Log attribute group

Data gathered from the Symantec Endpoint Protection log file. If the warehouse default setting is enabled, data for this attribute group is not stored in Tivoli Data Warehouse.

Historical group

This attribute group is not part of the default historical group, and is eligible for use with Tivoli Data Warehouse.

Attribute descriptions

The following list contains information about each attribute in the Log attribute group:

Node attribute - This attribute is a key attribute.
Description
The managed system name of the agent.
Type
String
Timestamp attribute
Description
The local time at the agent when the data was collected.
Type
String
Original Event Timestamp attribute
Description
Time of event in raw encoded format
Type
String
Event Year attribute
Description
Event year
Type
Integer (32-bit numeric property) with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • Value_Exceeds_Maximum (2147483647)
  • Value_Exceeds_Minimum (-2147483648)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Event Month attribute
Description
Month of the event
Type
Integer (32-bit numeric property) with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • Value_Exceeds_Maximum (2147483647)
  • Value_Exceeds_Minimum (-2147483648)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Event Day attribute
Description
Day of the event
Type
Integer (32-bit numeric property) with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • Value_Exceeds_Maximum (2147483647)
  • Value_Exceeds_Minimum (-2147483648)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Event Hour attribute
Description
Hour of the event
Type
Integer (32-bit numeric property) with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • Value_Exceeds_Maximum (2147483647)
  • Value_Exceeds_Minimum (-2147483648)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Event Minutes attribute
Description
Minutes of the event
Type
Integer (32-bit numeric property) with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • Value_Exceeds_Maximum (2147483647)
  • Value_Exceeds_Minimum (-2147483648)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Event Seconds attribute
Description
Seconds of the event
Type
Integer (32-bit numeric property) with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • Value_Exceeds_Maximum (2147483647)
  • Value_Exceeds_Minimum (-2147483648)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Event Number attribute
Description
Indicates the Event Number
Type
DEFAULT with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • GL_EVENT_IS_ALERT (1)
  • GL_EVENT_SCAN_STOP (2)
  • GL_EVENT_SCAN_START (3)
  • GL_EVENT_PATTERN_UPDATE (4)
  • GL_EVENT_INFECTION (5)
  • GL_EVENT_FILE_NOT_OPEN (6)
  • GL_EVENT_LOAD_PATTERN (7)
  • GL_STD_MESSAGE_INFO NOT USED (8)
  • GL_STD_MESSAGE_ERROR NOT USED (9)
  • GL_EVENT_CHECKSUM (10)
  • GL_EVENT_TRAP (11)
  • GL_EVENT_CONFIG_CHANGE (12)
  • GL_EVENT_SHUTDOWN (13)
  • GL_EVENT_STARTUP (14)
  • GL_EVENT_PATTERN_DOWNLOAD (16)
  • GL_EVENT_TOO_MANY_VIRUSES (17)
  • GL_EVENT_FWD_TO_QSERVER (18)
  • GL_EVENT_SCANDLVR (19)
  • GL_EVENT_BACKUP (20)
  • GL_EVENT_SCAN_ABORT (21)
  • GL_EVENT_RTS_LOAD_ERROR (22)
  • GL_EVENT_RTS_LOAD (23)
  • GL_EVENT_RTS_UNLOAD (24)
  • GL_EVENT_REMOVE_CLIENT (25)
  • GL_EVENT_SCAN_DELAYED (26)
  • GL_EVENT_SCAN_RESTART (27)
  • GL_EVENT_ADD_SAVROAMCLIENT_TOSERVER (28)
  • GL_EVENT_REMOVE_SAVROAMCLIENT_FROMSERVER (29)
  • GL_EVENT_LICENSE_WARNING (30)
  • GL_EVENT_LICENSE_ERROR (31)
  • GL_EVENT_LICENSE_GRACE (32)
  • GL_EVENT_UNAUTHORIZED_COMM (33)
  • GL_EVENT_LOG_FWD_THRD_ERR (34)
  • GL_EVENT_LICENSE_INSTALLED (35)
  • GL_EVENT_LICENSE_ALLOCATED (36)
  • GL_EVENT_LICENSE_OK (37)
  • GL_EVENT_LICENSE_DEALLOCATED (38)
  • GL_EVENT_BAD_DEFS_ROLLBACK (39)
  • GL_EVENT_BAD_DEFS_UNPROTECTED (40)
  • GL_EVENT_SAV_PROVIDER_PARSING_ERROR (41)
  • GL_EVENT_RTS_ERROR (42)
  • GL_EVENT_COMPLIANCE_FAIL (43)
  • GL_EVENT_COMPLIANCE_SUCCESS (44)
  • GL_EVENT_SECURITY_SYMPROTECT_POLICYVIOLATION (45)
  • GL_EVENT_ANOMALY_START (46)
  • GL_EVENT_DETECTION_ACTION_TAKEN (47)
  • GL_EVENT_REMEDIATION_ACTION_PENDING (48)
  • GL_EVENT_REMEDIATION_ACTION_FAILED (49)
  • GL_EVENT_REMEDIATION_ACTION_SUCCESSFUL (50)
  • GL_EVENT_ANOMALY_FINISH (51)
  • GL_EVENT_COMMS_LOGIN_FAILED (52)
  • GL_EVENT_COMMS_LOGIN_SUCCESS (53)
  • GL_EVENT_COMMS_UNAUTHORIZED_COMM (54)
  • GL_EVENT_CLIENT_INSTALL_AV (55)
  • GL_EVENT_CLIENT_INSTALL_FW (56)
  • GL_EVENT_CLIENT_UNINSTALL (57)
  • GL_EVENT_CLIENT_UNINSTALL_ROLLBACK (58)
  • GL_EVENT_COMMS_SERVER_GROUP_ROOT_CERT_ISSUE (59)
  • GL_EVENT_COMMS_SERVER_CERT_ISSUE (60)
  • GL_EVENT_COMMS_TRUSTED_ROOT_CHANGE (61)
  • GL_EVENT_COMMS_SERVER_CERT_STARTUP_FAILED (62)
  • GL_EVENT_CLIENT_CHECKIN (63)
  • GL_EVENT_CLIENT_NO_CHECKIN (64)
  • GL_EVENT_SCAN_SUSPENDED (65)
  • GL_EVENT_SCAN_RESUMED (66)
  • GL_EVENT_SCAN_DURATION_INSUFFICIENT (67)
  • GL_EVENT_CLIENT_MOVE (68)
  • GL_EVENT_SCAN_FAILED_ENHANCED (69)
  • GL_EVENT_MAX_EVENT_NUMBER (70)
  • GL_EVENT_HEUR_THREAT_NOW_WHITELISTED (71)
  • GL_EVENT_INTERESTING_PROCESS_DETECTED_START (72)
  • GL_EVENT_LOAD_ERROR_COH (73)
  • GL_EVENT_LOAD_ERROR_SYKNAPPS (74)
  • GL_EVENT_INTERESTING_PROCESS_DETECTED_FINISH (75)
  • GL_EVENT_HPP_SCAN_NOT_SUPPORTED_FOR_OS (76)
  • GL_EVENT_HEUR_THREAT_NOW_KNOWN (77)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Category Number attribute
Description
Category number
Type
DEFAULT with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • GL_CAT_INFECTION (1)
  • GL_CAT_SUMMARY (2)
  • GL_CAT_PATTERN (3)
  • GL_CAT_SECURITY (4)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Logger attribute
Description
Indicates the logger of the event
Type
DEFAULT with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • LOGGER_Scheduled (0)
  • LOGGER_MANUAL (1)
  • LOGGER_Real_Time (2)
  • LOGGER_Console (6)
  • LOGGER_VPDOWN (7)
  • LOGGER_System (8)
  • LOGGER_Startup (9)
  • LOGGER_Client (101)
  • LOGGER_Forwarded (102)
  • Manual Scan (65637)
  • Realtime (131173)
  • System (524389)
  • Defwatch (720997)
  • Client (6619237)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
ComputerID attribute
Description
Computer's name (or IP / IPX address)
Type
String
Username attribute
Description
Name of user
Type
String
Virus Name attribute
Description
Virus Name (Virus Found event only)
Type
String
Virus Location attribute
Description
Virus's Location (Virus Found event only)
Type
String
Primary Action Configuration attribute
Description
Primary Action configuration (Virus Found event only)
Type
DEFAULT with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • Quarantine infected file (1)
  • Rename infected file (2)
  • Delete infected file (3)
  • Leave alone (log only) (4)
  • Clean virus from file (5)
  • Clean or delete macros (6)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Secondary Action Configuration attribute
Description
Secondary Action configuration (Virus Found event only)
Type
DEFAULT with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • Quarantine infected file (1)
  • Rename infected file (2)
  • Delete infected file (3)
  • Leave alone (log only) (4)
  • Clean virus from file (5)
  • Clean or delete macros (6)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Action Taken attribute
Description
Action Taken (Virus Found event only)
Type
DEFAULT with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • Quarantined (1)
  • Renamed (2)
  • Deleted (3)
  • Left alone (4)
  • Cleaned (5)
  • Cleaned or macros deleted (6)
  • Saved file as... (7)
  • Sent to Intel (AMS) (8)
  • Moved to backup location (9)
  • Renamed backup file (10)
  • Undo action in Quarantine View (11)
  • Write protected or lack of permissions - Unable to act on file (12)
  • Backed up file (13)
  • Pending analysis (14)
  • First action was partially successful; second action was Leave Alone. Results of the second action are not mentioned. (15)
  • A process needs to be terminated to remove a risk (16)
  • Prevent a risk from being logged or a user interface from being displayed (17)
  • Performing a request to restart the computer (18)
  • Shows as Cleaned by Deletion in the Risk History in the UI and the Logs in the SSC (19)
  • Auto-Protect prevented a file from being created; reported 'Access denied.' (20)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Virus Type attribute
Description
Virus Type (Virus Found event only)
Type
DEFAULT with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • VEBOOTVIRUS (1)
  • VEBOOT1VIRUS (3)
  • VEBOOT2VIRUS (5)
  • VEBOOT3VIRUS (9)
  • VEFILEVIRUS (100)
  • VEMUTATIONVIRUS (300)
  • VEFILEMACROVIRUS (500)
  • VEFILE2VIRUS (900)
  • VEFILE3VIRUS (1100)
  • VEMEMORYVIRUS (10000)
  • VEMEMOSVIRUS (30000)
  • VEMEMMCBVIRUS (50000)
  • VEMEMHIGHESTVIRUS (90000)
  • VEVIRUSBEHAVIOR (1000000)
  • VEVIRUS1BEHAVIOR (3000000)
  • VEFILECOMPRESSED (8000000)
  • VEHURISTIC (10000000)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Flags attribute
Description
Indicates what kind of action the Eventblock is.
Type
Integer (32-bit numeric property) with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • Value_Exceeds_Maximum (2147483647)
  • Value_Exceeds_Minimum (-2147483648)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Description attribute
Description
Message that will be found on the "Properties" page (Event Log events only), or message indicating scan start or scan stop along with results (Scan History events only).
Type
String
ScanID attribute
Description
ID number of associated scan (for Scan History events and Virus Found events)
Type
Integer (32-bit numeric property) with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • Value_Exceeds_Maximum (2147483647)
  • Value_Exceeds_Minimum (-2147483648)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
New Ext attribute
Description
Reserved
Type
String
Group ID attribute
Description
Indicates the Group ID
Type
Integer (32-bit numeric property) with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • Value_Exceeds_Maximum (2147483647)
  • Value_Exceeds_Minimum (-2147483648)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Event Data attribute
Description
Results of a scan
Type
String
Quarantined File ID attribute
Description
Stores the ID of the file in Quarantine if it is Quarantined.
Type
String
Virus ID attribute
Description
ID of the particular virus.
Type
String
Quarantine Forward Status attribute
Description
Indicates the status of the Quarantine attempt.
Type
DEFAULT with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • QF_NONE (0)
  • QF_FAILED (1)
  • QF_OK (2)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Access attribute
Description
Stores the "operation flags"
Type
DEFAULT with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • FA_READ (1)
  • FA_WRITE (2)
  • FA_EXEC (4)
  • FA_IN_TABLE (8)
  • FA_REJECT_ACTION (10)
  • FA_ACTION_COMPLETE (20)
  • FA_DELETE_WHEN_COMPLETE (40)
  • FA_CLIENT_REQUEST (80)
  • FA_OWNED_BY_USER (100)
  • FA_DELETE (200)
  • FA_OWNED_BY_QUEUE (800)
  • FA_FILE_IN_CACHE (1000)
  • FA_SCAN (2000)
  • FA_GET_TRAP_DATA (4000)
  • FA_USE_TRAP_DATA (8000)
  • FA_FILE_NEEDS_SCAN (10000)
  • FA_BEFORE_OPEN (20000)
  • FA_AFTER_OPEN (40000)
  • FA_SCAN_BOOT_SECTOR (80000)
  • FA_COMING_FROM_NAVAP (10000000)
  • FA_BACKUP_TO_QUARANTINE (20000000)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Snd Status attribute
Description
Purpose unknown
Type
String
Compressed attribute
Description
Indicates whether the file is, or is inside, a compressed file.
Type
DEFAULT with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • No (0)
  • Yes (1)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Depth attribute
Description
Indicates at what depth in a compressed file the virus was found.
Type
String
Still Infected attribute
Description
Indicates how many files in a compressed container are still infected after a manual or scheduled scan.
Type
String
Definition Info attribute
Description
Version of Virus Definitions Used (Virus Found event only)
Type
String
Definition Sequence Number attribute
Description
The Definition Sequence Number of the Virus Definitions used.
Type
String
Clean Info attribute
Description
Indicates whether the file is cleanable.
Type
DEFAULT with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • VECLEANABLE (0)
  • VENOCLEANPATTERN (1)
  • VENOTCLEANABLE (2)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Delete Info attribute
Description
Indicates whether the file can be deleted.
Type
DEFAULT with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • VEDELETABLE (4)
  • VENOTDELETABLE (5)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Backup ID attribute
Description
Stores the ID of the file stored in Backup if it is backed up.
Type
String
Parent attribute
Description
Name of the parent, if this is a managed client
Type
String
GUID attribute
Description
GUID of the machine (Virus Found event only)
Type
String
Client Group attribute
Description
Stores the client group, if set.
Type
String
Address attribute
Description
IP or IPX address
Type
String
Domain Name attribute
Description
Server group. Set servers only.
Type
String
NT Domain attribute
Description
Windows domain or workgroup
Type
String
MAC Address attribute
Description
Hardware address
Type
String
Version attribute
Description
Software version
Type
String
Remote Machine attribute
Description
Name of remote computer that attempted to copy a threat locally
Type
String
Remote Machine IP attribute
Description
IP address of remote computer that attempted to copy a threat locally
Type
String
Primary Action Status attribute
Description
Status of Requested Primary Action
Type
DEFAULT with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • No information (0)
  • The file could not be opened (1)
  • The file was wiped clean of data (2)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Secondary Action Status attribute
Description
Status of Requested Primary Action
Type
DEFAULT with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • No information (0)
  • The file could not be opened (1)
  • The file was wiped clean of data (2)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
License Feature Name attribute
Description
License Feature Name
Type
String
License Feature Version attribute
Description
License Feature Version
Type
String
License Serial Number attribute
Description
License Serial Number
Type
String
License Fulfillment ID attribute
Description
License Fulfillment ID
Type
String
License Start Date attribute
Description
License Start Date
Type
String
License Expiration Date attribute
Description
License Expiration Date
Type
String
License Lifecycle attribute
Description
License Lifecycle
Type
String
License Seats Total attribute
Description
License seats total
Type
String
License Seats attribute
Description
License Seats
Type
String
Error Code attribute
Description
Error code
Type
String
License Seats Delta attribute
Description
License seats delta
Type
String
Status attribute
Description
Status
Type
Integer (32-bit numeric property) with enumerated values. The strings are displayed in the Tivoli Enterprise Portal. The warehouse and queries return the values shown in parentheses. The following values are defined:
  • Value_Exceeds_Maximum (2147483647)
  • Value_Exceeds_Minimum (-2147483648)
Any other values will display the actual value returned by the agent in the Tivoli Enterprise Portal.
Domain GUID attribute
Description
Domain GUID
Type
String
Log Session GUID attribute
Description
Log session GUID
Type
String
VBin Session ID attribute
Description
VBin session ID
Type
String
Login Domain attribute
Description
Login Domain
Type
String
Remainder of record attribute
Description
Remainder of record not defined at time of agent creation
Type
String