Logs Tab Configuration

Introduction

Use this guide to configure the Logs tab in the Web Admin for each SecureAuth IdP realm.

This includes enabling or disabling audit, error, and debug logs.

Prerequisites

1. Create a New Realm for the target resource for which the configuration settings will apply, or open an existing realm for which configurations have already been started

2. Configure the Overview, Data, Workflow, Adaptive Authentication, Multi-Factor Methods, and Post Authentication tabs in the Web Admin before configuring the Logs tab

Logs Configuration Steps

1. In the Log Options section, provide the Log Instance ID, e.g. the Application Name or the realm name (SecureAuth1)

2. Check which Audit, Debug, and Error Logs to enable

3. Select On or Remote Only from the Custom Errors dropdown to redirect end-users to a distinct page when a custom error occurs

4. Provide the URL for the Custom Error Redirect if On or Remote Only is selected in step 3

Log Database

1. Provide the FQDN or the IP Address of the database in the Data Source field

2. Provide the Database Name in the Initial Catalog field

3. Select True from the Integrated Security dropdown if the webpage's ID is to be included in the Connection String

4. Select True form the Persist Security Info dropdown if access to username and password information is allowed

5. Provide the User ID of the Database

6. Provide the Password associated to the User ID

7. Click Generate Connection String, and the Connection String will auto-populate based on the previous fields

8. Click Test Connection to ensure that the integration is successful

9. Click Save to all Realms if these Database settings are to be used in each SecureAuth IdP realm

Reports

5. Review the log Reports and Charts by downloading the information

6. Review the Error Logs, Audit Logs, and / or Certificate Logs as enabled here in the Web Admin as needed

Warning

Click Save once the configurations have been completed and before leaving the Logs page to avoid losing changes

Enhanced Logging

Key-Value Pair Properties

Key-value pair properties defined in the table below are pertinent to the structured data element of a syslog entry. Several of these properties are also logged in the header or message elements of the log entry but are difficult to parse or extract. These properties are outputted in their original location as well as in the structured data element.

Property	Description	Notes
`AE.IP.RiskScore`	Risk score based on IP Address evaluation and threat intelligence data	Applicable only to IP reputation log entries; also logged in the message element
`AllowedTokens`	For some authentication methods, this property may tell which method of 2FA was used.	Text string; possible values are: COOKIE ZCOOKIE BROWSERFINGERPRINT ALL
`EventID`	Category of the event being logged	Also logged in the header element
`ReceiveToken`		Integer
`RequestDuration`	Displays the response time of an application request	Applicable only to log entries with event ID9004x; also logged in the message element
`RequestID`	Displays a unique identifier that shows the workflow for a specific request	An "Application End" log entry marks the end of a request and its corresponding RequestID
`TrxResult`	Displays result of an authentication attempt	Also logged in the message element
`UseJava`		True / False

Syslog Logging Event

Syslog generates a log entry when a user opens or saves a tab using the Web Admin tool. This tool provides information about the realm a user modified at the time the log entry was generated.

Property	Description	Notes
`Loading: [` realm# `]`	Describes the realm number that was opened in the Web Admin	This log entry type is generated when a user opens a realm (by clicking the sidebar in the Web Admin) or opens a tab in a realm (e.g. Workflow, Data)
`Saving to: [` realm#,... `]`	Describes the realm number(s) where changes were saved in the Web Admin	The value of this key lists all realms that were saved to when the log entry was generated

Information About Transaction Logs (20990)

Events recorded in Transaction Logs (20990) provide information that can assist in troubleshooting or analyzing end-user activity on the SecureAuth IdP appliance.

The table below provides details about common fields and values identified in transaction logs, and how to interpret that data.

Field / Description

Values / Description

The persistent token corresponds to the Client Side Control configured in theProduction Configuration section on theWorkflow tab

Persistent Token	Client Side Control	Integration Method
BROWSERFINGERPRINT	Device / Browser Fingerprinting	Certification Enrollment and Validation Mobile Enrollment and Validation
ALL	Java Applet, Brower Plug-ins	Certification Enrollment and Validation
ZCOOKIE	Universal Browser Credential (UBC)	Certification Enrollment and Validation Mobile Enrollment and Validation
COOKIE	Browser Credential	Mobile Enrollment and Validation

The value corresponds to the Default Workflow configured in the Workflow section on the Workflow tab

The log provides counts for any of these values that are present:

Value	Default Workflow
0	Username \| Second Factor \| Password
1	Username \| Password
2	Username \| Second Factor
3	Username & Password \| Second Factor
4	(Valid Persistent Token) \| Second Factor
5	(Valid Persistent Token) \| Second Factor \| Password
6	(Valid Persistent Token) \| Password
7	Username & Password
9	(Validate Persistent Token) only
999	Username only

The comment includes an entry for each type of end-user failed login event, and includes the count and decimal percentage for each instance

Numerical Value	Definition
NULL	No error or success
1	Bad Multi-Factor Authentication attempt count (minus 1) for user with locked or disabled status
2	Message from a state machine Security Violation
3	Message from a SecurityViolation_X509 (includes -1)
4	Attempt count from a Security Limit Violation (attempts that have reached the maximum limit)
5	A Redirect URL if the user was redirected to another page

NOTE: Session Aborted appears whenever a session has ended (see TrxResult)

Security Violation Code	Definition
SecurityViolation	Adaptive check, hard stop
SecurityViolation_ExceededMaxPasswordAttempts	Password attempt exceeds set maximum attempts
SecurityViolation_ExceededMaxUserAttempts	User ID attempt exceeds set maximum attempts
SecurityViolation_ExceededMaxUserPasswordAttempts	User ID or password attempt exceeds set maximum attempts
The current windowsIdentity is different from logon user Id	Windows identity of the logged-in user has changed since last login
SECURITYVIOLATION_EXCEEDEDMAXCHANGEPASSWORDATTEMPTS	Exceeded maximum attempts changing password
SECURITYVIOLATION_EXCEEDEDMAXKBAATTEMPTS	Exceeded maximum attempts entering KB answers
SECURITYVIOLATION_EXCEEDEDMAXPINATTEMPTS	Exceeded maximum attempts entering PIN
SECURITYVIOLATION_EXCEEDEDMAXOTPATTEMPTS	Exceeded maximum attempts entering OTP
SECURITYVIOLATION_X509	Certificate issuance error
SECURITYVIOLATION_X509_CONTINUE	Certificate error, but can click Continue button to proceed

SecurityViolation_X509 Value	Definition
-1	Default
201	No ActiveX and no fall back allowed to obtain certificate
302	Certificate expired
402	Certificate not found
403	SSL certificate not found
404	SSL certificate error
405	UserID verification of certificate failed
406	CRI verification failure
407	URL verification failure
408	Certificate reset date failed
409	Maximum certificate attempt count attained
410	Maximum mobile cookie count attained
411	Certificate chain

Reserved

The value corresponds to the Integration Method configured in the Device Recognition Method section on the Workflow tab

Value	Integration Method
1	Certificate Enrollment and Validation
2	Certificate Enrollment Only
3	Mobile Enrollment and Validation

The value corresponds to the Receive Token type configured in the Custom Identity Consumer section on the Workflow tab