Reviewing audit records


As a BMC Helix Single Sign-On administrator, you can review the audit records for all events performed from administrator and end-user accounts.

Before you begin

For a selected tenant, enable auditing of records for administrators or end users in the BMC Helix SSO Admin Console. For information about how to enable auditing, see Configuring settings for BMC Helix SSO administrators.

Important

Audit is enabled separately for every tenant, but records related to tenant management are recorded only in the SaaS tenant.

To view an audit record and its remote IP address and login resource details

  1. Log in to the BMC Helix SSO Admin Console as an administrator.
  2. Click the Audit tab.
    The Audit Events page displays the events for administrator and end-user actions.

    By default, the Audit tab shows all logged administrator actions, end-user actions, or both, for the previous day, but you can filter audit data for certain time periods.

    For more information about the types of audit records displayed, see Types of audit events.

  3. To view the audit records for a session:
    1. From the Action menu, click Select related records.

      Important

      Viewing audit records for one session is available only for actions that were created in BMC Helix SSO version 21.02 and later.

    2. Click Back to list to return to the list of audit records.
  4. To view details of the remoteAddr attribute of the HTTP request and the login resource details in the audit record:
    1. From the Action menu, click Details.
      The Audit record details window displays details of the following:

      Details displayed

      Description

      remoteAddr attribute

      The remote IP address of the HTTP request, which can be used to verify the source IP address in the audit record.

      Important: The source details of the client IP address are not available for automatic scheduled jobs because client IP address values are not available for such requests. 

      actionBy

      The login resource details, which provide details about the login resource for the following audit records:

      • ADMIN_LOGIN_SUCCESS
      • ADMIN_LOGOUT
      • ADMIN_LOGOUT_DUE_TO_PASSWORD_CHANGE
      • ADMIN_LOGIN_FAILED   

      The audit record displays one of the following values based on the resource that logged in successfully:

      • UI—If an administrator logged in by using a browser.
      • REST—If an administrator logged in by using the REST API.

      For example, if an administrator successfully logged in to the BMC Helix SSO server user interface, the following details are added to the audit record:
      "actionBy":"UI"

    2. Click OK to return to the list of audit records.

Types of audit events

The following types of events are recorded on the Audit Events page for administrator actions:

Audit events for administrator actions

| Audit event | Audit description |
|---|---|
| ADMIN_LOGIN_SUCCESS | An administrator has successfully logged in to the BMC Helix SSO Admin Console. |
| ADMIN_LOGOUT | An administrator has logged out from the BMC Helix SSO Admin Console. |
| ADMIN_USER_CREATED | An administrator user was created. |
| ADMIN_USER_DELETED | An administrator user was deleted. |
| ADMIN_USER_PWD_CHANGED | A password of an administrator user was changed. |
| ADMIN_USER_UPDATED | An administrator user was updated. |
| AUDIT_DISABLED | Auditing of administrator actions is disabled. |
| AUDIT_ENABLED | Auditing of administrator actions is enabled. |
| LAUNCHPAD_CREATED | A launchpad application was added to the Digital Service Management page. |
| LAUNCHPAD_DELETED | A launchpad application was deleted from the Digital Service Management page. |
| LAUNCHPAD_UPDATED | A launchpad application was updated on the Digital Service Management page. |
| LOCAL_GROUP_CREATED | A local group was created. |
| LOCAL_GROUP_DELETED | A local group was deleted. |
| LOCAL_GROUP_UPDATED | A local group was updated. |
| LOCAL_USER_ADDED_TO_GROUP | A local user was added to a group. |
| LOCAL_USER_CREATED | A local user was created. |
| LOCAL_USER_DELETED | A local user was deleted. |
| LOCAL_USER_PWD_CHANGED | A password for a local user was changed. |
| LOCAL_USER_REMOVED_FROM_GROUP | A local user was removed from a group. |
| LOCAL_USER_UPDATED | A local user was updated. |
| LOCAL_USER_UNLOCKED_BY_ADMIN | A local user was unlocked by the BMC Helix SSO administrator. |
| LOCAL_USER_UNLOCKED_BY_SYSTEM | A local user was unlocked automatically after the lockout interval expired. |
| OAUTH_CLIENT_CREATED | An OAuth client was created. |
| OAUTH_CLIENT_DELETED | An OAuth client was deleted. |
| OAUTH_CLIENT_UPDATED | An OAuth client was updated. |
| OAUTH_TOKEN_DELETED | An OAuth token was deleted. |
| OPENID_JWK_CREATED | An OpenID JWK was created. |
| OPENID_JWK_DELETED | An OpenID JWK was deleted. |
| RSSO_CONFIG_CHANGED | This event is generated when an administrator makes the following changes in the BMC Helix SSO Admin Console: changes to the configuration of the BMC Helix SSO server on the General tab; changes to the realms configuration on the Realms tab; changes to the local users configuration on the Local User tab. |
| CONFIG_EXPORTED | Server configuration was exported. |
| CONFIG_IMPORTED | Server configuration was imported. |
| TENANT_CREATED | A tenant was created. |
| TENANT_DELETED | A tenant was deleted. |
| TENANT_UPDATED | A tenant was updated. |
| USER_SESSION_DELETED | An end-user session was deleted. |
| LOCAL_USER_REG_PENDING_DELETED | A nonconfirmed user was deleted. |
| LOCAL_USER_REG_PENDING | A request to create a local user was submitted by the end user. |
| LOCAL_USER_REG_COMPLETED | Local user registration has been completed. |
| LOCAL_USER_REG_REQUEST_EXPIRED | A request to create a local user expired and was cleaned up. |
| SAML_TEMPLATE_CREATED | A SAML template was created. |
| SAML_TEMPLATE_UPDATED | A SAML template was updated. |

The following types of events are recorded on the Audit Events page for end-user actions:

Audit events for end-user actions

| Audit event | Audit description |
|---|---|
| END_USER_AUDIT_ENABLED | Auditing of end-user actions is enabled. |
| END_USER_AUDIT_DISABLED | Auditing of end-user actions is disabled. |
| ADMIN_LOGIN_FAILED | An administrator has failed to log in to the BMC Helix SSO Admin Console. |
| USER_LOGIN_FAILED | An end user has failed to log in. |
| SESSION_QUOTA_LIMIT_REACHED | A session quota limit was reached. |
| USER_LOGGED_IN | An end user has successfully logged in. |
| USER_LOGGED_OUT | An end user has successfully logged out. |
| SESSION_EXPIRED | An end-user session expired. |
| REAUTHENTICATION | An end user confirmed an operation by providing their credentials again. |
| AGENT_REGISTERED | A new agent was registered. |
| AGENT_UNREGISTERED | An agent was removed by the application server and the BMC Helix SSO listener. |
| REQUEST_AUTH_CODE | An authorization code was requested. |
| USER_WENT_THROUGH_CONSENT_PAGE | An end user went through the OAuth consent page. |
| REQUESTS_NEW_OAUTH_TOKEN_WITH_AUTH_CODE | An OAuth client requested a new access or refresh token with a code. The initiator (submitter) of this action is the OAuth client because it acts on behalf of the end user. |
| REQUESTS_NEW_OAUTH_TOKEN_WITH_REFRESH_TOKEN | An OAuth client requested a new access or refresh token with a refresh token. The initiator (submitter) of this action is the OAuth client because it acts on behalf of the end user. |
| REQUESTS_NEW_OAUTH_TOKEN_WITH_JWT | An application used the JWT grant type to request an access or refresh token for the particular end user. The initiator (submitter) of this action is the OAuth client because it acts on behalf of the end user. |
| ACCESS_TOKEN_REVOKED | An OAuth client revoked an access token. The initiator (submitter) of this action is the OAuth client because it acts on behalf of the end user. |
| REFRESH_TOKEN_REVOKED | The OAuth client revoked a refresh token. The initiator (submitter) of this action is the OAuth client because it acts on behalf of the end user. |
| AUTH_CODE_EXPIRED | An authorization code expired. |
| OAUTH_TOKEN_EXPIRED | An OAuth token expired. You must clean up the outdated OAuth token. |
| TOKEN_INFO_REQUESTED | An application used an end-user token to get information about the token. |
| TOKEN_USER_GROUPS_REQUESTED | An application used an end-user token to get information about the user's groups. |
| USER_LOGGED_IN_NATIVE_APP | A user logged in using an identity provider from the chain configuration by using a native application. |
| LOCAL_USER_CHANGED_OWN_PWD | A local user changed their password as required by a forced password reset. |
| LOCAL_USER_LOCKED | A local user was locked after unsuccessful login attempts. |
| LOCAL_USER_UNLOCKED | A local user was unlocked by the BMC Helix SSO administrator or automatically. |
| REQUEST_NEW_OAUTH_INTERNAL_TO_EXTERNAL_EXCHANGE_TOKEN | The OAuth client requests an internal-to-external token by using the token exchange grant type. |
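
One way to triage these events outside the console, as an added example that is not BMC code: it flags AUDIT_DISABLED and END_USER_AUDIT_DISABLED, and a run of ADMIN_LOGIN_FAILED followed by ADMIN_LOGIN_SUCCESS from the same remoteAddr. The record layout, the `time`, `event` and `user` keys, the 10-minute window and the threshold of 3 are assumptions; the page documents only the event names, remoteAddr and actionBy.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event names, remoteAddr and actionBy come from the page. The record layout
# and the "time", "event" and "user" keys are assumptions for this example.
TAMPER = {"AUDIT_DISABLED", "END_USER_AUDIT_DISABLED"}
WINDOW = timedelta(minutes=10)  # assumed correlation window
THRESHOLD = 3                   # assumed number of failures worth flagging

def triage(records):
    """Return (rule, time, detail) findings in chronological order."""
    findings = []
    failures = defaultdict(deque)  # remoteAddr -> times of recent failures
    for rec in sorted(records, key=lambda r: datetime.fromisoformat(r["time"])):
        when = datetime.fromisoformat(rec["time"])
        event, addr = rec["event"], rec.get("remoteAddr")
        if event in TAMPER:
            findings.append(("audit-disabled", rec["time"], rec.get("user") or "unknown"))
        if not addr:
            continue  # no client IP recorded, so no per-source correlation
        recent = failures[addr]
        while recent and when - recent[0] > WINDOW:
            recent.popleft()  # forget failures older than the window
        if event == "ADMIN_LOGIN_FAILED":
            recent.append(when)
        elif event == "ADMIN_LOGIN_SUCCESS":
            if len(recent) >= THRESHOLD:
                via = rec.get("actionBy") or "unknown"
                detail = f"{addr} via {via} after {len(recent)} failures"
                findings.append(("failures-then-success", rec["time"], detail))
            recent.clear()
    return findings

def sample(time, event, addr=None, by=None, user="admin"):
    """Build one constructed sample record."""
    return {"time": f"2024-05-01T{time}", "event": event, "user": user,
            "remoteAddr": addr, "actionBy": by}

# Constructed sample data, not real BMC Helix SSO output.
SAMPLE = [
    sample("09:00:00", "ADMIN_LOGIN_FAILED", "203.0.113.7", "REST"),
    sample("09:01:00", "ADMIN_LOGIN_FAILED", "203.0.113.7", "REST"),
    sample("09:02:00", "ADMIN_LOGIN_FAILED", "203.0.113.7", "REST"),
    sample("09:03:00", "ADMIN_LOGIN_SUCCESS", "203.0.113.7", "REST"),
    sample("09:05:00", "AUDIT_DISABLED", "203.0.113.7"),
    sample("09:30:00", "ADMIN_LOGIN_FAILED", "198.51.100.4", "UI"),
    sample("09:31:00", "ADMIN_LOGIN_SUCCESS", "198.51.100.4", "UI"),
    sample("10:00:00", "OAUTH_TOKEN_EXPIRED"),  # record without a client IP
]
```

Calling `triage(SAMPLE)` returns two findings: the REST login that followed three failures, and the AUDIT_DISABLED event two minutes later.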

 
