Syslog messages that do not have an assigned event are logged using one of six generic event IDs:
- SYSTEM
- KERNEL
- PFE
- PIC
- LCC
- SCC
This event ID must be known if you wish to create an event policy that triggers on the syslog message; however, the pseudo-event ID is unfortunately not recorded in the syslog, so it can be difficult to determine what the correct ID is.
To help with this problem, see the event script (capture-pseudo-events.slax) described on this page: Identifying the Correct Pseudo-Event ID