Event Log page

The Event Log page is where you view the activity and debug events in the Event Log.

Option Definition
Number of events Indicates the number of events that Endpoint Security logged on the system in the last 30 days.
Refreshes the Event Log display with any new event data.
View Logs Folder Opens the folder that contains the log files in Windows Explorer. The folder contains log files for:
  • Activities
  • Debugging
  • Errors

Each log file starts with a header describing each field in the message. A representative line looks like this:

2019-08-22 20:49:04.966Z |Debug | odsbl |mfetp | 3840 | 10772 |ODS |odsruntask.cpp(6115) | Scan item count: 1
DATE Shows the log date in YYYY-MM-DD format.
TIME(UTC) Shows the log time in UTC, in hh:mm:ss.mmm format with a trailing Z.

Endpoint Security client systems log in UTC so that events from endpoints deployed across different time zones can be aligned, which simplifies analysis and troubleshooting. Endpoint Security Server (extension) logs follow the time configured on the server, so convert one or the other before correlating client and server entries.

LEVEL Shows one of the following log levels:
  • Activity
  • Debug
  • Error
FACILITY Shows the facility or subsystem name. There are many facilities in Endpoint Security, such as AMSI, Orchestrator, odsbl, Remediationbl, AtpMa, and atpbl.
PROCESS Shows the involved process name. For example, mfetp, MFEConsole, and amcfg.
PID Shows the associated process identifier.
TID Shows the associated thread identifier.
TOPIC Shows the topic name within the given facility. For example, AMSI, AMCoreUtil, RealProtect, JCM, JTI, ODS, and OES.
FILE_NAME(LINE) Shows the source file and line number where the log entry was generated.
MESSAGE Shows the information about what is happening with Endpoint Security.
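A small parser for the log line format described above, as an added example that is not the product's own code or tooling. It splits each line into the documented fields, keeps any pipe characters inside MESSAGE intact, turns the UTC timestamp into a timezone-aware datetime so client entries can be lined up against server logs written in server-local time, and skips lines that do not fit the header. The sample lines, the regular expression, and the function names are constructed for this example and are not anything the product ships.

```python
"""Parse Endpoint Security client log lines (Activity / Debug / Error files).

Added example, not product code. Field layout follows the documented header:
DATE TIME(UTC) | LEVEL | FACILITY | PROCESS | PID | TID | TOPIC | FILE_NAME(LINE) | MESSAGE
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed sample lines in the documented format (not real product output).
# The last two lines exercise the edge cases: pipes inside MESSAGE, and junk.
SAMPLE_LOG = """\
2019-08-22 20:49:04.966Z |Debug | odsbl |mfetp | 3840 | 10772 |ODS |odsruntask.cpp(6115) | Scan item count: 1
2019-08-22 20:49:05.102Z |Activity | odsbl |mfetp | 3840 | 10772 |ODS |odsruntask.cpp(6230) | On-demand scan completed
2019-08-22 20:49:07.410Z |Error | AMSI |mfetp | 3840 | 9911 |AMSI |amsiscan.cpp(412) | Scan request failed: buffer | contains | pipes
not a log line at all
"""

# Fields are pipe-separated with loose spacing; MESSAGE is matched last and
# greedily so that pipes inside the message text do not break the parse.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})Z\s*\|"
    r"\s*(?P<level>Activity|Debug|Error)\s*\|"
    r"\s*(?P<facility>[^|]*?)\s*\|"
    r"\s*(?P<process>[^|]*?)\s*\|"
    r"\s*(?P<pid>\d+)\s*\|"
    r"\s*(?P<tid>\d+)\s*\|"
    r"\s*(?P<topic>[^|]*?)\s*\|"
    r"\s*(?P<source>[^|]*?\(\d+\))\s*\|"
    r"\s*(?P<message>.*)$"
)


@dataclass(frozen=True)
class LogEvent:
    timestamp: datetime  # timezone-aware, always UTC as written by the client
    level: str
    facility: str
    process: str
    pid: int
    tid: int
    topic: str
    source_file: str
    source_line: int
    message: str


def parse_line(line: str) -> Optional[LogEvent]:
    """Return a LogEvent for one log line, or None if it does not match the header."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    # %f accepts the three-digit millisecond field; the Z suffix means UTC.
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S.%f")
    ts = ts.replace(tzinfo=timezone.utc)
    src_file, _, src_line = m["source"].rpartition("(")
    return LogEvent(
        timestamp=ts,
        level=m["level"],
        facility=m["facility"],
        process=m["process"],
        pid=int(m["pid"]),
        tid=int(m["tid"]),
        topic=m["topic"],
        source_file=src_file,
        source_line=int(src_line.rstrip(")")),
        message=m["message"],
    )


def parse_log(text: str) -> Tuple[List[LogEvent], int]:
    """Parse a whole log file; return (events, number of lines that were skipped)."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            skipped += 1
        else:
            events.append(ev)
    return events, skipped


def select(events: List[LogEvent], level: Optional[str] = None,
           facility: Optional[str] = None) -> List[LogEvent]:
    """Filter events by LEVEL and/or FACILITY, e.g. all Error lines from odsbl."""
    return [e for e in events
            if (level is None or e.level == level)
            and (facility is None or e.facility == facility)]


def to_server_local(ev: LogEvent, utc_offset_hours: float) -> str:
    """Render a client (UTC) timestamp in the server's configured offset for correlation."""
    local = ev.timestamp.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return local.strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    print(f"parsed {len(parsed)} events, skipped {bad} unparseable line(s)")
    for e in select(parsed, level="Error"):
        print(to_server_local(e, -7), e.facility, e.source_file, e.source_line, e.message)
```

Run it against an Activity, Debug or Error file from the View Logs Folder location to get the same fields the Event Log page shows, with the advantage that the FILE_NAME(LINE) and thread identifiers survive, which is what support usually asks for when a detection or scan behaves unexpectedly.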

Show all events Removes any filter.
Filter by Severity Filters events by a severity level:

Alert Shows level 1 severity events only.
Critical and greater Shows levels 1 and 2 severity events only.
Warning and greater Shows levels 1, 2, and 3 severity events only.
Notice and greater Shows levels 1, 2, 3, and 4 severity events only.

Filter by Module Filters events by module.

The features that appear in the drop-down list depend on the features installed on the system at the time you opened the Event Log.

Search Searches the Event Log for a string.
Events per page Selects the number of events to display on a page. The default is 20 events per page.
Previous page Displays the previous page in the Event Log.
Next page Displays the next page in the Event Log.
Page x of x Selects a page in the Event Log to navigate to.

Enter a number in the Page field and press Enter or click Go to navigate to the page.

Column heading Sorts the event list by...
Date Date the event occurred.
Feature Feature that logged the event.
Action taken Action that Endpoint Security took, if any, in response to the event.

The action is configured in the settings.

Access Denied Prevented access to the file.
Allowed Allowed access to the file.
Blocked Blocked access to the file.
Cleaned Removed the threat from the file automatically.
Contained Ran the file in a container based on its reputation.
Continue Scanning Detected a threat and continued scanning the next file without taking any action, such as Clean or Delete, on the current file.
Deleted Deleted the file automatically.
Moved Moved the file into the Quarantine.
Would Block A rule would have blocked access to the file if the rule was being enforced. Observe mode is enabled.
Would Clean A rule would have cleaned the file if the rule was being enforced. Observe mode is enabled.
Would Contain A rule would have contained the file if the rule was being enforced. Observe mode is enabled.

Severity Severity level of the event.

Critical 1
Major 2
Minor 3
Warning 4
Informational 5