Event Logs
Overview
The Event Logs dashboard contains detailed data on specific events for your tenant. Events can be filtered by username, event type, and by date.
To access your event logs dashboard, follow these steps:
- Navigate to your AdminX tenant and log in as a community administrator or help desk admin.
- Click on the Reports icon, located on the left-hand menu, and select Event Logs.
-
To view information for a specific event, click the event you wish to examine. The details of the event logs page are displayed.
-
After examining the details, click Show Details to view detailed information regarding the event.
Viewing Aliases Used for Authentication
You can use the Show Details section under Reports > Event Logs dashboard on the AdminX interface to view the details of the aliases used for authentication.
User Activity
All user activity can be tracked and reviewed through event logs. The following event names are used to classify different categories of event data. Tenant details are recorded as part of each event log.
E_LOGIN_SUCCEEDED
The E_LOGIN_SUCCEEDED
event is created when a user successfully logs in to their account and records the following account information:
- First and last name
- User directory source
- BlockID mobile application version
- Browser user agent
- Device details, including OS and model
- 2FA method used to log in
- User location information
E_LOGIN_FAILED
The E_LOGIN_FAILED
event is created when a user attempts to log in to their account but fails. It captures user account information and the reason why the login attempt failed.
Onboarding Activity
User onboarding activity can tracked and reviewed in the event logs.
E_USER_INVITED
The E_USER_INVITED
event is created when a user is invited to a tenant. The event captures which email address the invitation was sent to and which user account created the invitation.
E_USER_ONBOARDED
The E_USER_ONBOARDED
event captures information about the user that was onboarded to the tenant and details about the device the user linked to their account.
Authentication Activity
All user authentication activity is captured and is trackable through event logs.
E_ACCOUNT_LOCKED
The E_ACCOUNT_LOCKED
event is created when a user account is locked and therefore unable to login. The log will also record the time the account was locked, and the reason the account was locked.
Note: The E_ACCOUNT_LOCKED
event only records account lockouts due to exceeding the maximum number of incorrect OTP attempts.
Event Details Captured
tenant_id
community_id
username
initiatedby
lockedAt
reason
reasonCode
message
E_ACCOUNT_UNLOCKED
The E_ACCOUNT_UNLOCKED
event is created when a user account is unlocked and account access is restored.
Note: The E_ACCOUNT_UNLOCKED
event only records account resoration when the lockout was due to exceeding the maximum number of incorrect OTP attempts.
Event Details Captured
tenant_id
community_id
username
initiatedby
lockedAt
reason
reasonCode
message
E_DEVICE_DELINKED
The E_DEVICE_DELINKED
event is created when a user removes and delinks a mobile device as an authentication method from their account.
Event Details Captured
tenant_id
community_id
username
actor
auth_device_application_id
auth_device_did
auth_device_id
auth_device_longitude
auth_device_latitude
auth_device_name
initiatedby
user_id
E_PWDRESET_FAILED
The E_PWDRESET_FAILED
event is created when a requested password reset fails or is unauthorized.
Event Details Captured
tenant_id
community_id
username
directory_id
directory_type
directory_name
failure_reason
E_PWDRESET_SUCCEEDED
The E_PWDRESET_SUCCEEDED
captures successful password reset requests.
Event Details Captured
tenant_id
community_id
username
directory_id
directory_type
directory_name
Event Details Captured
tenant_id
community_id
username
E_PUSH_REQUESTED
The E_PUSH_REQUESTED
event is created when a user requests to log in via a push notification. It records user account details, as well as the time the push notification was requested.
E_OTP_GENERATED
The E_OTP_GENERATED
event captures the time an OTP was generated, user details, and which email or phone the OTP was sent to.
E_OTP_LOCKED
The E_OTP_LOCKED
event is created when a user has entered an incorrect OTP the maximum number of times allowed, resulting in a temporary account lockout.
E_OTP_REQUESTED
The E_OTP_REQUESTED
event captures which user requested an OTP, what time the OTP was requested, and which email or phone the user is requesting the OTP be sent to.
E_OTP_VERIFIED
The E_OTP_VERIFIED
event captures information about the outcome of an OTP verification, including the time.
E_SP_REDIRECT_SUCCEEDED
The E_SP_REDIRECT_SUCCEEDED
event provides information about users when they log into an SSO application. The event also captures the authentication method used to login and additional information about the user's device.
Event Details Captured
event_id
event_ts
version
journey_id
session_id
client_ip_address
caller_user_agent
user_id
user_status
user_email
user_firstname
user_lastname
source_user_directory
source_user_directory_name
caller_ip
tenant_dns
auth_method
auth_device_os
auth_device_name
auth_device_app_name
auth_device_app_version
auth_device_ip_address
auth_device_latitude
auth_device_longitude
sp_type
sp_name
sp_id
tenant_id
community_id
type
eventName
timestamp
epoch_time
- reports_producer_time
E_AUTH_REQUEST_DENIED
The E_AUTH_REQUEST_DENIED
event is triggered when the user clicks the Cancel Sign In button on the Consent screen.
Event Details Captured
authenticator_id
authenticator_name
authenticator_os
authenticator_version
device_id
event_name
license_hash
network_info
person_id
person_publickey
sender
sender_version
status
type
user_agent
user_id
origin
api
authPage
community
communityId
Authentication Policy
Whenever an authentication policy for your tenant is checked, the event and the outcome are logged.
E_AUTHPOLICY_CHECKED
The E_AUTHPOLICY_CHECKED
event provides information on an evaluated authentication policy. The event log records if access was granted, denied, or if additional step-up authentication was required.
Event Details Captured
type
event_id
ip
person_publickey
requestid
rule_id
decision
caller_user_agent
url
country
region
eventName
timestamp
epoch_time
tenant_id
community_id
reports_producer_time
Identity Verification
Identity verification activity events, such as uploading identity documents, are captured and logged.
E_DOCUMENT_ENROLLED
The E_DOCUMENT_ENROLLED
event provides information about enrolled identity documents. We currently track the enrollment of passports, driver's licenses or state IDs, social security numbers, and LiveID. No personally identifiable information is captured.
Event Details Captured
type
tenant_name
community_name
username
email
timestamp
document_type
live_id
ip_address
user_agent
document_id
transaction_id
event_id
eventName
epoch_time
tenant_id
community_id
E_DOCUMENT_UNENROLLED
The E_DOCUMENT_UNENROLLED
event is created when an identity document has been removed from a user's identity wallet. The event records the document type, and user's corresponding IAL level as a result of the document.
Event Details Captured
tenantid
communityid
username
did
document_id
document_type
ial
E_USER_CONSENT
The E_USER_CONSENT
event records that user consent has been granted, and details about the items consent has been granted for.
Event Details Captured
tenantid
communityid
username
relying_party
wallet_did
wallet_publickey
document_ids
scopes
Administrator Activity
Administrator activity is captured and can be tracked through the event logs. The following event names are used to classify activities that require administrator access to the tenant.
Tenant details are recorded as part of each event log.
In the individual event details, Administrator activity contains the AUDIT_LOG
event category and can be distinguished from user events by looking for this tag.
E_BROKER_DISCONNECTED
The E_BROKER_DISCONNECTED
event captures details of a broker experiencing connection issues, or a broker that has been manually disconnected. Details about the user directory linked to the broker and information about when the broker connection was last active
are also recorded.
Event Details Captured
tenantid
communityid
username
license_hash
software_version
broker_id
broker_name
broker_version
broker_last_seen
reason
connected
auth_module_name
E_ROLE_CHANGED
The E_ROLE_CHANGED
event is triggered whenever an administrator changes the role of a user within the system. This event is crucial for auditing and tracking role modifications in the system..
Event Details Captured
username
initiatedby
role_changed_from
role_changed_to
timestamp
epoch_time
E_DIRECTORY_ADDED
The E_DIRECTORY_ADDED
event is created when a new directory is added to the tenant. It captures the directory details, including the directory name and type for the following activities:
- When a new AD directory is created using the AD Broker
- When a new LDAP directory is created using the LDAP Broker
- When a new Direct LDAP directory is created
- When a new Azure AD directory is created
Event Details Captured
-
timestamp
-
tenantid
-
communityid
-
username
-
connection_ip_address
-
connection_useragent
-
directory_id
-
directory_name
-
directory_type
E_DIRECTORY_MODIFIED
The E_DIRECTORY_MODIFIED
event is created when any directory settings are modified and contains which specific settings changed.
Event Details Captured
timestamp
tenantid
communityid
username
connection_ip_address
connection_useragent
directory_id
directory_name
old_directory_name
new_directory_name
old_server_protocol_type
new_server_protocol_type
E_DIRECTORY_REMOVED
The E_DIRECTORY_REMOVED
event is created when a directory is deleted and contains details about the deleted directory.
Event Details Captured
timestamp
tenantid
communityid
username
connection_ip_address
connection_useragent
directory_id
directory_name
E_DIRECTORY_BROKER_ENABLED
The E_DIRECTORY_BROKER_ENABLED
event is created when a user enables an AD or LDAP Broker. It contains directory details, as well as the linked broker name and the time the broker was last detected.
Event Details Captured
timestamp
tenantid
communityid
username
connection_ip_address
connection_useragent
directory_id
directory_name
broker_name
broker_client_id
last_seen_at
E_DIRECTORY_BROKER_DISABLED
The E_DIRECTORY_BROKER_DISABLED
event is created when an administrator disables a directory broker and contains information about the directory and broker affected.
Event Details Captured
timestamp
tenantid
communityid
username
connection_ip_address
connection_useragent
directory_id
directory_name
broker_name
broker_client_id
last_seen_at
E_DIRECTORY_BROKER_DELETED
The E_DIRECTORY_BROKER_DELETED
event is created when an administrator deletes a directory broker and contains information about the directory and broker affected.
Event Details Captured
timestamp
tenantid
communityid
username
connection_ip_address
connection_useragent
directory_id
directory_name
broker_name
broker_client_id
last_seen_at
E_DIRECTORY_BROKER_MODIFIED
The E_DIRECTORY_BROKER_MODIFIED
event is created when an administrator renames a directory broker and contains information about the directory and broker affected.
Event Details Captured
timestamp
tenantid
communityid
username
connection_ip_address
connection_useragent
directory_id
directory_name
broker_name
broker_client_id
last_seen_at
E_DIRECTORY_ATTRIBUTE_ADDED
The E_DIRECTORY_ATTRIBUTE_ADDED
event is created when a directory attribute is added to a directory and contains details about the directory and the added directory attribute.
Event Details Captured
timestamp
tenantid
communityid
username
connection_ip_address
connection_useragent
directory_id
directory_name
attribute_name
directory_attribute_name
E_DIRECTORY_ATTRIBUTE_MODIFIED
The E_DIRECTORY_ATTRIBUTE_MODIFIED
event is created when a directory attribute is modified for a directory and contains details about the directory and modified directory attribute. The event details capture the old and new directory attribute names for the modified items.
Event Details Captured
timestamp
tenantid
communityid
username
connection_ip_address
connection_useragent
directory_id
directory_name
old_attribute_name
new_attribute_name
old_directory_attribute_name
new_directory_attribute_name
E_DIRECTORY_ATTRIBUTE_DELETED
The E_DIRECTORY_ATTRIBUTE_DELETED
event is created when a directory attribute is deleted for a directory and contains details about the directory and the deleted attribute.
Event Details Captured
timestamp
tenantid
communityid
username
connection_ip_address
connection_useragent
directory_id
directory_name
attribute_name
directory_attribute_name
E_DIRECTORY_ADVANCED_CONFIGURATION_MODIFIED
The E_DIRECTORY_ADVANCED_CONFIGURATION_MODIFIED
is created when an administrator modifies the advanced configuration section of a directory is modified. It records information about the directory, details about which configuration options were modified, and details about the old and new configurations. For example, if the password policy is modified, the log will record the old and new password policies.
Event Details Captured
timestamp
tenantid
communityid
username
connection_ip_address
connection_useragent
directory_id
directory_name
old_login_using_smartcard <boolean>
new_login_using_smartcard: <boolean>
old_scep_service_url
new_scep_service_url
old_enrollment_challenge_url
new_enrollment_challenge_url
old_allow_password_reset: <boolean>
new_allow_password_reset: <boolean>
old_password_policy
new_password_polcy
old_kerberos_sso: <boolean>
new_kerberos_sso: <boolean>
E_IDP_CONFIGURATION_MODIFIED
The E_IDP_CONFIGURATION_MODIFIED
event is created when the IdP configuration is changed on the tenant. The log will capture details about the settings changed, as well as details about the old and new configurations.
Event Details Captured
tenantid
communityid
username
connection_ip_address
connection_useragent
old_idp_name
new_idp_name
old_authentication_request
new_authentication_request
old_key_size
new_key_size
old_algorithm
new_algorithm
old_service_url_signon_endpoint
new_service_url_signon_endpoint
old_service_url_logout_endpoint
new_service_url_logout_endpoint
Reporting Activity
E_REPORT_REQUESTED
The E_REPORT_REQUESTED
event is created when an Administrator requests to generate and download report of tenant activity.
Event Details Captured
tenantid
communityid
username
number_of_records
event_id
filters_used
E_REPORT_GENERATED
The E_REPORT_GENERATED
event is created when an requested report has been generated and is ready to download.
Event Details Captured
tenantid
communityid
username
number_of_records
event_id
filters_used