This section contains all the audit events logged by Access Manager. Each event has EventID, Description, Originator Title, Target Title, Subtarget Title, Text1 Title, Text2 Title, Text3 Title, Value1 Title, Value1 Type, Group Title, Data Length, and Data Type values stored. Each field contains a single-character token (such as B, U, Y, and so on) that represents a data field of the audit event, with each letter representing a different data field. The mapping of the character tokens to data fields is found in the nids_en.lsc file.
Audit events are device-specific. You can select events for the following devices:
Administration Console: In Administration Console Dashboard, click Auditing.
Identity Server: Click Devices > Identity Servers > Edit > Auditing and Logging.
Access Gateway: Click Devices > Access Gateways > Edit > Auditing.
JavaScript Object Notation (JSON) Event Format
Sample JSON Format
This event is generated when you select the Risk-Based Authentication Succeeded option under Audit Logging on the Logging page of an Identity Server configuration.
The following is a sample JSON event format of a Risk-Based authentication:
```json
{
  "appName" : "Novell Access Manager",
  "Component" : "nidp",
  "timeStamp" : "Fri, 31 Jul 2015 17:30:57 +0530",
  "eventId" : "002E0025",
  "Description": "NIDS: Risk based additional authentication executed successfully for user",
  "Originator": "9772686A5705BA6C",
  "Target": "cn=admin,o=novell",
  "SubTarget": "3883A05A302BA3BDC7899AF05810B08B",
  "stringValue1": "35",
  "stringValue2": "medium",
  "stringValue3": "null",
  "numericValue1": "0",
  "numericValue2": "0",
  "numericValue3": "0",
  "Data": "MTY0Ljk5LjEzNy41Mg==",
  "Message": "[Fri, 31 Jul 2015 17:30:57 +0530] [Novell Access Manager\nidp]: AMDEVICEID#9772686A5705BA6C: AMAUTHID#YfdEmqCT2ZutwybD1eYSpfph8g5a5aMl6MGryq1hIqc=: Risk based authentication successful for user: [cn=admin,o=novell]. RiskScore: [35] RiskLevel: [Medium] Additional authentication class: [$SF] Client IP Address: [164.99.137.52]",
}
```
NOTE: The IP address is encoded in base64 format.
The following table lists the event fields with their corresponding descriptions:
Field | Description |
---|---|
appName | Specifies the name of the product. |
Component | Specifies the name of the Access Manager component. For example, “nidp” identifies that the audit is triggered by Identity Server. |
timeStamp | Specifies the time when the event occurred. |
eventId | Specifies the event ID. For example, 002E0025. To view all the events and their corresponding event IDs, see the sections below. |
Description | Describes the event. |
Originator | Specifies the ID of the device that generated this event. For example, 9772686A5705BA6C is the device with ID “idp-9772686A5705BA6C”. |
Target | Specifies the target on which this action is executed. In the above example, the action is risk-based authentication, hence the target is the user ID for which the risk was assessed. |
SubTarget | Specifies additional details about the target. |
stringValue1 | Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass. |
stringValue2 | Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass. |
stringValue3 | Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass. |
numericValue1 | Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass. |
numericValue2 | Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass. |
numericValue3 | Specifies an event-specific string value. The value of this field varies from event to event. For example, it is null if the event has no value to pass. |
Data | Specifies event-specific data. |
Message | Specifies a friendly, detailed message related to the event. |
NOTE: The Syslog agents use the RFC 3164 message format. For more information, see the RFC 3164 documentation.
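An added example (not from the Access Manager documentation) of how a log consumer might parse the JSON event described above: it tolerates the trailing comma in the printed sample, normalizes eventId so that the 002E0025 and 0x002e0505 styles used on this page compare equal, and decodes the base64 Data field. The function names and the clientIp and ipConsistent keys are assumptions of this example, and Data is only known to hold an IP address for the risk-based authentication sample.

```python
import base64
import ipaddress
import json
import re

# Event taken from the sample on this page (fields trimmed, Message shortened),
# keeping the trailing comma that the printed sample ends with.
SAMPLE_EVENT = r'''{ "appName" : "Novell Access Manager", "Component" : "nidp",
 "timeStamp" : "Fri, 31 Jul 2015 17:30:57 +0530", "eventId" : "002E0025",
 "Target": "cn=admin,o=novell", "stringValue1": "35", "stringValue2": "medium",
 "stringValue3": "null", "Data": "MTY0Ljk5LjEzNy41Mg==",
 "Message": "Risk based authentication successful for user: [cn=admin,o=novell]. RiskScore: [35] RiskLevel: [Medium] Client IP Address: [164.99.137.52]", }'''


def normalize_event_id(raw):
    """Return the ID as 8 lowercase hex digits, e.g. '0x002E0505' -> '002e0505'."""
    hexpart = raw.strip().lower()
    if hexpart.startswith("0x"):
        hexpart = hexpart[2:]
    if not re.fullmatch(r"[0-9a-f]{8}", hexpart):
        raise ValueError(f"unexpected eventId: {raw!r}")
    return hexpart


def decode_data_ip(data_b64):
    """Decode the base64 Data field; return an IP object, or None if it is not an IP."""
    try:
        text = base64.b64decode(data_b64, validate=True).decode("ascii")
        return ipaddress.ip_address(text)
    except ValueError:  # covers bad base64, non-ASCII bytes and non-IP text
        return None


def parse_event(raw):
    # Strict JSON parsers reject a trailing comma before the closing brace.
    cleaned = re.sub(r",\s*}\s*$", "}", raw.strip())
    event = json.loads(cleaned)
    # The literal string "null" marks a field with no value to pass.
    event = {k: (None if v == "null" else v) for k, v in event.items()}
    event["eventId"] = normalize_event_id(event["eventId"])
    # Assumption: Data carries the client IP, as in the risk-based sample.
    event["clientIp"] = decode_data_ip(event.get("Data") or "")
    # Cross-check the decoded Data against the IP quoted in Message.
    m = re.search(r"Client IP Address: \[([^\]]+)\]", event.get("Message") or "")
    quoted = m.group(1) if m else None
    event["ipConsistent"] = event["clientIp"] is not None and quoted == str(event["clientIp"])
    return event
```

A mismatch between the decoded Data value and the address in Message (ipConsistent false) is worth surfacing in a pipeline rather than silently preferring one field.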
This section discusses the following audit events:
Section 31.17.2, NIDS: Received a Federate Request (002e0002)
Section 31.17.4, NIDS: Received a Defederate Request (002e0004)
Section 31.17.5, NIDS: Sent a Register Name Request (002e0005)
Section 31.17.6, NIDS: Received a Register Name Request (002e0006)
Section 31.17.8, NIDS: Logged out a Local Authentication (002e0008)
Section 31.17.9, NIDS: Provided an Authentication to a Remote Consumer (002e0009)
Section 31.17.10, NIDS: User Session Was Authenticated (002e000a)
Section 31.17.11, NIDS: Failed to Provide an Authentication to a Remote Consumer (002e000b)
Section 31.17.12, NIDS: User Session Authentication Failed (002e000c)
Section 31.17.13, NIDS: Received an Attribute Query Request (002e000d)
Section 31.17.15, NIDS: Failed to Provision a User Account (002e000f)
Section 31.17.18, NIDS: Connection to User Store Replica Lost (002e0012)
Section 31.17.19, NIDS: Connection to User Store Replica Reestablished (002e0013)
Section 31.17.24, NIDS: Severe Component Log Entry (002e0018)
Section 31.17.25, NIDS: Warning Component Log Entry (002e0019)
Section 31.17.29, NIDS: Web service Request was authenticated (002e001D)
Section 31.17.30, NIDS: Web service Request for authentication Failed (002e001E)
Section 31.17.31, NIDS: OAuth2 Authorization code issued (002e0028)
Section 31.17.33, NIDS: OAuth2 Authorization code issue failed (002e0030)
Section 31.17.35, NIDS: OAuth2 refresh token issued (002e0032)
Section 31.17.36, NIDS: OAuth2 token issue failed (002e0033)
Section 31.17.37, NIDS: OpenID token issue failed (002e0034)
Section 31.17.38, NIDS: OAuth2 refresh token issue failed (002e0035)
Section 31.17.39, NIDS: OAuth2 client has been registered successfully (002e0036)
Section 31.17.40, NIDS: OAuth2 client has been modified successfully (002e0037)
Section 31.17.41, NIDS: OAuth2 client has been deleted successfully (002e0038)
Section 31.17.42, NIDS: OAuth2 user has provided consent (002e0039)
Section 31.17.43, NIDS: OAuth2 user has revoked consent (002e0040)
Section 31.17.44, NIDS: OAuth2 token validation success (002e0041)
Section 31.17.45, NIDS: OAuth2 token validation failed (002e0042)
Section 31.17.46, NIDS: OAuth2 client registration failed (002e0043)
Section 31.17.47, NIDS: OAuth2 refresh token revoked success (002e0055)
Section 31.17.48, NIDS: OAuth2 refresh token revocation failed (002e0056)
Section 31.17.49, NIDS: OAuth2 AA Authorization Code Exchange (002e0071)
Section 31.17.50, NIDS: OAuth2 AA Access Token Exchange (002e0072)
Section 31.17.53, NIDS: Risk-Based Authentication Action for User (002e0045)
Section 31.17.54, NIDS: Risk-Based Authentication Action for User (002e0046)
Section 31.17.55, NIDS: Risk-Based Authentication Action for User (002e0047)
Section 31.17.56, NIDS: Token was Issued to Web Service (002E001F)
Section 31.17.57, NIDS: Issued a Federation Assertion (002E0102)
Section 31.17.58, NIDS: Received a Federation Assertion (002E0103)
Section 31.17.60, Roles Assignment Policy Evaluation (002e0320)
Section 31.17.61, Access Gateway: Authorization Policy Evaluation (002e0321)
Section 31.17.62, Access Gateway: Form Fill Policy Evaluation (002e0322)
Section 31.17.63, Access Gateway: Identity Injection Policy Evaluation (002e0323)
Section 31.17.64, Access Gateway: Access Denied (0x002e0505)
Section 31.17.65, Access Gateway: URL Not Found (0x002e0508)
Section 31.17.66, Access Gateway: System Started (0x002e0509)
Section 31.17.67, Access Gateway: System Shutdown (0x002e050a)
Section 31.17.68, Access Gateway: Identity Injection Parameters (0x002e050c)
Section 31.17.69, Access Gateway: Identity Injection Failed (0x002e050d)
Section 31.17.70, Access Gateway: Form Fill Authentication (0x002e050e)
Section 31.17.71, Access Gateway: Form Fill Authentication Failed (0x002e050f)
Section 31.17.73, Access Gateway: IP Access Attempted (0x002e0513)
Section 31.17.74, Access Gateway: Webserver Down (0x002e0515)
Section 31.17.75, Access Gateway: All WebServers for a Service is Down (0x002e0516)
Section 31.17.76, Access Gateway: Application Accessed (002E0514)
Section 31.17.77, Access Gateway: Session Created (002E0525)
Section 31.17.78, Management Communication Channel: Health Change (0x002e0601)
Section 31.17.79, Management Communication Channel: Device Imported (0x002e0602)
Section 31.17.80, Management Communication Channel: Device Deleted (0x002e0603)
Section 31.17.81, Management Communication Channel: Device Configuration Changed (0x002e0604)
Section 31.17.82, Management Communication Channel: Device Alert (0x002e0605)
Section 31.17.83, Management Communication Channel: Statistics (002e0606)
Section 31.17.84, Risk-Based Authentication Successful (002e0025)
Section 31.17.85, Risk-Based Authentication Failed (002e0026)
Section 31.17.86, Risk-Based Authentication for User (002e0027)
Section 31.17.88, Impersonation: Impersonator Logs Out (002E0049)
Section 31.17.90, Impersonation: Impersonatee Denies (002E0051)
Section 31.17.91, Impersonation: Impersonatee Approves (002E0052)
Section 31.17.92, Impersonation: Impersonator Cancels (002E0053)
Section 31.17.93, Impersonation: Authorization Policy Fails (002E0054)