A large number of events have the user_name field populated with sesuser or system

Article:TECH140322  |  Created: 2010-09-20  |  Updated: 2012-06-12  |  Article URL http://www.symantec.com/docs/TECH140322
Article Type
Technical Solution



You notice that a large amount of activity appears to be generated by a user called sesuser or system.


This is agent behavior:

Windows Agent -> When an event is sent to SSIM, the Agent fills the user_name field with “SYSTEM” if user_name is not populated
On-board (default on the SSIM) Agent -> When an event is sent to SSIM, the Agent fills the user_name field with “sesuser” if user_name is not populated



This is working as designed. These fields are getting normalised by the agent.

For more information on normalisation, see the section "Understanding event normalization" on page 233 of SSIM_Administrators_Guide.pdf.
