Event Logs

Overview

The Event Logs dashboard contains detailed data on specific events for your tenant. Events can be filtered by username, event type, and by date.

To access your event logs dashboard, follow these steps:

  1. Navigate to your AdminX tenant and log in as a community administrator or help desk admin.
  2. Click on the Reports icon, located on the left-hand menu, and select Event Logs.
  3. To view information for a specific event, click the event you wish to examine. The details of the event logs page are displayed.
  4. After examining the details, click Show Details to view detailed information regarding the event.

Viewing Aliases Used for Authentication

You can use the Show Details section under Reports > Event Logs dashboard on the AdminX interface to view the details of the aliases used for authentication.

User Activity

All user activity can be tracked and reviewed through event logs. The following event names are used to classify different categories of event data. Tenant details are recorded as part of each event log.

E_LOGIN_SUCCEEDED

The E_LOGIN_SUCCEEDED event is created when a user successfully logs in to their account and records the following account information:

  • First and last name
  • Email
  • User directory source
  • BlockID mobile application version
  • Browser user agent
  • Device details, including OS and model
  • 2FA method used to log in
  • User location information

E_LOGIN_FAILED

The E_LOGIN_FAILED event is created when a user attempts to log in to their account but fails. It captures user account information and the reason why the login attempt failed.

Onboarding Activity

User onboarding activity can be tracked and reviewed in the event logs.

E_USER_INVITED

The E_USER_INVITED event is created when a user is invited to a tenant. The event captures which email address the invitation was sent to and which user account created the invitation.

E_USER_ONBOARDED

The E_USER_ONBOARDED event captures information about the user that was onboarded to the tenant and details about the device the user linked to their account.

Authentication Activity

All user authentication activity is captured and is trackable through event logs.

E_ACCOUNT_LOCKED

The E_ACCOUNT_LOCKED event is created when a user account is locked and the user is therefore unable to log in. The log also records the time the account was locked and the reason it was locked.

Note: The E_ACCOUNT_LOCKED event only records account lockouts due to exceeding the maximum number of incorrect OTP attempts.

Event Details Captured

  • tenant_id
  • community_id
  • username
  • initiatedby
  • lockedAt
  • reason
  • reasonCode
  • message

E_ACCOUNT_UNLOCKED

The E_ACCOUNT_UNLOCKED event is created when a user account is unlocked and account access is restored.

Note: The E_ACCOUNT_UNLOCKED event only records account restoration when the lockout was due to exceeding the maximum number of incorrect OTP attempts.

Event Details Captured

  • tenant_id
  • community_id
  • username
  • initiatedby
  • lockedAt
  • reason
  • reasonCode
  • message
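
As an added example (not part of the product or its documentation), the following sketch replays E_ACCOUNT_LOCKED and E_ACCOUNT_UNLOCKED events to find accounts with repeated OTP lockouts inside a time window and accounts that are still locked. It assumes events are exported as flat objects keyed by the field names above, with an `eventName` key and an ISO 8601 `lockedAt` value; the helper names and sample data are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse_ts(value):
    # Assumption: lockedAt is an ISO 8601 string; the page does not state its format.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def otp_lockout_report(events, threshold=2, window_hours=24):
    """Return ({username: most lockouts in any window}, [usernames still locked])."""
    window = timedelta(hours=window_hours)
    locks = defaultdict(list)  # account -> lockedAt times
    still_locked = set()
    for ev in events:  # assumed to be in chronological order
        account = (ev.get("tenant_id"), ev.get("community_id"), ev.get("username"))
        if ev.get("eventName") == "E_ACCOUNT_LOCKED":
            locks[account].append(parse_ts(ev["lockedAt"]))
            still_locked.add(account)
        elif ev.get("eventName") == "E_ACCOUNT_UNLOCKED":
            still_locked.discard(account)
    repeated = {}
    for account, times in locks.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):  # sliding window over sorted lock times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            repeated[account[2]] = best
    return repeated, sorted(a[2] for a in still_locked)

def _ev(name, user, locked_at):  # builds one constructed sample event
    return {"eventName": name, "tenant_id": "t-1", "community_id": "c-1",
            "username": user, "initiatedby": "helpdesk@example.com",
            "lockedAt": locked_at, "reason": "constructed sample"}

LOCK_EVENTS = [  # constructed sample data, not real tenant output
    _ev("E_ACCOUNT_LOCKED", "alice@example.com", "2024-05-01T09:00:00Z"),
    _ev("E_ACCOUNT_UNLOCKED", "alice@example.com", "2024-05-01T09:00:00Z"),
    _ev("E_ACCOUNT_LOCKED", "alice@example.com", "2024-05-01T15:30:00Z"),
    _ev("E_ACCOUNT_LOCKED", "bob@example.com", "2024-05-02T08:00:00Z"),
    _ev("E_ACCOUNT_UNLOCKED", "bob@example.com", "2024-05-02T08:00:00Z"),
]

if __name__ == "__main__":
    print(otp_lockout_report(LOCK_EVENTS))
```

Because both events record only OTP-related lockouts, a high count here points specifically at repeated incorrect OTP entry against one account.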

E_DEVICE_DELINKED

The E_DEVICE_DELINKED event is created when a user removes and delinks a mobile device as an authentication method from their account.

Event Details Captured

  • tenant_id
  • community_id
  • username
  • actor
  • auth_device_application_id
  • auth_device_did
  • auth_device_id
  • auth_device_longitude
  • auth_device_latitude
  • auth_device_name
  • initiatedby
  • user_id

E_PWDRESET_FAILED

The E_PWDRESET_FAILED event is created when a requested password reset fails or is unauthorized.

Event Details Captured

  • tenant_id
  • community_id
  • username
  • directory_id
  • directory_type
  • directory_name
  • failure_reason

E_PWDRESET_SUCCEEDED

The E_PWDRESET_SUCCEEDED event captures successful password reset requests.

Event Details Captured

  • tenant_id
  • community_id
  • username
  • directory_id
  • directory_type
  • directory_name

Event Details Captured

  • tenant_id
  • community_id
  • username

E_PUSH_REQUESTED

The E_PUSH_REQUESTED event is created when a user requests to log in via a push notification. It records user account details, as well as the time the push notification was requested.

E_OTP_GENERATED

The E_OTP_GENERATED event captures the time an OTP was generated, user details, and which email or phone the OTP was sent to.

E_OTP_LOCKED

The E_OTP_LOCKED event is created when a user has entered an incorrect OTP the maximum number of times allowed, resulting in a temporary account lockout.

E_OTP_REQUESTED

The E_OTP_REQUESTED event captures which user requested an OTP, what time the OTP was requested, and which email or phone the user is requesting the OTP be sent to.

E_OTP_VERIFIED

The E_OTP_VERIFIED event captures information about the outcome of an OTP verification, including the time.

E_SP_REDIRECT_SUCCEEDED

The E_SP_REDIRECT_SUCCEEDED event provides information about users when they log in to an SSO application. The event also captures the authentication method used to log in and additional information about the user's device.

Event Details Captured

  • event_id
  • event_ts
  • version
  • journey_id
  • session_id
  • client_ip_address
  • caller_user_agent
  • user_id
  • user_status
  • user_email
  • user_firstname
  • user_lastname
  • source_user_directory
  • source_user_directory_name
  • caller_ip
  • tenant_dns
  • auth_method
  • auth_device_os
  • auth_device_name
  • auth_device_app_name
  • auth_device_app_version
  • auth_device_ip_address
  • auth_device_latitude
  • auth_device_longitude
  • sp_type
  • sp_name
  • sp_id
  • tenant_id
  • community_id
  • type
  • eventName
  • timestamp
  • epoch_time
  • reports_producer_time

E_AUTH_REQUEST_DENIED

The E_AUTH_REQUEST_DENIED event is triggered when the user clicks the Cancel Sign In button on the Consent screen.

Event Details Captured

  • authenticator_id
  • authenticator_name
  • authenticator_os
  • authenticator_version
  • device_id
  • event_name
  • license_hash
  • network_info
  • person_id
  • person_publickey
  • sender
  • sender_version
  • status
  • type
  • user_agent
  • user_id
  • origin
  • api
  • authPage
  • community
  • communityId

Authentication Policy

Whenever an authentication policy for your tenant is checked, the event and the outcome are logged.

E_AUTHPOLICY_CHECKED

The E_AUTHPOLICY_CHECKED event provides information on an evaluated authentication policy. The event log records if access was granted, denied, or if additional step-up authentication was required.

Event Details Captured

  • type
  • event_id
  • ip
  • person_publickey
  • requestid
  • rule_id
  • decision
  • caller_user_agent
  • url
  • country
  • region
  • eventName
  • timestamp
  • epoch_time
  • tenant_id
  • community_id
  • reports_producer_time

Identity Verification

Identity verification activity events, such as uploading identity documents, are captured and logged.

E_DOCUMENT_ENROLLED

The E_DOCUMENT_ENROLLED event provides information about enrolled identity documents. We currently track the enrollment of passports, driver's licenses or state IDs, social security numbers, and LiveID. No personally identifiable information is captured.

Event Details Captured

  • type
  • tenant_name
  • community_name
  • username
  • email
  • timestamp
  • document_type
  • live_id
  • ip_address
  • user_agent
  • document_id
  • transaction_id
  • event_id
  • eventName
  • epoch_time
  • tenant_id
  • community_id

E_DOCUMENT_UNENROLLED

The E_DOCUMENT_UNENROLLED event is created when an identity document has been removed from a user's identity wallet. The event records the document type and the user's corresponding IAL level as a result of the document.

Event Details Captured

  • tenantid
  • communityid
  • username
  • did
  • document_id
  • document_type
  • ial

E_USER_CONSENT

The E_USER_CONSENT event records that user consent has been granted, and details about the items consent has been granted for.

Event Details Captured

  • tenantid
  • communityid
  • username
  • relying_party
  • wallet_did
  • wallet_publickey
  • document_ids
  • scopes

Administrator Activity

Administrator activity is captured and can be tracked through the event logs. The following event names are used to classify activities that require administrator access to the tenant.

Tenant details are recorded as part of each event log.

In the individual event details, Administrator activity contains the AUDIT_LOG event category and can be distinguished from user events by looking for this tag.

E_BROKER_DISCONNECTED

The E_BROKER_DISCONNECTED event captures details of a broker experiencing connection issues, or a broker that has been manually disconnected. Details about the user directory linked to the broker and information about when the broker connection was last active are also recorded.

Event Details Captured

  • tenantid
  • communityid
  • username
  • license_hash
  • software_version
  • broker_id
  • broker_name
  • broker_version
  • broker_last_seen
  • reason
  • connected
  • auth_module_name

E_ROLE_CHANGED

The E_ROLE_CHANGED event is triggered whenever an administrator changes the role of a user within the system. This event is crucial for auditing and tracking role modifications in the system.

Event Details Captured

  • username
  • initiatedby
  • role_changed_from
  • role_changed_to
  • timestamp
  • epoch_time

E_DIRECTORY_ADDED

The E_DIRECTORY_ADDED event is created when a new directory is added to the tenant. It captures the directory details, including the directory name and type for the following activities:

  • When a new AD directory is created using the AD Broker
  • When a new LDAP directory is created using the LDAP Broker
  • When a new Direct LDAP directory is created
  • When a new Azure AD directory is created

Event Details Captured

  • timestamp
  • tenantid
  • communityid
  • username
  • connection_ip_address
  • connection_useragent
  • directory_id
  • directory_name
  • directory_type

E_DIRECTORY_MODIFIED

The E_DIRECTORY_MODIFIED event is created when any directory settings are modified and contains which specific settings changed.

Event Details Captured

  • timestamp
  • tenantid
  • communityid
  • username
  • connection_ip_address
  • connection_useragent
  • directory_id
  • directory_name
  • old_directory_name
  • new_directory_name
  • old_server_protocol_type
  • new_server_protocol_type

E_DIRECTORY_REMOVED

The E_DIRECTORY_REMOVED event is created when a directory is deleted and contains details about the deleted directory.

Event Details Captured

  • timestamp
  • tenantid
  • communityid
  • username
  • connection_ip_address
  • connection_useragent
  • directory_id
  • directory_name

E_DIRECTORY_BROKER_ENABLED

The E_DIRECTORY_BROKER_ENABLED event is created when a user enables an AD or LDAP Broker. It contains directory details, as well as the linked broker name and the time the broker was last detected.

Event Details Captured

  • timestamp
  • tenantid
  • communityid
  • username
  • connection_ip_address
  • connection_useragent
  • directory_id
  • directory_name
  • broker_name
  • broker_client_id
  • last_seen_at

E_DIRECTORY_BROKER_DISABLED

The E_DIRECTORY_BROKER_DISABLED event is created when an administrator disables a directory broker and contains information about the directory and broker affected.

Event Details Captured

  • timestamp
  • tenantid
  • communityid
  • username
  • connection_ip_address
  • connection_useragent
  • directory_id
  • directory_name
  • broker_name
  • broker_client_id
  • last_seen_at

E_DIRECTORY_BROKER_DELETED

The E_DIRECTORY_BROKER_DELETED event is created when an administrator deletes a directory broker and contains information about the directory and broker affected.

Event Details Captured

  • timestamp
  • tenantid
  • communityid
  • username
  • connection_ip_address
  • connection_useragent
  • directory_id
  • directory_name
  • broker_name
  • broker_client_id
  • last_seen_at

E_DIRECTORY_BROKER_MODIFIED

The E_DIRECTORY_BROKER_MODIFIED event is created when an administrator renames a directory broker and contains information about the directory and broker affected.

Event Details Captured

  • timestamp
  • tenantid
  • communityid
  • username
  • connection_ip_address
  • connection_useragent
  • directory_id
  • directory_name
  • broker_name
  • broker_client_id
  • last_seen_at

E_DIRECTORY_ATTRIBUTE_ADDED

The E_DIRECTORY_ATTRIBUTE_ADDED event is created when a directory attribute is added to a directory and contains details about the directory and the added directory attribute.

Event Details Captured

  • timestamp
  • tenantid
  • communityid
  • username
  • connection_ip_address
  • connection_useragent
  • directory_id
  • directory_name
  • attribute_name
  • directory_attribute_name

E_DIRECTORY_ATTRIBUTE_MODIFIED

The E_DIRECTORY_ATTRIBUTE_MODIFIED event is created when a directory attribute is modified for a directory and contains details about the directory and modified directory attribute. The event details capture the old and new directory attribute names for the modified items.

Event Details Captured

  • timestamp
  • tenantid
  • communityid
  • username
  • connection_ip_address
  • connection_useragent
  • directory_id
  • directory_name
  • old_attribute_name
  • new_attribute_name
  • old_directory_attribute_name
  • new_directory_attribute_name

E_DIRECTORY_ATTRIBUTE_DELETED

The E_DIRECTORY_ATTRIBUTE_DELETED event is created when a directory attribute is deleted for a directory and contains details about the directory and the deleted attribute.

Event Details Captured

  • timestamp
  • tenantid
  • communityid
  • username
  • connection_ip_address
  • connection_useragent
  • directory_id
  • directory_name
  • attribute_name
  • directory_attribute_name

E_DIRECTORY_ADVANCED_CONFIGURATION_MODIFIED

The E_DIRECTORY_ADVANCED_CONFIGURATION_MODIFIED event is created when an administrator modifies the advanced configuration section of a directory. It records information about the directory, details about which configuration options were modified, and details about the old and new configurations. For example, if the password policy is modified, the log will record the old and new password policies.

Event Details Captured

  • timestamp
  • tenantid
  • communityid
  • username
  • connection_ip_address
  • connection_useragent
  • directory_id
  • directory_name
  • old_login_using_smartcard: <boolean>
  • new_login_using_smartcard: <boolean>
  • old_scep_service_url
  • new_scep_service_url
  • old_enrollment_challenge_url
  • new_enrollment_challenge_url
  • old_allow_password_reset: <boolean>
  • new_allow_password_reset: <boolean>
  • old_password_policy
  • new_password_policy
  • old_kerberos_sso: <boolean>
  • new_kerberos_sso: <boolean>

E_IDP_CONFIGURATION_MODIFIED

The E_IDP_CONFIGURATION_MODIFIED event is created when the IdP configuration is changed on the tenant. The log will capture details about the settings changed, as well as details about the old and new configurations.

Event Details Captured

  • tenantid
  • communityid
  • username
  • connection_ip_address
  • connection_useragent
  • old_idp_name
  • new_idp_name
  • old_authentication_request
  • new_authentication_request
  • old_key_size
  • new_key_size
  • old_algorithm
  • new_algorithm
  • old_service_url_signon_endpoint
  • new_service_url_signon_endpoint
  • old_service_url_logout_endpoint
  • new_service_url_logout_endpoint
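
As an added example (not part of the product or its documentation), the following sketch reviews the configuration-change events above by comparing each `old_`/`new_` field pair and annotating changes that weaken or redirect authentication. It generalizes to any event that uses the old/new naming, and assumes events are exported as flat objects keyed by the field names on this page, with an `eventName` key and a numeric key size; the function names and sample data are constructed.

```python
# Assumption: events are flat JSON-style objects keyed by the field names on
# this page, with an "eventName" key identifying the event.
WATCHED = {
    "E_DIRECTORY_MODIFIED",
    "E_DIRECTORY_ATTRIBUTE_MODIFIED",
    "E_DIRECTORY_ADVANCED_CONFIGURATION_MODIFIED",
    "E_IDP_CONFIGURATION_MODIFIED",
}

def changed_settings(event):
    """Return {setting: (old, new)} for each old_/new_ pair whose values differ."""
    changes = {}
    for key, old in event.items():
        if key.startswith("old_"):
            name = key[len("old_"):]
            if "new_" + name in event and event["new_" + name] != old:
                changes[name] = (old, event["new_" + name])
    return changes

def review(event):
    """Return one finding per changed setting, annotating risky changes."""
    if event.get("eventName") not in WATCHED:
        return []
    findings = []
    for name, (old, new) in sorted(changed_settings(event).items()):
        note = "changed"
        if name == "key_size" and int(new) < int(old):
            note = "key size reduced"
        elif name == "login_using_smartcard" and old is True and new is False:
            note = "smartcard login disabled"
        elif name.startswith("service_url_"):
            note = "IdP endpoint repointed"
        findings.append(f"{event.get('username')}: {name} {old!r} -> {new!r} ({note})")
    return findings

CONFIG_EVENTS = [  # constructed sample data, not real tenant output
    {"eventName": "E_IDP_CONFIGURATION_MODIFIED", "username": "admin@example.com",
     "old_key_size": 2048, "new_key_size": 1024,
     "old_algorithm": "RSA-SHA256", "new_algorithm": "RSA-SHA256",
     "old_service_url_signon_endpoint": "https://idp.example.com/sso",
     "new_service_url_signon_endpoint": "https://idp.example.net/sso"},
    {"eventName": "E_DIRECTORY_ADVANCED_CONFIGURATION_MODIFIED",
     "username": "admin@example.com", "directory_name": "corp-ad",
     "old_login_using_smartcard": True, "new_login_using_smartcard": False,
     "old_allow_password_reset": False, "new_allow_password_reset": False},
]

if __name__ == "__main__":
    for ev in CONFIG_EVENTS:
        print("\n".join(review(ev)))
```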

Reporting Activity

E_REPORT_REQUESTED

The E_REPORT_REQUESTED event is created when an administrator requests to generate and download a report of tenant activity.

Event Details Captured

  • tenantid
  • communityid
  • username
  • number_of_records
  • event_id
  • filters_used

E_REPORT_GENERATED

The E_REPORT_GENERATED event is created when a requested report has been generated and is ready to download.

Event Details Captured

  • tenantid
  • communityid
  • username
  • number_of_records
  • event_id
  • filters_used