Syslog

Article Summary

Syslog messages are sent over UDP on port 514 and are at most 1024 bytes in size.

Notification Format

All Syslog messages follow a fixed format. An example of a message in Syslog format:

<13>1 2018-06-18T17:49:41-03:00 vm-machine senhasegura 1426 - Successfully authenticated.

This message can be divided into two parts: Header and Values.

The header is made up of the date, time, hostname, and senhasegura identification, indicating that the message is specific to the solution.

The values carry additional event information in the format key = value.

  • <13>1: PRI
  • 2018-06-18T17:49:41-03:00: TIMESTAMP
  • vm-machine: HOSTNAME
  • senhasegura: APP-NAME
  • 1426: PROCID
  • Successfully authenticated.: MSGID

Priorities

Priority (PRI) levels are categorized according to the severity levels defined by the Syslog standard:

Priority | Criticality   | Keyword | Description                                                  | Examples
---------|---------------|---------|--------------------------------------------------------------|---------------------------------------------------------------------------------------
0        | Emergency     | emerg   | The system is unusable                                       | This level should not be used by applications.
1        | Alert         | alert   | Some action should be taken immediately                      | Loss of the primary ISP connection.
2        | Critical      | crit    | Critical conditions                                          | A failure in the system's primary application.
3        | Error         | err     | Error conditions                                             | An application has exceeded its file storage limit, and attempts to write are failing.
4        | Warning       | warning | May indicate that an error will occur if action is not taken | A non-root file system has only 2 GB remaining.
5        | Notice        | notice  | Abnormal events, but not in an error condition               |
6        | Informational | info    | Normal operation messages, which do not require action       | An application has started, paused, or ended successfully.
7        | Debug         | debug   | Debug messages                                               |

The events configured in Syslog are:

ID  | Origin | Priority    | Name                                               | Description
----|--------|-------------|----------------------------------------------------|------------------------------------------------------------------------------------------------
1   | COSE   | notice(5)   | Password viewed                                    | A password has been viewed by a user.
2   | COSE   | notice(5)   | Password changed                                   | A password has been manually changed by a user.
3   | COSE   | notice(5)   | Password expired                                   | A password has expired and cannot be automatically changed.
4   | COSE   | notice(5)   | Password daily summary                             | Daily status of credential usage.
5   | COSG   | notice(5)   | Information viewed                                 | Protected information has been viewed by a user.
6   | COSG   | notice(5)   | Information changed                                | Protected information has been changed by a user.
7   | COSG   | notice(5)   | Information expired                                | Protected information has expired.
8   | COEQ   | warning(4)  | Loss of connectivity                               | The application has lost connectivity with a device.
9   | COEQ   | notice(5)   | Reestablished connectivity                         | The application was able to connect to a device that was without connectivity.
10  | COAU   | warning(4)  | Command detected - Low Urgency                     | An audited command of low criticality was detected.
11  | COAU   | error(3)    | Command detected - Medium Urgency                  | An audited command of medium criticality was detected.
12  | COAU   | critical(2) | Command detected - High Urgency                    | An audited command of high criticality was detected.
13  | COAC   | notice(5)   | New request                                        | A user has requested access to a password.
14  | COAC   | notice(5)   | Request approved                                   | A password access request has been approved.
15  | COAC   | notice(5)   | Request disapproved                                | A password access request has been disapproved.
16  | COSS   | notice(5)   | Session started                                    | A user has logged in.
17  | COSS   | notice(5)   | Session finished                                   | A user has ended a session.
18  | COBA   | notice(5)   | Backup performed                                   | The backup was performed correctly.
19  | COBA   | error(3)    | Error on backup                                    | An error occurred while backing up.
20  | COTR   | error(3)    | Error on change                                    | An error occurred while changing a password.
21  | COTR   | notice(5)   | Change executed                                    | The password was successfully changed.
22  | CORE   | info(6)     | Password confirmed                                 | Reconciliation validated the password.
23  | CORE   | error(3)    | Invalid password                                   | The password stored in the vault is not valid.
24  | COTR   | info(6)     | Activation executed                                | The user was activated successfully.
25  | COTR   | error(3)    | Error on activation                                | An error occurred while activating the user.
26  | CONO   | info(6)     | Change password daily report                       | Validation of password changes.
27  | CONO   | warning(4)  | Low disk space - Low Urgency                       | Reaching 70 % of total disk space.
28  | CONO   | error(3)    | Low disk space - Medium Urgency                    | Reaching 80 % of total disk space.
29  | CONO   | alert(1)    | Low disk space - High Urgency                      | Reaching 90 % of total disk space.
30  | CONO   | info(6)     | Disk space - Daily notification                    | Daily disk space status.
31  | COSS   | warning(4)  | Command detected - Block and interrupt session     | An audited command, configured as prohibited and subject to session interruption, was executed.
32  | COSS   | notice(5)   | Command detected - Block                           | An audited command, configured as prohibited, has been executed.
33  | COSS   | info(6)     | Command detected - Allow                           | An audited command has been executed.
34  | COSS   | notice(5)   | Session file modified                              | A session file has been modified.
35  | COSE   | notice(5)   | Credential owner configuration                     | Credential owner set.
36  | COAT   | notice(5)   | Audit trail                                        | Audit trail.
37  | AUTH   | notice(5)   | Authentication messages                            | senhasegura.go authentication messages.
38  | CONO   | warning(4)  | CPU usage - High                                   | CPU utilization by the application is high.
39  | CONO   | critical(2) | CPU usage - Critical                               | CPU utilization by the application is at a critical level.
40  | CONO   | warning(4)  | Memory usage - High                                | Memory consumption by the application is high.
41  | CONO   | critical(2) | Memory usage - Critical                            | Memory consumption by the application is at a critical level.
42  | COOF   | info(6)     | Application started                                | The application senhasegura.go started.
43  | COOF   | info(6)     | Application completed                              | The application senhasegura.go terminated.
44  | COOF   | info(6)     | Credential use for network access                  | A credential was used for network access.
45  | COOF   | info(6)     | New senhasegura.go version                         | A new version of senhasegura.go is available.
46  | COOF   | notice(5)   | senhasegura.go version approved                    | A version of senhasegura.go has been approved.
47  | COOF   | warning(4)  | senhasegura.go version disabled                    | A version of senhasegura.go is inactive.
48  | COOF   | notice(5)   | Download of senhasegura.go version performed       | A version of senhasegura.go has been downloaded.
49  | COOF   | notice(5)   | senhasegura.go version installed                   | A version of senhasegura.go has been installed.
50  | CRTC   | notice(5)   | Certificate expiration alert: 30 days              | Some certificates will expire within 30 days.
51  | CRTC   | warning(4)  | Certificate expiration alert: 7 days               | Some certificates will expire in seven days.
52  | CRTC   | error(3)    | Certificate expiration alert: 1 day                | Some certificates will expire in one day.
53  | CRTC   | notice(5)   | Certificate creation                               | A certificate has been created.
54  | CRTC   | notice(5)   | Certificate renewal                                | A certificate has been renewed.
55  | CRTC   | notice(5)   | Certificate revocation                             | A certificate has been revoked.
56  | COSS   | info(6)     | Session indexed text                               | A text has been indexed.
57  | COSS   | info(6)     | Generate video for download                        | A video has been generated for download.
58  | CRTC   | notice(5)   | Request password view                              | A request's password has been seen.
59  | CRTC   | notice(5)   | Certificate password view                          | A certificate's password has been seen.
60  | COOF   | notice(5)   | Workstation approved                               | A workstation has been approved to use senhasegura.go.
61  | COOF   | notice(5)   | Workstation registration                           | A workstation has requested senhasegura.go usage.
62  | COOF   | notice(5)   | User created                                       | A new workstation user has been approved to use senhasegura.go.
63  | COOF   | notice(5)   | Using UAC                                          | A program has requested elevation through Microsoft UAC using senhasegura.go.
65  | COOF   | notice(5)   | View password                                      | A credential has been requested and seen using senhasegura.go.
66  | COOF   | notice(5)   | Copy password                                      | A credential has been requested and copied using senhasegura.go.
67  | COOF   | notice(5)   | Runas executed                                     | A program has been executed using senhasegura.go.
68  | COOF   | notice(5)   | Macro executed                                     | A user automation has been executed using senhasegura.go.
69  | COOF   | notice(5)   | Control panel executed                             | A control panel applet has been executed using senhasegura.go.
70  | COOF   | notice(5)   | Network adapter executed                           | A network adapter has been requested using senhasegura.go.
71  | COOF   | notice(5)   | Network share                                      | A network folder has been accessed using senhasegura.go.
72  | COOF   | notice(5)   | senhasegura.go uninstalled                         | senhasegura.go has been uninstalled by user decision.
73  | COOF   | notice(5)   | senhasegura.go goes online                         | senhasegura.go has gone online by user decision.
74  | COOF   | notice(5)   | senhasegura.go goes offline                        | senhasegura.go has gone offline by user decision.
75  | COOF   | notice(5)   | senhasegura.go alert                               | senhasegura.go has sent an alert. A situation on a workstation needs attention and can affect senhasegura.go usage.
76  | CRTC   | notice(5)   | Certificate expiration warning: 90 days            | Some certificates will expire within 90 days.
77  | CRTC   | notice(5)   | Certificate expiration warning: 60 days            | Some certificates will expire within 60 days.
78  | CRTC   | notice(5)   | Certificate expiration warning: 15 days            | Some certificates will expire within 15 days.
79  | CRTC   | notice(5)   | Certificate expiration alert: Today                | Some certificates will expire today.
80  | CRTC   | notice(5)   | Certificate link with device                       | A certificate was linked to a device.
81  | CRTC   | notice(5)   | Download                                           | A user has downloaded a certificate.
82  | CRTC   | notice(5)   | Request management                                 | A request was approved or denied.
83  | CRTC   | notice(5)   | Publication profile management                     | A publication profile was created or changed.
84  | CRTC   | notice(5)   | Certificate management                             | An action was performed on a certificate.
85  | COOF   | notice(5)   | Error retrieving credentials                       | An error occurred when retrieving credentials.
86  | USBH   | notice(5)   | Accesses at unusual time                           | Some accesses occurred at an unusual time.
87  | USBH   | notice(5)   | Access with unusual average length                 | An access occurred with an unusual average length.
88  | USBH   | notice(5)   | Unusual accesses                                   | A user has accessed an unusual target.
89  | COOF   | notice(5)   | Directory and file scan - Inclusion                | A file has been found in the directory scan.
90  | COOF   | notice(5)   | Directory and file scan - Exclusion                | A file has been removed from the directory scan.
91  | COOF   | notice(5)   | Directory and file scan - Change                   | A file has been changed in the directory scan.
92  | COBA   | alert(1)    | Ceremony process started                           | The master key ceremony has started.
93  | COBA   | alert(1)    | User has seen his part of the key                  | A user saw his part of the master key.
94  | COBA   | alert(1)    | User downloaded the PDF with his part of the key   | A user downloaded the PDF with his part of the master key.
95  | COBA   | alert(1)    | Ceremony process completed                         | The master key ceremony was completed.
96  | COSS   | notice(5)   | Video scheduled for download                       | A video was scheduled for download.
97  | CODS   | alert(1)    | User downloaded the PDF with system dashboard      | A user downloaded the PDF with the system dashboard.
98  | DOMU   | notice(5)   | New location                                       | A user logged in from a new location.
99  | DOMU   | notice(5)   | Unexpected location                                | A user logged in from an unexpected location.
100 | CLOD   | notice(5)   | IAM session without owner                          | A credential was used for a session by a user that is not the owner of the credential.
101 | CLOD   | notice(5)   | IAM key view without owner                         | A credential was viewed by a user that is not the owner of the credential.
102 | COBA   | error(3)    | Failed recovery attempt                            | The recovery attempt failed.
103 | COBA   | error(3)    | Successful recovery attempt                        | The recovery attempt was successful.
112 | DOMU   | error(3)    | Domum health check                                 | The communication between the Safe and Domum cloud services was verified.
118 | USBH   | notice(5)   | Access unusual target                              | A user accessed an unusual target.
119 | USBH   | notice(5)   | Access unusual credential                          | A user accessed an unusual credential.
120 | USBH   | notice(5)   | View unusual origin                                | A user accessed a credential from an unusual origin.
121 | USBH   | notice(5)   | View unusual credential                            | A user viewed an unusual credential.

Orbit Alerts

ID      | Origin | Priority | Name                         | Description
--------|--------|----------|------------------------------|-----------------------------------
336.001 | Orbit  | alert(1) | Orbit task create            | Orbit task creation
336.002 | Orbit  | alert(1) | Orbit task execution success | Orbit task successfully executed
336.003 | Orbit  | alert(1) | Orbit task execution error   | Orbit task executed with error
336.004 | Orbit  | alert(1) | Orbit log operation          | Log operation
336.500 | Orbit  | alert(1) | Orbit alert report           | Orbit alert information
336.501 | Orbit  | alert(1) | Orbit incident report        | Orbit incident information

Other Alerts

ID       | Priority  | Name                          | Description
---------|-----------|-------------------------------|------------------------------------------------------
1695.001 | notice(5) | User login                    | User has logged in
1695.002 | notice(5) | User logout                   | User has logged out
1695.003 | notice(5) | Session expired               | User session has expired
1695.010 | notice(5) | I18N_REGISTER_TWOFACTOR_TOKEN | Two-factor authentication token has been registered
1695.011 | notice(5) | I18N_VALIDATE_TWOFACTOR_TOKEN | Two-factor authentication token has been validated
1695.012 | notice(5) | I18N_VALIDATE_TWOFACTOR_TOKEN | Two-factor authentication token has been validated
1695.013 | notice(5) | I18N_DELETE_TWOFACTOR_TOKEN   | Two-factor authentication token has been deleted
1695.014 | notice(5) | I18N_DELETE_TWOFACTOR_TOKEN   | Two-factor authentication token has been deleted

Values

The message values are a set of key = value pairs separated by spaces. The keys have the same names as in the Common Event Format (CEF). The ones used by senhasegura are:

Key           | Description                                            | Events
--------------|--------------------------------------------------------|----------------------------------
act           | Method used to access                                  | All
dhost         | Device hostname affected by the event                  | 2, 3, 8, 16, 17, 20, 21
dst           | Event destination device IP                            | 2, 3, 8, 16, 17, 20, 21
duid          | ID of the credential related to the event              | 2, 3, 13, 14, 15, 16, 17, 20, 21
duser         | Username of the credential related to the event        | 2, 3, 13, 14, 15, 16, 17, 20, 21
msg           | Additional event details                               | All
requestMethod | The method used for access                             | All
sname         | Username in senhasegura that generated the event       | All
spid          | ID of the process where the event was generated        | All
spriv         | User type in senhasegura that generated the event      | All
suid          | User ID in senhasegura that generated the event        | All
suser         | Username of the user who generated the event           | All
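As an added example (not part of the senhasegura documentation), the Python parser below ties together the three sections above: it splits the header described under Notification Format, decodes PRI into facility and severity per the Priorities table (PRI = facility × 8 + severity), and extracts the CEF-named key = value pairs described here. The two sample lines, the key = value contents on them, the CEF-style rule that a value runs until the next " key=" token, and the severity threshold used by needs_attention are constructed assumptions; the header layout follows the page's own example message.

```python
# Added example, not from the senhasegura documentation: parse the Syslog
# notification format described on this page and triage by PRI severity.
# Sample lines, key=value contents and the attention threshold are constructed.
import re
from dataclasses import dataclass, field

# Severity keywords in PRI order, as listed in the Priorities table.
SEVERITY_KEYWORDS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Header as on the page: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then the message.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+)\s+(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+"
    r"(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)(?:\s+(?P<body>.*))?$"
)
# key=value pairs separated by spaces. A value runs until the next " key=" token,
# so a value such as msg=... may itself contain spaces (CEF-style; an assumption).
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    severity_keyword: str
    timestamp: str
    hostname: str
    app: str
    procid: str
    msgid: str
    text: str                                   # free-text part of the message
    values: dict = field(default_factory=dict)  # CEF-named key=value pairs


def decode_pri(pri: int):
    """Split PRI into (facility, severity); PRI = facility * 8 + severity, max 191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def parse_values(body: str):
    """Separate the leading free text from the trailing key=value pairs."""
    first = KV_RE.search(body)
    if first is None:
        return body.strip(), {}
    text = body[:first.start()].strip()
    values = {k: v.strip() for k, v in KV_RE.findall(body[first.start():])}
    return text, values


def parse_event(line: str) -> SyslogEvent:
    """Parse one notification line; raises ValueError on a malformed header or PRI."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a Syslog header: {line!r}")
    facility, severity = decode_pri(int(m["pri"]))
    text, values = parse_values(m["body"] or "")
    return SyslogEvent(facility, severity, SEVERITY_KEYWORDS[severity], m["timestamp"],
                       m["hostname"], m["app"], m["procid"], m["msgid"], text, values)


def needs_attention(event: SyslogEvent, max_severity: int = 2) -> bool:
    """True for emerg/alert/crit (severity 0-2) by default; the threshold is an assumption."""
    return event.severity <= max_severity


def triage(lines):
    """Return (severity keyword, message text, suser) for every line that needs attention."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        if needs_attention(ev):
            flagged.append((ev.severity_keyword, ev.text, ev.values.get("suser")))
    return flagged


# Constructed sample lines. The first reuses the page's example message (<13> = facility 1,
# severity 5 notice); the second imitates event 12 "Command detected - High Urgency" at
# critical(2), i.e. <10>. The appended key=value pairs are made up for the example.
SAMPLE_LINES = [
    "<13>1 2018-06-18T17:49:41-03:00 vm-machine senhasegura 1426 - Successfully authenticated. "
    "suser=jdoe suid=42 act=web requestMethod=POST",
    "<10>1 2018-06-18T17:52:03-03:00 vm-machine senhasegura 1426 - Command detected - High Urgency "
    "suser=jdoe duser=root dhost=db01 dst=10.0.0.5 msg=Audited high criticality command detected",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_event(line)
        print(f"{ev.severity_keyword:7} {ev.hostname} {ev.app}[{ev.procid}] {ev.text} {ev.values}")
    print("needs attention:", triage(SAMPLE_LINES))
```

Because the free text precedes the key = value pairs, parse_values cuts the body at the first "key=" token; anything after that point is treated as CEF-style pairs, so a free-text message that itself contains "word=" would be mis-split, which is the usual caveat with this style of extension parsing.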
