Summary: Cayosoft Administrator writes events related to the most important operations in the service to Windows Event Log into Windows Logs > Application. Change History information can optionally be written to a separate event. In this article, you can find the detailed description of events that are created by Cayosoft Administrator service. This information could be useful when integrating with log management applications such as Splunk, or similar.
Applies to: Cayosoft Administrator 4.X or later.
ID: KB20180919-1
General Events that Cayosoft Administrator writes to Windows Event Log
Cayosoft Administrator service writes all events to Windows Event Log under Windows Logs > Application node with Source Cayosoft Administrator Service.
Please see the table below with all events that might be generated by Cayosoft Administrator service to Event Log.
Note: Certain event data contains placeholders in angle brackets (for example, SMTP Server Name: <smtp server>). In the actual Event, these events will be populated with real data.
Note 2: You can find rule or web action initiator in Event Data using the Initiator field (in versions prior to 6.2 this could also be Executed by or Requestor fields). If a rule was started by service itself, the initiator is written as 'Policy Service'.
| ID | Level | Event Data | Description |
|---|---|---|---|
|
996 |
Warning |
All retry attempts failed for function 'Get-MsolAccountSKU'. Using cached information instead. |
An error occurred when Cayosoft Administrator service called Get-MsolAccountSKU function after the certain number of retries. |
|
997 |
Warning |
Remote call failed and will be retried for function 'Get-MsolAccountSKU'. System error: <exception>. |
An error occurred when Cayosoft Administrator service called Get-MsolAccountSKU function. |
|
998 |
Warning |
Session was marked for re-creation. PID: {1}. Reason: {0}. | MSOnline session corrupted and should be recreated. |
|
999 |
Warning |
Timeout connecting to MSOnline service. Service will retry connection now. Attempt: <N> | Cayosoft Administrator could not establish a connection to MSOnline service. The default number of attempts: 5. |
|
1000 |
Error |
Error connecting to MSGraph service. Service will retry connection now. Attempt: <N> | Cayosoft Administrator could not establish a connection to Microsoft Graph. |
|
1001 |
Error |
Office 365 credentials are not specified. | Office 365 credentials are not specified in the Office 365 extension. |
|
1002 |
Error |
Fail to open a connection to the target system <system>. Error: <error message> | General error when connecting to a target system. |
|
1003 |
Information |
New connection opened to the target system {0}. PID: {1}. | Connection to a target system. |
|
1004 |
Information |
New session created. PID: {0} | New PowerShell session created. |
|
1005 |
Error |
Session creation failed. PID: {0}. Reason: Session initialization completed with errors. Check Application event log. | New PowerShell session creation failed. Check the Application event log for errors or warnings for details. |
|
1006 |
Information |
Connection is closed for the target system Microsoft Hybrid. PID: {0} | Connection is closed for the specified target system. |
|
1007 |
Warning |
EXO: Applying delay before retrying connection to Exchange Online. Delay (seconds): {0}. Attempt: $($curAttempt). PID: {1}. Reason: {2}. | Cayosoft Administrator waits for a specific time before retrying connection to Exchange Online to prevent throttling. |
|
1008 |
Warning |
EXO: Exchange Online operation failed. It might indicate EXO throttling applied for too many reconnection requests. Rule: {0}. Command: {1}. PID: {2}. Reason: {3}. | An error occurred during the Exchange Online operation. |
|
1009 |
Information |
Hybrid Sign-in completed for Microsoft 365 account {upn} ({objectId}). Active Directory on-premise SID: {sid}. AD group membership: {comma-separated groups sids}. | A hybrid user logged in to Cayosoft Web Portal via Azure AD authentication. |
|
1010 |
Warning |
Hybrid Sign-in failed for Microsoft 365 account {upn} ({objectId}). Active Directory on-premise DN: {dn}. Error: {errorMessage} | An error occurred during hybrid user sign-in via Azure AD authentication. |
|
1100 |
Warning |
Exchange Online session creation failed. Attempt: $($curAttempt) Reason: $($lastErrorMsg).PID: $([System.Diagnostics.Process]::GetCurrentProcess().Id) | New Exchange Online session creation failed. |
|
1101 |
Warning |
Exchange Online session implicit creation failed. Reason: $($msg). PID: $([System.Diagnostics.Process]::GetCurrentProcess().Id) | New Exchange Online session creation failed. |
|
2001 |
Error |
Suspend Office 365 User - Remove user from cloud group(s). User: {0} Error(s):\n{1} |
The list of MS 365 users who can't be removed from cloud groups on suspend. |
|
2002 |
Error |
Undo Suspend Office 365 User - Remove user from cloud group(s).\n User: {0}\n Error(s):\n{1} |
The list of MS 365 users who can't be added to cloud groups on undo suspend. |
|
2003 |
Information |
Suspend Office 365 User - Remove user from cloud group(s). Removed from these groups: \n{1} |
The list of MS 365 groups from which MS 365 user was removed on suspend. |
|
2004 |
Information |
Undo Suspend Office 365 User - Remove user from cloud group(s).\n Added to these groups: \n{1} |
The list of MS 365 groups in which MS 365 user was addded on undo suspend. |
|
6200 |
Information |
Cayosoft Administration Service started | Cayosoft Administrator Service started. |
|
6201 |
Information |
SMTP configuration parameters:
SMTP Server Name: <settings.SmtpServerName>
SMTP Server Port: <settings.SmtpPort>
SMTP Account name: <settings.SmtpAccountName>
SMTP Password: "********"
SMTP Enable SSL: <settings.SmtpEnableSSL>
SMTP From: <settings.SmtpFrom>
SMTP Notify: <settings.SmtpNotify>
SMTP Limit: <settings.SmtpLimit>
|
Contains the SMTP configuration parameters of the service, written after service starts. |
|
6202 |
Error |
Cayosoft Administration Service failed to start.
Error message: <Exception.Message>
|
An error occurred when starting the Cayosoft Administrator Service. |
|
6203 |
Information |
Cayosoft Administration Service stopped
|
Cayosoft Administrator Service stopped. |
|
6204 |
Error |
Cayosoft Administration Service encountered a system error.
Error message: <Exception.Message>
|
Internal error occurred. |
|
6205 |
Error |
Business Rule execution failed.
Error message: Recursion detected in rule execution sequence.
|
A recursion is identified in the chain of rules during execution. |
|
6206 |
Error |
Business Rule execution failed.
Error message: Replicated rules are not available for execution on schedule.
|
Replicated rules are not available for execution on schedule. |
|
6207 |
Information |
Business Rule execution completed.
Business rule: <Rule Name>
Initiator: <Initiator | "Administration Service">
Total objects processed: <Objects Found>
Total errors: <Objects Errors>
Started: <Start time>
Completed: <End time>
Email delivery: "Not configured" | "Configured"
Email recipients: <Mail Recipients>
Email delivery error: <Mail Errors>
|
Business rule or Web Action rule or Dynamic Group rule execution completed successfully. |
|
6208 |
Error |
Business Rule failed to process an object.
Business rule: <Web Action Name>
Initiator: <Initiator | "Administration Service">
Object: <DN>
Action(s): <ActionName>
Error message: <ErrorDetails>
|
Web Action rule completed with error. |
|
6209 |
Information |
Business rule was modified. Business rule: <rule name> Initiator: <domain\username> Operations: "Modify" |
Business rule or Web Action rule was modified successfully |
|
6210 |
Error |
Business Rule modification failed.
Error message: <Exception.Message>
|
An error occurred when modifying a Business rule. |
|
6211 |
Information |
Cayosoft Administration Service configuration was modified with the configuration parameters listed below.
SMTP Server Name: <settings.SmtpServerName>
SMTP Server Port: <settings.SmtpPort>
SMTP account name: <settings.SmtpAccountName>
SMTP password: "********"
SMTP Enable SSL: <settings.SmtpEnableSSL>
SMTP From: <settings.SmtpFrom>
SMTP Notify: <settings.SmtpNotify
SMTP Limit: <settings.SmtpLimit>
|
Cayosoft Administrator General Settings were modified. |
|
6212 |
Information |
Business Rules execution history records were deleted.
Initiator: <execContext.InitiatorName>
Records deleted: <id.Count>
|
Execution history records were deleted. |
|
6213 |
Information |
Dynamic Group configuration was modified. Dynamic group: <group name> Initiator: <domain\username> Operations: "Modify" |
Dynamic Group rule was modified successfully. |
|
6214 |
Error |
Dynamic Group modification failed.
Error message: <Exception.Message>
|
An error occurred when modifying a Dynamic Group rule. |
|
6215 |
Information |
<request.JSON>
|
Special rule for tracking change history details, please see next section of the article. |
|
6216 |
Information |
Business Rule execution started. |
Business rule or Web Action rule started. |
|
6217 |
Information |
Dynamic Group membership calculation started. |
Dynamic Group membership rules calculation started. |
|
6218 |
Information |
Restricted Group membership calculation started. Restricted Group name: <rule name> Restricted Group rule ID: <rule ID> |
Restricted Group calculation started. |
|
6219 |
Error |
Fail to validate connection to the Active Directory DC. | When rule execution fails, check every DC provided to the rule. |
|
6220 |
Error |
Error connecting to Skype Online. Service will retry connection now. Error:
<error messag> |
An error occurred when Cayosoft Administrator service called Skype Online commands. Skype online session was marked for re-creation. |
|
6221 |
Information |
Main session consumed too much RAM and will be recycled now. RAM consumption: <RAM consumption> | PowerShell session consumed too much RAM. Default is 50% of physical RAM. Recycled after 1st check above threshold. |
|
6222 |
Information |
One of rule execution sessions consumed too much RAM and will be recycled now. RAM consumption: <RAM consumed> | The default for rule PowerShell sessions is 30% of physical RAM, recycle after 20 checks. |
|
6223 |
Information |
Configuration DB upgrade started from version {0} to version {1} | The configuration database upgrade is started. |
|
6224 |
Information |
Configuration DB upgrade finished | The configuration database upgrade is finished. |
|
6225 |
Error |
Session creation failed. Attempt {0} of {1}. | Session creation failed. |
|
6226 |
Error |
Timeout occurred on session creation. | Timeout occurred on session creation. |
|
6227 |
Information |
Dynamic Group membership calculation completed.
Dynamic Group name: <Group name>
Dynamic Group rule id: <rule ID> Initiator: <Initiator | "Administration Service">
Members added: <Added>
Members removed: <Removed>
Total errors: <ObjectsErrors>
Started: <StartDateUtc.ToShortDateString()>
Completed: <EndDateUtc.ToShortDateString()>
Total execution time: <total time>" |
Dynamic Group membership calculation completed. |
|
6228 |
Information |
Restricted Group membership calculation completed.
Restricted Group name: <Group name> Restricted Group rule id: <rule id>
Initiator: <Initiator | ""Administration Service"">
Members added: <Added>
Members removed: <Removed>
Total errors: <ObjectsErrors>
Started: <StartDateUtc.ToShortDateString()>
Completed: <EndDateUtc.ToShortDateString()>
Total execution time: <total time>"
|
Restricted Group membership calculation completed. |
|
6229 |
Information |
Business rules were upgraded. Business rules: <list of upgraded rules> |
Rules were upgraded |
|
6301 |
Error |
Cayosoft Administration Service cannot start. Check that Windows service account, configured to run the service, has Local Administrator permissions on the server.\nError message: <system error>.
|
Service failed to start, probably because of lacking Local Administrator permissions. |
Change History Events
Change History events can be written to the Windows Event Log by enabling the corresponding checkbox under Home > Configuration > Settings > Change History:
Cayosoft Administrator service writes all change history records to Windows Event Log under Windows Logs > Application node using the same Cayosoft Administrator Service source and the Event ID 2615
The details of the change are included in the event in a JSON format that follows this format:
{
"Action": "<Action name, like 'New User'>",
"ObjectName": "<Object name>",
"ObjectClass": "<Class like 'user' or 'group'>",
"ObjectPath": "<OU or location of object>",
"ClientIP": "<IP of client, including Web>",
"Comment": "",
"WorkItemId": "",
"Initiator": "<Initiator>",
"InitiatorId": "<Initiator SID>",
"Timestamp": "<format like 2020-09-23T18:12:08.1363927+08:00>",
"ObjectId": "<GUID>",
"RuleId": "<GUID>",
"CorrelationID": "<GUID>",
"OperationType": "<Create | Update | Delete>",
"ModifiedProperties": [
{
"Property": "<Property 1 name>",
"PreviousValue": "<old value>",
"NewValue": "<new value>"
},
{
"Property": "<Property 2 name>",
"PreviousValue": "<old value>",
"NewValue": "<new value>"
}
| Property | Description | Example |
| ObjectName |
Canonical name or display name
|
"ObjectName": "Administrators", |
| ObjectClass | Class of the object | "ObjectClass": "user", |
| ObjectPath | Path to the object | "ObjectPath": "CORP2.contoso.com/Computers", |
| ClientIP | IP of the client, including Web | "ClientIP": "10.1.1.4", |
| Comment | A comment specified by a user | "Comment": "", |
| WorkItemId | "WorkItemId": "", | |
| Initiator | The initiator of the change | "Initiator": "CORP2\\Admin", |
| InitiatorId | Initiator SID | "InitiatorId": "S-1-5-21-429793269-2857280461-2204077469-500", |
| Timestamp | Time of the change | "Timestamp": "2020-10-13T12:52:21.6568287+00:00", |
| ObjectId | Object GUID | "ObjectId": "574e0410-cf24-4224-83b2-26774cb5ce9f", |
| RuleId | GUID of the rule | "RuleId": "2c8818aa-3b83-4f53-bf47-c5aabff42edb", |
| CorrelationID |
Operation Id that will be the same for all changes related to a single operation
|
"CorrelationID": "b5fe5edd-e46b-415b-9615-ecd9798e3ee4", |
| OperationType |
Operation type like: Create |
"OperationType": "Create", |
| ModifiedProperties |
Property name, previous value, new value The "ModifiedProperties" section will contain an array of all the properties that correspond to the action. For example, a default "New User" action will have around 15 properties. |
"ModifiedProperties": [ { "Property": "Account is disabled", "PreviousValue": "", "NewValue": "False" }, { "Property": "Country", "PreviousValue": "", "NewValue": "United States" } ] |
Change History
| Version | Notes |
|---|---|
| 7.4.0 |
The service display name is renamed to Cayosoft Administrator Service. |
Comments
0 comments
Please sign in to leave a comment.