Security Audit Events

The security audit events are divided into Columns, Services, Modules, Status, and Events according to from where it originates.

The following lists and describes the different event types and the overview is also available in JavaDoc format of the API.

Note that since EJBCA is built around the CESeCore project, both EventTypes and EjbcaEventTypes in the API documentation need to be considered to view all the event types EJBCA can generate.

An example of how such an event would look like in the server log using the Log4jDevice is the event that the application is starting:

... INFO [Log4jDevice] 2015-03-20 12:47:51+01:00;EJBCA_STARTING;SUCCESS;SERVICE;EJBCA;StartServicesServlet.init;;hostname;;msg=Init, EJBCA 6.7.0 Enterprise (r25420) startup.

and the same kind of event using IntegrityProtectedDevice that writes the log entry to the database:

mysql> select * from AuditRecordData where eventType='EJBCA_STARTING' ... \G
pk: 24861ebf7f00010106e5a024d82c694d
additionalDetails: ... Init, EJBCA 6.7.0 Enterprise (r25420) startup. ...
authToken: StartServicesServlet.init
customId: NULL
eventStatus: SUCCESS
eventType: EJBCA_STARTING
module: SERVICE
nodeId: hostname
rowProtection: 1:2:123:4d2f6...
rowVersion: 0
searchDetail1: hostname
searchDetail2: NULL
sequenceNumber: 17640195
service: EJBCA
timeStamp: 1426205614754

This should be interpreted as the following:

  • Service is EJBCA (not shown in the Admin GUI) : the event originates from the part of the application that not part of the core shared with other products.

  • Module is SERVICE: this event was generated from a module in EJBCA that is responsible for background services.

  • Status (named "Outcome" in the Admin GUI) is SUCCESS: in the context of the event, this should be interpreted as no error were detected during the EJBCA startup.

  • Event is EJBCA_STARTING: the application EJBCA is starting up.

  • AdditionalDetails is an event specific message with additional information telling us (in this case) the version of EJBCA that was started.

  • AuthToken identifies that the event was generated by the internal module StartServicesServlet

  • NodeId is the EJBCA node, in this case hostname, that generated the event

  • SearchDetail1 is an additional message, in this case the hostname (same as NodeId) that EJBCA was started on.

  • TimeStamp is the time, in milliseconds since epoch, the event occured

Columns

The following table includes descriptions of the log column names and a mapping between the columns names and the display names in the Admin GUI.

Column Name

Description

Admin UI Display Name

Service

The service an event originates from, EJBCA or CORE.

(not shown)

Module

The module an event was generated from.

Module

Status

SUCCESS or FAILURE

Outcome

Event

The audit log event that occurred.

Event

AdditionalDetails

Event specific message with additional information.

Details

AuthToken

Identifies the administrator, or internal module, that caused the event.

Administrator

NodeId

Identifies the EJBCA instance (which server in a cluster) that the event occurred on.

Node

CustomId

Identifier used in log messages, commonly the certificate authority an event was related to.

Certificate Authority

searchDetail1

Detail used in log messages, commonly the serial number of the certificate an event was related to.

Certificate

searchDetail2

Detail used in log messages, commonly the username an event was related to.

Username

timeStamp

The time, in milliseconds since epoch, the event occurred.

Time

Services

Service can be one of EJBCA or CORE. Both are from the EJBCA application, but services originating from CORE originates from a part, CESeCore, that contains functions also shared with other products. These services relates to event types below.

This is not important from an audit perspective, but is useful information for an understanding of the logging format.

Service

Event

CORE

CESeCore Events

EJBCA

EJBCA Events

Modules

The Security Audit Log has one component that is the Module. The Module is a description of the internal module of EJBCA where the event happened and can be useful for categorizing events.

Modules are also documented in the source code in ModuleTypes.java and EjbcaModuleTypes.java.

Module

Description

ACCESSCONTROL

Access control module

AUTHENTICATION

Authentication module

CA

Certificate Authority module

CERTIFICATE

Certificate issuance and handling module

CERTIFICATEPROFILE

Certificate profile module

CRL

Certificate Revocation List issuance and handling module

CRYPTOTOKEN

Crypto Token module

BLACKLIST

Blacklist module

VALIDATOR

Validator module

ROLES

Administrator role management module

SECURITY_AUDIT

Security event audit log module

INTERNALKEYBINDING

Internal Key Binding module

GLOBALCONF

Module for system settings stored in the database

RA

Registration Authority module

HARDTOKEN

(Client) hardware token management module

KEYRECOVERY

Key recovery module

APPROVAL

Approval module

APPROVAL_PROFILE

Approval Profiles module

PUBLISHER

Publisher module

SERVICE

EJBCA background service module

CUSTOM

External logging module

ADMINWEB

Administrative web GUI module

Status

The outcome of an event can be one of the following.

Status is also documented in the source code in EventStatus.java

Status

Description

FAILURE

Operation failed

SUCCESS

Operation succeeded

VOID

Operation completed without a defined result

Events

Security Events are divided into two parts. The logical separation is that the CESeCore Events are PKI core events needed for Common Criteria certified operations, and kept in a Core module that is re-used across some different PrimeKey products. We keep the separation in the documentation for simplicity.

Example Log File Event

The EJBCA Startup log even will look like this in the application server log file.

2017-03-25 07:26:04+01:00;EJBCA_STARTING;SUCCESS;SERVICE;EJBCA;Application internal;;hostname;;msg=Init, EJBCA 6.7.0 Enterprise (r25420) startup.

CESeCore Events

CESeCore event types are also documented in the source code in EventTypes.java.

Event Type

Description

ACCESS_CONTROL

Authorization check to resource of authenticated entity

AUTHENTICATION

Authentication check of an entity

CA_CREATION

Creation of a Certificate Authority

CA_DELETION

Removal of a Certificate Authority

CA_RENAMING

Internal application name change of a Certificate Authority. Unrelated to Certificate Authority's Subject Distinguisher Name

CA_EDITING

Modification of a Certificate Authority

CA_KEYACTIVATE

Certificate Authority starts using a different key pair

CA_KEYGEN

Generation of a new key pair that can be used by the Certificate Authority during renewal or update

CA_SERVICEACTIVATE

Certificate Authority state change to start serving requests. Unrelated to CA private key availability

CA_SERVICEDEACTIVATE

Certificate Authority state change to stop serving requests. Unrelated to CA private key availability

CERT_STORED

Persistence of a certificate to the database

CERT_REVOKED

Change of a certificate's status to revoked or active

CERT_CHANGEDSTATUS

Change of a certificate's status to unassigned, inactive, active, notified about expiration, revoked or archived

CERT_REQUEST

A request for certificate issuance from a Certificate Authority is submitted

CERT_CREATION

Issuance of a certificate by a Certificate Authority

CERT_CTPRECERT_SUBMISSION

Certificate Transparency log servers responds to a pre-certificate submission from a Certificate Authority

CERTPROFILE_CREATION

Creation of a certificate profile

CERTPROFILE_DELETION

Removal of a certificate profile

CERTPROFILE_RENAMING

Name change of a certificate profile

CERTPROFILE_EDITING

Modification of a certificate profile

CRL_STORED

Persistence of a Certificate Revocation List to the database

CRL_CREATION

Issuance of a Certificate Revocation List by a Certificate Authority

CRYPTOTOKEN_CREATE

Creation of a Crypto Token

CRYPTOTOKEN_EDIT

Modification of a Crypto Token

CRYPTOTOKEN_DELETION

Removal of a Crypto Token

CRYPTOTOKEN_ACTIVATION

Activation of a Crypto Token, making the key material available for use by the application

CRYPTOTOKEN_DEACTIVATION

Deactivation of a Crypto Token, making the key material unavailable for use by the application

CRYPTOTOKEN_REACTIVATION

Attempted reactivation of a Crypto Token. Since this occurs automatically, it may fail

CRYPTOTOKEN_DELETE_ENTRY

Removal of a key pair from the Crypto Token key material or key pair place-holder from the Crypto Token object

CRYPTOTOKEN_GEN_KEYPAIR

Generation of a new key pair in the Crypto Token

CRYPTOTOKEN_UPDATEPIN

Modification of the Crypto Token's auto-activation PIN. For soft key stores, this also implies changes of the protection of the key material

BLACKLIST_CHANGE

Modification of an existing blacklist

BLACKLIST_CREATION

Creation of a new blacklist

BLACKLIST_REMOVAL

Removal of an existing blacklist

VALIDATOR_CHANGE

Modification of an existing validator

VALIDATOR_CREATION

Creation of a new validator

VALIDATOR_REMOVAL

Removal of an existing validator

VALIDATOR_RENAME

Name change of an existing validator

VALIDATOR_VALIDATION_FAILED

Validation failed event

LOG_DELETE

Removal of persisted audit log records

LOG_EXPORT

Export of audit log records

LOG_MANAGEMENT_CHANGE

Change of protection settings for audit log records

LOG_VERIFY

Verification of existing audit log records

ROLE_CREATION

Creation of an administrative role

ROLE_DELETION

Removal of an administrative role

ROLE_RENAMING

Name change of an administrative role

ROLE_ACCESS_RULE_ADDITION

New access rules added to administrative role

ROLE_ACCESS_RULE_CHANGE

Modifications of existing access rules in an administrative role

ROLE_ACCESS_RULE_DELETION

Removal of existing access rules from administrative role

ROLE_ACCESS_USER_ADDITION

New administrator added to administrative role

ROLE_ACCESS_USER_CHANGE

Change of existing administrator in an administrative role

ROLE_ACCESS_USER_DELETION

Removal of existing administrator from administrative role

SYSTEMCONF_CREATE

Creation of new system settings stored in the database

SYSTEMCONF_EDIT

Modification of existing system settings stored in the database

INTERNALKEYBINDING_CREATE

Creations of a new Internal Key Binding

INTERNALKEYBINDING_EDIT

Modification of an existing Internal Key Binding

INTERNALKEYBINDING_DELETE

Removal of an existing Internal Key Binding

EJBCA Events

EJBCA event types are also documented in the source code in EjbcaEventTypes.java.

Event Type

Description

ADMINWEB_ADMINISTRATORLOGGEDIN

An administrator logs in to EJBCA's Administrative Web GUI

APPROVAL_ADD

Action that requires approval by one or more administrators is requested

APPROVAL_APPROVE

Action that requires approval was approved by one of the required administrator(s)

APPROVAL_EDIT

Approval request was edited

APPROVAL_REJECT

Action that requires approval was rejected by one of the required administrator(s)

APPROVAL_EXTEND

Expiration date of an approval request was extended by an administrator

APPROVAL_PROFILE_ADD

Adding an approval profile

APPROVAL_PROFILE_EDIT

Editing an approval profile

APPROVAL_PROFILE_REMOVE

Removing an approval profile

APPROVAL_PROFILE_RENAME

Renaming an approval profile

CA_EXPORTTOKEN

Export of a Certificate Authority's (soft) Crypto Token

CA_EXTENDEDSERVICE

Execution of one of the Certificate Authority's extended services

CA_IMPORT

Creation of a Certificate Authority using an existing soft key store

CA_REMOVETOKEN

Removal of a Certificate Authority's (soft) Crypto Token

CA_RENEWED

Renewal of a Certificate Authority's certificate, optionally using a different key pair

CA_ROLLEDOVER

Roll over of a Certificates Authority's certificate chain and key

CA_RESTORETOKEN

Restoration of a Certificate Authority's previously removed (soft) Crypto Token

CA_REVOKED

Revocation of a Certificate Authority and all certificates issued by it

CA_SIGNREQUEST

Certificate Authority signs (attests) a provided certificate signing request

CA_SIGNCMS

Certificate Authority signs (attests) a CMS / PKCS#7

CA_USERAUTH

End entity authenticates using enrollment code

CA_VALIDITY

Certificate Authority's signing certificate is not valid yet or not valid any longer

CUSTOMLOG_ERROR

Log entry with log level error supplied from external source

CUSTOMLOG_INFO

Log entry with log level info supplied from external source

EJBCA_STARTING

Application startup

HARDTOKEN_ADD

Creation of a new (client) hardware token representation

HARDTOKEN_ADDCERTMAP

Creation of link from a (client) hardware token representation to a certificate

HARDTOKEN_ADDISSUER

Creation of a new issuer for (client) hardware tokens

HARDTOKEN_ADDPROFILE

Creation of a new template for (client) hardware tokens

HARDTOKEN_EDIT

Modification of an existing (client) hardware token representation

HARDTOKEN_EDITISSUER

Modification or name change of an existing issuer for (client) hardware tokens

HARDTOKEN_EDITPROFILE

Modification or name change of an existing template for (client) hardware tokens

HARDTOKEN_GENERATE

Outcome of provisioning of a (client) hardware token reported by external card management system

HARDTOKEN_REMOVE

Removal of an existing (client) hardware token representation

HARDTOKEN_REMOVECERTMAP

Removal of link from a (client) hardware token representation to a certificate

HARDTOKEN_REMOVEISSUER

Removal of an existing issuer for (client) hardware tokens

HARDTOKEN_REMOVEPROFILE

Removal of an existing template for (client) hardware tokens

HARDTOKEN_VIEWED

Administrator views the content of a (client) hardware token representation

HARDTOKEN_VIEWEDPUK

Administrator views the PUK code of a (client) hardware token representation

KEYRECOVERY_ADDDATA

Persistence of encrypted key material and meta data that can be used for recovering a server-side generated client key pair

KEYRECOVERY_EDITDATA

Modification of encrypted key material and meta data that can be used for recovering a server-side generated client key pair

KEYRECOVERY_MARKED

Change status of meta data for encrypted key material to allow extraction of server-side generated client key pair

KEYRECOVERY_REMOVEDATA

Removal of specific or all encrypted key material and meta data that can be used for recovering a server-side generated client key pair

KEYRECOVERY_SENT

Extraction of key material of server-side generated client key pair

PUBLISHER_CHANGE

Modification of an existing publisher

PUBLISHER_CREATION

Creation of a new publisher

PUBLISHER_REMOVAL

Removal of an existing publisher

PUBLISHER_RENAME

Name change of an existing publisher

PUBLISHER_STORE_CERTIFICATE

Publishing of a certificate and/or related certificate meta data

PUBLISHER_STORE_CRL

Publishing of a Certificate Revocation List and related meta data

RA_ADDADMINPREF

Creation of new settings for an administrator

RA_ADDEEPROFILE

Creation of a new end entity profile

RA_ADDENDENTITY

Creation of a new end entity

RA_DEFAULTADMINPREF

Modification of default settings for administrators

RA_DELETEENDENTITY

Removal of an end entity

RA_EDITADMINPREF

Modification of an existing settings for an administrator

RA_EDITEEPROFILE

Modification of an existing end entity profile

RA_EDITENDENTITY

Modification of an existing end entity

RA_REMOVEEEPROFILE

Removal of an existing end entity profile

RA_RENAMEEEPROFILE

Name change of an existing end entity profile

RA_REVOKEDENDENTITY

Change status of an existing end entity and all the end entity's certificates to revoked

RA_USERDATASOURCEADD

Creation of a new user data source

RA_USERDATASOURCEEDIT

Modification of an existing user data source

RA_USERDATASOURCEFETCHDATA

Retrieval of data through an existing user data source

RA_USERDATASOURCEREMOVE

Removal of an existing user data source

RA_USERDATASOURCEREMOVEDATA

Request for removal of data through an existing user data source

RA_USERDATASOURCERENAME

Name change of an existing user data source

REVOKE_UNREVOKEPUBLISH

Publishing of a certificate and/or related certificate meta data when certificate is activated after being on hold

SERVICE_ADD

Creation of a new EJBCA background service

SERVICE_EDIT

Modification of an existing EJBCA background service

SERVICE_REMOVE

Removal of an existing EJBCA background service

SERVICE_RENAME

Name change of an existing EJBCA background service