The Syslog server logs events that occur on the Unified Access Gateway appliance. These events are captured in log files that have a specific format. To help you understand some of the information captured when the events are generated, this topic lists the events, event samples, and the syslog formats.
Syslog Format
Syslog audit events are logged in the audit.log and syslog events are logged in the admin.log and esmanager.log files. All log files follow a certain format.
The following tables list the log files (
audit.log,
admin.log, and
esmanager.log), their respective formats, and field descriptions:
Note: The generated events follow the log format; however, the events might contain only some of the fields present in the format.
Log File |
Log Format |
|
<timestamp> <UAG hostname> <app name> <thread id> <log level> <file name> <function name> <line no.> <log message>
|
esmanager.log |
<timestamp> <UAG hostname> <app name> <thread id> <log level> <file name> <function name> <line no.> <client IP> <username> <session type> <session id> <log message> |
Field |
Description |
<timestamp> |
Indicates the time at which the event was generated and logged in the syslog server. |
<UAG hostname> |
Hostname of the Unified Access Gateway appliance. |
<appname> |
Application that generates the event.
Note: Depending on the log file, the values of this field are as follows:
UAG-AUDIT ,
UAG-ADMIN , and
UAG-ESMANAGER .
|
<thread id> |
ID of the thread in which the event gets generated. |
<log level> |
Type of information collected in the log message. For more information about logging levels, see Collecting Logs from the Unified Access Gateway Appliance. |
<file name> |
Name of the file from which the log is generated. |
<function name> |
Name of the function in that file from which the log is generated. |
<line no.> |
Line number in the file where the log event is generated. |
<client IP> |
IP Address of the component (such as Horizon Client, load balancer, and so on) that sends a request to Unified Access Gateway appliance. |
<session type> |
Edge service (such as Horizon and Web Reverse Proxy) for which the session is created.
If the session is for Web Reverse Proxy, the session type is mentioned as WRP-
<instanceId>.
Note:
<instanceId> is the instance ID of the Web Reverse Proxy edge service.
|
<session id> |
Unique identifier of the session. |
<log message> |
Provides a summary about what has occurred in the event. |
Syslog Audit Events
The following table describes the audit events with examples:
Event Description |
Event Sample |
Events are logged when an admin logs into the Unified Access Gateway Admin UI, performs configuration changes within the Admin UI, logs out of the Admin UI, and at login failure. Events are logged when a session is created at user login and when a session is destroyed after user logout. |
- Sep 8 08:50:04 UAG Name UAG-AUDIT: [qtp1062181581-73]INFO utils.SyslogAuditManager[logAuditLog: 418] - LOGIN_SUCCESS: SOURCE_IP_ADDR=Client_Machine_IP_Address USERNAME=admin
- 05/20 14:03:59,288 INFO: SESSION_CREATED: SOURCE_IP_ADDR=Client_Machine_IP_Address: USERNAME=admin: INFO=HttpSession@1165374987, Active session count for this user is 1
- Sep 8 08:50:13 UAG Name UAG-AUDIT: [qtp1062181581-79]INFO utils.SyslogAuditManager[logAuditLog: 418] - LOGOUT_SUCCESS: SOURCE_IP_ADDR=Client_Machine_IP_Address USERNAME=admin
- Sep 8 08:50:13 tunneltest UAG-AUDIT: [qtp1901824111-61]INFO utils.SyslogAuditManager[logAuditLog: 452] - LOGIN_FAILED: SOURCE_IP_ADDR=Client_Machine_IP_Address USERNAME=admin: REASON=Incorrect Password. 2 attempts are remaining.
- 05/20 14:07:46,841 INFO: SESSION_DESTROYED: SOURCE_IP_ADDR=Client_Machine_IP_Address: USERNAME=admin: INFO=HttpSession@1165374987, Active session count for this user is 0
- Sep 8 08:52:24 UAG Name UAG-AUDIT: [qtp1062181581-80]INFO utils.SyslogAuditManager[logAuditLog: 418] - CONFIG_CHANGE: SOURCE_IP_ADDR=Client_Machine_IP_Address USERNAME=admin: CHANGE=allowedHostHeaderValues:(null->) - tlsSyslogServerSettings:(null->[]) - dns:(null->) - sshPublicKeys:(null->[]) - ntpServers:( - null->) - adminPasswordExpirationDays:(90->50) - dnsSearch:(null->) - fallBackNtpServers:(null->) -
- Sep 8 07:32:01 UAG Name UAG-ADMIN: [qtp1062181581-27]INFO utils.SyslogManager[save: 57] - SETTINGS:CONFIG_CHANGED:allowedHostHeaderValues:(null->) - tlsSyslogServerSettings:(null->[]) - dns:(null->) - sessionTimeout:(9223372036854775807->36000000) - sshPublicKeys:(null->[]) - ntpServers:(null->) - dnsSearch:(null->) - fallBackNtpServers:(null->) -
- 08/22 13:52:22,815 INFO: CONFIG_CHANGE: SOURCE_IP_ADDR=Client_Machine_IPAddress: USERNAME=admin: CHANGE=httpproxyalias SSL_CERTIFICATE_METHOD_SETTINGS:CONFIG_CHANGED:certificate updated. OldValue:[Subject, Issuer, SerialNumber, Expiry and SHA1 thumbprint details of existing certificate], NewValue:[Subject, Issuer, SerialNumber, Expiry and SHA1 thumbprint details of new certificate]
|
Syslog Events
The following table describes the system events with examples:
Event Description |
Event Sample |
An event is logged when any of the edge services configured within the Unified Access Gateway are started and stopped accordingly. |
In the following event samples, UAG Name is the option which is configured as part of Unified Access Gateway's System Configuration in the Admin UI:
- Sep 9 05:36:55 UAG Name UAG-ESMANAGER: [Curator-QueueBuilder-0]INFO utils.SyslogManager[start: 355][][][][] - Edge Service Manager : started
- Sep 9 05:36:54 UAG Name UAG-ESMANAGER: [Curator-QueueBuilder-0]INFO utils.SyslogManager[stop: 1071][][][][] - Edge Service Manager : stopped
|
Events are logged when the Web Reverse Proxy settings are enabled or disabled on the Unified Access Gateway Admin UI. |
- Sep 8 09:34:52 UAG Name UAG-ESMANAGER: [main-EventThread]INFO utils.SyslogManager[stopService: 287][][][][] - Reverse Proxy Edge Service with instance id 'wiki' : stopped
- Sep 8 12:08:18 UAG Name UAG-ESMANAGER: [main-EventThread]INFO utils.SyslogManager[startService: 211][][][][] - Reverse Proxy Edge Service with instance id 'wiki' : started
|
Events are logged when the Horizon edge service settings are enabled or disabled on the Unified Access Gateway Admin UI. |
- Sep 8 09:15:21 UAG Name UAG-ESMANAGER: [main-EventThread]INFO utils.SyslogManager[startService: 335][][][][] - Horizon Edge Service : started
- Sep 8 09:15:07 UAG Name UAG-ESMANAGER: [main-EventThread]INFO utils.SyslogManager[stopService: 702][][][][] - Horizon Edge Service : stopped
|
Events are logged when a Horizon session is established which constitutes of session creation, user login, user authentication, desktop start, and session termination. |
While multiple events are logged through the flow, sample events include login scenarios, user authentication success and failure scenarios, and authentication timeout. In one of the samples, Horizon has been configured with the RADIUS authentication method:
- Sep 8 07:28:46 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[write: 163][Client_Machine_IP_Address][][][5a0b-***-7cfa] - Created session : 5a0b-***-7cfa
- Sep 8 07:28:51 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[putUserNameInMDC: 494][Client_Machine_IP_Address][testradius][Horizon][5a0b-***-7cfa] - UAG sessionId:5a0b-***-7cfa username:testradius
- Sep 8 07:28:51 UAG Name UAG-ESMANAGER: [jersey-client-async-executor-1]INFO utils.SyslogManager[logMessage: 190][Client_Machine_IP_Address][testradius][Horizon][5a0b-***-7cfa] - Authentication successful for user testradius. Auth type: RADIUS-AUTH, Sub type: passcode
- Sep 8 07:28:52 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[processDocument: 110][Client_Machine_IP_Address][testradius][Horizon][5a0b-***-7cfa] - Authentication attempt response - partial
- Sep 8 07:29:02 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[putUserNameInMDC: 494][Client_Machine_IP_Address][user name][Horizon][5a0b-***-7cfa] - UAG sessionId:5a0b-***-7cfa username:user name
- Sep 8 07:29:02 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[processXmlString: 190][Client_Machine_IP_Address][user name][Horizon][5a0b-***-7cfa] - Authentication attempt - LOGIN initiated
- Sep 8 07:29:03 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[processDocument: 110][Client_Machine_IP_Address][user name][Horizon][5a0b-***-7cfa] - Authentication attempt response - ok
- Sep 8 07:29:03 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[setAuthenticated: 384][Client_Machine_IP_Address][user name][Horizon][5a0b-***-7cfa] - HORIZON_SESSION:AUTHENTICATED:Horizon session authenticated - Session count:9, Authenticated sessions: 2
- Sep 8 07:29:04 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-41-1]INFO utils.SyslogManager[onSuccess: 109][Client_Machine_IP_Address][user name][Horizon][5a0b-***-7cfa] - Horizon Tunnel connection established
- Sep 8 07:29:16 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[resolveHostName: 234][Client_Machine_IP_Address][user name][Horizon][5a0b-***-7cfa] - Accessing virtual/rdsh desktop using protocol BLAST with IP Address IP_Address
- Sep 8 07:29:16 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-42-1]INFO utils.SyslogManager[onSuccess: 293][Client_Machine_IP_Address][user name][Horizon][5a0b-***-7cfa] - BSG route 5504-***-2905 with auth token Ob6NP-***-aEEqK added
- Sep 8 07:29:55 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-46-1]INFO utils.SyslogManager[terminateSession: 450][Client_Machine_IP_Address][user name][Horizon][5a0b-***-7cfa] - HORIZON_SESSION:TERMINATED:Horizon Session terminated due to logout - Session count:9, Authenticated sessions: 2
|
System Messages Sent to Syslog Server
The following table describes the events that are generated when system messages are sent to the syslog server:
Event Description |
Event Sample |
Events are logged when the root user logs into the Unified Access Gateway virtual machine console, logs out of the console, and at authentication failure. |
-
May 10 07:39:44 UAG Name login[605]: pam_unix(login:session): session opened for user root by (uid=0) May 10 07:39:44 UAG Name systemd-logind[483]: New session c14 of user root. May 10 07:39:44 UAG Name login[10652]: ROOT LOGIN on '/dev/tty1'
-
May 10 07:46:24 UAG Name login[605]: pam_unix(login:session): session closed for user root May 10 07:46:24 UAG Name systemd-logind[483]: Session c14 logged out. Waiting for processes to exit. May 10 07:46:24 UAG Name systemd-logind[483]: Removed session c14.
-
May 10 07:39:08 UAG Name login[605]: pam_unix(login:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=root May 10 07:39:12 UAG Name login[605]: FAILED LOGIN (1) on '/dev/tty1' FOR 'root', Authentication failure
|
Events are logged when the root user logs into and logs out of Unified Access Gateway using SSH and at authentication failure. |
-
May 10 04:30:40 UAG Name sshd[2880]: Accepted password for root from Client_Machine_IP_Address port 53599 ssh2 May 10 04:30:40 UAG Name sshd[2880]: pam_unix(sshd:session): session opened for user root by (uid=0) May 10 04:30:40 UAG Name systemd-logind[483]: New session c2 of user root.
-
Jun 11 09:53:34 BVT_NONFIPS sshd[2852]: pam_unix(sshd:session): session closed for user root Jun 18 05:47:13 rootPasswd sshd[6857]: Received disconnect from Client_Machine_IP_Address port 31389:11: disconnected by user Jun 18 05:47:13 rootPasswd sshd[6857]: Disconnected from user root Client_Machine_IP_Address port 31389 Jun 18 05:45:12 rootPasswd sshd[6772]: Failed password for root from Client_Machine_IP_Address port 31287 ssh2
|
Events are logged when the CPU, memory, heap, or disk usage exceeds the threshold value on Unified Access Gateway |
- Feb 2 08:28:35 uag-620c787e-440b-494e-91b2-54d2d8905c80 uag-esmanager: [Monitoring]WARN utils.SyslogManager[lambda$getConfiguredPerformanceCounters$2: 655][][][][] - UAGW00283: 93% of disk space usage is above threshold: 90%
- Feb 2 08:31:16 uag-620c787e-440b-494e-91b2-54d2d8905c80 uag-esmanager: [Monitoring]WARN utils.SyslogManager[lambda$getConfiguredPerformanceCounters$2: 655][][][][] - UAGW00283: 100.0% of System CPU usage is above threshold 95%
- Feb 2 08:34:17 uag-620c787e-440b-494e-91b2-54d2d8905c80 uag-esmanager: [Monitoring]WARN utils.SyslogManager[lambda$getConfiguredPerformanceCounters$2: 655][][][][] - UAGW00283: 99.0% of memory usage is above threshold: 95%
|
Events are logged when CSR is generated successfully using uagcertutil command |
09/09 12:46:16,022+0000 INFO: CONFIG_CHANGE: SOURCE_IP_ADDR=localhost: USERNAME=root (CLI): CHANGE=uagcertutil: New private key and CSR generated. CSR details: -----BEGIN CERTIFICATE REQUEST-----base64 encoded CSR content-----END CERTIFICATE REQUEST----- |
Secure Email Gateway
Secure Email Gateway is configured to follow the Syslog configurations which is configured as part of Unified Access Gateway System Settings. By default, only the contents of app.log in Secure Email Gateway is triggered as Syslog events.
For more information about the Syslog configurations, see Configure Unified Access Gateway System Settings.
VMware Tunnel
For more information, see Access Logs and Syslog Integration and Configure VMware Tunnel in the VMware Workspace ONE UEM Product Documentation at VMware Docs.