A large number of events have the user_name field populated with sesuser or system

Article:TECH140322  |  Created: 2010-09-20  |  Updated: 2012-06-12  |  Article URL http://www.symantec.com/docs/TECH140322
Article Type
Technical Solution


Subject

Issue



You notice that a large amount of activity is generated by a user called sesuser or system.


Cause



This is agent behavior:

Windows Agent -> When an event is sent to SSIM, the Agent fills the user_name field with “SYSTEM” if user_name is not populated

On-board Agent (the default on the SSIM) -> When an event is sent to SSIM, the Agent fills the user_name field with “sesuser” if user_name is not populated

 


Solution



This is working as designed. These fields are normalised by the agent.

For more information on normalisation, see the section "Understanding event normalization" on page 233 of SSIM_Administrators_Guide.pdf.
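When reviewing per-user activity, the fill-in values described under Cause can be counted separately so they do not crowd out named accounts. The following is an added example, not Symantec code: the "agent" and "event" fields, the agent labels and the case-insensitive match are assumptions, and the events are constructed.

```python
from collections import Counter

# Fill-in values named in the article, keyed by a hypothetical agent label.
AGENT_DEFAULTS = {"windows": "system", "onboard": "sesuser"}

# Constructed sample events. Only user_name comes from the article; the
# "agent" and "event" fields are assumptions made for this example.
SAMPLE_EVENTS = [
    {"agent": "windows", "user_name": "SYSTEM", "event": "service start"},
    {"agent": "windows", "user_name": "SYSTEM", "event": "service stop"},
    {"agent": "windows", "user_name": "jdoe", "event": "logon"},
    {"agent": "windows", "user_name": "jdoe", "event": "logoff"},
    {"agent": "onboard", "user_name": "sesuser", "event": "firewall deny"},
    {"agent": "onboard", "user_name": "sesuser", "event": "firewall deny"},
    {"agent": "onboard", "user_name": "sesuser", "event": "syslog message"},
    {"agent": "onboard", "user_name": "admin", "event": "console logon"},
]


def is_agent_default(event):
    """True if user_name equals the fill-in value for the sending agent."""
    default = AGENT_DEFAULTS.get(str(event.get("agent", "")).lower())
    name = str(event.get("user_name") or "").strip().lower()
    return default is not None and name == default


def summarize(events):
    """Return (per-user counts without fill-ins, fill-in counts per agent)."""
    per_user, filled = Counter(), Counter()
    for ev in events:
        if is_agent_default(ev):
            filled[str(ev["agent"]).lower()] += 1
        else:
            per_user[str(ev.get("user_name") or "").strip().lower()] += 1
    return per_user, filled


if __name__ == "__main__":
    per_user, filled = summarize(SAMPLE_EVENTS)
    print("Events per named user:", per_user.most_common())
    print("Events carrying the agent's fill-in user_name:", dict(filled))
```

Because the agent writes the same string an event could have carried on its own, the second count is an upper bound on events that arrived without a user, not an exact figure.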




