Log format

The AdminServer log records both successful and failed authentication and authorization events in the following format:

[date][level]["security"] UserName:UserSuppliedPwd:GroupInfo:Text

Log contents

The following list describes the fields in the log format:

  • Date — The logging tool automatically inserts the current date using the existing AdminServer log format.
  • Level — Indicates the severity or type of event. The possible levels are 1 through 5, in compliance with the existing AdminServer log conventions. The security entry uses only the following levels:
    • 0 indicates an internal error.
    • 2 indicates an error condition and explains why the client is not authenticated or authorized.
    • 3 indicates success and is used for tracking purposes.
  • "security" — A fixed text string used to simplify log file scanning tools. It enables automated parser tools to easily identify security events.
  • UserName — Contains the user account being authenticated to the AdminServer. If the authentication or authorization operation fails before the username can be validated, this field displays "no-user". On Windows, the username can appear in the format [domain\]UserName. The domain is added automatically during the account lookup when the user does not provide a fully qualified user account.
  • UserSuppliedPwd — Indicates the source or status of the password being validated for the user account. It can contain one of the following values:
    • Y indicates that the password is supplied by the user.
    • N indicates that the password is generated by the Single Sign-On (SSO) password generator.
    • X indicates that the password is not yet validated.
  • GroupInfo — Contains group authorization information. When the AdminServer initializes, it validates that at least one authorized group is accessible. This field contains the list of available and unavailable groups, where unavailable groups are enclosed within curly brackets.

    The following example shows the format of GroupInfo:

    group, group...;{unavailablegroup,unavailablegroup...}

On Windows, the list of available group names can be prefixed with the domain in square brackets to indicate the source of the group name lookup.

When a security entry is made for an authentication or authorization operation, it can contain:

  • No Group Checking — Indicates that the AdminServer started without the -admingroup option and no group authorization took place.
  • GroupName — Indicates that a single group name was successfully authorized for the user, with a success message logged.
  • GroupNames — Lists the group names against which the user failed authorization when the failure message was logged.
  • Text — Contains one of the following messages that further explains the outcome of the authentication or authorization attempt:
    • User is not authenticated
    • User is authenticated and authorized
    • User is not authorized
    • Failed to find the admingroup(s)
    • Failed to find the admingroup, not a valid group list
    • Failed to find the admingroup, please provide a valid group list
    • User password is not valid
    • System generated password has expired
    • Error, system generated password is not valid, user and host are valid
    • Valid group list
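
The following parser is an added example, not part of the AdminServer product or its documentation. It splits a security entry into the fields described above and counts level 2 failures per user. The sample lines are constructed, and the date layout, the one-entry-per-line layout, and the absence of ":" inside UserName and GroupInfo are assumptions.

```python
import re
from collections import Counter

# Page layout: [date][level]["security"] UserName:UserSuppliedPwd:GroupInfo:Text
# Assumptions: one entry per line, no ':' inside UserName or GroupInfo.
ENTRY = re.compile(r'^\[(?P<date>[^\]]*)\]\s*\[(?P<level>\d)\]\s*\["security"\]\s*'
                   r'(?P<user>[^:]*):(?P<pwd>[YNX]):(?P<groups>[^:]*):(?P<text>.*)$')
PWD_SOURCE = {"Y": "user-supplied", "N": "SSO-generated", "X": "not yet validated"}

def parse_group_info(info):
    """Split GroupInfo into domain, available groups and {unavailable} groups."""
    info = info.strip()
    if info == "No Group Checking":          # started without -admingroup
        return {"checked": False, "domain": None, "available": [], "unavailable": []}
    braces = re.search(r"\{([^}]*)\}", info)
    unavailable = braces.group(1).split(",") if braces else []
    available = (info[:braces.start()] if braces else info).rstrip("; ")
    prefix = re.match(r"\[([^\]]+)\]", available)  # Windows: [domain] before the list
    domain = prefix.group(1) if prefix else None
    available = available[prefix.end():] if prefix else available
    clean = lambda names: [n.strip() for n in names if n.strip()]
    return {"checked": True, "domain": domain,
            "available": clean(available.split(",")), "unavailable": clean(unavailable)}

def parse_entry(line):
    """Return a dict for a security entry, or None for any other log line."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    return {"date": m["date"], "level": int(m["level"]), "user": m["user"],
            "pwd_source": PWD_SOURCE[m["pwd"]],
            "groups": parse_group_info(m["groups"]), "text": m["text"].strip()}

def failures_by_user(lines):
    """Count level-2 (not authenticated / not authorized) entries per UserName."""
    entries = filter(None, map(parse_entry, lines))
    return Counter(e["user"] for e in entries if e["level"] == 2)

# Constructed sample lines; the date layout is an assumption.
SAMPLE = r'''
[2024-05-01 10:00:01][3]["security"] ACME\alice:Y:[ACME]admins:User is authenticated and authorized
[2024-05-01 10:00:07][2]["security"] no-user:X:No Group Checking:User is not authenticated
[2024-05-01 10:00:09][2]["security"] bob:Y:admins,ops:User is not authorized
[2024-05-01 10:00:12][2]["security"] bob:N:admins,ops:System generated password has expired
[2024-05-01 10:00:15][3] unrelated non-security line
'''.splitlines()

if __name__ == "__main__":
    print(failures_by_user(SAMPLE).most_common())
```

Repeated level 2 entries for one account, or a run of "no-user" entries, are the patterns worth alerting on when this feeds a monitoring pipeline.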