Audit Logs

Audit logs (USERAUDIT category) are user activity logs. They are written first to files before being stored in the database.

How Audit Logs Work

The 3DEXPERIENCE platform audit log files are written in a JSON format in the file:

<tomee_installation_directory>/logs/passport-audit.{date}.log

An attribute (ssoId) sent to the platform services carries the correlation ID for the SSO session of the logged-in user.

User Activities Logged by 3DPassport

3DPassport can log the following events linked to user activities:

Abbreviation | Message | Event Success
APPLICATION_PASSWORD_ENABLED | The Application Password feature has been enabled by the administrator. | 3
APPLICATION_PASSWORD_DISABLED | The Application Password feature has been disabled by the administrator. | 3
APPLICATION_PASSWORD_CREATED | The user {Username} has created a new Application Password: {Name}. | 0
APPLICATION_PASSWORD_DELETED | The Application Password {Name} was deleted by the user {Username}. | 0
APPLICATION_LOGIN_KO_EXPIRED | The user {Username} has failed to sign in because their Application Password {Name} is expired. | 1
APPLICATION_LOGIN_KO_DISABLED | The user {Username} has failed to sign in because their password {Name} is disabled. | 1
APPLICATION_PASSWORD_USER_ENABLED | The Application Password {Name} for the user {username} has been enabled by the administrator. | 3
APPLICATION_PASSWORD_USER_DISABLED | The Application Password {Name} for the user {username} has been disabled by the administrator. | 3
RESET_PASS_OK | User has successfully reset his password. | 0
RESET_PASS_KO | User has failed to reset his password. | 2
RESET_PASSWORD_LINK_OK | Password reset link has been generated for the user (user email). | 3
RESET_PASSWORD_LINK_KO | An error occurred when generating the password reset link for the user (user email). | 3
LOGIN_OK | User has successfully signed in. | 0
LOGIN_KO | User has failed to sign in. | 1
LOGIN_KO_PWD_EXPIRED | User has failed to sign in because their password is expired. | 1
LOGIN_KO_SSO | User has failed to sign in due to a single sign-on problem. | 2
LOGIN_KO_WRONG_CREDS | User has failed to sign in because of wrong credentials. | 1
LOGIN_KO_LOCKED_ACC | User has failed to sign in because his account is locked. | 1
LOGIN_KO_NOT_AUTHORIZED | User account does not have the required membership. | 1
LOGOUT_OK | User has successfully signed out. | 0
LOGOUT_KO | User has failed to sign out. | 2
CREATE_ACCOUNT | User has created a new account. | 0
UPDATE_ACC_OK | User has successfully updated his account. | 0
UPDATE_ACC_KO | User has failed to update his account. | 2
LOCKED_ACC | User account {user} has been locked out. | 3
UNLOCKED_ACC | User account {user} has been unlocked by administrator. | 3
DEACTIVATED_ACC | User account has been deactivated by administrator. | 3
LDAP_SEARCH | LDAP search request sent. | 0
LDAP_BIND | LDAP bind request sent. | 0
LDAP_MODIFY | LDAP modify request sent. | 0
SERVICE_SSO_OK | User has successfully single signed on to service {service}. | 0
SERVICE_SSO_KO | User has failed to single sign on to service {service}. | 2
CREATE_UUID | New UUID has been created for {Email address}. | 0
LOGIN_KO_BLOCKED_AUTHN | User could not be authenticated because his account is blocked for security reasons. | 1
CREATE_ACCOUNT_KO | User has failed to create a new account. | 2
DELETED_ACCOUNT_OK | User account has been deleted by administrator. | 3
DELETED_ACCOUNT_PARTIALLY_OK | User account has been partially deleted by administrator. | 3
DELETED_ACCOUNT_KO | Deletion of the user account by the administrator has failed. | 2
DELETED_ACCOUNT_USER | The registration has been cancelled by the user {user}. | 0
DEACTIVATED_TOTP | Two-factor authentication for {user} has been deactivated by administrator. | 3
BATCH_SERVICE_CREATED | Batch service named {batch name} has been created. | 3
BATCH_SERVICE_UPDATED | Batch service named {batch name} has been updated. | 3
BATCH_SERVICE_DELETED | Batch service named {batch name} has been deleted. | 3
TRANSIENT_TICKET_CREATED | Transient ticket {ticket} has been created for user '{user}' by user '{user}'. | 3
TRANSIENT_TICKET_CREATED_BATCH | Transient ticket {ticket} has been created for user '{user}' by batch service '{user}'. | 3
TRANSIENT_TICKET_CONSUMED | Transient ticket {ticket} has been consumed. | 3

Each event is logged with the following information:

  • Timestamp, Tenant Id and Client IP
  • SSO ID: a unique identifier that represents a unique single sign-on. It correlates all user logs.
  • User ID: hashed username (for data privacy purposes)
  • Event name: For example: LOGIN_OK, LOGOUT_KO, UPDATE, DELETE…
  • Event success: specifies if the activity was successfully performed or not:
    • 0 = success (user activity OK)
    • 1 = failed (functional error: user activity KO)
    • 2 = unexpected error (technical error)
    • 3 = administrator activity.

    Event Success Definition

    The following examples illustrate in more detail what is meant by event success:

    • The LOGIN_OK event always has code 0 because the event (in this case, login) was performed without interruption (no anomaly or exception, and no bad credentials). Consequently, a LOGIN_OK event cannot have code 1, 2 or 3.
    • Similarly, the LOGIN_KO_WRONG_CREDENTIALS event has code 1, since it is not a technical problem but is due to bad credentials.
    • The LOGIN_KO_SSO event with code 2 is an anomaly or an exception.
    • The DEACTIVATED_ACC event with code 3 signifies an action performed by the administrator.
  • Data: additional information.

Here are some examples of the generated JSON audit log:

{
  "timestamp": "514835489",
  "timestamp_hr": "2017-04-25T05:07:00.254Z",
  "tenant_id": "",
  "client_ip": "10.10.10.10",
  "sso_id": "86086050D14661C32CBC29758270C57367550D1466573675",
  "user_id": "jcdcd54dr45rfezdc54d45ezedz5dez54",
  "event_name": "LOGIN_OK",
  "event_success": "0",
  "data": {"message": "User has successfully signed in"}
}

{
  "timestamp": "514835489",
  "timestamp_hr": "2017-04-25T05:07:00.254Z",
  "tenant_id": "",
  "client_ip": "10.10.10.10",
  "sso_id": "86086050D14661C32CBC29758270C57367550D1466573675",
  "user_id": "jcdcd54dr45rfezdc54d45ezedz5dez54",
  "event_name": "LOGIN_KO",
  "event_success": "1",
  "data": {"message": "User has failed to sign in"}
}

{
  "timestamp": "514835489",
  "timestamp_hr": "2017-04-25T05:07:00.254Z",
  "tenant_id": "",
  "client_ip": "10.10.10.10",
  "sso_id": "86086050D14661C32CBC29758270C57367550D1466573675",
  "user_id": "jcdcd54dr45rfezdc54d45ezedz5dez54",
  "event_name": "UPDATE_ACC_KO",
  "event_success": "2",
  "data": {"message": "User has failed to update his account", "user_data": {"username": "xxx", …}}
}

{
  "timestamp": "514835489",
  "timestamp_hr": "2017-04-25T05:07:00.254Z",
  "tenant_id": "",
  "client_ip": "10.10.10.10",
  "sso_id": "86086050D14661C32CBC29758270C57367550D1466573675",
  "user_id": "jcdcd54dr45rfezdc54d45ezedz5dez54",
  "event_name": "LOCKED_ACC",
  "event_success": "3",
  "data": {"message": "User account has been locked out"}
}

{
  "timestamp": "514835489",
  "timestamp_hr": "2017-04-25T05:07:00.254Z",
  "tenant_id": "",
  "client_ip": "10.10.10.10",
  "sso_id": "86086050D14661C32CBC29758270C57367550D1466573675",
  "user_id": "jcdcd54dr45rfezdc54d45ezedz5dez54",
  "event_name": "DEACTIVATED_ACC",
  "event_success": "3",
  "data": {"message": "User account has been deactivated by administrator"}
}

Here is a sample of the attributes sent upon CAS service ticket validation with the new ssoId attribute:

<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>admin_platform</cas:user>
    <cas:attributes>
      <cas:zip/>
      <cas:address/>
      <cas:city/>
      <cas:telephone>+33612345678</cas:telephone>
      <cas:company/>
      <cas:email>admin_platform@3ds.com</cas:email>
      <cas:username>admin_platform</cas:username>
      <cas:ssoId>86086050D14661C32CBC29758270C57367550D1466573675</cas:ssoId>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>
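The record layout and the event_success codes described above, together with the ssoId attribute returned by CAS ticket validation, are what a reviewer actually works with when triaging these logs. The following Python script is an added example, not part of the 3DPassport product or its documentation: it parses JSON-per-line records in the shape of passport-audit.{date}.log, buckets them by the four documented success codes, lists the client IPs behind repeated LOGIN_KO* events, isolates administrator (code 3) and technical-error (code 2) records, and reconstructs one session's timeline by matching the ssoId from a CAS serviceResponse against the sso_id field. All log lines, IP addresses, sso_id values, the "hash-of-username" user_id and the CAS response embedded here are constructed for the example; the field names are those shown on this page.

```python
import json
import xml.etree.ElementTree as ET
from collections import Counter

# Documented meaning of the event_success codes for the USERAUDIT category.
SUCCESS_MEANING = {
    0: "success",
    1: "functional failure",
    2: "technical error",
    3: "administrator activity",
}


def _rec(ts, ip, sso, event, success, message):
    """Build one constructed audit record as a JSON line (all values invented)."""
    return json.dumps({"timestamp": "514835489", "timestamp_hr": ts, "tenant_id": "",
                       "client_ip": ip, "sso_id": sso, "user_id": "hash-of-username",
                       "event_name": event, "event_success": str(success),
                       "data": {"message": message}})


# Constructed sample of a passport-audit log: one SSO session with two bad
# password attempts before a successful sign-in, one SSO failure from another
# client, one administrator action, and one malformed line.
SAMPLE_LOG_LINES = [
    _rec("2017-04-25T05:07:00.254Z", "10.10.10.10", "SSO-AAAA", "LOGIN_KO_WRONG_CREDS", 1,
         "User has failed to sign in because of wrong credentials."),
    _rec("2017-04-25T05:07:05.120Z", "10.10.10.10", "SSO-AAAA", "LOGIN_KO_WRONG_CREDS", 1,
         "User has failed to sign in because of wrong credentials."),
    _rec("2017-04-25T05:07:12.000Z", "10.10.10.10", "SSO-AAAA", "LOGIN_OK", 0,
         "User has successfully signed in."),
    _rec("2017-04-25T05:09:00.000Z", "10.10.10.10", "SSO-AAAA", "LOGOUT_OK", 0,
         "User has successfully signed out."),
    _rec("2017-04-25T05:10:00.000Z", "10.10.10.20", "SSO-BBBB", "LOGIN_KO_SSO", 2,
         "User has failed to sign in due to a single sign-on problem."),
    _rec("2017-04-25T05:11:00.000Z", "10.10.10.30", "SSO-CCCC", "LOCKED_ACC", 3,
         "User account has been locked out."),
    "2017-04-25T05:12:00.000Z this line is not JSON {",   # constructed malformed line
]

# Constructed CAS validation response carrying the ssoId attribute.
SAMPLE_CAS_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>example_user</cas:user>
    <cas:attributes>
      <cas:email>example_user@example.invalid</cas:email>
      <cas:username>example_user</cas:username>
      <cas:ssoId>SSO-AAAA</cas:ssoId>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""


def parse_audit_lines(lines):
    """Parse JSON audit records, one per line. Malformed lines are counted, not raised,
    so one bad write cannot abort the review of the whole file."""
    events, malformed = [], 0
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            success = int(rec["event_success"])    # the page shows it as a string, e.g. "0"
        except (json.JSONDecodeError, KeyError, ValueError, TypeError):
            malformed += 1
            continue
        events.append({
            "ts": rec.get("timestamp_hr", ""),
            "ip": rec.get("client_ip", ""),
            "sso_id": rec.get("sso_id", ""),
            "user_id": rec.get("user_id", ""),       # hashed; not reversible to a username
            "event": rec.get("event_name", ""),
            "success": success,
            "message": (rec.get("data") or {}).get("message", ""),
        })
    return events, malformed


def summarize_by_success(events):
    """Count records per documented event_success meaning; undocumented codes land in 'unknown'."""
    return Counter(SUCCESS_MEANING.get(e["success"], "unknown") for e in events)


def failed_login_sources(events, threshold):
    """Client IPs with at least `threshold` LOGIN_KO* records: the ones worth a closer look."""
    counts = Counter(e["ip"] for e in events if e["event"].startswith("LOGIN_KO"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def admin_activity(events):
    """Code 3 records: the administrator actions an auditor reviews."""
    return [(e["ts"], e["event"]) for e in events if e["success"] == 3]


def technical_errors(events):
    """Code 2 records: anomalies or exceptions, i.e. the platform's own problems."""
    return [(e["ts"], e["event"]) for e in events if e["success"] == 2]


def extract_sso_id(cas_xml):
    """Read the ssoId attribute from a CAS serviceResponse; None when absent."""
    ns = {"cas": "http://www.yale.edu/tp/cas"}
    root = ET.fromstring(cas_xml)
    node = root.find("cas:authenticationSuccess/cas:attributes/cas:ssoId", ns)
    return node.text.strip() if node is not None and node.text else None


def session_timeline(events, sso_id):
    """Every record of one SSO session in log order. user_id is a hash, so the
    correlation key across services is the sso_id, as the page describes."""
    return [(e["ts"], e["event"], e["success"]) for e in events if e["sso_id"] == sso_id]


if __name__ == "__main__":
    evts, bad = parse_audit_lines(SAMPLE_LOG_LINES)
    print(f"parsed {len(evts)} records, skipped {bad} malformed line(s)")
    print("by success code:", dict(summarize_by_success(evts)))
    print("repeated failed logins:", failed_login_sources(evts, threshold=2))
    print("administrator activity:", admin_activity(evts))
    print("technical errors:", technical_errors(evts))
    sso = extract_sso_id(SAMPLE_CAS_RESPONSE)
    print(f"timeline for CAS session {sso}:", session_timeline(evts, sso))
```

Read the real file with `open(path)` in place of SAMPLE_LOG_LINES; because each record is one JSON object per line, the parser needs no other state. The threshold for failed_login_sources is deliberately a parameter: what counts as "repeated" depends on the tenant, and the point of bucketing by event_success first is that code 1 (bad credentials, locked or unauthorized accounts) and code 2 (platform errors) call for different owners.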