Audit Events
Audit events are events generated within the Manager to mark a wide variety of routine actions that can occur manually or automatically, such as adding an event to a case or when a Moving Average data monitor detects a rapidly rising moving average. Audit events have many applications, which can include notifications, task validation, compliance tracking, automated housekeeping, and system administration.
This topic lists the ArcSight audit events you can use in rules, filters, and other analytical or administrative resources. Observe the way these events are used in the standard system-related content for examples of how to apply them.
In the table Audit Events on Resources, use the Audit Event Category to locate events. Use the Device Event Class (DEC) ID string in rules and filters. The Audit Event Description reflects the resource name you see in active channel grids. Additional details, when necessary, appear in the Notes column.
Compare audit events, which report on system activity, with Status Monitor events, which provide information about a wide variety of system states.
All resources (except actors, groups, and users) use the general audit events described in “Resources (Configuration Events Common to Most Resources),” in when a resource is added, deleted, updated, locked, or unlocked. Actors, groups, and users each use their own unique set of audit events. Other resources present unique audit events that are listed in this section in alphabetical order by resource.
Tip: To get additional details within the “update resource” audit events (beyond what is provided by default), you can enable a resource audit property called resource.audit.update.uris
in the file server.properties
on the Manager to specify which resources should show extended audit event information.
For information on Logger audit events, see the Logger Administrator’s Guide appendix, “Logger Audit Events.”