0 Replies Latest reply on Apr 13, 2017 5:33 PM by superherosmith

    Windows Event Log Severity in ESM

    superherosmith

      I'm using NXLog to forward Windows Event Logs to our ESM instance.


      While most of the event details are clear in ESM, two of them weren't as clear: the actual Windows Event ID itself and also the Severity. I did find an article which described the translation of the IDs (McAfee Corporate KB - Windows Event ID to Nitro Signature ID translation, KB74335); however, I have not been able to find such a translation or understanding of the Severity for each event.


      What is especially unclear is that under the Drilldown menu of a specific event there are several instances with the same Event ID yet varying severity levels.

      [Screenshot attachment: Severity.PNG]

      Since for this specific event the first four numbers are the same, I would guess there is a similar translation somewhere, as with the Event IDs, but I have not been able to find such a guide. Furthermore, why are the last two numbers varying for the same event?

      [Screenshot attachment: Severity2.PNG]

      And while the previous screenshot and argument may have worked based on a similar pattern, the second screenshot, which is from another instance of the same event with the same Event ID on the same system, does not. Any clarification would be greatly appreciated.
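One check that helps narrow down a question like this is to look at the severity NXLog actually puts on the wire before ESM normalizes it: if the same Windows Event ID already leaves the host with different severities, the variation originates at the source; if NXLog sends one severity per Event ID and ESM still shows several, the variation is ESM's own scoring. The script below is an added example and is not the poster's code or anything from McAfee or NXLog. It assumes NXLog is configured with im_msvistalog plus xm_json, so each record is one JSON line carrying the documented im_msvistalog fields EventID, Severity, SeverityValue and EventType (NXLog maps DEBUG=1, INFO=2, WARNING=3, ERROR=4, CRITICAL=5); the sample lines are constructed, not captured from a real system.

```python
import json
from collections import defaultdict

# Constructed sample of NXLog im_msvistalog output rendered with xm_json.
# Field names follow NXLog's documented im_msvistalog fields; the values,
# hostnames and timestamps are made up for this example.
SAMPLE_LINES = [
    '{"EventTime":"2017-04-13 17:01:02","Hostname":"ws01","Channel":"Security",'
    '"EventID":4624,"Severity":"INFO","SeverityValue":2,"EventType":"AUDIT_SUCCESS"}',
    '{"EventTime":"2017-04-13 17:01:05","Hostname":"ws01","Channel":"Security",'
    '"EventID":4624,"Severity":"INFO","SeverityValue":2,"EventType":"AUDIT_SUCCESS"}',
    '{"EventTime":"2017-04-13 17:01:09","Hostname":"ws01","Channel":"Security",'
    '"EventID":4625,"Severity":"INFO","SeverityValue":2,"EventType":"AUDIT_FAILURE"}',
    '{"EventTime":"2017-04-13 17:02:11","Hostname":"ws01","Channel":"Application",'
    '"EventID":1000,"Severity":"ERROR","SeverityValue":4,"EventType":"ERROR"}',
    '{"EventTime":"2017-04-13 17:02:40","Hostname":"ws01","Channel":"Application",'
    '"EventID":1000,"Severity":"WARNING","SeverityValue":3,"EventType":"WARNING"}',
    'this line is deliberately not JSON',
]


def severity_by_event_id(lines):
    """Group NXLog JSON records by Windows EventID.

    Returns {EventID: sorted list of distinct (Severity, SeverityValue, EventType)
    tuples seen for that ID}. Malformed lines and records without an EventID
    are skipped rather than aborting the whole pass, since a forwarder log
    usually contains a few of them.
    """
    seen = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        eid = rec.get("EventID")
        if eid is None:
            continue
        seen[int(eid)].add(
            (rec.get("Severity"), rec.get("SeverityValue"), rec.get("EventType"))
        )
    return {eid: sorted(values, key=str) for eid, values in seen.items()}


def event_ids_with_varying_severity(lines):
    """EventIDs that left NXLog with more than one distinct severity."""
    return sorted(
        eid for eid, values in severity_by_event_id(lines).items() if len(values) > 1
    )


def load_lines(path):
    """Read a file of NXLog JSON records, one per line (e.g. an om_file copy)."""
    with open(path, encoding="utf-8") as fh:
        return fh.readlines()


if __name__ == "__main__":
    for eid, values in sorted(severity_by_event_id(SAMPLE_LINES).items()):
        print(eid, values)
    print("varying at source:", event_ids_with_varying_severity(SAMPLE_LINES))
```

To run this against real data, add an om_file output to the NXLog route that feeds ESM so the same records are also written locally, then call load_lines() on that file. An Event ID that appears in the "varying at source" list with different SeverityValue values was already inconsistent when it left the host; one that does not, yet shows several severities in the ESM drilldown, is being re-scored inside ESM.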