Audit Journal Reference
S-Filer Portal audits all actions taken in the user interface or via the API in a journal stored in the database. Audit entries are also sent to a special logger named "AUDIT" and this allows to send them to a SIEM solution using a syslog appender.
Audit types and description
Login (1.3.6.1.4.1.7660.50.1.1)
| OID | Description | Message |
|---|---|---|
| 1.3.6.1.4.1.7660.50.1.1.1 | Login succeeded | Login succeeded for 'ENTRY0' at domain 'ENTRY1'. |
| 1.3.6.1.4.1.7660.50.1.1.2 | Login failed | Login failed for 'ENTRY0' at domain 'ENTRY1'. Reason: ENTRY2 |
| 1.3.6.1.4.1.7660.50.1.1.3 | Logout success | Logout succeeded for 'ENTRY0@ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.1.4 | Password expired | Password expired for 'ENTRY0@ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.1.5 | Account expired | Account expired for 'ENTRY0@ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.1.6 | Account locked | Account locked for 'ENTRY0@ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.1.7 | Account temporarily locked | Account temporarily locked for 'ENTRY0@ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.1.8 | MFA validation succeeded | MFA validation succeeded for 'ENTRY0'. |
| 1.3.6.1.4.1.7660.50.1.1.9 | MFA validation failed | MFA validation failed for 'ENTRY0'. |
| 1.3.6.1.4.1.7660.50.1.1.10 | System administrators are not allowed to authenticate | Login succeeded for 'ENTRY0' at domain 'ENTRY1' but system administrators are not allowed to authenticate. |
User (1.3.6.1.4.1.7660.50.1.2)
| OID | Description | Message |
|---|---|---|
| 1.3.6.1.4.1.7660.50.1.2.1 | User password changed | User 'ENTRY0@ENTRY1(ENTRY2)' has changed his password. |
| 1.3.6.1.4.1.7660.50.1.2.2 | User added | User 'ENTRY0@ENTRY1(ENTRY2)' added. |
| 1.3.6.1.4.1.7660.50.1.2.3 | User updated | User 'ENTRY0@ENTRY1(ENTRY2)' updated. |
| 1.3.6.1.4.1.7660.50.1.2.4 | User deleted | User 'ENTRY0@ENTRY1(ENTRY2)' deleted. |
| 1.3.6.1.4.1.7660.50.1.2.5 | "Quick Send" recipient deleted | "Quick Send" recipient 'ENTRY0(ENTRY1)' deleted. |
| 1.3.6.1.4.1.7660.50.1.2.6 | User account locked | User account 'ENTRY0@ENTRY1(ENTRY2)' locked. |
| 1.3.6.1.4.1.7660.50.1.2.7 | User account unlocked | User account 'ENTRY0@ENTRY1(ENTRY2)' unlocked. |
| 1.3.6.1.4.1.7660.50.1.2.8 | User account temporarily locked | User account 'ENTRY0@ENTRY1(ENTRY2)' is temporarily locked. |
| 1.3.6.1.4.1.7660.50.1.2.9 | Lost Password | Lost password requested by user 'ENTRY0@ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.2.10 | Password Reset | Password reset for user 'ENTRY0@ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.2.11 | Access token added | Access token 'ENTRY0(ENTRY1)' added for user 'ENTRY2@ENTRY3(ENTRY4)'. |
| 1.3.6.1.4.1.7660.50.1.2.12 | Access token deleted | Access token 'ENTRY0(ENTRY1)' deleted for user 'ENTRY2@ENTRY3(ENTRY4)'. |
| 1.3.6.1.4.1.7660.50.1.2.13 | MFA (TOTP) enrollment started | MFA (TOTP) enrollment started for user 'ENTRY0@ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.2.14 | MFA (TOTP) added | MFA (TOTP) added for user 'ENTRY0@ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.2.15 | MFA (TOTP) deleted | MFA (TOTP) deleted for user 'ENTRY0@ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.2.16 | SSH key added | SSH key added for user 'ENTRY0@ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.2.17 | SSH key updated | SSH key updated for user 'ENTRY0@ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.2.18 | SSH key deleted | SSH key deleted for user 'ENTRY0@ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.2.19 | Role updated | User 'ENTRY0@ENTRY1(ENTRY2)' role has been updated (ENTRY3 -> ENTRY4). |
Community (1.3.6.1.4.1.7660.50.1.3)
| OID | Description | Message |
|---|---|---|
| 1.3.6.1.4.1.7660.50.1.3.1 | Community added | Community 'ENTRY0(ENTRY1)' added. |
| 1.3.6.1.4.1.7660.50.1.3.2 | Community updated | Community 'ENTRY0(ENTRY1)' updated. |
| 1.3.6.1.4.1.7660.50.1.3.3 | Community deleted | Community 'ENTRY0(ENTRY1)' deleted. |
| 1.3.6.1.4.1.7660.50.1.3.4 | User assigned to community | Assign member 'ENTRY0(ENTRY1)' to Community 'ENTRY2(ENTRY3)'. |
| 1.3.6.1.4.1.7660.50.1.3.5 | User unassigned from community | Member 'ENTRY0(ENTRY1)' has been unassigned from Community 'ENTRY2(ENTRY3)'. |
| 1.3.6.1.4.1.7660.50.1.3.6 | Group assigned to community | Assign group 'ENTRY0(ENTRY1)' to Community 'ENTRY2'. |
| 1.3.6.1.4.1.7660.50.1.3.7 | Group unassigned from community | User group 'ENTRY0(ENTRY1)' has been unassigned from Community 'ENTRY2(ENTRY3)'. |
| 1.3.6.1.4.1.7660.50.1.3.8 | User role updated to community member | Set user 'ENTRY0(ENTRY1)' as a member of the Community 'ENTRY2(ENTRY3)'. |
| 1.3.6.1.4.1.7660.50.1.3.9 | User role updated to community administrator | Set user 'ENTRY0(ENTRY1)' as an administrator of the Community 'ENTRY2(ENTRY3)'. |
Group (1.3.6.1.4.1.7660.50.1.4)
| OID | Description | Message |
|---|---|---|
| 1.3.6.1.4.1.7660.50.1.4.1 | Group added | User group 'ENTRY0(ENTRY1)' added. |
| 1.3.6.1.4.1.7660.50.1.4.2 | Group updated | User group 'ENTRY0(ENTRY1)' updated. |
| 1.3.6.1.4.1.7660.50.1.4.3 | Group deleted | User group 'ENTRY0(ENTRY1)' deleted. |
| 1.3.6.1.4.1.7660.50.1.4.4 | User assigned to group | Member 'ENTRY0(ENTRY1)' has been assigned to User group 'ENTRY2(ENTRY3)'. |
| 1.3.6.1.4.1.7660.50.1.4.5 | User unassigned from group | Member 'ENTRY0(ENTRY1)' has been unassigned from User group 'ENTRY2(ENTRY3)'. |
| 1.3.6.1.4.1.7660.50.1.4.6 | User role updated to group member | Set user 'ENTRY0(ENTRY1)' as a member of the User group 'ENTRY2(ENTRY3)'. |
| 1.3.6.1.4.1.7660.50.1.4.7 | User role updated to group administrator | Set user 'ENTRY0(ENTRY1)' as an administrator of the User group 'ENTRY2(ENTRY3)'. |
| 1.3.6.1.4.1.7660.50.1.4.8 | Password policy (user) assigned to group | Password policy (user) 'ENTRY0(ENTRY1)' has been assigned to User group 'ENTRY2(ENTRY3)'. |
| 1.3.6.1.4.1.7660.50.1.4.9 | Password policy (quick send) assigned to group | Password policy (quick send) 'ENTRY0(ENTRY1)' has been assigned to User group 'ENTRY2(ENTRY3)'. |
| 1.3.6.1.4.1.7660.50.1.4.10 | Password policy (user) unassigned from group | Password policy (user) 'ENTRY0(ENTRY1)' has been unassigned from User group 'ENTRY2(ENTRY3)'. |
| 1.3.6.1.4.1.7660.50.1.4.11 | Password policy (quick send) unassigned from group | Password policy (quick send) 'ENTRY0(ENTRY1)' has been unassigned from User group 'ENTRY2(ENTRY3)'. |
File Transfer (1.3.6.1.4.1.7660.50.1.5)
| OID | Description | Message |
|---|---|---|
| 1.3.6.1.4.1.7660.50.1.5.1 | File uploaded | File 'ENTRY0' (ENTRY1 bytes) has been successfully uploaded. |
| 1.3.6.1.4.1.7660.50.1.5.2 | File downloaded | File 'ENTRY0' (ENTRY1 bytes) has been successfully downloaded. |
| 1.3.6.1.4.1.7660.50.1.5.3 | File deleted | File 'ENTRY0' (ENTRY1 bytes) has been successfully deleted. |
| 1.3.6.1.4.1.7660.50.1.5.4 | Folder deleted | Folder 'ENTRY0' has been successfully deleted. |
| 1.3.6.1.4.1.7660.50.1.5.5 | File/Folder moved | File/Folder 'ENTRY0' has been successfully moved or renamed to 'ENTRY1'. |
| 1.3.6.1.4.1.7660.50.1.5.6 | Folder created | Folder 'ENTRY0' has been successfully created. |
Extension (1.3.6.1.4.1.7660.50.1.6)
| OID | Description | Message |
|---|---|---|
| 1.3.6.1.4.1.7660.50.1.6.1 | Extension added | Extension 'ENTRY0' added. |
| 1.3.6.1.4.1.7660.50.1.6.2 | Extension updated | Extension 'ENTRY0' updated. |
| 1.3.6.1.4.1.7660.50.1.6.3 | Extension deleted | Extension 'ENTRY0' deleted. |
| 1.3.6.1.4.1.7660.50.1.6.4 | Extension assigned to a user | Extension 'ENTRY0' assigned to the user 'ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.6.5 | Extension assigned to a user group | Extension 'ENTRY0' assigned to the user group 'ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.6.6 | Extension assigned to a community | Extension 'ENTRY0' assigned to the community 'ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.6.7 | Extension assigned to the application | Extension 'ENTRY0' assigned to the application. |
| 1.3.6.1.4.1.7660.50.1.6.8 | Extension unassigned from a user | Extension 'ENTRY0' unassigned from the user 'ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.6.9 | Extension unassigned from a user group | Extension 'ENTRY0' unassigned from the user group 'ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.6.10 | Extension unassigned from a community | Extension 'ENTRY0' has been unassigned from the community 'ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.6.11 | Extension unassigned from the application | Extension 'ENTRY0' has been unassigned from the application. |
| 1.3.6.1.4.1.7660.50.1.6.12 | User extension updated | Update extension 'ENTRY0' of the user 'ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.6.13 | User group extension updated | Update extension 'ENTRY0' of the user group 'ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.6.14 | Community extension updated | Update extension 'ENTRY0' of the community 'ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.6.15 | Application extension updated | Update extension 'ENTRY0' of the application. |
Authorization (1.3.6.1.4.1.7660.50.1.7)
| OID | Description | Message |
|---|---|---|
| 1.3.6.1.4.1.7660.50.1.7.1 | Authorization error | Authorization error for token 'ENTRY0'. |
Component startup (1.3.6.1.4.1.7660.50.1.8)
| OID | Description | Message |
|---|---|---|
| 1.3.6.1.4.1.7660.50.1.8.1 | Server started | Server 'ENTRY0' started. |
| 1.3.6.1.4.1.7660.50.1.8.2 | Server stopped | Server 'ENTRY0' stopped. |
| 1.3.6.1.4.1.7660.50.1.8.3 | Gateway started | Gateway 'ENTRY0' started. |
| 1.3.6.1.4.1.7660.50.1.8.4 | Gateway stopped | Gateway 'ENTRY0' stopped. |
| 1.3.6.1.4.1.7660.50.1.8.5 | Gateway keys renewal | Gateway keys renewal 'ENTRY0'. |
| 1.3.6.1.4.1.7660.50.1.8.6 | Web Client keys renewal | Web Client keys renewal 'ENTRY0'. |
| 1.3.6.1.4.1.7660.50.1.8.7 | Update license | Update license 'ENTRY0'. |
| 1.3.6.1.4.1.7660.50.1.8.8 | Reset instance password | Reset instance password 'ENTRY0'. |
| 1.3.6.1.4.1.7660.50.1.8.9 | Domain information updated | Domain 'ENTRY0(ENTRY1)' has been updated to 'ENTRY2(ENTRY3)' |
| 1.3.6.1.4.1.7660.50.1.8.10 | Entity keys created | Keys (ENTRY0) created for entity 'ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.8.11 | Entity keys deleted | Keys (ENTRY0) deleted for entity 'ENTRY1(ENTRY2)'. |
| 1.3.6.1.4.1.7660.50.1.8.12 | File re-encrypted | File 'ENTRY0' (UUID=ENTRY1) has been re-encrypted. |
Batch process (1.3.6.1.4.1.7660.50.1.9)
| OID | Description | Message |
|---|---|---|
| 1.3.6.1.4.1.7660.50.1.9.1 | Batch process started | Batch process 'ENTRY0' started. |
| 1.3.6.1.4.1.7660.50.1.9.2 | Batch process stopped | Batch process 'ENTRY0' stopped. |
Integrity Check (1.3.6.1.4.1.7660.50.1.10)
| OID | Description | Message |
|---|---|---|
| 1.3.6.1.4.1.7660.50.1.10.1 | Integrity check succeed | Integrity check succeeded. |
| 1.3.6.1.4.1.7660.50.1.10.2 | Integrity check failed | Integrity check failed. |
System Event Audit (1.3.6.1.4.1.7660.50.1.11)
| OID | Description | Message |
|---|---|---|
| 1.3.6.1.4.1.7660.50.1.11.1 | Event auditing enabled | Event 'ENTRY0' auditing is enabled. |
| 1.3.6.1.4.1.7660.50.1.11.2 | Event auditing disabled | Event 'ENTRY0' auditing is disabled. |
Task (1.3.6.1.4.1.7660.50.1.12)
| OID | Description | Message |
|---|---|---|
| 1.3.6.1.4.1.7660.50.1.12.1 | Task failed | Task 'ENTRY0' failed. A backup of the task has been kept in the TASKFAILED table (id=ENTRY1). |
Template (1.3.6.1.4.1.7660.50.1.13)
| OID | Description | Message |
|---|---|---|
| 1.3.6.1.4.1.7660.50.1.13.1 | Template added | Template 'ENTRY0(ENTRY1)' added. |
| 1.3.6.1.4.1.7660.50.1.13.2 | Template updated | Template 'ENTRY0(ENTRY1)' updated. |
| 1.3.6.1.4.1.7660.50.1.13.3 | Template deleted | Template 'ENTRY0(ENTRY1)' deleted. |
Password Policy (1.3.6.1.4.1.7660.50.1.14)
| OID | Description | Message |
|---|---|---|
| 1.3.6.1.4.1.7660.50.1.14.1 | Password policy added | Password policy 'ENTRY0(ENTRY1)' added. |
| 1.3.6.1.4.1.7660.50.1.14.2 | Password policy updated | Password policy 'ENTRY0(ENTRY1)' updated. |
| 1.3.6.1.4.1.7660.50.1.14.3 | Password policy deleted | Password policy 'ENTRY0(ENTRY1)' deleted. |
Surveillance use case examples
This section describes a few example use cases that can be configured in a SIEM system around S-Filer audits.
| Use Case | OID | Message | Details |
|---|---|---|---|
| Brute force password | 1.3.6.1.4.1.7660.50.1.1.2 | Login failed for 'ENTRY0' at domain 'ENTRY1'. Reason: ENTRY2 | Aggregate entries in a time frame by user account |
| Password Spray | 1.3.6.1.4.1.7660.50.1.1.2 | Login failed for 'ENTRY0' at domain 'ENTRY1'. Reason: ENTRY2 | Aggregate entries in a time frame |
| Audit deactivation | 1.3.6.1.4.1.7660.50.1.11.2 | Event 'ENTRY0' auditing is disabled. | As soon as entry is detected |
| Data exfiltration | 1.3.6.1.4.1.7660.50.1.5.2 | File 'ENTRY0' (ENTRY1 bytes) has been successfully downloaded. | Anomaly detection with respect to normal usage globally or per user |
| Mass deletion | 1.3.6.1.4.1.7660.50.1.5.3 | File 'ENTRY0' (ENTRY1 bytes) has been successfully deleted. | Anomaly detection with respect to normal usage globally |
| Suspicious activity | 1.3.6.1.4.1.7660.50.1.7.1 | Authorization error for token 'ENTRY0'. | Aggregate entries in a time frame by user account |
These cases relate to specific communities or groups.
| Cas | OID | Message | Détails |
|---|---|---|---|
| Access granted to a sensitive community | 1.3.6.1.4.1.7660.50.1.3.4 | Assign member 'ENTRY0(ENTRY1)' to Community 'ENTRY2(ENTRY3)'. | As soon as entry is detected |
| Access granted to a sensitive group | 1.3.6.1.4.1.7660.50.1.4.4 | Member 'ENTRY0(ENTRY1)' has been assigned to User group 'ENTRY2(ENTRY3)'. | As soon as entry is detected |