(v1.5) List and description of Audit Log event types
The events logged in the application audit log always have one of the event types described below. The event type specifies what kind of event occurred. Each event type has its own set of information saved in the log record. The set of existing event types can differ between application versions. Typically, new versions add new event types.
The following table lists all the existing event types and related information about them:
Audit Log type name | Basic meaning | Severity * | Since version | Until version |
---|---|---|---|---|
AD_AUTH_FAILED | User authentication in AD domain failed. | WARNING | 1.0 | |
AD_AUTH_FAILED_WRONG_PATH | User authentication in AD domain failed, likely because of a wrong “User tree” supplied in the settings. | ERROR | 1.0 | 1.3.2 |
AD_AUTH_FAILED_WRONG_PATH_OR_GROUP | User authentication in AD domain failed, likely because of a wrong “User tree” or “Allowed group” supplied in the settings. | ERROR | 1.3.3 | |
AD_AUTH_SUCCESS | Successful authentication of a user using AD account. | INFO | 1.0 | |
AD_BAD_GROUP | User successfully authenticated in AD, but is not in the allowed group. | WARNING | 1.0 | |
AD_CONNECTION_FAILED | Error in communication with AD. | ERROR | 1.0 | |
AD_USER_FOUND | User was verified in AD. | INFO | 1.0 | |
AD_USER_INFO_FAIL | Could not read user information from AD. | WARNING | 1.0 | |
AD_USER_NOT_FOUND | User not found in AD, or the configured service account for binding to AD does not work. | WARNING | 1.0 | |
ADFS_ADDED | Configuration for ADFS user authentication added. | NOTICE | 1.0 | |
ADFS_CONFIG_MISSING | ADFS authentication enabled, but required configuration missing. | ERROR | 1.0 | |
ADFS_DELETED | Configuration for ADFS user authentication deleted - never occurs during application runtime. | NOTICE | 1.0 | |
ADFS_UPDATED | Configuration for ADFS user authentication updated. | NOTICE | 1.0 | |
ADMIN_ADDED | An administrator account added. | NOTICE | 1.0 | |
ADMIN_AUTH_FAILED_MFA | Second factor verification failed during an administrator login. | WARNING | 1.4 | |
ADMIN_AUTH_FAILED_NOT_ALLOWED_IP | An administrator login failed, because it originated from an IP address that is not allowed. | WARNING | 1.0 | |
ADMIN_AUTH_FAILED_UNKNOWN_USER | An administrator login failed, because such an account does not exist. | WARNING | 1.0 | |
ADMIN_AUTH_FAILED_WRONG_PASSWORD | An administrator login failed, because the entered password was not valid. | WARNING | 1.0 | |
ADMIN_DELETED | Administrator’s account deleted. | NOTICE | 1.0 | |
ADMIN_LOGGED_IN | An administrator logged in. | INFO | 1.0 | |
ADMIN_LOGGED_OUT | An administrator logged out. | INFO | 1.0 | |
ADMIN_PASSWORD_CHANGED | An administrator’s password changed. | NOTICE | 1.0 | |
ADMIN_TIMED_OUT | An administrator logged out automatically because of a long period of inactivity. | INFO | 1.0 | |
ADMIN_UPDATED | An administrator’s account updated. | INFO | 1.0 | |
ANTIVIRUS_HARDFAIL | A file check by an antivirus failed definitively (will not be retried again). | ERROR | 1.0 | |
ANTIVIRUS_SOFTFAIL | A file check by an antivirus failed and will be retried again. | WARNING | 1.0 | |
API_TOKEN_ADDED | A token for using the API created. | NOTICE | 1.3 | |
API_TOKEN_DELETED | A token for using the API deleted. | NOTICE | 1.3 | |
APP_MIGRATION_ADDED | An application migration added - never occurs during application runtime. | INFO | 1.0 | |
APP_MIGRATION_DELETED | An application migration deleted - never occurs during application runtime. | INFO | 1.0 | |
APP_MIGRATION_UPDATED | An application migration updated - never occurs during application runtime. | INFO | 1.0 | |
APP_VERSION_CHANGED | Application version changed. Typically occurs during update to a new version. | NOTICE | 1.6.0 | |
CAPTCHA_ERROR | An unexpected error occurred during captcha evaluation. | ERROR | 1.3 | |
CAPTCHA_FAILED | The Captcha result is fail - request blocked. | NOTICE | 1.3 | |
CAPTCHA_PASSED | The Captcha result is pass - request allowed. | INFO | 1.3 | |
CONFIG_ADDED | New configuration parameter added - never occurs during application runtime. | INFO | 1.0 | |
CONFIG_DELETED | Configuration parameter deleted - never occurs during application runtime. | INFO | 1.0 | |
CONFIG_UPDATED | Configuration parameter updated. | NOTICE | 1.0 | |
CONTACT_ADDED | Added a new contact to the address book. | INFO | 1.4 | |
CONTACT_DELETED | Deleted a contact from the address book. | INFO | 1.4 | |
CONTACT_GROUP_ADDED | Added a new group to the address book. | INFO | 1.4 | |
CONTACT_GROUP_DELETED | Deleted a group from the address book. | INFO | 1.4 | |
CONTACT_GROUP_UPDATED | Updated a group in the address book. | INFO | 1.4 | |
CONTACT_UPDATED | Updated a contact in the address book. | INFO | 1.4 | |
DATASTORE_ACTIVATED | A data store activated, new data will be saved to it. | NOTICE | 1.4 | |
DATASTORE_ADDED | Added a new data store. | NOTICE | 1.4 | |
DATASTORE_DEACTIVATED | A data store deactivated, new data will not be saved to it. | NOTICE | 1.4 | |
DATASTORE_DELETED | Deleted a data store. | NOTICE | 1.4 | |
DATASTORE_UPDATED | Updated a data store. | NOTICE | 1.4 | |
DETECTION_ENGINE_STATUS_UPDATED | Detection engine status updated. Usually occurs automatically during anti-virus update. | DEBUG | 1.3 | |
DETECTION_ENGINE_UPDATED | Updated detection engine settings. | NOTICE | 1.0 | |
DIAGNOSTIC_LOGS_SENT | Application logs sent for analysis. | NOTICE | 1.4 | |
DIAGNOSTIC_TUNNEL_DISABLED | Remote diagnostics access disabled. | NOTICE | 1.4 | |
DIAGNOSTIC_TUNNEL_ENABLED | Remote diagnostics access enabled. | NOTICE | 1.4 | |
DOMAIN_ADDED | Added a new domain. | NOTICE | 1.0 | |
DOMAIN_DELETED | Deleted a domain. | NOTICE | 1.0 | |
DOMAIN_UPDATED | Updated a domain. | NOTICE | 1.0 | |
EMAIL_QUEUED | An e-mail message queued to be sent. | INFO | 1.0 | |
EMAIL_SEND_FAILED | Failed to send an e-mail message through the configured SMTP server. | INFO | 1.4 | |
EMAIL_SENT | An e-mail message successfully sent to the configured outgoing mail server. | INFO | 1.0 | |
EMAIL_TEMPLATE_UPDATED | A template for outgoing e-mail messages updated. | NOTICE | 1.4 | |
FIDO_CHALLENGE_ADDED | New key for FIDO2 multi-factor authentication (webauthn) added - cancelled, does not occur. | NOTICE | 1.4 | |
FIDO_CHALLENGE_DELETED | A key for FIDO2 multi-factor authentication (webauthn) deleted - cancelled, does not occur. | NOTICE | 1.4 | |
FIDO_CHALLENGE_UPDATED | A key for FIDO2 multi-factor authentication (webauthn) updated - cancelled, does not occur. | NOTICE | 1.4 | |
FILE_ADDED | New file added to a package. | INFO | 1.0 | |
FILE_ARCHIVE_ADDED | File archive (zip) added to a package. | INFO | 1.0 | |
FILE_ARCHIVE_DELETED | Package’s file archive (zip) deleted. | INFO | 1.0 | |
FILE_ARCHIVE_DOWNLOAD_STARTED | Download of a package’s file archive (zip) started. | INFO | 1.0 | |
FILE_ARCHIVE_UPDATED | Package’s file archive (zip) updated. | INFO | 1.0 | |
FILE_DELETED | Package’s file deleted. | INFO | 1.0 | |
FILE_DOWNLOAD_STARTED | Download of a package’s file started. | INFO | 1.0 | |
FILE_CHECK_ADDED | A new file check by a detection engine added (queued/scheduled). | INFO | 1.0 | |
FILE_CHECK_DELETED | A file check by a detection engine deleted - never occurs during application runtime. | INFO | 1.0 | |
FILE_CHECK_DONE | A file check by a detection engine finished successfully. | INFO | 1.0 | |
FILE_CHECK_FAILED | A file check by a detection engine failed. | ERROR | 1.0 | |
FILE_CHECK_REPORT_ADDED | A report with results added to the file check by a detection engine. | INFO | 1.2 | |
FILE_CHECK_REPORT_DELETED | A report with results deleted from the file check by a detection engine - never occurs during application runtime. | INFO | 1.2 | |
FILE_CHECK_REPORT_UPDATED | A report with results updated for the file check by a detection engine. | INFO | 1.2 | |
FILE_CHECK_TERMINATED_BY_ADMIN | A file check by a detection engine terminated prematurely by the administrator. | WARNING | 1.2 | |
FILE_CHECK_TERMINATED_BY_TIMEOUT | A file check by a detection engine terminated prematurely because of maximum time limit expiration. | WARNING | 1.2 | |
FILE_CHECK_TERMINATED_BY_USER | A file check by a detection engine terminated prematurely because the user deleted the package. | WARNING | 1.5.3 | |
FILE_CHECK_UPDATED | A file check by a detection engine updated - never occurs during application runtime. | INFO | 1.0 | |
FILE_IS_CLEAN | After finishing all file checks the file was evaluated as clean. | INFO | 1.0 | |
FILE_IS_UNCLEAN | After finishing all file checks the file was evaluated as not clean. | WARNING | 1.0 | |
FILE_MIMETYPE_UPDATED | File’s MIME type updated (refined). | INFO | 1.3 | |
FILE_RELEASED | File released from the quarantine. | NOTICE | 1.4 | |
FILE_UPDATED | File updated. | INFO | 1.0 | |
FILE_UPLOAD_CANCELED | File’s upload canceled. | NOTICE | 1.0 | |
FILE_UPLOAD_FAILED | File’s upload failed. | WARNING | 1.0 | |
LICENSE_INVALID | Invalid application license. The reason might be expiration, exceeded user limit, FQDN, etc. | ERROR | 1.6.0 | |
LICENSE_UPDATE_FAILED | Update of the license failed. | WARNING | 1.3 | |
LICENSE_UPDATED | License updated. | INFO | 1.2 | |
LICENSE_VALID | The application license is now valid. | NOTICE | 1.6.0 | |
MULTI_FACTOR_KEY_ADDED | New TOTP (e.g. Google auth) or FIDO2 (webauthn) type key for multi-factor authentication added. | NOTICE | 1.4 | |
MULTI_FACTOR_KEY_DELETED | A TOTP (e.g. Google auth) or FIDO2 (webauthn) type key for multi-factor authentication deleted. | NOTICE | 1.4 | |
MULTI_FACTOR_KEY_UPDATED | A TOTP (e.g. Google auth) or FIDO2 (webauthn) type key for multi-factor authentication updated. | NOTICE | 1.4 | |
PACKAGE_ADDED | A new package added. | INFO | 1.0 | |
PACKAGE_ARCHIVED | A package moved to archive. | INFO | 1.0 | |
PACKAGE_CONTENT_DELETE_FAILED | Deletion of a package’s content (files) from data store failed. | ERROR | 1.0 | |
PACKAGE_CONTENT_DELETED | A package’s content (files) deleted. | INFO | 1.0 | |
PACKAGE_DELETED | Package deleted - never occurs during application runtime. | INFO | 1.0 | |
PACKAGE_DOWNLOAD_ENTERED_INVALID_PASSWORD | Entered invalid password for package access. | WARNING | 1.0 | |
PACKAGE_DOWNLOAD_ENTERED_VALID_PASSWORD | Entered valid password for package access. | INFO | 1.0 | |
PACKAGE_DOWNLOAD_PACKAGE_EXPIRED | Attempt to access an expired package. | NOTICE | 1.6.0 | |
PACKAGE_DOWNLOAD_PACKAGE_NOT_FOUND | Attempt to access a non-existent package. | WARNING | 1.6.0 | |
PACKAGE_DOWNLOAD_UNAUTHORIZED_ACCESS | Unauthorized attempt to access the package. | WARNING | 1.6.0 | |
PACKAGE_EXTRACTED | A package restored from archive. | NOTICE | 1.4 | |
PACKAGE_FORWARDED | A new package created by forwarding an existing package. | INFO | 1.4 | |
PACKAGE_FORWARDED_AS | An existing package was forwarded, creating a new package. | INFO | 1.4 | |
PACKAGE_IS_CLEAN | A package is clean. | INFO | 1.0 | |
PACKAGE_MADE_PUBLIC | A package was published (set as public). | NOTICE | 1.3 | |
PACKAGE_QUARANTINED | A package was evaluated as not clean and was quarantined. | WARNING | 1.0 | |
PACKAGE_RECIPIENT_ADDED | A recipient was added to a package - never occurs during application runtime. | INFO | 1.0 | |
PACKAGE_RELEASED | A package was released from the quarantine. | NOTICE | 1.0 | |
PACKAGE_RESTORED | A deleted package was restored. | NOTICE | 1.0 | |
PACKAGE_SCAN_CANCELED_BY_ADMIN | Package content checks by detection engines terminated prematurely by the administrator. | WARNING | 1.2 | |
PACKAGE_SCAN_CANCELED_BY_TIMEOUT | Package content checks by detection engines terminated prematurely because of time limit expiration. | WARNING | 1.2 | |
PACKAGE_SCAN_CANCELED_BY_USER | Package content checks by detection engines terminated prematurely because the user deleted the package. | WARNING | 1.5.3 | |
PACKAGE_SET_PERSISTENT | Package set as persistent (will not expire automatically). | NOTICE | 1.5 | |
PACKAGE_SET_TEMPORARY | Package persistence unset (will expire automatically again). | NOTICE | 1.5 | |
PACKAGE_UPDATED | Package updated. | INFO | 1.0 | |
PACKAGE_UPLOAD_CANCELED | Package upload canceled. | NOTICE | 1.0 | |
PASSWORD_RESET_TOKEN_ADDED | A new token for user’s password reset created. | NOTICE | 1.0 | |
PASSWORD_RESET_TOKEN_EXPIRED_DELETED | A token for user’s password reset expired. | NOTICE | 1.0 | |
PASSWORD_RESET_TOKEN_USED | A token for user’s password reset was used. | NOTICE | 1.0 | |
QUEUED_EMAIL_ADDED | An e-mail message queued - never occurs during application runtime. | INFO | 1.0 | |
QUEUED_EMAIL_DELETED | An e-mail message deleted from the queue - never occurs during application runtime. | INFO | 1.0 | |
QUEUED_EMAIL_UPDATED | An e-mail message in the queue updated - never occurs during application runtime. | INFO | 1.0 | |
RECIPIENT_ADDED | A package recipient added. | INFO | 1.0 | |
RECIPIENT_DELETED | A package recipient deleted. | INFO | 1.0 | |
RECIPIENT_UPDATED | A package recipient updated - never occurs during application runtime. | INFO | 1.0 | |
REMOTE_USER_DIRECTORY_ADDED | A configuration for authentication in AD/LDAP added. | NOTICE | 1.0 | |
REMOTE_USER_DIRECTORY_DELETED | A configuration for authentication in AD/LDAP deleted - never occurs during application runtime. | NOTICE | 1.0 | |
REMOTE_USER_DIRECTORY_UPDATED | A configuration for authentication in AD/LDAP updated. | NOTICE | 1.0 | |
REPORT_DOWNLOAD_FAILED | Failed to download the detailed report from sandbox check. | WARNING | 1.5.4 | |
SCHEDULER_JOB_RESCHEDULED | A scheduler job rescheduled. | INFO | 1.0 | |
SCHEDULER_JOB_SCHEDULED | A scheduler job scheduled. | INFO | 1.0 | |
SCHEDULER_JOB_UNSCHEDULED | A scheduler job unscheduled. | INFO | 1.0 | |
TEST_LOG | A test log entry. | DEBUG | 1.0 | |
TRIAL_LICENSE_ACQUIRED | A trial license acquired. | NOTICE | 1.3 | |
USER_ADDED | A new user added. | NOTICE | 1.0 | |
USER_AUTH_FAILED_ACCOUNT_LOCKED | User’s login failed, account is locked. | WARNING | 1.4 | |
USER_AUTH_FAILED_EMAIL_MISSING | User’s login failed, missing mandatory attribute: e-mail. (in AD/ADFS) | WARNING | 1.0 | |
USER_AUTH_FAILED_GUID_MISMATCH | User’s login failed, GUID mismatch. (in AD/ADFS) | | 1.0 | 1.1 |
USER_AUTH_FAILED_INVALID_ADFS_TOKEN | User’s login failed, invalid ADFS token. | WARNING | 1.0 | |
USER_AUTH_FAILED_MFA | User’s login failed because of multi-factor authentication failure. | WARNING | 1.4 | |
USER_AUTH_FAILED_MISSING_GUID | User’s login failed, GUID missing. (in AD/ADFS) | WARNING | 1.0 | |
USER_AUTH_FAILED_TOO_MANY_USERS | User’s login failed, too many existing users for the limit allowed by the license. | ERROR | 1.2 | |
USER_AUTH_FAILED_UNKNOWN_LOCAL_USER | User’s login failed, such an account does not exist. | WARNING | 1.0 | |
USER_AUTH_FAILED_WRONG_PASSWORD | User’s login failed, invalid password. | WARNING | 1.0 | |
USER_AUTH_GUID_MISMATCH | User’s login failed, GUID mismatch. (in AD/ADFS) | WARNING | 1.1 | |
USER_AUTO_ADDED_FROM_AD | Automatically added a new user during first successful login authenticated in AD. | NOTICE | 1.0 | |
USER_AUTO_ADDED_FROM_ADFS | Automatically added a new user during first successful login authenticated in ADFS. | NOTICE | 1.0 | |
USER_AUTO_UPDATED_FROM_AD | User updated during login from AD. | INFO | 1.0 | |
USER_AUTO_UPDATED_FROM_ADFS | User updated during login from ADFS. | INFO | 1.0 | |
USER_DELETED | User deleted. | NOTICE | 1.0 | |
USER_ENTERED_VALID_LOGIN_PASSWORD_FOR_DOWNLOAD | User entered the correct login password and can therefore download the package content. | NOTICE | 1.5 | |
USER_LOGGED_IN | User logged in successfully. | INFO | 1.0 | |
USER_LOGGED_OUT | User logged out. | INFO | 1.0 | |
USER_PASSWORD_CHANGED | User’s password changed. | NOTICE | 1.0 | |
USER_PERMISSIONS_CHANGED | User’s permissions changed. | NOTICE | 1.4 | |
USER_REGISTRATION_FROM_AD | New local user created after authentication in AD. | NOTICE | 1.0 | |
USER_TIMED_OUT | User automatically logged out after a prolonged period of inactivity. | INFO | 1.0 | |
USER_UPDATED | User updated. | INFO | 1.0 | |
WORKER_COMMAND_SCHEDULED | New task for worker scheduled. | INFO | 1.0 | |
* The severity specified for each of the types has the following meaning:
Severity | Description | Example |
---|---|---|
DEBUG | not interesting in normal cases, can fill up the log | automatic regular antivirus signature update in the background |
INFO | common audit log messages from regular operation, of no particular interest, except when searching for specific things | file/package upload, file download, user login |
NOTICE | common audit log messages from regular operation, which may be of interest and do not occur automatically | changes in configuration by admin, release from quarantine by admin, new user creation |
WARNING | events that should not occur during normal operation and mean something unusual has happened, but do not necessarily mean a problem with the application | incorrect password entered, file upload failed, package quarantined |
ERROR | events that mean an error/problem occurred, which should be checked and fixed | file check failed (for example, an antivirus engine that is not working) |
Note: Severity for all event types was first introduced with version 1.4 of the application.
All audit log records always contain the following common information:
source = {WEB | WEB_PUBLIC | WEB_USER | WEB_ADMIN | WORKER | SCHEDULER | UNKNOWN | TEST}
ipAddress = IP address of the client performing the action through the web interface (for WEB_* sources)
sourceId = loggedInUser.getId() (if user or admin is logged in)
sourceText = loggedInUser.getUsername() (if user or admin is logged in)
attribute.sourceSAMAccountName = loggedInUser.getSamAccountName() (if user is logged in)
The records contain additional information specific to each event type.
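
One way to use these event types and the common fields for triage, as an added example that is not part of the original documentation or the product's own code: it groups failed-authentication events by `ipAddress` and flags bursts, noting when a successful login follows. The record layout (a dict with `time` and `eventType` keys), the threshold and window, and the sample records are assumptions; `source`, `ipAddress` and `sourceText` are the common fields listed above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event types from the table above that record a rejected credential or second factor.
FAILED = {
    "ADMIN_AUTH_FAILED_WRONG_PASSWORD", "ADMIN_AUTH_FAILED_UNKNOWN_USER",
    "ADMIN_AUTH_FAILED_MFA", "USER_AUTH_FAILED_WRONG_PASSWORD",
    "USER_AUTH_FAILED_UNKNOWN_LOCAL_USER", "USER_AUTH_FAILED_MFA",
    "AD_AUTH_FAILED", "PACKAGE_DOWNLOAD_ENTERED_INVALID_PASSWORD",
}
SUCCESS = {"ADMIN_LOGGED_IN", "USER_LOGGED_IN",
           "PACKAGE_DOWNLOAD_ENTERED_VALID_PASSWORD"}

def find_failure_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Alert on each ipAddress with >= threshold failures inside `window`;
    mark the alert when a success from that address follows the burst."""
    recent = defaultdict(deque)      # ipAddress -> failure times still in window
    alerts = {}
    parsed = [(datetime.fromisoformat(r["time"]), r) for r in records]
    for when, rec in sorted(parsed, key=lambda p: p[0]):
        ip = rec.get("ipAddress")
        if not ip:                   # WORKER/SCHEDULER records carry no client IP
            continue
        fails = recent[ip]
        while fails and when - fails[0] > window:
            fails.popleft()          # drop failures older than the window
        if rec["eventType"] in FAILED:
            fails.append(when)
            if len(fails) >= threshold:
                alert = alerts.setdefault(ip, {"ipAddress": ip, "failures": 0,
                                               "followed_by_success": False,
                                               "account": None})
                alert["failures"] = max(alert["failures"], len(fails))
        elif rec["eventType"] in SUCCESS and ip in alerts and fails:
            alerts[ip]["followed_by_success"] = True
            alerts[ip]["account"] = rec.get("sourceText")
    return list(alerts.values())

def _rec(time, event, source, ip=None, user=None):
    return {"time": time, "eventType": event, "source": source,
            "ipAddress": ip, "sourceText": user}

# Constructed sample records (documentation-range addresses, invented account).
SAMPLE = [
    _rec("2024-01-01T10:00:00", "USER_AUTH_FAILED_WRONG_PASSWORD", "WEB_PUBLIC", "203.0.113.7"),
    _rec("2024-01-01T10:00:20", "USER_AUTH_FAILED_WRONG_PASSWORD", "WEB_PUBLIC", "203.0.113.7"),
    _rec("2024-01-01T10:00:30", "SCHEDULER_JOB_SCHEDULED", "SCHEDULER"),
    _rec("2024-01-01T10:00:40", "USER_AUTH_FAILED_WRONG_PASSWORD", "WEB_PUBLIC", "203.0.113.7"),
    _rec("2024-01-01T10:01:10", "USER_LOGGED_IN", "WEB_USER", "203.0.113.7", "alice"),
    _rec("2024-01-01T10:00:00", "ADMIN_AUTH_FAILED_WRONG_PASSWORD", "WEB_ADMIN", "192.0.2.9"),
    _rec("2024-01-01T10:10:00", "ADMIN_AUTH_FAILED_WRONG_PASSWORD", "WEB_ADMIN", "192.0.2.9"),
    _rec("2024-01-01T10:20:00", "ADMIN_AUTH_FAILED_WRONG_PASSWORD", "WEB_ADMIN", "192.0.2.9"),
    _rec("2024-01-01T10:02:00", "USER_AUTH_FAILED_WRONG_PASSWORD", "WEB_PUBLIC", "198.51.100.4"),
]
```

With the default five-minute window only the first address is flagged; the three administrator failures spread over twenty minutes surface once the window is widened.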