The data in the policy server's audit logs, which is sometimes counter-intuitive, is formatted as follows:
Format
Field | AccessType | Policy server name | Date and time | IP Address | Username | Agent name | HTTP Request | Resource | Transaction ID | Reason | Status |
---|---|---|---|---|---|---|---|---|---|---|---|
A normal login | AzAccept | MY_POLICY_SERVER | 01/Mar/2018:10:58:43 -0500 | 10.242.60.178 | cn=me,dc=ca,dc=com | sps | GET | / | 128a02f2-792b6d99-5985f8d6-e47bc71d-4df5af6a-509 | | |
Bad password | AuthReject | MY_POLICY_SERVER | 01/Mar/2018:10:58:43 -0500 | 10.242.60.178 | cn=me,dc=ca,dc=com | sps | GET | / | 0 | Invalid credentials | |
Bad username | AuthAttempt | MY_POLICY_SERVER | 01/Mar/2018:10:58:43 -0500 | 10.242.60.178 | cn=hacker,dc=hack,dc=com | sps | GET | / | 0 |
What it all means
Column | What it means |
---|---|
AccessType | Type of access request |
Policy server name | Where the request was received (Useful if you use centralized logging) |
Date and time | In the policy server's time zone |
IP Address | The IP of the agent that received the request |
Username | The user, or who the person claims to be. |
Agent name | The agent object that was used for this request |
HTTP Request | The type of request: GET, PUT, POST, etc. |
Resource | The resource the user accessed or tried to access |
Transaction ID | Useful for tracing the request in other SMPS logs |
Reason | Why the action (if any) was taken |
Status | The status message |
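
An added example, not part of the original page or of the product: a parser for records in the column order above, plus a summary that separates AuthReject (bad password) from AuthAttempt (bad username) events. It assumes the records are available as pipe-delimited text in that order; the function names, the threshold and the sample rows are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Column order from the table on this page (its row-label column is not a log field).
COLUMNS = ["access_type", "policy_server", "timestamp", "agent_ip", "username",
           "agent_name", "method", "resource", "transaction_id", "reason", "status"]

def parse_record(line):
    """Parse one pipe-delimited record; short rows get empty trailing fields."""
    cells = [c.strip() for c in line.strip().split("|")]
    if cells and cells[-1] == "":          # empty cell produced by a trailing pipe
        cells.pop()
    if len(cells) > len(COLUMNS):
        raise ValueError("too many fields: %r" % line)
    cells += [""] * (len(COLUMNS) - len(cells))
    rec = dict(zip(COLUMNS, cells))
    rec["timestamp"] = datetime.strptime(rec["timestamp"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def summarize_failures(records, threshold=3):
    """Separate bad-password rejects from unknown-username attempts."""
    rejects = Counter()              # AuthReject count per username
    unknown = defaultdict(set)       # AuthAttempt usernames per (server, agent)
    for r in records:
        if r["access_type"] == "AuthReject":
            rejects[r["username"]] += 1
        elif r["access_type"] == "AuthAttempt":
            # agent_ip is the agent's address, so group by agent, not by client
            unknown[(r["policy_server"], r["agent_name"])].add(r["username"])
    return {
        "repeated_rejects": sorted(u for u, n in rejects.items() if n >= threshold),
        "unknown_usernames": {k: sorted(v) for k, v in unknown.items()
                              if len(v) >= threshold},
    }

# Constructed sample records (not real log data), built in the page's column order.
ROW = ("{} | MY_POLICY_SERVER | 01/Mar/2018:10:58:{:02d} -0500 | 10.242.60.178 | {} "
       "| sps | GET | / | 0 | {} | |")
SAMPLE = [ROW.format("AuthReject", s, "cn=me,dc=ca,dc=com", "Invalid credentials")
          for s in (43, 44, 45)]
SAMPLE += [ROW.format("AuthAttempt", 46 + i, "cn=user%d,dc=example,dc=com" % i, "")
           for i in range(3)]
SAMPLE.append("AzAccept | MY_POLICY_SERVER | 01/Mar/2018:10:58:50 -0500 | 10.242.60.178 | "
              "cn=me,dc=ca,dc=com | sps | GET | / | "
              "128a02f2-792b6d99-5985f8d6-e47bc71d-4df5af6a-509 | | |")

if __name__ == "__main__":
    print(summarize_failures([parse_record(line) for line in SAMPLE]))
```

Because the IP Address column holds the agent's address, the summary groups unknown usernames by policy server and agent name; attributing them to a client needs another log source.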