Both Keyfactor Command and Keyfactor Orchestrators generate Windows event log messages for both normal activity and errors in the Windows application event log. Table 88: Keyfactor Command Windows Event IDs shows some of the more common event IDs generated by the Keyfactor Command server (source Certificate Management System or CMS Timer Job Servce). Table 90: Keyfactor Universal Orchestrator Windows Event IDs shows some of the more common event IDs generated by the Keyfactor Orchestrator (source Certificate Management System Agent). Depending on the features in use on your server, you may not see all these events in your log. These codes can be useful to set up log analysis platforms such as Splunk and Kibana.
Table 88: Keyfactor Command Windows Event IDs
|
Event ID |
Task Category | Description |
|---|---|---|
| 200 | CA Synchronization | Incremental CA synchronization started |
| 201 | CA Synchronization | Incremental CA synchronization finished |
| 210 | CA Synchronization | An error occurred during CA synchronization |
| 220 | CA Synchronization | Unable to connect to the CA during incremental CA synchronization |
| 221 | CA Synchronization | Unable to validate Keyfactor Command product license |
| 222 | CA Synchronization | Unable to read the Keyfactor Command database during incremental CA synchronization |
| 230 | CA Synchronization | Unable to connect to the CA during full CA synchronization |
| 300 | Monitoring | Monitoring service started |
| 301 | Monitoring | Monitoring engine started |
| 304 | Monitoring | Monitoring service timer elapsed |
| 305 | Monitoring | Monitoring service execution skipped |
| 306 | Monitoring | Monitoring job completed successfully |
| 307 | Monitoring | Monitoring engine failed |
| 310 | Monitoring | Monitoring job completed with errors |
| 322 | Monitoring | Unable to read the Keyfactor Command database during monitor job run |
| 323 | Monitoring | An error occurred refreshing a key rotation, cert expiration, CA Health, cert issued, pending cert, or query item alert service job |
| 330 | Monitoring | OCSP endpoint is unavailable |
| 331 | Monitoring | OCSP endpoint is responding successfully |
| 340 | Monitoring | An error occurred configuring an expiration alert |
| 350 | Monitoring | An error occurred configuring a pending alert |
| 360 | Monitoring | An error occurred configuring an SSL alert |
| 370 | Monitoring | An error occurred configuring the CRL |
| 371 | Monitoring | CRL endpoint location could not be contacted |
| 372 | Monitoring |
CRL at the endpoint is stale (past the CA's next publish date for the CRL but not yet at the expiration date) Note: If a CRL is both in the warning period and stale, only the event log message for stale will appear in the log. |
| 373 | Monitoring | CRL at the endpoint is in the warning period configured for email alerts (X days before expiration) |
| 374 | Monitoring | CRL is in a good state |
| 375 | Monitoring | CRL at the endpoint has expired |
| 380 | Monitoring | An error occurred configuring a SSRS reporting job, CRL alert jobs, or certificate authority threshold jobs |
| 390 | Monitoring | Failed to configure the certificate authority threshold jobs |
| 391 | Monitoring | CA has failed to meet one of the threshold monitoring requirements |
| 410 | Web API | A general error occurred during a Keyfactor API request |
| 411 | Web API | Invalid token error occurred during a Keyfactor API request |
| 413 | Web API | Invalid template error occurred during a Keyfactor API request |
| 419 | Web API | Invalid user error occurred during a Keyfactor API request |
| 800 | Timer Service | Keyfactor Command Service started |
| 801 | Timer Service | Keyfactor Command Service stopped |
| 810 | Maintenance | A general Keyfactor Command Service maintenance error occurred. |
| 822 | Timer Service | Unable to read the Keyfactor Command database during Keyfactor Command Service job |
| 830 | Timer Service | Keyfactor Command Service jobs failed to start (alerts, monitoring, sync, other) |
| 930 | Timer Service | An orchestrator job configuration failed |
| 931 | Timer Service | An orchestrator job execution failed |
| 1001 | Maintenance | Keyfactor Command product license is approaching expiration |
| 1002 | Maintenance | Audit logs failed to write to the audit log destination |
| 1900 | Configuration Wizard | The configuration wizard was started |
| 1910 | Configuration Wizard | The configuration wizard finished |
| 1911 | Configuration Wizard | The configuration wizard database creation process started |
| 1912 | Configuration Wizard | The configuration wizard database upgrade process started |
| 1913 | Configuration Wizard | The configuration wizard database conversion process started |
| 1914 | Configuration Wizard | The configuration wizard database upgrade process completed successfully |
| 1915 | Configuration Wizard | The configuration wizard database creation process completed successfully |
| 1916 | Configuration Wizard | The configuration wizard database conversion process completed successfully |
| 1920 | Configuration Wizard | A general failure occurred for the configuration wizard |
| 1921 | Configuration Wizard | The configuration wizard database upgrade process failed |
| 1922 | Configuration Wizard | The configuration wizard database creation process failed |
| 1940 | Configuration Wizard | Configuration wizard general warning |
| 1941 | Configuration Wizard | Configuration wizard SSRS reporting config warning |
| 1942 | Configuration Wizard | Configuration wizard agent pool config warning |
| 2000 | Alert | Whitelist policy failure |
| 2300 | Expiration Renewal | Renewal handler was able to successfully renew a certificate |
| 2310 | Expiration Renewal | Renewal handler failed to renew a certificate |
| 2800 | User Authentication | User login to Management Portal was authenticated |
| 3000 | Alert | Execution of an alert (pending, issued, expiration, or key rotation) configured in the Management Portal failed. |
| 3001 | Alert | Execution of an alert (pending, issued, expiration, or key rotation) configured in the Management Portal succeeded. |
| 3002 | Alert | Execution of an alert (pending, issued, expiration, or key rotation) configured in the Management Portal was canceled. |
| 3003 | Alert | Execution of an alert (pending, issued, expiration, or key rotation) configured in the Management Portal started. |
| 3004 | Alert | A CA threshold monitoring alert failed. |
| 3005 | Alert | A CA threshold monitoring alert succeeded. |
| 3006 | Alert | A CA threshold monitoring alert was canceled. |
| 3007 | Alert | A CA threshold monitoring alert started. |
| 3008 | Alert | A CRL alert for a revocation monitoring location configured in the Management Portal failed. |
| 3009 | Alert | A CRL alert for a revocation monitoring location configured in the Management Portal succeeded. |
| 3010 | Alert | A CRL alert for a revocation monitoring location configured in the Management Portal was canceled. |
| 3011 | Alert | A CRL alert for a revocation monitoring location configured in the Management Portal started. |
| 3012 | Certificate Authority | Local CA sync failed. |
| 3013 | Certificate Authority | Local CA sync succeeded. |
| 3014 | Certificate Authority | Local CA sync was canceled. |
| 3015 | Certificate Authority | Local CA sync started. |
| 3016 | Other | Delivery of regularly scheduled reports has failed. |
| 3017 | Other | Delivery of regularly scheduled reports has succeeded. |
| 3018 | Other | Delivery of regularly scheduled reports has been canceled. |
| 3019 | Other | Delivery of regularly scheduled reports has started. |
| 3020 | Maintenance | The process to generate and assign metadata to certificates when they are imported into Keyfactor Command has started. |
| 3021 | Maintenance | The process to generate and assign metadata to certificates when they are imported into Keyfactor Command has failed. |
| 3022 | Maintenance | The process to generate and assign metadata to certificates when they are imported into Keyfactor Command has been canceled. |
| 3023 | Maintenance | The periodic process to generate and assign metadata to certificates when they are imported into Keyfactor Command has succeeded. |
| 3024 | Maintenance | The periodic process to remove any stored private keys in the Keyfactor Command database that have expired and are eligible for deletion has started. |
| 3025 | Maintenance | The periodic process to remove any stored private keys in the Keyfactor Command database that have expired and are eligible for deletion has failed. |
| 3026 | Maintenance | The periodic process to remove any stored private keys in the Keyfactor Command database that have expired and are eligible for deletion has been canceled. |
| 3027 | Maintenance | The periodic process to remove any stored private keys in the Keyfactor Command database that have expired and are eligible for deletion has succeeded. |
| 3028 | Maintenance | The periodic process to add audit log entries for large jobs started. |
| 3029 | Maintenance | The periodic process to add audit log entries for large jobs failed. |
| 3030 | Maintenance | The periodic process to add audit log entries for large jobs was canceled. |
| 3031 | Maintenance | The periodic process to add audit log entries for large jobs succeeded. |
| 3032 | Maintenance | The periodic process to remove any audit log history in the Keyfactor Command database that has expired and is eligible for deletion started. |
| 3033 | Maintenance | The periodic process to remove any audit log history in the Keyfactor Command database that has expired and is eligible for deletion failed. |
| 3034 | Maintenance | The periodic process to remove any audit log history in the Keyfactor Command database that has expired and is eligible for deletion was canceled. |
| 3035 | Maintenance | The periodic process to remove any audit log history in the Keyfactor Command database that has expired and is eligible for deletion succeeded. |
| 3036 | Maintenance | The periodic process to remove any SSL endpoint history in the Keyfactor Command database that is eligible for deletion started. |
| 3037 | Maintenance | The periodic process to remove any SSL endpoint history in the Keyfactor Command database that is eligible for deletion failed. |
| 3038 | Maintenance | The periodic process to remove any SSL endpoint history in the Keyfactor Command database that is eligible for deletion was canceled. |
| 3039 | Maintenance | The periodic process to remove any SSL endpoint history in the Keyfactor Command database that is eligible for deletion succeeded. |
| 3040 | Alert | The periodic process to update the temporary tables that store information on which certificates are in which certificate collections started. |
| 3041 | Alert | The periodic process to update the temporary tables that store information on which certificates are in which certificate collections failed. |
| 3042 | Alert | The periodic process to update the temporary tables that store information on which certificates are in which certificate collections was canceled. |
| 3043 | Alert | The periodic process to update the temporary tables that store information on which certificates are in which certificate collections succeeded. |
| 3044 | Maintenance | The periodic process to remove records from temporary files generated while running reports started. |
| 3045 | Maintenance | The periodic process to remove records from temporary files generated while running reports failed. |
| 3046 | Maintenance | The periodic process to remove records from temporary files generated while running reports was canceled. |
| 3047 | Maintenance | The periodic process to remove records from temporary files generated while running reports succeeded. |
| 3048 | Other | The periodic process to attempt to continue all suspended workflows that may be eligible to continue but have not done so due to locking conflicts started. |
| 3049 | Other | The periodic process to attempt to continue all suspended workflows that may be eligible to continue but have not done so due to locking conflicts failed. |
| 3050 | Other | The periodic process to attempt to continue all suspended workflows that may be eligible to continue but have not done so due to locking conflicts was canceled. |
| 3051 | Other | The periodic process to attempt to continue all suspended workflows that may be eligible to continue but have not done so due to locking conflicts succeeded. |
| 3052 | Maintenance | The periodic process to identify and schedule SSL discovery and monitoring jobs started. |
| 3053 | Maintenance | The periodic process to identify and schedule SSL discovery and monitoring jobs failed. |
| 3054 | Maintenance | The periodic process to identify and schedule SSL discovery and monitoring jobs was canceled. |
| 3055 | Maintenance | The periodic process to identify and schedule SSL discovery and monitoring jobs succeeded. |
| 3056 | Maintenance | The periodic process to synchronize certificate templates from a source (e.g. Active Directory) to pick up new templates started. |
| 3057 | Maintenance | The periodic process to synchronize certificate templates from a source (e.g. Active Directory) to pick up new templates failed. |
| 3058 | Maintenance | The periodic process to synchronize certificate templates from a source (e.g. Active Directory) to pick up new templates was canceled. |
| 3059 | Maintenance | The periodic process to synchronize certificate templates from a source (e.g. Active Directory) to pick up new templates succeeded. |
| 3060 | Maintenance | The periodic process to run the Microsoft SQL update statistics function in the Keyfactor Command database started. |
| 3061 | Maintenance | The periodic process to run the Microsoft SQL update statistics function in the Keyfactor Command database failed. |
| 3062 | Maintenance | The periodic process to run the Microsoft SQL update statistics function in the Keyfactor Command database was canceled. |
| 3063 | Maintenance | The periodic process to run the Microsoft SQL update statistics function in the Keyfactor Command database succeeded. |
| 3064 | Maintenance | The periodic process to remove any completed workflow instances (both successful and failed) in the Keyfactor Command database that have aged past the date as defined in that application started. |
| 3065 | Maintenance | The periodic process to remove any completed workflow instances (both successful and failed) in the Keyfactor Command database that have aged past the date as defined in that application failed. |
| 3066 | Maintenance | The periodic process to remove any completed workflow instances (both successful and failed) in the Keyfactor Command database that have aged past the date as defined in that application canceled. |
| 3067 | Maintenance | The periodic process to remove any completed workflow instances (both successful and failed) in the Keyfactor Command database that have aged past the date as defined in that application succeeded. |
| 3068 | Alert | An alert for a certificate collection workflow started. |
| 3069 | Alert | An alert for a certificate collection workflow failed. |
| 3070 | Alert | An alert for a certificate collection workflow canceled. |
| 3071 | Alert | An alert for a certificate collection workflow succeeded. |
| 3072 | Alert | An orchestrator alert that a notification alert started. |
| 3073 | Alert | An orchestrator alert that a notification alert failed. |
| 3074 | Alert | An orchestrator alert that a notification alert canceled. |
| 3075 | Alert | An orchestrator alert that a notification alert succeeded. |
| 3076 | Alert | An alert for a certificate collection workflow started. |
| 9999 | Unknown error |
Table 89: Keyfactor Command Windows Event IDs for Audit Log
|
Value |
Subcategory Name |
Description |
|---|---|---|
|
2001 |
Certificate |
Certificate |
|
2001 |
Auditing Certificate Scheduled Replacement |
Auditing Certificate Scheduled Replacement |
|
2001 |
Auditing Certificate Request |
Certificate Request |
|
2002 |
ApiApplication |
API Application |
|
2003 |
Template |
Template |
|
2004 |
CertificateQuery |
Certificate Collection/Query |
|
2005 |
ExpirationAlert |
Expiration Alert |
|
2005 |
Expiration Alert Definition Context Model |
Expiration Alert |
|
2006 |
PendingAlert |
Pending Alert |
|
2006 |
Pending Alert Definition Context Model |
Pending Alert |
|
2007 |
ApplicationSetting |
Application Setting |
|
2008 |
IssuedAlert |
Issued Alert |
|
2008 |
Issued Alert Definition Context Model |
Issued Alert |
|
2009 |
DeniedAlert |
Denied Alert |
|
2009 |
Denied Alert Definition Context Model |
Denied Alert |
|
2010 |
ADIdentityModel |
Security Identity |
|
2011 |
SecurityRole |
Security Role |
|
2012 |
AuthorizationFailure |
Authorization Failure |
|
2013 |
CertificateSigningRequest |
CSR |
|
2014 |
ServerGroup |
SSH Server Group |
|
2015 |
Server |
SSH Server |
| 2016 | DiscoveredKey | Rogue Key for Logon |
| 2016 | Key | SSH Key |
|
2017 |
ServiceAccount |
SSH Service Account |
|
2018 |
Logon |
SSH Logon |
|
2019 |
SshUser |
SSH User |
|
2020 |
Key Rotation Alert Definition Context Model |
SSH Key Rotation Alert |
| 2021 | CertificateStore | Certificate Store |
| 2022 | JobType | Orchestrator Job Type |
| 2023 | AgentSchedule | Orchestrator Job |
| 2024 | Bulk Agent Schedule | Bulk Orchestrator Job |
| 2025 | Certificate Store Container | Store Container |
| 2026 | Agent | Orchestrator |
| 2027 | Revocation Monitoring | Monitoring |
| 2028 | License | License |
| 2029 | WorkflowDefinition | Workflow Definition |
| 2030 | WorkflowInstance | Workflow Instance |
| 2031 | WorkflowInstanceSignal | Workflow Instance Signal |
| 2032 | IdentityProvider | Identity Provider |
| 2033 | RoleClaimDefinition | Claim Definition |
| 2034 | PermissionSet | Permission Set |
Table 90: Keyfactor Universal Orchestrator Windows Event IDs
|
Event ID |
Task Category | Description |
|---|---|---|
| 1500 | SSL Discovery | Starting SSL discovery job |
| 1510 | SSL Discovery | Completed SSL discovery job |
| 1520 | SSL Discovery | Error while performing SSL discovery job |
| 1600 | SSL Monitor | Starting SSL monitoring job |
| 1610 | SSL Monitor | Completed SSL monitoring job |
| 1620 | SSL Monitor | Error while performing SSL monitoring job |
| 1630 | SSL Monitor | Error connecting to an endpoint during an SSL scan |
| 1640 | SSL Monitor | Certificate approaching expiration found at endpoint during an SSL scan |
| 2400 | AnyAgent Inventory |
Keyfactor Universal Orchestrator: Starting inventory job for an AnyAgent certificate store |
| 2410 | AnyAgent Inventory |
Keyfactor Universal Orchestrator: Completed inventory job for an AnyAgent certificate |
| 2420 | AnyAgent Inventory |
Keyfactor Universal Orchestrator: Error while performing inventory job for an AnyAgent certificate store |
| 2500 | AnyAgent Management |
Keyfactor Universal Orchestrator: Starting management job for an AnyAgent certificate store |
| 2510 | AnyAgent Management |
Keyfactor Universal Orchestrator: Completed management job for an AnyAgent certificate |
| 2520 | AnyAgent Management |
Keyfactor Universal Orchestrator: Error while performing management job for an AnyAgent certificate store |
| 2800 | Audit Log | Keyfactor Universal Orchestrator: Starting fetch logs job |
| 2810 | Audit Log | Keyfactor Universal Orchestrator: Completed fetch logs job |
| 2820 | Audit Log | Keyfactor Universal Orchestrator: Error while performing fetch logs job |
| 2900 | Agent Service | Job manager for the Keyfactor Universal Orchestrator starting |
| 2920 | Agent Service | Job manager for the Keyfactor Universal Orchestrator stopped |