Keyfactor Command Windows Event IDs

Both Keyfactor Command and Keyfactor Orchestrators generate Windows event log messages for both normal activity and errors in the Windows application event log. Table 61: Keyfactor Command Windows Event IDs shows some of the more common event IDs generated by the Keyfactor Command server (source Certificate Management System or CMS Timer Job Servce). Table 63: Keyfactor Windows Orchestrator and Keyfactor Universal Orchestrator Windows Event IDs shows some of the more common event IDs generated by the Keyfactor Orchestrator (source Certificate Management System Agent). Depending on the features in use on your server, you may not see all these events in your log. These codes can be useful to set up log analysis platforms such as Splunk and Kibana.

Table 61: Keyfactor Command Windows Event IDs

Event ID

Task Category Description
200 CAClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. Synchronization Incremental CA synchronization started
201 CA Synchronization Incremental CA synchronization finished
210 CA Synchronization An error occurred during CA synchronization
220 CA Synchronization Unable to connect to the CA during incremental CA synchronization
221 CA Synchronization Unable to validate Keyfactor Command product license
222 CA Synchronization Unable to read the Keyfactor Command database during incremental CA synchronization
230 CA Synchronization Unable to connect to the CA during full CA synchronization
300 Monitoring Monitoring service started
301 Monitoring Monitoring engine started
304 Monitoring Monitoring service timer elapsed
305 Monitoring Monitoring service execution skipped
306 Monitoring Monitoring job completed successfully
307 Monitoring Monitoring engine failed
310 Monitoring Monitoring job completed with errors
322 Monitoring Unable to read the Keyfactor Command database during monitor job run
323 Monitoring An error occurred refreshing a key rotation, cert expiration, CA Health, cert issued, pending cert, or query item alert service job
330 Monitoring OCSP endpointClosed An endpoint is a URL that enables the API to gain access to resources on a server. is unavailable
331 Monitoring OCSP endpoint is responding successfully
340 Monitoring An error occurred configuring an expiration alert
350 Monitoring An error occurred configuring a pending alert
360 Monitoring An error occurred configuring an SSLClosed TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. alert
370 Monitoring An error occurred configuring the CRLClosed A Certificate Revocation List (CRL) is a list of digital certificates that have been revoked by the issuing Certificate Authority (CA) before their scheduled expiration date and should no longer be trusted.
371 Monitoring CRL endpoint location could not be contacted
372 Monitoring CRL at the endpoint is stale (past the CA's next publish date for the CRL but not yet at the expiration date)
Note:  If a CRL is both in the warning period and stale, only the event log message for stale will appear in the log.
373 Monitoring CRL at the endpoint is in the warning period configured for email alerts (X days before expiration)
374 Monitoring CRL is in a good state
375 Monitoring CRL at the endpoint has expired
380 Monitoring An error occurred configuring a SSRS reporting job, CRL alert jobs, or certificate authorityClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. threshold jobs
390 Monitoring Failed to configure the certificate authority threshold jobs
391 Monitoring CA has failed to meet one of the threshold monitoring requirements
410 Web APIClosed A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. A general error occurred during a Keyfactor APIClosed A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command. request
411 Web API Invalid token error occurred during a Keyfactor API request
413 Web API Invalid templateClosed A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. error occurred during a Keyfactor API request
419 Web API Invalid user error occurred during a Keyfactor API request
800 Timer Service Keyfactor Command Service started
801 Timer Service Keyfactor Command Service stopped
810 Maintenance A general Keyfactor Command Service maintenance error occurred.
822 Timer Service Unable to read the Keyfactor Command database during Keyfactor Command Service job
830 Timer Service Keyfactor Command Service jobs failed to start (alerts, monitoring, sync, other)
930 Timer Service An orchestrator job configuration failed
931 Timer Service An orchestrator job execution failed
1001 Maintenance Keyfactor Command product license is approaching expiration
1002 Maintenance Audit logs failed to write to the audit log destination
1900 Configuration Wizard The configuration wizard was started
1910 Configuration Wizard The configuration wizard finished
1911 Configuration Wizard The configuration wizard database creation process started
1912 Configuration Wizard The configuration wizard database upgrade process started
1913 Configuration Wizard The configuration wizard database conversion process started
1914 Configuration Wizard The configuration wizard database upgrade process completed successfully
1915 Configuration Wizard The configuration wizard database creation process completed successfully
1916 Configuration Wizard The configuration wizard database conversion process completed successfully
1920 Configuration Wizard A general failure occurred for the configuration wizard
1921 Configuration Wizard The configuration wizard database upgrade process failed
1922 Configuration Wizard The configuration wizard database creation process failed
1940 Configuration Wizard Configuration wizard general warning
1941 Configuration Wizard Configuration wizard SSRS reporting config warning
1942 Configuration Wizard Configuration wizard agent pool config warning
2000 Alert Whitelist policy failure
2300 Expiration Renewal Renewal handler was able to successfully renew a certificate
2310 Expiration Renewal Renewal handler failed to renew a certificate
2800 User Authentication User login to Management Portal was authenticated
3000 Alert Execution of an alert (pending, issued, expiration, or key rotation) configured in the Management Portal failed.
3001 Alert Execution of an alert (pending, issued, expiration, or key rotation) configured in the Management Portal succeeded.
3002 Alert Execution of an alert (pending, issued, expiration, or key rotation) configured in the Management Portal was canceled.
3003 Alert Execution of an alert (pending, issued, expiration, or key rotation) configured in the Management Portal started.
3004 Alert A CA threshold monitoring alert failed.
3005 Alert A CA threshold monitoring alert succeeded.
3006 Alert A CA threshold monitoring alert was canceled.
3007 Alert A CA threshold monitoring alert started.
3008 Alert A CRL alert for a revocation monitoring location configured in the Management Portal failed.
3009 Alert A CRL alert for a revocation monitoring location configured in the Management Portal succeeded.
3010 Alert A CRL alert for a revocation monitoring location configured in the Management Portal was canceled.
3011 Alert A CRL alert for a revocation monitoring location configured in the Management Portal started.
3012 Certificate Authority Local CA sync failed.
3013 Certificate Authority Local CA sync succeeded.
3014 Certificate Authority Local CA sync was canceled.
3015 Certificate Authority Local CA sync started.
3016 Other Delivery of regularly scheduled reports has failed.
3017 Other Delivery of regularly scheduled reports has succeeded.
3018 Other Delivery of regularly scheduled reports has been canceled.
3019 Other Delivery of regularly scheduled reports has started.
3020 Maintenance The process to generate and assign metadataClosed Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In the context of Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates. to certificates when they are imported into Keyfactor Command has started.
3021 Maintenance The process to generate and assign metadata to certificates when they are imported into Keyfactor Command has failed.
3022 Maintenance The process to generate and assign metadata to certificates when they are imported into Keyfactor Command has been canceled.
3023 Maintenance The periodic process to generate and assign metadata to certificates when they are imported into Keyfactor Command has succeeded.
3024 Maintenance The periodic process to remove any stored private keys in the Keyfactor Command database that have expired and are eligible for deletion has started.
3025 Maintenance The periodic process to remove any stored private keys in the Keyfactor Command database that have expired and are eligible for deletion has failed.
3026 Maintenance The periodic process to remove any stored private keys in the Keyfactor Command database that have expired and are eligible for deletion has been canceled.
3027 Maintenance The periodic process to remove any stored private keys in the Keyfactor Command database that have expired and are eligible for deletion has succeeded.
3028 Maintenance The periodic process to add audit log entries for large jobs started.
3029 Maintenance The periodic process to add audit log entries for large jobs failed.
3030 Maintenance The periodic process to add audit log entries for large jobs was canceled.
3031 Maintenance The periodic process to add audit log entries for large jobs succeeded.
3032 Maintenance The periodic process to remove any audit log history in the Keyfactor Command database that has expired and is eligible for deletion started.
3033 Maintenance The periodic process to remove any audit log history in the Keyfactor Command database that has expired and is eligible for deletion failed.
3034 Maintenance The periodic process to remove any audit log history in the Keyfactor Command database that has expired and is eligible for deletion was canceled.
3035 Maintenance The periodic process to remove any audit log history in the Keyfactor Command database that has expired and is eligible for deletion succeeded.
3036 Maintenance The periodic process to remove any SSL endpoint history in the Keyfactor Command database that is eligible for deletion started.
3037 Maintenance The periodic process to remove any SSL endpoint history in the Keyfactor Command database that is eligible for deletion failed.
3038 Maintenance The periodic process to remove any SSL endpoint history in the Keyfactor Command database that is eligible for deletion was canceled.
3039 Maintenance The periodic process to remove any SSL endpoint history in the Keyfactor Command database that is eligible for deletion succeeded.
3040 Alert The periodic process to update the temporary tables that store information on which certificates are in which certificate collections started.
3041 Alert The periodic process to update the temporary tables that store information on which certificates are in which certificate collections failed.
3042 Alert The periodic process to update the temporary tables that store information on which certificates are in which certificate collections was canceled.
3043 Alert The periodic process to update the temporary tables that store information on which certificates are in which certificate collections succeeded.
3044 Maintenance The periodic process to remove records from temporary files generated while running reports started.
3045 Maintenance The periodic process to remove records from temporary files generated while running reports failed.
3046 Maintenance The periodic process to remove records from temporary files generated while running reports was canceled.
3047 Maintenance The periodic process to remove records from temporary files generated while running reports succeeded.
3048 Other The periodic process to attempt to continue all suspended workflows that may be eligible to continue but have not done so due to locking conflicts started.
3049 Other The periodic process to attempt to continue all suspended workflows that may be eligible to continue but have not done so due to locking conflicts failed.
3050 Other The periodic process to attempt to continue all suspended workflows that may be eligible to continue but have not done so due to locking conflicts was canceled.
3051 Other The periodic process to attempt to continue all suspended workflows that may be eligible to continue but have not done so due to locking conflicts succeeded.
3052 Maintenance The periodic process to identify and schedule SSL discovery and monitoring jobs started.
3053 Maintenance The periodic process to identify and schedule SSL discovery and monitoring jobs failed.
3054 Maintenance The periodic process to identify and schedule SSL discovery and monitoring jobs was canceled.
3055 Maintenance The periodic process to identify and schedule SSL discovery and monitoring jobs succeeded.
3056 Maintenance The periodic process to synchronize certificate templates from a source (e.g. Active Directory) to pick up new templates started.
3057 Maintenance The periodic process to synchronize certificate templates from a source (e.g. Active Directory) to pick up new templates failed.
3058 Maintenance The periodic process to synchronize certificate templates from a source (e.g. Active Directory) to pick up new templates was canceled.
3059 Maintenance The periodic process to synchronize certificate templates from a source (e.g. Active Directory) to pick up new templates succeeded.
3060 Maintenance The periodic process to run the Microsoft SQL update statistics function in the Keyfactor Command database started.
3061 Maintenance The periodic process to run the Microsoft SQL update statistics function in the Keyfactor Command database failed.
3062 Maintenance The periodic process to run the Microsoft SQL update statistics function in the Keyfactor Command database was canceled.
3063 Maintenance The periodic process to run the Microsoft SQL update statistics function in the Keyfactor Command database succeeded.
3064 Maintenance The periodic process to remove any completed workflowClosed A workflow is a series of steps necessary to complete a process. In the context of Keyfactor Command, it refers to the workflow builder, which allows you automate event-driven tasks when a certificate is requested or revoked. instances (both successful and failed) in the Keyfactor Command database that have aged past the date as defined in that application started.
3065 Maintenance The periodic process to remove any completed workflow instances (both successful and failed) in the Keyfactor Command database that have aged past the date as defined in that application failed.
3066 Maintenance The periodic process to remove any completed workflow instances (both successful and failed) in the Keyfactor Command database that have aged past the date as defined in that application canceled.
3067 Maintenance The periodic process to remove any completed workflow instances (both successful and failed) in the Keyfactor Command database that have aged past the date as defined in that application succeeded.
9999   Unknown error

Table 62: Keyfactor Command Windows Event IDs for Audit Log

Event ID

Task Category Description
2001 Audit Log Auditable event in the Certificate area of the product
2002 Audit Log Auditable event in the API Application area of the product
2003 Audit Log Auditable event in the Template area of the product
2004 Audit Log Auditable event in the Certificate CollectionClosed The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). area of the product
2005 Audit Log Auditable event in the Expiration Alert area of the product
2006 Audit Log Auditable event in the Pending Alert area of the product
2007 Audit Log Auditable event in the Application Setting area of the product
2008 Audit Log Auditable event in the Issued Alert area of the product
2009 Audit Log Auditable event in the Denied Alert area of the product
2010 Audit Log Auditable event in the Security Identity area of the product
2011 Audit Log Auditable event in the Security Role area of the product
2012 Audit Log Auditable event related to an Authorization Failure
2013 Audit Log Auditable event related to CSRClosed A CSR or certificate signing request is a block of encoded text that is submitted to a CA when enrolling for a certificate. When you generate a CSR within Keyfactor Command, the matching private key for it is stored in Keyfactor Command in encrypted format and will be married with the certificate once returned from the CA. enrollmentClosed Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA).
2014 Audit Log Auditable event related to SSHClosed The SSH (secure shell) protocol provides for secure connections between computers. It provides several options for authentication, including public key, and protects the communications with strong encryption. Server Groups
2015 Audit Log Auditable event related to SSH Servers
2016 Audit Logs Auditable event related to SSH Keys
2017 Audit Log Auditable event related to SSH Service Accounts
2018 Audit Log Auditable event related to SSH Key Rotation Alerts
2019 Audit Log Auditable event related to SSH Users
2020 Audit Log Auditable event related to Key Rotation Alerts
2021 Audit Log Auditable event related to Certificate Stores
2022 Audit Log Auditable event related to Orchestrator Job Types
2023 Audit Log Auditable event related to Orchestrator Jobs
2024 Audit Log Auditable event related to Bulk Orchestrator Job
2025 Audit Log Auditable event related to Certificate Store Container
2026 Audit Log Auditable event related to Orchestrator
2027 Audit Log Auditable event related to Monitoring
2028 Audit Log Auditable event related to License
2029 Audit Log Auditable event related to Workflow Definition
2030 Audit Log Auditable event related to Workflow Instance
2031 Audit Log Auditable event related to Workflow Instance Signal

Table 63: Keyfactor Windows Orchestrator and Keyfactor Universal Orchestrator Windows Event IDs

Event ID

Task Category Description
400 Monitoring Job manager for the Keyfactor Windows OrchestratorClosed The Windows Orchestrator, one of Keyfactor's suite of orchestrators, is used to manage synchronization of certificate authorities in remote forests, run SSL discovery and management tasks, and interact with Windows servers as well as F5 devices, NetScaler devices, Amazon Web Services (AWS) resources, and FTP capable devices, for certificate management. In addition, the AnyAgent capability of the Windows Orchestrator allows it to be extended to create custom certificate store types and management capabilities regardless of source platform or location. starting
401 Monitoring Job manager for the Keyfactor Windows Orchestrator stopping
1300 F5 Inventory Keyfactor Windows Orchestrator: Starting inventory job for F5 certificate store (SSL Profile and Web Server)
1310 F5 Inventory Keyfactor Windows Orchestrator: Completed inventory job for F5 certificate store (SSL Profile and Web Server)
1320 F5 Inventory Keyfactor Windows Orchestrator: Error while performing an F5 inventory job
1400 F5 Management Keyfactor Windows Orchestrator: Starting management job for F5 certificate store (SSL Profile and Web Server)
1410 F5 Management Keyfactor Windows Orchestrator: Completed management job for F5 certificate store (SSL Profile and Web Server)
1420 F5 Management Keyfactor Windows Orchestrator: Error while performing an F5 management job
1500 SSL Discovery Starting SSL discovery job
1510 SSL Discovery Completed SSL discovery job
1520 SSL Discovery Error while performing SSL discovery job
1600 SSL Monitor Starting SSL monitoring job
1610 SSL Monitor Completed SSL monitoring job
1620 SSL Monitor Error while performing SSL monitoring job
1630 SSL Monitor Error connecting to an endpoint during an SSL scan
1640 SSL Monitor Certificate approaching expiration found at endpoint during an SSL scan
1700 IIS Inventory Keyfactor Windows Orchestrator: Starting inventory job for IIS certificate store (IIS Personal, IIS Trusted Root, and IIS Revoked)
1710 IIS Inventory Keyfactor Windows Orchestrator: Completed inventory job for IIS certificate store (IIS Personal, IIS Trusted Root, and IIS Revoked)
1720 IIS Inventory Keyfactor Windows Orchestrator: Error while performing an IIS inventory job
1800 IIS Management Keyfactor Windows Orchestrator: Starting management job for IIS certificate store (IIS Personal, IIS Trusted Root, and IIS Revoked)
1810 IIS Management Keyfactor Windows Orchestrator: Completed management job for IIS certificate store (IIS Personal, IIS Trusted Root, and IIS Revoked)
1820 IIS Management Keyfactor Windows Orchestrator: Error while performing an IIS management job
2100 NetScaler Inventory Keyfactor Windows Orchestrator: Starting inventory job for NetScaler certificate store
2110 NetScaler Inventory Keyfactor Windows Orchestrator: Completed inventory job for NetScaler certificate store
2120 NetScaler Inventory Keyfactor Windows Orchestrator: Error while performing a NetScaler inventory job
2200 NetScaler Management Keyfactor Windows Orchestrator: Starting management job for NetScaler certificate store
2210 NetScaler Management Keyfactor Windows Orchestrator: Completed management job for NetScaler certificate store
2220 NetScaler Management Keyfactor Windows Orchestrator: Error while performing a NetScaler management job
2400 AnyAgent Inventory

Keyfactor Windows Orchestrator: Starting inventory job for an AnyAgent (e.g. FTP, F5 REST) certificate store

Keyfactor Universal OrchestratorClosed The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with Windows servers (a.k.a. IIS certificate stores) and FTP capable devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can run custom jobs to provide certificate management capabilities on a variety of platforms and devices (e.g. F5 devices, NetScaler devices, Amazon Web Services (AWS) resources) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux.: Starting inventory job for an AnyAgent (e.g. FTP, IIS) certificate store

2410 AnyAgent Inventory Keyfactor Windows Orchestrator: Completed inventory job for an AnyAgent (e.g. FTP, F5 REST) certificate store

Keyfactor Universal Orchestrator: Completed inventory job for an AnyAgent (e.g. FTP, IIS) certificate

2420 AnyAgent Inventory Keyfactor Windows Orchestrator: Error while performing inventory job for an AnyAgent (e.g. FTP, F5 REST) certificate store

Keyfactor Universal Orchestrator: Error while performing inventory job for an AnyAgent (e.g. FTP, IIS) certificate store

2500 AnyAgent Management

Keyfactor Windows Orchestrator: Starting management job for an AnyAgent (e.g. FTP, F5 REST) certificate store

Keyfactor Universal Orchestrator: Starting management job for an AnyAgent (e.g. FTP, IIS) certificate store

2510 AnyAgent Management Keyfactor Windows Orchestrator: Completed management job for an AnyAgent (e.g. FTP, F5 REST) certificate store

Keyfactor Universal Orchestrator: Completed management job for an AnyAgent (e.g. FTP, IIS) certificate

2520 AnyAgent Management Keyfactor Windows Orchestrator: Error while performing management job for an AnyAgent (e.g. FTP, F5 REST) certificate store

Keyfactor Universal Orchestrator: Error while performing management job for an AnyAgent (e.g. FTP, IIS) certificate store

2800 Audit Log Keyfactor Universal Orchestrator: Starting fetch logs job
2810 Audit Log Keyfactor Universal Orchestrator: Completed fetch logs job
2820 Audit Log Keyfactor Universal Orchestrator: Error while performing fetch logs job
2900 Agent Service Job manager for the Keyfactor Universal Orchestrator starting
2920 Agent Service Job manager for the Keyfactor Universal Orchestrator stopped