Keyfactor Command Windows Event IDs
Keyfactor Command Windows Event IDs
Both Keyfactor Command and Keyfactor Orchestrators generate Windows event log messages for both normal activity and errors in the Windows application event log. Table 61: Keyfactor Command Windows Event IDs shows some of the more common event IDs generated by the Keyfactor Command server (source Certificate Management System or CMS Timer Job Servce). Table 63: Keyfactor Windows Orchestrator and Keyfactor Universal Orchestrator Windows Event IDs shows some of the more common event IDs generated by the Keyfactor Orchestrator (source Certificate Management System Agent). Depending on the features in use on your server, you may not see all these events in your log. These codes can be useful to set up log analysis platforms such as Splunk and Kibana.
Table 61: Keyfactor Command Windows Event IDs
Event ID |
Task Category | Description |
---|---|---|
200 | CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. Synchronization | Incremental CA synchronization started |
201 | CA Synchronization | Incremental CA synchronization finished |
210 | CA Synchronization | An error occurred during CA synchronization |
220 | CA Synchronization | Unable to connect to the CA during incremental CA synchronization |
221 | CA Synchronization | Unable to validate Keyfactor Command product license |
222 | CA Synchronization | Unable to read the Keyfactor Command database during incremental CA synchronization |
230 | CA Synchronization | Unable to connect to the CA during full CA synchronization |
300 | Monitoring | Monitoring service started |
301 | Monitoring | Monitoring engine started |
304 | Monitoring | Monitoring service timer elapsed |
305 | Monitoring | Monitoring service execution skipped |
306 | Monitoring | Monitoring job completed successfully |
307 | Monitoring | Monitoring engine failed |
310 | Monitoring | Monitoring job completed with errors |
322 | Monitoring | Unable to read the Keyfactor Command database during monitor job run |
323 | Monitoring | An error occurred refreshing a key rotation, cert expiration, CA Health, cert issued, pending cert, or query item alert service job |
330 | Monitoring | OCSP endpoint An endpoint is a URL that enables the API to gain access to resources on a server. is unavailable |
331 | Monitoring | OCSP endpoint is responding successfully |
340 | Monitoring | An error occurred configuring an expiration alert |
350 | Monitoring | An error occurred configuring a pending alert |
360 | Monitoring | An error occurred configuring an SSL TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. alert |
370 | Monitoring | An error occurred configuring the CRL A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted. |
371 | Monitoring | CRL endpoint location could not be contacted |
372 | Monitoring |
CRL at the endpoint is stale (past the CA's next publish date for the CRL but not yet at the expiration date) Note: If a CRL is both in the warning period and stale, only the event log message for stale will appear in the log. |
373 | Monitoring | CRL at the endpoint is in the warning period configured for email alerts (X days before expiration) |
374 | Monitoring | CRL is in a good state |
375 | Monitoring | CRL at the endpoint has expired |
380 | Monitoring | An error occurred configuring a SSRS reporting job, CRL alert jobs, or certificate authority A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. threshold jobs |
390 | Monitoring | Failed to configure the certificate authority threshold jobs |
391 | Monitoring | CA has failed to meet one of the threshold monitoring requirements |
410 | Web API A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. | A general error occurred during a Keyfactor API A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. request |
411 | Web API | Invalid token error occurred during a Keyfactor API request |
413 | Web API | Invalid template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. error occurred during a Keyfactor API request |
419 | Web API | Invalid user error occurred during a Keyfactor API request |
800 | Timer Service | Keyfactor Command Service started |
801 | Timer Service | Keyfactor Command Service stopped |
810 | Maintenance | A general Keyfactor Command Service maintenance error occurred. |
822 | Timer Service | Unable to read the Keyfactor Command database during Keyfactor Command Service job |
830 | Timer Service | Keyfactor Command Service jobs failed to start (alerts, monitoring, sync, other) |
930 | Timer Service | An orchestrator job configuration failed |
931 | Timer Service | An orchestrator job execution failed |
1001 | Maintenance | Keyfactor Command product license is approaching expiration |
1002 | Maintenance | Audit logs failed to write to the audit log destination |
1900 | Configuration Wizard | The configuration wizard was started |
1910 | Configuration Wizard | The configuration wizard finished |
1911 | Configuration Wizard | The configuration wizard database creation process started |
1912 | Configuration Wizard | The configuration wizard database upgrade process started |
1913 | Configuration Wizard | The configuration wizard database conversion process started |
1914 | Configuration Wizard | The configuration wizard database upgrade process completed successfully |
1915 | Configuration Wizard | The configuration wizard database creation process completed successfully |
1916 | Configuration Wizard | The configuration wizard database conversion process completed successfully |
1920 | Configuration Wizard | A general failure occurred for the configuration wizard |
1921 | Configuration Wizard | The configuration wizard database upgrade process failed |
1922 | Configuration Wizard | The configuration wizard database creation process failed |
1940 | Configuration Wizard | Configuration wizard general warning |
1941 | Configuration Wizard | Configuration wizard SSRS reporting config warning |
1942 | Configuration Wizard | Configuration wizard agent pool config warning |
2000 | Alert | Whitelist policy failure |
2300 | Expiration Renewal | Renewal handler was able to successfully renew a certificate |
2310 | Expiration Renewal | Renewal handler failed to renew a certificate |
2800 | User Authentication | User login to Management Portal was authenticated |
3000 | Alert | Execution of an alert (pending, issued, expiration, or key rotation) configured in the Management Portal failed. |
3001 | Alert | Execution of an alert (pending, issued, expiration, or key rotation) configured in the Management Portal succeeded. |
3002 | Alert | Execution of an alert (pending, issued, expiration, or key rotation) configured in the Management Portal was canceled. |
3003 | Alert | Execution of an alert (pending, issued, expiration, or key rotation) configured in the Management Portal started. |
3004 | Alert | A CA threshold monitoring alert failed. |
3005 | Alert | A CA threshold monitoring alert succeeded. |
3006 | Alert | A CA threshold monitoring alert was canceled. |
3007 | Alert | A CA threshold monitoring alert started. |
3008 | Alert | A CRL alert for a revocation monitoring location configured in the Management Portal failed. |
3009 | Alert | A CRL alert for a revocation monitoring location configured in the Management Portal succeeded. |
3010 | Alert | A CRL alert for a revocation monitoring location configured in the Management Portal was canceled. |
3011 | Alert | A CRL alert for a revocation monitoring location configured in the Management Portal started. |
3012 | Certificate Authority | Local CA sync failed. |
3013 | Certificate Authority | Local CA sync succeeded. |
3014 | Certificate Authority | Local CA sync was canceled. |
3015 | Certificate Authority | Local CA sync started. |
3016 | Other | Delivery of regularly scheduled reports has failed. |
3017 | Other | Delivery of regularly scheduled reports has succeeded. |
3018 | Other | Delivery of regularly scheduled reports has been canceled. |
3019 | Other | Delivery of regularly scheduled reports has started. |
3020 | Maintenance | The process to generate and assign metadata Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In the context of Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates. to certificates when they are imported into Keyfactor Command has started. |
3021 | Maintenance | The process to generate and assign metadata to certificates when they are imported into Keyfactor Command has failed. |
3022 | Maintenance | The process to generate and assign metadata to certificates when they are imported into Keyfactor Command has been canceled. |
3023 | Maintenance | The periodic process to generate and assign metadata to certificates when they are imported into Keyfactor Command has succeeded. |
3024 | Maintenance | The periodic process to remove any stored private keys in the Keyfactor Command database that have expired and are eligible for deletion has started. |
3025 | Maintenance | The periodic process to remove any stored private keys in the Keyfactor Command database that have expired and are eligible for deletion has failed. |
3026 | Maintenance | The periodic process to remove any stored private keys in the Keyfactor Command database that have expired and are eligible for deletion has been canceled. |
3027 | Maintenance | The periodic process to remove any stored private keys in the Keyfactor Command database that have expired and are eligible for deletion has succeeded. |
3028 | Maintenance | The periodic process to add audit log entries for large jobs started. |
3029 | Maintenance | The periodic process to add audit log entries for large jobs failed. |
3030 | Maintenance | The periodic process to add audit log entries for large jobs was canceled. |
3031 | Maintenance | The periodic process to add audit log entries for large jobs succeeded. |
3032 | Maintenance | The periodic process to remove any audit log history in the Keyfactor Command database that has expired and is eligible for deletion started. |
3033 | Maintenance | The periodic process to remove any audit log history in the Keyfactor Command database that has expired and is eligible for deletion failed. |
3034 | Maintenance | The periodic process to remove any audit log history in the Keyfactor Command database that has expired and is eligible for deletion was canceled. |
3035 | Maintenance | The periodic process to remove any audit log history in the Keyfactor Command database that has expired and is eligible for deletion succeeded. |
3036 | Maintenance | The periodic process to remove any SSL endpoint history in the Keyfactor Command database that is eligible for deletion started. |
3037 | Maintenance | The periodic process to remove any SSL endpoint history in the Keyfactor Command database that is eligible for deletion failed. |
3038 | Maintenance | The periodic process to remove any SSL endpoint history in the Keyfactor Command database that is eligible for deletion was canceled. |
3039 | Maintenance | The periodic process to remove any SSL endpoint history in the Keyfactor Command database that is eligible for deletion succeeded. |
3040 | Alert | The periodic process to update the temporary tables that store information on which certificates are in which certificate collections started. |
3041 | Alert | The periodic process to update the temporary tables that store information on which certificates are in which certificate collections failed. |
3042 | Alert | The periodic process to update the temporary tables that store information on which certificates are in which certificate collections was canceled. |
3043 | Alert | The periodic process to update the temporary tables that store information on which certificates are in which certificate collections succeeded. |
3044 | Maintenance | The periodic process to remove records from temporary files generated while running reports started. |
3045 | Maintenance | The periodic process to remove records from temporary files generated while running reports failed. |
3046 | Maintenance | The periodic process to remove records from temporary files generated while running reports was canceled. |
3047 | Maintenance | The periodic process to remove records from temporary files generated while running reports succeeded. |
3048 | Other | The periodic process to attempt to continue all suspended workflows that may be eligible to continue but have not done so due to locking conflicts started. |
3049 | Other | The periodic process to attempt to continue all suspended workflows that may be eligible to continue but have not done so due to locking conflicts failed. |
3050 | Other | The periodic process to attempt to continue all suspended workflows that may be eligible to continue but have not done so due to locking conflicts was canceled. |
3051 | Other | The periodic process to attempt to continue all suspended workflows that may be eligible to continue but have not done so due to locking conflicts succeeded. |
3052 | Maintenance | The periodic process to identify and schedule SSL discovery and monitoring jobs started. |
3053 | Maintenance | The periodic process to identify and schedule SSL discovery and monitoring jobs failed. |
3054 | Maintenance | The periodic process to identify and schedule SSL discovery and monitoring jobs was canceled. |
3055 | Maintenance | The periodic process to identify and schedule SSL discovery and monitoring jobs succeeded. |
3056 | Maintenance | The periodic process to synchronize certificate templates from a source (e.g. Active Directory) to pick up new templates started. |
3057 | Maintenance | The periodic process to synchronize certificate templates from a source (e.g. Active Directory) to pick up new templates failed. |
3058 | Maintenance | The periodic process to synchronize certificate templates from a source (e.g. Active Directory) to pick up new templates was canceled. |
3059 | Maintenance | The periodic process to synchronize certificate templates from a source (e.g. Active Directory) to pick up new templates succeeded. |
3060 | Maintenance | The periodic process to run the Microsoft SQL update statistics function in the Keyfactor Command database started. |
3061 | Maintenance | The periodic process to run the Microsoft SQL update statistics function in the Keyfactor Command database failed. |
3062 | Maintenance | The periodic process to run the Microsoft SQL update statistics function in the Keyfactor Command database was canceled. |
3063 | Maintenance | The periodic process to run the Microsoft SQL update statistics function in the Keyfactor Command database succeeded. |
3064 | Maintenance | The periodic process to remove any completed workflow A workflow is a series of steps necessary to complete a process. In the context of Keyfactor Command, it refers to the workflow builder, which allows you automate event-driven tasks when a certificate is requested or revoked. instances (both successful and failed) in the Keyfactor Command database that have aged past the date as defined in that application started. |
3065 | Maintenance | The periodic process to remove any completed workflow instances (both successful and failed) in the Keyfactor Command database that have aged past the date as defined in that application failed. |
3066 | Maintenance | The periodic process to remove any completed workflow instances (both successful and failed) in the Keyfactor Command database that have aged past the date as defined in that application canceled. |
3067 | Maintenance | The periodic process to remove any completed workflow instances (both successful and failed) in the Keyfactor Command database that have aged past the date as defined in that application succeeded. |
9999 | Unknown error |
Table 62: Keyfactor Command Windows Event IDs for Audit Log
Event ID |
Task Category | Description |
---|---|---|
2001 | Audit Log | Auditable event in the Certificate area of the product |
2002 | Audit Log | Auditable event in the API Application area of the product |
2003 | Audit Log | Auditable event in the Template area of the product |
2004 | Audit Log | Auditable event in the Certificate Collection The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). area of the product |
2005 | Audit Log | Auditable event in the Expiration Alert area of the product |
2006 | Audit Log | Auditable event in the Pending Alert area of the product |
2007 | Audit Log | Auditable event in the Application Setting area of the product |
2008 | Audit Log | Auditable event in the Issued Alert area of the product |
2009 | Audit Log | Auditable event in the Denied Alert area of the product |
2010 | Audit Log | Auditable event in the Security Identity area of the product |
2011 | Audit Log | Auditable event in the Security Role area of the product |
2012 | Audit Log | Auditable event related to an Authorization Failure |
2013 | Audit Log | Auditable event related to CSR A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA. enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). |
2014 | Audit Log | Auditable event related to SSH The SSH (secure shell) protocol provides for secure connections between computers. It provides several options for authentication, including public key, and protects the communications with strong encryption. Server Groups |
2015 | Audit Log | Auditable event related to SSH Servers |
2016 | Audit Logs | Auditable event related to SSH Keys |
2017 | Audit Log | Auditable event related to SSH Service Accounts |
2018 | Audit Log | Auditable event related to SSH Key Rotation Alerts |
2019 | Audit Log | Auditable event related to SSH Users |
2020 | Audit Log | Auditable event related to Key Rotation Alerts |
2021 | Audit Log | Auditable event related to Certificate Stores |
2022 | Audit Log | Auditable event related to Orchestrator Job Types |
2023 | Audit Log | Auditable event related to Orchestrator Jobs |
2024 | Audit Log | Auditable event related to Bulk Orchestrator Job |
2025 | Audit Log | Auditable event related to Certificate Store Container |
2026 | Audit Log | Auditable event related to Orchestrator |
2027 | Audit Log | Auditable event related to Monitoring |
2028 | Audit Log | Auditable event related to License |
2029 | Audit Log | Auditable event related to Workflow Definition |
2030 | Audit Log | Auditable event related to Workflow Instance |
2031 | Audit Log | Auditable event related to Workflow Instance Signal |
Table 63: Keyfactor Windows Orchestrator and Keyfactor Universal Orchestrator Windows Event IDs
Event ID |
Task Category | Description |
---|---|---|
400 | Monitoring | Job manager for the Keyfactor Windows Orchestrator The Windows Orchestrator, one of Keyfactor's suite of orchestrators, is used to manage synchronization of certificate authorities in remote forests, run SSL discovery and management tasks, and interact with Windows servers as well as F5 devices, NetScaler devices, Amazon Web Services (AWS) resources, and FTP capable devices, for certificate management. In addition, the AnyAgent capability of the Windows Orchestrator allows it to be extended to create custom certificate store types and management capabilities regardless of source platform or location. starting |
401 | Monitoring | Job manager for the Keyfactor Windows Orchestrator stopping |
1300 | F5 Inventory | Keyfactor Windows Orchestrator: Starting inventory job for F5 certificate store (SSL Profile and Web Server)
Note: This does not include F5 REST jobs, which are part of the AnyAgent The AnyAgent, one of Keyfactor's suite of orchestrators, is used to allow management of certificates regardless of source or location by allowing customers to implement custom agent functionality via an API. and appear with AnyAgent messages. |
1310 | F5 Inventory | Keyfactor Windows Orchestrator: Completed inventory job for F5 certificate store (SSL Profile and Web Server) |
1320 | F5 Inventory | Keyfactor Windows Orchestrator: Error while performing an F5 inventory job |
1400 | F5 Management | Keyfactor Windows Orchestrator: Starting management job for F5 certificate store (SSL Profile and Web Server) |
1410 | F5 Management | Keyfactor Windows Orchestrator: Completed management job for F5 certificate store (SSL Profile and Web Server) |
1420 | F5 Management | Keyfactor Windows Orchestrator: Error while performing an F5 management job |
1500 | SSL Discovery | Starting SSL discovery job |
1510 | SSL Discovery | Completed SSL discovery job |
1520 | SSL Discovery | Error while performing SSL discovery job |
1600 | SSL Monitor | Starting SSL monitoring job |
1610 | SSL Monitor | Completed SSL monitoring job |
1620 | SSL Monitor | Error while performing SSL monitoring job |
1630 | SSL Monitor | Error connecting to an endpoint during an SSL scan |
1640 | SSL Monitor | Certificate approaching expiration found at endpoint during an SSL scan |
1700 | IIS Inventory | Keyfactor Windows Orchestrator: Starting inventory job for IIS certificate store (IIS Personal, IIS Trusted Root, and IIS Revoked) |
1710 | IIS Inventory | Keyfactor Windows Orchestrator: Completed inventory job for IIS certificate store (IIS Personal, IIS Trusted Root, and IIS Revoked) |
1720 | IIS Inventory | Keyfactor Windows Orchestrator: Error while performing an IIS inventory job |
1800 | IIS Management | Keyfactor Windows Orchestrator: Starting management job for IIS certificate store (IIS Personal, IIS Trusted Root, and IIS Revoked) |
1810 | IIS Management | Keyfactor Windows Orchestrator: Completed management job for IIS certificate store (IIS Personal, IIS Trusted Root, and IIS Revoked) |
1820 | IIS Management | Keyfactor Windows Orchestrator: Error while performing an IIS management job |
2100 | NetScaler Inventory | Keyfactor Windows Orchestrator: Starting inventory job for NetScaler certificate store |
2110 | NetScaler Inventory | Keyfactor Windows Orchestrator: Completed inventory job for NetScaler certificate store |
2120 | NetScaler Inventory | Keyfactor Windows Orchestrator: Error while performing a NetScaler inventory job |
2200 | NetScaler Management | Keyfactor Windows Orchestrator: Starting management job for NetScaler certificate store |
2210 | NetScaler Management | Keyfactor Windows Orchestrator: Completed management job for NetScaler certificate store |
2220 | NetScaler Management | Keyfactor Windows Orchestrator: Error while performing a NetScaler management job |
2400 | AnyAgent Inventory |
Keyfactor Windows Orchestrator: Starting inventory job for an AnyAgent (e.g. FTP, F5 REST) certificate store |
2410 | AnyAgent Inventory | Keyfactor Windows Orchestrator: Completed inventory job for an AnyAgent (e.g. FTP, F5 REST) certificate store Keyfactor Universal Orchestrator: Completed inventory job for an AnyAgent (e.g. FTP, IIS) certificate |
2420 | AnyAgent Inventory | Keyfactor Windows Orchestrator: Error while performing inventory job for an AnyAgent (e.g. FTP, F5 REST) certificate store Keyfactor Universal Orchestrator: Error while performing inventory job for an AnyAgent (e.g. FTP, IIS) certificate store |
2500 | AnyAgent Management |
Keyfactor Windows Orchestrator: Starting management job for an AnyAgent (e.g. FTP, F5 REST) certificate store Keyfactor Universal Orchestrator: Starting management job for an AnyAgent (e.g. FTP, IIS) certificate store |
2510 | AnyAgent Management | Keyfactor Windows Orchestrator: Completed management job for an AnyAgent (e.g. FTP, F5 REST) certificate store Keyfactor Universal Orchestrator: Completed management job for an AnyAgent (e.g. FTP, IIS) certificate |
2520 | AnyAgent Management | Keyfactor Windows Orchestrator: Error while performing management job for an AnyAgent (e.g. FTP, F5 REST) certificate store Keyfactor Universal Orchestrator: Error while performing management job for an AnyAgent (e.g. FTP, IIS) certificate store |
2800 | Audit Log | Keyfactor Universal Orchestrator: Starting fetch logs job |
2810 | Audit Log | Keyfactor Universal Orchestrator: Completed fetch logs job |
2820 | Audit Log | Keyfactor Universal Orchestrator: Error while performing fetch logs job |
2900 | Agent Service | Job manager for the Keyfactor Universal Orchestrator starting |
2920 | Agent Service | Job manager for the Keyfactor Universal Orchestrator stopped |