Event Data Fields

Created by Caroline Juszczak, last modified by Kevin.Swinson on Oct 31, 2017


The following table explains the meaning of each grid column or data field that can appear in various alert grids, event grids, and information panes throughout the Console. The actual columns and fields that are shown vary according to the alert, view, or grid you are working with. But the meaning of these fields remains the same, regardless of where you see them.

For convenience, the fields are listed in alphabetical order.

Grid column or field Description


The name of the event.


The name of the dial-up or VPN connection.


The current status of the dial-up or VPN connection.


The destination IP address of the network traffic.


The destination port number of the network traffic.


The source network node for the alert data. This is usually a manager or an agent and is the same as the InsertionIP field. It can also be a network device, such as a firewall or an intrusion detection system, that may be sending log files over a remote logging protocol.


The time the network node generated the data. This is usually the same as the InsertionTime field, but they can differ when the agent or manager is reading historical data, or if a network device has an incorrect time setting.


A short summary of the alert details. Additional details appear in the following fields, but EventInfo provides enough information to view a snapshot of the alert information.


Additional information relevant to the alert, but not reflected in other fields. This can include information useful for correlating or summarizing alert information in addition to the EventInfo field.


The node the log message came from (the LEM or agent that collected the message for forwarding to nDepth).


The originating network device (if different than the node) that the message came from. Normally, Host and HostFromData are the same, but in the case of a remote logging device (such as a firewall) this field reports the original remote device's address.


The name of the correlation that caused this alert. The InferenceRule field will generally be blank, but in cases where the alert was related to a rule, it displays the rule name.


The manager or agent that first created the alert. This is the source that first read the log data from a file or other source.


The time the manager or agent first created the alert. This time indicates when the data was read from a log file or other source.


The IP address associated with the alert. This is a composite field, drawn from several different alert fields. It shows all the IP addresses that appear in alert data.


The name of the Manager that received the alert. For data generated from an Agent, this is the Manager the Agent is connected to.


In the Event explorer's event grid, the Order field indicates when each event occurred:

The "before event" icon indicates the event occurred before the central event shown in the event map.

The "central event" icon indicates the event occurred during (as part of) the central event shown in the event map.

The "after event" icon indicates the event occurred after the central event shown in the event map.


Displays the protocol associated with this alert (TCP or UDP).


A unique identifier for the original data. Generally, the ProviderSID field includes information that can be used in researching information on the alert in the originating network device vendor's documentation.


The IP address the network traffic is coming from.


The port number the network traffic is coming from.


The Alias Name entered when configuring the connector on the manager or agent.


The actual connector that generated the log message.


Connector category for the connector that generated the log message.


The user name associated with the alert. This is a composite field, drawn from several different alert fields. It shows all the places that user names appear in alert data.

