
Global Audit Logging Operation Reference

This topic lists the message types logged by the various NetWitness components. Most messages plainly state the operation being logged; where necessary, the meaning of the message is explained.

After you create a global audit logging configuration, audit logs automatically go to the external syslog system in the format specified in the selected audit logging template. The message types being logged by the various NetWitness components are shown in the following tables.

CARLOS

The following table lists the operations logged by CARLOS.

  • Serial #: 1
  • Operation Name: SetProviderConfiguration
  • Meaning: A new notification server (for example, SMTP server) was added or updated

  • Serial #: 2
  • Operation Name: SetInstanceConfiguration
  • Meaning: A new notification type (for example, email destination) was added or updated

  • Serial #: 3
  • Operation Name: SetTemplateDefinition
  • Meaning: A new template was added or updated

  • Serial #: 4
  • Operation Name: RemoveProviderConfiguration
  • Meaning: A notification server was removed

  • Serial #: 5
  • Operation Name: RemoveInstanceConfiguration
  • Meaning: A notification type was removed

  • Serial #: 6
  • Operation Name: RemoveTemplateDefinition
  • Meaning: A template definition was removed

  • Serial #: 7
  • Operation Name: Commit
  • Meaning: A configuration bean change was committed

  • Serial #: 8
  • Operation Name: Set
  • Meaning: A JMX property value was set via NetWitness Explore view

ESA

The following table lists the operations logged by the Event Stream Analysis (ESA).

  • Serial #: 9
  • Operation Name: SetSourceRequest
  • Meaning: A concentrator was added to ESA as a source, or an existing source was updated

  • Serial #: 10
  • Operation Name: RemoveSourceRequest
  • Meaning: A concentrator was removed from ESA as a source

  • Serial #: 11
  • Operation Name: SetEplModule
  • Meaning: An EPL module was deployed or updated to ESA

  • Serial #: 12
  • Operation Name: RemoveEplModule
  • Meaning: An EPL module was removed from ESA

  • Serial #: 13
  • Operation Name: SetEnrichmentSourceRequest
  • Meaning: An ESA enrichment source was added/updated

  • Serial #: 14
  • Operation Name: RemoveEnrichmentSourceRequest
  • Meaning: An ESA enrichment source was removed

  • Serial #: 15
  • Operation Name: SetDatabaseReference
  • Meaning: An enrichment database reference was made to ESA

  • Serial #: 16
  • Operation Name: UpdateEnrichmentData
  • Meaning: Data rows were added to an ESA enrichment source

  • Serial #: 17
  • Operation Name: SetEnrichmentConnection
  • Meaning: A connection was made between an EPL module and an enrichment source

  • Serial #: 18
  • Operation Name: RemoveEnrichmentConnection
  • Meaning: A connection between an EPL module and an enrichment source was removed

  • Serial #: 19
  • Operation Name: DisableTrialModule
  • Meaning: ESA Trial rules were disabled

Investigation

The following table lists the operations logged by Investigations.

  • Serial #: 1
  • Operation Name: VisualizePreferences
  • Meaning: Operations related to Informer Visualization Request.

  • Serial #: 2
  • Operation Name: ParallelCoordinates
  • Meaning: Operations related to Loading of Co-Ordinate View Navigation.

  • Serial #: 3
  • Operation Name: TimeLine
  • Meaning: Operations related to Loading of Timeline View Navigation.

  • Serial #: 4
  • Operation Name: ExteralQuery
  • Meaning: Operation when a Direct Query is fired via URL.

  • Serial #: 5
  • Operation Name: PrintView
  • Meaning: Operations to open Investigation in Print View.

  • Serial #: 6
  • Operation Name: submitExtractFiles
  • Meaning: Operation to submit a Request to Extract files from Sessions.

  • Serial #: 7
  • Operation Name: submitExtractLogs
  • Meaning: Operation to submit a Request to Extract Logs from Sessions.

  • Serial #: 8
  • Operation Name: submitExtractPcap
  • Meaning: Operation to submit a Request to Extract Sessions from Sessions.

  • Serial #: 9
  • Operation Name: DataScienceDrill
  • Meaning: Operation to investigate from Data Science Report.

  • Serial #: 10
  • Operation Name: breadCrumbs
  • Meaning: Operation to access the Query Breadcrumbs.

  • Serial #: 11
  • Operation Name: Create
  • Meaning: Operation when a new Investigation Query is being saved as a predicate to be used for URL Integration.

  • Serial #: 12
  • Operation Name: userPredicates
  • Meaning: Operation to access Recent Queries of a user.

  • Serial #: 13
  • Operation Name: chartDefaultMetas
  • Meaning: Operation to access last used Meta for generating Coordinate Chart.

  • Serial #: 14
  • Operation Name: defaultDevice
  • Meaning:

  • Serial #: 18
  • Operation Name: topValues
  • Meaning: Operation to get the Top Values for Metas. Normally called from Top Values Dashlet.

  • Serial #: 19
  • Operation Name: MetaLanguages
  • Meaning: Operation to read the Meta Languages from a Device.

  • Serial #: 20
  • Operation Name: MetaGroups
  • Meaning: Operations related to Investigation Meta Groups.

  • Serial #: 21
  • Operation Name: DefaultMetaKeys
  • Meaning: Operations related to Investigation Default Meta Keys.

  • Serial #: 22
  • Operation Name: UpdateDefaultMetaKeys
  • Meaning: Operations to update Investigation Default Meta Keys.

  • Serial #: 23
  • Operation Name: UpdateMetaGroup
  • Meaning: Operations to update Investigation Meta Groups.

  • Serial #: 24
  • Operation Name: ApplyMetaGroup
  • Meaning: Operations to use Investigation Meta Groups.

  • Serial #: 25
  • Operation Name: DeactivateMetaGroup
  • Meaning: Operations to reset Investigation Meta Groups in UI.

  • Serial #: 26
  • Operation Name: DeleteMetaGroup
  • Meaning: Operations to remove Investigation Meta Group.

  • Serial #: 27
  • Operation Name: DeleteMetaGroups
  • Meaning: Operations to remove multiple Investigation Meta Groups.

  • Serial #: 28
  • Operation Name: ImportMetaGroups
  • Meaning: Operations to import Investigation Meta Groups.

  • Serial #: 29
  • Operation Name: ExportMetaGroup
  • Meaning: Operations to export multiple Investigation Meta Groups.

  • Serial #: 30
  • Operation Name: GeoMap
  • Meaning: Operation to access the Geo Map View of Investigation.

  • Serial #: 31
  • Operation Name: deleteEndpointCache
  • Meaning: Operation to clear Reconstruction Cache of a Device.

  • Serial #: 32
  • Operation Name: delete
  • Meaning: Operation to delete Alert Templates.

  • Serial #: 33
  • Operation Name: CustomColumnGroup
  • Meaning: Operation to apply or read Custom Column Group.

  • Serial #: 34
  • Operation Name: Import
  • Meaning: Operations related to Import of Column Group or Profiles.

  • Serial #: 35
  • Operation Name: Export
  • Meaning: Operations related to Export of Column Group or Profiles.

  • Serial #: 36
  • Operation Name: SaveProfile
  • Meaning: Operation to save an Investigation Profile.

  • Serial #: 37
  • Operation Name: ApplyProfile
  • Meaning: Operation to apply an Investigation Profile.

  • Serial #: 38
  • Operation Name: DeactivateProfile
  • Meaning: Operation to deactivate an Investigation Profile.

  • Serial #: 39
  • Operation Name: DeleteProfile
  • Meaning: Operation to delete an Investigation Profile.

  • Serial #: 40
  • Operation Name: DeleteProfiles
  • Meaning: Operation to delete multiple Investigation Profiles.

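Reporting Engine

The following table lists the operations logged by the Reporting Engine.

  • Serial #: 1
  • Operation Name: TEMPLATE
  • Meaning: For all operations related to template

  • Serial #: 2
  • Operation Name: CHART
  • Meaning: For all operations related to chart

  • Serial #: 3
  • Operation Name: REPORT
  • Meaning: For all operations related to report

  • Serial #: 4
  • Operation Name: RULE
  • Meaning: For all operations related to rule

  • Serial #: 5
  • Operation Name: IMAGE
  • Meaning: For all operations related to Logo Images used in Reports.

  • Serial #: 6
  • Operation Name: LIST
  • Meaning: For all operations related to list

  • Serial #: 7
  • Operation Name: ALERT
  • Meaning: For all operations related to alert

  • Serial #: 8
  • Operation Name: CONFIG
  • Meaning: For all operations related to configuration change

  • Serial #: 9
  • Operation Name: SCHEDULE
  • Meaning: For all operations related to schedule

  • Serial #: 10
  • Operation Name: ROLE
  • Meaning: For all operations related to role/authorization

  • Serial #: 11
  • Operation Name: BATCH_JOB
  • Meaning: For all operations related to batch jobs

  • Serial #: 12
  • Operation Name: SCHEDULER
  • Meaning: For all operations related to scheduler

  • Serial #: 13
  • Operation Name: QUERYPROCESSOR
  • Meaning: For all operations related to queryprocessor

  • Serial #: 14
  • Operation Name: FORMATTER
  • Meaning: For all operations related to formatter

  • Serial #: 15
  • Operation Name: OUTPUTACTION
  • Meaning: For all operations related to outputaction

  • Serial #: 16
  • Operation Name: STATUSMANAGER
  • Meaning: For all operations related to statusmanager

  • Serial #: 17
  • Operation Name: BATCH_RUNDEF
  • Meaning: For all operations related to batch rundef

  • Serial #: 18
  • Operation Name: CHARTGROUP
  • Meaning: For all operations related to chart group

  • Serial #: 19
  • Operation Name: REPORTGROUP
  • Meaning: For all operations related to report group

  • Serial #: 20
  • Operation Name: RULEGROUP
  • Meaning: For all operations related to rule group

  • Serial #: 21
  • Operation Name: LISTGROUP
  • Meaning: For all operations related to list group

  • Serial #: 22
  • Operation Name: DISKSPACE
  • Meaning: For all operations related to disk space

Warehouse Connector

The following table lists the operations logged by the Warehouse Connector.

  • Serial #: 1
  • Operation Name: LockBox Password Create
  • Meaning: Operation to create LockBox Password.

  • Serial #: 2
  • Operation Name: LockBox Password Update
  • Meaning: Operation to update LockBox Password.

  • Serial #: 3
  • Operation Name: LockBox Password Refresh
  • Meaning: Operation to refresh LockBox Password.

  • Serial #: 4
  • Operation Name: Adding Stream
  • Meaning: Operation to add a Stream.

  • Serial #: 5
  • Operation Name: Adding Source
  • Meaning: Operation to add a Source.

  • Serial #: 6
  • Operation Name: Adding Destination
  • Meaning: Operation to add a Destination.

  • Serial #: 7
  • Operation Name: Removing
  • Meaning: Operation to remove a Source, Stream, or Destination.

  • Serial #: 8
  • Operation Name: Changing Password
  • Meaning: Operation to change the Password.

  • Serial #: 9
  • Operation Name: Updating Source
  • Meaning: Operation to update a Source.

  • Serial #: 10
  • Operation Name: Adding Source to Stream
  • Meaning: Operation to add a Source to a Stream.

  • Serial #: 11
  • Operation Name: Deleting Source from Stream
  • Meaning: Operation to delete a Source from a Stream.

  • Serial #: 12
  • Operation Name: Setting Destination to Stream
  • Meaning: Operation to set a Destination to a Stream.

  • Serial #: 13
  • Operation Name: Finalizing Stream
  • Meaning: Operation to finalize a Stream and initiate the aggregation.

  • Serial #: 14
  • Operation Name: Stopping Stream
  • Meaning: Operation to stop a Stream.

  • Serial #: 15
  • Operation Name: Starting Stream
  • Meaning: Operation to start a Stream.

  • Serial #: 16
  • Operation Name: Reloading Stream
  • Meaning: Operation to reload a Stream.

Health & Wellness

The following table lists the operations logged by Health & Wellness.

  • Serial #: 1
  • Operation Name: SavePolicyRequest
  • Meaning: Operation while adding or modifying a Policy.

  • Serial #: 2
  • Operation Name: RemovePolicyRequest
  • Meaning: Operation while removing a Policy.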