ArcSight Specific Device Event Class IDs
DeviceEventClassId Description Object Behavior Technique Device Group Significance Outcome
#rule:100 RULE_FIRE Host/Application Execute/Query Nothing Application Normal Success
PROFILE:001 PATTERNDISCOVERYRUN_STARTED Host/Application/Service Execute/Query Nothing Application Informational Attempt
PROFILE:002 PATTERNDISCOVERYRUN_FINISHED Host/Application/Service Execute/Query Application Informational Success
activelist:101 ACTIVE_LIST_ADD An entry was added to an Active List Host/Application Modify/Configuration Nothing Application Normal Success
activelist:102 ACTIVE_LIST_REMOVE An entry was removed from an Active List Host/Application Modify/Configuration Nothing Application Normal Success
activelist:103 ACTIVE_LIST_UPDATE An entry was changed in an Active List Host/Application Modify/Configuration Nothing Application Normal Success
activelist:104 ACTIVE_LIST_EXPIRE An entry was removed from an Active List because the last update to the value was older than the expiration period Host/Application Modify/Configuration Application Informational Success
activelist:105 ACTIVE_LIST_EVICT Host/Resource Check/Resource Application Informational/Alert Success
actor:100 ACTOR_DELETE Nothing Nothing Nothing Nothing Nothing Nothing
actor:102 ACTOR_ADD Nothing Nothing Nothing Nothing Nothing Nothing
actor:110 ACTOR_SINGLE_VALUE_UPDATE Nothing Nothing Nothing Nothing Nothing Nothing
actor:111 ACTOR_MULTI_VALUE_ADD Nothing Nothing Nothing Nothing Nothing Nothing
actor:112 ACTOR_MULTI_VALUE_DELETE Nothing Nothing Nothing Nothing Nothing Nothing
agent:000 AGENT Host/Application Nothing Nothing Application Normal Nothing
agent:001 Agent Connection Host/Application Access/Start Nothing Application Normal Success
agent:002 Agent Reconnected Host/Application Access/Start Nothing Application Informational Success
agent:003 Agent Zombie Host/Application Execute Nothing Application Informational/Error Failure
agent:004 Agent Disconnect Host/Application Access/Stop Nothing Application Informational Success
agent:006 Unknown Agent Attempted to Connect Host/Application Access/Start Nothing Application Suspicious Attempt
agent:007 AGENT_REGISTRATION_SUCCESS Agent was successfully registered with Manager Host/Application Access Nothing Application Normal Success
agent:008 AGENT_REGISTRATION_FAILURE Agent was not successfully registered with Manager Host/Application Access Nothing Application Informational/Error Failure
agent:009 AGENT_CONNECTION_REFUSED Manager rejected a connection attempt from an Agent for reasons other than authentication failure Host/Application Access Nothing Application Informational/Error Failure
agent:010 AGENT_UPGRADE_SUCCESS Agent upgrade succeeded Host/Application Modify/Content Nothing Application Normal Success
agent:011 AGENT_UPGRADE_FAILURE Agent upgrade failed Host/Application Modify/Content Nothing Application Informational/Error Failure
agent:012 AGENT_TIME_DEVICE_FAILURE Agent detected source events from a sensor device containing incorrect time stamps Host/Application Execute/Response Application Informational/Warning Success
agent:013 AGENT_DEVICE_FOUND Agent noted that a new sensor device is sending events Host/Application Communicate/Query Nothing Application Normal Success
agent:014 AGENT_SYSLOG_AGGREGATION_FAILURE Agent could not find a base event referenced in a syslog aggregate event Host/Application Execute/Query Nothing Application Informational/Error Failure
agent:015 AGENT_CONNECTION_DEVICE_FAILURE Agent could not connect to the sensor device's log Host/Application Access/Start Nothing Application Informational/Error Failure
agent:016 AGENT_CONNECTION_DEVICE_SUCCESS Agent successfully connected to the sensor device's log Host/Application Access/Start Nothing Application Normal Success
agent:017 AGENT_COMMAND_SUCCESS Agent successfully executed a command Host/Application Execute/Query Application Normal Success
agent:018 AGENT_COMMAND_FAILURE Agent could not execute a command Host/Application Execute/Query Application Informational/Error Failure
agent:019 AGENT_CACHE_CACHING Agent is caching events because they could not be immediately transmitted to the Manager Host/Application Execute/Response Application Informational/Warning Success
agent:020 AGENT_CACHE_EMPTY Agent has emptied its cache of events Host/Application/Service Execute/Response Nothing Application Normal Success
agent:021 AGENT_NTCOLLECTOR_ERROR Agent could not communicate with an NT collector sensor Host/Application Communicate/Query Nothing Application Informational/Error Failure
agent:022 AGENT_CONFIGURATION_FAILURE Agent could not process a reconfiguration request Host/Application Modify/Configuration Nothing Application Informational/Error Failure
agent:023 AGENT_CHECKPOINT_ERROR Agent could not communicate with a CheckPoint sensor Host/Application Execute Nothing Application Informational/Error Failure
agent:024 AGENT_CHECKPOINT_WARN Agent is having difficulty communicating with CheckPoint Host/Application Execute Nothing Application Informational/Warning Failure
agent:025 AGENT_UPDATE_SUCCESS Agent content was successfully updated Host/Application Modify/Configuration Nothing Application Normal Success
agent:026 AGENT_UPDATE_FAILURE Agent content update failed Host/Application Modify/Configuration Nothing Application Informational/Error Failure
agent:027 AGENT_ACS_ERROR Host/Application/Service Execute/Query Nothing Application Informational/Error Failure
agent:028 AGENT_UNEXPECTED_ERROR Agent experienced an unexpected problem Host/Application/Service Execute/Query Nothing Application Informational/Error Failure
agent:029 AGENT_CACHE_DROPPED Agent was forced to drop some of its cached data Host/Resource Execute/Query Nothing Application Informational/Warning Failure
agent:030 AGENT_STARTED Agent started Host/Application/Service Execute/Start Nothing Application Normal Success
agent:031 AGENT_SHUTTINGDOWN Agent shutdown Host/Application/Service Execute/Stop Nothing Application Normal Success
agent:032 AGENT_CONFIGURATION_CHANGED Agent configuration was successfully changed Host/Application/Service Modify/Configuration Nothing Application Informational Success
agent:033 AGENT_DATABASE_PASSWORD_CHANGED The password used by an Agent to access a database has changed Host/Application Authentication/Modify Application Informational Success
agent:034 AGENT_DEVICE_UPDATED The Agent has been directed to monitor a different device (sensor) Host/Application Modify/Configuration Application Informational Success
agent:035 AGENT_TIME_FAILURE The Agent has detected event time stamps that fall outside the valid range Host/Application Execute/Response Application Informational/Warning Success
agent:036 AGENT_UPGRADE_STARTED Host/Application Modify/Content Application Informational Attempt
agent:037 AGENT_UPGRADE_ROLLBACK_STARTED Host/Application Modify/Content Application Informational Attempt
agent:038 AGENT_UPGRADE_ROLLBACK_SUCCESS Host/Application Modify/Content Application Informational Success
agent:039 AGENT_UPGRADE_ROLLBACK_FAILURE Host/Application Modify/Content Application Informational/Error Failure
agent:040 AGENT_INTEGRITY These warn about incoming non-internal events that have no raw event data. If the user does want to protect his event integrity, then these alerts should be given attention since they probably imply that a Connector has been improperly written such that events are being generated without raw event data Host/Application Execute/Response Application Informational/Warning Success
agent:041 AGENT_COMMAND_SENTTOAGENT Host/Application Communicate/Query Application Informational Success
agent:050 Nothing Nothing Nothing Nothing Nothing Nothing
agent:100 AGENT_CONNECTION Host/Application Access Nothing Application Normal Attempt
agent:101 AGENT_CONNECTION_ESTABLISH Agent has just connected to Manager Host/Application Access Nothing Application Normal Success
agent:102 AGENT_CONNECTION_ZOMBIE Agent is sending events but no heartbeats Host/Application Communicate/Query Application Informational/Error Failure
agent:103 AGENT_CONNECTION_DROP Agent is sending neither events nor heartbeats Host/Application Communicate/Query Application Informational/Alert Failure
agent:104 AGENT_CONNECTION_UNKNOWN_AGENT An unknown Agent attempted to connect to the Manager Host/Application Access Nothing Application Informational/Error Failure
agent:105 AGENT_CONNECTION_ID_MISMATCH An Agent presented an incorrect shared secret when authenticating Host/Application Communicate/Query Nothing Application Informational/Error Failure
agent:106 AGENT_SIDETABLE_OVERFLOW Host/Resource Check/Resource Application Informational/Warning Failure
agent:107 AGENT_SIDETABLE_OVERFLOW_DETECTED_ON_AGENT_SIDE Host/Resource Check/Resource Application Informational/Warning Failure
agent:108 AGENT_CONNECTION_BLACKLISTED_AGENT Host/Application Communicate/Query Application Informational/Warning Attempt
assetaging:000 ASSET_AGING Host/Application/Service Execute/Response Application Informational Success
assetaging:100 ASSET_AGING_DISABLED Host/Application/Service Modify/Configuration Application Informational Success
assetaging:101 ASSET_AGING_DELETED Nothing Nothing Nothing Nothing Nothing Nothing
authentication:000 AUTHENTICATION Host/Application Authentication Nothing Application Normal Attempt
authentication:100 AUTHENTICATION_LOGIN Successful client login Host/Application Authentication/Verify Nothing Application Normal Success
authentication:101 AUTHENTICATION_LOGIN_FAIL Failed client login Host/Application Authentication/Verify Nothing Application Informational/Warning Failure
authentication:102 AUTHENTICATION_LOGOUT Client logout Host/Application Access/Stop Nothing Application Normal Success
authentication:103 AUTHENTICATION_LOGOUT_TIME Client timed out due to inactivity Host/Application Access/Stop Nothing Application Normal Success
authentication:104 AUTHENTICATION_LOGIN_EXCESSIVE_FAILURES Client suffered too many login failures within a short time period Host/Application Authentication/Modify Application Informational/Warning Success
authentication:105 AUTHENTICATION_NON_FIPS_USER Host/Application Authentication/Verify Application Informational/Warning Failure
authentication:200 AUTHENTICATION_AGENT Successful Agent authentication Host/Application Authentication/Verify Nothing Application Normal Success
authentication:201 AUTHENTICATION_AGENT_FAIL Agent authentication failed Host/Application Authentication/Verify Nothing Application Informational/Warning Failure
authentication:202 AUTHENTICATION_NON_FIPS_AGENT Host/Application Authentication/Verify Application Informational/Warning Failure
authentication:203 AUTHENTICATION_ARCHIVE_AGENT_FAIL Host/Application/Service Execute/Query Application Informational/Error Failure
authentication:300 AUTHENTICATION_CLIENT_REFUSED Client failed to authenticate successfully Host/Application Authentication/Verify Application Informational/Warning Failure
authorization:100 AUTHORIZATION_SERVICE_REFUSED Manager refused to authorize client Host/Application Authentication/Verify Nothing Application Informational/Warning Failure
authorization:101 it gets sent whenever a client attempts an XML RPC call, but the manager no longer knows about the session. Host/Resource Access/Start Nothing Application Compromise/Confidentiality Attempt
buffer:001 BUFFER_OVERFILL A buffer overflowed Host/Resource Check/Resource Nothing Application Informational/Warning Failure
cache:000 CACHE Host/Resource Application
cache:100 CACHE_OVERFLOW Host/Resource Check/Resource Application Informational/Warning Failure
capsmanager:000 CAPS_MANAGER_ABORT The memory usage manager has deactivated a configuration resource Host/Application Execute/Query Application Informational/Alert Success
capsmanager:001 The memory usage manager has asked a configuration resource to reduce its memory usage Host/Application Execute/Query Application Informational/Warning Success
capsmanager:100 CAPS_MANAGER_REDUCE Host/Application Execute/Query Application Informational/Warning Success
channel:001 CHANNEL_ATTACHED An Active Channel was opened Host/Application Execute/Query Nothing Application Normal Success
channel:002 CHANNEL_EMPTY An empty Active Channel was opened Host/Application Communicate/Response Nothing Application Informational Success
channel:003 CHANNEL_QUERY_COMPLETED The initial query for an Active Channel has completed. Host/Application Execute/Query Application Informational Success
channel:004 CHANNEL_QUERY_SLOW Host/Application Execute/Response Application Informational Success
cpu:100 Global CPU Linux /Monitor/CPU/Usage /proc/stat Host/Application Execute/Response Application Informational Success
cpu:101 Per CPU Linux /Monitor/CPUn/Usage /proc/stat Host/Application Execute/Response Application Informational Success
dashboard:001 DASHBOARD_ATTACHED Generated the first time a client begins requesting data from each Data Monitor Host/Application Execute/Query Nothing Application Normal Success
database:000 DATABASE Host/Application/Database Nothing Nothing Application Normal Nothing
database:100 DATABASE_TABLESPACE_LOW Database tablespace is low and will be deactivated Host/Application/Database Check/Resource Nothing Application Informational/Alert Failure
database:101 DATABASE_ERROR_FATAL Database has generated a fatal error and will be deactivated Host/Application/Database Execute Nothing Application Informational/Alert Failure
database:102 DATABASE_REACTIVATED Database has been reactivated Host/Application/Database Execute/Start Nothing Application Normal Success
database:103 DATABASE_TABLESPACE_AVALIABLE Database has more tablespace available after detecting a low tablespace condition Host/Application/Database Check/Resource Application Informational Success
database:104 DATABASE_EVENT_DISCARDED Host/Application/Database/Data Delete Application Informational Success
datamonitor:000 DATA_MONITOR Host/Application Nothing Nothing Security Information Manager Informational Nothing
datamonitor:100 DATA_MONITOR_MOVING_AVERAGE Host/Application Execute/Response Nothing Security Information Manager Informational Success
datamonitor:101 DATA_MONITOR_MOVING_AVERAGE_THRESHOLD Host/Application Execute/Response Nothing Security Information Manager Informational Success
datamonitor:102 DATA_MONITOR_MOVING_AVERAGE_THRESHOLD_FALLING Moving Average Data Monitor detected a rapidly falling moving average Host/Application Execute/Response Nothing Security Information Manager Informational Success
datamonitor:103 DATA_MONITOR_MOVING_AVERAGE_THRESHOLD_RISING Moving Average Data Monitor detected a rapidly rising moving average Host/Application Execute/Response Nothing Security Information Manager Informational Success
datamonitor:104 DATA_MONITOR_MOVING_AVERAGE_STATUS Moving Average Data Monitor reporting the current moving average Host/Application Execute/Response Nothing Security Information Manager Informational Success
datamonitor:105 DATA_MONITOR_MOVING_AVERAGE_VALUE_ADD Moving Average Data Monitor started tracking a new key value Host/Application Execute/Response Security Information Manager Informational Success
datamonitor:106 DATA_MONITOR_MOVING_AVERAGE_VALUE_REMOVE Moving Average Data Monitor stopped tracking a key value Host/Application Execute/Response Security Information Manager Informational Success
datamonitor:200 DATA_MONITOR_STATISTICS Statistical Data Monitor reporting a change in status Host/Application Execute/Response Nothing Security Information Manager Informational Success
datamonitor:201 DATA_MONITOR_STATISTICS_VALUE_ADD Statistical Data Monitor started tracking a new key value Host/Application Execute/Response Security Information Manager Informational Success
datamonitor:202 DATA_MONITOR_STATISTICS_VALUE_REMOVE Statistical Data Monitor stopped tracking a key value Host/Application Execute/Response Security Information Manager Informational Success
datamonitor:300 DATA_MONITOR_CORRELATION Correlation Data Monitor reporting a correlated or non-correlated event Host/Application Execute/Response Nothing Security Information Manager Informational Success
datamonitor:400 DATA_MONITOR_SET_VALUE State changed in Last State Data Monitor Host/Application Execute/Query Security Information Manager Normal Success
datamonitor:401 DATA_MONITOR_SET_VALUE_USER State changed manually in Last State Data Monitor Host/Application Execute/Query Security Information Manager Normal Success
datamonitor:402 DATA_MONITOR_REMOVE_VALUE_USER Key value removed manually in Last State Data Monitor Host/Application Execute/Response Security Information Manager Informational Success
datamonitor:500 DATA_MONITOR_TOP_VALUE_COUNT Host/Application Execute/Response Security Information Manager Informational Success
datamonitor:501 DATA_MONITOR_TOP_VALUE_COUNT_VALUE_ADD Host/Application Execute/Response Security Information Manager Informational Success
datamonitor:502 DATA_MONITOR_TOP_VALUE_COUNT_VALUE_REMOVE Host/Application Execute/Response Security Information Manager Informational Success
disk:102 Per disk read Linux /Monitor/Disk/drive/Read /proc/diskstats Host/Application Execute/Response Application Informational Success
disk:103 Per disk write Linux /Monitor/Disk/drive/Write /proc/diskstats Host/Application Execute/Response Application Informational Success
domain:000 DOMAIN Host/Application Execute/Response Application Informational Success
domain:100 DOMAIN_OUT_OF_COLUMNS Host/Application/Service Execute/Response Application Informational/Error Success
domain:101 DOMAIN_AUTOGENERATED Nothing Nothing Nothing Nothing Nothing Nothing
domain:102 DOMAIN_FIELD_AUTOGENERATED Nothing Nothing Nothing Nothing Nothing Nothing
domain:103 DOMAIN_INVALID_URI Nothing Nothing Nothing Nothing Nothing Nothing
filestore:000 FILESTORE Nothing Nothing Nothing Nothing Nothing Nothing
filestore:100 FILESTORE_DROPPED_EVENT Host/Application/Service Execute/Query Application Informational Success
filestore:101 FILESTORE_EXCEEDED_BLOCKSIZE Host/Application/Service Execute/Response Application Success
group:100 Group delete Host/Application Authorization/Delete Application Informational Success
group:101 Group update Host/Application Authorization/Modify Application Informational Success
group:102 group add Host/Application Authorization/Add Application Informational Success
integrationcommand:000 INTEGRATION_COMMAND Nothing Nothing Nothing Nothing Nothing Nothing
integrationcommand:100 INTEGRATION_COMMAND_SUCCEEDED Nothing Nothing Nothing Nothing Nothing Nothing
integrationcommand:101 INTEGRATION_COMMAND_FAILED Nothing Nothing Nothing Nothing Nothing Nothing
license:100 LICENSE_ASSETS_TOTAL_COUNT Host/Application/Service Execute/Response Application Informational Success
license:101 LICENSE_DEVICES_TOTAL_COUNT Host/Application/Service Execute/Response Application Informational Success
license:102 LICENSE_ACTORS_TOTAL_COUNT Host/Application/Service Execute/Response Application Informational Success
license:103 LICENSE_CONSOLE_USERS_TOTAL_COUNT Host/Application/Service Execute/Response Application Informational Success
license:104 LICENSE_WEB_USERS_TOTAL_COUNT Host/Application/Service Execute/Response Application Informational Success
license:105 LICENSE_EPS_INCOMING_TOTAL_COUNT Host/Application/Service Execute/Response Application Informational Success
manager:000 MANAGER Host/Application Nothing Nothing Application Normal Nothing
manager:100 MANAGER_START Manager has started Host/Application Execute/Start Nothing Application Normal Success
manager:101 MANAGER_STOP A clean Manager shutdown has been requested Host/Application Execute/Stop Application Informational Success
manager:200 MANAGER_EVENTFLOW_STOPPED Manager has stopped the event flow Host/Application/Service Execute/Stop Nothing Application Informational/Warning Failure
manager:201 MANAGER_EVENTFLOW_RESTARTED Manager has allowed the event flow to resume Host/Application/Service Execute/Start Nothing Application Normal Success
manager:202 MANAGER_SUBSYSTEM_OK A subsystem of the Manager is functioning normally Host/Application Execute/Response Application Normal Success
manager:203 MANAGER_SUBSYSTEM_WARNING A subsystem of the Manager has detected a possible problem Host/Application Execute/Response Application Informational/Warning Failure
manager:204 MANAGER_SUBSYSTEM_ERROR A subsystem of the Manager has detected a confirmed problem Host/Application Execute/Query Application Informational/Error Failure
memory:100 Platform memory Linux /Monitor/Memory/Usage/Platform /proc/meminfo Host/Resource/Memory Execute/Response Application Informational Success
memory:101 JVM memory (all) /Monitor/Memory/Usage/Jvm MemoryMXBean Host/Application Execute/Response Application Informational Success
memory:102 Platform buffers memory Linux /Monitor/Memory/Usage/Platform/Buffers /proc/meminfo Host/Application Execute/Response Application Informational Success
memory:103 Platform cached memory Linux /Monitor/Memory/Usage/Platform/Cached /proc/meminfo Host/Application Execute/Response Application Informational Success
memory:104 Platform free memory Linux /Monitor/Memory/Usage/Platform/Free /proc/meminfo Host/Application Execute/Response Application Informational Success
memory:105 JVM heap memory (all) /Monitor/Memory/Usage/Jvm/Heap MemoryMXBean Host/Application Execute/Response Application Informational Success
memory:106 JVM non-heap memory (all) /Monitor/Memory/Usage/Jvm/NonHeap MemoryMXBean Host/Application Execute/Response Application Informational Success
monitor:100 MONITOR_ACTIVE_CHANNELS_OPEN Host/Application Execute/Response Application Informational Success
monitor:101 MONITOR_DATAMONITORS_ACTIVE_PROBES Host/Application Execute/Response Application Informational Success
monitor:102 MONITOR_EVENT_BROKER_INSERT_TIME Host/Application Execute/Response Application Informational Success
monitor:103 MONITOR_EVENT_BROKER_LOAD Host/Application Execute/Response Application Informational Success
monitor:104 MONITOR_AGENTS_EVENTS_OUTPUT Host/Application Execute/Response Application Informational Success
monitor:105 MONITOR_AGENTS_EVENTS_INPUT Host/Application Execute/Response Application Informational Success
monitor:106 MONITOR_AGENTS_EVENTS_FILTERED Host/Application Execute/Response Application Informational Success
monitor:107 MONITOR_AGENTS_EVENTS_AGGREGATED Host/Application Execute/Response Application Informational Success
monitor:108 MONITOR_AGENTS_EPS Host/Application Execute/Response Application Informational Success
monitor:109 MONITOR_AGENTS_EPS_OUTPUT Host/Application Execute/Response Application Informational Success
monitor:110 MONITOR_AGENTS_EPS_INPUT Host/Application Execute/Response Application Informational Success
monitor:111 MONITOR_AGENTS_EPS_FILTERED Host/Application Execute/Response Application Informational Success
monitor:112 MONITOR_AGENTS_EPS_AGGREGATED Host/Application Execute/Response Application Informational Success
monitor:113 MONITOR_AGENTS_CACHE_SIZE Host/Resource/Memory Execute/Response Application Informational Success
monitor:114 MONITOR_ACTIVE_LISTS_ENTRIES Host/Application Execute/Response Application Informational Success
monitor:115 MONITOR_ACTIVE_LISTS_TEMPORARY_LISTS Host/Application Execute/Response Application Informational Success
monitor:116 MONITOR_ACTIVE_LISTS_USAGE Host/Application Execute/Response Application Informational Success
monitor:117 MONITOR_ACTIVE_LISTS_ENTRY_PERCENT_USED Host/Application Execute/Response Application Informational Success
monitor:118 MONITOR_ACTIVE_LISTS_TEMPORARY_LIST_COUNT Host/Application Execute/Response Application Informational Success
monitor:119 MONITOR_ACTIVE_LISTS_TEMPORARY_LIST_ENTRY_COUNT Host/Application Execute/Response Application Informational Success
monitor:120 MONITOR_TOTAL_EVENTS_OUTPUT Host/Application Execute/Response Application Informational Success
monitor:121 MONITOR_TOTAL_EVENTS_INPUT Host/Application Execute/Response Application Informational Success
monitor:122 MONITOR_TOTAL_EVENTS_FILTERED Host/Application Execute/Response Application Informational Success
monitor:123 MONITOR_TOTAL_EVENTS_AGGREGATED Host/Application Execute/Response Application Informational Success
monitor:124 MONITOR_TOTAL_EPS Host/Application Execute/Response Application Informational Success
monitor:125 MONITOR_TOTAL_EPS_OUTPUT Host/Application Execute/Response Application Informational Success
monitor:126 MONITOR_TOTAL_EPS_INPUT Host/Application Execute/Response Application Informational Success
monitor:127 MONITOR_TOTAL_EPS_FILTERED Host/Application Execute/Response Application Informational Success
monitor:128 MONITOR_TOTAL_EPS_AGGREGATED Host/Application Execute/Response Application Informational Success
monitor:129 MONITOR_TOTAL_CACHE_SIZE Host/Resource/Memory Execute/Response Application Informational Success
monitor:130 MONITOR_REPORTS_RUNNING Host/Application Execute/Response Application Informational Success
monitor:131 MONITOR_REPORTS_RUNNING_QUERYING_DB Host/Application Execute/Response Application Informational Success
monitor:132 MONITOR_REPORTS_RUNNING_RENDERING Host/Application Execute/Response Application Informational Success
monitor:140 MONITOR_EVENT_BROKER_RETRIEVAL_TIME Host/Application Execute/Response Application Informational Success
monitor:141 MONITOR_TOTAL_EVENTS_OUTPUT Host/Application Execute/Response Application Informational Success
monitor:142 MONITOR_TOTAL_EVENTS_INPUT Host/Application Execute/Response Application Informational Success
monitor:143 MONITOR_TOTAL_EVENTS_FILTERED Host/Application Execute/Response Application Informational Success
monitor:144 MONITOR_TOTAL_EVENTS_AGGREGATED Host/Application Execute/Response Application Informational Success
monitor:145 MONITOR_TOTAL_EPS Host/Application Execute/Response Application Informational Success
monitor:146 MONITOR_TOTAL_EPS_OUTPUT Host/Application Execute/Response Application Informational Success
monitor:147 MONITOR_TOTAL_EPS_INPUT Host/Application Execute/Response Application Informational Success
monitor:148 MONITOR_TOTAL_EPS_FILTERED Host/Application Execute/Response Application Informational Success
monitor:149 MONITOR_TOTAL_EPS_AGGREGATED Host/Application Execute/Response Application Informational Success
monitor:150 MONITOR_TOTAL_CACHE_SIZE Host/Resource/Memory Execute/Response Application Informational Success
monitor:151 MONITOR_RULES_TOTAL_EVENT_COUNT Host/Application Execute/Response Application Informational Success
monitor:152 MONITOR_RULES_INSERTED_EVENT_COUNT Host/Application Execute/Response Application Informational Success
monitor:153 MONITOR_RULES_GENERATED_EVENT_COUNT Host/Application Execute/Response Application Informational Success
monitor:154 MONITOR_RULES_PARTIAL_MATCH_COUNT Host/Application Execute/Response Application Informational Success
monitor:155 MONITOR_RULES_GC_EVENT_COUNT Host/Application Execute/Response Application Informational Success
monitor:156 MONITOR_RULES_GROUPBY_CELLS_SIZE Host/Application Execute/Response Application Informational Success
monitor:157 MONITOR_RULES_ACTIVE_RULES_COUNT Host/Application Execute/Response Application Informational Success
monitor:158 MONITOR_RULES_ACTIONS_TAKEN_COUNT Host/Application Execute/Response Application Informational Success
monitor:159 MONITOR_RULES_GENERATED_EVENT_COUNT Host/Application Execute/Response Application Informational Success
monitor:160 MONITOR_SESSIONS_ACTIVE_TOTAL Host/Application Execute/Response Application Informational Success
monitor:161 MONITOR_ZONE_EVAL_COUNT Host/Application Execute/Response Application Informational Success
monitor:171 MONITOR_RESOURCES_ACTIVITY_INSERT Host/Resource Execute/Response Application Informational Success
monitor:172 MONITOR_RESOURCES_ACTIVITY_UPDATE Host/Resource Execute/Response Application Informational Success
monitor:173 MONITOR_RESOURCES_ACTIVITY_DELETE Host/Resource Execute/Response Application Informational Success
monitor:174 MONITOR_ACTIVE_CHANNELS_EVENTS_INSERT Host/Application Execute/Response Application Informational Success
monitor:175 MONITOR_ACTIVE_CHANNELS_EVENTS_CHANGE Host/Application Execute/Response Application Informational Success
monitor:180 MONITOR_NOTIFICATION_NEW_COUNT Host/Application Execute/Response Application Informational Success
monitor:181 MONITOR_NOTIFICATION_ESCALATED_COUNT Host/Application Execute/Response Application Informational Success
monitor:190 MONITOR_PATTERNS_RUN_COUNT Host/Application Execute/Response Application Informational Success
monitor:191 MONITOR_PATTERNS_RUN_QUEUED Host/Application Execute/Response Application Informational Success
monitor:200 MONITOR_ASSETS_TOTAL_COUNT Host/Application Execute/Response Application Informational Success
monitor:201 MONITOR_ASSETS_SCANNER_EPS Host/Application Execute/Response Application Informational Success
monitor:202 MONITOR_ASSETS_RESOLUTIONS_PER_SECOND Host/Application Execute/Response Application Informational Success
monitor:203 MONITOR_ASSETS_AVERAGE_TIME_SCANNER_EVENTS Host/Application Execute/Response Application Informational Success
monitor:204 MONITOR_ASSETS_RESOLUTIONS_AVERAGE_TIME Host/Application Execute/Response Application Informational Success
monitor:205 MONITOR_ASSETS_RESOLUTIONS_AVERAGE_TIME_SOURCE Host/Application Execute/Response Application Informational Success
monitor:206 MONITOR_ASSETS_RESOLUTIONS_AVERAGE_TIME_DESTINATION Host/Application Execute/Response Application Informational Success
monitor:210 MONITOR_SIDETABLE_GEO_INFO_HIT_RATE Host/Application/Database Execute/Response Application Informational Success
monitor:211 MONITOR_SIDETABLE_GEO_INFO_INSERTS Host/Application/Database Execute/Response Application Informational Success
monitor:212 MONITOR_SIDETABLE_GEO_INFO_CACHE_MISSES Host/Application/Database Execute/Response Application Informational Success
monitor:213 MONITOR_SIDETABLE_GEO_INFO_SIZE Host/Application/Database Execute/Response Application Informational Success
monitor:214 MONITOR_SIDETABLE_CATEGORY_HIT_RATE Host/Application/Database Execute/Response Application Informational Success
monitor:215 MONITOR_SIDETABLE_CATEGORY_INSERTS Host/Application/Database Execute/Response Application Informational Success
monitor:216 MONITOR_SIDETABLE_CATEGORY_CACHE_MISSES Host/Application/Database Execute/Response Application Informational Success
monitor:217 MONITOR_SIDETABLE_CATEGORY_SIZE Host/Application/Database Execute/Response Application Informational Success
monitor:218 MONITOR_SIDETABLE_AGENT_HIT_RATE Host/Application/Database Execute/Response Application Informational Success
monitor:219 MONITOR_SIDETABLE_AGENT_INSERTS Host/Application/Database Execute/Response Application Informational Success
monitor:220 MONITOR_SIDETABLE_AGENT_CACHE_MISSES Host/Application/Database Execute/Response Application Informational Success
monitor:221 MONITOR_SIDETABLE_AGENT_SIZE Host/Application/Database Execute/Response Application Informational Success
monitor:222 MONITOR_SIDETABLE_DEVICE_HIT_RATE Host/Application/Database Execute/Response Application Informational Success
monitor:223 MONITOR_SIDETABLE_DEVICE_INSERTS Host/Application/Database Execute/Response Application Informational Success
monitor:224 MONITOR_SIDETABLE_DEVICE_CACHE_MISSES Host/Application/Database Execute/Response Application Informational Success
monitor:225 MONITOR_SIDETABLE_DEVICE_SIZE Host/Application/Database Execute/Response Application Informational Success
monitor:226 MONITOR_SIDETABLE_LABELS_HIT_RATE Host/Application/Database Execute/Response Application Informational Success
monitor:227 MONITOR_SIDETABLE_LABELS_INSERTS Host/Application/Database Execute/Response Application Informational Success
monitor:228 MONITOR_SIDETABLE_LABELS_CACHE_MISSES Host/Application/Database Execute/Response Application Informational Success
monitor:229 MONITOR_SIDETABLE_LABELS_SIZE Host/Application/Database Execute/Response Application Informational Success
monitor:230 MONITOR_FLOW_EVENT_RATE Host/Application Execute/Response Application Informational Success
monitor:231 MONITOR_FLOW_EVENT_COUNT Host/Application Execute/Response Application Informational Success
monitor:232 MONITOR_RULES_EVENTS_MATCHING_ANY_RULE_COUNT Host/Application Execute/Response Application Informational Success
monitor:233 MONITOR_RULES_EVENTS_MATCHING_FILTER_RULE_COUNT Host/Application Execute/Response Application Informational Success
monitor:234 MONITOR_RULES_EVENTS_MATCHING_JOIN_RULE_COUNT Host/Application Execute/Response Application Informational Success
monitor:235 MONITOR_RULES_MATCH_COUNT Host/Application Execute/Response Application Informational Success
monitor:240 MONITOR_TC_SIZE Host/Application Execute/Response Application Informational Success
monitor:260 MONITOR_SESSION_LISTS_LIST_COUNT Host/Application Execute/Response Application Informational Success
monitor:261 MONITOR_SESSION_LISTS_ENTRY_COUNT Host/Application Execute/Response Application Informational Success
monitor:262 MONITOR_SESSION_LISTS_ENTRY_CAPACITY Host/Application Execute/Response Application Informational Success
monitor:263 MONITOR_SESSION_LISTS_ENTRY_PERCENT_USED Host/Application Execute/Response Application Informational Success
monitor:264 MONITOR_SESSION_LISTS_QUERIES_PER_SECOND Host/Application Execute/Response Application Informational Success
monitor:265 MONITOR_SESSION_LISTS_CHANGES_PER_SECOND Host/Application Execute/Response Application Informational Success
monitor:270 MONITOR_DB_FREESPACE_ARC_EVENT Host/Application Execute/Response Application Informational Success
monitor:271 MONITOR_DB_FREESPACE_ARC_EVENT_INDEX Host/Application Execute/Response Application Informational Success
monitor:272 MONITOR_DB_FREESPACE_ARC_SYSTEM Host/Application Execute/Response Application Informational Success
monitor:273 MONITOR_DB_FREESPACE_ARC_SYSTEM_INDEX Host/Application Execute/Response Application Informational Success
monitor:274 MONITOR_DB_FREESPACE_ARC_DBSM_TEST Host/Application Execute/Response Application Informational Success
monitor:275 MONITOR_DB_FREESPACE_ARC_EVENT_PCT Host/Application Execute/Response Application Informational Success
monitor:276 MONITOR_DB_FREESPACE_ARC_EVENT_INDEX_PCT Host/Application Execute/Response Application Informational Success
monitor:277 MONITOR_DB_FREESPACE_ARC_SYSTEM_PCT Host/Application Execute/Response Application Informational Success
monitor:278 MONITOR_DB_FREESPACE_ARC_SYSTEM_INDEX_PCT Host/Application Execute/Response Application Informational Success
monitor:279 MONITOR_DB_FREESPACE_ARC_DBSM_TEST_PCT Host/Application Execute/Response Application Informational Success
network:100 Per interface network input Linux /Monitor/Network/Usage/iface/In /proc/net/dev Host/Application Execute/Response Application Informational Success
network:101 Per interface network output Linux /Monitor/Network/Usage/iface/Out /proc/net/dev Host/Application Execute/Response Application Informational Success
network:102 Per interface network packet input Linux /Monitor/Network/Usage/iface/PacketsIn /proc/net/dev Host/Application Execute/Response Application Informational Success
network:103 Per interface network packet output Linux /Monitor/Network/Usage/iface/PacketsOut /proc/net/dev Host/Application Execute/Response Application Informational Success
notification:000 NOTIFICATION Host/Application Modify/Configuration Nothing Application Normal Nothing
notification:100 NOTIFICATION_TRANSPORT_DISABLE Notification has been disabled Host/Application Modify/Configuration Nothing Application Informational/Alert Success
notification:101 NOTIFICATION_DISABLE_QUEUE_OVERFLOW Notification has been disabled because the queue of notifications to be sent is too large Host/Application Modify/Configuration Nothing Application Informational/Alert Success
notification:102 NOTIFICATION_TRANSPORT_ENABLE Notification has been enabled Host/Application Modify/Configuration Nothing Application Normal Success
notification:103 NOTIFICATION_ENABLE_QUEUE Notification has been enabled because the queue of notifications is back under control Host/Application Modify/Configuration Nothing Application Normal Success
notification:104 NOTIFICATION_DESTINATION_DISABLE A particular Notification Destination has been disabled Host/Application Modify/Configuration Nothing Application Normal Success
notification:105 NOTIFICATION_DESTINATION_DISABLE_TRAFFIC A particular Notification Destination has been disabled because too much traffic has been directed at that Destination Host/Application Modify/Configuration Nothing Application Normal Success
notification:106 NOTIFICATION_DESTINATION_ENABLE A particular Notification Destination has been enabled Host/Application Modify/Configuration Nothing Application Normal Success
notification:107 NOTIFICATION_EXPIRED A Notification expired without being acknowledged Host/Application Execute/Response Nothing Application Informational/Error Failure
notification:108 NOTIFICATION_UNDELIVERABLE No functioning Destination could be located for this Notification Host/Application Execute/Response Nothing Application Informational/Error Failure
notification:109 NOTIFICATION_PURGED Old Notification has been purged Host/Application Modify/Configuration Nothing Application Normal Success
notification:110 NOTIFICATION_ESCALATED Notification has been escalated to the next Destination level Host/Application/Service Execute/Query Nothing Application Informational Success
notification:111 NOTIFICATION_SENT_REQUIRES_ACKNOWLEDGMENT A Notification that requires acknowledgement has been sent Host/Application Execute/Query Application Informational Success
notification:111v null Host/Application/Service Execute/Response Nothing Application Informational Success
notification:112 generated when an informative notification is sent A Notification that does not require acknowledgement has been sent Host/Application/Service Execute/Response Nothing Application Informational Success
notification:200 NOTIFICATION_GROUP_TEST Sent a test Notification to this Destination Group Host/Application Execute/Query Nothing Application Normal Success
notification:300 NOTIFICATION_ACKNOWLEDGE This Notification has been acknowledged Host/Application Execute/Query Nothing Application Normal Success
notification:301 NOTIFICATION_RESOLVE This Notification has been resolved Host/Application/Service Modify/Configuration Nothing Application Informational Success
partitionarchiver:000 PARTITION_ARCHIVER_NO_OPERATION Host/Application/Service Application Normal Attempt
partitionarchiver:100 PARTITION_ARCHIVER_FULL_SUCCESS The partition was successfully archived Host/Application/Service Execute/Response Nothing Application Normal Success
partitionarchiver:200 PARTITION_ARCHIVER_PARTIAL_SUCCESS There was a problem while archiving the partition Host/Application/Service Execute/Response Nothing Application Informational Success
partitionarchiver:300 PARTITION_ARCHIVER_DISABLED Partition archiving is disabled Host/Application/Service Modify/Configuration Nothing Application Informational Success
partitionarchiver:400 PARTITION_ARCHIVER_TIMED_OUT Partition archiving did not complete in the allotted time Host/Application/Service Execute/Response Nothing Application Informational/Error Failure
partitionarchiver:500 PARTITION_ARCHIVER_TOTAL_FAILURE Partition archiving failed Host/Application/Service Execute/Response Nothing Application Informational/Error Failure
partitionarchiver:600 PARTITION_ARCHIVER_UNEXPECTED_ERROR There was an unexpected error while archiving partitions Host/Application/Service Execute/Response Nothing Application Informational/Error Failure
partitionmanager:000 PARTITION_MANAGER_NO_OPERATION Host/Application/Service Application Normal Attempt
partitionmanager:100 PARTITION_MANAGER_FULL_SUCCESS Partitions have been successfully managed Host/Application/Service Execute/Response Nothing Application Normal Success
partitionmanager:200 PARTITION_MANAGER_PARTIAL_SUCCESS There was a problem managing partitions Host/Application/Service Execute/Response Nothing Application Informational Success
partitionmanager:300 PARTITION_MANAGER_DISABLED The partition manager has been disabled Host/Application/Service Modify/Configuration Application Informational Success
partitionmanager:500 PARTITION_MANAGER_TOTAL_FAILURE Partitions could not be managed Host/Application/Service Execute/Response Nothing Application Informational/Error Failure
partitionmanager:600 PARTITION_MANAGER_UNEXPECTED_ERROR There was an unexpected error while managing partitions Host/Application/Service Execute/Response Nothing Application Informational/Error Failure
pattern:001 NEW_PATTERN_DISCOVERED A previously unknown pattern of events was discovered Host/Application Execute/Response Application Informational Success
pattern:002 PATTERN_REDISCOVERED A previously discovered pattern of events was observed once again Host/Application Execute/Response Application Informational Success
queryviewer:100 QUERY_VIEWER_QUERY_SUCCEEDED Nothing Nothing Nothing Nothing Nothing Nothing
queryviewer:101 QUERY_VIEWER_QUERY_FAILED Nothing Nothing Nothing Nothing Nothing Nothing
quota:000 QUOTA Host/Resource Execute/Response Nothing Application Informational Attempt
quota:100 QUOTA_MET resource usage has fallen below the fixed quota level Host/Resource Check/Resource Nothing Application Normal Success
quota:101 QUOTA_EXCEED resource usage has exceeded the fixed quota level Host/Resource Check/Resource Nothing Application Informational/Warning Failure
quota:102 QUOTA_ASSET_AUTOCREATION Asset autocreation has exceeded a fixed quota Host/Application Execute/Response Application Informational/Alert Success
quota:103 QUOTA_ASSET_AUTOCREATION_RATE Asset autocreation is proceeding too rapidly Host/Application Execute/Response Application Informational/Warning Success
report:000 REPORT Host/Application Nothing Nothing Application Normal Nothing
report:100 REPORT_GENERATE Generated a new Archived Report configuration resource Host/Application Execute/Response Nothing Application Normal Success
report:101 REPORT_GENERATE_FAIL Failed to generate a new Archived Report configuration resource Host/Application Execute/Response Nothing Application Informational/Error Failure
report:102 REPORT_DELTA Generated a new delta Archived Report configuration resource Host/Application Execute/Response Nothing Application Normal Success
report:103 REPORT_CANCELLED This Report run was cancelled by a user Host/Application Execute/Response Application Informational Failure
report:104 REPORT_GENERATE_STARTED Host/Application Execute/Query Application Normal Attempt
report:105 REPORT_HALTED_BECAUSE_EMPTY Host/Application/Service Execute/Stop Application Informational/Error Success
resource:000 RESOURCE Host/Application Nothing Nothing Application Normal Nothing
resource:100 RESOURCE_DELETE Deleted a configuration resource Host/Application Modify/Configuration Nothing Application Normal Success
resource:101 RESOURCE_UPDATE Updated a configuration resource Host/Application Modify/Configuration Nothing Application Normal Success
resource:102 RESOURCE_ADD Added a new configuration resource Host/Application Modify/Configuration Nothing Application Normal Success
resource:103 RESOURCE_LOCKED Resource has been locked for edit Host/Application Modify/Configuration Nothing Application Normal Success
resource:104 RESOURCE_UNLOCKED Host/Application/Service Execute/Query Application Informational Attempt
resourcereference:000 RESOURCE_REFERENCE Nothing Nothing Nothing Application Normal Nothing
resourcereference:100 RESOURCE_REFERENCE_UNRESOLVED_URI Could not locate a configuration resource using the given universal resource identifier (URI) Host/Application Execute/Query Nothing Application Informational/Error Failure
rule:000 RULE Nothing Nothing Nothing Application Nothing Nothing
rule:100 RULE_FIRE Host/Application Execute/Query Application Normal Success
rule:101 RULE_MATCH Rule fired OnEveryEvent Host/Application Execute/Query Application Normal Success
rule:102 RULE_FIRST_MATCH Rule fired OnFirstEvent Host/Application Execute/Query Application Normal Success
rule:103 RULE_SUBSEQUENT_MATCH Rule fired OnSubsequentEvents Host/Application Execute/Query Application Normal Success
rule:104 RULE_AGGREGATE Rule fired OnEveryThreshold Host/Application Execute/Query Nothing Application Normal Success
rule:105 RULE_FIRST_AGGREGATE Rule fired OnFirstThreshold Host/Application Execute/Query Nothing Application Normal Success
rule:106 RULE_SUBSEQUENT_AGGREGATE Rule fired OnSubsequentThresholds Host/Application Execute/Query Nothing Application Normal Success
rule:107 RULE_FINAL_AGGREGATE Rule fired OnTimeUnitExpiration Host/Application Execute/Query Nothing Application Normal Success
rule:108 RULE_FIRE_ON_TIME_UNIT Host/Application Execute/Query Application Normal Success
rule:300 RULE_ACTION Host/Application Execute/Response Nothing Application Normal Success
rule:301 RULE_ACTION_SET_SEVERITY Set Severity action (deprecated) Host/Application Modify/Content Nothing Application Normal Success
rule:302 RULE_ACTION_SET_EVENT_ATTRIBUTE Set Event Attribute action Host/Application Modify/Content Nothing Application Normal Success
rule:303 RULE_ACTION_SEND_TO_NOTIFIER Send to Notifier action Host/Application Execute/Response Nothing Application Informational Success
rule:304 RULE_ACTION_EXECUTE_COMMAND Execute Command action Host/Application Execute/Query Nothing Application Informational Success
rule:305 RULE_ACTION_EXPORT Export... action Host/Application Execute/Response Nothing Application Informational Success
rule:306 RULE_ACTION_CASE_NEW Create New Case action Host/Application Modify/Content Nothing Application Informational Success
rule:307 RULE_ACTION_CASE_ADD Add to Case action Host/Application Modify/Content Nothing Application Informational Success
rule:308 RULE_ACTION_CASE_NEW_FAIL Create New Case action failed Host/Application Modify/Content Application Informational/Error Failure
rule:309 RULE_ACTION_CASE_ADD_FAIL Add to Case action failed Host/Application Modify/Content Application Informational/Error Failure
rule:310 RULE_ACTION_ACTIVE_LIST_ADD Add to Active List action Host/Application Modify/Content Nothing Application Informational Success
rule:311 RULE_ACTION_ACTIVE_LIST_MOVE Move between Active Lists action (deprecated) Host/Application Modify/Content Nothing Application Informational Success
rule:312 RULE_ACTION_ACTIVE_LIST_REMOVE Remove from Active List action Host/Application Modify/Content Nothing Application Informational Success
rule:313 RULE_ACTION_EXECUTE_AGENT_COMMAND Execute Agent Command action Host/Application Execute/Query Application Informational Success
rule:314 RULE_ACTION_SEND_TO_OPENVIEW Send to OpenView action Host/Application Execute/Response Application Informational Success
rule:315 RULE_ACTION_ASSET_CATEGORY_ADD Nothing Nothing Nothing Nothing Nothing Nothing
rule:316 RULE_ACTION_ASSET_CATEGORY_REMOVE Nothing Nothing Nothing Nothing Nothing Nothing
rule:500 RULE_WARNING Host/Application Check/Configuration Nothing Application Informational/Error Failure
rule:501 RULE_WARNING_LOOP Rule is firing on events generated by itself Host/Application Check/Configuration Nothing Application Informational/Error Failure
rule:700 RULE_DEACTIVATE Rule has been deactivated Host/Application Modify/Configuration Nothing Application Informational Success
rule:701 RULE_DEACTIVATE_UNSAFE Rule has been deactivated because it is unsafe (excessive recursion or excessive event matching) Host/Application Modify/Configuration Nothing Application Informational/Warning Success
rule:702 RULE_ACTIVATE Rule has been activated Host/Application Modify/Configuration Nothing Application Informational Success
rule:703 RULE_ACTIVATE_UNSAFE Rule has been re-activated after having been deactivated because it is unsafe (excessive recursion or excessive event matching) Host/Application Modify/Configuration Application Informational Success
rule:801 RULE_SCHEDULED_START Host/Application Execute/Query Application Informational Attempt
rule:802 RULE_SCHEDULED_FINISH Host/Application Execute/Query Application Informational Success
scanner:000 SCANNER_EVENTS_HANDLER Host/Application/Service Execute/Response Application Informational Success
scanner:100 SCANNER_EVENTS_HANDLER_ASSETS Host/Application/Service Execute/Response Application Informational Success
scanner:101 SCANNER_EVENTS_HANDLER_ASSETS_RESOURCE_UPDATED Host/Application/Service Execute/Query Application Informational Success
scanner:102 SCANNER_EVENTS_HANDLER_ASSETS_RESOURCE_DELETED Host/Application/Service Execute/Query Application Informational Success
scanner:103 SCANNER_EVENTS_HANDLER_ASSETS_DYNAMIC_ZONE_INVALID_NO_MAC_NO_HOST Host/Application/Service Execute/Response Application Informational Success
scanner:104 SCANNER_EVENTS_HANDLER_ASSETS_INVALID_NO_ADDRESS_NO_HOST Host/Application/Service Execute/Response Application Informational Success
scanner:105 SCANNER_EVENTS_HANDLER_ASSETS_INVALID_NO_NAME Host/Application/Service Execute/Response Application Informational Success
scheduler:000 SCHEDULER Host/Application Nothing Nothing Application Normal Nothing
scheduler:100 SCHEDULER_SKIP_DELAY The task Scheduler skipped a scheduled task execution because the scheduler was not allowed to run Host/Application Execute/Query Nothing Application Informational/Warning Failure
scheduler:101 SCHEDULER_SKIP_RUNNING The task Scheduler skipped a scheduled task invocation because the last invocation of the task is still executing Host/Application Execute/Query Nothing Application Informational/Warning Failure
scheduler:102 SCHEDULER_SKIP_QUEUE_FULL A task was skipped because too many tasks were queued already Host/Application/Service Execute/Query Nothing Application Informational/Error Failure
scheduler:103 SCHEDULER_RESERVED_THREADS Host/Application/Service Execute/Query Application Informational/Error Failure
scheduler:200 SCHEDULER_EXECUTE A task has been executed Host/Application Execute/Query Nothing Application Normal Success
scheduler:201 SCHEDULER_EXECUTE_FAIL A task failed to execute Host/Application Execute/Query Nothing Application Informational/Error Failure
scheduler:300 SCHEDULER_ADD A new task has been scheduled Host/Application Modify/Configuration Nothing Application Normal Success
scheduler:301 SCHEDULER_ADD_FAIL A new task could not be scheduled Host/Application Modify/Configuration Nothing Application Informational/Error Failure
scheduler:302 SCHEDULER_ENABLE Enable a task Host/Application Modify/Configuration Nothing Application Normal Success
scheduler:303 SCHEDULER_ENABLE_FAIL Could not enable a task Host/Application Modify/Configuration Nothing Application Informational/Error Failure
scheduler:304 SCHEDULER_DELETE Deleted a task Host/Application Modify/Configuration Nothing Application Normal Success
scheduler:305 SCHEDULER_DELETE_FAIL Failed to delete a task Host/Application Modify/Configuration Nothing Application Informational/Error Failure
scheduler:306 SCHEDULER_DISABLED Disable a task Host/Application/Service Execute/Stop Nothing Application Informational Success
scheduler:307 SCHEDULER_DISABLE_FAIL Could not disable a task Host/Application/Service Execute/Stop Nothing Application Informational/Error Failure
search:301 SEARCH_QUERY_FAILURE Host/Application Execute/Query Application Informational/Error Failure
search:302 SEARCH_QUERY_SUCCESS Host/Application Execute/Query Application Informational Success
search:303 SEARCH_QUERY_EMPTY Host/Application Execute/Response Application Informational Success
searchindex:100 SEARCH_INDEX_CREATE The search index was created Host/Application Execute/Query Application Normal Success
searchindex:101 The search index was updated to reflect changes to configuration resources The search index was updated to reflect changes to configuration resources Host/Application Execute/Query Application Informational Success
searchindex:200 SEARCH_INDEX_UPDATE Host/Application Execute/Query Application Normal Success
searchindex:300 SEARCH_INDEX_HANG Host/Application Execute/Query Application Informational Attempt
searchindex:400 SEARCH_INDEX_TIMEOUT Host/Application Execute/Query Application Informational/Error Failure
sessionlist:101 SESSION_LIST_ADD Host/Application Modify/Configuration Application Informational Success
sessionlist:102 SESSION_LIST_REMOVE Host/Application Modify/Configuration Application Informational Success
sessionlist:103 SESSION_LIST_UPDATE Host/Application Modify/Configuration Application Informational Success
sessionlist:104 SESSION_LIST_EXPIRE Host/Application Modify/Configuration Application Informational Success
sessionlist:201 SESSION_LIST_PARTITION_DROP Nothing Nothing Nothing Nothing Nothing Nothing
sessionlist:202 SESSION_LIST_PARTITION_DROP_FAIL Nothing Nothing Nothing Nothing Nothing Nothing
sessionlist:301 SESSION_LIST_CACHE_MISS_DROP Host/Application/Service Execute/Query Application Informational Attempt
sidetable:101 SITETABLE_SPACE_LOW Host/Application/Database Check/Resource Nothing Application Informational/Warning Failure
sidetable:102 SITETABLE_SPACE_FULL Host/Application/Database Check/Resource Nothing Application Informational/Error Failure
sidetable:103 SIDETABLE_CACHE_HITRATE_LOW Too many cache misses for a particular database side table Host/Application Execute/Response Nothing Application Informational Success
test:000 TEST Host/Application Execute Nothing Application Informational Success
test:100 TEST_STRESS A stress test event (used by QA tools) Host/Application Execute Nothing Application Informational Success
trend:000 TREND Host/Application Application
trend:100 TREND_RUN_STARTED Nothing Nothing Nothing Nothing Nothing Nothing
trend:101 TREND_RUN_SUCCESS Nothing Nothing Nothing Nothing Nothing Nothing
trend:102 TREND_RUN_FAILURE Nothing Nothing Nothing Nothing Nothing Nothing
trend:201 TREND_SCAVENGE_SUCCESS Nothing Nothing Nothing Nothing Nothing Nothing
trend:202 TREND_SCAVENGE_FAILURE Nothing Nothing Nothing Nothing Nothing Nothing
trend:301 TREND_PARTITION_ADD Nothing Nothing Nothing Nothing Nothing Nothing
trend:302 TREND_PARTITION_DROP Nothing Nothing Nothing Nothing Nothing Nothing
trend:303 TREND_PARTITION_ADD_FAIL Nothing Nothing Nothing Nothing Nothing Nothing
trend:304 TREND_PARTITION_DROP_FAIL Nothing Nothing Nothing Nothing Nothing Nothing
trend:401 TREND_SET_ACTIVE Nothing Nothing Nothing Nothing Nothing Nothing
trend:402 TREND_SET_INACTIVE Nothing Nothing Nothing Nothing Nothing Nothing
trend:501 TREND_TASK_STARTED Nothing Nothing Nothing Nothing Nothing Nothing
trend:502 TREND_TASK_ENDED Nothing Nothing Nothing Nothing Nothing Nothing
trend:601 TREND_SYSTEM_DEACTIVATED Nothing Nothing Nothing Nothing Nothing Nothing
trend:700 TREND_ACTION Nothing Nothing Nothing Nothing Nothing Nothing
trend:701 TREND_ACTION_ACTIVELIST_ADD Nothing Nothing Nothing Nothing Nothing Nothing
user:100 user delete Host/Application Authentication/Delete Application Informational Success
user:101 user update Host/Application Authentication/Modify Application Informational Success
user:102 user add Host/Application Authentication/Add Application Informational Success
validation:000 VALIDATION Validation:000 is not referenced by any components, so you can ignore it for now. But in the future, we might use it. Host/Application Application
validation:100 VALIDATION_DEPENDENT Validation:100 is sent when a resource becomes invalid due to dependency constraint violation. Typically it happens during dependency validation phase. For example, a filter is deleted from the system, and the deletion will invalidate a rule that depends on this filter. In this case, a validation:100 internal event will be sent. Host/Resource Check/Configuration Application Informational/Warning Failure