12.1 Syslog

These logs contain information about the system events and actions.

The Syslogs are classified as follows:

0 - 100: Maintenance
100 - 200: Access
200 - 300: App data
300 - 400: Endpoints
400 - 500: Repositories
500 - 600: Local users
600 - 700: Repository users
700 - 800: User templates
800 - 900: Policies
900 - 1000: Licenses
1000 - 1100: Settings
1100 - 1200: Password filter
1201 - 1300: Background logon

Code	Name	Class	Severity	Optional Parameters	Example
1	New Request	Operational	1	None	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|1\|New Request\|1\|
2	Request failed	Operational	1	None	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|1\|Request failed\|1\|
10	Server started	Operational	4	None	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|1\|Server started\|4\|
12	Server stopped	Operational	7	None	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|2\|Server stopped\|7\|
13	Server unexpectedly stopped	Operational	10	None	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|3\|Server unexpectedly stopped\|10
50	Server Message	Operational	5	Message	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|4\|Server Message\|4\|This is my message
100	User logon started	Security	4	Username Ep Ep_addr Sid Unit_id Session_id Event Tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|4\|User logon started\|4\|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 event=Windows Logon ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 tenant_name=Mycompany
101	User was successfully logged on	Security	7	Username Ep Ep_addr Sid Session_id method_name method_comment method_infoEvent Tenant_name Template_owner	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|5\|User was successfully logged on\|7\|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 method_name=card method_comment=white card method_info=YYY password ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 event=Windows Logon template_owner=Mycompany\\demo tenant_name=Mycompany
102	User was failed to authenticate	Security	9	Username Ep Ep_addr Sid Session_id Method_name Tenant_name Template_owner	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|6\|User was failed to authenticate\|9\|Username=Mycompany\\demo sid=S-1-5-XXX session_id=123 method_name=card ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 template_owner=Mycompany\\demo tenant_name=Mycompany
103	User was switched to different method	Security	2	Username Ep Ep_addr Sid Session_id New_method_ name Tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|7\|User was switched to different method\|2\|username=Mycompany\\demo sid=S-1-5-XXX new_method_name=fingerprint session_id=123 ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 tenant_name=Mycompany
104	User logon session was ended	Security	2	Username Ep Ep_addr Sid Session_id Tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|8\|User logon session was ended\|2\|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 ep=aaadev1.Mycompany.local ep_addr=192.168.91.1tenant_name=Mycompany
105	User logon unwanted	Security	9	Username Ep Ep_addr Method_name Tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|8\|User logon session was ended\|9\|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 method_name=voice tenant_name=Mycompany
106	User was failed to authenticate method in the middle of a chain	Security	2	Username Ep Ep_addr Method_name Tenant_name	June 10 20:10:11 (UTC+0530) host CEF:0\|AAA\|Core\|5.0\|106\|User was failed to authenticate method in the middle of a chain\|2\|ep_addr=164.99.137.193 method_name=PASSWORD:1 tenant_name=TOP user_name=MFA\\topvisu p=3147
200	User read app data	Security	3	Username Ep Ep_addr Sid Session_id Data_id Record_id Tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|9\|User read app data\|3\|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 data_id=Windows Logon record_id=password ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 tenant_name=Mycompany
201	User write app data	Security	4	Username Ep Ep_addr Sid Session_id Data_id Record_id Tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|10\|User write app data\|4\|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 data_id=Windows Logon record_id=password ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 tenant_name=Mycompany
300	Endpoint joined	Security	4	Ep_name Ep_addr Ep_id Username Tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|11\|Endpoint joined\|4\|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1 tenant_name=Mycompany
301	No rights to join endpoint	Security	7	Ep_name Ep_addr Ep_id Username Tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|12\|No rights to join endpoint\|7\|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1 tenant_name=Mycompany
302	Failed to join endpoint	Operational	7	Ep_name Ep_addr Ep_id Username Reason Tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|13\|Failed to join endpoint \|7\|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1 reason=Duplicated tenant_name=Mycompany
303	Endpoint remove	Security	4	Ep_name Ep_addr Ep_id Username Tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|14\|Endpoint remove\|4\|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1
304	No rights to remove endpoint	Security	7	Ep_name Ep_addr Ep_id Username Tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|15\|No rights to remove endpoint\|7\|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1 tenant_name=Mycompany
305	Failed to remove endpoint	Operational	7	Ep_name Ep_addr Ep_id Username Reason Tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|16\|Failed to remove endpoint \|7\|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1 reason=Duplicated tenant_name=Mycompany
306	Endpoint session started	Operational	2	Ep_name Ep_addr Ep_id Tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|17\|Endpoint session started\|2\|ep_name=xp_client ep_id=123 ep_addr=192.168.91.1 tenant_name=Mycompany
307	Endpoint session ended	Operational	2	Ep_name Ep_addr Ep_id Tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|18\|Endpoint session ended\|2\|ep_name=xp_client ep_id=123 ep_addr=192.168.91.1tenant_name=Mycompany
308	Invalid endpoint secret	Security	7	Ep_name Ep_addr Ep_id Tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|17\|Invalid endpoint secret\|2\|ep_name=xp_client ep_id=123 ep_addr=192.168.91.1 tenant_name=Mycompany
309	Failed to create endpoint session	Operational	7	Ep_name Ep_addr Ep_id Reason Tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|18\| Failed to create endpoint session \|7\|ep_name=xp_client ep_id=123 ep_addr=192.168.91.1 reason=No memory tenant_name=Mycompany
310	Failed to end endpoint session	Operational	7	Ep_name Ep_addr Ep_id Reason Tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|18\| Failed to create endpoint session \|7\|ep_name=xp_client ep_id=123 ep_addr=192.168.91.1 reason=No memory tenant_name=Mycompany
401	New repository was added	Operational	4	repo_name repo_type session_id tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|19\|New repository was added \|4\|repo_name=Mycompany repo_type=LDAP session_id=123 tenant_name=Mycompany
402	Failed to add repository	Operational	7	repo_name repo_type session_id reason tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|20\| Failed to add repository\|7\|repo_name=Mycompany repo_type=LDAP session_id=123 reason=repo already exists tenant_name=Mycompany
403	Repository was removed	Operational	4	repo_name repo_type session_id tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|21\|Repository was removed\|4\|repo_name=Mycompany repo_type=LDAP session_id=123 tenant_name=Mycompany
404	Failed to remove repository	Operational	7	repo_name repo_type session_id reason tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|22\|Failed to remove repository\|7\| repo_name=Mycompany repo_type=LDAP session_id=123 reason=not empty tenant_name=Mycompany
405	Repository configuration was changed	Operational	4	repo_name repo_type session_id reason tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|23\|Repository configuration was changed\|4\| repo_name=Mycompany repo_type=LDAP session_id=123 tenant_name=Mycompany
501	Local user was created	Operational	4	user_name session_id tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|24\|Local user was created\|4\|user_name=admin session_id=123 tenant_name=Mycompany
502	Local user was removed	Operational	5	user_name session_id tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|25\|Local user was removed\|5\|user_name=admin session_id=123 tenant_name=Mycompany
503	Failed to create local user	Operational	4	user_name session_id reason tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|26\|ailed to create local user\|4\|user_name=admin session_id=123 reason=already exists tenant_name=Mycompany
504	No rights to remove local user	Security	7	user_name session_id tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|26\|ailed to create local user\|4\|user_name=admin session_id=123 reason=already exists tenant_name=Mycompany
505	Failed to remove local user	Operational	5	user_name session_id reason tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|28\|Failed to remove local user\|5\|user_name=admin session_id=123 reason=can't remove currently logged on user tenant_name=Mycompany
506	No rights to create local user	Security	7	user_name session_id tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|29\|Failed to create local user\|7\|user_name=admin session_id=123 tenant_name=Mycompany
601	User was created	Operational	4	user_name session_id repo_name tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|30\|User was created\|4\|username=Someone session_id=123 repo_name=Mycompany tenant_name=Mycompany
602	No rights to create user	Security	7	user_name session_id repo_name tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|31\|No rights to create user\|7\|username=Someone session_id=123 repo_name=Mycompany tenant_name=Mycompany
603	Failed to create user	Operational	4	user_name session_id repo_name reason tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|32\|Failed to create user\|4\|user_name=someone session_id=123 repo_name=123 reason=already exists tenant_name=Mycompany
604	User was removed	Operational	5	user_name session_id repo_name tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|33\|User was removed\|5\|username=Someone session_id=123 repo_name=Mycompany tenant_name=Mycompany
605	No rights to remove user	Security	7	user_name session_id repo_name tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|34No rights to remove user\|7\|username=Someone session_id=123 repo_name=Mycompany tenant_name=Mycompany
606	Failed to remove user	Operational	5	user_name session_id repo_name reason tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|35\|Failed to remove user\|5\|user_name=someone session_id=123 repo_name=123 reason=not found tenant_name=Mycompany
701	Template was assigned to the user	Security	7	user_name session_id ap_name comment tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|36\|Template was assigned to the user\|7\|user_name=Mycompany\some session_id=123 ap_name=Card comment=white card tenant_name=Mycompany
702	Template was enrolled for the user	Security	7	user_name session_id ap_name comment tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|37\|Template was enrolled for the user\|7\|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany
703	User enroll the assigned template	Security	7	user_name session_id ap_name comment tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|38\|User enroll the assigned template\|7\|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany
704	Template is linked	Security	8	user_name target_user_name session_id ap_name comment tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|39\|Template is linked\|8\|user_name=Mycompany\some target_user_name=Mycompany\boss session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany
705	Failed to assign template to the user	Security	7	user_name session_id ap_name comment reason tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|40\|Failed to assign template to the user\|7\|user_name=Mycompany\some session_id=123 ap_name=Card comment=white card reason=no license tenant_name=Mycompany
706	Failed to enroll template for the user	Security	7	user_name session_id ap_name comment reason tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|41\|Failed to enroll template for the user\|7\|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand reason=ap error tenant_name=Mycompany
707	User can't enroll the assigned template	Security	7	user_name session_id ap_name comment reason tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|41\|User can't enroll the assigned template\|7\|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand reason=AP not installed on client side tenant_name=Mycompany
709	Failed to link template	Security	8	user_name target_user_name session_id ap_name comment reason tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|42\|Failed to link template\|8\|user_name=Mycompany\some target_user_name=Mycompany\boss session_id=123 ap_name=hand 3D comment=left hand reason=target user can't be found tenant_name=Mycompany
709	Template link was removed	Security	6	user_name target_user_name session_id ap_name comment tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|43\|Template link was removed\|6\|user_name=Mycompany\some target_user_name=Mycompany\boss session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany
710	Failed to remove template link	Security	6	user_name target_user_name session_id ap_name comment reason tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|44\|Failed to remove template link\|6\|user_name=Mycompany\some target_user_name=Mycompany\boss session_id=123 ap_name=hand 3D comment=left hand reason=too small carma tenant_name=Mycompany
711	Template was removed	Security	6	user_name ap_name comment session_id tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|45\|Template was removed\|6\|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany
712	Failed to remove template	Security	6	user_name ap_name comment session_id reason tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|46\|Failed to remove template\|6\|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand reason=only owner can remove template tenant_name=Mycompany
713	Template was changed	Security	7	user_name ap_name comment session_id tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|47\|Template was changed\|7\|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany
714	Failed to change template	Security	6	user_name ap_name comment session_id reason tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|48\|Failed to change template\|6\|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand reason=only owner can change template tenant_name=Mycompany
715	Template was changed during logon	Security	5	user_name ap_name comment session_id tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|49\|Template was changed during logon\|7\|user_name=Mycompany\some session_id=123 ap_name=TOTP comment=ASA (iPhone) tenant_name=Mycompany
801	Policy was changed	Security	7	session_id scope comp_name policy_name old_value new_value	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|50\|Policy was changed\|7\|session_id=123 scope=global comp_name=password poliices policy_name=minimal password length old_value=4 new_value=8
802	No rights to change policy	Security	8	session_id scope comp_name policy_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|51\|No rights to change policy\|8\|session_id=123 scope=global comp_name=password poliices policy_name=minimal password
803	Failed to change policy	Operational	7	session_id scope comp_name policy_name reason	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|52\|Failed to change policy\|7\|session_id=123 scope=global comp_name=password poliices policy_name=minimal password reason=policy not found
901	New license was added	Operational	3	session_id license_id users_count enabled_features expire_date	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|53\|New license was added\|3\|session_id=123 license_id=111 users_count=101 enabled_features=client,rte,nps expire_date=31/12/2014
902	Failed to add license	Operational	8	session_id license_id users_count enabled_features expire_date reason	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|54\|Failed to add license\|8\|session_id=123 license_id=111 users_count=101 enabled_features=client,rte,nps expire_date=31/12/2013 reason=already expired
1001	Global setting was changed	Security	9	session_id setting_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|55\|Global setting was changed\|9\|session_id=123 setting_name=syslog_server
1002	No rights to change global setting	Security	9	session_id setting_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|56\|No rights to change global setting\|9\|session_id=123 setting_name=syslog_server
1003	Failed to change global setting	Operational	9	session_id setting_name reason	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|57\|Failed to change global setting\|9\|session_id=123 setting_name=syslog_server reason=server is unavailable
1101	Password was changed	Security	5	user_name ep ep_addr tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|15\|Password was changed\|5\|ep=xp_client user_name=Mycompany\Admin ep_addr=192.168.91.1 tenant_name=Mycompany
1102	Password was reset	Security	8	user_name ep ep_addr tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|15\|Password was reset\|8\|ep=xp_client user_name=Mycompany\Admin ep_addr=192.168.91.1 tenant_name=Mycompany
1201	User successfully logged on using local cache	Security	8	user_name ep_addr event chain_name logon_time tenant_name	June 10 20:10:11 host CEF:0\|AAA\|Core\|5.0\|15\|User successfully logged on using local cache\|8\|ep=xp_client user_name=Mycompany\Admin ep_addr=192.168.91.1 event=windows logon chain_name=LDAP+SMS logon_time=2017-11-05 08:10:03 tenant_name=Mycompany

To configure logs forwarding to a third-party syslog server, see CEF Log Forward Policy.