Skip to main content
Version: 3.25

Syslog

Syslog messages are based on UDP protocol through port 514, and are a maximum of 1024 bytes in size.

Notification Format

All Syslog messages follow a specific format. An example of a message in Syslog format may be:

$<$`<!-- -->`{=html}13$>$`<!-- -->`{=html}1 2018-06-18T17:49:41-03:00 vm-andrew-dev senhasegura 
1426 - Successfully authenticated.

This message can be divided into two parts: Header and Values.

The header is made up of date, time, hostname, and senhasegura ID information, indicating that the message is solution specific.

The values in turn present additional event information, in the format key = value.

  • <13>1: PRI

  • 218-06-18T17:49:41-03:00: TIMESTAMP

  • vm-andrew-dev: HOSTNAME

  • senhasegura_: AAP-NAME

  • _1426: PROCID

  • Successfully authenticated.: MSGID

Priorities

Priority types (PRI) are categorized according to their priority in the Syslog pattern:

PriorityCriticalityKeywordDescriptionExamples
0EmergencyemergThe system is unusableThis level should not be used by applications.
1AlertalertSome action should be taken immediately.Loss of the primary ISP connection.
2CriticalcritCritical ConditionsA failure in the system’s primary application.
3ErrorerrError ConditionsAn application has exceeded its file storage limit and attempts to write are failing.
4WarningwarningMay indicate that an error will occur if action is not takenA non-root file system has only 2GB remaining.
5NoticenoticeAbnormal events, but not in error condition
6InformationalinfoNormal operation messages, which do not require actionAn application has started, paused or ended successfully.
7DebugdebugDebug Messages.

The events configured in SYSLOG are:

IDOriginPriorityNameDescription
1COSEnotice(5)Password ViewedA password has been viewed by a user.
2COSEnotice(5)Password changedA password has been manually changed by a user.
3COSEnotice(5)Password ExpiredA password has expired and cannot be automatically changed.
4COSEnotice(5)Password daily summaryStatus concerning credentials daily usage
5COSGnotice(5)Information viewedProtected information is viewed by a user.
6COSGnotice(5)Information changedProtected information has been changed by a user.
7COSGnotice(5)Information expiredA protected information has expired.
8COEQwarning(4)Lost of connectivityThe application has lost connectivity with a device.
9COEQnotice(5)Reestablished ConnectivityThe application was able to connect to a device that was without connectivity.
10COAUwarning(4)Command detected - Low UrgencyAn audited low criticality command was detected.
11COAUerror(3)Command detected - Medium UrgencyAn audited command of medium criticality was detected.
12COAUcritical(2)Command detected - High UrgencyA highly critical audited command has been detected.
13COACnotice(5)New requestA user has requested access to a password.
14COACnotice(5)Request approvedA password access request has been approved.
15COACnotice(5)Request DisapprovedA password access request has been disapproved.
16COSSnotice(5)Session startedA user has logged in.
17COSSnotice(5)Session finishedA user has ended a session.
18COBAnotice(5)Backup performedThe backup was performed correctly.
19COBAerror(3)Error on backupAn error occurred while backing up.
20COTRerror(3)Error on changeAn error occurred while changing a password.
21COTRnotice(5)Change ExecutedPassword successfully changed.
22COREinfo(6)Password confirmedReconciliation validated the password.
23COREerror(3)Invalid passwordThe password stored in the vault is not valid.
24COTRinfo(6)Activation executedUser active successfully.
25COTRerror(3)Error on activationAn error occurred while activating the user.
26CONOinfo(6)Change password daily reportValidation of password changes.
27CONOwarning(4)Low disk space - Low UrgencyReaching 70 % of total disk space
28CONOerror(3)Low disk space - Medium UrgencyWhen you reach 80 % of total disk space
29CONOalert(1)Low disk space - High UrgencyReaching 90 % of total disk space
30CONOinfo(6)Space disk - Daily notificationDaily Disk Space Status
31COSSwarning(4)Command detected - Block and interrupt sessionAn audited command, configured as prohibited and subject to session interruption, was executed.
32COSSnotice(5)Command detected - BlockAn audited command, set to prohibited, has been executed.
33COSSinfo(6)Command detected - AllowAn audited command has been executed.
34COSSnotice(5)Session file modifiedA session file has been modified.
35COSEnotice(5)Credential Owner configurationCredential owner set
36COATnotice(5)Audit trailAudit trail
37AUTHnotice(5)Authentication messagessenhasegura.go Authentication Messages
38CONOwarning(4)CPU Usage - HighCPU utilization by application is high
39CONOcritical(2)CPU Usage - CriticalCPU utilization by application is at critical level
40CONOwarning(4)Memory Usage - HighMemory consumption by application is high
41CONOcritical(2)Memory Usage - CriticalMemory consumption by application is at critical level
42COOFinfo(6)Application startedThe application senhasegura.go started
43COOFinfo(6)Application completedThe application senhasegura.go terminated
44COOFinfo(6)Credential use for network accessA credential was used for network access
45COOFinfo(6)New senhasegura.go versionThere is a new version of senhasegura.go available
46COOFnotice(5)senhasegura.go version approvedThere is a version of senhasegura.go approved
47COOFwarning(4)senhasegura.go version disabledThere is an inactive version of senhasegura.go
48COOFnotice(5)Download of senhasegura.go version performedA version of senhasegura.go has been downloaded
49COOFnotice(5)senhasegura.go version installedA version of senhasegura.go has been installed
50CRTCnotice(5)Certificate expiration alert: 30 daysSome certificates will expire until 30 days
51CRTCwarning(4)Certificate expiration alert: 7 daysSome certificates will expire until 7 days
52CRTCerror(3)Certificate expiration alert: 1 daySome certificates will expire until 1 day
53CRTCnotice(5)Certificate creationA certificate has been created
54CRTCnotice(5)Certificate renewalA certificate has been renewed
55CRTCnotice(5)Certificate revocationA certificate has been revoked
58CRTCnotice(5)Request password viewA request’s password has been seen
59CRTCnotice(5)Certificate password viewA certificate’s password has been seen
60COOFnotice(5)Workstation approvedA workstation has been approved to use senhasegura.go
61COOFnotice(5)Workstation registrationA workstation has requested senhasegura.go usage
62COOFnotice(5)User createdA new workstation user has been approved to use senhasegura.go
63COOFnotice(5)Using AUCA program has requested elevation using Microsoft UAC using senhasegura.go
65COOFnotice(5)View passwordA credential has been requested and seen using senhasegura.go
66COOFnotice(5)Copy passwordA credential has been requested and copied using senhasegura.go
67COOFnotice(5)Runas executedA program has been executed using senhasegura.go
68COOFnotice(5)Macro executedA user-automation has been executed using senhasegura.go
69COOFnotice(5)Control panel executedA control panel applet has been executed using senhasegura.go
70COOFnotice(5)Network adapter executedA network adapter has been requested using senhasegura.go
71COOFnotice(5)Network shareA network folder has been accessed using senhasegura.go
72COOFnotice(5)senhasegura.go uninstalledsenhasegura.go has been uninstalled by user decision
73COOFnotice(5)senhasegura.go goes onlinesenhasegura.go has turned online by user decision
74COOFnotice(5)senhasegura.go goes offlinesenhasegura.go has turned offline by user decision
75COOFnotice(5)senhasegura.go alertsenhasegura.go has send an alert. Some situation under its workstation needs attention and can affect senhasegura.go usage.
76CRTCnotice(5)Certificate expiration warning: 90 daysSome certificates will expire until 90 days
77CRTCnotice(5)Certificate expiration warning: 60 daysSome certificates will expire until 60 days
78CRTCnotice(5)Certificate expiration warning: 15 daysSome certificates will expire until 15 day
79CRTCnotice(5)Certificate expiration alert: TodaySome certificates will expire today
80CRTCnotice(5)Certificate link with device
81CRTCnotice(5)Download
82CRTCnotice(5)Request Management
83CRTCnotice(5)Publication Profile Management
84CRTCnotice(5)Certificate Management
85COOFnotice(5)Error retrieving credentials
86USBHnotice(5)Accesses at unusual time
87USBHnotice(5)Access with unusual average length
88USBHnotice(5)Unusual accesses
89COOFnotice(5)Directory and file scan - Inclusion
90COOFnotice(5)Directory and file scan - Exclusion
91COOFnotice(5)Directory and file scan - Change
IDOriginPriorityNameDescription
336.001Orbitalert(1)Orbit task createOrbit task creation
336.002Orbitalert(1)Orbit task execution successOrbit task successfully executed
336.003Orbitalert(1)Orbit task execution errorOrbit task executed with error
336.004Orbitalert(1)Orbit log operationLog operation
336.500Orbitalert(1)Orbit alert reportOrbit Alert Information
336.501Orbitalert(1)Orbit incident reportOrbit Incident Information

Values

The message value is a set in key = value format, separated by spaces. The keys have the same name as the Common Event Format (CEF) format. The ones used by senhasegura are:

KeyDescriptionEvents
actMethod used to accessAll
dhostDevice hostname affected by event, 2, 3, 8, 16, 17, 20, 21
dstEvent Destination Device IP, 2, 3, 8, 16, 17, 20, 21
duidEvent related credential ID, 2, 3, 13, 14, 15, 16, 17, 20,21
duserEvent related credential username, 2, 3, 13, 14, 15, 16, 17, 20,21
KeyDescriptionEvents
msgAdditional Event DetailsAll
requestMethodMethod used for accessAll
snameUsername in the senhasegura that generated the eventAll
spidID of the process where the event was generatedAll
sprivUser type in senhasegura that generated the eventAll
suidUser ID in the senhasegura that generated the eventAll
suserUsername of the user who generated the eventAll