Knowledge Partner
Knowledge Partner
1414 views

Audit Log - Change Password events

Question about the SSPR Audit Log.

When it shows two lines like:


2016-08-06T22:24:28Z jsmith AUTHENTICATED jsmith 10.10.x.x
2016-08-06T22:24:41Z jsmith CHANGE_PASSWORD jsmith 10.10.x.x


Which event is this for?

The "I forgot my password", where you enter your challenge/response and change password?
Or the "hey your password expired, change your password"?

In other words, is there a difference in the audit logs as to which was which?
0 Likes
3 Replies
Knowledge Partner
Knowledge Partner

Re: Audit Log - Change Password events

kjhurni;2437180 wrote:
Question about the SSPR Audit Log.

When it shows two lines like:


2016-08-06T22:24:28Z jsmith AUTHENTICATED jsmith 10.10.x.x
2016-08-06T22:24:41Z jsmith CHANGE_PASSWORD jsmith 10.10.x.x


Which event is this for?

The "I forgot my password", where you enter your challenge/response and change password?
Or the "hey your password expired, change your password"?

In other words, is there a difference in the audit logs as to which was which?


While this doesn't answer the question, if you get into the Event Log, it'll show the reason why (in this case, expired password). But I'm still curious about if the AUDIT log delineates between the two scenarios. Or if that's only able to be deciphered by the EVENT log.
0 Likes
Micro Focus Expert
Micro Focus Expert

Re: Audit Log - Change Password events

On 16.08.2016 17:56, kjhurni wrote:
>
> kjhurni;2437180 Wrote:
>> Question about the SSPR Audit Log.
>>
>> When it shows two lines like:
>>
>>>

> Code:
> --------------------
> > >

> > 2016-08-06T22:24:28Z jsmith AUTHENTICATED jsmith 10.10.x.x
> > 2016-08-06T22:24:41Z jsmith CHANGE_PASSWORD jsmith 10.10.x.x
> >

> --------------------
>>>

>>
>> Which event is this for?
>>
>> The "I forgot my password", where you enter your challenge/response
>> and change password?



http://www.pwm-project.org/pwm/public/reference/tables.jsp#auditEvents
suggests that should be RECOVER_PASSWORD. But you should try it with
your own policy to see the actual sequence of events.


>> Or the "hey your password expired, change your password"?
>>
>> In other words, is there a difference in the audit logs as to which
>> was which?

>
> While this doesn't answer the question, if you get into the Event Log,
> it'll show the reason why (in this case, expired password). But I'm
> still curious about if the AUDIT log delineates between the two
> scenarios. Or if that's only able to be deciphered by the EVENT log.
>
>



--
Norbert
--
Norbert
0 Likes
Knowledge Partner
Knowledge Partner

Re: Audit Log - Change Password events

klasen;2437199 wrote:
On 16.08.2016 17:56, kjhurni wrote:
>
> kjhurni;2437180 Wrote:
>> Question about the SSPR Audit Log.
>>
>> When it shows two lines like:
>>
>>>

> Code:
> --------------------
> > >

> > 2016-08-06T22:24:28Z jsmith AUTHENTICATED jsmith 10.10.x.x
> > 2016-08-06T22:24:41Z jsmith CHANGE_PASSWORD jsmith 10.10.x.x
> >

> --------------------
>>>

>>
>> Which event is this for?
>>
>> The "I forgot my password", where you enter your challenge/response
>> and change password?



http://www.pwm-project.org/pwm/public/reference/tables.jsp#auditEvents
suggests that should be RECOVER_PASSWORD. But you should try it with
your own policy to see the actual sequence of events.


>> Or the "hey your password expired, change your password"?
>>
>> In other words, is there a difference in the audit logs as to which
>> was which?

>
> While this doesn't answer the question, if you get into the Event Log,
> it'll show the reason why (in this case, expired password). But I'm
> still curious about if the AUDIT log delineates between the two
> scenarios. Or if that's only able to be deciphered by the EVENT log.
>
>



--
Norbert


Thanks for the information!
--Kevin
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.