10.1 Syslog

These logs contain information about the system events and actions. The log message is displayed in the format <date> <host> CEF:0|AAA|Core|<version>|<code>|<message>|<severity>|<endpoint>|<event>|<authentication method name>|<template owner>|<tenant name>|<user name>|<uwsgi process id>.

After you export the syslog file, you can find the log file syslog in the /var/log/ folder.

The Syslogs are classified as follows:

  • 0 - 99: Maintenance

  • 100 - 199: Access

  • 200 - 299: App data

  • 300 - 399: Endpoints

  • 400 - 499: Repositories

  • 500 - 599: Local users

  • 600 - 699: Repository users

  • 700 - 799: User templates

  • 800 - 999: Policies

  • 900 - 1099: Licenses

  • 1000 - 1100: Settings

  • 1100 - 1200: Password filter

  • 1201 - 1300: Background logon

  • 1301 - 1400: Events

  • 1401 - 1500: Chains

Code

Name

Class

Severity

Optional Parameters

Example

1

New Request

Operational

1

None

June 10 20:10:11 host CEF:0|AAA|Core|5.0|1|New Request|1|

2

Request failed

Operational

1

None

June 10 20:10:11 host CEF:0|AAA|Core|5.0|2|Request failed|1|p=3531

10

Server started

Operational

4

None

June 10 20:10:11 host CEF:0|AAA|Core|5.0|1|Server started|4|

12

Server stopped

Operational

7

None

June 10 20:10:11 host CEF:0|AAA|Core|5.0|2|Server stopped|7|

13

Server unexpectedly stopped

Operational

10

None

June 10 20:10:11 host CEF:0|AAA|Core|5.0|3|Server unexpectedly stopped|10

50

Server Message

Operational

5

Message

June 10 20:10:11 host CEF:0|AAA|Core|5.0|4|Server Message|4|This is my message

100

User logon started

Security

4

Username Ep Ep_addr Sid Unit_id Session_id Event Tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|4|User logon started|4|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 event=Windows Logon ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 tenant_name=Mycompany

101

User was successfully logged on

Security

7

Username Ep Ep_addr Sid Session_id method_name method_comment method_infoEvent Tenant_name Template_owner

June 10 20:10:11 host CEF:0|AAA|Core|5.0|101|User was successfully logged on|7|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 method_name=card method_comment=white card method_info=YYY password ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 event=Windows Logon template_owner=Mycompany\\demo tenant_name=Mycompany\\AbbooPI p=9721

102

User was failed to authenticate

Security

9

Username Ep Ep_addr Sid Session_id Method_name Tenant_name Template_owner

June 10 20:10:11 host CEF:0|AAA|Core|5.0|6|User was failed to authenticate|9|Username=Mycompany\\demo sid=S-1-5-XXX session_id=123 method_name=card ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 template_owner=Mycompany\\demo tenant_name=Mycompany

103

User was switched to different method

Security

2

Username Ep Ep_addr Sid Session_id New_method_ name Tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|7|User was switched to different method|2|username=Mycompany\\demo sid=S-1-5-XXX new_method_name=fingerprint session_id=123 ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 tenant_name=Mycompany

104

User logon session was ended

Security

2

Username Ep Ep_addr Sid Session_id Tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|8|User logon session was ended|2|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 ep=aaadev1.Mycompany.local ep_addr=192.168.91.1tenant_name=Mycompany

105

User logon unwanted

Security

9

Username Ep Ep_addr Method_name Tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|8|User logon session was ended|9|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 method_name=voice tenant_name=Mycompany

106

User was failed to authenticate method in the middle of a chain

Security

2

Username Ep Ep_addr Method_name Tenant_name

June 10 20:10:11 (UTC+0530) host CEF:0|AAA|Core|5.0|106|User was failed to authenticate method in the middle of a chain|2|ep_addr=164.99.137.193 method_name=PASSWORD:1 tenant_name=TOP user_name=MFA\\topvisu p=3147

200

User read app data

Security

3

Username Ep Ep_addr Sid Session_id Data_id Record_id Tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|9|User read app data|3|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 data_id=Windows Logon record_id=password ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 tenant_name=Mycompany

201

User write app data

Security

4

Username Ep Ep_addr Sid Session_id Data_id Record_id Tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|10|User write app data|4|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 data_id=Windows Logon record_id=password ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 tenant_name=Mycompany

300

Endpoint joined

Security

4

Ep_name Ep_addr Ep_id Username Tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|11|Endpoint joined|4|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1 tenant_name=Mycompany

301

No rights to join endpoint

Security

7

Ep_name Ep_addr Ep_id Username Tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|12|No rights to join endpoint|7|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1 tenant_name=Mycompany

302

Failed to join endpoint

Operational

7

Ep_name Ep_addr Ep_id Username Reason Tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|13|Failed to join endpoint |7|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1 reason=Duplicated tenant_name=Mycompany

303

Endpoint remove

Security

4

Ep_name Ep_addr Ep_id Username Tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|14|Endpoint remove|4|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1

304

No rights to remove endpoint

Security

7

Ep_name Ep_addr Ep_id Username Tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|15|No rights to remove endpoint|7|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1 tenant_name=Mycompany

305

Failed to remove endpoint

Operational

7

Ep_name Ep_addr Ep_id Username Reason Tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|16|Failed to remove endpoint |7|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1 reason=Duplicated tenant_name=Mycompany

306

Endpoint session started

Operational

2

Ep_name Ep_addr Ep_id Tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|306|Endpoint session started|2|ep_name=xp_client ep_id=123 ep_addr=192.168.91.1 tenant_name=Mycompany p=5428

307

Endpoint session ended

Operational

2

Ep_name Ep_addr Ep_id Tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|18|Endpoint session ended|2|ep_name=xp_client ep_id=123 ep_addr=192.168.91.1tenant_name=Mycompany

308

Invalid endpoint secret

Security

7

Ep_name Ep_addr Ep_id Tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|17|Invalid endpoint secret|2|ep_name=xp_client ep_id=123 ep_addr=192.168.91.1 tenant_name=Mycompany

309

Failed to create endpoint session

Operational

7

Ep_name Ep_addr Ep_id Reason Tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|18| Failed to create endpoint session |7|ep_name=xp_client ep_id=123 ep_addr=192.168.91.1 reason=No memory tenant_name=Mycompany

310

Failed to end endpoint session

Operational

7

Ep_name Ep_addr Ep_id Reason Tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|18| Failed to create endpoint session |7|ep_name=xp_client ep_id=123 ep_addr=192.168.91.1 reason=No memory tenant_name=Mycompany

401

New repository was added

Operational

4

repo_name repo_type session_id tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|19|New repository was added |4|repo_name=Mycompany repo_type=LDAP session_id=123 tenant_name=Mycompany

402

Failed to add repository

Operational

7

repo_name repo_type session_id reason tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|20| Failed to add repository|7|repo_name=Mycompany repo_type=LDAP session_id=123 reason=repo already exists tenant_name=Mycompany

403

Repository was removed

Operational

4

repo_name repo_type session_id tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|21|Repository was removed|4|repo_name=Mycompany repo_type=LDAP session_id=123 tenant_name=Mycompany

404

Failed to remove repository

Operational

7

repo_name repo_type session_id reason tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|22|Failed to remove repository|7| repo_name=Mycompany repo_type=LDAP session_id=123 reason=not empty tenant_name=Mycompany

405

Repository configuration was changed

Operational

4

repo_name repo_type session_id reason tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|23|Repository configuration was changed|4| repo_name=Mycompany repo_type=LDAP session_id=123 tenant_name=Mycompany

501

Local user was created

Operational

4

user_name session_id tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|24|Local user was created|4|user_name=admin session_id=123 tenant_name=Mycompany

502

Local user was removed

Operational

5

user_name session_id tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|25|Local user was removed|5|user_name=admin session_id=123 tenant_name=Mycompany

503

Failed to create local user

Operational

4

user_name session_id reason tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|26|ailed to create local user|4|user_name=admin session_id=123 reason=already exists tenant_name=Mycompany

504

No rights to remove local user

Security

7

user_name session_id tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|26|ailed to create local user|4|user_name=admin session_id=123 reason=already exists tenant_name=Mycompany

505

Failed to remove local user

Operational

5

user_name session_id reason tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|28|Failed to remove local user|5|user_name=admin session_id=123 reason=can't remove currently logged on user tenant_name=Mycompany

506

No rights to create local user

Security

7

user_name session_id tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|29|Failed to create local user|7|user_name=admin session_id=123 tenant_name=Mycompany

601

User was created

Operational

4

user_name session_id repo_name tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|30|User was created|4|username=Someone session_id=123 repo_name=Mycompany tenant_name=Mycompany

602

No rights to create user

Security

7

user_name session_id repo_name tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|31|No rights to create user|7|username=Someone session_id=123 repo_name=Mycompany tenant_name=Mycompany

603

Failed to create user

Operational

4

user_name session_id repo_name reason tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|32|Failed to create user|4|user_name=someone session_id=123 repo_name=123 reason=already exists tenant_name=Mycompany

604

User was removed

Operational

5

user_name session_id repo_name tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|33|User was removed|5|username=Someone session_id=123 repo_name=Mycompany tenant_name=Mycompany

605

No rights to remove user

Security

7

user_name session_id repo_name tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|34No rights to remove user|7|username=Someone session_id=123 repo_name=Mycompany tenant_name=Mycompany

606

Failed to remove user

Operational

5

user_name session_id repo_name reason tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|35|Failed to remove user|5|user_name=someone session_id=123 repo_name=123 reason=not found tenant_name=Mycompany

701

Template was assigned to the user

Security

7

user_name session_id ap_name comment tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|36|Template was assigned to the user|7|user_name=Mycompany\some session_id=123 ap_name=Card comment=white card tenant_name=Mycompany

702

Template was enrolled for the user

Security

7

user_name session_id ap_name comment tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|37|Template was enrolled for the user|7|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany

703

User enroll the assigned template

Security

7

user_name session_id ap_name comment tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|38|User enroll the assigned template|7|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany

704

Template is linked

Security

8

user_name target_user_name session_id ap_name comment tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|39|Template is linked|8|user_name=Mycompany\some target_user_name=Mycompany\boss session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany

705

Failed to assign template to the user

Security

7

user_name session_id ap_name comment reason tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|40|Failed to assign template to the user|7|user_name=Mycompany\some session_id=123 ap_name=Card comment=white card reason=no license tenant_name=Mycompany

706

Failed to enroll template for the user

Security

7

user_name session_id ap_name comment reason tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|41|Failed to enroll template for the user|7|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand reason=ap error tenant_name=Mycompany

707

User can't enroll the assigned template

Security

7

user_name session_id ap_name comment reason tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|41|User can't enroll the assigned template|7|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand reason=AP not installed on client side tenant_name=Mycompany

709

Failed to link template

Security

8

user_name target_user_name session_id ap_name comment reason tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|42|Failed to link template|8|user_name=Mycompany\some target_user_name=Mycompany\boss session_id=123 ap_name=hand 3D comment=left hand reason=target user can't be found tenant_name=Mycompany

709

Template link was removed

Security

6

user_name target_user_name session_id ap_name comment tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|43|Template link was removed|6|user_name=Mycompany\some target_user_name=Mycompany\boss session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany

710

Failed to remove template link

Security

6

user_name target_user_name session_id ap_name comment reason tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|44|Failed to remove template link|6|user_name=Mycompany\some target_user_name=Mycompany\boss session_id=123 ap_name=hand 3D comment=left hand reason=too small carma tenant_name=Mycompany

711

Template was removed

Security

6

user_name ap_name comment session_id tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|45|Template was removed|6|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany

712

Failed to remove template

Security

6

user_name ap_name comment session_id reason tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|46|Failed to remove template|6|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand reason=only owner can remove template tenant_name=Mycompany

713

Template was changed

Security

7

user_name ap_name comment session_id tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|47|Template was changed|7|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany

714

Failed to change template

Security

6

user_name ap_name comment session_id reason tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|48|Failed to change template|6|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand reason=only owner can change template tenant_name=Mycompany

715

Template was changed during logon

Security

5

user_name ap_name comment session_id tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|49|Template was changed during logon|7|user_name=Mycompany\some session_id=123 ap_name=TOTP comment=ASA (iPhone) tenant_name=Mycompany

801

Policy was changed

Security

7

session_id scope comp_name policy_name old_value new_value

June 10 20:10:11 host CEF:0|AAA|Core|5.0|50|Policy was changed|7|session_id=123 scope=global comp_name=password poliices policy_name=minimal password length old_value=4 new_value=8

802

No rights to change policy

Security

8

session_id scope comp_name policy_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|51|No rights to change policy|8|session_id=123 scope=global comp_name=password poliices policy_name=minimal password

803

Failed to change policy

Operational

7

session_id scope comp_name policy_name reason

June 10 20:10:11 host CEF:0|AAA|Core|5.0|52|Failed to change policy|7|session_id=123 scope=global comp_name=password poliices policy_name=minimal password

reason=policy not found

901

New license was added

Operational

3

session_id license_id users_count enabled_features expire_date

June 10 20:10:11 host CEF:0|AAA|Core|5.0|53|New license was added|3|session_id=123 license_id=111 users_count=101 enabled_features=client,rte,nps expire_date=31/12/2014

902

Failed to add license

Operational

8

session_id license_id users_count enabled_features expire_date reason

June 10 20:10:11 host CEF:0|AAA|Core|5.0|54|Failed to add license|8|session_id=123 license_id=111 users_count=101 enabled_features=client,rte,nps expire_date=31/12/2013 reason=already expired

1001

Global setting was changed

Security

9

session_id setting_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|55|Global setting was changed|9|session_id=123 setting_name=syslog_server

1002

No rights to change global setting

Security

9

session_id setting_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|56|No rights to change global setting|9|session_id=123 setting_name=syslog_server

1003

Failed to change global setting

Operational

9

session_id setting_name reason

June 10 20:10:11 host CEF:0|AAA|Core|5.0|57|Failed to change global setting|9|session_id=123 setting_name=syslog_server reason=server is unavailable

1101

Password was changed

Security

5

user_name ep ep_addr tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|15|Password was changed|5|ep=xp_client user_name=Mycompany\Admin ep_addr=192.168.91.1 tenant_name=Mycompany

1102

Password was reset

Security

8

user_name ep ep_addr tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|15|Password was reset|8|ep=xp_client user_name=Mycompany\Admin ep_addr=192.168.91.1 tenant_name=Mycompany

1201

User successfully logged on using local cache

Security

8

user_name ep_addr event chain_name logon_time tenant_name

June 10 20:10:11 host CEF:0|AAA|Core|5.0|1201|User successfully logged on using local cache|8|ep=xp_client user_name=Mycompany\Admin ep_addr=192.168.91.1 event=windows logon chain_name=LDAP+SMS logon_time=2017-11-05 08:10:03 tenant_name=Mycompany

1301

Event was created sucessfully

Security

4

event tenant_name

Jan 03 17:04:10 host CEF:0|AAA|Core|5.0|1301|Event was created sucessfully|4|event=Windows logon tenant_name=TOP p=9171

1302

Failed to create event

Operational

7

event tenant_name reason

1303

Event was changed sucessfully

Security

4

event tenant_name

Jan 03 17:05:21 host CEF:0|AAA|Core|5.0|1303|Event was changed sucessfully|4|event=Linux logon tenant_name=TOP p=9163

1304

Failed to change event

Operational

7

event tenant_name reason

1305

Event was removed sucessfully

Security

4

event tenant_name

Jan 03 17:06:40 host CEF:0|AAA|Core|5.0|1305|Event was removed sucessfully|4|event=linux logon tenant_name=TOP p=9171

1306

Failed to remove event

Operational

7

event tenant_name reason

1401

Chain was created sucessfully

Security

4

chain_name tenant_name

Jan 03 16:54:09 host CEF:0|AAA|Core|5.0|1401|Chain was created sucessfully|4|chain_name=password tenant_name=TOP p=9171

1402

Failed to create chain

Operational

7

chain_name tenant_name reason

1403

Chain was changed sucessfully

Security

4

chain_name tenant_name

Jan 03 16:59:45 host CEF:0|AAA|Core|5.0|1403|Chain was changed sucessfully|4|chain_name=SMS tenant_name=TOP p=9171

1404

Failed to change chain

Operational

7

chain_name tenant_name reason

1405

Chain was removed sucessfully

Security

4

chain_name tenant_name

Jan 03 16:56:16 host CEF:0|AAA|Core|5.0|1405|Chain was removed sucessfully|4|chain_name=email OTP tenant_name=TOP p=9163

1406

Failed to remove chain

Operational

7

chain_name tenant_name reason

To configure logs forwarding to a third-party syslog server, see CEF Log Forward Policy.