Appendix E. Audit events

Common fields:
- Outcome: "Success" or "Failure"
- SubjectID: The UID of the user responsible for the operation
    "$System$" or "SYSTEM" if system-initiated operation (e.g. log signing).
Required Audit Events
Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
Description: This event is used when access session failed to establish.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- ClientIP: Client IP address.
- ServerIP: Server IP address.
- SubjectID: Client certificate subject DN.
- Outcome: Failure
- Info: Failure reason.
Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success]
Description: This event is used when access session was established successfully.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- ClientIP: Client IP address.
- ServerIP: Server IP address.
- SubjectID: Client certificate subject DN.
- Outcome: Success
Event: ACCESS_SESSION_TERMINATED
Description: This event is used when access session was terminated.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- ClientIP: Client IP address.
- ServerIP: Server IP address.
- SubjectID: Client certificate subject DN.
- Info: The TLS Alert received from NSS
- Outcome: Success
- Info: The TLS Alert received from NSS
Event: AUDIT_LOG_SIGNING
Description: This event is used when a signature on the audit log is generated (same as "flush" time).
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID: Predefined to be "$System$" because this operation
    associates with no user.
- Outcome: Success
- sig: The base-64 encoded signature of the buffer just flushed.
Event: AUDIT_LOG_STARTUP
Description: This event is used at audit function startup.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID: $System$
- Outcome:
Event: AUTH with [Outcome=Failure]
Description: This event is used when authentication fails.
  In case of SSL-client auth, only webserver env can pick up the SSL violation.
  CS authMgr can pick up certificate mismatch, so this event is used.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome: Failure
    (obviously, if authentication failed, you won't have a valid SubjectID, so
    in this case, SubjectID should be $Unidentified$)
- AuthMgr: The authentication manager instance name that did
    this authentication.
- AttemptedCred: The credential attempted and failed.
Event: AUTH with [Outcome=Success]
Description: This event is used when authentication succeeded.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID: id of user who has been authenticated
- Outcome: Success
- AuthMgr: The authentication manager instance name that did
    this authentication.
Event: AUTHZ with [Outcome=Failure]
Description: This event is used when authorization has failed.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID: id of user who has failed to be authorized for an action
- Outcome: Failure
- aclResource: The ACL resource ID as defined in ACL resource list.
- Op: One of the operations as defined with the ACL statement
   e.g. "read" for an ACL statement containing "(read,write)".
- Info:
Event: AUTHZ with [Outcome=Success]
Description: This event is used when authorization is successful.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID: id of user who has been authorized for an action
- Outcome: Success
- aclResource: The ACL resource ID as defined in ACL resource list.
- Op: One of the operations as defined with the ACL statement
    e.g. "read" for an ACL statement containing "(read,write)".
Event: CERT_PROFILE_APPROVAL
Description: This event is used when an agent approves/disapproves a certificate profile set by the
  administrator for automatic approval.
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID: id of the CA agent who approved the certificate enrollment profile
- Outcome:
- ProfileID: One of the profiles defined by the administrator
    and to be approved by an agent.
- Op: "approve" or "disapprove".
Event: CERT_REQUEST_PROCESSED
Description: This event is used when certificate request has just been through the approval process.
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID: The UID of the agent who approves, rejects, or cancels
    the certificate request.
- Outcome:
- ReqID: The request ID.
- InfoName: "certificate" (in case of approval), "rejectReason"
    (in case of reject), or "cancelReason" (in case of cancel)
- InfoValue: The certificate (in case of success), a reject reason in
    text, or a cancel reason in text.
- CertSerialNum:
Event: CERT_SIGNING_INFO
Description: This event indicates which key is used to sign certificates.
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID: $System$
- Outcome: Success
- SKI: Subject Key Identifier of the certificate signing certificate
- AuthorityID: (applicable only to lightweight CA)
Event: CERT_STATUS_CHANGE_REQUEST
Description: This event is used when a certificate status change request (e.g. revocation)
  is made (before approval process).
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID: id of uer who performed the action
- Outcome:
- ReqID: The request ID.
- CertSerialNum: The serial number (in hex) of the certificate to be revoked.
- RequestType: "revoke", "on-hold", "off-hold"
Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED
Description: This event is used when certificate status is changed (revoked, expired, on-hold,
  off-hold).
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID: The UID of the agent that processed the request.
- Outcome:
- ReqID: The request ID.
- RequestType: "revoke", "on-hold", "off-hold"
- Approval: "complete", "rejected", or "canceled"
    (note that "complete" means "approved")
- CertSerialNum: The serial number (in hex).
- RevokeReasonNum: One of the following number:
    reason number       reason
    --------------------------------------
    0              Unspecified
    1              Key compromised
    2              CA key compromised (should not be used)
    3              Affiliation changed
    4              Certificate superceded
    5              Cessation of operation
    6              Certificate is on-hold
- Info:
Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
Description: This event is when access session failed to establish when Certificate System acts as client.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- ClientHost: Client hostname.
- ServerHost: Server hostname.
- ServerPort: Server port.
- SubjectID: SYSTEM
- Outcome: Failure
- Info:
Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Success]
Description: This event is used when access session was established successfully when
  Certificate System acts as client.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- ClientHost: Client hostname.
- ServerHost: Server hostname.
- ServerPort: Server port.
- SubjectID: SYSTEM
- Outcome: Success
Event: CLIENT_ACCESS_SESSION_TERMINATED
Description: This event is used when access session was terminated when Certificate System acts as client.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- ClientHost: Client hostname.
- ServerHost: Server hostname.
- ServerPort: Server port.
- SubjectID: SYSTEM
- Outcome: Success
- Info: The TLS Alert received from NSS
Event: CMC_REQUEST_RECEIVED
Description: This event is used when a CMC request is received.
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID: The UID of user that triggered this event.
    If CMC requests is signed by an agent, SubjectID should
    be that of the agent.
    In case of an unsigned request, it would bear $Unidentified$.
- Outcome:
- CMCRequest: Base64 encoding of the CMC request received
Event: CMC_RESPONSE_SENT
Description: This event is used when a CMC response is sent.
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID: The UID of user that triggered this event.
- Outcome:
- CMCResponse: Base64 encoding of the CMC response sent
Event: CMC_SIGNED_REQUEST_SIG_VERIFY
Description: This event is used when agent signed CMC certificate requests or revocation requests
  are submitted and signature is verified.
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID: the user who signed the CMC request (success case)
- Outcome:
- ReqType: The request type (enrollment, or revocation).
- CertSubject: The certificate subject name of the certificate request.
- SignerInfo: A unique String representation for the signer.
Event: CMC_USER_SIGNED_REQUEST_SIG_VERIFY
Description: This event is used when CMC (user-signed or self-signed) certificate requests or revocation requests
  are submitted and signature is verified.
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID: the user who signed the CMC request (success case)
- Outcome:
- ReqType: The request type (enrollment, or revocation).
- CertSubject: The certificate subject name of the certificate request.
- CMCSignerInfo: A unique String representation for the CMC request signer.
- info:
Event: CONFIG_ACL
Description: This event is used when configuring ACL information.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID: id of administrator who performed the action
- Outcome:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
Event: CONFIG_AUTH
Description: This event is used when configuring authentication.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID: id of administrator who performed the action
- Outcome:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
    --- Password MUST NOT be logged ---
Event: CONFIG_CERT_PROFILE
Description: This event is used when configuring certificate profile
  (general settings and certificate profile).
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID: id of administrator who performed the action
- Outcome:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
Event: CONFIG_CRL_PROFILE
Description: This event is used when configuring CRL profile
  (extensions, frequency, CRL format).
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID: id of administrator who performed the action
- Outcome:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
Event: CONFIG_DRM
Description: This event is used when configuring KRA.
  This includes key recovery scheme, change of any secret component.
Applicable subsystems: KRA
Enabled by default: Yes
Fields:
- SubjectID: id of administrator who performed the action
- Outcome:
- ParamNameValPairs A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
    --- secret component (password) MUST NOT be logged ---
Event: CONFIG_OCSP_PROFILE
Description: This event is used when configuring OCSP profile
  (everything under Online Certificate Status Manager).
Applicable subsystems: OCSP
Enabled by default: Yes
Fields:
- SubjectID: id of administrator who performed the action
- Outcome:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
Event: CONFIG_ROLE
Description: This event is used when configuring role information.
  This includes anything under users/groups, add/remove/edit a role, etc.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID: id of administrator who performed the action
- Outcome:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
Event: CONFIG_SERIAL_NUMBER
Description: This event is used when configuring serial number ranges
  (when requesting a serial number range when cloning, for example).
Applicable subsystems: CA, KRA
Enabled by default: Yes
Fields:
- SubjectID: id of administrator who performed the action
- Outcome:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
Event: CONFIG_SIGNED_AUDIT
Description: This event is used when configuring signedAudit.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID: id of administrator who performed the action
- Outcome:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
Event: CONFIG_TRUSTED_PUBLIC_KEY
Description: This event is used when:
  1. "Manage Certificate" is used to edit the trustness of certificates
     and deletion of certificates
  2. "Certificate Setup Wizard" is used to import CA certificates into the
     certificate database (Although CrossCertificatePairs are stored
     within internaldb, audit them as well)
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID: ID of administrator who performed this configuration
- Outcome:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
Event: CRL_SIGNING_INFO
Description: This event indicates which key is used to sign CRLs.
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID: $System$
- Outcome:
- SKI: Subject Key Identifier of the CRL signing certificate
Event: DELTA_CRL_GENERATION
Description: This event is used when delta CRL generation is complete.
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID: $Unidentified$
- Outcome: "Success" when delta CRL is generated successfully, "Failure" otherwise.
- CRLnum: The CRL number that identifies the CRL
- Info:
- FailureReason:
Event: FULL_CRL_GENERATION
Description: This event is used when full CRL generation is complete.
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID: $System$
- Outcome: "Success" when full CRL is generated successfully, "Failure" otherwise.
- CRLnum: The CRL number that identifies the CRL
- Info:
- FailureReason:
Event: PROFILE_CERT_REQUEST
Description: This event is used when a profile certificate request is made (before approval process).
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID: The UID of user that triggered this event.
    If CMC enrollment requests signed by an agent, SubjectID should
    be that of the agent.
- Outcome:
- CertSubject: The certificate subject name of the certificate request.
- ReqID: The certificate request ID.
- ProfileID: One of the certificate profiles defined by the
    administrator.
Event: PROOF_OF_POSSESSION
Description: This event is used for proof of possession during certificate enrollment processing.
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID: id that represents the authenticated user
- Outcome:
- Info: some information on when/how it occurred
Event: OCSP_ADD_CA_REQUEST_PROCESSED
Description: This event is used when an add CA request to the OCSP Responder is processed.
Applicable subsystems: OCSP
Enabled by default: Yes
Fields:
- SubjectID: OCSP administrator user id
- Outcome: "Success" when CA is added successfully, "Failure" otherwise.
- CASubjectDN: The subject DN of the leaf CA cert in the chain.
Event: OCSP_GENERATION
Description: This event is used when an OCSP response generated is complete.
Applicable subsystems: CA, OCSP
Enabled by default: Yes
Fields:
- SubjectID: $NonRoleUser$
- Outcome: "Success" when OCSP response is generated successfully, "Failure" otherwise.
- FailureReason:
Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Failure]
Description: This event is used when a remove CA request to the OCSP Responder is processed and failed.
Applicable subsystems: OCSP
Enabled by default: Yes
Fields:
- SubjectID: OCSP administrator user id
- Outcome: Failure
- CASubjectDN: The subject DN of the leaf CA certificate in the chain.
Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Success]
Description: This event is used when a remove CA request to the OCSP Responder is processed successfully.
Applicable subsystems: OCSP
Enabled by default: Yes
Fields:
- SubjectID: OCSP administrator user id
- Outcome: "Success" when CA is removed successfully, "Failure" otherwise.
- CASubjectDN: The subject DN of the leaf CA certificate in the chain.
Event: OCSP_SIGNING_INFO
Description: This event indicates which key is used to sign OCSP responses.
Applicable subsystems: CA, OCSP
Enabled by default: Yes
Fields:
- SubjectID: $System$
- Outcome:
- SKI: Subject Key Identifier of the OCSP signing certificate
- AuthorityID: (applicable only to lightweight CA)
Event: ROLE_ASSUME
Description: This event is used when a user assumes a role.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- Role: One of the valid roles:
    "Administrators", "Certificate Manager Agents", or "Auditors".
    Note that customized role names can be used once configured.
Event: SECURITY_DOMAIN_UPDATE
Description: This event is used when updating contents of security domain
  (add/remove a subsystem).
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID: CA administrator user ID
- Outcome:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
Event: SELFTESTS_EXECUTION
Description: This event is used when self tests are run.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID: $System$
- Outcome:
Available Audit Events - Enabled by default: Yes
Event: SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST
Description: This event is used when Server-Side Keygen enrollment keygen request is made.
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- RequestID:
- ClientID:
Event: SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST_PROCESSED
Description: This event is used when a request to do Server-Side Keygen enrollment keygen has been processed
  is processed.
Applicable subsystems: KRA
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- RequestID:
- ClientID:
- FailureReason:
Event: SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST
Description: This event is used when Server-Side Keygen enrollment key retrieval request is made.
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- RequestID:
- ClientID:
Event: SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST_PROCESSED
Description: This event is used when a request to do Server-Side Keygen enrollment retrieval has been processed
  is processed.
Applicable subsystems: KRA
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- RequestID:
- ClientID:
- FailureReason:
Event: ASYMKEY_GENERATION_REQUEST
Description: This event is used when asymmetric key generation request is made.
Applicable subsystems: KRA
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- GenerationRequestID:
- ClientKeyID:
Event: ASYMKEY_GENERATION_REQUEST_PROCESSED
Description: This event is used when a request to generate asymmetric keys received by the KRA
  is processed.
Applicable subsystems: KRA
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- GenerationRequestID:
- ClientKeyID:
- KeyID:
- FailureReason:
Event: AUTHORITY_CONFIG
Description: This event is used when configuring lightweight authorities.
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
Event: CONFIG_ENCRYPTION
Description: This event is used when configuring encryption (cert settings and SSL cipher preferences).
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
Event: CONFIG_TOKEN_AUTHENTICATOR
Description: This event is used when configuring token authenticators.
Applicable subsystems: TPS
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- OP:
- Authenticator:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
    --- secret component (password) MUST NOT be logged ---
- Info: Error info for failed cases.
Event: CONFIG_TOKEN_CONNECTOR
Description: This event is used when configuring token connectors.
Applicable subsystems: TPS
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- Service: can be any of the methods offered
- Connector:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
    --- secret component (password) MUST NOT be logged ---
- Info: Error info for failed cases.
Event: CONFIG_TOKEN_MAPPING_RESOLVER
Description: This event is used when configuring token mapping resolver.
Applicable subsystems: TPS
Enabled by default: Yes
Fields:
- SubjectID: TPS administrator id
- Outcome:
- Service:
- MappingResolverID:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
    --- secret component (password) MUST NOT be logged ---
- Info: Error info for failed cases.
Event: CONFIG_TOKEN_RECORD
Description: This event is used when information in token record changed.
Applicable subsystems: TPS
Enabled by default: Yes
Fields:
- SubjectID: TPS administrator id
- Outcome:
- OP: operation to add or delete token
- TokenID: smart card unique id
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
    --- secret component (password) MUST NOT be logged ---
- Info: in general is used for capturing error info for failed cases
Event: KEY_GEN_ASYMMETRIC
Description: This event is used when asymmetric keys are generated
  such as when CA certificate requests are generated,
  e.g. CA certificate change over, renewal with new key.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- PubKey: The base-64 encoded public key material.
Event: LOG_PATH_CHANGE
Description: This event is used when log file name (including any path changes) for any of
  audit, system, transaction, or other customized log file change is attempted.
  The ACL should not allow this operation, but make sure it's written after the attempt.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID: administrator user id
- Outcome:
- LogType: "System", "Transaction", or "SignedAudit"
- toLogFile: The name (including any path changes) that the user is
    attempting to change to.
Event: RANDOM_GENERATION
Description: This event is used when a random number generation is complete.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome: "Success" when a random number is generated successfully, "Failure" otherwise.
- Info:
  - Caller: PKI code that calls the random number generator.
  - Size: Size of random number in bytes.
- FailureReason:
Event: SCHEDULE_CRL_GENERATION
Description: This event is used when CRL generation is scheduled.
Applicable subsystems: CA
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome: "Success" when CRL generation is scheduled successfully, "Failure" otherwise.
- FailureReason:
Event: SECURITY_DATA_ARCHIVAL_REQUEST
Description: This event is used when security data recovery request is made.
Applicable subsystems: KRA
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- ArchivalRequestID: The requestID provided by the CA through the connector.
    It is used to track the request through from CA to KRA.
- RequestId: The KRA archival request ID.
- ClientKeyID: The user supplied client ID associated with
    the security data to be archived.
- FailureReason:
Event: SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
Description: This event is used when user security data archive request is processed.
  This is when KRA receives and processed the request.
Applicable subsystems: KRA
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- ArchivalRequestID: The requestID provided by the CA through the connector.
    It is used to track the request through from CA to KRA.
- RequestId: The KRA archival request ID.
- ClientKeyID: The user supplied client ID associated with
    the security data to be archived.
- KeyID:
- PubKey:
- FailureReason:
Event: SECURITY_DATA_RECOVERY_REQUEST
Description: This event is used when security data recovery request is made.
Applicable subsystems: KRA
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- RecoveryID: The recovery request ID.
- DataID: The ID of the security data being requested to be recovered.
- PubKey:
Event: SECURITY_DATA_RECOVERY_REQUEST_PROCESSED
Description: This event is used when security data recovery request is processed.
Applicable subsystems: KRA
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- RecoveryID: The recovery request ID.
- KeyID: The ID of the security data being requested to be recovered.
- RecoveryAgents: The UIDs of the recovery agents approving this request.
- FailureReason:
Event: SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE
Description: This event is used when KRA agents login as recovery agents to change
  the state of key recovery requests.
Applicable subsystems: KRA
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- RecoveryID: The recovery request ID.
- Operation: The operation performed (approve, reject, cancel etc.).
Event: SERVER_SIDE_KEYGEN_REQUEST
Description: This event is used when server-side key generation request is made.
  This is for token keys.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- EntityID: The representation of the subject that will be on the certificate when issued.
- RequestID:
Event: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
Description: This event is used when server-side key generation request has been processed.
  This is for token keys.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- EntityID: The representation of the subject that will be on the certificate when issued.
- RequestID:
- PubKey: The base-64 encoded public key associated with
    the private key to be archived.
Event: SYMKEY_GENERATION_REQUEST
Description: This event is used when symmetric key generation request is made.
Applicable subsystems: KRA
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- GenerationRequestID:
- ClientKeyID: The ID of the symmetric key to be generated and archived.
Event: SYMKEY_GENERATION_REQUEST_PROCESSED
Description: This event is used when symmetric key generation request is processed.
  This is when KRA receives and processes the request.
Applicable subsystems: KRA
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- GenerationRequestID:
- ClientKeyID: The user supplied client ID associated with
    the symmetric key to be generated and archived.
- KeyID:
- FailureReason:
Event: TOKEN_APPLET_UPGRADE with [Outcome=Failure]
Description: This event is used when token apple upgrade failed.
Applicable subsystems: TPS
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- IP:
- CUID:
- MSN:
- KeyVersion:
- oldAppletVersion:
- newAppletVersion:
- Info:
Event: TOKEN_APPLET_UPGRADE with [Outcome=Success]
Description: This event is used when token apple upgrade succeeded.
Applicable subsystems: TPS
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- IP:
- CUID:
- MSN:
- KeyVersion:
- oldAppletVersion:
- newAppletVersion:
- Info:
Event: TOKEN_KEY_CHANGEOVER with [Outcome=Failure]
Description: This event is used when token key changeover failed.
Applicable subsystems: TPS
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- IP:
- CUID:
- MSN:
- tokenType:
- AppletVersion:
- oldKeyVersion:
- newKeyVersion:
- Info: Info in case of failure.
Event: TOKEN_KEY_CHANGEOVER with [Outcome=Success]
Description: This event is used when token key changeover succeeded.
Applicable subsystems: TPS
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- IP:
- CUID:
- MSN:
- tokenType:
- AppletVersion:
- oldKeyVersion:
- newKeyVersion:
- Info: Usually is unused for success.
Event: TOKEN_KEY_CHANGEOVER_REQUIRED
Description: This event is used when token key changeover is required.
Applicable subsystems: TPS
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- IP:
- CUID:
- MSN:
- tokenType:
- AppletVersion:
- oldKeyVersion:
- newKeyVersion:
- Info:
Event: LOGGING_SIGNED_AUDIT_TOKEN_KEY_SANITY_CHECK_SUCCESS
Description: used for the CS.cfg properties: enableBoundedGPKeyVersion, cuidMustMatchKDD, and validateCardKeyInfoAgainstTokenDB
Applicable subsystems: TPS
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- IP:
- CUID:
- KDD:
- TokenKeyVersion:
- NewKeyVersion:
- TokenDBKeyVersion:
- Info:
Event: LOGGING_SIGNED_AUDIT_TOKEN_KEY_SANITY_CHECK_FAILURE
Description: used for the CS.cfg properties: enableBoundedGPKeyVersion, cuidMustMatchKDD, and validateCardKeyInfoAgainstTokenDB
Applicable subsystems: TPS
Enabled by default: Yes
Fields:
- SubjectID:
- Outcome:
- IP:
- CUID:
- KDD:
- TokenKeyVersion:
- NewKeyVersion:
- TokenDBKeyVersion:
- Info:
Available Audit Events - Enabled by default: No
Event: AUDIT_LOG_DELETE
Description: This event is used AFTER audit log gets expired.
  The ACL should not allow this operation, but it is provided in case ACL gets compromised.
  Make sure it is written AFTER the log expiration happens.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- LogFile: The complete name (including the path) of the
    signedAudit log that is attempted to be deleted.
Event: AUDIT_LOG_SHUTDOWN
Description: This event is used at audit function shutdown.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
Event: CIMC_CERT_VERIFICATION
Description: This event is used for verifying CS system certificates.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- CertNickName: The certificate nickname.
Event: CMC_ID_POP_LINK_WITNESS
Description: This event is used for identification and POP linking verification during CMC request processing.
Applicable subsystems: CA
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- Info:
Event: CMC_PROOF_OF_IDENTIFICATION
Description: This event is used for proof of identification during CMC request processing.
Applicable subsystems: CA
Enabled by default: No
Fields:
- SubjectID:
    In case of success, "SubjectID" is the actual identified identification.
    In case of failure, "SubjectID" is the attempted identification.
- Outcome:
- Info:
Event: COMPUTE_RANDOM_DATA_REQUEST
Description: This event is used when the request for TPS to TKS to get random challenge data is received.
Applicable subsystems: TKS, TPS
Enabled by default: No
Fields:
- Outcome:
- AgentID: The trusted agent ID used to make the request.
Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Failure]
Description: This event is used when the request for TPS to TKS to get random challenge data is processed unsuccessfully.
Applicable subsystems: TKS, TPS
Enabled by default: No
Fields:
- Outcome: Success or Failure.
- Status: 0 for no error.
- Error: The error message.
- AgentID: The trusted agent ID used to make the request.
Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Success]
Description: This event is used when the request for TPS to TKS to get random challenge data is processed successfully.
Applicable subsystems: TKS, TPS
Fields:
- Outcome: Success or Failure.
- Status: 0 for no error.
- AgentID: The trusted agent ID used to make the request.
Event: COMPUTE_SESSION_KEY_REQUEST
Description: This event is used when the request for TPS to TKS to get a session key for secure channel is received.
Applicable subsystems: TKS, TPS
Enabled by default: No
Fields:
- Outcome:
- AgentID: The trusted agent ID used to make the request.
- CUID_encoded: The special-encoded CUID of the token establishing the secure channel.
- KDD_encoded: The special-encoded KDD of the token establishing the secure channel.
Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Failure]
Description: This event is used when the request for TPS to TKS to get a session key for secure channel is processed unsuccessfully.
Applicable subsystems: TKS, TPS
Enabled by default: No
Fields:
- Outcome: Failure
- status: Error code or 0 for no error.
- AgentID: The trusted agent ID used to make the request.
- IsCryptoValidate: tells if the card cryptogram is to be validated
- IsServerSideKeygen: tells if the keys are to be generated on server
- SelectedToken: The cryptographic token performing key operations.
- KeyNickName: The numeric keyset, e.g. #01#01.
- Error: The error message.
- CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
- KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
- TKSKeyset: The name of the TKS keyset being used for this request.
- KeyInfo_KeyVersion: The key version number requested in hex.
- NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
- NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Success]
Description: This event is used when the request for TPS to TKS to get a session key for secure channel is processed successfully.
Applicable subsystems: TKS, TPS
Enabled by default: No
Fields:
- AgentID: The trusted agent ID used to make the request.
- Outcome: Success
- status: 0 for no error.
- IsCryptoValidate: tells if the card cryptogram is to be validated
- IsServerSideKeygen: tells if the keys are to be generated on server
- SelectedToken: The cryptographic token performing key operations.
- KeyNickName: The number keyset, e.g. #01#01.
- CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
- KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
- TKSKeyset: The name of the TKS keyset being used for this request.
- KeyInfo_KeyVersion: The key version number requested in hex.
- NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
- NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
Event: CONFIG_CERT_POLICY
Description: This event is used when configuring certificate policy constraints and extensions.
Applicable subsystems: CA
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
Event: CONFIG_TOKEN_GENERAL
Description: This event is used when doing general TPS configuration.
Applicable subsystems: TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
    --- secret component (password) MUST NOT be logged ---
- Info: Error info for failed cases.
Event: CONFIG_TOKEN_PROFILE
Description: This event is used when configuring token profile.
Applicable subsystems: TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- Service: can be any of the methods offered
- ProfileID:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
    --- secret component (password) MUST NOT be logged ---
- Info: Error info for failed cases.
Event: CRL_RETRIEVAL
Description: This event is used when CRLs are retrieved by the OCSP Responder.
Applicable subsystems: OCSP
Enabled by default: No
Fields:
- SubjectID:
- Outcome: "Success" when CRL is retrieved successfully, "Failure" otherwise.
- CRLnum: The CRL number that identifies the CRL.
Event: CRL_VALIDATION
Description: This event is used when CRL is retrieved and validation process occurs.
Applicable subsystems: OCSP
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
Event: DELTA_CRL_PUBLISHING
Description: This event is used when delta CRL publishing is complete.
Applicable subsystems: CA
Enabled by default: No
Fields:
- SubjectID:
- Outcome: "Success" when delta CRL is publishing successfully, "Failure" otherwise.
- CRLnum:
- FailureReason:
Event: DIVERSIFY_KEY_REQUEST
Description: This event is used when the request for TPS to TKS to do key changeover is received.
Applicable subsystems: TKS, TPS
Enabled by default: No
Fields:
- Outcome:
- AgentID: The trusted agent ID used to make the request.
- oldMasterKeyName: The old master key name.
- newMasterKeyName: The new master key name.
- CUID_encoded: The special-encoded CUID of the token establishing the secure channel.
- KDD_encoded: The special-encoded KDD of the token establishing the secure channel.
Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Failure]
Description: This event is when the request for TPS to TKS to do key changeover is processed unsuccessfully.
Applicable subsystems: TKS, TPS
Enabled by default: No
Fields:
- AgentID: The trusted agent ID used to make the request.
- Outcome: Failure
- status: 0 for success, non-zero for various errors.
- oldMasterKeyName: The old master key name.
- newMasterKeyName: The new master key name.
- Error: The error message.
- CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
- KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
- TKSKeyset: The name of the TKS keyset being used for this request.
- OldKeyInfo_KeyVersion: The old key version number in hex.
- NewKeyInfo_KeyVersion: The new key version number in hex.
- NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
- NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Success]
Description: This event is used when the request for TPS to TKS to do key changeover is processed successfully.
Applicable subsystems: TKS, TPS
Enabled by default: No
Fields:
- AgentID: The trusted agent ID used to make the request.
- Outcome: Success
- status: 0 for success, non-zero for various errors.
- oldMasterKeyName: The old master key name.
- newMasterKeyName: The new master key name.
- CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
- KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
- TKSKeyset: The name of the TKS keyset being used for this request.
- OldKeyInfo_KeyVersion: The old key version number in hex.
- NewKeyInfo_KeyVersion: The new key version number in hex.
- NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
- NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
Event: ENCRYPT_DATA_REQUEST
Description: This event is used when the request from TPS to TKS to encrypt data
  (or generate random data and encrypt) is received.
Applicable subsystems: TKS, TPS
Enabled by default: No
Fields:
- SubjectID: The CUID of the token requesting encrypt data.
- AgentID: The trusted agent ID used to make the request.
- status: 0 for success, non-zero for various errors.
- isRandom: tells if the data is randomly generated on TKS
- CUID_encoded: The special-encoded CUID of the token establishing the secure channel.
- KDD_encoded: The special-encoded KDD of the token establishing the secure channel.
Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Failure]
Description: This event is used when the request from TPS to TKS to encrypt data
  (or generate random data and encrypt) is processed unsuccessfully.
Applicable subsystems: TKS, TPS
Enabled by default: No
Fields:
- AgentID: The trusted agent ID used to make the request.
- Outcome: Failure
- status: 0 for success, non-zero for various errors.
- isRandom: tells if the data is randomly generated on TKS
- SelectedToken: The cryptographic token performing key operations.
- KeyNickName: The numeric keyset, e.g. #01#01.
- Error: The error message.
- CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
- KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
- TKSKeyset: The name of the TKS keyset being used for this request.
- KeyInfo_KeyVersion: The key version number requested in hex.
- NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
- NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Success]
Description: This event is used when the request from TPS to TKS to encrypt data
  (or generate random data and encrypt) is processed successfully.
Applicable subsystems: TKS, TPS
Enabled by default: No
Fields:
- AgentID: The trusted agent ID used to make the request.
- Outcome: Success
- status: 0 for success, non-zero for various errors.
- isRandom: tells if the data is randomly generated on TKS
- SelectedToken: The cryptographic token performing key operations.
- KeyNickName: The numeric keyset, e.g. #01#01.
- CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
- KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
- TKSKeyset: The name of the TKS keyset being used for this request.
- KeyInfo_KeyVersion: The key version number requested in hex.
- NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
- NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
Event: FULL_CRL_PUBLISHING
Description: This event is used when full  CRL publishing is complete.
Applicable subsystems: CA
Enabled by default: No
Fields:
- SubjectID:
- Outcome: "Success" when full CRL is publishing successfully, "Failure" otherwise.
- CRLnum:
- FailureReason:
Event: INTER_BOUNDARY
Description: This event is used when inter-CS boundary data transfer is successful.
  This is used when data does not need to be captured.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- ProtectionMethod: "SSL" or "unknown".
- ReqType: The request type.
- ReqID: The request ID.
Event: KEY_RECOVERY_AGENT_LOGIN
Description: This event is used when KRA agents login as recovery agents to approve
  key recovery requests.
Applicable subsystems: KRA
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- RecoveryID: The recovery request ID.
- RecoveryAgent: The recovery agent the KRA agent is
    logging in with.
Event: KEY_RECOVERY_REQUEST
Description: This event is used when key recovery request is made.
Applicable subsystems: CA, OCSP, TKS, TPS, TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- RecoveryID: The recovery request ID.
- PubKey: The base-64 encoded public key associated with
    the private key to be recovered.
Event: KEY_STATUS_CHANGE
Description: This event is used when modify key status is executed.
Applicable subsystems: KRA
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- KeyID: An existing key ID in the database.
- OldStatus: The old status to change from.
- NewStatus: The new status to change to.
- Info:
Event: LOG_EXPIRATION_CHANGE (disabled)
Description: This event is used when log expiration time change is attempted.
  The ACL should not allow this operation, but make sure it's written after the attempt.
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- LogType: "System", "Transaction", or "SignedAudit".
- ExpirationTime: The amount of time (in seconds) that is
    attempted to be changed to.
Event: NON_PROFILE_CERT_REQUEST
Description: This event is used when a non-profile certificate request is made (before approval process).
Applicable subsystems: CA, KRA, OCSP, TKS, TPS
Enabled by default: No
Fields:
- SubjectID: The UID of user that triggered this event.
    If CMC enrollment requests signed by an agent, SubjectID should
    be that of the agent.
- Outcome:
- CertSubject: The certificate subject name of the certificate request.
- ReqID: The certificate request ID.
- ServiceID: The identity of the servlet that submitted the original
    request.
Event: OCSP_ADD_CA_REQUEST
Description: This event is used when a CA is attempted to be added to the OCSP Responder.
Applicable subsystems: OCSP
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- CA: The base-64 encoded PKCS7 certificate (or chain).
Event: OCSP_REMOVE_CA_REQUEST
Description: This event is used when a CA is attempted to be removed from the OCSP Responder.
Applicable subsystems: OCSP
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- CASubjectDN: The DN ID of the CA.
Event: SECURITY_DATA_EXPORT_KEY
Description: This event is used when user attempts to retrieve key after the recovery request
  has been approved.
Applicable subsystems: KRA
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- RecoveryID: The recovery request ID.
- KeyID: The key being retrieved.
- Info: The failure reason if the export fails.
- PubKey: The public key for the private key being retrieved.
Event: SECURITY_DATA_INFO
Description: This event is used when user attempts to get metadata information about a key.
Applicable subsystems: KRA
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- KeyID: The key being retrieved.
- ClientKeyId:
- Info: The failure reason if the export fails.
- PubKey: The public key for the private key being retrieved.
Event: TOKEN_AUTH with [Outcome=Failure]
Description: This event is used when authentication failed.
Applicable subsystems: TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome: Failure
    (obviously, if authentication failed, you won't have a valid SubjectID, so
    in this case, AttemptedID is recorded)
- IP:
- CUID:
- MSN:
- OP:
- tokenType:
- AppletVersion:
- AuthMgr: The authentication manager instance name that did
    this authentication.
Event: TOKEN_AUTH with [Outcome=Success]
Description: This event is used when authentication succeeded.
Applicable subsystems: TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome: Success
- IP:
- CUID:
- MSN:
- OP:
- tokenType:
- AppletVersion:
- AuthMgr: The authentication manager instance name that did
    this authentication.
Event: TOKEN_CERT_ENROLLMENT
Description: This event is used for TPS when token certificate enrollment request is made.
Applicable subsystems: TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- IP:
- CUID:
- tokenType:
- KeyVersion:
- Serial:
- CA_ID:
- Info: Info in case of failure.
Event: TOKEN_CERT_RENEWAL
Description: This event is used for TPS when token certificate renewal request is made.
Applicable subsystems: TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- IP:
- CUID:
- tokenType:
- KeyVersion:
- Serial:
- CA_ID:
- Info: Info in case of failure.
Event: TOKEN_CERT_RETRIEVAL
Description: This event is used for TPS when token certificate retrieval request is made;
  usually used during recovery, along with TOKEN_KEY_RECOVERY.
Applicable subsystems: TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- IP:
- CUID:
- tokenType:
- KeyVersion:
- Serial:
- CA_ID:
- Info:
Event: TOKEN_CERT_STATUS_CHANGE_REQUEST
Description: This event is used when a token certificate status change request (e.g. revocation) is made.
Applicable subsystems: TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- IP:
- CUID: The last token that the certificate was associated with.
- tokenType:
- CertSerialNum: The serial number (in decimal) of the certificate to be revoked.
- RequestType: "revoke", "on-hold", "off-hold".
- RevokeReasonNum:
- CA_ID:
- Info:
Event: TOKEN_FORMAT with [Outcome=Failure]
Description: This event is used when token format operation failed.
Applicable subsystems: TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- IP:
- CUID:
- MSN:
- tokenType:
- AppletVersion:
- Info:
Event: TOKEN_FORMAT with [Outcome=Success]
Description: This event is used when token format operation succeeded.
Applicable subsystems: TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- IP:
- CUID:
- MSN:
- tokenType:
- AppletVersion:
- KeyVersion:
Event: TOKEN_KEY_RECOVERY
Description: This event is used for TPS when token certificate key recovery request is made.
Applicable subsystems: TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- IP:
- CUID:
- tokenType:
- KeyVersion:
- Serial:
- CA_ID:
- KRA_ID:
- Info:
Event: TOKEN_OP_REQUEST
Description: This event is used when token processor operation request is made.
Applicable subsystems: TPS
Enabled by default: No
Fields:
- IP:
- CUID:
- MSN:
- Outcome:
- OP: "format", "enroll", or "pinReset"
- AppletVersion:
Event: TOKEN_PIN_RESET with [Outcome=Failure]
Description: This event is used when token pin reset request failed.
Applicable subsystems: TPS
Enabled by default: No
Fields:
- IP:
- SubjectID:
- CUID:
- Outcome:
- tokenType:
- AppletVersion:
- Info:
Event: TOKEN_PIN_RESET with [Outcome=Success]
Description: This event is used when token pin reset request succeeded.
Applicable subsystems: TPS
Enabled by default: No
Fields:
- IP:
- SubjectID:
- CUID:
- Outcome:
- tokenType:
- AppletVersion:
- KeyVersion:
Event: TOKEN_STATE_CHANGE
Description: This event is used when token state changed.
Applicable subsystems: TPS
Enabled by default: No
Fields:
- SubjectID:
- Outcome:
- oldState:
- oldReason:
- newState:
- newReason:
- ParamNameValPairs: A name-value pair
    (where name and value are separated by the delimiter ;;)
    separated by + (if more than one name-value pair) of config params changed.
    --- secret component (password) MUST NOT be logged ---
- Info: Error info for failed cases.

####################### SIGNED AUDIT EVENTS #############################
# Common fields:
# - Outcome: "Success" or "Failure"
# - SubjectID: The UID of the user responsible for the operation
#     "$System$" or "SYSTEM" if system-initiated operation (e.g. log signing).
#
#########################################################################
# Required Audit Events
#
# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
# Description: This event is used when access session failed to establish.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientIP: Client IP address.
# - ServerIP: Server IP address.
# - SubjectID: Client certificate subject DN.
# - Outcome: Failure
# - Info: Failure reason.
#
LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\
<type=ACCESS_SESSION_ESTABLISH>:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish failure
#
# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success]
# Description: This event is used when access session was established successfully.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientIP: Client IP address.
# - ServerIP: Server IP address.
# - SubjectID: Client certificate subject DN.
# - Outcome: Success
#
LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
<type=ACCESS_SESSION_ESTABLISH>:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish success
#
# Event: ACCESS_SESSION_TERMINATED
# Description: This event is used when access session was terminated.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientIP: Client IP address.
# - ServerIP: Server IP address.
# - SubjectID: Client certificate subject DN.
# - Info: The TLS Alert received from NSS
# - Outcome: Success
# - Info: The TLS Alert received from NSS
#
LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\
<type=ACCESS_SESSION_TERMINATED>:[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated
#
# Event: AUDIT_LOG_SIGNING
# Description: This event is used when a signature on the audit log is generated (same as "flush" time).
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: Predefined to be "$System$" because this operation
#     associates with no user.
# - Outcome: Success
# - sig: The base-64 encoded signature of the buffer just flushed.
#
LOGGING_SIGNED_AUDIT_AUDIT_LOG_SIGNING_3=[AuditEvent=AUDIT_LOG_SIGNING][SubjectID={0}][Outcome={1}] signature of audit buffer just flushed: sig: {2}
#
# Event: AUDIT_LOG_STARTUP
# Description: This event is used at audit function startup.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome:
#
LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2=<type=AUDIT_LOG_STARTUP>:[AuditEvent=AUDIT_LOG_STARTUP][SubjectID={0}][Outcome={1}] audit function startup
#
# Event: AUTH with [Outcome=Failure]
# Description: This event is used when authentication fails.
#   In case of SSL-client auth, only webserver env can pick up the SSL violation.
#   CS authMgr can pick up certificate mismatch, so this event is used.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome: Failure
#     (obviously, if authentication failed, you won't have a valid SubjectID, so
#     in this case, SubjectID should be $Unidentified$)
# - AuthMgr: The authentication manager instance name that did
#     this authentication.
# - AttemptedCred: The credential attempted and failed.
#
LOGGING_SIGNED_AUDIT_AUTH_FAIL=<type=AUTH>:[AuditEvent=AUTH]{0} authentication failure
#
# Event: AUTH with [Outcome=Success]
# Description: This event is used when authentication succeeded.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of user who has been authenticated
# - Outcome: Success
# - AuthMgr: The authentication manager instance name that did
#     this authentication.
#
LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authentication success
#
# Event: AUTHZ with [Outcome=Failure]
# Description: This event is used when authorization has failed.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of user who has failed to be authorized for an action
# - Outcome: Failure
# - aclResource: The ACL resource ID as defined in ACL resource list.
# - Op: One of the operations as defined with the ACL statement
#    e.g. "read" for an ACL statement containing "(read,write)".
# - Info:
#
LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization failure
#
# Event: AUTHZ with [Outcome=Success]
# Description: This event is used when authorization is successful.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of user who has been authorized for an action
# - Outcome: Success
# - aclResource: The ACL resource ID as defined in ACL resource list.
# - Op: One of the operations as defined with the ACL statement
#     e.g. "read" for an ACL statement containing "(read,write)".
#
LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization success
#
# Event: CERT_PROFILE_APPROVAL
# Description: This event is used when an agent approves/disapproves a certificate profile set by the
#   administrator for automatic approval.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of the CA agent who approved the certificate enrollment profile
# - Outcome:
# - ProfileID: One of the profiles defined by the administrator
#     and to be approved by an agent.
# - Op: "approve" or "disapprove".
#
LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval
#
# Event: CERT_REQUEST_PROCESSED
# Description: This event is used when certificate request has just been through the approval process.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: The UID of the agent who approves, rejects, or cancels
#     the certificate request.
# - Outcome:
# - ReqID: The request ID.
# - InfoName: "certificate" (in case of approval), "rejectReason"
#     (in case of reject), or "cancelReason" (in case of cancel)
# - InfoValue: The certificate (in case of success), a reject reason in
#     text, or a cancel reason in text.
# - CertSerialNum:
#
LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=<type=CERT_REQUEST_PROCESSED>:[AuditEvent=CERT_REQUEST_PROCESSED]{0} certificate request processed
#
# Event: CERT_SIGNING_INFO
# Description: This event indicates which key is used to sign certificates.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome: Success
# - SKI: Subject Key Identifier of the certificate signing certificate
# - AuthorityID: (applicable only to lightweight CA)
#
LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO=<type=CERT_SIGNING_INFO>:[AuditEvent=CERT_SIGNING_INFO]{0} certificate signing info
#
# Event: CERT_STATUS_CHANGE_REQUEST
# Description: This event is used when a certificate status change request (e.g. revocation)
#   is made (before approval process).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of uer who performed the action
# - Outcome:
# - ReqID: The request ID.
# - CertSerialNum: The serial number (in hex) of the certificate to be revoked.
# - RequestType: "revoke", "on-hold", "off-hold"
#
LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=<type=CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=CERT_STATUS_CHANGE_REQUEST]{0} certificate revocation/unrevocation request made
#
# Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED
# Description: This event is used when certificate status is changed (revoked, expired, on-hold,
#   off-hold).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: The UID of the agent that processed the request.
# - Outcome:
# - ReqID: The request ID.
# - RequestType: "revoke", "on-hold", "off-hold"
# - Approval: "complete", "rejected", or "canceled"
#     (note that "complete" means "approved")
# - CertSerialNum: The serial number (in hex).
# - RevokeReasonNum: One of the following number:
#     reason number       reason
#     --------------------------------------
#     0              Unspecified
#     1              Key compromised
#     2              CA key compromised (should not be used)
#     3              Affiliation changed
#     4              Certificate superceded
#     5              Cessation of operation
#     6              Certificate is on-hold
# - Info:
#
LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=<type=CERT_STATUS_CHANGE_REQUEST_PROCESSED>:[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED]{0} certificate status change request processed
#
# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
# Description: This event is when access session failed to establish when Certificate System acts as client.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientHost: Client hostname.
# - ServerHost: Server hostname.
# - ServerPort: Server port.
# - SubjectID: SYSTEM
# - Outcome: Failure
# - Info:
#
LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\
<type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client
#
# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Success]
# Description: This event is used when access session was established successfully when
#   Certificate System acts as client.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientHost: Client hostname.
# - ServerHost: Server hostname.
# - ServerPort: Server port.
# - SubjectID: SYSTEM
# - Outcome: Success
#
LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
<type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client
#
# Event: CLIENT_ACCESS_SESSION_TERMINATED
# Description: This event is used when access session was terminated when Certificate System acts as client.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientHost: Client hostname.
# - ServerHost: Server hostname.
# - ServerPort: Server port.
# - SubjectID: SYSTEM
# - Outcome: Success
# - Info: The TLS Alert received from NSS
#
LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\
<type=CLIENT_ACCESS_SESSION_TERMINATED>:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client
#
# Event: CMC_REQUEST_RECEIVED
# Description: This event is used when a CMC request is received.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: The UID of user that triggered this event.
#     If CMC requests is signed by an agent, SubjectID should
#     be that of the agent.
#     In case of an unsigned request, it would bear $Unidentified$.
# - Outcome:
# - CMCRequest: Base64 encoding of the CMC request received
#
LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=<type=CMC_REQUEST_RECEIVED>:[AuditEvent=CMC_REQUEST_RECEIVED][SubjectID={0}][Outcome={1}][CMCRequest={2}] CMC request received
#
# Event: CMC_RESPONSE_SENT
# Description: This event is used when a CMC response is sent.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: The UID of user that triggered this event.
# - Outcome:
# - CMCResponse: Base64 encoding of the CMC response sent
#
LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=<type=CMC_RESPONSE_SENT>:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent
#
# Event: CMC_SIGNED_REQUEST_SIG_VERIFY
# Description: This event is used when agent signed CMC certificate requests or revocation requests
#   are submitted and signature is verified.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: the user who signed the CMC request (success case)
# - Outcome:
# - ReqType: The request type (enrollment, or revocation).
# - CertSubject: The certificate subject name of the certificate request.
# - SignerInfo: A unique String representation for the signer.
#
LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=<type=CMC_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent signed CMC request signature verification
#
# Event: CMC_USER_SIGNED_REQUEST_SIG_VERIFY
# Description: This event is used when CMC (user-signed or self-signed) certificate requests or revocation requests
#   are submitted and signature is verified.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: the user who signed the CMC request (success case)
# - Outcome:
# - ReqType: The request type (enrollment, or revocation).
# - CertSubject: The certificate subject name of the certificate request.
# - CMCSignerInfo: A unique String representation for the CMC request signer.
# - info:
#
LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification failure
LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification success
#
# Event: CONFIG_ACL
# Description: This event is used when configuring ACL information.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=<type=CONFIG_ACL>:[AuditEvent=CONFIG_ACL][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] ACL configuration parameter(s) change
#
# Event: CONFIG_AUTH
# Description: This event is used when configuring authentication.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#     --- Password MUST NOT be logged ---
#
LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=<type=CONFIG_AUTH>:[AuditEvent=CONFIG_AUTH][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] authentication configuration parameter(s) change
#
# Event: CONFIG_CERT_PROFILE
# Description: This event is used when configuring certificate profile
#   (general settings and certificate profile).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=<type=CONFIG_CERT_PROFILE>:[AuditEvent=CONFIG_CERT_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate profile configuration parameter(s) change
#
# Event: CONFIG_CRL_PROFILE
# Description: This event is used when configuring CRL profile
#   (extensions, frequency, CRL format).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=<type=CONFIG_CRL_PROFILE>:[AuditEvent=CONFIG_CRL_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] CRL profile configuration parameter(s) change
#
# Event: CONFIG_DRM
# Description: This event is used when configuring KRA.
#   This includes key recovery scheme, change of any secret component.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#     --- secret component (password) MUST NOT be logged ---
#
LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=<type=CONFIG_DRM>:[AuditEvent=CONFIG_DRM][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] DRM configuration parameter(s) change
#
# Event: CONFIG_OCSP_PROFILE
# Description: This event is used when configuring OCSP profile
#   (everything under Online Certificate Status Manager).
# Applicable subsystems: OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=<type=CONFIG_OCSP_PROFILE>:[AuditEvent=CONFIG_OCSP_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] OCSP profile configuration parameter(s) change
#
# Event: CONFIG_ROLE
# Description: This event is used when configuring role information.
#   This includes anything under users/groups, add/remove/edit a role, etc.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_ROLE=<type=CONFIG_ROLE>:[AuditEvent=CONFIG_ROLE]{0} role configuration parameter(s) change
#
# Event: CONFIG_SERIAL_NUMBER
# Description: This event is used when configuring serial number ranges
#   (when requesting a serial number range when cloning, for example).
# Applicable subsystems: CA, KRA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=<type=CONFIG_SERIAL_NUMBER>:[AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] serial number range update
#
# Event: CONFIG_SIGNED_AUDIT
# Description: This event is used when configuring signedAudit.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=<type=CONFIG_SIGNED_AUDIT>:[AuditEvent=CONFIG_SIGNED_AUDIT]{0} signed audit configuration parameter(s) change
#
# Event: CONFIG_TRUSTED_PUBLIC_KEY
# Description: This event is used when:
#   1. "Manage Certificate" is used to edit the trustness of certificates
#      and deletion of certificates
#   2. "Certificate Setup Wizard" is used to import CA certificates into the
#      certificate database (Although CrossCertificatePairs are stored
#      within internaldb, audit them as well)
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: ID of administrator who performed this configuration
# - Outcome:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=<type=CONFIG_TRUSTED_PUBLIC_KEY>:[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY]{0} certificate database configuration
#
# Event: CRL_SIGNING_INFO
# Description: This event indicates which key is used to sign CRLs.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome:
# - SKI: Subject Key Identifier of the CRL signing certificate
#
LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=<type=CRL_SIGNING_INFO>:[AuditEvent=CRL_SIGNING_INFO]{0} CRL signing info
#
# Event: DELTA_CRL_GENERATION
# Description: This event is used when delta CRL generation is complete.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: $Unidentified$
# - Outcome: "Success" when delta CRL is generated successfully, "Failure" otherwise.
# - CRLnum: The CRL number that identifies the CRL
# - Info:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=<type=DELTA_CRL_GENERATION>:[AuditEvent=DELTA_CRL_GENERATION]{0} Delta CRL generation
#
# Event: FULL_CRL_GENERATION
# Description: This event is used when full CRL generation is complete.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome: "Success" when full CRL is generated successfully, "Failure" otherwise.
# - CRLnum: The CRL number that identifies the CRL
# - Info:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=<type=FULL_CRL_GENERATION>:[AuditEvent=FULL_CRL_GENERATION]{0} Full CRL generation
#
# Event: PROFILE_CERT_REQUEST
# Description: This event is used when a profile certificate request is made (before approval process).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: The UID of user that triggered this event.
#     If CMC enrollment requests signed by an agent, SubjectID should
#     be that of the agent.
# - Outcome:
# - CertSubject: The certificate subject name of the certificate request.
# - ReqID: The certificate request ID.
# - ProfileID: One of the certificate profiles defined by the
#     administrator.
#
LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=<type=PROFILE_CERT_REQUEST>:[AuditEvent=PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ProfileID={3}][CertSubject={4}] certificate request made with certificate profiles
#
# Event: PROOF_OF_POSSESSION
# Description: This event is used for proof of possession during certificate enrollment processing.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: id that represents the authenticated user
# - Outcome:
# - Info: some information on when/how it occurred
#
LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=<type=PROOF_OF_POSSESSION>:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession
#
# Event: OCSP_ADD_CA_REQUEST_PROCESSED
# Description: This event is used when an add CA request to the OCSP Responder is processed.
# Applicable subsystems: OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: OCSP administrator user id
# - Outcome: "Success" when CA is added successfully, "Failure" otherwise.
# - CASubjectDN: The subject DN of the leaf CA cert in the chain.
#
LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED=<type=OCSP_ADD_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED]{0} Add CA for OCSP Responder
#
# Event: OCSP_GENERATION
# Description: This event is used when an OCSP response generated is complete.
# Applicable subsystems: CA, OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: $NonRoleUser$
# - Outcome: "Success" when OCSP response is generated successfully, "Failure" otherwise.
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_OCSP_GENERATION=<type=OCSP_GENERATION>:[AuditEvent=OCSP_GENERATION]{0} OCSP response generation
#
# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Failure]
# Description: This event is used when a remove CA request to the OCSP Responder is processed and failed.
# Applicable subsystems: OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: OCSP administrator user id
# - Outcome: Failure
# - CASubjectDN: The subject DN of the leaf CA certificate in the chain.
#
LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE=<type=OCSP_REMOVE_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder has failed
#
# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Success]
# Description: This event is used when a remove CA request to the OCSP Responder is processed successfully.
# Applicable subsystems: OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: OCSP administrator user id
# - Outcome: "Success" when CA is removed successfully, "Failure" otherwise.
# - CASubjectDN: The subject DN of the leaf CA certificate in the chain.
#
LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS=<type=OCSP_REMOVE_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder is successful
#
# Event: OCSP_SIGNING_INFO
# Description: This event indicates which key is used to sign OCSP responses.
# Applicable subsystems: CA, OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome:
# - SKI: Subject Key Identifier of the OCSP signing certificate
# - AuthorityID: (applicable only to lightweight CA)
#
LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO=<type=OCSP_SIGNING_INFO>:[AuditEvent=OCSP_SIGNING_INFO]{0} OCSP signing info
#
# Event: ROLE_ASSUME
# Description: This event is used when a user assumes a role.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - Role: One of the valid roles:
#     "Administrators", "Certificate Manager Agents", or "Auditors".
#     Note that customized role names can be used once configured.
#
LOGGING_SIGNED_AUDIT_ROLE_ASSUME=<type=ROLE_ASSUME>:[AuditEvent=ROLE_ASSUME]{0} assume privileged role
#
# Event: SECURITY_DOMAIN_UPDATE
# Description: This event is used when updating contents of security domain
#   (add/remove a subsystem).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: CA administrator user ID
# - Outcome:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=<type=SECURITY_DOMAIN_UPDATE>:[AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] security domain update
#
# Event: SELFTESTS_EXECUTION
# Description: This event is used when self tests are run.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome:
#
LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details)
#########################################################################
# Available Audit Events - Enabled by default: Yes
#########################################################################
#
# Event: SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST
# Description: This event is used when Server-Side Keygen enrollment keygen request is made.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - RequestID:
# - ClientID:
#
LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST>:[AuditEvent=SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST]{0} Server-Side Keygen enrollment keygen request made
#
# Event: SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST_PROCESSED
# Description: This event is used when a request to do Server-Side Keygen enrollment keygen has been processed
#   is processed.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - RequestID:
# - ClientID:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST_PROCESSED=<type=SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST_PROCESSED>:[AuditEvent=SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST_PROCESSED]{0} Server-Side Keygen enrollment keygen request processed
#
# Event: SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST
# Description: This event is used when Server-Side Keygen enrollment key retrieval request is made.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - RequestID:
# - ClientID:
#
LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST=<type=SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST>:[AuditEvent=SERVER_SIDE_KEYGEN_ENROLL_KEYGEN_REQUEST]{0} Server-Side Keygen enrollment retrieval request made
#
# Event: SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST_PROCESSED
# Description: This event is used when a request to do Server-Side Keygen enrollment retrieval has been processed
#   is processed.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - RequestID:
# - ClientID:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST_PROCESSED=<type=SERVER_SIDE_KEYGEN_ENROLL_KEY_RETRIEVAL_REQUEST_PROCESSED>:[AuditEvent=SERVER_SIDE_KEYGEN_ENROLL_RETRIEVAL_REQUEST_PROCESSED]{0} Server-Side Keygen enrollment retrieval request processed
#
# Event: ASYMKEY_GENERATION_REQUEST
# Description: This event is used when asymmetric key generation request is made.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - GenerationRequestID:
# - ClientKeyID:
#
LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=<type=ASYMKEY_GENERATION_REQUEST>:[AuditEvent=ASYMKEY_GENERATION_REQUEST]{0} Asymkey generation request made
#
# Event: ASYMKEY_GENERATION_REQUEST_PROCESSED
# Description: This event is used when a request to generate asymmetric keys received by the KRA
#   is processed.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - GenerationRequestID:
# - ClientKeyID:
# - KeyID:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=<type=ASYMKEY_GENERATION_REQUEST_PROCESSED>:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED]{0} Asymkey generation request processed
#
# Event: AUTHORITY_CONFIG
# Description: This event is used when configuring lightweight authorities.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=<type=AUTHORITY_CONFIG>:[AuditEvent=AUTHORITY_CONFIG][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] lightweight authority configuration change
#
# Event: CONFIG_ENCRYPTION
# Description: This event is used when configuring encryption (cert settings and SSL cipher preferences).
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=<type=CONFIG_ENCRYPTION>:[AuditEvent=CONFIG_ENCRYPTION][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] encryption configuration parameter(s) change
#
# Event: CONFIG_TOKEN_AUTHENTICATOR
# Description: This event is used when configuring token authenticators.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - OP:
# - Authenticator:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#     --- secret component (password) MUST NOT be logged ---
# - Info: Error info for failed cases.
#
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6=<type=CONFIG_TOKEN_AUTHENTICATOR>:[AuditEvent=CONFIG_TOKEN_AUTHENTICATOR][SubjectID={0}][Outcome={1}][OP={2}][Authenticator={3}][ParamNameValPairs={4}][Info={5}] token authenticator configuration parameter(s) change
#
# Event: CONFIG_TOKEN_CONNECTOR
# Description: This event is used when configuring token connectors.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - Service: can be any of the methods offered
# - Connector:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#     --- secret component (password) MUST NOT be logged ---
# - Info: Error info for failed cases.
#
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6=<type=CONFIG_TOKEN_CONNECTOR>:[AuditEvent=CONFIG_TOKEN_CONNECTOR][SubjectID={0}][Outcome={1}][Service={2}][Connector={3}][ParamNameValPairs={4}][Info={5}] token connector configuration parameter(s) change
#
# Event: CONFIG_TOKEN_MAPPING_RESOLVER
# Description: This event is used when configuring token mapping resolver.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: TPS administrator id
# - Outcome:
# - Service:
# - MappingResolverID:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#     --- secret component (password) MUST NOT be logged ---
# - Info: Error info for failed cases.
#
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6=<type=CONFIG_TOKEN_MAPPING_RESOLVER>:[AuditEvent=CONFIG_TOKEN_MAPPING_RESOLVER][SubjectID={0}][Outcome={1}][Service={2}][MappingResolverID={3}][ParamNameValPairs={4}][Info={5}] token mapping resolver configuration parameter(s) change
#
# Event: CONFIG_TOKEN_RECORD
# Description: This event is used when information in token record changed.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: TPS administrator id
# - Outcome:
# - OP: operation to add or delete token
# - TokenID: smart card unique id
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#     --- secret component (password) MUST NOT be logged ---
# - Info: in general is used for capturing error info for failed cases
#
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6=<type=CONFIG_TOKEN_RECORD>:[AuditEvent=CONFIG_TOKEN_RECORD][SubjectID={0}][Outcome={1}][OP={2}][TokenID={3}][ParamNameValPairs={4}][Info={5}] token record configuration parameter(s) change
#
# Event: KEY_GEN_ASYMMETRIC
# Description: This event is used when asymmetric keys are generated
#   such as when CA certificate requests are generated,
#   e.g. CA certificate change over, renewal with new key.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - PubKey: The base-64 encoded public key material.
#
LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=<type=KEY_GEN_ASYMMETRIC>:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation
#
# Event: LOG_PATH_CHANGE
# Description: This event is used when log file name (including any path changes) for any of
#   audit, system, transaction, or other customized log file change is attempted.
#   The ACL should not allow this operation, but make sure it's written after the attempt.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: administrator user id
# - Outcome:
# - LogType: "System", "Transaction", or "SignedAudit"
# - toLogFile: The name (including any path changes) that the user is
#     attempting to change to.
#
LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PATH_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][toLogFile={3}] log path change attempt
#
# Event: RANDOM_GENERATION
# Description: This event is used when a random number generation is complete.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome: "Success" when a random number is generated successfully, "Failure" otherwise.
# - Info:
#   - Caller: PKI code that calls the random number generator.
#   - Size: Size of random number in bytes.
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=<type=RANDOM_GENERATION>:[AuditEvent=RANDOM_GENERATION]{0} Random number generation
#
# Event: SCHEDULE_CRL_GENERATION
# Description: This event is used when CRL generation is scheduled.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome: "Success" when CRL generation is scheduled successfully, "Failure" otherwise.
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION=<type=SCHEDULE_CRL_GENERATION>:[AuditEvent=SCHEDULE_CRL_GENERATION]{0} schedule for CRL generation
#
# Event: SECURITY_DATA_ARCHIVAL_REQUEST
# Description: This event is used when security data recovery request is made.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - ArchivalRequestID: The requestID provided by the CA through the connector.
#     It is used to track the request through from CA to KRA.
# - RequestId: The KRA archival request ID.
# - ClientKeyID: The user supplied client ID associated with
#     the security data to be archived.
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=<type=SECURITY_DATA_ARCHIVAL_REQUEST>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST]{0} security data archival request made
#
# Event: SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
# Description: This event is used when user security data archive request is processed.
#   This is when KRA receives and processed the request.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - ArchivalRequestID: The requestID provided by the CA through the connector.
#     It is used to track the request through from CA to KRA.
# - RequestId: The KRA archival request ID.
# - ClientKeyID: The user supplied client ID associated with
#     the security data to be archived.
# - KeyID:
# - PubKey:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=<type=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED]{0} security data archival request processed
#
# Event: SECURITY_DATA_RECOVERY_REQUEST
# Description: This event is used when security data recovery request is made.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - RecoveryID: The recovery request ID.
# - DataID: The ID of the security data being requested to be recovered.
# - PubKey:
#
LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=<type=SECURITY_DATA_RECOVERY_REQUEST>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST]{0} security data recovery request made
#
# Event: SECURITY_DATA_RECOVERY_REQUEST_PROCESSED
# Description: This event is used when security data recovery request is processed.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - RecoveryID: The recovery request ID.
# - KeyID: The ID of the security data being requested to be recovered.
# - RecoveryAgents: The UIDs of the recovery agents approving this request.
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=<type=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED]{0} security data recovery request processed
#
# Event: SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE
# Description: This event is used when KRA agents login as recovery agents to change
#   the state of key recovery requests.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - RecoveryID: The recovery request ID.
# - Operation: The operation performed (approve, reject, cancel etc.).
#
LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=<type=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE]{0} security data recovery request state change
#
# Event: SERVER_SIDE_KEYGEN_REQUEST
# Description: This event is used when server-side key generation request is made.
#   This is for token keys.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - EntityID: The representation of the subject that will be on the certificate when issued.
# - RequestID:
#
LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST]{0} server-side key generation request
#
# Event: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
# Description: This event is used when server-side key generation request has been processed.
#   This is for token keys.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - EntityID: The representation of the subject that will be on the certificate when issued.
# - RequestID:
# - PubKey: The base-64 encoded public key associated with
#     the private key to be archived.
#
LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=<type=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED]{0} server-side key generation request processed
#
# Event: SYMKEY_GENERATION_REQUEST
# Description: This event is used when symmetric key generation request is made.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - GenerationRequestID:
# - ClientKeyID: The ID of the symmetric key to be generated and archived.
#
LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=<type=SYMKEY_GENERATION_REQUEST>:[AuditEvent=SYMKEY_GENERATION_REQUEST]{0} symkey generation request made
#
# Event: SYMKEY_GENERATION_REQUEST_PROCESSED
# Description: This event is used when symmetric key generation request is processed.
#   This is when KRA receives and processes the request.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - GenerationRequestID:
# - ClientKeyID: The user supplied client ID associated with
#     the symmetric key to be generated and archived.
# - KeyID:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED=<type=SYMKEY_GENERATION_REQUEST_PROCESSED>:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED]{0} symkey generation request processed
#
# Event: TOKEN_APPLET_UPGRADE with [Outcome=Failure]
# Description: This event is used when token apple upgrade failed.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - MSN:
# - KeyVersion:
# - oldAppletVersion:
# - newAppletVersion:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade failure
#
# Event: TOKEN_APPLET_UPGRADE with [Outcome=Success]
# Description: This event is used when token apple upgrade succeeded.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - MSN:
# - KeyVersion:
# - oldAppletVersion:
# - newAppletVersion:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade success
#
# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Failure]
# Description: This event is used when token key changeover failed.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - MSN:
# - tokenType:
# - AppletVersion:
# - oldKeyVersion:
# - newKeyVersion:
# - Info: Info in case of failure.
#
LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover failure
#
# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Success]
# Description: This event is used when token key changeover succeeded.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - MSN:
# - tokenType:
# - AppletVersion:
# - oldKeyVersion:
# - newKeyVersion:
# - Info: Usually is unused for success.
#
LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover success
#
# Event: TOKEN_KEY_CHANGEOVER_REQUIRED
# Description: This event is used when token key changeover is required.
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - MSN:
# - tokenType:
# - AppletVersion:
# - oldKeyVersion:
# - newKeyVersion:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=<type=TOKEN_KEY_CHANGEOVER_REQUIRED>:[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required

#
# Event: LOGGING_SIGNED_AUDIT_TOKEN_KEY_SANITY_CHECK_SUCCESS
# Description: used for the CS.cfg properties: enableBoundedGPKeyVersion, cuidMustMatchKDD, and validateCardKeyInfoAgainstTokenDB
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - KDD:
# - TokenKeyVersion:
# - NewKeyVersion:
# - TokenDBKeyVersion:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_KEY_SANITY_CHECK_SUCCESS_9=<type=TOKEN_KEY_SANITY_CHECK>:[AuditEvent=TOKEN_KEY_SANITY_CHECK][IP={0}][SubjectID={1}][CUID={2}][KDD={3}][Outcome={4}][TokenKeyVersion={5}][NewKeyVersion={6}][TokenDBKeyVersion={7}][Info={8}] token key sanity check success
#
# Event: LOGGING_SIGNED_AUDIT_TOKEN_KEY_SANITY_CHECK_FAILURE
# Description: used for the CS.cfg properties: enableBoundedGPKeyVersion, cuidMustMatchKDD, and validateCardKeyInfoAgainstTokenDB
# Applicable subsystems: TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - KDD:
# - TokenKeyVersion:
# - NewKeyVersion:
# - TokenDBKeyVersion:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_KEY_SANITY_CHECK_FAILURE_9=<type=TOKEN_KEY_SANITY_CHECK>:[AuditEvent=TOKEN_KEY_SANITY_CHECK][IP={0}][SubjectID={1}][CUID={2}][KDD={3}][Outcome={4}][TokenKeyVersion={5}][NewKeyVersion={6}][TokenDBKeyVersion={7}][Info={8}] token key sanity check failure
+#

#########################################################################
# Available Audit Events - Enabled by default: No
#########################################################################
#
# Event: AUDIT_LOG_DELETE
# Description: This event is used AFTER audit log gets expired.
#   The ACL should not allow this operation, but it is provided in case ACL gets compromised.
#   Make sure it is written AFTER the log expiration happens.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - LogFile: The complete name (including the path) of the
#     signedAudit log that is attempted to be deleted.
#
LOGGING_SIGNED_AUDIT_LOG_DELETE_3=<type=AUDIT_LOG_DELETE>:[AuditEvent=AUDIT_LOG_DELETE][SubjectID={0}][Outcome={1}][LogFile={2}] signedAudit log deletion
#
# Event: AUDIT_LOG_SHUTDOWN
# Description: This event is used at audit function shutdown.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
#
LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=<type=AUDIT_LOG_SHUTDOWN>:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown
#
# Event: CIMC_CERT_VERIFICATION
# Description: This event is used for verifying CS system certificates.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - CertNickName: The certificate nickname.
#
LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CS certificate verification
#
# Event: CMC_ID_POP_LINK_WITNESS
# Description: This event is used for identification and POP linking verification during CMC request processing.
# Applicable subsystems: CA
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - Info:
#
LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=<type=CMC_ID_POP_LINK_WITNESS>:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification
#
# Event: CMC_PROOF_OF_IDENTIFICATION
# Description: This event is used for proof of identification during CMC request processing.
# Applicable subsystems: CA
# Enabled by default: No
# Fields:
# - SubjectID:
#     In case of success, "SubjectID" is the actual identified identification.
#     In case of failure, "SubjectID" is the attempted identification.
# - Outcome:
# - Info:
#
LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=<type=CMC_PROOF_OF_IDENTIFICATION>:[AuditEvent=CMC_PROOF_OF_IDENTIFICATION][SubjectID={0}][Outcome={1}][Info={2}] proof of identification in CMC request
#
# Event: COMPUTE_RANDOM_DATA_REQUEST
# Description: This event is used when the request for TPS to TKS to get random challenge data is received.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - Outcome:
# - AgentID: The trusted agent ID used to make the request.
#
LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=<type=COMPUTE_RANDOM_DATA_REQUEST>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request
#
# Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Failure]
# Description: This event is used when the request for TPS to TKS to get random challenge data is processed unsuccessfully.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - Outcome: Success or Failure.
# - Status: 0 for no error.
# - Error: The error message.
# - AgentID: The trusted agent ID used to make the request.
#
LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE=<type=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCCESED]{0} TKS Compute random data request failed
#
# Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Success]
# Description: This event is used when the request for TPS to TKS to get random challenge data is processed successfully.
# Applicable subsystems: TKS, TPS
# Fields:
# - Outcome: Success or Failure.
# - Status: 0 for no error.
# - AgentID: The trusted agent ID used to make the request.
#
LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED]{0} TKS Compute random data request processed successfully
#
# Event: COMPUTE_SESSION_KEY_REQUEST
# Description: This event is used when the request for TPS to TKS to get a session key for secure channel is received.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - Outcome:
# - AgentID: The trusted agent ID used to make the request.
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
##   CUID.  Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that
##   encoded parameters are being logged.
# - CUID_encoded: The special-encoded CUID of the token establishing the secure channel.
# - KDD_encoded: The special-encoded KDD of the token establishing the secure channel.
#
LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=<type=COMPUTE_SESSION_KEY_REQUEST>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}] TKS Compute session key request
#
# Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Failure]
# Description: This event is used when the request for TPS to TKS to get a session key for secure channel is processed unsuccessfully.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - Outcome: Failure
# - status: Error code or 0 for no error.
# - AgentID: The trusted agent ID used to make the request.
# - IsCryptoValidate: tells if the card cryptogram is to be validated
# - IsServerSideKeygen: tells if the keys are to be generated on server
# - SelectedToken: The cryptographic token performing key operations.
# - KeyNickName: The numeric keyset, e.g. #01#01.
# - Error: The error message.
#
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
##                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
# - TKSKeyset: The name of the TKS keyset being used for this request.
# - KeyInfo_KeyVersion: The key version number requested in hex.
# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
#
LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request failed
#
# Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Success]
# Description: This event is used when the request for TPS to TKS to get a session key for secure channel is processed successfully.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - AgentID: The trusted agent ID used to make the request.
# - Outcome: Success
# - status: 0 for no error.
# - IsCryptoValidate: tells if the card cryptogram is to be validated
# - IsServerSideKeygen: tells if the keys are to be generated on server
# - SelectedToken: The cryptographic token performing key operations.
# - KeyNickName: The number keyset, e.g. #01#01.
#
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
##   CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact
##   that decoded parameters are now logged.
##       Also added TKSKeyset, KeyInfo_KeyVersion,
##            NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
# - TKSKeyset: The name of the TKS keyset being used for this request.
# - KeyInfo_KeyVersion: The key version number requested in hex.
# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
#
LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request processed successfully
#
# Event: CONFIG_CERT_POLICY
# Description: This event is used when configuring certificate policy constraints and extensions.
# Applicable subsystems: CA
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=<type=CONFIG_CERT_POLICY>:[AuditEvent=CONFIG_CERT_POLICY][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate policy constraint or extension configuration parameter(s) change
#
# Event: CONFIG_TOKEN_GENERAL
# Description: This event is used when doing general TPS configuration.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#     --- secret component (password) MUST NOT be logged ---
# - Info: Error info for failed cases.
#
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5=<type=CONFIG_TOKEN_GENERAL>:[AuditEvent=CONFIG_TOKEN_GENERAL][SubjectID={0}][Outcome={1}][Service={2}][ParamNameValPairs={3}][Info={4}] TPS token configuration parameter(s) change
#
# Event: CONFIG_TOKEN_PROFILE
# Description: This event is used when configuring token profile.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - Service: can be any of the methods offered
# - ProfileID:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#     --- secret component (password) MUST NOT be logged ---
# - Info: Error info for failed cases.
#
LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6=<type=CONFIG_TOKEN_PROFILE>:[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID={0}][Outcome={1}][Service={2}][ProfileID={3}][ParamNameValPairs={4}][Info={5}] token profile configuration parameter(s) change
#
# Event: CRL_RETRIEVAL
# Description: This event is used when CRLs are retrieved by the OCSP Responder.
# Applicable subsystems: OCSP
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome: "Success" when CRL is retrieved successfully, "Failure" otherwise.
# - CRLnum: The CRL number that identifies the CRL.
#
LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=<type=CRL_RETRIEVAL>:[AuditEvent=CRL_RETRIEVAL][SubjectID={0}][Outcome={1}][CRLnum={2}] CRL retrieval
#
# Event: CRL_VALIDATION
# Description: This event is used when CRL is retrieved and validation process occurs.
# Applicable subsystems: OCSP
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
#
LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=<type=CRL_VALIDATION>:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation
#
# Event: DELTA_CRL_PUBLISHING
# Description: This event is used when delta CRL publishing is complete.
# Applicable subsystems: CA
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome: "Success" when delta CRL is publishing successfully, "Failure" otherwise.
# - CRLnum:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=<type=DELTA_CRL_PUBLISHING>:[AuditEvent=DELTA_CRL_PUBLISHING]{0} Delta CRL publishing
#
# Event: DIVERSIFY_KEY_REQUEST
# Description: This event is used when the request for TPS to TKS to do key changeover is received.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - Outcome:
# - AgentID: The trusted agent ID used to make the request.
# - oldMasterKeyName: The old master key name.
# - newMasterKeyName: The new master key name.
#
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged.
# - CUID_encoded: The special-encoded CUID of the token establishing the secure channel.
# - KDD_encoded: The special-encoded KDD of the token establishing the secure channel.
#
LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6=<type=DIVERSIFY_KEY_REQUEST>:[AuditEvent=DIVERSIFY_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}][oldMasterKeyName={4}][newMasterKeyName={5}] TKS Key Change Over request
#
# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Failure]
# Description: This event is when the request for TPS to TKS to do key changeover is processed unsuccessfully.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - AgentID: The trusted agent ID used to make the request.
# - Outcome: Failure
# - status: 0 for success, non-zero for various errors.
# - oldMasterKeyName: The old master key name.
# - newMasterKeyName: The new master key name.
# - Error: The error message.
#
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
##                       Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
# - TKSKeyset: The name of the TKS keyset being used for this request.
# - OldKeyInfo_KeyVersion: The old key version number in hex.
# - NewKeyInfo_KeyVersion: The new key version number in hex.
# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
#
LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=<type=DIVERSIFY_KEY_REQUEST_PROCESSED>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request failed
#
# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Success]
# Description: This event is used when the request for TPS to TKS to do key changeover is processed successfully.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - AgentID: The trusted agent ID used to make the request.
# - Outcome: Success
# - status: 0 for success, non-zero for various errors.
# - oldMasterKeyName: The old master key name.
# - newMasterKeyName: The new master key name.
#
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
##                       Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
# - TKSKeyset: The name of the TKS keyset being used for this request.
# - OldKeyInfo_KeyVersion: The old key version number in hex.
# - NewKeyInfo_KeyVersion: The new key version number in hex.
# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
#
LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=<type=DIVERSIFY_KEY_REQUEST_PROCESSED>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request processed successfully
#
# Event: ENCRYPT_DATA_REQUEST
# Description: This event is used when the request from TPS to TKS to encrypt data
#   (or generate random data and encrypt) is received.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - SubjectID: The CUID of the token requesting encrypt data.
# - AgentID: The trusted agent ID used to make the request.
# - status: 0 for success, non-zero for various errors.
# - isRandom: tells if the data is randomly generated on TKS
#
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged.
# - CUID_encoded: The special-encoded CUID of the token establishing the secure channel.
# - KDD_encoded: The special-encoded KDD of the token establishing the secure channel.
#
LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=<type=ENCRYPT_DATA_REQUEST>:[AuditEvent=ENCRYPT_DATA_REQUEST][SubjectID={0}][status={1}][AgentID={2}][isRandom={3}] TKS encrypt data request
LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5=<type=ENCRYPT_DATA_REQUEST>:[AuditEvent=ENCRYPT_DATA_REQUEST][CUID_encoded={0}][KDD_encoded={1}][status={2}][AgentID={3}][isRandom={4}] TKS encrypt data request
#
# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Failure]
# Description: This event is used when the request from TPS to TKS to encrypt data
#   (or generate random data and encrypt) is processed unsuccessfully.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - AgentID: The trusted agent ID used to make the request.
# - Outcome: Failure
# - status: 0 for success, non-zero for various errors.
# - isRandom: tells if the data is randomly generated on TKS
# - SelectedToken: The cryptographic token performing key operations.
# - KeyNickName: The numeric keyset, e.g. #01#01.
# - Error: The error message.
#
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
##                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
# - TKSKeyset: The name of the TKS keyset being used for this request.
# - KeyInfo_KeyVersion: The key version number requested in hex.
# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
#
LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE=<type=ENCRYPT_DATA_REQUEST_PROCESSED>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request failed
#
# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Success]
# Description: This event is used when the request from TPS to TKS to encrypt data
#   (or generate random data and encrypt) is processed successfully.
# Applicable subsystems: TKS, TPS
# Enabled by default: No
# Fields:
# - AgentID: The trusted agent ID used to make the request.
# - Outcome: Success
# - status: 0 for success, non-zero for various errors.
# - isRandom: tells if the data is randomly generated on TKS
# - SelectedToken: The cryptographic token performing key operations.
# - KeyNickName: The numeric keyset, e.g. #01#01.
#
## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
##                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
# - CUID_decoded: The ASCII-HEX representation of the CUID of the token establishing the secure channel.
# - KDD_decoded: The ASCII-HEX representation of the KDD of the token establishing the secure channel.
# - TKSKeyset: The name of the TKS keyset being used for this request.
# - KeyInfo_KeyVersion: The key version number requested in hex.
# - NistSP800_108KdfOnKeyVersion: The value of the corresponding setting in hex.
# - NistSP800_108KdfUseCuidAsKdd: The value of the corresponding setting in hex.
#
LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=<type=ENCRYPT_DATA_REQUEST_PROCESSED>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request processed successfully
#
# Event: FULL_CRL_PUBLISHING
# Description: This event is used when full  CRL publishing is complete.
# Applicable subsystems: CA
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome: "Success" when full CRL is publishing successfully, "Failure" otherwise.
# - CRLnum:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=<type=FULL_CRL_PUBLISHING>:[AuditEvent=FULL_CRL_PUBLISHING]{0} Full CRL publishing
#
# Event: INTER_BOUNDARY
# Description: This event is used when inter-CS boundary data transfer is successful.
#   This is used when data does not need to be captured.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - ProtectionMethod: "SSL" or "unknown".
# - ReqType: The request type.
# - ReqID: The request ID.
#
LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=<type=INTER_BOUNDARY>:[AuditEvent=INTER_BOUNDARY][SubjectID={0}][Outcome={1}][ProtectionMethod={2}][ReqType={3}][ReqID={4}] inter-CS boundary communication (data exchange) success
#
# Event: KEY_RECOVERY_AGENT_LOGIN
# Description: This event is used when KRA agents login as recovery agents to approve
#   key recovery requests.
# Applicable subsystems: KRA
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - RecoveryID: The recovery request ID.
# - RecoveryAgent: The recovery agent the KRA agent is
#     logging in with.
#
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=<type=KEY_RECOVERY_AGENT_LOGIN>:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login
#
# Event: KEY_RECOVERY_REQUEST
# Description: This event is used when key recovery request is made.
# Applicable subsystems: CA, OCSP, TKS, TPS, TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - RecoveryID: The recovery request ID.
# - PubKey: The base-64 encoded public key associated with
#     the private key to be recovered.
#
LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=<type=KEY_RECOVERY_REQUEST>:[AuditEvent=KEY_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][PubKey={3}] key recovery request made
#
# Event: KEY_STATUS_CHANGE
# Description: This event is used when modify key status is executed.
# Applicable subsystems: KRA
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - KeyID: An existing key ID in the database.
# - OldStatus: The old status to change from.
# - NewStatus: The new status to change to.
# - Info:
#
LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=<type=KEY_STATUS_CHANGE>:[AuditEvent=KEY_STATUS_CHANGE]{0} Key Status Change
#
# Event: LOG_EXPIRATION_CHANGE (disabled)
# Description: This event is used when log expiration time change is attempted.
#   The ACL should not allow this operation, but make sure it's written after the attempt.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - LogType: "System", "Transaction", or "SignedAudit".
# - ExpirationTime: The amount of time (in seconds) that is
#     attempted to be changed to.
#
#LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=<type=LOG_EXPIRATION_CHANGE>:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt
#
# Event: NON_PROFILE_CERT_REQUEST
# Description: This event is used when a non-profile certificate request is made (before approval process).
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: No
# Fields:
# - SubjectID: The UID of user that triggered this event.
#     If CMC enrollment requests signed by an agent, SubjectID should
#     be that of the agent.
# - Outcome:
# - CertSubject: The certificate subject name of the certificate request.
# - ReqID: The certificate request ID.
# - ServiceID: The identity of the servlet that submitted the original
#     request.
#
LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=<type=NON_PROFILE_CERT_REQUEST>:[AuditEvent=NON_PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ServiceID={3}][CertSubject={4}] certificate request made without certificate profiles
#
# Event: OCSP_ADD_CA_REQUEST
# Description: This event is used when a CA is attempted to be added to the OCSP Responder.
# Applicable subsystems: OCSP
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - CA: The base-64 encoded PKCS7 certificate (or chain).
#
LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST=<type=OCSP_ADD_CA_REQUEST>:[AuditEvent=OCSP_ADD_CA_REQUEST]{0} request to add a CA for OCSP Responder
#
# Event: OCSP_REMOVE_CA_REQUEST
# Description: This event is used when a CA is attempted to be removed from the OCSP Responder.
# Applicable subsystems: OCSP
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - CASubjectDN: The DN ID of the CA.
#
LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST=<type=OCSP_REMOVE_CA_REQUEST>:[AuditEvent=OCSP_REMOVE_CA_REQUEST]{0} request to remove a CA from OCSP Responder
#
# Event: SECURITY_DATA_EXPORT_KEY
# Description: This event is used when user attempts to retrieve key after the recovery request
#   has been approved.
# Applicable subsystems: KRA
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - RecoveryID: The recovery request ID.
# - KeyID: The key being retrieved.
# - Info: The failure reason if the export fails.
# - PubKey: The public key for the private key being retrieved.
#
LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY=<type=SECURITY_DATA_EXPORT_KEY>:[AuditEvent=SECURITY_DATA_EXPORT_KEY]{0} security data retrieval request
#
# Event: SECURITY_DATA_INFO
# Description: This event is used when user attempts to get metadata information about a key.
# Applicable subsystems: KRA
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - KeyID: The key being retrieved.
# - ClientKeyId:
# - Info: The failure reason if the export fails.
# - PubKey: The public key for the private key being retrieved.
#
LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=<type=SECURITY_DATA_INFO>:[AuditEvent=SECURITY_DATA_INFO]{0} security data info request
#
# Event: TOKEN_AUTH with [Outcome=Failure]
# Description: This event is used when authentication failed.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome: Failure
#     (obviously, if authentication failed, you won't have a valid SubjectID, so
#     in this case, AttemptedID is recorded)
# - IP:
# - CUID:
# - MSN:
# - OP:
# - tokenType:
# - AppletVersion:
# - AuthMgr: The authentication manager instance name that did
#     this authentication.
#
LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH]{0} token authentication failure
#
# Event: TOKEN_AUTH with [Outcome=Success]
# Description: This event is used when authentication succeeded.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome: Success
# - IP:
# - CUID:
# - MSN:
# - OP:
# - tokenType:
# - AppletVersion:
# - AuthMgr: The authentication manager instance name that did
#     this authentication.
#
LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH]{0} token authentication success
#
# Event: TOKEN_CERT_ENROLLMENT
# Description: This event is used for TPS when token certificate enrollment request is made.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - tokenType:
# - KeyVersion:
# - Serial:
# - CA_ID:
# - Info: Info in case of failure.
#
LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9=<type=TOKEN_CERT_ENROLLMENT>:[AuditEvent=TOKEN_CERT_ENROLLMENT][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate enrollment request made
#
# Event: TOKEN_CERT_RENEWAL
# Description: This event is used for TPS when token certificate renewal request is made.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - tokenType:
# - KeyVersion:
# - Serial:
# - CA_ID:
# - Info: Info in case of failure.
#
LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[AuditEvent=TOKEN_CERT_RENEWAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate renewal request made
#
# Event: TOKEN_CERT_RETRIEVAL
# Description: This event is used for TPS when token certificate retrieval request is made;
#   usually used during recovery, along with TOKEN_KEY_RECOVERY.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - tokenType:
# - KeyVersion:
# - Serial:
# - CA_ID:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9=<type=TOKEN_CERT_RETRIEVAL>:[AuditEvent=TOKEN_CERT_RETRIEVAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate retrieval request made
#
# Event: TOKEN_CERT_STATUS_CHANGE_REQUEST
# Description: This event is used when a token certificate status change request (e.g. revocation) is made.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID: The last token that the certificate was associated with.
# - tokenType:
# - CertSerialNum: The serial number (in decimal) of the certificate to be revoked.
# - RequestType: "revoke", "on-hold", "off-hold".
# - RevokeReasonNum:
# - CA_ID:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10=<type=TOKEN_CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][CertSerialNum={5}][RequestType={6}][RevokeReasonNum={7}][CA_ID={8}][Info={9}] token certificate revocation/unrevocation request made
#
# Event: TOKEN_FORMAT with [Outcome=Failure]
# Description: This event is used when token format operation failed.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - MSN:
# - tokenType:
# - AppletVersion:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE=<type=TOKEN_FORMAT>:[AuditEvent=TOKEN_FORMAT]{0} token op format failure
#
# Event: TOKEN_FORMAT with [Outcome=Success]
# Description: This event is used when token format operation succeeded.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - MSN:
# - tokenType:
# - AppletVersion:
# - KeyVersion:
#
LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS=<type=TOKEN_FORMAT>:[AuditEvent=TOKEN_FORMAT]{0} token op format success
#
# Event: TOKEN_KEY_RECOVERY
# Description: This event is used for TPS when token certificate key recovery request is made.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - IP:
# - CUID:
# - tokenType:
# - KeyVersion:
# - Serial:
# - CA_ID:
# - KRA_ID:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10=<type=TOKEN_KEY_RECOVERY>:[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made
#
# Event: TOKEN_OP_REQUEST
# Description: This event is used when token processor operation request is made.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - IP:
# - CUID:
# - MSN:
# - Outcome:
# - OP: "format", "enroll", or "pinReset"
# - AppletVersion:
#
LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=<type=TOKEN_OP_REQUEST>:[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token processor op request made
#
# Event: TOKEN_PIN_RESET with [Outcome=Failure]
# Description: This event is used when token pin reset request failed.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - IP:
# - SubjectID:
# - CUID:
# - Outcome:
# - tokenType:
# - AppletVersion:
# - Info:
#
LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE=<type=TOKEN_PIN_RESET>:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset failure
#
# Event: TOKEN_PIN_RESET with [Outcome=Success]
# Description: This event is used when token pin reset request succeeded.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - IP:
# - SubjectID:
# - CUID:
# - Outcome:
# - tokenType:
# - AppletVersion:
# - KeyVersion:
#
LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS=<type=TOKEN_PIN_RESET>:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset success
#
# Event: TOKEN_STATE_CHANGE
# Description: This event is used when token state changed.
# Applicable subsystems: TPS
# Enabled by default: No
# Fields:
# - SubjectID:
# - Outcome:
# - oldState:
# - oldReason:
# - newState:
# - newReason:
# - ParamNameValPairs: A name-value pair
#     (where name and value are separated by the delimiter ;;)
#     separated by + (if more than one name-value pair) of config params changed.
#     --- secret component (password) MUST NOT be logged ---
# - Info: Error info for failed cases.
#
LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8=<type=TOKEN_STATE_CHANGE>:[AuditEvent=TOKEN_STATE_CHANGE][SubjectID={0}][Outcome={1}][oldState={2}][oldReason={3}][newState={4}][newReason={5}][ParamNameValPairs={6}][Info={7}] token state changed