This guide provides definitions for Event ID numbers included in the SecureAuth IdP / SecureAuth® Identity Platform appliance audit log.


Event ID classification

| ID No. | IdP component |
|---|---|
| 1xxxx | Web Admin Page UI: |
| 11xxx | Workflow |
| 12xxx | Data |
| 13xxx | RegCode |
| 14xxx | IPsec |
| 15xxx | Access |
| 16xxx | Password |
| 17xxx | License |
| 18xxx | Postauth |
| 19xxx | Other |
| 2xxxx | State Process |
| 3xxxx | Pre Auth |
| 4xxxx | Post Auth |
| 5xxxx | Provider: |
| 51xxx | Membership Provider |
| 52xxx | Profile Provider |
| 53xxx | OTP Provider |
| 54xxx | Certificate Issuer |
| 55xxx | Link-to-Accept Provider |
| 60000 | API Layer: Filter |
| 60xxx | DfpController |
| 9xxxx | System |


SecureAuth IdP / Identity Platform log ID number definitions

ID No. 2xxxx - Workflow Events

Workflow Page

| ID No. | Message | Definition |
|---|---|---|
| 20000 | Authenticate the user successfully | Successful authentication |
| 20100 | CreateControlHierarchy | Security violation |
| 21000 | Land on login page | User browsed SecureAuth.aspx for login |
| 21010 | Found user with user name successfully | Result after user typed in username on UI |
| 21020 | Found user, but the user’s group is not allowed | Result after user typed in username on UI |
| 21070 | User is not found | Cannot find the user based on username |
| 21090 | User / Password is invalid | Invalid username or password for username / password on the same page |
| 22100 | Validate password successfully for public mode | For password on a separate page |
| 22200 | Validate password successfully for cookie mode | For password on a separate page |
| 22300 | Validate password successfully | For X509 / iOSDeviceID mode, password on a separate page |
| 22400 | Validate password successfully for Zombie cookie mode | For password on a separate page |
| 22500 | Validation of password after successful UBC credential check | For zombie cookie, password on a separate page |
| 22600 | Validate password successfully for FingerPrint mode | For Fingerprint |
| 23120 | Personal certificate is found and verified by browser ActiveX component or Java plugin | For checking user’s X.509 certificate |
| 23310 | The cookie exists or not | For mobile cookie |
| 23420 | Personal certificate is found and verified by browser ActiveX component or Java plugin | For manually reload Java plugin |
| 23610 | Verified UBC Credential | For zombie cookie |
| 23700 | iOS device ID is found | For iOS device |
| 23810 | Verified FingerPrint Credential | For Browser Attribute(s) |
| 24000 | Show OTP/PIN/KBA method options | For OTP, PIN, or KBA methods |
| 24100 | PIN verification succeeds | For PIN method |
| 24110 | KBA verification succeeds | For KBA method |
| 24120 | OTP verification succeeds | For OTP method |
| 24200 | Wrong PIN number attempt | For PIN method |
| 24210 | Wrong KBA attempt | For KBA method |
| 24220 | Wrong OTP attempt | For OTP method |
| 26020 | Deliver a token cookie | For SecureAuth cookie credential |
| 26110 | Registered UBC Credential | For zombie cookie credential |
| 26210 | Write iOS Device ID to database (AD) | For iOS Device ID |
| 26310 | Registered FingerPrint to datastore | For Browser Attribute(s) |
| 27010 | Registered the root cert | For X.509 certificate |
| 27310 | Install X509 certificate successfully | For X.509 certificate |
| 27320 | Installing X509 certificate failed | For X.509 certificate |
| 27410 | Install X509 certificate successfully | For manually reloading Java-plugin to install X.509 certificate |
| 29010 | Security violation with message id | Authentication issue |
| 29000 | Hardstopped by Analyze Engine | Adaptive Authentication process |
| 29100 | Hardstopped by Analyze Engine | Adaptive Authentication process |
| 29990 | Authentication failed | Authentication failure |

ID No. 24xxx - YubiKey Multi-Factor Authentication Events

YubiKey Multi-Factor Authentication Method

| ID No. | Message | Definition |
|---|---|---|
| 24000 | Show registration method options | Page loads and shows the Multi-Factor Authentication radio buttons |
| 24010 | YubiKey Method Selected | User selects YubiKey |
| 24120 | One Time Password Success | OTP is successfully validated |
| 24220 | One Time Password Failed, attempts: 0 | User fails validation |

ID No. 3xxxx - Pre-Authentication Events

Pre-Authentication Page

| ID No. | Message | Definition |
|---|---|---|
| 31020 | Windows desktop SSO succeeds | For WindowsSSO.aspx, Windows desktop SSO |
| 31120 | Windows desktop SSO succeeds and redirect users to the destination site | For WindowsSSO2.aspx, Windows desktop SSO |
| 32010 | SiteMinder integration, redirect user to destination URL | For SiteMinder integration |
| 33020 | OATH Service user and otp authentication success | OATH service success response |
| 33030 | OATH Service OTP Failed | OATH service failure response |
| 33040 | OATH Service Username Failed | OATH service failure response |

ID No. 333xx - Password Throttling Events

Password Throttling Multi-Factor Authentication

| ID No. | Message | Definition |
|---|---|---|
| 33300 | User exceeded {MaxFailedAttempts} incorrect password attempts in a span of {Interval} minutes. The account will be inaccessible for a short time. | IdP has recorded more than the configured maximum number of unsuccessful password attempts within the configured throttling interval. While this condition exists, further password attempts will not be sent to LDAP, and the user will not be able to access this realm in IdP. This does not affect the user's other uses of their LDAP account, e.g. through a company internal email client. |
| 33310 | User exceeded {MaxFailedAttempts} incorrect password attempts; the account is being locked. | If the realm is configured with "PWThrottleHardLockout" as true, exceeding the permitted maximum incorrect password attempts will result in the user's LDAP account being locked. The user will no longer be able to access any system that relies on their LDAP account, and will need to contact an administrator in order to unlock the account. |
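
An added example (not SecureAuth code) of how an analyst could correlate events 33300 and 33310 with the failed-login event 21090 from the Workflow Page table. The (timestamp, event ID, username) records are constructed, because this page does not define the log record layout, and treating each 21090 record as one failed password attempt is an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event IDs as defined in the tables on this page.
PASSWORD_FAILURE = 21090  # "User / Password is invalid"
THROTTLED = 33300         # realm access suspended for a short time
HARD_LOCKED = 33310       # LDAP account locked (PWThrottleHardLockout is true)


def review_throttling(events, max_failed_attempts, interval_minutes):
    """Summarise password-throttling activity per user.

    events: (timestamp, event_id, username) tuples, oldest first.
    The thresholds should mirror the realm's throttling configuration.
    Assumption: each 21090 record is one failed password attempt.
    """
    interval = timedelta(minutes=interval_minutes)
    failures = defaultdict(deque)  # username -> failure times inside the window
    report = defaultdict(
        lambda: {"exceeded": False, "throttled": False, "hard_locked": False})
    for ts, event_id, user in events:
        if event_id == PASSWORD_FAILURE:
            window = failures[user]
            window.append(ts)
            # Drop failures that have aged out of the throttling interval.
            while ts - window[0] > interval:
                window.popleft()
            if len(window) > max_failed_attempts:
                report[user]["exceeded"] = True
        elif event_id == THROTTLED:
            report[user]["throttled"] = True
        elif event_id == HARD_LOCKED:
            report[user]["hard_locked"] = True
    return dict(report)


def needs_attention(report):
    """Map each flagged user to the reason an analyst should look at them."""
    reasons = {}
    for user, flags in report.items():
        if flags["hard_locked"]:
            reasons[user] = "LDAP account locked; an administrator must unlock it"
        elif flags["exceeded"] and not flags["throttled"]:
            reasons[user] = "failures exceeded the threshold but no 33300 was logged"
        elif flags["throttled"]:
            reasons[user] = "temporarily throttled in this realm"
    return reasons


def _at(minute, second=0):
    return datetime(2024, 1, 1, 9, minute, second)


# Constructed sample records; usernames and times are made up for the example.
SAMPLE_EVENTS = sorted(
    [(_at(m), PASSWORD_FAILURE, "alice") for m in range(4)]
    + [(_at(3, 5), THROTTLED, "alice")]
    + [(_at(m), PASSWORD_FAILURE, "bob") for m in (0, 10, 20, 30)]
    + [(_at(m), PASSWORD_FAILURE, "carol") for m in range(4)]
    + [(_at(3, 5), HARD_LOCKED, "carol")]
    + [(_at(m), PASSWORD_FAILURE, "dave") for m in range(4)]
)

if __name__ == "__main__":
    report = review_throttling(SAMPLE_EVENTS, max_failed_attempts=3, interval_minutes=5)
    for user, reason in sorted(needs_attention(report).items()):
        print(user, "->", reason)
```

A user who exceeds the threshold without a matching 33300 record (dave in the sample) points to a mismatch between the thresholds used here and the realm's throttling settings, or to throttling not being enabled for that realm.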

ID No. 406xx - Adaptive Authentication + O365 Events

Adaptive Authentication with Office 365

| ID No. | Message | Definition |
|---|---|---|
| 40601 | Credential validation passed | The call to ValidateUser by user ID and password was successful. |
| 40601 | ClaimsIdentity set | At least one element exists in the ClaimsPrincipal's identities collection. The first one in the collection will be used. |
| 40602 | RequestBlockingEngine | The WS-Trust Request Blocking Engine has rejected the request. After this error is logged, the BeginIssue call fails with a 401 Unauthorized and a "FailedAuthentication" FaultCode. |
| 40603 | WS-Trust token validation failed | The call to ValidateUser by user ID and password failed. After this error is logged, the BeginIssue call fails with a 401 Unauthorized and a "FailedAuthentication" FaultCode. |
| 40604 | AnalyzeEngineBlocking | The (optional) call to validate the client IP using the Analyze Engine has failed. This means the IP did not pass the Analyze Engine deny list / allow list filter or was rejected by the IP Risk service. It also may occur if the Analyze Engine configuration is incompatible with WS-Trust. |

ID No. 5xxxx - User Membership / Profile Retrieval Events

User Membership / Profile Retrieval

| ID No. | Message | Definition |
|---|---|---|
| 51010 | Found the user with the name | Found the user in AD |
| 51020 | Cannot find the user with the name | Username not found in AD |
| 51080 | GetUser: return user membership data with the name: {userName} with the result code: {sResult} | User found |
| 51160 | Password cannot be validated | User password is incorrect |
| 51160 | Validation failed with name and password | User password is incorrect |
| 51170 | Password is validated | User password is correct |
| 52010 | Retrieved user profile data | Retrieved user profile from AD |
| 52060 | Set ‘[User profile attribute name]’ to ‘[AD attribute name]’ | Save data to AD with attribute name |
| 52070 | Updated user profile | Commit saving modified user profile data to AD |

ID No. 53xxx - OTP Provider Events

Help Desk Email Provider

| ID No. | Message | Definition |
|---|---|---|
| 53000 | Before Sending OTP Email to Helpdesk | Trace |
| 53001 | Sending OTP with Helpdesk Exception | Error occurred in the sending process |
| 53010 | After Sending OTP with Helpdesk | Trace after the email is sent successfully |
| 53020 | Response time of sending OTP with Helpdesk | Follows 53000 to track response time |

OTP HTML Email Provider

| ID No. | Message | Definition |
|---|---|---|
| 53100 | Before Sending OTP Html Email | Trace |
| 53101 | Sending OTP with Html Email Exception | Error occurred in the sending process |
| 53110 | After Sending OTP with Html Email | Trace after the email is sent successfully |
| 53120 | Response time of sending OTP with Html Email | Follows 53100 to track response time |

OTP Text Email Provider

| ID No. | Message | Definition |
|---|---|---|
| 53200 | Before Sending OTP Text Email | Trace |
| 53201 | Sending OTP with Text Email Exception | Error occurred in the sending process |
| 53210 | After Sending OTP with Text Email | Trace after the email is sent successfully |
| 53220 | Response time of sending OTP with Text Email | Follows 53200 to track response time |

ID No. 53xxx - OTP Response Events

OTP Responses

| ID No. | Message | Definition |
|---|---|---|
| 53020 | Response time of sending OTP: | Sent help desk OTP email |
| 53120 | Response time of sending OTP: | Sent HTML OTP email |
| 53220 | Response time of sending OTP: | Sent text OTP email |
| 53310 | Response time of sending OTP in domestic call/WSE: [response time in ms] | Sent domestic OTP SMS via WSE call |
| 53330 | Response time of sending OTP in international call/WSE with [Provider name]: [response time in ms] | Sent international OTP SMS via WSE call |
| 53350 | Response time of sending OTP in domestic call with [Provider name]: [response time in ms] | Sent domestic OTP SMS |
| 53370 | Response time of sending OTP in international call with [Provider name]: [response time in ms] | Sent international OTP SMS |
| 53430 | Response time of sending OTP in domestic call/WSE: | Sent domestic OTP phone call via WSE |
| 53450 | Response time of sending OTP in international call/WSE: | Sent international OTP phone call via WSE |
| 53470 | Response time of sending OTP in domestic call: | Sent domestic OTP phone call |
| 53490 | Response time of sending OTP in international call | Sent international OTP phone call |

ID No. 535xx - Number Profile and Push Notification Provider Events

NOTE: Duplicated event ID numbers for Number Profile and Push Notification (asterisked in the tables below) are being addressed for correction in a future software release

| ID No. | Message | Definition |
|---|---|---|
| 53500 * | NumberProfileProvider.GetNumberProfileModel - Status '{Current Carrier Status}' Reason: '{reason}' | Trace made when the provider gets the number profile of the user's number |
| 53501 ** | NumberProfileProvider.GetNumberProfileModel - number profile is null | Either the provider's number profile is null, or the current carrier is null |
| 53502 | NumberProfileProvider.GetNumberProfileModel - not configured for blocking | The realm is not configured for phone profile blocking |
| 53510 *** | NumberProfileProvider.UpdateNumberProfile - Number: {user's number}, Ported Status: {user's PortedStatus} | Trace made in the provider when the number status is saved into the user's profile |
| 53520 | NumberProfileProvider.RemoveNumberProfile - Number: {old number} | Trace made in the provider when user chooses to remove a number from their profile |

Push Notification

| ID No. | Message | Definition |
|---|---|---|
| 53500 * | Before sending OTP in push notification w/ WSE | Trace made when the provider sends the OTP |
| 53501 ** | Sending OTP with {Push Provider}, Exception: {message} | Sending OTP with Push notification exception |
| 53510 *** | Response time of sending OTP in push notification w/ WSE | Follows 53500 to track Response Time |
| 53540 | Before sending push accept w/ WSE with: | Trace made when the provider sends the Push Accept Request |
| 53550 | Response time of sending push accept w/ WSE | Follows 53540 to track Response Time |
| 53510 *** | {Provider}.Send push accept response: {status}, {statusMessage}, {Response Time} | Logs the user's response to Push Accept |

ID No. 54xxx - Certificate Request and Response Events

Certificate Request to SecureAuth CA Cloud (sent CSR and received response)

| ID No. | Message | Definition |
|---|---|---|
| 54010 | Received response, response time of CSR in WSE call | Received via WSE call |
| 54030 | Received response, response time of CSR: | Response time of CSR |
| 54050 | Received response, response time of CSR in KEYGEN/WSE call | For Keygen, received via WSE call |
| 54070 | Received response, response time of CSR in KEYGEN | For Keygen |
| 54110 | Received response, response time of CSR in SCEP call | For SCEP call |

ID No. 55xxx - SecureAuth Link-to-Accept Events

NOTE: Event ID number 55101 (asterisked in the HTML Email and SMS tables below) is used for three types of events

HTML Email

| ID No. | Message | Definition |
|---|---|---|
| 55100 | Before sending LTA with: {Name}, to {maskedEmail} | This trace message is logged before an attempt is made to send the login request. A successful call is followed by an “After sending...” (55120) tracking message and a “Response time...” (55110) log for performance monitoring. |
| 55101 * | {Provider}.Send, did not obtain a login RequestID from SA Cloud. | SecureAuth IdP made an unsuccessful attempt to obtain a SecureAuth Link-to-Accept link and associated RequestID from the SA Cloud service. The attempt failed because either the IdP was unable to obtain a Bearer token using the customer ID and certificate thumbprint, or (less likely) SA Cloud did not create and return the link as requested. |
| 55101 * | Sending LTA with {Provider}, Exception: {Message} | An exception occurred before attempting to send a SecureAuth Link-to-Accept message, either when contacting SA Cloud or when building the message. |
| 55102 | Sending LTA with {Provider}, Exception: {Message} | An exception occurred after building the SecureAuth Link-to-Accept message, during an attempt to send the message. |

SMS

| ID No. | Message | Definition |
|---|---|---|
| 55101 * | {Provider}.Send, did not obtain a login RequestID from SA Cloud. | SecureAuth IdP made an unsuccessful attempt to obtain a SecureAuth Link-to-Accept link and associated RequestID from the SA Cloud service. The attempt failed because either the IdP was unable to obtain a Bearer token using the customer ID and certificate thumbprint, or (less likely) SA Cloud did not create and return the link as requested. |

Text Email

| ID No. | Message | Definition |
|---|---|---|
| 55200 | Before sending LTA with: {Name}, to {maskedEmail} | This trace message is logged before an attempt is made to send the login request. A successful call is followed by an “After sending...” (55220) tracking message and a “Response time...” (55210) log for performance monitoring. |
| 55201 | Sending LTA with {Provider }, Exception: {Message} | An exception occurred after building the SecureAuth Link-to-Accept message, during an attempt to send the message. |

Request Manager

| ID No. | Message | Definition |
|---|---|---|
| 55302 | AcceptDenyRequestStatusManager.GetStatusByLinkRequestId: {Message} | An exception occurred while attempting to request the status of a pending SecureAuth Link-to-Accept link from SA Cloud. Note the RequestID for a link is different than the random characters ("nonce") in the link itself. |
| 55320 | AcceptDenyRequestStatusManager.GetStatusByLinkRequestId:  {RequestID} returned {Status} | This status is logged when SA Cloud replied to a request for a link status. In normal operations, SA Cloud does not return when a link is pending; this log message appears when the user clicked on either the accept or deny link, or when the link has expired (~ 4 minutes, by default). |

ID No. 60xxx - API Events

API Layer

| ID No. | Message | Definition |
|---|---|---|
| 60000 | HMAC authentication validation failed log | Filter action |
| 60101 | User controller entry point log of request to retrieve Multi-Factor collection for user | Controller action |
| 60102 | User controller exit point log of response to retrieve Multi-Factor collection for user | Controller action |
| 60103 | User controller entry point log of request to retrieve profile for user | Controller action |
| 60104 | User controller exit point log of response to retrieve profile for user | Controller action |
| 60105 | User controller entry point log of request to update user profile | Controller action |
| 60106 | User controller exit point log of response to update user profile | Controller action |
| 60107 | User controller entry point log of request to associate a single user with a single group | Controller action |
| 60108 | User controller exit point log of response to associate a single user with a single group | Controller action |
| 60109 | User controller entry point log of request to associate multiple users with a single group | Controller action |
| 60110 | User controller exit point log of response to associate multiple users with a single group | Controller action |
| 60111 | User controller entry point log of request to associate multiple groups with a single user | Controller action |
| 60112 | User controller exit point log of response to associate multiple groups with a single user | Controller action |
| 60113 | User controller entry point log of request to create new user | Controller action |
| 60114 | User controller exit point log of response to create new user | Controller action |
| 60115 | User controller entry point log of request to reset password | Controller action |
| 60116 | User controller exit point log of response to reset password | Controller action |
| 60117 | User controller entry point log of request to change password | Controller action |
| 60118 | User controller exit point log of response to change password | Controller action |
| 60201 | Authentication controller entry point log of request to perform some type of authentication | Controller action |
| 60202 | Authentication controller exit point log of response of an invalid user ID | Controller action |
| 60203 | Authentication controller exit point log of response to perform some type of authentication | Controller action |
| 60204 | Authentication controller entry point log of request to get Push-to-Accept status | Controller action |
| 60206 | Authentication controller entry point log of request to create Access History record | Controller action |
| 60207 | Authentication controller exit point log of response of an invalid user ID | Controller action |
| 60208 | Authentication controller exit point log of response to create Access History record | Controller action |
| 60301 | IP evaluation controller entry point log of request to evaluate IP threat level | Controller action |
| 60302 | IP evaluation controller exit point log of response to evaluate IP threat level | Controller action |
| 60401 | Mobile DFP controller entry point log of request to validate mobile DFP | Controller action |
| 60402 | Mobile DFP controller exit point log of response to validate mobile DFP | Controller action |
| 60501 | Adaptive Auth controller entry point log of request to invoke analyze engine | Controller action |
| 60502 | Adaptive Auth controller exit point log of response of an invalid user ID | Controller action |
| 60503 | Adaptive Auth controller exit point log of response of analyze engine results | Controller action |
| 60601 | DFP controller entry point log of request to validate / score a device fingerprint | Controller action |
| 60602 | DFP controller exit point log of response of an invalid user ID | Controller action |
| 60603 | DFP controller exit point log of response to validate / score a device fingerprint | Controller action |
| 60604 | DFP controller entry point log of request to confirm a previously scored device fingerprint | Controller action |
| 60605 | DFP controller exit point log of response of an invalid user ID | Controller action |
| 60606 | DFP controller exit point log of response to confirm a previously scored device fingerprint | Controller action |
| 60701 | SecureAuth controller entry point of request to check Push-to-Accept status. USED INTERNALLY BY IdP | Controller action |

ID No. 606xx - Device Recognition Events

DFP Controller (API calls)

| ID No. | Message | Definition |
|---|---|---|
| 60601 | [DfpController].[PostValidateDfpAsync] DFP controller invoked with: '{dfpRequest}' | After a DFP request is made |
| 60602 | [DfpController].[PostValidateDfpAsync] Returning response with: '{badUserResponse}' | Validation after a bad user DFP response |
| 60603 | [DfpController].[PostValidateDfpAsync] Returning response with: '{dfpRequest}' | Validation after a DFP request is made |
| 60604 | [DfpController].[PostConfirmDfpAsync] DFP controller invoked with: '{dfpRequest}' | Confirmation after a DFP request is made |
| 60605 | [DfpController].[PostConfirmDfpAsync] Returning response with: '{badUserResponse}' | Confirmation after a bad user DFP response |
| 60606 | [DfpController].[PostConfirmDfpAsync] Returning response with: '{dfpRequest}' | Response after a DFP request is made |
| 60607 | [DfpController].[PostScoreDfpAsync] DFP controller invoked with: '{dfpRequest}' | After scoring a DFP request |
| 60608 | [DfpController].[PostScoreDfpAsync] Returning response with: '{badUserResponse}' | Score after a bad user DFP response |
| 60609 | [DfpController].[PostScoreDfpAsync] Returning response with: '{dfpRequest}' | Score after a DFP request is made |
| 60610 | [DfpController].[PostSaveDfpAsync] DFP controller invoked with: '{dfpRequest}' | After a DFP request is saved |
| 60611 | [DfpController].[PostSaveDfpAsync] Returning response with: '{badUserResponse}' | Response after saving a bad user DFP response |
| 60612 | [DfpController].[PostSaveDfpAsync] Returning response with: '{dfpRequest}' | Response after a DFP request is saved |

ID No. 900xx - System Level Events

System

| ID No. | Message | Definition |
|---|---|---|
| 90000 | Application - Start | Web page starts |
| 90010 | Session - Start | New session starts |
| 90020 | Application - Begin request | Appears for each web request |
| 90030 | Application - End request | Appears for each web request |
| 90040 | (value in milliseconds for response time of each web page request) | Response time when user browses a web page |
| 90050 | Session - End | Session ends |
| 90060 | Application - End | Web page ends |