Audit Events Reference

| Event | ID | Level | Services | Description |
|---|---|---|---|---|
| License-error | 0 | Critical(2) | Authorizer, Host Store, License Manager, RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy | The system license does not allow operation. |
| Configuration-error | 1 | Critical(2) | Authorizer, Extender Service, RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy, Role Store | The system configuration is invalid. |
| Service-starting | 10 | Info(6) | Authentication, Authorizer, Connection Manager, Extender Service, Host Store, License Manager, Monitor Service, Network Access Manager, RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy, Role Store, Secrets Manager, Trail Index, User Store, Secrets Vault, Workflow Engine | The service is starting. |
| Service-running | 11 | Info(6) | Authentication, Authorizer, Connection Manager, Extender Service, Host Store, License Manager, Monitor Service, Network Access Manager, RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy, Role Store, Secrets Manager, Trail Index, User Store, Secrets Vault, Workflow Engine | The service is running. |
| Service-stopped | 12 | Warning(4) | Authentication, Authorizer, Connection Manager, Extender Service, Host Store, License Manager, Monitor Service, Network Access Manager, RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy, Role Store, Secrets Manager, Trail Index, User Store, Secrets Vault, Workflow Engine | The service has been stopped. |
| Background-migration-started | 20 | Info(6) | Connection Manager, Monitor Service | Data migration will be running in the background |
| Background-migration-completed | 21 | Info(6) | Connection Manager, Monitor Service | Data migration is completed |
| Unknown-event | 99 | Critical(2) | | Unknown event ID |
| User-logged-in | 100 | Info(6) | Authentication | User has logged in to the system. |
| User-logged-out | 101 | Info(6) | Authentication | User has logged out from the system. |
| User-login-failed | 102 | Warning(4) | Authentication | User login operation failed. |
| User-MFA-challenge-sent | 103 | Info(6) | Authentication | Challenge is sent to the user for login. |
| User-MFA-challenge-accepted | 104 | Info(6) | Authentication | User successfully authenticated with MFA pin code. |
| User-MFA-challenge-setup-sent | 105 | Info(6) | Authentication | User was MFA setup information. |
| Access-token-granted | 106 | Info(6) | Authentication | Access token granted. |
| User-Mobile-MFA-challenge-sent | 107 | Info(6) | Authentication | Challenge is sent to the user for login. |
| User-Mobile-MFA-challenge-accepted | 108 | Info(6) | Authentication | User successfully authenticated with Mobile MFA |
| User-Mobile-MFA-challenge-setup-sent | 109 | Info(6) | Authentication | User was Mobile MFA setup information. |
| User-access-token-refreshed | 110 | Info(6) | Authentication | User refreshed the access token. |
| User-access-token-refresh-failed | 111 | Warning(4) | Authentication | User access token refresh failed. |
| OAuth-client-authenticated | 121 | Info(6) | Authentication | OAuth client authenticated. |
| OAuth-client-authentication-failed | 122 | Warning(4) | Authentication | OAuth client authentication failed. |
| User-login-attempt-rate-limited | 130 | Info(6) | Authentication | User login attempt rate limited. |
| IDP-client-config-created | 131 | Info(6) | Authentication | IDPClient config created. |
| IDP-client-config-modified | 132 | Info(6) | Authentication | IDPClient config modified. |
| IDP-client-config-removed | 133 | Info(6) | Authentication | IDPClient config removed. |
| IDP-client-credentials-regenerated | 134 | Info(6) | Authentication | IDPClient credentials regenerated. |
| Session-terminated | 140 | Info(6) | Authentication | Session terminated. |
| Session-password-generated | 141 | Info(6) | Authentication | Session password generated. |
| Role-added | 201 | Info(6) | Role Store | New role added to the system. |
| Role-modified | 202 | Info(6) | Role Store | Role has been modified. |
| Role-removed | 203 | Info(6) | Role Store | Role has been removed. |
| Directory-added | 210 | Info(6) | Role Store | New directory added to the system. |
| Directory-modified | 211 | Info(6) | Role Store | Directory has been modified. |
| Directory-removed | 212 | Info(6) | Role Store | Directory has been removed. |
| Directory-authentication-failed | 213 | Info(6) | Role Store | Directory authentication failed. |
| User-roles-modified | 220 | Info(6) | Role Store | The user's role associations were changed. |
| AWS-token-granted | 230 | Info(6) | Role Store | AWS token was granted to a user. |
| AWS-token-grant-failed | 231 | Warning(4) | Role Store | AWS token grant failed. |
| LogConf-collector-created | 232 | Info(6) | Role Store | LogConf collector created. |
| LogConf-collector-modified | 233 | Info(6) | Role Store | LogConf collector modified. |
| LogConf-collector-removed | 234 | Info(6) | Role Store | LogConf collector removed. |
| LogConf-collector-failed | 235 | Warning(4) | Role Store | LogConf collector failed. |
| RoleContext-usage-alert | 250 | Warning(4) | Role Store | RoleContext limitations were violated. |
| RoleContext-role-blocked | 251 | Warning(4) | Role Store | RoleContext limitations were violated, role blocked. |
| Authorized-key-added | 260 | Info(6) | Role Store | Authorized key added. |
| Authorized-key-modified | 261 | Info(6) | Role Store | Authorized key modified. |
| Authorized-key-removed | 262 | Info(6) | Role Store | Authorized key removed. |
| Identity-provider-added | 270 | Info(6) | Role Store | New IDP added to the system. |
| Identity-provider-modified | 271 | Info(6) | Role Store | IDP has been modified. |
| Identity-provider-removed | 272 | Info(6) | Role Store | IDP has been removed. |
| WebAuthn-Credential-added | 280 | Info(6) | Role Store | WebAuthn Credential added. |
| WebAuthn-Credential-modified | 281 | Info(6) | Role Store | WebAuthn Credential modified. |
| WebAuthn-Credential-removed | 282 | Info(6) | Role Store | WebAuthn Credential removed. |
| Multi-factor-authentication-generated | 283 | Info(6) | Role Store | Multi-factor-authentication has been generated for user |
| Multi-factor-authentication-configured | 284 | Info(6) | Role Store | Multi-factor-authentication has been configured for user |
| Housekeeping-user-data | 290 | Info(6) | Role Store | Completed housekeeping user data. |
| Housekeeping-OIDC-user-cache | 291 | Info(6) | Role Store | Completed housekeeping OIDC user cache. |
| Housekeeping-SCIM-roles | 292 | Info(6) | Role Store | Initiating housekeeping SCIM roles. |
| Housekeeping-authorized-keys | 293 | Info(6) | Role Store | Initiating housekeeping authorized keys. |
| Users-license-grace-period-started | 296 | Info(6) | Role Store | Grace period started for users overflowing license limit |
| Users-blocked-by-license | 297 | Info(6) | Role Store | Users overflowing license limit are blocked |
| Users-license-ok | 298 | Info(6) | Role Store | Users count complies with license limits |
| Connection-requested | 300 | Info(6) | RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy | Connection was requested. |
| Connection-authenticated | 301 | Info(6) | RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy | Connection was authenticated. |
| Connection-rejected | 302 | Warning(4) | RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy | Connection was rejected. |
| Connection-closed | 303 | Info(6) | RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy | Connection was closed. |
| Connection-failed | 304 | Info(6) | RDP Bastion, RDP Proxy, SSH Bastion | Connection closed with an error. |
| Client-authenticated | 305 | Info(6) | SSH Bastion | Client was authenticated. |
| Session-added | 310 | Info(6) | SSH Bastion, SSH Proxy | A session was added to a connection. |
| Session-removed | 311 | Info(6) | SSH Bastion, SSH Proxy | A session was removed from a connection. |
| Session-rejected | 312 | Warning(4) | SSH Bastion, SSH Proxy | A session was rejected. |
| File-upload | 320 | Info(6) | RDP Proxy, SSH Bastion, SSH Proxy | File upload performed. |
| File-download | 321 | Info(6) | RDP Proxy, SSH Bastion, SSH Proxy | File download performed. |
| File-upload-rejected | 322 | Warning(4) | RDP Proxy, SSH Bastion, SSH Proxy | File upload was rejected. |
| File-download-rejected | 323 | Warning(4) | RDP Proxy, SSH Bastion, SSH Proxy | File download was rejected. |
| Host-key-matched | 324 | Info(6) | SSH Bastion, SSH Proxy | Host key matched. |
| Host-key-denied | 325 | Alert(1) | SSH Bastion, SSH Proxy | Host key denied. |
| Host-key-accepted | 326 | Info(6) | SSH Bastion, SSH Proxy | Host key accepted. |
| Host-key-saved | 327 | Info(6) | SSH Bastion, SSH Proxy | Host key saved. |
| Extender-connected | 328 | Info(6) | Extender Service | Extender connected. |
| Extender-disconnected | 329 | Warning(4) | Extender Service | Extender disconnected. |
| File-removed | 330 | Info(6) | RDP Proxy, SSH Proxy | File removed via SSH. |
| Folder-removed | 331 | Info(6) | RDP Proxy, SSH Proxy | Folder removed via SSH. |
| File-moved | 332 | Info(6) | RDP Proxy, SSH Proxy | File moved. |
| Folder-created | 333 | Info(6) | RDP Proxy, SSH Proxy | Folder created. |
| Connection-audit-started | 334 | Info(6) | RDP Proxy, SSH Bastion, SSH Proxy | Connection audit started. |
| Connection-audit-failed | 335 | Alert(1) | RDP Proxy, SSH Bastion, SSH Proxy | Connection audit failed. |
| Host-certificate-trusted | 336 | Info(6) | RDP Proxy, RDP Bastion | Host certificate trusted. |
| Host-certificate-matched | 337 | Info(6) | RDP Proxy, RDP Bastion | Host certificate matched. |
| Host-certificate-denied | 338 | Alert(1) | RDP Proxy, RDP Bastion | Host certificate denied. |
| Host-certificate-accepted | 339 | Info(6) | RDP Proxy, RDP Bastion | Host certificate accepted. |
| Host-certificate-saved | 340 | Info(6) | RDP Proxy, RDP Bastion | Host certificate saved. |
| Connection-accepted | 341 | Info(6) | SSH Proxy | Connection accepted. |
| File-upload-blocked | 342 | Warning(4) | RDP Proxy, SSH Bastion, SSH Proxy | File upload blocked by ICAP. |
| File-download-blocked | 343 | Warning(4) | RDP Proxy, SSH Bastion, SSH Proxy | File download blocked by ICAP. |
| File-move-rejected | 344 | Warning(4) | RDP Proxy, SSH Proxy | File move was rejected. |
| File-remove-rejected | 345 | Warning(4) | RDP Proxy, SSH Proxy | File removal was rejected. |
| Folder-create-rejected | 346 | Warning(4) | RDP Proxy, SSH Proxy | Folder create was rejected. |
| Folder-remove-rejected | 347 | Warning(4) | RDP Proxy, SSH Proxy | Folder removal was rejected. |
| Monitoring-session-started | 348 | Info(6) | RDP Proxy, SSH Proxy | A monitoring session is started |
| Monitoring-session-ended | 349 | Info(6) | RDP Proxy, SSH Proxy | A monitoring session has ended |
| Authorization-requested | 400 | Info(6) | Authorizer | A client requested an authorization. |
| Authorization-certificate-granted | 401 | Info(6) | Authorizer | An authorization certificate granted. |
| Authorization-role-key-granted | 402 | Info(6) | Authorizer | An authorization role key granted. |
| Authorization-role-key-sign-operation-rejected | 403 | Warning(4) | Authorizer | An authorization role key sign operation was rejected. |
| Authorization-role-key-sign-operation-accepted | 404 | Info(6) | Authorizer | An authorization role key sign operation was accepted. |
| Authorization-rejected | 405 | Alert(1) | Authorizer | An authorization was rejected. |
| Authorization-certificate-warning | 406 | Warning(4) | Authorizer | Authorization certificate creation generated warnings. |
| Authorization-passphrase-returned | 407 | Info(6) | Authorizer | Authorization passphrase was returned. |
| Principal-added | 410 | Info(6) | Authorizer | A principal was added. |
| Principal-removed | 411 | Info(6) | Authorizer | A principal was removed. |
| Trusted-client-added | 420 | Info(6) | User Store | A trusted client was added. |
| Trusted-client-modified | 421 | Info(6) | User Store | A trusted client was modified. |
| Trusted-client-removed | 423 | Info(6) | User Store | A trusted client was removed. |
| API-client-added | 424 | Info(6) | User Store | An API client was added. |
| API-client-modified | 425 | Info(6) | User Store | An API client was modified. |
| API-client-removed | 426 | Info(6) | User Store | An API client was removed. |
| License-updated | 430 | Info(6) | License Manager | The service license was updated. |
| CA-certificate-created | 440 | Info(6) | Authorizer | CA certificate was created. |
| CA-certificate-deleted | 441 | Info(6) | Authorizer | CA certificate was deleted. |
| EE-certificate-enrolled | 442 | Info(6) | Authorizer | End entity certificate was enrolled. |
| EE-certificate-revoked | 443 | Info(6) | Authorizer | End entity certificate was revoked. |
| CA-certificate-enrolled | 444 | Info(6) | Authorizer | CA certificate was enrolled. |
| CA-certificate-revoked | 445 | Info(6) | Authorizer | CA certificate was revoked. |
| EE-certificate-deleted | 446 | Info(6) | Authorizer | EE certificate was deleted. |
| Access-group-created | 450 | Info(6) | Authorizer | Access group created. |
| Access-group-modified | 451 | Info(6) | Authorizer | Access group modified. |
| Access-group-deleted | 452 | Info(6) | Authorizer | Access group deleted. |
| User-added | 500 | Info(6) | User Store | New user added to the system. |
| User-modified | 501 | Info(6) | User Store | User has been modified. |
| User-removed | 502 | Info(6) | User Store | User has been removed. |
| User-password-modified | 510 | Info(6) | User Store | User password has been modified. |
| User-authenticated | 520 | Info(6) | User Store | User has been authenticated. |
| User-authentication-failed | 521 | Warning(4) | User Store | User authentication has failed. |
| Workflow-added | 600 | Info(6) | Workflow Engine | A workflow was added. |
| Workflow-modified | 601 | Info(6) | Workflow Engine | A workflow was modified. |
| Workflow-removed | 602 | Info(6) | Workflow Engine | A workflow was removed. |
| Request-added | 610 | Info(6) | Workflow Engine | A request was added. |
| Request-removed | 612 | Info(6) | Workflow Engine | A request was removed. |
| Decision-made | 620 | Info(6) | Workflow Engine | A decision has been made on a request. |
| Email-sent | 630 | Info(6) | Workflow Engine | An email notification has been sent. |
| Email-configuration-modified | 631 | Info(6) | Workflow Engine | Email configuration has been modified. |
| Email-not-sent | 632 | Info(6) | Workflow Engine | Email not sent. |
| Log-downloaded | 700 | Info(6) | Monitor Service | Log files have been downloaded. |
| Log-level-modified | 710 | Info(6) | Monitor Service | The log level was modified. |
| Host-added | 801 | Info(6) | Host Store | A host was added. |
| Host-modified | 802 | Info(6) | Host Store | A host was modified. |
| Host-removed | 803 | Info(6) | Host Store | A host was removed. |
| Host-service-connection-re-established | 804 | Info(6) | Host Store | A host service connection re-established. |
| Host-service-connection-failure | 805 | Warning(4) | Host Store | A host service connection failed. |
| Host-disabled-state-changed | 806 | Info(6) | Host Store | Host disabled state changed. |
| White-list-added | 811 | Info(6) | Host Store | A white list was added. |
| White-list-modified | 812 | Info(6) | Host Store | A white list was modified. |
| White-list-removed | 813 | Info(6) | Host Store | A white list was removed. |
| Connection-terminated | 900 | Info(6) | Connection Manager | Connection terminated. |
| Connection-terminated-for-host | 901 | Info(6) | Connection Manager | Connection terminated for host. |
| Connection-terminated-for-user | 902 | Info(6) | Connection Manager | Connection terminated for user. |
| Licensed-connection-count-exceeded | 903 | Warning(4) | Connection Manager | Licensed connection count exceeded. |
| Access-role-granted | 910 | Info(6) | Connection Manager | Access role granted. |
| Access-role-revoked | 911 | Info(6) | Connection Manager | Access role revoked. |
| Connections-meta-removed | 920 | Info(6) | Connection Manager | Connections meta removed. |
| Connection-blocked-by-ueba | 930 | Alert(1) | Connection Manager | Connection blocked by Ueba. |
| Connection-unusual-behavior-by-ueba | 931 | Warning(4) | Connection Manager | Connection marked as unusual by Ueba. |
| Connection-marked-anomaly-by-ueba | 932 | Alert(1) | Connection Manager | Connection marked as anomaly by Ueba. |
| Trail-opened | 1000 | Info(6) | Connection Manager, RDP Bastion, RDP Proxy, SSH Proxy | Trail opened. |
| Trail-open-failed | 1001 | Alert(1) | Connection Manager, RDP Bastion, RDP Proxy, SSH Proxy | Failed to open trail. |
| Trail-file-open-failed | 1002 | Alert(1) | Connection Manager, RDP Proxy, SSH Proxy | Failed to open trail file. |
| Trail-file-read-failed | 1003 | Alert(1) | Connection Manager, RDP Proxy, SSH Proxy | Failed to read trail file. |
| Trail-removed | 1004 | Info(6) | Connection Manager | Trail removed. |
| Trail-remove-failed | 1005 | Warning(4) | Connection Manager | Failed to remove trail. |
| Trail-file-integrity-failed | 1006 | Alert(1) | Connection Manager | Trail file integrity check failed. |
| Trail-file-downloaded | 1007 | Info(6) | Connection Manager | Trail file downloaded. |
| Config-checksum-added | 1100 | Info(6) | Authentication, Authorizer, Connection Manager, Extender Service, Host Store, License Manager, Monitor Service, Network Access Manager, RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy, Role Store, Secrets Manager, Trail Index, User Store, Secrets Vault, Workflow Engine | A config file checksum was added. |
| Config-checksum-changed | 1101 | Info(6) | Authentication, Authorizer, Connection Manager, Extender Service, Host Store, License Manager, Monitor Service, Network Access Manager, RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy, Role Store, Secrets Manager, Trail Index, User Store, Secrets Vault, Workflow Engine | A config file checksum has changed. |
| Transcript-status-scheduled | 1201 | Info(6) | Trail Index | Transcript status: scheduled. |
| Transcript-status-indexing | 1202 | Info(6) | Trail Index | Transcript status: indexing. |
| Transcript-status-indexed | 1203 | Info(6) | Trail Index | Transcript status: indexed. |
| Transcript-status-error | 1204 | Warning(4) | Trail Index | Transcript status: error. |
| Transcript-status-not-indexed | 1205 | Info(6) | Trail Index | Transcript status: not indexed. |
| Transcript-trail-removed | 1206 | Info(6) | Trail Index | Transcript trail removed. |
| Transcript-opened | 1207 | Info(6) | Trail Index | Transcript opened. |
| Disk-full | 1301 | Critical(2) | Monitor Service | Disk full. |
| Auditevent-removed | 1302 | Info(6) | Monitor Service | Auditevent removed. |
| PrivX-restarted | 1303 | Info(6) | Monitor Service | PrivX restarted. |
| PrivX-db-clock-out-of-sync | 1304 | Warning(4) | Monitor Service | PrivX and Database clocks are out of sync. |
| Secret-created | 1400 | Info(6) | Secrets Vault | Secret created. |
| Secret-removed | 1401 | Info(6) | Secrets Vault | Secret removed. |
| Secret-accessed | 1402 | Info(6) | Secrets Vault | Secret accessed. |
| Secret-changed | 1403 | Info(6) | Secrets Vault | Secret changed. |
| Secret-metadata-changed | 1404 | Info(6) | Secrets Vault | Secret's metadata changed. |
| Settings-modified | 1501 | Info(6) | - | Settings modified. |
| Network-target-created | 1600 | Info(6) | Network Access Manager | Network target created. |
| Network-target-modified | 1601 | Info(6) | Network Access Manager | Network target modified. |
| Network-target-removed | 1602 | Info(6) | Network Access Manager | Network target removed. |
| Router-initialized | 1603 | Info(6) | Network Access Manager | Router initialized for network access manager. |
| Router-init-failed | 1604 | Warning(4) | Network Access Manager | Router initialization for network access manager failed. |
| Network-session-opened | 1605 | Info(6) | Network Access Manager | Network session opened. |
| Network-session-closed | 1606 | Info(6) | Network Access Manager | Network session closed. |
| Network-session-failure | 1607 | Warning(4) | Network Access Manager | Network session failure. |
| Network-session-fatal-failure | 1608 | Alert(1) | Network Access Manager | Network session fatal failure. |
| Network-target-disabled-state-changed | 1609 | Info(6) | Network Access Manager | Network target disabled state changed. |
| Password-rotation-policy-created | 1700 | Info(6) | Secrets Manager | Password rotation policy created. |
| Password-rotation-policy-modified | 1701 | Info(6) | Secrets Manager | Password rotation policy modified. |
| Password-rotation-policy-removed | 1702 | Info(6) | Secrets Manager | Password rotation policy removed. |
| Password-rotation-script-created | 1703 | Info(6) | Secrets Manager | Password rotation script created. |
| Password-rotation-script-modified | 1704 | Info(6) | Secrets Manager | Password rotation script modified. |
| Password-rotation-script-removed | 1705 | Info(6) | Secrets Manager | Password rotation script removed. |
| Password-rotation-failure | 1706 | Alert(1) | Secrets Manager | Password rotation failure. |
| SSH-live-event | 1800 | Info(6) | SSH Bastion, SSH Proxy | SSH live event |
| SSH-whitelisted-command-allowed | 1801 | Info(6) | SSH Bastion, SSH Proxy | SSH whitelisted command allowed |
| SSH-non-whitelisted-command-allowed | 1802 | Info(6) | SSH Bastion, SSH Proxy | SSH non-whitelisted command allowed |
| SSH-command-blocked | 1803 | Info(6) | SSH Bastion, SSH Proxy | SSH command blocked |
| Invalidated-session-cache-full | 1900 | Info(6) | Authentication, Authorizer, Connection Manager, Extender Service, Host Store, License Manager, Monitor Service, Network Access Manager, RDP Bastion, RDP Proxy, SSH Bastion, SSH Proxy, Role Store, Secrets Manager, Trail Index, User Store, Secrets Vault, Workflow Engine | The invalidated session cache is full |
| Database-session-started | 2000 | Info(6) | Database Proxy | Database session started |
| Database-session-closed | 2001 | Info(6) | Database Proxy | Database session closed |
| Database-session-failure | 2002 | Info(6) | Database Proxy | Database session failure |
| Database-session-terminated | 2003 | Critical(2) | Database Proxy | Database session terminated |
| Database-session-rejected | 2004 | Info(6) | Database Proxy | Database session rejected |
| MobileGW-privx-registration-success | 2100 | Info(6) | Mobile Gateway | Mobile gateway PrivX registrations success |
| MobileGW-privx-registration-failure | 2101 | Info(6) | Mobile Gateway | Mobile gateway PrivX registrations failure |
| MobileGW-privx-registration-terminated | 2102 | Info(6) | Mobile Gateway | Mobile gateway PrivX registrations terminated |
| MobileGW-user-paired-device | 2103 | Info(6) | Mobile Gateway | Mobile gateway user paired device |
| MobileGW-user-unpaired-device | 2104 | Info(6) | Mobile Gateway | Mobile gateway user unpaired device |
