Audit Events Reference

|                      NAME                      | CODE |                      DESCRIPTION                       |
|------------------------------------------------|------|--------------------------------------------------------|
| License-error                                  |    0 | The system license does not allow operation.           |
| Configuration-error                            |    1 | The system configuration is invalid.                   |
| Service-starting                               |   10 | The service is starting.                               |
| Service-running                                |   11 | The service is running.                                |
| Service-stopped                                |   12 | The service has been stopped.                          |
| User-logged-in                                 |  100 | User has logged in to the system.                      |
| User-login-failed                              |  102 | User login operation failed.                           |
| User-MFA-challenge-sent                        |  103 | User tried to log in without MFA pin code.             |
| User-MFA-challenge-accepted                    |  104 | User successfully authenticated with MFA pin code.     |
| User-MFA-challenge-setup-sent                  |  105 | User was MFA setup information.                        |
| Access-token-granted                           |  106 | Access token granted                                   |
| User-access-token-refreshed                    |  110 | User refreshed the access token                        |
| User-access-token-refresh-failed               |  111 | User access token refresh failed.                      |
| OAuth-client-authenticated                     |  121 | OAuth client authenticated                             |
| OAuth-client-authentication-failed             |  122 | OAuth client authentication failed                     |
| User-login-attempt-rate-limited                |  130 | User login attempt rate limited                        |
| Role-added                                     |  201 | New role added to the system.                          |
| Role-modified                                  |  202 | Role has been modified.                                |
| Role-removed                                   |  203 | Role has been removed.                                 |
| Directory-added                                |  210 | New directory added to the system.                     |
| Directory-modified                             |  211 | Directory has been modified.                           |
| Directory-removed                              |  212 | Directory has been removed.                            |
| Directory-authentication-failed                |  213 | Directory authentication failed.                       |
| User-roles-modified                            |  220 | The user's role associations were changed              |
| AWS-token-granted                              |  230 | AWS token was granted to a user                        |
| AWS-token-grant-failed                         |  231 | AWS token grant failed                                 |
| LogConf-collector-created                      |  232 | LogConf collector created                              |
| LogConf-collector-modified                     |  233 | LogConf collector modified                             |
| LogConf-collector-removed                      |  234 | LogConf collector removed                              |
| LogConf-collector-failed                       |  235 | LogConf collector failed                               |
| RoleContext-usage-alert                        |  250 | RoleContext limitations were violated.                 |
| RoleContext-role-blocked                       |  251 | RoleContext limitations were violated, role blocked.   |
| Authorized-key-added                           |  260 | Authorized key added                                   |
| Authorized-key-modified                        |  261 | Authorized key modified                                |
| Authorized-key-removed                         |  262 | Authorized key removed                                 |
| Connection-requested                           |  300 | Connection was requested.                              |
| Connection-authenticated                       |  301 | Connection was authenticated.                          |
| Connection-rejected                            |  302 | Connection was rejected.                               |
| Connection-closed                              |  303 | Connection was closed.                                 |
| Connection-failed                              |  304 | Connection closed with an error.                       |
| Client-authenticated                           |  305 | Client was authenticated.                              |
| Session-added                                  |  310 | A session was added to a connection.                   |
| Session-removed                                |  311 | A session was removed from a connection.               |
| Session-rejected                               |  312 | A session was rejected.                                |
| File-upload                                    |  320 | File upload performed.                                 |
| File-download                                  |  321 | File download performed.                               |
| Host-key-matched                               |  324 | Host key matched                                       |
| Host-key-denied                                |  325 | Host key denied                                        |
| Host-key-accepted                              |  326 | Host key accepted                                      |
| Host-key-saved                                 |  327 | Host key saved                                         |
| Extender-connected                             |  328 | Extender connected                                     |
| Extender-disconnected                          |  329 | Extender disconnected                                  |
| File-removed                                   |  330 | File removed via SSH.                                  |
| Folder-removed                                 |  331 | Folder removed via SSH.                                |
| File-moved                                     |  332 | File moved.                                            |
| Folder-created                                 |  333 | Folder created.                                        |
| Connection-audit-started                       |  334 | Connection audit started                               |
| Connection-audit-failed                        |  335 | Connection audit failed                                |
| Authorization-requested                        |  400 | A client requested an authorization.                   |
| Authorization-certificate-granted              |  401 | An authorization certificate granted.                  |
| Authorization-role-key-granted                 |  402 | An authorization role key granted.                     |
| Authorization-role-key-sign-operation-rejected |  403 | An authorization role key sign operation was rejected. |
| Authorization-role-key-sign-operation-accepted |  404 | An authorization role key sign operation was accepted. |
| Authorization-rejected                         |  405 | An authorization was rejected.                         |
| Authorization-certificate-warning              |  406 | Authorization certificate creation generated warnings. |
| Authorization-Passphrase-returned              |  407 | Authorization passphrase was returned                  |
| Principal-added                                |  410 | A principal was added.                                 |
| Principal-removed                              |  411 | A principal was removed.                               |
| Trusted-client-added                           |  420 | A trusted client was added.                            |
| Trusted-client-modified                        |  421 | A trusted client was modified.                         |
| Trusted-client-removed                         |  423 | A trusted client was removed.                          |
| API-client-added                               |  424 | An API client was added.                               |
| API-client-modified                            |  425 | An API client was modified.                            |
| API-client-removed                             |  426 | An API client was removed.                             |
| License-updated                                |  430 | The service license was updated.                       |
| CA-Certificate-Created                         |  440 | CA certificate was created.                            |
| CA-Certificate-Deleted                         |  441 | CA certificate was deleted.                            |
| EE-Certificate-Enrolled                        |  442 | End entity certificate was enrolled                    |
| EE-Certificate-Revoked                         |  443 | End entity certificate was revoked                     |
| CA-Certificate-Enrolled                        |  444 | CA certificate was enrolled                            |
| CA-Certificate-Revoked                         |  445 | CA certificate was revoked                             |
| Access-Group-Created                           |  450 | Access group created                                   |
| Access-Group-Modified                          |  451 | Access group modified                                  |
| Access-Group-Deleted                           |  452 | Access group deleted                                   |
| User-added                                     |  500 | New user added to the system.                          |
| User-modified                                  |  501 | User has been modified.                                |
| User-removed                                   |  502 | User has been removed.                                 |
| User-password-modified                         |  510 | User password has been modified.                       |
| User-authenticated                             |  520 | User has been authenticated.                           |
| User-authentication-failed                     |  521 | User authentication has failed.                        |
| Workflow-added                                 |  600 | A workflow was added.                                  |
| Workflow-modified                              |  601 | A workflow was modified.                               |
| Workflow-removed                               |  602 | A workflow was removed.                                |
| Request-added                                  |  610 | A request was added.                                   |
| Request-removed                                |  612 | A request was removed.                                 |
| Decision-made                                  |  620 | A decision has been made on a request.                 |
| Email-sent                                     |  630 | A email notification has been sent.                    |
| Email-configuration-Modified                   |  631 | Email configuration has been modified.                 |
| Email-not-sent                                 |  632 | Email not sent.                                        |
| Log-downloaded                                 |  700 | Log files have been downloaded.                        |
| Log-level-modified                             |  710 | The log level was modified.                            |
| Host-added                                     |  801 | A host was added.                                      |
| Host-modified                                  |  802 | A host was modified.                                   |
| Host-removed                                   |  803 | A host was removed.                                    |
| Host-service-connection-re-established         |  804 | A host service connection re-established.              |
| Host-service-connection-failure                |  805 | A host service connection failed.                      |
| Connection-terminated                          |  900 | Connection terminated.                                 |
| Connection-terminated-for-host                 |  901 | Connection terminated for host.                        |
| Connection-terminated-for-user                 |  902 | Connection terminated for user.                        |
| Licensed-connection-count-exceeded             |  903 | Licensed connection count exceeded.                    |
| Access-role-granted                            |  910 | Access role granted                                    |
| Access-role-revoked                            |  911 | Access role revoked                                    |
| Trail-opened                                   | 1000 | Trail opened.                                          |
| Trail-open-failed                              | 1001 | Failed to open trail.                                  |
| Trail-file-open-failed                         | 1002 | Failed to open trail file.                             |
| Trail-file-read-failed                         | 1003 | Failed to read trail file.                             |
| Trail-removed                                  | 1004 | Trail removed.                                         |
| Trail-remove-failed                            | 1005 | Failed to remove trail.                                |
| Trail-file-integrity-failed                    | 1006 | Trail file integrity check failed.                     |
| Trail-file-downloaded                          | 1007 | Trail file downloaded.                                 |
| Config-checksum-added                          | 1100 | A config file checksum was added.                      |
| Config-checksum-changed                        | 1101 | A config file checksum has changed.                    |
| Transcript-status-scheduled                    | 1201 | Transcript status: scheduled.                          |
| Transcript-status-indexing                     | 1202 | Transcript status: indexing.                           |
| Transcript-status-indexed                      | 1203 | Transcript status: indexed.                            |
| Transcript-status-error                        | 1204 | Transcript status: error.                              |
| Transcript-status-not-indexed                  | 1205 | Transcript status: not indexed.                        |
| Transcript-trail-removed                       | 1206 | Transcript trail removed.                              |
| Transcript-opened                              | 1207 | Transcript opened.                                     |
| Disk-Full                                      | 1301 | Disk Full.                                             |
| Auditevent-Removed                             | 1302 | Auditevent Removed                                     |
| Secret-Created                                 | 1400 | Secret created.                                        |
| Secret-Removed                                 | 1401 | Secret removed.                                        |
| Secret-Accessed                                | 1402 | Secret accessed.                                       |
| Secret-Changed                                 | 1403 | Secret changed.                                        |
| Secret-Metadata-Changed                        | 1404 | Secret's metadata changed.                             |

Did this page help you?