Shutdown Event

 shutdown events describe shutdown processes that are performed by an administrator or sub-administrator user with privileges to shutdown the system.
capamsc141
Privileged Access Manager
 shutdown events describe shutdown processes that are performed by an administrator or sub-administrator user with privileges to shutdown the system.
Audit records in this event have the following format:
Date Time M Event UserName SessionID Details Service AuditFlags
  • Date
    Identifies the date that the event occurred.
    Format:
    DD MMM YYYY
    Note:
     
    Privileged Access Manager
    Endpoint Management formats the date display according to your computer settings.
  • Time
    Identifies the time that the event occurred.
    Format:
    HH:MM:SS
    Note:
     
    Privileged Access Manager
    Endpoint Management formats the time display according to your computer settings.
  • Event Type
    Identifies the type of event this record belongs to.
    Note:
     
    Privileged Access Manager
    Endpoint Management refers to this field simply as
    Event
    .
  • User Name
    Identifies the name of the accessor that performed the action that triggered this event.
  • User Logon Session ID
    Identifies the accessor's session ID.
    Note:
    By default this field does not appear in a non-detailed seaudit output. To display this field in a non-detailed seaudit output, specify the -sessionid option in the seaudit command.
  • Details
    Indicates at which stage 
    Privileged Access Manager
    decided what action to take for this event.
    Note:
    The audit record that you see in a non-detailed seaudit output displays a number in this field. This number is known as the authorization stage code. In a detailed output or in 
    Privileged Access Manager
    Endpoint Management, the audit record displays the message that is associated with the authorization stage code. For a complete list of stage codes, run seaudit -t.
  • Daemon (UNIX) / Engine service (Windows)
    Identifies the name of the 
    Privileged Access Manager
    daemon (UNIX) or service (Windows) that was shut down.
    Value:
    seosd (the 
    Privileged Access Manager
    Engine).
  • Audit Flags
    Indicates whether the accessor is internal (
    Privileged Access Manager
    database user) or an enterprise user.
    Note:
    If the accessor is an enterprise user, the audit record you see in a non-detailed seaudit output displays the string "(OS user)" in this field. Otherwise, this field remains empty.
Example: Shutdown Event Message on UNIX
The following audit record was taken from a detailed seaudit output.
24 Sep YYYY 15:40:46 M SHUTDOWN     root    452 seosd
Event type: Daemon shutdown
User name: root
Daemon: seosd
Date: 24 Sep YYYY
Time: 15:40:46
Details: User is ADMIN or SPECIAL
User Logon Session ID: 48da26ce:00000142
Audit flags: CA PAMSC database user
This audit record indicates that on September 24th of the specified year, the user root who was attempting to shutdown 
Privileged Access Manager
was permitted to do so because the user has the ADMIN attribute (authorization stage code 452User is ADMIN or SPECIAL).
Example: Shutdown Event Message on Windows
The following audit record was taken from a detailed seaudit output.
23 Dec YYYY 12:56:20 D SHUTDOWN     tst002                   460 seosd
Event type: Engine service shutdown
User name: tst002
Engine service: seosd
Date: 10 Feb 2009
Time: 12:56
Details: User is not allowed to shutdown CA PAMSC
User Logon Session ID: 00000000:04c240d5
Audit flags: AC database user
This audit record indicates that on December 23rd of the specified year, the 
Privileged Access Manager
shut down was denied because the user tst002 is not allowed to shutdown the product (authorization stage code 460User is not allowed to shutdown
Privileged Access Manager
).