This table lists all Computer Management events and their unique subtypes specific to this release of App Control.

Note: New or changed events are identified with ** (double-asterisk) in the left column. This allows a search to quickly identify only the new or changed events.
Table 1. Computer Management Events and Subtypes
Subtype ID No. Severity Example Descriptions/Comments
Agent bulk state change finished 412 Info

Computer '$computer$' completed the state transition of all files from '$param1$' to '$param2$'.

Note:Parameters 1 and 2 can be ‘Unapproved’ or ‘Locally Approved’.

Agent bulk state change requested 413 Info '$userName$' requested state transition of all files on computer '$computer$' from '$param1$' to '$param2$'.

Note:Parameters 1 and 2 can be ‘Unapproved’ or ‘Locally Approved’.

Agent config modified 435 Notice

Agent configuration property '$param1$' was created as '$param2$' ($param3$) by '$username$'.

Agent configuration property '$param1$' was modified to '$param2$' ($param3$) by '$username$'.

Agent configuration property '$param1$', value '$param2$' ($param3$) was deleted by '$username$'."

Examples:

Computer retrieved Notifier Logo: Source[$param1$] Attempts[$param2$].

Agent configuration property 'KernelWriteExcludePattern' was modified to '/opt/apps/*' (Enabled) by 'bjones@mycorp.local'.

Agent configuration property 'protocol_message_versions (Linux)' was modified to 'protocol_message_versions=1:4,2:1,3:1,5:4,6:7,7:5,8:3,9:4,10:1,11:1,12:2,13:1,14:1,15:2,16:1,18:1' (Disabled) by 'rgomez@mycorp.local'.

Agent database error 432 Error

Carbon Black App Control Agent had to restore its primary database cache.

Carbon Black App Control Agent had to rebuild its primary database cache and now has to re-initialize.

Carbon Black App Control Agent detected a cache integrity problem.

Unknown error initializing database pool.

Carbon Black App Control Agent had to restore its primary database cache.

Carbon Black App Control Agent had to rebuild its primary database cache and now has to re-initialize.

Carbon Black App Control Agent failed to upgrade its database.

Carbon Black App Control Agent failed to connect to its cache database.

Carbon Black App Control Agent failed to read config list from file.

Carbon Black App Control Agent failed cache verification.

Agent deleted events 414 Notice

Computer '$computer$' deleted $param1$ events.

Note:Param1 is a numeric value.

Agent Enforcement Level changed 407 Notice

Computer '$computer$' changed Enforcement Level from '$param1$' to '$param2$'.

Note: Parameters 1 and 2 are one of the Enforcement Levels or “Local Approval”.

Agent error 431 Error

Unsupported kernel [$kernelversion$] running. Agent will not track files.

Carbon Black App Control Agent was unable to communicate with the kernel. Agent may be unprotected

Unable to connect to the Kernel. Agent will not track files.

Computer failed to receive Notifier Logo: $logoFilePath$.

Free space on Carbon Black App Control Agent drive is low: Drive[$letter$:] Available[$param1$] Total[$param2$] Free[$param3$] Threshold[$param4$]

Upload failed: Retry limit exceeded. File upload canceled for file '$filePath$'. Attempts[$param$]

Agent FIPS status changed 851 Info FIPS status has changed on computer '$computer$' from '$param1$' to $param2$'.
Agent health check 447

Info/

Error/

Warning

Carbon Black App Control Agent is healthy. Options[$param1$].

Carbon Black App Control Agent failed a health check. ErrorsFound[$param2$] Options[$param1$]

Carbon Black App Control Agent detected a problem: $param1$. $param2$

Timestamp of events from computer $computer$ are $param1$ day(s) in the $param2$

Timestamp of events from computer $computer$ are within expected range

Agent health check request 457 Info User '$userName$' requested health check for computer '$computer$'.
Agent notification (other) 1019 Info

Service control notification on '$computer$': $param1$.

Agent notification (session change) 1018 Info

Session change on '$computer$': $param1$.

Agent notification (time change) 1017 Info

System time change on '$computer$': $param1$.

Agent Policy changed 406 Notice

Policy change was scheduled for computer '$computer$' from '$param1$' to '$param2$'.

Agent Policy updated 408 Info

Computer '$computer$' updated Policy from version '$param1$' to '$param2$'.

Agent requires upgrade 415 Notice Agent polled from '$ipaddress$'. Agent Version($param1$). Agent needs to upgrade to latest version.
Agent restart 405 Info

Carbon Black App Control Agent has started, version $param1$.

Agent shutdown 404 Info

Carbon Black App Control Agent was stopped because of a system shutdown.

Agent synchronization finished 411 Info

Computer '$computer$' finished resynchronizing its local state with the Carbon Black App Control Server. (Reason: ‘$param2$’).

Note: Param2 is one of the following: ‘Agent queue size grew too large’, ‘Server request during agent initialization was deferred’, ‘Server request during agent cache consistency scan was deferred’, ‘Server request’, ‘Agent did not have enough history’, ‘Protocol error’, ‘Agent CLI Request’

Agent synchronization requested 418 Info

User '$username$' has requested resynchronization of computer '$computer$' with the Carbon Black App Control Server.

Agent synchronization started 410 Info

Computer '$computer$' started resynchronizing its local state with the Carbon Black App Control Server (Reason: $param2$).

Agent uninstalled 421 Notice Agent has been uninstalled from computer '$computer$'
Agent upgraded 409 Info Computer '$computer$' changed agent version from '$param1$' to '$param2$'.
Automatic resynchronization 425 Info

Carbon Black App Control Server scheduled an auto resync on '$computer$' because agent appears to have gone back in time ($param1$/$param2$).

Note: Param1 is the server’s expected sequence number of an action. Param2 is the sequence number sent by the agent, which can be used for diagnostic purposes with Carbon Black Support.

Cache check complete 416 Info

Cache consistency check stopped Level [$param1$] $param2$

Cache consistency check complete: $param1$ optimizations made, $param2$ corrections.

Note: Param1 is cache consistency level. Param2 is a series of values for diagnosis of what was done during the check, and also indicates whether the check ran to completion (“Successful[1]”) or stopped before completion (“Successful[0]”).

Cache check error 417 Warning Cache consistency error number '$param1$', file '$param2$'.
Cache check start 426 Info Cache consistency check at level '$param1$', flags '$param2$' started.
Cache consistency check request 453 Info

User ‘$userName$’ requested a cache consistency check Level[$param1$] Options[$param2$] for computer ‘$computer$’]

Note: Param1 is the consistency check level chosen by the user and param2 indicates any option checkboxes chosen, such as “Full scan of new files”.

Carbon Black EDR sensor status 458 Info

Carbon Black EDR Sensor Version '$param1' installed and '$param2'.

Carbon Black EDR Sensor is not installed.

Note: param1 is the Carbon Black EDR sensor version; param2 is the sensor state (e.g., ‘Running’).

CLI executed 429 Notice The CLI command “$commandname$” was executed.
CLI password reset 403 Notice The CLI password for computer '$computer$' was reset by '$username$'.
Clone orphaned 446 Info Clone computer '$computer$' was orphaned due to deletion of template '$param1$'.
Clone registered 445 Info Computer '$computer$' was registered as a clone of template '$param1$'.
Computer added 400 Info New computer '$computer$' with Policy '$policyName$' registered from '$ipAddress$'. Agent Version ($param1$).
Computer deleted 401 Info Computer '$computer$' was deleted by '$username$'.
Computer modified 402 Info

Computer '$computer$' was modified by '$username$'.

Computer '$computer$' was moved into the Policy '$policyName$' by '$username$'.

Computer '$computer$' was modified by '$username$' to use automatic Policy assignment.

Computer '$computer$' was restored to its previous Policy by '$username$'.

Computer '$computer$' was scheduled for re-registration by '$username$'.

Duplicate computer '$computer$' with address '$param1$' was re-registered.

Computer from '$param1$' changed its name from '$param2$' to '$param3$'.

Agent upgrade for computer '$computer$' was requested by '$username$'.

Computer reboot request 441 Info User '$username$' requested reboot of computer '$computer$'.
Computer registered 459 Info Computer '$computer$' registered with the server. $param1$ users are currently logged in to the computer.
Configuration changed 434 Info Disk configuration change detected: $param1$ volumes added; $param2$ volumes removed.
Configure agent dumps 452 Info User ‘$userName$’ changed agent dump configuration from $param1$ to $param2$ for computer ‘$computer$’.
Debug level set 451 Info User ‘$userName$’ set debug level for computer ‘$computer$’ from ‘$param1$’ to ‘$param2$’ for $param3$ minutes.
Diagnostic file deletion request 454 Info

User '$userName$' requested deletion of diagnostic files from computer '$computer$.

Duplicate computer registration 433 Warning Error registering computer ‘$computer$’ from $ipaddress$ [$param1$]: unique agent id duplicates that of computer $param2$ from $param3$.
File deleted 460 Info File 'test123.bat' [FBAD9...34F00] was successfully deleted from MYCORP\LAPTOP3
File deletion failed 461 Error

If the deletion failed because it was a file from a protected publisher:

File deletion failure of 'emet_gui.exe' [2024F...41CCD] from MYCORP\LAPTOP3. Error: Microsoft File

If the deletion failed because the agent version doesn’t support server-based deletion:

File deletion failure of 'emet_gui.exe' [2024F...41CCD] from MYCORP\LAPTOP3 because this Agent version doesn’t support it.

If the deletion failed because the file is no longer present on the computer and not in its inventory:

File deletion failure of 'tryme.bat' [76C7F...BD915] from MYCORP\DESKTOP8. Error: Delete Error[C0000034]

File deletion processed (file not found) 466 Info

If a file is exists in a computer’s inventory but is not on disk:

File deletion processed with file not found for [EDBD7...12F06] from MYCORP\DESKTOP9

File deletion requested 464 Info

If the request was to delete a file from one computer:

User 'admin' requested file deletion of all instances of [2488C...558F1] from MYCORP\DESKTOP6.

If the request was to delete a file from all computers:

User 'admin' requested file deletion of all instances of [FBAD9...34F00] from 100 computer(s).

If the request was to delete a file came from an Event Rule:

User 'System' requested file deletion of all instances of [81027...576DA] from MYCORP\DESKTOP6.

File process error 423 Error

Agent on computer '$computer$' is unable to process required update '$param1$' from Carbon Black App Control Server.

File receive error 422 Warning

Agent on computer '$computer$' is unable to download required update '$param1$' from Carbon Black App Control Server.

File upload canceled 438 Info

User '$username$' canceled upload of file [$hash$] from computer '$computer$'.

User '$username$' canceled upload of file '$filepath $' from computer '$computer$'.

File upload completed 439 Info

Upload of file [$hash$] from computer '$computer$' completed.

Upload of file '$filePathAndName$' from computer '$computer$' completed.

File upload deleted 449 Info

User '$username$' deleted uploaded file [$hash$].

User '$username$' deleted uploaded file '$filePathAndName$'.

File upload error 440 Error

Upload of file [$hash$] from computer '$computer$' failed because of error $description$.

Upload of file '$filePathAndName$' from computer '$computer$' failed because of error $description$.

File upload requested 437 Info

User '$username$' requested upload of file [$hash$] from computer '$computer$'.

User '$username$' requested upload of file '$filePathAndName$' from computer '$computer$'.

Upload of file [$hash$] from computer '$computer$' was requested by Event Rule '$ruleName$'.

Installer rescan requested 424 Info User '$username$' has requested rescan of installers on computer '$computer$'.
Local agent cache copy request 455 Info User '$userName$' requested local copy of agent cache for computer '$computer$'.
Lockdown all computers 427 Warning Lockdown All button pressed by '$username$': $param1$ computer(s) have been moved to High Enforcement level.
Prioritize updates request 450 Info

Updates prioritized for computer '$computer$' by user '$userName$'.

Prioritization of updates removed for computer '$computer$' by user '$username$'.

Resend all Policy rules request 456 Info

User '$userName$' requested all Policy rules be resent to computer '$computer$'.

User '$userName$' requested all Policy rules be resent to computer '$computer$' using shared file.

Security Alert 448 Warning

Unauthorized connection attempt: Pid[$processId$] Address[$IPaddress$] to the Notifier client interface

The $fileState$ file '$filePathAndName$' [$hash$] is set to run automatically: $param2$."

Note: fileState is the state of the file in Carbon Black App Control (e.g., Unapproved or Banned). Param2 is a description of the file source (e.g., Service [Microsoft Network Inspection]). The case referred to in the second description does not occur for agents in Low enforcement, and only once per file unless there is a reboot.

Tamper Protection changed 428 Warning

User '$username$' has disabled Tamper Protection on computer '$computer$'.

Template created 442 Info User '$username$' has converted computer '$param1$' to template '$computer$'.
Template deleted 444 Info User '$username$' has deleted template '$computer$'.
Template modified 443 Info User '$username$' has modified template '$computer$'.
Temporary Enforcement Level override 419 Warning A temporary override to place computer '$computer$' in Enforcement Level $param1$ for $param2$ minute(s) has been accepted.
Temporary Enforcement Level restore 420 Notice Computer '$computer$' has been restored to Enforcement Level '$param1$'.
Temporary Policy override generated 436 Info

User '$username$' has generated temporary Policy override code for computer '$computer$' with Enforcement Level '$param1', valid for $param2$ minutes.

Unauthorized computer registration 430 Warning An unauthorized computer registration attempt was made from $ipaddress$ ($param1$).