Security Audit Events
The security audit events are divided into Columns, Services, Modules, Status, and Events according to from where it originates.
The following lists and describes the different event types and the overview is also available in JavaDoc format of the API.
Note that since EJBCA is built around the CESeCore project, both EventTypes and EjbcaEventTypes in the API documentation need to be considered to view all the event types EJBCA can generate.
An example of how such an event would look like in the server log using the Log4jDevice is the event that the application is starting:
... INFO [Log4jDevice] 2015-03-20 12:47:51+01:00;EJBCA_STARTING;SUCCESS;SERVICE;EJBCA;StartServicesServlet.init;;hostname;;msg=Init, EJBCA 6.7.0 Enterprise (r25420) startup.and the same kind of event using IntegrityProtectedDevice that writes the log entry to the database:
mysql> select * from AuditRecordData where eventType='EJBCA_STARTING' ... \G pk: 24861ebf7f00010106e5a024d82c694d
additionalDetails: ... Init, EJBCA 6.7.0 Enterprise (r25420) startup. ... authToken: StartServicesServlet.init customId: NULL eventStatus: SUCCESS eventType: EJBCA_STARTING module: SERVICE nodeId: hostname rowProtection: 1:2:123:4d2f6... rowVersion: 0 searchDetail1: hostname searchDetail2: NULL sequenceNumber: 17640195 service: EJBCA timeStamp: 1426205614754This should be interpreted as the following:
Service is EJBCA (not shown in the Admin GUI) : the event originates from the part of the application that not part of the core shared with other products.
Module is SERVICE: this event was generated from a module in EJBCA that is responsible for background services.
Status (named "Outcome" in the Admin GUI) is SUCCESS: in the context of the event, this should be interpreted as no error were detected during the EJBCA startup.
Event is EJBCA_STARTING: the application EJBCA is starting up.
AdditionalDetails is an event specific message with additional information telling us (in this case) the version of EJBCA that was started.
AuthToken identifies that the event was generated by the internal module StartServicesServlet
NodeId is the EJBCA node, in this case hostname, that generated the event
SearchDetail1 is an additional message, in this case the hostname (same as NodeId) that EJBCA was started on.
TimeStamp is the time, in milliseconds since epoch, the event occured
Columns
The following table includes descriptions of the log column names and a mapping between the columns names and the display names in the Admin GUI.
|
Column Name |
Description |
Admin UI Display Name |
|
Service |
The service an event originates from, EJBCA or CORE. |
(not shown) |
|
Module |
The module an event was generated from. |
Module |
|
Status |
SUCCESS or FAILURE |
Outcome |
|
Event |
The audit log event that occurred. |
Event |
|
AdditionalDetails |
Event specific message with additional information. |
Details |
|
AuthToken |
Identifies the administrator, or internal module, that caused the event. |
Administrator |
|
NodeId |
Identifies the EJBCA instance (which server in a cluster) that the event occurred on. |
Node |
|
CustomId |
Identifier used in log messages, commonly the certificate authority an event was related to. |
Certificate Authority |
|
searchDetail1 |
Detail used in log messages, commonly the serial number of the certificate an event was related to. |
Certificate |
|
searchDetail2 |
Detail used in log messages, commonly the username an event was related to. |
Username |
|
timeStamp |
The time, in milliseconds since epoch, the event occurred. |
Time |
Services
Service can be one of EJBCA or CORE. Both are from the EJBCA application, but services originating from CORE originates from a part, CESeCore, that contains functions also shared with other products. These services relates to event types below.
This is not important from an audit perspective, but is useful information for an understanding of the logging format.
|
Service |
Event |
|
CORE |
CESeCore Events |
|
EJBCA |
EJBCA Events |
Modules
The Security Audit Log has one component that is the Module. The Module is a description of the internal module of EJBCA where the event happened and can be useful for categorizing events.
Modules are also documented in the source code in ModuleTypes.java and EjbcaModuleTypes.java.
|
Module |
Description |
|
ACCESSCONTROL |
Access control module |
|
AUTHENTICATION |
Authentication module |
|
CA |
Certificate Authority module |
|
CERTIFICATE |
Certificate issuance and handling module |
|
CERTIFICATEPROFILE |
Certificate profile module |
|
CRL |
Certificate Revocation List issuance and handling module |
|
CRYPTOTOKEN |
Crypto Token module |
|
BLACKLIST |
Block List module |
|
VALIDATOR |
Validator module |
|
ROLES |
Administrator role management module |
|
SECURITY_AUDIT |
Security event audit log module |
|
INTERNALKEYBINDING |
Internal Key Binding module |
|
GLOBALCONF |
Module for system settings stored in the database |
|
RA |
Registration Authority module |
|
HARDTOKEN |
(Client) hardware token management module |
|
KEYRECOVERY |
Key recovery module |
|
APPROVAL |
Approval module |
|
APPROVAL_PROFILE |
Approval Profiles module |
|
PUBLISHER |
Publisher module |
|
SERVICE |
EJBCA background service module |
|
CUSTOM |
External logging module |
|
ADMINWEB |
Administrative web GUI module |
Status
The outcome of an event can be one of the following.
Status is also documented in the source code in EventStatus.java
|
Status |
Description |
|
FAILURE |
Operation failed |
|
SUCCESS |
Operation succeeded |
|
VOID |
Operation completed without a defined result |
Events
Security Events are divided into two parts. The logical separation is that the CESeCore Events are PKI core events needed for Common Criteria certified operations, and kept in a Core module that is re-used across some different PrimeKey products. We keep the separation in the documentation for simplicity.
Example Log File Event
The EJBCA Startup log even will look like this in the application server log file.
2017-03-25 07:26:04+01:00;EJBCA_STARTING;SUCCESS;SERVICE;EJBCA;Application internal;;hostname;;msg=Init, EJBCA 6.7.0 Enterprise (r25420) startup.CESeCore Events
CESeCore event types are also documented in the source code in EventTypes.java.
|
Event Type |
Description |
|
ACCESS_CONTROL |
Authorization check to resource of authenticated entity |
|
AUTHENTICATION |
Authentication check of an entity |
|
CA_CREATION |
Creation of a Certificate Authority |
|
CA_DELETION |
Removal of a Certificate Authority |
|
CA_RENAMING |
Internal application name change of a Certificate Authority. Unrelated to Certificate Authority's Subject Distinguisher Name |
|
CA_EDITING |
Modification of a Certificate Authority |
|
CA_KEYACTIVATE |
Certificate Authority starts using a different key pair |
|
CA_KEYGEN |
Generation of a new key pair that can be used by the Certificate Authority during renewal or update |
|
CA_SERVICEACTIVATE |
Certificate Authority state change to start serving requests. Unrelated to CA private key availability |
|
CA_SERVICEDEACTIVATE |
Certificate Authority state change to stop serving requests. Unrelated to CA private key availability |
|
CERT_STORED |
Persistence of a certificate to the database |
|
CERT_REVOKED |
Change of a certificate's status to revoked or active |
|
CERT_CHANGEDSTATUS |
Change of a certificate's status to unassigned, inactive, active, notified about expiration, revoked or archived |
|
CERT_REQUEST |
A request for certificate issuance from a Certificate Authority is submitted |
|
CERT_CREATION |
Issuance of a certificate by a Certificate Authority |
|
CERT_CTPRECERT_SUBMISSION |
Certificate Transparency log servers responds to a pre-certificate submission from a Certificate Authority |
|
CERTPROFILE_CREATION |
Creation of a certificate profile |
|
CERTPROFILE_DELETION |
Removal of a certificate profile |
|
CERTPROFILE_RENAMING |
Name change of a certificate profile |
|
CERTPROFILE_EDITING |
Modification of a certificate profile |
|
CRL_STORED |
Persistence of a Certificate Revocation List to the database |
|
CRL_CREATION |
Issuance of a Certificate Revocation List by a Certificate Authority |
|
CRYPTOTOKEN_CREATE |
Creation of a Crypto Token |
|
CRYPTOTOKEN_EDIT |
Modification of a Crypto Token |
|
CRYPTOTOKEN_DELETION |
Removal of a Crypto Token |
|
CRYPTOTOKEN_ACTIVATION |
Activation of a Crypto Token, making the key material available for use by the application |
|
CRYPTOTOKEN_DEACTIVATION |
Deactivation of a Crypto Token, making the key material unavailable for use by the application |
|
CRYPTOTOKEN_REACTIVATION |
Attempted reactivation of a Crypto Token. Since this occurs automatically, it may fail |
|
CRYPTOTOKEN_DELETE_ENTRY |
Removal of a key pair from the Crypto Token key material or key pair place-holder from the Crypto Token object |
|
CRYPTOTOKEN_GEN_KEYPAIR |
Generation of a new key pair in the Crypto Token |
|
CRYPTOTOKEN_UPDATEPIN |
Modification of the Crypto Token's auto-activation PIN. For soft key stores, this also implies changes of the protection of the key material |
|
BLACKLIST_CHANGE |
Modification of an existing block list |
|
BLACKLIST_CREATION |
Creation of a new block list |
|
BLACKLIST_REMOVAL |
Removal of an existing block list |
|
VALIDATOR_CHANGE |
Modification of an existing validator |
|
VALIDATOR_CREATION |
Creation of a new validator |
|
VALIDATOR_REMOVAL |
Removal of an existing validator |
|
VALIDATOR_RENAME |
Name change of an existing validator |
|
VALIDATOR_VALIDATION_FAILED |
Validation failed event |
|
LOG_DELETE |
Removal of persisted audit log records |
|
LOG_EXPORT |
Export of audit log records |
|
LOG_MANAGEMENT_CHANGE |
Change of protection settings for audit log records |
|
LOG_VERIFY |
Verification of existing audit log records |
|
ROLE_CREATION |
Creation of an administrative role |
|
ROLE_DELETION |
Removal of an administrative role |
|
ROLE_RENAMING |
Name change of an administrative role |
|
ROLE_ACCESS_RULE_ADDITION |
New access rules added to administrative role |
|
ROLE_ACCESS_RULE_CHANGE |
Modifications of existing access rules in an administrative role |
|
ROLE_ACCESS_RULE_DELETION |
Removal of existing access rules from administrative role |
|
ROLE_ACCESS_USER_ADDITION |
New administrator added to administrative role |
|
ROLE_ACCESS_USER_CHANGE |
Change of existing administrator in an administrative role |
|
ROLE_ACCESS_USER_DELETION |
Removal of existing administrator from administrative role |
|
SYSTEMCONF_CREATE |
Creation of new system settings stored in the database |
|
SYSTEMCONF_EDIT |
Modification of existing system settings stored in the database |
|
INTERNALKEYBINDING_CREATE |
Creations of a new Internal Key Binding |
|
INTERNALKEYBINDING_EDIT |
Modification of an existing Internal Key Binding |
|
INTERNALKEYBINDING_DELETE |
Removal of an existing Internal Key Binding |
EJBCA Events
EJBCA event types are also documented in the source code in EjbcaEventTypes.java.
|
Event Type |
Description |
|
ADMINWEB_ADMINISTRATORLOGGEDIN |
An administrator logs in to EJBCA's Administrative Web GUI |
|
APPROVAL_ADD |
Action that requires approval by one or more administrators is requested |
|
APPROVAL_APPROVE |
Action that requires approval was approved by one of the required administrator(s) |
|
APPROVAL_EDIT |
Approval request was edited |
|
APPROVAL_REJECT |
Action that requires approval was rejected by one of the required administrator(s) |
|
APPROVAL_EXTEND |
Expiration date of an approval request was extended by an administrator |
|
APPROVAL_PROFILE_ADD |
Adding an approval profile |
|
APPROVAL_PROFILE_EDIT |
Editing an approval profile |
|
APPROVAL_PROFILE_REMOVE |
Removing an approval profile |
|
APPROVAL_PROFILE_RENAME |
Renaming an approval profile |
|
CA_EXPORTTOKEN |
Export of a Certificate Authority's (soft) Crypto Token |
|
CA_EXTENDEDSERVICE |
Execution of one of the Certificate Authority's extended services |
|
CA_IMPORT |
Creation of a Certificate Authority using an existing soft key store |
|
CA_REMOVETOKEN |
Removal of a Certificate Authority's (soft) Crypto Token |
|
CA_RENEWED |
Renewal of a Certificate Authority's certificate, optionally using a different key pair |
|
CA_ROLLEDOVER |
Roll over of a Certificates Authority's certificate chain and key |
|
CA_RESTORETOKEN |
Restoration of a Certificate Authority's previously removed (soft) Crypto Token |
|
CA_REVOKED |
Revocation of a Certificate Authority and all certificates issued by it |
|
CA_SIGNREQUEST |
Certificate Authority signs (attests) a provided certificate signing request |
|
CA_SIGNCMS |
Certificate Authority signs (attests) a CMS / PKCS#7 |
|
CA_USERAUTH |
End entity authenticates using enrollment code |
|
CA_VALIDITY |
Certificate Authority's signing certificate is not valid yet or not valid any longer |
|
CUSTOMLOG_ERROR |
Log entry with log level error supplied from external source |
|
CUSTOMLOG_INFO |
Log entry with log level info supplied from external source |
|
EJBCA_STARTING |
Application startup |
|
HARDTOKEN_ADD |
Creation of a new (client) hardware token representation |
|
HARDTOKEN_ADDCERTMAP |
Creation of link from a (client) hardware token representation to a certificate |
|
HARDTOKEN_ADDISSUER |
Creation of a new issuer for (client) hardware tokens |
|
HARDTOKEN_ADDPROFILE |
Creation of a new template for (client) hardware tokens |
|
HARDTOKEN_EDIT |
Modification of an existing (client) hardware token representation |
|
HARDTOKEN_EDITISSUER |
Modification or name change of an existing issuer for (client) hardware tokens |
|
HARDTOKEN_EDITPROFILE |
Modification or name change of an existing template for (client) hardware tokens |
|
HARDTOKEN_GENERATE |
Outcome of provisioning of a (client) hardware token reported by external card management system |
|
HARDTOKEN_REMOVE |
Removal of an existing (client) hardware token representation |
|
HARDTOKEN_REMOVECERTMAP |
Removal of link from a (client) hardware token representation to a certificate |
|
HARDTOKEN_REMOVEISSUER |
Removal of an existing issuer for (client) hardware tokens |
|
HARDTOKEN_REMOVEPROFILE |
Removal of an existing template for (client) hardware tokens |
|
HARDTOKEN_VIEWED |
Administrator views the content of a (client) hardware token representation |
|
HARDTOKEN_VIEWEDPUK |
Administrator views the PUK code of a (client) hardware token representation |
|
KEYRECOVERY_ADDDATA |
Persistence of encrypted key material and meta data that can be used for recovering a server-side generated client key pair |
|
KEYRECOVERY_EDITDATA |
Modification of encrypted key material and meta data that can be used for recovering a server-side generated client key pair |
|
KEYRECOVERY_MARKED |
Change status of meta data for encrypted key material to allow extraction of server-side generated client key pair |
|
KEYRECOVERY_REMOVEDATA |
Removal of specific or all encrypted key material and meta data that can be used for recovering a server-side generated client key pair |
|
KEYRECOVERY_SENT |
Extraction of key material of server-side generated client key pair |
|
PUBLISHER_CHANGE |
Modification of an existing publisher |
|
PUBLISHER_CREATION |
Creation of a new publisher |
|
PUBLISHER_REMOVAL |
Removal of an existing publisher |
|
PUBLISHER_RENAME |
Name change of an existing publisher |
|
PUBLISHER_STORE_CERTIFICATE |
Publishing of a certificate and/or related certificate meta data |
|
PUBLISHER_STORE_CRL |
Publishing of a Certificate Revocation List and related meta data |
|
RA_ADDADMINPREF |
Creation of new settings for an administrator |
|
RA_ADDEEPROFILE |
Creation of a new end entity profile |
|
RA_ADDENDENTITY |
Creation of a new end entity |
|
RA_DEFAULTADMINPREF |
Modification of default settings for administrators |
|
RA_DELETEENDENTITY |
Removal of an end entity |
|
RA_EDITADMINPREF |
Modification of an existing settings for an administrator |
|
RA_EDITEEPROFILE |
Modification of an existing end entity profile |
|
RA_EDITENDENTITY |
Modification of an existing end entity |
|
RA_REMOVEEEPROFILE |
Removal of an existing end entity profile |
|
RA_RENAMEEEPROFILE |
Name change of an existing end entity profile |
|
RA_REVOKEDENDENTITY |
Change status of an existing end entity and all the end entity's certificates to revoked |
|
RA_USERDATASOURCEADD |
Creation of a new user data source |
|
RA_USERDATASOURCEEDIT |
Modification of an existing user data source |
|
RA_USERDATASOURCEFETCHDATA |
Retrieval of data through an existing user data source |
|
RA_USERDATASOURCEREMOVE |
Removal of an existing user data source |
|
RA_USERDATASOURCEREMOVEDATA |
Request for removal of data through an existing user data source |
|
RA_USERDATASOURCERENAME |
Name change of an existing user data source |
|
REVOKE_UNREVOKEPUBLISH |
Publishing of a certificate and/or related certificate meta data when certificate is activated after being on hold |
|
SERVICE_ADD |
Creation of a new EJBCA background service |
|
SERVICE_EDIT |
Modification of an existing EJBCA background service |
|
SERVICE_REMOVE |
Removal of an existing EJBCA background service |
|
SERVICE_RENAME |
Name change of an existing EJBCA background service |