Syslog events

Each syslog message contains the name of an event that triggered the message. While a number of syslog events are defined by the BeyondTrust Appliance B Series, most of the event types are defined within the /login administrative interface and are triggered by actions such as login attempts, creating users, and so forth. The access console also triggers syslog messages, but only for login and logout attempts.

Below is a comprehensive list of the possible events included with this version of BeyondTrust software, accompanied by a brief description of each event. Note that some events may be caused by multiple triggers. In those cases, the triggers are identified below.

Event	Trigger
account_added	A new account has been added and saved.
account_changed	An existing account has been modified and saved.
account_removed	An existing account has been deleted.
account_group_added	A new account group has been added and saved.
account_group_changed	An existing account group has been modified and saved.
account_group_removed	An existing account group has been deleted.
account_jump_item_association_added	An association with a Jump Item was added for the account.
account_jump_item_association_changed	An association with a Jump Item was changed for the account.
account_jump_item_direct_association_added	The account is allowed to be injected for the specific Jump Items.
account_jump_item_direct_association_removed	The account is removed from the allowed list to be injected for the specific Jump Items.
accounts_changed	The group of one or more accounts was modified.
admin_password_reset_to_factory_default	The Reset Admin Account button has been clicked, reverting a site's administrative account to its default credentials.
api_account_added	A new API account has been added and saved.
api_account_changed	An existing API account has been modified and saved.
api_account_removed	An existing API account has been deleted.
backup_created	A backup of the current software configuration has been saved.
canned_script_added	A new canned script has been added and saved.
canned_script_category_added	A canned script has been newly assigned to a category, and the script has been saved.
canned_script_category_removed	A previously assigned canned message has been unassigned from a category, and the script has been saved.
canned_script_changed	An existing canned script's name, description, or command sequence has been changed, and the change has been saved.
canned_script_file_added	A resource file has been newly associated with a canned script, and the script has been saved.
canned_script_file_removed	A previously associated resource file has been removed from a canned script, and the script has been saved.
canned_script_removed	An existing canned script has been deleted.
canned_script_team_added	A team has been newly assigned to a canned script, and the script has been saved.
canned_script_team_removed	A previously assigned team has been unassigned from a canned script, and the script has been saved.
canned_scripts_category_added	A new canned scripts category has been created.
canned_scripts_category_removed	An existing canned scripts category has been deleted.
canned_scripts_file_added	A new canned script resource file has been uploaded.
canned_scripts_file_removed	An existing canned script resource file has been deleted.
certificate_export	An SSL certificate has been exported from the B Series Appliance.
change_display_name	A user has attempted to change their display name.
change_password	A user has attempted to change their password.
change_username	A user has attempted to change their username.
command_shell_filtering_regex_list	The list of Shell Prompt patterns.
custom_rep_link_added	A new custom link has been added and saved.
custom_rep_link_changed	An existing custom link has been edited and saved.
custom_rep_link_removed	An existing custom link has been deleted.
custom_session_attribute_added	A new custom field for API integration has been added and saved.
custom_session_attribute_changed	An existing custom field for API integration has been edited and saved.
custom_session_attribute_removed	An existing custom field for API integration has been removed.
custom_session_policy_added	Custom session permissions have been added to a user account, and the user account has been saved.
custom_session_policy_changed	Existing custom session permissions have been edited, and the user account has been saved.
custom_session_policy_removed	Existing custom session permissions have been removed from a user account, and the user account has been saved.
custom_special_action_added	A new custom special action has been added and saved.
custom_special_action_changed	An existing custom special action has been edited and saved.
custom_special_action_removed	An existing custom special action has been removed.
customizable_text_changed	An existing login agreement has been changed.
discovery_error_added	A new Discovery job error has been added.
discovery_error_changed	A new Discovery job error has been changed.
discovery_error_removed	A new Discovery job error has been removed.
domain_added	A new vault domain has been added and saved.
domain_changed	An existing account has been modified and saved.
domain_removed	An existing vault domain has been deleted.
downloaded_rep_client	A user has clicked the link to download the access console.
ecm_group_added	An ECM Group has been added.
ecm_group_changed	An ECM Group has been changed.
ecm_group_removed	An ECM Group has been removed.
endpoint_automation_resource_added	A new endpoint automation resource was uploaded.
endpoint_automation_resource_changed	An endpoint automation resource has been replaced.
endpoint_automation_resource_removed	A endpoint automation resource was deleted.
endpoint_changed	An existing endpoint has been modified and saved.
endpoint_removed	An existing endpoint has been deleted.
eula_accepted	The BeyondTrust PRA Cloud end user license agreement (EULA) has been accepted by a user, and the username has been recorded.
fido2_credential_added	A new FIDO2 Autheticator has been added and saved.
fido2_credential_changed	An existing FIDO2 Autheticator has been modified and saved.
fido2_credential_removed	An existing FIDO2 Autheticator has been deleted.
file_removed_from_file_store	A file has been deleted from the file store.
file_uploaded_to_file_store	A file has been added to the file store.
group_policy_add_to_jump_group_added	A Jump Group has been added to a group policy's Add To Jump Groups list.
group_policy_add_to_jump_group_removed	A Jump Group has been removed from a group policy's Add To Jump Groups list.
group_policy_add_to_jumpoint_added	A Jumpoint has been added to a group policy's Add To Jumpoints list.
group_policy_add_to_jumpoint_removed	A Jumpoint has been removed from a group policy's Add To Jumpoints list.
group_policy_add_to_support_teams_added	A team has been added to a group policy's Add To Teams list.
group_policy_add_to_support_teams_removed	A team has been removed from a group policy's Add To Teams list.
group_policy_added	A new group policy has been created and saved.
group_policy_changed	An existing group policy's priority level has changed, and the change has been saved.
group_policy_member_added	A new member has been added to a group policy, and the policy has been saved.
group_policy_member_removed	An existing member has been removed from a group policy, and the policy has been saved.
group_policy_remove_from_jump_group_added	A Jump Group has been added to a group policy's Remove From Jump Groups list.
group_policy_remove_from_jump_group_removed	A Jump Group has been removed from a group policy's Remove From Jump Groups list.
group_policy_remove_from_jumpoint_added	A Jumpoint has been added to a group policy's Remove From Jumpoints list.
group_policy_remove_from_jumpoint_removed	A Jumpoint has been removed from a group policy's Remove From Jumpoints list.
group_policy_remove_from_support_teams_added	A team has been added to a group policy's Remove From Teams list.
group_policy_remove_from_support_teams_removed	A team has been removed from a group policy's Remove From Teams list.
group_policy_removed	An existing group policy has been deleted.
jump_item_role_added	A new Jump Item Role has been created and saved.
jump_item_role_changed	An existing Jump Item Role has been modified and saved.
jump_item_role_removed	An existing Jump Item Role has been deleted.
jump_policy:schedule_entry_added	A new schedule entry has been added to a Jump Policy, and the policy has been saved.
jump_policy:schedule_entry_removed	An existing schedule entry has been removed from a Jump Policy, and the policy has been saved.
jump_policy_added	A new Jump Policy has been created and saved.
jump_policy_changed	An existing Jump Policy has been modified and saved.
jump_policy_removed	An existing Jump Policy has been deleted.
jumpoint_cluster_added	A new Jumpoint or Jumpoint cluster has been created and saved.
jumpoint_cluster_changed	An existing Jumpoint or Jumpoint cluster has been changed.
jumpoint_cluster_removed	An existing Jumpoint or Jumpoint cluster has been deleted.
jumpoint_user_added	A new member has been added to a Jumpoint, and the Jumpoint has been saved.
jumpoint_user_removed	An existing member has been removed from a Jumpoint, and the Jumpoint has been saved.
kerberos_keytab_added	A new Kerberos keytab has been uploaded.
kerberos_keytab_removed	An existing Kerberos keytab has been deleted.
login	A login attempt has been made.
login_schedule_entry_added	A new login schedule entry has been added to a user's group policy's login schedule, and the user account or group policy has been saved.
login_schedule_entry_removed	An existing login schedule entry has been removed from a user's group policy's login schedule, and the user group policy has been saved.
logout	A user has logged out of the access console, whether by deliberate action, by an administrator, or as the result of a lost connection to the B Series Appliance.
management_account_added	A new management account has been added and saved.
management_account_changed	An existing management account has been modified and saved.
management_account_removed	An existing management account has been deleted.
msgraph_http_recipient_added	A new service principal has been added and saved.
msgraph_http_recipient_changed	An existing service principal has been modified and saved.
msgraph_http_recipient_removed	An existing service principal has been deleted.
network_address_added	A new IP address has been added and saved.
network_address_changed	An existing IP address has been modified and saved.
network_address_removed	An existing IP address has been deleted. Note that you cannot delete the default route.
network_changed	The global network configuration has been changed, and the change has been saved.
network_route_changed	A static route has been added, modified, or removed.
network_tunnel_jump_item_added	A network tunnel Jump Item has been added.
network_tunnel_jump_item_changed	A network tunnel Jump Item has been changed and saved.
network_tunnel_jump_item_removed	A network tunnel Jump Item has been removed.
outbound_event_email_recipient_added	A new email outbound event has been added and saved.
outbound_event_email_recipient_changed	An existing email outbound event has been modified and saved.
outbound_event_email_recipient_removed	An existing email outbound event has been deleted.
outbound_event_email_trigger_added	A new trigger has been added for an email outbound event, and the event has been saved.
outbound_event_email_trigger_removed	An existing trigger for an email outbound event has been removed, and the event has been saved.
outbound_event_http_recipient_added	A new HTTP outbound event has been added and saved.
outbound_event_http_recipient_changed	An existing HTTP outbound event has been modified and saved.
outbound_event_http_recipient_removed	An existing HTTP outbound event has been deleted.
outbound_event_http_trigger_added	A new trigger has been added for an HTTP outbound event, and the event has been saved.
outbound_event_http_trigger_removed	An existing trigger for an HTTP outbound event has been removed, and the event has been saved.
pending_user_added	A pending user has been added and saved.
pending_user_changed	A pending user has been modified and saved.
pending_user_removed	A pending user was deleted.
pending_vendor_user_added	A vendor user registration request was made.
pending_vendor_user_deleted	A pending vendor user was deleted.
perm_remote_shell_Allow list	A command filtering option has been Allow listed or Deny listed. Or, all commands are allowed.
perm_remote_shell_filter_commands	The list of Allow listed or Deny listed command patterns.
public_site_portal_logo_uploaded	A new logo image for the public site has been uploaded.
public_site_session_attribute_added	A public site session attribute has been added.
public_site_session_attribute_changed	A public site session attribute has been changed.
public_site_session_attribute_removed	A public site session attribute has been removed.
reboot	The B Series Appliance has been rebooted.
remote_rfb_jump_item_added	A Remote RFB Jump Item has been added.
remote_rfb_jump_item_removed	A Remote RFB Jump Item has been removed.
rep_client_connection_terminated	An administrator has terminated a user's connection.
rep_console_setting_added	A managed access console setting has been defined for the first time, and the settings have been saved.
rep_console_setting_changed	A managed access console setting has been changed, and the settings have been saved.
rep_console_setting_removed	A managed access console setting has been marked as undefined, and the settings have been saved.
rep_invite_added	A session policy has been made available for access invites, and the session policy has been saved.
rep_invite_removed	A session policy has been made unavailable for access invites and has been saved, or a session policy available for access invites has been deleted.
repinvite_setting_added	An access invite setting has been added because a session policy has been made available for access invites, and the session policy has been saved.
repinvite_setting_removed	An access invite setting has been removed either because a session policy has been made unavailable for access invites and has been saved, or because a session policy available for access invites has been deleted.
reporting_erasure	Session reports have had representative or customer data anonymized.
restored_from_backup	The software configuration has been successfully restored from its backup file.
restoring_from_backup	The software configuration is in the process of restoring from its backup file.
scheduled_discovery_job_added	The domain scheduled discovery has been added.
scheduled_discovery_job_changed	The domain scheduled discovery has changed.
security_provider_added	A new security provider configuration has been added and saved.
security_provider_changed	An existing security provider configuration's priority level has changed, and the change has been saved.
security_provider_removed	An existing security provider configuration has been deleted.
security_provider_setting_added	A security provider setting has been added as part of the initial configuration, and the configuration has been saved.
security_provider_setting_changed	An existing security provider configuration has been modified and saved.
security_provider_setting_removed	A security provider setting has been removed as part of the deletion of a security provider configuration.
server_software_restarted	The BeyondTrust software has been restarted.
session_policy_added	A new session policy has been added and saved.
session_policy_changed	An existing session policy has been modified and saved.
session_policy_removed	An existing session policy has been deleted.
setting_added	A setting has been defined and saved for the first time.
setting_changed	A setting has been modified and saved.
shared_jump_group_added	A new Jump Group has been added and saved.
shared_jump_group_changed	An existing Jump Group has been modified and saved.
shared_jump_group_removed	An existing Jump Group has been deleted.
SNMP_changed	The SNMPv2 Server has been changed.
ssh_account_added	An SSH account has been added.
ssh_account_changed	An SSH account has been modified and saved.
ssh_account_removed	An SSH account has been removed.
starting_support_tunnel	A support tunnel has been initiated from the B Series Appliance.
support_session_detail_generated	A detailed report has been run for an access session.
support_session_report_generated	A report of access sessions has been run.
support_session_summary_report_generated	A summary report of support sessions has been run.
support_team_added	A team has been added.
support_team_changed	A team has been changed.
support_team_member_added	A new member has been added to a team, and the team has been saved.
support_team_member_changed	An existing member has been assigned a different role in a team, and the team has been saved.
support_team_member_removed	An existing member has been deleted from a team, and the team has been saved.
support_team_removed	An existing team has been deleted.
syslog_server_changed	The remote syslog server setting has been changed and saved.
team_activity_report_generated	A team activity report has been run.
user_account_report_generated	A user account report has been generated.
user_added	A new local user has been created and saved. Event fields differ between /login users and /appliance users.
user_changed	An existing local user has been modified and saved. Event fields differ between /login users and /appliance users.
user_removed	An existing local user has been deleted. Event fields differ between /login users and /appliance users.
user_session_policy_added	A session policy has been applied to a user account, and the user account has been saved.
user_session_policy_removed	A session policy has been removed from a user account, and the user account has been saved.
vault_account_password_rotation	Vault account password has been rotated.
vendor_activity_report_generated	A vendor report was generated.
windows_service_changed	A Windows service has been changed and saved.
windows_service_removed	A Windows service was removed.