Signed Audit Events

Endi S. Dewata edited this page May 18, 2023 · 22 revisions

Overview

This page describes audit events that are common to all PKI subsystems. The complete list of events, their message formats, and their descriptions are stored in audit-events.properties.

Subsystem-specific audit events are described in the following pages:

Authentication Events

AUTH_SUCCESS

This event is triggered when authentication succeeds.

Properties:

  • Outcome should always be Success in this event

  • AuthMgr must be the name of the authentication manager instance that performed this authentication

For example, use the CLI to authenticate as the admin user:

$ pki -n caadmin ca-user-find

The server will generate the following logs:

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.users][Op=execute][Info=UserResource.findUsers] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

In PKI 10.5 this event is renamed to AUTH.

AUTH_FAIL

This event is triggered when authentication fails. In the case of SSL client authentication, only the web server environment can pick up the SSL violation; the CS authMgr can pick up a certificate mismatch, in which case this event is used.

Properties:

  • Outcome should always be Failure in this event. If authentication failed there is no valid SubjectID, so in this case SubjectID should be $Unidentified$

  • AuthMgr must be the name of the authentication manager instance that performed this authentication

  • AttemptedCred must be the credential that was attempted and failed

For example, start the PKI console and log in with a wrong password. The server will generate the following logs:

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success] access session establish success
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success] access session establish success
[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

In PKI 10.5 this event is renamed to AUTH.

AUTH

In PKI 10.5 the AUTH_SUCCESS and AUTH_FAIL events have been merged into the AUTH event.

Authorization Events

AUTHZ_SUCCESS

This event is triggered when authorization is successful.

Properties:

  • Outcome must be Success for this event

  • aclResource must be the ACL resource ID as defined in the ACL resource list

  • Op must be one of the operations defined in the ACL statement, e.g. read for an ACL statement containing (read,write)

For example, use the CLI to authenticate as the admin user:

$ pki -n caadmin ca-user-find

The server will generate the following logs:

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.users][Op=execute][Info=UserResource.findUsers] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

In PKI 10.5 this event is renamed to AUTHZ.

AUTHZ_FAIL

This event is triggered when authorization has failed.

Properties:

  • Outcome must be Failure for this event

  • aclResource must be the ACL resource ID as defined in the ACL resource list

  • Op must be one of the operations defined in the ACL statement, e.g. read for an ACL statement containing (read,write)

For example, execute the following command:

$ pki -n caadmin ca-audit-file-find

The server will generate the following logs:

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_FAIL][SubjectID=caadmin][Outcome=Failure][aclResource=certServer.log.content.signedAudit][Op=read][Info=Authorization Error] authorization failure
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

In PKI 10.5 this event is renamed to AUTHZ.

AUTHZ

In PKI 10.5 the AUTHZ_SUCCESS and AUTHZ_FAIL events have been merged into the AUTHZ event.

ROLE_ASSUME

Configuration Events

CONFIG_ROLE

This event is triggered when configuring role information (anything under users/groups: add/remove/edit a role, etc.).

Properties:

  • ParamNameValPairs must list the changed config params as name;;value pairs (name and value separated by the delimiter ;;); if there is more than one pair, the pairs are separated by +

For example, use the CLI to add a member to a group:

$ pki -n caadmin ca-group-member-add Administrators testuser

The server will generate the following logs:

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.groups][Op=execute][Info=GroupResource.addGroupMember] authorization success
[AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;members+Operation;;OP_ADD+Resource;;Administrators+user;;testuser] role configuration parameter(s) change
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

CONFIG_SIGNED_AUDIT

This event is triggered when configuring signedAudit.

Properties:

  • ParamNameValPairs must list the changed config params as name;;value pairs (name and value separated by the delimiter ;;); if there is more than one pair, the pairs are separated by +

For example, use the CLI to disable audit:

$ pki -n caadmin ca-audit-mod --action disable

The server will generate the following logs:

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.log.configuration][Op=modify][Info=AuditResource.changeAuditStatus] authorization success
[AuditEvent=CONFIG_SIGNED_AUDIT][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=+Action;;disable] signed audit configuration parameter(s) change
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

CONFIG_TRUSTED_PUBLIC_KEY

This event is triggered when:

  • Manage Certificate is used to edit the trust settings of certificates or to delete certificates

  • Certificate Setup Wizard is used to import CA certificates into the certificate database (although CrossCertificatePairs are stored within internaldb, audit them as well)

Properties:

  • ParamNameValPairs must list the changed config params as name;;value pairs (name and value separated by the delimiter ;;); if there is more than one pair, the pairs are separated by +

For example, run the PKI Console and execute the following operations:

  • Click System Keys and Certificates

  • Click Add

  • Click Next

  • Select Trusted CA Certificate Chain

  • Click Next

  • Select The certificate is located in the text area below

  • Paste a CA Certificate

  • Click Next

  • Click Next

The server will generate the following log:

[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY][SubjectID=caadmin][Outcome=Success][ParamNameValPairs=Scope;;installCert+Operation;;OP_MODIFY+Resource;;trustedCACert+pkcs10;;-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----+nickname;;<null>+pathname;;<null>+serverRoot;;<null>+serverID;;instanceID] certificate database configuration
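
The ParamNameValPairs format used by the CONFIG_* events above can be parsed as follows. This Python is an added example, not PKI project code: it handles the leading + seen in the CONFIG_SIGNED_AUDIT log and values that themselves contain + (base64 in a PEM certificate), and its three review rules, the sample lines and the placeholder certificate body are constructed for illustration.

```python
import re

# Captures the event name and the raw ParamNameValPairs value of one audit line.
PAIRS = re.compile(
    r"\[AuditEvent=(\w+)\].*?\[ParamNameValPairs=(.*?)\](?=\[|\s|$)", re.S)

def parse_pairs(raw):
    """Split a ParamNameValPairs value into a dict.

    Pairs are separated by "+" and name/value by ";;". A value may itself
    contain "+", so a segment without ";;" is treated as the continuation of
    the previous value. The literal "<null>" becomes None.
    """
    params, last = {}, None
    for seg in raw.split("+"):
        if ";;" in seg:
            last, value = seg.split(";;", 1)
            params[last] = value
        elif last is not None:
            params[last] += "+" + seg
        # otherwise: empty segment produced by a leading "+"
    return {k: (None if v == "<null>" else v) for k, v in params.items()}

def review(line):
    """Return findings for one CONFIG_* audit line (illustrative rules only)."""
    m = PAIRS.search(line)
    if not m:
        return []
    event, p = m.group(1), parse_pairs(m.group(2))
    findings = []
    if event == "CONFIG_SIGNED_AUDIT" and p.get("Action") == "disable":
        findings.append("signed audit disabled")
    if (event == "CONFIG_ROLE" and p.get("Scope") == "members"
            and p.get("Operation") == "OP_ADD"):
        findings.append(f"user {p.get('user')} added to group {p.get('Resource')}")
    if event == "CONFIG_TRUSTED_PUBLIC_KEY" and p.get("Resource") == "trustedCACert":
        findings.append("trusted CA certificate changed")
    return findings

# Constructed sample lines modelled on the logs above; the certificate body
# is a placeholder, not a real certificate.
ROLE_LINE = (
    "[AuditEvent=CONFIG_ROLE][SubjectID=caadmin][Outcome=Success]"
    "[ParamNameValPairs=Scope;;members+Operation;;OP_ADD+Resource;;Administrators"
    "+user;;testuser] role configuration parameter(s) change")
AUDIT_LINE = (
    "[AuditEvent=CONFIG_SIGNED_AUDIT][SubjectID=caadmin][Outcome=Success]"
    "[ParamNameValPairs=+Action;;disable] signed audit configuration parameter(s) change")
CERT_LINE = (
    "[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY][SubjectID=caadmin][Outcome=Success]"
    "[ParamNameValPairs=Scope;;installCert+Operation;;OP_MODIFY+Resource;;trustedCACert"
    "+pkcs10;;-----BEGIN CERTIFICATE-----\nAAAA+BBBB/CCCC\n-----END CERTIFICATE-----"
    "+nickname;;<null>+serverID;;instanceID] certificate database configuration")

if __name__ == "__main__":
    for line in (ROLE_LINE, AUDIT_LINE, CERT_LINE):
        print(review(line))
```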

Access Session Events

ACCESS_SESSION_ESTABLISH_SUCCESS

This event is triggered when a PKI client successfully establishes a secure connection to the PKI server.

Properties:

  • ClientIP: Client’s IP address

  • ServerIP: Server’s IP address

  • SubjectID: Client certificate’s subject DN

  • Outcome: Success

For example, use the CLI to authenticate as the admin user:

$ pki -n caadmin ca-user-find

The server will generate the following logs:

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.users][Op=execute][Info=UserResource.findUsers] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

In PKI 10.5 this event is renamed to ACCESS_SESSION_ESTABLISH.

ACCESS_SESSION_ESTABLISH_FAILURE

This event is triggered when a PKI client fails to establish a secure connection to the PKI server.

Properties:

  • ClientIP: Client’s IP address

  • ServerIP: Server’s IP address

  • SubjectID: Client certificate’s subject DN if known

  • Outcome: Failure

  • Info: Failure reason

For example, configure the CLI to use a cipher that is disabled on the server:

SSL_CIPHERS="TLS_RSA_WITH_AES_128_CBC_SHA256"
SSL_DEFAULT_CIPHERS="false"

Then execute a CLI command that uses SSL:

$ pki -n caadmin ca-user-find

The operation will fail and the server will generate the following log:

[AuditEvent=ACCESS_SESSION_ESTABLISH_FAILURE][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=][Outcome=Failure][Info=HANDSHAKE_FAILURE] access session establish failure

In PKI 10.5 this event is renamed to ACCESS_SESSION_ESTABLISH.

ACCESS_SESSION_ESTABLISH

In PKI 10.5 the ACCESS_SESSION_ESTABLISH_SUCCESS and ACCESS_SESSION_ESTABLISH_FAILURE events are merged into the ACCESS_SESSION_ESTABLISH event.
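
Because of the AUTH, AUTHZ and ACCESS_SESSION_ESTABLISH renames described above, a rule keyed on a name such as AUTH_FAIL no longer matches logs written by PKI 10.5. The following Python is an added example, not part of the PKI project: it parses the bracketed fields, maps the old names onto the merged ones and counts failures by Outcome. It assumes the merged events keep the Outcome field; the sample lines and their addresses are constructed.

```python
import re
from collections import Counter

# Pre-10.5 event names mapped to the merged names used from PKI 10.5 on.
LEGACY_TO_MERGED = {
    "AUTH_SUCCESS": "AUTH", "AUTH_FAIL": "AUTH",
    "AUTHZ_SUCCESS": "AUTHZ", "AUTHZ_FAIL": "AUTHZ",
    "ACCESS_SESSION_ESTABLISH_SUCCESS": "ACCESS_SESSION_ESTABLISH",
    "ACCESS_SESSION_ESTABLISH_FAILURE": "ACCESS_SESSION_ESTABLISH",
}

# One [Name=Value] field. The value ends at the "]" that is followed by the
# next "[", by whitespace or by end of line, so a subject DN containing "="
# and "," stays in one piece and an empty SubjectID parses as "".
FIELD = re.compile(r"\[(\w+)=(.*?)\](?=\[|\s|$)", re.S)

def parse_event(line):
    """Return the fields of one audit line with AuditEvent normalised, or None."""
    fields = dict(FIELD.findall(line))
    if "AuditEvent" not in fields:
        return None
    name = fields["AuditEvent"]
    fields["AuditEvent"] = LEGACY_TO_MERGED.get(name, name)
    return fields

def failures(lines):
    """Count failed AUTH, AUTHZ and session-establish events, old or new names."""
    auth, authz, tls = Counter(), Counter(), Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev.get("Outcome") != "Failure":
            continue
        if ev["AuditEvent"] == "AUTH":
            auth[(ev.get("AuthMgr"), ev.get("AttemptedCred"))] += 1
        elif ev["AuditEvent"] == "AUTHZ":
            authz[(ev.get("SubjectID"), ev.get("aclResource"), ev.get("Op"))] += 1
        elif ev["AuditEvent"] == "ACCESS_SESSION_ESTABLISH":
            tls[(ev.get("ClientIP"), ev.get("Info"))] += 1
    return auth, authz, tls

# Constructed sample mixing pre-10.5 and merged event names (not real server output).
SAMPLE = [
    "[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure",
    "[AuditEvent=AUTH][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=passwdUserDBAuthMgr][AttemptedCred=caadmin] authentication failure",
    "[AuditEvent=AUTH][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success",
    "[AuditEvent=AUTHZ_FAIL][SubjectID=caadmin][Outcome=Failure][aclResource=certServer.log.content.signedAudit][Op=read][Info=Authorization Error] authorization failure",
    "[AuditEvent=ACCESS_SESSION_ESTABLISH_FAILURE][ClientIP=192.0.2.10][ServerIP=192.0.2.1][SubjectID=][Outcome=Failure][Info=HANDSHAKE_FAILURE] access session establish failure",
    "[AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=192.0.2.10][ServerIP=192.0.2.1][SubjectID=CN=PKI Administrator,OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success",
]

if __name__ == "__main__":
    for label, counter in zip(("auth", "authz", "session"), failures(SAMPLE)):
        print(label, dict(counter))
```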

ACCESS_SESSION_TERMINATED

This event is triggered when the secure connection between PKI client and PKI server is terminated.

Properties:

  • ClientIP: Client’s IP address

  • ServerIP: Server’s IP address

  • SubjectID: Client certificate’s subject DN

  • Outcome: Success

For example, use the CLI to authenticate as the admin user:

$ pki -n caadmin ca-user-find

The server will generate the following logs:

[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTH_SUCCESS][SubjectID=caadmin][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=login][Info=AccountResource.login] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.users][Op=execute][Info=UserResource.findUsers] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated
[AuditEvent=ACCESS_SESSION_ESTABLISH_SUCCESS][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success] access session establish success
[AuditEvent=AUTHZ_SUCCESS][SubjectID=caadmin][Outcome=Success][aclResource=certServer.ca.account][Op=logout][Info=AccountResource.logout] authorization success
[AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=10.34.78.30][ServerIP=10.34.78.30][SubjectID=CN=PKI Administrator,[email protected],OU=pki-tomcat,O=EXAMPLE][Outcome=Success][Info=CLOSE_NOTIFY] access session terminated

Outbound Connection Events

OUTBOUND_CONNECTION_ESTABLISH

OUTBOUND_CONNECTION_TERMINATED

Random Number Generator Events

RANDOM_GENERATION

See Also
