Event Descriptions

Each single captured Event is a result of a successful or failed attempt. Events appear in the Audit Trail, in the Control Center (CC) logs, in the HYPR Dashboard for Splunk, and in API call results.

📘
Invisible Events
Not every Event is listed in the CC Audit Trail or HYPR Dashboard for Splunk; some only appear in API responses or CC logs.

Event data is stored in a separate schema away from the critical HYPR FIDO databases. This allows registration, authentication, and deregistration flows to continue functioning without being affected. The connection information to this schema can be found in the Vault; a HYPR representative can help you find it. The settings for the Audit Trail schema will be automatically set up for you during installation.

We anticipate that potentially millions of records could exist in this database. We have included a means to roll over the data. This mechanism will be described in detail at the bottom of this guide.

`eventTags`

Most Events fall under one of the following eventTags categories; those that do not are listed last. Table listings under the following categories are sorted by the Action column.

A list of Event Parameters follows the event descriptions.

ADMIN Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
LOGIN	CC Access	CONTROL_CENTER_SERVER	The user logged in to Control Center.
LOGOUT	CC Access	CONTROL_CENTER_SERVER	Logout from Control Center web console.
FIDO2_METADATA	FIDO2 Metadata	CONTROL_CENTER_SERVER	FIDO2 metadata statement with AAGUID modified. aaguid = {aaguid}
CREATE_INTEGRATION	IdP Integrations	RELYING_PARTY_SERVER	Successfully added an IdP integration.
DELETE_INTEGRATION	IdP Integrations	RELYING_PARTY_SERVER	Successfully deleted the IdP integration.
DISABLE_INTEGRATION	IdP Integrations	RELYING_PARTY_SERVER	Successfully disabled the IdP integration.
ENABLE_INTEGRATION	IdP Integrations	RELYING_PARTY_SERVER	Successfully enabled the IdP integration.
REFRESH_INTEGRATION	IdP Integrations	RELYING_PARTY_SERVER	Successfully refreshed the IdP integration. OR Failed to refresh the IdP integration.
SUSPEND_INTEGRATION	IdP Integrations	RELYING_PARTY_SERVER	Successfully suspended the IdP integration.
UPDATE_INTEGRATION	IdP Integrations	RELYING_PARTY_SERVER	Successfully updated the IdP integration details.
AUTHENTICATOR_DISABLED	RP Application	CONTROL_CENTER_SERVER	The authenticator was disabled for this rpAppId. Authentication requests using this authenticator will fail. aaid={aaid} rpAppId={appId}
AUTHENTICATOR_ENABLED	RP Application	CONTROL_CENTER_SERVER	The authenticator was enabled. aaid={aaid} rpAppId={rpAppId}
CREATE_APP	RP Application	CONTROL_CENTER_SERVER	{rpAppId} was succesfully created.
CREATE_APP_ACTION	RP Application	[Not Logged]	An authentication or registration policy was created for {rpAppId}.
DELETE_APP	RP Application	CONTROL_CENTER_SERVER	Associated settings have been deleted.
DELETE_APP_ACTION	RP Application	CONTROL_CENTER_SERVER	Delete action for {rpAppId}.
DELETE_APP_CONFIG	RP Application	RELYING_PARTY_SERVER	RP Application configuration has been deleted. config: {{config.toStringTruncateValue()}
SAVE_APP_CONFIG	RP Application	RELYING_PARTY_SERVER	The Application configuration was saved. One or more of the following changed: - Theme color, logo, title, or messaging - Push and/or QR enablement toggle - Desktop SSO enablement toggle - Timeout configuration
UPDATE_APP	RP Application	CONTROL_CENTER_SERVER	{rpAppId} was succesfully updated.
UPDATE_APP_ACTION	RP Application	CONTROL_CENTER_SERVER	Update action for {rpAppId}.
USERNAME DISSOCIATE	Username Aliases and Emails	RELYING_PARTY_SERVER	All associations with an email or alias have been deleted.
USERNAME ASSOCIATE	Username Aliases and Emails	RELYING_PARTY_SERVER	The username has been associated with {this}.

REGISTRATION Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
FIDO_ONLY_REG	FIDO Core	UAF_SERVER MobileDevice WEB	FIDO registration. The registration policy is supplied by the server. The device generates a cryptographic key pair, then sends the public key to the server. The user provides a second factor (touch/PIN/native/etc.) to safeguard the key. Typical problems: - The Application's policy(-ies) is not configured properly in Control Center - The authenticator specified by the policy is not available on the phone
FIDO2_DEVICE_REG	FIDO2 Keys	RELYING_PARTY_SERVER	User {userName} initiated FIDO2 key registration.
FIDO2_DEVICE_REG_COMPLETE	FIDO2 Keys	RELYING_PARTY_SERVER	A successful platform or security key registration was attempted on a mobile device. The browser running on the mobile device used WebAuthn with the Relying Party. Success: FIDO2 key registered Failure: Session not found for challenge , [expired \| false]. Please contact HYPR customer support and report this issue. ExceptionId:
OOB_DEVICE_REG	Registration	RELYING_PARTY_SERVER MobileDevice	The device scans the QR code and sends starts the registration process. A `sessionId` is generated and returned as a part of the response. The initial handshake between the client (browser/workstation) is now complete. Typical problems: - PIN mismatch due to a timeout - Multiple scans of the same QR code
OOB_DEVICE_PAIRED (was OOB_DEVICE_REG_COMPLETE)	Registration	RELYING_PARTY_SERVER	This is the final step in the registration process. Confirmation was received from the Device. The device registration record has been saved.
OOB_DEVICE_PAIRED (was OOB_DEVICE_REG_COMPLETE)	Registration	RELYING_PARTY_SERVER	The device started registration successfully. The PIN has been matched successfully. The Relying Party connection is OK. The device can now proceed to attempt a FIDO registration.
OOB_DEVICE_PAIRED (was OOB_DEVICE_REG_COMPLETE)	Registration	RELYING_PARTY_SERVER	A successful FIDO authentication was completed on a mobile device. Use `traceId` to match this event with the WORKSTATION_AUTH authentication start. traceId={traceId}
OOB_GET_REG_DEVICES	Registration	RELYING_PARTY_SERVER	Listing request for mobile devices or security keys registered to the user.
OOB_WEBSITE_REG	Registration	RELYING_PARTY_SERVER MobileDevice WEB	The opening registration request from the browser or workstation. The client now waits for the mobile to scan QR. Started.
OOB_WEBSITE_REG	Registration	RELYING_PARTY_SERVER MobileDevice WEB	The client setup is complete. The `sessionId` is returned to the client This indicates that the device has finished enrolling the user key pair. Registration is not yet complete.
OOB_WEBSITE_REG	Registration	RELYING_PARTY_SERVER MobileDevice WEB	The opening registration request call from the browser or workstation. The client now waits for the mobile device to scan a QR code. Typical problems: - The Application is not setup in Control Center - The HYPR license is invalid
OOB_WORKSTATION_REG	Registration	RELYING_PARTY_SERVER MobileDevice Workstation	FIDO registration was started.
SMARTKEY_ENROLL	SmartKey Phase 1	RELYING_PARTY_SERVER Workstation	Enrolling the security key. enrollmentRequest={req}
SMARTKEY_ENROLL_COMPLETE	SmartKey Phase 1	RELYING_PARTY_SERVER	Security key enrollment succeeded.

WEB_REGISTRATION Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
MOBILE_CONFIRMED_CERTIFICATE_RENEWAL	Web Registration	[Not Logged]	The mobile device's certificate renewal is complete.
MOBILE_CONFIRMED_NEW_CERTIFICATE	Web Registration	RELYING_PARTY_SERVER	The mobile device confirms workstation certificate processing.
MOBILE_NOTIFIED_OF_CERTIFICATE_RENEWAL	Web Registration	[Not Logged]	The mobile device was informed of successful certificate renewal.
MOBILE_NOTIFIED_OF_NEW_CERTIFICATE	Web Registration	RELYING_PARTY_SERVER	The mobile device has been notified of the workstation certificate's availability.
WORKSTATION_CERTIFICATE_ISSUED	Web Registration	RELYING_PARTY_SERVER	The certificate was issued by the enrollment service.
WORKSTATION_CERTIFICATE_REQUESTED	Web Registration	RELYING_PARTY_SERVER	A certificate request has been queued up for the Enrollment service.
WORKSTATION_CERTIFICATE_REVOKED	Web Registration	[Not Logged]	The workstation certificate was revoked.
WORKSTATION_ENROLLED	Web Registration	RELYING_PARTY_SERVER	Workstation enrolled. {machineName}

AUTHENTICATION Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
EXTERNAL_AUTH_COMPLETE	Auth (OOB \| Browser \| DM \| Java SDK)	RELYING_PARTY_SERVER	Workstation [unlock \| login] using [deviceType].
KC_USER_TEMPORARILY_DISABLED	Auth (OOB \| Browser \| DM \| Java SDK)	RELYING_PARTY_SERVER	user: REDACTED is temporarily disabled by brute force detection
KC_POSSIBLE_BRUTE_FORCE_AUTH_ATTEMPT	Auth (OOB \| Browser \| DM \| Java SDK)	WEB	Users latest authentication attempt triggered brute force detection. Will eventually block user temporarily if this keeps occuring.
OOB_WEBSITE_AUTH	Auth (OOB \| Browser \| DM \| Java SDK)	RELYING_PARTY_SERVER WEB MobileDevice	The browser requests authentication from the HYPR server for the user. A push notification is sent to the mobile device asking it to authenticate. A `sessionId` is generated and returned as a part of the response. Typical problems: - Network conditions may create delays in receiving the push notification
OOB_WEBSITE_AUTH_COMPLETE	Auth (OOB \| Browser \| DM \| Java SDK)	RELYING_PARTY_SERVER	The client polls the server periodically to check if the mobile authentication is successful. The server returns the current status of authentication in the response message.
OOB_WEBSITE_TRANS	Auth (OOB \| Browser \| DM \| Java SDK)	RELYING_PARTY_SERVER MobileDevice	The browser requested authentication for a step transaction from the HYPR server. The HYPR server sent a push notification to the mobile device, asking it to authenticate.
DESKTOP_SSO	Desktop SSO	RELYING_PARTY_SERVER WORKSTATION	Desktop SSO started by web login attempt.
DESKTOP_SSO_COMPLETE	Desktop SSO	RELYING_PARTY_SERVER WORKSTATION	Desktop SSO completed by the workstation signing challenge.
FALLBACK_AUTHENTICATOR	Fallback Authentication	MobileDevice	Fallback authentication has been [ enabled \| disabled ] .
FIDO_ONLY_AUTH	FIDO Core	UAF_SERVER	FIDO authentication using the cryptographic key.
FIDO2_WEBAUTHN	FIDO2 Authentication	RELYING_PARTY_SERVER	A web authentication (webAuthn) attempt was made.
FIDO2_WEBAUTHN_COMPLETE	FIDO2 Authentication	RELYING_PARTY_SERVER	Web authentication (webAuthn) with {aaguid} was successful. OR Mobile device: Authentication as a platform authenticator or with a security key plugged into the mobile device. This is the use case where the browser running on the mobile device does WebAuthn with the Relying Party.
QR_FALLBACK_PAYLOAD_CACHED	QR Authentication	CONTROL_CENTER_SERVER	QR code was successfully cached for manual retrieval via QR Fallback deviceId=null, rpAppId={{rpAppId}}
QR_FALLBACK_PAYLOAD_RETRIEVED	QR Authentication	CONTROL_CENTER_SERVER RELYING PARTY_SERVER	[Success] Cached payload was retrieved using the respective activation code associated with creation. \n \n[Failure] Failed to find QR fallback payload using activation code provided. Please check code entered and retry.
SESSION_WEBSITE_AUTH	QR Authentication	MobileDevice	Authentication was attempted using a QR code.
SESSION_WEBSITE_AUTH_COMPLETE	QR Authentication	[Not Logged]	Authentication was completed using a QR code.
WORKSTATION_AUTH	Workstation Auth	RELYING_PARTY_SERVER MobileDevice Workstation	Start of the workstation unlock request from the device. This request is made when the user clicks the Unlock button in the HYPR App. A message is sent to the workstation to initiate unlock/login.
WORKSTATION_AUTH_COMPLETE	Workstation Auth	RELYING_PARTY_SERVER	Final confirmation that workstation unlock is successful. Client and device top off the offline tokens.
WORKSTATION_AUTH_COMPLETE	Workstation Auth	RELYING_PARTY_SERVER	The client has finished unlocking the workstation. The login confirmation message reached the workstation. Completed.
WORKSTATION_AUTH_COMPLETE	Workstation Auth	RELYING_PARTY_SERVER	The user has verified their physical presence at the workstation. Generally, this involves pressing Ctrl+Alt+Delete.
UNIVERSAL_QR_SCAN	Workstation Auth	MobileDevice	Operation canceled. The HYPR barcode scan was aborted by the user.
WORKSTATION_AUTH_JSON_SCAN	Workstation Auth	MobileDevice	A mobile device was used to initiate a workstation lock or unlock event.
WORKSTATION_AUTH_QR_SCAN	Workstation Auth	[Not logged]	A mobile device has been paired with a workstation via QR scan.

DEREGISTRATION Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
MOBILE_INITIATED_WEBSITE_DELETE	Delete	RELYING_PARTY_SERVER MobileDevice	A deregistration request was initiated from a mobile device for a website. The mobile user clicked on the Delete Web Account button.
MOBILE_INITIATED_WORKSTATION_DELETE	Delete	RELYING_PARTY_SERVER MobileDevice	A deregistration request was initiated from a mobile device for a workstation. The mobile user clicked on the Delete Computer button.
OOB_WEBSITE_INITIATED_DELETE	Delete	RELYING_PARTY_SERVER	A deregistration request was initiated from the web account or Control Center.
OOB_DEVICE_UNPAIRED (was WORKSTATION_INITIATED_DELETE)	Delete	RELYING_PARTY_SERVER Workstation MobileDevice	A deregistration request was initiated from the workstation. The user clicked on the Delete Mobile Device button in the HYPR app on the computer.
FIDO_ONLY_DEREG	FIDO Core	UAF_SERVER MobileDevice WEB	FIDO registration is deleted. It can no longer be used to authenticate.
FIDO2_DEVICE_DEREG	FIDO2 Keys	RELYING_PARTY_SERVER	FIDO2 key {aaid} deleted for user {userName}.
FIDO2_DEVICE_RESET	FIDO2 Keys	RELYING_PARTY_SERVER	[FIDO2 key {aaid} reset for user {userName}.
MOBILE_INITIATED_WORKSTATION_UNPAIRED	FIDO2 Keys	RELYING_PARTY_SERVER	A deregistration request was initiated from a mobile device for a workstation. The mobile user clicked on the Delete Computer button.

OFFLINE_ACCESS Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
OFFLINE_TOKEN_ACCESS	Workstation-related	MobileDevice	Offline token access request.
OFFLINE_TOKEN_AUTH	Workstation-related	Workstation	Authentication using Offline Mode. A mobile app user used an Offline Mode PIN to login to the workstation.

SMART_KEY Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
SMARTKEY_CC_INITIATED_UNENROLL	SmartKey Phase 1	RELYING_PARTY_SERVER	The security key was unenrolled from Control Center. Please remove the certificate from the Certificate Authority using the following command: `certutil -revoke ${req.smartKeyCertificateSerialNumber} 8`
SMARTKEY_PIN_CHANGE	SmartKey Phase 1	Workstation	An attempt was made to change the security key PIN.
SMARTKEY_PIN_VERIFICATION	SmartKey Phase 1	Workstation	The security key PIN was verified.
SMARTKEY_WORKSTATION_INITIATED_UNENROLL	SmartKey Phase 1	RELYING_PARTY_SERVER Workstation	The security key was unenrolled from the workstation. Please remove the certificate from the Certificate Authority using the following command: `certutil -revoke ${req.smartKeyCertificateSerialNumber} 8`
SMARTKEY_AUTH	SmartKey Phase 2	[Not Logged]	Authentication was attempted on a workstation using a security key.
SMARTKEY_AUTH_COMPLETE	SmartKey Phase 2	Workstation	Authentication was completed using a security key.
SMARTKEY_PIN_PUK_CHANGE	SmartKey Phase 2	[Not Logged]	A PIN Unblocking Key (PUK) for a smart key has been changed.
SMARTKEY_PIN_PUK_VERIFICATION	SmartKey Phase 2	[Not Logged]	A PIN Unblocking Key (PUK) for a smart key has been verified as part of a PIN reset.

ACCESS_TOKEN (ADMIN) Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
ACCESS_TOKEN_CREATE	Access Tokens	RELYING_PARTY_SERVER	Endpoint API token creation request; this event is typically from the the browser token management UI.
ACCESS_TOKEN_REVOKE	Access Tokens	RELYING_PARTY_SERVER	Endpoint API token revoked. tokenId={token.id} revokedBy={user}

ENDPOINT_API_ACCESS_TOKEN (ADMIN) Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
ENDPOINT_API_ACCESS_TOKEN_CREATE	Endpoint API Access Token	RELYING_PARTY_SERVER	The endpoint API token was created. Scope = [DEVICE \| WORKSTATION] tokenId = {truncated_token}
ENDPOINT_API_ACCESS_TOKEN_EXCHANGE	Endpoint API Access Token	RELYING_PARTY_SERVER	The workstation install token was successfully exchanged. tokenId={truncated_token}
ENDPOINT_API_ACCESS_TOKEN_EXCHANGE_FAILED	Endpoint API Access Token	RELYING_PARTY_SERVER MobileDevice	The workstation install token exchange failed. tokenId={truncated_token}
ENDPOINT_API_ACCESS_TOKEN_REVOKE	Endpoint API Access Token	RELYING_PARTY_SERVER	The endpoint API token was successfully revoked. tokenId={token.id} revokedBy=$user

RECOVERY_PINS (ADMIN) Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
RECOVERY_PIN_AUTH	Recovery PINs	Workstation	Authorization was attempted using a recovery PIN.
RECOVERY_PIN_REVEAL	Recovery PINs	CONTROL_CENTER_SERVER RELYING_PARTY_SERVER	The recovery PIN was revealed via either the CC Admin UI or an API call.
RECOVERY_PINS_DELETE	Recovery PINs	[Not Logged]	The recovery PIN was deleted. HYPR recommends generating new recovery PINS.
RECOVERY_PINS_GENERATED	Recovery PINs	RELYING_PARTY_SERVER	The recovery PIN has been saved.
RECOVERY_PINS_RE_GENERATED	Recovery PINs	RELYING_PARTY_SERVER	The recovery PINs have been re-saved.
RECOVERY_PINS_SETUP	Recovery PINs	[Not Logged]	Recovery PINS were created.

MAGIC_LINK (ADMIN) Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
MAGIC_LINK_CREATE	Magic Links	CONTROL_CENTER_SERVER RELYING_PARTY_SERVER	Magic link created.
MAGIC_LINK_DELETE	Magic Links	CONTROL_CENTER_SERVER	Deleting pending magic links for: username={userName} rpAppId={rpAppId}
MAGIC_LINK_EXP_DELETE_EXISTING_AFTER_NEW	Magic Links	CONTROL_CENTER_SERVER	Deleting existing magic links after creating new a one for the same username.
MAGIC_LINK_EXP_DELETED_EXISTING	Magic Links	CONTROL_CENTER_SERVER	Pre-existing magic links have been deleted. Only one magic link can be alive at a given time.
MAGIC_LINK_EXP_RESEND_EMAIL_MSG_TO_HAAS	Magic Links	CONTROL_CENTER_SERVER	An invitation email has been generated and sent to {userName}.
MAGIC_LINK_EXP_USERNAME_NOT_FOUND	Magic Links	CONTROL_CENTER_SERVER	Username not found. Unable to resend an email to HYPR with a new magic link message.
MAGIC_LINK_EXPIRED_OR_USED	Magic Links	RELYING_PARTY_SERVER	This magic link is invalid or has expired.
MAGIC_LINK_NOT_FOUND	Magic Links	CONTROL_CENTER_SERVER	Cannot find a magic link for the token given. Verify that the token is correct and try again.

FEATURE_FLAGS (ADMIN) Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
FEATURE_FLAG_TOGGLE	Feature Flags	RELYING_PARTY_SERVER	Feature Flag toggled.

CREATE_USER, DELETE_USER Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
DELETE_USER	Deleting RP User from CC	RELYING_PARTY_SERVER	{userName} was deleted from the Control Center using the API token belonging to {userPerformingDelete}. [if no devices left] {userName} has no remaining registrations after removing {deviceId}. Deleting the user record.
MAGIC_LINK_CREATE_USER	Magic Links	RELYING_PARTY_SERVER	{userName} was invited to Control Center via magic link and email.

SYSTEM_CHECK Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
BATCH_DB_UPDATE	System Checks	CONTROL_CENTER_SERVER	The background process to update the database failed; contact your administrator immediately.
DB_CRYPTO_VALIDATION_PROBLEM	System Checks	CONTROL_CENTER_SERVER	The database data integrtity check failed. Data has potentially been tampered with. Check affected user activity in the Audit Trail and Logs for suspicious authentication attempts. Try to register again.
FIDO_CERT_EXPIRY_CHECK	System Checks	RELYING_PARTY_SERVER	Certificate Expiration Notice. FIDO certificates are monitored for expiry based on days remaining: < 90 = High Criticality 90 - 150 = Medium Criticality > 150 = Low Criticality If the event is not logged as `success=false`, it passed the check.
LICENSE_VALIDATION_PROBLEM	System Checks	RELYING_PARTY_SERVER	INVALID_LICENSE: Details: Please upload a HYPR license key with a valid domain. Creating and updating RP applications will not be permitted until a valid license is uploaded.
MOBILE_CERT_RENEWAL_EXPIRY_CHECK	System Checks	RELYING_PARTY_SERVER MobileDevice	Certificate Expiration Notice. Mobile device certificates are monitored for expiry based on days remaining: < 90 = High Criticality 90 - 150 = Medium Criticality > 150 = Low Criticality If the event is not logged as `success=false`, it passed the check.
UAF_CERT_EXPIRY_CHECK	System Checks	RELYING_PARTY_SERVER	Certificate Expiration Notice. UAF certificates are monitored for expiry based on days remaining: < 90 = High Criticality 90 - 150 = Medium Criticality > 150 = Low Criticality If the event is not logged as `success=false`, it passed the check.

SETTINGS Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
SSL_PINS_UPDATED	Global Config	MobileDevice Workstation	SSL pins have been synched across HYPR. [Fail] Error updating SSL pins: Operation failed
UPDATE_SERVER_GLOBAL_CONFIG	Global Config	RELYING_PARTY_SERVER	Support email has been updated. Support display name has been updated. OR Support email has been deleted.
FIDO2_POLICY	Settings	RELYING_PARTY_SERVER	Updated FIDO2 policy.
FIDO2_SETTINGS	Settings	RELYING_PARTY_SERVER	{Client origin URL} has been [ enabled \| disabled ]

RADIUS Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
RADIUS_CLIENT_CREATE	RADIUS Clients	CONTROL_CENTER_SERVER	The Radius server client was created. id={radiusClientId}
RADIUS_CLIENT_DELETE	RADIUS Clients	CONTROL_CENTER_SERVER	The Radius server client was deleted. id={radiusClientId}
RADIUS_CLIENT_UPDATE	RADIUS Clients	CONTROL_CENTER_SERVER	The Radius server client was updated. id={radiusClientId}
RADIUS_CONFIG_CREATE	RADIUS Servers	CONTROL_CENTER_SERVER	The Radius server configuration was created. id={configCreated.radiusConfigId}
RADIUS_CONFIG_DELETE	RADIUS Servers	CONTROL_CENTER_SERVER	The Radius server configuration was deleted. id={radiusConfigId}
RADIUS_CONFIG_UPDATE	RADIUS Servers	CONTROL_CENTER_SERVER	The Radius server configuration was updated. id={updatedConfig.radiusConfigId}
RADIUS_INTEGRATION_CREATE	RADIUS Servers	CONTROL_CENTER_SERVER	The Radius integration was created. id={createdIntegration.id}
RADIUS_INTEGRATION_DELETE	RADIUS Servers	CONTROL_CENTER_SERVER	The Radius integration was deleted. id={radiusIntConfigId}
RADIUS_ONBOARDED	RADIUS Servers	CONTROL_CENTER_SERVER	Radius integration onboarded. id={newIntegration.id}
RADIUS_SERVER_CREATE	RADIUS Servers	CONTROL_CENTER_SERVER	The Radius server was created. id={createdServer.radiusServerId}
RADIUS_SERVER_DELETE	RADIUS Servers	CONTROL_CENTER_SERVER	The Radius server was deleted. id={radiusServerId}
RADIUS_SERVER_UPDATE	RADIUS Servers	CONTROL_CENTER_SERVER	The Radius server was updated. id={radiusServerId} radiusConfigId={radiusServer.radiusConfigId}

SUPPORT_ACCESS Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
SUPPORT_ACCESS_ENABLED	Support Access	RELYING_PARTY_SERVER	HYPR Support access enabled.
SUPPORT_ACCESS_DISABLED	Support Access	RELYING_PARTY_SERVER	HYPR Support access disabled.
SUPPORT_ACCESS_EXPIRATION_DATE_CHANGED	Support Access	RELYING_PARTY_SERVER	HYPR Support access expiration date set.
SUPPORT_ACCESS_EXPIRATION_DATE_EXCEEDED_BLOCKING_ACCESS	Support Access	RELYING_PARTY_SERVER	Blocked HYPR Support access due to expiration date exceeded.
SUPPORT_ACCESS_NEW_EXPIRATION_DATE_APPLICABLE_ENABLING_ACCESS	Support Access	RELYING_PARTY_SERVER	Enabled HYPR Support access due to expiration date no yet exceeded.
SUPPORT_ACCESS_ADDED_EMAILS_TO_ALLOW_LIST	Support Access	RELYING_PARTY_SERVER	Email added to list.
SUPPORT_ACCESS_REMOVED_EMAILS_FROM_ALLOW_LIST	Support Access	RELYING_PARTY_SERVER	Email removed from list.
SUPPORT_ACCESS_ALLOWANCE_CHANGED_FROM_ALLOW_LIST_TO_ALL	Support Access	RELYING_PARTY_SERVER	All HYPR employees are allowed to have access.
SUPPORT_ACCESS_ALLOWANCE_CHANGED_FROM_ALL_TO_ALLOW_LIST	Support Access	RELYING_PARTY_SERVER	Only HYPR employees on the list are allowed to have access.
SUPPORT_ACCESS_EXPIRATION_DATE_ENABLED	Support Access	RELYING_PARTY_SERVER	Changed from indefinite access to expiration date.
SUPPORT_ACCESS_EXPIRATION_DATE_DISABLED	Support Access	RELYING_PARTY_SERVER	Changed from expiration date to indefinite access.
SUPPORT_ACCESS_DENIED_TENANT_ACCESS_ATTEMPT_EXPIRATION_DATE_EXCEEDED	Support Access	RELYING_PARTY_SERVER	Denied HYPR Support access - expiration date exceeded.
SUPPORT_ACCESS_SUCCESSFUL_TENANT_ACCESS_ATTEMPT	Support Access	RELYING_PARTY_SERVER	Successful HYPR Support tenant access.
SUPPORT_ACCESS_DENIED_TENANT_ACCESS_ATTEMPT_UNAUTHORIZED	Support Access	RELYING_PARTY_SERVER	Denied HYPR Support access - unauthorized.
SUPPORT_ACCESS_DENIED_TENANT_ACCESS_ATTEMPT_SUPPORT_ACCESS_DISABLED	Support Access	RELYING_PARTY_SERVER	Denied HYPR Support access - access disabled.
SUPPORT_ACCESS_MAGIC_LINK_SESSION_EXPIRED	Support Access	RELYING_PARTY_SERVER	HYPR Support Magic Link session expired.

RISK_ENGINE Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
ADAPT_POLICY_EVALUATION	Risk Engine	CONTROL_CENTER_SERVER	Adapt policy evaluation was successful for , rpAppId=, traceId=<traceId, if applicable; may be empty>
ADAPT_CREATE_POLICY	Risk Engine	CONTROL_CENTER_SERVER	Created new Adapt authentication policy for this tenant.
ADAPT_UPDATE_POLICY	Risk Engine	CONTROL_CENTER_SERVER	Update an Adapt authentication policy for this tenant.
ADAPT_DELETE_POLICY	Risk Engine	CONTROL_CENTER_SERVER	Deleted Adapt authentication policy for this tenant.

SIGNAL Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
DEVICE_SIGNAL_RECEIVED	Signals	RELYING PARTY_SERVER	Successfully posted the device security state.
WORKSTATION_SIGNAL_RECEIVED	Signals	RELYIN_PARTY_SERVER	Successfully posted the workstation security state.
BROWSER_SIGNAL_RECEIVED	Signals		Successfully posted the browser security state.

ERROR Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
EXCEPTION	Error	RELYING_PARTY_SERVER	Captures any oddities that may occur on the mobile, workstation, or web components.

WORKSTATION_STATE Events

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
WORKSTATION_SOCKET_CONNECT	Workstation State	Workstation	The workstation web socket was connected.
WORKSTATION_SOCKET_DISCONNECT	Workstation State	[Not Logged]	The workstation web socket was disconnected.
WORKSTATION_CONFIGURATION	Workstation State	[Not Logged]	The workstation was configured successfully.
WORKSTATION_STARTUP	Workstation State	[Not Logged]	The workstation was started. Usually this indicates the user powered on or rebooted the computer.
WORKSTATION_SHUTDOWN	Workstation State	[Not Logged]	The workstation was shut down. Usually this indicates the user powered off or rebooted the computer.
WORKSTATION_LOCK	Workstation State	RELYING_PARTY_SERVER Workstation	A request was issued to lock the workstation. {deviceId(deviceIdParam)}
WORKSTATION_UPGRADE	Workstation State	[Not Logged]	The workstation was upgraded.

MISCELLANEOUS Events (no `eventTags`)

Event (`eventName`)	Action	Source (`eventLoggedBy`)	Description (`message`)
WESBITE_AUTH	Authentication	MobileDevice	Operation failed. Your request to authenticate this device didn't complete in time. Fingerprint timeout reached. Try again.
MOBILE_CERTIFICATE_REENROLLMENT	Certificate Renewal	RELYING_PARTY Workstation MobileDevice	The certificate was re-issued by the enrollment service.
DEFAULT	Core System	[Not Logged]	A default entry for anomalous events.
UNKNOWN	Core System	[Not Logged]	EventName= {name} is not known to this version of the server. The event may have been introduced in a newer version of the server.
LOG_SUBMISSION	Log Submission	CONTROL_CENTER_SERVER RELYING_PARTY_SERVER	{clientType} client logs were submitted successfully. OR {clientType} client logs were submitted successfully by {userName}. OR WINDOWS client logs were submitted successfully by {machineUserName}.
AUTH_DENIED_LOW_VERSION	Version Control Feature Flag	[Not Logged]	Authentication was denied due to a prohibitively low version of Control Center.
REG_DENIED_LOW_VERSION	Version Control Feature Flag	[Not Logged]	Registration was denied due to a prohibitively low version of Control Center.
MOBILE_INITIATED_WORKSTATION_LOCK	Workstation-related	[Not Logged]	The mobile device initiated a workstation lock action.

Event Parameters

Each Event will provide the following parameters, data permitting.

📘
Event Data Model Parameters vs. Log Parameters
Labels in plain text are directly from the Event Data Model, while those in italics are generated for the logs and may be used in the Audit Trail and HYPR Dashboard for Splunk.

Label	Parameter	Description
Event ID	`id`	Unique identifier for the Event.
Schema Version	`version`	The Event schema version.
Event Type	`type`	Event classification. For API log requests, this will always be AUDIT.
Event	`eventName`	The name of the Event.
Message	`message`	A message giving a brief recount of the Event.
SubEvent	`subName`	An Event might be broken into sub-steps. The SubEvent distinguishes the various steps. Typically it is the URI of the request.
Logged By	`eventLoggedBy`	The component which logged the Event. Success Events are mostly (but not necessarily) logged by the server. Failure Events are sent by the HYPR Mobile App, HYPR Passwordless, or HYPR SDK if something goes wrong. Possible Values: MobileDevice, RELYING_PARTY_SERVER, CONTROL_CENTER_SERVER, Web, Workstation, Browser, UAF_SERVICE, ENROLLMENT_SERVICE
Time	`eventTimeInUTC`	The time of the Event in UTC format.
Logged	`loggedTimeInUTC`	The time the server logged the Event in UTC format.
Tenant	`tenantId`	Identifier for the HYPR Control Center server. Sourced from the `HYPR-TenantID` HTTP header or from the `hypr.rp.cacheNamespace` Vault prop.
Remote IP	`remoteIP`	The IP address of the node submitting the Event. Sourced from the `X-Forwarded-For` HTTP header in the request.
User Agent	`userAgent`	Identifies the application, operating system, vendor, and/or version of the Event's requesting user agent. Sourced from the `User-Agent` HTTP header.
Trace ID	`traceId`	An identifier to assist Support in tracking the Event. If the header is missing, the server starts a new trace. Sourced from the `X-B3-TraceId` HTTP header.
Session ID	`sessionId`	Unique identifier of the web session.
Additional Details	`additionalDetails`	A map of discretionary data supplied for an Event; used to capture attributes not available in the Event object.
Status	`isSuccessful`	Status of the individual Event. Possible Values: true, false
Error Code	`errorCode`	The HYPR Error code associated with the Event, if any. This value must be populated if `isSuccessful`=false. See also HYPR Error Codes Troubleshooting Table.
Error Severity	`errorSeverity`	The impact level of the Event causing the error. Possible Values: WARN, ERROR, FATAL, null (default)
RP Application ID	`rpAppId`	The camel case unique identifier of the relying party application generating the Event.
FIDO User	`fidoUser`	A machine-readable user handle representing a FIDO registration.
Username	`machineUserName`	HYPR name for the user generating the Event. Typically associated with `fidoUser`.
Authenticator	`authenticator`	Authenticator GUID/ID logged with the following Events: GUID for FIDO2 Authentication FIDO2_DEVICE_DEREG FIDO2_WEBAUTHN_COMPLETE FIDO2_DEVICE_REG_COMPLETE ID for UAF FIDO_ONLY_AUTH FIDO_ONLY_DEREG FIDO_ONLY_REG
Usage Type	`usageType`	Currently not used.
Integration Type	`integrationType`	The type of integration upon which the Event occurs.
Integration Provider	`integrationProvider`	The type of integration provider for the Event, based on the `rpAppId`.

Specific Parameters

The following parameters will appear only when a specific Event type is triggered.

Device (Includes Security Keys)

Label	Parameter	Description
OS	`deviceOS`	Device operating system (Android/iOS/security key). Sourced from the `HYPR-Device-OS` HTTP header.
OS Version	`deviceOSVersion`	Device operating system version. For security keys, this will be the firmware version. Sourced from the `HYPR-Device-OS-Version` HTTP header.
Model	`deviceModel`	Device model number. Sourced from the `HYPR-Device-Model` HTTP header.
Device ID	`deviceId`	A HYPR-generated device identifier. `deviceId` stays same for the lifetime of the App. Reinstalling the App generates a new `deviceId`. In this case, Device may refer to a mobile device (90%) or another hardware device (Yubikey, etc.) which stores the private key/authenticator and performs authentication.
Device Type	`deviceType`	Represents any special indication of the device type triggering the Event.
HYPR Mobile App Version	`deviceRelVersion`	Version of the HYPR Mobile App. Sourced from the `HYPR-Device-Release-Version` HTTP header.
SDK Version	`sdkRelVersion`	Version of the HYPR SDK. Sourced from the `HYPR-SDK-Release-Version` HTTP header.
Tokens Available	`tokensAvailable`	Number of Offline Mode tokens available.
Tokens Remaining	`tokensRemaining`	Number of Offline Mode tokens remaining.

Workstation

Label	Parameter	Description
Extended Message	`extendedMessage`	An additional message from the workstation regarding the Event.
OS Version	`wsOSVersion`	Workstation operating system version. Sourced from the `HYPR-Device-OS-Version` HTTP header.
Model	`wsModel`	Workstation model number. Sourced from the `HYPR-WS-Model` HTTP header.
OS	`wsOS`	Workstation operating system. Sourced from the `HYPR-WS-OS` HTTP header.
Machine ID	`machineId`	A HYPR-generated machine identifier. In this case, Machine refers to the entity requesting authentication. Possible Values: Website Accessing the same website in different browsers is considered to be the same machine. `machineId` is derived as `sha256(window.location.hostname + user + rpAppID)` WorkStation The UUID generated upon Workstation install. This is not related to the underlying OS. The `machineId` remains constant through the life of the install or upgrade. A re-install of the Workstation will generate a new `machineId`."
Machine Type	`machineType`	Defines when a machine is persisted/non-persisted with a local, web, or domain account.
Workforce Access Version	`wsRelVersion`	Version of the HYPR Passwordless client. Sourced from the `HYPR-WS-Release-Version` HTTP header.
Offline Access Enabled	`offlineAccessEnabled`	Toggle Offline Access. Possible Values: True, False
Offline Token Length	`offlineTokenLength`	Length of the offline token.
Offline Token Count	`offlineTokenCount`	Total number of offline tokens.
Offline Access Days	`offlineAccessDays`	Number of days remaining on offline tokens.
Tokens Available	`tokensAvailable`	Number of tokens available.
Tokens Remaining	`tokensRemaining`	Number of tokens remaining.

Server

Label	Parameter	Description
Node ID	`node`	IP address of the node.
Version	`serverRelVersion`	Version of the HYPR Control Center.

Web

Label	Parameter	Description
Extended Message	`extendedMessage`	Additional details.
Machine Name	`machineName`	Unique name of the machine.

Event Log File (On-premises Only)

HYPR generates Event log files for tracing errors and Events, and to help integration with SIEM tools such as Splunk, Greylog, etc.

Control Center Event Log File

The CC Event log is located under the /opt/hypr/<server install dir> logs directory. It contains all Control Center Events.

UAF Event Log File

The UAF Event log is located in the /opt/hypr/<server install dir> logs directory. This contains all UAF Events.

eventTags

ADMIN Events

REGISTRATION Events

WEB_REGISTRATION Events

AUTHENTICATION Events

DEREGISTRATION Events

OFFLINE_ACCESS Events

SMART_KEY Events

ACCESS_TOKEN (ADMIN) Events

ENDPOINT_API_ACCESS_TOKEN (ADMIN) Events

RECOVERY_PINS (ADMIN) Events

MAGIC_LINK (ADMIN) Events

FEATURE_FLAGS (ADMIN) Events

CREATE_USER, DELETE_USER Events

SYSTEM_CHECK Events

SETTINGS Events

RADIUS Events

SUPPORT_ACCESS Events

RISK_ENGINE Events

SIGNAL Events

ERROR Events

WORKSTATION_STATE Events

MISCELLANEOUS Events (no eventTags)

Event Parameters

Specific Parameters

Device (Includes Security Keys)

Workstation

Server

Web

Event Log File (On-premises Only)

Control Center Event Log File

UAF Event Log File

`eventTags`

MISCELLANEOUS Events (no `eventTags`)