Skip to content
English
  • There are no suggestions because the search field is empty.

Security: Auditable Events in Xona

Security: Auditable Events in Xona

Table of Contents

Overview

A non-exhaustive list of common auditable events for Xona are provided in this KB. Audit logs are essential for security, compliance, and operational integrity in any system, as they provide a trustworthy, immutable record of all significant user actions and system events. By capturing details such as who performed what action, when, from where, and the outcome, audit logs enable organizations to detect and investigate unauthorized activities, policy violations, or errors, providing critical evidence for forensic analysis or incident response.

Affected Environments

  • Platform: all

  • Component: CSG, XCM

 

General Notes

  • The list of Auditable Events is based on Xona v5.5.2.2792.
  • Not all events are shown. For example, error messages vary widely and are not included for this reason.
  • Placeholder fields like usernames, bucket names, etc. are replaced with actual runtime values in your deployment.
  • The "log level" (infowarnerror) depends on command success, failure, or rejection.
  • The event field in audit logs CommandCompleted/add-download-magic-link is visible in the Details view of the audit log entry.

Typical Command Lifecycle Events

Most auditable events in Xona correspond with an REST API command that can either complete successfully, be rejected, or fail. The examples below show the CommandCompleted/, CommandFailed/, and CommandRejected/ event statuses that would appear in any audit log message. These are visible in the Logs view under each event's Details view. These are also included as part of the JSON sent from Xona to your log collector when Log Forwarding is enabled.

Log Level Event Example Message Example
info CommandCompleted/add-download-magic-link Added download magic link for file ‘setup.exe’.
info CommandCompleted/delete-upload-magic-link Deleted upload magic link for file ‘report.csv’.
info CommandCompleted/enable-user Enabled user: `alice`.
warn/error CommandFailed/enable-user Error running command: "enable-user" – insufficient permissions.
warn CommandRejected/delete-file Command not permitted: "delete-file".

User Management

Log Level Event Example Message Example
info CommandCompleted/create-user User: `alice` created new account: `bob_dev`.
info CommandCompleted/update-user User: `alice` updated attributes for user: `bob_dev`.
info CommandCompleted/enable-user Enabled user: `alice`.
info CommandCompleted/disable-user Disabled user: `bob_dev`.
info CommandCompleted/delete-user Deleted user: `bob_dev`.
info CommandCompleted/unlock-user Unlocked user: `bob_dev`.
info CommandCompleted/reset-user-password User: alice reset password for user: `bob_dev`.
info CommandCompleted/change-my-password User: `alice` changed their password.

Login & Authentication

Log Level Event Example Message Example
info CommandCompleted/login User: `alice` logged in using password.
info CommandCompleted/api-key-login User: `alice` logged in using API key.
info CommandCompleted/ssh-login User: `alice` logged in using SSH.
info CommandCompleted/logout User: `alice` logged out.
info CommandCompleted/post-confirm-totp User: `alice` confirmed TOTP 2FA.
info CommandCompleted/post-confirm-webauthn User: `alice` confirmed WebAuthn.

API Key Management

Log Level Event Example Message Example
info CommandCompleted/generate-api-key Generated API key: xyz for user: `alice` (id: 1234).
info CommandCompleted/enable-disable-api-key Enabled API key: xyz for user: `alice` (id: 1234).
info CommandCompleted/delete-api-key Deleted API key: xyz for user: `alice` (id: 1234).
info CommandCompleted/clear-api-keys Cleared API keys for user: `alice` (id: 1234).
info CommandCompleted/clear-ssh-keys Cleared API login SSH keys for user: `alice` (id: 1234).
info CommandCompleted/set-my-ssh-key Setting SSH key: 1 for logged-in user: `alice` (id: 1234).

Permissions & Groups

Log Level Event Example Message Example
info CommandCompleted/add-or-update-obj-assignment User: `alice` added or updated permissions assignment.
info CommandCompleted/delete-obj-assignment User: `alice` deleted permissions assignment.
info CommandCompleted/add-group-member User: `alice` added user: `bob_dev` to group: `Operators`.
info CommandCompleted/remove-group-member User: `alice` removed user: `bob_dev` from group: `Operators`.
info CommandCompleted/create-group Created group: `Operators`.
info CommandCompleted/update-group Updated group: `Operators`.
info CommandCompleted/delete-group Deleted group: `Operators`.

SSO & Directory Connector

Log Level Event Example Message Example
info CommandCompleted/add-sso-connector Added SSO connector: `OktaSSO`.
info CommandCompleted/update-sso-connector Updated SSO connector: `OktaSSO`.
info CommandCompleted/delete-sso-connector Deleted SSO connector: `OktaSSO`.
info CommandCompleted/enable-sso-connector Enabled SSO connector: `OktaSSO`.
info CommandCompleted/disable-sso-connector Disabled SSO connector: `OktaSSO`.
info CommandCompleted/add-ad-connector Added Active Directory connector: `CorpAD`.
info CommandCompleted/update-ad-connector Updated Active Directory connector: `CorpAD`.
info CommandCompleted/delete-ad-connector Deleted Active Directory connector: `CorpAD`.
info CommandCompleted/enable-ad-connector Enabled Active Directory connector: `CorpAD`.
info CommandCompleted/disable-ad-connector Disabled Active Directory connector: `CorpAD`.

File Buckets & File Transfer

Log Level Event Example Message Example
info CommandCompleted/add-file-bucket Created file bucket: `SecureFiles`.
info CommandCompleted/delete-file-bucket Deleted file bucket: `SecureFiles`.
info CommandCompleted/set-bucket-requires-approval Set bucket ‘SecureFiles’ as requiring approvals.
info CommandCompleted/set-bucket-ttl-days Set bucket ‘SecureFiles’ TTL to 30 days.
info CommandCompleted/set-bucket-magic-link-ttl-hours Set bucket ‘SecureFiles’ magic link TTL to 8 hours.
info CommandCompleted/add-download-magic-link Added download magic link for file ‘setup.exe’.
info CommandCompleted/delete-download-magic-link Deleted download magic link for file ‘setup.exe’.
info CommandCompleted/add-upload-magic-link Added upload magic link for file ‘report.csv’.
info CommandCompleted/delete-upload-magic-link Deleted upload magic link for file ‘report.csv’.
info CommandCompleted/approve-file Approved file transfer: ‘data.xlsx’.
info CommandCompleted/deny-file Denied file transfer: ‘risky.exe’.
info CommandCompleted/update-files-settings Updated files settings for bucket: `SecureFiles`.
info CommandCompleted/exempt-bucket-from-malware-scan Exempted bucket ‘Quarantine’ from malware scan.

Connection, Sessions, Relay

Log Level Event Example Message Example
info CommandCompleted/start-relay-session Started relay session for: `gateway01`.
info CommandCompleted/end-relay-session Ended relay session for: `gateway02`.
info CommandCompleted/request-conn-access User: alice requested access to connection: `prod-server.`
info CommandCompleted/approve-conn-access User: `bob` approved access to connection: `prod-server` for `alice`.
info CommandCompleted/deny-conn-access User: `admin` denied access to connection: `dev-server` for user: `carol`
info CommandCompleted/manual-login User: `alice` performed manual login to connection: `prod-app`.
info CommandCompleted/transfer-control User: `alice` transferred session control to: `bob`.
info CommandCompleted/take-control User: `bob` took session control.
info CommandCompleted/accept-transfer-control User: `carol` accepted transferred session control.
info CommandCompleted/create-shadow-connection Created shadow connection for: `analyst`.
info CommandCompleted/create-shadow-connection-manual-login Manual login with shadow connection.
info CommandCompleted/add-connection-magic-link Added connection magic link for: `admin`.
info CommandCompleted/delete-connection-magic-link Deleted connection magic link for: `admin`.
info CommandCompleted/update-conn-settings Updated connection settings for: `prod-server`.
info   CommandCompleted/create-schedule   Created new schedule: NightlyRestart.
info   CommandCompleted/archive-schedule   Archived schedule: OldWeekly.

Network, Device, System

Log Level Event Example Message Example
info CommandCompleted/activate-interface User: `alice` activated network interface: eth0 on `Gateway01`.
info CommandCompleted/deactivate-interface User: `bob` deactivated network interface: WAN.
info CommandCompleted/update-mfa-enabled-status MFA enabled for user: alice.
info CommandCompleted/update-mfa-settings Updated MFA settings for user: alice.
info CommandCompleted/reset-mfa Reset MFA for user: alice.
info CommandCompleted/update-banner-text Updated login banner message.
info CommandCompleted/update-inactivity-timeout Updated inactivity timeout to 30 minutes.
info CommandCompleted/update-approval-settings Updated connection approval workflow.
info CommandCompleted/update-primary-network-address Updated primary network address: 192.0.2.1.
info CommandCompleted/update-user-lockout-duration Updated lockout duration to 30 minutes.
  info CommandCompleted/build-diagnostics   Built diagnostics bundle.

Backup, Restore, Update

Log Level Event Example Message Example
info CommandCompleted/backup-generated Generated backup for all connections.
info CommandCompleted/backup-restored Restored backup from file: backup_2026-01-01.enc.
info CommandCompleted/audit-install-update User: alice began update install – it will take some time.
info CommandCompleted/audit-system-reset System reset initiated by user: admin.
info CommandCompleted/audit-system-reset-keep-net System reset (network retained) by user: admin.

Licensing

Log Level Event Example Message Example
info iCommandCompleted/nstall-license Installed a new license file.
info CommandCompleted/clear-license Cleared current license.
  info   CommandCompleted/bulk-deploy-license   Bulk deployed license file to: GatewayGroupA.

Time & Email/SMTP

Log Level Event Example Message Example
info CommandCompleted/enable-timesync Time synchronization enabled.
info CommandCompleted/disable-timesync Time synchronization disabled.
info CommandCompleted/restart-timesync Time synchronization restarted.
info CommandCompleted/save-time-servers Saved list of NTP time servers.
info CommandCompleted/set-time Manually set system time to 2026-05-14 12:00:00 UTC.
info CommandCompleted/update-smtp-settings SMTP settings updated: host=smtp.mail.com.
info CommandCompleted/test-smtp-connection Tested SMTP connection (result: success).

Bulk, HA Replication, Security, Misc

Log Level Event Example Message Example
info CommandCompleted/bulk-configure-saml-sso-connector Bulk configured SAML SSO connectors: OktaSSO1, OktaSSO2.
info CommandCompleted/setup-replication-replica Setup replication replica for: siteB.
info CommandCompleted/disable-replication-replica Disabled replication for: oldSite.
info CommandCompleted/regen-replication-sync-key Regenerated replication sync key for: backup-site.
info CommandCompleted/update-server-certificate Updated server certificate for: main-gateway.
  info   CommandCompleted/delete-all-trusted-certificates   Deleted all trusted certificates.
  info   CommandCompleted/set-trusted-proxies   Proxies updated. New values: ...

 

For assistance with interpreting audit log events, including log events not covered by this KB article, please contact Xona Support (support@xonasystems.com).