Access Gateway audit log

Access Gateway audit logs include information on the following events:

  • Admin nomination: Events that occur during the admin renomination process.
  • Application: Application-related activity, such as create, update, delete, activate, or deactivate.
  • Authentication and Authorization: Authentication and authorization events.
  • Certificate events: Certificate-related event activity.
  • Connectivity and validation: Events between Access Gateway and external resources such as back-end applications, data stores, and similar conditions.
  • Kerberos: Kerberos-related activity, such as create, update, or delete.
  • Log Verbosity: Changes in log verbosity.
  • Password: Password-related events.
  • System status: System-related events, such as system up, system down, identity provider connection status, EBS subsystem up, and others.
  • Trusted Domains: Trusted domain-related activity, such as create, update, delete, or synchronize, and exceptions during trusted domain operations.

Event fields

Each audit log entry carries the following fields, in the order shown:

TIMESTAMP
  Current system date and time.

HOSTNAME
  Hostname of the node generating the event.

APPLICATION
  One of:
  • ACCESS_GATEWAY
  • OAG
  • OAG_MONITOR
  • A specific service (for example, check_connection)

SUB-PROCESS
  One of:
  • ApplicationService
  • ACCESS
  • ADMIN_CONSOLE
  • EBS_SSOAGENT
  • HOST_IP_CHECK
  • MONITOR
  • SCRIPT
  • SERVICE
  • TrustedOriginUpdateScheduler
  • WEB_CONSOLE
  • A specific service (for example, check_connection)

COMPONENT
  Component of the sub-process, such as:
  • AUTHN
  • AUTHZ
  • CLUSTER MANAGER ADMIN
  • ERROR
  • IDP
  • INFO
  • KRB5
  • LOG_DOWNLOAD_STATUS
  • LOG_PREPARE_OPERATION
  • LOG_PREPARE_STATUS
  • NGINX
  • SYSTEM
  • TRUSTED_DOMAINS

SUB-COMPONENT
  Sub-component of the process, such as:
  • ALERT
  • EBS_SSOAGENT
  • HOST
  • INFO
  • LOCAL
  • NETCAT
  • NOMINATION
  • POLICY
  • SESSION
  • STARTUP/SHUTDOWN

LOG_LEVEL
  Log level, one of: TRACE, DEBUG, INFO, WARN, ERROR, or FATAL.

EVENT
  Event type.

STRUCTURED_DATA
  Data related to the event that occurred, as KEY="value" pairs in square brackets.

MESSAGE
  Human-readable message.

Admin nomination

Events logged when admin renomination takes place.

Nomination - Starting

Description: Events generated when the nomination starts on the admin node.

Messages:

  • OAG Version - 2020.8.3, Cluster Manager Version - 2020.1.5.20200803.174755

    Starting authorized nomination process

  • OAG Version - 2020.6.3, Cluster Manager Version - 2020.1.5.20200803.174755
  • Sent nomination.authKey to admin node - existingadmin[.domain.tld]

Examples:

  • 2020-08-05T18:40:23.711-07:00 nodeB OAG ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Mgmt console Event [USER="oag-mgmt"] OAG Version - 2020.6.3, Cluster Manager Version - 2020.1.5.20200803.174755
  • 2020-08-05T18:40:23.711-07:00 nodeB OAG ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Mgmt console Event [USER="oag-mgmt"] Starting authorized nomination process - OAG Version - 2020.6.3, Cluster Manager Version - 2020.1.5.20200803.174755
  • 2020-08-05T18:40:23.905-07:00 nodeB ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Send auth key to admin node [USER="oag-mgmt"] Sent nomination.authKey to admin node - existingadmin[.domain.tld]
  • Structured data:
    • USER - User performing nomination actions, always oag-mgmt.
  • Corrective action :
    • N/A
  • Nomination - Initiated

    Description: Events generated when the nomination starts on the admin node.

    Messages:

    • Started nomination process with args: adminNode - [DNS name of existing admin ],

      nominatedNode - [DNS name of nominated worker],

      accessGatewayHostname - gw-admin.[domain.tld]

    Examples:

    • 2020-08-04T14:28:48.376-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Arguments [USER="root"] Started nomination process with args: adminNode - oag.nodeA.com,nominatedNode - oag.nodeC.com, accessGatewayHostname - gw-admin.[domain.tld]
  • Structured data:
    • USER - User performing nomination actions, always root.
  • Corrective action :
    • N/A
  • Nomination - Worker nodes not at correct version

    Description: One or more nodes aren't at the required feature version.

    Messages:

    • Incompatible node list - [worker.[domain.tld]...] Update worker nodes to version - 2020.8.3 or higher.

    Examples:

    • 2020-08-04T14:28:48.380-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION ERROR Determine Version Compatibility [USER="root"] Incompatible Node List - oag.nodeB.com,oag.nodeD.com. Update worker nodes to version - 2020.8.3 or higher
  • Structured data:
    • USER - User performing nomination actions, always root.
  • Corrective action :
    • Update the worker nodes identified to version 2020.8.3 or later, and then re-run the renomination process.
  • Nomination - Nominated worker detached from cluster

    Description: Events generated when the nominated worker has been detached from the cluster before becoming the new admin node.

    Messages:

    • Removed nominated admin node - existingadmin[.domain.tld] from HA configuration files
    • Failed to remove nominated admin node - existingadmin[.domain.tld] from HA configuration files.

    Examples:

    • 2020-08-04T14:28:48.380-05:00 existingadmin.[.domain.tld] ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION ERROR Remove nominated node from HA [USER="root"] Removed nominated admin node - name[.domain.tld] from HA configuration files.
    • 2020-08-04T14:28:48.380-05:00 existingadmin.[domain.tld] ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION ERROR Remove nominated node from HA [USER="root"] Failed to remove nominated admin node - name[.domain.tld] from HA configuration files.
  • Structured data:
    • USER - User performing nomination actions, always root.
  • Corrective action :
    • No action required: If the operation fails, the admin node reverts to its original state. The nominated node is also reverted to its pre-renomination state.
  • Nomination - nominated node cloned

    Description: Events generated when current configuration has been transferred to nominated worker.

    Messages:

    • Transferred HA configuration files from current admin node - worker[.domain.tld].
    • Failed to transfer HA configuration files from current admin node - worker[.domain.tld].

    Examples:

    • 2020-08-04T14:27:42.345-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Copy HA configs [USER="root"] Transferred HA configuration files from current admin node - worker[.domain.tld].
    • 2020-08-04T14:27:42.345-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Copy HA configs [USER="root"] Failed to transfer HA configuration files from current admin node - worker[.domain.tld].
  • Structured data:
    • USER - User performing nomination actions, always oag-mgmt.
  • Corrective action :
    • No action required: If the process fails, the nominated worker node reverts to its original state.
  • Nomination - Key exchange

    Description: Events generated when the required keys are exchanged between existing admin and nominated admin.

    Messages:

    • Backup of ssh keys completed for nominated node - newadmin.[domain.tld].

    Examples:

    • 2020-08-04T14:27:42.362-05:00 newadmin[.domain.tld] ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Backup SSH Keys [USER="root"] Backup of ssh keys completed for nominated node - worker.[domain.tld]
  • Structured data:
    • USER - User performing nomination actions, always oag-mgmt.
  • Nomination - Key exchange

    Description: Events generated when the required keys are synchronized between admin and workers.

    Messages:

    • Synced known_hosts and authorized_keys of current admin node - worker[.domain.tld] with all worker nodes.
    • Failed to sync known_hosts and authorized_keys of current admin node - oag.nodeA.com with all worker nodes.

    Examples:

    • 2020-08-04T14:27:43.823-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Sync keys [USER="root"] Synced known_hosts and authorized_keys of current admin node - worker[.domain.tld] with all worker nodes
    • 2020-08-04T14:27:43.823-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Sync keys [USER="root"] Failed to sync known_hosts and authorized_keys of current admin node - worker[.domain.tld] with all worker nodes
  • Structured data:
    • USER - User performing nomination actions, always root.
  • Corrective action :
    • No action required: If the operation fails, the nominated worker node reverts to its original state.
  • Nomination - Update worker high availability configuration

    Description: Events generated during exchange of high availability configuration between nominated admin and workers.

    Messages:

    • Prepared HA config file - /tmp/nolock.update_ha_configs.f76c8aea-073b-4241-8960-536fb26573d5.json for worker node - workerX[.domain.tld].
    • Sent nolock.update_ha_configs.f76c8aea-073b-4241-8960-536fb26573d5.json file to worker node - workerX[.domain.tld].
    • Prepared HA config file - /tmp/nolock.update_ha_configs.01880ce6-6ac3-4dd9-ac14-934a301490f3.json for worker node - workerX.[domain.tld]
    • Sent nolock.update_ha_configs.01880ce6-6ac3-4dd9-ac14-934a301490f3.json file to worker node - workerX.[.domain.tld]

    Examples:

    • 2020-08-04T14:27:43.883-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Prep HA config for worker node [USER="root"] Prepared HA config file - /tmp/nolock.update_ha_configs.f76c8aea-073b-4241-8960-536fb26573d5.json for worker node - workerX[.domain.tld]
    • 2020-08-04T14:27:44.086-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Send HA config to worker node [USER="root"] Sent nolock.update_ha_configs.f76c8aea-073b-4241-8960-536fb26573d5.json file to worker node - workerX[.domain.tld].
    • 2020-08-04T14:27:44.107-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Prep HA config for worker node [USER="root"] Prepared HA config file - /tmp/nolock.update_ha_configs.01880ce6-6ac3-4dd9-ac14-934a301490f3.json for worker node - workerX[.domain.tld]
    • 2020-08-04T14:27:44.307-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Send HA config to worker node [USER="root"] Sent nolock.update_ha_configs.01880ce6-6ac3-4dd9-ac14-934a301490f3.json file to worker node - workerX[.domain.tld].
    • 2020-08-04T14:27:44.307-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Send HA config to worker node [USER="root"] Failed to send nolock.update_ha_configs.01880ce6-6ac3-4dd9-ac14-934a301490f3.json file to worker node - workerX[.domain.tld].
  • Structured data:
    • USER - User performing nomination actions, always root.
  • Corrective action :
    • No action required: If the operation fails, the nominated worker node and the impacted worker nodes revert to their original states.
  • Nomination - Update worker high availability configuration

    Description: Events generated as workers acknowledge receipt of new high availability configuration.

    Messages:

    • Received - 0/2 acknowledgements so far
    • Received acknowledgment for Worker node - workerX[.domain.tld] with updated Admin Node - newadmin[.domain.tld]
    • Received - 2/2 acknowledgements so far
    • Newly nominated admin node - newadmin[.domain.tld] has been acknowledged by all worker nodes
    • Received acknowledgment 1/2 acknowledgements so far

    Examples:

    • 2020-08-04T14:27:44.346-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Received acknowledgment [USER="root"] Received - 0/2 acknowledgements so far
    • 8-04T14:27:54.383-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Received acknowledgment [USER="root"] Received acknowledgment for Worker node - workerX.[domain.tld] with updated Admin Node - newadmin[.domain.tld]
    • 2020-08-04T14:27:54.428-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Received acknowledgment [USER="root"] Received - 2/2 acknowledgements so far
    • 2020-08-04T14:28:04.448-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Received acknowledgment [USER="root"] Newly nominated admin node - oag.nodeC.com has been acknowledged by all worker nodes
    • 2020-08-04T14:28:04.448-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Received acknowledgment [USER="root"] Received acknowledgment 1/2 acknowledgements so far
  • Structured data:
    • USER - User performing nomination actions, always oag-mgmt.
  • Corrective action :
    • Contact support to determine why specific worker didn't return acknowledgment.
  • Nomination - Revert existing admin to standalone

    Description: Event generated at completion of renomination when the existing admin becomes standalone node.

    Messages:

    • Reset HA configs of older admin node - oldadmin[.domain.tld]

    Examples:

    • 2020-08-04T14:28:04.806-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Reset admin node HA setup [USER="root"] Reset HA configs of older admin node - oag.nodeA.com
  • Structured data:
    • USER - User performing nomination actions, always root.
  • Corrective action :
    • N/A
  • Nomination - Confirmation of reset

    Description: Event generated to confirm the reset of an existing admin to standalone.

    Messages:

    • Admin nomination process completed successfully for new admin node - existingadmin[.domain.tld].
    • Reset HA configs for admin node - existingadmin[.domain.tld]

    Examples:

    • 2020-08-04T14:28:04.818-05:00 oag.nodeC.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Nomination completed [USER="root"] Admin nomination process completed successfully for new admin node - oldamin[.domain.tld].
  • Structured data:
    • USER - User performing nomination actions, always root.
  • Corrective action :
    • N/A
  • Nomination - Incorrect authorization code

    Description: Event generated when the admin user enters the renomination authorization code, whether correctly or incorrectly.

    Messages:

    • Authorization token is correct.
    • Authorization token is incorrect.
    • Initiating nomination process on Nominated node - newadmin[.domain.tld].
    • Sent nolock.start_admin_nomination.json to nominated node - oag.nodeC.com

    Examples:

    • 2020-08-06T12:15:23.136-05:00 oag.nodeA.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Auth Token Verification [USER="oag-mgmt"] Authorization token is correct
    • 2020-08-06T12:13:49.224-05:00 oag.nodeA.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION ERROR Auth Token Verification [USER="oag-mgmt"] Authorization token is incorrect
    • 2020-08-06T12:15:23.148-05:00 oag.nodeA.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Initiate nomination [USER="oag-mgmt"] Initiating nomination process on Nominated node - newadmin[.domain.tld].
    • 2020-08-06T12:15:23.423-05:00 oag.nodeA.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Initiate nomination [USER="oag-mgmt"] Sent nolock.start_admin_nomination.json to nominated node - oag.nodeC.com
  • Structured data:
    • USER - User performing nomination actions, always oag-mgmt.
  • Corrective action :
    • Re-enter the correct code.
  • Nomination - Existing admin enters maintenance mode

    Description: Event generated when the existing admin enters maintenance mode.

    Messages:

    • Started Admin Node Nomination App on admin node - existingadmin.[domain.tld]

    Examples:

    • 2020-08-06T13:06:41.872-05:00 oag.nodeA.com ADMIN_CONSOLE CLUSTER MANAGER UPDATE ADMIN INFO Started Admin Node Nomination App [USER="oagha"] Started Admin Node Nomination App on admin node - existingadmin[.domain.tld]
  • Structured data:
    • USER - User performing nomination actions, always root.
  • Corrective action :
    • N/A
  • Nomination - Existing admin exit maintenance mode

    Description: Event generated when admin exits maintenance mode.

    Messages:

    • Activated Admin App for admin node - existingadmin[.domain.tld].
    • Removed Admin Node Nomination Mode App for admin node - existingadmin[.domain.tld].
    • Reset process completed for admin node - existingadmin[.domain.tld].

    Examples:

    • 2020-08-06T13:08:05.086-05:00 oag.nodeA.com ADMIN_CONSOLE CLUSTER MANAGER UPDATE ADMIN INFO Activate Admin App [USER="oagha"] Activated Admin App for admin node - existingadmin[.domain.tld]
    • 2020-08-06T13:08:05.105-05:00 oag.nodeA.com ADMIN_CONSOLE CLUSTER MANAGER UPDATE ADMIN INFO Removed Nomination Mode App [USER="oagha"] Removed Admin Node Nomination Mode App for admin node - existingadmin[.domain.tld]
    • 2020-08-06T13:08:05.118-05:00 oag.nodeA.com ADMIN_CONSOLE CLUSTER MANAGER UPDATE ADMIN INFO Reset process completed [USER="oagha"] Reset process completed for admin node - existingadmin[.domain.tld]
  • Structured data:
    • USER - User performing nomination actions, always oagha.
  • Corrective action :
    • N/A
  • Nomination - Backup triggered on existing admin node

    Description: Event generated when a backup is performed on existing admin.

    Messages:

    • sudo ...

    Examples:

    • 2020-08-06T13:06:42.000-05:00 existingadmin[.domain.tld] sudo oagha : TTY=unknown ; PWD=/opt/oag/configs/ha/configs.install ; USER=root ; COMMAND=/opt/oag/scripts/oag_backup.sh
  • Structured data:
    • USER - User performing nomination actions, always root.
  • Corrective action :
    • N/A
  • Nomination - Public and private keys transferred to new admin.

    Description: Event generated when the required public and private keys are transferred to the new admin.

    Messages:

    • Copied private key of oagha user from node - existingadmin[.domain.tld to nominated node - newadmin[.domain.tld].
    • Copied public key oagha user from node - existingadmin[.domain.tld] to nominated node - existingadmin[.domain.tld].

    Examples:

    • 2020-08-06T13:07:43.331-05:00 oag.nodeA.com ADMIN_CONSOLE CLUSTER MANAGER UPDATE ADMIN INFO Copy user private key [USER="oagha"] Copied private key of oagha user from node - existingadmin[.domain.tld] to nominated node - newadmin.[domain.tld]
    • 2020-08-06T13:07:43.515-05:00 oag.nodeA.com ADMIN_CONSOLE CLUSTER MANAGER UPDATE ADMIN INFO Copy user public key [USER="oagha"] Copied public key oagha user from node - existing.[domain.tld] to nominated node - newadmin.[domain.tld]
  • Structured data:
    • USER - User performing nomination actions, always root.
  • Corrective action :
    • N/A
  • Nomination - Worker node key updates

    Description: Event generated when a key is written to a worker node.

    Messages:

    • Public host keys of nominated admin node - workerX[.domain.tld] has been added to known_hosts file of worker node - newadmin[.domain.tld]

    Examples:

    • 2020-08-06T13:07:43.228-05:00 oag.nodeB.com ADMIN_CONSOLE CLUSTER MANAGER UPDATE WORKER INFO Update keys [USER="root"] Public host keys of nominated admin node - workerX.[domain.tld] has been added to known_hosts file of worker node - newadmin[.domain.tld]
  • Structured data:
    • USER - User performing nomination actions, always root.
  • Corrective action :
    • N/A
  • Nomination - Worker configuration updates

    Description: Event generated when a worker node's keys are updated.

    Messages:

    • Public host keys of nominated admin node - workerX[.domain.tld] has been added to known_hosts file of worker node - newadmin[.domain.tld]

    Examples:

    • 2020-08-06T13:07:44.505-05:00 oag.nodeB.com ADMIN_CONSOLE CLUSTER MANAGER UPDATE WORKER INFO Update HA Config [USER="root"] Updated HA config file - /opt/oag/configs/events/config/ha_configuration.config with nominated admin node as - newadmin[.domain.tld] and worker nodes as - workerX[.domain.tld], workerY[.domain.tld]
  • Structured data:
    • USER - User performing nomination actions, always root.
  • Corrective action :
    • N/A
  • Nomination - Acknowledgements

    Description: Event generated as nominations are acknowledged.

    Messages:

    • Prepared acknowledgment file - /tmp/f76c8aea-073b-4241-8960-536fb26573d5.ack.prep.
    • Sent acknowledgment file - /tmp/f76c8aea-073b-4241-8960-536fb26573d5.ack.prep to nominated admin node - newadmin[.domain.tld]

    Examples:

    • 2020-08-06T13:07:44.520-05:00 oag.nodeB.com ADMIN_CONSOLE CLUSTER MANAGER UPDATE WORKER INFO Prepare Ack file [USER="root"] Prepared acknowledgment file - /tmp/f76c8aea-073b-4241-8960-536fb26573d5.ack.prep
    • 2020-08-06T13:07:44.734-05:00 oag.nodeB.com ADMIN_CONSOLE CLUSTER MANAGER UPDATE WORKER INFO Sent Ack file [USER="root"] Sent acknowledgment file - /tmp/f76c8aea-073b-4241-8960-536fb26573d5.ack.prep to nominated admin node - newadmin[.domain.tld]
  • Structured data:
    • USER - User performing nomination actions, always root.
  • Corrective action :
    • N/A
  • Nomination - Successful nomination

    Description: Event generated when a nomination completes successfully.

    Messages:

    • Admin nomination process completed successfully on worker node - newadmin[.domain.tld].

    Examples:

    • 2020-08-06T13:07:44.746-05:00 oag.nodeB.com ADMIN_CONSOLE CLUSTER MANAGER UPDATE WORKER INFO Sent Ack file [USER="root"] Admin nomination process completed successfully on worker node - newadmin[.domain.tld]
  • Structured data:
    • USER - User performing nomination actions, always root.
  • Corrective action :
    • N/A
Application

    SYSTEM_APP_EVENT

    Event issued when an application is created, updated, deleted, activated, or deactivated.

    Message types:

    • Application: <Application Name> action: CREATE

    • Application: <Application Name> action: UPDATE

    • Application: <Application Name> action: DELETE

    • Application: <Application Name> action: ENABLE

    • Application: <Application Name> action: DISABLE

    Examples:

    • 2020-06-24T09:40:36.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="93d2e78a-c6b7-4c27-83c8-15c2b783d3bb" NAME="Sample Header App" TYPE="SAMPLEHEADER_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="CREATE" SESSION_ID="3dKU4yqIlHkcRUeGb9f9Dh6OSgFjHq3hIMVktx7h" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'CREATE'

    • 2020-06-24T09:40:36.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="<Application GUID>" NAME="Sample Header App" TYPE="SAMPLEHEADER_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="UPDATE" SESSION_ID="<Session ID>" SUBJECT="user@<Domain.tld>" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'UPDATE'

    • 2020-06-24T09:40:36.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="<Application GUID>" NAME="Sample Header App" TYPE="SAMPLEHEADER_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="ENABLE" SESSION_ID="<Session ID>" SUBJECT="user@<Domain.tld>" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'ENABLE'

    • 2020-06-24T09:40:36.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="<Application GUID>" NAME="Sample Header App" TYPE="SAMPLEHEADER_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="DISABLE" SESSION_ID="<Session ID>" SUBJECT="user@<Domain.tld>" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'DISABLE'

    • 2020-06-24T09:40:36.000-05:00 example.myaccessgateway.com WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="<Application GUID>" NAME="Sample Header App" TYPE="SAMPLEHEADER_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="DELETE" SESSION_ID="<Session ID>" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'DELETE'

    Structured data:

    • GUID - Application identifier
    • NAME - Application name
    • TYPE - Application Type
    • DOMAIN - Application domain
    • IDP - IDP of application
    • IDP_TYPE - Okta or LOCAL
    • REASON - One of CREATE, UPDATE, DELETE, ENABLE, or DISABLE
    • SESSION_ID - Internal session ID created for the user session
    • SUBJECT - User performing the action, usually the admin
    • REMOTE_IP - IP address of the user, if available
    • USER_AGENT - Browser details
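The field layout from the Event fields list and the SYSTEM_APP_EVENT structured data just described are enough to parse these entries and apply a few review rules to them. The following Python is an added example, not Okta's code: it assumes the field order TIMESTAMP HOSTNAME APPLICATION SUB-PROCESS COMPONENT SUB-COMPONENT LOG_LEVEL EVENT [STRUCTURED_DATA] MESSAGE, uses the SUB-PROCESS values from that list to recognise entries that omit the APPLICATION field (as some of the nomination examples on this page do), and runs over constructed sample lines modelled on the page's examples. The rule names (application_removed, renomination_auth_failure, error) are the example's own, not anything Access Gateway emits.

```python
"""Parse Access Gateway audit log lines and flag the ones worth a second look.

Added example; not Okta's code. Assumes the field order given under
"Event fields" on this page. COMPONENT and EVENT may contain spaces
("CLUSTER MANAGER ADMIN", "Mgmt console Event") and some lines omit
APPLICATION, so the header is split around the LOG_LEVEL token instead
of by a fixed field count.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LOG_LEVELS = {"TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL"}
# SUB-PROCESS values listed on the page; a line starting with one of these
# carries no APPLICATION field.
SUB_PROCESSES = {
    "ApplicationService", "ACCESS", "ADMIN_CONSOLE", "EBS_SSOAGENT",
    "HOST_IP_CHECK", "MONITOR", "SCRIPT", "SERVICE",
    "TrustedOriginUpdateScheduler", "WEB_CONSOLE",
}
# timestamp, hostname, the header up to the first " [", the bracketed
# structured data (greedy, so ")" or ";" inside USER_AGENT is harmless),
# and the free-text message after the closing bracket.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<head>.+?)\s+\[(?P<sd>.*)\]\s*(?P<msg>.*)$"
)
SD_RE = re.compile(r'(\w+)="([^"]*)"')  # KEY="value" pairs inside the brackets


@dataclass
class AuditEvent:
    timestamp: str
    hostname: str
    application: str  # "" when the line carries no APPLICATION field
    sub_process: str
    component: str
    sub_component: str
    log_level: str
    event: str
    structured_data: Dict[str, str]
    message: str


def parse_line(line: str) -> Optional[AuditEvent]:
    """Return an AuditEvent, or None for lines in another format (the sudo
    line and the Java CertificateService lines on this page, for instance)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tokens = m.group("head").split()
    level_idx = next((i for i, t in enumerate(tokens) if t in LOG_LEVELS), None)
    if level_idx is None:
        return None
    start = 0 if tokens[0] in SUB_PROCESSES else 1  # index of SUB-PROCESS
    if level_idx < start + 3:  # need SUB-PROCESS, COMPONENT, SUB-COMPONENT
        return None
    return AuditEvent(
        timestamp=m.group("ts"),
        hostname=m.group("host"),
        application=tokens[0] if start else "",
        sub_process=tokens[start],
        component=" ".join(tokens[start + 1:level_idx - 1]),
        sub_component=tokens[level_idx - 1],
        log_level=tokens[level_idx],
        event=" ".join(tokens[level_idx + 1:]),
        structured_data=dict(SD_RE.findall(m.group("sd"))),
        message=m.group("msg"),
    )


def triage(lines: List[str]) -> List[dict]:
    """One finding per line that matches a rule: an application deleted or
    disabled, a wrong renomination authorization code, or any other
    ERROR/FATAL entry. Lines in other formats are skipped."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        sd = ev.structured_data
        actor = sd.get("SUBJECT") or sd.get("USER") or "-"
        rule = None
        if ev.event == "SYSTEM_APP_EVENT" and sd.get("REASON") in {"DELETE", "DISABLE"}:
            rule = "application_removed"
        elif (ev.sub_component == "NOMINATION" and ev.log_level == "ERROR"
              and "Authorization token is incorrect" in ev.message):
            rule = "renomination_auth_failure"
        elif ev.log_level in {"ERROR", "FATAL"}:
            rule = "error"
        if rule:
            findings.append({"rule": rule, "timestamp": ev.timestamp,
                             "host": ev.hostname, "actor": actor, "message": ev.message})
    return findings


# Constructed sample lines modelled on this page's examples (user agent shortened).
SAMPLE_LINES = [
    '2020-06-24T09:40:36.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE APP - INFO '
    'SYSTEM_APP_EVENT [GUID="93d2e78a-c6b7-4c27-83c8-15c2b783d3bb" NAME="Sample Header App" '
    'TYPE="SAMPLEHEADER_APP" REASON="CREATE" SUBJECT="admin" REMOTE_IP="-" '
    'USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"] Application: \'Sample Header App\' action: \'CREATE\'',
    '2020-06-24T09:41:02.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE APP - INFO '
    'SYSTEM_APP_EVENT [GUID="93d2e78a-c6b7-4c27-83c8-15c2b783d3bb" NAME="Sample Header App" '
    'TYPE="SAMPLEHEADER_APP" REASON="DELETE" SUBJECT="admin" REMOTE_IP="-" '
    'USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"] Application: \'Sample Header App\' action: \'DELETE\'',
    '2020-08-05T18:40:23.711-07:00 nodeB OAG ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION INFO Mgmt console '
    'Event [USER="oag-mgmt"] Starting authorized nomination process - OAG Version - 2020.6.3',
    '2020-08-06T12:13:49.224-05:00 oag.nodeA.com ADMIN_CONSOLE CLUSTER MANAGER ADMIN NOMINATION ERROR '
    'Auth Token Verification [USER="oag-mgmt"] Authorization token is incorrect',
    '2020-08-06T13:06:42.000-05:00 existingadmin.example.test sudo oagha : TTY=unknown ; '
    'PWD=/opt/oag/configs/ha/configs.install ; USER=root ; COMMAND=/opt/oag/scripts/oag_backup.sh',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Splitting around the log level rather than on a fixed number of whitespace-separated fields is what keeps multi-word COMPONENT and EVENT values intact; the trade-off is that a line whose EVENT happens to be a level name would be mis-split, which none of the examples on this page do.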

    Certificate events

    Events logged when adding, updating, or assigning certificates. See Certificate use and Manage certificates and certificate chains for more information. This covers both traditional certificates and the actions associated with certificate chain authentication.

    Can't read certificate

    Description: While adding or updating a certificate using the Access Gateway Management console, an invalid certificate was provided.

    Messages:

    • Failed to read certificate.

    Examples:

    • 2020-08-10 15:42:30.583 ERROR 1336 --- [ XNIO-2 task-11] com.okta.oag.service.CertificateService : Failed to read certificate from file /opt/oag/nginx/ssl//test.crt. Error: /opt/oag/nginx/ssl/test.crt (Permission denied)

      This event is generated while reading a certificate whose file lacks read permission.
  • Structured data:
    • None
  • Corrective action :
    • Ensure that the certificate being uploaded is valid and check permissions.
  • Invalid certificate format

    Description: While adding or updating a certificate using the Access Gateway Management console, an invalid certificate was provided.

    Messages:

    • Error: Could not parse certificate.

    Examples:

    • 2020-08-10 15:41:51.682 ERROR 1336 --- [ XNIO-2 task-11] com.okta.oag.service.CertificateService : Failed parse certificate file /opt/oag/nginx/ssl//test.crt. Error: Could not parse certificate: java.io.IOException: Empty input

      This event is generated when the certificate file being read is not a valid PEM-format certificate file, that is, on a parsing error.
  • Structured data:
    • None
  • Corrective action :
    • Ensure that the certificate being uploaded is valid and try again.
  • Invalid protected web resource value

    Description: While adding an application using the Access Gateway Admin UI console, an attempt was made to generate a self-signed certificate based on an invalid protected web resource file.

    Messages:

    • 'value.gateway.info' is not a valid hostname.

    Examples:

    • 2020-08-10 15:40:10.938 ERROR 1336 --- [ XNIO-2 task-11] c.okta.oag.web.rest.CertificateResource : 'value.gateway.info' is not a valid hostname.
  • Structured data:
    • None
  • Corrective action :
    • Examine the value of the associated application's protected web resource and try again.
  • Missing protected web resource value

    Description: While adding an application using the Access Gateway Admin UI console, an attempt was made to generate a self-signed certificate based on an invalid or missing protected web resource file.

    Messages:

    • No value for relayDomain

    Examples:

    • 2020-08-10 15:36:49.769 ERROR 1336 --- [ XNIO-2 task-2] c.i.s.web.rest.ExceptionHandlerAdvice : handleExceptions org.springframework.boot.configurationprocessor.json.JSONException: No value for relayDomain
  • Structured data:
    • None
  • Corrective action :
    • Examine the value of the associated applications protected web resource, correct any errors, and try again.
  • Certificate revocation list settings updated

    Description: Settings associated with certificate revocation lists were updated.

    Messages:

    • CRL config updated.

    Examples:

    • 2020-08-10 15:36:49.769 ERROR 1336 --- [ XNIO-2 task-2] c.i.s.web.rest.ExceptionHandlerAdvice : handleExceptions org.springframework.boot.configurationprocessor.json.JSONException: No value for relayDomain
  • Structured data:
    • None
  • Corrective action :
    • None
Log Verbosity

    Events generated when the logging verbosity level is changed. See Manage log verbosity and Logging levels.

    Log verbosity change event

    Description: An administrator changed the current log verbosity. This event signals the start of the change process.

    Messages:

    • Allow access to resource

    Examples:

    • 2020-08-26T21:24:03.678-05:00 oag01.okta.com ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="_3fd5e31193bff51983c9f81c8092cc9f23a1339446" SUBJECT="admin@oag.okta.com" RESOURCE="/api/v1/setting/loglevel" METHOD="PUT" POLICY="api" POLICY_TYPE="PROTECTED" DURATION="0" APP="Local OAG Admin Console" APP_TYPE="ADMINUI_APP" APP_DOMAIN="gw-admin.[domain.tld]" RESULT="ALLOW" REASON="N/A - SESSIONID=_3fd5e31193bff51983c9f81c8092cc9f23a1339446 X-Authorization=admin@oag.okta.com username=admin RelayDomain=gw-admin.gateway.info oag_username=admin@oag.okta.com UserName=admin@oag.okta.com SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport RemoteIP=192.168.1.84 USER_AGENT=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0 creationTime=1598494932480 maxInactiveInterval=3600000 maxActiveInterval=28800000 lastAccessedTime=1598495024962 " REMOTE_IP="192.168.1.84" USER_AGENT="PostmanRuntime/7.26.3"] allow access to resource
  • Structured data:
    • SESSION_ID - Valid or invalid.
    • RESOURCE - Always loglevel.
    • METHOD - Always PUT.
    • POLICY - Always api.
    • POLICY_TYPE - Always PROTECTED.
    • DURATION - Always 0.
    • APP - Always Local OAG Admin Console.
    • APP_TYPE - Always ADMINUI_APP.
    • APP_DOMAIN - Domain where the log verbosity level was changed.
    • RESULT - Always ALLOW.
    • REASON - Not applicable, followed by session information.
    • REMOTE_IP - IP address of the client.
    • USER_AGENT - Always Postman runtime.
  • Corrective action:
    • None, informational.
  • Create and communicate a change in log verbosity (available in ics_all.log and via sys loggers)

    Events issued when the Access Gateway admin instance generates and communicates with all high availability nodes about a change in log verbosity.

    Messages:

    • application_template_service

    • application_template_service event for file_with_path:/opt/oag/events/loglevel.local.UPDATE.json

    • application_template_service event for file:loglevel.local.UPDATE.json

    • application_template_service Acquiring lock

    • application_template_service reading JSON from file '/opt/oag/events/loglevel.local.UPDATE.json'

    • application_template_service Local log level set to '[level]' where level represents the new log verbosity level.

    Examples:

    • 2020-08-26T21:24:03.000-05:00 [DNS name of administration node] application_template_service ['/opt/oag/events/loglevel.local.UPDATE.json']

    • 2020-08-26T21:24:03.000-05:00 oag01.okta.com application_template_service event for file_with_path:/opt/oag/events/loglevel.local.UPDATE.json

    • 2020-08-26T21:24:03.000-05:00 oag01.okta.com application_template_service event for file:loglevel.local.UPDATE.json

    • 2020-08-26T21:24:03.000-05:00 oag01.okta.com application_template_service Acquiring lock

    • 2020-08-26T21:24:03.000-05:00 oag01.okta.com application_template_service reading JSON from file '/opt/oag/events/loglevel.local.UPDATE.json'

    • 2020-08-26T21:24:03.000-05:00 oag01.okta.com application_template_service Local log level set to 'info'

    Structured data:

    • None

  • Corrective action:
    • None, informational.
  • Restart Syslog (available in ics_all.log and through sys loggers)

    Events emitted when Access Gateway has successfully communicated the change in verbosity and is restarting the SYSLOG agent.

    Messages:

    • Restart and restart complete.

    Examples:

    • 2020-08-26T21:24:04.000-05:00 [DNS name of HA node] OAG syslog-ng: Access-Gateway SYSLOG-NG restart

    • 2020-08-26T21:24:04.000-05:00 oag01.okta.com OAG syslog-ng: Access-Gateway SYSLOG-NG restart completed

    Structured data:

    • None

  • Corrective action:
    • None, informational.
  • Verbosity update complete (available in ics_all.log and through sys loggers)

    Events issued when Access Gateway has completed the change to log verbosity.

    Message:

    • Application_template_service loglevel event:update template...

    Examples:

    • 2020-08-26T21:24:04.000-05:00 [DNS name of administration node] application_template_service loglevel event:update template for file:loglevel.local.UPDATE.json

    Structured data:

    • None

  • Corrective action:
    • None, informational.
  • Password

    Events logged when changing passwords.

    Access Gateway Admin UI console

    Reset password

    Description: Access Gateway Admin UI console password successfully changed.

    Messages:

    • Password updated successfully

    Examples:

    • 2021-04-28T12:04:16.000-05:00 oag.adminX.com ACCESS_GATEWAY WEB_CONSOLE Admin password updated successfully.

    Structured data:

    • None

    Corrective action:

    • N/A

    Attempt to reuse default password

    Description: An attempt was made to set the Access Gateway Admin UI console password to the original default value.

    Messages:

    • Password reset failed. Default password was entered.

    Examples:

    • 2021-04-28T12:00:14.451-05:00 oag.adminX.com WEB_CONSOLE PASSWORD_RESET WEB_CONSOLE ERROR PASSWORD_RESET [USER="oag-mgmt"] Password reset failed. Default password was entered.

    Structured data:

    • USER - User performing login.

    Corrective action:

    • Enter a new password that doesn't match the original default password.

    Default password during login

    Description: During an Access Gateway Admin UI console login attempt the default password was detected.

    Messages:

    • Default admin password being used.

    Examples:

    • 2021-04-28T12:03:53.906-05:00 oag.adminX.com SCRIPT INFO DEFAULT_PASSWORD_CHECK [USER="spgw"] Default admin password being used.

    Structured data:

    • USER - User performing login.

    Corrective action:

    • N/A

    Non-default password during login

    Description: During an Access Gateway Admin UI console login attempt the default password wasn't detected.

    Messages:

    • Default admin password not detected.

    Examples:

    • 2021-04-28T12:04:19.319-05:00 oag.okta.com SCRIPT INFO DEFAULT_PASSWORD_CHECK [USER="spgw"] Default admin password not detected.

    Structured data:

    • USER - User performing login.

    Corrective action:

    • N/A

    Access Gateway Management console

    Reset password

    Description: Access Gateway Management console password successfully changed.

    Messages:

    • Password reset successful

    Examples:

    • 2021-02-23T12:55:29.267-06:00 oag.adminX.com ADMIN_CONSOLE PASSWORD_RESET ADMIN_CONSOLE INFO PASSWORD_RESET [USER="oag-mgmt" USERNAME="oag-mgmt"] Password reset

    Structured data:

    • USER - User performing nomination actions, always oag-mgmt
    • USERNAME - Always oag-mgmt

    Corrective action:

    • N/A

    Reset failed

    Description: Attempt to change Access Gateway Management console password failed.

    Messages:

    • Password reset failed.
    • Password reset failed. Password did not meet minimum requirement

    Examples:

    • 2021-02-22T19:33:51.702-06:00 oag.adminX.com ADMIN_CONSOLE PASSWORD_RESET ADMIN_CONSOLE ERROR PASSWORD_RESET [USER="oag-mgmt" USERNAME="oag-mgmt"] Password reset failed

    Structured data:

    • USER - User performing nomination actions, always oag-mgmt
    • USERNAME - Always oag-mgmt

    Corrective action:

    • The password likely didn't meet the minimum requirements; try again.

    Invalid password entered

    Description: Log in failed, incorrect Access Gateway Management console password entered.

    Messages:

    • Incorrect password entered

    Examples:

    • 2021-02-22T19:33:19.903-06:00 oag.adminX.com ADMIN_CONSOLE PASSWORD_RESET ADMIN_CONSOLE ERROR PASSWORD_RESET [USER="oag-mgmt" USERNAME="oag-mgmt"] Incorrect password entered

    Structured data:

    • USER - User performing nomination actions, always oag-mgmt
    • USERNAME - Always oag-mgmt

    Corrective action:

    • Reenter Access Gateway Management console password and try again.

    System status

    CONFIG_TEST

    Event issued when NGINX has completed its configuration check successfully.

    Message:

    • nginx: The configuration file /tmp/nginx/nginx.conf syntax is ok. nginx: configuration file /tmp/nginx/nginx.conf test is successful.

    Example:

    • 2020-06-24T05:40:25.786-05:00 example.myaccessgateway.com OAG_MONITOR MONITOR NGINX INFO CONFIG_TEST [STATUS="VALID" UUID="<ID>"] nginx: the configuration file /tmp/nginx/nginx.conf syntax is ok nginx: configuration file /tmp/nginx/nginx.conf test is successful.

    Structured data:

    • STATUS - Valid or invalid.
    • UUID - UUID of configuration.

    SYSTEM_STARTUP

    Event issued when system startup has completed.

    Message:

    • Startup complete, system ready.

    Example:

    • 2020-06-24T10:05:56.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE - - INFO SYSTEM_STARTUP [] Startup complete, system ready.

    Structured data:

    • None.

    SHUTDOWN

    Event issued when system shutdown has begun.

    Message:

    • Shutting down system.

    Example:

    • 2020-06-24T08:31:25.729-05:00 example.myaccessgateway.com OAG ADMIN_CONSOLE SYSTEM SHUTDOWN INFO SHUTDOWN [USER="oag-mgmt"] Shutting down system.

    Structured data:

    • USER - User who performed the action.

    SYSTEM_IDP_STATUS

    Event issued when:

    • Access Gateway successfully connects with a configured identity provider.

    • Access Gateway can't connect with a configured identity provider.

    • An Access Gateway API token is invalid or expired.

    Messages:

    • Success confirming IDP status with: org.okta[preview].com.

    • Failure confirming connectivity with IDP: <IDP URL>. Please verify your network configuration.

    • Failure validating security token with IDP: <IDP Domain>. Please ensure that the token exists and is enabled.

    Examples:

    • Success: 2020-06-24T04:00:01.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS [NAME="MyIDP" DOMAIN="someorg.oktapreview.com" TYPE="IDP_OKTA" RESULT="PASS" REASON="VALID"] Success confirming IDP status with: someorg.oktapreview.com.

    • Network connectivity error: 2020-06-24T04:00:01.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS [NAME="<IDP Name> IDP" DOMAIN="<IDP URL>" TYPE="<Identity Provider type>" RESULT="FAIL" REASON="INVALID_NETWORK_CONN"] Failure confirming connectivity with IDP: <IDP URL>. Please verify your network configuration.

    • Invalid API token: 2020-06-24T04:00:01.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS [NAME="<IDP Name> IDP" DOMAIN="<IDP URL>" TYPE="<Identity Provider type>" RESULT="FAIL" REASON="INVALID_NETWORK_CONN"] Failure validating security token with IDP: <IDP Domain>. Please validate token exists and is enabled.

    Structured data:

    • NAME - Name of IDP.
    • DOMAIN - Associated domain.
    • TYPE - Type of IDP. IDP_OKTA or LOCAL.
    • RESULT - PASS or FAIL.
    • REASON - Valid or reason for failure.

    SYSTEM_STARTUP

    Event issued when Access Gateway starts successfully.

    Message:

    • Startup complete, system ready.

    Example:

    • 2020-06-24T09:40:52.000-05:00 ec2-18-209-113-130.compute-1.amazonaws.com ACCESS_GATEWAY WEB_CONSOLE - - INFO SYSTEM_STARTUP [] Startup complete, system ready.

    Structured data:

    • None

    Trusted Domains

    SYSTEM_TD_EVENT

    Messages:

    • source_app_guid: "<guid>", source_app_name="<name of source app>", source_app_domain: "<source domain of application>".
    • exception 'exception data' occurred.

    Examples:

    • When events are published:

      2020-07-15T04:46:38.000-04:00 localhost ACCESS_GATEWAY WEB_CONSOLE TRUSTED_DOMAINS - INFO SYSTEM_TD_EVENT [ SOURCE="APP" ACTION="UPDATE" ] source_app_guid: "61602a9d. . . ", source_app_name="Wikipedia SSO App", source_app_domain: "www.wikipedia.com"
    • When errors occur:

      2020-07-15T04:46:38.000-04:00 localhost ACCESS_GATEWAY WEB_CONSOLE TRUSTED_DOMAINS ALERT SYSTEM_TD_EVENT [ SOURCE="APP" ACTION="UPDATE" ] Exception when disable/enable trusted domains: [Errno 13] Permission denied: '/opt/oag/events/trusteddomains.DISABLE.json'.
    • When events are synchronized with an Okta tenant:

      2020-07-15T04:46:38.000-04:00 localhost ACCESS_GATEWAY WEB_CONSOLE TRUSTED_DOMAINS - INFO SYSTEM_TD_EVENT [ SOURCE="OKTA_TRUSTED_ORIGIN" ACTION="SYNC" ]
    Structured data:

    • SOURCE - APP or OKTA_TRUSTED_ORIGIN.
    • ACTION - One of CREATE, UPDATE, DELETE, or SYNC, indicating that a trusted domain was added, updated, removed, or synchronized.

    Note: Severity can be ALERT, INFO, or WARN.

    Kerberos

    SYSTEM_KRB5_EVENT

    Event issued when an action is performed on a Kerberos realm such as create, update, delete, activate, or deactivate.

    Messages:

    • Kerberos Realm: <Kerberos Realm> action: CREATE
    • Kerberos Realm: <Kerberos Realm> action: UPDATE
    • Kerberos Realm: <Kerberos Realm> action: DELETE

    Examples:

    • 2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE KRB5 - INFO SYSTEM_KRB5_EVENT [REALM="<Kerberos Realm>" REASON="CREATE" SESSION_ID="<Session ID>" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Kerberos Realm: '<Kerberos Realm>' action: 'CREATE'

    • 2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE KRB5 - INFO SYSTEM_KRB5_EVENT [REALM="<Kerberos Realm>" REASON="UPDATE" SESSION_ID="<Session ID>" SUBJECT="user@<Domain.tld>" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Kerberos Realm: '<Kerberos Realm>' action: 'UPDATE'

    • 2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE KRB5 - INFO SYSTEM_KRB5_EVENT [REALM="<Kerberos Realm>" REASON="DELETE" SESSION_ID="<Session ID>" SUBJECT="user@<Domain.tld>" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Kerberos Realm: '<Kerberos Realm>' action: 'DELETE'

    Structured data:

    • REALM - Associated Kerberos realm.
    • REASON - CREATE, UPDATE, or DELETE.
    • SESSION_ID - Associated local session id.
    • SUBJECT - User performing the action, usually the admin.
    • REMOTE_IP - Remote IP, if available.
    • USER_AGENT - Remote operating system, browser, and so on.

    Authentication and Authorization

    USER_LOGIN

    Event issued when a user attempts to log in. The event records whether the attempt succeeded or failed.

    Messages:

    • User login success: [user]
    • User login failed: [user]
    • Received an assertion that has expired. Check clock synchronization on IDP and SP.

    Examples:

    • 2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE AUTHN LOCAL INFO USER_LOGIN [SESSION_ID="<Session ID>" SUBJECT="<User login name>" TYPE="LOCAL" RESULT="PASS" REASON="VALID_CREDENTIALS" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"] User login success: user@<domain.tld>

    • 2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE AUTHN LOCAL INFO USER_LOGIN [SESSION_ID="<Session ID> " SUBJECT="<User login name>" TYPE="LOCAL" RESULT="FAIL" REASON="INVALID_CREDENTIALS" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"] User login failed: user@<domain.tld>

    • 2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHN SAML INFO USER_AUTHN [SESSION_ID="<Session ID> " SESSION_AUTH="<Session AUTH Information> " SUBJECT="<User login name>" TYPE="SAML_2_0" SOURCE="IDP Source URL" SOURCE_TYPE="<Identity Provider type>" SOURCE_DOMAIN="<IDP URL>" SOURCE_AUTHN_TYPE="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" APP="Sample Header App" APP_DOMAIN="<App Domain URL>" RESULT="PASS" REASON="Valid SAML Assertion" REMOTE_IP="192.168.10.20" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] User login:user@<domain.tld>

    • 2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHN SAML ERROR USER_AUTHN [TYPE="SAML_2_0" TRACKER_ID="<Tracking ID>" SOURCE="https://<IDP URL>/app/template_saml_2_0/exkckwwaxvY3crKhn0h7/sso/saml" RESULT="FAIL" REASON="Invalid SAML Assertion" REMOTE_IP="192.168.10.192" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36"] Received an assertion that has expired. Check clock synchronization on IdP and SP.

    Structured data:

    • SESSION_ID - LOCAL.
    • SUBJECT - Subject identifier, for example email address.
    • TYPE - SAML or the involved authentication module.
    • RESULT - PASS or FAIL
    • REASON - Valid credentials or the reason for failure.
    • REMOTE_IP - Remote IP, if available.
    • USER_AGENT - Remote operating system, browser, etc.

    USER_SESSION

    Event issued when a request for a session is issued.

    Message:

    • No session cookie. Sending to handler.

    • Upgraded auth cookie. App session created.

    • This should be investigated by your security group.

    Example:

    • 2020-06-04T13:53:53.483-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHZ SESSION INFO USER_SESSION [SESSION_ID="<Session ID>" APP="Local OAG Admin Console" APP_TYPE="ADMINUI_APP" APP_DOMAIN="<Application Domain>" RESULT="DENY" REASON="NOT_EXIST" REMOTE_IP="10.63.182.118" USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"] No session cookie. Sending to handler.
    • 2020-06-04T13:53:53.483-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHZ SESSION INFO USER_SESSION [SESSION_ID="<Session ID>" SESSION_AUTH="<Session Auth ID>" SESSION_APP="e701ddf534554eab8ea671e884438b99" SUBJECT="<User login name>" APP="Sample Header App" APP_TYPE="SAMPLEHEADER_APP" APP_DOMAIN="<App Domain URL>" RESULT="ALLOW" REASON="VALID_AUTHCOOKIE" REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Upgraded auth cookie. App session created.
    • 2020-06-04T13:53:53.483-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHZ SESSION WARN USER_SESSION [SESSION_ID="<Session ID>" SESSION_AUTH="<Session Auth ID>" APP="Sample Header App" APP_TYPE="SAMPLEHEADER_APP" APP_DOMAIN="<App Domain URL>" RESULT="DENY" REASON="INVALID_AUTHCOOKIE" REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] This should be investigated by your security group.

    Structured data:

    • SESSION_ID - Assigned session id, if it exists.
    • APP - Application name.
    • APP_TYPE - Type of the application the session was used against.
    • APP_DOMAIN - Associated application domain.
    • RESULT - ALLOW or DENY.
    • REASON - Reason why the request was allowed or denied.
    • REMOTE_IP - Remote IP from which the user attempted to log in.
    • USER_AGENT - Remote operating system, browser, etc.

    USER_LOGOUT

    Event issued when a user logs out.

    Message:

    • User logout success: user@<Application Domain>.

    Example:

    • 2020-06-04T13:53:59.986-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHN SESSION INFO USER_LOGOUT [SESSION_ID="<Session ID> " SUBJECT="user@<Application Domain.tld>" APP="Local OAG Admin Console" APP_TYPE="ADMINUI_APP" APP_DOMAIN="<Application Domain>" RESULT="PASS" REASON="VALID_SESSION" REMOTE_IP="10.63.182.118" USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"] User logout success: user@<Application Domain.tld>.

    Structured data:

    • SESSION_ID - Assigned session id.
    • APP - Application name.
    • APP_TYPE - Type of the application the session was used against. For example, ADMINUI_APP.
    • APP_DOMAIN - Associated application domain.
    • RESULT - ALLOW or DENY.
    • REASON - Reason why the request was allowed or denied.
    • REMOTE_IP - Remote IP from which the user attempted to log in.
    • USER_AGENT - Remote operating system, browser, etc.

    POLICY

    Event issued when a user attempts to access a resource.

    Message:

    • Allow access to resource.

    • Deny access to resource.

    Example:

    • 2020-06-24T09:40:55.667-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="_8832d5961146a7d69baafe864b05eac3d5e3bb72bb" SUBJECT="admin@<Domain.tld>" RESOURCE="/" METHOD="GET" POLICY="root" POLICY_TYPE="PROTECTED" DURATION="0" APP="Local OAG Admin Console" APP_TYPE="ADMINUI_APP" APP_DOMAIN="gw-admin.saganich.com" RESULT="ALLOW" REASON="N/A - SESSIONID=_8832d5961146a7d69baafe864b05eac3d5e3bb72bb X-Authorization=admin@oag.okta.com username=admin X-SPGW-KEY=5b626d19e16f4d18ac42ef5d9cc8654a RelayDomain=gw-admin.domain.tld oag_username=admin@domain.tld UserName=admin@<Domain.tld >SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport RemoteIP=10.0.0.110 USER_AGENT=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 "] allow access to resource.

    • 2020-06-24T09:40:55.667-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="_4a3fdbbc52dadda2109e0e789098f9b473d4f68c7e" SUBJECT="user@<Domain.tld>" RESOURCE="/alt" METHOD="GET" POLICY="altroot" POLICY_TYPE="PROTECTED_REGEX" DURATION="0" APP="Sample Header App" APP_TYPE="SAMPLEHEADER_APP" APP_DOMAIN="<App Domain URL>" RESULT="DENY" REASON="Groups=(?!.*Everyone:) - SESSIONID=_4a3fdbbc52dadda2109e0e789098f9b473d4f68c7e RelayDomain=<App Domain URL> static_a=aaaaa static-b=bbbbb staticc=ccccc _staticd=ddddd -statice=eeeee staticcookie=1234 secret=secretvalue spgw_username=<User login name> UserName=<User login name> login=<User login name> firstname=<User first name> lastname=<User last name> email=<User login name> samplecookie<User first name> Groups=Everyone:Group A:Group C:Group E:Group B: SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport RemoteIP=192.168.10.20 USER_AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 creationTime=1507265129865 maxInactiveInterval=3600000 maxActiveInterval=28800000 lastAccessedTime=1507265129865 " REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] deny access to resource

    Structured data:

    • SESSION_ID - Assigned session id.
    • SUBJECT - Requestor.
    • RESOURCE - Requested resource.
    • METHOD - Request method.
    • POLICY - Applied policy.
    • POLICY_TYPE - One of the policy types.
    • DURATION - Duration of the request.
    • APP - Application name.
    • APP_TYPE - Type of the application the session was used against. For example, ADMINUI_APP.
    • APP_DOMAIN - Associated application domain.
    • RESULT - ALLOW or DENY.
    • REASON - Reason why the request was allowed or denied, followed by a variety of other policy-related information such as the session attributes.
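
    The following Python script is an added example and is not part of Access Gateway or of this documentation. It parses lines in the layout shown in the Password and Authentication and Authorization sections (timestamp, hostname, application, sub-process, component and sub-component tokens, log level, event type, bracketed KEY="value" pairs, free-text message), unpacks the session attributes that USER_AUTHZ places inside REASON, and flags the conditions these sections describe: a USER_SESSION denied for INVALID_AUTHCOOKIE (which the page says should be investigated), continued use of the default Admin UI console password, failed logins, denied policy decisions, failed SYSTEM_IDP_STATUS checks, and a PUT to the log-verbosity setting. The sample lines are constructed to follow the formats on this page; hostnames, addresses and session ids are placeholders, and the severity labels are the example's own choice.

```python
"""Triage Okta Access Gateway audit-log lines (added example, not Okta's code).

Line layout, as shown on this page:
  TIMESTAMP HOSTNAME <application sub-process component sub-component ...>
  LOG_LEVEL EVENT_TYPE [KEY="value" ...] message
"""
import re
from typing import Dict, List, Optional, Tuple

LEVELS = "TRACE|DEBUG|INFO|WARN|ERROR|FATAL|ALERT"  # ALERT occurs on SYSTEM_TD_EVENT

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<path>.+?) (?P<level>" + LEVELS + r") "
    r"(?P<event>\S+) \[(?P<sd>[^\]]*)\](?: (?P<msg>.*))?$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')      # structured-data pairs inside [...]
NESTED_KEY_RE = re.compile(r"^[\w.\-]+=")   # key=value tokens packed into REASON


def parse_line(line: str) -> Optional[dict]:
    """Split one audit line into header fields, structured data and message.
    Returns None when the header doesn't follow the common layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split()  # e.g. ['ACCESS_GATEWAY', 'ACCESS', 'AUTHZ', 'SESSION']
    rec["sd"] = {k: v.strip() for k, v in KV_RE.findall(rec["sd"])}
    rec["msg"] = (rec["msg"] or "").strip()
    return rec


def parse_reason(reason: str) -> Dict[str, str]:
    """USER_AUTHZ packs session attributes into REASON as space-separated
    key=value tokens. Values such as USER_AGENT contain spaces, so tokens
    without '=' are appended to the preceding value; the 'N/A -' preamble
    has no key and is skipped."""
    out: Dict[str, str] = {}
    key = None
    for tok in reason.split():
        if NESTED_KEY_RE.match(tok):
            key, _, val = tok.partition("=")
            out[key] = val
        elif key is not None:
            out[key] += " " + tok
    return out


def triage(rec: dict) -> List[Tuple[str, str]]:
    """Return (severity, note) findings for one record; severities are this
    example's own, the conditions are the ones this page calls out."""
    sd, ev, findings = rec["sd"], rec["event"], []
    if ev == "USER_SESSION" and sd.get("REASON") == "INVALID_AUTHCOOKIE":
        findings.append(("high", f"invalid auth cookie presented to {sd.get('APP')} "
                                 f"from {sd.get('REMOTE_IP') or 'unknown IP'}; investigate"))
    if ev == "DEFAULT_PASSWORD_CHECK" and "being used" in rec["msg"]:
        findings.append(("high", "Admin UI console still uses the default password; change it"))
    if ev in ("USER_LOGIN", "USER_AUTHN") and sd.get("RESULT") == "FAIL":
        findings.append(("medium", f"login failed for {sd.get('SUBJECT', '?')}: {sd.get('REASON')}"))
    if ev == "SYSTEM_IDP_STATUS" and sd.get("RESULT") == "FAIL":
        findings.append(("high", f"IDP {sd.get('NAME')} ({sd.get('DOMAIN')}) check failed: {sd.get('REASON')}"))
    if ev == "USER_AUTHZ":
        if sd.get("RESULT") == "DENY":
            findings.append(("low", f"policy {sd.get('POLICY')} denied {sd.get('SUBJECT')} on {sd.get('RESOURCE')}"))
        if sd.get("RESOURCE") == "/api/v1/setting/loglevel" and sd.get("METHOD") == "PUT":
            session = parse_reason(sd.get("REASON", ""))
            findings.append(("info", f"log verbosity changed by {sd.get('SUBJECT')} "
                                     f"(session user {session.get('username', '?')}, client {sd.get('USER_AGENT')})"))
    return findings


def scan(text: str) -> dict:
    """Parse every non-empty line; collect findings and lines that didn't parse."""
    findings, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        for sev, note in triage(rec):
            findings.append((sev, rec["ts"], rec["event"], note))
    return {"findings": findings, "unparsed": unparsed}


# Constructed sample lines in the formats shown on this page (placeholder values).
SAMPLE = """\
2020-06-04T13:53:53.483-05:00 gw.example.com ACCESS_GATEWAY ACCESS AUTHZ SESSION WARN USER_SESSION [SESSION_ID="sess-1" SESSION_AUTH="auth-1" APP="Sample Header App" APP_TYPE="SAMPLEHEADER_APP" APP_DOMAIN="app.example.com" RESULT="DENY" REASON="INVALID_AUTHCOOKIE" REMOTE_IP="203.0.113.7" USER_AGENT="Mozilla/5.0 (X11; Linux x86_64)"] This should be investigated by your security group.
2021-04-28T12:03:53.906-05:00 gw.example.com SCRIPT INFO DEFAULT_PASSWORD_CHECK [USER="spgw"] Default admin password being used.
2020-06-24T10:06:23.000-05:00 gw.example.com ACCESS_GATEWAY WEB_CONSOLE AUTHN LOCAL INFO USER_LOGIN [SESSION_ID="sess-2" SUBJECT="admin" TYPE="LOCAL" RESULT="FAIL" REASON="INVALID_CREDENTIALS" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (X11; Linux x86_64)"] User login failed: admin
2020-08-26T21:24:03.678-05:00 gw.example.com ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="sess-3" SUBJECT="admin@example.com" RESOURCE="/api/v1/setting/loglevel" METHOD="PUT" POLICY="api" POLICY_TYPE="PROTECTED" DURATION="0" APP="Local OAG Admin Console" APP_TYPE="ADMINUI_APP" APP_DOMAIN="gw-admin.example.com" RESULT="ALLOW" REASON="N/A - SESSIONID=sess-3 username=admin RemoteIP=192.0.2.10 USER_AGENT=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0 creationTime=1598494932480 maxInactiveInterval=3600000 lastAccessedTime=1598495024962 " REMOTE_IP="192.0.2.10" USER_AGENT="PostmanRuntime/7.26.3"] allow access to resource
2020-06-24T10:05:56.000-05:00 gw.example.com ACCESS_GATEWAY WEB_CONSOLE - - INFO SYSTEM_STARTUP [] Startup complete, system ready.
2020-06-24T09:45:28.024-05:00 gw.example.com CHECK_HOST checkConnection.sh INFO 10.0.0.1 7001 [USER="admin"] Ncat: Connection refused.
"""

if __name__ == "__main__":
    result = scan(SAMPLE)
    for sev, ts, ev, note in result["findings"]:
        print(f"{sev:6} {ts} {ev}: {note}")
    print(f"{len(result['unparsed'])} line(s) not parsed")
```

    Lines such as the CHECK_HOST example, whose header has a host and port where the event type normally sits, are returned as unparsed rather than silently dropped, so a collector can count them; the SYSTEM_STARTUP line, with its "- -" placeholders and empty bracket, parses to an empty structured-data dictionary and produces no finding.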

    Connectivity and validation

    CHECK_CONNECTION

    Event issued when an application is being added. The <Application Domain> is tested to determine whether it's valid or invalid.

    See also CHECK_HOST.

    Message:

    • Host <Application Domain> not found.

    Example:

    • 2020-06-24T09:41:16.766-05:00 example.myaccessgateway.com CHECK_HOST HOST_IP_CHECK INFO HOST [USER="admin" <Application Domain>] Host <Application Domain> not found

    Structured data:

    • USER - Internal user running the check.
    • <Application Domain> - Application domain used in the application.

    CHECK_HOST

    Event issued immediately after a check connection is performed. Results of the check are noted in the message.

    Message:

    • Ncat: Connection refused.

    Example:

    • 2020-06-24T09:45:28.024-05:00 example.myaccessgateway.com CHECK_HOST checkConnection.sh INFO 10.0.0.1 7001 [USER="admin"] Ncat: Connection refused.
    Structured data:

    • USER - Internal user running the command.

    ACCESS AUTHN - - STORE

    Event issued immediately after a check connection is performed. Results of the check are noted in message.

    Message:

    • Store failed during initialization.

    Example:

    • 2020-06-25T14:18:52.458-05: example.store.com ACCESS_GATEWAY ACCESS AUTHN FAILED WARN STORE [STORE_NAME="Name of datastore - Entry DN" FAILURE_COUNT="3"] Store failed during initialization.

    Structured data:

    • STORE_NAME - Name of the data store, which failed to initialize.
    • FAILURE_COUNT - Number of attempts to access the store.