The Audit Trail is designed to help administrators discover if and when issues occur during registration, authentication, or transaction. HYPR captures this user activity data and provides access to it in a simple, easy-to-use interface, which lowers troubleshooting time and personnel resources so that the issue can be identified and remedied quickly.
The Audit Trail is a collection of user activity events that are captured by all components in the HYPR ecosystem. These captured events span the entire flow of operations, whether it's registration, authentication, de-registration, or a transaction. At every step of each HYPR request or response, an event is generated and collected with its corresponding information.
Event data is stored in a separate schema, away from the critical HYPR FIDO databases. This allows registration, authentication and de-registration flows to continue functioning without being affected. The connection information for this schema can be found in the Vault, or a HYPR representative can help you find it. The settings for the Audit Trail schema are set up automatically during installation.
We anticipate that this database could hold millions of records, so a data rollover mechanism exists. This mechanism is described in detail at the bottom of this guide.
Each single captured event is a result of a Successful or Failed attempt.
Events reported during the registration of the Web Account or Workstation with HYPR Mobile App.
Opening Registration request call from the Browser or Workstation. The client now waits for the mobile to scan the QR code.
Typical problems: Application is not set up in Control Center.
Device scans the QR code and starts the registration process from its side. A sessionId is generated and returned as a part of the response. Initial handshake between the client (Browser/Workstation) is now complete.
Device started the registration successfully. PIN has been matched successfully. RP connection is ok. Device can now proceed to do a FIDO registration.
Client setup step is done. The sessionId is returned to the Client
This indicates that the device has finished enrolling the user key pair. The registration process though, is not complete yet.
Client receives more registration information on the device and confirms completion on its side
Final registration complete confirmation by the Device. On success, a registration record will exist in the DB
Browser requests authentication from the HYPR server for the user in the context
Upon receiving the push message, the device prompts the user to authenticate
Client polls the server periodically to check if the mobile authentication is successful
Start of the Workstation unlock request from the Device. This request is made when the user clicks the unlock button in the HYPR app.
A message is sent to the workstation at this point to start unlock/login
Client has finished unlocking the Workstation.
The user has verified their physical presence at the workstation
Final confirmation that unlock is successful
Fido Only Dereg
Core FIDO De-registration.
OOB Website Trans
The initial call for Website transaction.
OOB Website Initiated Delete
Deregistration request initiated from the Web Account or Control Center.
Workstation Initiated Delete
Deregistration request initiated from Workstation. The user clicked on the delete mobile device button in the HYPR App on the computer.
Mobile Initiated Website Delete
Deregistration request initiated from Mobile for Website. The mobile user clicked on the delete web account button.
Mobile Initiated Workstation Delete
Deregistration request initiated from Mobile for Workstation. The mobile user clicked on the delete computer button.
Offline Token Access
Offline Token Access Request
Offline Token Auth
Authentication using Offline Mode. Mobile App user used Offline Mode PIN to log in to the workstation.
Workstation Socket Connect
Workstation Web Socket was Connected.
Workstation Socket Disconnect
Workstation Web Socket was Disconnected.
Workstation was configured.
Workstation was started. Usually this indicates that the user powered on or rebooted the computer.
Workstation was shut down. Usually this indicates that the user powered off or rebooted the computer.
Audit Action CC
Actions that the Control Center admin performs on authenticators, policies, and the Application settings.
Captures any oddities that may occur on the mobile, workstation or web components.
Each event will, available data permitting, provide the following
Time of the event
Username the registration was done with
An event might be broken into sub-steps. The sub event distinguishes the various steps. Typically, it's the URI of the request.
Status of the individual Event. Success or Failure.
Machine refers to the entity requesting authentication. Currently we support Website.
Device refers to the mobile device (90%) or another hardware device (YubiKey) that stores the private key/authenticator and performs the authentication.
The component which logged the event.
A message giving a brief recount of the event which happened.
Operating System of Mobile Device (Android/iOS)
Operating System version number
Mobile device model number
Version of HYPR SDK
Number of Offline Mode Tokens Available
Number of Offline Mode Tokens Remaining
An Additional Message from Workstation regarding the event
Operating System version
Operating System model
Offline Access Enabled
Offline Token Length
Length of the Offline Token
Offline Token Count
Total Number of Offline Tokens
Offline Access Days
Number of Days Remaining on Offline Tokens
Number of Tokens Available
Number of Tokens Remaining
I.P. of the node
Version of the Server
Unique name of the machine
The Audit Trail feature is Application specific and does not encompass a global scope as such. You can locate it in the left navigation panel of the Control Center under App Properties.
When you first click on the Audit Trail option, the last 10 minutes of Events will be displayed.
To expand the searchable timeframe, click the 'Calendar' icon.
Gets the last 24 Hours of Events
Gets the Events from Midnight to Current Time
Gets the Events from Yesterday
Last 7 days
Gets the Events from the last 7 days
Last 30 Days
Gets the Events from the last 30 days
You can also select a specific timeframe by clicking the start date and end date in the calendar. For a more precise timeframe search, you can also enter a time in HH:MM:SS format.
The Audit Trail allows searching by Username, Machine IDs, Session IDs or Device IDs. Searching on one of these identifiers allows the Admin to narrow down the action and resolve the issue without having to dig through the server logs. By quickly identifying a Failed event and cross-referencing it with a user, session, machineID or deviceID, you can further narrow down the root cause of the issue.
To export rows of the Audit Trail, select the checkbox next to the row you want to export and click the "Export" button. This will provide you with a CSV file with all selected rows.
You have found a Failed event that is a Timeout. By searching for the MachineID, you see that this particular user has many timeouts and errors which say "Did not receive anything from device". This could be a device issue. Check connectivity and try again.
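The cross-referencing described above can also be done offline on an exported CSV. The following is an added example, not HYPR code: the column names (`machineId`, `status`, `message`, and so on), the status strings and the sample rows are assumptions constructed for illustration, so match them to the header row of your own export.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export. The column names and status strings below are
# assumptions; adjust them to the header row of your own exported CSV.
SAMPLE_EXPORT = """\
timestamp,username,machineId,deviceId,sessionId,status,message
2024-01-10T09:00:05Z,alice,ws-0001,dev-a1,s-100,Failure,Did not receive anything from device
2024-01-10T09:02:41Z,alice,ws-0001,dev-a1,s-101,Failure,Did not receive anything from device
2024-01-10T09:05:13Z,alice,ws-0001,dev-a1,s-102,Success,Authentication complete
2024-01-10T09:30:00Z,alice,ws-0001,dev-a1,s-103,Failure,Did not receive anything from device
2024-01-10T09:31:00Z,bob,ws-0002,dev-b7,s-200,Failure,Application is not set up
2024-01-10T09:32:00Z,bob,ws-0002,dev-b7,s-201,Success,Authentication complete
"""


def load_events(csv_text):
    """Parse an exported Audit Trail CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def repeated_failures(events, key="machineId", threshold=3):
    """Group Failed events by an identifier and keep those at or above threshold.

    Returns {identifier: {"failures": n, "total": m, "top_message": str}}.
    """
    totals = Counter()
    messages = defaultdict(Counter)
    for row in events:
        ident = (row.get(key) or "").strip()
        if not ident:
            continue  # events without this identifier cannot be correlated
        totals[ident] += 1
        if (row.get("status") or "").strip().lower().startswith("fail"):
            messages[ident][(row.get("message") or "").strip()] += 1
    report = {}
    for ident, msgs in messages.items():
        failures = sum(msgs.values())
        if failures >= threshold:
            report[ident] = {"failures": failures, "total": totals[ident],
                             "top_message": msgs.most_common(1)[0][0]}
    return report


if __name__ == "__main__":
    for ident, stats in repeated_failures(load_events(SAMPLE_EXPORT)).items():
        print(ident, stats)
```

Pass `key="username"`, `key="sessionId"` or `key="deviceId"` to pivot on the other searchable identifiers.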
We keep the last 30 days of event data.
Every hour we archive the data that is older than 30 days into a backup table.
The backup retains data indefinitely.
With Server 3.8, HYPR is introducing Event log files for users who want to parse the log file to trace errors and events. It will also help to integrate with SIEM tools such as Splunk, Graylog, etc.
This is located under the /opt/hypr/<Server Install dir> logs directory. This contains all the events for the Control Center.
This is located under the /opt/hypr/<Server Install dir> logs directory. This contains all the events for UAF.
Mobile users should send the support email which will contain required debug information.
Support Email Configuration
Support email can be configured here.
Step 1: Check diagnostic email from the user
Step 2: Copy FIDO ID and paste it into the Audit Trail search
Step 3: Check HYPR Docs for error details and steps to resolve
You can integrate Audit Trail APIs into your application to leverage advanced search capabilities or improve integration with the existing system.
Learn more about API Access in our documentation.