Access Gateway audit log

Access Gateway audit logs include information on the following events:

  • Admin nomination: Events that occur during the admin renomination process.
  • Application: Application-related activity, such as create, update, delete, activate, or deactivate.
  • Authentication and Authorization: User login, logout, session, and resource authorization (policy) events.
  • Certificate events: Certificate-related event activity.
  • Connectivity and validation: Events between Access Gateway and external resources such as back-end applications, data stores, and similar conditions.
  • Kerberos: Kerberos-related activity, such as create, update, or delete.
  • Log Verbosity: Changes in log verbosity.
  • Password: Password-related events.
  • System status: System-related events, such as system up, system down, identity provider connection status, EBS subsystem up, and others.
  • Trusted Domains: Trusted domain-related activity, such as create, update, delete, or synchronize, and exceptions during trusted domain operations.

Event fields

Each audit log event contains the following fields:

  • TIMESTAMP - Current system date and time.
  • HOSTNAME - Hostname of the node generating the event.
  • APPLICATION - One of:
      • ACCESS_GATEWAY
      • OAG
      • OAG_MONITOR
      • A specific service (for example, check_connection)
  • SUB-PROCESS - One of:
      • ApplicationService
      • ACCESS
      • ADMIN_CONSOLE
      • EBS_SSOAGENT
      • HOST_IP_CHECK
      • MONITOR
      • SCRIPT
      • SERVICE
      • TrustedOriginUpdateScheduler
      • WEB_CONSOLE
      • A specific service (for example, check_connection)
  • COMPONENT - Component of the sub-process, such as:
      • AUTHN
      • AUTHZ
      • CLUSTER MANAGER ADMIN
      • ERROR
      • IDP
      • INFO
      • KRB5
      • LOG_DOWNLOAD_STATUS
      • LOG_PREPARE_OPERATION
      • LOG_PREPARE_STATUS
      • NGINX
      • SYSTEM
      • TRUSTED_DOMAINS
  • SUB-COMPONENT - Sub-component of the process, such as:
      • ALERT
      • EBS_SSOAGENT
      • HOST
      • INFO
      • LOCAL
      • NETCAT
      • NOMINATION
      • POLICY
      • SESSION
      • STARTUP/SHUTDOWN
  • LOG_LEVEL - Log level, one of: TRACE, DEBUG, INFO, WARN, ERROR, or FATAL.
  • EVENT - Event type.
  • STRUCTURED_DATA - Data related to the event that occurred.
  • MESSAGE - Human-readable message.

Admin nomination

Application

SYSTEM_APP_EVENT

Event issued when an application is created, updated, deleted, activated, or deactivated.

Message types:

  • Application: <Application Name> action: CREATE

  • Application: <Application Name> action: UPDATE

  • Application: <Application Name> action: DELETE

  • Application: <Application Name> action: ENABLE

  • Application: <Application Name> action: DISABLE

Examples:

  • 2020-06-24T09:40:36.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="93d2e78a-c6b7-4c27-83c8-15c2b783d3bb" NAME="Sample Header App" TYPE="SAMPLEHEADER_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="CREATE" SESSION_ID="3dKU4yqIlHkcRUeGb9f9Dh6OSgFjHq3hIMVktx7h" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'CREATE'

  • 2020-06-24T09:40:36.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="<Application GUID>" NAME="Sample Header App" TYPE="SAMPLEHEADER_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="UPDATE" SESSION_ID="<Session ID>" SUBJECT="user@<Domain.tld>" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'UPDATE'

  • 2020-06-24T09:40:36.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="<Application GUID>" NAME="Sample Header App" TYPE="SAMPLEHEADER_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="ENABLE" SESSION_ID="<Session ID>" SUBJECT="user@<Domain.tld>" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'ENABLE'

  • 2020-06-24T09:40:36.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="<Application GUID>" NAME="Sample Header App" TYPE="SAMPLEHEADER_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="DISABLE" SESSION_ID="<Session ID>" SUBJECT="user@<Domain.tld>" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'DISABLE'

  • 2020-06-24T09:40:36.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="<Application GUID>" NAME="Sample Header App" TYPE="SAMPLEHEADER_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="DELETE" SESSION_ID="<Session ID>" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'DELETE'

Structured data:

  • GUID - Application identifier
  • NAME - Application name
  • TYPE - Application type
  • DOMAIN - Application domain
  • IDP - IDP of the application
  • IDP_TYPE - Okta or LOCAL
  • REASON - One of CREATE, UPDATE, DELETE, ENABLE, or DISABLE
  • SESSION_ID - Internal session ID created for the user session
  • SUBJECT - User performing the action, usually the admin
  • REMOTE_IP - IP address of the user, if available
  • USER_AGENT - Browser details

Certificate events

Log Verbosity

Events generated when the logging verbosity level is changed. See Manage log verbosity and Logging levels.

Log verbosity change event

Description: An administrator changed the current log verbosity. This event signals the start of the change process.

Messages:

  • Allow access to resource

Examples:

  • 2020-08-26T21:24:03.678-05:00 oag01.okta.com ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="_3fd5e31193bff51983c9f81c8092cc9f23a1339446" SUBJECT="admin@oag.okta.com" RESOURCE="/api/v1/setting/loglevel" METHOD="PUT" POLICY="api" POLICY_TYPE="PROTECTED" DURATION="0" APP="Local OAG Admin Console" APP_TYPE="ADMINUI_APP" APP_DOMAIN="gw-admin.[domain.tld]" RESULT="ALLOW" REASON="N/A - SESSIONID=_3fd5e31193bff51983c9f81c8092cc9f23a1339446 X-Authorization=admin@oag.okta.com username=admin RelayDomain=gw-admin.gateway.info oag_username=admin@oag.okta.com UserName=admin@oag.okta.com SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport RemoteIP=192.168.1.84 USER_AGENT=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:80.0) Gecko/20100101 Firefox/80.0 creationTime=1598494932480 maxInactiveInterval=3600000 maxActiveInterval=28800000 lastAccessedTime=1598495024962 " REMOTE_IP="192.168.1.84" USER_AGENT="PostmanRuntime/7.26.3"] allow access to resource

Structured data:

  • SESSION_ID - Valid or invalid.
  • RESOURCE - Always loglevel.
  • METHOD - Always PUT.
  • POLICY - Always api.
  • POLICY_TYPE - Always PROTECTED.
  • DURATION - Always 0.
  • APP - Always Local OAG Admin Console.
  • APP_TYPE - Always ADMINUI_APP.
  • APP_DOMAIN - Domain where the log verbosity level was changed.
  • RESULT - Always ALLOW.
  • REASON - Not applicable, followed by session information.
  • REMOTE_IP - IP address of the client.
  • USER_AGENT - Always Postman runtime.

Corrective action:

  • None, informational.

Create and communicate a change in log verbosity (available in ics_all.log and via sys loggers)

Events issued when the Access Gateway admin instance generates the change event and communicates it to all high-availability nodes.

Messages:

  • application_template_service
  • application_template_service event for file_with_path:/opt/oag/events/loglevel.local.UPDATE.json
  • application_template_service event for file:loglevel.local.UPDATE.json
  • application_template_service Acquiring lock
  • application_template_service reading JSON from file '/opt/oag/events/loglevel.local.UPDATE.json'
  • application_template_service Local log level set to '[level]', where level is the new log verbosity level.

Examples:

  • 2020-08-26T21:24:03.000-05:00 [DNS name of administration node] application_template_service ['/opt/oag/events/loglevel.local.UPDATE.json']
  • 2020-08-26T21:24:03.000-05:00 oag01.okta.com application_template_service event for file_with_path:/opt/oag/events/loglevel.local.UPDATE.json
  • 2020-08-26T21:24:03.000-05:00 oag01.okta.com application_template_service event for file:loglevel.local.UPDATE.json
  • 2020-08-26T21:24:03.000-05:00 oag01.okta.com application_template_service Acquiring lock
  • 2020-08-26T21:24:03.000-05:00 oag01.okta.com application_template_service reading JSON from file '/opt/oag/events/loglevel.local.UPDATE.json'
  • 2020-08-26T21:24:03.000-05:00 oag01.okta.com application_template_service Local log level set to 'info'

Structured data:

  • None

Corrective action:

  • None, informational.

Restart Syslog (available in ics_all.log and through sys loggers)

Events emitted when Access Gateway has successfully communicated the change in verbosity and is restarting the SYSLOG agent.

Messages:

  • Restart and restart complete.

Examples:

  • 2020-08-26T21:24:04.000-05:00 [DNS name of HA node] OAG syslog-ng: Access-Gateway SYSLOG-NG restart
  • 2020-08-26T21:24:04.000-05:00 oag01.okta.com OAG syslog-ng: Access-Gateway SYSLOG-NG restart completed

Structured data:

  • None

Corrective action:

  • None, informational.

Verbosity update complete (available in ics_all.log and through sys loggers)

Events issued when Access Gateway has completed the change to log verbosity.

Message:

  • Application_template_service loglevel event:update template...

Examples:

  • 2020-08-26T21:24:04.000-05:00 [DNS name of administration node] application_template_service loglevel event:update template for file:loglevel.local.UPDATE.json

Structured data:

  • None

Corrective action:

  • None, informational.
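The verbosity change described above is a multi-node, multi-stage process: each node reports the new level from application_template_service and then restarts syslog-ng, and those lines carry only TIMESTAMP and HOSTNAME before free text, with no bracketed structured data. The following Python is an added example, not Okta's code, that checks whether a change reached every node an operator expects; the node list and the sample lines are constructed for this example, and the message texts it matches are the ones shown on this page.

```python
"""Verify that a log verbosity change reached every Access Gateway node.

Added example, not Okta's code. It reads the lines this page shows for a
verbosity change ("Local log level set to '<level>'" from
application_template_service and the two syslog-ng restart messages), which
have TIMESTAMP and HOSTNAME first but no bracketed structured data.
The expected node list and the sample lines are constructed for this example.
"""
import re

LEVEL_RE = re.compile(r"application_template_service Local log level set to '(\w+)'")


def verbosity_change_status(lines, expected_hosts):
    """Per expected host: the new level seen (or None) and whether the syslog restart started/completed."""
    status = {h: {"level": None, "restart_started": False, "restart_completed": False}
              for h in expected_hosts}
    for line in lines:
        parts = line.split(maxsplit=2)  # TIMESTAMP HOSTNAME rest-of-line
        if len(parts) < 3 or parts[1] not in status:
            continue  # malformed line, or a host we are not tracking
        host, rest = parts[1], parts[2]
        m = LEVEL_RE.search(rest)
        if m:
            status[host]["level"] = m.group(1)
        elif rest.endswith("SYSLOG-NG restart completed"):  # test before the bare "restart"
            status[host]["restart_completed"] = True
        elif rest.endswith("SYSLOG-NG restart"):
            status[host]["restart_started"] = True
    return status


def incomplete_nodes(status):
    """Hosts that never reported the new level or whose syslog restart did not complete."""
    return sorted(h for h, s in status.items()
                  if s["level"] is None or not s["restart_completed"])


EXPECTED_HOSTS = ["oag01.example.com", "oag02.example.com", "oag03.example.com"]  # constructed

SAMPLE_LINES = [  # constructed, following the examples on this page
    "2020-08-26T21:24:03.000-05:00 oag01.example.com application_template_service Acquiring lock",
    "2020-08-26T21:24:03.000-05:00 oag01.example.com application_template_service reading JSON from file '/opt/oag/events/loglevel.local.UPDATE.json'",
    "2020-08-26T21:24:03.000-05:00 oag01.example.com application_template_service Local log level set to 'debug'",
    "2020-08-26T21:24:04.000-05:00 oag01.example.com OAG syslog-ng: Access-Gateway SYSLOG-NG restart",
    "2020-08-26T21:24:04.000-05:00 oag01.example.com OAG syslog-ng: Access-Gateway SYSLOG-NG restart completed",
    "2020-08-26T21:24:04.000-05:00 oag02.example.com application_template_service Local log level set to 'debug'",
    "2020-08-26T21:24:05.000-05:00 oag02.example.com OAG syslog-ng: Access-Gateway SYSLOG-NG restart",
    # oag03 is expected but logged nothing; oag99 is not an expected node
    "2020-08-26T21:24:05.000-05:00 oag99.example.com application_template_service Local log level set to 'debug'",
]

if __name__ == "__main__":
    result = verbosity_change_status(SAMPLE_LINES, EXPECTED_HOSTS)
    for host, s in result.items():
        print(host, s)
    print("incomplete:", incomplete_nodes(result))
```

With the constructed input, oag01 completes, oag02 started its syslog-ng restart but never logged completion, and oag03 logged nothing, so both of the latter are reported as incomplete; a node that is still logging at the old verbosity after a change is the practical symptom this check is meant to catch.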
Password

    Events logged when changing passwords.

    Access Gateway Admin UI console

    Reset password

    Description: Access Gateway Admin UI console password successfully changed.

    Messages:

    • Password updated successfully

    Examples:

    • 2021-04-28T12:04:16.000-05:00 oag.adminX.com ACCESS_GATEWAY WEB_CONSOLE Admin password updated successfully.

    Structured data:

    • None

    Corrective action:

    • N/A

    Attempt to reuse default password

    Description: An attempt was made to set the Access Gateway Admin UI console password to the original default value.

    Messages:

    • Password reset failed. Default password was entered.

    Examples:

    • 2021-04-28T12:00:14.451-05:00 oag.adminX.com WEB_CONSOLE PASSWORD_RESET WEB_CONSOLE ERROR PASSWORD_RESET [USER="oag-mgmt"] Password reset failed. Default password was entered.

    Structured data:

    • USER - User performing login.

    Corrective action:

    • Enter a new password that doesn't match the original default password.

    Default password during login

    Description: During an Access Gateway Admin UI console login attempt, the default password was detected.

    Messages:

    • Default admin password being used.

    Examples:

    • 2021-04-28T12:03:53.906-05:00 oag.adminX.com SCRIPT INFO DEFAULT_PASSWORD_CHECK [USER="spgw"] Default admin password being used.

    Structured data:

    • USER - User performing login.

    Corrective action:

    • N/A

    Non-default password during login

    Description: During an Access Gateway Admin UI console login attempt, the default password wasn't detected.

    Messages:

    • Default admin password not detected.

    Examples:

    • 2021-04-28T12:04:19.319-05:00 oag.okta.com SCRIPT INFO DEFAULT_PASSWORD_CHECK [USER="spgw"] Default admin password not detected.

    Structured data:

    • USER - User performing login.

    Corrective action:

    • N/A

    Access Gateway Management console

    Reset password

    Description: Access Gateway Management console password successfully changed.

    Messages:

    • Password reset successful

    Examples:

    • 2021-02-23T12:55:29.267-06:00 oag.adminX.com ADMIN_CONSOLE PASSWORD_RESET ADMIN_CONSOLE INFO PASSWORD_RESET [USER="oag-mgmt" USERNAME="oag-mgmt"] Password reset

    Structured data:

    • USER - User performing nomination actions, always oag-mgmt
    • USERNAME - Always oag-mgmt

    Corrective action:

    • N/A

    Reset failed

    Description: Attempt to change Access Gateway Management console password failed.

    Messages:

    • Password reset failed.
    • Password reset failed. Password did not meet minimum requirement.

    Examples:

    • 2021-02-22T19:33:51.702-06:00 oag.adminX.com ADMIN_CONSOLE PASSWORD_RESET ADMIN_CONSOLE ERROR PASSWORD_RESET [USER="oag-mgmt" USERNAME="oag-mgmt"] Password reset failed

    Structured data:

    • USER - User performing nomination actions, always oag-mgmt
    • USERNAME - Always oag-mgmt

    Corrective action:

    • The password likely failed the minimum requirements; try again.

    Invalid password entered

    Description: Login failed because an incorrect Access Gateway Management console password was entered.

    Messages:

    • Incorrect password entered

    Examples:

    • 2021-02-22T19:33:19.903-06:00 oag.adminX.com ADMIN_CONSOLE PASSWORD_RESET ADMIN_CONSOLE ERROR PASSWORD_RESET [USER="oag-mgmt" USERNAME="oag-mgmt"] Incorrect password entered

    Structured data:

    • USER - User performing nomination actions, always oag-mgmt
    • USERNAME - Always oag-mgmt

    Corrective action:

    • Re-enter the Access Gateway Management console password and try again.

System status

    CONFIG_TEST

    Event issued when NGINX has completed its configuration check successfully.

    Message:

    • nginx: The configuration file /tmp/nginx/nginx.conf syntax is ok. nginx: configuration file /tmp/nginx/nginx.conf test is successful.

    Example:

    • 2020-06-24T05:40:25.786-05:00 example.myaccessgateway.com OAG_MONITOR MONITOR NGINX INFO CONFIG_TEST [STATUS="VALID" UUID="<ID>"] nginx: the configuration file /tmp/nginx/nginx.conf syntax is ok nginx: configuration file /tmp/nginx/nginx.conf test is successful.

    Structured data:

    • STATUS - Valid or invalid.
    • UUID - UUID of configuration.

    SYSTEM_STARTUP

    Event issued when system startup has completed.

    Message:

    • Startup complete, system ready.

    Example:

    • 2020-06-24T10:05:56.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE - - INFO SYSTEM_STARTUP [] Startup complete, system ready.

    Structured data:

    • None.

    SHUTDOWN

    Event issued when system shutdown has begun.

    Message:

    • Shutting down system.

    Example:

    • 2020-06-24T08:31:25.729-05:00 example.myaccessgateway.com OAG ADMIN_CONSOLE SYSTEM SHUTDOWN INFO SHUTDOWN [USER="oag-mgmt"] Shutting down system.

    Structured data:

    • USER - User who performed the action.

    SYSTEM_IDP_STATUS

    Event issued when:

    • Access Gateway successfully connects with a configured identity provider.

    • Access Gateway can't connect with a configured identity provider.

    • An Access Gateway API token is invalid or expired.

    Messages:

    • Success confirming IDP status with: org.okta[preview].com.

    • Failure confirming connectivity with IDP: <IDP URL>. Please verify your network configuration.

    • Failure validating security token with IDP: <IDP Domain>. Please ensure that the token exists and is enabled.

    Examples:

    • Success: 2020-06-24T04:00:01.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS [NAME="MyIDP" DOMAIN="someorg.oktapreview.com" TYPE="IDP_OKTA" RESULT="PASS" REASON="VALID"] Success confirming IDP status with: someorg.oktapreview.com.

    • Network connectivity error: 2020-06-24T04:00:01.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS [NAME="<IDP Name> IDP" DOMAIN="<IDP URL>" TYPE="<Identity Provider type>" RESULT="FAIL" REASON="INVALID_NETWORK_CONN"] Failure confirming connectivity with IDP: <IDP URL>. Please verify your network configuration.

    • Invalid API token: 2020-06-24T04:00:01.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS [NAME="<IDP Name> IDP" DOMAIN="<IDP URL>" TYPE="<Identity Provider type>" RESULT="FAIL" REASON="INVALID_NETWORK_CONN"] Failure validating security token with IDP: <IDP Domain>. Please validate token exists and is enabled.

    Structured data:

    • NAME - Name of IDP.
    • DOMAIN - Associated domain.
    • TYPE - Type of IDP. IDP_OKTA or LOCAL.
    • RESULT - PASS or FAIL.
    • REASON - VALID, or the reason for failure.

Trusted Domains

    SYSTEM_TD_EVENT

    Messages:

    • source_app_guid: "<guid>", source_app_name="<name of source app>", source_app_domain: "<source domain of application>".
    • exception 'exception data' occurred.

    Examples:

    • When events are published:

      2020-07-15T04:46:38.000-04:00 localhost ACCESS_GATEWAY WEB_CONSOLE TRUSTED_DOMAINS - INFO SYSTEM_TD_EVENT [ SOURCE="APP" ACTION="UPDATE" ] source_app_guid: "61602a9d. . . ", source_app_name="Wikipedia SSO App", source_app_domain: "www.wikipedia.com"
    • When errors occur:

      2020-07-15T04:46:38.000-04:00 localhost ACCESS_GATEWAY WEB_CONSOLE TRUSTED_DOMAINS ALERT SYSTEM_TD_EVENT [ SOURCE="APP" ACTION="UPDATE" ] Exception when disable/enable trusted domains: [Errno 13] Permission denied: '/opt/oag/events/trusteddomains.DISABLE.json'.
    • When events are synchronized with an Okta tenant:

      2020-07-15T04:46:38.000-04:00 localhost ACCESS_GATEWAY WEB_CONSOLE TRUSTED_DOMAINS - INFO SYSTEM_TD_EVENT [ SOURCE="OKTA_TRUSTED_ORIGIN" ACTION="SYNC" ]
    Structured data:

    • SOURCE - APP or OKTA_TRUSTED_ORIGIN.
    • ACTION - One of CREATE, UPDATE, DELETE, or SYNC, indicating that a trusted domain was added, updated, removed, or synchronized.

    Note: Severity can be ALERT, INFO, or WARN.

Kerberos

    SYSTEM_KRB5_EVENT

    Event issued when an action is performed on a Kerberos realm such as create, update, delete, activate, or deactivate.

    Messages:

    • Kerberos Realm: <Kerberos Realm> action: CREATE
    • Kerberos Realm: <Kerberos Realm> action: UPDATE
    • Kerberos Realm: <Kerberos Realm> action: DELETE

    Examples:

    • 2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE KRB5 - INFO SYSTEM_KRB5_EVENT [REALM="<Kerberos Realm>" REASON="CREATE" SESSION_ID="<Session ID>" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Kerberos Realm: '<Kerberos Realm>' action: 'CREATE'

    • 2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE KRB5 - INFO SYSTEM_KRB5_EVENT [REALM="<Kerberos Realm>" REASON="UPDATE" SESSION_ID="<Session ID>" SUBJECT="user@<Domain.tld>" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Kerberos Realm: '<Kerberos Realm>' action: 'UPDATE'

    • 2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE KRB5 - INFO SYSTEM_KRB5_EVENT [REALM="<Kerberos Realm>" REASON="DELETE" SESSION_ID="<Session ID>" SUBJECT="user@<Domain.tld>" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Kerberos Realm: '<Kerberos Realm>' action: 'DELETE'

    Structured data:

    • REALM - Associated Kerberos realm.
    • REASON - CREATE, UPDATE, or DELETE.
    • SESSION_ID - Associated local session ID.
    • SUBJECT - User performing the action, usually the admin.
    • REMOTE_IP - Remote IP, if available.
    • USER_AGENT - Remote operating system, browser, and so on.

Authentication and Authorization

    USER_LOGIN

    Event issued when a user attempts to log in. The event's RESULT shows success or failure.

    Messages:

    • User login success: [user]
    • User login failed: [user]
    • Received an assertion that has expired. Check clock synchronization on IDP and SP.

    Examples:

    • 2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE AUTHN LOCAL INFO USER_LOGIN [SESSION_ID="<Session ID>" SUBJECT="<User login name>" TYPE="LOCAL" RESULT="PASS" REASON="VALID_CREDENTIALS" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"] User login success: user@<domain.tld>

    • 2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE AUTHN LOCAL INFO USER_LOGIN [SESSION_ID="<Session ID>" SUBJECT="<User login name>" TYPE="LOCAL" RESULT="FAIL" REASON="INVALID_CREDENTIALS" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"] User login failed: user@<domain.tld>

    • 2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHN SAML INFO USER_AUTHN [SESSION_ID="<Session ID>" SESSION_AUTH="<Session AUTH Information>" SUBJECT="<User login name>" TYPE="SAML_2_0" SOURCE="IDP Source URL" SOURCE_TYPE="<Identity Provider type>" SOURCE_DOMAIN="<IDP URL>" SOURCE_AUTHN_TYPE="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" APP="Sample Header App" APP_DOMAIN="<App Domain URL>" RESULT="PASS" REASON="Valid SAML Assertion" REMOTE_IP="192.168.10.20" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] User login: user@<domain.tld>

    • 2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHN SAML ERROR USER_AUTHN [TYPE="SAML_2_0" TRACKER_ID="<Tracking ID>" SOURCE="https://<IDP URL>/app/template_saml_2_0/exkckwwaxvY3crKhn0h7/sso/saml" RESULT="FAIL" REASON="Invalid SAML Assertion" REMOTE_IP="192.168.10.192" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36"] Received an assertion that has expired. Check clock synchronization on IdP and SP.

    Structured data:

    • SESSION_ID - Local session ID.
    • SUBJECT - Subject identifier, for example an email address.
    • TYPE - SAML or the authentication module involved.
    • RESULT - PASS or FAIL.
    • REASON - Valid credentials, or the reason for failure.
    • REMOTE_IP - Remote IP, if available.
    • USER_AGENT - Remote operating system, browser, and so on.

    USER_SESSION

    Event issued when a session is requested.

    Message:

    • No session cookie. Sending to handler.

    • Upgraded auth cookie. App session created.

    • This should be investigated by your security group.

    Example:

    • 2020-06-04T13:53:53.483-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHZ SESSION INFO USER_SESSION [SESSION_ID="<Session ID>" APP="Local OAG Admin Console" APP_TYPE="ADMINUI_APP" APP_DOMAIN="<Application Domain>" RESULT="DENY" REASON="NOT_EXIST" REMOTE_IP="10.63.182.118" USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"] No session cookie. Sending to handler.
    • 2020-06-04T13:53:53.483-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHZ SESSION INFO USER_SESSION [SESSION_ID="<Session ID>" SESSION_AUTH="<Session Auth ID>" SESSION_APP="e701ddf534554eab8ea671e884438b99" SUBJECT="<User login name>" APP="Sample Header App" APP_TYPE="SAMPLEHEADER_APP" APP_DOMAIN="<App Domain URL>" RESULT="ALLOW" REASON="VALID_AUTHCOOKIE" REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Upgraded auth cookie. App session created.
    • 2020-06-04T13:53:53.483-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHZ SESSION WARN USER_SESSION [SESSION_ID="<Session ID>" SESSION_AUTH="<Session Auth ID>" APP="Sample Header App" APP_TYPE="SAMPLEHEADER_APP" APP_DOMAIN="<App Domain URL>" RESULT="DENY" REASON="INVALID_AUTHCOOKIE" REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] This should be investigated by your security group.

    Structured data:

    • SESSION_ID - Assigned session ID, if it exists.
    • APP - Application name.
    • APP_TYPE - Type of the application the session was used against.
    • APP_DOMAIN - Associated application domain.
    • RESULT - ALLOW or DENY.
    • REASON - Reason why the request was allowed or denied.
    • REMOTE_IP - Remote IP from which the user attempted to log in.
    • USER_AGENT - Remote operating system, browser, and so on.

    USER_LOGOUT

    Event issued when a user logs out.

    Message:

    • User logout success: user@<Application Domain>.

    Example:

    • 2020-06-04T13:53:59.986-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHN SESSION INFO USER_LOGOUT [SESSION_ID="<Session ID>" SUBJECT="user@<Application Domain.tld>" APP="Local OAG Admin Console" APP_TYPE="ADMINUI_APP" APP_DOMAIN="<Application Domain>" RESULT="PASS" REASON="VALID_SESSION" REMOTE_IP="10.63.182.118" USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"] User logout success: user@<Application Domain.tld>.

    Structured data:

    • SESSION_ID - Assigned session ID.
    • APP - Application name.
    • APP_TYPE - Type of the application the session was used against. For example, ADMINUI_APP.
    • APP_DOMAIN - Associated application domain.
    • RESULT - ALLOW or DENY.
    • REASON - Reason why the request was allowed or denied.
    • REMOTE_IP - Remote IP from which the user attempted to log in.
    • USER_AGENT - Remote operating system, browser, and so on.

    POLICY

    Event issued when a user attempts to access a resource.

    Message:

    • Allow access to resource.

    • Deny access to resource.

    Example:

    • 2020-06-24T09:40:55.667-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="_8832d5961146a7d69baafe864b05eac3d5e3bb72bb" SUBJECT="admin@<Domain.tld>" RESOURCE="/" METHOD="GET" POLICY="root" POLICY_TYPE="PROTECTED" DURATION="0" APP="Local OAG Admin Console" APP_TYPE="ADMINUI_APP" APP_DOMAIN="gw-admin.saganich.com" RESULT="ALLOW" REASON="N/A - SESSIONID=_8832d5961146a7d69baafe864b05eac3d5e3bb72bb X-Authorization=admin@oag.okta.com username=admin X-SPGW-KEY=5b626d19e16f4d18ac42ef5d9cc8654a RelayDomain=gw-admin.domain.tld oag_username=admin@domain.tld UserName=admin@<Domain.tld> SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport RemoteIP=10.0.0.110 USER_AGENT=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"] allow access to resource.

    • 2020-06-24T09:40:55.667-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="_4a3fdbbc52dadda2109e0e789098f9b473d4f68c7e" SUBJECT="user@<Domain.tld>" RESOURCE="/alt" METHOD="GET" POLICY="altroot" POLICY_TYPE="PROTECTED_REGEX" DURATION="0" APP="Sample Header App" APP_TYPE="SAMPLEHEADER_APP" APP_DOMAIN="<App Domain URL>" RESULT="DENY" REASON="Groups=(?!.*Everyone:) - SESSIONID=_4a3fdbbc52dadda2109e0e789098f9b473d4f68c7e RelayDomain=<App Domain URL> static_a=aaaaa static-b=bbbbb staticc=ccccc _staticd=ddddd -statice=eeeee staticcookie=1234 secret=secretvalue spgw_username=<User login name> UserName=<User login name> login=<User login name> firstname=<User first name> lastname=<User last name> email=<User login name> samplecookie<User first name> Groups=Everyone:Group A:Group C:Group E:Group B: SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport RemoteIP=192.168.10.20 USER_AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 creationTime=1507265129865 maxInactiveInterval=3600000 maxActiveInterval=28800000 lastAccessedTime=1507265129865 " REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] deny access to resource

    Structured data:

    • SESSION_ID - Assigned session ID.
    • SUBJECT - Requestor.
    • RESOURCE - Requested resource.
    • METHOD - Request method.
    • POLICY - Applied policy.
    • POLICY_TYPE - One of the policy types.
    • DURATION - Duration of the request.
    • APP - Application name.
    • APP_TYPE - Type of the application the session was used against. For example, ADMINUI_APP.
    • APP_DOMAIN - Associated application domain.
    • RESULT - ALLOW or DENY.
    • REASON - Reason why the request was allowed or denied, followed by a variety of other policy-related information.
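The events in this section (USER_LOGIN, USER_SESSION, USER_LOGOUT, USER_AUTHZ), together with SYSTEM_IDP_STATUS and DEFAULT_PASSWORD_CHECK earlier on this page, are the ones most often shipped to a SIEM, and all of them share the layout given in the Event fields table. The following Python is an added example, not Okta's code: it parses that layout (TIMESTAMP, HOSTNAME, the APPLICATION/SUB-PROCESS/COMPONENT/SUB-COMPONENT path with `-` for an absent field, LOG_LEVEL, EVENT, the bracketed KEY="value" structured data, and the message) and applies a handful of review rules over it. The sample lines, the rule names, and the three-failures threshold are constructed for this example; ALERT is accepted as a level only because the Trusted Domains note says severity can be ALERT.

```python
"""Parse Access Gateway audit log lines and flag events worth reviewing.

Added example, not Okta's code. The line layout follows the Event fields
table and the examples on this page:
  TIMESTAMP HOSTNAME <APPLICATION SUB-PROCESS COMPONENT SUB-COMPONENT> LOG_LEVEL EVENT [KEY="value" ...] MESSAGE
where an absent path field appears as '-'. The sample lines, rule names and
failed-login threshold below are constructed for this example.
"""
import re
from collections import Counter

# LOG_LEVEL values from the Event fields table, plus ALERT, which the
# Trusted Domains note says can appear as a severity.
LEVELS = "TRACE|DEBUG|INFO|WARN|ERROR|FATAL|ALERT"

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<path>.*?)\s+(?P<level>' + LEVELS + r')\s+'
    r'(?P<event>\S+)\s+\[(?P<sd>(?:\s*\w+="[^"]*")*\s*)\]\s*(?P<msg>.*)$'
)
PAIR_RE = re.compile(r'(\w+)="([^"]*)"')

FAILED_LOGIN_THRESHOLD = 3  # constructed for this example


def parse_line(line):
    """Return a dict for a line in the structured format, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split()            # APPLICATION, SUB-PROCESS, COMPONENT, SUB-COMPONENT
    rec["sd"] = dict(PAIR_RE.findall(rec["sd"]))  # KEY="value" pairs inside the brackets
    return rec


def audit(lines):
    """Run the review rules; returns (rule, who_or_what, timestamp) tuples in log order."""
    findings = []
    failures = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # e.g. the unbracketed "Admin password updated successfully" line
        ev, sd = rec["event"], rec["sd"]
        if ev == "USER_LOGIN" and sd.get("RESULT") == "FAIL":
            subject = sd.get("SUBJECT", "?")
            failures[subject] += 1
            if failures[subject] == FAILED_LOGIN_THRESHOLD:
                findings.append(("repeated_failed_logins", subject, rec["ts"]))
        elif ev == "USER_SESSION" and sd.get("REASON") == "INVALID_AUTHCOOKIE":
            # The page says this WARN should be investigated by your security group.
            findings.append(("invalid_auth_cookie", sd.get("APP", "?"), rec["ts"]))
        elif ev == "DEFAULT_PASSWORD_CHECK" and rec["msg"].startswith("Default admin password being used"):
            findings.append(("default_admin_password", rec["host"], rec["ts"]))
        elif ev == "SYSTEM_IDP_STATUS" and sd.get("RESULT") == "FAIL":
            findings.append(("idp_" + sd.get("REASON", "fail").lower(), sd.get("DOMAIN", "?"), rec["ts"]))
        elif ev == "USER_AUTHZ" and sd.get("METHOD") == "PUT" and sd.get("RESOURCE") == "/api/v1/setting/loglevel":
            # A verbosity change alters what is logged afterwards, so record who made it.
            findings.append(("log_verbosity_changed", sd.get("SUBJECT", "?"), rec["ts"]))
    return findings


def _login_line(ts, subject, result, reason):
    """Build a constructed USER_LOGIN line in the layout of the examples on this page."""
    return (f'{ts} gw.example.com ACCESS_GATEWAY WEB_CONSOLE AUTHN LOCAL INFO USER_LOGIN '
            f'[SESSION_ID="s1" SUBJECT="{subject}" TYPE="LOCAL" RESULT="{result}" REASON="{reason}" '
            f'REMOTE_IP="198.51.100.7" USER_AGENT="Mozilla/5.0 (X11; Linux x86_64)"] '
            f'User login {"success" if result == "PASS" else "failed"}: {subject}')


SAMPLE_LINES = [  # constructed; same layout as the examples on this page
    _login_line("2020-06-24T10:06:21.000-05:00", "alice@example.com", "FAIL", "INVALID_CREDENTIALS"),
    _login_line("2020-06-24T10:06:22.000-05:00", "alice@example.com", "FAIL", "INVALID_CREDENTIALS"),
    _login_line("2020-06-24T10:06:23.000-05:00", "alice@example.com", "FAIL", "INVALID_CREDENTIALS"),
    _login_line("2020-06-24T10:06:30.000-05:00", "bob@example.com", "PASS", "VALID_CREDENTIALS"),
    '2020-06-24T10:07:00.000-05:00 gw.example.com ACCESS_GATEWAY ACCESS AUTHZ SESSION WARN USER_SESSION '
    '[SESSION_ID="s2" SESSION_AUTH="a2" APP="Sample Header App" APP_TYPE="SAMPLEHEADER_APP" '
    'APP_DOMAIN="app.example.com" RESULT="DENY" REASON="INVALID_AUTHCOOKIE" REMOTE_IP="" '
    'USER_AGENT="Mozilla/5.0"] This should be investigated by your security group.',
    '2021-04-28T12:03:53.906-05:00 gw.example.com SCRIPT INFO DEFAULT_PASSWORD_CHECK [USER="spgw"] '
    'Default admin password being used.',
    '2020-06-24T04:00:01.000-05:00 gw.example.com ACCESS_GATEWAY WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS '
    '[NAME="MyIDP" DOMAIN="example.oktapreview.com" TYPE="IDP_OKTA" RESULT="FAIL" REASON="INVALID_NETWORK_CONN"] '
    'Failure confirming connectivity with IDP: example.oktapreview.com. Please verify your network configuration.',
    '2020-08-26T21:24:03.678-05:00 gw.example.com ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ '
    '[SESSION_ID="s3" SUBJECT="admin@example.com" RESOURCE="/api/v1/setting/loglevel" METHOD="PUT" '
    'POLICY="api" POLICY_TYPE="PROTECTED" DURATION="0" APP="Local OAG Admin Console" APP_TYPE="ADMINUI_APP" '
    'APP_DOMAIN="gw-admin.example.com" RESULT="ALLOW" REASON="N/A" REMOTE_IP="192.0.2.10" '
    'USER_AGENT="PostmanRuntime/7.26.3"] allow access to resource',
    '2020-06-24T10:05:56.000-05:00 gw.example.com ACCESS_GATEWAY WEB_CONSOLE - - INFO SYSTEM_STARTUP [] '
    'Startup complete, system ready.',
    '2021-04-28T12:04:16.000-05:00 gw.example.com ACCESS_GATEWAY WEB_CONSOLE Admin password updated successfully.',
]

if __name__ == "__main__":
    for rule, who, ts in audit(SAMPLE_LINES):
        print(f"{ts} {rule}: {who}")
```

The parser locates LOG_LEVEL by the token that immediately precedes EVENT and the opening bracket, so lines whose path has fewer than four fields (such as the SCRIPT line for DEFAULT_PASSWORD_CHECK, or OAG_MONITOR MONITOR NGINX for CONFIG_TEST) still parse, and a component literally named INFO or ERROR is not mistaken for the level. Lines without the bracketed structured data, such as the plain "Admin password updated successfully" message, are skipped rather than guessed at.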

Connectivity and validation

    CHECK_CONNECTION

    Event issued when an application is being added; <Application Domain> is tested to determine whether it is valid or invalid.

    See also CHECK_HOST.

    Message:

    • Host <Application Domain> not found.

    Example:

    • 2020-06-24T09:41:16.766-05:00 example.myaccessgateway.com CHECK_HOST HOST_IP_CHECK INFO HOST [USER="admin" <Application Domain>] Host <Application Domain> not found

    Structured data:

    • USER - Internal user running the check.
    • The application domain used in the application.

    CHECK_HOST

    Event issued immediately after a check connection is performed. Results of the check are noted in the message.

    Message:

    • Ncat: Connection refused.

    Example:

    • 2020-06-24T09:45:28.024-05:00 example.myaccessgateway.com CHECK_HOST checkConnection.sh INFO 10.0.0.1 7001 [USER="admin"] Ncat: Connection refused.
    Structured data:

    • USER - Internal user running the command.

    ACCESS AUTHN - - STORE

    Event issued immediately after a check connection is performed. Results of the check are noted in message.

    Message:

    • Store failed during initialization.

    Example:

    • 2020-06-25T14:18:52.458-05:00 example.store.com ACCESS_GATEWAY ACCESS AUTHN FAILED WARN STORE [STORE_NAME="Name of datastore - Entry DN" FAILURE_COUNT="3"] Store failed during initialization.

    Structured data:

    • STORE_NAME - Name of the data store that failed to initialize.
    • FAILURE_COUNT - Number of attempts to access the store.