Obs/bin/GMA/Monitoring/Agent/initconfig/2.0/Standard/ReservedEventsTeam3Offline-Content.xml
<?xml version="1.0" encoding="utf-8"?>
<MonitoringManagement version="1.0" timestamp="2022-09-09T18:03:54.8774890Z"> <!-- Autogenerated version comment - DO NOT REMOVE: AzSecPackShipVersion=4.22.0.2 --> <Events> <EtwProviders> <!-- ACMS events added 09/20/2019 All those events are emitted from the client agent of dSMS service, ACMS. The information in those events will be used by dSMS teams and customers for: 1) Monitor the state of ACMS (started, stopped) 2) Monitor the state of delivered secrets (latest version installed on box) 3) Investigate any ACMS client issues (critial/error messages) The frequency for most events should be greater than 24 hours, since the ACMS polls dSMS to check for any updates in every 24-36 hours by default. The size of each event data should be less than 1k. Most of them contains informational string message only. --> <EtwProvider guid="71E8EB64-FA6A-45F0-9162-9194C04C6D17" format="Manifest" storeType="Local" manifest="Extensions\AzureSecurityPack\CredentialsManagementEtw.man" duration="PT5M"> <Event id="1" eventName="CredsMgmtCriticalMessage" /> <Event id="6" eventName="CredsMgmtCredentialsManagerStarted" /> <Event id="7" eventName="CredsMgmtCredentialsManagerStopped" /> <Event id="8" eventName="CredsMgmtPeriodicPollingStarted" /> <Event id="9" eventName="CredsMgmtPeriodicPollingCompleted" /> <Event id="10" eventName="CredsMgmtPeriodicPollingFailed" /> <Event id="11" eventName="CredsMgmtCertificateInstalled" /> <Event id="12" eventName="CredsMgmtCertificateUpdated" /> <Event id="13" eventName="CredsMgmtCertificateLinked" /> <Event id="14" eventName="CredsMgmtCertificateDeleted" /> <Event id="15" eventName="CredsMgmtExistingManagedCertificate" /> <Event id="16" eventName="CredsMgmtUpdatedSecureBlob" /> <Event id="17" eventName="CredsMgmtCaCertificateInstalled" /> <Event id="25" eventName="CredsMgmtNewSignalReceived" /> <Event id="26" eventName="CredsMgmtNewSignalActionTaken" /> </EtwProvider> </EtwProviders> <!-- WindowsEventLogSubscriptions documentation: https://jarvis.dc.ad.msft.net/?page=documents§ion=9c95f4eb-8689-4c9f-81bf-82d688e860fd&id=4da06081-ef7e-4c76-9475-497738167549 --> <WindowsEventLogSubscriptions> <Subscription eventName="ACMSEventLocal" query="Microsoft-Windows Azure-Security-Credentials Management/Operational!*[System[(EventID=1) or (EventID=6) or (EventID=7) or (EventID=8) or (EventID=9) or (EventID=10) or (EventID=11) or (EventID=12) or (EventID=13) or (EventID=14) or (EventID=15)or (EventID=16) or (EventID=17) or (EventID=18) or (EventID=19) or (EventID=20)or (EventID=23) or (EventID=24) or (EventID=25) or (EventID=26)]]" storeType="Local"> <Column name="EventProvider"> <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="EventType"> <Value>/Event/System/EventID</Value> </Column> <Column name="TimeCreated"> <Value>/Event/System/TimeCreated/@SystemTime</Value> </Column> <Column name="EventPayload" defaultAssignment=""> <Value>/Event/EventData/Data</Value> </Column> </Subscription> <Subscription eventName="ACMSEventLocal" query="Microsoft-Windows Azure-Security-Credentials Management/Admin!*[System[(EventID=1) or (EventID=6) or (EventID=7) or (EventID=8) or (EventID=9) or (EventID=10) or (EventID=11) or (EventID=12) or (EventID=13) or (EventID=14) or (EventID=15)or (EventID=16) or (EventID=17) or (EventID=18) or (EventID=19) or (EventID=20)or (EventID=23) or (EventID=24) or (EventID=25) or (EventID=26)]]" storeType="Local"> <Column name="EventProvider"> <Value>/Event/System/Provider/@Name</Value> </Column> <Column name="EventType"> <Value>/Event/System/EventID</Value> </Column> <Column name="TimeCreated"> <Value>/Event/System/TimeCreated/@SystemTime</Value> </Column> <Column name="EventPayload" defaultAssignment=""> <Value>/Event/EventData/Data</Value> </Column> </Subscription> </WindowsEventLogSubscriptions> <!-- Derived Events to tag the ACMS events with Azure Identity --> <DerivedEvents> <!-- Documentation for event fields can be found here: https://jarvis-west.dc.ad.msft.net/?page=documents§ion=9c95f4eb-8689-4c9f-81bf-82d688e860fd&id=ac0084ad-5065-4b16-8f7d-0a5193143378#/ --> <DerivedEvent source="ACMSEventLocal" eventName="AsmSec3Data" storeType="CentralBond" priority="High" duration="PT1M" retryTimeout="PT10080M" account="AzSecurityStore" retentionInDays="180"> <Query><![CDATA[ let ReportingIdentity=GetStaticEnvironmentVariable("MA_HEARTBEAT_IDENTITY") let AssetIdentity=GetStaticEnvironmentVariable("MA_AZURE_IDENTITY") let NodeIdentity="" let NodeType="" select ReportingIdentity, AssetIdentity, NodeIdentity, NodeType, EventProvider, EventType, TimeCreated, EventPayload ]]></Query> </DerivedEvent> </DerivedEvents> </Events> </MonitoringManagement> |