Risk logs record Risk Service events. Each log message is displayed in the following CEF format:

`Date host CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]`

The Extension part of the message carries additional details associated with an audit event. Extension can include the following fields:

- Custom string label: Indicates the name of the audit field.
- Custom string: Indicates the value of the custom string label.
- Custom number label: Indicates the name of the audit field.
- Custom number: Indicates the value of the respective custom number label.

| EventID | Name | Severity | Example |
|---|---|---|---|
| receivedRequest | Received request at Risk Service | LOW | `INFO RiskService_collector CEF:0\|NetIQ\|Risk Service\|1.0\|receivedRequest\|Received request at Risk Service\|LOW\| suid=123 cs1Label=correlationID cs1=abcdef_123456 cs2Label=containerID cs2=f6811eb7c2e2 cs3Label=tenantID cs3=tenant_1 cs4Label=policyID cs4=Demo_Risk Policy cn1Label=mode cn1=0 msg=Request received at the Risk service for risk evaluation` |
| successfulRiskEvaluated | Successful Response sent from Risk | LOW | `INFO RiskService_collector CEF:0\|NetIQ\|Risk Service\|1.0\|successfulRiskEvaluated\|Successful Response sent from Risk Service\|LOW\| suid=123 cs1Label=correlationID cs1=abcdef_123456 cs2Label=containerID cs2=f6811eb7c2e2 cs3Label=tenantID cs3=tenant_1 cs4Label=policyID cs4=RPH cn1Label=mode cn1=0 cn2Label=riskscore cn2=100 cs5Label=risklevel cs5=Medium msg= Response of the risk evaluation request sent successfully` |
| riskResponseFailure | Risk Service response failed | HIGH | `INFO RiskService_collector CEF:0\|NetIQ\|Risk Service\|1.0\|riskResponseFailure\|Risk Service response failed\|HIGH\| cs1Label=correlationID cs1=abcdef_123456 cs2Label=containerID cs2=f6811eb7c2e2 cs3Label=tenantID cs3=tenant_1 cs4Label=policyID cs4=Demo_Risk Policy cn1Label=mode msg=Failed to provide the response of the risk evaluation request at Risk Service : {"error":"Policy not found for tenant."}` |
| configurationChanged | Risk configuration has been modified | LOW | `INFO RiskService_ui CEF:0\|NetIQ\|Risk Service\|1.0\|configurationChanged\|Risk configuration has been modified\|LOW\| suid=admin cs1Label=correlationID cs1=2660c5a5-60b8-44b8-aafe-589a77bc7561 cs2Label=containerID cs2=e272e8f5f6ca cs3Label=tenantID cs3=tenant_1 cs4Label=policyID cn1Label=mode cs5Label=configName cs5=1574318009646 cs6Label=configType cs6=RISKPOLICY cs7Label=action cs7=MODIFY msg=Risk policy updated` |
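
The following parser is an added example, not part of the product documentation or NetIQ code. It splits a Risk Service CEF line into its header fields and folds each custom string or number into the name given by its label, including values that contain spaces and labels that arrive without a value. The sample lines are constructed from the examples in the table, the `needs_review` rule is an assumed triage policy, and header fields are assumed to contain no escaped pipes.

```python
import re

# Sample lines constructed from the table's examples (some fields dropped for brevity).
SAMPLES = [
    "INFO RiskService_collector CEF:0|NetIQ|Risk Service|1.0|successfulRiskEvaluated|"
    "Successful Response sent from Risk Service|LOW| suid=123 cs3Label=tenantID cs3=tenant_1 "
    "cs4Label=policyID cs4=Demo_Risk Policy cn2Label=riskscore cn2=100 "
    "cs5Label=risklevel cs5=Medium msg=Response sent successfully",
    "INFO RiskService_collector CEF:0|NetIQ|Risk Service|1.0|riskResponseFailure|"
    "Risk Service response failed|HIGH| cs3Label=tenantID cs3=tenant_1 cn1Label=mode "
    'msg=Failed to provide the response : {"error":"Policy not found for tenant."}',
    "INFO RiskService_ui CEF:0|NetIQ|Risk Service|1.0|configurationChanged|"
    "Risk configuration has been modified|LOW| suid=admin cs4Label=policyID "
    "cs6Label=configType cs6=RISKPOLICY cs7Label=action cs7=MODIFY msg=Risk policy updated",
]

KEY = re.compile(r"(?:^|\s)(\w+)=")  # a key starts the string or follows whitespace

def parse_extension(ext):
    """Split key=value pairs (values may contain spaces), then name csN/cnN by their label."""
    hits = list(KEY.finditer(ext))
    ends = [m.start() for m in hits[1:]] + [len(ext)]
    raw = {m.group(1): ext[m.end():end].strip() for m, end in zip(hits, ends)}
    fields = {}
    for key, value in raw.items():
        if key.endswith("Label"):
            fields[value] = raw.get(key[:-5])   # None when the label has no value
        elif key + "Label" not in raw:
            fields[key] = value                 # plain keys such as suid and msg
    return fields

def parse_line(line):
    """Return eventID, name, severity and extension fields, or None if not a CEF line."""
    _, found, cef = line.partition("CEF:")
    parts = cef.split("|", 7)  # 7 header fields; pipes in the extension stay intact
    if not found or len(parts) != 8:
        return None
    event_id, name, severity, ext = parts[4:]
    return {"eventID": event_id, "name": name, "severity": severity,
            "fields": parse_extension(ext)}

def needs_review(event):
    """Assumed triage rule: HIGH severity, or any risk configuration change."""
    return event["severity"] == "HIGH" or event["eventID"] == "configurationChanged"

if __name__ == "__main__":
    for event in filter(None, map(parse_line, SAMPLES)):
        print(needs_review(event), event["eventID"], event["fields"])
```

All extension values are returned as strings, so a numeric field such as `riskscore` must be converted before it is compared against a threshold.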