Authentication Logs

You have access to records of system activity involving logging in and out. High-level security events are logged for auditing purposes. The logged event types cover high-risk activities, so that each event can be tracked and its source identified by analyzing the logged source internet address, source session, user ID, and event time.

Log entries are based on industry standards for identifying and describing security events that may be the result of system attacks, which makes them suitable for import into third-party tools for forensic analysis and reporting. Additionally, specific events can be identified directly in the logs themselves.

The Authentication Logs page includes a powerful Search filter, a Log Summary area for summarizing the events in the log, and a Message Detail pane at the bottom of the page for displaying event details, including handler class and type, user agent, and the log message.

In SaaS deployments, authentication logs are kept until explicitly deleted. The authentication provider log table is kept for 10 days.

There are two ways to access the Authentication Logs page:

  1. On the Administrator Panel, in the Integrations section, select Authentication. Then, select View Authentication Logs.
  2. On the Administrator Panel, in the Tools and Utilities section, select Logs. Then, select Authentication Logs.

Authentication Logs page

The log shows all authentication events, including the event type, username, IP address, date, and the provider involved. Select an entry in the log table to show more information in the Message Detail window.

  1. Use the Search filter to search for specific activity and filter by user, authentication provider, event type, and date.
  2. Refresh the display to show the most current log entries that match the filter choice.
  3. Clear Counts clears the message count indicators in the Log Summary section to aid in troubleshooting.
  4. Purge Log removes all records from the log, which also clears the message count indicators in the Log Summary section.
  5. The Message Detail pane lets you review event details, including handler class and type, user agent, and the log message. Select an event in the Log Summary section to display the Message Detail for that event.

With REDIRECT type authentication providers, such as CAS or Shibboleth, some authentication events may not be logged, because they occur on the authentication source server.

Event types

The log shows five events:

  • Logins
  • Logouts. Additional information shows whether a logout was manual or due to session expiration.
  • Login Attempts
  • Messages
  • Errors

Example log entries by scenario

The Message Detail window shows the detailed log message for an event. This table shows some example logs for common events.

  #. Scenario
     Example Row

  1. Login succeeded, via login page
     timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=0|evt_name=login succeeded|sev=0|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=success|src_ip=10.100.100.100|duid=_x_x|duser=targetusername|text=login succeeded|authnmethod=login page|http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.91 Safari/534.30

  2. Login failed, bad username, via login page
     timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=1|evt_name=login failed|sev=2|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=failure|src_ip=10.100.100.100|duid= |duser=fakeusername|text=login failed|authnmethod=login page|http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.91 Safari/534.30

  3. Login failed, bad password, via login page
     timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=2|evt_name=login failed|sev=2|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=failure|src_ip=10.100.100.100|duid=_x_x|duser=targetusername|text=login failed|authnmethod=login page|http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.91 Safari/534.30

  4. Login created, via one time tool
     timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=7|evt_name=login created|sev=8|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=success|src_ip=10.100.100.100|duid=_x_x|duser=targetusername|text=one time login created|authnmethod=one time login tool|http_useragent=

  5. Login failed, bad token, via one time tool
     timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=1|evt_name=login failed|sev=8|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=failure|src_ip=10.100.100.100|duid= |duser= |text=login failed due to invalid token <token value>|authnmethod=one time login tool|http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.91 Safari/534.30

  6. Login failed, bad entry code, via one time tool
     timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=2|evt_name=login failed|sev=8|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=failure|src_ip=10.100.100.100|duid=_x_x|duser=targetusername|text=login failed due to invalid entry code for token <token value>|authnmethod=one time login tool|http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.91 Safari/534.30

  7. Login succeeded, via one time tool
     timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=0|evt_name=login succeeded|sev=8|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=success|src_ip=10.100.100.100|duid=_x_x|duser=targetusername|text=login succeeded for token <token value>|authnmethod=one time login tool|http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.91 Safari/534.30

  8. Session expired
     timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=4|evt_name=session expired|sev=0|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=success|src_ip=10.100.100.100|duid=_x_x|duser=targetusername|text=session expired|authnmethod= |http_useragent=

  9. Logout
     timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=3|evt_name=logout succeeded|sev=0|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=success|src_ip=10.100.100.100|duid=_x_x|duser=targetusername|text=logout succeeded|authnmethod=login page|http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.91 Safari/534.30
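
An added example (not Blackboard code) of working with rows in this format outside the product: it parses the pipe-delimited key=value fields and summarises failed logins per source address. It assumes each field appears once per row and that values are not escaped; the function names, the threshold and the sample rows are constructed for illustration.

```python
from collections import defaultdict

# Field names exactly as they appear in the example rows on this page.
KEYS = {"timestamp", "app_vend", "app_name", "app_ver", "evt_code", "evt_name",
        "sev", "cat", "authnprovider", "dhost", "outcome", "src_ip", "duid",
        "duser", "text", "authnmethod", "http_useragent"}

def parse_row(row):
    """Split one pipe-delimited key=value row into a dict."""
    fields, last = {}, None
    for part in row.rstrip("\n").split("|"):
        key, sep, value = part.partition("=")
        if sep and key in KEYS and key not in fields:
            fields[key], last = value.strip(), key
        elif last is not None:
            # Unknown or repeated key: assume a literal "|" inside the previous
            # value (user agent and message text are client-influenced).
            fields[last] += "|" + part
    return fields

def failed_logins_by_ip(rows, threshold=3):
    """Summarise sources with at least `threshold` failed logins."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "then_success": False})
    for f in map(parse_row, rows):
        s = stats[f.get("src_ip", "")]
        if f.get("evt_name") == "login failed":
            s["failures"] += 1
            if f.get("duser"):
                s["users"].add(f["duser"])
        elif f.get("evt_name") == "login succeeded" and s["failures"] >= threshold:
            s["then_success"] = True
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}

# Constructed sample rows in the page's format (documentation-range addresses).
_ROW = ("timestamp=Aug 08 2008 08:08:0{n}.888 EDT|app_vend=blackboard|app_name=learn"
        "|app_ver=9.1.80000.0|evt_code={code}|evt_name={name}|sev=2|cat=authentication"
        "|authnprovider=1|dhost=appsec-demo|outcome={out}|src_ip={ip}|duid= |duser={user}"
        "|text={name}|authnmethod=login page|http_useragent=ExampleAgent/1.0 (a|b)")
SAMPLE = [
    _ROW.format(n=1, code=2, name="login failed", out="failure", ip="192.0.2.10", user="alice"),
    _ROW.format(n=2, code=1, name="login failed", out="failure", ip="192.0.2.10", user="bob"),
    _ROW.format(n=3, code=2, name="login failed", out="failure", ip="192.0.2.10", user="alice"),
    _ROW.format(n=4, code=0, name="login succeeded", out="success", ip="192.0.2.10", user="alice"),
    _ROW.format(n=5, code=2, name="login failed", out="failure", ip="198.51.100.7", user="carol"),
]

if __name__ == "__main__":
    for ip, s in failed_logins_by_ip(SAMPLE).items():
        print(ip, s["failures"], sorted(s["users"]), s["then_success"])
```

A source that reaches the threshold and then logs in successfully is the case worth reviewing first; the `then_success` flag marks it.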