Security Audit Events

The security audit events are divided into Columns, Services, Modules, Status, and Events according to where they originate.

The following sections list and describe the different event types; the overview is also available in the JavaDoc of the API.

Note that since EJBCA is built around the CESeCore project, both EventTypes and EjbcaEventTypes in the API documentation need to be considered to view all the event types EJBCA can generate.

An example of how such an event looks in the server log when using the Log4jDevice is the event logged when the application starts:

... INFO  [Log4jDevice] 2015-03-20 12:47:51+01:00;EJBCA_STARTING;SUCCESS;SERVICE;EJBCA;StartServicesServlet.init;;hostname;;msg=Init, EJBCA 6.7.0 Enterprise (r25420) startup.

and the same kind of event using the IntegrityProtectedDevice, which writes the log entry to the database:

mysql> select * from AuditRecordData where eventType='EJBCA_STARTING' ... \G
               pk: 24861ebf7f00010106e5a024d82c694d

additionalDetails: ...  Init, EJBCA 6.7.0 Enterprise (r25420) startup.  ...
        authToken: StartServicesServlet.init
         customId: NULL
      eventStatus: SUCCESS
        eventType: EJBCA_STARTING
           module: SERVICE
           nodeId: hostname
    rowProtection: 1:2:123:4d2f6...
       rowVersion: 0
    searchDetail1: hostname
    searchDetail2: NULL
   sequenceNumber: 17640195
          service: EJBCA
        timeStamp: 1426205614754

This should be interpreted as follows:

  • Service is EJBCA (not shown in the Admin GUI): the event originates from the part of the application that is not part of the core shared with other products.
  • Module is SERVICE: this event was generated from a module in EJBCA that is responsible for background services.
  • Status (named "Outcome" in the Admin GUI) is SUCCESS: in the context of this event, it means that no errors were detected during the EJBCA startup.
  • Event is EJBCA_STARTING: the application EJBCA is starting up.
  • AdditionalDetails is an event-specific message with additional information, in this case telling us the version of EJBCA that was started.
  • AuthToken identifies that the event was generated by the internal module StartServicesServlet.
  • NodeId is the EJBCA node, in this case hostname, that generated the event.
  • SearchDetail1 is an additional message, in this case the hostname (same as NodeId) that EJBCA was started on.
  • TimeStamp is the time, in milliseconds since epoch, the event occurred.
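
The Log4jDevice line and the AuditRecordData row above carry the same fields, so a log collector can split the line into the same named columns and triage on them. The following is an added example, not EJBCA code: the field order (timestamp;eventType;status;module;service;authToken;customId;searchDetail1;searchDetail2;additionalDetails) is inferred from the two sample lines in this documentation and should be checked against the Log4jDevice source of the version in use, and the watch-list of event types and the extra sample lines are constructed for the example.

```python
import re

# Field order assumed from the two sample lines in this documentation;
# verify against the Log4jDevice source of the EJBCA version in use.
FIELDS = ("timeStamp", "eventType", "eventStatus", "module", "service",
          "authToken", "customId", "searchDetail1", "searchDetail2",
          "additionalDetails")

# Constructed watch-list: event types that touch the audit trail, key
# material or privileges. Adapt to local policy.
HIGH_INTEREST = {"LOG_DELETE", "LOG_MANAGEMENT_CHANGE", "CA_EXPORTTOKEN",
                 "CRYPTOTOKEN_DELETE_ENTRY", "KEYRECOVERY_SENT",
                 "HARDTOKEN_VIEWEDPUK", "ROLE_ACCESS_USER_ADDITION"}

# Strip the appender prefix ("... INFO  [Log4jDevice] ") if it is present.
_PREFIX = re.compile(r"^.*?\[Log4jDevice\]\s+")


def parse_audit_line(line):
    """Split one audit line into a dict keyed by FIELDS. additionalDetails
    is the last field and may itself contain ';', so the split is capped;
    its key=value pairs are returned under 'details'."""
    body = _PREFIX.sub("", line.strip())
    parts = body.split(";", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    ev = dict(zip(FIELDS, parts))
    details = {}
    for item in ev["additionalDetails"].split(";"):
        key, sep, value = item.partition("=")
        if sep:
            details[key.strip()] = value.strip()
    ev["details"] = details
    return ev


def triage(lines):
    """Return (eventType, authToken, reason) for lines a reviewer should see:
    any FAILURE outcome, and any event type on the watch-list."""
    findings = []
    for line in lines:
        ev = parse_audit_line(line)
        if ev["eventStatus"] == "FAILURE":
            findings.append((ev["eventType"], ev["authToken"], "failed operation"))
        elif ev["eventType"] in HIGH_INTEREST:
            findings.append((ev["eventType"], ev["authToken"], "high-interest event"))
    return findings


# Constructed sample: the first line is the startup line from this page,
# the other two are made up for the example.
SAMPLE = [
    "2015-03-20 12:47:51+01:00;EJBCA_STARTING;SUCCESS;SERVICE;EJBCA;StartServicesServlet.init;;hostname;;msg=Init, EJBCA 6.7.0 Enterprise (r25420) startup.",
    "2015-03-20 13:02:10+01:00;AUTHENTICATION;FAILURE;AUTHENTICATION;CORE;CN=unknown,O=Example;;;;msg=Authentication failed",
    "2015-03-20 13:05:44+01:00;LOG_DELETE;SUCCESS;SECURITY_AUDIT;CORE;CN=SuperAdmin,O=Example;;;;msg=Audit log records deleted",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```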

Columns

The following table describes the log column names and maps them to the display names used in the Admin GUI.

| Column Name | Description | Admin UI Display Name |
|---|---|---|
| Service | The service an event originates from, EJBCA or CORE. | (not shown) |
| Module | The module an event was generated from. | Module |
| Status | SUCCESS or FAILURE. | Outcome |
| Event | The audit log event that occurred. | Event |
| AdditionalDetails | Event-specific message with additional information. | Details |
| AuthToken | Identifies the administrator, or internal module, that caused the event. | Administrator |
| NodeId | Identifies the EJBCA instance (which server in a cluster) that the event occurred on. | Node |
| CustomId | Identifier used in log messages, commonly the certificate authority an event was related to. | Certificate Authority |
| searchDetail1 | Detail used in log messages, commonly the serial number of the certificate an event was related to. | Certificate |
| searchDetail2 | Detail used in log messages, commonly the username an event was related to. | Username |
| timeStamp | The time, in milliseconds since epoch, the event occurred. | Time |

Services

Service can be one of EJBCA or CORE. Both are part of the EJBCA application, but events with service CORE originate from CESeCore, a component that contains functions also shared with other products. The two services map to the event type sections below.

This is not important from an audit perspective, but is useful information for an understanding of the logging format.

| Service | Event |
|---|---|
| CORE | CESeCore Events |
| EJBCA | EJBCA Events |

Modules

One component of a Security Audit Log record is the Module. The Module identifies the internal module of EJBCA where the event happened and can be useful for categorizing events.

Modules are also documented in the source code in ModuleTypes.java and EjbcaModuleTypes.java.

| Module | Description |
|---|---|
| ACCESSCONTROL | Access control module |
| AUTHENTICATION | Authentication module |
| CA | Certificate Authority module |
| CERTIFICATE | Certificate issuance and handling module |
| CERTIFICATEPROFILE | Certificate profile module |
| CRL | Certificate Revocation List issuance and handling module |
| CRYPTOTOKEN | Crypto Token module |
| BLACKLIST | Blacklist module |
| VALIDATOR | Validator module |
| ROLES | Administrator role management module |
| SECURITY_AUDIT | Security event audit log module |
| INTERNALKEYBINDING | Internal Key Binding module |
| GLOBALCONF | Module for system settings stored in the database |
| RA | Registration Authority module |
| HARDTOKEN | (Client) hardware token management module |
| KEYRECOVERY | Key recovery module |
| APPROVAL | Approval module |
| APPROVAL_PROFILE | Approval Profiles module |
| PUBLISHER | Publisher module |
| SERVICE | EJBCA background service module |
| CUSTOM | External logging module |
| ADMINWEB | Administrative web GUI module |

Status

The outcome of an event can be one of the following.

Status is also documented in the source code in EventStatus.java.

| Status | Description |
|---|---|
| FAILURE | Operation failed |
| SUCCESS | Operation succeeded |
| VOID | Operation completed without a defined result |

Events

Security Events are divided into two parts. The logical separation is that the CESeCore Events are PKI core events needed for Common Criteria certified operations, and they are kept in a core module that is reused across several PrimeKey products. We keep the same separation in the documentation for simplicity.

Example Log File Event

The EJBCA startup log event looks like this in the application server log file:

2017-03-25 07:26:04+01:00;EJBCA_STARTING;SUCCESS;SERVICE;EJBCA;Application internal;;hostname;;msg=Init, EJBCA 6.7.0 Enterprise (r25420) startup.

CESeCore Events

CESeCore event types are also documented in the source code in EventTypes.java.

| Event Type | Description |
|---|---|
| ACCESS_CONTROL | Authorization check to resource of authenticated entity |
| AUTHENTICATION | Authentication check of an entity |
| CA_CREATION | Creation of a Certificate Authority |
| CA_DELETION | Removal of a Certificate Authority |
| CA_RENAMING | Internal application name change of a Certificate Authority. Unrelated to the Certificate Authority's Subject Distinguished Name |
| CA_EDITING | Modification of a Certificate Authority |
| CA_KEYACTIVATE | Certificate Authority starts using a different key pair |
| CA_KEYGEN | Generation of a new key pair that can be used by the Certificate Authority during renewal or update |
| CA_SERVICEACTIVATE | Certificate Authority state change to start serving requests. Unrelated to CA private key availability |
| CA_SERVICEDEACTIVATE | Certificate Authority state change to stop serving requests. Unrelated to CA private key availability |
| CERT_STORED | Persistence of a certificate to the database |
| CERT_REVOKED | Change of a certificate's status to revoked or active |
| CERT_CHANGEDSTATUS | Change of a certificate's status to unassigned, inactive, active, notified about expiration, revoked or archived |
| CERT_REQUEST | A request for certificate issuance from a Certificate Authority is submitted |
| CERT_CREATION | Issuance of a certificate by a Certificate Authority |
| CERT_CTPRECERT_SUBMISSION | Certificate Transparency log servers respond to a pre-certificate submission from a Certificate Authority |
| CERTPROFILE_CREATION | Creation of a certificate profile |
| CERTPROFILE_DELETION | Removal of a certificate profile |
| CERTPROFILE_RENAMING | Name change of a certificate profile |
| CERTPROFILE_EDITING | Modification of a certificate profile |
| CRL_STORED | Persistence of a Certificate Revocation List to the database |
| CRL_CREATION | Issuance of a Certificate Revocation List by a Certificate Authority |
| CRYPTOTOKEN_CREATE | Creation of a Crypto Token |
| CRYPTOTOKEN_EDIT | Modification of a Crypto Token |
| CRYPTOTOKEN_DELETION | Removal of a Crypto Token |
| CRYPTOTOKEN_ACTIVATION | Activation of a Crypto Token, making the key material available for use by the application |
| CRYPTOTOKEN_DEACTIVATION | Deactivation of a Crypto Token, making the key material unavailable for use by the application |
| CRYPTOTOKEN_REACTIVATION | Attempted reactivation of a Crypto Token. Since this occurs automatically, it may fail |
| CRYPTOTOKEN_DELETE_ENTRY | Removal of a key pair from the Crypto Token key material, or of a key pair place-holder from the Crypto Token object |
| CRYPTOTOKEN_GEN_KEYPAIR | Generation of a new key pair in the Crypto Token |
| CRYPTOTOKEN_UPDATEPIN | Modification of the Crypto Token's auto-activation PIN. For soft key stores, this also implies changes of the protection of the key material |
| BLACKLIST_CHANGE | Modification of an existing blacklist |
| BLACKLIST_CREATION | Creation of a new blacklist |
| BLACKLIST_REMOVAL | Removal of an existing blacklist |
| VALIDATOR_CHANGE | Modification of an existing validator |
| VALIDATOR_CREATION | Creation of a new validator |
| VALIDATOR_REMOVAL | Removal of an existing validator |
| VALIDATOR_RENAME | Name change of an existing validator |
| VALIDATOR_VALIDATION_FAILED | Validation failed event |
| LOG_DELETE | Removal of persisted audit log records |
| LOG_EXPORT | Export of audit log records |
| LOG_MANAGEMENT_CHANGE | Change of protection settings for audit log records |
| LOG_VERIFY | Verification of existing audit log records |
| ROLE_CREATION | Creation of an administrative role |
| ROLE_DELETION | Removal of an administrative role |
| ROLE_RENAMING | Name change of an administrative role |
| ROLE_ACCESS_RULE_ADDITION | New access rules added to an administrative role |
| ROLE_ACCESS_RULE_CHANGE | Modification of existing access rules in an administrative role |
| ROLE_ACCESS_RULE_DELETION | Removal of existing access rules from an administrative role |
| ROLE_ACCESS_USER_ADDITION | New administrator added to an administrative role |
| ROLE_ACCESS_USER_CHANGE | Change of an existing administrator in an administrative role |
| ROLE_ACCESS_USER_DELETION | Removal of an existing administrator from an administrative role |
| SYSTEMCONF_CREATE | Creation of new system settings stored in the database |
| SYSTEMCONF_EDIT | Modification of existing system settings stored in the database |
| INTERNALKEYBINDING_CREATE | Creation of a new Internal Key Binding |
| INTERNALKEYBINDING_EDIT | Modification of an existing Internal Key Binding |
| INTERNALKEYBINDING_DELETE | Removal of an existing Internal Key Binding |

EJBCA Events

EJBCA event types are also documented in the source code in EjbcaEventTypes.java.

| Event Type | Description |
|---|---|
| ADMINWEB_ADMINISTRATORLOGGEDIN | An administrator logs in to EJBCA's Administrative Web GUI |
| APPROVAL_ADD | Action that requires approval by one or more administrators is requested |
| APPROVAL_APPROVE | Action that requires approval was approved by one of the required administrator(s) |
| APPROVAL_EDIT | Approval request was edited |
| APPROVAL_REJECT | Action that requires approval was rejected by one of the required administrator(s) |
| APPROVAL_EXTEND | Expiration date of an approval request was extended by an administrator |
| APPROVAL_PROFILE_ADD | Adding an approval profile |
| APPROVAL_PROFILE_EDIT | Editing an approval profile |
| APPROVAL_PROFILE_REMOVE | Removing an approval profile |
| APPROVAL_PROFILE_RENAME | Renaming an approval profile |
| CA_EXPORTTOKEN | Export of a Certificate Authority's (soft) Crypto Token |
| CA_EXTENDEDSERVICE | Execution of one of the Certificate Authority's extended services |
| CA_IMPORT | Creation of a Certificate Authority using an existing soft key store |
| CA_REMOVETOKEN | Removal of a Certificate Authority's (soft) Crypto Token |
| CA_RENEWED | Renewal of a Certificate Authority's certificate, optionally using a different key pair |
| CA_ROLLEDOVER | Roll over of a Certificate Authority's certificate chain and key |
| CA_RESTORETOKEN | Restoration of a Certificate Authority's previously removed (soft) Crypto Token |
| CA_REVOKED | Revocation of a Certificate Authority and all certificates issued by it |
| CA_SIGNREQUEST | Certificate Authority signs (attests) a provided certificate signing request |
| CA_SIGNCMS | Certificate Authority signs (attests) a CMS / PKCS#7 |
| CA_USERAUTH | End entity authenticates using enrollment code |
| CA_VALIDITY | Certificate Authority's signing certificate is not valid yet or not valid any longer |
| CUSTOMLOG_ERROR | Log entry with log level error supplied from an external source |
| CUSTOMLOG_INFO | Log entry with log level info supplied from an external source |
| EJBCA_STARTING | Application startup |
| HARDTOKEN_ADD | Creation of a new (client) hardware token representation |
| HARDTOKEN_ADDCERTMAP | Creation of a link from a (client) hardware token representation to a certificate |
| HARDTOKEN_ADDISSUER | Creation of a new issuer for (client) hardware tokens |
| HARDTOKEN_ADDPROFILE | Creation of a new template for (client) hardware tokens |
| HARDTOKEN_EDIT | Modification of an existing (client) hardware token representation |
| HARDTOKEN_EDITISSUER | Modification or name change of an existing issuer for (client) hardware tokens |
| HARDTOKEN_EDITPROFILE | Modification or name change of an existing template for (client) hardware tokens |
| HARDTOKEN_GENERATE | Outcome of provisioning of a (client) hardware token reported by an external card management system |
| HARDTOKEN_REMOVE | Removal of an existing (client) hardware token representation |
| HARDTOKEN_REMOVECERTMAP | Removal of a link from a (client) hardware token representation to a certificate |
| HARDTOKEN_REMOVEISSUER | Removal of an existing issuer for (client) hardware tokens |
| HARDTOKEN_REMOVEPROFILE | Removal of an existing template for (client) hardware tokens |
| HARDTOKEN_VIEWED | Administrator views the content of a (client) hardware token representation |
| HARDTOKEN_VIEWEDPUK | Administrator views the PUK code of a (client) hardware token representation |
| KEYRECOVERY_ADDDATA | Persistence of encrypted key material and meta data that can be used for recovering a server-side generated client key pair |
| KEYRECOVERY_EDITDATA | Modification of encrypted key material and meta data that can be used for recovering a server-side generated client key pair |
| KEYRECOVERY_MARKED | Change of status of meta data for encrypted key material to allow extraction of a server-side generated client key pair |
| KEYRECOVERY_REMOVEDATA | Removal of specific or all encrypted key material and meta data that can be used for recovering a server-side generated client key pair |
| KEYRECOVERY_SENT | Extraction of key material of a server-side generated client key pair |
| PUBLISHER_CHANGE | Modification of an existing publisher |
| PUBLISHER_CREATION | Creation of a new publisher |
| PUBLISHER_REMOVAL | Removal of an existing publisher |
| PUBLISHER_RENAME | Name change of an existing publisher |
| PUBLISHER_STORE_CERTIFICATE | Publishing of a certificate and/or related certificate meta data |
| PUBLISHER_STORE_CRL | Publishing of a Certificate Revocation List and related meta data |
| RA_ADDADMINPREF | Creation of new settings for an administrator |
| RA_ADDEEPROFILE | Creation of a new end entity profile |
| RA_ADDENDENTITY | Creation of a new end entity |
| RA_DEFAULTADMINPREF | Modification of default settings for administrators |
| RA_DELETEENDENTITY | Removal of an end entity |
| RA_EDITADMINPREF | Modification of existing settings for an administrator |
| RA_EDITEEPROFILE | Modification of an existing end entity profile |
| RA_EDITENDENTITY | Modification of an existing end entity |
| RA_REMOVEEEPROFILE | Removal of an existing end entity profile |
| RA_RENAMEEEPROFILE | Name change of an existing end entity profile |
| RA_REVOKEDENDENTITY | Change of status of an existing end entity and all the end entity's certificates to revoked |
| RA_USERDATASOURCEADD | Creation of a new user data source |
| RA_USERDATASOURCEEDIT | Modification of an existing user data source |
| RA_USERDATASOURCEFETCHDATA | Retrieval of data through an existing user data source |
| RA_USERDATASOURCEREMOVE | Removal of an existing user data source |
| RA_USERDATASOURCEREMOVEDATA | Request for removal of data through an existing user data source |
| RA_USERDATASOURCERENAME | Name change of an existing user data source |
| REVOKE_UNREVOKEPUBLISH | Publishing of a certificate and/or related certificate meta data when a certificate is activated after being on hold |
| SERVICE_ADD | Creation of a new EJBCA background service |
| SERVICE_EDIT | Modification of an existing EJBCA background service |
| SERVICE_REMOVE | Removal of an existing EJBCA background service |
| SERVICE_RENAME | Name change of an existing EJBCA background service |