Syslog
  • 6 minutes to read
  • Dark
    Light
  • PDF

Syslog

  • Dark
    Light
  • PDF

Article summary

Syslog messages are based on UDP protocol through port 514 and are a maximum of 1024 bytes in size.

Notification Format

All Syslog messages follow a specific format. An example of a message in Syslog format may be:

2018-06-18T17:49:41-03:00 vm-machine senhasegura 
1426 - Successfully authenticated.

This message can be divided into two parts: Header and Values.

The header is made up of date, time, hostname, and senhasegura ID information, indicating that the message is solution specific.

The values present additional event information in the format key = value.

  • <13>1: PRI

  • 218-06-18T17:49:41-03:00: TIMESTAMP

  • vm-machine: HOSTNAME

  • senhasegura_: AAP-NAME

  • _1426: PROCID

  • Successfully authenticated.: MSGID

Priorities

Priority types (PRI) are categorized according to their priority in the Syslog pattern:

PriorityCriticalityKeywordDescriptionExamples
0EmergencyemergThe system is unusableThis level should not be used by applications.
1AlertalertSome action should be taken immediately.Loss of the primary ISP connection.
2CriticalcritCritical ConditionsA failure in the system’s primary application.
3ErrorerrError ConditionsAn application has exceeded its file storage limit, and attempts to write are failing.
4WarningwarningMay indicate that an error will occur if action is not takenA non-root file system has only 2GB remaining.
5NoticenoticeAbnormal events, but not in an error condition
6InformationalinfoNormal operation messages, which do not require actionAn application has started, paused, or ended successfully.
7DebugdebugDebug Messages.

The events configured in SYSLOG are:

IDOriginPriorityNameDescription
1COSEnotice(5)Password ViewedA password has been viewed by a user.
2COSEnotice(5)Password changedA password has been manually changed by a user.
3COSEnotice(5)Password ExpiredA password has expired and cannot be automatically changed.
4COSEnotice(5)Password daily summaryStatus concerning credentials daily usage
5COSGnotice(5)Information viewedProtected information is viewed by a user.
6COSGnotice(5)Information changedProtected information has been changed by a user.
7COSGnotice(5)Information expiredProtected information has expired.
8COEQwarning(4)Lost of connectivityThe application has lost connectivity with a device.
9COEQnotice(5)Reestablished ConnectivityThe application was able to connect to a device that was without connectivity.
10COAUwarning(4)Command detected - Low UrgencyAn audited low criticality command was detected.
11COAUerror(3)Command detected - Medium UrgencyAn audited command of medium criticality was detected.
12COAUcritical(2)Command detected - High UrgencyA highly critical audited command has been detected.
13COACnotice(5)New requestA user has requested access to a password.
14COACnotice(5)Request approvedA password access request has been approved.
15COACnotice(5)Request DisapprovedA password access request has been disapproved.
16COSSnotice(5)Session startedA user has logged in.
17COSSnotice(5)Session finishedA user has ended a session.
18COBAnotice(5)Backup performedThe backup was performed correctly.
19COBAerror(3)Error on backupAn error occurred while backing up.
20COTRerror(3)Error on changeAn error occurred while changing a password.
21COTRnotice(5)Change ExecutedThe password was successfully changed.
22COREinfo(6)Password confirmedReconciliation validated the password.
23COREerror(3)Invalid passwordThe password stored in the vault is not valid.
24COTRinfo(6)Activation executedUser is active successfully.
25COTRerror(3)Error on activationAn error occurred while activating the user.
26CONOinfo(6)Change password daily reportValidation of password changes.
27CONOwarning(4)Low disk space - Low UrgencyReaching 70 % of total disk space.
28CONOerror(3)Low disk space - Medium UrgencyWhen you reach 80 % of the total disk space.
29CONOalert(1)Low disk space - High UrgencyReaching 90 % of total disk space.
30CONOinfo(6)Space disk - Daily notificationDaily Disk Space Status.
31COSSwarning(4)Command detected - Block and interrupt sessionAn audited command, configured as prohibited and subject to session interruption, was executed.
32COSSnotice(5)Command detected - BlockAn audited command, set to prohibited, has been executed.
33COSSinfo(6)Command detected - AllowAn audited command has been executed.
34COSSnotice(5)Session file modifiedA session file has been modified.
35COSEnotice(5)Credential Owner configurationCredential owner set.
36COATnotice(5)Audit trailAudit trail.
37AUTHnotice(5)Authentication messagessenhasegura.go Authentication Messages.
38CONOwarning(4)CPU Usage - HighCPU utilization by application is high.
39CONOcritical(2)CPU Usage - CriticalCPU utilization by application is at a critical level.
40CONOwarning(4)Memory Usage - HighMemory consumption by application is high.
41CONOcritical(2)Memory Usage - CriticalMemory consumption by application is at a critical level.
42COOFinfo(6)Application startedThe application senhasegura.go started.
43COOFinfo(6)Application completedThe application senhasegura.go terminated.
44COOFinfo(6)Credential use for network accessA credential was used for network access.
45COOFinfo(6)New senhasegura.go versionThere is a new version of senhasegura.go available.
46COOFnotice(5)senhasegura.go version approvedThere is a version of senhasegura.go approved.
47COOFwarning(4)senhasegura.go version disabledThere is an inactive version of senhasegura.go.
48COOFnotice(5)Download of senhasegura.go version performedA version of senhasegura.go has been downloaded.
49COOFnotice(5)senhasegura.go version installedA version of senhasegura.go has been installed.
50CRTCnotice(5)Certificate expiration alert: 30 daysSome certificates will expire until 30 days.
51CRTCwarning(4)Certificate expiration alert: 7 daysSome certificates will expire in seven days.
52CRTCerror(3)Certificate expiration alert: 1 daySome certificates will expire in one day.
53CRTCnotice(5)Certificate creationA certificate has been created.
54CRTCnotice(5)Certificate renewalA certificate has been renewed.
55CRTCnotice(5)Certificate revocationA certificate has been revoked.
56COSSinfo(6)Session indexed textA text has been indexed.
57COSSinfo(6)Generate video for downloadA video has been generated for download.
58CRTCnotice(5)Request password viewA request’s password has been seen.
59CRTCnotice(5)Certificate password viewA certificate’s password has been seen.
60COOFnotice(5)Workstation approvedA workstation has been approved to use senhasegura.go.
61COOFnotice(5)Workstation registrationA workstation has requested senhasegura.go usage.
62COOFnotice(5)User createdA new workstation user has been approved to use senhasegura.go.
63COOFnotice(5)Using AUCA program has requested elevation using Microsoft UAC using senhasegura.go.
65COOFnotice(5)View passwordA credential has been requested and seen using senhasegura.go.
66COOFnotice(5)Copy passwordA credential has been requested and copied using senhasegura.go.
67COOFnotice(5)Runas executedA program has been executed using senhasegura.go.
68COOFnotice(5)Macro executedA user automation has been executed using senhasegura.go.
69COOFnotice(5)Control panel executedA control panel applet has been executed using senhasegura.go.
70COOFnotice(5)Network adapter executedA network adapter has been requested using senhasegura.go.
71COOFnotice(5)Network shareA network folder has been accessed using senhasegura.go.
72COOFnotice(5)senhasegura.go uninstalledsenhasegura.go has been uninstalled by user decision.
73COOFnotice(5)senhasegura.go goes onlinesenhasegura.go has turned online by user decision.
74COOFnotice(5)senhasegura.go goes offlinesenhasegura.go has turned offline by user decision.
75COOFnotice(5)senhasegura.go alertsenhasegura.go has sent an alert. A situation in a workstation needs attention and can affect senhasegura.go usage.
76CRTCnotice(5)Certificate expiration warning: 90 daysSome certificates will expire until 90 days.
77CRTCnotice(5)Certificate expiration warning: 60 daysSome certificates will expire until 60 days.
78CRTCnotice(5)Certificate expiration warning: 15 daysSome certificates will expire until 15 days.
79CRTCnotice(5)Certificate expiration alert: TodaySome certificates will expire today.
80CRTCnotice(5)Certificate link with deviceA certificate was linked to a device.
81CRTCnotice(5)DownloadA user has downloaded a certificate.
82CRTCnotice(5)Request ManagementA request was approved or denied. 
83CRTCnotice(5)Publication Profile ManagementA publication profile was created or changed.
84CRTCnotice(5)Certificate ManagementAn action was performed in a certificate. 
85COOFnotice(5)Error retrieving credentialsAn error occurred when retrieving credentials.
86USBHnotice(5)Accesses at unusual timeSome accesses occurred at an unusual time.
87USBHnotice(5)Access with unusual average lengthAccess occurred with unusual average length.
88USBHnotice(5)Unusual accessesA user has accessed an unusual target.
89COOFnotice(5)Directory and file scan - InclusionA file has been found in the directory scan.
90COOFnotice(5)Directory and file scan - ExclusionA file has been removed from the directory scan.
91COOFnotice(5)Directory and file scan - ChangeA file has been changed in the directory scan.
92COBAalert(1)Ceremony process started    
The master key ceremony has started.
93
COBA
alert(1)User has seen his part of the key
A user saw his part of the master key.
94
COBA
alert(1)User downloaded the PDF with his part of the key
A user downloaded the PDF with his part of the master key.
95
COBA
alert(1)Ceremony process completed
The master key ceremony was completed.
96
COSS
notice(5)Video scheduled for download
Video scheduled for download.
97
CODS
alert(1)User downloaded the PDF with system dashboard.  
A user downloaded the PDF with the system dashboard.
98
DOMU
notice(5)New location
A user logged in from a new location.
99
DOMU
notice(5)Unexpected location
A user logged in from an unexpected location.
100
CLOD
notice(5)IAM session without owner A credential was used for a session by a user that is not the owner of the credential.
101CLODnotice(5)
IAM key view without owner
A credential was viewed by a user that is not the owner of the credential.
102
COBAerror(3)Failed recovery attemptThe recovery attempt failed.
103COBAerror(3)Successful recovery attemptThe recovery attempt was successful.
112
DOMUerror(3)Domum health check
The communication between the Safe and Domum cloud services was verified.  
118
USBHnotice(5)Access unusual targetA user accessed an unusual target.
119
USBHnotice(5)Access unusual credentialA user accessed an unusual credential.
120
USBHnotice(5)View unusual originA user accessed a credential from an unusual origin.
121
USBHnotice(5)View unusual credentialA user viewed an unusual credential. 

Orbit Alerts

IDOriginPriorityNameDescription
336.001Orbitalert(1)Orbit task createOrbit task creation
336.002Orbitalert(1)Orbit task execution successOrbit task successfully executed
336.003Orbitalert(1)Orbit task execution errorOrbit task executed with error
336.004Orbitalert(1)Orbit log operationLog operation
336.500Orbitalert(1)Orbit alert reportOrbit Alert Information
336.501Orbitalert(1)Orbit incident reportOrbit Incident Information

Other Alerts

IDPriorityNameDescription
1695.001notice(5)User loginUser has logged in
1695.002notice(5)User logoutUser has logged out
1695.003notice(5)Session expiredUser session has expired
1695.010notice(5)I18N_REGISTER_TWOFACTOR_TOKENTwo-factor authentication token has been registered
1695.011notice(5)I18N_VALIDATE_TWOFACTOR_TOKENTwo-factor authentication token has been validated
1695.012notice(5)I18N_VALIDATE_TWOFACTOR_TOKENTwo-factor authentication token has been validated
1695.013notice(5)I18N_DELETE_TWOFACTOR_TOKENTwo-factor authentication token has been deleted
1695.014notice(5)I18N_DELETE_TWOFACTOR_TOKENTwo-factor authentication token has been deleted

Values

The message value is a set in key = value format, separated by spaces. The keys have the same name as the Common Event Format (CEF). The ones used by senhasegura are:

KeyDescriptionEvents
actMethod used to accessAll
dhostDevice hostname affected by event, 2, 3, 8, 16, 17, 20, 21
dstEvent Destination Device IP, 2, 3, 8, 16, 17, 20, 21
duidEvent related credential ID, 2, 3, 13, 14, 15, 16, 17, 20,21
duserEvent related credential username, 2, 3, 13, 14, 15, 16, 17, 20,21
KeyDescriptionEvents
msgAdditional Event DetailsAll
requestMethodThe method used for accessAll
snameUsername in the senhasegura that generated the eventAll
spidThe ID of the process where the event was generatedAll
sprivUser type in senhasegura that generated the eventAll
suidUser ID in the senhasegura that generated the eventAll
suserUsername of the user who generated the eventAll

Was this article helpful?

What's Next