A customer noticed that the time in the aa_server.audit.log did not match the time on related records in the aa_server_admin.audit.log.
An end-user of Adaptive Authentication (On Premise) (AAOP) had tried to log into the application a number of times, and had locked themselves out. An admin of AAOP logged into Back Office to investigate the end-user.
The actions of the end-user were written into the aa_server.audit.log, while the actions of the admin were written into the aa_server_admin.audit.log.
A SHA1 hash of the end-user's account name is computed and written into both of the records above.
Because the hash of the end-user's account appeared in records in both the aa_server.audit.log and the aa_server_admin.audit.log, the customer assumed that the end-user's actions alone had caused records to be written to both log files. Once the explanation above was provided, it became clear that two separate actions had occurred, that each action wrote its record to a different log file, and that the timestamps on the records, although the records are related by the hashed user account name, were not meant to be the same.
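The correlation described above can be reproduced by building one timeline from both logs, keyed on the hashed account name. This is an added example, not RSA code: the `time|actor|event|user_hash` record layout, the event names, the account names and the timestamps are constructed, and it assumes the hash is an unsalted SHA1 of the UTF-8 account name in hex.

```python
import hashlib
from datetime import datetime

def sha1_hex(account_name):
    # Assumption: unsalted SHA1 of the UTF-8 account name, lowercase hex.
    return hashlib.sha1(account_name.encode("utf-8")).hexdigest()

# Constructed sample records in a hypothetical "time|actor|event|user_hash"
# layout; account names, events and times are invented for illustration.
JDOE, ASMITH = sha1_hex("jdoe"), sha1_hex("asmith")
LOGS = {
    "aa_server.audit.log": (
        f"2024-01-15T09:02:11|enduser|LOGIN_FAILED|{JDOE}\n"
        f"2024-01-15T09:02:40|enduser|LOGIN_FAILED|{JDOE}\n"
        f"2024-01-15T09:03:05|enduser|USER_LOCKED|{JDOE}\n"
        f"2024-01-15T09:05:00|enduser|LOGIN_OK|{ASMITH}\n"
    ),
    "aa_server_admin.audit.log": (
        f"2024-01-15T09:47:32|admin|VIEW_USER|{JDOE.upper()}\n"
        "truncated line without enough fields\n"
    ),
}

def parse(text, source):
    """Yield one dict per well-formed record, tagged with the log it came from."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue  # skip malformed or truncated lines
        ts, actor, event, user_hash = parts
        yield {"time": datetime.fromisoformat(ts), "source": source,
               "actor": actor, "event": event, "user_hash": user_hash.lower()}

def timeline_for(account_name, logs=LOGS):
    """All records from every log that carry this account's hash, oldest first."""
    target = sha1_hex(account_name)
    hits = [r for src, text in logs.items() for r in parse(text, src)
            if r["user_hash"] == target]
    return sorted(hits, key=lambda r: r["time"])

def actions_by_source(timeline):
    """Group the timeline per log file: each group is a separate actor's activity."""
    groups = {}
    for r in timeline:
        groups.setdefault(r["source"], []).append((r["time"], r["actor"], r["event"]))
    return groups

if __name__ == "__main__":
    for r in timeline_for("jdoe"):
        print(r["time"].isoformat(), r["source"], r["actor"], r["event"])
```

Reading the merged timeline with the source log and actor beside each timestamp makes it visible that the shared hash links two different actions rather than one action logged twice.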