Information Centric Tagging Event Parser
Article ID: 172831
Updated On:
Products
Information Centric Security
Issue/Introduction
This article explains how to install and interpret the Information Centric Tagging (ICT) Event logs in the Event viewer.
The Event Parser was built to read the RAW ICT Windows Event logs created by the ICT client, in a friendly format.
Resolution
Installation
- copy rw-eventlogmessages.dll to a location that is always accessible by the operating system:
- For a x86 based Operative Systems:
x86\rw-eventlogmessages.dll - For x64 based Operative Systems:
x64\rw-eventlogmessages.dll
- For a x86 based Operative Systems:
- Create the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application\Information Centric Tagging -
On this registry key, create the following registry values:
Value NameValue TypeValue DataCategoryCount REG_DWORD 0x00000003 CategoryMessageFile REG_SZ Full path of rw-eventlogmessages.dll
Eg.: C:\filter\rw-eventlogmessages.dllTypesSupported REG_DWORD 0x00000007 EventMessageFile REG_SZ Full path of rw-eventlogmessages.dll
Eg.: C:\filter\rw-eventlogmessages.dll - Restart Event Viewer
Event ID Table
| Category | Level | Event ID | Parameters | Description |
|---|---|---|---|---|
| Agent | Information | 256 | Title, Base | Agent started with success. |
| Agent | Information | 257 | Title, Base | Agent terminated with success. |
| Agent | Information | 258 | Title, Event URL, State configuration, State rules, State watermark, State block paste, Base | Agent contacted web service for user configuration check/update with success. |
| Agent | Information | 259 | Title, Log count, Event URL, Base | Agent sent user LOG to web service with success. |
| Agent | Error | 260 | Title, Base | Agent failed to start. |
| Agent | Error | 261 | Title, Event URL, HTTP error code, Base | Agent could not check/update user configuration. |
| Agent | Error | 262 | Title, Event URL, HTTP error code, Base | Agent failed to send user LOG to web service. |
| Application | Information | 263 | Title, Module name, Process ID, Application path, Base | Application started with success. |
| Application | Information | 264 | Title, Module name, Process ID, Application path, Base | Application terminated with success. |
| Application | Error | 265 | Title, Module name, Base | Application did not start with success. |
| AddIn | Information | 272 | Title, Module name, Process ID, Application path, Base | AddIn started with success. |
| AddIn | Information | 273 | Title, Module name, Process ID, Application path, Base | AddIn terminated with success. |
| AddIn | Error | 274 | Title, Module name, Process ID, Application path, Base | AddIn did not start with success. |
Custom Event IDs
|
Category
|
Level
|
Event ID
|
|---|---|---|
| Agent | Information | 275 |
|
Agent |
Warning | 276 |
| Agent | Error | 277 |
| Application | Information | 275 |
| Application | Warning | 276 |
| Application | Error | 277 |
| AddIn | Information | 275 |
| AddIn | Warning | 276 |
| AddIn | Error | 277 |
Feedback
Yes
No
Powered by
