Intel AMT Features > Access Monitor > Detailed Description > Event Groups and Event IDs

Event Groups and Event IDs

The Auditor determines which events can be audited. Starting in Release 8.0, there are default settings for which events are monitored by the Auditor.

The AMT_AuditPolicyRule.SetAuditPolicy method enables or disables the monitoring of a single event type. The AMT_AuditPolicyRule.SetAuditPolicyBulk method (added in Release 7.0) enables or disables the monitoring of multiple event types.

Individual events can be flagged for greater monitoring at two levels: critical and super_critical.

Critical events

Any event type can be marked as “critical”, meaning that if the event fails to be logged for any reason (e.g., the audit log is full or locked or due to a flash wear-out event) the event will be prevented from occurring, since it cannot be logged. It is possible to configure the audit log policy before enabling the audit log itself.

Super_critical events

Beginning in Release 12.0, certain event types are defined as “super_critical”. These events are:

   Unprovisioning

   Opening of an SOL, Storage, or KVM redirection session

   Setting boot options for remote control operations

   Transition to post-provisioning mode when Intel AMT provisioning is complete

Super_critical events have the following properties:

   They are always logged regardless of the current logging policies, and even if the Audit Log is disabled.

   The last 5 super_critical events are kept in the log even if the log rolls over or is cleared.

   If the audit log is locked or full, the operation will fail. The only exception is unprovisioning when the audit log is full and rollover is disabled; in this case, rollover will be enabled and the unprovisioning will be executed and logged.

For backwards compatibility purposes, AMT_AuditPolicyRule.PolicyType will return “CRITICAL” for these events instead of defining a new PolicyType.

General information

Some actions may be logged and yet not be completed due to a defined limitation (e.g., attempting to delete a resource while it is still in use). This has been indicated on some of these events as “attempting” to perform the action.

The events are divided into functional groups, and each group has an application ID. Each event type within a functional group has an event ID. An event is uniquely identified by the Event Group (Application ID) and the Event ID.

For detailed descriptions of the events, including parameters and what triggers adding the event to the audit log, refer to the event groups described in the following table. The table also identifies the events that are automatically enabled starting in Release 8.0.

Application ID

Event Group

8.0 Default Setting

16

Security Admin Events

ALL except Flash Wear-Out Counters Reset (ID=15) and Power Package Modified (ID=16) events

17

Remote Control Events

ALL

18

Redirection Manager Events

ALL

19

Firmware Update Manager Events

ALL

20

Security Audit Log Events

ALL

21

Network Time Events

ALL

22

Network Administration Events

NONE

23

Storage Administration Events

NONE

24

Event Manager Events

NONE

25

System Defense (SD) Manager Events

NONE

26

Agent Presence Manager Events

NONE

27

Wireless Configuration Events

NONE except Wireless profile modified (ID=3) and Wireless link preference changed (ID=4) events.

28

EAC Events

NONE

29

KVM Events

ALL

30

User Opt-In Events

ALL

31

Reserved

NONE

32

Screen Blanking

NONE

0 = start screen blanking

1= stop screen blanking

33

Watchdog Events (Implemented in Intel AMT Version 11.0)

NONE

 

 

Copyright © 2006-2022, Intel Corporation. All rights reserved.