Documentation

Introduction

Use this guide to configure the Logs tab in the Web Admin for each SecureAuth IdP realm.

This includes enabling or disabling audit, error, and debug logs.

Prerequisites

1. Create a New Realm for the target resource for which the configuration settings will apply, or open an existing realm for which configurations have already been started

2. Configure the Overview, Data, Workflow, Adaptive Authentication, Multi-Factor Methods, and Post Authentication tabs in the Web Admin before configuring the Logs tab 

Logs Configuration Steps

 

1. In the Log Options section, provide the Log Instance ID, e.g. the Application Name or the realm name (SecureAuth1)

2. Check which Audit, Debug, and Error Logs to enable

3. Select On or Remote Only from the Custom Errors dropdown to redirect end-users to a distinct page when a custom error occurs

4. Provide the URL for the Custom Error Redirect if On or Remote Only is selected in step 3

SysLog

If SysLog is enabled:

 

1. Provide the FQDN or IP Address of the Syslog Server

2. Provide the SysLog Port number

3. Select the Syslog RFC Spec from the dropdown as required by the Syslog server

If RFC3164 is selected, then choose a Spec Format:

  • None Specified: normal RFC3164 formatting, for use in most implementations
  • LEEF: for use with IBM Security QRadar SIEM only
  • CEF: for use with HP ArcSight SIEM only

Log Database

If Database is enabled:

 

1. Provide the FQDN or the IP Address of the database in the Data Source field

2. Provide the Database Name in the Initial Catalog field

3. Select True from the Integrated Security dropdown if the webpage's ID is to be included in the Connection String

4. Select True from the Persist Security Info dropdown if access to username and password information is allowed

5. Provide the User ID of the Database

6. Provide the Password associated with the User ID

7. Click Generate Connection String, and the Connection String will auto-populate based on the previous fields

8. Click Test Connection to ensure that the integration is successful

9. Click Save to all Realms if these Database settings are to be used in each SecureAuth IdP realm

Reports

 

5. Review the log Reports and Charts by downloading the information

6. Review the Error Logs, Audit Logs, and / or Certificate Logs as enabled here in the Web Admin as needed

Click Save once the configurations have been completed and before leaving the Logs page to avoid losing changes

Enhanced Logging

Key-Value Pair Properties

The key-value pair properties defined in the table below belong to the structured data element of a syslog entry. Several of these properties are also logged in the header or message elements of the log entry, where they are difficult to parse or extract, so they are output in their original location as well as in the structured data element.

| Property | Description | Notes |
|---|---|---|
| AE.IP.RiskScore | Risk score based on IP Address evaluation and threat intelligence data | Applicable only to IP reputation log entries; also logged in the message element |
| AllowedTokens | For some authentication methods, this property may tell which method of 2FA was used. | Text string; possible values are: COOKIE, ZCOOKIE, BROWSERFINGERPRINT, ALL |
| EventID | Category of the event being logged | Also logged in the header element |
| ReceiveToken | | Integer |
| RequestDuration | Displays the response time of an application request | Applicable only to log entries with event ID 9004x; also logged in the message element |
| RequestID | Displays a unique identifier that shows the workflow for a specific request | An "Application End" log entry marks the end of a request and its corresponding RequestID |
| TrxResult | Displays result of an authentication attempt | Also logged in the message element |
| UseJava | | True / False |

Syslog Logging Event

Syslog generates a log entry when a user opens or saves a tab using the Web Admin tool. This tool provides information about the realm a user modified at the time the log entry was generated.

| Property | Description | Notes |
|---|---|---|
| Loading: [ realm# ] | Describes the realm number that was opened in the Web Admin | This log entry type is generated when a user opens a realm (by clicking the sidebar in the Web Admin) or opens a tab in a realm (e.g. Workflow, Data) |
| Saving to: [ realm#,... ] | Describes the realm number(s) where changes were saved in the Web Admin | The value of this key lists all realms that were saved to when the log entry was generated |

Information About Transaction Logs (20990)

Events recorded in Transaction Logs (20990) provide information that can assist in troubleshooting or analyzing end-user activity on the SecureAuth IdP appliance.

The table below provides details about common fields and values identified in transaction logs, and how to interpret that data.

Field / Description | Values / Description
 AllowedTokens

Configured Persistent Token 

 BROWSERFINGERPRINT, ALL, ZCOOKIE, COOKIE

The persistent token corresponds to the Client Side Control configured in the Production Configuration section on the Workflow tab

| Persistent Token | Client Side Control | Integration Method |
|---|---|---|
| BROWSERFINGERPRINT | Device / Browser Fingerprinting | Certification Enrollment and Validation; Mobile Enrollment and Validation |
| ALL | Java Applet, Browser Plug-ins | Certification Enrollment and Validation |
| ZCOOKIE | Universal Browser Credential (UBC) | Certification Enrollment and Validation; Mobile Enrollment and Validation |
| COOKIE | Browser Credential | Mobile Enrollment and Validation |

 AuthGuiMode

Configured Workflow 

 0, 1, 2, 3, 4, 5, 6, 7, 9, 999

The value corresponds to the Default Workflow configured in the Workflow section on the Workflow tab

The log provides counts for any of these values that are present:

Value: Default Workflow
  • 0: Username | Second Factor | Password
  • 1: Username | Password
  • 2: Username | Second Factor
  • 3: Username & Password | Second Factor
  • 4: (Valid Persistent Token) | Second Factor
  • 5: (Valid Persistent Token) | Second Factor | Password
  • 6: (Valid Persistent Token) | Password
  • 7: Username & Password
  • 9: (Validate Persistent Token) only
  • 999: Username only

 Category

Log type classification

 AUDIT, DEBUG, ERROR, WARNING

Audit Logs, Debug Logs, and Error Logs are configured in the Log Options section on the Logs tab

Warning Logs by default are found in the Error Logs folder

 Comment

End-user login failure transaction event details

 See all entries

The comment includes an entry for each type of end-user failed login event, and includes the count and decimal percentage for each instance

| Numerical Value | Definition |
|---|---|
| NULL | No error or success |
| 1 | Bad Multi-Factor Authentication attempt count (minus 1) for user with locked or disabled status |
| 2 | Message from a state machine Security Violation |
| 3 | Message from a SecurityViolation_X509 (includes -1) |
| 4 | Attempt count from a Security Limit Violation (attempts that have reached the maximum limit) |
| 5 | A Redirect URL if the user was redirected to another page |

NOTE: Session Aborted appears whenever a session has ended (see TrxResult)

| Security Violation Code | Definition |
|---|---|
| SecurityViolation | Adaptive check, hard stop |
| SecurityViolation_ExceededMaxPasswordAttempts | Password attempt exceeds set maximum attempts |
| SecurityViolation_ExceededMaxUserAttempts | User ID attempt exceeds set maximum attempts |
| SecurityViolation_ExceededMaxUserPasswordAttempts | User ID or password attempt exceeds set maximum attempts |
| The current windowsIdentity is different from logon user Id | Windows identity of the logged-in user has changed since last login |
| SECURITYVIOLATION_EXCEEDEDMAXCHANGEPASSWORDATTEMPTS | Exceeded maximum attempts changing password |
| SECURITYVIOLATION_EXCEEDEDMAXKBAATTEMPTS | Exceeded maximum attempts entering KB answers |
| SECURITYVIOLATION_EXCEEDEDMAXPINATTEMPTS | Exceeded maximum attempts entering PIN |
| SECURITYVIOLATION_EXCEEDEDMAXOTPATTEMPTS | Exceeded maximum attempts entering OTP |
| SECURITYVIOLATION_X509 | Certificate issuance error |
| SECURITYVIOLATION_X509_CONTINUE | Certificate error, but can click Continue button to proceed |

| SecurityViolation_X509 Value | Definition |
|---|---|
| -1 | Default |
| 201 | No ActiveX and no fall back allowed to obtain certificate |
| 302 | Certificate expired |
| 402 | Certificate not found |
| 403 | SSL certificate not found |
| 404 | SSL certificate error |
| 405 | UserID verification of certificate failed |
| 406 | CRI verification failure |
| 407 | URL verification failure |
| 408 | Certificate reset date failed |
| 409 | Maximum certificate attempt count attained |
| 410 | Maximum mobile cookie count attained |
| 411 | Certificate chain |

 Priority

Reserved

Reserved

 ProductType

Configured Workflow Integration Method

 1, 2, 3

The value corresponds to the Integration Method configured in the Device Recognition Method section on the Workflow tab

| Value | Integration Method |
|---|---|
| 1 | Certificate Enrollment and Validation |
| 2 | Certificate Enrollment Only |
| 3 | Mobile Enrollment and Validation |

 ReceiveToken

Field under Custom Identity Consumer configured on the Workflow tab

 0, 1, 2, 3, 4, 5, 6

The value corresponds to the Receive Token type configured in the Custom Identity Consumer section on the Workflow tab

The log provides counts for any of these values that are present:

| Value | Receive Token |
|---|---|
| 0 | None |
| 1 | Token |
| 2 | Clear Text Query String |
| 3 | XOR / Base64 Query String |
| 4 | Send Token Only |
| 5 | Send XOR / Base64 Only |
| 6 | Receive Token Only |

 RequestID

Authentication request identifier

Reserved

 ReturnUrl

Authentication request return URL

As specified by the Service Provider

 SAMLRelayState

SAML authentication request relay state URL

As specified by the Service Provider

 TargetUrl

Authentication request target URL 

As specified by the Service Provider

 TrxResult

Transaction result 

 Success or failure results

The comment includes an entry for each type of end-user login event, and includes the count and decimal percentage for each instance:

| Transaction Result | Definition |
|---|---|
| Session Aborted | Session ended |
| Success | Successful login attempt |
| WS-Trust success. | Successful login via WS-Trust |
| WS-Trust token validation failed. | Unsuccessful login attempt due to failure to validate the WS-Trust token |
| SA SSO Success | Successful login attempt via SSO |
| Incorrect_User | Unsuccessful login attempt due to end-user invalidation |
| SecurityViolation | Adaptive check, hard stop |
| Incorrect_Browser_RegistrationMethod_PIN | Incorrect Multi-Factor Authentication PIN entered |
| Incorrect_UserPassword | Incorrect password entered |
| Incorrect_FingerPrint_Check_Password | Incorrect password entered |
| Incorrect_Profile_DataErr | End-user found, but no profile information returned |
| NULL | Successful login attempt, but no information returned |
| Incorrect_Standard_Check_Password | Incorrect password entered |
| Incorrect_Group | Incorrect group returned for end-user |
| Incorrect_Browser_RegistrationMethod_OTP | Incorrect Multi-Factor Authentication OTP entered |
| SecurityViolation_ExceededMaxPasswordAttempts | End-user exceeded maximum session attempts via an incorrect password |
| Denied_Browser_RegistrationMethod_AcceptDeny_LoginRequest | Push-to-Accept Multi-Factor Authentication attempt denied |
| SecurityViolation_ExceededMaxPINAttempts | End-user exceeded maximum session attempts via an incorrect PIN |
| SecurityViolation_ExceededMaxUserAttempts | End-user exceeded maximum session attempts via an incorrect username |
| Redirect | End-user was redirected to a different page than the one intended to be accessed |
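
The Key-Value Pair Properties and TrxResult tables can be used together on a log collector. The following is an added example, not SecureAuth code: it reads RequestID and TrxResult from the structured data element only, never from the message text, and lists the requests that reached an attempt limit. It assumes RFC 5424 entries; the SD-ID ex@32473, the host and application names, and the hypothetical Note key used in testing are constructed for illustration.

```python
import re
from collections import defaultdict

# RFC 5424 SD-PARAM: name="value", where \" \\ and \] are the only escapes.
PARAM = re.compile(r'([^\s=\]"]+)="((?:\\[\\"\]]|[^"\\\]])*)"')
ELEMENT = re.compile(r'\[([^\s=\]"]+)((?: ' + PARAM.pattern + r')*)\]')
UNESCAPE = re.compile(r'\\([\\"\]])')

def structured_data(line):
    """Return {key: value} from the STRUCTURED-DATA field only, never from MSG."""
    parts = line.split(" ", 6)  # PRI+VERSION, TIMESTAMP, HOST, APP, PROCID, MSGID, rest
    if len(parts) < 7:
        return {}
    rest, pos, out = parts[6], 0, {}
    while (m := ELEMENT.match(rest, pos)):  # consecutive elements at the field start
        for key, val in PARAM.findall(m.group(2)):
            out[key] = UNESCAPE.sub(r"\1", val)
        pos = m.end()
    return out

def summarize(lines):
    """Group TrxResult by RequestID; flag requests that reached an attempt limit."""
    by_request = defaultdict(list)
    for line in lines:
        sd = structured_data(line)
        if "RequestID" in sd and "TrxResult" in sd:
            by_request[sd["RequestID"]].append(sd["TrxResult"])
    flagged = sorted(rid for rid, results in by_request.items()
                     if any(r.upper().startswith("SECURITYVIOLATION_EXCEEDEDMAX")
                            for r in results))
    return dict(by_request), flagged

# Constructed sample entries: SD-ID "ex@32473", host, app name and all values are
# assumptions for this example, not captured SecureAuth IdP output.
HDR = "<134>1 2024-05-01T10:00:00Z idp1 SecureAuth1 - - "
SAMPLE = [
    HDR + '[ex@32473 RequestID="req-1" TrxResult="Incorrect_UserPassword"] login failed',
    HDR + '[ex@32473 RequestID="req-1" TrxResult="SecurityViolation_ExceededMaxPasswordAttempts"] stop',
    # MSG text that imitates structured data must not be parsed as such.
    HDR + '[ex@32473 RequestID="req-2" TrxResult="Success"] note [ex@32473 TrxResult="SecurityViolation_ExceededMaxPINAttempts"]',
    # NILVALUE structured data: the bracketed text here is MSG, so it is ignored.
    HDR + '- [ex@32473 RequestID="req-3" TrxResult="SecurityViolation_ExceededMaxUserAttempts"]',
]

if __name__ == "__main__":
    results, flagged = summarize(SAMPLE)
    print(results, flagged)
```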