Imprivata OneSign Syslog Reference Guide

Imprivata Enterprise Access Management (OneSign) logs entries to the syslog for debugging and system status monitoring. Messages can be informational or indicative of a system error. This topic lists and describes syslog messages for Imprivata appliances running Imprivata OneSign. Recovery procedures are provided when applicable.

The Imprivata OneSign Syslog Reference Guide includes descriptions of how to view and export the syslog, and how to specify the syslog server. In addition, the syslog format and messages are provided, as well as how to post the system status and event notifications to the syslog.

Topic Conventions

The syslog message descriptions in this topic can include the following information:

Subsystem: Message with <a_variable>

Variables a_variable: the definition of this variable. Not all messages have variables.
Seen when Event that caused this message to be written to the syslog.
What to do What you can do to fix this error, if applicable.

You can view and export the syslog from the Logs tab on the System page in the Imprivata Appliance Console.

Viewing the syslog in the Imprivata Appliance Console

  1. Click the Logs tab on the System page in the Imprivata Appliance Console.
  2. Select Syslog from Appliance Logs drop-down list box.
  3. Click Display Log to view the syslog in a new browser window.

Exporting the syslog

  1. Click the Logs tab on the System page in the Imprivata Appliance Console.
  2. Click Export Log File. Status messages appear during the log export process.
  3. When Internet Explorer refreshes and you see the message Last Export Status: SUCCESS: completed at <Day> <Mon> <DD> <HH:MM:SS> <Year>, click Browse Exported Log Files.
  4. Enter the Imprivata Appliance ConsoleUser name and password and click OK.
  5. Click the syslog folder in the directory containing the exported log files.
  6. Download messages.gz.
  7. To view the syslog, extract messages and open it with a text editor.

If you experience an error message when attempting to export logs, try the export operation again. If the operation still fails contact Imprivata Customer Support.

See Appliance Logs for more information.

The Syslog Server is localhost by default. To change the Syslog Server:

  1. On the Logs tab on the System page in the Imprivata Appliance Console, click Edit.
  2. Enter the IP address or hostname of the syslog server and click OK. To set the Syslog Server back to localhost, blank out the Syslog Server field and click OK.
  3. When you return to the System page, click Test to test the Syslog Server. The appliance logs an entry to the Syslog Server indicating success when the server is successfully configured.

The format of a syslog entry is: Mon DD HH:MM:SS Hostname Subsystem: Message

Hostname

Hostname is the IP address of the appliance that logged an entry in the syslog.

Subsystem

These Imprivata OneSign subsystems log entries to the syslog:

Message Type

Subsystems

Tomcat Recovery

Tomcat recovery

Backup

BURE

FATAL BU error

Imprivata OneSign Startup

onesign-startup

Imprivata Agent

onesign-agent

ntp-agent

Database Logs Cleanup

Clean BINLOG

Operating System Hourly Checks

ALERT Disk Utilization

ALERT Enterprise Information

Other Log Entries

Imprivata OneSign logs additional entries to the syslog that are not in this topic. You do not need to monitor these entries because they are for debugging purposes.

SUSE Linux Enterprise Server and several Linux applications such as Apache Tomcat also log entries to the syslog. Refer to the logging program’s documentation for more information.

Each category of syslog messages describes log entries from a different Imprivata OneSign subsystem.

Apache Tomcat generates these messages when it is attempting to recover from a crash.

TOMCAT recovery: Trigger Tomcat Recovery [<stat>]

Variables stat: 0 indicates that Tomcat recovery successfully triggered. A non-zero value indicates Tomcat recovery failed to trigger.
Seen when Apache Tomcat is attempting to restart after a crash.
What to do Contact Imprivata Customer Support if <stat> is a non-zero value.

TOMCAT recovery: Imprivata OneSign stopped [<stat>]

Variables stat: 0 indicates that Tomcat recovery successfully stopped OneSign. A non-zero value indicates that Imprivata OneSign failed to stop.
Seen when Tomcat recovery is stopping Imprivata OneSign to recover Tomcat after a crash.
What to do Contact Imprivata Customer Support if <stat> is a non-zero value.

TOMCAT recovery: Imprivata OneSign started [<stat>]

Variables stat: 0 indicates that Tomcat recovery successfully started OneSign. A non-zero value indicates that Imprivata OneSign failed to start.
Seen when Tomcat recovery is starting Imprivata OneSign to recover Tomcat after a crash.
What to do Contact Imprivata Customer Support if <stat> is a non-zero value.

Imprivata OneSign logs these messages during backup operations.

FATAL BU error: Could not initiate BU: <stat>

Variables stat: debugging information
Seen when Appliance could not initiate backup operation.
What to do Try initiating the backup operation again. If backup fails, contact Imprivata Customer Support.

BURE: Warn:Backup FAILED

Seen when Backup operation failed.
What to do Try initiating the backup operation again. If backup fails, contact Imprivata Customer Support.

BURE: Info:Backup Completed successfully

Seen when Backup operation completed successfully.
What to do No action is required.

BURE: Cannot connect to FTP server <ftp_host>

Variables ftp_host: IP address of FTP server
Seen when The appliance could not save the backup file to the FTP server because the appliance could not connect to the FTP server.
What to do Check FTP server for operational and connectivity issues. If FTP server issues are resolved and backup errors persist, contact Imprivata Customer Support.

BURE: Cannot login to FTP server

Seen when The appliance could not save the backup file to the FTP server because the appliance could not log into the FTP server.
What to do Check FTP server for operational and connectivity issues. If FTP server issues are resolved and backup errors persist, contact Imprivata Customer Support.

BURE: FTP error [Cannot chdir to <path>]

Variables path: directory on FTP server where backup file is saved
Seen when The appliance could not save the backup file to the FTP server because the appliance could not change the save directory on the FTP server to the specified path.
What to do Check FTP server for operational and connectivity issues. If FTP server issues are resolved and backup errors persist, contact Imprivata Customer Support.

BURE: FTP error [Could not PUT file <file>]

Variables file: backup file
Seen when The appliance could not save the backup file to the FTP server because the PUT command failed.
What to do Check FTP server for operational and connectivity issues. If FTP server issues are resolved and backup errors persist, contact Imprivata Customer Support.

BURE: Backup File could not be saved

Seen when The appliance could not save the backup file to the network share.
What to do Check FTP server for operational and connectivity issues. If FTP server issues are resolved and backup errors persist, contact Imprivata Customer Support.

BURE: <file> transfered to server: <host> successfully

Variables file: backup file
host: IP address of network share server
Seen when The appliance successfully transferred the backup file to the network share.
What to do No action is required.

These messages indicate Imprivata OneSign errors or status updates during Startup.

onesign-startup: Startup Disabled, See OneSign Restart Log

Seen when
  • Imprivata OneSign Startup disabled during database migration when Imprivata OneSign is being upgraded.
  • A problem has occurred during normal operation.
What to do Try Restore operation. If problems persist, contact Imprivata Customer Support.

onesign-startup: Startup ERROR, last restore failed

Seen when An error occurred during Imprivata OneSign Startup because the previous Restore operation failed.
What to do Try Restore operation. If problems persist, contact Imprivata Customer Support.

onesign-startup: Startup ERROR, last DB synchronize failed

Seen when An error occurred during Imprivata OneSign Startup because the previous Database Synchronization operation failed or the previous Restore operation failed.
What to do If the Database Synchronization operation failed, try Database Synchronization again. Else if the Restore operation failed, try Restore again. If problems persist, contact Imprivata Customer Support.

onesign-startup: OneSign Started

Seen when Imprivata OneSign started successfully on local appliance.
What to do No action is required.

The Imprivata agent generates these messages.

onesign-agent: Info: Start monitoring SSO

Seen when Imprivata OneSign is running correctly.
What to do No action is required.

onesign-agent: Fatal: Could not read socket at SSO test URL

Seen when The Imprivata agent is unable to connect to Imprivata OneSign URL. This message does not indicate a system error itself but can provide useful information to Imprivata Customer Support if Imprivata OneSign experiences problems.
What to do If Imprivata OneSign experiences problems, contact Imprivata Customer Support.

NOTE: This subsystem does not refer to the client-side Imprivata agent on end-user PCs. It refers to an agent that monitors the status of the Imprivata OneSign server.

ntp-agent: Error: restarted NTP after “No association ID’s returned”

Seen when The Imprivata appliance restarted the NTP service after the NTP server became unavailable and then returned.
What to do No action is required.

ntp-agent: Warning: OFFSET too large on <NTP server> [<number of seconds off>]

Seen when The Imprivata appliance is unable to connect to the NTP server.
What to do Make sure the NTP server is up and reachable.

These messages indicate errors during database log files cleanup operations.

Clean BINLOG: Unexpected stat <stat>

Variables stat: debugging information about failure
Seen when The log cleanup operation failed.
What to do Contact Imprivata Customer Support

Clean BINLOG: File <file> not deleted, newer than binlog.<current_extension>

Variables file: name of the log file to be deleted during cleanup
current_extension: extension of current log file
Seen when The latest database log was not deleted because it is newer than the current log.
What to do No action is required.

These messages display information about the appliance operating system during hourly checks.

ALERT Disk Utilization: Issue on <local_IP>. Details: <df>

Variables local_IP: local IP address
df: Linux df command
Seen when The appliance’s local hard disk is filling up. The appliance will become unstable when the disk reaches capacity.
What to do Contact Imprivata Customer Support immediately before Imprivata OneSign becomes unstable.

ALERT Enterprise Information: Issue on <local_IP>. Details: Local appliance information is missing.

Variables local_IP: local IP address
Seen when The local appliance’s view of the enterprise information is corrupt.
What to do Contact Imprivata Customer Support immediately.

ALERT Enterprise Information: Details: <email_message>

Variables email_message: an email message sent to the enterprise’s Email forwarding address describing the error
Seen when The local appliance’s view of the enterprise does not agree with a peer appliance’s view of the enterprise.
What to do Contact Imprivata Customer Support immediately.

err: Agent state for <DESC> now <NEWVAL>

Variables DESC: dns1, dns2, dns3, onesign, osc-httpd, or smtp
NEWVAL: fatal or normal
Seen when NEWVAL = fatal when the Imprivata appliance can no longer reach the server identified by DESC.
NEWVAL = normal when the Imprivata appliance can again reach the server identified by DESC.
What to do Check the server identified by DESC, and its network connectivity.

[XXX subsystem]: <FQDN> recently enrolled a finger (<finger_name>, {<date_time>,date,dd-MMM-yy HH:mm z}) which appears to match (<username>, <existing_finger_name>)

Variables
  • FQDN — Fully qualified user name of the user who enrolled the finger
  • finger_name — English finger name of enrolled finger
  • date_time — Date and time of enrollment
  • username — Fully qualified user name of the user with the matching fingerprint
  • existing_finger_name — English name of username’s enrolled finger
Seen when A user enrolls a new fingerprint that appears to match an existing fingerprint.

[XXX subsystem]: @OEM@ @PRODUCTNAME@ has <num_pending_accounts> user accounts pending approval as of {<date_time>,date,dd-MMM-yy HH:mm z}.

Variables
  • num_pending_accounts — Number of pending user accounts
  • date_time — Date and time of enrollment request
Seen when There are new user accounts that are pending approval from the system Administrator.
What to do To approve these user accounts, click "N pending users >>" on the [XXX Product name] Administrator Users tab. Select the user accounts to be approved and click Approve.

[XXX Subsystem]: Task <task_name> was scheduled for {<date_time>,date,dd-MMM-yy HH:mm z} at <site_name>, and failed to run.

Variables
  • task_name — Task name
  • date_time — Date and time scheduled task was supposed to run
  • site_name — Site name
Seen when A scheduled task failed to run.
What to do Stop and restart OneSign. If the problem persists, contact Imprivata Customer Support.

[XXX Subsystem]: The RADIUS proxy destination server <server_name> is unreachable as of {<date_time>,date,dd-MMM-yy HH:mm z}.

Variables
  • date_time — Date and time of unavailability
  • server_name — Server name
Seen when The specified RADIUS proxy server is unavailable.
What to do TBD

[XXX Subsystem]: The ID Token Server <server_name> is unreachable as of {<date_time>,date,dd-MMM-yy HH:mm z}.

Variables
  • date_time — Date and time of unavailability
  • server_name — Server name
Seen when The speficied ID Token Server is unreachable.
What to do Check the ID token server and make sure it is up.

[XXX Subsystem]: The internal RADIUS server is unreachable as of {<date_time>,date,dd-MMM-yy HH:mm z}.

Variables date_time — Date and time of unavailability
Seen when The internal RADIUS server is unreachable.
What to do To restart the internal RADIUS server, restart the [XXX OEM] [XXX PRODUCT NAME] appliance.

[XXX Subsystem]: The internal Physical Access server is unreachable as of {<date_time>,date,dd-MMM-yy HH:mm z}.

Variables date_time — Date and time of unavailability
Seen when The internal Physical Access server is unreachable.
What to do To restart the internal Physical Access server, restart the [ XXX OEM] [XXX PRODUCTNAME] appliance.

[XXX Subsystem]: PA connector <num_pa_readers> readers synched at {<date_time>,date,dd-MMM-yy HH:mm z}. <num_readers_added> readers added: <list_readers_added>. <num_readers_removed> readers removed: <list_readers_removed>. <num_readers_renamed> readers renamed: <list_readers_renamed>.

Variables
  • date_time — Date and time of synchronization
  • num_pa_readers — Number of Physical Access readers synchronized
  • num_readers_added — Number of readers added
  • list_readers_added — List of readers added
  • num_readers_removed — Number of readers removed
  • list_readers_removed — List of readers removed
  • num_readers_renamed — Number of readers renamed
  • list_readers_renamed — List of readers renamed
Seen when Physical Access connector readers are synchronized
What to do Review the summary of changes. Adding, removing, or renaming readers in physical access system can affect [XXX PRODUCTNAME] user or computer policies that use those readers. Review the list of readers renamed. If a reader’s name change is indicative of the reader type or location, it might necessitate manually changing this reader's in/out or facility/zone designations in [XXX PRODUCTNAME], as well as an adjustment to their use in user or computer policies.

[XXX Subsystem]: PA access connector (<name>) unhealthy at {<date_time>,date,dd-MMM-yy HH:mm z} - connection to PA control failed.

Variables
  • name — Name of PA Access connector
  • date_time — Date and time of reported unhealthy event
Seen when PA access connector enters unhealthy mode due to a failed connection to PA control.
What to do Check the physical access system and make sure it is up.

[XXX Subsystem]: PA connector (<name>) healthy at {<date_time>,date,dd-MMM-yy HH:mm z} - connection to PA control restablished.

Variables
  • name — Name of PA Access connector
  • date_time — Date and time of reported unhealthy event
Seen when PA access connector enters healthy mode due to re-established connection to PA control.
What to do No action required.

[XXX Subsystem]: At {<date_time>,date,dd-MMM-yy HH:mm z}, @PRODUCTNAME@ at <site_name> <inc_dec> the min refresh interval from <old_refresh> min to <new_refresh> min in response to a <load_change> in load.

Variables
  • date_time - Date and time of the refresh interval change
  • site_name - Site name
  • inc_dec - Increased / Decreased
  • old_refresh - Old minimum refresh interval
  • new_refresh - New minimum refresh interval
  • load_change - Increase / Decrease in load
Seen when The minimum allowed value of the agent refresh interval has been increased or decreased in response to a change in the number of concurrent sessions serviced, or in the number of deployed applications.
What to do No action required.

[XXX Subsystem]: At {<date_time>,date,dd-MMM-yy HH:mm z}, @PRODUCTNAME@ at <site_name> <inc_dec> the min refresh interval from <old_refresh> min to <new_refresh> min in response to a <load_change> in load. The value of the refresh interval has also been <old_actual_refresh> to <new_actual_refresh> minutes.

Variables
  • date_time — Date and time of the refresh interval change
  • site_name — Site name
  • inc_dec — Increased / Decreased
  • old_refresh — Old minimum refresh interva
  • new_refresh — New minimum refresh interval
  • load_change — Increase / Decrease in load
  • old_actual_refresh — Old actual refresh interval
  • new_actual_refresh — New actual refresh interval
Seen when The minimum allowed value of the agent refresh interval has been increased or decreased in response to a change in the number of concurrent sessions serviced, or in the number of deployed applications.
What to do The minimum allowed value of the refresh interval has been increased or decreased in response to a change in the number of concurrent sessions serviced, or in the number of deployed applications. The refresh interval has also been changed.

[XXX Subsystem]: Near recommended fingerprint threshold: {<num_enrolled_fingers> enrolled fingers (<threshold> recommended threshold); \ <num_enrolled> fingers enrolled in the past <enrolled_num_days> days; <num_used> fingers actively used for authentication in the past <auth_num_days> days.

Variables
  • num_enrolled_fingers — Number of enrolled fingers
  • threshold — Recommended threshold
  • num_enrolled — Number of fingers enrolled in the past N days
  • enrolled_num_days — Number of past days used in variable {2}
  • num_used — Number of fingers [ XXX number not list?] actively used for authentication in past N days
  • auth_num_days — Number of past days used in variable {4}
Seen when The number of enrolled fingers in Imprivata OneSign is approaching the recommended limit. When this limit is exceeded, some users may be required to provide their network username to complete fingerprint authentication.
What to do
  • Set a low maximum number of fingers per user (Policies | Edit User Policy | Authentication | Fingerprint Options)
  • Run the Enrolled Modalities report to identify users with multiple enrolled fingers.
  • Delete the enrolled fingers of all users that no longer require fingerprint identification capabilities.
  • Ask users to un-enroll any fingers that they do not use for authentication (requires Imprivata OneSign 4.5 or later.) For more information on fingerprint identification and finger biometric authentication, see the product documentation.
  • Contact Imprivata Customer Support if you require further assistance.

[XXX Subsystem]: Exceeding recommending fingerprint threshold: {<num_enrolled_fingers> enrolled fingers (<rec_threshold> recommended threshold); \ <fingers_enrolled_n_days> fingers enrolled in the past <past_days_enrolled> days; <fingers_auth_n_days> fingers actively used for authentication in the past <past_days_auth> days.

Variables

  • num_enrolled_fingers - Number of enrolled fingers

  • rec_threshold - Recommended threshold

  • fingers_enrolled_n_days - Number of fingers enrolled in the past N days

  • past_days_enrolled - Number of past days used in variable fingers_auth_n_days

  • fingers_auth_n_days - Fingers actively used for authentication in past N days

  • past_days_auth - Number of past days used in variable fingers_auth_n_days
Seen when The number of enrolled fingers in Imprivata OneSign exceeded the recommended limit. Until the number of enrolled fingers is reduced below this threshold, some users may be required to provide their network username to complete fingerprint authentication.
What to do

  • Set a low maximum number of fingers per user (Policies | Edit User Policy | Authentication | Fingerprint Options.)

  • Run the Enrolled Modalities report to identify users with multiple enrolled fingers.

  • Delete the enrolled fingers of all users that no longer require fingerprint identification capabilities.

  • Ask users to un-enroll any fingers that they do not use for authentication (requires Imprivata OneSign 4.5 or later.)

  • For more information on fingerprint identification and finger biometric authentication, see the product documentation.

  • Contact Imprivata Customer Support if you require further assistance.

[XXX Subsystem]: Below recommending fingerprint threshold: <num_fingers> enrolled fingers (<threshold> recommended threshold).

Variables
  • num_fingers - Number of enrolled fingers
  • threshold - Recommended threshold
Seen when The number of enrolled fingers in Imprivata OneSign is now below the recommended threshold. Users will no longer be required to provide their network username to complete fingerprint authentication.
What to do No action required.

Database: The Imprivata OneSign database is in an unexpected state. Please contact Imprivata Technical Support.

Variables N/A
Seen when An unexpected database error occurs.
What to do Contact Imprivata Customer Support

Every five minutes, Imprivata OneSign can post a heartbeat and system status. To post them to the syslog:

  1. On the System Settings tab of the Properties page in the Imprivata Admin Console, select Post Heartbeat Info and System Status to Syslog.
  2. Click Save.

See System Settings for more information about posting system status.

Notifications, on the Notifications tab of the Reports page of the Imprivata Admin Console, inform Administrators of certain events. When configuring event notifications, Administrators can tell Imprivata OneSign to export the notification text to the syslog in response to each event type.

To export notifications to syslog:

  1. On the Notifications page from the gear icon, click Add. The Notifications - add page opens.
  2. Choose a notification type and click Next. A context-sensitive set of event conditions and actions appears.
  3. The conditions and action page lists the conditions under which you want to be notified of the event and the means of notification. Each Event has its own set of conditions. Enter the desired conditions.
  4. Under Action, select Export to syslog.
  5. Click Save

See Reporting Tools and Configuring Event Notifications for more information.