Identity Router Audit Log Messages

Document created by RSA Information Design and Development on Jul 14, 2016. Last modified by RSA Information Design and Development on Oct 8, 2019.
Version 39

The RSA SecurID Access Identity Router generates audit log messages describing user activities and other events that occur on the identity router. You can configure the identity router to send these details to a syslog server where you can view them directly.

Note:  User events available through the syslog from the identity router apply only to the identity router.

For more information on identity router logs and files, see Identity Router Logging and Contents of Identity Router Log Bundle.

See the CODE and MESSAGE fields of these events for more details.

 
                                        
User Audit Events Description
USER_AUTHZ A user established a session to access applications available to that user.
USER_EDIT_KEYCHAIN A user profile (keychain) was edited.
USER_LOGIN

A user attempted to authenticate and establish a session through the application portal.

If the user is redirected using the singlepoint-next-redirect parameter, the message contains the redirect details. The identity router allows redirects only to hostnames associated with your Protected Domain Name, configured applications, or configured identity providers.

To view a list of the allowed redirects for your deployment:

  1. Set the identity router logging level to debug.
  2. Either view the system log messages using the Cloud Administration Console, or generate a log bundle on the identity router and view the symplified.log file.
USER_LOGOUT

Either a user initiated a sign-out or the session expired.

If the user is redirected using the singlepoint-next-redirect parameter, the message contains the redirect details. The identity router allows redirects only to hostnames associated with your Protected Domain Name, configured applications, or configured identity providers.

To view a list of the allowed redirects for your deployment:

  1. Set the identity router logging level to debug.
  2. Either view the system log messages using the Cloud Administration Console, or generate a log bundle on the identity router and view the symplified.log file.
USER_PROTECTED_APP_AUTHN A user attempted to access an application through single sign-on.
USER_REQUEST_AUTHZ A user attempted to access an application that requires authorization.
USER_STEPUP_AUTHN A user attempted to perform additional authentication.
 

 

                                   
Web Services Audit Events Description
WEB_SERVICES_CREATE The web services API created a resource.
WEB_SERVICES_DELETE The web services API deleted a resource.
WEB_SERVICES_EDIT The web services API performed a full edit of a resource.
WEB_SERVICES_PARTIALEDIT The web services API partially edited a resource.
WEB_SERVICES_VERIFY_TOKEN The web services API verified an RSA SecurID Authenticate Tokencode. See the STATUS and DESCRIPTION fields for this event for more details.
WEB_SERVICES_USER_STATUS The web services API verified the presence and status of a user within all identity sources configured for the Cloud Authentication Service. See the STATUS and DESCRIPTION fields for this event for more details.
 

 

                                               
System Audit Events Description
SYSTEM_BACKUP User keychains on the identity router were backed up.
SYSTEM_BOOTSTRAP The identity router configuration was modified.
SYSTEM_CONFIG_FIREWALL A firewall rule for the identity router was modified.
SYSTEM_CONFIG_HOST A static host entry for the identity router was modified.
SYSTEM_CONFIG_ROUTE A routing rule for the identity router was modified.
SYSTEM_CONFIG_UPDATE Configuration settings were published to the identity router.
SYSTEM_ERROR An error occurred on the identity router.
SYSTEM_REBOOT The identity router rebooted.
SYSTEM_STARTUP The identity router services started.

 

                                                           
Identity Router Status Events Description
SYSTEM_IDENTITY_SOURCE_STATUS

Connectivity status changed for one or more identity sources:

  • Healthy - The identity router can connect to all configured identity sources.

  • Partially Healthy - The identity router cannot connect to some of the configured identity sources.

  • Unhealthy - The identity router cannot connect to any configured identity sources.

SYSTEM_DNS_STATUS

Connectivity status changed for one or more DNS servers:

  • Healthy - The identity router can resolve hostnames with all configured DNS servers.

  • Partially healthy - The identity router cannot resolve hostnames with some of the configured DNS servers.

  • Unhealthy - The identity router cannot resolve hostnames with any configured DNS server.

SYSTEM_AM_STATUS

Connectivity status changed for RSA Authentication Manager. This status applies to the connection that allows RSA SecurID Token users to access resources protected by the Cloud Authentication Service.

  • Healthy - The identity router is connected to Authentication Manager.

  • Unhealthy - The identity router is not connected to Authentication Manager.

SYSTEM_UPGRADE_CONNECTION_STATUS

Connectivity status for the Software Update Service changed to Healthy or Unhealthy.

SYSTEM_ADAPTER_UPGRADE_CONNECTION_STATUS

Connectivity status for the Adapter Update Service changed to Healthy or Unhealthy.

SYSTEM_NTP_STATUS Connectivity status for the NTP server changed to Healthy or Unhealthy.
SYSTEM_CLOUD_TIME_SYNC_STATUS

Time synchronization between the identity router and the Cloud Authentication Service changed.

  • Healthy - The identity router time is within 60 seconds of the time reported by the Cloud Authentication Service, which is required for successful authentication.

  • Unhealthy - The identity router time is not within 60 seconds of the time reported by the Cloud Authentication Service.

SYSTEM_CPU_STATUS

CPU usage status on the identity router machine changed.

  • Healthy - The identity router CPU idle time is more than 10%.

  • Unhealthy - The identity router CPU idle time is less than 10%.

SYSTEM_CLUSTER_STATUS

Cluster status changed.

  • Healthy - The cluster is in quorum. More than 50% of identity routers can communicate with each other. Users can authenticate through the cluster.

  • Unhealthy - The cluster is offline. All configured identity routers are offline.

  • Partially healthy - The cluster is not in quorum and is in read-only mode but at least one configured identity router is online.

SYSTEM_MEMORY_STATUS

Memory usage on the identity router machine changed.

  • Healthy - More than 25% of free memory is available for the identity router.

  • Unhealthy - Less than 25% of free memory is available for the identity router.

SYSTEM_CLOUD_AUTHENTICATION_SERVICE_CONNECTIONS_STATUS

Reachability status for any of the Cloud Authentication Service IP addresses changed.

  • Healthy - The identity router can connect to all alternate Cloud Authentication Service IP addresses successfully.

  • Unhealthy - The identity router cannot connect to some alternate Cloud Authentication Service IP addresses successfully.

SYSTEM_CLOUD_CONNECTIVITY_STATUS Connectivity status for the current Cloud Authentication Service IP address changed to Healthy or Unhealthy.

 

                                                       
RADIUS Audit Events Description
RADIUS_REQUEST_VALIDATION A RADIUS authentication request was rejected due to character limits, null values, or an invalid response to a menu prompt.
RADIUS_USER_LDAP_AUTHENTICATION A user attempted RADIUS authentication using LDAP credentials.
RADIUS_USER_APPROVE_AUTHENTICATION A user attempted RADIUS authentication using the Approve method.
RADIUS_USER_TOKENCODE_AUTHENTICATION A user attempted RADIUS authentication using Authenticate Tokencode.
RADIUS_USER_SECURID_AUTHENTICATION A user attempted RADIUS authentication using an RSA SecurID Token.
RADIUS_USER_SECURID_NEW_PIN_AUTHENTICATION A user attempted RADIUS authentication using an RSA SecurID Token in New PIN mode.
RADIUS_USER_SECURID_NEXT_CODE_AUTHENTICATION A user attempted RADIUS authentication using an RSA SecurID Token in Next Tokencode mode.
RADIUS_USER_DEVICE_BIOMETRICS_AUTHENTICATION A user attempted RADIUS authentication using Fingerprint.
RADIUS_CHALLENGE_METHODS_NOT_SUPPORTED A user attempted RADIUS authentication, but RADIUS or the user's device does not support any of the authentication methods allowed by the access policy.
RADIUS_USER_DEVICE_NOT_REGISTERED A user attempted RADIUS authentication using a method that requires a mobile device, but no device is registered for the user.
RADIUS_INTERNAL_ERROR The RADIUS service encountered an error.
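
The following Python example is added here and is not RSA code. It scans syslog lines for the event names listed in the tables above, keeps the most recent state of each SYSTEM_*_STATUS event, and collects configuration-change events for review. The layout of the sample lines is constructed, because this page does not show the syslog format; only the event names and the Healthy / Partially healthy / Unhealthy words come from the page.

```python
import re

# Event names and status words below are taken from the tables on this page.
CONFIG_CHANGE = {"SYSTEM_BOOTSTRAP", "SYSTEM_CONFIG_FIREWALL", "SYSTEM_CONFIG_HOST",
                 "SYSTEM_CONFIG_ROUTE", "SYSTEM_CONFIG_UPDATE"}
EVENT_RE = re.compile(r"\b((?:USER|WEB_SERVICES|SYSTEM|RADIUS)_[A-Z_]+)\b")
# Longest alternative first; \b stops "healthy" from matching inside "Unhealthy".
STATUS_RE = re.compile(r"\b(partially healthy|unhealthy|healthy)\b", re.I)

# Constructed sample lines: the syslog layout is an assumption, not RSA's format.
SAMPLE = [
    "Oct  8 10:00:01 idr-a audit: SYSTEM_DNS_STATUS Partially Healthy",
    "Oct  8 10:00:05 idr-a audit: SYSTEM_CLOUD_TIME_SYNC_STATUS Unhealthy",
    "Oct  8 10:01:00 idr-a audit: SYSTEM_CONFIG_FIREWALL rule modified",
    "Oct  8 10:02:00 idr-a audit: WEB_SERVICES_USER_STATUS user lookup healthy",
    "Oct  8 10:03:00 idr-a audit: SYSTEM_CLOUD_TIME_SYNC_STATUS Healthy",
    "Oct  8 10:04:00 idr-a audit: USER_LOGIN user=alice",
]

def triage(lines):
    """Return (last known health per status event, config-change lines)."""
    health, changes = {}, []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        event = m.group(1)
        # WEB_SERVICES_USER_STATUS also ends in _STATUS but is not a health
        # event, so require the SYSTEM_ prefix as well as the suffix.
        if event.startswith("SYSTEM_") and event.endswith("_STATUS"):
            s = STATUS_RE.search(line[m.end():])
            if s:
                # Normalise case; a later line overwrites an earlier state.
                health[event] = s.group(1).capitalize()
        elif event in CONFIG_CHANGE:
            changes.append(line)
    return health, changes

def degraded(health):
    """Status events whose most recent state is not Healthy."""
    return sorted(e for e, s in health.items() if s != "Healthy")

if __name__ == "__main__":
    health, changes = triage(SAMPLE)
    print("degraded:", degraded(health))
    print("config changes to review:", len(changes))
```

Because the status events are logged when a state changes, only the last line per event reflects the current condition, which is why the time-sync event in the sample clears once its Healthy line arrives.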

 

 
