About Event Log Tags

The Tags data column contains "tags" for events related to applications, endpoints, policies, and servers. To learn about tags and their meanings, see the following table:

Table 1. Event Log Tags

Tag

Description

Log Types

application-start

Application start explicitly allowed or blocked by policy

  • Policy actions

fallback-action

Application start passively allowed because of missing rule information or an error collecting rule or application information

  • Policy actions

file-access

Application access explicitly allowed or blocked by policy

  • Policy actions

inventory

Application included in endpoint inventory

  • Endpoint inventories

  • Known applications

log-only

Application start or access tracked but no actions applied because log-only mode is enabled

  • Policy actions

lockdown-action

Application start or access blocked because the application was added to the endpoint after a Lockdown rule was applied

  • Policy actions

multiuser-rule-conflict-action

Application or child-process start or access blocked by the policy of another logged on user.

  • Policy actions

no-connection-to-server-action

Application start or access blocked because the application was not explicitly allowed by the policy and the agent is unable to connect to the server to determine if the application should be allowed as matching a Certified Safe Software List package

  • Policy actions

rule-action

Application start explicitly allowed or blocked by Allow or Block rule

  • Policy actions

safe-match

Application exactly matches its Certified Safe Software List package

  • Known applications

safe-match-loose

Application in Certified Safe Software List, but not as part of its typical application package

  • Endpoint inventories

  • Policy actions

  • Known applications

safe-unchecked

Application pending look-up in Certified Safe Software List

  • Endpoint inventories

  • Policy actions

safe-unknown

Application does not match any Certified Safe Software List package

  • Endpoint inventories

  • Policy actions

  • Known applications

safe-version-<version>

For example, "safe-version-01.192"

Application evaluated against this Certified Safe Software version

  • Endpoint inventories

  • Policy actions

  • Known applications

trust-level-medium

Application explicitly allowed that has a Trusted Source level of Medium

  • Policy actions

trust-level-high

Application explicitly allowed that has a Trusted Source level of High

  • Policy actions

trust-level-very-high

Application explicitly allowed that has a Trusted Source level of Very High

  • Policy actions

trusted-source-permanent-action

Application's child-process temporarily allowed by a Trusted Source level of Medium

  • Policy actions

trusted-source-temporary-action

Application's child-process permanently allowed by a Trusted Source level of High or Very High

  • Policy actions
Parent topic: Query Logs Screen