Documentation

Introduction

Use this guide to configure the Logs tab in the Web Admin for each SecureAuth IdP realm.

This includes enabling or disabling audit, error, and debug logs.

Prerequisites

1. Create a New Realm for the target resource for which the configuration settings will apply, or open an existing realm for which configurations have already been started

2. Configure the Overview, Data, Workflow, Registration Methods, and Post Authentication tabs in the Web Admin before configuring the Logs tab 

Logs Configuration Steps

 

1. In the Log Options section, provide the Log Instance ID, e.g. the Application Name or the realm name (SecureAuth1)

2. Check which Audit, Debug, and Error Logs to enable

3. Select On or Remote Only from the Custom Errors dropdown to redirect end-users to a distinct page when a custom error occurs

4. Provide the URL for the Custom Error Redirect if On or Remote Only is selected in step 3

 If SysLog is enabled
SysLog

 

1. Provide the FQDN or IP Address of the Syslog Server

2. Provide the SysLog Port number

3. Select the Syslog RFC Spec from the dropdown as required by the Syslog server

 If Database is enabled
Log Database

 

1. Provide the FQDN or the IP Address of the database in the Data Source field

2. Provide the Database Name in the Initial Catalog field

3. Select True from the Integrated Security dropdown if the webpage's ID is to be included in the Connection String

4. Select True from the Persist Security Info dropdown if access to username and password information is allowed

5. Provide the User ID of the Database

6. Provide the Password associated with the User ID

7. Click Generate Connection String, and the Connection String will auto-populate based on the previous fields

8. Click Test Connection to ensure that the integration is successful

9. Click Save to all Realms if these Database settings are to be used in each SecureAuth IdP realm

Reports

 

5. Review the log Reports and Charts by downloading the information

6. Review the Error Logs, Audit Logs, and / or Certificate Logs as enabled here in the Web Admin as needed

Click Save once the configurations have been completed and before leaving the Logs page to avoid losing changes.

New Enhanced Logging in SecureAuth IdP 8.2

New Key-Value Pair Properties

Multiple new key-value pair properties have been added to the structured data element of a syslog entry. Several of these properties are also logged in the header or message elements of the log entry but are difficult to parse or extract. These will continue to output in their original location as well as in the structured data element.

| New Property | Description | Notes |
|---|---|---|
| AE.IP.RiskScore | Risk score based on IP Address evaluation and threat intelligence data | Applicable only to IP reputation log entries; also logged in the message element |
| AllowedTokens | For some authentication methods, this property may tell which method of 2FA was used. | Text string. Possible values are: COOKIE, ZCOOKIE, BROWSERFINGERPRINT, ALL |
| EventID | Category of the event being logged | Also logged in the header element |
| ReceiveToken | | Integer |
| RequestDuration | Displays the response time of an application request | Applicable only to log entries with event ID 9004x; also logged in the message element |
| RequestID | Displays a unique identifier that shows the workflow for a specific request | An "Application End" log entry marks the end of a request and its corresponding RequestID |
| TrxResult | Displays result of an authentication attempt | Also logged in the message element |
| UseJava | | True / False |

New Logging Event

Syslog now generates a log entry when a user opens or saves a tab in the Web Admin tool. This provides information on which realm a user was modifying at the time the log entry was generated.

Along with this change are two new key-value properties:

| New Property | Description | Notes |
|---|---|---|
| Loading: [ realm# ] | Describes the realm number that was opened in the Web Admin | This log entry type is generated when a user opens a realm (by clicking the sidebar in the Web Admin) or opens a tab in a realm (e.g. Workflow, Data) |
| Saving to: [ realm#,... ] | Describes the realm number(s) where changes were saved in the Web Admin | The value of this key lists all realms that were saved to when the log entry was generated |

If upgrading an appliance to version 8.2, then certain steps must be taken to include new properties. Refer to Update Syslog Log Formatters after Upgrade for more information.

Bug Fixes
| Fix | Description |
|---|---|
| Exclude zero, null, and outrageously high response time values | When a log entry contains a RequestDuration value that is 0, missing, or outrageously high (e.g. thousands of years), syslog assigns EventID 90041 or EventID 90042 to it, rather than the usual EventID 90040. 90041: RequestDuration is 0. 90042: RequestDuration is unknown, missing, or outrageously high |
| Replace whitespaces in App-Name and Hostname with underscores | Pertains only to RFC 5424-compliant syslog servers |

Information About Transaction Logs (20990)

Events recorded in Transaction Logs (20990) provide information that can assist in troubleshooting or analyzing end-user activity on the SecureAuth IdP appliance

The table below provides details about common fields and values identified in transaction logs, and how to interpret that data

Field / Description | Values / Description
 AllowedTokens

Configured Persistent Token 

 BROWSERFINGERPRINT, ALL, ZCOOKIE, COOKIE

The persistent token corresponds to the Client Side Control configured in the Production Configuration section on the Workflow tab

| Persistent Token | Client Side Control | Integration Method |
|---|---|---|
| BROWSERFINGERPRINT | Device / Browser Fingerprinting | Certification Enrollment and Validation; Mobile Enrollment and Validation |
| ALL | Java Applet, Browser Plug-ins | Certification Enrollment and Validation |
| ZCOOKIE | Universal Browser Credential (UBC) | Certification Enrollment and Validation; Mobile Enrollment and Validation |
| COOKIE | Browser Credential | Mobile Enrollment and Validation |

 AuthGuiMode

Configured Workflow 

 0, 1, 2, 3, 4, 5, 6, 7, 9, 999

The value corresponds to the Authentication Mode configured in the Workflow section on the Workflow tab

The log provides counts for any of these values that are present:

| Value | Authentication Mode |
|---|---|
| 0 | Standard (User / 2nd Factor / Password) |
| 1 | User / Password Only (On separate pages) |
| 2 | Second Factor Only |
| 3 | User / Password on 1st page (+2nd factor) |
| 4 | Valid Persistent Token + Registration Code |
| 5 | Valid Persistent Token + Reg Code + Password |
| 6 | Valid Persistent Token + Password |
| 7 | User / Password on 1st page (no 2nd factor) |
| 9 | Validate Persistent Token Only |
| 999 | UserName Only |

Category

Log type classification

 AUDIT, DEBUG, ERROR, WARNING

Audit Logs, Debug Logs, Error Logs are configured in Log Options section on Logs tab

Warning Logs by default are found in the Error Logs folder

 Comment

End-user login failure transaction event details

 See all entries

The comment includes an entry for each type of end-user failed login event, and includes the count and decimal percentage for each instance:

| Numerical Value | Definition |
|---|---|
| NULL | No error or success |
| 1 | Bad Multi-Factor Authentication attempt count (minus 1) for user with locked or disabled status |
| 2 | Message from a state machine Security Violation |
| 3 | Message from a SecurityViolation_X509 (includes -1) |
| 4 | Attempt count from a Security Limit Violation (attempts that have reached the maximum limit) |
| 5 | A Redirect URL if the user was redirected to another page |

NOTE: Session Aborted appears whenever a session has ended (see TrxResult)

| Security Violation Type | Definition |
|---|---|
| SecurityViolation | Adaptive check, hard stop |
| SecurityViolation_ExceededMaxPasswordAttempts | Password attempt exceeds set maximum attempts |
| SecurityViolation_ExceededMaxUserAttempts | User ID attempt exceeds set maximum attempts |
| SecurityViolation_ExceededMaxUserPasswordAttempts | User ID or password attempt exceeds set maximum attempts |
| The current windowsIdentity is different from logon user Id | Windows identity of the logged-in user has changed since last login |
| SECURITYVIOLATION_EXCEEDEDMAXCHANGEPASSWORDATTEMPTS | Exceeded maximum attempts changing password |
| SECURITYVIOLATION_EXCEEDEDMAXKBAATTEMPTS | Exceeded maximum attempts entering KB answers |
| SECURITYVIOLATION_EXCEEDEDMAXPINATTEMPTS | Exceeded maximum attempts entering PIN |
| SECURITYVIOLATION_EXCEEDEDMAXOTPATTEMPTS | Exceeded maximum attempts entering OTP |
| SECURITYVIOLATION_X509 | Certificate issuance error |
| SECURITYVIOLATION_X509_CONTINUE | Certificate error, but can click Continue button to proceed |

| SecurityViolation_X509 Value | Definition |
|---|---|
| -1 | Default |
| 201 | No ActiveX and no fall back allowed to obtain certificate |
| 302 | Certificate expired |
| 402 | Certificate not found |
| 403 | SSL certificate not found |
| 404 | SSL certificate error |
| 405 | UserID verification of certificate failed |
| 406 | CRI verification failure |
| 407 | URL verification failure |
| 408 | Certificate reset date failed |
| 409 | Maximum certificate attempt count attained |
| 410 | Maximum mobile cookie count attained |
| 411 | Certificate chain |

Priority

Reserved

Reserved

 ProductType

Configured Workflow Integration Method

 1, 2, 3

The value corresponds to the Integration Method configured in the Production Configuration section on the Workflow tab

| Value | Integration Method |
|---|---|
| 1 | Certificate Enrollment and Validation |
| 2 | Certificate Enrollment Only |
| 3 | Mobile Enrollment and Validation |

ReceiveToken

Field under Custom Front End configured on the Workflow tab

 0, 1, 2, 3, 4, 5, 6

The value corresponds to the Receive Token type configured in the Custom Front End section on the Workflow tab

The log provides counts for any of these values that are present:

| Value | Receive Token |
|---|---|
| 0 | None |
| 1 | Token |
| 2 | Clear Text Query String |
| 3 | XOR / Base64 Query String |
| 4 | Send Token Only |
| 5 | Send XOR / Base64 Only |
| 6 | Receive Token Only |

RequestID

Authentication request identifier

Reserved

 ReturnUrl

Authentication request return URL

As specified by the Service Provider

 SAMLRelayState

SAML authentication request relay state URL

As specified by the Service Provider

 TargetUrl

Authentication request target URL 

As specified by the Service Provider

 TrxResult

Transaction result 

 Success or failure results

The comment includes an entry for each type of end-user login event, and includes the count and decimal percentage for each instance:

| Transaction Result | Definition |
|---|---|
| Session Aborted | Session ended |
| Success | Successful login attempt |
| WS-Trust success. | Successful login via WS-Trust |
| WS-Trust token validation failed. | Unsuccessful login attempt due to failure to validate the WS-Trust token |
| SA SSO Success | Successful login attempt via SSO |
| Incorrect_User | Unsuccessful login attempt due to end-user invalidation |
| SecurityViolation | Adaptive check, hard stop |
| Incorrect_Browser_RegistrationMethod_PIN | Incorrect Multi-Factor Authentication PIN entered |
| Incorrect_UserPassword | Incorrect password entered |
| Incorrect_FingerPrint_Check_Password | Incorrect password entered |
| Incorrect_Profile_DataErr | End-user found, but no profile information returned |
| NULL | Successful login attempt, but no information returned |
| Incorrect_Standard_Check_Password | Incorrect password entered |
| Incorrect_Group | Incorrect group returned for end-user |
| Incorrect_Browser_RegistrationMethod_OTP | Incorrect Multi-Factor Authentication OTP entered |
| SecurityViolation_ExceededMaxPasswordAttempts | End-user exceeded maximum session attempts via an incorrect password |
| Denied_Browser_RegistrationMethod_AcceptDeny_LoginRequest | Push-to-Accept Multi-Factor Authentication attempt denied |
| SecurityViolation_ExceededMaxPINAttempts | End-user exceeded maximum session attempts via an incorrect PIN |
| SecurityViolation_ExceededMaxUserAttempts | End-user exceeded maximum session attempts via an incorrect username |
| Redirect | End-user was redirected to a different page than the one intended to be accessed |
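
Added example, not SecureAuth code: a Python parser for the RFC 5424 structured data element described under New Key-Value Pair Properties, which applies the EventID 90040 / 90041 / 90042 rule from Bug Fixes and buckets TrxResult values from the Transaction Result table. The log lines, the SD-ID `idp@32473`, the use of 20990 as an EventID value, the ReturnUrl parameter in structured data, and the success / other / failure / violation grouping are assumptions of this example.

```python
import re
from collections import Counter

# Constructed RFC 5424 entries: SD-ID "idp@32473", host, IDs and values are placeholders.
SAMPLE = [
    r'<134>1 2024-05-01T10:00:00Z idp_node_1 SecureAuth1 - 90040 [idp@32473 EventID="90040" RequestID="a1" RequestDuration="182"] done',
    r'<134>1 2024-05-01T10:00:01Z idp_node_1 SecureAuth1 - 90041 [idp@32473 EventID="90041" RequestID="a2" RequestDuration="0"] done',
    r'<134>1 2024-05-01T10:00:02Z idp_node_1 SecureAuth1 - 90042 [idp@32473 EventID="90042" RequestID="a3"] done',
    r'<134>1 2024-05-01T10:00:03Z idp_node_1 SecureAuth1 - 20990 [idp@32473 EventID="20990" RequestID="a4" TrxResult="Incorrect_UserPassword"] x',
    r'<134>1 2024-05-01T10:00:04Z idp_node_1 SecureAuth1 - 20990 [idp@32473 EventID="20990" RequestID="a4" TrxResult="SecurityViolation_ExceededMaxPasswordAttempts"] x',
    r'<134>1 2024-05-01T10:00:05Z idp_node_1 SecureAuth1 - 20990 [idp@32473 EventID="20990" TrxResult="Success" ReturnUrl="https://sp.example/a\]b"] text [x TrxResult="Redirect"]',
]
HEADER = re.compile(r'<\d{1,3}>1 (?:\S+ ){5}')   # PRI, VERSION, then five header fields
SD_ELEMENT = re.compile(r'\[([^\s=\]"]+)((?: [^\s=\]"]+="(?:\\.|[^"\\])*")*)\]')
SD_PARAM = re.compile(r' ([^\s=\]"]+)="((?:\\.|[^"\\])*)"')
UNESCAPE = re.compile(r'\\(["\\\]])')             # RFC 5424 escapes: \" \\ \]
SUCCESS = {"Success", "WS-Trust success.", "SA SSO Success", "NULL"}
NEUTRAL = {"Session Aborted", "Redirect"}        # grouping chosen for this example

def parse_sd(line):
    """Return key-value pairs from the structured data element(s); MSG text is ignored."""
    head = HEADER.match(line)
    if not head:
        return {}
    props, pos = {}, head.end()
    while (elem := SD_ELEMENT.match(line, pos)):  # elements are adjacent: [a ...][b ...]
        for key, value in SD_PARAM.findall(elem.group(2)):
            props[key] = UNESCAPE.sub(r'\1', value)
        pos = elem.end()
    return props

def classify(trx):
    """Bucket a TrxResult value from the Transaction Result table."""
    if trx in SUCCESS or trx in NEUTRAL:
        return "success" if trx in SUCCESS else "other"
    return "violation" if trx.upper().startswith("SECURITYVIOLATION") else "failure"

def summarize(lines):
    """Usable response times, skipped 90041/90042 entries, and TrxResult buckets."""
    durations, skipped, outcomes = [], Counter(), Counter()
    for props in map(parse_sd, lines):
        event = props.get("EventID")
        if event == "90040" and "RequestDuration" in props:
            durations.append(float(props["RequestDuration"]))
        elif event in ("90041", "90042"):  # 0, or unknown / missing / outrageously high
            skipped[event] += 1
        if "TrxResult" in props:
            outcomes[classify(props["TrxResult"])] += 1
    return durations, skipped, outcomes
```

Because parsing is anchored to the header and stops at the first character that does not open a structured data element, bracketed text in the free-form message (as in the last sample line) is never read as a property.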