The Syslog server logs events that occur on the Unified Access Gateway appliance. These events are captured in log files that have a specific format. To help you understand some of the information captured when the events are generated, this topic lists the events, event samples, and the syslog formats.
Syslog Format
Syslog audit events are logged in the audit.log and syslog events are logged in the admin.log and esmanager.log files. All log files follow a certain format.
The following tables list the log files, their respective formats, and field descriptions:
Note: The generated events follow the log format; however, the events might contain only some of the fields present in the format.
Log File |
Log Format |
|
<timestamp> <UAG hostname> <app name> <thread id> <log level> <file name> <function name> <line no.> <log message>
|
esmanager.log |
<timestamp> <UAG hostname> <app name> <thread id> <log level> <file name> <function name> <line no.> <client IP> <username> <session type> <session id> <log message> |
Field |
Description |
<timestamp> |
Indicates the time at which the event was generated and logged in the syslog server. |
<UAG hostname> |
Hostname of the Unified Access Gateway appliance. |
<appname> |
Application that generates the event.
Note: Depending on the log file, the values of this field are as follows:
UAG-AUDIT ,
UAG-ADMIN , and
UAG-ESMANAGER .
|
<thread id> |
ID of the thread in which the event gets generated. |
<log level> |
Type of information collected in the log message. For more information about logging levels, see Collecting Logs from the Unified Access Gateway Appliance. |
<file name> |
Name of the file from which the log is generated. |
<function name> |
Name of the function in that file from which the log is generated. |
<line no.> |
Line number of the log in the file. |
<client IP> |
IP Address of the component (such as Horizon Client, load balancer, and so on) that sends a request to Unified Access Gateway appliance. |
<session type> |
Edge service (such as Horizon and Web Reverse Proxy) for which the session is created.
If the session is for Web Reverse Proxy, the session type is mentioned as WRP-
<instanceId>.
Note:
<instanceId> is the instance ID of the Web Reverse Proxy edge service.
|
<session id> |
Unique identifier of the session. |
<log message> |
Provides a summary about what has occurred in the event. |
Syslog Audit Events
The following table describes the audit events with examples:
Event Description |
Event Sample |
Events are logged when an admin logs into the Unified Access Gateway Admin UI, performs configuration changes within the Admin UI, logs out of the Admin UI, and at login failure. |
- Sep 8 08:50:04 UAG Name UAG-AUDIT: [qtp1062181581-73]INFO utils.SyslogAuditManager[logAuditLog: 418] - LOGIN_SUCCESS: SOURCE_IP_ADDR=Client_Machine_IP_Address USERNAME=admin
- Sep 8 08:50:13 UAG Name UAG-AUDIT: [qtp1062181581-79]INFO utils.SyslogAuditManager[logAuditLog: 418] - LOGOUT_SUCCESS: SOURCE_IP_ADDR=Client_Machine_IP_Address USERNAME=admin
- Sep 8 08:50:13 tunneltest UAG-AUDIT: [qtp1901824111-61]INFO utils.SyslogAuditManager[logAuditLog: 452] - LOGIN_FAILED: SOURCE_IP_ADDR=Client_Machine_IP_Address USERNAME=admin: REASON=Incorrect Password. 2 attempts are remaining.
- Sep 8 08:52:24 UAG Name UAG-AUDIT: [qtp1062181581-80]INFO utils.SyslogAuditManager[logAuditLog: 418] - CONFIG_CHANGE: SOURCE_IP_ADDR=Client_Machine_IP_Address USERNAME=admin: CHANGE=allowedHostHeaderValues:(null->) - tlsSyslogServerSettings:(null->[]) - dns:(null->) - sshPublicKeys:(null->[]) - ntpServers:( - null->) - adminPasswordExpirationDays:(90->50) - dnsSearch:(null->) - fallBackNtpServers:(null->) -
- Sep 8 07:32:01 UAG Name UAG-ADMIN: [qtp1062181581-27]INFO utils.SyslogManager[save: 57] - SETTINGS:CONFIG_CHANGED:allowedHostHeaderValues:(null->) - tlsSyslogServerSettings:(null->[]) - dns:(null->) - sessionTimeout:(9223372036854775807->36000000) - sshPublicKeys:(null->[]) - ntpServers:(null->) - dnsSearch:(null->) - fallBackNtpServers:(null->) -
|
Syslog Events
The following table describes the system events with examples:
Event Description |
Event Sample |
An event is logged when any of the edge services configured within the Unified Access Gateway are started and stopped accordingly. |
In the following event samples, UAG Name is the option which is configured as part of Unified Access Gateway's System Configuration in the Admin UI:
- Sep 9 05:36:55 UAG Name UAG-ESMANAGER: [Curator-QueueBuilder-0]INFO utils.SyslogManager[start: 355][][][][] - Edge Service Manager : started
- Sep 9 05:36:54 UAG Name UAG-ESMANAGER: [Curator-QueueBuilder-0]INFO utils.SyslogManager[stop: 1071][][][][] - Edge Service Manager : stopped
|
Events are logged when the Web Reverse Proxy settings are enabled or disabled on the Unified Access Gateway Admin UI. |
- Sep 8 09:34:52 UAG Name UAG-ESMANAGER: [main-EventThread]INFO utils.SyslogManager[stopService: 287][][][][] - Reverse Proxy Edge Service with instance id 'wiki' : stopped
- Sep 8 12:08:18 UAG Name UAG-ESMANAGER: [main-EventThread]INFO utils.SyslogManager[startService: 211][][][][] - Reverse Proxy Edge Service with instance id 'wiki' : started
|
Events are logged when the Horizon edge service settings are enabled or disabled on the Unified Access Gateway Admin UI. |
- Sep 8 09:15:21 UAG Name UAG-ESMANAGER: [main-EventThread]INFO utils.SyslogManager[startService: 335][][][][] - Horizon Edge Service : started
- Sep 8 09:15:07 UAG Name UAG-ESMANAGER: [main-EventThread]INFO utils.SyslogManager[stopService: 702][][][][] - Horizon Edge Service : stopped
|
Events are logged when a Horizon session is established which constitutes of session creation, user login, user authentication, desktop start, and session termination. |
While multiple events are logged through the flow, sample events include login scenarios, user authentication success and failure scenarios, and authentication timeout. In one of the samples, Horizon has been configured with the RADIUS authentication method:
- Sep 8 07:28:46 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[write: 163][Client_Machine_IP_Address][][][5a0b-***-7cfa] - Created session : 5a0b-***-7cfa
- Sep 8 07:28:51 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[putUserNameInMDC: 494][Client_Machine_IP_Address][testradius][Horizon][5a0b-***-7cfa] - UAG sessionId:5a0b-***-7cfa username:testradius
- Sep 8 07:28:51 UAG Name UAG-ESMANAGER: [jersey-client-async-executor-1]INFO utils.SyslogManager[logMessage: 190][Client_Machine_IP_Address][testradius][Horizon][5a0b-***-7cfa] - Authentication successful for user testradius. Auth type: RADIUS-AUTH, Sub type: passcode
- Sep 8 07:28:52 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[processDocument: 110][Client_Machine_IP_Address][testradius][Horizon][5a0b-***-7cfa] - Authentication attempt response - partial
- Sep 8 07:29:02 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[putUserNameInMDC: 494][Client_Machine_IP_Address][user name][Horizon][5a0b-***-7cfa] - UAG sessionId:5a0b-***-7cfa username:user name
- Sep 8 07:29:02 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[processXmlString: 190][Client_Machine_IP_Address][user name][Horizon][5a0b-***-7cfa] - Authentication attempt - LOGIN initiated
- Sep 8 07:29:03 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[processDocument: 110][Client_Machine_IP_Address][user name][Horizon][5a0b-***-7cfa] - Authentication attempt response - ok
- Sep 8 07:29:03 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[setAuthenticated: 384][Client_Machine_IP_Address][user name][Horizon][5a0b-***-7cfa] - HORIZON_SESSION:AUTHENTICATED:Horizon session authenticated - Session count:9, Authenticated sessions: 2
- Sep 8 07:29:04 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-41-1]INFO utils.SyslogManager[onSuccess: 109][Client_Machine_IP_Address][user name][Horizon][5a0b-***-7cfa] - Horizon Tunnel connection established
- Sep 8 07:29:16 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[resolveHostName: 234][Client_Machine_IP_Address][user name][Horizon][5a0b-***-7cfa] - Accessing virtual/rdsh desktop using protocol BLAST with IP Address IP_Address
- Sep 8 07:29:16 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-42-1]INFO utils.SyslogManager[onSuccess: 293][Client_Machine_IP_Address][user name][Horizon][5a0b-***-7cfa] - BSG route 5504-***-2905 with auth token Ob6NP-***-aEEqK added
- Sep 8 07:29:55 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[terminateSession: 450][Client_Machine_IP_Address][user name][Horizon][5a0b-***-7cfa] - HORIZON_SESSION:TERMINATED:Horizon Session terminated due to logout - Session count:9, Authenticated sessions: 2
|
Secure Email Gateway
Secure Email Gateway is configured to follow the Syslog configurations which is configured as part of Unified Access Gateway System Settings. By default, only the contents of app.log in Secure Email Gateway is triggered as Syslog events.
For more information about the Syslog configurations, see Configure Unified Access Gateway System Settings.
VMware Tunnel
For more information, see Access Logs and Syslog Integration and Configure VMware Tunnel in the VMware Workspace ONE UEM Product Documentation at VMware Docs.