Logging in Safewhere Identify
Introduction
Safewhere Identify supports extensive logging for monitoring, reporting and debugging needs. You can find all settings related to logging on the Logging page:
Types of logs
| Name | Abbreviation | Description |
|---|---|---|
| System log | SYS | Contains all warnings, errors and debug logs. As you can see in examples below, all the new log types have richer information than the legacy audit log. |
| Audit log | N/A | Audit log is stored in the IdentifyAudit SQL database. Identify has supported this log type for many versions. This log type includes: - All changes made to Identify’s data models, e.g. User, Connection. - Content of SAML 2.0 and WSFed messages (aka user requests). - Token issuances. |
| Security log | SEC | Security log contains data about: - SAML 2.0 messages. - Validation results for certificates which are used by those messages. - We will support security log for other plugins in 5.1. A plus point of security log is that SAML 2.0 messages are logged in plain text even if original messages are encrypted. |
| Billing log | BILL | Collects information relevant to settle billing requirements such as where a request comes from, where it is sent to, its size, and time used to process it. |
| Revision log | REV | Collects information about how the system is used: - When REST API is called. - Create/Update/Delete resources via Admin UI - User requests |
Logging settings in Safewhere Identify
You can find all the settings related to logging on the Logging page.
Log targets
Log targets specify where log data is written to. Supported options are Text file, Windows event log, Serilog sinks (either to the Audit database by default, which can be SQL database, MongoDB, or CosmosDB, or a custom sink), Application Insights and Message bus.
The default folder for logging when Text file is used is C:\Program Files\Safewhere\Identify\Tenants\your_tenant\Logs. You can change the log folder by editing it in the web.config files.
Log retention
When you choose to store logs in SQL database, the log retention settings specify how long you want to keep logs and at what time of a day that a background job can run to clean up old data. When you choose to store logs in Application Insights or MongoDB/CosmosDB, those storage technologies are responsible for handling log retention.
Log levels
- Log Level - Runtime: specify the level of system log for Identify Runtime. Supported value are Verbose, Information, Error or Off. Recommended setting for production: Information. When you do not need this log type, Error should be used.
- Log Level - Admin: specify the level of system log for Identify Admin. Supported value are Verbose, Information, Error or Off. Recommended setting for production: Information. When you do not need this log type, Error should be used.
Enable logging features
The Logging features section allows you to control what log types that Identify needs to log:
- Audit: control whether Identify should do legacy audit log. Recommended setting for production: checked, when your installation requires that audit data must be added to the SQL database.
- Security: control whether Identify should do security log. Recommended setting for production: checked.
- Billing: control whether Identify should do billing log. Recommended setting for production: unchecked. Billing log is mostly useful for performance monitoring.
- Revision: control whether Identify should do revision log. Recommended setting for production: checked.
- Analysis: control whether Identify should do analysis log. Recommended setting for production: unchecked.
Log event filtering
Even when you enable all log types, you may not be interested in all log events. For example, you may want to log content of SAML assertions returned from an identity providers but you do not need to log content of AuthnRequest. In that case, you can use the Log event filtering feature to control what events to log:
User requests
You can select where to log User requests using the following options:
- Log user requests to database store: check to enable user requests logs written to database. Recommended setting for production: it depends on whether your installation needs this type of log and where you want to log to.
- Log user requests to Windows Event log: check to enable user requests logs written to Windows Security event. Recommended setting for production: it depends on whether your installation needs this type of log and where you want to log to.
- Log user requests to the "Log target" as specified in the setting below: check to enable user requests logs written to store which is specified by the Log Target setting below. Recommended setting for production: it depends on whether your installation needs this type of log and where you want to log to.
Service interfaces
The following settings control how logging and error response work for Identify's service interfaces:
- Enable WCF tracing log - Runtime: check to enable WCF logging for Identify Runtime activities. Recommended setting for production: unchecked
- Enable WCF tracing log - Admin: check to enable WCF logging for Identify Admin activities. Recommended setting for production: unchecked
- Enable REST APIs verbose error to client side: check to enable including verbose error in message sent back to REST client in case error occurs. Recommended setting for production: unchecked
- Enable Identify*STS verbose error to client side: returns verbose error messages for unhandled errors, mostly errors happening when Identify is verifying access tokens. Recommended setting for production: unchecked
Log examples
Each log entry is in json format.
System log
{
"Type": "SYS",
"RequestId": "7ade7586-a490-4fba-ae92-071cad868b26",
"BuildNumber": "1.0.0.0",
"System": "RUNTIME",
"Component": "Passive",
"EventId": "9900",
"LogId": "aedd791f-99f1-4991-93bf-c77ba96e1b88",
"Timestamp": "10/20/2021 10:25:37 AM",
"IPAddress": "127.0.0.1",
"MachineName": "DEVBOX",
"UserId": "00000000-0000-0000-0000-000000000000",
"LogLevel": "INFO",
"LogMessage": "The authorization response was successfully returned to https://contextid.safewhere.local/adminv2/signin-oidc using the form post response mode."
}
| Name | Description |
|---|---|
| Type | Log type, value must be SYS |
| RequestId | Unique ID dynamically generated for every event |
| BuildNumber | Build number of the running Identify instance |
| System | Value must be RUNTIME, ADMIN, or SERVICE |
| EventId | Every log event has a unique event id. |
| Timestamp | Time event occurs |
| IPAddress | IP of the machine initiates the request |
| MachineName | Name of the machine initiates the request |
| UserId | Unique ID of the user that produced the request |
| LogLevel | Severity level, eligible values are DEBUG, INFO, WARNING, ERROR |
| LogMessage | More detail information about the event |
Notice that, for every incoming web request, Identify logs an event with ID 8010 that contains request's parameters.
{
"Type": "SYS",
"RequestId": "0bda0dd6-1bd6-48e4-a2c5-e37cb9c4ffb6",
"BuildNumber": "1.0.0.0",
"System": "RUNTIME",
"EventId": "8010",
"LogId": "c1b6dfc5-1f8a-412d-b47c-f6db91bf59d6",
"Timestamp": "10/20/2021 10:24:00 AM",
"IPAddress": "127.0.0.1",
"MachineName": "DEVBOX",
"UserId": "00000000-0000-0000-0000-000000000000",
"LogLevel": "INFO",
"HttpRequestParameters": {
"QueryString": {
"ici_ci": "CfDJ8DKO30I_...",
"authNConnectionId": "d8f18c3b-e14a-4e34-957e-ee8f3125bf13",
"remember": "unspecified"
},
"Path": "/runtime/saml2auth/signon.idp",
"Referrer": "https://something.safewhere.local/runtime/saml2/issue.idp?SAMLRequest=...",
"Method": "GET"
}
}
| Name | Description |
|---|---|
| HttpRequestParameters | The HTTP request parameters, consist of QueryString, Path, Method, and Forms parameters |
Security log (SEC)
SAML request message received from Service Provider
{
"Type": "SEC",
"RequestId": "4d50e003-a55f-49e5-ae87-e68f2fab1691",
"BuildNumber": "5.18.0.1",
"System": "RUNTIME",
"Component": "Passive",
"EventId": "5518",
"LogId": "ddd0657b-d041-4ff2-afb0-933773b54f45",
"Timestamp": "10/9/2024 7:44:15 AM",
"IPAddress": "127.0.0.1",
"MachineName": "WebServerHostName",
"UserId": "(unknown)",
"LogLevel": "INFO",
"Action": "",
"Source": "https://example-saml2.safewhere.local/",
"Destination": "https://example.safewhere.local/runtime/saml2/issue.idp",
"LogMessage": {
"SAMLRequest": "lZJRa4MwFIX/Ssh7NYkWM...mJZv1f1DQ==",
"SigAlg": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
"Signature": "OWZ19p0JA2FkUD2gy0ojs...t8tVdjFia",
"ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
}
}
| Name | Description |
|---|---|
| Type | Log type, value must be SEC |
| Component | Must be Passive for SAML2 |
| EventId | Must be 5518 |
| Source | The participant that sends a request to Identify |
| Destination | The Identify endpoint that receives a request |
| LogMessage | Full AuthnRequest and the ProtocolBinding attribute |
SAML Request Message Sent to Upstream Identity Provider
{
"Type": "SEC",
"RequestId": "dd7f8e3c-9e87-43bd-979c-124211741ee1",
"BuildNumber": "1.0.0.0",
"System": "RUNTIME",
"Component": "Passive",
"EventId": "5518",
"LogId": "aba7921d-ddce-42e1-9ae2-ecb0fdcddce8",
"Timestamp": "10/9/2024 7:44:18 AM",
"IPAddress": "127.0.0.1",
"MachineName": "WebServerHostName",
"UserId": "(unknown)",
"LogLevel": "INFO",
"Action": "",
"Source": "https://example.safewhere.local/runtime/",
"Destination": "https://adserver.adfs.safewhere.com/adfs/ls/",
"LogMessage": "https://adserver.adfs.safewhere.com/adfs/ls/?SAMLRequest=nZJNS8Q...85PlVzQf&RelayState=25b8f9b39da4c008ac1cc38af30eafa7a33ac924bf8c8929ae7ee617d8db218b&SigAlg=http%3a%2f%2fwww.w3.org%2f2001%2f04%2fxmldsig-more%23rsa-sha256&Signature=kkzJbzByi7XU38...9S2fVCfmaWyKSgg%3d%3d"
}
| Name | Description |
|---|---|
| Type | Log type, value must be SEC |
| Component | Must be Passive for SAML2 |
| EventId | Must be 5518 |
| Source | The current Identify EntityID |
| Destination | The Upstream Identity Provider that receives the request from Identify |
| LogMessage | Full request URI to the Upstream Identity Provider, including parameters such as SAMLRequest, RelayState, Signature, etc. |
Billing log (BIL)
{
"Type": "BIL",
"RequestId": "658e347d-47a1-40b9-82b4-183487673bbd",
"BuildNumber": "1.0.0.0",
"System": "RUNTIME",
"Component": "Passive",
"EventId": "7000",
"LogId": "e588344e-48bb-417f-a440-d34ddcb33948",
"Timestamp": "10/20/2021 10:23:53 AM",
"IPAddress": "127.0.0.1",
"MachineName": "DEVBOX",
"UserId": "00000000-0000-0000-0000-000000000000",
"LogLevel": "INFO",
"Status": "200 OK",
"ResponseTime": 4234,
"ResponseSize": 8327,
"RequestSize": 913,
"Operation": "/runtime/saml2/issue.idp"
}
| Name | Description |
|---|---|
| Type | Log type, value must be BIL |
| Status | Status of the request, ex: 200 OK |
| ResponseTime | Time taken from request was received to response was sent, measured in ms |
| ResponseSize | Size of the response in bytes |
| RequestSize | Size of the request in bytes |
| Operation | Name of the method or operation that was called |
| Other attributes | Similar to those of the SYS log |
Revision log (REV)
{
"Type": "REV",
"RequestId": "0a47ce44-27cc-4d65-ab2d-8eb67bbeaab2",
"BuildNumber": "1.0.0.0",
"System": "RUNTIME",
"Component": "Passive",
"EventId": "20028",
"LogId": "dcba56f6-9b39-4e10-b861-db8f91c92131",
"Timestamp": "11/2/2021 7:00:19 AM",
"IPAddress": "127.0.0.1",
"MachineName": "DEVBOX",
"UserId": "00000000-0000-0000-0000-000000000000",
"LogLevel": "INFO",
"RevisionType": "IssueClaims",
"RevisionData": {
"LocalTimestamp": "2021-11-02T14:00:19.1141802+07:00",
"Id": 6749,
"EventType": "IssueClaims",
"UtcTimestamp": "2021-11-02T07:00:19.1141802Z",
"UserName": "Administrator",
"ApplicationId": "https://contextid.safewhere.local/runtime/",
"ContextId": "90c2b6f5ee0f1ba2387c3334a320871bf5a9fc1ea30e00b37749548fe4903ee7",
"AuditClaimsIssuances": [{
"Id": 4067,
"AuditEventId": 6749,
"AuthenticationConnectionId": "d8f18c3b-e14a-4e34-957e-ee8f3125bf13",
"AuthenticationConnectionName": "ADFS SAML2",
"ProtocolConnectionId": "880d4436-64d1-4f0f-9370-7f09be9a8686",
"ProtocolConnectionName": "Saml2wif",
"AuditIssuedClaims": [{
"Id": 4518,
"ClaimsIssuanceId": 4067,
"ClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"Value": "Administrator",
"ValueType": "http://www.w3.org/2001/XMLSchema#string",
"Issuer": "http://adfs3.safewhere.local/adfs/services/trust",
"OriginalIssuer": "http://adfs3.safewhere.local/adfs/services/trust",
"_typeTag": "AuditIssuedClaim"
}, {
"Id": 4519,
"ClaimsIssuanceId": 4067,
"ClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
"Value": "Administrator@vm2016.local",
"ValueType": "http://www.w3.org/2001/XMLSchema#string",
"Issuer": "http://adfs3.safewhere.local/adfs/services/trust",
"OriginalIssuer": "http://adfs3.safewhere.local/adfs/services/trust",
"_typeTag": "AuditIssuedClaim"
}
],
"_typeTag": "AuditClaimsIssuance"
}
],
"_typeTag": "AuditEvent"
}
}
| Name | Description |
|---|---|
| Type | Log type, value must be REV |
| RevisionData | Includes claim issuances, changes made to Identify data entities |
| Other attributes | Similar to those of the SYS log |
Appendix A: List of Event IDs for System log (SYS)
| ID | Description |
|---|---|
| 97 | Web Service Communication Error |
| 98 | Authentication Connection Not Found In Session Error |
| 99 | Common Logout Error |
| 100 | Common Runtime Error |
| 101 | Connection Resolution Error |
| 102 | License Error |
| 103 | Malformed Request Error |
| 104 | Path Resolution Error |
| 105 | Web Service Error |
| 106 | Audit User Request Error |
| 107 | Sending Email Error |
| 108 | Security Error |
| 110 | Not Supported Exception |
| 111 | Configuration Error |
| 120 | TextResource Error |
| 130 | Database Error |
| 140 | External Claim Transformation Error |
| 141 | Sql Claim Transformation Error |
| 142 | Regular Expression Condition Parsing Error |
| 143 | Invalid Operation Claim Transformation Error |
| 145 | Scripting Claim Transformation Compilation Error |
| 146 | Excluded Pass Through Claim Transformation Error |
| 147 | Common Claim Transformation Runtime Log |
| 1440 | User Account Update Claim Transformation - Invalid Claim Value Added Error |
| 1441 | User Account Update Claim Transformation - Invalid Bearing Claim Value Added Error |
| 1442 | User Account Update Claim Transformation - Invalid Email Claim Value Added Error |
| 1443 | User Account Update Claim Transformation - Invalid Update Option Error |
| 150 | Home Realm Discovery Rules - WHR Parameter Error |
| 151 | Home Realm Discovery Rules -Common Domain Cookie Error |
| 152 | Home Realm Discovery Rules -Common Home Reaml Discovery Error |
| 154 | Home Realm Discovery Rules - Read Cookie Error |
| 155 | Home Realm Discovery Rules - HRD Parameter Missing |
| 156 | Home Realm Discovery Rules - HRD Build Script Error |
| 160 | Authentication Session Expired |
| 161 | Authentication User Disabled |
| 300 | Certificate Error |
| 301 | Certificate Revocation Check Error |
| 999 | Supplemental Data |
| 1000 | Cannot Log Message |
| 3000 | CORS Debug |
| 3001 | CORS Header set, such as 'Access-Control-Allow-Origin' header |
| 3002 | CORS Configuration already exists in the web.config for endpoint |
| 3003 | CORS Allowed CORS Origins Domains Validation Error |
| 3004 | CORS Origin Parsing Error |
| 3011 | SAML20 Authentication Request Validation Error |
| 3012 | SAML20 Authentication Response Validation Error |
| 3013 | SAML20 Faulty Response Sent |
| 3014 | SAML20 SignOn Error |
| 3015 | SAML20 HTTP Message Error |
| 3016 | SAML20 RelayState Missing |
| 3017 | SAML20 Artifact Not Exist Or Expired |
| 3018 | SAML20 Build Customization Script Error |
| 3019 | SAML20 IsPassive But Assurance Level Not Satisfy |
| 3040 | SAML20 Unsuccessful Logout Response Received Error |
| 3050 | SAML20 Service Invalid Protocol Connection Error |
| 3053 | SAML20 Service Invalid Request Error |
| 3054 | SAML20 Service Data Response Error |
| 3112 | Ws Federation Security Token Validation Error |
| 3114 | Ws Federation Faulty State |
| 3115 | Ws Federation Protocol Error |
| 3116 | Ws Federation Wctx Missing |
| 3310 | NemID Common LogOn Error |
| 3312 | NemID Signature Error |
| 3314 | NemID Validation Error |
| 3612 | OAuth Provider Response Error |
| 4010 | Device Based Common Error |
| 4011 | Device Based Protocol Connection Not Found Error |
| 4012 | Device Based Response Error |
| 4016 | Device Based State Code Missing |
| 4410 | OTP Common error |
| 4511 | UserName & Password Update Password Error |
| 4512 | UserName & Password Authentication Session Exist Error |
| 4712 | LDAP Authentication Session Eexist Error |
| 4717 | LDAP Authentication Reset Password Failed |
| 4810 | Generic Provider Common Error |
| 4811 | Generic Provider Could Not Load External Provider Error |
| 4812 | Generic Provider Unhandled Exception From External Provider Error |
| 4813 | Generic Provider Name Claim Is Empty Or CanNot Parsed |
| 4950 | OAuth20 Request Error |
| 5001 | STS Configuration loading error |
| 5002 | STS Invalid Authentication Connection Found Error |
| 5003 | STS Invalid Protocol Connection Found Error |
| 5004 | STS Client Certificate Security Token Validation Failed Error |
| 5005 | STS UserName Password Validation Failed Error |
| 5006 | STS Claims Transformation Exception Thrown Error |
| 5007 | STS Credential Validation Exception Thrown Error |
| 5020 | STS Log Information Event |
| 5050 | STS Unknown Error |
| 5100 | REST Service Common Error |
| 5102 | REST Invalid Request |
| 5103 | REST Warning Request |
| 5120 | SPML Common Error |
| 5200 | Yubico Common Error |
| 5201 | Yubico Response Error |
| 6000 | Signing Certificate Rollover |
| 7000 | Data Management Service Invalid Policy Element |
| 8000 | SYS Common Error |
| 8001 | SYS Publish Event To ServiceBus Error |
| 8002 | SYS Hangfire Job Event |
| 8003 | SYS Logout Invalid Context |
| 8004 | SYS Login Invalid Context |
| 8010 | SYS HTTP Request Parameters |
| 8011 | SYS Data Load Error |
| 8012 | SYS Data Load Succeeded |
| 9000 | SYS Warning Event Log |
| 9900 | SYS Info Event Log |
| 9999 | SYS Debug Event Log |
Appendix B: List of event IDs for SAML 2.0/WS-Federation/Username & Password/NemID/OTP/Facebook/Google/Twitter/LinkedIn/ Device-based/LiveId/LDAP/Yubico/Generic provider/STS plugins (SEC)
| ID | Description |
|---|---|
| SAML 2.0 plugin | |
| 5501 | AuthnRequest Sent To Attribute Service |
| 5502 | Response Received From Attribute Service |
| 5503 | Attribute Query Message |
| 5504 | Attribute Query Response Message |
| 5510 | AuthnRequest Sent To Upstream Identity Provider |
| 5511 | Plain Text Assertion |
| 5520 | AuthnRequest Received From Service Provider |
| 5516 | Response Message |
| 5518 | SAML Request Message Received from Service Provider or Sent to Upstream Identity Provider |
| 5521 | Response Sent To Service Provider |
| 5522 | Certificate Validation Succeeded |
| 5523 | Certificate Validation Failed |
| 5530 | LogoutRequest Received From Service Provider |
| 5531 | LogoutResponse To Service Provider |
| 5536 | LogoutRequest Sent To Service Provider |
| 5537 | LogoutResponse Received From Service Provider |
| 5538 | LogoutResponse Received From Service Provider - Signature Validation |
| 5539 | LogoutResponse Received From Service Provider - Signature Validation Failed |
| 5540 | LogoutRequest Sent To Identity Provider |
| 5541 | LogoutResponse eceived From Identity Provider |
| 5542 | LogoutResponse eceived From Identity Provider - Signature Validation |
| 5543 | LogoutResponse eceived From Identity Provider - Signature Validation Failed |
| 5544 | LogoutResponse Sent To Identity Provider |
| 5545 | LogoutRequest Received From IdentityProvider |
| 5546 | LogoutRequest Received From IdentityProvider - Signature Validation |
| 5547 | LogoutRequest Received From IdentityProvider - Signature Validation Failed |
| WS-Federation plugin | |
| 3112 | Security Token Validation Error |
| 3117 | Sign In Request Message |
| 3118 | Sign In Response Message |
| 3119 | Sign Out Clean up Request Message |
| 3120 | Sign Out Request Message |
| Username & Password plugin | |
| 4513 | Username Password Authentication Success |
| 4514 | Username Password Authentication Failed |
| 4515 | Username Offboarding User |
| 4516 | User Account Is Locked Out |
| 4517 | Password Length Limit Exceeded |
| NemID plugin | |
| 3315 | NemId Common Log On Error |
| 3316 | NemId Authentication Succeed |
| 3317 | NemId Signature Error |
| 3318 | NemId Validation Error |
| OTP plugin | |
| 4412 | OTP Code Generated |
| 4413 | OTP Code Authentication Success |
| 4414 | OTP Code Authentication Failed |
| 4415 | OTP Code Sent |
| 4416 | OS2faktor Error |
| 4417 | WebAuthn Error |
| 4418 | WebAuth Public Key Credential Creation Options |
| 4419 | WebAuth Authenticator Attestation Response |
| 4420 | WebAuth Assertion Options |
| 4421 | WebAuth Authenticator Assertion Response |
| 4422 | WebAuth First Factor User Not Found |
| 4423 | WebAuth First Factor Registered Credential Not Found |
| OAuth 2.0 plugin | |
| 4910 | OAuth2 Invalid Authorization Request |
| 4914 | OAuth2 Authorization Request |
| 4915 | OAuth2 Authorization Response |
| 4916 | OAuth2 Token Request |
| 4917 | OAuth2 Token Response |
| 4911 | OAuth2 Invalid Access Token Request |
| 4934 | OAuth2 Token Request Security Validation Failed |
| 4935 | OAuth2 Token Request Configuration Loading Error |
| 4935 | OAuth2 Token Request Security Validation Success |
| 4922 | OAuth2 Invalid Device Authorization Request |
| 4923 | OAuth2 Device Authorization Request |
| 4924 | OAuth2 Device Authorization Response |
| 4918 | OpenId Connect Token Request |
| 4919 | OpenId Connect Token Response |
| 4920 | OpenId Connect UserInfo Request |
| 4912 | OpenId Connect Invalid UserInfo Request |
| 4921 | OpenId Connect UserInfo Response |
| 4913 | OAuth2 Invalid Logout Request |
| 4925 | OAuth2 Valid Logout Request |
| 4931 | OAuth2 Auto Register Request |
| 4932 | OAuth2 Invalid Auto Register Request |
| 4933 | OAuth2 Auto Register Response |
| 4940 | OAuth2 Token Revocation Request |
| 4941 | OAuth2 Token Revocation Response |
| 4942 | OAuth2 Invalid Token Revocation Request |
| 4950 | OAuth2 Token Introspection Request |
| 4951 | OAuth2 Token Introspection Response |
| 4952 | OAuth2 Token Invalid Introspection Request |
| OAuth Provider (Facebook, Google, Twitter, LinkedIn, LiveId and Generic OAuth Provider plugins) | |
| 4110 | OAuth2 Provider Common Error |
| 4111 | OAuth2 Provider Response Error |
| 4112 | OAuth2 Provider Response Message |
| 4113 | OAuth2 Provider Request Message |
| 4114 | OAuth2 Provider User Information Message |
| 4115 | OAuth2 Provider State Code Missing |
| 4116 | OAuth2 Provider Token Validation Error |
| 4117 | OAuth2 Provider Token Validation Successful |
| 4118 | OAuth2 Provider Make Request To The Authorization Endpoint |
| 4119 | OAuth2 Provider Make Request To The Token Endpoint |
| Device-based plugin | |
| 4013 | User Device Cookie Validation Succeeded |
| 4014 | User Device Cookie Validation Failed |
| LDAP plugin | |
| 4713 | LDAP Authentication Succeeded |
| 4714 | LDAP Authentication Failed |
| 4716 | LDAP Reset Password Succeeded |
| 4718 | LDAP Reset Password Failed |
| Yubico plugin | |
| 5203 | Yubico Request Message |
| 5204 | Yubico Response Message |
| 5205 | Yubico Response Succeeded |
| 5206 | Yubico Response Failed |
| Generic provider plugin | |
| 4814 | Generic Provider Authentication Succeeded |
| 4815 | Generic Provider Authentication Failed |
| STS | |
| 5600 | Client certificate validation is successful |
| 5601 | Client certificate validation is failed, e.g. expired client certificate |
| 5602 | SOAP request message is signed correctly |
| 5604 | RST Received From User system |
| 5605 | RSTR Sent To User system |
| 5606 | The request with credential is successfully authenticated |
| 5607 | Invalid credentials |
| 5608 | Authentication for actas user is passed |
| 5609 | Authentication for actas user is failed (the reason is also included) |
| 5610 | Authorization for actas user is passed |
| 5611 | Authorization for actas user is failed (the reason is also included) |
| Provisioning (REST API) | |
| 5700 | Provisioning Authentication Failed |
| 5701 | Provisioning Authentication Passed |
| UserSelfService | |
| 5000 | User SelfService Offboarding User |
| Email notification | |
| 5800 | Send Authenticator Changed Notification Failed |
| 5801 | Send User Password Changed Notification Failed |
Appendix C: List of event IDs for Billing log (BIL)
| ID | Description |
|---|---|
| 7000 | Billing log for Passive flow |
| 7001 | Billing log for Active flow, .e.g STS |
| 7003 | Billing log for provisioning data (REST API) |
| 7004 | Billing log for Performance Counter |
Appendix D: List of event IDs for Revision log (REV)
| ID | Description |
|---|---|
| 20028 | Revision Log For Data Change |
| 20029 | Revision Log For User Requests |
Appendix E: List of event IDs for Analysis log (ANALYSIS)
| ID | Description |
|---|---|
| 8100 | User Data From Identity Provider |
| 8101 | User Data To Service Provider |
| 8102 | User Logout |