Access and authentication log fields
The following fields appear in the STA access logs and authentication logs.
Examples of logs
The following examples show access and authentication logs in JSON format.
The details.type field identifies whether it is an access log or an authentication log:
- In access logs, the details.type field is ACCESS_REQUEST.
- In authentication logs, the details.type field is AUTHENTICATION.
Some fields are common to both types of logs.
Access log example
{
  "logVersion": "1.0",
  "category": "AUDIT",
  "timeStamp": "2020-02-04T09:38:46.526Z",
  "id": "9ac24938-3aa3-4eb3-b725",
  "context": {
    "tenantId": "BWUD0CN4AD-STA",
    "originatingAddress": "10.164.110.109",
    "principalId": "darwin",
    "globalAccessId": "93b27499-84f2-4181-aff2-002725b2836c",
    "applicationType": "SAML",
    "applicationName": "MyApplication",
    "scenarioName": "Windows only",
    "policyName": "Global Policy for STA"
  },
  "details": {
    "type": "ACCESS_REQUEST",
    "state": "Accepted",
    "action": "auth",
    "credentials": [
      {
        "type": "otp",
        "state": "Verified"
      }
    ]
  }
}
Authentication log example
{
  "logVersion": "1.0",
  "category": "AUDIT",
  "timeStamp": "2020-02-04T09:38:31.7303217Z",
  "id": "GdWQD3ABVUFSs1A-_ML0",
  "context": {
    "tenantId": "BWUD0CN4AD",
    "originatingAddress": "10.164.110.109",
    "principalId": "darwin",
    "globalAccessId": "93b27499-84f2-4181-aff2-002725b2836c"
  },
  "details": {
    "type": "AUTHENTICATION",
    "serial": "0",
    "action": "0",
    "actionText": "AUTH_ATTEMPT",
    "result": "1",
    "resultText": "AUTH_SUCCESS",
    "agentId": "14",
    "message": "Login from MyApplication.",
    "usedName": "darwin",
    "credentialType": "MobilePASS"
  }
}
Log field definitions
category
Included in: Access and authentication logs
Identifies the types of logs. All access logs and authentication logs that are sent through log streaming have the category field set to AUDIT.
Type: String
context
Included in: Access and authentication logs
A JSON object that groups multiple fields that provide the context for the event.
Type: JSON object
context:applicationName
Included in: Access logs
The name of the application in an access event. It can be either an application name or the resource name that is configured for an auth node.
- For applications that are configured on the Applications tab, the applicationName is the configured Display Name.
- For auth nodes, the applicationName is the configured Resource Name.
Type: String
context:applicationType
Included in: Access logs
Identifies the type of application in an access event.
Type: Enumeration string [SAML, OIDC, Agent, or a string that is mapped to an agent ID for auth nodes]
context:globalAccessId
Included in: Access and authentication logs
A unique identifier for an access event. All access and authentication logs that are associated with the same access event have the same globalAccessId.
Type: String
context:originatingAddress
Included in: Access and authentication logs
The public IP address that the logged event originated from.
Type: String in the form of an IPv4 IP address
context:policyName
Included in: Access logs
The name of the STA policy that applied to the access event.
Type: String
context:principalId
Included in: Access and authentication logs
The STA user ID of the user who initiated the logged event.
Type: String
context:scenarioName
Included in: Access logs
The name of the scenario that applied to the access event. If no scenario applied, which means that the policy’s default requirements were used, then this field is empty.
Type: String
context:sessionId
Included in: Access and authentication logs
Identifier that represents the session in which the logged event occurred.
Type: String
context:tenantId
Included in: Access and authentication logs
A unique identifier for the STA tenant (also referred to as an account or a virtual server) that the logged event is associated with. For example, Q41RKXHPWU.
Type: String in the form of 10 alphanumeric characters [A-Z][1-9]
details
Included in: Access and authentication logs
A JSON object that groups multiple fields that provide details about the access event.
Type: JSON object
details:action
Included in: Access and authentication logs
Identifies the action that took place. It applies only to authentication events.
Type: Enumeration string:
- In access logs:
  - Authentication
  - Server-side Server PIN Change
  - Server-side User PIN Change
  - Outer Window Auth Attempt
  - Static Password Change
- In authentication logs: The action is identified by a numerical code, and the corresponding text is displayed in the actionText field: [0, 1, 2, 3, 4]
  - 0: AUTH_ATTEMPT
  - 1: SERVERSIDE_SERVER_PIN_CHANGE
  - 2: SERVERSIDE_USER_PIN_CHANGE
  - 3: OUTERWINDOW_AUTH_ATTEMPT
  - 4: STATIC_PASSWORD_CHANGE
details:actionText
Included in: Authentication logs
Describes the action that took place. It corresponds to the numerical code in the action field. It applies only to a logged event of type authentication.
Type: Enumeration string [see below]
- AUTH_ATTEMPT = 0
- SERVERSIDE_SERVER_PIN_CHANGE = 1
- SERVERSIDE_USER_PIN_CHANGE = 2
- OUTERWINDOW_AUTH_ATTEMPT = 3
- STATIC_PASSWORD_CHANGE = 4
details:agentId
Included in: Authentication logs
Identifies the type of agent through which the authentication request was sent to STA. It applies only to a logged event of type authentication.
Type: Enumeration string [1, 2, …, 23]
The following values are possible:
1 | Internal | Not applicable |
2 | Console | Access to the STA Token Management console through the legacy URL. This applies only to non-OIDC based access to the STA Token Management console. For the most common and current method of accessing the console, the agentId is 14. |
3 | IAS | Agent for Microsoft Internet Authentication Service |
4 | SBR | Agent for Steel Belted RADIUS |
5 | IIS | Agent for Microsoft Internet Information Services |
6 | Windows Logon | Agent for Windows Logon |
7 | Citrix | Agent for Citrix |
8 | AuthenticationAPI | Access to authentication APIs |
9 | RemoteManagementAPI | Access to management APIs (BSIDCA) |
10 | ISA | |
11 | IIS_7 | Agent for Microsoft Internet Information Services 7 |
12 | Internal | Not applicable |
13 | FreeRADIUS | Access to FreeRADIUS |
14 | Shibboleth | Agent for SAML and OIDC access requests. All STA SAML and OIDC access requests come through this agent ID. This includes access requests for SAML or OIDC integrated applications, the STA user portal, OIDC access to the STA consoles, and OIDC access for STA application template agents (Outlook Web App, Windows Login, and Epic) that are configured through the Applications tab on the STA Access Management console. Used by Keycloak. |
15 | SelfService | Access to the Self-Service portal |
16 | SharePoint | Agent for SharePoint |
17 | OWA | Agent for Outlook Web App (Note: The new OWA agent that is configured through the Applications tab on the STA Access Management console uses agentId 14 instead.) |
18 | ADFS | Agent for Microsoft Active Directory Federation Services |
19 | RDGateway | Agent for RD Gateway |
20 | Siebel | Agent for Siebel |
21 | OAM | Agent for Oracle Access Manager |
22 | EPIC | Agent for Epic (The new Epic agent that is configured through the Applications tab on the STA Access Management console uses agentId 14 instead.) |
23 | RWW | Agent for Remote Web Workplace |
details:credentials
Included in: Access logs
A JSON object that groups multiple fields that provide details about the authentication method that was required. It applies only to a logged event of type ACCESS_REQUEST or OPERATOR_LOGIN.
Type: JSON object
The credentials object can include the following fields.
- state
- type
details:credentials:state
Included in: Access logs
Identifies the result of credential validation in the logged event.
Type: Enumeration string [Pending, VerifiedInSession, Verified, NotRequired, Failed]
details:credentials:type
Included in: Access logs
Identifies the type of credential that was prompted for or checked during the logged event. For domain passwords, the LDAP/AD Password type is used.
Type: Enumeration string [MobilePASS, GrIDsure, SMS, eToken, MP, Static Password, KT, RB, Legacy, OATH, GOLD, GoogleAuthenticator, RADIUS, SecurID, SecurIDD, LDAP/AD Password]
details:credentialType
Included in: Authentication logs
Identifies the type of authentication token that was required. It applies only to a logged event of type authentication.
Type: Enumeration string [MobilePASS, GrIDsure, SMS, eToken, MP, Static Password, KT, RB, Legacy, OATH, GOLD, GoogleAuthenticator, RADIUS].
details:message
Included in: Authentication logs
Provides additional details about the authentication. It applies only to a logged event of type authentication.
Type: String
details:reason
Included in: Access logs
Identifies the reason for a failed or denied access event. Applies only to a failed access event, and only to a logged event of type ACCESS_REQUEST or OPERATOR_LOGIN.
Type: Enumeration string [see the reasons for failed or denied access attempts]
details:result
Included in: Authentication logs
Identifies the result of the authentication through a numerical code. The corresponding text is displayed in the resultText field. It applies only to a logged event of type AUTHENTICATION.
Type: Enumeration string [-1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12]
- -1: NONE
- 0: AUTH_FAILURE
- 1: AUTH_SUCCESS
- 2: CHALLENGE
- 3: SERVER_PIN_PROVIDED
- 4: USER_PIN_CHANGE
- 5: OUTER_WINDOW_AUTH
- 6: CHANGE_STATIC_PASSWORD
- 7: STATIC_CHANGE_FAILED
- 8: PIN_CHANGE_FAILED
- 9: PUSH_OTP_REJECTED
- 10: PUSH_OTP_DISPATCHED
- 11: SKIPPED_STEP
- 12: IPADDRESS_OUTSIDE_RANGE_DENIED
details:resultText
Included in: Authentication logs
Identifies the result of the authentication through a text identifier that corresponds to the numerical value in the result field. It applies only to a logged event of type AUTHENTICATION.
Type: Enumeration string [NONE, AUTH_FAILURE, AUTH_SUCCESS, CHALLENGE, CHANGE_STATIC_PASSWORD, IPADDRESS_OUTSIDE_RANGE_DENIED, PIN_CHANGE_FAILED, PUSH_OTP_DISPATCHED, PUSH_OTP_REJECTED, OUTER_WINDOW_AUTH, SERVER_PIN_PROVIDED, SKIPPED_STEP, STATIC_CHANGE_FAILED, USER_PIN_CHANGE]
- NONE
- AUTH_FAILURE: The authentication failed.
- AUTH_SUCCESS: The authentication succeeded.
- CHALLENGE: The authentication required a challenge.
- CHANGE_STATIC_PASSWORD: The static password was changed. The details:actionText field is STATIC_PASSWORD_CHANGE.
- IPADDRESS_OUTSIDE_RANGE_DENIED: The IP address was outside the allowed range.
- PIN_CHANGE_FAILED: The PIN change failed.
- PUSH_OTP_DISPATCHED: The push notification was sent.
- PUSH_OTP_REJECTED: The push notification was rejected.
- OUTER_WINDOW_AUTH:
- SERVER_PIN_PROVIDED: The server PIN was provided.
- SKIPPED_STEP: The authentication was skipped based on the authentication policy.
- STATIC_CHANGE_FAILED: The password change failed.
- USER_PIN_CHANGE: The user PIN was changed.
details:serial
Included in: Authentication logs
The serial number of the authenticator. It applies only to a logged event of type AUTHENTICATION.
Only tokens have serial numbers. Domain passwords and static passwords do not have a serial number, and the value of this field is set to 0.
Type: String
details:state
Included in: Access logs
Identifies the result of the access event. It applies only to logged events of type ACCESS_REQUEST or OPERATOR_LOGIN.
Type: Enumeration string [Accepted, Denied, Failed, Warning]
The following results are possible:
- Accepted: The access event was successful and was allowed to proceed.
- Denied: The access event was rejected based on policies or application assignments. The reason field provides more information about why access was denied.
- Failed: The access event was rejected because authentication failed. The reason field provides more information about why authentication failed.
- Warning: The access event was successful and was allowed to proceed. However, the authentication may be less than optimal. The reason field provides more information about the warning.
details:type
Included in: Access and authentication logs
Identifies the type of logged event.
Type: Enumeration string [ACCESS_REQUEST, AUTHENTICATION, AUDIT]
- In an access log, the value is always ACCESS_REQUEST.
- In an authentication log, the value is always AUTHENTICATION.
details:usedName
Included in: Authentication logs
The username that was used for the logged event. It applies only to a logged event of type AUTHENTICATION.
Type: String
id
Included in: Access and authentication logs
A unique identifier for the log event.
Type: String
logVersion
Included in: Access and authentication logs
The version number of the log structure or data schema. The log version changes when there is a change that is not backwards-compatible. For example, the log version changes if the name of a field is changed, or if a field is removed.
Type: String in the format “n.m”
timeStamp
Included in: Access and authentication logs
Identifies the time when the logged event occurred. For example, 2019-12-04T21:37:20.2677353Z.
Type: String in format yyyy-MM-ddTHH:mm:ss.fffZ
- yyyy represents the year.
- MM represents the month.
- dd represents the day.
- T separates the date and time parameters.
- HH represents the hour in 24-hour format.
- mm represents the minutes.
- ss represents the seconds.
- fff represents the fraction of a second in milliseconds.
- Z represents coordinated universal time (UTC).
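As an added example (not part of the original documentation and not vendor code), the following Python code groups streamed records by context:globalAccessId, orders them by a parsed timeStamp that tolerates the 3-digit and 7-digit fractions seen in the samples on this page, and decodes details:result. The sample records, the IDs A1 and B2, the user huxley, and the choice of which results and states to flag for review are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# details:result codes 0..12 in the order listed on this page, plus -1.
RESULT_TEXT = dict(enumerate(
    "AUTH_FAILURE AUTH_SUCCESS CHALLENGE SERVER_PIN_PROVIDED USER_PIN_CHANGE "
    "OUTER_WINDOW_AUTH CHANGE_STATIC_PASSWORD STATIC_CHANGE_FAILED PIN_CHANGE_FAILED "
    "PUSH_OTP_REJECTED PUSH_OTP_DISPATCHED SKIPPED_STEP IPADDRESS_OUTSIDE_RANGE_DENIED".split()))
RESULT_TEXT[-1] = "NONE"
# Assumption: the results and states an analyst wants surfaced for review.
REVIEW_RESULTS = {"AUTH_FAILURE", "STATIC_CHANGE_FAILED", "PIN_CHANGE_FAILED",
                  "PUSH_OTP_REJECTED", "IPADDRESS_OUTSIDE_RANGE_DENIED"}
REVIEW_STATES = {"Denied", "Failed", "Warning"}

# Constructed sample records, deliberately out of order; IDs A1/B2 are made up.
SAMPLE = [
    '{"timeStamp":"2020-02-04T09:38:46.526Z","context":{"globalAccessId":"A1","principalId":"darwin"},"details":{"type":"ACCESS_REQUEST","state":"Accepted"}}',
    '{"timeStamp":"2020-02-04T09:38:31.7303217Z","context":{"globalAccessId":"A1","principalId":"darwin"},"details":{"type":"AUTHENTICATION","result":"1"}}',
    '{"timeStamp":"2020-02-04T10:00:06.000Z","context":{"globalAccessId":"B2","principalId":"huxley"},"details":{"type":"ACCESS_REQUEST","state":"Failed"}}',
    '{"timeStamp":"2020-02-04T10:00:05.5261Z","context":{"globalAccessId":"B2","principalId":"huxley"},"details":{"type":"AUTHENTICATION","result":"9"}}',
    '{"timeStamp":"2020-02-04T10:00:05.526Z","context":{"globalAccessId":"B2","principalId":"huxley"},"details":{"type":"AUTHENTICATION","result":"10"}}',
]

def parse_ts(value):
    """Parse timeStamp as UTC; samples on this page carry 3 or 7 fractional digits."""
    if not value.endswith("Z"):
        raise ValueError("timeStamp is expected to end in Z (UTC): %r" % value)
    head, _, frac = value[:-1].partition(".")
    stamp = head + "." + (frac + "000000")[:6]   # pad or truncate to microseconds
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)

def correlate(lines):
    """Group records by context.globalAccessId, each group ordered by parsed time."""
    groups = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        groups[rec["context"]["globalAccessId"]].append(rec)
    return {gid: sorted(recs, key=lambda r: parse_ts(r["timeStamp"]))
            for gid, recs in groups.items()}

def summarize(records):
    """Summarise one access event: user, access states, decoded auth results, flag."""
    auth = [RESULT_TEXT.get(int(r["details"]["result"]), "UNKNOWN")
            for r in records if r["details"]["type"] == "AUTHENTICATION"]
    states = [r["details"]["state"] for r in records if r["details"]["type"] == "ACCESS_REQUEST"]
    review = bool(REVIEW_STATES & set(states)) or bool(REVIEW_RESULTS & set(auth))
    return {"user": records[0]["context"]["principalId"], "states": states,
            "auth": auth, "review": review}
```

Sorting the raw timeStamp strings would place 10:00:05.5261Z before 10:00:05.526Z, which is why the records are ordered on the parsed value.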