30.16 Access Manager Audit Events and Data

This section contains all the audit events logged by Access Manager Appliance. Each event has EventID, Description, Originator Title, Target Title, Subtarget Title, Text1 Title, Text2 Title, Text3 Title, Value1 Title, Value1 Type, Group Title, Data Length, and Data Type values stored. Each field contains a single character token (such as B, U, Y, and so on) that represent the data fields of the audit event, with each letter representing a different data field. The mapping of the character tokens to data fields is found in the nids_en.lscfile.

Audit events are device-specific. You can select events for the following devices:

  • Administration Console: In Administration Console Dashboard, click Auditing.

  • Identity Server: Click Devices > Identity Servers > Edit > Auditing and > Logging.

  • Access Gateway: Click Devices > Access Gateways > Edit > Auditing.

JavaScript Object Notation (JSON) Event Format

Sample JSON Format

This event is generated when you select the Risk-Based Authentication Succeeded option under Audit Logging on the Logging page of an Identity Server configuration.

The following is a sample JSON event format of a Risk-Based authentication:

{
"appName" : "Novell Access Manager",
"Component" : "nidp",
"timeStamp" : "Fri, 31 Jul 2015 17:30:57 +0530",
"eventId" : "002E0025",
"Description": "NIDS: Risk based additional authentication executed successfully   for user",
"Originator": "9772686A5705BA6C",
"Target": "cn=admin,o=novell",
"SubTarget": "3883A05A302BA3BDC7899AF05810B08B",
"stringValue1": "35",
"stringValue2": "medium",
"stringValue3": "null",
"numericValue1": "0",
"numericValue2": "0",
"numericValue3": "0",
"Data": "MTY0Ljk5LjEzNy41Mg==",
"Message": "[Fri, 31 Jul 2015 17:30:57 +0530] [Novell Access Manager\nidp]: AMDEVICEID#9772686A5705BA6C: AMAUTHID#3883A05A302BA3BDC7899AF05810B08B: Risk based authentication successful for user: [cn=admin,o=novell]. RiskScore: [35] RiskLevel: [Medium] Additional authentication class: [$SF] Client IP Address: [164.99.137.52]",
}

NOTE:The IP address within the event is encoded in the base64 format.

The following table lists the event fields with its corresponding description:

Field

Description

appName

Specifies the name of the product.

Component

Specifies the name of the Access Manager component. For example, “nipd” identifies that the audit is triggered by Identity Server.

timeStamp

Specifies the time when the event occurred.

eventId

Specifies the event ID. For example, 002E0025. To view all the events and their corresponding event IDs, see the below sections.

Description

Describes the event.

Originator

Specifies the ID of the device that generated this event. For example, 9772686A5705BA6C is the device with ID “idp-9772686A5705BA6C”

Target

Specifies the target on which this action is executed. In the above example, the action is risk-based authentication, hence the target is the user id for which the risk was assessed.

SubTarget

Specifies the additional details about the target.

stringValue1

Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass.

stringValue2

Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass.

stringValue3

Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass.

numbericValue1

Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass.

numbericValue2

Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass.

numbericValue3

Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass.

Data

Specifies an event-specific data.

Message

Specifies a friendly detailed message related to the event.

NOTE:The Syslog agents use the following message format: rfc3164. For more information, see RFC 3164 documentation.

This section discusses the following audit events:

30.16.1 NIDS: Sent a Federate Request (002e0001)

This event is generated when you select the Federation Request Sent option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Sent a federate request.

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: LDAP Auth: User DN Other Auth: User GUID

SubTarget (Y): null

Text1 (S): null

Text2 (T): null

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.2 NIDS: Received a Federate Request (002e0002)

This event is generated when you select the Federation Request Handled option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Received a federate request.

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: LDAP Auth: User DN Other Auth: User GUID

SubTarget (Y): null

Text1 (S): Schema Title: Provider Identifier; Data Description: Service Provider ID

Text2 (T): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.3 NIDS: Sent a Defederate Request (002e0003)

This event is generated when you select the Defederation Request Sent option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Sent a defederate request.

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: LDAP Auth: User DN Other Auth: User GUID

SubTarget (Y): null

Text1 (S): Schema Title: Provider Identifier; Data Description: Service Provider ID

Text2 (T): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.4 NIDS: Received a Defederate Request (002e0004)

This event is generated when you select the Defederation Request Handled option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Received a defederate request

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: LDAP Auth: User DN Other Auth: User GUID

SubTarget (Y): null

Text1 (S): Schema Title: Provider Identifier Data Description: Service Provider ID

Text2 (T): null

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.5 NIDS: Sent a Register Name Request (002e0005)

Description: NIDS: Sent a register name request

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): null

Text1 (S): null

Text2 (T): null

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.6 NIDS: Received a Register Name Request (002e0006)

This event is generated when you select the Register Name Request Handled option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Received a register name request

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): null

Text1 (S): null

Text2 (T): null

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.7 NIDS: Logged Out an Authentication that Was Provided to a Remote Consumer (002e0007)

This event is generated when you select the Logout Provided option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Logged out an authentication that was provided to a remote consumer

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: LDAP Auth: User DN Other Auth: User GUID

SubTarget (Y): null

Text1 (S): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text2 (T): null

Text3 (F): null

Value1 (1): Schema Title: Timed Out Data Description: 0 = other reason 1 = timed out

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.8 NIDS: Logged out a Local Authentication (002e0008)

This event is generated when you select the Logout Local option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Logged out a local authentication

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: LDAP Auth: User DN Other Auth: User GUID

SubTarget (Y): null

Text1 (S): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:

Text2 (T): null

Text3 (F): null

Value1 (1): Schema Title: Timed Out Data Description: 0 = other reason 1 = timed out

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.9 NIDS: Provided an Authentication to a Remote Consumer (002e0009)

This event is generated when you select the Login Consumed option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Provided an authentication to a remote consumer

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN

SubTarget (Y): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text1 (S): Schema Title: Authentication Type Data Description: Authentication Profile

Text2 (T): Schema Title: Authentication Entity Name Data Description: Authentication Source

Text3 (F): Schema Title: Contract Class or Method Name Data Description: Authentication Contract URI

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): Schema Title: Client IP Address Description: IP Address of the host from which the authentication succeeded.

30.16.10 NIDS: User Session Was Authenticated (002e000a)

This event is generated when you select the Login Provided option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: User session was authenticated

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN

SubTarget (Y): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:) + IDP Ancestral session id if at all exists seperated by '-'

Text1 (S): Schema Title: Authentication Type Data Description: Authentication Profile

Text2 (T): Schema Title: Authentication Entity Name Data Description: Authentication Source

Text3 (F): Schema Title: User Agent and Cluster Name Data Description: User agent and cluster name of IDP seperated by '-'

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): Schema Title: Client IP Address Description: IP Address of the host from which the authentication succeeded.

30.16.11 NIDS: Failed to Provide an Authentication to a Remote Consumer (002e000b)

This event is generated when you select the Login Consumed Failure option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Failed to provide an authentication to a remote consumer

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN

SubTarget (Y): null

Text1 (S): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text2 (T): Schema Title: Provider Identifier Data Description: Service Provider ID

Text3 (F): Schema Title: Reason Data Description: Reason Message

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.12 NIDS: User Session Authentication Failed (002e000c)

This event is generated when you select the Login Provided Failure option under Audit Logging on the Logging page of an Identity Server configuration. Use the Description field and the Text3 (F) field to determine whether the failure came from a contract, SAML 1.1, SAML 2.0, or Liberty.

Description: NIDS: User session authentication failed. This string plus one of the following phrases: for a contract failure, Contract Execution; for a SAML 1.1 failure, SAML Assertion; for a SAML 2.0 failure, SAML2 SSO; for a Liberty failure, Liberty SSO.

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: Authentication Contract Name Data Description: Contract URI

SubTarget (Y): Schema Title: User Identifier Data Description: User DN

Text1 (S): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text2 (T): Schema Title: Reason Data Description: Reason Message

Text3 (F): Schema Title: Authentication Source Data Description: Contains a JSON object comprising information such as user agent, cluster ID for Identity Server, service provider name, and PID. For a contract, contains the authentication method name; for Liberty, contains the service provider IP; for SAML 1.1, contains the SAML assertion issuer; for SAML 2.0, contains the service provider IP.

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): Schema Title: Client IP Address Description: IP Address of the host from which the authentication failed.

30.16.13 NIDS: Received an Attribute Query Request (002e000d)

This event is generated when you select the Attribute Query Request Handled option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Received an attribute query request

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: LDAP Auth: User DN Other Auth: User GUID

SubTarget (Y): null

Text1 (S): Schema Title: Provider Identifier Data Description: Service Provider ID

Text2 (T): Schema Title: Attribute Names Data Description: Requested Attributes

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.14 NIDS: User Account Provisioned (002e000e)

This event is generated when you select the User Account Provisioned option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: User account provisioned

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Store Identifier Data Description: Displayable user name

SubTarget (Y): null

Text1 (S): Schema Title: User Identifier Data Description: Authentication User Name

Text2 (T): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.15 NIDS: Failed to Provision a User Account (002e000f)

This event is generated when you select the User Account Provisioned Failure option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Failed to provision a user account

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Store Identifier Data Description: Displayable User Name

SubTarget (Y): null

Text1 (S): Schema Title: User Identifier Data Description: Authentication User Name

Text2 (T): Schema Title: Reason Data Description: Reason Message

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.16 NIDS: Web Service Query (002e0010)

This event is generated when you select the Web Service Query Handled option under Audit Logging on the Logging page of an Identity Server configuration. Identity Server uses this event for two types of Web service queries:

  • Discovery: This is a query to discover a service. For this type of query, the Group (G) field is not used. For a remote query, the Data Description of the Value1 field is set to 0. For a local query, the Data Description of the Value1 field is set to 1.

  • Profile: This is a query to get attributes for a user from a profile (personal, credential, etc.). For this type of query, the Group (G) field contains a GroupingID for all attributes selected in the request. A separate event is generated for each attribute select list in the request. For a remote query, the Data Description of the Value1 field is set to 0. For a local query, the Data Description of the Value1 field is set to 1.

Description: NIDS: Web Service query

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN

SubTarget (Y): null

Text1 (S): Schema Title: Provider Identifier Data Description: Requesting Provider ID

Text2 (T): Schema Title: Select String Data Description: Requested attributes; select string

Text3 (F): Schema Title: Service Identifier Data Description: Web Service URI

Value1 (1): Schema Title: Local Data Description: 0 – Remote 1 – Local

Group (G): Schema Title: Query Group Data Description: If this is a profile query, it contains the grouping ID for all attributes selected in this request. Otherwise, this field is not used in the event.

Data Length (X): 0

Data (D): null

30.16.17 NIDS: Web Service Modify (002e0011)

This event is generated when you select the Web Service Modify Handled option under Audit Logging on the Logging page of an Identity Server configuration. Identity Server uses this event for two types of Web service modify requests:

  • Discovery: This is a request to discover a service to modify. For this type of request, the Group (G) field is not used. For a remote request, the Data Description of the Value1 field is set to 0. For a local request, the Data Description of the Value1 field is set to 1.

  • Profile: This is a request to modify the attributes of a user in a profile (personal, credential, etc.). For this type of request, the Group (G) field contains a GroupingID for all attributes selected in the request. A separate event is generated for each attribute select list in the modify request. For a remote request, the Data Description of the Value1 field is set to 0. For a local request, the Data Description of the Value1 field is set to 1.

Description: NIDS: Web Service modify

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN

SubTarget (Y): null

Text1 (S): Schema Title: Provider Identifier Data Description: Requesting Provider ID

Text2 (T): Schema Title: Select String Data Description: Modified attributes select string

Text3 (F): Schema Title: Service Identifier Data Description: Web Service URI

Value1 (1): Schema Title: Local Data Description: 0 – Remote; 1 – Local

Group (G): Schema Title: Modify Group Data Description: If this is a profile modify, it contains the grouping ID for each attribute select list in the request. Otherwise, this field is not used in the event.

Data Length (X): 0

Data (D): null

30.16.18 NIDS: Connection to User Store Replica Lost (002e0012)

This event is generated when you select the LDAP Connection Lost option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Connection to user store replica lost

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Store Replica Name Data Description: Replica name

SubTarget (Y): null

Text1 (S): Schema Title: User Store Replica Host Data Description: IP Address of User Store replica server

Text2 (T): null

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.19 NIDS: Connection to User Store Replica Reestablished (002e0013)

This event is generated when you select the LDAP Connection Reestablished option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Connection to user store replica reestablished

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Store Replica Name Data Description: Replica name

SubTarget (Y): null

Text1 (S): Schema Title: User Store Replica Host Data Description: IP Address of User Store replica server

Text2 (T): null

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.20 NIDS: Server Started (002e0014)

This event is generated when you select the Server Started option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Server started

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: Configuration Identifier Data Description: Configuration Object DN

SubTarget (Y): null

Text1 (S): Schema Title: Server Identifier Data Description: Unique server ID also used to create Liberty and SAML artifacts

Text2 (T): null

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.21 NIDS: Server Stopped (002e0015)

This event is generated when you select the Server Stopped option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Server stopped

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: Configuration Identifier Data Description: Configuration object DN

SubTarget (Y): null

Text1 (S): Schema Title: Server Identifier Data Description: Unique server ID also used to create Liberty and SAML artifacts

Text2 (T): null

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.22 NIDS: Server Refreshed (002e0016)

This event is generated when you select the Server Refreshed option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Server Refreshed

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: Configuration Identifier Data Description: Configuration Object DN

SubTarget (Y): null

Text1 (S): Schema Title: Server Identifier Data Description: Unique server ID also used to create Liberty and SAML artifacts

Text2 (T): null

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.23 NIDS: Intruder Lockout (002e0017)

This event is generated when you select the Intruder Lockout Detected option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Intruder Lockout

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN

SubTarget (Y): null

Text1 (S): Schema Title: Server Identifier Data Description: IP address of the User Store replica server

Text2 (T): null

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.24 NIDS: Severe Component Log Entry (002e0018)

This event is generated when you select the Component Log Severe Messages option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Severe Component Log Entry

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): null

Text1 (S): Schema Title: Component Log Text Data Description: Server Error Text

Text2 (T): null

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.25 NIDS: Warning Component Log Entry (002e0019)

This event is generated when you select the Component Log Warning Messages option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Warning Component Log Entry

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): null

Text1 (S): Schema Title: Component Log Text Data Description: Warning Error Text

Text2 (T): null

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.26 NIDS: Failed to Broker an Authentication from Identity Provider to Service Provider as Identity Provider and Service Provider Are not in Same Group (002E001A)

This event is generated when you select the Brokering Across Groups Denied option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Failed to broker an authentication from identity provider to service provider as identity provider and service provider are not in same group

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN

SubTarget (Y): null

Text1 (S): Schema Title: Identity Provider IdentifierDescription : Identity Provider ID

Text2 (T): Schema Title: Service Provider IdentifierDescription: Service Provider ID

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): Schema Title: Target URL Length Description: Byte length of the target URL

Data (D): Schema Title: Target URL Description: Target URL

30.16.27 NIDS: Failed to Broker an Authentication from Identity Provider to Service Provider Because a Policy Evaluated to Deny (002E001B)

This event is generated when you select the Brokering Rule Evaluated to Deny option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Failed to broker an authentication from identity provider to service provider because a policy evaluated to deny

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN

SubTarget (Y): Schema Title: Broker Group Name Description: Name of the Brokering Group

Text1 (S): Schema Title: Identity Provider IdentifierDescription: Identity Provider ID

Text2 (T): Schema Title: Service Provider IdentifierDescription: Service Provider ID

Text3 (F): Schema Title: Broker Policy Description: Name of the Broker Policy that evaluated to deny

Value1 (1): 0

Group (G): 0

Data Length (X): Schema Title: Target URL Length Description: Byte length of the target URL

Data (D): Schema Title: Target URL Description: Target URL

30.16.28 NIDS: Brokered an Authentication from Identity Provider to Service Provider (002E001C)

This event is generated when you select the Brokering Handled option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: Brokered an authentication from identity provider to service provider

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN

SubTarget (Y): Schema Title: Broker Group Name Description: Name of the Brokering Group

Text1 (S): Schema Title: Identity Provider Identifier Description: Identity Provider ID

Text2 (T): Schema Title: Service Provider Identifier Description: Service Provider ID

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): Schema Title: Target URL Length Description: Byte length of the target URL

Data (D): Schema Title: Target URL Description: Target URL

30.16.29 NIDS: OAuth2 Authorization code issued (002e0028)

This event is generated when you select the OAuth & OpenID Token Issued option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: OAuth2 Authorization code issued

Originator (B): Schema Title: Originator

Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier

Data Description: Authentication User Name

SubTarget (Y): null

Text1 (S): Schema Title: Issued At Data

Data Description: Token issued time stamp in Millisecond

Text2 (T): Schema Title: Issued To Data

Description: Client Name

Text3 (F): Schema Title: Validity Data

Description: From: Time in Milliseconds - To: Time in Milliseconds

30.16.30 NIDS: OAuth2 token issued (002e0029)

This event is generated when you select the OAuth & OpenID Token Issued option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: OAuth2 token issued

Originator (B): Schema Title: Originator

Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier

Data Description: Authentication User Name

SubTarget (Y): Schema Title: Grant Type

Data Description: Oauth grant type

Text1 (S): Schema Title: Issued At

Data Description: Token issued time stamp in Milliseconds

Text2 (T): Schema Title: Issued To

Data Description: Client Name plus session id seperated by '-'.

Text3 (F): Schema Title: Validity

Data Description: From: Time in Milliseconds - To: Time in Milliseconds

30.16.31 NIDS: OAuth2 Authorization code issue failed (002e0030)

This event is generated when you select the OAuth & OpenID Token Issue Failed option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: OAuth2 Authorization code issue failed

Originator (B): Schema Title: Originator

Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier

Data Description: Authentication User Name

SubTarget (Y): null

Text1 (S): Schema Title: Failed At

Data Description: Code issued failed time stamp in Milliseconds

Text2 (T): Schema Title: Reason

Data Description: Reason for failure

Text3 (F): null

30.16.32 NIDS: OpenID token issued (002e0031)

This event is generated when you select the OAuth & OpenID Token Issue option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: OpenID token issued

Originator (B): Schema Title: Originator

Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier

Data Description: Authentication User Name

SubTarget (Y): null

Text1(S): Schema Title: Issued At

Data Description: ID Token issued time stamp in Millisecond

Text2(T): Schema Title: Issued To

Data Description: Client Name s

Text3(F): Schema Title: Expires

Data Description: Expires in second

30.16.33 NIDS: OAuth2 refresh token issued (002e0032)

This event is generated when you select the OAuth & OpenID Token Issue option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: OAuth2 refresh token issued

Originator (B): Schema Title: Originator

Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier

Data Description: Authentication User Name

SubTarget (Y): null

Text1 (S): Schema Title: Issued At

Data Description: Token issued time stamp in Millisecond

Text2 (T): Schema Title: Issued To

Data Description: Client Name

Text3 (F): Schema Title: Validity

Data Description: From: Time in Milliseconds - To: Time in Milliseconds

30.16.34 NIDS: OAuth2 token issue failed (002e0033)

This event is generated when you select the OAuth & OpenID Token Issue Failed option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: OAuth2 token issue failed

Originator (B): Schema Title: Originator

Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier

Data Description: Authentication User Name

SubTarget (Y): Schema Title: Grant Type

Data Description: Oauth grant type

Text1 (S): Schema Title: Failed At

Data Description: Token issue failed time stamp in Milliseconds

Text2 (T): Schema Title: Issued To

Data Description: Client Name

Text3 (F): Schema Title: Reason

Data Description: Reason for failure

30.16.35 NIDS: OpenID token issue failed (002e0034)

This event is generated when you select the OAuth & OpenID Token Issue Failed option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: OpenID token issue failed

Originator (B): Schema Title: Originator

Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: Authentication User Name

SubTarget (Y): null

Text1 (S): Schema Title: Failed At

Data Description: Token issue failed time stamp in Milliseconds

Text2 (T): Schema Title: Issued To

Data Description: Client Name

Text31 (F): Schema Title: Reason

Data Description: Reason for failure

30.16.36 NIDS: OAuth2 refresh token issue failed (002e0035)

This event is generated when you select the OAuth & OpenID Token Issue Failed option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: OAuth2 refresh token issue failed

Originator (B): Schema Title: Originator

Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier

Data Description: Authentication User Name

SubTarget (Y): null

Text1 (S): Schema Title: Failed At

Data Description: Token issue failed time stamp in Milliseconds

Text2 (T): Schema Title: Issued To

Data Description: Client Name

Text31 (F): Schema Title: Reason

Data Description: Reason for failure

30.16.37 NIDS: OAuth2 client has been registered successfully (002e0036)

This event is generated when you select the OAuth Client Applications option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: OAuth2 client has been registered successfully

Originator (B): Schema Title: Originator

Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier

Data Description: Authentication User Name

SubTarget (Y): null

Text1 (S): Schema Title: Registered At

Data Description: Client registered time stamp in Milliseconds

Text2 (T): Schema Title: Client Name Data Description: Client Name

Text31 (F): Schema Title: Client ID

Data Description: Client ID

30.16.38 NIDS: OAuth2 client has been modified successfully (002e0037)

This event is generated when you select the OAuth Client Applications option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: OAuth2 client has been modified successfully

Originator (B): Schema Title: Originator

Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier

Data Description: Authentication User Name

SubTarget (Y): null

Text1 (S): Schema Title: Modified At

Data Description: Client modify time stamp in Milliseconds

Text2 (T): Schema Title: Client Name

Data Description: Client Name

Text31 (F): Schema Title: Client ID Description: Client ID

30.16.39 NIDS: OAuth2 client has been deleted successfully (002e0038)

This event is generated when you select the OAuth Client Applications option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: OAuth2 client has been deleted successfully

Originator (B): Schema Title: Originator

Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier

Data Description: Authentication User Name

SubTarget (Y): null

Text1 (S): Schema Title: Removed At

Data Description: Client deleted time stamp in Milliseconds

Text2 (T): Schema Title: Client Name

Data Description: Client Name

Text31 (F): Schema Title: Client ID Description: Client ID

30.16.40 NIDS: OAuth2 user has provided consent (002e0039)

This event is generated when you select the OAuth Consent Provided option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: OAuth2 user has provided consent

Originator (B): Schema Title: Originator

Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier

Data Description: Authentication User Name

SubTarget (Y): null

Text1 (S): Schema Title: Provided At

Data Description: Consent provided time stamp in Milliseconds

Text2 (T): null

Text31 (F): null

30.16.41 NIDS: OAuth2 user has revoked consent (002e0040)

This event is generated when you select the OAuth Consent Revoked option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: OAuth2 user has revoked consent

Originator (B): Schema Title: Originator

Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier

Data Description: Authentication User Name

SubTarget (Y): null

Text1 (S): Schema Title: Revoked At

Data Description: Consent revoked time stamp in Milliseconds

Text2 (T): null

Text31 (F): null

30.16.42 NIDS: OAuth2 token validation success (002e0041)

This event is generated when you select the OAuth & OpenID Token Validation Success option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: OAuth2 token validation success

Originator (B): Schema Title: Originator

Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier

Data Description: Authentication User Name

SubTarget (Y): null

Text1 (S): Schema Title: Validated At

Data Description: Validated time stamp in Milliseconds

Text2 (T): null

Text31 (F): Schema Title: Expires

Data Description: Expires in seconds

30.16.43 NIDS: OAuth2 token validation failed (002e0042)

This event is generated when you select the OAuth & OpenID Token Validation Failed option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: OAuth2 token validation failed

Originator (B): Schema Title: Originator

Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): null

Text1 (S): Schema Title: Validated At

Data Description: Validated time stamp in Milliseconds

Text2 (T): null

Text31 (F): Schema Title: Reason

Data Description: Validation failure reason

Data (D): Schema Title: Client IP Address

Description: IP Address of the host from which the token received

30.16.44 NIDS: OAuth2 client registration failed (002e0043)

This event is generated when you select the OAuth Client Applications option under Audit Logging on the Logging page of an Identity Server configuration.

Description: NIDS: OAuth2 client registration failed

Originator (B): Schema Title: Originator

Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier

Data Description: Authentication User Name

SubTarget (Y): null

Text1 (S): Schema Title: Failed At

Data Description: Client registration failed time stamp in Milliseconds

Text2 (T): Schema Title: Client Name

Data Description: Client Name

Text31 (F): Schema Title: Reason

Data Description: Reason for failure

30.16.45 NIDS: Roles PEP Configured (002e0300)

This event is generated for Identity Server roles.

Description: NIDS: Roles PEP Configured

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): null

Text1 (S): null

Text2 (T): null

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): Schema Title: Policy Enforcement List Length Data Description: Byte length of PEL

Data (D): Schema Title: Policy Enforcement List Data Description: Policy Enforcement List (PEL) data

30.16.46 NIDS: Risk-Based Authentication Action for User (002e0045)

This event is generated when you select the Risk-based Pre-authentication Succeeded option under Audit Logging on the Logging page of an Identity Server configuration.

Description: Pre-Risk-Based additional authentication executed successfully for user.

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN

SubTarget (Y): Schema Title: Authentication Name Identifier Description: Risk type (preauth or postauth)

Text1 (S): Schema Title: RiskScore Description: Risk score(number) plus IDP session id seperated by '-'.

Text2 (T): Schema Title: RiskLevel Description: Risk category defined by risk score value plus user agent seperated by '-'.

Text3 (F): Schema Title: Authentication class Description: Authentication class name executed as part of risk based authentication.

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): Schema Title: Client IP Address Description: IP Address of the host from which the authentication succeeded.

30.16.47 NIDS: Risk-Based Authentication Action for User (002e0046)

This event is generated when you select the Risk-based Pre-authentication Failed option under Audit Logging on the Logging page of an Identity Server configuration.

Description: Pre-Risk-Based authentication failed for user.

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN

SubTarget (Y): Schema Title: Authentication Name Identifier Description: Risk type (preauth or postauth)

Text1 (S): Schema Title: RiskScore Description: Risk score(number) plus IDP session id seperated by '-'.

Text2 (T): Schema Title: RiskLevel Description: Risk category defined by risk score value plus user agent seperated by '-'.

Text3 (F): Schema Title: Authentication class Description: Authentication class name executed as part of risk based authentication.

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): Schema Title: Client IP Address Description: IP Address of the host from which the authentication succeeded.

30.16.48 NIDS: Risk-Based Authentication Action for User (002e0047)

This event is generated when you select the Risk-based Pre-authentication Action Invoked option under Audit Logging on the Logging page of an Identity Server configuration.

Description: Pre-Risk-Based authentication action for user.

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN

SubTarget (Y): Schema Title: Authentication Name Identifier Description: Risk type (preauth or postauth)

Text1 (S): Schema Title: RiskScore Description: Risk score(number) plus IDP session id seperated by '-'.

Text2 (T): Schema Title: RiskLevel Description: Risk category defined by risk score value plus user agent plus cluster id of IDP all seperated by '-'.

Text3 (F): Schema Title: Action taken Description: Risk category defined action taken as part of risk based authentication.

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): Schema Title: Client IP Address Description: IP Address of the host from which the authentication succeeded.

30.16.49 NIDS: Token was Issued to Web Service (002E001F)

This event is generated when you select the Token Issued To WebService option under Audit Logging on the Logging page of an Identity Server configuration.

Description: When a token is issued to a web service (WS-Trust)

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN.

SubTarget (Y): Schema Title: Token type Data Description: Type of token issued.

Text1 (S): Schema Title: Identity Provider Identifier Data Description: Identity provider identifier providing token.

Text2 (T): Schema Title: Authentication Method Data Description: Authentication method name.

Text3 (F): Schema Title: Target Name Data Description: Target name of service provider.

Data Length (X): 0

Data (D): Schema Title: Target URL Data Description: Target url of service provider.

30.16.50 NIDS: Issued a Federation Assertion (002E0102)

This event is generated when you select the Federation Token Sent option under Audit Logging on the Logging page of an Identity Server configuration.

Description: When a federation token is issued.

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN.

SubTarget (Y): Schema Title: Authentication Identifier Data Description: IDP Session ID.

Text1 (S): Schema Title: Provider Name Data Description: Name of the provider

Text2 (T): Schema Title: Provider Identifier Data Description: Identity provider identifier.

Text3 (F): Schema Title: User Agent-Cluster ID Data Description: User agent and IDP cluster ID.

Data Length (X): 0

Data (D): Schema Title: Client IP Address Data Description: Client IP address.

30.16.51 NIDS: Received a Federation Assertion (002E0103)

This event is generated when you select the Federation Token Received option under Audit Logging on the Logging page of an Identity Server configuration.

Description: When a federation token is received.

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN.

SubTarget (Y): Schema Title: Authentication Identifier Data Description: IDP Session ID.

Text1 (S): Schema Title: Provider Name Data Description: Name of the provider

Text2 (T): Schema Title: Provider Identifier Data Description: Identity provider identifier.

Text3 (F): Schema Title: User Agent-Cluster ID Data Description: User agent and IDP cluster ID.

Data Length (X): 0

Data (D): Schema Title: Client IP Address Data Description: Client IP address.

30.16.52 Access Gateway: PEP Configured (002e0301)

This event is generated when you enable auditing.

Description: Access Gateway: policy enforcement point (PEP) configured

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): null

Text1 (S): Schema Title: Event Identifier Data Description: Event Tracking Identifier

Text2 (T): null

Text3 (F): null

Value1 (1): Schema Title: Audit Enabled Data Description: 0 = No; 1 = Yes

Group (G): 0

Data Length (X): Schema Title: Policy Enforcement List Length Data Description: Byte length of PEL

Data (D): Schema Title: Policy Enforcement List Data Description: Policy Enforcement List (PEL) data

30.16.53 Roles Assignment Policy Evaluation (002e0320)

This event is generated when you enable auditing.

Description: Roles assignment policy evaluation

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): null

Text1 (S): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text2 (T): Schema Title: Assigned Roles Data Description: Assigned Role or error message

Text3 (F): Schema Title: Policy Action Data Description: Policy Action FDN

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.54 Access Gateway: Authorization Policy Evaluation (002e0321)

This event is generated when you enable auditing.

Description: Access Gateway: Authorization policy evaluation

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): null

Text1 (S): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text2 (T): Schema Title: Event Identifier Data Description: Event Tracking Identifier

Text3 (F): Schema Title: Policy Action Data Description: Policy Action FDN

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.55 Access Gateway: Form Fill Policy Evaluation (002e0322)

This event is generated when you enable auditing.

Description: Access Gateway: Form Fill policy evaluation

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): null

Text1 (S): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text2 (T): Schema Title: Event Identifier Data Description: Event Tracking Identifier

Text3 (F): Schema Title: Policy Action Data Description: Policy Action FDN

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.56 Access Gateway: Identity Injection Policy Evaluation (002e0323)

This event is generated when you enable auditing.

Description: Access Gateway: Identity Injection policy evaluation

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): null

Text1 (S): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text2 (T): Schema Title: Event Identifier Data Description: Event Tracking Identifier

Text3 (F): Schema Title: Policy Action Data Description: Policy Action FDN

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.57 Access Gateway: Access Denied (0x002e0505)

This event is generated when you select the Access Denied option on the Audit page of an Access Gateway.

Description: Access Gateway: Access Denied

In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.

In a query, this column is called EventID.

Event ID: 0x002e0505

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: Protected Resource Name Data Description: Configured Name of Protected Resource

SubTarget (Y): Schema Title: Protected Resource URL Data Description: Protected Resource URL

Text1 (S): Schema Title: User Identifier Data Description: User DN

Text2 (T): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text3 (F): Schema Title: Event Identifier Data Description: Event Tracking Identifier

Value1 (1): Schema Title: Source IP Address Data Description: User IP address (numeric format – host order)

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.58 Access Gateway: URL Not Found (0x002e0508)

This event is generated when you select the URL Not Found option on the Audit page of an Access Gateway.

Description: Access Gateway: URL Not Found

In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.

In a query, this column is called EventID.

Event ID: 0x002e0508

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): Schema Title: Protected Resource URL Data Description: Protected Resource URL

Text1 (S): Schema Title: User Identifier Data Description: User DN

Text2 (T): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text3 (F): Schema Title: Event Identifier Data Description: Event Tracking Identifier

Value1 (1): Schema Title: Source IP Address Data Description: User IP address (numeric format – host order)

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.59 Access Gateway: System Started (0x002e0509)

This event is generated when you select the System Started option on the Audit page of an Access Gateway.

Description: Access Gateway: System Started

In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.

In a query, this column is called EventID.

Event ID: 0x002e0509

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): null

Text1 (S): null

Text2 (T): null

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.60 Access Gateway: System Shutdown (0x002e050a)

This event is generated when you select the System Shutdown option on the Audit page of an Access Gateway.

Description: Access Gateway: System Shutdown

In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.

In a query, this column is called EventID.

Event ID: 0x002e050a

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): null

Text1 (S): null

Text2 (T): null

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.61 Access Gateway: Identity Injection Parameters (0x002e050c)

This event is generated when you select the Identity Injection Parameters option on the Audit page of an Access Gateway.

Description: Access Gateway: Identity Injection Parameters

In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.

In a query, this column is called EventID.

Event ID: 0x002e050c

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): Schema Title: Protected Resource URL Data Description: Protected Resource URL

Text1 (S): Schema Title: User Identifier Data Description: User DN

Text2 (T): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text3 (F): Schema Title: Event Identifier Data Description: Event Tracking Identifier

Value1 (1): Schema Title: Injection Location Data Description: 2710 – Auth Header 2720 – Custom Header 2730 – Query Parameters

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.62 Access Gateway: Identity Injection Failed (0x002e050d)

This event is generated when you select the Identity Injection Failed option on the Audit page of an Access Gateway.

Description: Access Gateway: Identity Injection Failed

In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.

In a query, this column is called EventID.

Event ID: 0x002e050d

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): Schema Title: Protected Resource URL Data Description: Protected Resource URL

Text1 (S): Schema Title: User Identifier Data Description: User DN

Text2 (T): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text3 (F): Schema Title: Event Identifier Data Description: Event Tracking Identifier

Value1 (1): Schema Title: Injection Location Data Description: 2710 – Auth Header 2720 – Custom Header 2730 – Query Parameters

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.63 Access Gateway: Form Fill Authentication (0x002e050e)

This event is generated when you select the Form Fill Success option on the Audit page of an Access Gateway.

Description: Access Gateway: Form Fill Authentication

In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.

In a query, this column is called EventID.

Event ID: 0x002e050e

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: Protected Resource Name Data Description: Configured name of protected resource

SubTarget (Y): Schema Title: Protected Resource URL Data Description: Protected Resource URL

Text1 (S): Schema Title: User Identifier Data Description: User DN

Text2 (T): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text3 (F): Schema Title: Event Identifier Data Description: Event Tracking Identifier

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.64 Access Gateway: Form Fill Authentication Failed (0x002e050f)

This event is generated when you select the Form Fill Failed option on the Audit page of an Access Gateway.

Description: Access Gateway: Form Fill Authentication Failed

In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.

In a query, this column is called EventID.

Event ID: 0x002e050f

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: Protected Resource Name Data Description: Configured name of protected resource

SubTarget (Y): Schema Title: Protected Resource URL Data Description: Protected Resource URL

Text1 (S): Schema Title: User Identifier Data Description: User DN

Text2 (T): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text3 (F): Schema Title: Event Identifier Data Description: Event Tracking Identifier

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.65 Access Gateway: URL Accessed (0x002e0512)

This event is generated when you select the URL Accessed option on the Audit page of an Access Gateway.

Description: Access Gateway: URL Accessed

In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.

In a query, this column is called EventID.

Event ID: 0x002e0512

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): Schema Title: Protected Resource URL Data Description: Protected Resource URL

Text1 (S): Schema Title: User Identifier Data Description: User DN

Text2 (T): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text3 (F): Schema Title: Event Identifier Data Description: Event Tracking Identifier

Value1 (1): Schema Title: Source IP Address Data Description: User IP address (numeric format – host order)

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.66 Access Gateway: IP Access Attempted (0x002e0513)

This event is generated when you select the IP Access Attempted option on the Audit page of an Access Gateway.

Description: Access Gateway: IP Access Attempted

In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.

In a query, this column is called EventID.

Event ID: 0x002e0513

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): Schema Title: Protected Resource URL Data Description: Protected Resource URL

Text1 (S): Schema Title: User Identifier Data Description: User DN

Text2 (T): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text3 (F): Schema Title: Event Identifier Data Description: Event Tracking Identifier

Value1 (1): Schema Title: Source IP Address Data Description: User IP address (numeric format – host order)

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.67 Access Gateway: Webserver Down (0x002e0515)

This event is generated when you select the IP Access Attempted option on the Audit page of an Access Gateway.

Description: Access Gateway: One of the Web servers is not reachable

In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.

In a query, this column is called EventID.

Event ID: 0x002e0515

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): null

Text1 (S): WebServer hostname

Text2 (T): null

Text3 (F): null

Value1 (1): WebServer IP Address

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.68 Access Gateway: All WebServers for a Service is Down (0x002e0516)

This event is generated when you select the IP Access Attempted option on the Audit page of an Access Gateway.

Description: Access Gateway: All Web servers for a service are down

In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.

In a query, this column is called EventID.

Event ID: 0x002e0516

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): null

Text1 (S): WebServer Hostname

Text2 (T): null

Text3 (F): null

Value1 (1): WebServer IP address

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.69 Access Gateway: Application Accessed (002E0514)

This event is generated when you select the Application Accessed option on the Audit page of an Access Gateway.

Description: Access Gateway: An application has been accessed with authentication in AG.

Event ID: 0x002e0514

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: Protected Resource Name Data Description: Name of protected resource.

SubTarget (Y): Schema Title: Protected Resource URL Data Description: Protected Resource URL

Text1 (S): Schema Title: User Identifier Data Description: User DN

Text2 (T): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text3 (F): Schema Title: Application Name Data Description: Application that has been accessed.

Value1 (1): Schema Title: Source IP Address Data Description: User IP address (numeric format – host order)

Group (G): 0

Data Length (X): 0

Data (D): Schema Title: ESP Provider Id Data Description: ID of ESP.

30.16.70 Access Gateway: Session Created (002E0525)

This event is generated when you select the Session Created/Destroyed option on the Audit page of an Access Gateway.

Description: Access Gateway: Session has been created in AG.

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): null

SubTarget (Y): Schema Title: Protected Resource URL Data Description: Protected Resource URL

Text1 (S): Schema Title: User Identifier Data Description: User DN

Text2 (T): Schema Title: Authentication Identifier Data Description: IDP Session ID (AMAUTHID#auth_id:)

Text3 (F): Schema Title: Event Identifier Data Description: Event Tracking Identifier

Value1 (1): Schema Title: Source IP Address Data Description: User IP address (numeric format – host order)

Value1 (2): Schema Title: X-Forwarded-For Client IP Address Data Description: X-Forwarded-For header value for client IP

Group (G): 0

Data Length (X): 0

Data (D): Schema Title: Provider Id Data Description: Device ID of provider.

30.16.71 Management Communication Channel: Health Change (0x002e0601)

This event is generated when you select the Health Changes option on the Access Manager Auditing page.

Description: Management Communication Channel: Health Change

In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.

In a query, this column is called EventID.

Event ID: 0x002e0601

Originator (B): Schema Title: Originator Data Description: “devmanagement” (AMDEVICEID#devmanagement:)

Target (U): null

SubTarget (Y): null

Text1 (S): Schema Title: Changed Device Data Description: IP address and device type of the changed device

Text2 (T): Schema Title: Old State Data Description: Old State

Text3 (F): Schema Title: New State Data Description: New State

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.72 Management Communication Channel: Device Imported (0x002e0602)

This event is generated when you select the Server Imports option on the Access Manager Auditing page.

Description: Management Communication Channel: Device Imported

In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.

In a query, this column is called EventID.

Event ID: 0x002e0602

Originator (B): Schema Title: Originator Data Description: “devmanagement” (AMDEVICEID#devmanagement:)

Target (U): null

SubTarget (Y): null

Text1 (S): Schema Title: Device Data Description: IP address and device type of the changed device

Text2 (T): blank string

Text3 (F): blank string

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.73 Management Communication Channel: Device Deleted (0x002e0603)

This event is generated when you select the Server Deletes option on the Access Manager Auditing page.

Description: Management Communication Channel: Device Deleted

In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.

In a query, this column is called EventID.

Event ID: 0x002e0603

Originator (B): Schema Title: Originator Data Description: “devmanagement” (AMDEVICEID#devmanagement:)

Target (U): null

SubTarget (Y): null

Text1 (S): Schema Title: Device Data Description: IP address and device type of the changed device

Text2 (T): Schema Title: Administrator Data Description: DN of the administrator deleting the device

Text3 (F): blank string

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.74 Management Communication Channel: Device Configuration Changed (0x002e0604)

This event is generated when you select the Configuration Changes option on the Access Manager Auditing page.

Description: Management Communication Channel: Device Configuration Changed

In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.

In a query, this column is called EventID.

Event ID: 0x002e0604

Originator (B): Schema Title: Originator Data Description: “devmanagement” (AMDEVICEID#devmanagement:)

Target (U): null

SubTarget (Y): null

Text1 (S): Schema Title: Device Data Description: IP address and device type of the changed device

Text2 (T): Schema Title: Administrator Data Description: DN of the administrator invoking the configuration change

Text3 (F): blank string

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.75 Management Communication Channel: Device Alert (0x002e0605)

This event is generated when you enable auditing.

Description: Management Communication Channel: Device Alert

In the Event list (Auditing and Logging > Logging Server Options > [Name of Novell Audit Secure Logging Server] > Novell Access Manager > Events), this column is called Event Name.

In a query, this column is called EventID.

Event ID: 0x002e0605

Originator (B): Schema Title: Originator Data Description: “devmanagement” (AMDEVICEID#devmanagement:)

Target (U): null

SubTarget (Y): null

Text1 (S): Schema Title: Device Data Description: IP address of the device generating the alert

Text2 (T): Schema Title: Alert Message Data Description: alert message string

Text3 (F): blank string

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): null

30.16.76 Management Communication Channel: Statistics (002e0606)

This event is generated when you select the Server Statistics option on the Access Manager Auditing page

Description: Management Communication Channel: Statistics of IDP ESP and AG.

Originator (B): Schema Title: Originator Data Description: “devmanagement” (AMDEVICEID#devmanagement:)

Target (U): null

SubTarget (Y): Schema Title: Device IP Address Data Description: IP address of devices like IDP or AG.

Text1 (S): Schema Title: Device Data Description: Device type of the device

Text2 (T): null

Text3 (F): null

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): Schema Title: Statistics Data Description: Statistics data.

30.16.77 Risk-Based Authentication Successful (002e0025)

This event is generated when you select the Risk-Based Authentication Succeeded option under Audit Logging on the Logging page of an Identity Server configuration.

Description: Risk-Based additional authentication executed successfully for user.

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN

SubTarget (Y): Schema Title: Authentication Identifier Description: IDP Session ID (AMAUTHID#auth_id:)

Text1 (S): Schema Title: RiskScore Description: Risk score(number).

Text2 (T): Schema Title: RiskLevel Description: Risk category defined by risk score value.

Text3 (F): Schema Title: Additional authentication class Description: Additional Authentication class name executed as part of risk based authentication.

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): Schema Title: Client IP Address Description: IP Address of the host from which the authentication succeeded.

30.16.78 Risk-Based Authentication Failed (002e0026)

This event is generated when you select the Risk-Based Authentication Failed option under Audit Logging on the Logging page of an Identity Server configuration.

Description: Risk-Based authentication failed for user.

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN

SubTarget (Y): Schema Title: Authentication Identifier Description: IDP Session ID (AMAUTHID#auth_id:)

Text1 (S): Schema Title: RiskScore Description: Risk score(number).

Text2 (T): Schema Title: RiskLevel Description: Risk category defined by risk score value.

Text3 (F): Schema Title: Additional authentication class Description: Additional Authentication class name executed as part of risk based authentication.

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): Schema Title: Client IP Address Description: IP Address of the host from which the authentication succeeded.

30.16.79 Risk-Based Authentication for User (002e0027)

This event is generated when you select the Risk-Based Authentication Action Invoked option under Audit Logging on the Logging page of an Identity Server configuration.

Description: Risk-Based authentication action for user.

Originator (B): Schema Title: Originator Data Description: JCC Device ID (AMDEVICEID#device_id:)

Target (U): Schema Title: User Identifier Data Description: User DN

SubTarget (Y): Schema Title: Authentication Identifier Description: IDP Session ID (AMAUTHID#auth_id:)

Text1 (S): Schema Title: RiskScore Description: Risk score(number) plus IDP session id seperated by '-'.

Text2 (T): Schema Title: RiskLevel Description: Risk category defined by risk score value plus user agent plus cluster id of IDP all seperated by '-'.

Text3 (F): Schema Title: Action taken Description: Risk category defined action taken as part of risk based authentication.

Value1 (1): 0

Group (G): 0

Data Length (X): 0

Data (D): Schema Title: Client IP Address Description: IP Address of the host from which the authentication succeeded.

30.16.80 Impersonation Sign in (002E0048)

This event is generated during an Impersonation sign in.

appName: Novell Access Manager

timeStamp: Thu, 15 Sep 2016 17:18:58 -0600

eventId: ID of the event

SubTarget: Impersonator’s session ID

stringValue1: Impersonatee’s userDN or username

stringValue2: Impersonatee’s session ID

stringValue3: Description of the event

numericValue1: 0

numericValue2: 0

numericValue3: 0

data: IP address in the base64 format

description: null

message: null

component: nidp\\\\impersonation

originator: JCC device ID

target: Impersonator’s UserDN or username

30.16.81 Impersonation: Impersonator Logs Out (002E0049)

This event is generated when an Impersonator logs out from an Impersonation session.

appName: Novell Access Manager

timeStamp: Thu, 15 Sep 2016 17:18:58 -0600

eventId: ID of the event

SubTarget: Impersonator’s session ID

stringValue1: Impersonatee’s userDN or username

stringValue2: Impersonatee’s session ID

stringValue3: Description of the event

numericValue1: 0

numericValue2: 0

numericValue3: 0

data: IP address in the base64 format

description: null

message: null

component: nidp\\\\impersonation

originator: JCC device ID

target: Impersonator’s UserDN or username

30.16.82 Impersonation: Session Started (002E0050)

This event is generated when an Impersonation session is started.

appName: Novell Access Manager

timeStamp: Thu, 15 Sep 2016 17:18:58 -0600

eventId: ID of the event

SubTarget: Impersonator’s session ID

stringValue1: Impersonatee’s userDN or username

stringValue2: Impersonatee’s session ID

stringValue3: Description of the event

numericValue1: 0

numericValue2: 0

numericValue3: 0

data: IP address in the base64 format

description: null

message: null

component: nidp\\\\impersonation

originator: JCC device ID

target: Impersonator’s UserDN or username

30.16.83 Impersonation: Impersonatee Denies (002E0051)

This event is generated when an Impersonatee denies an Impersonation session request.

appName: Novell Access Manager

timeStamp: Thu, 15 Sep 2016 17:18:58 -0600

eventId: ID of the event

SubTarget: Impersonator’s session ID

stringValue1: Impersonatee’s userDN or username

stringValue2: Impersonatee’s session ID

stringValue3: Description of the event

numericValue1: 0

numericValue2: 0

numericValue3: 0

data: IP address in the base64 format

description: null

message: null

component: nidp\\\\impersonation

originator: JCC device ID

target: Impersonator’s UserDN or username

30.16.84 Impersonation: Impersonatee Approves (002E0052)

This event is generated when an Impersonatee approves an Impersonation session request.

appName: Novell Access Manager

timeStamp: Thu, 15 Sep 2016 17:18:58 -0600

eventId: ID of the event

SubTarget: Impersonator’s session ID

stringValue1: Impersonatee’s userDN or username

stringValue2: Impersonatee’s session ID

stringValue3: Description of the event

numericValue1: 0

numericValue2: 0

numericValue3: 0

data: IP address in the base64 format

description: null

message: null

component: nidp\\\\impersonation

originator: JCC device ID

target: Impersonator’s UserDN or username

30.16.85 Impersonation: Impersonator Cancels (002E0053)

This event is generated when an Impersonator cancels an Impersonation session request.

appName: Novell Access Manager

timeStamp: Thu, 15 Sep 2016 17:18:58 -0600

eventId: ID of the event

SubTarget: Impersonator’s session ID

stringValue1: Impersonatee’s userDN or username

stringValue2: Impersonatee’s session ID

stringValue3: Description of the event

numericValue1: 0

numericValue2: 0

numericValue3: 0

data: IP address in the base64 format

description: null

message: null

component: nidp\\\\impersonation

originator: JCC device ID

target: Impersonator’s UserDN or username

30.16.86 Impersonation: Authorization Policy Fails (002E0054)

This event is generated when an Impersonation session authorization policy fails.

appName: Novell Access Manager

timeStamp: Thu, 15 Sep 2016 17:18:58 -0600

eventId: ID of the event

SubTarget: Impersonator’s session ID

stringValue1: Impersonatee’s userDN or username

stringValue2: Impersonatee’s session ID

stringValue3: Description of the event

numericValue1: 0

numericValue2: 0

numericValue3: 0

data: IP address in the base64 format

description: null

message: null

component: nidp\\\\impersonation

originator: JCC device ID

target: Impersonator’s UserDN or username