Data Classification Suite for

Windows (On-premises)
5.1
Event Logging User Guide
Copyright Terms and Conditions

Copyright © Fortra, LLC and its group of companies. All trademarks and registered trademarks are the property of their respective
owners.
The content in this document is protected by the Copyright Laws of the United States of America and other countries worldwide.
The unauthorized use and/or duplication of this material without express and written permission from Fortra is strictly prohibited.
Excerpts and links may be used, provided that full and clear credit is given to Fortra with appropriate and specific direction to the
original content.
202410221023
Table of Contents

About this guide 5

Audience 5

Client Auditing 6

Configure maximum sizes for Loggers 6

About Event Logging 6

Enable/disable Client Loggers 7

Filter Event Logging on client machines 7

About the Text File Logger 10

About the Windows Event Log Logger 10

About the Analytics Collector Logger 12

About the Syslog Server Logger 12

About the McAfee Logger 12

Event Logging 13

Common parameters 13

Common parameters for DCS for Outlook Events 15

Common parameters for DCS for Office Events 17

Common parameters for DCS for Desktop Events 18

Service Start & Stop operations 19

Event and Policy processing 31

Common parameters for Action Events 53

Events for Specific Action types 54

Event Logging User Guide www.fortra.com page: 3

Table of Contents

Logging information 78

Contacting Fortra 80

Event Logging User Guide www.fortra.com page: 4

 About this guide / Audience

About this guide

This document includes a list of the Event IDs that are available for the Fortra's Data
Classification Suite (DCS) Administration Console (On-premises) and the suite of products
including Fortra's DCS for Outlook (On-premises),Fortra's DCS for Office (On-premises), and
Fortra's DCS for Desktop (On-premises).

This guide:

l explains how to configure Event Logging on client machines

l describes the various loggers
l describes the location of the loggers and how to configure a maximum size
l lists the DCS for Windows Event IDs

Audience
This guide is for administrators who want to configure or use Event IDs to learn more about
the Fortra's Data Classification Suite (DCS) for Windows (On-premises). These Event IDs are
useful for troubleshooting and for refining Policies.

Event Logging User Guide www.fortra.com page: 5

 Client Auditing / Configure maximum sizes for Loggers

Client Auditing
Logging can be enabled or disabled for the various available loggers.

Logging severities can also be selected for each logger.

Maximums can be defined for each logger to ensure that the file size of logging data is kept
within an acceptable range for your organization.

Configure maximum sizes for Loggers

You can configure maximum sizes for the supported logging mechanisms. Fortra does not
send logging information to the Configuration database.

Logging memory requirements are variable and depend upon whether you are logging to the
client or DCS Administration Console or both, and which logging method you choose (file,
Windows Events Log, ePO, or Syslog).

NOTE: The volume of logging information generated is dependent on user activity. The
size of the logs depends on the volume of emails, documents, and files classified and
the number of Policies that are applied as these items are generated and shared. The
logging level will also impact the size of log.

About Event Logging

Event Logging can be used to log:

l user activity
l service activity related to DCS for Windows applications

The Administrator can set up direct logging so that logging information is sent to selected
users.

The following diagram illustrates the recommended Event Logging configuration. See
Enable/disable Client Loggers on page 7 for more information.

The Client machines log directly to the McAfee and Syslog central logging servers.

Event Logging User Guide www.fortra.com page: 6

 Client Auditing / Enable/disable Client Loggers

Enable/disable Client Loggers

1. Select the System Settings tab.
The System Settings page appears.
2. Select Client Auditing to configure the logging behavior on client machines.
3. Click the check boxes to select the Loggers you want to enable. Clear the check
boxes you want to disable.
l See About the Text File Logger on page 10 for more information about the Text File
Logger.
l See About the Windows Event Log Logger on page 10 for more information about
the Windows Event Log Logger.
l See About the Analytics Collector Logger on page 12 for more information about the
Analytics Collector Logger.
l See About the Syslog Server Logger on page 12 for more information about the
Syslog Server Logger.
l See About the McAfee Logger on page 12 for more information about the McAfee
Logger.

Filter Event Logging on client machines

Event Logging User Guide www.fortra.com page: 7

 Client Auditing / Filter Event Logging on client machines

By default, all Events are reported in Event logs. The size of log files and the total volume of
logged information depends on user activity. Each email, document, or file that is classified
and each Policy that is applied increases the volume of logged information. Over time,
logged information can take up a significant amount of disk space.

Depending on your organization’s requirements, some of this logged information may be

unnecessary or unwanted. To reduce the volume of logged information, you can control the
types of Events that are logged as well as the Event parameters that are logged for each
Event.

View Events in System Settings

All logged Events are listed in the Administrator Console under System Settings > Client
Auditing. The Event list can be filtered according to Event Code, Event Name, Severity, or
Group. Filtering is useful if you want to view a specific Event or subset of Events.

1. Select the System Settings tab from the top menu bar.
2. Select Client Auditing from the System Settings menu bar on the left side of the
screen.
3. Select the Events tab (selected by default).
4. Click the Filter icon to the right of the filter you want to apply (Event Code, Event
Name, Severity, or Group).
5. Specify the filter details in the dialog box that appears then click the Filter button.
6. Repeat for any additional filters you want to apply.
NOTE: Ifyou apply more than one filter, subsequent filters will be applied to the results of
the previous filters. To clear a filter, click the Filter icon, then click the Clear button in
the dialog box that appears.

Filter Notes
Event Filter by Event Code. Select an operator (“Equal to”, “Greater than”, or “Less
Code than”) then enter the Event number.
Event Filter by Event Name. Select an operator (“Starts with” or “Contains”) then
Name specify the partial or complete Event name.
Severity Filter by the severity of the Event. Select one or more of the following:

l Informational
l Alert
l Error
l Warning

Event Logging User Guide www.fortra.com page: 8

 Client Auditing / Filter Event Logging on client machines

Filter Notes
Group Filter by the Group to which the Event belongs. Select one or more of the
following:

l Service Health
l Policy Execution Basics
l Policy Execution Details
l Downgrade & Upgrade
l Object Classified
l Other
l Interoperation
l Patrol

Exclude Events from Event Logs

All Events are logged by default. The inclusion/exclusion of Events can be configured either
by:

l locating the Events to be excluded in the Event list, then clear each unwanted Event
in the “Included” column
l clearing “Included” in the table header, then checking only those Events you want to
include in the Event logs

Excluding Event parameters (properties) from Event Logs

All Event parameters (properties) are logged by default. To exclude unnecessary or
unwanted parameters:

1. Select the System Settings tab from the top menu bar.
2. Select Client Auditing from the System Settings menu bar on the left side of the
screen.
3. Select the Properties tab.
4. Expand the folder containing the parameters you want to exclude.
5. Clear the parameters to be excluded from logging.
NOTE: You cannot exclude certain parameters from Event logging, including: the
computer, the computer’s IP address, the date, the user, the EventID, the type, the
severity, and the source.

Event Logging User Guide www.fortra.com page: 9

 Client Auditing / About the Text File Logger

About the Text File Logger

When this local file logging method is enabled, the Titus.AuditLogs.log file contains all the
log information that is also found in the Windows Event Logs.

Text File logging is enabled by default in the DCS Administration Console.

The applications also generate debug logs. For more information, see Logging information
on page 78.

Text File Log location

The Text File log can be found in the following location:
%programdata%\TITUS\Titus.AuditLogs.log.

Configure the maximum size for the Text File Logger

The maximum size of the Text File Log file can be configured by editing the
Titus.Enterprise.Client.Service.exe.config file.

1. Go to C:\Program Files\Titus\Titus Services\EnterpriseClientService.

2. Open Titus.Enterprise.Client.Service.exe.config in a text editor.
3. Change the following values:
l maxSizeRollBackups
l maximumFileSize
4. Save the file.

About the Windows Event Log Logger

The Windows Event Log is the primary storage mechanism for audit logs, and is enabled by
default for Client Auditing.

Windows Event Log location

1. Open Event Viewer.
2. Cclick Applications and Services Logs on the left side menu.

Event Logging User Guide www.fortra.com page: 10

 Client Auditing / About the Windows Event Log Logger

3. Select TITUS and the Operational sub-folder to view the Event Logs.

Configure the maximum size for the Windows Event Logger

The maximum size of the Windows Event Log file is configurable. The maximum size of the
Event Log is 1 MB by default. 1 MB may not be sufficient for logging on behalf of multiple
clients.

The following link describes how to update the maximum size of the Windows Event Log
file:

http://technet.microsoft.com/en-us/library/cc748849.aspx

Event Logging User Guide www.fortra.com page: 11

 Client Auditing / About the Analytics Collector Logger

About the Analytics Collector Logger

The log events, generated on DCS clients when the Analytics Collector is enabled, are stored
in the DCS Analytics Collector database. This database is created, and its location defined
when you install the DCS Analytics Collector.

The size of the database is determined by the selected Event IDs and the parameters of the
Events. These can be enabled or disabled. See Filter Event Logging on client machines on
page 7 for more information.

About the Syslog Server Logger

Syslog Server location
The location of the Syslog Server logs is specified in the Syslog settings. A Server and port
number are required.

Configure the maximum size for the Syslog Server Logger

The logging configuration for the Syslog Server depends upon the specific Syslog Server in
use in your organization. The relevant Syslog Server documentation would provide the
necessary information about configuring log maximums and roll-over if implemented.

About the McAfee Logger

Fortra supports logging entries into the McAfee ePO Server.

McAfee Log location

The location of the McAfee log is defined during the McAfee set up process. The
applications can be configured to send logs to the McAfee Agent installed on the same
system.

Configure the maximum size for the ePO Logger

For information on maximum size for the ePO Logger, contact McAfee support.

Event Logging User Guide www.fortra.com page: 12

 Event Logging / Common parameters

Event Logging
DCS for Windows logs Client applications and Titus Services.

Common parameters
Each Event Log contains the following parameters. These parameters display the output for Windows Event Logs. The
output format and content may vary amongst the other logging output targets.

Name Description Sample Data

Date Data and time that the log entry Date="2014-11-19T16:19:24Z"
was created.
Displayed in an ISO standard format, with the time zone specified.
EventId Numeric event type identifier. EventId="2260"
EventType Textual identifier of the event type. EventType="Run Document Inspector"
Severity Describes the severity of the log Level="Informational"
entry.

Event Logging User Guide www.fortra.com page: 13

 Event Logging / Common parameters

Name Description Sample Data

Source Software component which Source=“DCS for Outlook”
generated the event.
When logging to Windows Event server this maps to “Provider name".

Possible values include:

l DCS for Outlook

l DCS for Office
l DCS for Desktop
l Audit
l Management
l Metadata
l Policy
l Settings
l Admin
l Client
Computer The client machine name Machine="Alice-MCH625"
User User credential or user context SAMPLECorp\Alice.Smith
identity for this log entry.
The user name is displayed for messages that are a result of a user action (e.g.
email sent). For messages about service start or stop the account for the service is
displayed.
ComputerIPv4Address The computer which generated the IPV4="10.10.10.200"
event.
This provides useful information when a computer can connect from different
locations.

Event Logging User Guide www.fortra.com page: 14

 Event Logging / Common parameters for DCS for Outlook Events

Name Description Sample Data

ComputerIPv6Address The computer which generated the IPV6="fe80::5ac:5bd1:3590:c711%25"
event.
This provides useful information when a computer can connect from different
locations.
MachineOS This is not logged in file logs, but Windows 8.1
previously we did log it to EPO.
McAfeeProductCode S_TCD4300
Configuration Name of the Configuration file MyCompany
targeted to the current user.
ItemType Using the values currently used in Enumeration
equivalent ECA property:
messageType

Common parameters for DCS for Outlook Events

Each DCS for Outlook Event contains the following parameters in addition to the items listed in Common parameters on
page 13.

Name Description Sample Data

EmailSubject Email message subject. Meeting Notes
EmailSender Email address of message sender. [email protected]
MailUser The Microsoft Outlook authenticated user. Domain\Alice.Smith
ItemType Using the values currently used in enumeration
equivalent ECA property: messageType

Event Logging User Guide www.fortra.com page: 15

 Event Logging / Common parameters for DCS for Outlook Events

Name Description Sample Data

ItemID The ItemID is unique to each machine. It is 3f716f33-145d-46a1-bd9a-888ab27fbc77
generated by Fortra and stored with the
message. The ItemID is a GUID (Globally
Unique Identifier).
Recipients The following information is captured for <Recipients><Recipient RecipientType="To" Name="[email protected]"
this parameter: Address="[email protected]" /></Recipients>

Properties per Recipient:

l RecipientType: { TO, CC, BCC }

l Name: Alice Smith”
l Address:
[email protected]
l isDL (Is Distribution List) Boolean
Attachments Properties per Attachment: <Attachments>

Name : File name with extension <Attachment Name=”filename.extension” DisplayName=”display name” />

DisplayName: file name </Attachments>

Attachments The name of the attachment including the <Attachments><AttachmentFileName1=”filename.extension”/>
file extension.
Configuration Name of the Configuration file targeted to MyCompany
the current user.
Production The edition of the DCS software Military
Edition (Professional or Military)

Event Logging User Guide www.fortra.com page: 16

 Event Logging / Common parameters for DCS for Office Events

Name Description Sample Data

Metadata The metadata assigned to the email <metadata xmlns:m="http://www.titus.com/ns/" id="6b6c8e90-f0ba-4a1a-808c-
message. The Id is a unique Id for this set 9c11f4768463"><m:Classification
of metadata. value="Internal"><alt>Classification=Internal</alt></m:Classification><m:MultiSelect
value="Can"><alt>MultiSelect=Can</alt></m:MultiSelect></metadata>

Common parameters for DCS for Office Events

Each DCS for Office Event contains the following parameters in addition to the items listed in Common parameters on page
13.

Name Description Sample Data

HostProduct This parameter is generated not only on start-up because the log can Microsoft Word
apply to Word, Excel, PowerPoint
HostProductVersion Version of Microsoft Office Product OfficeProductVersion
ItemType Using the values currently used in equivalent ECA property: Enumeration
messageType
ItemID The ItemID is a GUID for each document. It is generated by Fortra and {{Document ID}}
stored with the file.
Configuration Name of the Configuration targeted to the current user MyCompany
FileName Name of the Microsoft Office document. Sample.docx
Path Reader can infer the fully qualified name as a concatenation of path & C:\USERS\Alice (not including the file name)
filename.

Event Logging User Guide www.fortra.com page: 17

 Event Logging / Common parameters for DCS for Desktop Events

Name Description Sample Data

Metadata The metadata assigned to the email message. The Id is a unique Id for <metadata xmlns:m="http://www.titus.com/ns/"
this set of metadata. id="6b6c8e90-f0ba-4a1a-808c-9c11f4768463">
<m:Classification value="Internal">
<alt>Classification=Internal</alt>
</m:Classification><m:MultiSelect
value="Can"><alt>MultiSelect=Can</alt>
</m:MultiSelect></metadata>

Common parameters for DCS for Desktop Events

Each DCS for Desktop Event contains the following in addition to the items listed in Common parameters on page 13.

Name Description Sample Data

ItemType Using the values currently used in equivalent ECA property: Enumeration
messageType
ItemID The ItemID is unique to each machine. It is generated by Fortra and {{Document ID}} (a GUID)
stored with the file.
FileName Name of the file. Sampledocument.pdf
Path Reader can infer the fully qualified name as a concatenation of path C:\USERS\Alice\.....(not including the filename)
& filename
Configuration Name of the Configuration targeted to the current user. MyCompany
Metadata Metadata applied to the document. <metadata xmlns:m="http://www.titus.com/ns/"
id="6b6c8e90-f0ba-4a1a-808c-9c11f4768463">
<m:Classification value="Internal">
<alt>Classification=Internal</alt>
</m:Classification><m:MultiSelect
value="Can"><alt>MultiSelect=Can</alt>
</m:MultiSelect></metadata>

Event Logging User Guide www.fortra.com page: 18

 Event Logging / Service Start & Stop operations

Service Start & Stop operations

The 1000 series of Event IDs identify service events not related to Policy processing.

Application Event Type Event Description (Not Severity When Logged Parameters & Notes
Source ID Logged)
Audit Log Started 1000 Service/ Product Information When a piece of Data Common Parameters
Service started Classification software
successfully starts. Common Email
Management Parameters if the
Service source=DCS for
Outlook
Metadata
Service Common Office
Parameters if the
Policy Service source=DCS for Office

Settings Common File

Service Parameters if the
source=Patrol
DCS for
Outlook HostProduct (when
source is DCS for
DCS for Office)
Office

Patrol (Part
of DCS for
Desktop)

Event Logging User Guide www.fortra.com page: 19

 Event Logging / Service Start & Stop operations

Application Event Type Event Description (Not Severity When Logged Parameters & Notes
Source ID Logged)
Audit Log NotStarted 1001 Startup failed Alert See 1000 – started. Common Parameters
Service
If the software repeatedly Error=<error
Management tries & fails to start this may message>
Service get logged many times in
succession. DCS for Office
Metadata
Service Including a start failure due DCS for Desktop
to dependencies.
Policy Service DCS for Outlook

Settings
Service

Data Service

DCS for
Office

DCS for
Desktop

DCS for
Outlook

Event Logging User Guide www.fortra.com page: 20

 Event Logging / Service Start & Stop operations

Application Event Type Event Description (Not Severity When Logged Parameters & Notes
Source ID Logged)
Audit Log Stopped 1003 Service stopped Information When a piece of Data Common Parameters
Service Classification software
stops. HostProduct (when
Management source is DCS for
Service Office)

Metadata
Service

Policy Service

Settings
Service

Data Service

DCS for
Office

DCS for
Outlook

Patrol (Part
of DCS for
Desktop)

Event Logging User Guide www.fortra.com page: 21

 Event Logging / Service Start & Stop operations

Application Event Type Event Description (Not Severity When Logged Parameters & Notes
Source ID Logged)
DCS for ServiceResponseFailure 1010 Service Response Error When one of the sources Common Parameters
Outlook Failure calls to a Service and
doesn’t get a satisfactory Common Email
DCS for response. Parameters if the
Office source=DCS for
Once these start you may Outlook
DCS for get many of them until the
Desktop problem is resolved Common Office
Parameters if the
Patrol (Part source=DCS for Office
of DCS for
Desktop) Common File
Parameters if the
source=DCS for
Desktop

URL=<url> (includes
service name)

Error=<message>
Management ServiceNot 1011 Service is not Alert When the management Common Parameters
Service Installed installed service detects that another
service is not installed. ServiceName=<name>
Health
Service Once these start you may
get many of them until the
HealthTask problem is resolved

Event Logging User Guide www.fortra.com page: 22

 Event Logging / Service Start & Stop operations

Application Event Type Event Description (Not Severity When Logged Parameters & Notes
Source ID Logged)
Management ProductNot 1012 One component is Alert See 1000 – started. Common Parameters
Service Started reporting that
(Admin another component One ServiceNot ProductName=<nam
console only) is not successfully Started (or NotStarted) e> (name of the Data
started message can be expected Classification
DCS for instead of a Started component, or other
Outlook message if the start fails for service we depend on
some reason. which is not started)
DCS for
Office If the software repeatedly Error=< message >
tries & fails to start this may (this parameter is
DCS for get logged many times in optional, include it if
Desktop succession. you have something
helpful to explain why)
Health
Service

HealthTask
Management ServerNotFound 1013 Server Not Found Warning Common Parameters
Service
(shared server not Server=<url>
found)
Management ServerFound 1014 Server Found Information Common Parameters
Service
Server=<url>

Event Logging User Guide www.fortra.com page: 23

 Event Logging / Service Start & Stop operations

Application Event Type Event Description (Not Severity When Logged Parameters & Notes
Source ID Logged)
Management ProductDisabled 1015 Product Disabled Alert This is logged when some Common Parameters
Service piece of Data Classification
(DCS for software detects that a ProductName={DCS
DCS for Outlook/DCS for Product= {DCS for Office, for Office, DCS for
Office Office/Patroldisable DCS for Outlook, Patrol} is Outlook, DCS for
d) disabled as an add-in. it may Desktop (Patrol)}
DCS for be the product itself which
Outlook detects it or the HostProduct (when
management service. “Product” = DCS for
DCS for Office)
Desktop and Once this happens it is likely
Patrol to get logged frequently until
the problem is resolved.
HealthService

HealthTask

Client Service
HealthService ProductRestarted 1016 One component has Information This is logged when one Common Parameters
successfully component has detected
HealthTask restarted another that another is disabled (or ProductName=<name
stopped in the case of a of restarted
Client Service service) , and then component>
successfully restarts it

Event Logging User Guide www.fortra.com page: 24

 Event Logging / Service Start & Stop operations

Application Event Type Event Description (Not Severity When Logged Parameters & Notes
Source ID Logged)
HealthService UnexpectedProductModificati 1017 One component has Alert This is logged when one Common Parameters
on detected an attempt component has detected
Management to modify another that another has been ProductName=<name
Service product modified, probably in its of stopped
registry level configuring. component>
This is only used for
unacceptable modifications, Error=<explanatory
which could be evidence of message>
an insider threat, or poor
system administration.
DCS for ProductResponding 1018 Product Response Information When one of those sources Common Parameters
Outlook Success calls to another component
(usually a service) and does ProductName=<name
DCS for get a satisfactory response. of called component>
Office This should only be logged
once in the restart process
DCS for
Desktop
Management Error 1020 Software has Error Whenever one of these Common Parameters
Service encountered an error services encounters an
error, other than an error Error=<message>
covered by one of the other
more specific event codes. Path=<folder path>
Optional, used where
the error involves a
directory
Settings DataFolderSetError 1021 Alert Common Parameters
Service

Event Logging User Guide www.fortra.com page: 25

 Event Logging / Service Start & Stop operations

Application Event Type Event Description (Not Severity When Logged Parameters & Notes
Source ID Logged)
Management ConfigurationVersionChecked 1023 The desktop has Information This is logged whenever the Common Parameters
Service checked a LAN/http local services reach out to
location to see if check the TCPG file on a LastModifiedDate=tim
there is a new shared file server or web estamp of last update
configuration file server. It is also logged to configuration file.
when the local TCPG file is
checked to be an accurate
copy of the LAN version.

The frequency of this

matches the checking
frequency configured in the
Admin Console System
Settings.
Management ConfigurationUpdated 1024 The desktop has Information Common Parameters
Service successfully updated
the configuration file PreviousModifiedDate
form a LAN/http =timestamp of last
location update to replaced
configuration file.

LastModifiedDate
=timestamp of last
update to new
configuration file.

Event Logging User Guide www.fortra.com page: 26

 Event Logging / Service Start & Stop operations

Application Event Type Event Description (Not Severity When Logged Parameters & Notes
Source ID Logged)
Management ConfigurationUpdateFailed 1025 If the update was Error Common Parameters
Service attempted, but failed
for some reason, like OldVersion = Schema
insufficient disc version number of
space. current configuration
file

NewVersion=Schema
version number of new
configuration file.

PreviousModifiedDate
=timestamp of last
update to replaced
configuration file.

LastModifiedDate
=timestamp of last
update to new
configuration file.

Event Logging User Guide www.fortra.com page: 27

 Event Logging / Service Start & Stop operations

Application Event Type Event Description (Not Severity When Logged Parameters & Notes
Source ID Logged)
Management NoConfigurationForUser 1026 A Configuration file is Error This would be logged when Common Parameters
Service downloaded and a user starts working with
working, but no DCS for Office, DCS for LastModifiedDate
DCS for Configuration is Desktop. DCS for Outlook =timestamp of last
Outlook found for the current but the current configuration update to
user file doesn’t contain a configuration file.
DCS for configuration targeted to
Office that user name.

DCS for
Desktop

Patrol (Part
of DCS for
Desktop)

Event Logging User Guide www.fortra.com page: 28

 Event Logging / Service Start & Stop operations

Application Event Type Event Description (Not Severity When Logged Parameters & Notes
Source ID Logged)
Management ConfigurationFileDownloaded 1027 A new version of the Informational A new version of the Common parameters
Service configuration file has configuration file has been
been downloaded found and downloaded. The LastModifiedDate
overall sequence is: =timestamp of last
update to new
ConfigurationVersionCheck downloaded
ed configuration file.

(if newer file available then:

ConfigurationFileDownloade
d

Then either

ConfigurationUpdated

Or

ConfigurationUpdateFailed)
Management ConfigurationFileGenerated 1028 Informational Generated when new empty Common parameters
Service TITUS.TCPG is auto-
generated by client service OldVersion= date/
due to invalid TITUS.TCPG timestamp of last
configuration file

Event Logging User Guide www.fortra.com page: 29

 Event Logging / Service Start & Stop operations

Application Event Type Event Description (Not Severity When Logged Parameters & Notes
Source ID Logged)
Client Service ProductReenabled 1030 DCS for Outlook/DCS Informational When the add-in was Common Parameters
for Office re-enabled disabled somehow, and was
DCS for automatically then re-enabled by our client ProductName={DCS
Office service or our repeating for Office, DCS for
watcher task. The source is Outlook, DCS for
DCS for the piece of software which Desktop}
Outlook did the re-enabling
(Product name is the
name of the PEP
which was re-enabled)
Client Service ProductRe- 1031 DCS for Outlook/DCS Error When the add-in was Common Parameters
enableFailed for Office Re-enable disabled somehow, and a re-
DCS for was attempted, but enable was attempted by ProductName={DCS
Office failed our client service or our for Office, DCS for
repeating watcher task, but Outlook, DCS for
DCS for failed. The source is the Desktop}
Outlook piece of software which
attempted the re-enabling. (Product name is the
name of the PEP
which was attempted
to re-enable)

Error=<error
message>

Event Logging User Guide www.fortra.com page: 30

 / Event and Policy processing

Event and Policy processing

The 2000 series of Event IDs indicate Policy processing.

The 3000 series of Event IDs indicate user Responses to Warning Dialogs.

The 4000 series of Event IDs indicate events at the client application level with no clear lineage to Event-Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
Policy PolicyStarted 2000 Policy Request Successful Informatio This occurs when a Policy Common Parameters
Service n object is invoked due to an
Event. PolicyEvent=<event
name>

PolicyName=<policy
name>

Condition=<Boolean>

Transaction={id
number}

Event Logging User Guide www.fortra.com page: 31

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
Policy RuleStarted 2010 When a Rule is executed Informatio This occurs when a Rule object Common Parameters
Service repeatedly for all recipients n is invoked by a Policy Object.
or attachments this should Only when the Policy condition PolicyName=<policy
only be logged once is true and the conditions of name>
any rules higher in the hierarchy
are true. RuleName=<rulenam
e>
It is not guaranteed whether the
RuleStarted events will precede Condition=<Boolean>
or follow the associated Policy
Started event, but they will be Transaction = {id
connected by a common number}
Transaction ID.

Similarly it is not guaranteed

that Rule events within a Policy
will match the order of the tree
they were authored in
DCS for RMSOnChange 2042 A Policy has been Informatio See Event ID 2100 Common Parameters
Office triggered, and executed n
successfully that results in Common Action
a change to the RMS Parameters
template applied to a
document Common Office
Parameters if the
source=DCS for
Office

Event Logging User Guide www.fortra.com page: 32

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for ExternalProcessingAppliedOn 2450 An action of type External Informatio Common Parameters
Outlook Send processing was triggered n
and succeeded Common Action
Parameters

Common Email
Parameters
DCS for ExternalProcessingOnSendFai 2451 An action of type External Warning Common Parameters
Outlook led processing was triggered
but failed Common Action
Parameters

Common Email
Parameters
DCS for ExternalProcessingAppliedOn 2460 An action of type External Informatio Common Parameters
Office Save processing was triggered n
and succeeded Common Action
Parameters

Common Email
Parameters
DCS for ExternalProcessingOnSaveFail 2461 An action of type External Warning Common Parameters
Office ed processing was triggered
but failed Common Action
Parameters

Common Email
Parameters

Event Logging User Guide www.fortra.com page: 33

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for ObligationWarning 3001 The user chooses to Warning This occurs when the user Common Parameters
Outlook OverriddenWithJustification override one or more receives an Alert dialog in DCS
classification obligations for Outlook when they try to Common Email
(Downgrade/Upgrade/Cha override a classification Parameters
nge) and a Justification obligation when sending an
Reason was supplied. email. Justification=<drop
list and/or text entry>

If both a drop list

entry and a text entry
are used the two will
be concatenated
separated by “ : “
DCS for ReturnToMessage 3002 DCS for Outlook user Informatio Common Parameters
Outlook chooses to return to email n
message to correct policy Common Email
warning prior to sending Parameters
DCS for RemoveRecipients 3003 DCS for Outlook user Informatio Common Parameters
Outlook removes recipients who do n
not meet policy Common Email
requirements (e.g. Safe Parameters
Recipient)
In this case
Recipients list will
show the recipients
after the removal

Event Logging User Guide www.fortra.com page: 34

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for UpgradeToMatchAttachment 3004 DCS for Outlook user Informatio Common Parameters
Outlook decides to upgrade email n
message classification to Common Email
match attachment’s Parameters
classification (e.g.
Attachment Check policy) FieldName=name of
the metadata field
which was changed

OldValue=Metadata
field value before the
change

DCS for MessageCorrection 3005 DCS for Outlook user
Outlook decides to change email
message text when faced
with a policy warning
NewValue= Metadata
field value after the
change
Informatio This event is only logged on Common Parameters
n close of dialog/committed user
choice, not on every change in Common Email
the Select Dialog. Parameters

Event Logging User Guide www.fortra.com page: 35

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for DowngradeAllowed 3010 A downgrade (change of Informatio Common Parameters
Outlook field to a lower level) was n
allowed Common Email
DCS for Parameters if the
Office source=DCS for
Outlook
DCS for
Desktop Common Office
Parameters if the
Patrol source=DCS for
(Part of Office
DCS for
Desktop) Common File
Parameters if the
source=DCS for
Desktop

MetadataField =name
of the metadata field
which was changed

MetadataValueBefore
=Metadata field value
before the change

MetadataValueAfter =
Metadata field value
after the change

Event Logging User Guide www.fortra.com page: 36

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for DowngradePrevented 3011 A downgrade (change of Warning Common Parameters
Outlook field to a lower level) was
prevented Common Email
DCS for Parameters if the
Office source=DCS for
Outlook
DCS for
Desktop Common Office
Parameters if the
source=DCS for
Office

Common File
Parameters if the
source=DCS for
Desktop

Event Logging User Guide www.fortra.com page: 37

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for ChangeAllowed 3020 A change of field value Informatio Common Parameters
Outlook (where there is no level or n
order of sensitivity) was Common Email
DCS for allowed Parameters if the
Office source=DCS for
Outlook

Common Office
Parameters if the
source=DCS for
Office

MetadataField =name
of the metadata field
which was changed

MetadataValueBefore
=Metadata field value
before the change

MetadataValueAfter =
Metadata field value
after the
changeFieldName

Event Logging User Guide www.fortra.com page: 38

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for ChangePrevented 3021 A change of field value Warning Common Parameters
Outlook (where there is no level or
order of sensitivity) was Common Email
DCS for prevented Parameters if the
Office source=DCS for
Outlook

Common Office
Parameters if the
source=DCS for
Office

Event Logging User Guide www.fortra.com page: 39

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for UpgradeAllowed 3030 A upgrade (change of field Informatio Common Parameters
Outlook to a higher level) was n
allowed Common Email
DCS for Parameters if the
Office source=DCS for
Outlook
DCS for
Desktop Common Office
Parameters if the
Patrol source=DCS for
(Part of Office
DCS for
Desktop) Common File
Parameters if the
source=DCS for
Desktop

MetadataField =name
of the metadata field
which was changed

MetadataValueBefore
=Metadata field value
before the change

MetadataValueAfter =
Metadata field value
after the change

Event Logging User Guide www.fortra.com page: 40

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for UpgradePrevented 3031 A upgrade (change of field Warning Common Parameters
Outlook to a higher level) was
prevented Common Email
DCS for Parameters if the
Office source=DCS for
Outlook
DCS for
Desktop Common Office
Parameters if the
source=DCS for
Office

Common File
Parameters if the
source=DCS for
Desktop
DCS for UnhandledItemSent 4000 Unhandled Item sent Informatio When an unhandled item is Common Parameters
Outlook n sent from Microsoft Outlook.
e.g. Custom form Common Email
Parameters
DCS for EmailItemSent 4001 Mail Item sent Informatio When an email is sent from Common Parameters
Outlook n Microsoft Outlook (moves from
Outbox to Sent Items) Common Email
Parameters
This event is generated for new
emails, a reply or forward. The
event is also generated when
the items is sent from Drafts.

Event Logging User Guide www.fortra.com page: 41

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for MeetingItemSent 4002 Meeting Item sent Informatio When a meeting item is sent Common Parameters
Outlook n from Microsoft Outlook (moves
from Outbox to Sent Items) Common Email
Parameters
Could be a new meeting, could
be a change to invitees, title
etc.
DCS for AppointmentItemSent 4003 AppointmentItem Informatio When an Appointment item is Common Parameters
Outlook Sent n sent from Microsoft Outlook
(moves from Outbox to Sent Common Email
Items) Parameters

Could be a new appointment,

could be a change to invitees,
title etc.
DCS for ReportItemSent 4004 Report Item Sent Informatio When an Report item in Outlook Common Parameters
Outlook n is sent (moves from Outbox to
Sent Items).
DCS for PostItemSent 4005 Post Item Sent Informatio When a post item is sent Common Parameters
Outlook n (actually posted) from Outlook.
See Common Email
https://docs.microsoft.com/en- Parameters
us/office/vba/api/Outlook.Post
Item for details.
DCS for TaskRequestItemSent 4006 Task Request Item sent Informatio When a Task item is sent from Common Parameters
Outlook n Microsoft Outlook (moves from
Outbox to Sent Items). This Common Email
only occurs when you assign Parameters
the task to another person.

Event Logging User Guide www.fortra.com page: 42

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for TaskRequestAcceptItemSent 4007 Task Request Accept Item Informatio When a Task Request accept Common Parameters
Outlook sent n item is sent from Microsoft
Outlook (moves from Outbox to Common Email
Sent Items). This only occurs Parameters
when someone else assigns a
task to you and you Accept the
request.
DCS for TaskRequestDeclineItemSent 4008 Task Request Decline Item Informatio When a Task Request accept Common Parameters
Outlook sent n item is sent from Microsoft
Outlook (moves from Outbox to Common Email
Sent Items). This only occurs Parameters
when someone else assigns a
task to you and you Accept the
request.
DCS for TaskRequestUpdateItemSent 4009 Task Request Update Item Informatio When a Task Request Update Common Parameters
Outlook n item is sent from Microsoft
Outlook (moves from Outbox to Common Email
Sent Items). This only occurs Parameters
when someone else assigns a
task to you, and you Accept the
request, but then change some
detail (such as due date) and
send the update.
DCS for TaskItemSent 4010 Task Item Sent Informatio When a Task Item is sent from Common Parameters
Outlook n Microsoft Outlook (moves from
Outbox to Sent Items). Common Email
Parameters

Event Logging User Guide www.fortra.com page: 43

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for EmailPrinted 4011 printed as a user action Informatio When the user prints an email Common Parameters
Outlook n from within Microsoft Outlook.
This event is generated when it Common Email
DCS for is sent to the printer rather than Parameters if the
Office when it actually gets printed. source=DCS for
Outlook

Common Office
Parameters if the
source=DCS for
Office

Printer={printer
name/port}
DCS for SendPrevented 4012 Sending an email (or other Warning Sending an email (or other Common Parameters
Outlook Microsoft Outlook item) Microsoft Outlook item) was
was prevented prevented because the Service Common Email
layer is not Microsoft working parameters
well and is not available to
process policies and ensure
compliance.

Event Logging User Guide www.fortra.com page: 44

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for Save 4020 TCOOnBeforeSave Informatio When a Microsoft Office Common Parameters
Office n document Save is attempted.
This includes both manual save Common Office
and save invoked as a side Parameters
effect of Close.

A Save event is not logged

when editing a document from
a shared drive, such as
OneDrive, even if it is enabled in
System Settings. See
Enable/disable Client Loggers
on page 7
DCS for Verifying TrustedLabelsFailed 4021 Verifying Trusted Labels Error Common Parameters
Outlook Failed
Common Email
DCS for Parameters if the
Office source=DCS for
Outlook

Common Office
Parameters if the
source=DCS for
Office

Event Logging User Guide www.fortra.com page: 45

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for TrustedLabelFailure 4023 Trusted Labels unable to Error Common Parameters
Outlook be applied to
message/document. Common Email
DCS for Parameters if the
Office source=DCS for
Outlook

Common Office
Parameters if the
source=DCS for
Office
DCS for RMSActivityFailed 4024 DCS for Office Alert Error Common Parameters
Office
Common Office
parameters
DCS for Alert 4025 DCS for Office Alert Informatio Common Parameters
Outlook n
Common Email
DCS for Parameters if the
Office source=DCS for
Outlook

Common Office
Parameters if the
source=DCS for
Office

Event Logging User Guide www.fortra.com page: 46

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for SavePrevented 4026 Document Save was Warning Sending a Word Document (or Common Parameters
Office prevented other Microsoft Office
document) was prevented Common Office
because the Service layer is not parameters
working well and is not
available to process policies
and ensure compliance.
DCS for PrintPrevented 4027 Document Print was Warning Printing a Word Document (or Common Parameters
Office prevented other MS Office document) was
prevented because the Service Common Office
layer is not working well and is parameters
not available to process
policies and ensure
compliance.
DCS for UploadToCloud 4028 A document was saved to Informatio After the save/upload is Common Parameters
Office a cloud service (Box or n successfully completed.
Dropbox) successfully Common Office
When the save is done via a parameters
Box/Dropbox specific button,
not just saving it a synced local
folder.

Event Logging User Guide www.fortra.com page: 47

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for UploadToCloudFailed 4029 A document was saved to Warning After the save/upload is Common Parameters
Office a cloud service (Box or attempted but not successfully
Dropbox) but failed completed. Common Office
parameters
When the save is done via a
Box/Dropbox specific button,
not just saving it a synced local
folder.

LabelMappingSuccess
DCS for LabelMappingSuccess 4036 Informatio Common Parameters
Office n
Common Email
DCS for Parameters if the
Desktop source=DCS for
Outlook
DCS for
Outlook Common Office
Parameters if the
Metadat source=DCS for
a Service Office

Common File
Parameters if the
source=DCS for
Desktop

Event Logging User Guide www.fortra.com page: 48

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for SharepointMismatch 4037 SharePoint mismatch on Warning Common Parameters
Office server & document
properties Common Office
Parameters
DCS for MetadataAdded 4040 Metadata added Informatio A file which was not previously Common properties
Desktop n classified has had metadata for DCS for Desktop
successful added, via DCS for operations
Desktop.
<Transaction>
(common for many
files changed as a
single user action)
DCS for MetadataAddFailed 4041 Metadata add failed Error The user tried to add metadata Common Parameters
Desktop to a file which was not
previously classified via DCS Common properties
for Desktop. One possible for DCS for Desktop
reason is that the file was read- operations
only.
<Transaction>
(common for many
files changed as a
single user action)

Error=<id>

Event Logging User Guide www.fortra.com page: 49

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for MetadataUpdated 4050 Metadata updated Informatio A file which was previously Common Parameters
Desktop n classified has had metadata
successful changed, via DCS Common properties
for Desktop. for DCS for Desktop
operations

TransactionID
(common for many
files changed as a
single user action)
DCS for MetadataUpdateFailed 4051 Metadata update failed Error The user tried to update Common properties
Desktop metadata to a file which was for DCS for Desktop
previously classified via DCS operations
for Desktop. One possible
reason is that the file was read- TransactionID
only. (common for many
files changed as a
single user action)
DCS for AdditionalRecipients 4052 Additional recipients Informatio When an email or meeting Common Parameters
Outlook Record n invite is sent to many recipients
(~300) the list on the original Common Email
event is truncated to avoid Parameters
breaking a limit. This event
record is used to carry the
overflow from the preceding
send event.

Event Logging User Guide www.fortra.com page: 50

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for OPTIN 4060 User changed their opt-in Informatio Value=TRUE/FALSE
Outlook setting n
(the new value as set
DCS for by the user)
Office
Common Email
Parameters if the
source=DCS for
Outlook

Common Office
Parameters
DCS for AttachmentError 4070 Error occurred in Error An Error occurred in processing Common Parameters
Outlook processing an attachment an attachment, particularly
likely in processing Common Email
attachments within zip files. parameters

Error=<error
message>

Only data for the

Attachment which
caused the error, not
the other attachments
DCS for ExternalProcessingAppliedOn 4080 External processing was Informatio Common Parameters
Outlook Open implicitly invoked during a n
Microsoft Outlook open Common Email
operation, and succeeded. parameters

Event Logging User Guide www.fortra.com page: 51

 / Event and Policy processing

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for ExternalProcessingOnOpenFai 4081 External processing was Warning Common Parameters
Outlook led implicitly invoked during a
Microsoft Outlook open Common Email
operation, and succeeded. parameters
Patrol FolderDeleted 5001 A watched folder is deleted Warning This would happen in close to Common Parameters
(does not apply to sub- real time
folders)
Patrol FileNotProcessed 5002 A file is locked or some Warning This would happen in close to Common Parameters
other error occurs, real time
preventing classification or Path=<folder path>
protection
FileName=<unproces
sed file name>

Event Logging User Guide www.fortra.com page: 52

 / Common parameters for Action Events

Common parameters for Action Events

Name Description Sample
Data
PolicyName The Policy which invoked this action, via a Rule. Visual
Markings
RuleName The Rule which invoked this action. Apply
Internal
Watermark
ActionName The name of this Action object (there is no need to log the WM Internal
action type, it is implicit in the event ID & Event type.
Transaction In all cases the Transaction ID must match for the Policy {id number}
started event, the rules it invokes and the actions they
invoke.

The Transaction ID identifies a set of Policy, Rule and

Actions logs which stem from the same ever event &
policy.

Event Logging User Guide www.fortra.com page: 53

 / Events for Specific Action types

Events for Specific Action types

Each Action type generates an Information, Warning, or Error Event.

Event Logging User Guide www.fortra.com page: 54

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for Acknowledgement 2100 An Action of type Information When an Action Common
Outlook Acknowledgement has been of the named Parameters
triggered type has been
triggered. It is Common
not guaranteed Action
whether this Parameters
will appear
before or after
the RuleStarted
event for the
rule which
triggered the
action, but they
are connected
by the
Transaction ID
and Rule name.

It is not
guaranteed
that events for
multiple
Actions
invoked by a
Rule will be
logged in the
order they were
authored in.

Event Logging User Guide www.fortra.com page: 55

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for AddKeywords 2110 An Action of type Add Information See Event ID Common
Office Keywords has been triggered 2100 Parameters

Common
Action
Parameters

Common
Office
Parameters
DCS for AlertLogOnly 2120 An Action of type Alert has been Information See Event ID Common
Outlook triggered, the Author set 2100 Parameters
Severity is “Log only”
DCS for Common
Office Action
Parameters
DCS for
Desktop Common Email
Parameters if
the
source=DCS
for Outlook

Common
Office
Parameters if
the
source=
DCS for Office

Event Logging User Guide www.fortra.com page: 56

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for AlertWarning 2121 An Action of type Alert has been Warn See Event ID Common
Outlook triggered, the Author set 2100 Parameters
Severity is "Warn"
DCS for Common
Office Action
Parameters
DCS for
Desktop Common Email
Parameters if
the
source=DCS
for Outlook

Common
Office
Parameters if
the
source=
DCS for Office

Event Logging User Guide www.fortra.com page: 57

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for AlertPrevent 2122 An Action of type Alert has been Warning See Event ID Common
Outlook triggered, the Author set 2100 Parameters
Severity is “Prevent”
DCS for Common
Office Action
Parameters

Common Email
Parameters if
the
source=DCS
for Outlook

Common
Office
Parameters if
the
source=
DCS for Office
DCS for ApplyHeadersFooters 2130 An Action of type Apply Information See Event ID Common
Office Headers/Footers has been 2100 Parameters
triggered
Common
Action
Parameters

Common
Office
Parameters

Event Logging User Guide www.fortra.com page: 58

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for ApplyPortionMarking 2350 An Action of type Apply Portion Information See Event ID Common
Office Marking has been triggered 2100 Parameters

Common
Action
Parameters

Common
Office
Parameters

Event Logging User Guide www.fortra.com page: 59

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for RMSApplied 2140 An Action of type Apply RMS Information See Event ID Common
Outlook Policy has been triggered, and 2100 Parameters
executed successfully
DCS for Common
Office Action
Parameters
Patrol
(Part of Common Email
DCS for Parameters if
Desktop) the
source=DCS
for Outlook

Common
Office
Parameters if
the
source=
DCS for Office

Common
Desktop
Parameters if
the
source=Patrol

Event Logging User Guide www.fortra.com page: 60

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for RMSApplyFailed 2141 An Action of type Apply RMS Error See Event ID Common
Outlook Policy has been triggered, but 2100 Parameters
failed
DCS for Common
Office Action
Parameters
Patrol
(Part of Common Email
DCS for Parameters if
Desktop the
source=DCS
for Outlook

Common
Office
Parameters if
the
source=
DCS for Office

Common
Desktop
Parameters if
the
source=Patrol

Event Logging User Guide www.fortra.com page: 61

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for ApplyWatermark 2150 An Action of type Apply Information See Event ID Common
Office Watermark has been triggered 2100 Parameters

Common
Action
Parameters

Common
Office
Parameters
DCS for BCCAuditing 2160 An Action of type BCC Auditing Information See Event ID Common
Outlook has been triggered 2100 Parameters

Common
Action
Parameters

Common Email
Parameters
DCS for BodyTagging 2170 An Action of type Body Tagging Information See Event ID Common
Outlook has been triggered 2100 Parameters

Common
Action
Parameters

Common Email
Parameters

Event Logging User Guide www.fortra.com page: 62

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for ClassificationAlert LogOnly 2180 An Action of type Classification Information See Event ID Common
Outlook Alert has been triggered, the 2100 Parameters
Author set Severity is “log only”
Common
Action
Parameters

Common Email
Parameters
DCS for ClassificationAlertWarning 2181 An Action of type Classification Warning See Event ID Common
Outlook Alert has been triggered, the 2100 Parameters
Author set Severity is “Warning”
Common
Action
Parameters

Common Email
Parameters
DCS for ClassificationAlertPrevent 2182 An Action of type Classification Warning See Event ID Common
Outlook Alert has been triggered, the 2100 Parameters
Classification set Severity is
“PREVENT” Common
Action
Parameters

Common Email
Parameters

Event Logging User Guide www.fortra.com page: 63

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for ContentAlertLogOnly 2190 An Action of type Content Alert Information See Event ID Common
Outlook has been triggered, the Author 2100 Parameters
set Severity is “log only”
DCS for Common
Office Action
Parameters

Common Email
Parameters if
the
source=DCS
for Outlook

Common
Office
Parameters if
the
source=
DCS for Office

Event Logging User Guide www.fortra.com page: 64

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for ContentAlertWarning 2191 An Action of type Content Alert Warning See Event ID Common
Outlook has been triggered, the Author 2100 Parameters
set Severity is “Warning”
DCS for Common
Office Action
Parameters

Common Email
Parameters if
the
source=DCS
for Outlook

Common
Office
Parameters if
the
source=
DCS for Office

Event Logging User Guide www.fortra.com page: 65

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for ContentAlertPrevent 2192 An Action of type Content Alert Warning See Event ID Common
Outlook has been triggered, the Author 2100 Parameters
set Severity is “PREVENT”
DCS for Common
Office Action
Parameters

Common Email
Parameters if
the
source=DCS
for Outlook

Common
Office
Parameters if
the
source=
DCS for Office
DCS for CustomXHeader 2200 An Action of type Custom X- Information See Event ID Common
Outlook Header has been triggered 2100 Parameters

Common
Action
Parameters

Common Email
Parameters

Event Logging User Guide www.fortra.com page: 66

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for OutlookCategories 2210 An Action of type Outlook Information See Event ID Common
Outlook Categories has been triggered 2100 Parameters

Common
Action
Parameters
DCS for RecipientAlertLogOnly 2220 An Action of type Content Alert Information See Event ID Common
Outlook has been triggered, the Author 2100 Parameters
set Severity is “log only”
Common
Action
Parameters

Common Email
Parameters
DCS for RecipientAlertWarning 2221 An Action of type Content Alert Warning See Event ID Common
Outlook has been triggered, the Author 2100 Parameters
set Severity is “Warning”
Common
Action
Parameters

Common Email
Parameters

Event Logging User Guide www.fortra.com page: 67

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for RecipientAlertPrevent 2222 An Action of type Content Alert Warning See Event ID Common
Outlook has been triggered, the Author 2100 Parameters
set Severity is “PREVENT”
Common
Action
Parameters

Common Email
Parameters
DCS for RMSAction 2230 An Action of type RMS Action Warning See Event ID Common
Outlook has been triggered 2100 Parameters

Common
Action
Parameters

Common Email
Parameters
DCS for RemoveBookmarks 2240 An Action of type Remove Information See Event ID Common
Office Bookmarks has been triggered 2100 Parameters

Common
Action
Parameters

Common
office
Parameters

Event Logging User Guide www.fortra.com page: 68

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for RemoveRMSPolicy 2250 An Action of type Remove RMS Information See Event ID Common
Office from Documents has been 2100 Parameters
triggered
Common
Action
Parameters

Common
Office
Parameters
DCS for RunDocumentInspector 2260 An Action of type Run Information See Event ID Common
Office Document Inspector has been 2100 Parameters
triggered
Common
Action
Parameters

Common
Office
Parameters

Event Logging User Guide www.fortra.com page: 69

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for SetClassification 2270 An Action of type Set Information See Event ID Common
Office Classification has been 2100 Parameters
triggered
Patrol Common
(Part of Action
DCS for Parameters
Desktop)
Common
Office
Parameters if
the
source=
DCS for Office

Common
Desktop
Parameters if
the
source=Patrol
DCS for SetCustomProperties 2280 An Action of type Set Custom Information See Event ID Common
Office Properties has been triggered 2100 Parameters

Common
Action
Parameters

Common
Office
Parameters

Event Logging User Guide www.fortra.com page: 70

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for SetDocumentServerProperties 2290 An Action of type Set Document Information See Event ID Common
Office Server Properties has been 2100 Parameters
triggered
Common
Action
Parameters

Common
Office
Parameters
DCS for SetClassificationWarning 2311 An Action of type Set Message Warning See Event ID Common
Outlook Classification has been 2100 Parameters
triggered with warning if it fails
to set. Common
Action
Parameters

Common Email
Parameters
DCS for SetClassificationLogOnly 2310 An Action of type Set message Information See Event ID Common
Outlook Classification has been 2100 Parameters
triggered, with log only if it fails
to set. Common
Action
Parameters

Common Email
Parameters

Event Logging User Guide www.fortra.com page: 71

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for SetClassificationPrevent 2312 An Action of type Set message Warning See Event ID Common
Outlook Classification has been 2100 Parameters
triggered with prevent send if it
fails to set. Common
Action
Parameters

Common Email
Parameters
DCS for SMIMEApplied 2330 An Action of type S/MIME has Information See Event ID Common
Outlook been triggered 2100 Parameters

Common
Action
Parameters

Common Email
Parameters
DCS for SMIMEApplyFailed 2331 An Action of type S/MIME has Error See Event ID Common
Outlook been triggered, we were unable 2100 Parameters
to complete
Common
Action
Parameters

Common Email
Parameters

Event Logging User Guide www.fortra.com page: 72

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for SubjectLabeling 2340 An Action of type Subject Information See Event ID Common
Outlook Labeling has been triggered 2100 Parameters

Common
Action
Parameters

Common Email
Parameters
DCS for SystemNotification 2370 An Action of type System Information See Event ID Common
Outlook Notification has been triggered, 2100 Parameters
and succeeded
DCS for Common
Office Action
Parameters
DCS for SystemNotificationFailed 2371 An Action of type System Error See Event ID Common
Outlook Notification has been triggered, 2100 Parameters
but failed for some reason.
DCS for Common
Office Action
Parameters
DCS for
Desktop Error=<Error
message>

Event Logging User Guide www.fortra.com page: 73

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for TaskPaneAlert 2410 An Action of type Task Pane Information See Event ID Common
Office Alert has been triggered 2100 Parameters

Common
Action
Parameters

Common
Office
Parameters
DCS for MAPIProperty 2420 An Action of type MAPI Information See Event ID Common
Outlook Property has been triggered 2100 Parameters

Common
Action
Parameters

Common Email
Parameters
DCS for BoxMetadataApplied 2440 An action of type Add Box Information See Event ID Common
Office Metadata was triggered, and 2100 Parameters
succeeded
Common
Action
Parameters

Common
Office
Parameters

Event Logging User Guide www.fortra.com page: 74

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for BoxMetadataApplyFailed 2441 An action of type Add Box Warning See Event ID Common
Office Metadata was triggered, but 2100 Parameters
failed
Common
Action
Parameters

Common
Office
Parameters
DCS for OfficeAttachmentsProtectedOnSend 2470 An action of type Password- Information See Event ID Common
Outlook Protect Office Attachments was 2100 Parameters
triggered, and succeeded
Common
Action
Parameters

Common
Office
Parameters
DCS for OfficeAttachmentsProtectedOnSendFailed 2471 An action of type Password- Error See Event ID Common
Outlook Protect Office Attachments was 2100 Parameters
triggered, and failed
Common
Action
Parameters

Common
Office
Parameters

Event Logging User Guide www.fortra.com page: 75

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for AttachmentClassification 2472 An action of type Set Information See Event ID Common
Outlook Attachment Classifications was 2100 Parameters
triggered, and succeeded
Common
Action
Parameters

Common Email
Parameters
DCS for AttachmentClassificationFailed 2473 An action of type Set Error See Event ID Common
Outlook Attachment Classifications was 2100 Parameters
triggered, and failed
Common
NOTE: Thisevent is only Action
logged when DCS for Parameters
Outlook fails to classify any
attachments. Common Email
Parameters
DCS for CustomActionApplied 2480 A Custom Action was executed Information See Event ID Common
Outlook successfully. 2100 Parameters

DCS for Common

Office Action
Parameters
DCS for
Desktop

Event Logging User Guide www.fortra.com page: 76

 / Events for Specific Action types

Source Event Type Event Description (Not Logged) Severity When Logged Parameters
ID
DCS for CustomActionFailed 2481 A Custom Action was executed Error See Event ID Common
Outlook and returned False. 2100 Parameters

DCS for See the Fortra's Data Common

Office Classification Suite (DCS) for Action
Windows (On-premises) Parameters
DCS for Extensibility Guide for more
Desktop information.

Event Logging User Guide www.fortra.com page: 77

 / Logging information

Logging information
If you are experiencing problems with Data Classification, log into the Support Portal.

In order to resolve issues quickly and efficiently, Support will ask for a Client log, Services
logs from the Client machine, the Client Configuration file TITUS.tcpg, and any other
information that can help replicate the issue.

The following application logs can be used for troubleshooting purposes.

1. Click in the Ribbon for Microsoft Outlook or Microsoft Office.

OR
Right-click a file from the Windows Explorer menu for DCS for Desktop. If you are
using Windows 11, select Show more options when you right-click a file to classify it.
2. Select About.
3. Click View Log. If disabled, press Alt + l (lower case L).

Log locations
Client

Log Type Location

DCS for %localappdata%\TITUS\MessageClassification for Microsoft
Outlook Debug Outlook.htm
Log
DCS for Office %localappdata%\TITUS\Document Classification for Word.htm
Debug Log
%localappdata%\TITUS\Document Classification for PowerPoint.htm

%localappdata%\TITUS\Document Classification for Excel.htm

DCS for %localappdata%\TITUS\Classification for Desktop.htm
Desktop Debug
Log

Event Logging User Guide www.fortra.com page: 78

 / Logging information

Log Type Location

Patrol Debug %localappdata%\TITUS\FileWatcher.log
Log
Look for the following in the above log for information about which files
are being processed, which actions are being applied and the results:

Titus.FileWatcher.Bus.FileExaminedMessageHandler
Client Install %temp%
Debug Log
Search for any files beginning with “Titus”.
Titus Services %programdata%\TITUS\
Debug Log
Client %programdata%\TITUS\Titus.tcpg
Configuration
Debug Log

Administration Console

Log Type Location

Install Debug Log %temp%

Search for any files beginning with “Titus”.

Administration and Services Debug Log %programdata%\TITUS\

Search for any files with a LOG extension.

Event Logging User Guide www.fortra.com page: 79

 Contacting Fortra /

Contacting Fortra
Please contact Fortra for questions or to receive information about Data Classification Suite
for Windows (On-premises).

For additional resources, or to contact Technical Support, visit our website at

https://dataclassification.fortra.com/ or support.fortra.com. You can email Support at
[email protected].

Gather and organize as much information as possible about the problem including job/error
logs, screen shots or anything else to document the issue.

Event Logging User Guide www.fortra.com page: 80