Summary: Cayosoft Administrator writes events related to the most important operations in the service to Windows Event Log into Windows Logs > Application. Change History information can optionally be written to a separate event. In this article, you can find a detailed description of events created by the Cayosoft Administrator service. This information could be useful when integrating with log management applications such as Splunk, or similar.
Applies to: Cayosoft Administrator 9.X or later.
ID: KB20180919-1
General Events that Cayosoft Administrator writes to Windows Event Log
Cayosoft Administrator service writes all events to Windows Event Log under Windows Logs > Application node with Source Cayosoft Administrator Service.
Please see the table below with all events that might be generated by the Cayosoft Administrator service to Event Log.
Note: Certain event data contains placeholders in angle brackets (for example, SMTP Server Name: <smtp server>). In the actual Event, these events will be populated with real data.
Note 2: You can find rule or web action initiator in Event Data using the Initiator field (in versions prior to 6.2 this could also be Executed by or Requestor fields). If a rule was started by the service itself, the initiator is written as 'Policy Service'.
| ID | Level | Event Data | Description |
|---|---|---|---|
|
996 |
Warning |
All retry attempts failed for function 'Get-MsolAccountSKU'. Using cached information instead. |
An error occurred when the Cayosoft Administrator service called Get-MsolAccountSKU function after a certain number of retries. |
|
997 |
Warning |
The remote call failed and will be retried for function 'Get-MsolAccountSKU'. System error: <exception>. |
An error occurred when the Cayosoft Administrator service called Get-MsolAccountSKU function. |
|
998 |
Warning |
The session was marked for re-creation. PID: {1}. Reason: {0}. | The MSOnline session was corrupted and should be recreated. |
|
999 |
Warning |
Timeout connecting to MSOnline service. Service will retry the connection now. Attempt: <N> | Cayosoft Administrator could not establish a connection to the MSOnline service. The default number of attempts: 5. |
|
1000 |
Error |
Error connecting to MSGraph service. Service will retry the connection now. Attempt: <N> | Cayosoft Administrator could not establish a connection to Microsoft Graph. |
|
1001 |
Error |
Office 365 credentials are not specified. | Office 365 credentials are not specified in the Office 365 extension. |
|
1002 |
Error |
Fail to open a connection to the target system <system>. Error: <error message> | General error when connecting to a target system. |
|
1003 |
Information |
New connection opened to the target system {0}. PID: {1}. | Connection to a target system. |
|
1004 |
Information |
New session created. PID: {0} | A New PowerShell session was created. |
|
1005 |
Error |
Session creation failed. PID: {0}. Reason: Session initialization completed with errors. Check the Application event log. | New PowerShell session creation failed. Check the Application event log for errors or warnings for details. |
|
1006 |
Information |
Connection is closed for the target system Microsoft Hybrid. PID: {0} | Connection is closed for the specified target system. |
|
1007 |
Warning |
EXO: Applying delay before retrying connection to Exchange Online. Delay (seconds): {0}. Attempt: $($curAttempt). PID: {1}. Reason: {2}. | Cayosoft Administrator waits for a specific time before retrying the connection to Exchange Online to prevent throttling. |
|
1008 |
Warning |
EXO: Exchange Online operation failed. It might indicate EXO throttling applied for too many reconnection requests. Rule: {0}. Command: {1}. PID: {2}. Reason: {3}. | An error occurred during the Exchange Online operation. |
|
1009 |
Information |
Hybrid Sign-in completed for Microsoft 365 account {upn} ({objectId}). Active Directory on-premise SID: {sid}. AD group membership: {comma-separated groups sids}. | A hybrid user logged in to Cayosoft Web Portal via Azure AD authentication. |
|
1010 |
Warning |
Hybrid Sign-in failed for Microsoft 365 account {upn} ({objectId}). Active Directory on-premise DN: {dn}. Error: {errorMessage} | An error occurred during hybrid user sign-in via Azure AD authentication. |
|
1100 |
Warning |
Exchange Online session creation failed. Attempt: $($curAttempt) Reason: $($lastErrorMsg).PID: $([System.Diagnostics.Process]::GetCurrentProcess().Id) | New Exchange Online session creation failed. |
|
1101 |
Warning |
Exchange Online session implicit creation failed. Reason: $($msg). PID: $([System.Diagnostics.Process]::GetCurrentProcess().Id) | New Exchange Online session creation failed. |
|
2001 |
Error |
Suspend Office 365 User - Remove user from cloud group(s). User: {0} Error(s):\n{1} |
The list of MS 365 users who can't be removed from cloud groups on suspension. |
|
2002 |
Error |
Undo Suspend Office 365 User - Remove user from cloud group(s).\n User: {0}\n Error(s):\n{1} |
The list of MS 365 users who can't be added to cloud groups on undo suspend. |
|
2003 |
Information |
Suspend Office 365 User - Remove user from cloud group(s). Removed from these groups: \n{1} |
The list of MS 365 groups from which MS 365 user was removed on suspension. |
|
2004 |
Information |
Undo Suspend Office 365 User - Remove user from cloud group(s).\n Added to these groups: \n{1} |
The list of MS 365 groups in which MS 365 user was added on undo suspend. |
|
6200 |
Information |
Cayosoft Administration Service started | Cayosoft Administrator Service started. |
|
6201 |
Information |
SMTP configuration parameters:
SMTP Server Name: <settings.SmtpServerName>
SMTP Server Port: <settings.SmtpPort>
SMTP Account name: <settings.SmtpAccountName>
SMTP Password: "********"
SMTP Enable SSL: <settings.SmtpEnableSSL>
SMTP From: <settings.SmtpFrom>
SMTP Notify: <settings.SmtpNotify>
SMTP Limit: <settings.SmtpLimit>
|
Contains the SMTP configuration parameters of the service, written after the service starts. |
|
6202 |
Error |
Cayosoft Administration Service failed to start.
Error message: <Exception.Message>
|
An error occurred when starting the Cayosoft Administrator Service. |
|
6203 |
Information |
Cayosoft Administration Service stopped
|
Cayosoft Administrator Service stopped. |
|
6204 |
Error |
Cayosoft Administration Service encountered a system error.
Error message: <Exception.Message>
|
Internal error occurred. |
|
6205 |
Error |
Business Rule execution failed.
Error message: Recursion detected in rule execution sequence.
|
A recursion is identified in the chain of rules during execution. |
|
6206 |
Error |
Business Rule execution failed.
Error message: Replicated rules are not available for execution on schedule.
|
Replicated rules are not available for execution on schedule. |
|
6207 |
Information |
Business Rule execution completed.
Business rule: <Rule Name>
Initiator: <Initiator | "Administration Service">
Total objects processed: <Objects Found>
Total errors: <Objects Errors>
Started: <Start time>
Completed: <End time>
Email delivery: "Not configured" | "Configured"
Email recipients: <Mail Recipients>
Email delivery error: <Mail Errors>
|
Business rule or Web Action rule or Dynamic Group rule execution completed successfully. |
|
6208 |
Error |
Business Rule failed to process an object.
Business rule: <Web Action Name>
Initiator: <Initiator | "Administration Service">
Object: <DN>
Action(s): <ActionName>
Error message: <ErrorDetails>
|
Web Action rule completed with error. |
|
6209 |
Information |
Business rule was modified. Business rule: <rule name> Initiator: <domain\username> Operations: "Modify" |
The business rule or Web Action rule was modified successfully |
|
6210 |
Error |
Business Rule modification failed.
Error message: <Exception.Message>
|
An error occurred when modifying a Business rule. |
|
6211 |
Information |
Cayosoft Administration Service configuration was modified with the configuration parameters listed below.
SMTP Server Name: <settings.SmtpServerName>
SMTP Server Port: <settings.SmtpPort>
SMTP account name: <settings.SmtpAccountName>
SMTP password: "********"
SMTP Enable SSL: <settings.SmtpEnableSSL>
SMTP From: <settings.SmtpFrom>
SMTP Notify: <settings.SmtpNotify
SMTP Limit: <settings.SmtpLimit>
|
Cayosoft Administrator General Settings were modified. |
|
6212 |
Information |
Business Rules execution history records were deleted.
Initiator: <execContext.InitiatorName>
Records deleted: <id.Count>
|
Execution history records were deleted. |
|
6213 |
Information |
Dynamic Group configuration was modified. Dynamic group: <group name> Initiator: <domain\username> Operations: "Modify" |
Dynamic Group rule was modified successfully. |
|
6214 |
Error |
Dynamic Group modification failed.
Error message: <Exception.Message>
|
An error occurred when modifying a Dynamic Group rule. |
|
6215 |
Information |
<request.JSON>
|
Special rule for tracking change history details, please see the next section of the article. |
|
6216 |
Information |
Business Rule execution started. |
Business rule or Web Action rule started. |
|
6217 |
Information |
Dynamic Group membership calculation started. |
Dynamic Group membership rules calculation started. |
|
6218 |
Information |
Restricted Group membership calculation started. Restricted Group name: <rule name> Restricted Group rule ID: <rule ID> |
Restricted Group calculation started. |
|
6219 |
Error |
Fail to validate the connection to the Active Directory DC. | When rule execution fails, check every DC provided to the rule. |
|
6220 |
Error |
Error connecting to Skype Online. Service will retry the connection now. Error:
<error message> |
An error occurred when the Cayosoft Administrator service called Skype Online commands. Skype online session was marked for re-creation. |
|
6221 |
Information |
The main session consumed too much RAM and will be recycled now. RAM consumption: <RAM consumption> | The PowerShell session consumed too much RAM. The default is 50% of physical RAM. Recycled after 1st check above the threshold. |
|
6222 |
Information |
One of the rule execution sessions consumed too much RAM and will be recycled now. RAM consumption: <RAM consumed> | The default for rule PowerShell sessions is 30% of physical RAM, recycle after 20 checks. |
|
6223 |
Information |
Configuration DB upgrade started from version {0} to version {1} | The configuration database upgrade is started. |
|
6224 |
Information |
Configuration DB upgrade finished | The configuration database upgrade is finished. |
|
6227 |
Information |
Dynamic Group membership calculation completed.
Dynamic Group name: <Group name>
Dynamic Group rule id: <rule ID> Initiator: <Initiator | "Administration Service">
Members added: <Added>
Members removed: <Removed>
Total errors: <ObjectsErrors>
Started: <StartDateUtc.ToShortDateString()>
Completed: <EndDateUtc.ToShortDateString()>
Total execution time: <total time>" |
Dynamic Group membership calculation completed. |
|
6228 |
Information |
Restricted Group membership calculation completed.
Restricted Group name: <Group name> Restricted Group rule id: <rule id>
Initiator: <Initiator | ""Administration Service"">
Members added: <Added>
Members removed: <Removed>
Total errors: <ObjectsErrors>
Started: <StartDateUtc.ToShortDateString()>
Completed: <EndDateUtc.ToShortDateString()>
Total execution time: <total time>"
|
Restricted Group membership calculation completed. |
|
6229 |
Information |
Business rules were upgraded. Business rules: <list of upgraded rules> |
Rules were upgraded |
|
6301 |
Error |
Cayosoft Administration Service cannot start. Check that the Windows service account, configured to run the service, has Local Administrator permissions on the server.\nError message: <system error>.
|
Service failed to start, probably because of lacking Local Administrator permissions. |
|
6302 |
Information |
<JSON>
|
Custom Web Action execution completed sucessfully. |
|
6303 |
Error |
<JSON>
|
Custom Web Action execution completed with error. |
|
6304 |
Information |
EXO: Exchange Online WinRM connections were enumerated and closed successfully.
|
Exchange Online sessions were enumerated and closed successfully. |
|
6305 |
Error |
EXO: Failed to enumerate or close Exchange Online WinRM connection. Details: {error message}.
|
Exchange Online session enumeration is failed. |
|
6306 |
Error |
Session did not respond for the last {0} hours and would be terminated now.\nLast action: {1}\nRule name: {2}\nRule ID: {3}\nPID: {4}
|
The session did not respond and would be terminated. |
|
6307 |
Error |
Business Rule execution was terminated by user.\nRule name: {0}\nRule ID:{1}\nPID: {2}.
|
Automation rule execution was terminated by the user. |
|
6400 |
Warning |
Service is currently busy. No available session to process the request for interactive rule execution. This may indicate a high load on the Service. Delays in execution may occur for end users. Service will retry the execution request. Attempt {attempts} of {AttemptsToSession}. PID:
|
No available session to process the rule for interactive execution. |
|
6401 |
Error |
Timeout waiting for a free session to process the request for interactive rule execution.
|
The rule will not be processed because of timeout. |
|
6402 |
Information |
A new session is going to be created to process the request for interactive rule execution.
|
A new session will be created o process the rule. |
|
6403 |
Information |
Session creation is in progress: {1}. PID: {0}.
|
A session is being created at the moment. |
Change History Events
Change History events can be written to the Windows Event Log by enabling the corresponding checkbox under Home > Configuration > Settings > Change History:
Cayosoft Administrator service writes all change history records to Windows Event Log under Windows Logs > Application node using the same Cayosoft Administrator Service source and the Event ID 2615
The details of the change are included in the event in a JSON format that follows this format:
{
"Action": "<Action name, like 'New User'>",
"ObjectName": "<Object name>",
"ObjectClass": "<Class like 'user' or 'group'>",
"ObjectPath": "<OU or location of object>",
"ClientIP": "<IP of client, including Web>",
"Comment": "",
"WorkItemId": "",
"Initiator": "<Initiator>",
"InitiatorId": "<Initiator SID>",
"Timestamp": "<format like 2020-09-23T18:12:08.1363927+08:00>",
"ObjectId": "<GUID>",
"RuleId": "<GUID>",
"CorrelationID": "<GUID>",
"OperationType": "<Create | Update | Delete>",
"ModifiedProperties": [
{
"Property": "<Property 1 name>",
"PreviousValue": "<old value>",
"NewValue": "<new value>"
},
{
"Property": "<Property 2 name>",
"PreviousValue": "<old value>",
"NewValue": "<new value>"
}
| Property | Description | Example |
| ObjectName |
Canonical name or display name
|
"ObjectName": "Administrators", |
| ObjectClass | Class of the object | "ObjectClass": "user", |
| ObjectPath | Path to the object | "ObjectPath": "CORP2.contoso.com/Computers", |
| ClientIP | IP of the client, including Web | "ClientIP": "10.1.1.4", |
| Comment | A comment specified by a user | "Comment": "", |
| WorkItemId | "WorkItemId": "", | |
| Initiator | The initiator of the change | "Initiator": "CORP2\\Admin", |
| InitiatorId | Initiator SID | "InitiatorId": "S-1-5-21-429793269-2857280461-2204077469-500", |
| Timestamp | Time of the change | "Timestamp": "2020-10-13T12:52:21.6568287+00:00", |
| ObjectId | Object GUID | "ObjectId": "574e0410-cf24-4224-83b2-26774cb5ce9f", |
| RuleId | GUID of the rule | "RuleId": "2c8818aa-3b83-4f53-bf47-c5aabff42edb", |
| CorrelationID |
Operation Id that will be the same for all changes related to a single operation
|
"CorrelationID": "b5fe5edd-e46b-415b-9615-ecd9798e3ee4", |
| OperationType |
Operation type like: Create |
"OperationType": "Create", |
| ModifiedProperties |
Property name, previous value, new value The "ModifiedProperties" section will contain an array of all the properties that correspond to the action. For example, a default "New User" action will have around 15 properties. |
"ModifiedProperties": [ { "Property": "Account is disabled", "PreviousValue": "", "NewValue": "False" }, { "Property": "Country", "PreviousValue": "", "NewValue": "United States" } ] |
Change History
| Version | Notes |
|---|---|
| 7.4.0 |
The service display name is renamed to Cayosoft Administrator Service. |
Comments
0 comments
Please sign in to leave a comment.