A large number of events have the user_name field populated with sesuser or system
Article: TECH140322 | Created: 2010-09-20 | Updated: 2012-06-12 | Article URL: http://www.symantec.com/docs/TECH140322
Problem
You notice that a large amount of activity is generated by a user called sesuser or system.
Cause
This is an agent behavior:
Windows Agent -> When an event is sent to SSIM, the Agent fills the user_name field with “SYSTEM” if user_name is not populated.
On-board (default on the SSIM) Agent -> When an event is sent to SSIM, the Agent fills the user_name field with “sesuser” if user_name is not populated.
Solution
This is working as designed. These fields are normalised by the agent.
For more information on normalisation, see the section "Understanding event normalization" on page 233 of SSIM_Administrators_Guide.pdf.
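Because the agents write these defaults whenever user_name is empty, per-user reports can credit unattributed events to "sesuser" or "SYSTEM". The following added example (not Symantec code) measures, per event source, how many events carry one of the two defaults; the CSV layout, the `source` column and the case-insensitive match are assumptions.

```python
import csv
import io
from collections import Counter, defaultdict

# Defaults the agents write when user_name is empty (values from the article).
# Case-insensitive matching is an assumption: the article spells both
# "SYSTEM" and "system".
PLACEHOLDERS = {"system": "Windows Agent", "sesuser": "On-board Agent"}

# Constructed sample export; every column except user_name is hypothetical.
SAMPLE_CSV = """event_id,source,user_name
1,firewall,sesuser
2,firewall,sesuser
3,windows_security,SYSTEM
4,windows_security,jdoe
5,windows_security,System
6,vpn,asmith
7,firewall,sesuser
"""

def classify(user_name):
    """Return the agent whose default matches user_name, else None.
    A match means 'possibly agent-filled': the Windows SYSTEM account can
    also appear as a genuine value, and the event alone cannot tell them apart."""
    return PLACEHOLDERS.get((user_name or "").strip().lower())

def summarize(csv_text):
    """Per source: total events, default-valued events by agent, named users."""
    summary = defaultdict(
        lambda: {"total": 0, "placeholder": Counter(), "users": Counter()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        entry = summary[row["source"]]
        entry["total"] += 1
        agent = classify(row["user_name"])
        if agent:
            entry["placeholder"][agent] += 1
        else:
            entry["users"][(row["user_name"] or "").strip()] += 1
    return dict(summary)

def placeholder_ratio(entry):
    """Fraction of a source's events whose user_name is an agent default."""
    return sum(entry["placeholder"].values()) / entry["total"]

if __name__ == "__main__":
    for source, entry in sorted(summarize(SAMPLE_CSV).items()):
        print(f"{source}: {entry['total']} events, "
              f"{placeholder_ratio(entry):.0%} agent-default user_name, "
              f"named users: {dict(entry['users'])}")
```

A source with a ratio near 100% is one whose events never carry a user name, so its "sesuser" or "SYSTEM" totals should be reported separately from real account activity.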