Data delivered to EtherStat


The agent delivers the data to the EtherStat server in the following two cases:

1. Regularly, based on the configuration.

2. On an event that the EtherSensor Agent is configured to report.

Data sent regularly:

The list of equipment
It is only sent when the EtherSensor Agent is started; after that, only changes are delivered (triggered by a change event). This list contains data structures for the devices installed on the workstation. All equipment details are extracted from device Properties in Windows Device Manager using the corresponding WinAPI in the following format:

Device name.

Device description.

Manufacturer name.

Corresponding Device Id.

GUID Class of the device in the {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} format.

List of Hardware Ids of the device.

Name of the service with which the device communicates.

The list of installed applications and services
It is only sent when the EtherSensor Agent is started; after that, the data are only delivered in case of a change event. This list contains data structures for the software installed on the workstation. All software details are extracted from the Windows registry using WinAPI in the following format:

Product name.

Manufacturer name.

Current product version.

Product installation path.

The following registry keys are used to extract information:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_USERS\<each user SID subkey>\Software\Microsoft\Windows\CurrentVersion\Uninstall

OS details
Sent as configured by the OSMonitor configuration tag. These are the details of the Windows operating system installed on the workstation. They are extracted using the WinAPI:

Name, current version, type and status of the operating system.

Serial number in the XXXXX-XXXXX-XXXXX-XXXXX format.

Architecture (x86 or x64).

System and/or domain computer name.

Physical disk partition and directory of the operating system.

Date and time of the last system restart, and date of the last system update (or the OS installation date if no restart has been made yet). The current workstation time is also sent.

Model and manufacturer of the system board.

Number of physical and logical processors.

Size of the operating system paging file.

Network adapter details
Sent as configured by the NETMonitor configuration tag. A separate message containing the description and settings is created for each adapter. Network adapter details and configuration are extracted using the WinAPI and have the following format:

Adapter name.

Manufacturer name.

MAC address, IP addresses, subnet mask, DNS server settings, etc.

Network and/or domain computer name.

DHCP enabled flag.

Network adapter GUID.

Maximum data transfer rate of the network adapter (in bits per second).

Current load of the computer
These data are extracted using WinAPI and contain the following:

Current CPU load in percent.

Current RAM usage in percent.

Current HDD usage in percent.

Free HDD space.

Data sent on an event:

Changes in the list of installed software
This event is triggered when newly installed applications are detected or existing applications are removed from the workstation. Information on the software installed or removed is extracted from the Windows registry using WinAPI and has the following format:

Product name.

Manufacturer name.

Current product version.

Product installation path.
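The registry-based software inventory described above, and the snapshot comparison behind the "installed software changed" event, as an added PowerShell example (not EtherSensor's own code). It reads the same three Uninstall locations the agent uses and reports the four fields the agent sends; the field and function names are assumptions.

```powershell
# Added example (not EtherSensor's own code): enumerate installed software from the
# three Uninstall locations the agent reads, then diff two snapshots to see what an
# "installed software changed" event carries.
function Get-UninstallEntries {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    # HKEY_USERS has one Uninstall subtree per loaded user hive (SID subkey).
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $paths += Get-ChildItem 'HKU:\' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' } |
        ForEach-Object { "HKU:\$($_.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Uninstall" }

    foreach ($p in $paths) {
        Get-ChildItem $p -ErrorAction SilentlyContinue | ForEach-Object {
            $v = Get-ItemProperty $_.PSPath
            if ($v.DisplayName) {
                [pscustomobject]@{
                    Key          = $_.Name          # full key path, distinguishes HKLM/Wow6432Node/HKU copies
                    ProductName  = $v.DisplayName
                    Manufacturer = $v.Publisher
                    Version      = $v.DisplayVersion
                    InstallPath  = $v.InstallLocation
                }
            }
        }
    }
}

# Diff two snapshots: '=>' means present only in $After (installed),
# '<=' means present only in $Before (removed). Version is part of the
# identity so an upgrade shows up as a removal plus an installation.
function Compare-SoftwareSnapshot {
    param([object[]]$Before, [object[]]$After)
    Compare-Object -ReferenceObject @($Before) -DifferenceObject @($After) -Property Key, Version -PassThru |
        Select-Object @{n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'Installed' } else { 'Removed' } } },
                      ProductName, Manufacturer, Version, InstallPath
}

# Take a baseline now; compare against a fresh enumeration later.
$baseline = Get-UninstallEntries
$baseline | Export-Clixml "$env:TEMP\software-baseline.xml"
# Later:
# Compare-SoftwareSnapshot -Before (Import-Clixml "$env:TEMP\software-baseline.xml") -After (Get-UninstallEntries)
```

Per-user hives are only visible under HKEY_USERS while that user is logged on, so a comparison run under a different session can show a user's software as "removed" even though nothing changed on disk.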

Changes in the list of installed equipment
This event is triggered when a newly installed or removed device is detected on the workstation. All the equipment details are extracted from device Properties in Windows Device Manager using the corresponding WinAPI and have the following format:

Device name.

Device description.

Manufacturer name.

Corresponding Device Id.

GUID Class of the device in the {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} format.

List of Hardware Ids of the device.

Name of the service with which the device communicates.
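The equipment record described in the regular list and in the "equipment changed" event, as an added PowerShell example (not EtherSensor's own code). It builds the same seven fields from the Win32_PnPEntity CIM class, which exposes the Device Manager properties, and subscribes to Win32_DeviceChangeEvent so that device arrivals and removals produce a matching record; the function and variable names are assumptions, and the script is meant to be dot-sourced into an interactive session so the event action can see the function.

```powershell
# Added example (not EtherSensor's own code): per-device record in the agent's
# equipment-list format, plus a device-change subscription that reports which
# records appeared or disappeared. Dot-source this file (. .\equipment.ps1).
function Get-EquipmentList {
    Get-CimInstance -ClassName Win32_PnPEntity | ForEach-Object {
        [pscustomobject]@{
            DeviceName   = $_.Name
            Description  = $_.Description
            Manufacturer = $_.Manufacturer
            DeviceId     = $_.DeviceID
            ClassGuid    = $_.ClassGuid          # already in {xxxxxxxx-xxxx-...} form
            HardwareIds  = @($_.HardwareID)      # may be empty for some virtual devices
            Service      = $_.Service
        }
    }
}

# Last snapshot lives in the global scope so the event action can read and update it.
$global:LastEquipment = Get-EquipmentList

$action = {
    $now  = Get-EquipmentList
    # DeviceId is the stable identity; '=>' = new device, '<=' = device gone.
    $diff = Compare-Object -ReferenceObject @($global:LastEquipment) -DifferenceObject @($now) `
                           -Property DeviceId -PassThru
    foreach ($d in $diff) {
        $change = if ($d.SideIndicator -eq '=>') { 'Installed' } else { 'Removed' }
        Write-Host ('[{0}] {1}: {2} | {3} | class={4} | service={5}' -f `
            (Get-Date -Format s), $change, $d.DeviceName, $d.DeviceId, $d.ClassGuid, $d.Service)
    }
    $global:LastEquipment = $now
}

# Win32_DeviceChangeEvent EventType 2 = device arrival, 3 = device removal.
Register-CimIndicationEvent -Query 'SELECT * FROM Win32_DeviceChangeEvent WHERE EventType = 2 OR EventType = 3' `
                            -SourceIdentifier 'EquipmentChange' -Action $action | Out-Null
# Stop watching with: Unregister-Event -SourceIdentifier 'EquipmentChange'
```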

Process starts and stops associated with a TCP session
This event is triggered when a new process is detected or an existing process stops. When a new process is detected, the corresponding process data structure is sent with the following details:

Process name.

Command line with the arguments of the process.

Directory path of the process.

Process use time by the user.

The ProcessID, SessionID and ParentID identifiers.

When the process is stopped, the ProcessID and SessionID identifiers of the session created by the process are sent.

Data sent to the server when a user performs actions in the system:

When a user logs into the system:

Domain name to which the user belongs.

User account name.

SID - unique user ID in the operating system.

SessionID - session number on the computer.

Session type of the user at the workstation: console or rdp.

Date and time when the user logged into the system.

When a user logs out of the system:

SID - unique user ID in the operating system.

SessionID - session number on the computer.

Date and time when the user logged out of the system.

When a user account is locked or unlocked:

SID - unique user ID in the operating system.

SessionID - session number on the computer.

When the active window is changed:

Current window title.

ID of the owner process of the window.