Identity Router Audit Log Messages
The RSA Identity Router generates audit log messages describing user activities and other events that occur on the identity router. You can configure the identity router to send these details to a syslog server where you can view them directly.
Note: User events available through the syslog from the identity router apply only to the identity router.
For more information on identity router logs and files, see Identity Router Logging and Contents of Identity Router Log Bundle.
See the CODE and MESSAGE fields of these events for more details.
| User Audit Events | Description |
|---|---|
| USER_AUTHZ | A user established a session to access applications available to that user. |
| USER_EDIT_KEYCHAIN | A user profile (keychain) was edited. |
| USER_LOGIN | A user attempted to authenticate and establish a session through the application portal. If the user is redirected using the singlepoint-next-redirect parameter, the message contains the redirect details. The identity router allows redirects only to hostnames associated with your Protected Domain Name, configured applications, or configured identity providers. To view a list of the allowed redirects for your deployment:
|
| USER_LOGOUT | Either a user initiated a sign-out or the session expired. If the user is redirected using the singlepoint-next-redirect parameter, the message contains the redirect details. The identity router allows redirects only to hostnames associated with your Protected Domain Name, configured applications, or configured identity providers. To view a list of the allowed redirects for your deployment:
|
| USER_PROTECTED_APP_AUTHN | A user attempted to access an application through single sign-on. |
| USER_REQUEST_AUTHZ | A user attempted to access an application that requires authorization. |
| USER_STEPUP_AUTHN | A user attempted to perform additional authentication. |
| Web Services Audit Events | Description |
|---|---|
| WEB_SERVICES_CREATE | The web services API created a resource. |
| WEB_SERVICES_DELETE | The web services API deleted a resource. |
| WEB_SERVICES_EDIT | The web services API performed full edit of a resource. |
| WEB_SERVICES_PARTIALEDIT | The web services API partially edited a resource. |
| WEB_SERVICES_VERIFY_TOKEN | The web services API verified an SecurID Authenticate Tokencode. See the STATUS and DESCRIPTION fields for this event for more details. |
| WEB_SERVICES_USER_STATUS | The web services API verified the presence and status of a user within all identity sources configured for the Cloud Access Service (CAS). See the STATUS and DESCRIPTION fields for this event for more details. |
| System Audit Events | Description |
|---|---|
| SYSTEM_BACKUP | User keychains on the identity router were backed up. |
| SYSTEM_BOOTSTRAP | The identity router configuration was modified. |
| SYSTEM_CONFIG_FIREWALL | A firewall rule for the identity router was modified. |
| SYSTEM_CONFIG_HOST | A static host entry for the identity router was modified. |
| SYSTEM_CONFIG_ROUTE | A routing rule for the identity router was modified. |
| SYSTEM_CONFIG_UPDATE | Configuration settings were published to the identity router. |
| SYSTEM_ERROR | An error occurred on the identity router. |
| SYSTEM_REBOOT | The identity router rebooted. |
| SYSTEM_STARTUP | The identity router services started. |
| Identity Router Status Events | Description |
|---|---|
| SYSTEM_IDENTITY_SOURCE_STATUS | Connectivity status changed for one or more identity sources:
|
| SYSTEM_DNS_STATUS | Connectivity status changed for one or more DNS servers:
|
| SYSTEM_AM_STATUS | Connectivity status changed for Authentication Manager. This status applies to the connection that allows SecurID Token users to access resources protected by CAS.
|
| SYSTEM_UPGRADE_CONNECTION_STATUS | Connectivity status for the Software Update Service changed to Healthy or Unhealthy. |
| SYSTEM_ADAPTER_UPGRADE_CONNECTION_STATUS | Connectivity status for the Adapter Update Service changed to Healthy or Unhealthy. |
| SYSTEM_NTP_STATUS | Connectivity status for the NTP server changed to Healthy or Unhealthy. |
| SYSTEM_CLOUD_TIME_SYNC_STATUS | Time synchronization between the identity router and CAS changed.
|
| SYSTEM_CPU_STATUS | CPU usage status on the identity router machine changed.
|
| SYSTEM_CLUSTER_STATUS | Cluster status changed.
|
| SYSTEM_MEMORY_STATUS | Memory usage on the identity router machine changed.
|
| SYSTEM_CLOUD_AUTHENTICATION_SERVICE_CONNECTIONS_STATUS | Reachability status for any of the CAS domain name changed.
|
| SYSTEM_CLOUD_CONNECTIVITY_STATUS | Connectivity status for the current CAS domain name changed to Healthy or Unhealthy. |
| RADIUS Audit Events | Description |
|---|---|
| RADIUS_REQUEST_VALIDATION | A RADIUS authentication request was rejected due to character limits, null values, or an invalid response to a menu prompt. |
| RADIUS_USER_LDAP_AUTHENTICATION | A user attempted RADIUS authentication using LDAP credentials. |
| RADIUS_USER_APPROVE_AUTHENTICATION | A user attempted RADIUS authentication using the Approve method. |
| RADIUS_USER_TOKENCODE_AUTHENTICATION | A user attempted RADIUS authentication using Authenticate OTP. |
| RADIUS_USER_SECURID_AUTHENTICATION | A user attempted RADIUS authentication using a SecurID Token. |
| RADIUS_USER_SECURID_NEW_PIN_AUTHENTICATION | A user attempted RADIUS authentication using a SecurID Token in New PIN mode. |
| RADIUS_USER_SECURID_NEXT_CODE_AUTHENTICATION | A user attempted RADIUS authentication using a SecurID Token in Next Tokencode mode. |
| RADIUS_USER_DEVICE_BIOMETRICS_AUTHENTICATION | A user attempted RADIUS authentication using Fingerprint. |
| RADIUS_CHALLENGE_METHODS_NOT_SUPPORTED | A user attempted RADIUS authentication, but RADIUS or the user's device does not support any of the authentication methods allowed by the access policy. |
| RADIUS_USER_DEVICE_NOT_REGISTERED | A user attempted RADIUS authentication using a method that requires a mobile device, but no device is registered for the user. |
| RADIUS_INTERNAL_ERROR | The RADIUS service encountered an error. |
| RADIUS_USER_ AUTHENTICATION_THROTTLED | RADIUS request throttled, invalid userId attempt threshold exceeded. or RADIUS request throttled, failed authentication threshold exceeded |
Related Articles
Audit event REVIEW_DEFNITION is misspelled in RSA Identity Governance & Lifecycle Number of Views How to create a compressed tar archive of the Oracle audit files in RSA Identity Governance & Lifecycle Number of Views How to enable or disable Audit Logging in RSA Identity Governance and Lifecycle Number of Views Audit logs events and their descriptions Number of Views New audit events available in RSA Identity Governance and Lifecycle 7.0 and above Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Release Notes: Cloud Access Service and RSA Authenticators RSA Release Notes for RSA Authentication Manager 8.8 RSA-2026-04: RSA Governance and Lifecycle Security Update for SUSE Linux Enterprise Server Vulnerabilities
