Audit Events Reference
| NAME | CODE | SEVERITY | ORIGIN | DESCRIPTION |
|---|---|---|---|---|
| License-error | 0 | Critical(2) | Authorizer, Host Store, License Manager, RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy | The system license does not allow operation. |
| Configuration-error | 1 | Critical(2) | Authorizer, Extender Service, RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy, Role Store | The system configuration is invalid. |
| Service-starting | 10 | Info(6) | Authentication, Authorizer, Connection Manager, Extender Service, Host Store, License Manager, Monitor Service, Network Access Manager, RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy, Role Store, Secrets Manager, Trail Index, User Store, Secrets Vault, Workflow Engine | The service is starting. |
| Service-running | 11 | Info(6) | Authentication, Authorizer, Connection Manager, Extender Service, Host Store, License Manager, Monitor Service, Network Access Manager, RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy, Role Store, Secrets Manager, Trail Index, User Store, Secrets Vault, Workflow Engine | The service is running. |
| Service-stopped | 12 | Warning(4) | Authentication, Authorizer, Connection Manager, Extender Service, Host Store, License Manager, Monitor Service, Network Access Manager, RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy, Role Store, Secrets Manager, Trail Index, User Store, Secrets Vault, Workflow Engine | The service has been stopped. |
| Background-migration-started | 20 | Info(6) | Connection Manager, Monitor Service | Data migration will be running in the background |
| Background-migration-completed | 21 | Info(6) | Connection Manager, Monitor Service | Data migration is completed |
| Unknown-event | 99 | Critical(2) | Unknown event ID | |
| User-logged-in | 100 | Info(6) | Authentication | User has logged in to the system. |
| User-logged-out | 101 | Info(6) | Authentication | User has logged out from the system. |
| User-login-failed | 102 | Warning(4) | Authentication | User login operation failed. |
| User-MFA-challenge-sent | 103 | Info(6) | Authentication | Challenge is sent to the user for login. |
| User-MFA-challenge-accepted | 104 | Info(6) | Authentication | User successfully authenticated with MFA pin code. |
| User-MFA-challenge-setup-sent | 105 | Info(6) | Authentication | User was MFA setup information. |
| Access-token-granted | 106 | Info(6) | Authentication | Access token granted. |
| User-Mobile-MFA-challenge-sent | 107 | Info(6) | Challenge is sent to the user for login. | |
| User-Mobile-MFA-challenge-accepted | 108 | Info(6) | User successfully authenticated with Mobile MFA | |
| User-Mobile-MFA-challenge-setup-sent | 109 | Info(6) | User was Mobile MFA setup information. | |
| User-access-token-refreshed | 110 | Info(6) | Authentication | User refreshed the access token. |
| User-access-token-refresh-failed | 111 | Warning(4) | Authentication | User access token refresh failed. |
| OAuth-client-authenticated | 121 | Info(6) | Authentication | OAuth client authenticated. |
| OAuth-client-authentication-failed | 122 | Warning(4) | Authentication | OAuth client authentication failed. |
| User-login-attempt-rate-limited | 130 | Info(6) | Authentication | User login attempt rate limited. |
| IDP-client-config-created | 131 | Info(6) | Authentication | IDPClient config created. |
| IDP-client-config-modified | 132 | Info(6) | Authentication | IDPClient config modified. |
| IDP-client-config-removed | 133 | Info(6) | Authentication | IDPClient config removed. |
| IDP-client-credentials-regenerated | 134 | Info(6) | Authentication | IDPClient credentials regenerated. |
| Session-terminated | 140 | Info(6) | Authentication | Session terminated. |
| Session-password-generated | 141 | Info(6) | Authentication | Session password generated. |
| Role-added | 201 | Info(6) | Role Store | New role added to the system. |
| Role-modified | 202 | Info(6) | Role Store | Role has been modified. |
| Role-removed | 203 | Info(6) | Role Store | Role has been removed. |
| Directory-added | 210 | Info(6) | Role Store | New directory added to the system. |
| Directory-modified | 211 | Info(6) | Role Store | Directory has been modified. |
| Directory-removed | 212 | Info(6) | Role Store | Directory has been removed. |
| Directory-authentication-failed | 213 | Info(6) | Role Store | Directory authentication failed. |
| User-roles-modified | 220 | Info(6) | Role Store | The user's role associations were changed. |
| AWS-token-granted | 230 | Info(6) | Role Store | AWS token was granted to a user. |
| AWS-token-grant-failed | 231 | Warning(4) | Role Store | AWS token grant failed. |
| LogConf-collector-created | 232 | Info(6) | Role Store | LogConf collector created. |
| LogConf-collector-modified | 233 | Info(6) | Role Store | LogConf collector modified. |
| LogConf-collector-removed | 234 | Info(6) | Role Store | LogConf collector removed. |
| LogConf-collector-failed | 235 | Warning(4) | Role Store | LogConf collector failed. |
| RoleContext-usage-alert | 250 | Warning(4) | Role Store | RoleContext limitations were violated. |
| RoleContext-role-blocked | 251 | Warning(4) | Role Store | RoleContext limitations were violated, role blocked. |
| Authorized-key-added | 260 | Info(6) | Role Store | Authorized key added. |
| Authorized-key-modified | 261 | Info(6) | Role Store | Authorized key modified. |
| Authorized-key-removed | 262 | Info(6) | Role Store | Authorized key removed. |
| Identity-provider-added | 270 | Info(6) | Role Store | New IDP added to the system. |
| Identity-provider-modified | 271 | Info(6) | Role Store | IDP has been modified. |
| Identity-provider-removed | 272 | Info(6) | Role Store | IDP has been removed. |
| WebAuthn-Credential-added | 280 | Info(6) | Role Store | WebAuthn Credential added. |
| WebAuthn-Credential-modified | 281 | Info(6) | Role Store | WebAuthn Credential modified. |
| WebAuthn-Credential-removed | 282 | (0) | Role Store | WebAuthn Credential removed. |
| Multi-factor-authentication-generated | 283 | Info(6) | Role Store | Multi-factor-authentication has been generated for user |
| Multi-factor-authentication-configured | 284 | Info(6) | Role Store | Multi-factor-authentication has been configured for user |
| Housekeeping-user-data | 290 | Info(6) | Role Store | Completed housekeeping user data. |
| Housekeeping-OIDC-user-cache | 291 | Info(6) | Role Store | Completed housekeeping OIDC user cache. |
| Housekeeping-SCIM-roles | 292 | Info(6) | Role Store | Initiating housekeeping SCIM roles. |
| Housekeeping-authorized-keys | 293 | Info(6) | Role Store | Initiating housekeeping authorized keys. |
| Users-license-grace-period-started | 296 | Info(6) | Role Store | Grace period started for users overflowing license limit |
| Users-blocked-by-license | 297 | Info(6) | Role Store | Users overflowing license limit are blocked |
| Users-license-ok | 298 | Info(6) | Role Store | Users count complies with license limits |
| Connection-requested | 300 | Info(6) | RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy | Connection was requested. |
| Connection-authenticated | 301 | Info(6) | RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy | Connection was authenticated. |
| Connection-rejected | 302 | Warning(4) | RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy | Connection was rejected. |
| Connection-closed | 303 | Info(6) | RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy | Connection was closed. |
| Connection-failed | 304 | Info(6) | RDP Bastion, RDP Proxy, SSH Bastion | Connection closed with an error. |
| Client-authenticated | 305 | Info(6) | SSH Bastion | Client was authenticated. |
| Session-added | 310 | Info(6) | SSH Bastion, SSH Proxy | A session was added to a connection. |
| Session-removed | 311 | Info(6) | SSH Bastion, SSH Proxy | A session was removed from a connection. |
| Session-rejected | 312 | Warning(4) | SSH Bastion, SSH Proxy | A session was rejected. |
| File-upload | 320 | Info(6) | RDP Proxy, SSH Bastion, SSH Proxy | File upload performed. |
| File-download | 321 | Info(6) | RDP Proxy, SSH Bastion, SSH Proxy | File download performed. |
| File-upload-rejected | 322 | Warning(4) | RDP Proxy, SSH Bastion, SSH Proxy | File upload was rejected. |
| File-download-rejected | 323 | Warning(4) | RDP Proxy, SSH Bastion, SSH Proxy | File download was rejected. |
| Host-key-matched | 324 | Info(6) | SSH Bastion, SSH Proxy | Host key matched. |
| Host-key-denied | 325 | Alert(1) | SSH Bastion, SSH Proxy | Host key denied. |
| Host-key-accepted | 326 | Info(6) | SSH Bastion, SSH Proxy | Host key accepted. |
| Host-key-saved | 327 | Info(6) | SSH Bastion, SSH Proxy | Host key saved. |
| Extender-connected | 328 | Info(6) | Extender Service | Extender connected. |
| Extender-disconnected | 329 | Warning(4) | Extender Service | Extender disconnected. |
| File-removed | 330 | Info(6) | RDP Proxy, SSH Proxy | File removed via SSH. |
| Folder-removed | 331 | Info(6) | RDP Proxy, SSH Proxy | Folder removed via SSH. |
| File-moved | 332 | Info(6) | RDP Proxy, SSH Proxy | File moved. |
| Folder-created | 333 | Info(6) | RDP Proxy, SSH Proxy | Folder created. |
| Connection-audit-started | 334 | Info(6) | RDP Proxy, SSH Bastion, SSH Proxy | Connection audit started. |
| Connection-audit-failed | 335 | Alert(1) | RDP Proxy, SSH Bastion, SSH Proxy | Connection audit failed. |
| Host-certificate-trusted | 336 | Info(6) | RDP Proxy, RDP Bastion | Host certificate trusted. |
| Host-certificate-matched | 337 | Info(6) | RDP Proxy, RDP Bastion | Host certificate matched. |
| Host-certificate-denied | 338 | Alert(1) | RDP Proxy, RDP Bastion | Host certificate denied. |
| Host-certificate-accepted | 339 | Info(6) | RDP Proxy, RDP Bastion | Host certificate accepted. |
| Host-certificate-saved | 340 | Info(6) | RDP Proxy, RDP Bastion | Host certificate saved. |
| Connection-accepted | 341 | Info(6) | SSH Proxy | Connection accepted. |
| File-upload-blocked | 342 | Warning(4) | RDP Proxy, SSH Bastion, SSH Proxy | File upload blocked by ICAP. |
| File-download-blocked | 343 | Warning(4) | RDP Proxy, SSH Bastion, SSH Proxy | File download blocked by ICAP. |
| File-move-rejected | 344 | Warning(4) | RDP Proxy, SSH Proxy | File move was rejected. |
| File-remove-rejected | 345 | Warning(4) | RDP Proxy, SSH Proxy | File removal was rejected. |
| Folder-create-rejected | 346 | Warning(4) | RDP Proxy, SSH Proxy | Folder create was rejected. |
| Folder-remove-rejected | 347 | Warning(4) | RDP Proxy, SSH Proxy | Folder removal was rejected. |
| Monitoring-session-started | 348 | Info(6) | RDP Proxy, SSH Proxy | A monitoring session is started |
| Monitoring-session-ended | 349 | Info(6) | RDP Proxy, SSH Proxy | A monitoring session has ended |
| Authorization-requested | 400 | Info(6) | Authorizer | A client requested an authorization. |
| Authorization-certificate-granted | 401 | Info(6) | Authorizer | An authorization certificate granted. |
| Authorization-role-key-granted | 402 | Info(6) | Authorizer | An authorization role key granted. |
| Authorization-role-key-sign-operation-rejected | 403 | Warning(4) | Authorizer | An authorization role key sign operation was rejected. |
| Authorization-role-key-sign-operation-accepted | 404 | Info(6) | Authorizer | An authorization role key sign operation was accepted. |
| Authorization-rejected | 405 | Alert(1) | Authorizer | An authorization was rejected. |
| Authorization-certificate-warning | 406 | Warning(4) | Authorizer | Authorization certificate creation generated warnings. |
| Authorization-passphrase-returned | 407 | Info(6) | Authorizer | Authorization passphrase was returned. |
| Principal-added | 410 | Info(6) | Authorizer | A principal was added. |
| Principal-removed | 411 | Info(6) | Authorizer | A principal was removed. |
| Trusted-client-added | 420 | Info(6) | User Store | A trusted client was added. |
| Trusted-client-modified | 421 | Info(6) | User Store | A trusted client was modified. |
| Trusted-client-removed | 423 | Info(6) | User Store | A trusted client was removed. |
| API-client-added | 424 | Info(6) | User Store | An API client was added. |
| API-client-modified | 425 | Info(6) | User Store | An API client was modified. |
| API-client-removed | 426 | Info(6) | User Store | An API client was removed. |
| License-updated | 430 | Info(6) | License Manager | The service license was updated. |
| CA-certificate-created | 440 | Info(6) | Authorizer | CA certificate was created. |
| CA-certificate-deleted | 441 | Info(6) | Authorizer | CA certificate was deleted. |
| EE-certificate-enrolled | 442 | Info(6) | Authorizer | End entity certificate was enrolled. |
| EE-certificate-revoked | 443 | Info(6) | Authorizer | End entity certificate was revoked. |
| CA-certificate-enrolled | 444 | Info(6) | Authorizer | CA certificate was enrolled. |
| CA-certificate-revoked | 445 | Info(6) | Authorizer | CA certificate was revoked. |
| EE-certificate-deleted | 446 | Info(6) | Authorizer | EE certificate was deleted. |
| Access-group-created | 450 | Info(6) | Authorizer | Access group created. |
| Access-group-modified | 451 | Info(6) | Authorizer | Access group modified. |
| Access-group-deleted | 452 | Info(6) | Authorizer | Access group deleted. |
| User-added | 500 | Info(6) | User Store | New user added to the system. |
| User-modified | 501 | Info(6) | User Store | User has been modified. |
| User-removed | 502 | Info(6) | User Store | User has been removed. |
| User-password-modified | 510 | Info(6) | User Store | User password has been modified. |
| Workflow-added | 600 | Info(6) | Workflow Engine | A workflow was added. |
| Workflow-modified | 601 | Info(6) | Workflow Engine | A workflow was modified. |
| Workflow-removed | 602 | Info(6) | Workflow Engine | A workflow was removed. |
| Request-added | 610 | Info(6) | Workflow Engine | A request was added. |
| Request-removed | 612 | Info(6) | Workflow Engine | A request was removed. |
| Decision-made | 620 | Info(6) | Workflow Engine | A decision has been made on a request. |
| Email-sent | 630 | Info(6) | Workflow Engine | A email notification has been sent. |
| Email-configuration-modified | 631 | Info(6) | Workflow Engine | Email configuration has been modified. |
| Email-not-sent | 632 | Info(6) | Workflow Engine | Email not sent. |
| Log-downloaded | 700 | Info(6) | Log files have been downloaded. | |
| Log-level-modified | 710 | Info(6) | The log level was modified. | |
| Host-added | 801 | Info(6) | Host Store | A host was added. |
| Host-modified | 802 | Info(6) | Host Store | A host was modified. |
| Host-removed | 803 | Info(6) | Host Store | A host was removed. |
| Host-service-connection-re-established | 804 | Info(6) | Host Store | A host service connection re-established. |
| Host-service-connection-failure | 805 | Warning(4) | Host Store | A host service connection failed. |
| Host-disabled-state-changed | 806 | Info(6) | Host Store | Host disabled state changed. |
| White-list-added | 811 | Info(6) | Host Store | A white list was added. |
| White-list-modified | 812 | Info(6) | Host Store | A white list was modified. |
| White-list-removed | 813 | Info(6) | Host Store | A white list was removed. |
| Connection-terminated | 900 | Info(6) | Connection Manager | Connection terminated. |
| Connection-terminated-for-host | 901 | Info(6) | Connection Manager | Connection terminated for host. |
| Connection-terminated-for-user | 902 | Info(6) | Connection Manager | Connection terminated for user. |
| Licensed-connection-count-exceeded | 903 | Warning(4) | Connection Manager | Licensed connection count exceeded. |
| Access-role-granted | 910 | Info(6) | Connection Manager | Access role granted. |
| Access-role-revoked | 911 | Info(6) | Connection Manager | Access role revoked. |
| Connections-meta-removed | 920 | Info(6) | Connection Manager | Connections meta removed. |
| Connection-blocked-by-ueba | 930 | Alert(1) | Connection Manager | Connection blocked by Ueba. |
| Connection-unusual-behavior-by-ueba | 931 | Warning(4) | Connection Manager | Connection marked as unusual by Ueba. |
| Connection-marked-anomaly-by-ueba | 932 | Alert(1) | Connection Manager | Connection marked as anomaly by Ueba. |
| Trail-opened | 1000 | Info(6) | Connection Manager, RDP Bastion, RDP Proxy, SSH Proxy | Trail opened. |
| Trail-open-failed | 1001 | Alert(1) | Connection Manager, RDP Bastion, RDP Proxy, SSH Proxy | Failed to open trail. |
| Trail-file-open-failed | 1002 | Alert(1) | Connection Manager, RDP Proxy, SSH Proxy | Failed to open trail file. |
| Trail-file-read-failed | 1003 | Alert(1) | Connection Manager, RDP Proxy, SSH Proxy | Failed to read trail file. |
| Trail-removed | 1004 | Info(6) | Connection Manager | Trail removed. |
| Trail-remove-failed | 1005 | Warning(4) | Connection Manager | Failed to remove trail. |
| Trail-file-integrity-failed | 1006 | Alert(1) | Connection Manager | Trail file integrity check failed. |
| Trail-file-downloaded | 1007 | Info(6) | Connection Manager | Trail file downloaded. |
| Config-checksum-added | 1100 | Info(6) | Authentication, Authorizer, Connection Manager, Extender Service, Host Store, License Manager, Monitor Service, Network Access Manager, RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy, Role Store, Secrets Manager, Trail Index, User Store, Secrets Vault, Workflow Engine | A config file checksum was added. |
| Config-checksum-changed | 1101 | Info(6) | Authentication, Authorizer, Connection Manager, Extender Service, Host Store, License Manager, Monitor Service, Network Access Manager, RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy, Role Store, Secrets Manager, Trail Index, User Store, Secrets Vault, Workflow Engine | A config file checksum has changed. |
| Transcript-status-scheduled | 1201 | Info(6) | Trail Index | Transcript status: scheduled. |
| Transcript-status-indexing | 1202 | Info(6) | Trail Index | Transcript status: indexing. |
| Transcript-status-indexed | 1203 | Info(6) | Trail Index | Transcript status: indexed. |
| Transcript-status-error | 1204 | Warning(4) | Trail Index | Transcript status: error. |
| Transcript-status-not-indexed | 1205 | Info(6) | Trail Index | Transcript status: not indexed. |
| Transcript-trail-removed | 1206 | Info(6) | Trail Index | Transcript trail removed. |
| Transcript-opened | 1207 | Info(6) | Trail Index | Transcript opened. |
| Disk-full | 1301 | Critical(2) | Monitor Service | Disk full. |
| Auditevent-removed | 1302 | Info(6) | Monitor Service | Auditevent removed. |
| PrivX-restarted | 1303 | Info(6) | Monitor Service | PrivX restarted. |
| PrivX-db-clock-out-of-sync | 1304 | Warning(4) | Monitor Service | PrivX and Database clocks are out of sync. |
| PrivX-external-component-hard-disk-full | 1305 | Warning(4) | Monitor Service | PrivX external component hard disk is full. |
| Secret-created | 1400 | Info(6) | Secrets Vault | Secret created. |
| Secret-removed | 1401 | Info(6) | Secrets Vault | Secret removed. |
| Secret-accessed | 1402 | Info(6) | Secrets Vault | Secret accessed. |
| Secret-changed | 1403 | Info(6) | Secrets Vault | Secret changed. |
| Secret-metadata-changed | 1404 | Info(6) | Secrets Vault | Secret's metadata changed. |
| Settings-modified | 1501 | Info(6) | Settings modified. | |
| Network-target-created | 1600 | Info(6) | Network Access Manager | Network target created. |
| Network-target-modified | 1601 | Info(6) | Network Access Manager | Network target modified. |
| Network-target-removed | 1602 | Info(6) | Network Access Manager | Network target removed. |
| Router-initialized | 1603 | Info(6) | Network Access Manager | Router initialized for network access manager. |
| Router-init-failed | 1604 | Warning(4) | Network Access Manager | Router initialization for network access manager failed. |
| Network-session-opened | 1605 | Info(6) | Network Access Manager | Network session opened. |
| Network-session-closed | 1606 | Info(6) | Network Access Manager | Network session closed. |
| Network-session-failure | 1607 | Warning(4) | Network Access Manager | Network session failure. |
| Network-session-fatal-failure | 1608 | Alert(1) | Network Access Manager | Network session fatal failure. |
| Network-target-disabled-state-changed | 1609 | Info(6) | Network Access Manager | Network target disabled state changed. |
| Password-rotation-policy-created | 1700 | Info(6) | Secrets Manager | Password rotation policy created. |
| Password-rotation-policy-modified | 1701 | Info(6) | Secrets Manager | Password rotation policy modified. |
| Password-rotation-policy-removed | 1702 | Info(6) | Secrets Manager | Password rotation policy removed. |
| Password-rotation-script-created | 1703 | Info(6) | Secrets Manager | Password rotation script created. |
| Password-rotation-script-modified | 1704 | Info(6) | Secrets Manager | Password rotation script modified. |
| Password-rotation-script-removed | 1705 | Info(6) | Secrets Manager | Password rotation script removed. |
| Password-rotation-failure | 1706 | Alert(1) | Secrets Manager | Password rotation failure. |
| SSH-live-event | 1800 | Info(6) | SSH Bastion, SSH Proxy | SSH live event |
| SSH-whitelisted-command-allowed | 1801 | Info(6) | SSH Bastion, SSH Proxy | SSH whitelisted command allowed |
| SSH-non-whitelisted-command-allowed | 1802 | Info(6) | SSH Bastion, SSH Proxy | SSH non-whitelisted command allowed |
| SSH-command-blocked | 1803 | Info(6) | SSH Bastion, SSH Proxy | SSH command blocked |
| Invalidated-session-cache-full | 1900 | Info(6) | Authentication, Authorizer, Connection Manager, Extender Service, Host Store, License Manager, Monitor Service, Network Access Manager, RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy, Role Store, Secrets Manager, Trail Index, User Store, Secrets Vault, Workflow Engine | The invalidated session cache is full |
| Database-session-started | 2000 | Info(6) | Database Proxy | Database session started |
| Database-session-closed | 2001 | Info(6) | Database Proxy | Database session closed |
| Database-session-failure | 2002 | Info(6) | Database Proxy | Database-session failure |
| Database-session-terminated | 2003 | Critical(2) | Database Proxy | Database-session-terminated |
| Database-session-rejected | 2004 | Info(6) | Database Proxy | Database-session-rejected |
| MobileGW-privx-registration-success | 2100 | Info(6) | Mobile gateway privx registrations success | |
| MobileGW-privx-registration-failure | 2101 | Info(6) | Mobile gateway privx registrations failure | |
| MobileGW-privx-registration-terminated | 2102 | Info(6) | Mobile gateway privx registrations terminated | |
| MobileGW-user-paired-device | 2103 | Info(6) | Mobile gateway user paired device | |
| MobileGW-user-unpaired-device | 2104 | Info(6) | Mobile gateway user unpaired device |
Was this page helpful?