yd9038
Level 9
Message 1 of 3

SIEM Health Related Sig IDs I found helpful for Alarms&Reports

306-1      Backup Configuration Change
306-2      Backup Performed
306-4      Event Partition Detach
306-5      Flow Partition Detach
306-6      Data Retention Configuration Change
306-7      Data Allocation Configuration Change
306-8      Indexing Configuration Change
306-11     User Login
306-14     User Account Change
306-15     Policy Add
306-16     Policy Modify
306-17     Policy Delete
306-18     Device Add
306-19     Device Delete
306-20     Rule Add
306-21     Rule Modify
306-22     Rule Delete
306-23     Variable Add
306-24     Variable Modify
306-25     Variable Delete
306-28     EPO Tags Applied
306-31     Failed User Login
306-32     ESM Reboot
306-34     Log Partition Rolled Off
306-50     File Deleted
306-52     VA Data Engine status aler
306-50010  McAfee EDB database server state change alert
306-50017  User Device Login
306-50023  SNMP collector state change alert
306-50027  Health monitor internal alert
306-50034  OPSEC retriever state change alert
306-50043  VA Data Engine status alert:
306-50047  The logging of data to the ELM is significantly behind.
306-50054  A RAID error has occurred
306-50077  Error in SSH communication
306-50079  User Device Failed Login
306-50080  A physical network interface connection has been made or removed
306-50085  System integrity check failure
306-51     Get VA Data Success
329-10     ACE Status Change Alarm
2 Replies
yd9038
Level 9
Message 2 of 3

Re: SIEM Health Related Sig IDs I found helpful for Alarms&Reports

306-50027  Health monitor internal alert
Process filterctl is not running.
The subsystem has recovered (Filter Control).
The subsystem has recovered (Collectors Control).
The subsystem has recovered (Parser Control).
Failed to get status from parsersctl.
Failed to get status from collectorsctl.
Failed to get status from filterctl.

Re: SIEM Health Related Sig IDs I found helpful for Alarms&Reports

We found this also comes up for the 306-500727 Health monitor internal alert:

     Bad data files detected; they have not been fully parsed!
