Appendix E. Audit Events

The following lists the audit events in Certificate System:

ACCESS_SESSION_ESTABLISH: This event is triggered when the PKI client established or failed to establish a secure connection to the PKI server.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
ACCESS_SESSION_TERMINATED: This event is triggered when the secure connection between PKI client and PKI server is terminated.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
ASYMKEY_GEN_REQUEST_PROCESSED: This event is triggered when a request to generate asymmetric keys received by the KRA.
This event is enabled by default in the following subsystem: KRA
ASYMKEY_GENERATION_REQUEST: This event is triggered when asymmetric key generation request is made.
This event is enabled by default in the following subsystem: KRA
AUDIT_LOG_DELETE^[2]: The signed audit log expires or is deleted.
This event is not enabled by default in any subsystem.
AUDIT_LOG_SHUTDOWN: The shutdown of the subsystem, and thus the shutdown of the audit function.
This event is not enabled by default in any subsystem.
AUDIT_LOG_STARTUP: The start of the subsystem, and thus the start of the audit function.
This event is not enabled by default in any subsystem.
AUTH: Shows when a user successfully authenticates or fails to authenticate.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
AUTHZ: Shows when a user is or is not successfully processed by the authorization servlets.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
CERT_PROFILE_APPROVAL: Shows when a certificate profile sent by an administrator is approved by an agent.
This event is not enabled by default in any subsystem.
CERT_REQUEST_PROCESSED: Shows when a certificate request is being processed.
This event is enabled by default in the following subsystem: CA
CERT_SIGNING_INFO: Shows which key is used to sign certificates.
This event is enabled by default in the following subsystem: CA
CERT_STATUS_CHANGE_REQUEST: Shows when the request is made to change the status of a certificate.
This event is not enabled by default in any subsystem.
CERT_STATUS_CHANGE_REQUEST_PROCESSED: Shows when a certificate status change is processed.
This event is not enabled by default in any subsystem.
CIMC_CERT_VERIFICATION: Shows when a router (Cisco Integrated Management Controller) certificate verification request has been processed.
This event is not enabled by default in any subsystem.
CMC_SIGNED_REQUEST_SIG_VERIFY: Used when CMC (agent pre-signed) certificate requests or revocation requests are submitted and the signature is verified.
This event is enabled by default in the following subsystem: CA
CMC_USER_SIGNED_REQUEST_SIG_VERIFY: This event is triggered when CMC (user-signed or self-signed) certificate requests or revocation requests are submitted and signature is verified.
This event is enabled by default in the following subsystem: CA
COMPUTE_RANDOM_DATA_REQUEST: Shows when a request has been made to generate or derive a random data set.
This event is not enabled by default in any subsystem.
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE: Shows when a request to generatea random data set failed to process.
This event is not enabled by default in any subsystem.
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS: Shows when a request to generatea random data set has been successfully processed.
This event is not enabled by default in any subsystem.
COMPUTE_SESSION_KEY_REQUEST: Shows when a request to compute a session key has been received by the TKS.
This event is not enabled by default in any subsystem.
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE: Shows when a request to compute a session key has been processed by the TKS and failed.
This event is not enabled by default in any subsystem.
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS: Shows when a request to compute a session key has been succesfully processed by the TKS.
This event is not enabled by default in any subsystem.
CONFIG: Shows general configuration changes not specifically defined below.
This event is not enabled by default in any subsystem.
CONFIG_ACL: A change is made to the configuration settings for the ACL framework.
This event is not enabled by default in any subsystem.
CONFIG_AUDIT: Shows that a change has been made to the audit log configuration.
This event is not enabled by default in any subsystem.
CONFIG_AUTH: A change is made to the configuration settings for the authentication framework.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
CONFIG_CERT_POLICY: Shows when a change has been made to a certificate's policy configuration.
This event is not enabled by default in any subsystem.
CONFIG_CERT_PROFILE: A change is made to the configuration settings for the certificate profile framework.
This event is enabled by default in the following subsystem: CA
CONFIG_CRL_PROFILE: A change is made to the configuration settings for the CRL framework, such as to the extensions, frequency, and CRL format.
This event is not enabled by default in any subsystem.
CONFIG_DRM: This event is triggered when configuring KRA.
This event is enabled by default in the following subsystem: KRA
CONFIG_ENCRYPTION: A change is made to the encryption settings, including certificate settings and SSL cipher preferences.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, and TKS
CONFIG_OCSP_PROFILE: A change is made to the configuration settings for the OCSP.
This event is not enabled by default in any subsystem.
CONFIG_ROLE: Shows that a change has been made to the configuration settings for roles, including changes made to users or groups.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
CONFIG_SERIAL_NUMBER: A change is made to the serial number range assigned for certificates and keys. This is recorded by CA and KRA subsystems.
This event is enabled by default in the following subsystems: CA and KRA
CONFIG_SIGNED_AUDIT: A change is made to the configuration settings for the signed audit feature.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
CONFIG_TOKEN_AUTHENTICATOR: Shows when a token authenticator configuration is updated.
This event is enabled by default in the following subsystem: TPS
CONFIG_TOKEN_CONNECTOR: Shows when a token connector configuration is updated.
This event is enabled by default in the following subsystem: TPS
CONFIG_TOKEN_GENERAL: Shows when the general TPS configuration is updated.
This event is not enabled by default in any subsystem.
CONFIG_TOKEN_MAPPING_RESOLVER: Shows when a token mapping resolver configuration is updated.
This event is enabled by default in the following subsystem: TPS
CONFIG_TOKEN_PROFILE: Shows when a token profile configuration is updated.
This event is not enabled by default in any subsystem.
CONFIG_TOKEN_RECORD: Shows when a token record is updated.
This event is enabled by default in the following subsystem: TPS
CONFIG_TRUSTED_PUBLIC_KEY: The Certificate Setup Wizard is used to import certificates into the certificate database or any activity in Manage Certificates.
This event is enabled by default in the following subsystems: CA, KRA, and OCSP
CRL_RETRIEVAL: Shows when a CRL is retrieved by the OCSP.
This event is not enabled by default in any subsystem.
CRL_SIGNING_INFO: Shows which key is used to sign CRLs.
This event is not enabled by default in any subsystem.
CRL_VALIDATION: Shows when a CRL is retrieved and the validation process occurs.
This event is enabled by default in the following subsystem: CA
DELTA_CRL_GENERATION: Shows when the delta CRL generation is complete.
This event is enabled by default in the following subsystem: CA
DELTA_CRL_PUBLISHING: Shows when the delta CRL publishing is complete.
This event is not enabled by default in any subsystem.
DIVERSIFY_KEY_REQUEST: Shows when a request has been made for a key changeover.
This event is not enabled by default in any subsystem.
DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE: Shows when a request for key changeover has failed to process correctly.
This event is not enabled by default in any subsystem.
DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS: Shows when a request for key changeover has been successfully processed by the TKS.
This event is not enabled by default in any subsystem.
ENCRYPT_DATA_REQUEST: Shows when a request has been made to encrypt data.
This event is not enabled by default in any subsystem.
ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE: Shows when a request for encrypted data failed to process.
This event is not enabled by default in any subsystem.
ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS: Shows when a request for encrypted data has been successfully processed.
This event is not enabled by default in any subsystem.
FULL_CRL_GENERATION: Shows when the full CRL generation is complete.
This event is enabled by default in the following subsystem: CA
FULL_CRL_PUBLISHING: Shows when the full CRL publishing is complete.
This event is not enabled by default in any subsystem.
INTER_BOUNDARY: Records stat transfer between different subsystems.
This event is not enabled by default in any subsystem.
KEY_GEN_ASYMMETRIC: Shows when asymmetric keys are generated.
This event is enabled by default in the following subsystem: KRA
KEY_RECOVERY_AGENT_LOGIN: Shows when KRA agents log in as recovery agents to approve key recovery requests.
This event is enabled by default in the following subsystem: KRA
KEY_RECOVERY_REQUEST: Shows when a request is made to recover a private encryption key stored in the KRA.
This event is not enabled by default in any subsystem.
KEY_RECOVERY_REQUEST_ASYNC: Shows when an asynchronous key recovery request has been made.
This event is not enabled by default in any subsystem.
KEY_RECOVERY_REQUEST_PROCESSED: Shows when a key recovery request has been processed.
This event is not enabled by default in any subsystem.
KEY_RECOVERY_REQUEST_PROCESSED_ASYNC: Shows when an asynchronous key recovery request has been processed.
This event is not enabled by default in any subsystem.
LOG_EXPIRATION_CHANGE: Shows when the log expiration time has been changed.
This event is not enabled by default in any subsystem.
LOG_PATH_CHANGE^[3]: The path or name for the signed audit, system, transaction or any customized log is changed.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
LOGGING_SIGNED_AUDIT_SIGNING: Shows changes in whether the audit log is signed.
This event is not enabled by default in any subsystem.
NON_PROFILE_CERT_REQUEST: Shows when a certificate request is made outside the certificate profile framework.
This event is not enabled by default in any subsystem.
OCSP_ADD_CA_REQUEST: Shows when a request has been made to add a new certificate authority to the OCSP Manager's configuration.
This event is not enabled by default in any subsystem.
OCSP_ADD_CA_REQUEST_PROCESSED: Shows when a request to add a certificate authority to the OCSP Manager's configuration has been completed.
This event is enabled by default in the following subsystem: OCSP
OCSP_GENERATION: This event will be generated for each OCSP response generated by PKI CA Internal OCSP Responder.
This event is enabled by default in the following subsystem: CA
OCSP_REMOVE_CA_REQUEST: Shows when a request to remove a certificate authority from the OCSP Manager's configuration has been submitted.
This event is not enabled by default in any subsystem.
OCSP_REMOVE_CA_REQUEST_PROCESSED: Shows when a request to remove a certificate authority from the OCSP Manager's configuration has been successfully completed or failed.
This event is enabled by default in the following subsystem: OCSP
OCSP_SIGNING_INFO: Shows which key is used to sign OCSP responses.
This event is enabled by default in the following subsystems: CA and OCSP
PRIVATE_KEY_ARCHIVE_REQUEST: Shows when an encryption private key is requested during enrollment.
This event is not enabled by default in any subsystem.
PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED: Shows when a private encryption key is archived in the KRA.
This event is not enabled by default in any subsystem.
PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE: Shows when a private key export request has been processed and returned a failed status.
This event is not enabled by default in any subsystem.
PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS: Shows when a private key export request has been successfully processed.
This event is not enabled by default in any subsystem.
PROFILE_CERT_REQUEST: Shows when a certificate request is made through the certificate profile framework.
This event is enabled by default in the following subsystems: CA and KRA
PROOF_OF_POSSESSION: Shows when proof of possession is checked during certificate enrollment.
This event is enabled by default in the following subsystem: CA
RANDOM_GENERATION: Shows when a random number was generated, including for random certificate serial numbers.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
ROLE_ASSUME: A user assuming a role. A user assumes a role after passing through authentication and authorization systems. Only the default roles of administrator, auditor, and agent are tracked. Custom roles are not tracked.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
SCHEDULE_CRL_GENERATION: Shows when the CRL generation is scheduled manually.
This event is not enabled by default in any subsystem.
SECURITY_DATA_ARCHIVAL_REQUEST: Shows when a archival request is created, either through the Web UI or through the CLI.
This event is enabled by default in the following subsystem: KRA
SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED: Shows when a archival request was processed.
This event is enabled by default in the following subsystem: KRA
SECURITY_DATA_RECOVERY_REQUEST: Shows when a recovery request is created, either through the Web UI or through the CLI.
This event is enabled by default in the following subsystem: KRA
SECURITY_DATA_RECOVERY_REQUEST_PROCESSED: This event occur when an approved key recovery request is processed and the key is retrieved, wrapped appropriately and returned to the client.
This event is enabled by default in the following subsystem: KRA
SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE: This event occurs when the state of a recovery request is changed, for example by having an agent approve the request either through the UI or through the CLI.
This event is enabled by default in the following subsystem: KRA
SECURITY_DOMAIN_UPDATE: The security domain is changed by adding or removing subsystem instances.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
SELFTESTS_EXECUTION: The self-tests are executed.
This event is enabled by default in the following subsystems: CA, KRA, OCSP, TKS, and TPS
SERVER_SIDE_KEYGEN_REQUEST: Shows when a server-side key generation request has been processed.
This event is enabled by default in the following subsystem: KRA
SERVER_SIDE_KEYGEN_REQUEST_PROCESSED: Shows when a server-side key generation request has been processed.
This event is enabled by default in the following subsystem: KRA
SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE: Shows when a server-side key generation request has been processed but returned a failed status.
This event is not enabled by default in any subsystem.
SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS: Shows when a server-side key generation request has been successfully processed.
This event is not enabled by default in any subsystem.
SYMKEY_GEN_REQUEST_PROCESSED: This event is logged when a symmetric key request was processed.
This event is enabled by default in the following subsystem: KRA
SYMKEY_GENERATION_REQUEST: This event is logged when a symmetric key is requested to be generated from the CLI.
This event is enabled by default in the following subsystem: KRA
TOKEN_APPLET_UPGRADE: Shows when token apple upgrade succeeded or failed.
This event is enabled by default in the following subsystem: TPS
TOKEN_AUTH_FAILURE: This event is triggered when authentication failed.
This event is not enabled by default in any subsystem.
TOKEN_AUTH_SUCCESS: Shows when authentication succeeded.
This event is not enabled by default in any subsystem.
TOKEN_CERT_ENROLLMENT: Shows when token certificate enrollment request is made.
This event is not enabled by default in any subsystem.
TOKEN_CERT_RENEWAL: This event is used for TPS when token certificate renewal request is made.
This event is not enabled by default in any subsystem.
TOKEN_CERT_RETRIEVAL: This event is used for TPS when token certificate retrieval request is made.
This event is not enabled by default in any subsystem.
TOKEN_CERT_STATUS_CHANGE_REQUEST: This event is used when a token certificate status change request, such as revocation, is made.
This event is not enabled by default in any subsystem.
TOKEN_FORMAT_FAILURE: Shows when token format op failed.
This event is not enabled by default in any subsystem.
TOKEN_FORMAT_SUCCESS: Shows when token format op succeeded.
This event is not enabled by default in any subsystem.
TOKEN_KEY_CHANGEOVER: Shows when token key changeover failed.
This event is enabled by default in the following subsystem: TPS
TOKEN_KEY_CHANGEOVER_FAILURE: Shows when token key changeover failed.
This event is not enabled by default in any subsystem.
TOKEN_KEY_CHANGEOVER_REQUIRED: Shows when token key changeover is required.
This event is enabled by default in the following subsystem: TPS
TOKEN_KEY_CHANGEOVER_REQUIRED: Shows when token key changeover is required.
This event is not enabled by default in any subsystem.
TOKEN_KEY_CHANGEOVER_SUCCESS: Shows when token key changeover succeeded.
This event is not enabled by default in any subsystem.
TOKEN_KEY_RECOVERY: Shows when token certificate key recovery request is made.
This event is not enabled by default in any subsystem.
TOKEN_OP_REQUEST: Shows when token processor op request made.
This event is not enabled by default in any subsystem.
TOKEN_PIN_RESET_FAILURE: Shows when token pin reset request failed.
This event is not enabled by default in any subsystem.
TOKEN_PIN_RESET_SUCCESS: Shows when a token pin reset request succeeded.
This event is not enabled by default in any subsystem.
TOKEN_STATE_CHANGE: Shows when a token state has been changed.
This event is not enabled by default in any subsystem.

^[2] The authorization system should not allow a signed audit log to be deleted.

^[3] The authorization system should not allow the log path or name to be changed.

Where did the comment section go?

Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories

Appendix E. Audit Events

Where did the comment section go?