Authentication Logs
You have access to records of system activity involving logging in and out. High-level security events are logged for auditing purposes. The types of security events cover high-risk activities enabling the tracking and source identification of the event through analysis of logged source internet address, source session, user id, and event time.
Log entries are based on industry standards for identification and description of security events that may be the result of system attacks making them suitable for importing/use with third party tools for forensic analysis reporting. Additionally, the logs themselves provide the ability to identify specific events as immediately visible in the logs.
The Authentication Logs page includes a powerful Search filter, a Log Summary area for summarizing the events in the log, and a Message Detail pane at the bottom of the page for displaying event details, including handler class and type, user agent, and the log message.
In SaaS deployments, authentication logs are kept until explicitly deleted. The authentication provider log table is kept 10 days.
There are two ways to access the Authentication Logs page:
- On the Administrator Panel, in the Integrations section, select Authentication. Then, select View Authentication Logs.
- On the Administrator Panel, in the Tools and Utilities section, select Logs. Then, select Authentication Logs.
Authentication Logs page
The log shows all authentication events, including the event type, username, IP address, date, and the provider involved. Select an entry in the log table to show more information in the Message Detail window.
- Use the Search filter to search for specific activity and filter by user, authentication provider, event type, and date.
- Refresh the display so that the most current log entries appear that match the filter choice.
- Clear Counts clears the message count indicators in the Log Summary section to aid in troubleshooting.
- Message Detail pane allows you to review event details including handler class and type, user agent, and the log message. Select an event in the Log Summary section to display the Message Detail for that event.
With REDIRECT type authentication providers, such as CAS, some authentication events may not be logged as they occur on the authentication source server.
Event types
The log shows five events:
- Logins
- Logouts, additional information shows whether a logout was manual or due to session expiration.
- Login Attempts
- Messages
- Errors
Example log entries by scenario
The Message Detail window shows the detailed log message for an event. This table shows some example logs for common events.
# | Scenario | Example Row |
---|---|---|
1 | Login succeeded, via login page | timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=0|evt_name=login succeeded|sev=0|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=success|src_ip=10.100.100.100|duid=_x_x|duser=targetusername|text=login succeeded|authnmethod=login page|http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.91 Safari/534.30 |
2 | Login failed, bad username, via login page | timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=1|evt_name=login failed|sev=2|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=failure|src_ip=10.100.100.100|duid= |duser=fakeusername|text=login failed|authnmethod=login page|http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.91 Safari/534.30 |
3 | Login failed, bad password, via login page | timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=2|evt_name=login failed|sev=2|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=failure|src_ip=10.100.100.100|duid=_x_x|duser=targetusername|text=login failed|authnmethod=login page|http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.91 Safari/534.30 |
4 | Login created, via one time tool | timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=7|evt_name=login created|sev=8|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=success|src_ip=10.100.100.100|duid=_x_x|duser=targetusername|text=one time login created|authnmethod=one time login tool|http_useragent= |
5 | Login failed, bad token, via one time tool | timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=1|evt_name=login failed|sev=8|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=failure|src_ip=10.100.100.100|duid= |duser= |text=login failed due to invalid token <token value>|authnmethod=one time login tool|http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.91 Safari/534.30 |
6 | Login failed, bad entry code, via one time tool | timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=2|evt_name=login failed|sev=8|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=failure|src_ip=10.100.100.100|duid=_x_x|duser=targetusername|text=login failed due to invalid entry code for token <token value>|authnmethod=one time login tool|http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.91 Safari/534.30 |
7 | Login succeeded, via one time tool | timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=0|evt_name=login succeeded|sev=8|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=success|src_ip=10.100.100.100|duid=_x_x|duser=targetusername|text=login succeeded for token <token value>|authnmethod=one time login tool|http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.91 Safari/534.30 |
8 | Session expired | timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=4|evt_name=session expired|sev=0|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=success|src_ip=10.100.100.100|duid=_x_x|duser=targetusername|text=session expired|authnmethod= |http_useragent= |
9 | Logout | timestamp=Aug 08 2008 08:08:08.888 EDT|app_vend=blackboard|app_name=learn|app_ver=9.1.80000.0|evt_code=3|evt_name=logout succeeded|sev=0|cat=authentication|authnprovider=1|dhost=appsec-demo|outcome=success|src_ip=10.100.100.100|duid=_x_x|duser=targetusername|text=logout succeeded|authnmethod=login page|http_useragent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.91 Safari/534.30 |