These logs contain information about the system events and actions. The log message is displayed in the format <date> <host> CEF:0|AAA|Core|<version>|<code>|<message>|<severity>|<endpoint>|<event>|<authentication method name>|<template owner>|<tenant name>|<user name>|<uwsgi process id>.
After you export the logs, the log file, syslog, is located in the /var/log/ folder.
Syslog events are classified by code range as follows:
0 - 99: Maintenance
100 - 199: Access
200 - 299: App data
300 - 399: Endpoints
400 - 499: Repositories
500 - 599: Local users
600 - 699: Repository users
700 - 799: User templates
800 - 999: Policies
900 - 1099: Licenses
1000 - 1100: Settings
1100 - 1200: Password filter
1201 - 1300: Background logon
1301 - 1400: Events
1401 - 1500: Chains
Code |
Name |
Class |
Severity |
Optional Parameters |
Example |
---|---|---|---|---|---|
1 |
New Request |
Operational |
1 |
None |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|1|New Request|1| |
2 |
Request failed |
Operational |
1 |
None |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|2|Request failed|1|p=3531 |
10 |
Server started |
Operational |
4 |
None |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|1|Server started|4| |
12 |
Server stopped |
Operational |
7 |
None |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|2|Server stopped|7| |
13 |
Server unexpectedly stopped |
Operational |
10 |
None |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|3|Server unexpectedly stopped|10 |
50 |
Server Message |
Operational |
5 |
Message |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|4|Server Message|4|This is my message |
100 |
User logon started |
Security |
4 |
Username Ep Ep_addr Sid Unit_id Session_id Event Tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|4|User logon started|4|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 event=Windows Logon ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 tenant_name=Mycompany |
101 |
User was successfully logged on |
Security |
7 |
Username Ep Ep_addr Sid Session_id method_name method_comment method_info Event Tenant_name Template_owner |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|101|User was successfully logged on|7|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 method_name=card method_comment=white card method_info=YYY password ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 event=Windows Logon template_owner=Mycompany\\demo tenant_name=Mycompany\\AbbooPI p=9721 |
102 |
User was failed to authenticate |
Security |
9 |
Username Ep Ep_addr Sid Session_id Method_name Tenant_name Template_owner |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|6|User was failed to authenticate|9|Username=Mycompany\\demo sid=S-1-5-XXX session_id=123 method_name=card ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 template_owner=Mycompany\\demo tenant_name=Mycompany |
103 |
User was switched to different method |
Security |
2 |
Username Ep Ep_addr Sid Session_id New_method_name Tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|7|User was switched to different method|2|username=Mycompany\\demo sid=S-1-5-XXX new_method_name=fingerprint session_id=123 ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 tenant_name=Mycompany |
104 |
User logon session was ended |
Security |
2 |
Username Ep Ep_addr Sid Session_id Tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|8|User logon session was ended|2|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 ep=aaadev1.Mycompany.local ep_addr=192.168.91.1tenant_name=Mycompany |
105 |
User logon unwanted |
Security |
9 |
Username Ep Ep_addr Method_name Tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|8|User logon session was ended|9|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 method_name=voice tenant_name=Mycompany |
106 |
User was failed to authenticate method in the middle of a chain |
Security |
2 |
Username Ep Ep_addr Method_name Tenant_name |
June 10 20:10:11 (UTC+0530) host CEF:0|AAA|Core|5.0|106|User was failed to authenticate method in the middle of a chain|2|ep_addr=164.99.137.193 method_name=PASSWORD:1 tenant_name=TOP user_name=MFA\\topvisu p=3147 |
200 |
User read app data |
Security |
3 |
Username Ep Ep_addr Sid Session_id Data_id Record_id Tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|9|User read app data|3|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 data_id=Windows Logon record_id=password ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 tenant_name=Mycompany |
201 |
User write app data |
Security |
4 |
Username Ep Ep_addr Sid Session_id Data_id Record_id Tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|10|User write app data|4|username=Mycompany\\demo sid=S-1-5-XXX session_id=123 data_id=Windows Logon record_id=password ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 tenant_name=Mycompany |
300 |
Endpoint joined |
Security |
4 |
Ep_name Ep_addr Ep_id Username Tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|11|Endpoint joined|4|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1 tenant_name=Mycompany |
301 |
No rights to join endpoint |
Security |
7 |
Ep_name Ep_addr Ep_id Username Tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|12|No rights to join endpoint|7|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1 tenant_name=Mycompany |
302 |
Failed to join endpoint |
Operational |
7 |
Ep_name Ep_addr Ep_id Username Reason Tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|13|Failed to join endpoint |7|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1 reason=Duplicated tenant_name=Mycompany |
303 |
Endpoint remove |
Security |
4 |
Ep_name Ep_addr Ep_id Username Tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|14|Endpoint remove|4|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1 |
304 |
No rights to remove endpoint |
Security |
7 |
Ep_name Ep_addr Ep_id Username Tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|15|No rights to remove endpoint|7|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1 tenant_name=Mycompany |
305 |
Failed to remove endpoint |
Operational |
7 |
Ep_name Ep_addr Ep_id Username Reason Tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|16|Failed to remove endpoint |7|ep_name=xp_client ep_id=123 username=Mycompany\Admin ep_addr=192.168.91.1 reason=Duplicated tenant_name=Mycompany |
306 |
Endpoint session started |
Operational |
2 |
Ep_name Ep_addr Ep_id Tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|306|Endpoint session started|2|ep_name=xp_client ep_id=123 ep_addr=192.168.91.1 tenant_name=Mycompany p=5428 |
307 |
Endpoint session ended |
Operational |
2 |
Ep_name Ep_addr Ep_id Tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|18|Endpoint session ended|2|ep_name=xp_client ep_id=123 ep_addr=192.168.91.1tenant_name=Mycompany |
308 |
Invalid endpoint secret |
Security |
7 |
Ep_name Ep_addr Ep_id Tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|17|Invalid endpoint secret|2|ep_name=xp_client ep_id=123 ep_addr=192.168.91.1 tenant_name=Mycompany |
309 |
Failed to create endpoint session |
Operational |
7 |
Ep_name Ep_addr Ep_id Reason Tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|18| Failed to create endpoint session |7|ep_name=xp_client ep_id=123 ep_addr=192.168.91.1 reason=No memory tenant_name=Mycompany |
310 |
Failed to end endpoint session |
Operational |
7 |
Ep_name Ep_addr Ep_id Reason Tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|18| Failed to create endpoint session |7|ep_name=xp_client ep_id=123 ep_addr=192.168.91.1 reason=No memory tenant_name=Mycompany |
401 |
New repository was added |
Operational |
4 |
repo_name repo_type session_id tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|19|New repository was added |4|repo_name=Mycompany repo_type=LDAP session_id=123 tenant_name=Mycompany |
402 |
Failed to add repository |
Operational |
7 |
repo_name repo_type session_id reason tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|20| Failed to add repository|7|repo_name=Mycompany repo_type=LDAP session_id=123 reason=repo already exists tenant_name=Mycompany |
403 |
Repository was removed |
Operational |
4 |
repo_name repo_type session_id tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|21|Repository was removed|4|repo_name=Mycompany repo_type=LDAP session_id=123 tenant_name=Mycompany |
404 |
Failed to remove repository |
Operational |
7 |
repo_name repo_type session_id reason tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|22|Failed to remove repository|7| repo_name=Mycompany repo_type=LDAP session_id=123 reason=not empty tenant_name=Mycompany |
405 |
Repository configuration was changed |
Operational |
4 |
repo_name repo_type session_id reason tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|23|Repository configuration was changed|4| repo_name=Mycompany repo_type=LDAP session_id=123 tenant_name=Mycompany |
501 |
Local user was created |
Operational |
4 |
user_name session_id tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|24|Local user was created|4|user_name=admin session_id=123 tenant_name=Mycompany |
502 |
Local user was removed |
Operational |
5 |
user_name session_id tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|25|Local user was removed|5|user_name=admin session_id=123 tenant_name=Mycompany |
503 |
Failed to create local user |
Operational |
4 |
user_name session_id reason tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|26|ailed to create local user|4|user_name=admin session_id=123 reason=already exists tenant_name=Mycompany |
504 |
No rights to remove local user |
Security |
7 |
user_name session_id tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|26|ailed to create local user|4|user_name=admin session_id=123 reason=already exists tenant_name=Mycompany |
505 |
Failed to remove local user |
Operational |
5 |
user_name session_id reason tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|28|Failed to remove local user|5|user_name=admin session_id=123 reason=can't remove currently logged on user tenant_name=Mycompany |
506 |
No rights to create local user |
Security |
7 |
user_name session_id tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|29|Failed to create local user|7|user_name=admin session_id=123 tenant_name=Mycompany |
601 |
User was created |
Operational |
4 |
user_name session_id repo_name tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|30|User was created|4|username=Someone session_id=123 repo_name=Mycompany tenant_name=Mycompany |
602 |
No rights to create user |
Security |
7 |
user_name session_id repo_name tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|31|No rights to create user|7|username=Someone session_id=123 repo_name=Mycompany tenant_name=Mycompany |
603 |
Failed to create user |
Operational |
4 |
user_name session_id repo_name reason tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|32|Failed to create user|4|user_name=someone session_id=123 repo_name=123 reason=already exists tenant_name=Mycompany |
604 |
User was removed |
Operational |
5 |
user_name session_id repo_name tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|33|User was removed|5|username=Someone session_id=123 repo_name=Mycompany tenant_name=Mycompany |
605 |
No rights to remove user |
Security |
7 |
user_name session_id repo_name tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|34No rights to remove user|7|username=Someone session_id=123 repo_name=Mycompany tenant_name=Mycompany |
606 |
Failed to remove user |
Operational |
5 |
user_name session_id repo_name reason tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|35|Failed to remove user|5|user_name=someone session_id=123 repo_name=123 reason=not found tenant_name=Mycompany |
701 |
Template was assigned to the user |
Security |
7 |
user_name session_id ap_name comment tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|36|Template was assigned to the user|7|user_name=Mycompany\some session_id=123 ap_name=Card comment=white card tenant_name=Mycompany |
702 |
Template was enrolled for the user |
Security |
7 |
user_name session_id ap_name comment tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|37|Template was enrolled for the user|7|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany |
703 |
User enroll the assigned template |
Security |
7 |
user_name session_id ap_name comment tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|38|User enroll the assigned template|7|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany |
704 |
Template is linked |
Security |
8 |
user_name target_user_name session_id ap_name comment tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|39|Template is linked|8|user_name=Mycompany\some target_user_name=Mycompany\boss session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany |
705 |
Failed to assign template to the user |
Security |
7 |
user_name session_id ap_name comment reason tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|40|Failed to assign template to the user|7|user_name=Mycompany\some session_id=123 ap_name=Card comment=white card reason=no license tenant_name=Mycompany |
706 |
Failed to enroll template for the user |
Security |
7 |
user_name session_id ap_name comment reason tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|41|Failed to enroll template for the user|7|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand reason=ap error tenant_name=Mycompany |
707 |
User can't enroll the assigned template |
Security |
7 |
user_name session_id ap_name comment reason tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|41|User can't enroll the assigned template|7|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand reason=AP not installed on client side tenant_name=Mycompany |
709 |
Failed to link template |
Security |
8 |
user_name target_user_name session_id ap_name comment reason tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|42|Failed to link template|8|user_name=Mycompany\some target_user_name=Mycompany\boss session_id=123 ap_name=hand 3D comment=left hand reason=target user can't be found tenant_name=Mycompany |
709 |
Template link was removed |
Security |
6 |
user_name target_user_name session_id ap_name comment tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|43|Template link was removed|6|user_name=Mycompany\some target_user_name=Mycompany\boss session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany |
710 |
Failed to remove template link |
Security |
6 |
user_name target_user_name session_id ap_name comment reason tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|44|Failed to remove template link|6|user_name=Mycompany\some target_user_name=Mycompany\boss session_id=123 ap_name=hand 3D comment=left hand reason=too small carma tenant_name=Mycompany |
711 |
Template was removed |
Security |
6 |
user_name ap_name comment session_id tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|45|Template was removed|6|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany |
712 |
Failed to remove template |
Security |
6 |
user_name ap_name comment session_id reason tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|46|Failed to remove template|6|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand reason=only owner can remove template tenant_name=Mycompany |
713 |
Template was changed |
Security |
7 |
user_name ap_name comment session_id tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|47|Template was changed|7|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand tenant_name=Mycompany |
714 |
Failed to change template |
Security |
6 |
user_name ap_name comment session_id reason tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|48|Failed to change template|6|user_name=Mycompany\some session_id=123 ap_name=hand 3D comment=left hand reason=only owner can change template tenant_name=Mycompany |
715 |
Template was changed during logon |
Security |
5 |
user_name ap_name comment session_id tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|49|Template was changed during logon|7|user_name=Mycompany\some session_id=123 ap_name=TOTP comment=ASA (iPhone) tenant_name=Mycompany |
801 |
Policy was changed |
Security |
7 |
session_id scope comp_name policy_name old_value new_value |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|50|Policy was changed|7|session_id=123 scope=global comp_name=password poliices policy_name=minimal password length old_value=4 new_value=8 |
802 |
No rights to change policy |
Security |
8 |
session_id scope comp_name policy_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|51|No rights to change policy|8|session_id=123 scope=global comp_name=password poliices policy_name=minimal password |
803 |
Failed to change policy |
Operational |
7 |
session_id scope comp_name policy_name reason |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|52|Failed to change policy|7|session_id=123 scope=global comp_name=password poliices policy_name=minimal password reason=policy not found |
901 |
New license was added |
Operational |
3 |
session_id license_id users_count enabled_features expire_date |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|53|New license was added|3|session_id=123 license_id=111 users_count=101 enabled_features=client,rte,nps expire_date=31/12/2014 |
902 |
Failed to add license |
Operational |
8 |
session_id license_id users_count enabled_features expire_date reason |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|54|Failed to add license|8|session_id=123 license_id=111 users_count=101 enabled_features=client,rte,nps expire_date=31/12/2013 reason=already expired |
1001 |
Global setting was changed |
Security |
9 |
session_id setting_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|55|Global setting was changed|9|session_id=123 setting_name=syslog_server |
1002 |
No rights to change global setting |
Security |
9 |
session_id setting_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|56|No rights to change global setting|9|session_id=123 setting_name=syslog_server |
1003 |
Failed to change global setting |
Operational |
9 |
session_id setting_name reason |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|57|Failed to change global setting|9|session_id=123 setting_name=syslog_server reason=server is unavailable |
1101 |
Password was changed |
Security |
5 |
user_name ep ep_addr tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|15|Password was changed|5|ep=xp_client user_name=Mycompany\Admin ep_addr=192.168.91.1 tenant_name=Mycompany |
1102 |
Password was reset |
Security |
8 |
user_name ep ep_addr tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|15|Password was reset|8|ep=xp_client user_name=Mycompany\Admin ep_addr=192.168.91.1 tenant_name=Mycompany |
1201 |
User successfully logged on using local cache |
Security |
8 |
user_name ep_addr event chain_name logon_time tenant_name |
June 10 20:10:11 host CEF:0|AAA|Core|5.0|1201|User successfully logged on using local cache|8|ep=xp_client user_name=Mycompany\Admin ep_addr=192.168.91.1 event=windows logon chain_name=LDAP+SMS logon_time=2017-11-05 08:10:03 tenant_name=Mycompany |
1301 |
Event was created sucessfully |
Security |
4 |
event tenant_name |
Jan 03 17:04:10 host CEF:0|AAA|Core|5.0|1301|Event was created sucessfully|4|event=Windows logon tenant_name=TOP p=9171 |
1302 |
Failed to create event |
Operational |
7 |
event tenant_name reason |
|
1303 |
Event was changed sucessfully |
Security |
4 |
event tenant_name |
Jan 03 17:05:21 host CEF:0|AAA|Core|5.0|1303|Event was changed sucessfully|4|event=Linux logon tenant_name=TOP p=9163 |
1304 |
Failed to change event |
Operational |
7 |
event tenant_name reason |
|
1305 |
Event was removed sucessfully |
Security |
4 |
event tenant_name |
Jan 03 17:06:40 host CEF:0|AAA|Core|5.0|1305|Event was removed sucessfully|4|event=linux logon tenant_name=TOP p=9171 |
1306 |
Failed to remove event |
Operational |
7 |
event tenant_name reason |
|
1401 |
Chain was created sucessfully |
Security |
4 |
chain_name tenant_name |
Jan 03 16:54:09 host CEF:0|AAA|Core|5.0|1401|Chain was created sucessfully|4|chain_name=password tenant_name=TOP p=9171 |
1402 |
Failed to create chain |
Operational |
7 |
chain_name tenant_name reason |
|
1403 |
Chain was changed sucessfully |
Security |
4 |
chain_name tenant_name |
Jan 03 16:59:45 host CEF:0|AAA|Core|5.0|1403|Chain was changed sucessfully|4|chain_name=SMS tenant_name=TOP p=9171 |
1404 |
Failed to change chain |
Operational |
7 |
chain_name tenant_name reason |
|
1405 |
Chain was removed sucessfully |
Security |
4 |
chain_name tenant_name |
Jan 03 16:56:16 host CEF:0|AAA|Core|5.0|1405|Chain was removed sucessfully|4|chain_name=email OTP tenant_name=TOP p=9163 |
1406 |
Failed to remove chain |
Operational |
7 |
chain_name tenant_name reason |
To configure logs forwarding to a third-party syslog server, see CEF Log Forward Policy.
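On the receiving side, records in this format can be parsed and screened for repeated authentication failures (code 102). The following is an added example, not code from the product: the function names, the threshold, and the sample records are assumptions constructed for illustration, and class lower bounds are taken from the codes in the table because the listed ranges overlap.

```python
import re
from bisect import bisect_right
from collections import Counter

# Lower bound of each code class. The ranges listed on the page overlap
# (800-999 and 900-1099, for instance), so these bounds follow the table's codes.
BOUNDS = [0, 100, 200, 300, 400, 500, 600, 700, 800, 900, 1000, 1100, 1201, 1301, 1401]
NAMES = ["Maintenance", "Access", "App data", "Endpoints", "Repositories",
         "Local users", "Repository users", "User templates", "Policies",
         "Licenses", "Settings", "Password filter", "Background logon",
         "Events", "Chains"]

# Values may contain spaces ("event=Windows Logon"), so a value runs until the
# next whitespace-preceded "key=" or the end of the extension.
KEY = re.compile(r"(?:^|\s)([A-Za-z_][A-Za-z0-9_]*)=")

def code_class(code):
    return NAMES[bisect_right(BOUNDS, code) - 1]

def parse_line(line):
    """Split one record into header fields and a dict of extension key/values."""
    prefix, sep, rest = line.strip().partition("CEF:0|")
    if not sep:
        raise ValueError("no CEF:0 header")
    parts = rest.split("|", 6)  # keep any '|' inside the extension intact
    if len(parts) < 6:
        raise ValueError("truncated CEF header")
    ext = parts[6] if len(parts) == 7 else ""
    hits = list(KEY.finditer(ext))
    fields = {}
    for cur, nxt in zip(hits, hits[1:] + [None]):
        end = nxt.start() if nxt else len(ext)
        # Keys are lowercased: the page's examples show both Username= and username=.
        fields[cur.group(1).lower()] = ext[cur.end():end].strip()
    tokens = prefix.split()
    return {"date": " ".join(tokens[:-1]), "host": tokens[-1] if tokens else "",
            "version": parts[2], "code": int(parts[3]), "message": parts[4].strip(),
            "severity": int(parts[5]), "class": code_class(int(parts[3])), "fields": fields}

def repeated_auth_failures(lines, threshold=3):
    """Return {(user, ep_addr): count} for code 102 seen at least `threshold` times."""
    counts = Counter()
    for line in lines:
        try:
            rec = parse_line(line)
        except ValueError:
            continue  # not a CEF record, or a non-numeric code/severity
        if rec["code"] == 102:
            f = rec["fields"]
            user = f.get("username") or f.get("user_name") or "?"
            counts[(user, f.get("ep_addr", "?"))] += 1
    return {k: v for k, v in counts.items() if v >= threshold}

# Constructed sample records in the page's format (not captured from a real server).
FAIL = (r"June 10 20:10:1{} host CEF:0|AAA|Core|5.0|102|User was failed to authenticate|9|"
        r"Username=Mycompany\\demo sid=S-1-5-XXX session_id=12{} method_name=card "
        r"ep=aaadev1.Mycompany.local ep_addr=192.168.91.1 tenant_name=Mycompany")
SAMPLE = [FAIL.format(i, i) for i in range(3)] + [
    r"June 10 20:10:15 host CEF:0|AAA|Core|5.0|101|User was successfully logged on|7|"
    r"username=Mycompany\\demo method_comment=white card event=Windows Logon p=9721",
    "June 10 20:10:16 host kernel: unrelated syslog line",
]
```

The extension parser relies on whitespace before each key, so a record whose fields run together without a space will fold the second field into the first value.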