfully by user {userFullName} - {userName}
Error Creating Agent Action Command | Info | config | System Management
Message: Failed to send {samName} command to Agent {agentId}
Error Updating Data Retrieve Info | Info | config | System Management
Message: Failed to update information of Data Retrieve command {samId} for Security Event {preventionKey}
Exception Deleted | Info | config | Exception Management
Message: {exceptionMsg} was deleted by user {userFullName} - {userName}
Exception Disabled | Info | config | Exception Management
Message: {exceptionMsg} was disabled by user {userFullName} - {userName}
Exception Edited | Info | config | Exception Management
Message: {exceptionMsg} was edited by user {userFullName} - {userName}
Exception Enabled | Info | config | Exception Management
Message: {exceptionMsg} was enabled by user {userFullName} - {userName}
Exception Note Added | Info | config | Exception Management
Message: A note was added to {exceptionMsg} by user {userFullName} - {userName}
Hash Exception Created | Info | config | Exception Management
Message: Exception was created for hash {hash} overriding the verdict from {hashOldVerdict} to {hashNewVerdict} by user {userFullName} -{userName}
Imported Hash Exception | Info | config | Exception Management
Message: Imported {exceptionCount} hashes by user {userFullName} - {userName}
Imported support exception | Info | config | Exception Management
Message: Imported support exception named: {exceptionName} by user {userFullName} - {userName}
Inserted Hash Exception | Info | config | Exception Management
Message: Inserted hash exceptions: {exceptionID} by user {userFullName} - {userName}
Inserted process exception | Info | config | Exception Management
Message: A new process exception with module {exceptionModule}, process {exceptionProcess} and platform {exceptionPlatform} was Inserted by user {userFullName} - {userName}
New Policy Rule Created | Info | config | Policy Management
Message: A new Traps policy rule {PolicyRuleId} was created by user {userFullName} - {userName}
New Profile Created | Info | config | Profile Management
Message: A Traps profile {ProfileName} was created by user {userFullName} - {userName}
Policy Rule Deleted | Info | config | Policy Management
Message: Traps policy rule {PolicyRuleId} was deleted by user {userFullName} - {userName}
Policy Rule Edited | Info | config | Policy Management
Message: Traps policy rule {PolicyRuleId} was edited by user {userFullName} - {userName}
Policy Rule Reordered | Info | config | Policy Management
Message: Policy Rule {PolicyRuleId} order was changed to {newOrderNumber} by user {userFullName} - {userName}
Policy Rule Status Changed | Info | config | Policy Management
Message: Traps policy rule {PolicyRuleId} status was changed to {enabled/disabled} by user {userFullName} - {userName}
Process Exception Created | Info | config | Exception Management
Message: A new process exception with module {exceptionModule}, process {exceptionProcess} and platform {exceptionPlatform} was created from security event {preventionKey} by user {userFullName} - {userName}
Profile Deleted | Info | config | Profile Management
Message: Traps Profile {ProfileName} was deleted by user {userFullName} - {userName}
Profile Edited | Info | config | Profile Management
Message: Traps Profile {ProfileName} was edited by user {userFullName} - {userName}
Support Exception Created | Info | config | Exception Management
Message: An analysis exception on platform {platform} was created from security event {originalEventId} by user {userFullName} - {userName}
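
The message templates in the configuration and policy tables can be compiled into parsers for audit review. The following is an added example, not part of the original documentation or the product: it turns a few of the page's templates into regular expressions and flags changes that reduce protection. The WATCH selection, the function names and the sample messages are assumptions of this example, and only the message text is parsed.

```python
import re

# Message templates copied from this page's tables, keyed by log name.
TEMPLATES = {
    "Hash Exception Created": "Exception was created for hash {hash} overriding the verdict from {hashOldVerdict} to {hashNewVerdict} by user {userFullName} -{userName}",
    "Policy Rule Status Changed": "Traps policy rule {PolicyRuleId} status was changed to {enabled/disabled} by user {userFullName} - {userName}",
    "Traps Agent Uninstall Message Created": "Traps Agent uninstall message created for endpoint {endpointName} by user {userFullName} - {userName}",
    "Security Event Assigned": "Security Event {preventionKey} was assigned to {userName} by user {userFullName} - {userName}",
}
# Log names this example treats as reducing protection (an assumption, not from the page).
WATCH = {"Hash Exception Created", "Policy Rule Status Changed", "Traps Agent Uninstall Message Created"}

def compile_template(template):
    """Turn a {placeholder} template into an anchored regex with named groups."""
    seen, parts, pos = {}, [], 0
    for m in re.finditer(r"\{([^{}]+)\}", template):
        parts.append(re.escape(template[pos:m.start()]))
        name = re.sub(r"\W", "_", m.group(1))       # {enabled/disabled} -> enabled_disabled
        n = seen[name] = seen.get(name, 0) + 1
        group = name if n == 1 else f"{name}_{n}"   # a placeholder may repeat in one template
        parts.append(f"(?P<{group}>.+?)")
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("^" + "".join(parts) + "$")

PATTERNS = {name: compile_template(t) for name, t in TEMPLATES.items()}

def classify(message):
    """Return (log_name, fields) for the first template that matches, else (None, {})."""
    for name, rx in PATTERNS.items():
        if m := rx.match(message.strip()):
            return name, m.groupdict()
    return None, {}

def triage(messages):
    """Return [(log_name, acting_user)] for watched changes that reduce protection."""
    hits = []
    for msg in messages:
        name, f = classify(msg)
        # A rule that was re-enabled is skipped; other watched events have no status field.
        if name in WATCH and f.get("enabled_disabled", "disabled") == "disabled":
            hits.append((name, f["userName"]))
    return hits

# Constructed sample messages (users, rule ID, hash and verdict values are made up).
SAMPLE = [
    "Traps policy rule 12 status was changed to disabled by user Dana Lee - dlee",
    "Traps policy rule 12 status was changed to enabled by user Dana Lee - dlee",
    "Exception was created for hash EXAMPLE_HASH overriding the verdict from Malware to Benign by user Dana Lee -dlee",
]
```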

System Logs

System logs include entries for changes to the Traps management service and are classified with the system record type. Traps management service logs these system events using one of four categories:
  • Licensing—License capacity and change events.
  • Provisioning—Agent onboarding issues.
  • Security Event—Issues saving prevention data related to a security event.
  • User Authentication—Agent authentication issues commonly due to an unauthorized endpoint.
Each entry includes the event category that identifies the type of event that occurred, the specific type of system event, the severity of the event that corresponds to the event type, a descriptive message that describes the log event, and the date and time the event occurred.
The following table describes the system logs that you can view on Traps management service.
Log Name | Severity | Record Type | Category
Agent Confirmation Failed | High | system | Provisioning
Message: Agent confirmation failed for agent: {agentId}
Agent Registration Failed | High | system | Provisioning
Message: Agent registration to distribution {distributionId} failed. Error: {tenantId} - {expandedError}
Agent Uninstall Failure | High | system | Provisioning
Message: Agent uninstall failed for agent: {agentId}
Agent is Unauthorized | High | system | User Authentication
Message: Agent {agentId} is unauthorized
Duplicate Agent ID | Medium | system | User Authentication
Message: Tried to create token data for duplicate agent id {agentId}
Failed Getting Subdomain | High | system | Provisioning
Message: Core subdomain query failed for agent: {agentId}
Failed to Save Prevention | High | system | Security Event
Message: Failed to store prevention data in db for preventionKey {preventionKey}.
License Capacity Grace | Medium | system | Licensing
Message: Licenses pool reached capacity grace
License Capacity Reached | Medium | system | Licensing
Message: Licenses pool reached full capacity
License Capacity Warning | Medium | system | Licensing
Message: Licenses pool reached {percent}% capacity, {licensedAgents} out of {licensesAmount} agents installed.
License Expiration Warning | Medium | system | Licensing
Message: License will expire in less then {days} days.
License Expired | Medium | system | Licensing
Message: License expired
Tenant Created Successfully | Info | system | Provisioning
Message: Tenant {tenantExternalName} was created successfully
Tenant DS Pairing Modification Failed | High | system | Provisioning
Message: Tenant {tenantExternalName} directory service pairing modification failed, status code: {statusCode}
Tenant DS Pairing Modification Successfully | Info | system | Provisioning
Message: Tenant {tenantExternalName} paired successfully with directory service {dsName} by user: {activeUser}
Tenant DS pairing removal successfully | Info | system | Provisioning
Message: Tenant {tenantExternalName} pairing successfully removed with directory service by user: {activeUser}
Tenant License Expansion Failed | High | system | Provisioning
Message: Tenant {tenantExternalName} license expansion failed, status code: {statusCode}
Tenant License Expansion Successfully | Info | system | Provisioning
Message: Tenant {tenantExternalName} number of licenses was expended successfully, new number of licenses: {newLicenseNumber}
Tenant License Renewed Failed | High | system | Provisioning
Message: Tenant {tenantExternalName} license renewal failed, status code: {statusCode}
Tenant License Renewed Successfully | Info | system | Provisioning
Message: Tenant {tenantExternalName} license was renewed successfully, new expiration date: {newLicenseExpirationDate}
Tenant Name Modification Failed | High | system | Provisioning
Message: Tenant {tenantExternalName} name modification failed, status code: {statusCode}
Tenant Name Modification Successfully | Info | system | Provisioning
Message: Tenant {oldName} was modified with name: {newName} by user: {activeUser}
Tenant is Active | Info | system | Provisioning
Message: Tenant {tenantName} is active
Unauthorized Agent Request | High | system | User Authentication
Message: Got request from unauthorized agent {agentId}
User Login | Info | system | Provisioning
Message: User {username} has logged in with role {role}
WildFire Api Key Modification Failed | High | system | Provisioning
Message: Tenant {tenantExternalName} WF api key modification failed, status code: {statusCode}
WildFire Api Key Modified Successfully | Info | system | Provisioning
Message: Tenant {tenantExternalName} WF api key successfully modified by user: {activeUser}
