Appendix E. Audit Events
This Appendix provides individual audit events and their parameter description and format. Every audit event in the log is accompanied by the following information:
- The Java identifier of the thread. For example:
0.localhost-startStop-1
- The time stamp the event occurred at. For example:
[21/Jan/2019:17:53:00 IST]
- The log source (14 is SIGNED_AUDIT):
[14]
- The current log level (6 is Security-related events. See the Log Levels (Message Categories) section in the Red Hat Certificate System Planning, Installation, and Deployment Guide. For example:
[6]
- The information about the log event (which is log event specific; see Section E.1, “Audit Event Descriptions” for information about each field in a particular log event). For example:
[AuditEvent=AUDIT_LOG_STARTUP][SubjectID=$System$][Outcome=Success] audit function startup
E.1. Audit Event Descriptions
The following lists the audit events provided in Certificate System:
####################### SIGNED AUDIT EVENTS #############################
# Common fields:
# - Outcome: "Success" or "Failure"
# - SubjectID: The UID of the user responsible for the operation
# "$System$" or "SYSTEM" if system-initiated operation (e.g. log signing).
#
#########################################################################
# Required Audit Events
#
# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
# Description: This event is used when access session failed to establish.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientIP: Client IP address.
# - ServerIP: Server IP address.
# - SubjectID: Client certificate subject DN.
# - Outcome: Failure
# - Info: Failure reason.
#
LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\
<type=ACCESS_SESSION_ESTABLISH>:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish failure
#
# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success]
# Description: This event is used when access session was established successfully.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientIP: Client IP address.
# - ServerIP: Server IP address.
# - SubjectID: Client certificate subject DN.
# - Outcome: Success
#
LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
<type=ACCESS_SESSION_ESTABLISH>:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish success
#
# Event: ACCESS_SESSION_TERMINATED
# Description: This event is used when access session was terminated.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientIP: Client IP address.
# - ServerIP: Server IP address.
# - SubjectID: Client certificate subject DN.
# - Info: The TLS Alert received from NSS
# - Outcome: Success
# - Info: The TLS Alert received from NSS
#
LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\
<type=ACCESS_SESSION_TERMINATED>:[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated
#
# Event: AUDIT_LOG_SIGNING
# Description: This event is used when a signature on the audit log is generated (same as "flush" time).
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: Predefined to be "$System$" because this operation
# associates with no user.
# - Outcome: Success
# - sig: The base-64 encoded signature of the buffer just flushed.
#
LOGGING_SIGNED_AUDIT_AUDIT_LOG_SIGNING_3=[AuditEvent=AUDIT_LOG_SIGNING][SubjectID={0}][Outcome={1}] signature of audit buffer just flushed: sig: {2}
#
# Event: AUDIT_LOG_STARTUP
# Description: This event is used at audit function startup.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome:
#
LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2=<type=AUDIT_LOG_STARTUP>:[AuditEvent=AUDIT_LOG_STARTUP][SubjectID={0}][Outcome={1}] audit function startup
#
# Event: AUTH with [Outcome=Failure]
# Description: This event is used when authentication fails.
# In case of TLS-client auth, only webserver env can pick up the TLS violation.
# CS authMgr can pick up certificate mismatch, so this event is used.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome: Failure
# (obviously, if authentication failed, you won't have a valid SubjectID, so
# in this case, SubjectID should be $Unidentified$)
# - AuthMgr: The authentication manager instance name that did
# this authentication.
# - AttemptedCred: The credential attempted and failed.
#
LOGGING_SIGNED_AUDIT_AUTH_FAIL=<type=AUTH>:[AuditEvent=AUTH]{0} authentication failure
#
# Event: AUTH with [Outcome=Success]
# Description: This event is used when authentication succeeded.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of user who has been authenticated
# - Outcome: Success
# - AuthMgr: The authentication manager instance name that did
# this authentication.
#
LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authentication success
#
# Event: AUTHZ with [Outcome=Failure]
# Description: This event is used when authorization has failed.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of user who has failed to be authorized for an action
# - Outcome: Failure
# - aclResource: The ACL resource ID as defined in ACL resource list.
# - Op: One of the operations as defined with the ACL statement
# e.g. "read" for an ACL statement containing "(read,write)".
# - Info:
#
LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization failure
#
# Event: AUTHZ with [Outcome=Success]
# Description: This event is used when authorization is successful.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of user who has been authorized for an action
# - Outcome: Success
# - aclResource: The ACL resource ID as defined in ACL resource list.
# - Op: One of the operations as defined with the ACL statement
# e.g. "read" for an ACL statement containing "(read,write)".
#
LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization success
#
# Event: CERT_PROFILE_APPROVAL
# Description: This event is used when an agent approves/disapproves a certificate profile set by the
# administrator for automatic approval.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of the CA agent who approved the certificate enrollment profile
# - Outcome:
# - ProfileID: One of the profiles defined by the administrator
# and to be approved by an agent.
# - Op: "approve" or "disapprove".
#
LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval
#
# Event: CERT_REQUEST_PROCESSED
# Description: This event is used when certificate request has just been through the approval process.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: The UID of the agent who approves, rejects, or cancels
# the certificate request.
# - Outcome:
# - ReqID: The request ID.
# - InfoName: "certificate" (in case of approval), "rejectReason"
# (in case of reject), or "cancelReason" (in case of cancel)
# - InfoValue: The certificate (in case of success), a reject reason in
# text, or a cancel reason in text.
# - CertSerialNum:
#
LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=<type=CERT_REQUEST_PROCESSED>:[AuditEvent=CERT_REQUEST_PROCESSED]{0} certificate request processed
#
# Event: CERT_SIGNING_INFO
# Description: This event indicates which key is used to sign certificates.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome: Success
# - SKI: Subject Key Identifier of the certificate signing certificate
# - AuthorityID: (applicable only to lightweight CA)
#
LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO=<type=CERT_SIGNING_INFO>:[AuditEvent=CERT_SIGNING_INFO]{0} certificate signing info
#
# Event: CERT_STATUS_CHANGE_REQUEST
# Description: This event is used when a certificate status change request (e.g. revocation)
# is made (before approval process).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of uer who performed the action
# - Outcome:
# - ReqID: The request ID.
# - CertSerialNum: The serial number (in hex) of the certificate to be revoked.
# - RequestType: "revoke", "on-hold", "off-hold"
#
LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=<type=CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=CERT_STATUS_CHANGE_REQUEST]{0} certificate revocation/unrevocation request made
#
# Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED
# Description: This event is used when certificate status is changed (revoked, expired, on-hold,
# off-hold).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: The UID of the agent that processed the request.
# - Outcome:
# - ReqID: The request ID.
# - RequestType: "revoke", "on-hold", "off-hold"
# - Approval: "complete", "rejected", or "canceled"
# (note that "complete" means "approved")
# - CertSerialNum: The serial number (in hex).
# - RevokeReasonNum: One of the following number:
# reason number reason
# --------------------------------------
# 0 Unspecified
# 1 Key compromised
# 2 CA key compromised (should not be used)
# 3 Affiliation changed
# 4 Certificate superceded
# 5 Cessation of operation
# 6 Certificate is on-hold
# - Info:
#
LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=<type=CERT_STATUS_CHANGE_REQUEST_PROCESSED>:[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED]{0} certificate status change request processed
#
# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
# Description: This event is when access session failed to establish when Certificate System acts as client.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientHost: Client hostname.
# - ServerHost: Server hostname.
# - ServerPort: Server port.
# - SubjectID: SYSTEM
# - Outcome: Failure
# - Info:
#
LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\
<type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client
#
# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Success]
# Description: This event is used when access session was established successfully when
# Certificate System acts as client.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientHost: Client hostname.
# - ServerHost: Server hostname.
# - ServerPort: Server port.
# - SubjectID: SYSTEM
# - Outcome: Success
#
LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
<type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client
#
# Event: CLIENT_ACCESS_SESSION_TERMINATED
# Description: This event is used when access session was terminated when Certificate System acts as client.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - ClientHost: Client hostname.
# - ServerHost: Server hostname.
# - ServerPort: Server port.
# - SubjectID: SYSTEM
# - Outcome: Success
# - Info: The TLS Alert received from NSS
#
LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\
<type=CLIENT_ACCESS_SESSION_TERMINATED>:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client
#
# Event: CMC_REQUEST_RECEIVED
# Description: This event is used when a CMC request is received.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: The UID of user that triggered this event.
# If CMC requests is signed by an agent, SubjectID should
# be that of the agent.
# In case of an unsigned request, it would bear $Unidentified$.
# - Outcome:
# - CMCRequest: Base64 encoding of the CMC request received
#
LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=<type=CMC_REQUEST_RECEIVED>:[AuditEvent=CMC_REQUEST_RECEIVED][SubjectID={0}][Outcome={1}][CMCRequest={2}] CMC request received
#
# Event: CMC_RESPONSE_SENT
# Description: This event is used when a CMC response is sent.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: The UID of user that triggered this event.
# - Outcome:
# - CMCResponse: Base64 encoding of the CMC response sent
#
LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=<type=CMC_RESPONSE_SENT>:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent
#
# Event: CMC_SIGNED_REQUEST_SIG_VERIFY
# Description: This event is used when agent signed CMC certificate requests or revocation requests
# are submitted and signature is verified.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: the user who signed the CMC request (success case)
# - Outcome:
# - ReqType: The request type (enrollment, or revocation).
# - CertSubject: The certificate subject name of the certificate request.
# - SignerInfo: A unique String representation for the signer.
#
LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=<type=CMC_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent signed CMC request signature verification
#
# Event: CMC_USER_SIGNED_REQUEST_SIG_VERIFY
# Description: This event is used when CMC (user-signed or self-signed) certificate requests or revocation requests
# are submitted and signature is verified.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: the user who signed the CMC request (success case)
# - Outcome:
# - ReqType: The request type (enrollment, or revocation).
# - CertSubject: The certificate subject name of the certificate request.
# - CMCSignerInfo: A unique String representation for the CMC request signer.
# - info:
#
LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification failure
LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification success
#
# Event: CONFIG_ACL
# Description: This event is used when configuring ACL information.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
# (where name and value are separated by the delimiter ;;)
# separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=<type=CONFIG_ACL>:[AuditEvent=CONFIG_ACL][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] ACL configuration parameter(s) change
#
# Event: CONFIG_AUTH
# Description: This event is used when configuring authentication.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
# (where name and value are separated by the delimiter ;;)
# separated by + (if more than one name-value pair) of config params changed.
# --- Password MUST NOT be logged ---
#
LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=<type=CONFIG_AUTH>:[AuditEvent=CONFIG_AUTH][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] authentication configuration parameter(s) change
#
# Event: CONFIG_CERT_PROFILE
# Description: This event is used when configuring certificate profile
# (general settings and certificate profile).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
# (where name and value are separated by the delimiter ;;)
# separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=<type=CONFIG_CERT_PROFILE>:[AuditEvent=CONFIG_CERT_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate profile configuration parameter(s) change
#
# Event: CONFIG_CRL_PROFILE
# Description: This event is used when configuring CRL profile
# (extensions, frequency, CRL format).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
# (where name and value are separated by the delimiter ;;)
# separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=<type=CONFIG_CRL_PROFILE>:[AuditEvent=CONFIG_CRL_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] CRL profile configuration parameter(s) change
#
# Event: CONFIG_DRM
# Description: This event is used when configuring KRA.
# This includes key recovery scheme, change of any secret component.
# Applicable subsystems: KRA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs A name-value pair
# (where name and value are separated by the delimiter ;;)
# separated by + (if more than one name-value pair) of config params changed.
# --- secret component (password) MUST NOT be logged ---
#
LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=<type=CONFIG_DRM>:[AuditEvent=CONFIG_DRM][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] DRM configuration parameter(s) change
#
# Event: CONFIG_OCSP_PROFILE
# Description: This event is used when configuring OCSP profile
# (everything under Online Certificate Status Manager).
# Applicable subsystems: OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
# (where name and value are separated by the delimiter ;;)
# separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=<type=CONFIG_OCSP_PROFILE>:[AuditEvent=CONFIG_OCSP_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] OCSP profile configuration parameter(s) change
#
# Event: CONFIG_ROLE
# Description: This event is used when configuring role information.
# This includes anything under users/groups, add/remove/edit a role, etc.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
# (where name and value are separated by the delimiter ;;)
# separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_ROLE=<type=CONFIG_ROLE>:[AuditEvent=CONFIG_ROLE]{0} role configuration parameter(s) change
#
# Event: CONFIG_SERIAL_NUMBER
# Description: This event is used when configuring serial number ranges
# (when requesting a serial number range when cloning, for example).
# Applicable subsystems: CA, KRA
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
# (where name and value are separated by the delimiter ;;)
# separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=<type=CONFIG_SERIAL_NUMBER>:[AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] serial number range update
#
# Event: CONFIG_SIGNED_AUDIT
# Description: This event is used when configuring signedAudit.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: id of administrator who performed the action
# - Outcome:
# - ParamNameValPairs: A name-value pair
# (where name and value are separated by the delimiter ;;)
# separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=<type=CONFIG_SIGNED_AUDIT>:[AuditEvent=CONFIG_SIGNED_AUDIT]{0} signed audit configuration parameter(s) change
#
# Event: CONFIG_TRUSTED_PUBLIC_KEY
# Description: This event is used when:
# 1. "Manage Certificate" is used to edit the trustness of certificates
# and deletion of certificates
# 2. "Certificate Setup Wizard" is used to import CA certificates into the
# certificate database (Although CrossCertificatePairs are stored
# within internaldb, audit them as well)
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: ID of administrator who performed this configuration
# - Outcome:
# - ParamNameValPairs: A name-value pair
# (where name and value are separated by the delimiter ;;)
# separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=<type=CONFIG_TRUSTED_PUBLIC_KEY>:[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY]{0} certificate database configuration
#
# Event: CRL_SIGNING_INFO
# Description: This event indicates which key is used to sign CRLs.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome:
# - SKI: Subject Key Identifier of the CRL signing certificate
#
LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=<type=CRL_SIGNING_INFO>:[AuditEvent=CRL_SIGNING_INFO]{0} CRL signing info
#
# Event: DELTA_CRL_GENERATION
# Description: This event is used when delta CRL generation is complete.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: $Unidentified$
# - Outcome: "Success" when delta CRL is generated successfully, "Failure" otherwise.
# - CRLnum: The CRL number that identifies the CRL
# - Info:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=<type=DELTA_CRL_GENERATION>:[AuditEvent=DELTA_CRL_GENERATION]{0} Delta CRL generation
#
# Event: FULL_CRL_GENERATION
# Description: This event is used when full CRL generation is complete.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome: "Success" when full CRL is generated successfully, "Failure" otherwise.
# - CRLnum: The CRL number that identifies the CRL
# - Info:
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=<type=FULL_CRL_GENERATION>:[AuditEvent=FULL_CRL_GENERATION]{0} Full CRL generation
#
# Event: PROFILE_CERT_REQUEST
# Description: This event is used when a profile certificate request is made (before approval process).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: The UID of user that triggered this event.
# If CMC enrollment requests signed by an agent, SubjectID should
# be that of the agent.
# - Outcome:
# - CertSubject: The certificate subject name of the certificate request.
# - ReqID: The certificate request ID.
# - ProfileID: One of the certificate profiles defined by the
# administrator.
#
LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=<type=PROFILE_CERT_REQUEST>:[AuditEvent=PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ProfileID={3}][CertSubject={4}] certificate request made with certificate profiles
#
# Event: PROOF_OF_POSSESSION
# Description: This event is used for proof of possession during certificate enrollment processing.
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: id that represents the authenticated user
# - Outcome:
# - Info: some information on when/how it occurred
#
LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=<type=PROOF_OF_POSSESSION>:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession
#
# Event: OCSP_ADD_CA_REQUEST_PROCESSED
# Description: This event is used when an add CA request to the OCSP Responder is processed.
# Applicable subsystems: OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: OCSP administrator user id
# - Outcome: "Success" when CA is added successfully, "Failure" otherwise.
# - CASubjectDN: The subject DN of the leaf CA cert in the chain.
#
LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED=<type=OCSP_ADD_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED]{0} Add CA for OCSP Responder
#
# Event: OCSP_GENERATION
# Description: This event is used when an OCSP response generated is complete.
# Applicable subsystems: CA, OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: $NonRoleUser$
# - Outcome: "Success" when OCSP response is generated successfully, "Failure" otherwise.
# - FailureReason:
#
LOGGING_SIGNED_AUDIT_OCSP_GENERATION=<type=OCSP_GENERATION>:[AuditEvent=OCSP_GENERATION]{0} OCSP response generation
#
# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Failure]
# Description: This event is used when a remove CA request to the OCSP Responder is processed and failed.
# Applicable subsystems: OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: OCSP administrator user id
# - Outcome: Failure
# - CASubjectDN: The subject DN of the leaf CA certificate in the chain.
#
LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE=<type=OCSP_REMOVE_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder has failed
#
# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Success]
# Description: This event is used when a remove CA request to the OCSP Responder is processed successfully.
# Applicable subsystems: OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: OCSP administrator user id
# - Outcome: "Success" when CA is removed successfully, "Failure" otherwise.
# - CASubjectDN: The subject DN of the leaf CA certificate in the chain.
#
LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS=<type=OCSP_REMOVE_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder is successful
#
# Event: OCSP_SIGNING_INFO
# Description: This event indicates which key is used to sign OCSP responses.
# Applicable subsystems: CA, OCSP
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome:
# - SKI: Subject Key Identifier of the OCSP signing certificate
# - AuthorityID: (applicable only to lightweight CA)
#
LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO=<type=OCSP_SIGNING_INFO>:[AuditEvent=OCSP_SIGNING_INFO]{0} OCSP signing info
#
# Event: ROLE_ASSUME
# Description: This event is used when a user assumes a role.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID:
# - Outcome:
# - Role: One of the valid roles:
# "Administrators", "Certificate Manager Agents", or "Auditors".
# Note that customized role names can be used once configured.
#
LOGGING_SIGNED_AUDIT_ROLE_ASSUME=<type=ROLE_ASSUME>:[AuditEvent=ROLE_ASSUME]{0} assume privileged role
#
# Event: SECURITY_DOMAIN_UPDATE
# Description: This event is used when updating contents of security domain
# (add/remove a subsystem).
# Applicable subsystems: CA
# Enabled by default: Yes
# Fields:
# - SubjectID: CA administrator user ID
# - Outcome:
# - ParamNameValPairs: A name-value pair
# (where name and value are separated by the delimiter ;;)
# separated by + (if more than one name-value pair) of config params changed.
#
LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=<type=SECURITY_DOMAIN_UPDATE>:[AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] security domain update
#
# Event: SELFTESTS_EXECUTION
# Description: This event is used when self tests are run.
# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
# Enabled by default: Yes
# Fields:
# - SubjectID: $System$
# - Outcome:
#
LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details)
