Syslog Events

The Syslog server logs events that occur on the Unified Access Gateway appliance. This topic helps you understand the information that gets captured when these events are logged.

Syslog Audit Events

The following table describes the audit events with examples:

Event Description	Event Sample
Events are logged when an admin logs into the Unified Access Gateway Admin UI, performs configuration changes within the Admin UI, or logs out of the Admin UI.	`06-09-2020 16:56:03 User.Info Syslog_Server_IP_Address UAG-AUDIT:[qtp332498651-46]INFO utils.SyslogAuditManager[logAuditLog: 382] - LOGIN_SUCCESS: SOURCE_IP_ADDR=Client_Machine_IP_Address: USERNAME=admin"` `06-09-2020 16:57:25 User.Info Syslog_Server_IP_Address UAG-AUDIT:[qtp332498651-44]INFO utils.SyslogAuditManager[logAuditLog: 382] - CONFIG_CHANGE: SOURCE_IP_ADDR=Client_Machine_IP_Address: USERNAME=admin: CHANGE=tlsSyslogServerSettings:(null->[]) - dns:(null->) - monitorInterval:(20->60) - sshPublicKeys:(null->[]) - ntpServers:(null->) - dnsSearch:(null->) - fallBackNtpServers:(null->) -` `06-09-2020 16:55:57 User.Info Syslog_Server_IP_Address UAG-AUDIT:[qtp332498651-22]INFO utils.SyslogAuditManager[logAuditLog: 382] - LOGOUT_SUCCESS: SOURCE_IP_ADDR=Client_Machine_IP_Address: USERNAME=admin`

Event Description

Event Sample

Events are logged when an admin logs into the Unified Access Gateway Admin UI, performs configuration changes within the Admin UI, or logs out of the Admin UI.

06-09-2020 16:56:03 User.Info Syslog_Server_IP_Address UAG-AUDIT:[qtp332498651-46]INFO utils.SyslogAuditManager[logAuditLog: 382] - LOGIN_SUCCESS: SOURCE_IP_ADDR=Client_Machine_IP_Address: USERNAME=admin"
06-09-2020 16:57:25 User.Info Syslog_Server_IP_Address UAG-AUDIT:[qtp332498651-44]INFO utils.SyslogAuditManager[logAuditLog: 382] - CONFIG_CHANGE: SOURCE_IP_ADDR=Client_Machine_IP_Address: USERNAME=admin: CHANGE=tlsSyslogServerSettings:(null->[]) - dns:(null->) - monitorInterval:(20->60) - sshPublicKeys:(null->[]) - ntpServers:(null->) - dnsSearch:(null->) - fallBackNtpServers:(null->) -
06-09-2020 16:55:57 User.Info Syslog_Server_IP_Address UAG-AUDIT:[qtp332498651-22]INFO utils.SyslogAuditManager[logAuditLog: 382] - LOGOUT_SUCCESS: SOURCE_IP_ADDR=Client_Machine_IP_Address: USERNAME=admin

Syslog Events

The following table describes the system events with examples:

Event Description	Event Sample
An event is logged when any of the edge services configured within the Unified Access Gateway are started and stopped accordingly.	In the following event samples, `UAG Name` is the option which is configured as part of Unified Access Gateway's System Configuration in the Admin UI: `06-09-2020 16:57:26 Local2.Info Syslog_Server_IP_Address Jun 9 11:25:59 UAG Name UAG-ESMANAGER: [Curator-QueueBuilder-0]INFO utils.SyslogManager[stop: 993][] - EDGE_SERVICE_MANAGER:STOPPED:Stopped Edge Service Manager` `06-09-2020 16:57:26 Local2.Info Syslog_Server_IP_Address Jun 9 11:25:59 UAG Name UAG-ESMANAGER: [Curator-QueueBuilder-0]INFO utils.SyslogManager[start: 321][] - EDGE_SERVICE_MANAGER:STARTED:Started EdgeServiceManager.`
Events are logged when Unified Access Gateway is accessed using HTTP scheme and redirected to HTTPS.	`06-09-2020 16:57:28 Local2.Info Syslog_Server_IP_Address Jun 9 11:26:01 UAG Name UAG-ESMANAGER: [main-EventThread]INFO utils.SyslogManager[startAndStopHttpAndHttpsServer: 768][] - HTTP_REDIRECTION_SERVER:STARTED:Started HTTP redirection server listening on port 8080` `06-09-2020 16:57:26 Local2.Info Syslog_Server_IP_Address Jun 9 11:25:59 UAG Name UAG-ESMANAGER: [Curator-QueueBuilder-0]INFO utils.SyslogManager[stop: 977][] - HTTP_REDIRECTION_SERVER:STOPPED:Stopped HTTP redirection serverlistening on port 8080`
Events are logged when the Web Reverse Proxy settings are enabled or disabled on the Unified Access Gateway Admin UI.	`06-10-2020 11:11:06 Local2.Info Syslog_Server_IP_Address Jun 10 05:39:39 UAG Name UAG-ESMANAGER: [main-EventThread]INFO utils.SyslogManager[startService: 207][] - WS_PORTAL_SERVICE:STARTED:Started WS Portal Edge Service` `06-10-2020 11:10:32 Local2.Info Syslog_Server_IP_Address Jun 10 05:39:04 UAG Name UAG-ESMANAGER: [main-EventThread]INFO utils.SyslogManager[stopService: 274][] - WS_PORTAL_SERVICE:STOPPED:Stopped WS Portal Edge Service`
Events are logged when the Horizon edge service settings are enabled or disabled on the Unified Access Gateway Admin UI.	`06-10-2020 11:03:10 Local2.Info Syslog_Server_IP_Address Jun 10 05:31:43 UAG Name UAG-ESMANAGER: [main-EventThread]INFO utils.SyslogManager[stopService: 689][] - HORIZON_SERVICE:STOPPED:Horizon View Edge Service` `06-10-2020 11:04:40 Local2.Info Syslog_Server_IP_Address Jun 10 05:33:13 UAG Name UAG-ESMANAGER: [main-EventThread]INFO utils.SyslogManager[startService: 332][] - HORIZON_SERVICE:STARTED:Started Horizon Edge Service`
Events are logged when a Horizon session is established which constitutes of user login, user authentication and session termination.	While multiple events are logged through the flow, sample events include login scenarios, user authentication success and failure scenarios, and authentication timeout. In one of the samples, Horizon has been configured with the `RADIUS` authentication method: `Sample Event -06-10-2020 10:46:09 Local2.Info Syslog_Server_IP_Address Jun 10 05:14:42 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-6-4]INFO utils.SyslogManager[processXmlString: 189][3df5-*-41f6] - Authentication attempt - LOGIN initiated` `06-10-2020 10:46:09 Local2.Info Syslog_Server_IP_Address Jun 10 05:14:42 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-6-4]INFO utils.SyslogManager[processDocument: 110][3df5--41f6] - Authentication attempt response - ok` `06-11-2020 14:52:47 Local2.Info Syslog_Server_IP_Address Jun 11 09:21:20 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-16-2]INFO utils.SyslogManager[processDocument: 110][1e85--1f8d] - Authentication attempt response - partial` `06-11-2020 15:02:28 Local2.Info Syslog_Server_IP_Address Jun 11 09:31:01 UAG Name UAG-ESMANAGER: [jersey-client-async-executor-1]INFO utils.SyslogManager[logMessage: 188][f7ba--7a21] - AUTH SUCCESS for user radius. Auth type: RADIUS-AUTH, Sub type: passcode` `06-11-2020 14:52:47 Local2.Warning Syslog_Server_IP_Address Jun 11 09:21:20 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-16-2]WARN utils.SyslogManager[persistFailedLoginAttempt: 386][1e85--1f8d] - Authentication attempt - FAILED` `06-11-2020 14:58:22 Local2.Info Syslog_Server_IP_Address Jun 11 09:26:55 UAG Name UAG-ESMANAGER: [jersey-client-async-executor-0]INFO utils.SyslogManager[logMessage: 188][f22c--162d] - AUTH FAILED for user radius with error Received timeout from RADIUS server for user radius. Auth type: RADIUS-AUTH, Sub type: passcode` `06-10-2020 10:47:03 Local2.Info Syslog_Server_IP_Address Jun 10 05:15:36 UAG Name UAG-ESMANAGER: [nioEventLoopGroup-6-4]INFO utils.SyslogManager[terminateSession: 450][3df5-**-41f6] - HORIZON_SESSION:TERMINATED:Horizon Session terminated - Session count:2, Authenticated sessions: 1`

Secure Email Gateway

Secure Email Gateway is configured to follow the Syslog configurations which is configured as part of Unified Access Gateway System Settings. By default, only the contents of app.log in Secure Email Gateway is triggered as Syslog events.

For more information about the Syslog configurations, see Configure Unified Access Gateway System Settings.

VMware Tunnel

For more information, see Access Logs and Syslog Integration and Configure VMware Tunnel in the VMware Workspace ONE UEM Product Documentation at VMware Docs.