Audit Log Events

Event Levels

The levels Info and Error are used by PAM to communicate information about all events: successful (for level Info) or unsuccessful (for level Error).

The majority of the messages of Info and Error levels come from the Audit Log report at the same time when they appear to the audit log itself.

However, the application communicates some internal states also, such as installing session or key recording for sessions, details of servers startup, etc as Info messages and all internal system errors (these should not happen but sometimes occur) as Error messages.


Additionally, PAM uses Debug and Trace levels for internal debugging purposes. Sometimes to investigate certain situations with customer deployments, our Support team may ask the customer to enable a higher level debug for troubleshooting purposes.

Some of the application components, especially those related to integration (i.e. LDAP, PowerShell or SSH scripts executing) generate a lot of debug and especially trace messages when enabled.

We do not anticipate users to actually use Trace and Debug message for reasons other than troubleshooting purposes as they do not carry useful business level information.

Event Categories

  • Analytics: Relates to events that are generated from the Behavior Analytics service.
  • Application: Relates to events that the application itself is generating. This includes software updates, health checks, various global configurations and exports.
  • Data: Relates to the events that are generated when working with the data stored in PAM (containers and records). This includes events like Create/Update/Delete, Lock/Unlock secured fields, Copy/Move/Link, Record Type events, Reports and Anonymous Link interactions (create, open).
  • Event: Relates to events that are generated during sessions. These are the keystrokes, clipboard and file transfer events.
  • Operation: Relates to events that are generated through the operation of the software, either by users or the service itself. This includes various operations like Authentication into PAM (login/logout), Discovery Query events, Queue events, Session Events (join, left, terminate, created and connect options).
  • Permissions: Relates to events that are generated when modifications are made to object permissions, local directory services or public keys. For example, changes to record permissions including make or break inheritance and modifying ACLs. Local directory services includes creating users/groups, modifying groups and locking/unlocking users.
  • Policy: Relates to events that are generated with regards to the various Policies throughout PAM. This includes Behavior Analytics, Command Control, Password Formula, Scripts, Tasks and MFA. Events include creating, updating and deleting activities.
  • Workflow: Relates to events that are specific to workflows. Including creating, updating and publishing Bindings and Templates, notifications, approvals and steps.

For logging, PAM uses the industry standard Log4j logging mechanism for processing and filtering of its log messages.

This log configuration is located in the file $PAM_HOME/web/conf/, which in turn controls the filtering for log levels for the entire application as well as for individual components.

This file also controls the destination syslog traffic with its own filtering.


Download the PAM Syslog Messages file for a list of events.