Programming Guides › Programming Guide for C › Event Log Formats

Event Log Formats

This section contains the following topics:

Access Events

Access events indicate user-related activities. They are called in the context of authentication, authorization, and administration activity.

The format for access events in a text log depends on the event category ID.

Authentication and Authorization Format

If the event category ID is authentication (SmLogAccessCat_Auth) or authorization (SmLogAccessCat_Az), the format is:

lpszEvent lpszHostName lpszTimeString "szClientIp szUserName" "szAgentName szAction szResource" [szTransactionId] [nReason] szStatusMsg

Elements in the above format example are described as follows:

lpszEvent. The name (type) of the access event:

SmLogAccessEvent_AuthAccept : lpszEvent = "AuthAccept"
SmLogAccessEvent_AuthReject : lpszEvent = "AuthReject"
SmLogAccessEvent_AuthAttempt : lpszEvent = "AuthAttempt"
SmLogAccessEvent_AuthChallenge : lpszEvent = "AuthChallenge"
SmLogAccessEvent_AzAccept : lpszEvent = "AzAccept"
SmLogAccessEvent_AzReject : lpszEvent = "AzReject"
SmLogAccessEvent_AdminLogin : lpszEvent = "AdminLogin"
SmLogAccessEvent_AdminLogout : lpszEvent = "AdminLogout"
SmLogAccessEvent_AdminReject : lpszEvent = "AdminReject"
SmLogAccessEvent_AuthLogout : lpszEvent = "AuthLogout"
SmLogAccessEvent_ValidateAccept : lpszEvent = "ValidateAccept"
SmLogAccessEvent_ValidateReject : lpszEvent = "ValidateReject"

lpszHostName. The name of the host.
lpszTimeString. The timestamp of the occurrence of the event, in the format: [<date>/<month>/<year>:<hour>:<minute>:<second>
<difference from GMT>]. For example: [27/Jun/2000:11:27:29 -0500]
szClientIp. The IP address of the client machine.
szUserName. The name of the user.
szAgentName. The name of the agent.
szAction. The action associated with the resource.
szResource. The accessed resource.
[szTransactionId]. A string that contains: idletime=<value>.
[nReason]. The reason associated with the event. Reasons are enumerated in Sm_Api_Reason_t, which is in SmApi.h.
szStatusMsg. The message associated with the event. The message depends on the event type, as shown in in the following table:

Event	Role of szStatusMsg
SmLogAccessEvent_AdminLogin	Holds the UserMsg returned by the authentication scheme.
SmLogAccessEvent_AdminReject	Holds the ErrorMsg returned by the authentication Scheme
SmLogAccessEvent_AuthAccept	Holds the UserMsg.
SmLogAccessEvent_AuthReject	Holds a concatenated string of UserMsg and ErrorMsg.
SmLogAccessEvent_AuthAttempt	Holds a concatenated string of UserMsg and ErrorMsg.
SmLogAccessEvent_AuthChallenge	Holds the UserMsg.
SmLogAccessEvent_ValidateAccept	Is an empty string.
SmLogAccessEvent_ValidateReject	Holds an error message containing the reason for validate reject. Examples: "Invalid session token" "Invalid session id" "Invalid session ip" "Invalid user DN" "Session has expired" "Invalid key in use" "Invalid error status"
SmLogAccessEvent_AuthLogout	An empty string.
SmLogAccessEvent_AzAccept	An empty string.
SmLogAccessEvent_AzReject	Depending on the type of az reject, it is a string explaining the reason for the reject. Examples: "Invalid session type for affiliate agent" "Invalid session type" "Session not authorized for this security level"

For example:

AuthAccept testbox [27/Jun/2000:11:27:29 -0500] "190.158.4.90 uid=scarter,ou=people,o=airius.com" "testagent GET /test/index.html" [idletime=3600;maxtime=7200;authlevel=5;] [0]

In this example,

lpszEvent is AuthAccept
lpszHostName is testbox
lpszTimeString is [27/Jun/2000:11:27:29 -0500]
szClientIp is 190.158.4.90
szUserName is uid=scarter,ou=people,o=airius.com
szAgentName is testagent
szAction is GET
szResource is /test/index.html
[szTransactionId] is [idletime=3600;maxtime=7200;
authlevel=5;]
[nReason] is [0]
szStatusMsg is not specified.

Administration Format

If the event category ID is SmLogAccessCat_Admin, the format is:

lpszEvent lpszHostName lpszTimeString "szClientIp szUserName"     szStatusMsg

Elements in the above format example are described as follows:

lpszEvent is the name (type) of the access event:

SmLogAccessEvent_AdminLogin:lpszEvent = "AdminLogin"
SmLogAccessEvent_AdminLogout:lpszEvent = "AdminLogout" 
SmLogAccessEvent_AdminReject:lpszEvent = "AdminReject"

lpszHostName is the name of the host.
lpszTimeString is the timestamp of the occurrence of the event, in the format: [<date>/<month>/<year>:<hour>:<minute>:<second> <difference from GMT>]. For example:
```
[27/Jun/2000:11:27:29 -0500]
```
szClientIp is the IP address of the client machine.
szUserName is the name of the user.
szStatusMsg is the message associated with the event. The message depends on the event type, as shown in the following table:

Event	Role of szStatusMsg
SmLogAccessEvent_AdminLogin	Holds the UserMsg returned by the authentication scheme.
SmLogAccessEvent_AdminReject	Holds the ErrorMsg returned by the authentication scheme

For example:

AdminLogin testbox [27/Jun/2000:11:26:50 -0500] 
   "190.158.4.90 siteminder"

In this example,

lpszEvent is AdminLogin
lpszHostName is testbox
lpszTimeString is [27/Jun/2000:11:26:50 -0500]
szClientIp is 190.158.4.90
szUserName is siteminder
szStatusMsg is not specified.

Object Events

Object events are called when

SiteMinder objects are created, updated, or deleted.
An application or a user logs in to the object store.

Object events are called in the context of authentication, SiteMinder object changes, and management activity.

The format for object events in a text log depends upon the object event category ID.

AdminChange Format

AdminChange events occur when an administrator adds, updates, or deletes an object. The format is:

AdminChange <Hostname> <Time String> "- <Username> " <Event> <Category> '<ObjectName>'

Elements in the above format example are described as follows:

<HostName> is the name of the host.
<Time String> is the timestamp of the occurrence of the event, in the format: [<date>/<month>/<year>:<hour>:<minute>:<second> <difference from GMT>]. For example:
```
[27/Jun/2000:11:27:29 -0500]
```
<UserName> is the name of the user who generated the event.
<Event> is the name of the object event—namely:
```
Create
Delete
Update
UpdateField
```
<Category> is the object that is the target of the event—for example, Rule or UserDirectory.
<ObjectName> is the user-defined name for the object. Some object categories (such as RootConfig) have no ObjectName associated with them.

Here is an example of an AdminChange event format that was logged when administrator JLewis created the rule MyNewRule:

AdminChange MyHost [20/Jul/2001:10:26:15 -0500] "- JLewis" Create Rule 'MyNewRule'

Management Command Format

If the object category ID is management command (SmLogObjCat_ManagementCommand), the format is:

ManagementCommand <Hostname> <Time String> "- <Username> " <Event> '<Description>'

Elements in the above format example are described as follows:

<HostName> is the name of the host.
<Time String> is the timestamp of the occurrence of the event, in the format: [<date>/<month>/<year>:<hour>:<minute>:<second> <difference from GMT>]. For example:
```
[27/Jun/2000:11:27:29 -0500]
```
<UserName> is the name of the user who generated the event.

<Event> is the name of the management command event—namely:

FlushAll             ChangeDynamicKeys
FlushUser            ChangePersistentKey
FlushAllUsers        ChangeDisabledUserState
FlushAllRealms       ChangeUserPassword

<Description> is the user DN for management commands that involve a user, such as flush user command, a change disabled user state, and a change password.

Here is an example of a management command event format that was logged when administrator JLewis flushed the user cache for BRoy:

ManagementCommand MyHost [20/Jul/2001:13:26:23 -0500] 
"- JLewis" FlushUser 'uid=BRoy,ou=HR,o=security.com'

EMS Events

EMS events include the following:

Creating, deleting or modifying any of the following objects:
- User
- Organization
- User role
- Admin role
- Resource
- Generic object in the Top object class
Enabling or disabling a user
Assigning or removing a user role
Modifying a user’s password
Logging in or logging out as an administrator
Failing to authenticate
EMS server session timeout

EMS Log Format

SiteMinder logs EMS events to a text file using the following format. In the format example, literal strings are shown in bold type:

lpszTimeString: Category lpszCat (nCategoryId), 
      Event lpszEvent (nEventId)
   Username szUserName, SessionId szSessionId
   DirectoryName szDirName
   ObjectName szObjName, ObjectClass szObjClass, 
      ObjectPath szObjPath
   Organization szOrgName, Role szRoleName
   Description: szFieldDesc
   Status: szStatusMsg

Elements in the preceding format example are described as follows:

lpszTimeString is the timestamp of the occurrence of the event, in the format: [<date>/<month>/<year>:<hour>:<minute>:<second>
<difference from GMT>]. For example:
```
[27/Jun/2000:11:27:29 -0500]
```
nCategoryId contains the category ID, and lpszCat contains the corresponding category name.
nEventId contains the EMS event ID, and lpszEvent contains the corresponding event name.

The remaining fields, shown in italics, are members of the structure SmLog_EMS_t.

Category ID (nCategoryId)	Category (lpszCat)
SmLogEmsCat_DirectoryUser	"User"
SmLogEmsCat_DirectoryAdmin	"Admin"
SmLogEmsCat_DirectorySession	"Session"

Event ID (nEventId)	Event (lpszEvent)
SmLogEmsEvent_CreateUser	"CreateUser"
SmLogEmsEvent_DeleteUser	"DeleteUser"
SmLogEmsEvent_ModifyUser	"ModifyUser"
SmLogEmsEvent_AssignUserRole	"AssignUserRol" (sic)
SmLogEmsEvent_RemoveUserRole	"RemoveUserRole"
SmLogEmsEvent_EnableUser	"EnableUser"
SmLogEmsEvent_DisableUser	"DisableUser"
SmLogEmsEvent_CreateOrg	"CreateOrganization"
SmLogEmsEvent_DeleteOrg	"DeleteOrganization"
SmLogEmsEvent_ModifyOrg	"ModifyOrganization"
SmLogEmsEvent_CreateRole	"CreateRole"
SmLogEmsEvent_DeleteRole	"DeleteRole"
SmLogEmsEvent_ModifyRole	"ModifyRole"
SmLogEmsEvent_CreateResource	"CreateResource"
SmLogEmsEvent_DeleteResource	"DeleteResource"
SmLogEmsEvent_ModifyResource	"ModifyResource"
SmLogEmsEvent_AssignResourceRole	"AssignResourceRole"
SmLogEmsEvent_RemoveResourceRole	"RemoveResourceRole"
SmLogEmsEvent_Login	"Login"
SmLogEmsEvent_Logout	"Logout"
SmLogEmsEvent_LoginFail	"LoginFail"
SmLogEmsEvent_SessionTimeout	"SessionTimeout"
SmLogEmsEvent_AuthFail	"AuthFail"
SmLogEmsEvent_PasswordModify	"ChangePassword"
SmLogEmsEvent_CreateAdminRole	"CreateAdminRole"
SmLogEmsEvent_DeleteAdminRole	"DeleteAdminRole"
SmLogEmsEvent_ModifyAdminRole	"ModifyAdminRole"
SmLogEmsEvent_AssignAdminRole	"AssignAdminRole"
SmLogEmsEvent_RemoveAdminRole	"RemoveAdminRole"
SmLogEmsEvent_AddManagedOrg	"AddManagedOrg"
SmLogEmsEvent_RemoveManagedOrg	"RemoveManagedOrg"
SmLogEmsEvent_CreateObject	"CreateObject"
SmLogEmsEvent_DeleteObject	"DeleteObject"
SmLogEmsEvent_ModifyObject	"ModifyObject"