System Event Types

When an event is generated by the ITM On-Prem (ObserveIT) system, the event name and details appear in the System Events list. The following tables describe the event types, organized per event source, with some possible causes and solutions (as relevant).

Agent Events

Code

Event Name

Category

Severity

Description

1201

Agent Service has started

Functionality

Low

The ITM On-Prem (ObserveIT) Agent Service has reported that it restarted after stopping (code 1202).

1202

Agent Service has stopped

Functionality

High

The ITM On-Prem (ObserveIT) Agent Service has reported that it has stopped. (To receive Agent health check reports, it must be restarted.)

The ITM On-Prem (ObserveIT) Agent Service has reported that it has been manually stopped. (To receive Agent health check reports, it must be restarted.)

1203 Agent service was terminated Functionality High An Agent process was forcibly killed by an external application.

1204

Unrecorded Agent sessions

Functionality

High

There are unrecorded Agent sessions. This occurs when a user ends the Agent process (or disables interception in Unix). To resolve this in Windows, restart the RCDCL process in the Task Manager. On Unix, enable interception using the oitcons utility.

1205 Agent installation files were tampered-with (missing file) Tampering High The ITM On-Prem (ObserveIT) Agent Service has reported that installation files were tampered-with.
1206 Agent installation files were tampered-with (file changed) Tampering High The ITM On-Prem (ObserveIT) Agent Service has reported that installation files were tampered-with.

1207

Agent Registry keys were tampered with

Tampering

High

An ITM On-Prem (ObserveIT) Registry key was changed. Registry keys may have been deleted and/or values changed. This might affect Agent functionality. To resolve this, restore the Registry in the AgentRegistryKeys database table.

1208

Agent Registry keys are now OK

Tampering

Low

The ITM On-Prem (ObserveIT) Agent Service has reported that the Agent Registry keys/configuration files have been restored.

1209

Agent installation files were restored

Tampering

Low

The ITM On-Prem (ObserveIT) Agent Service has reported that installation files were restored after tampering.

1210

Agent installation files were tampered with

Tampering

High

The ITM On-Prem (ObserveIT) Agent Service has reported that installation files were tampered with. Files may have been renamed and/or contents changed. Check the problem and reinstall the Agent, or replace the tampered file with the file version that was installed previously.

1211 Unofficial DLL file was added to agent installation folder Tampering High

A DLL file which is not part of the official agent installation files was added to the installation folder, potentially to tamper and affect agent functionality.

Unofficial DLL is any DLL added to the installation package that was not included by Proofpoint.

1212 Unofficial DLL file was removed from agent installation folder Tampering Low

A DLL file which is not part of the official agent installation files was removed from the installation folder. Installation files were restored.

Unofficial DLL is any DLL added to the installation package that was not included by Proofpoint

1213 Unix Agent interception was tampered-with Agent activity replay data files were tampered-with Tampering High The Unix Agent interception setting was tampered-with, resulting in an unrecorded session. Session data was tampered-with while the Agent was in activity replay mode.
1214 Agent service has stopped as part of shutdown/restart     The ITM On-Prem (ObserveIT) Agent Service has reported that it restarted after shutdown/stopping
1217 Agent activity replay data files were tampered-with Tampering High Session data was tampered-with while the Agent was in activity replay mode.

1218

Agent offline data files were tampered with

Tampering

High

Session data was tampered with while the Agent was in offline mode. Files may have been renamed, or contents changed by a user who worked offline to hide his activities. (Offline files are not sent to the Application Server.) When the Agent is online again, the Agent Service reports the list of files that were tampered with.

1219 Agent Service not responding Functionality High The ITM On-Prem (ObserveIT) Agent Service is down, perhaps due to a network malfunction or disconnection between the Agent and the Application Server, or for unknown reasons.

1220

Process was killed and automatically restarted

Tampering

High

The Agent process was killed and automatically restarted by the Watchdog.

1221

Agent is OK

Communication

Low

The ITM On-Prem (ObserveIT) Agent and service are activated.

1223

Agent is not reporting

Communication

High

There is no heartbeat from the Agent.

1224 Agent service was killed Communication High The Agent service was forcibly killed by an external application.
1225 Unauthorized request was sent by agent Communication High Agent-Server communication failed due to unauthorized request sent by the Agent
1226 Unauthorized request sent by agent was fixed Communication Low Agent-Server communication was authorized and fixed

1230

Agent data loss

Data Loss

High

Data loss occurred while the Agent was running. This may have occurred due to resource overload or some issue with the SQL server or the Application Server. Check that the SQL server and Application Server are working properly.

1231

Offline data loss, threshold exceeded

Data Loss

High

The volume of data exceeded its configured limit while the Agent was in offline mode, resulting in data loss. You must increase the offline data limit in the configuration file.

1232

Offline data loss, lack of disk space

Data Loss

High

Data was lost while the Agent was in offline mode due to insufficient disk space. Increase the disk space to prevent this from recurring.

1233 Activity replay data loss, threshold exceeded Data Loss High The volume of data exceeded its limit while the Agent was in activity replay mode, resulting in data loss.
1234 Activity replay data loss, lack of disk space Data Loss High Data was lost while the Agent was in activity replay mode due to insufficient disk space.

1240

Agent is now recording active sessions

Recording

Low

Agent sessions are now being recorded.

1242 Agent process reactivated by Functionality High The Agent process was reactivated (Watchdog).

1250

Agent recording is enabled via Server Policy

Recording

Low

The recording of user actions was enabled in the Web Console Server Policies configuration.

1251

Agent recording is disabled via Server Policy

Recording

High

The recording of user actions was disabled in the Web Console Server Policies configuration.

1261 Agent does not have Screen Recording permissions Recording Medium The Mac Agent does not have Screen Recording permissions. Update Security & Privacy settings under System Preferences.
1262 Agent Screen Recording permissions enabled Recording Low The Mac Agent was granted Screen Recording permissions and started recording according to policy.
1270 Agent failed to be launched in stealth mode Functionality High The ITM On-Prem (ObserverIT) Agent failed to start stealth mode service and components. The agent continues to work not in stealth mode (while processes and services are not hidden).

1501

Agent interception is off

Recording

High

The Unix Agent internal Watchdog “obitd” service failed to start the ITM On-Prem (ObserveIT) logger after a problem was detected, and recording was disabled. (Another reason could be that someone did this on purpose using the oitcons utility, for example, as part of an upgrade process. To enable interception, use the oitcons utility.)

1502

Agent interception is on

Recording

Low

The Unix Agent interception is on, and recording is enabled.

1602 Agent registration was successful Installation Low The Agent was successfully registered.
1603 Agent installation failed due to incorrect security password Installation Low The Agent installation failed due to incorrect security password.
1604 Agent installation failed Installation Low The Agent installation failed without a security password, or for unknown reasons.
1605 Agent installation with password was successful Installation Low The Agent was successfully installed with a security password.
1606 Agent installation was successful Installation Low The Agent was successfully installed.

1607

Uninstallation of Agent failed due to incorrect security password

Installation

Low

Uninstallation of Agent failed due to an incorrect security password. Check your password and try to uninstall again, and if that fails, contact technical support.

1608 Uninstallation of Agent failed Installation Low Uninstallation of Agent failed without a security password, or for unknown reasons.

1609

Uninstallation of Agent was successful

Installation

Low

The Agent was successfully uninstalled with a security password.

1610 Uninstallation of Agent without a password was successful installation Low The Agent was successfully uninstalled without a security password.

1611

Agent was unregistered from the client

Installation

Medium

The Agent was manually unregistered from the client by the administrator, and removed from the ITM On-Prem (ObserveIT) license. Applies to Unix Agents only.

Note: This event includes all Agents that were manually unregistered from the client or from the Web Console prior to version 5.9.

1612

Agent was automatically unregistered

Installation

Medium

The Agent was automatically unregistered, and was removed from the license.

1613

An unregistered server was activated

Installation

Medium

An unregistered server was activated.

1614

Agent was unregistered from the Web Console

Installation

Medium

The Agent was manually unregistered from the Web Console by the administrator, and removed from the ITM On-Prem (ObserveIT) license.

1700 Agent failed to encrypt offline data Functionality Medium The ITM On-Prem (ObserveIT) Agent failed to encrypt offline data. The agent continues to record as usual, while keeping offline data not encrypted.

Application Server Events

Code

Event Name

Category

Severity

Description

1280 Server does not enforce MTLS Communication Medium When detecting a problem - Server does not enforce Mutual Transport Layer Security (MTLS).
1281 Server was fixed to enforce MTLS Communication Medium When detecting the problem was fixed - Server was fixed to enforce Mutual Transport Layer Security (MTLS).

1301

Application Server is not working properly

Functionality

High

The ITM On-Prem (ObserveIT) Application Server is not working properly. No reply is received when a keepalive request is sent, and the Application Server pool is down. Restart the IIS to restart the Application Server.

1304

Application Server is running

Functionality

Low

The ITM On-Prem (ObserveIT) Application Server has resumed operations.

1310

Application Server successfully saved recorded data

Communication

Low

The ITM On-Prem (ObserveIT) Application Server successfully saved recorded data. 

1311

Application Server unable to save recorded data

Communication

High

The ITM On-Prem (ObserveIT) Application Server failed to save recorded data to the database. Check the SQL server.

1403

Writing data to file system failed

Communication

High

The ITM On-Prem (ObserveIT) Application Server failed to save recorded data on the file system. Check read-write permissions on the file system path.

1404

Writing data to file system succeeded

Communication

Low

The ITM On-Prem (ObserveIT) Application Server successfully saved recorded data on the file system.

Database Server Events

Code

Event Name

Category

Severity

Description

1425

Some data was not recorded in the database

Data Loss

High

Screenshot data and/or Unix commands failed to be saved to the ObserveIT_Data database. Check the accessibility to this database.

Health Monitoring Service Events

Code

Event Name

Category

Severity

Description

1324

Health Monitoring Service is not working properly

Functionality

High

The Health Monitoring Service is not working properly. Perhaps the service was terminated or was configured incorrectly. When this occurs, the Admin Dashboard will not display updated data. To resolve this, restart the Health Monitoring Service (go to Start > Services).

1325

Health Monitoring Service is OK

Functionality

Low

The Health Monitoring Service is OK.

1327

Health Monitoring Service has started

Functionality

Low

The Health Monitoring Service has started.

1328

Health Monitoring Service has stopped

Functionality

Low

The Health Monitoring Service has stopped.

1907 Screenshot Storage Optimizer seems to be down Functionality High

Screenshot Storage Optimizer is down (not sending heartbeat) for at least one hour.

This System Event will not be triggered more than once in one hour.

1908 Screenshot Storage Optimizer is up again Functionality High When Event 1907 recovers, this event triggers.
1910 Registry module is down Functionality High

The Registry module was found to be down.

The Registry module is part of the backend and is in charge of registration of agents against the pool of purchased licenses that happens after installation.

1911 Registry module has recovered Functionality Low

The registry module has recovered successfully.T

he Registry module is part of the backend and is in charge of registration of agents against the pool of purchased licenses that happens after installation.

Identity Theft Events

Code

Event Name

Category

Severity

Description

1100

Login from paired client

Identity Theft

--

A user logged in from a paired client machine. This user-client pair is approved.

1101

Secondary login from paired client

Identity Theft

--

A user logged in via ITM On-Prem (ObserveIT) Secondary Identification from a paired client machine. This user-client pair is valid.

1102

Login from unpaired client

Identity Theft

Low

A user logged in from an unpaired client machine. This user-client pair is NOT valid.

1103

Secondary login from unpaired client

Identity Theft

Low

A user logged in via ITM On-Prem (ObserveIT) Secondary Identification from an unpaired client machine. This user-client pair is NOT valid.

1104

Login with no valid pair

Identity Theft

Medium

A user logged in from an unpaired client machine. This user-client pair is NOT valid and this user is already paired with another client.

1105

Secondary login with no valid pairs

Identity Theft

Medium

A user logged in via ITM On-Prem (ObserveIT) Secondary Identification from an unpaired client machine. This user-client pair is NOT valid and this user is already paired with another client.

1106

Suspected login reported

Identity Theft

High

A user reported a suspicious use of his credentials.

1107

Suspected secondary login reported

Identity Theft

High

A user reported a suspicious use of his credentials via ITM On-Prem (ObserveIT) Secondary Identification.

1108

User-client pairing request

Identity Theft

Low

A user sent a user-client pairing request.

1109

Failed to send an email to user

Identity Theft

Medium

Failed to send a "suspicious use of credentials" email to the user.

Notification Service Events

Code

Event Name

Category

Severity

Description

1302

Notification Service is OK

Functionality

Low

The Notification Service is working properly.

1303

Notification Service is not working properly

Functionality

High

The Notification Service is not working properly. Perhaps the service was terminated or was configured incorrectly. When this occurs, there will be no archives, no event emails, and no scheduled reports. To resolve this, restart the service (go to Start> Services).

1305

Notification Service has started

Functionality

Low

The Notification Service has started.

1306

Notification Service has stopped

Functionality

Low

The Notification Service has stopped. Restart the service (go to Start> Services).

1405

ArcSight file size reached 0.5

Communication

Low

File size reached 0.5 of the maximum size defined.

1406

ArcSight file size reached 0.75

Communication

Medium

File size reached 0.75 of the maximum size defined.

1407

ArcSight file size reached 0.99

Communication

High

File size reached 0.99 of the maximum size defined.

1408

ArcSight file size past maximum

Communication

High

File past the maximum size defined.

1409

Monitor Log could not create directory

Communication

High

You may not have sufficient permissions to create the directory.

1410

Monitor Log could not write to file

Communication

High

You may not have sufficient permissions to write a log file.

1900

Notification Service failed to access the Task Service

Functionality

High

Notification Service failed to access the Task Service for creating a task to manage screenshots storage. Muting this System Event for configured duration (1 hour by default).

1901

Notification Service access to the Task Service was recovered

Functionality

Low

Access from the Notification Service to the Task Service was recovered after previous failures.

Rule Engine Events

Code

Event Name

Category

Severity

Description

1322

Rule Engine Service is not working properly

Functionality

High

The Rule Engine Service was unable to create alert rules. Perhaps the service was terminated or was configured incorrectly. Restart the service (go to Start> Services).

1323

Rule Engine Service is OK

Functionality

Low

The Rule Engine Service is working properly.

1329

Rule Engine Service has started

Functionality

Low

The Rule Engine Service has started.

1330

Rule Engine Service has stopped

Functionality

High

The Rule Engine Service has stopped. Restart the service (go to Start> Services).

Storage Threshold Events

Code

Event Name

Category

Severity

Description

1401

Storage threshold has reached its limit

Data Loss

Medium

The storage threshold (%) has reached its configured limit. Additional storage should be configured.

1402

Allocated storage space has reached its limit

Data Loss

High

The maximum allocated storage space has reached its configured limit. To prevent screen capture data loss, additional storage space must be configured immediately.

Screenshots Storage Optimizer Events

Code

Event Name

Category

Severity

Description

1430

Screenshot Storage Optimizer failed to access the warm (standard) storage

Functionality

High

Screenshot Storage Optimizer failed to access the warm (standard) storage file system due to a storage space or permissions issue. Muting this System Event for configured duration (5 minutes by default).

1431

Screenshot Storage Optimizer failed to access the hot (fast) storage

Functionality

High

Screenshot Storage Optimizer failed to access the Hot (fast) storage file system due to a storage space or permissions issue. Muting this System Event for configured duration (5 minutes by default).

1432

Access from Screenshot Storage Optimizer to the warm (standard) storage was recovered

Functionality

Low

Access from Screenshot Storage Optimizer to the warm (standard) storage file system was recovered after previous failures.

1433

Access from Screenshot Storage Optimizer to the hot (fast) storage was recovered

Functionality

Low

Access from Screenshot Storage Optimizer to the hot (fast) storage file system was recovered after previous failures.

1902

Screenshots Storage Optimizer exceeded the max-attempts to handle specific task.

Functionality

High

The Task Service detects that the Screenshots Storage Optimizer exceeded the max-attempts to successfully handle a task.

1903 The task service detects tasks are overdue for processing Functionality High The task service detects tasks are overdue for processing

Website Categorization Events

Code

Event Name

Category

Severity

Description

1800

Failed to update web categories DB

Communication

High

The periodic update of the Website Categorization DB failed.

1801

Website Categorization service started

Functionality

Low

WebCat service was started successfully.

1802

Website Categorization service stopped

Functionality

High

WebCat service was stopped.

1803

Website Categorization service started with errors

Functionality

High

WebCat service was started with errors.

1804

Successfully downloaded web categories DB for the first time

Communication

Low

After installation, the Website Categorization DB was downloaded successfully.

1805

Failed to download web categories DB for the first time

Communication

High

After installation, the Website Categorization DB failed to be downloaded.

1806

Failed to retrieve web categories

Functionality

High

Failed to retrieve categories of URLs from Website Categorization.

1807

Website Categorization Module does not respond anymore

Functionality

High

Failed to access the Website Categorization Module during several retries. Stopping trying until the end of the session.

1808

Website Categorization Web Service does not respond anymore

Functionality

High

Failed to get category of URL from dedicated web service after several retries. Stopping trying until the end of the session.