Event Descriptions
HYPR Control Center Advanced
App Properties Menu
Each single captured Event is a result of a successful or failed attempt. Events appear in the Audit Trail, in the Control Center (CC) logs, in the HYPR Dashboard for Splunk, and in API call results.
Invisible Events
Not every Event is listed in the CC Audit Trail or HYPR Dashboard for Splunk; some only appear in API responses or CC logs.
Event data is stored in a separate schema away from the critical HYPR FIDO databases. This allows registration, authentication, and deregistration flows to continue functioning without being affected. The connection information to this schema can be found in the Vault; a HYPR representative can help you find it. The settings for the Audit Trail schema will be automatically set up for you during installation.
We anticipate that potentially millions of records could exist in this database. We have included a means to roll over the data. This mechanism will be described in detail at the bottom of this guide.
eventTags
eventTagsMost Events fall under one of the following eventTags categories; those that do not are listed last. Table listings under the following categories are sorted by the Action column.
A list of Event Parameters follows the event descriptions.
ADMIN Events
Event (eventName) | Action | Source (eventLoggedBy) | Description (message) |
|---|---|---|---|
| LOGIN | CC Access | CONTROL_CENTER_SERVER | The user logged in to Control Center. |
| LOGOUT | CC Access | CONTROL_CENTER_SERVER | Logout from Control Center web console. |
| FIDO2_METADATA | FIDO2 Metadata | CONTROL_CENTER_SERVER | FIDO2 metadata statement with AAGUID modified. aaguid = {aaguid} |
| CREATE_INTEGRATION | IdP Integrations | RELYING_PARTY_SERVER | Successfully added an IdP integration. |
| DELETE_INTEGRATION | IdP Integrations | RELYING_PARTY_SERVER | Successfully deleted the IdP integration. |
| DISABLE_INTEGRATION | IdP Integrations | RELYING_PARTY_SERVER | Successfully disabled the IdP integration. |
| ENABLE_INTEGRATION | IdP Integrations | RELYING_PARTY_SERVER | Successfully enabled the IdP integration. |
| REFRESH_INTEGRATION | IdP Integrations | RELYING_PARTY_SERVER | Successfully refreshed the IdP integration. OR Failed to refresh the IdP integration. |
| UPDATE_INTEGRATION | IdP Integrations | RELYING_PARTY_SERVER | Successfully updated the IdP integration details. |
| AUTHENTICATOR_DISABLED | RP Application | CONTROL_CENTER_SERVER | The authenticator was disabled for this rpAppId. Authentication requests using this authenticator will fail. aaid={aaid} rpAppId={appId} |
| AUTHENTICATOR_ENABLED | RP Application | CONTROL_CENTER_SERVER | The authenticator was enabled. aaid={aaid} rpAppId={rpAppId} |
| CREATE_APP | RP Application | CONTROL_CENTER_SERVER | {rpAppId} was succesfully created. |
| CREATE_APP_ACTION | RP Application | [Not Logged] | An authentication or registration policy was created for {rpAppId}. |
| DELETE_APP | RP Application | CONTROL_CENTER_SERVER | Associated settings have been deleted. |
| DELETE_APP_ACTION | RP Application | CONTROL_CENTER_SERVER | Delete action for {rpAppId}. |
| DELETE_APP_CONFIG | RP Application | RELYING_PARTY_SERVER | RP Application configuration has been deleted. config: {{config.toStringTruncateValue()} |
| SAVE_APP_CONFIG | RP Application | RELYING_PARTY_SERVER | The Application configuration was saved. One or more of the following changed: - Theme color, logo, title, or messaging - Push and/or QR enablement toggle - Desktop SSO enablement toggle - Timeout configuration |
| UPDATE_APP | RP Application | CONTROL_CENTER_SERVER | {rpAppId} was succesfully updated. |
| UPDATE_APP_ACTION | RP Application | CONTROL_CENTER_SERVER | Update action for {rpAppId}. |
| USERNAME DISSOCIATE | Username Aliases and Emails | RELYING_PARTY_SERVER | All associations with an email or alias have been deleted. |
| USERNAME ASSOCIATE | Username Aliases and Emails | RELYING_PARTY_SERVER | The username has been associated with {this}. |
REGISTRATION Events
Event (eventName) | Action | Source (eventLoggedBy) | Description (message) |
|---|---|---|---|
| FIDO_ONLY_REG | FIDO Core | UAF_SERVER MobileDevice WEB | FIDO registration. The registration policy is supplied by the server. The device generates a cryptographic key pair, then sends the public key to the server. The user provides a second factor (touch/PIN/native/etc.) to safeguard the key. Typical problems: - The Application's policy(-ies) is not configured properly in Control Center - The authenticator specified by the policy is not available on the phone |
| FIDO2_DEVICE_REG | FIDO2 Keys | RELYING_PARTY_SERVER | User {userName} initiated FIDO2 key registration. |
| FIDO2_DEVICE_REG_COMPLETE | FIDO2 Keys | RELYING_PARTY_SERVER | A successful platform or security key registration was completed on a mobile device. The browser running on the mobile device used WebAuthn with the Relying Party. aaid = {aaid} |
| OOB_DEVICE_REG | Registration | RELYING_PARTY_SERVER MobileDevice | The device scans the QR code and sends starts the registration process. A sessionId is generated and returned as a part of the response. The initial handshake between the client (browser/workstation) is now complete.Typical problems: - PIN mismatch due to a timeout - Multiple scans of the same QR code |
| OOB_DEVICE_REG_COMPLETE | Registration | RELYING_PARTY_SERVER | This is the final step in the registration process. Confirmation was received from the Device. The device registration record has been saved. |
| OOB_DEVICE_REG_COMPLETE | Registration | RELYING_PARTY_SERVER | The device started registration successfully. The PIN has been matched successfully. The Relying Party connection is OK. The device can now proceed to attempt a FIDO registration. |
| OOB_DEVICE_REG_COMPLETE | Registration | RELYING_PARTY_SERVER | A successful FIDO authentication was completed on a mobile device. Use traceId to match this event with the WORKSTATION_AUTH authentication start.traceId={traceId} |
| OOB_GET_REG_DEVICES | Registration | RELYING_PARTY_SERVER | Listing request for mobile devices or security keys registered to the user. |
| OOB_WEBSITE_REG | Registration | RELYING_PARTY_SERVER MobileDevice WEB | The opening registration request from the browser or workstation. The client now waits for the mobile to scan QR. Started. |
| OOB_WEBSITE_REG | Registration | RELYING_PARTY_SERVER MobileDevice WEB | The client setup is complete. The sessionId is returned to the clientThis indicates that the device has finished enrolling the user key pair. Registration is not yet complete. |
| OOB_WEBSITE_REG | Registration | RELYING_PARTY_SERVER MobileDevice WEB | The opening registration request call from the browser or workstation. The client now waits for the mobile device to scan a QR code. Typical problems: - The Application is not setup in Control Center - The HYPR license is invalid |
| OOB_WORKSTATION_REG | Registration | RELYING_PARTY_SERVER MobileDevice Workstation | FIDO registration was started. |
| SMARTKEY_ENROLL | SmartKey Phase 1 | RELYING_PARTY_SERVER Workstation | Enrolling the security key. enrollmentRequest={req} |
| SMARTKEY_ENROLL_COMPLETE | SmartKey Phase 1 | RELYING_PARTY_SERVER | Security key enrollment succeeded. |
WEB_REGISTRATION Events
Event (eventName) | Action | Source (eventLoggedBy) | Description (message) |
|---|---|---|---|
| MOBILE_CONFIRMED_CERTIFICATE_RENEWAL | Web Registration | [Not Logged] | The mobile device's certificate renewal is complete. |
| MOBILE_CONFIRMED_NEW_CERTIFICATE | Web Registration | RELYING_PARTY_SERVER | The mobile device confirms workstation certificate processing. |
| MOBILE_NOTIFIED_OF_CERTIFICATE_RENEWAL | Web Registration | [Not Logged] | The mobile device was informed of successful certificate renewal. |
| MOBILE_NOTIFIED_OF_NEW_CERTIFICATE | Web Registration | RELYING_PARTY_SERVER | The mobile device has been notified of the workstation certificate's availability. |
| WORKSTATION_CERTIFICATE_ISSUED | Web Registration | RELYING_PARTY_SERVER | The certificate was issued by the enrollment service. |
| WORKSTATION_CERTIFICATE_REQUESTED | Web Registration | RELYING_PARTY_SERVER | A certificate request has been queued up for the Enrollment service. |
| WORKSTATION_CERTIFICATE_REVOKED | Web Registration | [Not Logged] | The workstation certificate was revoked. |
| WORKSTATION_ENROLLED | Web Registration | RELYING_PARTY_SERVER | Workstation enrolled. {machineName} |
AUTHENTICATION Events
Event (eventName) | Action | Source (eventLoggedBy) | Description (message) |
|---|---|---|---|
| OOB_WEBSITE_AUTH | Auth (OOB | Browser | DM | Java SDK) | RELYING_PARTY_SERVER WEB MobileDevice | The browser requests authentication from the HYPR server for the user. A push notification is sent to the mobile device asking it to authenticate. A sessionId is generated and returned as a part of the response.Typical problems: - Network conditions may create delays in receiving the push notification |
| OOB_WEBSITE_AUTH_COMPLETE | Auth (OOB | Browser | DM | Java SDK) | RELYING_PARTY_SERVER | The client polls the server periodically to check if the mobile authentication is successful. The server returns the current status of authentication in the response message. |
| OOB_WEBSITE_TRANS | Auth (OOB | Browser | DM | Java SDK) | RELYING_PARTY_SERVER MobileDevice | The browser requested authentication for a step transaction from the HYPR server. The HYPR server sent a push notification to the mobile device, asking it to authenticate. |
| DESKTOP_SSO | Desktop SSO | RELYING_PARTY_SERVER WORKSTATION | Desktop SSO started by web login attempt. |
| DESKTOP_SSO_COMPLETE | Desktop SSO | RELYING_PARTY_SERVER WORKSTATION | Desktop SSO completed by the workstation signing challenge. |
| EXTERNAL_AUTH_COMPLETE | Auth (OOB | Browser | DM | Java SDK) | Workstation | Workstation [unlock | login] using [deviceType]. |
| FIDO_ONLY_AUTH | FIDO Core | UAF_SERVER | FIDO authentication using the cryptographic key. |
| WORKSTATION_AUTH | Workstation Auth | RELYING_PARTY_SERVER MobileDevice Workstation | Start of the workstation unlock request from the device. This request is made when the user clicks the Unlock button in the HYPR App. A message is sent to the workstation to initiate unlock/login. |
| WORKSTATION_AUTH_COMPLETE | Workstation Auth | RELYING_PARTY_SERVER | Final confirmation that workstation unlock is successful. Client and device top off the offline tokens. |
| WORKSTATION_AUTH_COMPLETE | Workstation Auth | RELYING_PARTY_SERVER | The client has finished unlocking the workstation. The login confirmation message reached the workstation. Completed. |
| WORKSTATION_AUTH_COMPLETE | Workstation Auth | RELYING_PARTY_SERVER | The user has verified their physical presence at the workstation. Generally, this involves pressing Ctrl+Alt+Delete. |
DEREGISTRATION Events
Event (eventName) | Action | Source (eventLoggedBy) | Description (message) |
|---|---|---|---|
| MOBILE_INITIATED_WEBSITE_DELETE | Delete | RELYING_PARTY_SERVER MobileDevice | A deregistration request was initiated from a mobile device for a website. The mobile user clicked on the Delete Web Account button. |
| MOBILE_INITIATED_WORKSTATION_DELETE | Delete | RELYING_PARTY_SERVER MobileDevice | A deregistration request was initiated from a mobile device for a workstation. The mobile user clicked on the Delete Computer button. |
| OOB_WEBSITE_INITIATED_DELETE | Delete | RELYING_PARTY_SERVER | A deregistration request was initiated from the web account or Control Center. |
| WORKSTATION_INITIATED_DELETE | Delete | RELYING_PARTY_SERVER Workstation MobileDevice | A deregistration request was initiated from the workstation. The user clicked on the Delete Mobile Device button in the HYPR app on the computer. |
| FIDO_ONLY_DEREG | FIDO Core | UAF_SERVER MobileDevice WEB | FIDO registration is deleted. It can no longer be used to authenticate. |
| FIDO2_DEVICE_DEREG | FIDO2 Keys | RELYING_PARTY_SERVER | FIDO2 key {aaid} deleted for user {userName}. |
OFFLINE_ACCESS Events
Event (eventName) | Action | Source (eventLoggedBy) | Description (message) |
|---|---|---|---|
| OFFLINE_TOKEN_ACCESS | Workstation-related | MobileDevice | Offline token access request. |
| OFFLINE_TOKEN_AUTH | Workstation-related | Workstation | Authentication using Offline Mode. A mobile app user used an Offline Mode PIN to login to the workstation. |
SMART_KEY Events
Event (eventName) | Action | Source (eventLoggedBy) | Description (message) |
|---|---|---|---|
| SMARTKEY_CC_INITIATED_UNENROLL | SmartKey Phase 1 | RELYING_PARTY_SERVER | The security key was unenrolled from Control Center. Please remove the certificate from the Certificate Authority using the following command:certutil -revoke ${req.smartKeyCertificateSerialNumber} 8 |
| SMARTKEY_PIN_CHANGE | SmartKey Phase 1 | Workstation | An attempt was made to change the security key PIN. |
| SMARTKEY_PIN_VERIFICATION | SmartKey Phase 1 | Workstation | The security key PIN was verified. |
| SMARTKEY_WORKSTATION_INITIATED_UNENROLL | SmartKey Phase 1 | RELYING_PARTY_SERVER Workstation | The security key was unenrolled from the workstation. Please remove the certificate from the Certificate Authority using the following command:certutil -revoke ${req.smartKeyCertificateSerialNumber} 8 |
| SMARTKEY_AUTH | SmartKey Phase 2 | [Not Logged] | Authentication was attempted on a workstation using a security key. |
| SMARTKEY_AUTH_COMPLETE | SmartKey Phase 2 | Workstation | Authentication was completed using a security key. |
| SMARTKEY_PIN_PUK_CHANGE | SmartKey Phase 2 | [Not Logged] | A PIN Unblocking Key (PUK) for a smart key has been changed. |
| SMARTKEY_PIN_PUK_VERIFICATION | SmartKey Phase 2 | [Not Logged] | A PIN Unblocking Key (PUK) for a smart key has been verified as part of a PIN reset. |
ACCESS_TOKEN (ADMIN) Events
Event (eventName) | Action | Source (eventLoggedBy) | Description (message) |
|---|---|---|---|
| ACCESS_TOKEN_CREATE | Access Tokens | RELYING_PARTY_SERVER | Endpoint API token creation request; this event is typically from the the browser token management UI. |
| ACCESS_TOKEN_REVOKE | Access Tokens | RELYING_PARTY_SERVER | Endpoint API token revoked. tokenId={token.id} revokedBy={user} |
ENDPOINT_API_ACCESS_TOKEN (ADMIN) Events
Event (eventName) | Action | Source (eventLoggedBy) | Description (message) |
|---|---|---|---|
| ENDPOINT_API_ACCESS_TOKEN_CREATE | Endpoint API Access Token | RELYING_PARTY_SERVER | The endpoint API token was created. Scope = [DEVICE | WORKSTATION] tokenId = {truncated_token} |
| ENDPOINT_API_ACCESS_TOKEN_EXCHANGE | Endpoint API Access Token | RELYING_PARTY_SERVER | The workstation install token was successfully exchanged. tokenId={truncated_token} |
| ENDPOINT_API_ACCESS_TOKEN_EXCHANGE_FAILED | Endpoint API Access Token | RELYING_PARTY_SERVER MobileDevice | The workstation install token exchange failed. tokenId={truncated_token} |
| ENDPOINT_API_ACCESS_TOKEN_REVOKE | Endpoint API Access Token | RELYING_PARTY_SERVER | The endpoint API token was successfully revoked. tokenId={token.id} revokedBy=$user |
RECOVERY_PINS (ADMIN) Events
Event (eventName) | Action | Source (eventLoggedBy) | Description (message) |
|---|---|---|---|
| RECOVERY_PIN_AUTH | Recovery PINs | Workstation | Authorization was attempted using a recovery PIN. |
| RECOVERY_PIN_REVEAL | Recovery PINs | CONTROL_CENTER_SERVER RELYING_PARTY_SERVER | The recovery PIN was revealed via either the CC Admin UI or an API call. |
| RECOVERY_PINS_DELETE | Recovery PINs | [Not Logged] | The recovery PIN was deleted. HYPR recommends generating new recovery PINS. |
| RECOVERY_PINS_GENERATED | Recovery PINs | RELYING_PARTY_SERVER | The recovery PIN has been saved. |
| RECOVERY_PINS_RE_GENERATED | Recovery PINs | RELYING_PARTY_SERVER | The recovery PINs have been re-saved. |
| RECOVERY_PINS_SETUP | Recovery PINs | [Not Logged] | Recovery PINS were created. |
MAGIC_LINK (ADMIN) Events
Event (eventName) | Action | Source (eventLoggedBy) | Description (message) |
|---|---|---|---|
| MAGIC_LINK_CREATE | Magic Links | CONTROL_CENTER_SERVER RELYING_PARTY_SERVER | Magic link created. |
| MAGIC_LINK_DELETE | Magic Links | CONTROL_CENTER_SERVER | Deleting pending magic links for: username={userName} rpAppId={rpAppId} |
| MAGIC_LINK_EXP_DELETE_EXISTING_AFTER_NEW | Magic Links | CONTROL_CENTER_SERVER | Deleting existing magic links after creating new a one for the same username. |
| MAGIC_LINK_EXP_DELETED_EXISTING | Magic Links | CONTROL_CENTER_SERVER | Pre-existing magic links have been deleted. Only one magic link can be alive at a given time. |
| MAGIC_LINK_EXP_RESEND_EMAIL_MSG_TO_HAAS | Magic Links | CONTROL_CENTER_SERVER | An invitation email has been generated and sent to {userName}. |
| MAGIC_LINK_EXP_USERNAME_NOT_FOUND | Magic Links | CONTROL_CENTER_SERVER | Username not found. Unable to resend an email to HYPR with a new magic link message. |
| MAGIC_LINK_EXPIRED_OR_USED | Magic Links | RELYING_PARTY_SERVER | This magic link is invalid or has expired. |
| MAGIC_LINK_NOT_FOUND | Magic Links | CONTROL_CENTER_SERVER | Cannot find a magic link for the token given. Verify that the token is correct and try again. |
FEATURE_FLAGS (ADMIN) Events
Event (eventName) | Action | Source (eventLoggedBy) | Description (message) |
|---|---|---|---|
| FEATURE_FLAG_TOGGLE | Feature Flags | RELYING_PARTY_SERVER | Feature Flag toggled. |
CREATE_USER, DELETE_USER Events
Event (eventName) | Action | Source (eventLoggedBy) | Description (message) |
|---|---|---|---|
| MAGIC_LINK_CREATE_USER | Magic Links | RELYING_PARTY_SERVER | {userName} was invited to Control Center via magic link and email. |
| DELETE_USER | Deleting RP User from CC | RELYING_PARTY_SERVER | {userName} was deleted from the Control Center using the API token belonging to {userPerformingDelete}. [if no devices left] {userName} has no remaining registrations after removing {deviceId}. Deleting the user record. |
SYSTEM_CHECK Events
Event (eventName) | Action | Source (eventLoggedBy) | Description (message) |
|---|---|---|---|
| BATCH_DB_UPDATE | System Checks | CONTROL_CENTER_SERVER | The background process to update the database failed; contact your administrator immediately. |
| DB_CRYPTO_VALIDATION_PROBLEM | System Checks | CONTROL_CENTER_SERVER | The database data integrtity check failed. Data has potentially been tampered with. Check affected user activity in the Audit Trail and Logs for suspicious authentication attempts. Try to register again. |
| FIDO_CERT_EXPIRY_CHECK | System Checks | RELYING_PARTY_SERVER | Certificate Expiration Notice. FIDO certificates are monitored for expiry based on days remaining: < 90 = High Criticality 90 - 150 = Medium Criticality > 150 = Low Criticality If the event is not logged as success=false, it passed the check. |
| MOBILE_CERT_RENEWAL_EXPIRY_CHECK | System Checks | RELYING_PARTY_SERVER MobileDevice | Certificate Expiration Notice. Mobile device certificates are monitored for expiry based on days remaining: < 90 = High Criticality 90 - 150 = Medium Criticality > 150 = Low Criticality If the event is not logged as success=false, it passed the check. |
| UAF_CERT_EXPIRY_CHECK | System Checks | RELYING_PARTY_SERVER | Certificate Expiration Notice. UAF certificates are monitored for expiry based on days remaining: < 90 = High Criticality 90 - 150 = Medium Criticality > 150 = Low Criticality If the event is not logged as success=false, it passed the check. |
SETTINGS Events
Event (eventName) | Action | Source (eventLoggedBy) | Description (message) | |
|---|---|---|---|---|
| FIDO2_SETTINGS | Settings | RELYING_PARTY_SERVER | {Client Origin URL} has been [enabled | disabled]. |
RADIUS Events
Event (eventName) | Action | Source (eventLoggedBy) | Description (message) |
|---|---|---|---|
| RADIUS_CLIENT_CREATE | RADIUS Servers | CONTROL_CENTER_SERVER | The Radius server client was created. id={radiusClientId} |
| RADIUS_CLIENT_DELETE | RADIUS Servers | CONTROL_CENTER_SERVER | The Radius server client was deleted. id={radiusClientId} |
| RADIUS_CLIENT_UPDATE | RADIUS Servers | CONTROL_CENTER_SERVER | The Radius server client was updated. id={radiusClientId} |
| RADIUS_CONFIG_CREATE | RADIUS Servers | CONTROL_CENTER_SERVER | The Radius server configuration was created. id={configCreated.radiusConfigId} |
| RADIUS_CONFIG_DELETE | RADIUS Servers | CONTROL_CENTER_SERVER | The Radius server configuration was deleted. id={radiusConfigId} |
| RADIUS_CONFIG_UPDATE | RADIUS Servers | CONTROL_CENTER_SERVER | The Radius server configuration was updated. id={updatedConfig.radiusConfigId} |
| RADIUS_INTEGRATION_CREATE | RADIUS Servers | CONTROL_CENTER_SERVER | The Radius integration was created. id={createdIntegration.id} |
| RADIUS_INTEGRATION_DELETE | RADIUS Servers | CONTROL_CENTER_SERVER | The Radius integration was deleted. id={radiusIntConfigId} |
| RADIUS_SERVER_CREATE | RADIUS Servers | CONTROL_CENTER_SERVER | The Radius server was created. id={createdServer.radiusServerId} |
| RADIUS_SERVER_DELETE | RADIUS Servers | CONTROL_CENTER_SERVER | The Radius server was deleted. id={radiusServerId} |
| RADIUS_SERVER_UPDATE | RADIUS Servers | CONTROL_CENTER_SERVER | The Radius server was updated. id={radiusServerId} radiusConfigId={radiusServer.radiusConfigId} |
MISCELLANEOUS Events (no eventTags)
eventTags)Event (eventName) | Action | Source (eventLoggedBy) | Description (message) |
|---|---|---|---|
| MOBILE_CERTIFICATE_REENROLLMENT | Certificate Renewal | RELYING_PARTY_SERVER Workstation MobileDevice | The certificate was re-issued by the enrollment service. |
| DEFAULT | Core System | [Not Logged] | A default entry for anomalous events. |
| EXCEPTION | Core System | RELYING_PARTY_SERVER | Captures any oddities that may occur on the mobile, workstation or web components. |
| UNKNOWN | Core System | [Not Logged] | EventName= {name} is not known to this version of the server. The event may have been introduced in a newer version of the server. |
| DEVICE_SIGNAL_RECEIVED | Device Signals | RELYING_PARTY_SERVER | Successfully posted the device security state. |
| LOG_SUBMISSION | Log Submission | CONTROL_CENTER_SERVER RELYING_PARTY_SERVER | {clientType} client logs were submitted successfully. OR {clientType} client logs were submitted successfully by {userName}. OR WINDOWS client logs were submitted successfully by {machineUserName}. OR ANDROID client logs were submitted successfully. |
| WESBITE_AUTH | Authentication | MobileDevice | Operation failed. Your request to authenticate this device didn't complete in time. Fingerprint timeout reached. Try again. |
| QR_FALLBACK_PAYLOAD_RETRIEVED | QR Authentication | RELYING_PARTY_SERVER | [Success] Cached payload was retrieved using the respective activation code associated with creation. [Failure] Failed to find QR fallback payload using activation code provided. Please check code entered and retry. |
| SESSION_WEBSITE_AUTH | QR Authentication | MobileDevice | Authentication was attempted using a QR code. |
| SESSION_WEBSITE_AUTH_COMPLETE | QR Authentication | [Not Logged] | Authentication was completed using a QR code. |
| AUTH_DENIED_LOW_VERSION | Version Control Feature Flag | [Not Logged] | Authentication was denied due to a prohibitively low version of Control Center. |
| REG_DENIED_LOW_VERSION | Version Control Feature Flag | [Not Logged] | Registration was denied due to a prohibitively low version of Control Center. |
| WORKSTATION_LOCK | Workstation Lock | RELYING_PARTY_SERVER MobileDevice | A request was issued to lock the workstation: {deviceId(deviceIdParam)} |
| UNIVERSAL_QR_SCAN | Workstation VDI | MobileDevice | Operation cancelled. The HYPR barcode scan was aborted by the user. |
| WORKSTATION_AUTH_JSON_SCAN | Workstation VDI | MobileDevice | A mobile device was used to initiate a workstation unlock or lock event. |
| WORKSTATION_AUTH_QR_SCAN | Workstation VDI | [Not Logged] | A mobile device has been paired with a workstation via QR scan. |
| MOBILE_INITIATED_WORKSTATION_LOCK | Workstation-related | [Not Logged] | The mobile device initiated a workstation lock action. |
| WORKSTATION_CONFIGURATION | Workstation-related | [Not Logged] | The workstation was configured successfully. |
| WORKSTATION_SHUTDOWN | Workstation-related | [Not Logged] | The workstation was shut down. Usually this indicates that the user powered off or rebooted the computer. |
| WORKSTATION_SOCKET_CONNECT | Workstation-related | Workstation | The workstation web socket was connected. |
| WORKSTATION_SOCKET_DISCONNECT | Workstation-related | [Not Logged] | The workstation web socket was disconnected. |
| WORKSTATION_STARTUP | Workstation-related | [Not Logged] | The workstation was started. Usually this indicates that the user powered on or rebooted the computer. |
| WORKSTATION_UPGRADE | Workstation-related | [Not Logged] | The workstation was upgraded. |
Event Parameters
Each Event will provide the following parameters, data permitting.
Event Data Model Parameters vs. Log Parameters
Labels in plain text are directly from the Event Data Model, while those in italics are generated for the logs and may be used in the Audit Trail and HYPR Dashboard for Splunk.
| Label | Parameter | Description |
|---|---|---|
| Event ID | id | Unique identifier for the Event. |
| Schema Version | version | The Event schema version. |
| Event Type | type | Event classification. For API log requests, this will always be AUDIT. |
| Event | eventName | The name of the Event. |
| Message | message | A message giving a brief recount of the Event. |
| SubEvent | subName | An Event might be broken into sub-steps. The SubEvent distinguishes the various steps. Typically it is the URI of the request. |
| Logged By | eventLoggedBy | The component which logged the Event. Success events are mostly (but not necessarily) logged by the server. Failure events are sent by HYPR Mobile, HYPR Workforce Access, or HYPR SDK if something goes wrong. Possible Values: MobileDevice, RELYING_PARTY_SERVER, CONTROL_CENTER_SERVER, Web, Workstation, Browser, UAF_SERVICE, ENROLLMENT_SERVICE |
| Time | eventTimeInUTC | The time of the Event in UTC format. |
| Logged | loggedTimeInUTC | The time the server logged the Event in UTC format. |
| Tenant | tenantId | Identifier for the HYPR Control Center server. Sourced from the HYPR-TenantID HTTP header or from the hypr.rp.cacheNamespace Vault prop. |
| Remote IP | remoteIP | The IP address of the node submitting the Event. Sourced from the X-Forwarded-For HTTP header in the request. |
| User Agent | userAgent | Identifies the application, operating system, vendor, and/or version of the Event's requesting user agent. Sourced from the User-Agent HTTP header. |
| Trace ID | traceId | An identifier to assist Support in tracking the Event. If the header is missing, the server starts a new trace. Sourced from the X-B3-TraceId HTTP header. |
| Session ID | sessionId | Unique identifier of the web session. |
| Additional Details | additionalDetails | A map of discretionary data supplied for an Event; used to capture attributes not available in the Event object. |
| Status | isSuccessful | Status of the individual Event. Possible Values: Success, Failure |
| Error Code | errorCode | The HYPR Error code associated with the Event, if any. This value must be populated if isSuccessful=false.See also HYPR Error Codes Troubleshooting Table. |
| Error Severity | errorSeverity | The impact level of the Event causing the error. Possible Values: WARN, ERROR, FATAL, null (default) |
| RP Application ID | rpAppId | The name of the relying party Application generating the Event. |
| FIDO User | fidoUser | A machine-readable user handle representing a FIDO registration. |
| Username | machineUserName | HYPR name for the user generating the Event. Typically associated with fidoUser. |
| Authenticator | authenticator | Authenticator GUID/ID logged with the following Events: GUID for FIDO2 Authentication FIDO2_DEVICE_DEREG FIDO2_WEBAUTHN_COMPLETE FIDO2_DEVICE_REG_COMPLETE ID for UAF FIDO_ONLY_AUTH FIDO_ONLY_DEREG FIDO_ONLY_REG |
| Usage Type | usageType | Currently not used. |
| Integration Type | integrationType | The type of integration upon which the Event occurs. |
| Integration Provider | integrationProvider | The type of integration provider for the Event, based on the rpAppId. |
Specific Parameters
The following parameters will appear only when a specific Event type is triggered.
Device (Includes Security Keys)
| Label | Parameter | Description |
|---|---|---|
| OS | deviceOS | Device operating system (Android/iOS/security key). Sourced from the HYPR-Device-OS HTTP header. |
| OS Version | deviceOSVersion | Device operating system version. For security keys, this will be the firmware version. Sourced from the HYPR-Device-OS-Version HTTP header. |
| Model | deviceModel | Device model number. Sourced from the HYPR-Device-Model HTTP header. |
| Device ID | deviceId | A HYPR-generated device identifier. deviceId stays same for the lifetime of the App. Reinstalling the App generates a new deviceId.In this case, Device may refer to a mobile device (90%) or another hardware device (Yubikey, etc.) which stores the private key/authenticator and performs authentication. |
| Device Type | deviceType | Represents any special indication of the device type triggering the Event. |
| HYPR Mobile App Version | deviceRelVersion | Version of the HYPR Mobile App. Sourced from the HYPR-Device-Release-Version HTTP header. |
| SDK Version | sdkRelVersion | Version of the HYPR SDK. Sourced from the HYPR-SDK-Release-Version HTTP header. |
| Tokens Available | tokensAvailable | Number of Offline Mode tokens available. |
| Tokens Remaining | tokensRemaining | Number of Offline Mode tokens remaining. |
Workstation
| Label | Parameter | Description |
|---|---|---|
| Extended Message | extendedMessage | An additional message from the workstation regarding the Event. |
| OS Version | wsOSVersion | Workstation operating system version. Sourced from the HYPR-Device-OS-Version HTTP header. |
| Model | wsModel | Workstation model number. Sourced from the HYPR-WS-Model HTTP header. |
| OS | wsOS | Workstation operating system. Sourced from the HYPR-WS-OS HTTP header. |
| Machine ID | machineId | A HYPR-generated machine identifier. In this case, Machine refers to the entity requesting authentication. Possible Values: Website Accessing the same website in different browsers is considered to be the same machine. machineId is derived assha256(window.location.hostname + user + rpAppID)WorkStation The UUID generated upon Workstation install. This is not related to the underlying OS. The machineId remains constant through the life of the install or upgrade. A re-install of the Workstation will generate a new machineId." |
| Machine Type | machineType | Defines when a machine is persisted/non-persisted with a local, web, or domain account. |
| Workforce Access Version | wsRelVersion | Version of the HYPR Workforce Access client. Sourced from the HYPR-WS-Release-Version HTTP header. |
| Offline Access Enabled | offlineAccessEnabled | Toggle Offline Access. Possible Values: True, False |
| Offline Token Length | offlineTokenLength | Length of the offline token. |
| Offline Token Count | offlineTokenCount | Total number of offline tokens. |
| Offline Access Days | offlineAccessDays | Number of days remaining on offline tokens. |
| Tokens Available | tokensAvailable | Number of tokens available. |
| Tokens Remaining | tokensRemaining | Number of tokens remaining. |
Server
| Label | Parameter | Description |
|---|---|---|
| Node ID | node | IP address of the node. |
| Version | serverRelVersion | Version of the HYPR Control Center. |
Web
| Label | Parameter | Description |
|---|---|---|
| Extended Message | extendedMessage | Additional details. |
| Machine Name | machineName | Unique name of the machine. |
Event Log File (On-premises Only)
HYPR generates Event log files for tracing errors and Events, and to help integration with SIEM tools such as Splunk, Greylog, etc.
Control Center Event Log File
The CC Event log is located under the /opt/hypr/<server install dir> logs directory. It contains all Control Center Events.
UAF Event Log File
The UAF Event log is located in the /opt/hypr/<server install dir> logs directory. This contains all UAF Events.
Updated 10 days ago