Proofpoint | ObserveIT On-Premises Insider Threat Management
Event Types
When an event is generated by the ObserveIT system, the event name and details appear in the System Events list. The following tables describe the event types, organized per event source, with some possible causes and solutions (as relevant).
Agent Events
|
Code |
Event Name |
Category |
Severity |
Description |
|---|---|---|---|---|
|
1201 |
Agent Service has started |
Functionality |
Low |
The ObserveIT Agent Service has reported that it restarted after stopping (code 1202). |
|
1202 |
Agent Service has stopped |
Functionality |
High |
The ObserveIT Agent Service has reported that it has stopped. (To receive Agent health check reports, it must be restarted.) |
| 1203 | Agent service was terminated | Functionality | High | An Agent process was forcibly killed by an external application. |
|
1204 |
Unrecorded Agent sessions |
Functionality |
High |
There are unrecorded Agent sessions. This occurs when a user ends the Agent process (or disables interception in Unix). To resolve this in Windows, restart the RCDCL process in the Task Manager. On Unix, enable interception using the oitcons utility. |
| 1205 | Agent installation files were tampered-with (missing file) | Tampering | High | The ObserveIT Agent Service has reported that installation files were tampered-with. |
| 1206 | Agent installation files were tampered-with (file changed) | Tampering | High | The ObserveIT Agent Service has reported that installation files were tampered-with. |
|
1207 |
Agent Registry keys were tampered with |
Tampering |
High |
An ObserveIT Registry key was changed. Registry keys may have been deleted and/or values changed. This might affect Agent functionality. To resolve this, restore the Registry in the AgentRegistryKeys database table. |
|
1208 |
Agent Registry keys are now OK |
Tampering |
Low |
The ObserveIT Agent Service has reported that the Agent Registry keys/configuration files have been restored. |
|
1209 |
Agent installation files were restored |
Tampering |
Low |
The ObserveIT Agent Service has reported that installation files were restored after tampering. |
|
1210 |
Agent installation files were tampered with |
Tampering |
High |
The ObserveIT Agent Service has reported that installation files were tampered with. Files may have been renamed and/or contents changed. Check the problem and reinstall the Agent, or replace the tampered file with the file version that was installed previously. |
| 1213 | Unix Agent interception was tampered-with Agent activity replay data files were tampered-with | Tampering | High | The Unix Agent interception setting was tampered-with, resulting in an unrecorded session. Session data was tampered-with while the Agent was in activity replay mode. |
| 1217 | Agent activity replay data files were tampered-with | Tampering | High | Session data was tampered-with while the Agent was in activity replay mode. |
|
1218 |
Agent offline data files were tampered with |
Tampering |
High |
Session data was tampered with while the Agent was in offline mode. Files may have been renamed, or contents changed by a user who worked offline to hide his activities. (Offline files are not sent to the Application Server.) When the Agent is online again, the Agent Service reports the list of files that were tampered with. |
| 1219 | Agent Service not responding | Functionality | High | The ObserveIT Agent Service is down, perhaps due to a network malfunction or disconnection between the Agent and the Application Server, or for unknown reasons. |
|
1220 |
Process was killed and automatically restarted |
Tampering |
High |
The Agent process was killed and automatically restarted by the Watchdog. |
|
1221 |
Agent is OK |
Communication |
Low |
The ObserveIT Agent and service are activated. |
|
1223 |
Agent is not reporting |
Communication |
High |
There is no heartbeat from the Agent. |
| 1224 | Agent service was killed | Communication | High | The Agent service was forcibly killed by an external application. |
|
1230 |
Agent data loss |
Data Loss |
High |
Data loss occurred while the Agent was running. This may have occurred due to resource overload or some issue with the SQL server or the Application Server. Check that the SQL server and Application Server are working properly. |
|
1231 |
Offline data loss, threshold exceeded |
Data Loss |
High |
The volume of data exceeded its configured limit while the Agent was in offline mode, resulting in data loss. You must increase the offline data limit in the configuration file. |
|
1232 |
Offline data loss, lack of disk space |
Data Loss |
High |
Data was lost while the Agent was in offline mode due to insufficient disk space. Increase the disk space to prevent this from recurring. |
| 1233 | Activity replay data loss, threshold exceeded | Data Loss | High | The volume of data exceeded its limit while the Agent was in activity replay mode, resulting in data loss. |
| 1234 | Activity replay data loss, lack of disk space | Data Loss | High | Data was lost while the Agent was in activity replay mode due to insufficient disk space. |
|
1240 |
Agent is now recording active sessions |
Recording |
Low |
Agent sessions are now being recorded. |
| 1242 | Agent process reactivated by | Functionality | High | The Agent process was reactivated (Watchdog). |
|
1250 |
Agent recording is enabled via Server Policy |
Recording |
Low |
The recording of user actions was enabled in the Web Console Server Policies configuration. |
|
1251 |
Agent recording is disabled via Server Policy |
Recording |
High |
The recording of user actions was disabled in the Web Console Server Policies configuration. |
| 1261 | Agent does not have Screen Recording permissions | Recording | Medium | The Mac Agent does not have Screen Recording permissions. Update Security & Privacy settings under System Preferences. |
| 1262 | Agent Screen Recording permissions enabled | Recording | Low | The Mac Agent was granted Screen Recording permissions and started recording according to policy. |
| 1270 | Agent failed to be launched in stealth mode | Functionality | High | The ObserveIT agent failed to start stealth mode service and components. The agent continues to work not in stealth mode (while processes and services are not hidden). |
|
1501 |
Agent interception is off |
Recording |
High |
The Unix Agent internal Watchdog “obitd” service failed to start the ObserveIT logger after a problem was detected, and recording was disabled. (Another reason could be that someone did this on purpose using the oitcons utility, for example, as part of an upgrade process. To enable interception, use the oitcons utility.) |
|
1502 |
Agent interception is on |
Recording |
Low |
The Unix Agent interception is on, and recording is enabled. |
| 1602 | Agent registration was successful | Installation | Low | The Agent was successfully registered. |
| 1603 | Agent installation failed due to incorrect security password | Installation | Low | The Agent installation failed due to incorrect security password. |
| 1604 | Agent installation failed | Installation | Low | The Agent installation failed without a security password, or for unknown reasons. |
| 1605 | Agent installation with password was successful | Installation | Low | The Agent was successfully installed with a security password. |
| 1606 | Agent installation was successful | Installation | Low | The Agent was successfully installed. |
|
1607 |
Uninstallation of Agent failed due to incorrect security password |
Installation |
Low |
Uninstallation of Agent failed due to an incorrect security password. Check your password and try to uninstall again, and if that fails, contact technical support. |
| 1608 | Uninstallation of Agent failed | Installation | Low | Uninstallation of Agent failed without a security password, or for unknown reasons. |
|
1609 |
Uninstallation of Agent was successful |
Installation |
Low |
The Agent was successfully uninstalled with a security password. |
| 1610 | Uninstallation of Agent without a password was successful | installation | Low | The Agent was successfully uninstalled without a security password. |
|
1611 |
Agent was unregistered from the client |
Installation |
Medium |
The Agent was manually unregistered from the client by the administrator, and removed from the ObserveIT license. Applies to Unix Agents only. Note: This event includes all Agents that were manually unregistered from the client or from the Web Console prior to version 5.9. |
|
1612 |
Agent was automatically unregistered |
Installation |
Medium |
The Agent was automatically unregistered, and was removed from the license. |
|
1613 |
An unregistered server was activated |
Installation |
Medium |
An unregistered server was activated. |
|
1614 |
Agent was unregistered from the Web Console |
Installation |
Medium |
The Agent was manually unregistered from the Web Console by the administrator, and removed from the ObserveIT license. |
| 1700 | Agent failed to encrypt offline data | Functionality | Medium | The ObserveIT agent failed to encrypt offline data. The agent continues to record as usual, while keeping offline data not encrypted. |
Application Server Events
|
Code |
Event Name |
Category |
Severity |
Description |
|---|---|---|---|---|
| 1280 | Server does not enforce MTLS | Communication | Medium | When detecting a problem - Server does not enforce MTLS. |
| 1281 | Server was fixed to enforce MTLS | Communication | Medium | When detecting the problem was fixed - Server was fixed to enforce MTLS. |
|
1301 |
Application Server is not working properly |
Functionality |
High |
The ObserveIT Application Server is not working properly. No reply is received when a keepalive request is sent, and the Application Server pool is down. Restart the IIS to restart the Application Server. |
|
1304 |
Application Server is running |
Functionality |
Low |
The ObserveIT Application Server has resumed operations. |
|
1310 |
Application Server successfully saved recorded data |
Communication |
Low |
The ObserveIT Application Server successfully saved recorded data. |
|
1311 |
Application Server unable to save recorded data |
Communication |
High |
The ObserveIT Application Server failed to save recorded data to the database. Check the SQL server. |
|
1403 |
Writing data to file system failed |
Communication |
High |
The ObserveIT Application Server failed to save recorded data on the file system. Check read-write permissions on the file system path. |
|
1404 |
Writing data to file system succeeded |
Communication |
Low |
The ObserveIT Application Server successfully saved recorded data on the file system. |
Database Server Events
|
Code |
Event Name |
Category |
Severity |
Description |
|---|---|---|---|---|
|
1425 |
Some data was not recorded in the database |
Data Loss |
High |
Screenshot data and/or Unix commands failed to be saved to the ObserveIT_Data database. Check the accessibility to this database. |
Health Monitoring Service Events
|
Code |
Event Name |
Category |
Severity |
Description |
|---|---|---|---|---|
|
1324 |
Health Monitoring Service is not working properly |
Functionality |
High |
The Health Monitoring Service is not working properly. Perhaps the service was terminated or was configured incorrectly. When this occurs, the Admin Dashboard will not display updated data. To resolve this, restart the Health Monitoring Service (go to Start > Services). |
|
1325 |
Health Monitoring Service is OK |
Functionality |
Low |
The Health Monitoring Service is OK. |
|
1327 |
Health Monitoring Service has started |
Functionality |
Low |
The Health Monitoring Service has started. |
|
1328 |
Health Monitoring Service has stopped |
Functionality |
Low |
The Health Monitoring Service has stopped. |
Identity Theft Events
|
Code |
Event Name |
Category |
Severity |
Description |
|---|---|---|---|---|
|
1100 |
Login from paired client |
Identity Theft |
-- |
A user logged in from a paired client machine. This user-client pair is approved. |
|
1101 |
Secondary login from paired client |
Identity Theft |
-- |
A user logged in via ObserveIT Secondary Identification from a paired client machine. This user-client pair is valid. |
|
1102 |
Login from unpaired client |
Identity Theft |
Low |
A user logged in from an unpaired client machine. This user-client pair is NOT valid. |
|
1103 |
Secondary login from unpaired client |
Identity Theft |
Low |
A user logged in via ObserveIT Secondary Identification from an unpaired client machine. This user-client pair is NOT valid. |
|
1104 |
Login with no valid pair |
Identity Theft |
Medium |
A user logged in from an unpaired client machine. This user-client pair is NOT valid and this user is already paired with another client. |
|
1105 |
Secondary login with no valid pairs |
Identity Theft |
Medium |
A user logged in via ObserveIT Secondary Identification from an unpaired client machine. This user-client pair is NOT valid and this user is already paired with another client. |
|
1106 |
Suspected login reported |
Identity Theft |
High |
A user reported a suspicious use of his credentials. |
|
1107 |
Suspected secondary login reported |
Identity Theft |
High |
A user reported a suspicious use of his credentials via ObserveIT Secondary Identification. |
|
1108 |
User-client pairing request |
Identity Theft |
Low |
A user sent a user-client pairing request. |
|
1109 |
Failed to send an email to user |
Identity Theft |
Medium |
Failed to send a "suspicious use of credentials" email to the user. |
Notification Service Events
|
Code |
Event Name |
Category |
Severity |
Description |
|---|---|---|---|---|
|
1302 |
Notification Service is OK |
Functionality |
Low |
The Notification Service is working properly. |
|
1303 |
Notification Service is not working properly |
Functionality |
High |
The Notification Service is not working properly. Perhaps the service was terminated or was configured incorrectly. When this occurs, there will be no archives, no event emails, and no scheduled reports. To resolve this, restart the service (go to Start> Services). |
|
1305 |
Notification Service has started |
Functionality |
Low |
The Notification Service has started. |
|
1306 |
Notification Service has stopped |
Functionality |
Low |
The Notification Service has stopped. Restart the service (go to Start> Services). |
|
1405 |
ArcSight file size reached 0.5 |
Communication |
Low |
File size reached 0.5 of the maximum size defined. |
|
1406 |
ArcSight file size reached 0.75 |
Communication |
Medium |
File size reached 0.75 of the maximum size defined. |
|
1407 |
ArcSight file size reached 0.99 |
Communication |
High |
File size reached 0.99 of the maximum size defined. |
|
1408 |
ArcSight file size past maximum |
Communication |
High |
File past the maximum size defined. |
|
1409 |
Monitor Log could not create directory |
Communication |
High |
You may not have sufficient permissions to create the directory. |
|
1410 |
Monitor Log could not write to file |
Communication |
High |
You may not have sufficient permissions to write a log file. |
|
1900 |
Notification Service failed to access the Task Service |
Functionality |
High |
Notification Service failed to access the Task Service for creating a task to manage screenshots storage. Muting this System Event for configured duration (1 hour by default). |
|
1901 |
Notification Service access to the Task Service was recovered |
Functionality |
Low |
Access from the Notification Service to the Task Service was recovered after previous failures. |
Rule Engine Events
|
Code |
Event Name |
Category |
Severity |
Description |
|---|---|---|---|---|
|
1322 |
Rule Engine Service is not working properly |
Functionality |
High |
The Rule Engine Service was unable to create alert rules. Perhaps the service was terminated or was configured incorrectly. Restart the service (go to Start> Services). |
|
1323 |
Rule Engine Service is OK |
Functionality |
Low |
The Rule Engine Service is working properly. |
|
1329 |
Rule Engine Service has started |
Functionality |
Low |
The Rule Engine Service has started. |
|
1330 |
Rule Engine Service has stopped |
Functionality |
High |
The Rule Engine Service has stopped. Restart the service (go to Start> Services). |
Storage Threshold Events
|
Code |
Event Name |
Category |
Severity |
Description |
|---|---|---|---|---|
|
1401 |
Storage threshold has reached its limit |
Data Loss |
Medium |
The storage threshold (%) has reached its configured limit. Additional storage should be configured. |
|
1402 |
Allocated storage space has reached its limit |
Data Loss |
High |
The maximum allocated storage space has reached its configured limit. To prevent screen capture data loss, additional storage space must be configured immediately. |
Screenshots Storage Optimizer Events
|
Code |
Event Name |
Category |
Severity |
Description |
|---|---|---|---|---|
|
1430 |
Screenshot Storage Optimizer failed to access the warm (standard) storage |
Functionality |
High |
Screenshot Storage Optimizer failed to access the warm (standard) storage file system due to a storage space or permissions issue. Muting this System Event for configured duration (5 minutes by default). |
|
1431 |
Screenshot Storage Optimizer failed to access the hot (fast) storage |
Functionality |
High |
Screenshot Storage Optimizer failed to access the Hot (fast) storage file system due to a storage space or permissions issue. Muting this System Event for configured duration (5 minutes by default). |
|
1432 |
Access from Screenshot Storage Optimizer to the warm (standard) storage was recovered |
Functionality |
Low |
Access from Screenshot Storage Optimizer to the warm (standard) storage file system was recovered after previous failures. |
|
1433 |
Access from Screenshot Storage Optimizer to the hot (fast) storage was recovered |
Functionality |
Low |
Access from Screenshot Storage Optimizer to the hot (fast) storage file system was recovered after previous failures. |
|
1902 |
Screenshots Storage Optimizer exceeded the max-attempts to handle specific task. |
Functionality |
High |
The Task Service detects that the Screenshots Storage Optimizer exceeded the max-attempts to successfully handle a task. |
| 1903 | The task service detects tasks are overdue for processing | Functionality | High | The task service detects tasks are overdue for processing |
Website Categorization Events
|
Code |
Event Name |
Category |
Severity |
Description |
|---|---|---|---|---|
|
1800 |
Failed to update web categories DB |
Communication |
High |
The periodic update of the Website Categorization DB failed. |
|
1801 |
Website Categorization service started |
Functionality |
Low |
WebCat service was started successfully. |
|
1802 |
Website Categorization service stopped |
Functionality |
High |
WebCat service was stopped. |
|
1803 |
Website Categorization service started with errors |
Functionality |
High |
WebCat service was started with errors. |
|
1804 |
Successfully downloaded web categories DB for the first time |
Communication |
Low |
After installation, the Website Categorization DB was downloaded successfully. |
|
1805 |
Failed to download web categories DB for the first time |
Communication |
High |
After installation, the Website Categorization DB failed to be downloaded. |
|
1806 |
Failed to retrieve web categories |
Functionality |
High |
Failed to retrieve categories of URLs from Website Categorization. |
|
1807 |
Website Categorization Module does not respond anymore |
Functionality |
High |
Failed to access the Website Categorization Module during several retries. Stopping trying until the end of the session. |
|
1808 |
Website Categorization Web Service does not respond anymore |
Functionality |
High |
Failed to get category of URL from dedicated web service after several retries. Stopping trying until the end of the session. |