Classes of audit events in the Authentication group

Authentication events that occur in KSMG 2.1.1 are recorded in the Audit Log if audit event logging is enabled in Audit Log settings.

The Authentication group represents the LMS_AUDIT_AUTHENTICATION event class.

The keys listed in the following table are used in the bodies of CEF messages of audit event class in the Authentication group.

Possible values of fields for classes of Authentication group audit events

Key

Value

cs1Label

The value is always AuthType.

cs1

Authentication type. Possible values:

  • Local
  • Krb
  • NTLM

cs2Label

Logged only if authentication fails. The value is ErrorId.

cs2

Logged only if authentication fails. Possible values:

  • AuthFailed
  • LoginAttemptsExceed
  • PasswordExpired
  • PasswordReset
  • NTLMServersNotAvailable
  • Unknown

reason

Logged only if authentication fails. Possible values:

  • Authentication failed
  • Login attempts exceeded
  • Password expired
  • Should change password
  • NTLM servers are not available
  • Unknown error occurs

Page top