

Login Event

Login events describe an attempt to log in to CA ControlMinder or a CA ControlMinder protected host.

Audit records in this event have the following format:

Date Time Status Event UserName SessionID Details Reason Terminal Program AuditFlags

Date

Identifies the date the event occurred.

Format: DD MMM YYYY

Note: CA ControlMinder Endpoint Management formats the date display according to your computer's settings.

Time

Identifies the time the event occurred.

Format: HH:MM:SS

Note: CA ControlMinder Endpoint Management formats the time display according to your computer's settings.

Status

Indicates the return code for the event.

Values: Can be one of:

Event Type

Identifies the type of event this record belongs to.

Note: CA ControlMinder Endpoint Management refers to this field simply as Event.

User Name

Identifies the name of the accessor that performed the action that triggered this event.

User Logon Session ID

Identifies the accessor's session ID.

Note: By default this field does not appear in a non-detailed seaudit output. To display this field in a non-detailed seaudit output, specify the -sessionid option in the seaudit command.

Details

Indicates at which stage CA ControlMinder decided what action to take for this event.

Note: The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the authorization stage code. In a detailed output or in CA ControlMinder Endpoint Management, the audit record displays the message associated with the authorization stage code. For a complete list of stage codes, run seaudit -t.

Reason

Indicates the reason that CA ControlMinder wrote an audit record.

Note: This field does not display in a detailed seaudit output or in CA ControlMinder Endpoint Management. The audit record you see in a non-detailed seaudit output displays a number in this field. This number is known as the reason code. For a complete list of reason codes, run seaudit -t.

Terminal

Identifies the name of the terminal that the accessor used to connect to the host.

Program

Identifies the name of the program that triggered the event. That is, the program that the accessor used to try to log in. For CA ControlMinder administration login, this is the CA ControlMinder module that logged in (selang, Web Service, and so on).

Audit Flags

Indicates whether the accessor is internal (CA ControlMinder database user) or an enterprise user.

Note: If the accessor is an enterprise user, the audit record you see in a non-detailed seaudit output displays the string "(OS user)" in this field. Otherwise, this field remains empty.

Example: Login Event Message

The following audit record was taken from a detailed seaudit output.

28 Oct 2008 12:15:01 P LOGIN  root  49047159:0000034b  59  2  _CRONJOB_  SBIN_CRON
Event type: Login event
Status: Permitted
User name: root
Terminal: _CRONJOB_
Program: SBIN_CRON
Date: 28 Oct 2008
Time: 12:15
Details: Resource UACC check
User Logon Session ID: 49047159:0000034b
Audit flags: AC database user

This audit record indicates that on October 28th 2008, at 12:15:01, user root logged in to the protected host from terminal _CRONJOB_ and ran an SBIN_CRON program. CA ControlMinder permitted the operation because the resource's default access permissions permit this action (authorization stage code 59—Resource UACC check). CA ControlMinder logged this event because the accessor's audit mode specifies that this event should be logged (reason code 2—User audit mode requires logging).
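To feed these records into a log pipeline, the record line shown above can be split into the documented fields. The following parser is an added example, not part of the CA ControlMinder documentation. It assumes that fields are whitespace-separated with no embedded spaces, that a session ID has the `<hex>:<hex>` shape seen in the sample record, and that "(OS user)" appears at the end of the line; the second record, for a hypothetical user jdoe, is constructed.

```python
import re
from datetime import datetime

# Assumption: a session ID looks like "<hex>:<hex>", as in the page's sample.
SESSION_ID = re.compile(r"^[0-9a-fA-F]+:[0-9a-fA-F]+$")
OS_USER_FLAG = "(OS user)"  # Audit Flags string shown for enterprise users


def parse_login_record(line):
    """Parse one non-detailed seaudit LOGIN record into a dict."""
    text = line.strip()
    # Audit Flags is the last field and contains a space: peel it off first.
    enterprise = text.endswith(OS_USER_FLAG)
    if enterprise:
        text = text[: -len(OS_USER_FLAG)]
    tok = text.split()
    if len(tok) < 6 or tok[5] != "LOGIN":
        raise ValueError("not a LOGIN audit record")
    # Date is three tokens (DD MMM YYYY), Time is one (HH:MM:SS).
    when = datetime.strptime(" ".join(tok[:4]), "%d %b %Y %H:%M:%S")
    rest = tok[6:]  # UserName [SessionID] Details Reason Terminal Program
    # SessionID is present only when seaudit was run with -sessionid.
    has_sid = len(rest) == 6 and SESSION_ID.match(rest[1]) is not None
    if len(rest) != (6 if has_sid else 5):
        raise ValueError("unexpected field count: %d" % len(rest))
    details, reason, terminal, program = rest[-4:]
    return {
        "timestamp": when,
        "status": tok[4],
        "event": tok[5],
        "user": rest[0],
        "session_id": rest[1] if has_sid else None,
        "stage_code": int(details),  # authorization stage code
        "reason_code": int(reason),  # why the record was written
        "terminal": terminal,
        "program": program,
        "enterprise_user": enterprise,
    }


# The record from this page, then a constructed one without a session ID.
PAGE_RECORD = "28 Oct 2008 12:15:01 P LOGIN  root  49047159:0000034b  59  2  _CRONJOB_  SBIN_CRON"
CONSTRUCTED = "28 Oct 2008 12:15:01 P LOGIN  jdoe  59  2  _CRONJOB_  SBIN_CRON  (OS user)"

if __name__ == "__main__":
    for rec in (PAGE_RECORD, CONSTRUCTED):
        print(parse_login_record(rec))
```

The stage and reason codes are kept as integers so they can be joined against the tables that seaudit -t prints.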

More information:

Authorization Stage Codes for Log In and Log Out Events

Reason Codes That Specify Why a Record Was Created