What data in the audit log means

Blog Post created by flama10 Employee on Mar 1, 2018

The data in the policy server's audit logs is sometimes counter-intuitive. It is formatted as follows:

Format

Field              | A normal login                                   | Bad password               | Bad username
-------------------|--------------------------------------------------|----------------------------|---------------------------
AccessType         | AzAccept                                         | AuthReject                 | AuthAttempt
Policy server name | MY_POLICY_SERVER                                 | MY_POLICY_SERVER           | MY_POLICY_SERVER
Date and time      | 01/Mar/2018:10:58:43 -0500                       | 01/Mar/2018:10:58:43 -0500 | 01/Mar/2018:10:58:43 -0500
IP Address         | 10.242.60.178                                    | 10.242.60.178              | 10.242.60.178
Username           | cn=me,dc=ca,dc=com                               | cn=me,dc=ca,dc=com         | cn=hacker,dc=hack,dc=com
Agent name         | sps                                              | sps                        | sps
HTTP Request       | GET                                              | GET                        | GET
Resource           | /                                                | /                          | /
Transaction ID     | 128a02f2-792b6d99-5985f8d6-e47bc71d-4df5af6a-509 | 0                          | 0
Reason             |                                                  | Invalid credentials        |
Status             |                                                  |                            |


What it all means

Column             | What it means
-------------------|------------------------------------------------------------------------
AccessType         | Type of access request
Policy server name | Where the request was received (useful if you use centralized logging)
Date and time      | In the policy server's timezone
IP Address         | The IP of the agent that received the request, not of the end user
Username           | The user, or who the person claims to be
Agent name         | The agent object that was used for this request
HTTP Request       | The type of request: GET, PUT, POST, etc.
Resource           | The resource the user accessed or tried to access
Transaction ID     | Useful for tracing the request in other SMPS logs
Reason             | Why the action (if any) was taken
Status message     | The status message recorded for the event
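Two of those column meanings decide how the log can be used for detection: the IP address belongs to the agent, not the person logging in, and the username on a rejected event is only what the person claimed. The example below is added here and is not the post's own code or any vendor tooling. It assumes each audit event has already been reduced to one pipe-delimited line in the eleven-field order listed above (the real on-disk layout, delimiter and quoting must be checked against your own policy server), treats AuthReject and AuthAttempt as the failed-login event types the table shows, and uses constructed sample records built from the three rows above plus a few invented follow-on events. It keys password-guessing detection on the claimed username rather than the IP, keys spraying detection on the agent that received the requests, and looks a transaction ID up so it can be traced into other SMPS logs.

```python
"""Parse policy-server audit records into the eleven fields described in the
post and run two defender-side checks over them.

Added example, not the post's own code. The pipe-delimited layout, the
FAILED_TYPES set and the thresholds are assumptions; verify them against
your own policy server's audit log before using this on real data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FIELDS = ("access_type", "policy_server", "timestamp", "ip_address", "username",
          "agent_name", "http_request", "resource", "transaction_id", "reason", "status")
TIME_FORMAT = "%d/%b/%Y:%H:%M:%S %z"          # matches "01/Mar/2018:10:58:43 -0500"
FAILED_TYPES = {"AuthReject", "AuthAttempt"}  # the event types the post's table shows for failed logins


@dataclass(frozen=True)
class AuditRecord:
    access_type: str
    policy_server: str
    timestamp: datetime
    ip_address: str      # the agent's IP, not the end user's (see the table above)
    username: str        # the claimed identity; unverified on a failed event
    agent_name: str
    http_request: str
    resource: str
    transaction_id: str
    reason: str
    status: str


def parse_record(line: str) -> AuditRecord:
    """Split one pipe-delimited record (assumed layout) into an AuditRecord."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    values = dict(zip(FIELDS, parts))
    values["timestamp"] = datetime.strptime(values["timestamp"], TIME_FORMAT)
    return AuditRecord(**values)


def parse_log(text: str) -> list:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def _failures(records):
    return sorted((r for r in records if r.access_type in FAILED_TYPES),
                  key=lambda r: r.timestamp)


def flag_password_guessing(records, window_seconds: int, threshold: int) -> dict:
    """Claimed usernames with >= threshold failed logins inside any sliding window.
    Keyed on the username because the IP field identifies the agent, not the
    client, so it cannot attribute the attempts to a source."""
    window = timedelta(seconds=window_seconds)
    by_user = defaultdict(list)
    for r in _failures(records):
        by_user[r.username].append(r.timestamp)
    flagged = {}
    for user, times in by_user.items():
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged


def flag_username_spraying(records, window_seconds: int, threshold: int) -> dict:
    """(agent name, agent IP) pairs that saw failures for >= threshold distinct
    claimed usernames inside any window: many identities tried through one agent."""
    window = timedelta(seconds=window_seconds)
    by_agent = defaultdict(list)
    for r in _failures(records):
        by_agent[(r.agent_name, r.ip_address)].append((r.timestamp, r.username))
    flagged = {}
    for agent, events in by_agent.items():
        best = 0
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            best = max(best, len(users))
        if best >= threshold:
            flagged[agent] = best
    return flagged


def find_transaction(records, transaction_id: str):
    """Locate the record for a transaction ID so it can be traced into other SMPS logs."""
    return next((r for r in records if r.transaction_id == transaction_id), None)


# Constructed sample: the post's three rows plus five invented follow-on events.
SAMPLE_LOG = """\
AzAccept|MY_POLICY_SERVER|01/Mar/2018:10:58:43 -0500|10.242.60.178|cn=me,dc=ca,dc=com|sps|GET|/|128a02f2-792b6d99-5985f8d6-e47bc71d-4df5af6a-509||
AuthReject|MY_POLICY_SERVER|01/Mar/2018:10:58:43 -0500|10.242.60.178|cn=me,dc=ca,dc=com|sps|GET|/|0|Invalid credentials|
AuthAttempt|MY_POLICY_SERVER|01/Mar/2018:10:58:43 -0500|10.242.60.178|cn=hacker,dc=hack,dc=com|sps|GET|/|0||
AuthReject|MY_POLICY_SERVER|01/Mar/2018:10:58:44 -0500|10.242.60.178|cn=me,dc=ca,dc=com|sps|GET|/|0|Invalid credentials|
AuthReject|MY_POLICY_SERVER|01/Mar/2018:10:58:45 -0500|10.242.60.178|cn=me,dc=ca,dc=com|sps|GET|/|0|Invalid credentials|
AuthAttempt|MY_POLICY_SERVER|01/Mar/2018:10:58:50 -0500|10.242.60.178|cn=admin,dc=ca,dc=com|sps|GET|/|0||
AuthReject|MY_POLICY_SERVER|01/Mar/2018:10:58:55 -0500|10.242.60.178|cn=bob,dc=ca,dc=com|sps|GET|/|0|Invalid credentials|
AuthReject|MY_POLICY_SERVER|01/Mar/2018:11:30:00 -0500|10.242.60.9|cn=me,dc=ca,dc=com|sps|GET|/|0|Invalid credentials|
"""

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("password guessing:", flag_password_guessing(records, 300, 3))
    print("username spraying:", flag_username_spraying(records, 300, 3))
    print("trace:", find_transaction(records, "128a02f2-792b6d99-5985f8d6-e47bc71d-4df5af6a-509"))
```

On the sample, cn=me is flagged for three failures inside five minutes (the later failure from the second agent falls outside the window), and the sps agent at 10.242.60.178 is flagged for failures against four distinct claimed usernames. Because the IP column is the agent's address, attributing a burst to a client means joining these events with the agent or web server's own access logs; the transaction ID is the handle the post gives for that join, and the sample shows it is only populated on the accepted request.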

Outcomes