From f06a4c36834fae773da8ed429d0a91fbcda8d6aa Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 31 Oct 2018 21:56:14 +0100
Subject: [PATCH 01/26] Updated upgrade framework

The upgrade framework has been updated to match PKI 10.6
which no longer requires an upgrade folder for each
upgradable version.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit b4e5de9d618b57868be8b8d9a49d574ea58a7d40)
---
 base/common/python/pki/upgrade.py                  | 118 +++++++--------------
 base/common/python/pki/util.py                     |  86 ++++++++++++++-
 base/common/sbin/pki-upgrade                       |   3 +-
 .../python/pki/server/deployment/pkiparser.py      |   4 +-
 base/server/python/pki/server/upgrade.py           |  10 ++
 base/server/sbin/pki-server-upgrade                |  19 +++-
 6 files changed, 152 insertions(+), 88 deletions(-)

diff --git a/base/common/python/pki/upgrade.py b/base/common/python/pki/upgrade.py
index 3106c70..c2d217f 100644
--- a/base/common/python/pki/upgrade.py
+++ b/base/common/python/pki/upgrade.py
@@ -22,8 +22,8 @@
 from __future__ import absolute_import
 from __future__ import print_function
 import functools
+import logging
 import os
-import re
 import shutil
 import traceback
 
@@ -36,70 +36,9 @@ DEFAULT_VERSION = '10.0.0'
 UPGRADE_DIR = pki.SHARE_DIR + '/upgrade'
 BACKUP_DIR = pki.LOG_DIR + '/upgrade'
 SYSTEM_TRACKER = pki.CONF_DIR + '/pki.version'
-verbose = False
-
-
-@functools.total_ordering
-class Version(object):
-
-    def __init__(self, obj):
-
-        if isinstance(obj, str):
-
-            # parse <version>-<release>
-            pos = obj.find('-')
-
-            if pos > 0:
-                self.version = obj[0:pos]
-            elif pos < 0:
-                self.version = obj
-            else:
-                raise Exception('Invalid version number: ' + obj)
-
-            # parse <major>.<minor>.<patch>
-            match = re.match(r'^(\d+)\.(\d+)\.(\d+)$', self.version)
-
-            if match is None:
-                raise Exception('Invalid version number: ' + self.version)
-
-            self.major = int(match.group(1))
-            self.minor = int(match.group(2))
-            self.patch = int(match.group(3))
-
-        elif isinstance(obj, Version):
-
-            self.major = obj.major
-            self.minor = obj.minor
-            self.patch = obj.patch
-
-        else:
-            raise Exception('Unsupported version type: ' + str(type(obj)))
-
-    # release is ignored in comparisons
-    def __eq__(self, other):
-        return (self.major == other.major and
-                self.minor == other.minor and
-                self.patch == other.patch)
-
-    def __lt__(self, other):
-        if self.major < other.major:
-            return True
 
-        if self.major == other.major and self.minor < other.minor:
-            return True
-
-        if (self.major == other.major and
-                self.minor == other.minor and
-                self.patch < other.patch):
-            return True
-
-        return False
-
-    # not hashable
-    __hash__ = None
-
-    def __repr__(self):
-        return self.version
+logger = logging.getLogger(__name__)
+verbose = False
 
 
 class PKIUpgradeTracker(object):
@@ -203,9 +142,9 @@ class PKIUpgradeTracker(object):
 
         version = self.properties.get(self.version_key)
         if version:
-            return Version(version)
+            return pki.util.Version(version)
 
-        return Version(DEFAULT_VERSION)
+        return pki.util.Version(DEFAULT_VERSION)
 
     def set_version(self, version):
 
@@ -479,7 +418,7 @@ class PKIUpgrader(object):
 
         if os.path.exists(self.upgrade_dir):
             for version in os.listdir(self.upgrade_dir):
-                version = Version(version)
+                version = pki.util.Version(version)
                 all_versions.append(version)
 
         all_versions.sort()
@@ -489,25 +428,46 @@ class PKIUpgrader(object):
     def versions(self):
 
         current_version = self.get_current_version()
+        logger.debug('Current version: %s', current_version)
+
         target_version = self.get_target_version()
+        logger.debug('Target version: %s', target_version)
 
-        current_versions = []
+        upgrade_path = []
 
         for version in self.all_versions():
 
-            # skip old versions
-            if version >= current_version:
-                current_versions.append(version)
+            # skip older versions
+            if version < current_version:
+                continue
+
+            # skip newer versions
+            if version > target_version:
+                continue
+
+            upgrade_path.append(version)
 
-        current_versions.sort()
+        upgrade_path.sort()
+
+        # start from current version
+        if not upgrade_path or upgrade_path[0] != current_version:
+            upgrade_path.insert(0, current_version)
+
+        # stop at target version
+        if not upgrade_path or upgrade_path[-1] != target_version:
+            upgrade_path.append(target_version)
+
+        logger.debug('Upgrade path:')
+        for version in upgrade_path:
+            logger.debug(' - %s', version)
 
         versions = []
 
-        for index, version in enumerate(current_versions):
+        for index, version in enumerate(upgrade_path):
 
             # link versions
-            if index < len(current_versions) - 1:
-                version.next = current_versions[index + 1]
+            if index < len(upgrade_path) - 1:
+                version.next = upgrade_path[index + 1]
             else:
                 version.next = target_version
 
@@ -587,7 +547,7 @@ class PKIUpgrader(object):
         return tracker.get_version()
 
     def get_target_version(self):
-        return Version(pki.implementation_version())
+        return pki.util.Version(pki.implementation_version())
 
     def is_complete(self):
 
@@ -632,9 +592,6 @@ class PKIUpgrader(object):
                 scriptlet.init()
                 scriptlet.upgrade()
 
-            except pki.PKIException:
-                raise
-
             except Exception as e:  # pylint: disable=W0703
 
                 print()
@@ -699,9 +656,6 @@ class PKIUpgrader(object):
             try:
                 scriptlet.revert()
 
-            except pki.PKIException:
-                raise
-
             except Exception as e:  # pylint: disable=W0703
 
                 print()
diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py
index 871c899..65a861f 100644
--- a/base/common/python/pki/util.py
+++ b/base/common/python/pki/util.py
@@ -24,7 +24,9 @@ Module containing utility functions and classes for the Dogtag python code
 
 
 from __future__ import absolute_import
+import functools
 import os
+import re
 import shutil
 from shutil import Error
 try:
@@ -32,6 +34,7 @@ try:
 except ImportError:
     WindowsError = None
 
+import six
 import subprocess
 
 DEFAULT_PKI_ENV_LIST = [
@@ -124,11 +127,14 @@ def copydirs(source, dest):
 
 def chown(path, uid, gid):
     """
-    Change ownership of a folder and its contents.
+    Change ownership of a file or folder recursively.
     """
 
     os.chown(path, uid, gid)
 
+    if not os.path.isdir(path):
+        return
+
     for item in os.listdir(path):
         itempath = os.path.join(path, item)
 
@@ -138,6 +144,25 @@ def chown(path, uid, gid):
             chown(itempath, uid, gid)
 
 
+def chmod(path, perms):
+    """
+    Change permissions of a file or folder recursively.
+    """
+
+    os.chmod(path, perms)
+
+    if not os.path.isdir(path):
+        return
+
+    for item in os.listdir(path):
+        itempath = os.path.join(path, item)
+
+        if os.path.isfile(itempath):
+            os.chmod(itempath, perms)
+        elif os.path.isdir(itempath):
+            chmod(itempath, perms)
+
+
 def customize_file(input_file, output_file, params):
     """
     Customize a file with specified parameters.
@@ -275,3 +300,62 @@ def read_environment_files(env_file_list=None):
         if not key.strip() or key == u'_':
             continue
         os.environ[key] = value
+
+
+@functools.total_ordering
+class Version(object):
+
+    def __init__(self, obj):
+
+        if isinstance(obj, six.string_types):
+
+            # parse <major>.<minor>.<patch>[<suffix>]
+            match = re.match(r'^(\d+)\.(\d+)\.(\d+)', obj)
+
+            if match is None:
+                raise Exception('Unable to parse version number: %s' % obj)
+
+            self.major = int(match.group(1))
+            self.minor = int(match.group(2))
+            self.patch = int(match.group(3))
+
+        elif isinstance(obj, Version):
+
+            self.major = obj.major
+            self.minor = obj.minor
+            self.patch = obj.patch
+
+        else:
+            raise Exception('Unsupported version type: %s' % type(obj))
+
+    # release is ignored in comparisons
+    def __eq__(self, other):
+        return (self.major == other.major and
+                self.minor == other.minor and
+                self.patch == other.patch)
+
+    def __ne__(self, other):
+        return not self.__eq__(other)
+
+    def __lt__(self, other):
+        if self.major < other.major:
+            return True
+
+        if self.major == other.major and self.minor < other.minor:
+            return True
+
+        if (self.major == other.major and
+                self.minor == other.minor and
+                self.patch < other.patch):
+            return True
+
+        return False
+
+    def __gt__(self, other):
+        return not self.__lt__(other) and not self.__eq__(other)
+
+    # not hashable
+    __hash__ = None
+
+    def __repr__(self):
+        return '%d.%d.%d' % (self.major, self.minor, self.patch)
diff --git a/base/common/sbin/pki-upgrade b/base/common/sbin/pki-upgrade
index 1833de8..b6bf930 100755
--- a/base/common/sbin/pki-upgrade
+++ b/base/common/sbin/pki-upgrade
@@ -26,6 +26,7 @@ import signal
 import sys
 
 import pki
+import pki.util
 import pki.upgrade
 
 # pylint: disable=W0613
@@ -113,7 +114,7 @@ def main(argv):
             reset_tracker = True
 
         elif o == '--set-tracker':
-            tracker_version = pki.upgrade.Version(a)
+            tracker_version = pki.util.Version(a)
 
         elif o in ('-v', '--verbose'):
             pki.upgrade.verbose = True
diff --git a/base/server/python/pki/server/deployment/pkiparser.py b/base/server/python/pki/server/deployment/pkiparser.py
index 2ea7319..8971bb5 100644
--- a/base/server/python/pki/server/deployment/pkiparser.py
+++ b/base/server/python/pki/server/deployment/pkiparser.py
@@ -40,7 +40,7 @@ from six.moves.urllib.parse import urlparse  # pylint: disable=F0401,E0611
 
 # PKI Imports
 import pki
-import pki.upgrade
+import pki.util
 import pki.account
 import pki.client
 import pki.system
@@ -337,7 +337,7 @@ class PKIConfigParser:
         default_http_port = '8080'
         default_https_port = '8443'
 
-        application_version = str(pki.upgrade.Version(
+        application_version = str(pki.util.Version(
             pki.implementation_version()))
 
         self.deployer.main_config = configparser.SafeConfigParser({
diff --git a/base/server/python/pki/server/upgrade.py b/base/server/python/pki/server/upgrade.py
index 926c683..e636b8a 100644
--- a/base/server/python/pki/server/upgrade.py
+++ b/base/server/python/pki/server/upgrade.py
@@ -20,6 +20,7 @@
 
 from __future__ import absolute_import
 from __future__ import print_function
+import logging
 import os
 import traceback
 
@@ -35,6 +36,8 @@ BACKUP_DIR = pki.LOG_DIR + '/server/upgrade'
 INSTANCE_TRACKER = '%s/tomcat.conf'
 SUBSYSTEM_TRACKER = '%s/CS.cfg'
 
+logger = logging.getLogger(__name__)
+
 
 class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet):
 
@@ -65,8 +68,11 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet):
             tracker.set_version(self.version.next)
 
     def upgrade(self):
+
         for instance in self.upgrader.instances():
 
+            logger.info('Upgrading %s instance', instance.name)
+
             self.upgrade_subsystems(instance)
 
             # If upgrading a specific subsystem don't upgrade the instance.
@@ -81,6 +87,7 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet):
             try:
                 if verbose:
                     print('Upgrading ' + str(instance) + ' instance.')
+
                 self.upgrade_instance(instance)
                 self.update_server_tracker(instance)
 
@@ -106,8 +113,11 @@ class PKIServerUpgradeScriptlet(pki.upgrade.PKIUpgradeScriptlet):
                     'Upgrade failed in %s: %s' % (instance, e), e, instance)
 
     def upgrade_subsystems(self, instance):
+
         for subsystem in self.upgrader.subsystems(instance):
 
+            logger.info('Upgrading %s subsystem', subsystem.name)
+
             if not self.can_upgrade_server(instance, subsystem):
                 if verbose:
                     print('Skipping ' + str(subsystem) + ' subsystem.')
diff --git a/base/server/sbin/pki-server-upgrade b/base/server/sbin/pki-server-upgrade
index 73e0e4a..932f1c5 100755
--- a/base/server/sbin/pki-server-upgrade
+++ b/base/server/sbin/pki-server-upgrade
@@ -22,6 +22,7 @@
 from __future__ import absolute_import
 from __future__ import print_function
 import getopt
+import logging
 import signal
 import sys
 
@@ -29,6 +30,8 @@ import pki
 import pki.upgrade
 import pki.server.upgrade
 
+logger = logging.getLogger('pki.server.cli.upgrade')
+
 
 # pylint: disable=W0613
 def interrupt_handler(event, frame):
@@ -71,13 +74,15 @@ def main(argv):
 
     signal.signal(signal.SIGINT, interrupt_handler)
 
+    logging.basicConfig(format='%(levelname)s: %(message)s')
+
     try:
         opts, _ = getopt.getopt(argv[1:], 'hi:s:t:vX', [
             'instance=', 'subsystem=', 'instance-type=',
             'scriptlet-version=', 'scriptlet-index=',
             'silent', 'status', 'revert',
             'remove-tracker', 'reset-tracker', 'set-tracker=',
-            'verbose', 'help'])
+            'verbose', 'debug', 'help'])
 
     except getopt.GetoptError as e:
         print('ERROR: ' + str(e))
@@ -132,10 +137,14 @@ def main(argv):
             reset_tracker = True
 
         elif o == '--set-tracker':
-            tracker_version = pki.upgrade.Version(a)
+            tracker_version = pki.util.Version(a)
 
         elif o in ('-v', '--verbose'):
             pki.upgrade.verbose = True
+            logging.getLogger().setLevel(logging.INFO)
+
+        elif o == '--debug':
+            logging.getLogger().setLevel(logging.DEBUG)
 
         elif o in ('-h', '--help'):
             usage()
@@ -171,21 +180,27 @@ def main(argv):
             silent=silent)
 
         if status:
+            logger.info('Getting PKI server upgrade status')
             upgrader.status()
 
         elif revert:
+            logger.info('Reverting PKI server last upgrade')
             upgrader.revert()
 
         elif remove_tracker:
+            logger.info('Removing PKI server upgrade tracker')
             upgrader.remove_tracker()
 
         elif reset_tracker:
+            logger.info('Resetting PKI server upgrade tracker')
             upgrader.reset_tracker()
 
         elif tracker_version is not None:
+            logger.info('Setting PKI server upgrade tracker')
             upgrader.set_tracker(tracker_version)
 
         else:
+            logger.info('Upgrading PKI server')
             upgrader.upgrade()
 
     except pki.PKIException as e:
-- 
1.8.3.1


From a7e4a037ed99dfc44de67dd4396627d452c34355 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 31 Oct 2018 22:57:17 +0100
Subject: [PATCH 02/26] Removed empty upgrade folders

The empty upgrade folders have been removed since they
are no longer necessary for upgrades.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 42f14ef88deb25336563a23c67fb2ad3a3a8aa3c)
---
 base/common/upgrade/10.0.0/.gitignore  | 4 ----
 base/common/upgrade/10.0.2/.gitignore  | 4 ----
 base/common/upgrade/10.0.4/.gitignore  | 4 ----
 base/common/upgrade/10.0.5/.gitignore  | 4 ----
 base/common/upgrade/10.0.6/.gitignore  | 4 ----
 base/common/upgrade/10.1.0/.gitignore  | 4 ----
 base/common/upgrade/10.1.1/.gitignore  | 4 ----
 base/common/upgrade/10.1.2/.gitignore  | 4 ----
 base/common/upgrade/10.1.99/.gitignore | 4 ----
 base/common/upgrade/10.2.0/.gitignore  | 4 ----
 base/common/upgrade/10.2.1/.gitignore  | 4 ----
 base/common/upgrade/10.2.2/.gitignore  | 4 ----
 base/common/upgrade/10.2.3/.gitignore  | 4 ----
 base/common/upgrade/10.2.4/.gitignore  | 0
 base/common/upgrade/10.2.5/.gitignore  | 4 ----
 base/common/upgrade/10.2.6/.gitignore  | 4 ----
 base/common/upgrade/10.3.0/.gitignore  | 4 ----
 base/common/upgrade/10.3.1/.gitignore  | 4 ----
 base/common/upgrade/10.3.2/.gitignore  | 4 ----
 base/common/upgrade/10.3.3/.gitignore  | 4 ----
 base/common/upgrade/10.3.4/.gitignore  | 4 ----
 base/common/upgrade/10.3.5/.gitignore  | 4 ----
 base/common/upgrade/10.4.0/.gitignore  | 4 ----
 base/common/upgrade/10.4.1/.gitignore  | 4 ----
 base/common/upgrade/10.4.2/.gitignore  | 4 ----
 base/common/upgrade/10.4.3/.gitignore  | 4 ----
 base/common/upgrade/10.4.4/.gitignore  | 4 ----
 base/common/upgrade/10.4.5/.gitignore  | 4 ----
 base/common/upgrade/10.4.6/.gitignore  | 4 ----
 base/server/upgrade/10.0.0/.gitignore  | 4 ----
 base/server/upgrade/10.0.2/.gitignore  | 4 ----
 base/server/upgrade/10.0.3/.gitignore  | 4 ----
 base/server/upgrade/10.0.4/.gitignore  | 4 ----
 base/server/upgrade/10.0.6/.gitignore  | 4 ----
 base/server/upgrade/10.1.0/.gitignore  | 4 ----
 base/server/upgrade/10.1.2/.gitignore  | 4 ----
 base/server/upgrade/10.2.0/.gitignore  | 4 ----
 base/server/upgrade/10.3.1/.gitignore  | 4 ----
 base/server/upgrade/10.3.2/.gitignore  | 4 ----
 base/server/upgrade/10.3.4/.gitignore  | 4 ----
 base/server/upgrade/10.4.1/.gitignore  | 4 ----
 base/server/upgrade/10.4.3/.gitignore  | 4 ----
 base/server/upgrade/10.4.4/.gitignore  | 4 ----
 base/server/upgrade/10.4.5/.gitignore  | 4 ----
 base/server/upgrade/10.5.1/.gitignore  | 4 ----
 45 files changed, 176 deletions(-)
 delete mode 100644 base/common/upgrade/10.0.0/.gitignore
 delete mode 100644 base/common/upgrade/10.0.2/.gitignore
 delete mode 100644 base/common/upgrade/10.0.4/.gitignore
 delete mode 100644 base/common/upgrade/10.0.5/.gitignore
 delete mode 100644 base/common/upgrade/10.0.6/.gitignore
 delete mode 100644 base/common/upgrade/10.1.0/.gitignore
 delete mode 100644 base/common/upgrade/10.1.1/.gitignore
 delete mode 100644 base/common/upgrade/10.1.2/.gitignore
 delete mode 100644 base/common/upgrade/10.1.99/.gitignore
 delete mode 100644 base/common/upgrade/10.2.0/.gitignore
 delete mode 100644 base/common/upgrade/10.2.1/.gitignore
 delete mode 100644 base/common/upgrade/10.2.2/.gitignore
 delete mode 100644 base/common/upgrade/10.2.3/.gitignore
 delete mode 100644 base/common/upgrade/10.2.4/.gitignore
 delete mode 100644 base/common/upgrade/10.2.5/.gitignore
 delete mode 100644 base/common/upgrade/10.2.6/.gitignore
 delete mode 100644 base/common/upgrade/10.3.0/.gitignore
 delete mode 100644 base/common/upgrade/10.3.1/.gitignore
 delete mode 100644 base/common/upgrade/10.3.2/.gitignore
 delete mode 100644 base/common/upgrade/10.3.3/.gitignore
 delete mode 100644 base/common/upgrade/10.3.4/.gitignore
 delete mode 100644 base/common/upgrade/10.3.5/.gitignore
 delete mode 100644 base/common/upgrade/10.4.0/.gitignore
 delete mode 100644 base/common/upgrade/10.4.1/.gitignore
 delete mode 100644 base/common/upgrade/10.4.2/.gitignore
 delete mode 100644 base/common/upgrade/10.4.3/.gitignore
 delete mode 100644 base/common/upgrade/10.4.4/.gitignore
 delete mode 100644 base/common/upgrade/10.4.5/.gitignore
 delete mode 100644 base/common/upgrade/10.4.6/.gitignore
 delete mode 100644 base/server/upgrade/10.0.0/.gitignore
 delete mode 100644 base/server/upgrade/10.0.2/.gitignore
 delete mode 100644 base/server/upgrade/10.0.3/.gitignore
 delete mode 100644 base/server/upgrade/10.0.4/.gitignore
 delete mode 100644 base/server/upgrade/10.0.6/.gitignore
 delete mode 100644 base/server/upgrade/10.1.0/.gitignore
 delete mode 100644 base/server/upgrade/10.1.2/.gitignore
 delete mode 100644 base/server/upgrade/10.2.0/.gitignore
 delete mode 100644 base/server/upgrade/10.3.1/.gitignore
 delete mode 100644 base/server/upgrade/10.3.2/.gitignore
 delete mode 100644 base/server/upgrade/10.3.4/.gitignore
 delete mode 100644 base/server/upgrade/10.4.1/.gitignore
 delete mode 100644 base/server/upgrade/10.4.3/.gitignore
 delete mode 100644 base/server/upgrade/10.4.4/.gitignore
 delete mode 100644 base/server/upgrade/10.4.5/.gitignore
 delete mode 100644 base/server/upgrade/10.5.1/.gitignore

diff --git a/base/common/upgrade/10.0.0/.gitignore b/base/common/upgrade/10.0.0/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.0.0/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.0.2/.gitignore b/base/common/upgrade/10.0.2/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.0.2/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.0.4/.gitignore b/base/common/upgrade/10.0.4/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.0.4/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.0.5/.gitignore b/base/common/upgrade/10.0.5/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.0.5/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.0.6/.gitignore b/base/common/upgrade/10.0.6/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.0.6/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.1.0/.gitignore b/base/common/upgrade/10.1.0/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.1.0/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.1.1/.gitignore b/base/common/upgrade/10.1.1/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.1.1/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.1.2/.gitignore b/base/common/upgrade/10.1.2/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.1.2/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.1.99/.gitignore b/base/common/upgrade/10.1.99/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.1.99/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.2.0/.gitignore b/base/common/upgrade/10.2.0/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.2.0/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.2.1/.gitignore b/base/common/upgrade/10.2.1/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.2.1/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.2.2/.gitignore b/base/common/upgrade/10.2.2/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.2.2/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.2.3/.gitignore b/base/common/upgrade/10.2.3/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.2.3/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.2.4/.gitignore b/base/common/upgrade/10.2.4/.gitignore
deleted file mode 100644
index e69de29..0000000
diff --git a/base/common/upgrade/10.2.5/.gitignore b/base/common/upgrade/10.2.5/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.2.5/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.2.6/.gitignore b/base/common/upgrade/10.2.6/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.2.6/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.3.0/.gitignore b/base/common/upgrade/10.3.0/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.3.0/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.3.1/.gitignore b/base/common/upgrade/10.3.1/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.3.1/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.3.2/.gitignore b/base/common/upgrade/10.3.2/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.3.2/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.3.3/.gitignore b/base/common/upgrade/10.3.3/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.3.3/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.3.4/.gitignore b/base/common/upgrade/10.3.4/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.3.4/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.3.5/.gitignore b/base/common/upgrade/10.3.5/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.3.5/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.4.0/.gitignore b/base/common/upgrade/10.4.0/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.4.0/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.4.1/.gitignore b/base/common/upgrade/10.4.1/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.4.1/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.4.2/.gitignore b/base/common/upgrade/10.4.2/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.4.2/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.4.3/.gitignore b/base/common/upgrade/10.4.3/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.4.3/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.4.4/.gitignore b/base/common/upgrade/10.4.4/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.4.4/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.4.5/.gitignore b/base/common/upgrade/10.4.5/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.4.5/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/common/upgrade/10.4.6/.gitignore b/base/common/upgrade/10.4.6/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/common/upgrade/10.4.6/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/server/upgrade/10.0.0/.gitignore b/base/server/upgrade/10.0.0/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/server/upgrade/10.0.0/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/server/upgrade/10.0.2/.gitignore b/base/server/upgrade/10.0.2/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/server/upgrade/10.0.2/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/server/upgrade/10.0.3/.gitignore b/base/server/upgrade/10.0.3/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/server/upgrade/10.0.3/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/server/upgrade/10.0.4/.gitignore b/base/server/upgrade/10.0.4/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/server/upgrade/10.0.4/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/server/upgrade/10.0.6/.gitignore b/base/server/upgrade/10.0.6/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/server/upgrade/10.0.6/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/server/upgrade/10.1.0/.gitignore b/base/server/upgrade/10.1.0/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/server/upgrade/10.1.0/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/server/upgrade/10.1.2/.gitignore b/base/server/upgrade/10.1.2/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/server/upgrade/10.1.2/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/server/upgrade/10.2.0/.gitignore b/base/server/upgrade/10.2.0/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/server/upgrade/10.2.0/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/server/upgrade/10.3.1/.gitignore b/base/server/upgrade/10.3.1/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/server/upgrade/10.3.1/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/server/upgrade/10.3.2/.gitignore b/base/server/upgrade/10.3.2/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/server/upgrade/10.3.2/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/server/upgrade/10.3.4/.gitignore b/base/server/upgrade/10.3.4/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/server/upgrade/10.3.4/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/server/upgrade/10.4.1/.gitignore b/base/server/upgrade/10.4.1/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/server/upgrade/10.4.1/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/server/upgrade/10.4.3/.gitignore b/base/server/upgrade/10.4.3/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/server/upgrade/10.4.3/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/server/upgrade/10.4.4/.gitignore b/base/server/upgrade/10.4.4/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/server/upgrade/10.4.4/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/server/upgrade/10.4.5/.gitignore b/base/server/upgrade/10.4.5/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/server/upgrade/10.4.5/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
diff --git a/base/server/upgrade/10.5.1/.gitignore b/base/server/upgrade/10.5.1/.gitignore
deleted file mode 100644
index 5e7d273..0000000
--- a/base/server/upgrade/10.5.1/.gitignore
+++ /dev/null
@@ -1,4 +0,0 @@
-# Ignore everything in this directory
-*
-# Except this file
-!.gitignore
-- 
1.8.3.1


From 8bdcb3dcb6d304604dc68e44917847b71724cde5 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 1 Nov 2018 04:34:50 +0100
Subject: [PATCH 03/26] Updated pki-server <subsystem>-audit-event-find

The pki-server <subsystem>-audit-event-find has been modified
to support searching all events, enabled events, and disabled
events.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 1d7b48538cc6ede7780489cc22bc631caffebe04)
---
 base/server/python/pki/server/__init__.py | 95 ++++++++++++++++++++++++++++---
 1 file changed, 88 insertions(+), 7 deletions(-)

diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index b5180f0..ace98f3 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -428,24 +428,105 @@ class PKISubsystem(object):
 
     def find_audit_events(self, enabled=None):
 
-        if not enabled:
-            raise Exception('This operation is not yet supported. Specify --enabled True.')
-
         events = []
 
-        names = self.config['log.instance.SignedAudit.events'].split(',')
-        names = list(map(str.strip, names))
-        names.sort()
+        # get enabled events
+        enabled_event_names = self.get_enabled_audit_events()
+
+        if enabled is None:
+            # get all events
+            names = self.get_audit_events()
+
+        elif enabled:  # enabled == True
+            # get enabled events
+            names = enabled_event_names
+
+        else:  # enabled == False
+            # get all events
+            all_event_names = self.get_audit_events()
+
+            # get disabled events by subtracting enabled events from all events
+            names = sorted(set(all_event_names) - set(enabled_event_names))
 
+        # get event properties
         for name in names:
             event = {}
             event['name'] = name
-            event['enabled'] = True
+            event['enabled'] = name in enabled_event_names
             event['filter'] = self.config.get('log.instance.SignedAudit.filters.%s' % name)
             events.append(event)
 
         return events
 
+    def get_audit_events(self):
+
+        # get the full list of audit events from LogMessages.properties
+
+        properties = {}
+        tmpdir = tempfile.mkdtemp()
+
+        try:
+            # export LogMessages.properties from cmsbundle.jar
+            cmsbundle_jar = \
+                '/usr/share/pki/%s/webapps/%s/WEB-INF/lib/pki-cmsbundle.jar' \
+                % (self.name, self.name)
+
+            cmd = [
+                'jar',
+                'xf',
+                cmsbundle_jar,
+                'LogMessages.properties'
+            ]
+
+            logger.debug('Command: %s', ' '.join(cmd))
+
+            subprocess.check_output(
+                cmd,
+                cwd=tmpdir,
+                stderr=subprocess.STDOUT)
+
+            # load LogMessages.properties
+            log_messages_properties = os.path.join(tmpdir, 'LogMessages.properties')
+            pki.util.load_properties(log_messages_properties, properties)
+
+        finally:
+            shutil.rmtree(tmpdir)
+
+        # get audit events
+        events = set()
+        name_pattern = re.compile(r'LOGGING_SIGNED_AUDIT_')
+        value_pattern = re.compile(r'<type=(.*)>:')
+
+        for name in properties:
+
+            name_match = name_pattern.match(name)
+            if not name_match:
+                continue
+
+            value = properties[name]
+
+            value_match = value_pattern.match(value)
+            if not value_match:
+                continue
+
+            event = value_match.group(1)
+            events.add(event)
+
+        return sorted(events)
+
+    def get_enabled_audit_events(self):
+
+        # parse enabled audit events
+        value = self.config['log.instance.SignedAudit.events']
+        event_list = value.replace(' ', '').split(',')
+
+        # remove duplicates
+        events = set()
+        for event in event_list:
+            events.add(event)
+
+        return sorted(events)
+
     def get_audit_log_dir(self):
 
         current_file_path = self.config['log.instance.SignedAudit.fileName']
-- 
1.8.3.1


From bcc43b903a67a88c254240840e885407e7c51f3c Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 7 Nov 2018 16:53:57 +0100
Subject: [PATCH 04/26] Updated pki.util.load_properties()

The pki.util.load_properties() has been modified to support
multi-line property value.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 618c5aec2cf1f16bcf30e676d3ed1f84722a32e3)
---
 base/common/python/pki/util.py | 38 +++++++++++++++++++++++++++++---------
 1 file changed, 29 insertions(+), 9 deletions(-)

diff --git a/base/common/python/pki/util.py b/base/common/python/pki/util.py
index 65a861f..a5d220f 100644
--- a/base/common/python/pki/util.py
+++ b/base/common/python/pki/util.py
@@ -180,22 +180,42 @@ def load_properties(filename, properties):
     with open(filename) as f:
 
         lines = f.read().splitlines()
+        name = None
+        multi_line = False
 
         for index, line in enumerate(lines):
 
-            line = line.strip()
+            if multi_line:
+                # append line to previous property
 
-            if not line or line.startswith('#'):
-                continue
+                value = properties[name]
+                value = value + line
 
-            parts = line.split('=', 1)
+            else:
+                # parse line for new property
+
+                line = line.lstrip()
+                if not line or line.startswith('#'):
+                    continue
+
+                parts = line.split('=', 1)
+                if len(parts) < 2:
+                    raise Exception('Missing delimiter in %s line %d' %
+                                    (filename, index + 1))
 
-            if len(parts) < 2:
-                raise Exception('Missing delimiter in %s line %d' %
-                                (filename, index + 1))
+                name = parts[0].rstrip()
+                value = parts[1].lstrip()
+
+            # check if the value is multi-line
+            if value.endswith('\\'):
+                value = value[:-1]
+                multi_line = True
+
+            else:
+                value = value.rstrip()
+                multi_line = False
 
-            name = parts[0].strip()
-            value = parts[1].strip()
+            # store value in properties
             properties[name] = value
 
 
-- 
1.8.3.1


From 68427be67b3b5cf1c55b2ffe5eefd37f45dd8cab Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 9 Nov 2018 16:34:14 +0100
Subject: [PATCH 05/26] Added audit event management tools

The pki-server <subsystem>-audit-* commands have been backported
to PKI 10.5.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit adc316972072789b12ab2c2feb391bbdb01768d5)
---
 base/server/python/pki/server/__init__.py  |  83 +++-
 base/server/python/pki/server/cli/audit.py | 587 ++++++++++++++++++++++++++++-
 2 files changed, 662 insertions(+), 8 deletions(-)

diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index ace98f3..6cbda2f 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -426,7 +426,65 @@ class PKISubsystem(object):
 
         pki.util.customize_file(input_file, output_file, params)
 
-    def find_audit_events(self, enabled=None):
+    def enable_audit_event(self, event_name):
+
+        if not event_name:
+            raise ValueError("Please specify the Event name")
+
+        names = self.get_audit_events()
+        if event_name not in names:
+            raise PKIServerException('Invalid audit event: %s' % event_name)
+
+        value = self.config['log.instance.SignedAudit.events']
+        events = set(value.replace(' ', '').split(','))
+
+        if event_name in events:
+            return False
+
+        events.add(event_name)
+        event_list = ','.join(sorted(events))
+        self.config['log.instance.SignedAudit.events'] = event_list
+
+        return True
+
+    def update_audit_event_filter(self, event_name, event_filter):
+
+        if not event_name:
+            raise ValueError("Please specify the Event name")
+
+        names = self.get_audit_events()
+        if event_name not in names:
+            raise PKIServerException('Invalid audit event: %s' % event_name)
+
+        name = 'log.instance.SignedAudit.filters.%s' % event_name
+
+        if event_filter:
+            self.config[name] = event_filter
+        else:
+            self.config.pop(name, None)
+
+    def disable_audit_event(self, event_name):
+
+        if not event_name:
+            raise ValueError("Please specify the Event name")
+
+        names = self.get_audit_events()
+        if event_name not in names:
+            raise PKIServerException('Invalid audit event: %s' % event_name)
+
+        value = self.config['log.instance.SignedAudit.events']
+        events = set(value.replace(' ', '').split(','))
+
+        if event_name not in events:
+            return False
+
+        events.remove(event_name)
+        event_list = ','.join(sorted(events))
+        self.config['log.instance.SignedAudit.events'] = event_list
+
+        return True
+
+    def find_audit_event_configs(self, enabled=None):
 
         events = []
 
@@ -458,6 +516,22 @@ class PKISubsystem(object):
 
         return events
 
+    def get_audit_event_config(self, name):
+
+        names = self.get_audit_events()
+
+        if name not in names:
+            raise PKIServerException('Invalid audit event: %s' % name)
+
+        enabled_event_names = self.get_enabled_audit_events()
+
+        event = {}
+        event['name'] = name
+        event['enabled'] = name in enabled_event_names
+        event['filter'] = self.config.get('log.instance.SignedAudit.filters.%s' % name)
+
+        return event
+
     def get_audit_events(self):
 
         # get the full list of audit events from LogMessages.properties
@@ -518,12 +592,7 @@ class PKISubsystem(object):
 
         # parse enabled audit events
         value = self.config['log.instance.SignedAudit.events']
-        event_list = value.replace(' ', '').split(',')
-
-        # remove duplicates
-        events = set()
-        for event in event_list:
-            events.add(event)
+        events = set(value.replace(' ', '').split(','))
 
         return sorted(events)
 
diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py
index bbbdd10..44fd86a 100644
--- a/base/server/python/pki/server/cli/audit.py
+++ b/base/server/python/pki/server/cli/audit.py
@@ -20,6 +20,7 @@
 
 from __future__ import absolute_import
 from __future__ import print_function
+
 import getopt
 import os
 import shutil
@@ -37,10 +38,271 @@ class AuditCLI(pki.cli.CLI):
             'audit', 'Audit management commands')
 
         self.parent = parent
+        self.add_module(AuditConfigShowCLI(self))
+        self.add_module(AuditConfigModifyCLI(self))
         self.add_module(AuditEventFindCLI(self))
+        self.add_module(AuditEventShowCLI(self))
+        self.add_module(AuditEventEnableCLI(self))
+        self.add_module(AuditEventDisableCLI(self))
+        self.add_module(AuditEventUpdateCLI(self))
         self.add_module(AuditFileFindCLI(self))
         self.add_module(AuditFileVerifyCLI(self))
 
+    @staticmethod
+    def print_audit_config(subsystem):
+
+        name = 'log.instance.SignedAudit.%s'
+
+        enabled = subsystem.config[name % 'enable'].lower() == 'true'
+
+        fileName = subsystem.config[name % 'fileName']
+        bufferSize = subsystem.config[name % 'bufferSize']
+        flushInterval = subsystem.config[name % 'flushInterval']
+
+        maxFileSize = subsystem.config[name % 'maxFileSize']
+        rolloverInterval = subsystem.config[name % 'rolloverInterval']
+        expirationTime = subsystem.config[name % 'expirationTime']
+
+        logSigning = subsystem.config[name % 'logSigning'].lower() == 'true'
+        signedAuditCertNickname = subsystem.config[name % 'signedAuditCertNickname']
+
+        print('  Enabled: %s' % enabled)
+
+        print('  Log File: %s' % fileName)
+        print('  Buffer Size (bytes): %s' % bufferSize)
+        print('  Flush Interval (seconds): %s' % flushInterval)
+
+        print('  Max File Size (bytes): %s' % maxFileSize)
+        print('  Rollover Interval (seconds): %s' % rolloverInterval)
+        print('  Expiration Time (seconds): %s' % expirationTime)
+
+        print('  Log Signing: %s' % logSigning)
+        print('  Signing Certificate: %s' % signedAuditCertNickname)
+
+    @staticmethod
+    def print_audit_event_config(event):
+        print('  Event Name: %s' % event.get('name'))
+        print('  Enabled: %s' % event.get('enabled'))
+        print('  Filter: %s' % event.get('filter'))
+
+
+class AuditConfigShowCLI(pki.cli.CLI):
+
+    def __init__(self, parent):
+        super(AuditConfigShowCLI, self).__init__(
+            'config-show', 'Display audit configuration')
+        self.parent = parent
+
+    def print_help(self):
+        print('Usage: pki-server %s-audit-config-show [OPTIONS]' % self.parent.parent.name)
+        print()
+        print('  -i, --instance <instance ID>       Instance ID (default: pki-tomcat).')
+        print('      --help                         Show help message.')
+        print()
+
+    def execute(self, argv):
+        try:
+            opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+                'instance=',
+                'verbose', 'help'])
+
+        except getopt.GetoptError as e:
+            print('ERROR: ' + str(e))
+            self.print_help()
+            sys.exit(1)
+
+        instance_name = 'pki-tomcat'
+
+        for o, a in opts:
+            if o in ('-i', '--instance'):
+                instance_name = a
+
+            elif o == '--help':
+                self.print_help()
+                sys.exit()
+
+            else:
+                print('ERROR: unknown option ' + o)
+                self.print_help()
+                sys.exit(1)
+
+        instance = pki.server.PKIInstance(instance_name)
+        if not instance.is_valid():
+            print('ERROR: Invalid instance %s.' % instance_name)
+            sys.exit(1)
+
+        instance.load()
+
+        subsystem_name = self.parent.parent.name
+        subsystem = instance.get_subsystem(subsystem_name)
+
+        if not subsystem:
+            print('ERROR: No %s subsystem in instance %s.'
+                  % (subsystem_name.upper(), instance_name))
+            sys.exit(1)
+
+        AuditCLI.print_audit_config(subsystem)
+
+
+class AuditConfigModifyCLI(pki.cli.CLI):
+
+    def __init__(self, parent):
+        super(AuditConfigModifyCLI, self).__init__(
+            'config-mod', 'Modify audit configuration')
+        self.parent = parent
+
+    def print_help(self):
+        print('Usage: pki-server %s-audit-config-mod [OPTIONS]' % self.parent.parent.name)
+        print()
+        print('  -i, --instance <instance ID>       Instance ID (default: pki-tomcat).')
+        print('      --enabled <True|False>         Enable/disable audit logging.')
+        print('      --logFile <path>               Set log file.')
+        print('      --bufferSize <size>            Set buffer size (bytes).')
+        print('      --flushInterval <interval>     Set flush interval (seconds).')
+        print('      --maxFileSize <size>           Set maximum file size (bytes).')
+        print('      --rolloverInterval <interval>  Set rollover interval (seconds).')
+        print('      --expirationTime <time>        Set expiration time (seconds).')
+        print('      --logSigning <True|False>      Enable/disable log signing.')
+        print('      --signingCert <nickname>       Set signing certificate.')
+        print('      --help                         Show help message.')
+        print()
+
+    def execute(self, argv):
+        try:
+            opts, _ = getopt.gnu_getopt(argv, 'i:v', [
+                'instance=',
+                'enabled=',
+                'logFile=', 'bufferSize=', 'flushInterval=',
+                'maxFileSize=', 'rolloverInterval=', 'expirationTime=',
+                'logSigning=', 'signingCert=',
+                'verbose', 'help'])
+
+        except getopt.GetoptError as e:
+            print('ERROR: ' + str(e))
+            self.print_help()
+            sys.exit(1)
+
+        instance_name = 'pki-tomcat'
+        enabled = None
+        logFile = None
+        bufferSize = None
+        flushInterval = None
+        maxFileSize = None
+        rolloverInterval = None
+        expirationTime = None
+        logSigning = None
+        signingCert = None
+
+        for o, a in opts:
+            if o in ('-i', '--instance'):
+                instance_name = a
+
+            elif o == '--enabled':
+                if a.lower().title() not in ['True', 'False']:
+                    raise ValueError("Invalid input: Enabled must be True or False")
+                enabled = a.lower() == 'true'
+
+            elif o == '--logFile':
+                logFile = a
+
+            elif o == '--bufferSize':
+                if not a.isdigit():
+                    raise ValueError("Invalid input: Buffer size must be a number")
+                bufferSize = a
+
+            elif o == '--flushInterval':
+                if not a.isdigit():
+                    raise ValueError("Invalid input: Flush interval must be a number")
+                flushInterval = a
+
+            elif o == '--maxFileSize':
+                if not a.isdigit():
+                    raise ValueError("Invalid input: Max file size must be a number")
+                maxFileSize = a
+
+            elif o == '--rolloverInterval':
+                if not a.isdigit():
+                    raise ValueError("Invalid input: Rollover interval must be a number")
+                rolloverInterval = a
+
+            elif o == '--expirationTime':
+                if not a.isdigit():
+                    raise ValueError("Invalid input: Expiration time must be a number")
+                expirationTime = a
+
+            elif o == '--logSigning':
+                if a.lower().title() not in ['True', 'False']:
+                    raise ValueError("Invalid input: Log signing must be True or False")
+                logSigning = a.lower() == 'true'
+
+            elif o == '--signingCert':
+                signingCert = a
+
+            elif o == '--help':
+                self.print_help()
+                sys.exit()
+
+            else:
+                print('ERROR: unknown option ' + o)
+                self.print_help()
+                sys.exit(1)
+
+        instance = pki.server.PKIInstance(instance_name)
+        if not instance.is_valid():
+            print('ERROR: Invalid instance %s.' % instance_name)
+            sys.exit(1)
+
+        instance.load()
+
+        subsystem_name = self.parent.parent.name
+        subsystem = instance.get_subsystem(subsystem_name)
+
+        if not subsystem:
+            print('ERROR: No %s subsystem in instance %s.'
+                  % (subsystem_name.upper(), instance_name))
+            sys.exit(1)
+
+        name = 'log.instance.SignedAudit.%s'
+
+        if enabled is None:
+            pass
+        elif enabled:
+            subsystem.config[name % 'enable'] = 'true'
+        else:
+            subsystem.config[name % 'enable'] = 'false'
+
+        if logFile:
+            subsystem.config[name % 'fileName'] = logFile
+
+        if bufferSize:
+            subsystem.config[name % 'bufferSize'] = bufferSize
+
+        if flushInterval:
+            subsystem.config[name % 'flushInterval'] = flushInterval
+
+        if maxFileSize:
+            subsystem.config[name % 'maxFileSize'] = maxFileSize
+
+        if rolloverInterval:
+            subsystem.config[name % 'rolloverInterval'] = rolloverInterval
+
+        if expirationTime:
+            subsystem.config[name % 'expirationTime'] = expirationTime
+
+        if logSigning is None:
+            pass
+        elif logSigning:
+            subsystem.config[name % 'logSigning'] = 'true'
+        else:
+            subsystem.config[name % 'logSigning'] = 'false'
+
+        if signingCert:
+            subsystem.config[name % 'signedAuditCertNickname'] = signingCert
+
+        subsystem.save()
+
+        AuditCLI.print_audit_config(subsystem)
+
 
 class AuditEventFindCLI(pki.cli.CLI):
 
@@ -108,7 +370,7 @@ class AuditEventFindCLI(pki.cli.CLI):
                   % (subsystem_name.upper(), instance_name))
             sys.exit(1)
 
-        events = subsystem.find_audit_events(enabled)
+        events = subsystem.find_audit_event_configs(enabled)
 
         self.print_message('%s entries matched' % len(events))
 
@@ -124,6 +386,329 @@ class AuditEventFindCLI(pki.cli.CLI):
             print('  Filter: %s' % event.get('filter'))
 
 
+class AuditEventShowCLI(pki.cli.CLI):
+
+    def __init__(self, parent):
+        super(AuditEventShowCLI, self).__init__(
+            'event-show', 'Show audit event configuration')
+
+        self.parent = parent
+
+    def print_help(self):
+        print('Usage: pki-server %s-audit-event-show [OPTIONS] <event name>'
+              % self.parent.parent.name)
+        print()
+        print('  -i, --instance <instance ID>       Instance ID (default: pki-tomcat).')
+        print('  -v, --verbose                      Run in verbose mode.')
+        print('      --help                         Show help message.')
+        print()
+
+    def execute(self, argv):
+
+        try:
+            opts, args = getopt.gnu_getopt(argv, 'i:v', [
+                'instance=',
+                'verbose', 'help'])
+
+        except getopt.GetoptError as e:
+            print('ERROR: ' + str(e))
+            self.print_help()
+            sys.exit(1)
+
+        instance_name = 'pki-tomcat'
+
+        for o, a in opts:
+            if o in ('-i', '--instance'):
+                instance_name = a
+
+            elif o in ('-v', '--verbose'):
+                self.set_verbose(True)
+
+            elif o == '--help':
+                self.print_help()
+                sys.exit()
+
+            else:
+                print('ERROR: unknown option ' + o)
+                self.print_help()
+                sys.exit(1)
+
+        if len(args) == 0:
+            raise getopt.GetoptError("Missing event name.")
+
+        if len(args) > 1:
+            raise getopt.GetoptError("Too many arguments specified.")
+
+        event_name = args[0]
+
+        instance = pki.server.PKIInstance(instance_name)
+        if not instance.is_valid():
+            print('ERROR: Invalid instance %s.' % instance_name)
+            sys.exit(1)
+
+        instance.load()
+
+        subsystem_name = self.parent.parent.name
+        subsystem = instance.get_subsystem(subsystem_name)
+
+        if not subsystem:
+            print('ERROR: No %s subsystem in instance %s.'
+                  % (subsystem_name.upper(), instance_name))
+            sys.exit(1)
+
+        event = subsystem.get_audit_event_config(event_name)
+        AuditCLI.print_audit_event_config(event)
+
+
+class AuditEventEnableCLI(pki.cli.CLI):
+
+    def __init__(self, parent):
+        super(AuditEventEnableCLI, self).__init__(
+            'event-enable', 'Enable audit event configurations')
+
+        self.parent = parent
+
+    def print_help(self):
+        print('Usage: pki-server %s-audit-event-enable <event_name> [OPTIONS]'
+              % self.parent.parent.name)
+        print()
+        print('  -i, --instance <instance ID>       Instance ID (default: pki-tomcat).')
+        print('  -v, --verbose                      Run in verbose mode.')
+        print('      --help                         Show help message.')
+        print()
+
+    def execute(self, argv):
+
+        try:
+            opts, args = getopt.gnu_getopt(argv, 'i:v', [
+                'instance=', 'verbose', 'help'])
+
+        except getopt.GetoptError as e:
+            print('ERROR: ' + str(e))
+            self.print_help()
+            sys.exit(1)
+
+        instance_name = 'pki-tomcat'
+
+        for o, a in opts:
+            if o in ('-i', '--instance'):
+                instance_name = a
+
+            elif o in ('-v', '--verbose'):
+                self.set_verbose(True)
+
+            elif o == '--help':
+                self.print_help()
+                sys.exit()
+
+            else:
+                print('ERROR: unknown option ' + o)
+                self.print_help()
+                sys.exit(1)
+
+        if len(args) == 0:
+            raise getopt.GetoptError("Missing event name.")
+        if len(args) > 1:
+            raise getopt.GetoptError("Too many arguments specified.")
+        event_name = args[0]
+
+        instance = pki.server.PKIInstance(instance_name)
+        if not instance.is_valid():
+            print('ERROR: Invalid instance %s.' % instance_name)
+            sys.exit(1)
+
+        instance.load()
+
+        subsystem_name = self.parent.parent.name
+        subsystem = instance.get_subsystem(subsystem_name)
+        if not subsystem:
+            print('ERROR: No %s subsystem in instance %s.'
+                  % (subsystem_name.upper(), instance_name))
+            sys.exit(1)
+
+        enabled = subsystem.enable_audit_event(event_name)
+        subsystem.save()
+
+        msg = None
+        if enabled:
+            msg = 'Event "{}" enabled successfully. You may need to ' \
+                  'restart the instance.'.format(event_name)
+        else:
+            msg = 'Event "{}" may be already enabled.'.format(event_name)
+
+        print(len(msg) * '-')
+        print(msg)
+        print(len(msg) * '-')
+
+        event = subsystem.get_audit_event_config(event_name)
+        AuditCLI.print_audit_event_config(event)
+
+
+class AuditEventUpdateCLI(pki.cli.CLI):
+
+    def __init__(self, parent):
+        super(AuditEventUpdateCLI, self).__init__(
+            'event-update', 'Update audit event configurations')
+
+        self.parent = parent
+
+    def print_help(self):
+        print('Usage: pki-server %s-audit-event-update <event_name> '
+              '[OPTIONS]' % self.parent.parent.name)
+        print()
+        print('  -i, --instance <instance ID>       Instance ID (default: pki-tomcat).')
+        print('  -f, --filter <event filter>        Event Filter (Ex: (Outcome=Failure)).')
+        print('  -v, --verbose                      Run in verbose mode.')
+        print('      --help                         Show help message.')
+        print()
+
+    def execute(self, argv):
+
+        try:
+            opts, args = getopt.gnu_getopt(argv, 'i:f:v',
+                                           ['instance=', 'filter=', 'verbose',
+                                            'help'])
+
+        except getopt.GetoptError as e:
+            print('ERROR: ' + str(e))
+            self.print_help()
+            sys.exit(1)
+
+        instance_name = 'pki-tomcat'
+        event_filter = None
+
+        for o, a in opts:
+            if o in ('-i', '--instance'):
+                instance_name = a
+
+            elif o in ('-f', '--filter'):
+                event_filter = a
+
+            elif o in ('-v', '--verbose'):
+                self.set_verbose(True)
+
+            elif o == '--help':
+                self.print_help()
+                sys.exit()
+
+            else:
+                print('ERROR: unknown option ' + o)
+                self.print_help()
+                sys.exit(1)
+
+        if len(args) == 0:
+            raise getopt.GetoptError("Missing event name.")
+        if len(args) > 1:
+            raise getopt.GetoptError("Too many arguments specified.")
+
+        event_name = args[0]
+
+        instance = pki.server.PKIInstance(instance_name)
+        if not instance.is_valid():
+            print('ERROR: Invalid instance %s.' % instance_name)
+            sys.exit(1)
+
+        instance.load()
+
+        subsystem_name = self.parent.parent.name
+        subsystem = instance.get_subsystem(subsystem_name)
+        if not subsystem:
+            print('ERROR: No %s subsystem in instance %s.'
+                  % (subsystem_name.upper(), instance_name))
+            sys.exit(1)
+
+        subsystem.update_audit_event_filter(event_name, event_filter)
+        subsystem.save()
+
+        event = subsystem.get_audit_event_config(event_name)
+        AuditCLI.print_audit_event_config(event)
+
+
+class AuditEventDisableCLI(pki.cli.CLI):
+
+    def __init__(self, parent):
+        super(AuditEventDisableCLI, self).__init__(
+            'event-disable', 'Disable audit event configurations')
+
+        self.parent = parent
+
+    def print_help(self):
+        print('Usage: pki-server %s-audit-event-disable <event_name> [OPTIONS]'
+              % self.parent.parent.name)
+        print()
+        print('  -i, --instance <instance ID>       Instance ID (default: pki-tomcat).')
+        print('  -v, --verbose                      Run in verbose mode.')
+        print('      --help                         Show help message.')
+        print()
+
+    def execute(self, argv):
+
+        try:
+            opts, args = getopt.gnu_getopt(argv, 'i:v', [
+                'instance=', 'verbose', 'help'])
+
+        except getopt.GetoptError as e:
+            print('ERROR: ' + str(e))
+            self.print_help()
+            sys.exit(1)
+
+        instance_name = 'pki-tomcat'
+
+        for o, a in opts:
+            if o in ('-i', '--instance'):
+                instance_name = a
+
+            elif o in ('-v', '--verbose'):
+                self.set_verbose(True)
+
+            elif o == '--help':
+                self.print_help()
+                sys.exit()
+
+            else:
+                print('ERROR: unknown option ' + o)
+                self.print_help()
+                sys.exit(1)
+
+        if len(args) == 0:
+            raise getopt.GetoptError("Missing event name.")
+        if len(args) > 1:
+            raise getopt.GetoptError("Too many arguments specified.")
+
+        event_name = args[0]
+
+        instance = pki.server.PKIInstance(instance_name)
+        if not instance.is_valid():
+            print('ERROR: Invalid instance %s.' % instance_name)
+            sys.exit(1)
+
+        instance.load()
+
+        subsystem_name = self.parent.parent.name
+        subsystem = instance.get_subsystem(subsystem_name)
+        if not subsystem:
+            print('ERROR: No %s subsystem in instance %s.'
+                  % (subsystem_name.upper(), instance_name))
+            sys.exit(1)
+
+        disable = subsystem.disable_audit_event(event_name)
+        subsystem.save()
+
+        msg = None
+        if disable:
+            msg = 'Audit event "{}" disabled. You may need to restart the ' \
+                  'instance.'.format(event_name)
+        else:
+            msg = 'Audit event "{}" already disabled.'.format(event_name)
+
+        print(len(msg) * '-')
+        print(msg)
+        print(len(msg) * '-')
+
+        event = subsystem.get_audit_event_config(event_name)
+        AuditCLI.print_audit_event_config(event)
+
+
 class AuditFileFindCLI(pki.cli.CLI):
 
     def __init__(self, parent):
-- 
1.8.3.1


From 1998eb79515b3c1aaf7fc1140bf0b116be521fd5 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 16 Nov 2018 00:36:35 +0100
Subject: [PATCH 06/26] Merged TOKEN_AUTH events

TOKEN_AUTH_FAILURE and TOKEN_AUTH_SUCCESS events have been
merged into a single TOKEN_AUTH event with different outcomes.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 1ee41e4650c97cb1d14cadba1b43c6fe0f67dcc4)
---
 .../com/netscape/certsrv/logging/AuditEvent.java   |  5 +-
 .../certsrv/logging/event/TokenAuthEvent.java      | 86 ++++++++++++++++++++++
 base/server/cmsbundle/src/LogMessages.properties   |  4 +-
 .../server/tps/processor/TPSEnrollProcessor.java   | 22 +++---
 .../server/tps/processor/TPSProcessor.java         | 51 ++++++++-----
 5 files changed, 134 insertions(+), 34 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/logging/event/TokenAuthEvent.java

diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index db58f34..15cde46 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -139,10 +139,7 @@ public class AuditEvent extends LogEvent {
             "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9";
     public final static String TOKEN_KEY_CHANGEOVER_REQUIRED =
             "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10";
-    public final static String TOKEN_AUTH_FAILURE =
-            "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9";
-    public final static String TOKEN_AUTH_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9";
+
     public final static String CONFIG_TOKEN_GENERAL =
             "LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5";
     public final static String CONFIG_TOKEN_PROFILE =
diff --git a/base/common/src/com/netscape/certsrv/logging/event/TokenAuthEvent.java b/base/common/src/com/netscape/certsrv/logging/event/TokenAuthEvent.java
new file mode 100644
index 0000000..f1c5a74
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/TokenAuthEvent.java
@@ -0,0 +1,86 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2018 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.SignedAuditEvent;
+
+public class TokenAuthEvent extends SignedAuditEvent {
+
+    private static final long serialVersionUID = 1L;
+
+    public final static String SUCCESS =
+            "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS";
+
+    public final static String FAILURE =
+            "LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE";
+
+    public TokenAuthEvent(String messageID) {
+        super(messageID);
+    }
+
+    public static TokenAuthEvent success(
+            String ip,
+            String subjectID,
+            String cuid,
+            String msn,
+            String op,
+            String tokenType,
+            String appletVersion,
+            String authManagerID) {
+
+        TokenAuthEvent event = new TokenAuthEvent(SUCCESS);
+
+        event.setAttribute("IP", ip);
+        event.setAttribute("SubjectID", subjectID);
+        event.setAttribute("CUID", cuid);
+        event.setAttribute("MSN", msn);
+        event.setAttribute("Outcome", ILogger.SUCCESS);
+        event.setAttribute("OP", op);
+        event.setAttribute("tokenType", tokenType);
+        event.setAttribute("AppletVersion", appletVersion);
+        event.setAttribute("AuthMgr", authManagerID);
+
+        return event;
+    }
+
+    public static TokenAuthEvent failure(
+            String ip,
+            String subjectID,
+            String cuid,
+            String msn,
+            String op,
+            String tokenType,
+            String appletVersion,
+            String authManagerID) {
+
+        TokenAuthEvent event = new TokenAuthEvent(FAILURE);
+
+        event.setAttribute("IP", ip);
+        event.setAttribute("SubjectID", subjectID);
+        event.setAttribute("CUID", cuid);
+        event.setAttribute("MSN", msn);
+        event.setAttribute("Outcome", ILogger.FAILURE);
+        event.setAttribute("OP", op);
+        event.setAttribute("tokenType", tokenType);
+        event.setAttribute("AppletVersion", appletVersion);
+        event.setAttribute("AuthMgr", authManagerID);
+
+        return event;
+    }
+}
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index a8a8deb..f436973 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2657,7 +2657,7 @@ LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=<type=TOKEN_KEY_CHANGEOVER>:[A
 # AuthMgr must be the authentication manager instance name that did
 #   this authentication
 #
-LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9=<type=TOKEN_AUTH_FAILURE>:[AuditEvent=TOKEN_AUTH_FAILURE][IP={0}][AttemptedID={1}][CUID={2}][MSN={3}][Outcome={4}][OP={5}][tokenType={6}][AppletVersion={7}][AuthMgr={8}] token authentication failure
+LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH]{0} token authentication failure
 #
 # LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS
 # - used when authentication succeeded
@@ -2665,7 +2665,7 @@ LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE_9=<type=TOKEN_AUTH_FAILURE>:[AuditEvent=
 # AuthMgr must be the authentication manager instance name that did
 #   this authentication
 #
-LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS_9=<type=TOKEN_AUTH_SUCCESS>:[AuditEvent=TOKEN_AUTH_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][OP={5}][tokenType={6}][AppletVersion={7}][AuthMgr={8}] token authentication success
+LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH]{0} token authentication success
 #
 # LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL
 # - used when doing general TPS configuration
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
index 98ed9e2..c451468 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSEnrollProcessor.java
@@ -15,12 +15,6 @@ import java.util.LinkedHashMap;
 import java.util.Map;
 import java.util.zip.DataFormatException;
 
-import netscape.security.provider.RSAPublicKey;
-//import org.mozilla.jss.pkcs11.PK11ECPublicKey;
-import netscape.security.util.BigInt;
-import netscape.security.x509.RevocationReason;
-import netscape.security.x509.X509CertImpl;
-
 import org.dogtagpki.server.tps.TPSSession;
 import org.dogtagpki.server.tps.TPSSubsystem;
 import org.dogtagpki.server.tps.TPSTokenPolicy;
@@ -59,8 +53,6 @@ import org.mozilla.jss.pkcs11.PK11PubKey;
 import org.mozilla.jss.pkcs11.PK11RSAPublicKey;
 import org.mozilla.jss.pkix.primitive.SubjectPublicKeyInfo;
 
-import sun.security.pkcs11.wrapper.PKCS11Constants;
-
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
 import com.netscape.certsrv.base.EPropertyNotFound;
@@ -70,6 +62,12 @@ import com.netscape.certsrv.tps.token.TokenStatus;
 import com.netscape.cmscore.security.JssSubsystem;
 import com.netscape.cmsutil.util.Utils;
 
+import netscape.security.provider.RSAPublicKey;
+import netscape.security.util.BigInt;
+import netscape.security.x509.RevocationReason;
+import netscape.security.x509.X509CertImpl;
+import sun.security.pkcs11.wrapper.PKCS11Constants;
+
 public class TPSEnrollProcessor extends TPSProcessor {
 
     public TPSEnrollProcessor(TPSSession session) {
@@ -172,11 +170,13 @@ public class TPSEnrollProcessor extends TPSProcessor {
                 CMS.debug("In TPSEnrollProcessor.enroll: isExternalReg: calling requestUserId");
                 userAuth = getAuthentication(authId);
                 processAuthentication(TPSEngine.ENROLL_OP, userAuth, cuid, tokenRecord);
-                auditAuth(userid, currentTokenOperation, appletInfo, "success", authId);
+                auditAuthSuccess(userid, currentTokenOperation, appletInfo, authId);
+
             } catch (Exception e) {
-                auditAuth(userid, currentTokenOperation, appletInfo, "failure",
-                        (userAuth != null) ? userAuth.getID() : null);
                 // all exceptions are considered login failure
+                auditAuthFailure(userid, currentTokenOperation, appletInfo,
+                        (userAuth != null) ? userAuth.getID() : null);
+
                 CMS.debug(method + ": authentication exception thrown: " + e);
                 logMsg = "ExternalReg authentication failed, status = STATUS_ERROR_LOGIN";
 
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index 811c9a7..83a45db 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -96,6 +96,7 @@ import com.netscape.certsrv.common.Constants;
 import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.LogEvent;
 import com.netscape.certsrv.logging.event.TokenAppletUpgradeEvent;
+import com.netscape.certsrv.logging.event.TokenAuthEvent;
 import com.netscape.certsrv.logging.event.TokenKeyChangeoverEvent;
 import com.netscape.certsrv.tps.token.TokenStatus;
 import com.netscape.cms.logging.Logger;
@@ -2089,11 +2090,13 @@ public class TPSProcessor {
                     userAuth = getAuthentication(authId);
 
                     processAuthentication(TPSEngine.FORMAT_OP, userAuth, cuid, tokenRecord);
-                    auditAuth(userid, currentTokenOperation, appletInfo, "success", authId);
+                    auditAuthSuccess(userid, currentTokenOperation, appletInfo, authId);
+
                 } catch (Exception e) {
-                    auditAuth(userid, currentTokenOperation, appletInfo, "failure",
-                            (userAuth != null) ? userAuth.getID() : null);
                     // all exceptions are considered login failure
+                    auditAuthFailure(userid, currentTokenOperation, appletInfo,
+                            (userAuth != null) ? userAuth.getID() : null);
+
                     CMS.debug("TPSProcessor.format:: authentication exception thrown: " + e);
                     logMsg = "authentication failed, status = STATUS_ERROR_LOGIN";
 
@@ -2216,12 +2219,14 @@ public class TPSProcessor {
                 try {
                     userAuth = getAuthentication(TPSEngine.OP_FORMAT_PREFIX, tokenType);
                     processAuthentication(TPSEngine.FORMAT_OP, userAuth, cuid, tokenRecord);
-                    auditAuth(userid, currentTokenOperation, appletInfo, "success",
+                    auditAuthSuccess(userid, currentTokenOperation, appletInfo,
                             (userAuth != null) ? userAuth.getID() : null);
+
                 } catch (Exception e) {
-                    auditAuth(userid, currentTokenOperation, appletInfo, "failure",
-                            (userAuth != null) ? userAuth.getID() : null);
                     // all exceptions are considered login failure
+                    auditAuthFailure(userid, currentTokenOperation, appletInfo,
+                            (userAuth != null) ? userAuth.getID() : null);
+
                     CMS.debug("TPSProcessor.format:: authentication exception thrown: " + e);
                     logMsg = "authentication failed, status = STATUS_ERROR_LOGIN";
 
@@ -3662,13 +3667,14 @@ public class TPSProcessor {
                 try {
                     userAuth = getAuthentication(opPrefix, tokenType);
                     processAuthentication(TPSEngine.ENROLL_OP, userAuth, appletInfo.getCUIDhexString(), tokenRecord);
-                    auditAuth(userid, currentTokenOperation, appletInfo, "success",
+                    auditAuthSuccess(userid, currentTokenOperation, appletInfo,
                             (userAuth != null) ? userAuth.getID() : null);
 
                 } catch (Exception e) {
                     // all exceptions are considered login failure
-                    auditAuth(userid, currentTokenOperation, appletInfo, "failure",
+                    auditAuthFailure(userid, currentTokenOperation, appletInfo,
                             (userAuth != null) ? userAuth.getID() : null);
+
                     CMS.debug("TPSProcessor.checkAndAuthenticateUser:: authentication exception thrown: " + e);
                     String msg = "TPS error user authentication failed:" + e;
                     tps.tdb.tdbActivity(ActivityDatabase.OP_ENROLLMENT, tokenRecord, session.getIpAddress(), msg,
@@ -4089,27 +4095,38 @@ public class TPSProcessor {
     }
     */
 
-    protected void auditAuth(String subjectID, String op,
+    protected void auditAuthSuccess(String subjectID, String op,
             AppletInfo aInfo,
-            String status,
             String authMgrId) {
 
-        String auditType = AuditEvent.TOKEN_AUTH_FAILURE;
-        if (status.equals("success"))
-            auditType = AuditEvent.TOKEN_AUTH_SUCCESS;
+        TokenAuthEvent event = TokenAuthEvent.success(
+                session.getIpAddress(),
+                subjectID,
+                (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+                (aInfo != null) ? aInfo.getMSNString() : null,
+                op,
+                getSelectedTokenType(),
+                (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+                authMgrId);
+
+        signedAuditLogger.log(event);
+    }
 
-        String auditMessage = CMS.getLogMessage(
-                auditType,
+    protected void auditAuthFailure(String subjectID, String op,
+            AppletInfo aInfo,
+            String authMgrId) {
+
+        TokenAuthEvent event = TokenAuthEvent.failure(
                 session.getIpAddress(),
                 subjectID,
                 (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
                 (aInfo != null) ? aInfo.getMSNString() : null,
-                status,
                 op,
                 getSelectedTokenType(),
                 (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
                 authMgrId);
-        audit(auditMessage);
+
+        signedAuditLogger.log(event);
     }
 
     /*
-- 
1.8.3.1


From 4f7c458e33da2669725d0e8322167cd806124ff5 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 16 Nov 2018 03:41:26 +0100
Subject: [PATCH 07/26] Merged ENCRYPT_DATA_REQUEST_PROCESSED events

ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE and
ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS have been merged
into a single ENCRYPT_DATA_REQUEST_PROCESSED event with
different outcomes.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 46ffa881907ca3093fd5b39c9d7d2bde5a4117d3)
---
 .../com/netscape/certsrv/logging/AuditEvent.java   |   4 -
 .../event/EncryptDataRequestProcessedEvent.java    | 100 +++++++++++++++++++++
 base/server/cmsbundle/src/LogMessages.properties   |   4 +-
 .../dogtagpki/server/tks/servlet/TokenServlet.java |  22 ++---
 4 files changed, 114 insertions(+), 16 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/logging/event/EncryptDataRequestProcessedEvent.java

diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index 15cde46..33b995d 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -107,10 +107,6 @@ public class AuditEvent extends LogEvent {
             "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_13"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
     public final static String ENCRYPT_DATA_REQUEST =
             "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
-    public final static String ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_12";
-    public final static String ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE =
-            "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_13";
 
     public final static String SECURITY_DOMAIN_UPDATE =
             "LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1";
diff --git a/base/common/src/com/netscape/certsrv/logging/event/EncryptDataRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/EncryptDataRequestProcessedEvent.java
new file mode 100644
index 0000000..f13335e
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/EncryptDataRequestProcessedEvent.java
@@ -0,0 +1,100 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2018 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.SignedAuditEvent;
+
+public class EncryptDataRequestProcessedEvent extends SignedAuditEvent {
+
+    private static final long serialVersionUID = 1L;
+
+    public final static String SUCCESS =
+            "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS";
+
+    public final static String FAILURE =
+            "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE";
+
+    public EncryptDataRequestProcessedEvent(String messageID) {
+        super(messageID);
+    }
+
+    public static EncryptDataRequestProcessedEvent success(
+            String CUID_decoded,
+            String KDD_decoded,
+            String status,
+            String agentID,
+            String isRandom,
+            String selectedToken,
+            String keyNickName,
+            String keySet,
+            String keyVersion,
+            String nistSP800_108KdfOnKeyVersion,
+            String nistSP800_108KdfUseCuidAsKdd) {
+
+        EncryptDataRequestProcessedEvent event = new EncryptDataRequestProcessedEvent(SUCCESS);
+
+        event.setAttribute("CUID_decoded", CUID_decoded);
+        event.setAttribute("KDD_decoded", KDD_decoded);
+        event.setAttribute("Outcome", ILogger.SUCCESS);
+        event.setAttribute("status", status);
+        event.setAttribute("AgentID", agentID);
+        event.setAttribute("isRandom", isRandom);
+        event.setAttribute("SelectedToken", selectedToken);
+        event.setAttribute("KeyNickName", keyNickName);
+        event.setAttribute("TKSKeyset", keySet);
+        event.setAttribute("KeyInfo_KeyVersion", keyVersion);
+        event.setAttribute("NistSP800_108KdfOnKeyVersion", nistSP800_108KdfOnKeyVersion);
+        event.setAttribute("NistSP800_108KdfUseCuidAsKdd", nistSP800_108KdfUseCuidAsKdd);
+
+        return event;
+    }
+
+    public static EncryptDataRequestProcessedEvent failure(
+            String CUID_decoded,
+            String KDD_decoded,
+            String status,
+            String agentID,
+            String isRandom,
+            String selectedToken,
+            String keyNickName,
+            String keySet,
+            String keyVersion,
+            String nistSP800_108KdfOnKeyVersion,
+            String nistSP800_108KdfUseCuidAsKdd,
+            String error) {
+
+        EncryptDataRequestProcessedEvent event = new EncryptDataRequestProcessedEvent(FAILURE);
+
+        event.setAttribute("CUID_decoded", CUID_decoded);
+        event.setAttribute("KDD_decoded", KDD_decoded);
+        event.setAttribute("Outcome", ILogger.FAILURE);
+        event.setAttribute("status", status);
+        event.setAttribute("AgentID", agentID);
+        event.setAttribute("isRandom", isRandom);
+        event.setAttribute("SelectedToken", selectedToken);
+        event.setAttribute("KeyNickName", keyNickName);
+        event.setAttribute("TKSKeyset", keySet);
+        event.setAttribute("KeyInfo_KeyVersion", keyVersion);
+        event.setAttribute("NistSP800_108KdfOnKeyVersion", nistSP800_108KdfOnKeyVersion);
+        event.setAttribute("NistSP800_108KdfUseCuidAsKdd", nistSP800_108KdfUseCuidAsKdd);
+        event.setAttribute("Error", error);
+
+        return event;
+    }
+}
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index f436973..7d1c656 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2429,7 +2429,7 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5=<type=ENCRYPT_DATA_REQUEST>:[AuditEv
 # KeyInfo_KeyVersion is the key version number requested in hex.
 # NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
 # NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
-LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_12=<type=ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS][CUID_decoded={0}][KDD_decoded={1}][Outcome={2}][status={3}][AgentID={4}][isRandom={5}][SelectedToken={6}][KeyNickName={7}][TKSKeyset={8}][KeyInfo_KeyVersion={9}][NistSP800_108KdfOnKeyVersion={10}][NistSP800_108KdfUseCuidAsKdd={11}] TKS encrypt data request processed successfully
+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=<type=ENCRYPT_DATA_REQUEST_PROCESSED>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request processed successfully
 
 #
 # LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE
@@ -2452,7 +2452,7 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS_12=<type=ENCRYPT_DAT
 # KeyInfo_KeyVersion is the key version number requested in hex.
 # NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
 # NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
-LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE_13=<type=ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE][CUID_decoded={0}][KDD_decoded={1}][Outcome={2}][status={3}][AgentID={4}][isRandom={5}][SelectedToken={6}][KeyNickName={7}][TKSKeyset={8}][KeyInfo_KeyVersion={9}][NistSP800_108KdfOnKeyVersion={10}][NistSP800_108KdfUseCuidAsKdd={11}][Error={12}] TKS encrypt data request failed
+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE=<type=ENCRYPT_DATA_REQUEST_PROCESSED>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request failed
 #
 #
 # LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE
diff --git a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
index eb245cd..18c7926 100644
--- a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
+++ b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
@@ -49,6 +49,7 @@ import com.netscape.certsrv.base.IPrettyPrintFormat;
 import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.event.EncryptDataRequestProcessedEvent;
 import com.netscape.cms.logging.Logger;
 import com.netscape.cms.servlet.base.CMSServlet;
 import com.netscape.cms.servlet.common.CMSRequest;
@@ -2215,9 +2216,9 @@ public class TokenServlet extends CMSServlet {
             // AC: KDF SPEC CHANGE - Log both CUID and KDD
             //                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
             //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+            EncryptDataRequestProcessedEvent event = EncryptDataRequestProcessedEvent.success(
+                    log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
                     log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-                    ILogger.SUCCESS, // Outcome
                     status, // status
                     agentId, // AgentID
                     s_isRandom, // isRandom
@@ -2227,15 +2228,17 @@ public class TokenServlet extends CMSServlet {
                     log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
                     "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
-            };
-            auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS, logParams);
+            );
+
+            signedAuditLogger.log(event);
+
         } else {
             // AC: KDF SPEC CHANGE - Log both CUID and KDD
             //                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
             //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+            EncryptDataRequestProcessedEvent event = EncryptDataRequestProcessedEvent.failure(
+                    log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
                     log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-                    ILogger.FAILURE, // Outcome
                     status, // status
                     agentId, // AgentID
                     s_isRandom, // isRandom
@@ -2246,11 +2249,10 @@ public class TokenServlet extends CMSServlet {
                     "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
                     errorMsg // Error
-            };
-            auditMessage = CMS.getLogMessage(AuditEvent.ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE, logParams);
-        }
+            );
 
-        audit(auditMessage);
+            signedAuditLogger.log(event);
+        }
     }
 
     /*
-- 
1.8.3.1


From 77a8df6fdbfe10a724a58766d84b9179ba454ca1 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 16 Nov 2018 01:08:07 +0100
Subject: [PATCH 08/26] Merged TOKEN_FORMAT events

TOKEN_FORMAT_FAILURE and TOKEN_FORMAT_SUCCESS events have been
merged into a single TOKEN_FORMAT event with different outcomes.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 7b82ae6e0c3581136c22783daad91abb83a0bb1e)
---
 .../com/netscape/certsrv/logging/AuditEvent.java   |  4 --
 .../certsrv/logging/event/TokenFormatEvent.java    | 82 ++++++++++++++++++++++
 base/server/cmsbundle/src/LogMessages.properties   |  4 +-
 .../server/tps/processor/TPSProcessor.java         | 46 ++++++------
 4 files changed, 109 insertions(+), 27 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/logging/event/TokenFormatEvent.java

diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index 33b995d..f59ed8f 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -129,10 +129,6 @@ public class AuditEvent extends LogEvent {
             "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE_6";
     public final static String TOKEN_OP_REQUEST =
             "LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6";
-    public final static String TOKEN_FORMAT_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9";
-    public final static String TOKEN_FORMAT_FAILURE =
-            "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9";
     public final static String TOKEN_KEY_CHANGEOVER_REQUIRED =
             "LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10";
 
diff --git a/base/common/src/com/netscape/certsrv/logging/event/TokenFormatEvent.java b/base/common/src/com/netscape/certsrv/logging/event/TokenFormatEvent.java
new file mode 100644
index 0000000..400e37b5
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/TokenFormatEvent.java
@@ -0,0 +1,82 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2018 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.SignedAuditEvent;
+
+public class TokenFormatEvent extends SignedAuditEvent {
+
+    private static final long serialVersionUID = 1L;
+
+    public final static String SUCCESS =
+            "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS";
+
+    public final static String FAILURE =
+            "LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE";
+
+    public TokenFormatEvent(String messageID) {
+        super(messageID);
+    }
+
+    public static TokenFormatEvent success(
+            String ip,
+            String subjectID,
+            String cuid,
+            String msn,
+            String tokenType,
+            String appletVersion,
+            String keyVersion) {
+
+        TokenFormatEvent event = new TokenFormatEvent(SUCCESS);
+
+        event.setAttribute("IP", ip);
+        event.setAttribute("SubjectID", subjectID);
+        event.setAttribute("CUID", cuid);
+        event.setAttribute("MSN", msn);
+        event.setAttribute("Outcome", ILogger.SUCCESS);
+        event.setAttribute("tokenType", tokenType);
+        event.setAttribute("AppletVersion", appletVersion);
+        event.setAttribute("KeyVersion", keyVersion);
+
+        return event;
+    }
+
+    public static TokenFormatEvent failure(
+            String ip,
+            String subjectID,
+            String cuid,
+            String msn,
+            String tokenType,
+            String appletVersion,
+            String info) {
+
+        TokenFormatEvent event = new TokenFormatEvent(FAILURE);
+
+        event.setAttribute("IP", ip);
+        event.setAttribute("SubjectID", subjectID);
+        event.setAttribute("CUID", cuid);
+        event.setAttribute("MSN", msn);
+        event.setAttribute("Outcome", ILogger.FAILURE);
+        event.setAttribute("tokenType", tokenType);
+        event.setAttribute("AppletVersion", appletVersion);
+        event.setAttribute("Info", info);
+
+        return event;
+    }
+}
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index 7d1c656..5c8c9e4 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2619,11 +2619,11 @@ LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=<type=TOKEN_OP_REQUEST>:[AuditEvent=TOKE
 #
 # LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS
 # - used when token format op succeeded
-LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS_9=<type=TOKEN_FORMAT_SUCCESS>:[AuditEvent=TOKEN_FORMAT_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][KeyVersion={7}][Info={8}] token op format success
+LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS=<type=TOKEN_FORMAT>:[AuditEvent=TOKEN_FORMAT]{0} token op format success
 #
 # LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE
 # - used when token format op failed
-LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE_9=<type=TOKEN_FORMAT_FAILURE>:[AuditEvent=TOKEN_FORMAT_FAILURE][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][KeyVersion={7}][Info={8}] token op format failure
+LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE=<type=TOKEN_FORMAT>:[AuditEvent=TOKEN_FORMAT]{0} token op format failure
 #
 #
 # LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index 83a45db..b4f4d33 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -97,6 +97,7 @@ import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.LogEvent;
 import com.netscape.certsrv.logging.event.TokenAppletUpgradeEvent;
 import com.netscape.certsrv.logging.event.TokenAuthEvent;
+import com.netscape.certsrv.logging.event.TokenFormatEvent;
 import com.netscape.certsrv.logging.event.TokenKeyChangeoverEvent;
 import com.netscape.certsrv.tps.token.TokenStatus;
 import com.netscape.cms.logging.Logger;
@@ -2204,8 +2205,8 @@ public class TPSProcessor {
                 isAuthRequired = configStore.getBoolean(configName, true);
             } catch (EBaseException e) {
                 String info = " Internal Error obtaining mandatory config values. Error: " + e;
-                auditFormat(userid, appletInfo, "failure",
-                        null, info);
+                auditFormatFailure(userid, appletInfo, info);
+
                 CMS.debug("TPSProcessor.format: " + info);
                 logMsg = "TPS error: " + info;
                 tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), logMsg,
@@ -2252,8 +2253,7 @@ public class TPSProcessor {
                         " to " + newState;
                 CMS.debug("TPSProcessor.format: token transition: " + info);
                 logMsg = "Operation for CUID " + appletInfo.getCUIDhexStringPlain() + " Disabled. " + info;
-                auditFormat(userid, appletInfo, "failure",
-                        null, info);
+                auditFormatFailure(userid, appletInfo, info);
 
                 tps.tdb.tdbActivity(ActivityDatabase.OP_FORMAT, tokenRecord, session.getIpAddress(), logMsg,
                         "failure");
@@ -2327,7 +2327,7 @@ public class TPSProcessor {
         }
         channel.externalAuthenticate();
 
-        auditFormat(userid, appletInfo, "success", channel.getKeyInfoData().toHexStringPlain(), null);
+        auditFormatSuccess(userid, appletInfo, channel.getKeyInfoData().toHexStringPlain());
 
         if (isTokenPresent && revokeCertsAtFormat()) {
             // Revoke certificates on token, if so configured
@@ -4149,32 +4149,36 @@ public class TPSProcessor {
         audit(auditMessage);
     }
 
-    protected void auditFormat(String subjectID,
+    protected void auditFormatSuccess(String subjectID,
+            AppletInfo aInfo,
+            String keyVersion) {
+
+        TokenFormatEvent event = TokenFormatEvent.success(
+                session.getIpAddress(),
+                subjectID,
+                (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+                (aInfo != null) ? aInfo.getMSNString() : null,
+                getSelectedTokenType(),
+                (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+                keyVersion);
+
+        signedAuditLogger.log(event);
+    }
+
+    protected void auditFormatFailure(String subjectID,
             AppletInfo aInfo,
-            String status,
-            String keyVersion,
             String info) {
-        String auditType = "";
-        switch (status) {
-        case "success":
-            auditType = AuditEvent.TOKEN_FORMAT_SUCCESS;
-            break;
-        default:
-            auditType = AuditEvent.TOKEN_FORMAT_FAILURE;
-        }
 
-        String auditMessage = CMS.getLogMessage(
-                auditType,
+        TokenFormatEvent event = TokenFormatEvent.failure(
                 session.getIpAddress(),
                 subjectID,
                 (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
                 (aInfo != null) ? aInfo.getMSNString() : null,
-                status,
                 getSelectedTokenType(),
                 (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
-                keyVersion,
                 info);
-        audit(auditMessage);
+
+        signedAuditLogger.log(event);
     }
 
     protected void auditAppletUpgrade(AppletInfo aInfo,
-- 
1.8.3.1


From 8e0576c281fbad2c86ee7000c6019c70763c7aea Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 16 Nov 2018 01:48:54 +0100
Subject: [PATCH 09/26] Merged TOKEN_PIN_RESET events

TOKEN_PIN_RESET_FAILURE and TOKEN_PIN_RESET_SUCCESS events have
been merged into a single TOKEN_PIN_RESET event with different
outcomes.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 2cab965e97c670c90a198c98fc4acc1e574720cc)
---
 .../com/netscape/certsrv/logging/AuditEvent.java   |  4 --
 .../certsrv/logging/event/TokenPinResetEvent.java  | 78 ++++++++++++++++++++++
 base/server/cmsbundle/src/LogMessages.properties   |  4 +-
 .../server/tps/processor/TPSPinResetProcessor.java | 55 ++++++++-------
 .../server/tps/processor/TPSProcessor.java         |  2 +-
 5 files changed, 112 insertions(+), 31 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/logging/event/TokenPinResetEvent.java

diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index f59ed8f..6fee5f4 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -123,10 +123,6 @@ public class AuditEvent extends LogEvent {
             "LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10";
     public final static String TOKEN_CERT_STATUS_CHANGE_REQUEST =
             "LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10";
-    public final static String TOKEN_PIN_RESET_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS_6";
-    public final static String TOKEN_PIN_RESET_FAILURE =
-            "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE_6";
     public final static String TOKEN_OP_REQUEST =
             "LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6";
     public final static String TOKEN_KEY_CHANGEOVER_REQUIRED =
diff --git a/base/common/src/com/netscape/certsrv/logging/event/TokenPinResetEvent.java b/base/common/src/com/netscape/certsrv/logging/event/TokenPinResetEvent.java
new file mode 100644
index 0000000..fb6d68b
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/TokenPinResetEvent.java
@@ -0,0 +1,78 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2018 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.SignedAuditEvent;
+
+public class TokenPinResetEvent extends SignedAuditEvent {
+
+    private static final long serialVersionUID = 1L;
+
+    public final static String SUCCESS =
+            "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS";
+
+    public final static String FAILURE =
+            "LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE";
+
+    public TokenPinResetEvent(String messageID) {
+        super(messageID);
+    }
+
+    public static TokenPinResetEvent success(
+            String ip,
+            String subjectID,
+            String cuid,
+            String tokenType,
+            String appletVersion,
+            String keyVersion) {
+
+        TokenPinResetEvent event = new TokenPinResetEvent(SUCCESS);
+
+        event.setAttribute("IP", ip);
+        event.setAttribute("SubjectID", subjectID);
+        event.setAttribute("CUID", cuid);
+        event.setAttribute("Outcome", ILogger.SUCCESS);
+        event.setAttribute("tokenType", tokenType);
+        event.setAttribute("AppletVersion", appletVersion);
+        event.setAttribute("KeyVersion", keyVersion);
+
+        return event;
+    }
+
+    public static TokenPinResetEvent failure(
+            String ip,
+            String subjectID,
+            String cuid,
+            String tokenType,
+            String appletVersion,
+            String info) {
+
+        TokenPinResetEvent event = new TokenPinResetEvent(FAILURE);
+
+        event.setAttribute("IP", ip);
+        event.setAttribute("SubjectID", subjectID);
+        event.setAttribute("CUID", cuid);
+        event.setAttribute("Outcome", ILogger.FAILURE);
+        event.setAttribute("tokenType", tokenType);
+        event.setAttribute("AppletVersion", appletVersion);
+        event.setAttribute("Info", info);
+
+        return event;
+    }
+}
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index 5c8c9e4..af45ee6 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2606,11 +2606,11 @@ LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10=<type=TOKEN_CERT_STATUS
 #
 # LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS
 # - used when token pin reset request succeeded
-LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS_6=<type=TOKEN_PIN_RESET_SUCCESS>:[AuditEvent=TOKEN_PIN_RESET_SUCCESS][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][AppletVersion={4}][KeyVersion={5}] token op pin reset success
+LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS=<type=TOKEN_PIN_RESET>:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset success
 #
 # LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE
 # - used when token pin reset request failed
-LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE_6=<type=TOKEN_PIN_RESET_FAILURE>:[AuditEvent=TOKEN_PIN_RESET_FAILURE][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][AppletVersion={4}][KeyVersion={5}] token op pin reset failure
+LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE=<type=TOKEN_PIN_RESET>:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset failure
 #
 # LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST
 # - used when token processor op request is made
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
index b309657..ffc0974 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSPinResetProcessor.java
@@ -33,7 +33,7 @@ import org.dogtagpki.tps.msg.BeginOpMsg;
 import org.dogtagpki.tps.msg.EndOpMsg.TPSStatus;
 
 import com.netscape.certsrv.apps.CMS;
-import com.netscape.certsrv.logging.AuditEvent;
+import com.netscape.certsrv.logging.event.TokenPinResetEvent;
 import com.netscape.certsrv.tps.token.TokenStatus;
 
 public class TPSPinResetProcessor extends TPSProcessor {
@@ -92,7 +92,8 @@ public class TPSPinResetProcessor extends TPSProcessor {
         if (tokenRecord == null) {
             //We can't reset the pin of a token that does not exist.
             logMsg = method + "Token does not exist!";
-            auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
+            auditPinResetFailure(session.getIpAddress(), userid, appletInfo, logMsg);
+
             tps.tdb.tdbActivity(ActivityDatabase.OP_PIN_RESET, tokenRecord, session.getIpAddress(), logMsg,
                     "failure");
             CMS.debug(logMsg);
@@ -123,7 +124,8 @@ public class TPSPinResetProcessor extends TPSProcessor {
             }
         } catch (TPSException e) {
             logMsg = e.toString();
-            auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
+            auditPinResetFailure(session.getIpAddress(), userid, appletInfo, logMsg);
+
             tps.tdb.tdbActivity(ActivityDatabase.OP_PIN_RESET, tokenRecord, session.getIpAddress(), logMsg,
                     "failure");
 
@@ -142,7 +144,8 @@ public class TPSPinResetProcessor extends TPSProcessor {
 
         if (!status.equals(TokenStatus.ACTIVE)) {
             logMsg = method + "Can not reset the pin of a non active token.";
-            auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
+            auditPinResetFailure(session.getIpAddress(), userid, appletInfo, logMsg);
+
             throw new TPSException(method + " Attempt to reset pin of token not currently active!",
                     TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
 
@@ -153,7 +156,8 @@ public class TPSPinResetProcessor extends TPSProcessor {
         CMS.debug(method + ": PinResetPolicy: Pin Reset Allowed:  " + pinResetAllowed);
         logMsg = method + " PinReset Policy forbids pin reset operation.";
         if (pinResetAllowed == false) {
-            auditPinReset(session.getIpAddress(), userid, appletInfo, "failure", null, logMsg);
+            auditPinResetFailure(session.getIpAddress(), userid, appletInfo, logMsg);
+
             throw new TPSException(method + " Attempt to reset pin when token policy disallows it.!",
                     TPSStatus.STATUS_ERROR_MAC_RESET_PIN_PDU);
 
@@ -169,8 +173,8 @@ public class TPSPinResetProcessor extends TPSProcessor {
 
         checkAndHandlePinReset(channel);
 
-        auditPinReset(session.getIpAddress(), userid, appletInfo, "success",
-                channel.getKeyInfoData().toHexStringPlain(), null);
+        auditPinResetSuccess(session.getIpAddress(), userid, appletInfo,
+                channel.getKeyInfoData().toHexStringPlain());
 
         statusUpdate(100, "PROGRESS_PIN_RESET_COMPLETE");
         logMsg = "update token during pin reset";
@@ -189,31 +193,34 @@ public class TPSPinResetProcessor extends TPSProcessor {
 
     }
 
-    protected void auditPinReset(String ip, String subjectID,
+    protected void auditPinResetSuccess(String ip, String subjectID,
             AppletInfo aInfo,
-            String status,
-            String keyVersion,
-            String info) {
+            String keyVersion) {
 
-        String auditType = "";
-        switch (status) {
-        case "success":
-            auditType = AuditEvent.TOKEN_PIN_RESET_SUCCESS;
-            break;
-        default:
-            auditType = AuditEvent.TOKEN_PIN_RESET_FAILURE;
-        }
+        TokenPinResetEvent event = TokenPinResetEvent.success(
+                ip,
+                subjectID,
+                (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
+                getSelectedTokenType(),
+                (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
+                keyVersion);
+
+        signedAuditLogger.log(event);
+    }
 
-        String auditMessage = CMS.getLogMessage(
-                auditType,
+    protected void auditPinResetFailure(String ip, String subjectID,
+            AppletInfo aInfo,
+            String info) {
+
+        TokenPinResetEvent event = TokenPinResetEvent.failure(
                 ip,
                 subjectID,
                 (aInfo != null) ? aInfo.getCUIDhexStringPlain() : null,
-                status,
                 getSelectedTokenType(),
-                keyVersion,
+                (aInfo != null) ? aInfo.getFinalAppletVersion() : null,
                 info);
-        audit(auditMessage);
+
+        signedAuditLogger.log(event);
     }
 
     public static void main(String[] args) {
diff --git a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
index b4f4d33..a572826 100644
--- a/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
+++ b/base/tps/src/org/dogtagpki/server/tps/processor/TPSProcessor.java
@@ -110,7 +110,7 @@ import netscape.security.x509.RevocationReason;
 
 public class TPSProcessor {
 
-    private static Logger signedAuditLogger = SignedAuditLogger.getLogger();
+    protected static Logger signedAuditLogger = SignedAuditLogger.getLogger();
 
     public static final int RESULT_NO_ERROR = 0;
     public static final int RESULT_ERROR = -1;
-- 
1.8.3.1


From 3d5ddb32e20549d8ec37cd73cf859e066299df4a Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 16 Nov 2018 04:32:30 +0100
Subject: [PATCH 10/26] Merged DIVERSIFY_KEY_REQUEST_PROCESSED events

DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE and
DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS have been merged
into a single DIVERSIFY_KEY_REQUEST_PROCESSED event with
different outcomes.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 1b893667a567ff79da9933e059084a200ebbde24)
---
 .../com/netscape/certsrv/logging/AuditEvent.java   |   4 -
 .../event/DiversifyKeyRequestProcessedEvent.java   | 100 +++++++++++++++++++++
 base/server/cmsbundle/src/LogMessages.properties   |   4 +-
 .../dogtagpki/server/tks/servlet/TokenServlet.java |  22 ++---
 4 files changed, 114 insertions(+), 16 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/logging/event/DiversifyKeyRequestProcessedEvent.java

diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index 6fee5f4..36c45c8 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -101,10 +101,6 @@ public class AuditEvent extends LogEvent {
             "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_14"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
     public final static String DIVERSIFY_KEY_REQUEST =
             "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
-    public final static String DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_12"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
-    public final static String DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE =
-            "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_13"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
     public final static String ENCRYPT_DATA_REQUEST =
             "LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
 
diff --git a/base/common/src/com/netscape/certsrv/logging/event/DiversifyKeyRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/DiversifyKeyRequestProcessedEvent.java
new file mode 100644
index 0000000..dfc16db
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/DiversifyKeyRequestProcessedEvent.java
@@ -0,0 +1,100 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2018 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.SignedAuditEvent;
+
+public class DiversifyKeyRequestProcessedEvent extends SignedAuditEvent {
+
+    private static final long serialVersionUID = 1L;
+
+    public final static String SUCCESS =
+            "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS";
+
+    public final static String FAILURE =
+            "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE";
+
+    public DiversifyKeyRequestProcessedEvent(String messageID) {
+        super(messageID);
+    }
+
+    public static DiversifyKeyRequestProcessedEvent success(
+            String CUID_decoded,
+            String KDD_decoded,
+            String status,
+            String agentID,
+            String oldMasterKeyName,
+            String newMasterKeyName,
+            String keySet,
+            String oldKeyInfo_KeyVersion,
+            String newKeyInfo_KeyVersion,
+            String nistSP800_108KdfOnKeyVersion,
+            String nistSP800_108KdfUseCuidAsKdd) {
+
+        DiversifyKeyRequestProcessedEvent event = new DiversifyKeyRequestProcessedEvent(SUCCESS);
+
+        event.setAttribute("CUID_decoded", CUID_decoded);
+        event.setAttribute("KDD_decoded", KDD_decoded);
+        event.setAttribute("Outcome", ILogger.SUCCESS);
+        event.setAttribute("status", status);
+        event.setAttribute("AgentID", agentID);
+        event.setAttribute("oldMasterKeyName", oldMasterKeyName);
+        event.setAttribute("newMasterKeyName", newMasterKeyName);
+        event.setAttribute("TKSKeyset", keySet);
+        event.setAttribute("OldKeyInfo_KeyVersion", oldKeyInfo_KeyVersion);
+        event.setAttribute("NewKeyInfo_KeyVersion", newKeyInfo_KeyVersion);
+        event.setAttribute("NistSP800_108KdfOnKeyVersion", nistSP800_108KdfOnKeyVersion);
+        event.setAttribute("NistSP800_108KdfUseCuidAsKdd", nistSP800_108KdfUseCuidAsKdd);
+
+        return event;
+    }
+
+    public static DiversifyKeyRequestProcessedEvent failure(
+            String CUID_decoded,
+            String KDD_decoded,
+            String status,
+            String agentID,
+            String oldMasterKeyName,
+            String newMasterKeyName,
+            String keySet,
+            String oldKeyInfo_KeyVersion,
+            String newKeyInfo_KeyVersion,
+            String nistSP800_108KdfOnKeyVersion,
+            String nistSP800_108KdfUseCuidAsKdd,
+            String error) {
+
+        DiversifyKeyRequestProcessedEvent event = new DiversifyKeyRequestProcessedEvent(FAILURE);
+
+        event.setAttribute("CUID_decoded", CUID_decoded);
+        event.setAttribute("KDD_decoded", KDD_decoded);
+        event.setAttribute("Outcome", ILogger.FAILURE);
+        event.setAttribute("status", status);
+        event.setAttribute("AgentID", agentID);
+        event.setAttribute("oldMasterKeyName", oldMasterKeyName);
+        event.setAttribute("newMasterKeyName", newMasterKeyName);
+        event.setAttribute("TKSKeyset", keySet);
+        event.setAttribute("OldKeyInfo_KeyVersion", oldKeyInfo_KeyVersion);
+        event.setAttribute("NewKeyInfo_KeyVersion", newKeyInfo_KeyVersion);
+        event.setAttribute("NistSP800_108KdfOnKeyVersion", nistSP800_108KdfOnKeyVersion);
+        event.setAttribute("NistSP800_108KdfUseCuidAsKdd", nistSP800_108KdfUseCuidAsKdd);
+        event.setAttribute("Error", error);
+
+        return event;
+    }
+}
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index af45ee6..5ea320c 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2370,7 +2370,7 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6=<type=DIVERSIFY_KEY_REQUEST>:[Audit
 # NewKeyInfo_KeyVersion is the new key version number in hex.
 # NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
 # NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
-LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_12=<type=DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS][CUID_decoded={0}][KDD_decoded={1}][Outcome={2}][status={3}][AgentID={4}][oldMasterKeyName={5}][newMasterKeyName={6}][TKSKeyset={7}][OldKeyInfo_KeyVersion={8}][NewKeyInfo_KeyVersion={9}][NistSP800_108KdfOnKeyVersion={10}][NistSP800_108KdfUseCuidAsKdd={11}] TKS Key Change Over request processed successfully
+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=<type=DIVERSIFY_KEY_REQUEST_PROCESSED>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request processed successfully
 
 #
 ###########################
@@ -2393,7 +2393,7 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS_12=<type=DIVERSIFY_
 # NewKeyInfo_KeyVersion is the new key version number in hex.
 # NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
 # NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex
-LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE_13=<type=DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE][CUID_decoded={0}][KDD_decoded={1}][Outcome={2}][status={3}][AgentID={4}][oldMasterKeyName={5}][newMasterKeyName={6}][TKSKeyset={7}][OldKeyInfo_KeyVersion={8}][NewKeyInfo_KeyVersion={9}][NistSP800_108KdfOnKeyVersion={10}][NistSP800_108KdfUseCuidAsKdd={11}][Error={12}] TKS Key Change Over request failed
+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=<type=DIVERSIFY_KEY_REQUEST_PROCESSED>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request failed
 
 # LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST
 # - request from TPS to TKS to encrypt data
diff --git a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
index 18c7926..85aa28c 100644
--- a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
+++ b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
@@ -49,6 +49,7 @@ import com.netscape.certsrv.base.IPrettyPrintFormat;
 import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.event.DiversifyKeyRequestProcessedEvent;
 import com.netscape.certsrv.logging.event.EncryptDataRequestProcessedEvent;
 import com.netscape.cms.logging.Logger;
 import com.netscape.cms.servlet.base.CMSServlet;
@@ -1875,9 +1876,9 @@ public class TokenServlet extends CMSServlet {
             // AC: KDF SPEC CHANGE - Log both CUID and KDD
             //                       Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
             //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+            DiversifyKeyRequestProcessedEvent event = DiversifyKeyRequestProcessedEvent.success(
+                    log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
                     log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-                    ILogger.SUCCESS, // Outcome
                     status, // status
                     agentId, // AgentID
 
@@ -1890,15 +1891,17 @@ public class TokenServlet extends CMSServlet {
                     log_string_from_keyInfo(xnewkeyInfo), // NewKeyInfo_KeyVersion
                     "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
-            };
-            auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, logParams);
+            );
+
+            signedAuditLogger.log(event);
+
         } else {
             // AC: KDF SPEC CHANGE - Log both CUID and KDD
             //                       Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
             //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+            DiversifyKeyRequestProcessedEvent event = DiversifyKeyRequestProcessedEvent.failure(
+                    log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
                     log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-                    ILogger.FAILURE, // Outcome
                     status, // status
                     agentId, // AgentID
 
@@ -1912,11 +1915,10 @@ public class TokenServlet extends CMSServlet {
                     "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
                     errorMsg // Error
-            };
-            auditMessage = CMS.getLogMessage(AuditEvent.DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE, logParams);
-        }
+            );
 
-        audit(auditMessage);
+            signedAuditLogger.log(event);
+        }
     }
 
     private void processEncryptData(HttpServletRequest req,
-- 
1.8.3.1


From db4ce9e5f5990b560ea96a02119fce764a39fbed Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 16 Nov 2018 05:12:22 +0100
Subject: [PATCH 11/26] Merged COMPUTE_SESSION_KEY_REQUEST_PROCESSED events

COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE and
COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS have been merged
into a single COMPUTE_SESSION_KEY_REQUEST_PROCESSED event with
different outcomes.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit d2c9fe4effe04e585d5a1ecdd29931bec4ec23f1)
---
 .../com/netscape/certsrv/logging/AuditEvent.java   |   4 -
 .../ComputeSessionKeyRequestProcessedEvent.java    | 104 +++++++++++++++++++++
 base/server/cmsbundle/src/LogMessages.properties   |   4 +-
 .../dogtagpki/server/tks/servlet/TokenServlet.java |  72 +++++++-------
 4 files changed, 140 insertions(+), 44 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ComputeSessionKeyRequestProcessedEvent.java

diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index 36c45c8..e513087 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -95,10 +95,6 @@ public class AuditEvent extends LogEvent {
             "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE_4";
     public final static String COMPUTE_SESSION_KEY_REQUEST =
             "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
-    public final static String COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_13"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
-    public final static String COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE =
-            "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_14"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.  Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd.
     public final static String DIVERSIFY_KEY_REQUEST =
             "LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
     public final static String ENCRYPT_DATA_REQUEST =
diff --git a/base/common/src/com/netscape/certsrv/logging/event/ComputeSessionKeyRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ComputeSessionKeyRequestProcessedEvent.java
new file mode 100644
index 0000000..29b4cac
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/ComputeSessionKeyRequestProcessedEvent.java
@@ -0,0 +1,104 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2018 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.SignedAuditEvent;
+
+public class ComputeSessionKeyRequestProcessedEvent extends SignedAuditEvent {
+
+    private static final long serialVersionUID = 1L;
+
+    public final static String SUCCESS =
+            "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS";
+
+    public final static String FAILURE =
+            "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE";
+
+    public ComputeSessionKeyRequestProcessedEvent(String messageID) {
+        super(messageID);
+    }
+
+    public static ComputeSessionKeyRequestProcessedEvent success(
+            String CUID_decoded,
+            String KDD_decoded,
+            String status,
+            String agentID,
+            String isCryptoValidate,
+            String isServerSideKeygen,
+            String selectedToken,
+            String keyNickName,
+            String keyset,
+            String keyInfo_KeyVersion,
+            String nistSP800_108KdfOnKeyVersion,
+            String nistSP800_108KdfUseCuidAsKdd) {
+
+        ComputeSessionKeyRequestProcessedEvent event = new ComputeSessionKeyRequestProcessedEvent(SUCCESS);
+
+        event.setAttribute("CUID_decoded", CUID_decoded);
+        event.setAttribute("KDD_decoded", KDD_decoded);
+        event.setAttribute("Outcome", ILogger.SUCCESS);
+        event.setAttribute("status", status);
+        event.setAttribute("AgentID", agentID);
+        event.setAttribute("IsCryptoValidate", isCryptoValidate);
+        event.setAttribute("IsServerSideKeygen", isServerSideKeygen);
+        event.setAttribute("SelectedToken", selectedToken);
+        event.setAttribute("KeyNickName", keyNickName);
+        event.setAttribute("TKSKeyset", keyset);
+        event.setAttribute("KeyInfo_KeyVersion", keyInfo_KeyVersion);
+        event.setAttribute("NistSP800_108KdfOnKeyVersion", nistSP800_108KdfOnKeyVersion);
+        event.setAttribute("NistSP800_108KdfUseCuidAsKdd", nistSP800_108KdfUseCuidAsKdd);
+
+        return event;
+    }
+
+    public static ComputeSessionKeyRequestProcessedEvent failure(
+            String CUID_decoded,
+            String KDD_decoded,
+            String status,
+            String agentID,
+            String isCryptoValidate,
+            String isServerSideKeygen,
+            String selectedToken,
+            String keyNickName,
+            String keyset,
+            String keyInfo_KeyVersion,
+            String nistSP800_108KdfOnKeyVersion,
+            String nistSP800_108KdfUseCuidAsKdd,
+            String error) {
+
+        ComputeSessionKeyRequestProcessedEvent event = new ComputeSessionKeyRequestProcessedEvent(FAILURE);
+
+        event.setAttribute("CUID_decoded", CUID_decoded);
+        event.setAttribute("KDD_decoded", KDD_decoded);
+        event.setAttribute("Outcome", ILogger.FAILURE);
+        event.setAttribute("status", status);
+        event.setAttribute("AgentID", agentID);
+        event.setAttribute("IsCryptoValidate", isCryptoValidate);
+        event.setAttribute("IsServerSideKeygen", isServerSideKeygen);
+        event.setAttribute("SelectedToken", selectedToken);
+        event.setAttribute("KeyNickName", keyNickName);
+        event.setAttribute("TKSKeyset", keyset);
+        event.setAttribute("KeyInfo_KeyVersion", keyInfo_KeyVersion);
+        event.setAttribute("NistSP800_108KdfOnKeyVersion", nistSP800_108KdfOnKeyVersion);
+        event.setAttribute("NistSP800_108KdfUseCuidAsKdd", nistSP800_108KdfUseCuidAsKdd);
+        event.setAttribute("Error", error);
+
+        return event;
+    }
+}
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index 5ea320c..c39e975 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2310,7 +2310,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=<type=COMPUTE_SESSION_KEY_REQ
 # KeyInfo_KeyVersion is the key version number requested in hex.
 # NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
 # NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
-LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_13=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS][CUID_decoded={0}][KDD_decoded={1}][Outcome={2}][status={3}][AgentID={4}][IsCryptoValidate={5}][IsServerSideKeygen={6}][SelectedToken={7}][KeyNickName={8}][TKSKeyset={9}][KeyInfo_KeyVersion={10}][NistSP800_108KdfOnKeyVersion={11}][NistSP800_108KdfUseCuidAsKdd={12}] TKS Compute session key request processed successfully
+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request processed successfully
 
 #
 #
@@ -2335,7 +2335,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS_13=<type=COMP
 # KeyInfo_KeyVersion is the key version number requested in hex.
 # NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
 # NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex
-LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE_14=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE][CUID_decoded={0}][KDD_decoded={1}][Outcome={2}][status={3}][AgentID={4}][IsCryptoValidate={5}][IsServerSideKeygen={6}][SelectedToken={7}][KeyNickName={8}][TKSKeyset={9}][KeyInfo_KeyVersion={10}][NistSP800_108KdfOnKeyVersion={11}][NistSP800_108KdfUseCuidAsKdd={12}][Error={13}] TKS Compute session key request failed
+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request failed
 
 
 # LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST
diff --git a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
index 85aa28c..1f9d427 100644
--- a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
+++ b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
@@ -49,6 +49,7 @@ import com.netscape.certsrv.base.IPrettyPrintFormat;
 import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.event.ComputeSessionKeyRequestProcessedEvent;
 import com.netscape.certsrv.logging.event.DiversifyKeyRequestProcessedEvent;
 import com.netscape.certsrv.logging.event.EncryptDataRequestProcessedEvent;
 import com.netscape.cms.logging.Logger;
@@ -792,9 +793,9 @@ public class TokenServlet extends CMSServlet {
 
         if (status.equals("0")) {
 
-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+            ComputeSessionKeyRequestProcessedEvent event = ComputeSessionKeyRequestProcessedEvent.success(
+                    log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
                     log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-                    ILogger.SUCCESS, // Outcome
                     status, // status
                     agentId, // AgentID
                     isCryptoValidate ? "true" : "false", // IsCryptoValidate
@@ -805,15 +806,15 @@ public class TokenServlet extends CMSServlet {
                     log_string_from_keyInfo(keyInfo), // KeyInfo_KeyVersion
                     "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
-            };
-            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
-                    logParams);
+            );
+
+            signedAuditLogger.log(event);;
 
         } else {
 
-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+            ComputeSessionKeyRequestProcessedEvent event = ComputeSessionKeyRequestProcessedEvent.failure(
+                    log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
                     log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-                    ILogger.FAILURE, // Outcome
                     status, // status
                     agentId, // AgentID
                     isCryptoValidate ? "true" : "false", // IsCryptoValidate
@@ -825,13 +826,10 @@ public class TokenServlet extends CMSServlet {
                     "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
                     errorMsg // Error
-            };
-            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
-                    logParams);
-        }
-
-        audit(auditMessage);
+            );
 
+            signedAuditLogger.log(event);
+        }
     }
 
     private void processComputeSessionKey(HttpServletRequest req,
@@ -1449,9 +1447,9 @@ public class TokenServlet extends CMSServlet {
             // AC: KDF SPEC CHANGE - Log both CUID and KDD.
             //                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
             //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+            ComputeSessionKeyRequestProcessedEvent event = ComputeSessionKeyRequestProcessedEvent.success(
+                    log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
                     log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-                    ILogger.SUCCESS, // Outcome
                     status, // status
                     agentId, // AgentID
                     isCryptoValidate ? "true" : "false", // IsCryptoValidate
@@ -1462,17 +1460,17 @@ public class TokenServlet extends CMSServlet {
                     log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
                     "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd) // NistSP800_108KdfUseCuidAsKdd
-            };
-            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
-                    logParams);
+            );
+
+            signedAuditLogger.log(event);
 
         } else {
             // AC: KDF SPEC CHANGE - Log both CUID and KDD
             //                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
             //                       Finally, log CUID and KDD in ASCII-HEX format, as long as special-decoded version is available.
-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+            ComputeSessionKeyRequestProcessedEvent event = ComputeSessionKeyRequestProcessedEvent.failure(
+                    log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
                     log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-                    ILogger.FAILURE, // Outcome
                     status, // status
                     agentId, // AgentID
                     isCryptoValidate ? "true" : "false", // IsCryptoValidate
@@ -1484,13 +1482,10 @@ public class TokenServlet extends CMSServlet {
                     "0x" + Integer.toHexString(nistSP800_108KdfOnKeyVersion & 0x000000FF), // NistSP800_108KdfOnKeyVersion
                     Boolean.toString(nistSP800_108KdfUseCuidAsKdd), // NistSP800_108KdfUseCuidAsKdd
                     errorMsg // Error
-            };
-            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
-                    logParams);
+            );
 
+            signedAuditLogger.log(event);
         }
-
-        audit(auditMessage);
     }
 
     // This method will return the shared secret name.  In new 10.1 subsystems, this
@@ -2915,9 +2910,9 @@ public class TokenServlet extends CMSServlet {
         }
 
         if (status.equals("0")) {
-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+            ComputeSessionKeyRequestProcessedEvent event = ComputeSessionKeyRequestProcessedEvent.success(
+                    log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
                     log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-                    ILogger.SUCCESS, // Outcome
                     status, // status
                     agentId, // AgentID
                     isCryptoValidate ? "true" : "false", // IsCryptoValidate
@@ -2926,14 +2921,16 @@ public class TokenServlet extends CMSServlet {
                     keyNickName, // KeyNickName
                     keySet, // TKSKeyset
                     log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
-            };
-            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS,
-                    logParams);
+                    null,
+                    null
+            );
+
+            signedAuditLogger.log(event);
 
         } else {
-            String[] logParams = { log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
+            ComputeSessionKeyRequestProcessedEvent event = ComputeSessionKeyRequestProcessedEvent.failure(
+                    log_string_from_specialDecoded_byte_array(xCUID), // CUID_decoded
                     log_string_from_specialDecoded_byte_array(xKDD), // KDD_decoded
-                    ILogger.FAILURE, // Outcome
                     status, // status
                     agentId, // AgentID
                     isCryptoValidate ? "true" : "false", // IsCryptoValidate
@@ -2942,15 +2939,14 @@ public class TokenServlet extends CMSServlet {
                     keyNickName, // KeyNickName
                     keySet, // TKSKeyset
                     log_string_from_keyInfo(xkeyInfo), // KeyInfo_KeyVersion
+                    null,
+                    null,
                     errorMsg // Error
-            };
-            auditMessage = CMS.getLogMessage(AuditEvent.COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,
-                    logParams);
-
-        }
+            );
 
-        audit(auditMessage);
+            signedAuditLogger.log(event);
 
+        }
     }
 
     /**
-- 
1.8.3.1


From 6ab503f223674128cc7df6537d798465059f0ded Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 16 Nov 2018 05:27:06 +0100
Subject: [PATCH 12/26] Merged COMPUTE_RANDOM_DATA_REQUEST_PROCESSED events

COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE and
COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS have been merged
into a single COMPUTE_RANDOM_DATA_REQUEST_PROCESSED event with
different outcomes.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 745aa2e37b65a5564f58e94373093d8366feddd7)
---
 .../com/netscape/certsrv/logging/AuditEvent.java   |  4 --
 .../ComputeRandomDataRequestProcessedEvent.java    | 64 ++++++++++++++++++++++
 base/server/cmsbundle/src/LogMessages.properties   |  4 +-
 .../dogtagpki/server/tks/servlet/TokenServlet.java | 16 +++---
 4 files changed, 74 insertions(+), 14 deletions(-)
 create mode 100644 base/common/src/com/netscape/certsrv/logging/event/ComputeRandomDataRequestProcessedEvent.java

diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index e513087..3712e73 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -89,10 +89,6 @@ public class AuditEvent extends LogEvent {
 
     public final static String COMPUTE_RANDOM_DATA_REQUEST =
             "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2";
-    public final static String COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS =
-            "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS_3";
-    public final static String COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE =
-            "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE_4";
     public final static String COMPUTE_SESSION_KEY_REQUEST =
             "LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4"; // AC: KDF SPEC CHANGE:  Need to log both KDD and CUID.
     public final static String DIVERSIFY_KEY_REQUEST =
diff --git a/base/common/src/com/netscape/certsrv/logging/event/ComputeRandomDataRequestProcessedEvent.java b/base/common/src/com/netscape/certsrv/logging/event/ComputeRandomDataRequestProcessedEvent.java
new file mode 100644
index 0000000..58e4aa7
--- /dev/null
+++ b/base/common/src/com/netscape/certsrv/logging/event/ComputeRandomDataRequestProcessedEvent.java
@@ -0,0 +1,64 @@
+// --- BEGIN COPYRIGHT BLOCK ---
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; version 2 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+//
+// (C) 2018 Red Hat, Inc.
+// All rights reserved.
+// --- END COPYRIGHT BLOCK ---
+package com.netscape.certsrv.logging.event;
+
+import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.SignedAuditEvent;
+
+public class ComputeRandomDataRequestProcessedEvent extends SignedAuditEvent {
+
+    private static final long serialVersionUID = 1L;
+
+    public final static String SUCCESS =
+            "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS";
+
+    public final static String FAILURE =
+            "LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE";
+
+    public ComputeRandomDataRequestProcessedEvent(String messageID) {
+        super(messageID);
+    }
+
+    public static ComputeRandomDataRequestProcessedEvent success(
+            String status,
+            String agentID) {
+
+        ComputeRandomDataRequestProcessedEvent event = new ComputeRandomDataRequestProcessedEvent(SUCCESS);
+
+        event.setAttribute("Outcome", ILogger.SUCCESS);
+        event.setAttribute("Status", status);
+        event.setAttribute("AgentID", agentID);
+
+        return event;
+    }
+
+    public static ComputeRandomDataRequestProcessedEvent failure(
+            String status,
+            String agentID,
+            String error) {
+
+        ComputeRandomDataRequestProcessedEvent event = new ComputeRandomDataRequestProcessedEvent(FAILURE);
+
+        event.setAttribute("Outcome", ILogger.FAILURE);
+        event.setAttribute("Status", status);
+        event.setAttribute("AgentID", agentID);
+        event.setAttribute("Error", error);
+
+        return event;
+    }
+}
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index c39e975..10c1213 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -2263,7 +2263,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=<type=COMPUTE_RANDOM_DATA_REQ
 # Outcome is SUCCESS or FAILURE
 # Status is 0 for no error.
 # AgentID must be the trusted agent id used to make the request
-LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS_3=<type=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS][Outcome={0}][Status={1}][AgentID={2}] TKS Compute random data request processed successfully
+LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED]{0} TKS Compute random data request processed successfully
 
 # LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE
 # - used for TPS to TKS to get random challenge data
@@ -2271,7 +2271,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS_3=<type=COMPU
 # Status is 0 for no error.
 # Error gives the error message
 # AgentID must be the trusted agent id used to make the request
-LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE_4=<type=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCCESED_FAILURE][Outcome={0}][Status={1}][AgentID={2}][Error={3}] TKS Compute random data request failed
+LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE=<type=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCCESED]{0} TKS Compute random data request failed
 
 #
 #
diff --git a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
index 1f9d427..8716586 100644
--- a/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
+++ b/base/tks/src/org/dogtagpki/server/tks/servlet/TokenServlet.java
@@ -49,6 +49,7 @@ import com.netscape.certsrv.base.IPrettyPrintFormat;
 import com.netscape.certsrv.base.SessionContext;
 import com.netscape.certsrv.logging.AuditEvent;
 import com.netscape.certsrv.logging.ILogger;
+import com.netscape.certsrv.logging.event.ComputeRandomDataRequestProcessedEvent;
 import com.netscape.certsrv.logging.event.ComputeSessionKeyRequestProcessedEvent;
 import com.netscape.certsrv.logging.event.DiversifyKeyRequestProcessedEvent;
 import com.netscape.certsrv.logging.event.EncryptDataRequestProcessedEvent;
@@ -2368,21 +2369,20 @@ public class TokenServlet extends CMSServlet {
         }
 
         if (status.equals("0")) {
-            auditMessage = CMS.getLogMessage(
-                    AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,
-                    ILogger.SUCCESS,
+            ComputeRandomDataRequestProcessedEvent event = ComputeRandomDataRequestProcessedEvent.success(
                     status,
                     agentId);
+
+            signedAuditLogger.log(event);
+
         } else {
-            auditMessage = CMS.getLogMessage(
-                    AuditEvent.COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,
-                    ILogger.FAILURE,
+            ComputeRandomDataRequestProcessedEvent event = ComputeRandomDataRequestProcessedEvent.failure(
                     status,
                     agentId,
                     errorMsg);
-        }
 
-        audit(auditMessage);
+            signedAuditLogger.log(event);
+        }
     }
 
     public void process(CMSRequest cmsReq) throws EBaseException {
-- 
1.8.3.1


From 9b5a3a7bda8d2d95508ed337e6e0cb1c7543f059 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 27 Nov 2018 00:16:12 +0100
Subject: [PATCH 13/26] Getting audit events from LogMessages.properties

The LogSubsystem has been modified to construct the list
of all available audit events from LogMessages.properties
on initialization.

The AuditService has been modified to get the list of all
available audit events from LogSubsystem instead of the
log.instance.SignedAudit.unselected.events property in
CS.cfg when requested. It will also no longer update the
property in CS.cfg.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 37eef0740cdf075dff85178311519b6dc3d00c88)
---
 .../org/dogtagpki/server/rest/AuditService.java    | 21 +++++--------
 .../com/netscape/cmscore/logging/LogSubsystem.java | 34 ++++++++++++++++++++++
 2 files changed, 42 insertions(+), 13 deletions(-)

diff --git a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
index c53604d..1dada70 100644
--- a/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
+++ b/base/server/cms/src/org/dogtagpki/server/rest/AuditService.java
@@ -55,6 +55,7 @@ import com.netscape.certsrv.logging.AuditResource;
 import com.netscape.certsrv.logging.ILogger;
 import com.netscape.certsrv.logging.event.ConfigSignedAuditEvent;
 import com.netscape.cms.servlet.base.SubsystemService;
+import com.netscape.cmscore.logging.LogSubsystem;
 
 /**
  * @author Endi S. Dewata
@@ -101,15 +102,14 @@ public class AuditService extends SubsystemService implements AuditResource {
 
         Map<String, String> eventConfigs = new TreeMap<String, String>();
 
-        // unselected optional events
-        val = cs.getString("log.instance.SignedAudit.unselected.events", "");
-        if (auditParams != null)
-            auditParams.put("unselected.events", val);
-        for (String event : StringUtils.split(val, ", ")) {
-            eventConfigs.put(event.trim(), "disabled");
+        LogSubsystem logSubsystem = (LogSubsystem) CMS.getSubsystem(LogSubsystem.ID);
+
+        // load all audit events as disabled initially
+        for (String name : logSubsystem.getAuditEvents()) {
+            eventConfigs.put(name, "disabled");
         }
 
-        // selected optional events
+        // overwrite with enabled events
         val = cs.getString("log.instance.SignedAudit.events", "");
         if (auditParams != null)
             auditParams.put("events", val);
@@ -117,7 +117,7 @@ public class AuditService extends SubsystemService implements AuditResource {
             eventConfigs.put(event.trim(), "enabled");
         }
 
-        // always selected mandatory events
+        // overwrite with mandatory events
         val = cs.getString("log.instance.SignedAudit.mandatory.events", "");
         if (auditParams != null)
             auditParams.put("mandatory.events", val);
@@ -187,7 +187,6 @@ public class AuditService extends SubsystemService implements AuditResource {
                 // update events if specified
 
                 Collection<String> selected = new TreeSet<String>();
-                Collection<String> unselected = new TreeSet<String>();
 
                 for (Map.Entry<String, String> entry : eventConfigs.entrySet()) {
                     String name = entry.getKey();
@@ -224,9 +223,6 @@ public class AuditService extends SubsystemService implements AuditResource {
                     if ("enabled".equals(value)) {
                         selected.add(name);
 
-                    } else if ("disabled".equals(value)) {
-                        unselected.add(name);
-
                     } else {
                         PKIException e = new PKIException("Invalid event configuration: " + name + "=" + value);
                         auditModParams.put("Info", e.toString());
@@ -236,7 +232,6 @@ public class AuditService extends SubsystemService implements AuditResource {
                 }
 
                 cs.putString("log.instance.SignedAudit.events", StringUtils.join(selected, ","));
-                cs.putString("log.instance.SignedAudit.unselected.events", StringUtils.join(unselected, ","));
             }
 
             for (String name : currentEventConfigs.keySet()) {
diff --git a/base/server/cmscore/src/com/netscape/cmscore/logging/LogSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/logging/LogSubsystem.java
index e09e1c2..6c62161 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/logging/LogSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/logging/LogSubsystem.java
@@ -17,9 +17,15 @@
 // --- END COPYRIGHT BLOCK ---
 package com.netscape.cmscore.logging;
 
+import java.util.Collection;
 import java.util.Enumeration;
 import java.util.Hashtable;
+import java.util.ResourceBundle;
+import java.util.Set;
+import java.util.TreeSet;
 import java.util.Vector;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 import com.netscape.certsrv.apps.CMS;
 import com.netscape.certsrv.base.EBaseException;
@@ -58,6 +64,7 @@ public class LogSubsystem implements ILogSubsystem {
 
     public Hashtable<String, LogPlugin> mLogPlugins = new Hashtable<String, LogPlugin>();
     public Hashtable<String, ILogEventListener> mLogInsts = new Hashtable<String, ILogEventListener>();
+    public Set<String> auditEvents = new TreeSet<>();
 
     /**
      * Constructs a log subsystem.
@@ -150,6 +157,33 @@ public class LogSubsystem implements ILogSubsystem {
                 Debug.trace("loaded log instance " + insName + " impl " + implName);
         }
 
+        // load audit events from LogMessages.properties
+        ResourceBundle rb = ResourceBundle.getBundle("LogMessages");
+        Pattern name_pattern = Pattern.compile("^LOGGING_SIGNED_AUDIT_.*");
+        Pattern value_pattern = Pattern.compile("^<type=(.*)>:.*");
+
+        for (String name : rb.keySet()) {
+
+            Matcher name_matcher = name_pattern.matcher(name);
+            if (!name_matcher.matches())  {
+                continue;
+            }
+
+            String value = rb.getString(name);
+
+            Matcher value_matcher = value_pattern.matcher(value);
+            if (!value_matcher.matches()) {
+                continue;
+            }
+
+            String event = value_matcher.group(1);
+
+            auditEvents.add(event.trim());
+        }
+    }
+
+    public Collection<String> getAuditEvents() {
+        return auditEvents;
     }
 
     public void startup() throws EBaseException {
-- 
1.8.3.1


From 208be4c397f5a38b537a09d35db6ae7ef8c07c39 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 18 Dec 2018 13:12:26 +0100
Subject: [PATCH 14/26] Removed log.instance.SignedAudit.unselected.events

The LogFile class has been modified to no longer use or
maintain the list of unused events since it is now loaded
from LogMessages.properties.

The default log.instance.SignedAudit.unselected.events
property in TPS CS.cfg has been removed.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit a07430d89608fc7cb7f2d61d3e24b01d81c1d478)
---
 .../cms/src/com/netscape/cms/logging/LogFile.java   | 21 +--------------------
 base/tps/shared/conf/CS.cfg                         |  1 -
 2 files changed, 1 insertion(+), 21 deletions(-)

diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
index a4a691b..0f58720 100644
--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java
+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
@@ -108,7 +108,6 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
     public static final String PROP_SIGNED_AUDIT_CERT_NICKNAME =
                               "signedAuditCertNickname";
     public static final String PROP_SIGNED_AUDIT_SELECTED_EVENTS = "events";
-    public static final String PROP_SIGNED_AUDIT_UNSELECTED_EVENTS = "unselected.events";
     public static final String PROP_SIGNED_AUDIT_MANDATORY_EVENTS = "mandatory.events";
     public static final String PROP_SIGNED_AUDIT_FILTERS = "filters";
 
@@ -207,11 +206,6 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
     protected Set<String> selectedEvents = new LinkedHashSet<String>();
 
     /**
-     * The unselected log event types
-     */
-    protected Set<String> unselectedEvents = new LinkedHashSet<String>();
-
-    /**
      * The event filters
      */
     protected Map<String, JDAPFilter> filters = new HashMap<String, JDAPFilter>();
@@ -311,12 +305,6 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
             selectedEvents.add(event);
         }
 
-        // unselected events
-        String unselectedEventsList = config.getString(PROP_SIGNED_AUDIT_UNSELECTED_EVENTS, "");
-        for (String event : StringUtils.split(unselectedEventsList, ", ")) {
-            unselectedEvents.add(event);
-        }
-
         CMS.debug("Event filters:");
         IConfigStore filterStore = config.getSubStore(PROP_SIGNED_AUDIT_FILTERS);
         for (Enumeration<String> e = filterStore.getPropertyNames(); e.hasMoreElements(); ) {
@@ -369,7 +357,6 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
      */
     public void selectEvent(String event) {
         selectedEvents.add(event);
-        unselectedEvents.remove(event);
     }
 
     /**
@@ -379,7 +366,6 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
      */
     public void deselectEvent(String event) {
         selectedEvents.remove(event);
-        unselectedEvents.add(event);
     }
 
     /**
@@ -389,7 +375,6 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
      */
     public void replaceEvents(String events) {
         // unselect all events
-        unselectedEvents.addAll(selectedEvents);
         selectedEvents.clear();
 
         // select specified events
@@ -1580,7 +1565,6 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
         v.addElement(PROP_SIGNED_AUDIT_CERT_NICKNAME + "=");
         v.addElement(PROP_SIGNED_AUDIT_MANDATORY_EVENTS + "=");
         v.addElement(PROP_SIGNED_AUDIT_SELECTED_EVENTS + "=");
-        v.addElement(PROP_SIGNED_AUDIT_UNSELECTED_EVENTS + "=");
         //}
 
         return v;
@@ -1635,7 +1619,6 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
 
                 v.addElement(PROP_SIGNED_AUDIT_MANDATORY_EVENTS + "=" + StringUtils.join(mandatoryEvents, ","));
                 v.addElement(PROP_SIGNED_AUDIT_SELECTED_EVENTS + "=" + StringUtils.join(selectedEvents, ","));
-                v.addElement(PROP_SIGNED_AUDIT_UNSELECTED_EVENTS + "=" + StringUtils.join(unselectedEvents, ","));
             }
         } catch (Exception e) {
         }
@@ -1671,9 +1654,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
                     PROP_SIGNED_AUDIT_MANDATORY_EVENTS +
                             ";string;A comma-separated list of strings used to specify mandatory signed audit log events",
                     PROP_SIGNED_AUDIT_SELECTED_EVENTS +
-                            ";string;A comma-separated list of strings used to specify selected signed audit log events",
-                    PROP_SIGNED_AUDIT_UNSELECTED_EVENTS +
-                            ";string;A comma-separated list of strings used to specify unselected signed audit log events",
+                            ";string;A comma-separated list of strings used to specify selected signed audit log events"
             };
 
             return params;
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index 3671100..bc8479c 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -234,7 +234,6 @@ log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
 log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
 log.instance.SignedAudit.filters.TOKEN_APPLET_UPGRADE=(Outcome=Failure)
 log.instance.SignedAudit.filters.TOKEN_KEY_CHANGEOVER=(Outcome=Failure)
-log.instance.SignedAudit.unselected.events=
 log.instance.SignedAudit.mandatory.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
 log.instance.SignedAudit.expirationTime=0
 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/tps_cert-tps_audit
-- 
1.8.3.1


From d8303beb4f90c32a592cc42786a37d102c3065a7 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 17 Jan 2019 02:28:33 +0100
Subject: [PATCH 15/26] Simplified CMS.getLogMessage()

The following methods have been modified to handle variable
number of parameters using varargs:
- CMS.getLogMessage()
- ICMSEngine.getLogMessage()
- CMSEngine.getLogMessage()
- CMSEngineDefaultStub.getLogMessage()

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 962eb8ce754b854c5d05cc16740b92a4e16ba578)
---
 base/common/src/com/netscape/certsrv/apps/CMS.java | 162 +--------------------
 .../src/com/netscape/certsrv/apps/ICMSEngine.java  | 147 -------------------
 .../src/com/netscape/cmscore/apps/CMSEngine.java   |  68 ---------
 .../netscape/cmscore/app/CMSEngineDefaultStub.java |  48 ------
 4 files changed, 7 insertions(+), 418 deletions(-)

diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
index b6b74e6..e326b27 100644
--- a/base/common/src/com/netscape/certsrv/apps/CMS.java
+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
@@ -667,177 +667,29 @@ public final class CMS {
      * @return localized log message
      */
     public static String getLogMessage(String msgID) {
-        return _engine.getLogMessage(msgID);
+        return _engine.getLogMessage(msgID, null);
     }
 
     /**
      * Retrieves the centralized log message from LogMessages.properties.
      *
      * @param msgID message id defined in LogMessages.properties
-     * @param p an array of parameters
-     * @return localized log message
-     */
-    public static String getLogMessage(String msgID, Object p[]) {
-        return _engine.getLogMessage(msgID, p);
-    }
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @return localized log message
-     */
-    public static String getLogMessage(String msgID, String p1) {
-        return _engine.getLogMessage(msgID, p1);
-    }
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @return localized log message
-     */
-    public static String getLogMessage(String msgID, String p1, String p2) {
-        return _engine.getLogMessage(msgID, p1, p2);
-    }
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @param p3 3rd parameter
-     * @return localized log message
-     */
-    public static String getLogMessage(String msgID, String p1, String p2, String p3) {
-        return _engine.getLogMessage(msgID, p1, p2, p3);
-    }
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @param p3 3rd parameter
-     * @param p4 4th parameter
-     * @return localized log message
-     */
-    public static String getLogMessage(String msgID, String p1, String p2, String p3, String p4) {
-        return _engine.getLogMessage(msgID, p1, p2, p3, p4);
-    }
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @param p3 3rd parameter
-     * @param p4 4th parameter
-     * @param p5 5th parameter
-     * @return localized log message
-     */
-    public static String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5) {
-        return _engine.getLogMessage(msgID, p1, p2, p3, p4, p5);
-    }
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @param p3 3rd parameter
-     * @param p4 4th parameter
-     * @param p5 5th parameter
-     * @param p6 6th parameter
-     * @return localized log message
-     */
-    public static String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6) {
-        return _engine.getLogMessage(msgID, p1, p2, p3, p4, p5, p6);
-    }
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @param p3 3rd parameter
-     * @param p4 4th parameter
-     * @param p5 5th parameter
-     * @param p6 6th parameter
-     * @param p7 7th parameter
+     * @param params object parameters
      * @return localized log message
      */
-    public static String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
-            String p7) {
-        return _engine.getLogMessage(msgID, p1, p2, p3, p4, p5, p6, p7);
+    public static String getLogMessage(String msgID, Object params[]) {
+        return _engine.getLogMessage(msgID, params);
     }
 
     /**
      * Retrieves the centralized log message from LogMessages.properties.
      *
      * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @param p3 3rd parameter
-     * @param p4 4th parameter
-     * @param p5 5th parameter
-     * @param p6 6th parameter
-     * @param p7 7th parameter
-     * @param p8 8th parameter
-     * @return localized log message
-     */
-    public static String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
-            String p7, String p8) {
-        return _engine.getLogMessage(msgID, p1, p2, p3, p4, p5, p6, p7, p8);
-    }
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @param p3 3rd parameter
-     * @param p4 4th parameter
-     * @param p5 5th parameter
-     * @param p6 6th parameter
-     * @param p7 7th parameter
-     * @param p8 8th parameter
-     * @param p9 9th parameter
-     * @return localized log message
-     */
-    public static String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
-            String p7, String p8, String p9) {
-        return _engine.getLogMessage(msgID, p1, p2, p3, p4, p5, p6, p7, p8, p9);
-    }
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @param p3 3rd parameter
-     * @param p4 4th parameter
-     * @param p5 5th parameter
-     * @param p6 6th parameter
-     * @param p7 7th parameter
-     * @param p8 8th parameter
-     * @param p9 9th parameter
-     * @param p10 10th parameter
+     * @param params string parameters
      * @return localized log message
      */
-    public static String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
-            String p7, String p8, String p9, String p10) {
-        return _engine.getLogMessage(msgID, p1, p2, p3, p4, p5, p6, p7, p8, p9, p10);
+    public static String getLogMessage(String msgID, String... params) {
+        return _engine.getLogMessage(msgID, params);
     }
 
     /**
diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
index d996d90..5b61227 100644
--- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
+++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
@@ -313,159 +313,12 @@ public interface ICMSEngine extends ISubsystem {
      * Retrieves the centralized log message from LogMessages.properties.
      *
      * @param msgID message id defined in LogMessages.properties
-     * @return localized log message
-     */
-    public String getLogMessage(String msgID);
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
      * @param p an array of parameters
      * @return localized log message
      */
     public String getLogMessage(String msgID, Object p[]);
 
     /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @return localized log message
-     */
-    public String getLogMessage(String msgID, String p1);
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @return localized log message
-     */
-    public String getLogMessage(String msgID, String p1, String p2);
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @param p3 3rd parameter
-     * @return localized log message
-     */
-    public String getLogMessage(String msgID, String p1, String p2, String p3);
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @param p3 3rd parameter
-     * @param p4 4th parameter
-     * @return localized log message
-     */
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4);
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @param p3 3rd parameter
-     * @param p4 4th parameter
-     * @param p5 5th parameter
-     * @return localized log message
-     */
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5);
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @param p3 3rd parameter
-     * @param p4 4th parameter
-     * @param p5 5th parameter
-     * @param p6 6th parameter
-     * @return localized log message
-     */
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6);
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @param p3 3rd parameter
-     * @param p4 4th parameter
-     * @param p5 5th parameter
-     * @param p6 6th parameter
-     * @param p7 7th parameter
-     * @return localized log message
-     */
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
-            String p7);
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @param p3 3rd parameter
-     * @param p4 4th parameter
-     * @param p5 5th parameter
-     * @param p6 6th parameter
-     * @param p7 7th parameter
-     * @param p8 8th parameter
-     * @return localized log message
-     */
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
-            String p7, String p8);
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @param p3 3rd parameter
-     * @param p4 4th parameter
-     * @param p5 5th parameter
-     * @param p6 6th parameter
-     * @param p7 7th parameter
-     * @param p8 8th parameter
-     * @param p9 9th parameter
-     * @return localized log message
-     */
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
-            String p7, String p8, String p9);
-
-    /**
-     * Retrieves the centralized log message from LogMessages.properties.
-     *
-     * @param msgID message id defined in LogMessages.properties
-     * @param p1 1st parameter
-     * @param p2 2nd parameter
-     * @param p3 3rd parameter
-     * @param p4 4th parameter
-     * @param p5 5th parameter
-     * @param p6 6th parameter
-     * @param p7 7th parameter
-     * @param p8 8th parameter
-     * @param p9 9th parameter
-     * @param p10 10th parameter
-     * @return localized log message
-     */
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
-            String p7, String p8, String p9, String p10);
-
-    /**
      * Creates an issuing poing record.
      *
      * @return issuing record
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index f1a3b78..72f98ac 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -1557,74 +1557,6 @@ public class CMSEngine implements ICMSEngine {
         Debug.traceHashKey(type, key, val, def);
     }
 
-    public String getLogMessage(String msgID) {
-        return getLogMessage(msgID, (String[]) null);
-    }
-
-    public String getLogMessage(String msgID, String p1) {
-        String params[] = { p1 };
-
-        return getLogMessage(msgID, params);
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2) {
-        String params[] = { p1, p2 };
-
-        return getLogMessage(msgID, params);
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2, String p3) {
-        String params[] = { p1, p2, p3 };
-
-        return getLogMessage(msgID, params);
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4) {
-        String params[] = { p1, p2, p3, p4 };
-
-        return getLogMessage(msgID, params);
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5) {
-        String params[] = { p1, p2, p3, p4, p5 };
-
-        return getLogMessage(msgID, params);
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6) {
-        String params[] = { p1, p2, p3, p4, p5, p6 };
-
-        return getLogMessage(msgID, params);
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
-            String p7) {
-        String params[] = { p1, p2, p3, p4, p5, p6, p7 };
-
-        return getLogMessage(msgID, params);
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
-            String p7, String p8) {
-        String params[] = { p1, p2, p3, p4, p5, p6, p7, p8 };
-
-        return getLogMessage(msgID, params);
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
-            String p7, String p8, String p9) {
-        String params[] = { p1, p2, p3, p4, p5, p6, p7, p8, p9 };
-
-        return getLogMessage(msgID, params);
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
-            String p7, String p8, String p9, String p10) {
-        String params[] = { p1, p2, p3, p4, p5, p6, p7, p8, p9, p10 };
-
-        return getLogMessage(msgID, params);
-    }
-
     public void getSubjAltNameConfigDefaultParams(String name,
             Vector<String> params) {
         GeneralNameUtil.SubjAltNameGN.getDefaultParams(name, params);
diff --git a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
index b65dae1..ebbb173 100644
--- a/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
+++ b/base/server/test/com/netscape/cmscore/app/CMSEngineDefaultStub.java
@@ -206,58 +206,10 @@ public class CMSEngineDefaultStub implements ICMSEngine {
         return null;
     }
 
-    public String getLogMessage(String msgID) {
-        return null;
-    }
-
     public String getLogMessage(String msgID, Object p[]) {
         return null;
     }
 
-    public String getLogMessage(String msgID, String p1) {
-        return null;
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2) {
-        return null;
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2, String p3) {
-        return null;
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4) {
-        return null;
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5) {
-        return null;
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6) {
-        return null;
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
-            String p7) {
-        return null;
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
-            String p7, String p8) {
-        return null;
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
-            String p7, String p8, String p9) {
-        return null;
-    }
-
-    public String getLogMessage(String msgID, String p1, String p2, String p3, String p4, String p5, String p6,
-            String p7, String p8, String p9, String p10) {
-        return null;
-    }
-
     public ICRLIssuingPointRecord createCRLIssuingPointRecord(String id, BigInteger crlNumber, Long crlSize,
             Date thisUpdate, Date nextUpdate) {
         return null;
-- 
1.8.3.1


From a0d83fb70d580efae4e8d2b18940015e985d4509 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 17 Jan 2019 02:52:00 +0100
Subject: [PATCH 16/26] Reorganized audit event definitions

The audit event definitions have been moved from
LogMessages.properties to audit-events.properties.

The CMSEngine.getLogMessage() has been modified to support
retrieving the log messages from either file depending on
the message ID.

The LogSubsystem.init() and PKISubsystem.get_audit_events()
have been modified to load the audit events from the new file.
These methods are used by the Web UI and CLI, respectively.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit c36b05eaa7994892394c25511347fc5ad8cc139a)
---
 base/common/src/com/netscape/certsrv/apps/CMS.java |   12 +-
 .../src/com/netscape/certsrv/apps/ICMSEngine.java  |    4 +-
 base/server/cmsbundle/src/CMakeLists.txt           |    1 +
 base/server/cmsbundle/src/LogMessages.properties   | 1032 --------------------
 base/server/cmsbundle/src/audit-events.properties  | 1031 +++++++++++++++++++
 .../src/com/netscape/cmscore/apps/CMSEngine.java   |   32 +-
 .../com/netscape/cmscore/logging/LogSubsystem.java |   10 +-
 base/server/python/pki/server/__init__.py          |   15 +-
 8 files changed, 1071 insertions(+), 1066 deletions(-)
 create mode 100644 base/server/cmsbundle/src/audit-events.properties

diff --git a/base/common/src/com/netscape/certsrv/apps/CMS.java b/base/common/src/com/netscape/certsrv/apps/CMS.java
index e326b27..8efa3b7 100644
--- a/base/common/src/com/netscape/certsrv/apps/CMS.java
+++ b/base/common/src/com/netscape/certsrv/apps/CMS.java
@@ -661,9 +661,9 @@ public final class CMS {
     }
 
     /**
-     * Retrieves the centralized log message from LogMessages.properties.
+     * Retrieves log message from LogMessages.properties or audit-events.properties.
      *
-     * @param msgID message id defined in LogMessages.properties
+     * @param msgID message ID defined in LogMessages.properties or audit-events.properties
      * @return localized log message
      */
     public static String getLogMessage(String msgID) {
@@ -671,9 +671,9 @@ public final class CMS {
     }
 
     /**
-     * Retrieves the centralized log message from LogMessages.properties.
+     * Retrieves log message from LogMessages.properties or audit-events.properties.
      *
-     * @param msgID message id defined in LogMessages.properties
+     * @param msgID message ID defined in LogMessages.properties or audit-events.properties
      * @param params object parameters
      * @return localized log message
      */
@@ -682,9 +682,9 @@ public final class CMS {
     }
 
     /**
-     * Retrieves the centralized log message from LogMessages.properties.
+     * Retrieves log message from LogMessages.properties or audit-events.properties.
      *
-     * @param msgID message id defined in LogMessages.properties
+     * @param msgID message ID defined in LogMessages.properties or audit-events.properties
      * @param params string parameters
      * @return localized log message
      */
diff --git a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
index 5b61227..cd78c13 100644
--- a/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
+++ b/base/common/src/com/netscape/certsrv/apps/ICMSEngine.java
@@ -310,9 +310,9 @@ public interface ICMSEngine extends ISubsystem {
     public String getUserMessage(Locale locale, String msgID, String p1, String p2, String p3);
 
     /**
-     * Retrieves the centralized log message from LogMessages.properties.
+     * Retrieves log message from LogMessages.properties or audit-evenst.properties.
      *
-     * @param msgID message id defined in LogMessages.properties
+     * @param msgID message ID defined in LogMessages.properties or audit-evenst.properties
      * @param p an array of parameters
      * @return localized log message
      */
diff --git a/base/server/cmsbundle/src/CMakeLists.txt b/base/server/cmsbundle/src/CMakeLists.txt
index cc9a72a..d3f078b 100644
--- a/base/server/cmsbundle/src/CMakeLists.txt
+++ b/base/server/cmsbundle/src/CMakeLists.txt
@@ -14,6 +14,7 @@ jar(pki-cmsbundle-jar
     PARAMS
         ${CMAKE_CURRENT_BINARY_DIR}/pki-cmsbundle.mf
     FILES
+        audit-events.properties
         LogMessages.properties
         UserMessages.properties
     DEPENDS
diff --git a/base/server/cmsbundle/src/LogMessages.properties b/base/server/cmsbundle/src/LogMessages.properties
index 10c1213..2099041 100644
--- a/base/server/cmsbundle/src/LogMessages.properties
+++ b/base/server/cmsbundle/src/LogMessages.properties
@@ -1774,1038 +1774,6 @@ LISTENERS_SEND_FAILED=Send failed: {0}
 ##################################################################
 LOGGING_READ_ERROR=logging: {0}: read error at line {1}
 LOGGING_FILE_NOT_FOUND=logging: {0} not found
-#
-####################### SIGNED AUDIT EVENTS #############################
-# The following are signedAudit events. They are required by CIMC PP.
-# Please consult cfu before adding/deleting/modifying the following events
-#
-# signedAudit messages common fields:
-# Outcome must be "success" or "failure"
-# SubjectID must be the UID of the user responsible for the operation
-#           "$System$" if system-initiated operation (e.g. log signing)
-#
-# LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP
-# - used at audit function startup
-#
-LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2=<type=AUDIT_LOG_STARTUP>:[AuditEvent=AUDIT_LOG_STARTUP][SubjectID={0}][Outcome={1}] audit function startup
-#
-# LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN
-# - used at audit function shutdown
-#
-LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=<type=AUDIT_LOG_SHUTDOWN>:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown
-#
-# LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION
-# - used for verifying CIMC system certificates
-# - CertNickName is the cert nickname
-#
-LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CIMC certificate verification
-#
-# LOGGING_SIGNED_AUDIT_ROLE_ASSUME
-# - used when user assumes a role (in current CS that's when one accesses a
-#     role port)
-# Role must be be one of the valid roles, by default: "Administrators",
-#     "Certificate Manager Agents", and "Auditors"
-#     note that customized role names can be used once configured
-#
-LOGGING_SIGNED_AUDIT_ROLE_ASSUME=<type=ROLE_ASSUME>:[AuditEvent=ROLE_ASSUME]{0} assume privileged role
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY
-# - used when configuring certificate policy constraints and extensions
-# ParamNameValPairs must be a name;;value pair
-# (where name and value are separated by the delimiter ;;)
-# separated by + (if more than one name;;value pair) of config params changed
-#
-LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=<type=CONFIG_CERT_POLICY>:[AuditEvent=CONFIG_CERT_POLICY][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate policy constraint or extension configuration parameter(s) change
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE
-# - used when configuring certificate profile
-#    (general settings and certificate profile)
-#    (extensions and constraints policies are to be obsoleted but do it anyway)
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#
-LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=<type=CONFIG_CERT_PROFILE>:[AuditEvent=CONFIG_CERT_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate profile configuration parameter(s) change
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE
-# - used when configuring  CRL profile
-#    (extensions, frequency, CRL format)
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#
-LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=<type=CONFIG_CRL_PROFILE>:[AuditEvent=CONFIG_CRL_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] CRL profile configuration parameter(s) change
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE
-# - used when configuring OCSP profile
-#    (everything under Online Certificate Status Manager)
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#
-LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=<type=CONFIG_OCSP_PROFILE>:[AuditEvent=CONFIG_OCSP_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] OCSP profile configuration parameter(s) change
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_AUTH
-# - used when configuring authentication
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#   --- Password MUST NOT be logged ---
-#
-LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=<type=CONFIG_AUTH>:[AuditEvent=CONFIG_AUTH][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] authentication configuration parameter(s) change
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_ROLE
-# - used when configuring role information (anything under users/groups)
-#       add/remove/edit a role, etc)
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#
-LOGGING_SIGNED_AUDIT_CONFIG_ROLE=<type=CONFIG_ROLE>:[AuditEvent=CONFIG_ROLE]{0} role configuration parameter(s) change
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_ACL
-# - used when configuring ACL information
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#
-LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=<type=CONFIG_ACL>:[AuditEvent=CONFIG_ACL][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] ACL configuration parameter(s) change
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT
-# - used when configuring signedAudit
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#
-LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=<type=CONFIG_SIGNED_AUDIT>:[AuditEvent=CONFIG_SIGNED_AUDIT]{0} signed audit configuration parameter(s) change
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION
-# - used when configuring encryption (cert settings and SSL cipher preferences)
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#
-LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=<type=CONFIG_ENCRYPTION>:[AuditEvent=CONFIG_ENCRYPTION][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] encryption configuration parameter(s) change
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY
-# - used when
-#      1. "Manage Certificate" is used to edit the trustness of certificates
-#         and deletion of certificates
-#      2. "Certificate Setup Wizard" is used to import CA certificates into the
-#         certificate database (Although CrossCertificatePairs are stored
-#         within internaldb, audit them as well)
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#
-LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=<type=CONFIG_TRUSTED_PUBLIC_KEY>:[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY]{0} certificate database configuration
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_DRM
-# - used when configuring DRM
-#     (Key recovery scheme, change of any secret component)
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#   --- secret component (password) MUST NOT be logged ---
-#
-LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=<type=CONFIG_DRM>:[AuditEvent=CONFIG_DRM][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] DRM configuration parameter(s) change
-#
-# LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION
-# - used when self tests are run
-#
-LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details)
-#
-# LOGGING_SIGNED_AUDIT_LOG_DELETE
-# - used AFTER audit log gets expired (authz should not allow,
-#    but in case authz gets compromised.  Make sure it is written
-#    AFTER the log expiration happens)
-# LogFile must be the complete name (including the path) of the
-#    signedAudit log that is attempted to be deleted
-#
-LOGGING_SIGNED_AUDIT_LOG_DELETE_3=<type=AUDIT_LOG_DELETE>:[AuditEvent=AUDIT_LOG_DELETE][SubjectID={0}][Outcome={1}][LogFile={2}] signedAudit log deletion
-#
-# LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE
-# - used when log file name (including any path changes) for any of
-#    audit, system, transaction, or other customized log file
-#    change is attempted (authz should not allow, but make sure it's
-#    written after the attempt)
-# LogType must be "System", "Transaction", or "SignedAudit"
-# toLogFile must be the name (including any path changes) that the user is
-#    attempting to change to
-#
-LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PATH_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][toLogFile={3}] log path change attempt
-#
-# LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE
-# - used when log expiration time change is attempted (authz should not
-#    allow, but make sure it's written after the attempt)
-# LogType must be "System", "Transaction", or "SignedAudit"
-# ExpirationTime must be the amount of time (in seconds) that is
-#    attempted to be changed to
-#
-# -- feature disabled --
-#LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=<type=LOG_EXPIRATION_CHANGE>:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt
-#
-# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST
-# - used when server-side key generation request is made
-#    This is for tokenkeys
-# EntityID must be the representation of the subject that will be on the certificate when issued
-LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST]{0} server-side key generation request
-#
-# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
-# - used when server-side key generation request has been processed.
-#    This is for tokenkeys
-# EntityID must be the representation of the subject that will be on the certificate when issued
-# PubKey must be the base-64 encoded public key associated with
-#    the private key to be archived
-LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=<type=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED]{0} server-side key generation request processed
-#
-# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST
-# - used when key recovery request is made
-# RecoveryID must be the recovery request ID
-# PubKey must be the base-64 encoded public key associated with
-#    the private key to be recovered
-#
-LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=<type=KEY_RECOVERY_REQUEST>:[AuditEvent=KEY_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][PubKey={3}] key recovery request made
-#
-# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN
-# - used when DRM agents login as recovery agents to approve
-#       key recovery requests
-# RecoveryID must be the recovery request ID
-# RecoveryAgent must be the recovery agent the DRM agent is
-#       logging in with
-#
-LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=<type=KEY_RECOVERY_AGENT_LOGIN>:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login
-#
-# LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC
-# - used when asymmetric keys are generated
-#   (like when CA certificate requests are generated -
-#      e.g. CA certificate change over, renewal with new key, etc.)
-# PubKey must be the base-64 encoded public key material
-#
-LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=<type=KEY_GEN_ASYMMETRIC>:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation
-#
-# LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO
-#
-LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO=<type=CERT_SIGNING_INFO>:[AuditEvent=CERT_SIGNING_INFO]{0} certificate signing info
-#
-# LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO
-#
-LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO=<type=OCSP_SIGNING_INFO>:[AuditEvent=OCSP_SIGNING_INFO]{0} OCSP signing info
-#
-# LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO
-#
-LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=<type=CRL_SIGNING_INFO>:[AuditEvent=CRL_SIGNING_INFO]{0} CRL signing info
-#
-# LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST
-# - used when a non-profile certificate request is made (before approval process)
-# SubjectID must be the UID of user that triggered this event
-#        (if CMC enrollment requests signed by an agent, SubjectID should
-#        be that of the agent), while
-# CertSubject must be the certificate subject name of the certificate request
-# ReqID must be the certificate request ID
-# ServiceID must be the identity of the servlet that submitted the original
-#        request
-#
-LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=<type=NON_PROFILE_CERT_REQUEST>:[AuditEvent=NON_PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ServiceID={3}][CertSubject={4}] certificate request made without certificate profiles
-#
-# LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED
-# - used when a CMC request is received.
-# SubjectID must be the UID of user that triggered this event
-#        (if CMC requests is signed by an agent, SubjectID should
-#        be that of the agent)
-#        In case of an unsigned request, it would bear $Unidentified$
-#
-LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=<type=CMC_REQUEST_RECEIVED>:[AuditEvent=CMC_REQUEST_RECEIVED][SubjectID={0}][Outcome={1}][CMCRequest={2}] CMC request received
-#
-# LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT
-# - used when a CMC response is sent
-# SubjectID must be the UID of user that triggered this event
-#
-LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=<type=CMC_RESPONSE_SENT>:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent
-#
-# LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST
-# - used when a profile certificate request is made (before approval process)
-# SubjectID must be the UID of user that triggered this event
-#        (if CMC enrollment requests signed by an agent, SubjectID should
-#        be that of the agent), while
-# CertSubject must be the certificate subject name of the certificate request
-# ReqID must be the certificate request ID
-# ProfileID must be one of the certificate profiles defined by the
-#        administrator
-#
-LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=<type=PROFILE_CERT_REQUEST>:[AuditEvent=PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ProfileID={3}][CertSubject={4}] certificate request made with certificate profiles
-#
-# LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED
-# - used when certificate request has just been through the approval process
-# SubjectID must be the UID of the agent who approves, rejects, or cancels
-#        the certificate request
-# ReqID must be the request ID
-# InfoName must be value "certificate" (in case of approval), "rejectReason"
-#        (in case of reject), or "cancelReason" (in case of cancel)
-# InfoValue must contain the certificate (in case of success), a reject reason in
-#        text, or a cancel reason in text
-#
-LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=<type=CERT_REQUEST_PROCESSED>:[AuditEvent=CERT_REQUEST_PROCESSED]{0} certificate request processed
-#
-# LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST
-# - used when a certificate status change request (e.g. revocation)
-#        is made (before approval process)
-# ReqID must be the request ID
-# CertSerialNum must be the serial number (in hex) of the certificate to be revoked
-# RequestType must be "revoke", "on-hold", "off-hold"
-#
-LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=<type=CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=CERT_STATUS_CHANGE_REQUEST]{0} certificate revocation/unrevocation request made
-#
-# LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED
-# - used when certificate status is changed (revoked, expired, on-hold,
-#        off-hold)
-# SubjectID must be the UID of the agent that processed the request
-# ReqID must be the request ID
-# RequestType must be "revoke", "on-hold", "off-hold"
-# Approval must be "complete", "rejected", or "canceled"
-#        (note that "complete" means "approved")
-# CertSerialNum must be the serial number (in hex)
-# RevokeReasonNum must contain one of the following number:
-#       reason number       reason
-#       --------------------------------------
-#       0              Unspecified
-#       1              Key compromised
-#       2              CA key compromised (should not be used)
-#       3              Affiliation changed
-#       4              Certificate superceded
-#       5              Cessation of operation
-#       6              Certificate is on-hold
-#
-LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=<type=CERT_STATUS_CHANGE_REQUEST_PROCESSED>:[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED]{0} certificate status change request processed
-#
-# LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS
-# - used when authorization is successful
-# Outcome must be success for this event
-# aclResource must be the ACL resource ID as defined in ACL resource list
-# Op must be one of the operations as defined with the ACL statement
-#    e.g. "read" for an ACL statement containing "(read,write)"
-#
-LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization success
-#
-# LOGGING_SIGNED_AUDIT_AUTHZ_FAIL
-# - used when authorization has failed
-# Outcome must be failure for this event
-# aclResource must be the ACL resource ID as defined in ACL resource list
-# Op must be one of the operations as defined with the ACL statement
-#    e.g. "read" for an ACL statement containing "(read,write)"
-#
-LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization failure
-#
-# LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS
-# - used when inter-CIMC_Boundary data transfer is successful
-#   (this is used when data does not need to be captured)
-# ProtectionMethod must be one of the following: "SSL", or "unknown"
-# ReqType must be the request type
-# ReqID must be the request ID
-#
-LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=<type=INTER_BOUNDARY>:[AuditEvent=INTER_BOUNDARY][SubjectID={0}][Outcome={1}][ProtectionMethod={2}][ReqType={3}][ReqID={4}] inter-CIMC_Boundary communication (data exchange) success
-#
-# LOGGING_SIGNED_AUDIT_AUTH_FAIL
-# - used when authentication fails (in case of SSL-client auth,
-#    only webserver env can pick up the SSL violation;
-#    CS authMgr can pick up certificate mis-match, so this event is used)
-# Outcome should always be "failure" in this event
-#   (obviously, if authentication failed, you won't have a valid SubjectID, so
-#       in this case, SubjectID should be $Unidentified$)
-# AuthMgr must be the authentication manager instance name that did
-#   this authentication
-# AttemptedCred must be the credential attempted and failed
-#
-LOGGING_SIGNED_AUDIT_AUTH_FAIL=<type=AUTH>:[AuditEvent=AUTH]{0} authentication failure
-#
-# LOGGING_SIGNED_AUDIT_AUTH_SUCCESS
-# - used when authentication succeeded
-# Outcome should always be "success" in this event
-# AuthMgr must be the authentication manager instance name that did
-#   this authentication
-#
-LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authentication success
-#
-# LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL
-# - used when an agent approves/disapproves a certificate profile set by the
-#     administrator for automatic approval
-# ProfileID must be one of the profiles defined by the administrator
-#           and to be approved by an agent
-# Op must be "approve" or "disapprove"
-#
-LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval
-#
-# LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION
-# - used for proof of possession during certificate enrollment processing
-#
-LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=<type=PROOF_OF_POSSESSION>:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession
-# LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION
-# - used for proof of identification during CMC request processing
-# - In case of success, "SubjectID" is the actual identified identification;
-# - In case of failure, "SubjectID" is the attempted identification
-#
-LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=<type=CMC_PROOF_OF_IDENTIFICATION>:[AuditEvent=CMC_PROOF_OF_IDENTIFICATION][SubjectID={0}][Outcome={1}][Info={2}] proof of identification in CMC request
-# - used for identification and POP linking verification during CMC request processing
-#
-LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=<type=CMC_ID_POP_LINK_WITNESS>:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification
-#
-# LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION
-# - used when CRL generation is scheduled
-# Outcome is "success" when CRL generation is scheduled successfully, "failure" otherwise
-#
-LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION=<type=SCHEDULE_CRL_GENERATION>:[AuditEvent=SCHEDULE_CRL_GENERATION]{0} schedule for CRL generation
-#
-# LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION
-# - used when delta CRL generation is complete
-# Outcome is "success" when delta CRL is generated successfully, "failure" otherwise
-#
-LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=<type=DELTA_CRL_GENERATION>:[AuditEvent=DELTA_CRL_GENERATION]{0} Delta CRL generation
-#
-# LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING
-# - used when delta CRL publishing is complete
-# Outcome is "success" when delta CRL is publishing successfully, "failure" otherwise
-#
-LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=<type=DELTA_CRL_PUBLISHING>:[AuditEvent=DELTA_CRL_PUBLISHING]{0} Delta CRL publishing
-#
-# LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION
-# - used when full CRL generation is complete
-# Outcome is "success" when full CRL is generated successfully, "failure" otherwise
-#
-LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=<type=FULL_CRL_GENERATION>:[AuditEvent=FULL_CRL_GENERATION]{0} Full CRL generation
-#
-# LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING
-# - used when full  CRL publishing is complete
-# Outcome is "success" when full CRL is publishing successfully, "failure" otherwise
-#
-LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=<type=FULL_CRL_PUBLISHING>:[AuditEvent=FULL_CRL_PUBLISHING]{0} Full CRL publishing
-#
-# LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL
-# - used when CRLs are retrieved by the OCSP Responder
-# Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
-# CRLnum is the CRL number that identifies the CRL
-#
-LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=<type=CRL_RETRIEVAL>:[AuditEvent=CRL_RETRIEVAL][SubjectID={0}][Outcome={1}][CRLnum={2}] CRL retrieval
-#
-# LOGGING_SIGNED_AUDIT_CRL_VALIDATION
-# - used when CRL is retrieved and validation process occurs
-#
-LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=<type=CRL_VALIDATION>:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation
-#
-# LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST
-# - used when a CA is attempted to be added to the OCSP Responder
-# Outcome is "success" as the request is made
-# CA must be the base-64 encoded PKCS7 certificate (or chain)
-LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST=<type=OCSP_ADD_CA_REQUEST>:[AuditEvent=OCSP_ADD_CA_REQUEST]{0} request to add a CA for OCSP Responder
-#
-# LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED
-# - used when an add CA request to the OCSP Responder is processed
-# Outcome is "success" when CA is added successfully, "failure" otherwise
-# CASubjectDN is the subject DN of the leaf CA cert in the chain
-LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED=<type=OCSP_ADD_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED]{0} Add CA for OCSP Responder
-#
-# LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST
-# - used when a CA is attempted to be removed from the OCSP Responder
-# Outcome is "success" as the request is made
-# CA must be the DN id of the CA
-LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST=<type=OCSP_REMOVE_CA_REQUEST>:[AuditEvent=OCSP_REMOVE_CA_REQUEST]{0} request to remove a CA from OCSP Responder
-#
-# LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED_SUCCESS
-# - used when a remove CA request to the OCSP Responder is processed successfully
-# Outcome is "success" when CA is removed successfully, "failure" otherwise
-# CASubjectDN is the subject DN of the leaf CA cert in the chain
-LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS=<type=OCSP_REMOVE_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder is successful
-#
-# LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE
-# - used when a remove CA request to the OCSP Responder is processed and failed
-# Outcome is  "failure"
-# CASubjectDN is  DN ID of the CA
-LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE=<type=OCSP_REMOVE_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder has failed
-#
-# LOGGING_SIGNED_AUDIT_OCSP_GENERATION
-# - used when an OCSP response generated is complete
-# Outcome is "success" when OCSP response is generated successfully, "failure" otherwise
-LOGGING_SIGNED_AUDIT_OCSP_GENERATION=<type=OCSP_GENERATION>:[AuditEvent=OCSP_GENERATION]{0} OCSP response generation
-#
-# LOGGING_SIGNED_AUDIT_RANDOM_GENERATION
-# - used when a random number generation is complete
-# Info:
-# - Caller is PKI code that calls the random number generator
-# - Size is size of random number in bytes
-# Outcome is "success" when a random number is generated successfully, "failure" otherwise
-LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=<type=RANDOM_GENERATION>:[AuditEvent=RANDOM_GENERATION]{0} Random number generation
-#
-# LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY
-# - used when agent signed CMC certificate requests or revocation requests
-#   are submitted and signature is verified
-# ReqType must be the request type (enrollment, or revocation)
-# CertSubject must be the certificate subject name of the certificate request
-# SignerInfo must be a unique String representation for the signer
-#
-LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=<type=CMC_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent signed CMC request signature verification
-#
-# LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY
-# - used when CMC (user-signed or self-signed) certificate requests or revocation requests
-#   are submitted and signature is verified
-# ReqType must be the request type (enrollment, or revocation)
-# CertSubject must be the certificate subject name of the certificate request
-# CMCSignerInfo must be a unique String representation for the CMC request signer
-#
-LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification success
-LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification failure
-
-# LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST
-# - used for TPS to TKS to get random challenge data
-# AgentID must be the trusted agent id used to make the request
-LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=<type=COMPUTE_RANDOM_DATA_REQUEST>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request
-
-# LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS
-# - used for TPS to TKS to get random challenge data
-# Outcome is SUCCESS or FAILURE
-# Status is 0 for no error.
-# AgentID must be the trusted agent id used to make the request
-LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED]{0} TKS Compute random data request processed successfully
-
-# LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE
-# - used for TPS to TKS to get random challenge data
-# Outcome is SUCCESS or FAILURE
-# Status is 0 for no error.
-# Error gives the error message
-# AgentID must be the trusted agent id used to make the request
-LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE=<type=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCCESED]{0} TKS Compute random data request failed
-
-#
-#
-# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST
-# - used for TPS to TKS to get a sessoin key for secure channel setup
-# SubjectID must be the CUID of the token establishing the secure channel
-# AgentID must be the trusted agent id used to make the request
-## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
-##   CUID.  Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that
-##   encoded parameters are being logged.
-# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel
-# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel
-LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=<type=COMPUTE_SESSION_KEY_REQUEST>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}] TKS Compute session key request
-
-#
-#
-# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS
-# - request for TPS to TKS to get a sessoin key for secure channel processed
-# SubjectID must be the CUID of the token establishing the secure channel
-# AgentID must be the trusted agent id used to make the request
-# Outcome is SUCCESS or FAILURE
-# Status is 0 for no error.
-# IsCryptoValidate tells if the card cryptogram is to be validated
-# IsServerSideKeygen tells if the keys are to be generated on server
-# SelectedToken is the cryptographic token performing key operations
-# KeyNickName is the number keyset ex: #01#01
-#
-## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
-##   CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact
-##   that decoded parameters are now logged.
-##       Also added TKSKeyset, KeyInfo_KeyVersion,
-##            NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
-# TKSKeyset is the name of the TKS keyset being used for this request.
-# KeyInfo_KeyVersion is the key version number requested in hex.
-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
-LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request processed successfully
-
-#
-#
-# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE
-# - request for TPS to TKS to get a sessoin key for secure channel processed
-# SubjectID must be the CUID of the token establishing the secure channel
-# Outcome is SUCCESS or FAILURE
-# Status is error code or 0 for no error.
-# AgentID must be the trusted agent id used to make the request
-# status is 0 for success, non-zero for various errors
-# IsCryptoValidate tells if the card cryptogram is to be validated
-# IsServerSideKeygen tells if the keys are to be generated on server
-# SelectedToken is the cryptographic token performing key operations
-# KeyNickName is the numeric keyset ex: #01#01
-# Error gives the error message
-#
-## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
-##                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
-# TKSKeyset is the name of the TKS keyset being used for this request.
-# KeyInfo_KeyVersion is the key version number requested in hex.
-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex
-LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request failed
-
-
-# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST
-# - request for TPS to TKS to do key change over
-# SubjectID must be the CUID of the token requesting key change over
-# AgentID must be the trusted agent id used to make the request
-# status is 0 for success, non-zero for various errors
-# oldMasterKeyName is the old master key name
-# newMasterKeyName is the new master key name
-#
-## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged.
-# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel
-# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel
-LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6=<type=DIVERSIFY_KEY_REQUEST>:[AuditEvent=DIVERSIFY_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}][oldMasterKeyName={4}][newMasterKeyName={5}] TKS Key Change Over request
-
-###########################
-# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS
-# - request for TPS to TKS to do key change over request processed
-# SubjectID must be the CUID of the token requesting key change over
-# AgentID must be the trusted agent id used to make the request
-# Outcome is SUCCESS or FAILURE
-# status is 0 for success, non-zero for various errors
-# oldMasterKeyName is the old master key name
-# newMasterKeyName is the new master key name
-#
-## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
-##                       Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
-# TKSKeyset is the name of the TKS keyset being used for this request.
-# OldKeyInfo_KeyVersion is the old key version number in hex.
-# NewKeyInfo_KeyVersion is the new key version number in hex.
-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
-LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=<type=DIVERSIFY_KEY_REQUEST_PROCESSED>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request processed successfully
-
-#
-###########################
-# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE
-# - request for TPS to TKS to do key change over request processed
-# SubjectID must be the CUID of the token requesting key change over
-# AgentID must be the trusted agent id used to make the request
-# Outcome is SUCCESS or FAILURE
-# status is 0 for success, non-zero for various errors
-# oldMasterKeyName is the old master key name
-# newMasterKeyName is the new master key name
-# Error gives the error message
-#
-## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
-##                       Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
-# TKSKeyset is the name of the TKS keyset being used for this request.
-# OldKeyInfo_KeyVersion is the old key version number in hex.
-# NewKeyInfo_KeyVersion is the new key version number in hex.
-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex
-LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=<type=DIVERSIFY_KEY_REQUEST_PROCESSED>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request failed
-
-# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST
-# - request from TPS to TKS to encrypt data
-#        (or generate random data and encrypt)
-# SubjectID must be the CUID of the token requesting encrypt data
-# AgentID must be the trusted agent id used to make the request
-# status is 0 for success, non-zero for various errors
-# isRandom tells if the data is randomly generated on TKS
-LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=<type=ENCRYPT_DATA_REQUEST>:[AuditEvent=ENCRYPT_DATA_REQUEST][SubjectID={0}][status={1}][AgentID={2}][isRandom={3}] TKS encrypt data request
-#
-## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged.
-# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel
-# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel
-LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5=<type=ENCRYPT_DATA_REQUEST>:[AuditEvent=ENCRYPT_DATA_REQUEST][CUID_encoded={0}][KDD_encoded={1}][status={2}][AgentID={3}][isRandom={4}] TKS encrypt data request
-
-#
-# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS
-# - request from TPS to TKS to encrypt data
-#        (or generate random data and encrypt)
-# SubjectID must be the CUID of the token requesting encrypt data
-# AgentID must be the trusted agent id used to make the request
-# Outcome is SUCCESS or FAILURE
-# status is 0 for success, non-zero for various errors
-# isRandom tells if the data is randomly generated on TKS
-# SelectedToken is the cryptographic token performing key operations
-# KeyNickName is the numeric keyset ex: #01#01
-#
-## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
-##                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
-# TKSKeyset is the name of the TKS keyset being used for this request.
-# KeyInfo_KeyVersion is the key version number requested in hex.
-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
-LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=<type=ENCRYPT_DATA_REQUEST_PROCESSED>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request processed successfully
-
-#
-# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE
-# - request from TPS to TKS to encrypt data
-#        (or generate random data and encrypt)
-# SubjectID must be the CUID of the token requesting encrypt data
-# AgentID must be the trusted agent id used to make the request
-# Outocme is SUCCESS or FAILURE
-# status is 0 for success, non-zero for various errors
-# isRandom tells if the data is randomly generated on TKS
-# SelectedToken is the cryptographic token performing key operations
-# KeyNickName is the numeric keyset ex: #01#01
-# Error gives the error message
-#
-## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
-##                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
-# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
-# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
-# TKSKeyset is the name of the TKS keyset being used for this request.
-# KeyInfo_KeyVersion is the key version number requested in hex.
-# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
-# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
-LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE=<type=ENCRYPT_DATA_REQUEST_PROCESSED>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request failed
-#
-#
-# LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE
-# - used when updating contents of security domain
-#       (add/remove a subsystem)
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#
-LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=<type=SECURITY_DOMAIN_UPDATE>:[AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] security domain update
-#
-#
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER
-# - used when configuring serial number ranges
-#      (when requesting a serial number range when cloning, for example)
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#
-LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=<type=CONFIG_SERIAL_NUMBER>:[AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] serial number range update
-#
-# LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
-# - used when user security data archive request is processed
-#    this is when DRM receives and processed the request
-# ArchivalRequestID is the requestID provided by the CA through the connector
-#    It is used to track the request through from CA to KRA.
-# RequestId is the KRA archival request ID
-# ClientKeyID must be the user supplied client ID associated with
-#    the security data to be archived
-#
-LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=<type=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED]{0} security data archival request processed
-#
-# LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST
-# - used when security data recovery request is made
-# ArchivalRequestID is the requestID provided by the CA through the connector
-#    It is used to track the request through from CA to KRA.
-# RequestId is the KRA archival request ID
-# ClientKeyID must be the user supplied client ID associated with
-#    the security data to be archived
-#
-LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=<type=SECURITY_DATA_ARCHIVAL_REQUEST>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST]{0} security data archival request made
-#
-#
-# LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED
-# - used when security data recovery request is processed
-# RecoveryID must be the recovery request ID
-# KeyID is the ID of the security data being requested to be recovered
-# RecoveryAgents are the UIDs of the recovery agents approving this request
-#
-LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=<type=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED]{0} security data recovery request processed
-#
-#
-# LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST
-# - used when security data recovery request is made
-# RecoveryID must be the recovery request ID
-# DataID is the ID of the security data to be recovered
-#
-LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=<type=SECURITY_DATA_RECOVERY_REQUEST>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST]{0} security data recovery request made
-#
-# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_STATE_CHANGE
-# - used when DRM agents login as recovery agents to change
-#   the state of key recovery requests
-# RecoveryID must be the recovery request ID
-# Operation is the operation performed (approve, reject, cancel etc.)
-#
-LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=<type=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE]{0} security data recovery request state change
-#
-# LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY
-# - used when user attempts to retrieve key after the recovery request
-#   has been approved.
-#
-# RecoveryID must be the recovery request ID
-# KeyID is the key being retrieved
-# Info is the failure reason if the export fails.
-# PubKey is the public key for the private key being retrieved
-#
-LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY=<type=SECURITY_DATA_EXPORT_KEY>:[AuditEvent=SECURITY_DATA_EXPORT_KEY]{0} security data retrieval request
-#
-# LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO
-# - used when user attempts to get metadata information about a key
-#
-# RecoveryID must be the recovery request ID
-# KeyID is the key being retrieved
-# Info is the failure reason if the export fails.
-# PubKey is the public key for the private key being retrieved
-#
-LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=<type=SECURITY_DATA_INFO>:[AuditEvent=SECURITY_DATA_INFO]{0} security data info request
-#
-# LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE
-# - used when modify key status is executed
-# keyID must be an existing key id in the database
-# oldStatus is the old status to change from
-# newStatus is the new status to change to
-#
-LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=<type=KEY_STATUS_CHANGE>:[AuditEvent=KEY_STATUS_CHANGE]{0} Key Status Change
-#
-# LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED
-# - used when symmetric key generation request is processed
-#    this is when DRM receives and processes the request
-# Client ID must be the user supplied client ID associated with
-#    the symmetric key to be generated and archived
-#
-LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED=<type=SYMKEY_GENERATION_REQUEST_PROCESSED>:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED]{0} symkey generation request processed
-#
-# LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST
-# - used when symmetric key generation request is made
-# ClientKeyID is the ID of the symmetirc key to be generated and archived
-#
-LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=<type=SYMKEY_GENERATION_REQUEST>:[AuditEvent=SYMKEY_GENERATION_REQUEST]{0} symkey generation request made
-#
-# LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST
-# - used when asymmetric key generation request is made
-LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=<type=ASYMKEY_GENERATION_REQUEST>:[AuditEvent=ASYMKEY_GENERATION_REQUEST]{0} Asymkey generation request made
-#
-# LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED
-# - used when a request to generate asymmetric keys received by the DRM
-#   is processed.
-LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=<type=ASYMKEY_GENERATION_REQUEST_PROCESSED>:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED]{0} Asymkey generation request processed
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT
-# - used for TPS when token certificate enrollment request is made
-# - Info is normally used to store more info in case of failure
-#
-LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9=<type=TOKEN_CERT_ENROLLMENT>:[AuditEvent=TOKEN_CERT_ENROLLMENT][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate enrollment request made
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL
-# - used for TPS when token certificate renewal request is made
-# - Info is normally used to store more info in case of failure
-#
-LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[AuditEvent=TOKEN_CERT_RENEWAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate renewal request made
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL
-# - used for TPS when token certificate retrieval request is made;
-#   usually used during recovery, along with LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY
-#
-LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9=<type=TOKEN_CERT_RETRIEVAL>:[AuditEvent=TOKEN_CERT_RETRIEVAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate retrieval request made
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY
-# - used for TPS when token certificate key recovery request is made
-#
-LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10=<type=TOKEN_KEY_RECOVERY>:[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST
-# - used when a token certificate status change request (e.g. revocation) is made
-# CUID must be the last token that the certificate was associated with
-# CertSerialNum must be the serial number (in decimal) of the certificate to be revoked
-# RequestType must be "revoke", "on-hold", "off-hold"
-#
-LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10=<type=TOKEN_CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][CertSerialNum={5}][RequestType={6}][RevokeReasonNum={7}][CA_ID={8}][Info={9}] token certificate revocation/unrevocation request made
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS
-# - used when token pin reset request succeeded
-LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS=<type=TOKEN_PIN_RESET>:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset success
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE
-# - used when token pin reset request failed
-LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE=<type=TOKEN_PIN_RESET>:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset failure
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST
-# - used when token processor op request is made
-# - OP can be "format", "enroll", or "pinReset"
-LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=<type=TOKEN_OP_REQUEST>:[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token processor op request made
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS
-# - used when token format op succeeded
-LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS=<type=TOKEN_FORMAT>:[AuditEvent=TOKEN_FORMAT]{0} token op format success
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE
-# - used when token format op failed
-LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE=<type=TOKEN_FORMAT>:[AuditEvent=TOKEN_FORMAT]{0} token op format failure
-#
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS
-# - used when token apple upgrade succeeded
-LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade success
-#
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE
-# - used when token apple upgrade failed
-LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade failure
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED
-# - used when token key changeover is required
-LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=<type=TOKEN_KEY_CHANGEOVER_REQUIRED>:[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS
-# - used when token key changeover succeeded
-# - Info usually is unused for success
-LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover success
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE
-# - used when token key changeover failed
-# - Info is used for storing more info in case of failure
-LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover failure
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE
-# - used when authentication failed
-# Outcome should always be "failure" in this event
-#   (obviously, if authentication failed, you won't have a valid SubjectID, so
-#       in this case, AttemptedID is recorded)
-# AuthMgr must be the authentication manager instance name that did
-#   this authentication
-#
-LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH]{0} token authentication failure
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS
-# - used when authentication succeeded
-# Outcome should always be "success" in this event
-# AuthMgr must be the authentication manager instance name that did
-#   this authentication
-#
-LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH]{0} token authentication success
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL
-# - used when doing general TPS configuration
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#   --- secret component (password) MUST NOT be logged ---
-# - info in general is used for caturing error info for failed cases
-#
-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5=<type=CONFIG_TOKEN_GENERAL>:[AuditEvent=CONFIG_TOKEN_GENERAL][SubjectID={0}][Outcome={1}][Service={2}][ParamNameValPairs={3}][Info={4}] TPS token configuration parameter(s) change
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE
-# - used when configuring token profile
-# Service can be any of the methods offered
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#   --- secret component (password) MUST NOT be logged ---
-# - info in general is used for caturing error info for failed cases
-#
-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6=<type=CONFIG_TOKEN_PROFILE>:[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID={0}][Outcome={1}][Service={2}][ProfileID={3}][ParamNameValPairs={4}][Info={5}] token profile configuration parameter(s) change
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER
-# - used when configuring token mapping resolver
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#   --- secret component (password) MUST NOT be logged ---
-# - info in general is used for caturing error info for failed cases
-#
-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6=<type=CONFIG_TOKEN_MAPPING_RESOLVER>:[AuditEvent=CONFIG_TOKEN_MAPPING_RESOLVER][SubjectID={0}][Outcome={1}][Service={2}][MappingResolverID={3}][ParamNameValPairs={4}][Info={5}] token mapping resolver configuration parameter(s) change
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR
-# - used when configuring token authenticators
-# Service can be any of the methods offered
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#   --- secret component (password) MUST NOT be logged ---
-# - info in general is used for caturing error info for failed cases
-#
-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6=<type=CONFIG_TOKEN_AUTHENTICATOR>:[AuditEvent=CONFIG_TOKEN_AUTHENTICATOR][SubjectID={0}][Outcome={1}][OP={2}][Authenticator={3}][ParamNameValPairs={4}][Info={5}] token authenticator configuration parameter(s) change
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR
-# - used when configuring token connectors
-# Service can be any of the methods offered
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#   --- secret component (password) MUST NOT be logged ---
-# - info in general is used for caturing error info for failed cases
-#
-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6=<type=CONFIG_TOKEN_CONNECTOR>:[AuditEvent=CONFIG_TOKEN_CONNECTOR][SubjectID={0}][Outcome={1}][Service={2}][Connector={3}][ParamNameValPairs={4}][Info={5}] token connector configuration parameter(s) change
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD
-# - used when information in token record changed
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#   --- secret component (password) MUST NOT be logged ---
-# - info in general is used for caturing error info for failed cases
-#
-LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6=<type=CONFIG_TOKEN_RECORD>:[AuditEvent=CONFIG_TOKEN_RECORD][SubjectID={0}][Outcome={1}][OP={2}][TokenID={3}][ParamNameValPairs={4}][Info={5}] token record configuration parameter(s) change
-#
-# LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE
-# - used when token state changed
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#   --- secret component (password) MUST NOT be logged ---
-# - info in general is used for caturing error info for failed cases
-#
-LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8=<type=TOKEN_STATE_CHANGE>:[AuditEvent=TOKEN_STATE_CHANGE][SubjectID={0}][Outcome={1}][oldState={2}][oldReason={3}][newState={4}][newReason={5}][ParamNameValPairs={6}][Info={7}] token state changed
-#
-# LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG
-# - used when configuring lightweight authorities
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#
-LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=<type=AUTHORITY_CONFIG>:[AuditEvent=AUTHORITY_CONFIG][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] lightweight authority configuration change
-#
-# LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE
-# - used when access session failed to establish
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#
-LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\
-<type=ACCESS_SESSION_ESTABLISH>:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish failure
-#
-# LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS
-# - used when access session was established successfully
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#
-LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
-<type=ACCESS_SESSION_ESTABLISH>:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish success
-#
-# LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED
-# - used when access session was terminated
-# ParamNameValPairs must be a name;;value pair
-#    (where name and value are separated by the delimiter ;;)
-#    separated by + (if more than one name;;value pair) of config params changed
-#
-LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\
-<type=ACCESS_SESSION_TERMINATED>:[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated
-
-#
-# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE
-# access session failed to establish when Certificate System acts as client
-#
-LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\
-<type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client
-#
-# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS
-# - used when access session was established successfully when
-#   Certificate System acts as client
-#
-LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
-<type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client
-#
-# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED
-# - used when access session was terminated when Certificate System acts as client
-#
-LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\
-<type=CLIENT_ACCESS_SESSION_TERMINATED>:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client
-
-
-###########################
-#Unselectable signedAudit Events
-#
-# LOGGING_SIGNED_AUDIT_SIGNING
-# - used when a signature on the audit log is generated (same as "flush" time)
-# SubjectID is predefined to be "$System$" because this operation
-#   associates with no user
-# sig must be the base-64 encoded signature of the buffer just flushed
-#
-LOGGING_SIGNED_AUDIT_SIGNING_3=[AuditEvent=AUDIT_LOG_SIGNING][SubjectID={0}][Outcome={1}] signature of audit buffer just flushed: sig: {2}
 ##################################################################
 # For com.netscape.cms.ocsp
 ##################################################################
diff --git a/base/server/cmsbundle/src/audit-events.properties b/base/server/cmsbundle/src/audit-events.properties
new file mode 100644
index 0000000..e7f5499
--- /dev/null
+++ b/base/server/cmsbundle/src/audit-events.properties
@@ -0,0 +1,1031 @@
+####################### SIGNED AUDIT EVENTS #############################
+# The following are signedAudit events. They are required by CIMC PP.
+# Please consult cfu before adding/deleting/modifying the following events
+#
+# signedAudit messages common fields:
+# Outcome must be "success" or "failure"
+# SubjectID must be the UID of the user responsible for the operation
+#           "$System$" if system-initiated operation (e.g. log signing)
+#
+# LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP
+# - used at audit function startup
+#
+LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2=<type=AUDIT_LOG_STARTUP>:[AuditEvent=AUDIT_LOG_STARTUP][SubjectID={0}][Outcome={1}] audit function startup
+#
+# LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN
+# - used at audit function shutdown
+#
+LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=<type=AUDIT_LOG_SHUTDOWN>:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown
+#
+# LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION
+# - used for verifying CIMC system certificates
+# - CertNickName is the cert nickname
+#
+LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CIMC certificate verification
+#
+# LOGGING_SIGNED_AUDIT_ROLE_ASSUME
+# - used when user assumes a role (in current CS that's when one accesses a
+#     role port)
+# Role must be be one of the valid roles, by default: "Administrators",
+#     "Certificate Manager Agents", and "Auditors"
+#     note that customized role names can be used once configured
+#
+LOGGING_SIGNED_AUDIT_ROLE_ASSUME=<type=ROLE_ASSUME>:[AuditEvent=ROLE_ASSUME]{0} assume privileged role
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY
+# - used when configuring certificate policy constraints and extensions
+# ParamNameValPairs must be a name;;value pair
+# (where name and value are separated by the delimiter ;;)
+# separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=<type=CONFIG_CERT_POLICY>:[AuditEvent=CONFIG_CERT_POLICY][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate policy constraint or extension configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE
+# - used when configuring certificate profile
+#    (general settings and certificate profile)
+#    (extensions and constraints policies are to be obsoleted but do it anyway)
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=<type=CONFIG_CERT_PROFILE>:[AuditEvent=CONFIG_CERT_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate profile configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE
+# - used when configuring  CRL profile
+#    (extensions, frequency, CRL format)
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=<type=CONFIG_CRL_PROFILE>:[AuditEvent=CONFIG_CRL_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] CRL profile configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE
+# - used when configuring OCSP profile
+#    (everything under Online Certificate Status Manager)
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=<type=CONFIG_OCSP_PROFILE>:[AuditEvent=CONFIG_OCSP_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] OCSP profile configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_AUTH
+# - used when configuring authentication
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#   --- Password MUST NOT be logged ---
+#
+LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=<type=CONFIG_AUTH>:[AuditEvent=CONFIG_AUTH][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] authentication configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_ROLE
+# - used when configuring role information (anything under users/groups)
+#       add/remove/edit a role, etc)
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_ROLE=<type=CONFIG_ROLE>:[AuditEvent=CONFIG_ROLE]{0} role configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_ACL
+# - used when configuring ACL information
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=<type=CONFIG_ACL>:[AuditEvent=CONFIG_ACL][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] ACL configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT
+# - used when configuring signedAudit
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=<type=CONFIG_SIGNED_AUDIT>:[AuditEvent=CONFIG_SIGNED_AUDIT]{0} signed audit configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION
+# - used when configuring encryption (cert settings and SSL cipher preferences)
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=<type=CONFIG_ENCRYPTION>:[AuditEvent=CONFIG_ENCRYPTION][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] encryption configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY
+# - used when
+#      1. "Manage Certificate" is used to edit the trustness of certificates
+#         and deletion of certificates
+#      2. "Certificate Setup Wizard" is used to import CA certificates into the
+#         certificate database (Although CrossCertificatePairs are stored
+#         within internaldb, audit them as well)
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=<type=CONFIG_TRUSTED_PUBLIC_KEY>:[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY]{0} certificate database configuration
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_DRM
+# - used when configuring DRM
+#     (Key recovery scheme, change of any secret component)
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#   --- secret component (password) MUST NOT be logged ---
+#
+LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=<type=CONFIG_DRM>:[AuditEvent=CONFIG_DRM][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] DRM configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION
+# - used when self tests are run
+#
+LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details)
+#
+# LOGGING_SIGNED_AUDIT_LOG_DELETE
+# - used AFTER audit log gets expired (authz should not allow,
+#    but in case authz gets compromised.  Make sure it is written
+#    AFTER the log expiration happens)
+# LogFile must be the complete name (including the path) of the
+#    signedAudit log that is attempted to be deleted
+#
+LOGGING_SIGNED_AUDIT_LOG_DELETE_3=<type=AUDIT_LOG_DELETE>:[AuditEvent=AUDIT_LOG_DELETE][SubjectID={0}][Outcome={1}][LogFile={2}] signedAudit log deletion
+#
+# LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE
+# - used when log file name (including any path changes) for any of
+#    audit, system, transaction, or other customized log file
+#    change is attempted (authz should not allow, but make sure it's
+#    written after the attempt)
+# LogType must be "System", "Transaction", or "SignedAudit"
+# toLogFile must be the name (including any path changes) that the user is
+#    attempting to change to
+#
+LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PATH_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][toLogFile={3}] log path change attempt
+#
+# LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE
+# - used when log expiration time change is attempted (authz should not
+#    allow, but make sure it's written after the attempt)
+# LogType must be "System", "Transaction", or "SignedAudit"
+# ExpirationTime must be the amount of time (in seconds) that is
+#    attempted to be changed to
+#
+# -- feature disabled --
+#LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=<type=LOG_EXPIRATION_CHANGE>:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt
+#
+# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST
+# - used when server-side key generation request is made
+#    This is for tokenkeys
+# EntityID must be the representation of the subject that will be on the certificate when issued
+LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST]{0} server-side key generation request
+#
+# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
+# - used when server-side key generation request has been processed.
+#    This is for tokenkeys
+# EntityID must be the representation of the subject that will be on the certificate when issued
+# PubKey must be the base-64 encoded public key associated with
+#    the private key to be archived
+LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=<type=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED]{0} server-side key generation request processed
+#
+# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST
+# - used when key recovery request is made
+# RecoveryID must be the recovery request ID
+# PubKey must be the base-64 encoded public key associated with
+#    the private key to be recovered
+#
+LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=<type=KEY_RECOVERY_REQUEST>:[AuditEvent=KEY_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][PubKey={3}] key recovery request made
+#
+# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN
+# - used when DRM agents login as recovery agents to approve
+#       key recovery requests
+# RecoveryID must be the recovery request ID
+# RecoveryAgent must be the recovery agent the DRM agent is
+#       logging in with
+#
+LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=<type=KEY_RECOVERY_AGENT_LOGIN>:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login
+#
+# LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC
+# - used when asymmetric keys are generated
+#   (like when CA certificate requests are generated -
+#      e.g. CA certificate change over, renewal with new key, etc.)
+# PubKey must be the base-64 encoded public key material
+#
+LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=<type=KEY_GEN_ASYMMETRIC>:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation
+#
+# LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO
+#
+LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO=<type=CERT_SIGNING_INFO>:[AuditEvent=CERT_SIGNING_INFO]{0} certificate signing info
+#
+# LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO
+#
+LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO=<type=OCSP_SIGNING_INFO>:[AuditEvent=OCSP_SIGNING_INFO]{0} OCSP signing info
+#
+# LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO
+#
+LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=<type=CRL_SIGNING_INFO>:[AuditEvent=CRL_SIGNING_INFO]{0} CRL signing info
+#
+# LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST
+# - used when a non-profile certificate request is made (before approval process)
+# SubjectID must be the UID of user that triggered this event
+#        (if CMC enrollment requests signed by an agent, SubjectID should
+#        be that of the agent), while
+# CertSubject must be the certificate subject name of the certificate request
+# ReqID must be the certificate request ID
+# ServiceID must be the identity of the servlet that submitted the original
+#        request
+#
+LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=<type=NON_PROFILE_CERT_REQUEST>:[AuditEvent=NON_PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ServiceID={3}][CertSubject={4}] certificate request made without certificate profiles
+#
+# LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED
+# - used when a CMC request is received.
+# SubjectID must be the UID of user that triggered this event
+#        (if CMC requests is signed by an agent, SubjectID should
+#        be that of the agent)
+#        In case of an unsigned request, it would bear $Unidentified$
+#
+LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=<type=CMC_REQUEST_RECEIVED>:[AuditEvent=CMC_REQUEST_RECEIVED][SubjectID={0}][Outcome={1}][CMCRequest={2}] CMC request received
+#
+# LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT
+# - used when a CMC response is sent
+# SubjectID must be the UID of user that triggered this event
+#
+LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=<type=CMC_RESPONSE_SENT>:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent
+#
+# LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST
+# - used when a profile certificate request is made (before approval process)
+# SubjectID must be the UID of user that triggered this event
+#        (if CMC enrollment requests signed by an agent, SubjectID should
+#        be that of the agent), while
+# CertSubject must be the certificate subject name of the certificate request
+# ReqID must be the certificate request ID
+# ProfileID must be one of the certificate profiles defined by the
+#        administrator
+#
+LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=<type=PROFILE_CERT_REQUEST>:[AuditEvent=PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ProfileID={3}][CertSubject={4}] certificate request made with certificate profiles
+#
+# LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED
+# - used when certificate request has just been through the approval process
+# SubjectID must be the UID of the agent who approves, rejects, or cancels
+#        the certificate request
+# ReqID must be the request ID
+# InfoName must be value "certificate" (in case of approval), "rejectReason"
+#        (in case of reject), or "cancelReason" (in case of cancel)
+# InfoValue must contain the certificate (in case of success), a reject reason in
+#        text, or a cancel reason in text
+#
+LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=<type=CERT_REQUEST_PROCESSED>:[AuditEvent=CERT_REQUEST_PROCESSED]{0} certificate request processed
+#
+# LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST
+# - used when a certificate status change request (e.g. revocation)
+#        is made (before approval process)
+# ReqID must be the request ID
+# CertSerialNum must be the serial number (in hex) of the certificate to be revoked
+# RequestType must be "revoke", "on-hold", "off-hold"
+#
+LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=<type=CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=CERT_STATUS_CHANGE_REQUEST]{0} certificate revocation/unrevocation request made
+#
+# LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED
+# - used when certificate status is changed (revoked, expired, on-hold,
+#        off-hold)
+# SubjectID must be the UID of the agent that processed the request
+# ReqID must be the request ID
+# RequestType must be "revoke", "on-hold", "off-hold"
+# Approval must be "complete", "rejected", or "canceled"
+#        (note that "complete" means "approved")
+# CertSerialNum must be the serial number (in hex)
+# RevokeReasonNum must contain one of the following number:
+#       reason number       reason
+#       --------------------------------------
+#       0              Unspecified
+#       1              Key compromised
+#       2              CA key compromised (should not be used)
+#       3              Affiliation changed
+#       4              Certificate superceded
+#       5              Cessation of operation
+#       6              Certificate is on-hold
+#
+LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=<type=CERT_STATUS_CHANGE_REQUEST_PROCESSED>:[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED]{0} certificate status change request processed
+#
+# LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS
+# - used when authorization is successful
+# Outcome must be success for this event
+# aclResource must be the ACL resource ID as defined in ACL resource list
+# Op must be one of the operations as defined with the ACL statement
+#    e.g. "read" for an ACL statement containing "(read,write)"
+#
+LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization success
+#
+# LOGGING_SIGNED_AUDIT_AUTHZ_FAIL
+# - used when authorization has failed
+# Outcome must be failure for this event
+# aclResource must be the ACL resource ID as defined in ACL resource list
+# Op must be one of the operations as defined with the ACL statement
+#    e.g. "read" for an ACL statement containing "(read,write)"
+#
+LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization failure
+#
+# LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS
+# - used when inter-CIMC_Boundary data transfer is successful
+#   (this is used when data does not need to be captured)
+# ProtectionMethod must be one of the following: "SSL", or "unknown"
+# ReqType must be the request type
+# ReqID must be the request ID
+#
+LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=<type=INTER_BOUNDARY>:[AuditEvent=INTER_BOUNDARY][SubjectID={0}][Outcome={1}][ProtectionMethod={2}][ReqType={3}][ReqID={4}] inter-CIMC_Boundary communication (data exchange) success
+#
+# LOGGING_SIGNED_AUDIT_AUTH_FAIL
+# - used when authentication fails (in case of SSL-client auth,
+#    only webserver env can pick up the SSL violation;
+#    CS authMgr can pick up certificate mis-match, so this event is used)
+# Outcome should always be "failure" in this event
+#   (obviously, if authentication failed, you won't have a valid SubjectID, so
+#       in this case, SubjectID should be $Unidentified$)
+# AuthMgr must be the authentication manager instance name that did
+#   this authentication
+# AttemptedCred must be the credential attempted and failed
+#
+LOGGING_SIGNED_AUDIT_AUTH_FAIL=<type=AUTH>:[AuditEvent=AUTH]{0} authentication failure
+#
+# LOGGING_SIGNED_AUDIT_AUTH_SUCCESS
+# - used when authentication succeeded
+# Outcome should always be "success" in this event
+# AuthMgr must be the authentication manager instance name that did
+#   this authentication
+#
+LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authentication success
+#
+# LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL
+# - used when an agent approves/disapproves a certificate profile set by the
+#     administrator for automatic approval
+# ProfileID must be one of the profiles defined by the administrator
+#           and to be approved by an agent
+# Op must be "approve" or "disapprove"
+#
+LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval
+#
+# LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION
+# - used for proof of possession during certificate enrollment processing
+#
+LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=<type=PROOF_OF_POSSESSION>:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession
+# LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION
+# - used for proof of identification during CMC request processing
+# - In case of success, "SubjectID" is the actual identified identification;
+# - In case of failure, "SubjectID" is the attempted identification
+#
+LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=<type=CMC_PROOF_OF_IDENTIFICATION>:[AuditEvent=CMC_PROOF_OF_IDENTIFICATION][SubjectID={0}][Outcome={1}][Info={2}] proof of identification in CMC request
+# - used for identification and POP linking verification during CMC request processing
+#
+LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=<type=CMC_ID_POP_LINK_WITNESS>:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification
+#
+# LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION
+# - used when CRL generation is scheduled
+# Outcome is "success" when CRL generation is scheduled successfully, "failure" otherwise
+#
+LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION=<type=SCHEDULE_CRL_GENERATION>:[AuditEvent=SCHEDULE_CRL_GENERATION]{0} schedule for CRL generation
+#
+# LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION
+# - used when delta CRL generation is complete
+# Outcome is "success" when delta CRL is generated successfully, "failure" otherwise
+#
+LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=<type=DELTA_CRL_GENERATION>:[AuditEvent=DELTA_CRL_GENERATION]{0} Delta CRL generation
+#
+# LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING
+# - used when delta CRL publishing is complete
+# Outcome is "success" when delta CRL is publishing successfully, "failure" otherwise
+#
+LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=<type=DELTA_CRL_PUBLISHING>:[AuditEvent=DELTA_CRL_PUBLISHING]{0} Delta CRL publishing
+#
+# LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION
+# - used when full CRL generation is complete
+# Outcome is "success" when full CRL is generated successfully, "failure" otherwise
+#
+LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=<type=FULL_CRL_GENERATION>:[AuditEvent=FULL_CRL_GENERATION]{0} Full CRL generation
+#
+# LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING
+# - used when full  CRL publishing is complete
+# Outcome is "success" when full CRL is publishing successfully, "failure" otherwise
+#
+LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=<type=FULL_CRL_PUBLISHING>:[AuditEvent=FULL_CRL_PUBLISHING]{0} Full CRL publishing
+#
+# LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL
+# - used when CRLs are retrieved by the OCSP Responder
+# Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
+# CRLnum is the CRL number that identifies the CRL
+#
+LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=<type=CRL_RETRIEVAL>:[AuditEvent=CRL_RETRIEVAL][SubjectID={0}][Outcome={1}][CRLnum={2}] CRL retrieval
+#
+# LOGGING_SIGNED_AUDIT_CRL_VALIDATION
+# - used when CRL is retrieved and validation process occurs
+#
+LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=<type=CRL_VALIDATION>:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation
+#
+# LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST
+# - used when a CA is attempted to be added to the OCSP Responder
+# Outcome is "success" as the request is made
+# CA must be the base-64 encoded PKCS7 certificate (or chain)
+LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST=<type=OCSP_ADD_CA_REQUEST>:[AuditEvent=OCSP_ADD_CA_REQUEST]{0} request to add a CA for OCSP Responder
+#
+# LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED
+# - used when an add CA request to the OCSP Responder is processed
+# Outcome is "success" when CA is added successfully, "failure" otherwise
+# CASubjectDN is the subject DN of the leaf CA cert in the chain
+LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED=<type=OCSP_ADD_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED]{0} Add CA for OCSP Responder
+#
+# LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST
+# - used when a CA is attempted to be removed from the OCSP Responder
+# Outcome is "success" as the request is made
+# CA must be the DN id of the CA
+LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST=<type=OCSP_REMOVE_CA_REQUEST>:[AuditEvent=OCSP_REMOVE_CA_REQUEST]{0} request to remove a CA from OCSP Responder
+#
+# LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED_SUCCESS
+# - used when a remove CA request to the OCSP Responder is processed successfully
+# Outcome is "success" when CA is removed successfully, "failure" otherwise
+# CASubjectDN is the subject DN of the leaf CA cert in the chain
+LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS=<type=OCSP_REMOVE_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder is successful
+#
+# LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE
+# - used when a remove CA request to the OCSP Responder is processed and failed
+# Outcome is  "failure"
+# CASubjectDN is  DN ID of the CA
+LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE=<type=OCSP_REMOVE_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder has failed
+#
+# LOGGING_SIGNED_AUDIT_OCSP_GENERATION
+# - used when an OCSP response generated is complete
+# Outcome is "success" when OCSP response is generated successfully, "failure" otherwise
+LOGGING_SIGNED_AUDIT_OCSP_GENERATION=<type=OCSP_GENERATION>:[AuditEvent=OCSP_GENERATION]{0} OCSP response generation
+#
+# LOGGING_SIGNED_AUDIT_RANDOM_GENERATION
+# - used when a random number generation is complete
+# Info:
+# - Caller is PKI code that calls the random number generator
+# - Size is size of random number in bytes
+# Outcome is "success" when a random number is generated successfully, "failure" otherwise
+LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=<type=RANDOM_GENERATION>:[AuditEvent=RANDOM_GENERATION]{0} Random number generation
+#
+# LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY
+# - used when agent signed CMC certificate requests or revocation requests
+#   are submitted and signature is verified
+# ReqType must be the request type (enrollment, or revocation)
+# CertSubject must be the certificate subject name of the certificate request
+# SignerInfo must be a unique String representation for the signer
+#
+LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=<type=CMC_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent signed CMC request signature verification
+#
+# LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY
+# - used when CMC (user-signed or self-signed) certificate requests or revocation requests
+#   are submitted and signature is verified
+# ReqType must be the request type (enrollment, or revocation)
+# CertSubject must be the certificate subject name of the certificate request
+# CMCSignerInfo must be a unique String representation for the CMC request signer
+#
+LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification success
+LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification failure
+
+# LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST
+# - used for TPS to TKS to get random challenge data
+# AgentID must be the trusted agent id used to make the request
+LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=<type=COMPUTE_RANDOM_DATA_REQUEST>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request
+
+# LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS
+# - used for TPS to TKS to get random challenge data
+# Outcome is SUCCESS or FAILURE
+# Status is 0 for no error.
+# AgentID must be the trusted agent id used to make the request
+LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED]{0} TKS Compute random data request processed successfully
+
+# LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE
+# - used for TPS to TKS to get random challenge data
+# Outcome is SUCCESS or FAILURE
+# Status is 0 for no error.
+# Error gives the error message
+# AgentID must be the trusted agent id used to make the request
+LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE=<type=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCCESED]{0} TKS Compute random data request failed
+
+#
+#
+# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST
+# - used for TPS to TKS to get a sessoin key for secure channel setup
+# SubjectID must be the CUID of the token establishing the secure channel
+# AgentID must be the trusted agent id used to make the request
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
+##   CUID.  Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that
+##   encoded parameters are being logged.
+# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel
+# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel
+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=<type=COMPUTE_SESSION_KEY_REQUEST>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}] TKS Compute session key request
+
+#
+#
+# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS
+# - request for TPS to TKS to get a sessoin key for secure channel processed
+# SubjectID must be the CUID of the token establishing the secure channel
+# AgentID must be the trusted agent id used to make the request
+# Outcome is SUCCESS or FAILURE
+# Status is 0 for no error.
+# IsCryptoValidate tells if the card cryptogram is to be validated
+# IsServerSideKeygen tells if the keys are to be generated on server
+# SelectedToken is the cryptographic token performing key operations
+# KeyNickName is the number keyset ex: #01#01
+#
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
+##   CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact
+##   that decoded parameters are now logged.
+##       Also added TKSKeyset, KeyInfo_KeyVersion,
+##            NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+# TKSKeyset is the name of the TKS keyset being used for this request.
+# KeyInfo_KeyVersion is the key version number requested in hex.
+# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request processed successfully
+
+#
+#
+# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE
+# - request for TPS to TKS to get a sessoin key for secure channel processed
+# SubjectID must be the CUID of the token establishing the secure channel
+# Outcome is SUCCESS or FAILURE
+# Status is error code or 0 for no error.
+# AgentID must be the trusted agent id used to make the request
+# status is 0 for success, non-zero for various errors
+# IsCryptoValidate tells if the card cryptogram is to be validated
+# IsServerSideKeygen tells if the keys are to be generated on server
+# SelectedToken is the cryptographic token performing key operations
+# KeyNickName is the numeric keyset ex: #01#01
+# Error gives the error message
+#
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
+##                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+# TKSKeyset is the name of the TKS keyset being used for this request.
+# KeyInfo_KeyVersion is the key version number requested in hex.
+# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex
+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request failed
+
+
+# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST
+# - request for TPS to TKS to do key change over
+# SubjectID must be the CUID of the token requesting key change over
+# AgentID must be the trusted agent id used to make the request
+# status is 0 for success, non-zero for various errors
+# oldMasterKeyName is the old master key name
+# newMasterKeyName is the new master key name
+#
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged.
+# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel
+# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel
+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6=<type=DIVERSIFY_KEY_REQUEST>:[AuditEvent=DIVERSIFY_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}][oldMasterKeyName={4}][newMasterKeyName={5}] TKS Key Change Over request
+
+###########################
+# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS
+# - request for TPS to TKS to do key change over request processed
+# SubjectID must be the CUID of the token requesting key change over
+# AgentID must be the trusted agent id used to make the request
+# Outcome is SUCCESS or FAILURE
+# status is 0 for success, non-zero for various errors
+# oldMasterKeyName is the old master key name
+# newMasterKeyName is the new master key name
+#
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
+##                       Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+# TKSKeyset is the name of the TKS keyset being used for this request.
+# OldKeyInfo_KeyVersion is the old key version number in hex.
+# NewKeyInfo_KeyVersion is the new key version number in hex.
+# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=<type=DIVERSIFY_KEY_REQUEST_PROCESSED>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request processed successfully
+
+#
+###########################
+# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE
+# - request for TPS to TKS to do key change over request processed
+# SubjectID must be the CUID of the token requesting key change over
+# AgentID must be the trusted agent id used to make the request
+# Outcome is SUCCESS or FAILURE
+# status is 0 for success, non-zero for various errors
+# oldMasterKeyName is the old master key name
+# newMasterKeyName is the new master key name
+# Error gives the error message
+#
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
+##                       Also added TKSKeyset, OldKeyInfo_KeyVersion, NewKeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+# TKSKeyset is the name of the TKS keyset being used for this request.
+# OldKeyInfo_KeyVersion is the old key version number in hex.
+# NewKeyInfo_KeyVersion is the new key version number in hex.
+# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex
+LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=<type=DIVERSIFY_KEY_REQUEST_PROCESSED>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request failed
+
+# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST
+# - request from TPS to TKS to encrypt data
+#        (or generate random data and encrypt)
+# SubjectID must be the CUID of the token requesting encrypt data
+# AgentID must be the trusted agent id used to make the request
+# status is 0 for success, non-zero for various errors
+# isRandom tells if the data is randomly generated on TKS
+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=<type=ENCRYPT_DATA_REQUEST>:[AuditEvent=ENCRYPT_DATA_REQUEST][SubjectID={0}][status={1}][AgentID={2}][isRandom={3}] TKS encrypt data request
+#
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged.
+# CUID_encoded must be the special-encoded CUID of the token establishing the secure channel
+# KDD_encoded must be the special-encoded KDD of the token establishing the secure channel
+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5=<type=ENCRYPT_DATA_REQUEST>:[AuditEvent=ENCRYPT_DATA_REQUEST][CUID_encoded={0}][KDD_encoded={1}][status={2}][AgentID={3}][isRandom={4}] TKS encrypt data request
+
+#
+# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS
+# - request from TPS to TKS to encrypt data
+#        (or generate random data and encrypt)
+# SubjectID must be the CUID of the token requesting encrypt data
+# AgentID must be the trusted agent id used to make the request
+# Outcome is SUCCESS or FAILURE
+# status is 0 for success, non-zero for various errors
+# isRandom tells if the data is randomly generated on TKS
+# SelectedToken is the cryptographic token performing key operations
+# KeyNickName is the numeric keyset ex: #01#01
+#
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
+##                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+# TKSKeyset is the name of the TKS keyset being used for this request.
+# KeyInfo_KeyVersion is the key version number requested in hex.
+# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=<type=ENCRYPT_DATA_REQUEST_PROCESSED>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request processed successfully
+
+#
+# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE
+# - request from TPS to TKS to encrypt data
+#        (or generate random data and encrypt)
+# SubjectID must be the CUID of the token requesting encrypt data
+# AgentID must be the trusted agent id used to make the request
+# Outocme is SUCCESS or FAILURE
+# status is 0 for success, non-zero for various errors
+# isRandom tells if the data is randomly generated on TKS
+# SelectedToken is the cryptographic token performing key operations
+# KeyNickName is the numeric keyset ex: #01#01
+# Error gives the error message
+#
+## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_decoded" and "KDD_decoded" to reflect fact that decoded parameters are now logged.
+##                       Also added TKSKeyset, KeyInfo_KeyVersion, NistSP800_108KdfOnKeyVersion, NistSP800_108KdfUseCuidAsKdd
+# CUID_decoded must be the ASCII-HEX representation of the CUID of the token establishing the secure channel
+# KDD_decoded must be the ASCII-HEX representation of the KDD of the token establishing the secure channel
+# TKSKeyset is the name of the TKS keyset being used for this request.
+# KeyInfo_KeyVersion is the key version number requested in hex.
+# NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
+# NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE=<type=ENCRYPT_DATA_REQUEST_PROCESSED>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request failed
+#
+#
+# LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE
+# - used when updating contents of security domain
+#       (add/remove a subsystem)
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=<type=SECURITY_DOMAIN_UPDATE>:[AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] security domain update
+#
+#
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER
+# - used when configuring serial number ranges
+#      (when requesting a serial number range when cloning, for example)
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=<type=CONFIG_SERIAL_NUMBER>:[AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] serial number range update
+#
+# LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
+# - used when user security data archive request is processed
+#    this is when DRM receives and processed the request
+# ArchivalRequestID is the requestID provided by the CA through the connector
+#    It is used to track the request through from CA to KRA.
+# RequestId is the KRA archival request ID
+# ClientKeyID must be the user supplied client ID associated with
+#    the security data to be archived
+#
+LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=<type=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED]{0} security data archival request processed
+#
+# LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST
+# - used when security data recovery request is made
+# ArchivalRequestID is the requestID provided by the CA through the connector
+#    It is used to track the request through from CA to KRA.
+# RequestId is the KRA archival request ID
+# ClientKeyID must be the user supplied client ID associated with
+#    the security data to be archived
+#
+LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=<type=SECURITY_DATA_ARCHIVAL_REQUEST>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST]{0} security data archival request made
+#
+#
+# LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED
+# - used when security data recovery request is processed
+# RecoveryID must be the recovery request ID
+# KeyID is the ID of the security data being requested to be recovered
+# RecoveryAgents are the UIDs of the recovery agents approving this request
+#
+LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=<type=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED]{0} security data recovery request processed
+#
+#
+# LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST
+# - used when security data recovery request is made
+# RecoveryID must be the recovery request ID
+# DataID is the ID of the security data to be recovered
+#
+LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=<type=SECURITY_DATA_RECOVERY_REQUEST>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST]{0} security data recovery request made
+#
+# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_STATE_CHANGE
+# - used when DRM agents login as recovery agents to change
+#   the state of key recovery requests
+# RecoveryID must be the recovery request ID
+# Operation is the operation performed (approve, reject, cancel etc.)
+#
+LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=<type=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE]{0} security data recovery request state change
+#
+# LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY
+# - used when user attempts to retrieve key after the recovery request
+#   has been approved.
+#
+# RecoveryID must be the recovery request ID
+# KeyID is the key being retrieved
+# Info is the failure reason if the export fails.
+# PubKey is the public key for the private key being retrieved
+#
+LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY=<type=SECURITY_DATA_EXPORT_KEY>:[AuditEvent=SECURITY_DATA_EXPORT_KEY]{0} security data retrieval request
+#
+# LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO
+# - used when user attempts to get metadata information about a key
+#
+# RecoveryID must be the recovery request ID
+# KeyID is the key being retrieved
+# Info is the failure reason if the export fails.
+# PubKey is the public key for the private key being retrieved
+#
+LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=<type=SECURITY_DATA_INFO>:[AuditEvent=SECURITY_DATA_INFO]{0} security data info request
+#
+# LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE
+# - used when modify key status is executed
+# keyID must be an existing key id in the database
+# oldStatus is the old status to change from
+# newStatus is the new status to change to
+#
+LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=<type=KEY_STATUS_CHANGE>:[AuditEvent=KEY_STATUS_CHANGE]{0} Key Status Change
+#
+# LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED
+# - used when symmetric key generation request is processed
+#    this is when DRM receives and processes the request
+# Client ID must be the user supplied client ID associated with
+#    the symmetric key to be generated and archived
+#
+LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED=<type=SYMKEY_GENERATION_REQUEST_PROCESSED>:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED]{0} symkey generation request processed
+#
+# LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST
+# - used when symmetric key generation request is made
+# ClientKeyID is the ID of the symmetirc key to be generated and archived
+#
+LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=<type=SYMKEY_GENERATION_REQUEST>:[AuditEvent=SYMKEY_GENERATION_REQUEST]{0} symkey generation request made
+#
+# LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST
+# - used when asymmetric key generation request is made
+LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=<type=ASYMKEY_GENERATION_REQUEST>:[AuditEvent=ASYMKEY_GENERATION_REQUEST]{0} Asymkey generation request made
+#
+# LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED
+# - used when a request to generate asymmetric keys received by the DRM
+#   is processed.
+LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=<type=ASYMKEY_GENERATION_REQUEST_PROCESSED>:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED]{0} Asymkey generation request processed
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT
+# - used for TPS when token certificate enrollment request is made
+# - Info is normally used to store more info in case of failure
+#
+LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9=<type=TOKEN_CERT_ENROLLMENT>:[AuditEvent=TOKEN_CERT_ENROLLMENT][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate enrollment request made
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL
+# - used for TPS when token certificate renewal request is made
+# - Info is normally used to store more info in case of failure
+#
+LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[AuditEvent=TOKEN_CERT_RENEWAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate renewal request made
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL
+# - used for TPS when token certificate retrieval request is made;
+#   usually used during recovery, along with LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY
+#
+LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9=<type=TOKEN_CERT_RETRIEVAL>:[AuditEvent=TOKEN_CERT_RETRIEVAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate retrieval request made
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY
+# - used for TPS when token certificate key recovery request is made
+#
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10=<type=TOKEN_KEY_RECOVERY>:[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST
+# - used when a token certificate status change request (e.g. revocation) is made
+# CUID must be the last token that the certificate was associated with
+# CertSerialNum must be the serial number (in decimal) of the certificate to be revoked
+# RequestType must be "revoke", "on-hold", "off-hold"
+#
+LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10=<type=TOKEN_CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][CertSerialNum={5}][RequestType={6}][RevokeReasonNum={7}][CA_ID={8}][Info={9}] token certificate revocation/unrevocation request made
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS
+# - used when token pin reset request succeeded
+LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS=<type=TOKEN_PIN_RESET>:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset success
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE
+# - used when token pin reset request failed
+LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE=<type=TOKEN_PIN_RESET>:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset failure
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST
+# - used when token processor op request is made
+# - OP can be "format", "enroll", or "pinReset"
+LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=<type=TOKEN_OP_REQUEST>:[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token processor op request made
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS
+# - used when token format op succeeded
+LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS=<type=TOKEN_FORMAT>:[AuditEvent=TOKEN_FORMAT]{0} token op format success
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE
+# - used when token format op failed
+LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE=<type=TOKEN_FORMAT>:[AuditEvent=TOKEN_FORMAT]{0} token op format failure
+#
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS
+# - used when token apple upgrade succeeded
+LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade success
+#
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE
+# - used when token apple upgrade failed
+LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade failure
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED
+# - used when token key changeover is required
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=<type=TOKEN_KEY_CHANGEOVER_REQUIRED>:[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS
+# - used when token key changeover succeeded
+# - Info usually is unused for success
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover success
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE
+# - used when token key changeover failed
+# - Info is used for storing more info in case of failure
+LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover failure
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE
+# - used when authentication failed
+# Outcome should always be "failure" in this event
+#   (obviously, if authentication failed, you won't have a valid SubjectID, so
+#       in this case, AttemptedID is recorded)
+# AuthMgr must be the authentication manager instance name that did
+#   this authentication
+#
+LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH]{0} token authentication failure
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS
+# - used when authentication succeeded
+# Outcome should always be "success" in this event
+# AuthMgr must be the authentication manager instance name that did
+#   this authentication
+#
+LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH]{0} token authentication success
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL
+# - used when doing general TPS configuration
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#   --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
+#
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5=<type=CONFIG_TOKEN_GENERAL>:[AuditEvent=CONFIG_TOKEN_GENERAL][SubjectID={0}][Outcome={1}][Service={2}][ParamNameValPairs={3}][Info={4}] TPS token configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE
+# - used when configuring token profile
+# Service can be any of the methods offered
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#   --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
+#
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6=<type=CONFIG_TOKEN_PROFILE>:[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID={0}][Outcome={1}][Service={2}][ProfileID={3}][ParamNameValPairs={4}][Info={5}] token profile configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER
+# - used when configuring token mapping resolver
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#   --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
+#
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6=<type=CONFIG_TOKEN_MAPPING_RESOLVER>:[AuditEvent=CONFIG_TOKEN_MAPPING_RESOLVER][SubjectID={0}][Outcome={1}][Service={2}][MappingResolverID={3}][ParamNameValPairs={4}][Info={5}] token mapping resolver configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR
+# - used when configuring token authenticators
+# Service can be any of the methods offered
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#   --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
+#
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6=<type=CONFIG_TOKEN_AUTHENTICATOR>:[AuditEvent=CONFIG_TOKEN_AUTHENTICATOR][SubjectID={0}][Outcome={1}][OP={2}][Authenticator={3}][ParamNameValPairs={4}][Info={5}] token authenticator configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR
+# - used when configuring token connectors
+# Service can be any of the methods offered
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#   --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
+#
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6=<type=CONFIG_TOKEN_CONNECTOR>:[AuditEvent=CONFIG_TOKEN_CONNECTOR][SubjectID={0}][Outcome={1}][Service={2}][Connector={3}][ParamNameValPairs={4}][Info={5}] token connector configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD
+# - used when information in token record changed
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#   --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
+#
+LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6=<type=CONFIG_TOKEN_RECORD>:[AuditEvent=CONFIG_TOKEN_RECORD][SubjectID={0}][Outcome={1}][OP={2}][TokenID={3}][ParamNameValPairs={4}][Info={5}] token record configuration parameter(s) change
+#
+# LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE
+# - used when token state changed
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#   --- secret component (password) MUST NOT be logged ---
+# - info in general is used for caturing error info for failed cases
+#
+LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8=<type=TOKEN_STATE_CHANGE>:[AuditEvent=TOKEN_STATE_CHANGE][SubjectID={0}][Outcome={1}][oldState={2}][oldReason={3}][newState={4}][newReason={5}][ParamNameValPairs={6}][Info={7}] token state changed
+#
+# LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG
+# - used when configuring lightweight authorities
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=<type=AUTHORITY_CONFIG>:[AuditEvent=AUTHORITY_CONFIG][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] lightweight authority configuration change
+#
+# LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE
+# - used when access session failed to establish
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\
+<type=ACCESS_SESSION_ESTABLISH>:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish failure
+#
+# LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS
+# - used when access session was established successfully
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
+<type=ACCESS_SESSION_ESTABLISH>:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish success
+#
+# LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED
+# - used when access session was terminated
+# ParamNameValPairs must be a name;;value pair
+#    (where name and value are separated by the delimiter ;;)
+#    separated by + (if more than one name;;value pair) of config params changed
+#
+LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\
+<type=ACCESS_SESSION_TERMINATED>:[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated
+
+#
+# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE
+# access session failed to establish when Certificate System acts as client
+#
+LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\
+<type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client
+#
+# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS
+# - used when access session was established successfully when
+#   Certificate System acts as client
+#
+LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
+<type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client
+#
+# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED
+# - used when access session was terminated when Certificate System acts as client
+#
+LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\
+<type=CLIENT_ACCESS_SESSION_TERMINATED>:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client
+
+
+###########################
+#Unselectable signedAudit Events
+#
+# LOGGING_SIGNED_AUDIT_SIGNING
+# - used when a signature on the audit log is generated (same as "flush" time)
+# SubjectID is predefined to be "$System$" because this operation
+#   associates with no user
+# sig must be the base-64 encoded signature of the buffer just flushed
+#
+LOGGING_SIGNED_AUDIT_SIGNING_3=[AuditEvent=AUDIT_LOG_SIGNING][SubjectID={0}][Outcome={1}] signature of audit buffer just flushed: sig: {2}
diff --git a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
index 72f98ac..08e6f8d 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/apps/CMSEngine.java
@@ -1471,21 +1471,37 @@ public class CMSEngine implements ICMSEngine {
         return getUserMessage(locale, msgID, params);
     }
 
-    public String getLogMessage(String msgID, Object params[]) {
-        ResourceBundle rb = ResourceBundle.getBundle(
-                "LogMessages");
+    public String getLogMessage(String msgID, Object[] params) {
+
+        String bundleName;
+
+        // check whether requested message is an audit event
+        if (msgID.startsWith("LOGGING_SIGNED_AUDIT_")) {
+            // get audit event from audit-events.properties
+            bundleName = "audit-events";
+        } else {
+            // get log message from LogMessages.properties
+            bundleName = "LogMessages";
+        }
+
+        ResourceBundle rb = ResourceBundle.getBundle(bundleName);
         String msg = rb.getString(msgID);
 
-        if (params == null)
+        if (params == null) {
             return msg;
+        }
+
         MessageFormat mf = new MessageFormat(msg);
 
         Object escapedParams[] = new Object[params.length];
         for (int i = 0; i < params.length; i++) {
-            if (params[i] instanceof String)
-                escapedParams[i] = escapeLogMessageParam((String) params[i]);
-            else
-                escapedParams[i] = params[i];
+            Object param = params[i];
+
+            if (param instanceof String) {
+                escapedParams[i] = escapeLogMessageParam((String) param);
+            } else {
+                escapedParams[i] = param;
+            }
         }
 
         return mf.format(escapedParams);
diff --git a/base/server/cmscore/src/com/netscape/cmscore/logging/LogSubsystem.java b/base/server/cmscore/src/com/netscape/cmscore/logging/LogSubsystem.java
index 6c62161..48a32a9 100644
--- a/base/server/cmscore/src/com/netscape/cmscore/logging/LogSubsystem.java
+++ b/base/server/cmscore/src/com/netscape/cmscore/logging/LogSubsystem.java
@@ -157,18 +157,12 @@ public class LogSubsystem implements ILogSubsystem {
                 Debug.trace("loaded log instance " + insName + " impl " + implName);
         }
 
-        // load audit events from LogMessages.properties
-        ResourceBundle rb = ResourceBundle.getBundle("LogMessages");
-        Pattern name_pattern = Pattern.compile("^LOGGING_SIGNED_AUDIT_.*");
+        // load audit events from audit-events.properties
+        ResourceBundle rb = ResourceBundle.getBundle("audit-events");
         Pattern value_pattern = Pattern.compile("^<type=(.*)>:.*");
 
         for (String name : rb.keySet()) {
 
-            Matcher name_matcher = name_pattern.matcher(name);
-            if (!name_matcher.matches())  {
-                continue;
-            }
-
             String value = rb.getString(name);
 
             Matcher value_matcher = value_pattern.matcher(value);
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 6cbda2f..49bee4b 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -534,13 +534,13 @@ class PKISubsystem(object):
 
     def get_audit_events(self):
 
-        # get the full list of audit events from LogMessages.properties
+        # get the full list of audit events from audit-events.properties
 
         properties = {}
         tmpdir = tempfile.mkdtemp()
 
         try:
-            # export LogMessages.properties from cmsbundle.jar
+            # export audit-events.properties from cmsbundle.jar
             cmsbundle_jar = \
                 '/usr/share/pki/%s/webapps/%s/WEB-INF/lib/pki-cmsbundle.jar' \
                 % (self.name, self.name)
@@ -549,7 +549,7 @@ class PKISubsystem(object):
                 'jar',
                 'xf',
                 cmsbundle_jar,
-                'LogMessages.properties'
+                'audit-events.properties'
             ]
 
             logger.debug('Command: %s', ' '.join(cmd))
@@ -559,8 +559,8 @@ class PKISubsystem(object):
                 cwd=tmpdir,
                 stderr=subprocess.STDOUT)
 
-            # load LogMessages.properties
-            log_messages_properties = os.path.join(tmpdir, 'LogMessages.properties')
+            # load audit-events.properties
+            log_messages_properties = os.path.join(tmpdir, 'audit-events.properties')
             pki.util.load_properties(log_messages_properties, properties)
 
         finally:
@@ -568,15 +568,10 @@ class PKISubsystem(object):
 
         # get audit events
         events = set()
-        name_pattern = re.compile(r'LOGGING_SIGNED_AUDIT_')
         value_pattern = re.compile(r'<type=(.*)>:')
 
         for name in properties:
 
-            name_match = name_pattern.match(name)
-            if not name_match:
-                continue
-
             value = properties[name]
 
             value_match = value_pattern.match(value)
-- 
1.8.3.1


From 4c22488d9edef4b3eabce1e383713607cb7d83a3 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Fri, 9 Nov 2018 20:41:28 +0100
Subject: [PATCH 17/26] Updated pki-server <subsystem>-audit-event-find

The pki-server <subsystem>-audit-event-find has been modified
to return only the audit events that are applicable to the
subsystem based on the information stored in the comments in
audit-events.properties.

The comments in audit-events.properties have been modified such
that they can be parsed more easily to get the list of audit
events and their applicable subsystems.

The information about the applicable subsystems will be added
in subsequent patches.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 5c799d3bb6204a6a988740e963a0a3f22f921850)
---
 base/server/cmsbundle/src/audit-events.properties | 332 ++++++++++++----------
 base/server/python/pki/server/__init__.py         |  69 ++++-
 2 files changed, 235 insertions(+), 166 deletions(-)

diff --git a/base/server/cmsbundle/src/audit-events.properties b/base/server/cmsbundle/src/audit-events.properties
index e7f5499..e30d996 100644
--- a/base/server/cmsbundle/src/audit-events.properties
+++ b/base/server/cmsbundle/src/audit-events.properties
@@ -1,29 +1,44 @@
 ####################### SIGNED AUDIT EVENTS #############################
-# The following are signedAudit events. They are required by CIMC PP.
-# Please consult cfu before adding/deleting/modifying the following events
+# This file defines signed audit events which are required by CIMC PP.
+# Please consult cfu before adding/deleting/modifying the events.
 #
-# signedAudit messages common fields:
-# Outcome must be "success" or "failure"
-# SubjectID must be the UID of the user responsible for the operation
-#           "$System$" if system-initiated operation (e.g. log signing)
+# WARNING: The comments are incrementally being transformed into parsable
+# document. Please use the following format when updating the comments.
 #
-# LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP
+#   Event: <event type>
+#   Description: <event description>
+#   Applicable subsystems: <comma-separated list of subsystems>
+#   Fields:
+#   - <field name>: <field description>
+#
+# Note: In the actual event definition there should be exactly 1 space
+# after the # sign.
+#
+# Common fields:
+# - Outcome: must be "success" or "failure"
+# - SubjectID: must be the UID of the user responsible for the operation
+#             "$System$" if system-initiated operation (e.g. log signing)
+#
+#########################################################################
+# Selectable Signed Audit Events
+#
+# Event: AUDIT_LOG_STARTUP
 # - used at audit function startup
 #
 LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2=<type=AUDIT_LOG_STARTUP>:[AuditEvent=AUDIT_LOG_STARTUP][SubjectID={0}][Outcome={1}] audit function startup
 #
-# LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN
+# Event: AUDIT_LOG_SHUTDOWN
 # - used at audit function shutdown
 #
 LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=<type=AUDIT_LOG_SHUTDOWN>:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown
 #
-# LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION
+# Event: CIMC_CERT_VERIFICATION
 # - used for verifying CIMC system certificates
 # - CertNickName is the cert nickname
 #
 LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CIMC certificate verification
 #
-# LOGGING_SIGNED_AUDIT_ROLE_ASSUME
+# Event: ROLE_ASSUME
 # - used when user assumes a role (in current CS that's when one accesses a
 #     role port)
 # Role must be be one of the valid roles, by default: "Administrators",
@@ -32,7 +47,7 @@ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[Aud
 #
 LOGGING_SIGNED_AUDIT_ROLE_ASSUME=<type=ROLE_ASSUME>:[AuditEvent=ROLE_ASSUME]{0} assume privileged role
 #
-# LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY
+# Event: CONFIG_CERT_POLICY
 # - used when configuring certificate policy constraints and extensions
 # ParamNameValPairs must be a name;;value pair
 # (where name and value are separated by the delimiter ;;)
@@ -40,7 +55,7 @@ LOGGING_SIGNED_AUDIT_ROLE_ASSUME=<type=ROLE_ASSUME>:[AuditEvent=ROLE_ASSUME]{0}
 #
 LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=<type=CONFIG_CERT_POLICY>:[AuditEvent=CONFIG_CERT_POLICY][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate policy constraint or extension configuration parameter(s) change
 #
-# LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE
+# Event: CONFIG_CERT_PROFILE
 # - used when configuring certificate profile
 #    (general settings and certificate profile)
 #    (extensions and constraints policies are to be obsoleted but do it anyway)
@@ -50,7 +65,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=<type=CONFIG_CERT_POLICY>:[AuditEvent=
 #
 LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=<type=CONFIG_CERT_PROFILE>:[AuditEvent=CONFIG_CERT_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] certificate profile configuration parameter(s) change
 #
-# LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE
+# Event: CONFIG_CRL_PROFILE
 # - used when configuring  CRL profile
 #    (extensions, frequency, CRL format)
 # ParamNameValPairs must be a name;;value pair
@@ -59,7 +74,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=<type=CONFIG_CERT_PROFILE>:[AuditEven
 #
 LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=<type=CONFIG_CRL_PROFILE>:[AuditEvent=CONFIG_CRL_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] CRL profile configuration parameter(s) change
 #
-# LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE
+# Event: CONFIG_OCSP_PROFILE
 # - used when configuring OCSP profile
 #    (everything under Online Certificate Status Manager)
 # ParamNameValPairs must be a name;;value pair
@@ -68,7 +83,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=<type=CONFIG_CRL_PROFILE>:[AuditEvent=
 #
 LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=<type=CONFIG_OCSP_PROFILE>:[AuditEvent=CONFIG_OCSP_PROFILE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] OCSP profile configuration parameter(s) change
 #
-# LOGGING_SIGNED_AUDIT_CONFIG_AUTH
+# Event: CONFIG_AUTH
 # - used when configuring authentication
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -77,7 +92,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=<type=CONFIG_OCSP_PROFILE>:[AuditEven
 #
 LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=<type=CONFIG_AUTH>:[AuditEvent=CONFIG_AUTH][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] authentication configuration parameter(s) change
 #
-# LOGGING_SIGNED_AUDIT_CONFIG_ROLE
+# Event: CONFIG_ROLE
 # - used when configuring role information (anything under users/groups)
 #       add/remove/edit a role, etc)
 # ParamNameValPairs must be a name;;value pair
@@ -86,7 +101,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=<type=CONFIG_AUTH>:[AuditEvent=CONFIG_AUTH][S
 #
 LOGGING_SIGNED_AUDIT_CONFIG_ROLE=<type=CONFIG_ROLE>:[AuditEvent=CONFIG_ROLE]{0} role configuration parameter(s) change
 #
-# LOGGING_SIGNED_AUDIT_CONFIG_ACL
+# Event: CONFIG_ACL
 # - used when configuring ACL information
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -94,7 +109,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ROLE=<type=CONFIG_ROLE>:[AuditEvent=CONFIG_ROLE]{0}
 #
 LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=<type=CONFIG_ACL>:[AuditEvent=CONFIG_ACL][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] ACL configuration parameter(s) change
 #
-# LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT
+# Event: CONFIG_SIGNED_AUDIT
 # - used when configuring signedAudit
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -102,7 +117,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=<type=CONFIG_ACL>:[AuditEvent=CONFIG_ACL][Subj
 #
 LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=<type=CONFIG_SIGNED_AUDIT>:[AuditEvent=CONFIG_SIGNED_AUDIT]{0} signed audit configuration parameter(s) change
 #
-# LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION
+# Event: CONFIG_ENCRYPTION
 # - used when configuring encryption (cert settings and SSL cipher preferences)
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -110,7 +125,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=<type=CONFIG_SIGNED_AUDIT>:[AuditEvent=
 #
 LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=<type=CONFIG_ENCRYPTION>:[AuditEvent=CONFIG_ENCRYPTION][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] encryption configuration parameter(s) change
 #
-# LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY
+# Event: CONFIG_TRUSTED_PUBLIC_KEY
 # - used when
 #      1. "Manage Certificate" is used to edit the trustness of certificates
 #         and deletion of certificates
@@ -123,7 +138,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=<type=CONFIG_ENCRYPTION>:[AuditEvent=CO
 #
 LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=<type=CONFIG_TRUSTED_PUBLIC_KEY>:[AuditEvent=CONFIG_TRUSTED_PUBLIC_KEY]{0} certificate database configuration
 #
-# LOGGING_SIGNED_AUDIT_CONFIG_DRM
+# Event: CONFIG_DRM
 # - used when configuring DRM
 #     (Key recovery scheme, change of any secret component)
 # ParamNameValPairs must be a name;;value pair
@@ -133,12 +148,12 @@ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=<type=CONFIG_TRUSTED_PUBLIC_KEY>:
 #
 LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=<type=CONFIG_DRM>:[AuditEvent=CONFIG_DRM][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] DRM configuration parameter(s) change
 #
-# LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION
+# Event: SELFTESTS_EXECUTION
 # - used when self tests are run
 #
 LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details)
 #
-# LOGGING_SIGNED_AUDIT_LOG_DELETE
+# Event: AUDIT_LOG_DELETE
 # - used AFTER audit log gets expired (authz should not allow,
 #    but in case authz gets compromised.  Make sure it is written
 #    AFTER the log expiration happens)
@@ -147,7 +162,7 @@ LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEven
 #
 LOGGING_SIGNED_AUDIT_LOG_DELETE_3=<type=AUDIT_LOG_DELETE>:[AuditEvent=AUDIT_LOG_DELETE][SubjectID={0}][Outcome={1}][LogFile={2}] signedAudit log deletion
 #
-# LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE
+# Event: LOG_PATH_CHANGE
 # - used when log file name (including any path changes) for any of
 #    audit, system, transaction, or other customized log file
 #    change is attempted (authz should not allow, but make sure it's
@@ -158,7 +173,7 @@ LOGGING_SIGNED_AUDIT_LOG_DELETE_3=<type=AUDIT_LOG_DELETE>:[AuditEvent=AUDIT_LOG_
 #
 LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PATH_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][toLogFile={3}] log path change attempt
 #
-# LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE
+# Event: LOG_EXPIRATION_CHANGE
 # - used when log expiration time change is attempted (authz should not
 #    allow, but make sure it's written after the attempt)
 # LogType must be "System", "Transaction", or "SignedAudit"
@@ -168,21 +183,23 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
 # -- feature disabled --
 #LOGGING_SIGNED_AUDIT_LOG_EXPIRATION_CHANGE_4=<type=LOG_EXPIRATION_CHANGE>:[AuditEvent=LOG_EXPIRATION_CHANGE][SubjectID={0}][Outcome={1}][LogType={2}][ExpirationTime={3}] log expiration time change attempt
 #
-# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST
+# Event: SERVER_SIDE_KEYGEN_REQUEST
 # - used when server-side key generation request is made
 #    This is for tokenkeys
 # EntityID must be the representation of the subject that will be on the certificate when issued
+#
 LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST]{0} server-side key generation request
 #
-# LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
+# Event: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
 # - used when server-side key generation request has been processed.
 #    This is for tokenkeys
 # EntityID must be the representation of the subject that will be on the certificate when issued
 # PubKey must be the base-64 encoded public key associated with
 #    the private key to be archived
+#
 LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=<type=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST_PROCESSED]{0} server-side key generation request processed
 #
-# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST
+# Event: KEY_RECOVERY_REQUEST
 # - used when key recovery request is made
 # RecoveryID must be the recovery request ID
 # PubKey must be the base-64 encoded public key associated with
@@ -190,7 +207,7 @@ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=<type=SERVER_SIDE_KEYG
 #
 LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=<type=KEY_RECOVERY_REQUEST>:[AuditEvent=KEY_RECOVERY_REQUEST][SubjectID={0}][Outcome={1}][RecoveryID={2}][PubKey={3}] key recovery request made
 #
-# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN
+# Event: KEY_RECOVERY_AGENT_LOGIN
 # - used when DRM agents login as recovery agents to approve
 #       key recovery requests
 # RecoveryID must be the recovery request ID
@@ -199,7 +216,7 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=<type=KEY_RECOVERY_REQUEST>:[AuditEv
 #
 LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=<type=KEY_RECOVERY_AGENT_LOGIN>:[AuditEvent=KEY_RECOVERY_AGENT_LOGIN][SubjectID={0}][Outcome={1}][RecoveryID={2}][RecoveryAgent={3}] key recovery agent login
 #
-# LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC
+# Event: KEY_GEN_ASYMMETRIC
 # - used when asymmetric keys are generated
 #   (like when CA certificate requests are generated -
 #      e.g. CA certificate change over, renewal with new key, etc.)
@@ -207,19 +224,19 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=<type=KEY_RECOVERY_AGENT_LOGIN>:
 #
 LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=<type=KEY_GEN_ASYMMETRIC>:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation
 #
-# LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO
+# Event: CERT_SIGNING_INFO
 #
 LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO=<type=CERT_SIGNING_INFO>:[AuditEvent=CERT_SIGNING_INFO]{0} certificate signing info
 #
-# LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO
+# Event: OCSP_SIGNING_INFO
 #
 LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO=<type=OCSP_SIGNING_INFO>:[AuditEvent=OCSP_SIGNING_INFO]{0} OCSP signing info
 #
-# LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO
+# Event: CRL_SIGNING_INFO
 #
 LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=<type=CRL_SIGNING_INFO>:[AuditEvent=CRL_SIGNING_INFO]{0} CRL signing info
 #
-# LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST
+# Event: NON_PROFILE_CERT_REQUEST
 # - used when a non-profile certificate request is made (before approval process)
 # SubjectID must be the UID of user that triggered this event
 #        (if CMC enrollment requests signed by an agent, SubjectID should
@@ -231,7 +248,7 @@ LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=<type=CRL_SIGNING_INFO>:[AuditEvent=CRL_SI
 #
 LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=<type=NON_PROFILE_CERT_REQUEST>:[AuditEvent=NON_PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ServiceID={3}][CertSubject={4}] certificate request made without certificate profiles
 #
-# LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED
+# Event: CMC_REQUEST_RECEIVED
 # - used when a CMC request is received.
 # SubjectID must be the UID of user that triggered this event
 #        (if CMC requests is signed by an agent, SubjectID should
@@ -240,13 +257,13 @@ LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=<type=NON_PROFILE_CERT_REQUEST>:
 #
 LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=<type=CMC_REQUEST_RECEIVED>:[AuditEvent=CMC_REQUEST_RECEIVED][SubjectID={0}][Outcome={1}][CMCRequest={2}] CMC request received
 #
-# LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT
+# Event: CMC_RESPONSE_SENT
 # - used when a CMC response is sent
 # SubjectID must be the UID of user that triggered this event
 #
 LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=<type=CMC_RESPONSE_SENT>:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent
 #
-# LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST
+# Event: PROFILE_CERT_REQUEST
 # - used when a profile certificate request is made (before approval process)
 # SubjectID must be the UID of user that triggered this event
 #        (if CMC enrollment requests signed by an agent, SubjectID should
@@ -258,7 +275,7 @@ LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=<type=CMC_RESPONSE_SENT>:[AuditEvent=CM
 #
 LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=<type=PROFILE_CERT_REQUEST>:[AuditEvent=PROFILE_CERT_REQUEST][SubjectID={0}][Outcome={1}][ReqID={2}][ProfileID={3}][CertSubject={4}] certificate request made with certificate profiles
 #
-# LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED
+# Event: CERT_REQUEST_PROCESSED
 # - used when certificate request has just been through the approval process
 # SubjectID must be the UID of the agent who approves, rejects, or cancels
 #        the certificate request
@@ -270,7 +287,7 @@ LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=<type=PROFILE_CERT_REQUEST>:[AuditEv
 #
 LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=<type=CERT_REQUEST_PROCESSED>:[AuditEvent=CERT_REQUEST_PROCESSED]{0} certificate request processed
 #
-# LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST
+# Event: CERT_STATUS_CHANGE_REQUEST
 # - used when a certificate status change request (e.g. revocation)
 #        is made (before approval process)
 # ReqID must be the request ID
@@ -279,7 +296,7 @@ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=<type=CERT_REQUEST_PROCESSED>:[Audit
 #
 LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=<type=CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=CERT_STATUS_CHANGE_REQUEST]{0} certificate revocation/unrevocation request made
 #
-# LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED
+# Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED
 # - used when certificate status is changed (revoked, expired, on-hold,
 #        off-hold)
 # SubjectID must be the UID of the agent that processed the request
@@ -301,7 +318,7 @@ LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=<type=CERT_STATUS_CHANGE_REQUEST
 #
 LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=<type=CERT_STATUS_CHANGE_REQUEST_PROCESSED>:[AuditEvent=CERT_STATUS_CHANGE_REQUEST_PROCESSED]{0} certificate status change request processed
 #
-# LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS
+# Event: AUTHZ with [Outcome=Success]
 # - used when authorization is successful
 # Outcome must be success for this event
 # aclResource must be the ACL resource ID as defined in ACL resource list
@@ -310,7 +327,7 @@ LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=<type=CERT_STATUS_CHAN
 #
 LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization success
 #
-# LOGGING_SIGNED_AUDIT_AUTHZ_FAIL
+# Event: AUTHZ with [Outcome=Failure]
 # - used when authorization has failed
 # Outcome must be failure for this event
 # aclResource must be the ACL resource ID as defined in ACL resource list
@@ -319,7 +336,7 @@ LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorizat
 #
 LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization failure
 #
-# LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS
+# Event: INTER_BOUNDARY
 # - used when inter-CIMC_Boundary data transfer is successful
 #   (this is used when data does not need to be captured)
 # ProtectionMethod must be one of the following: "SSL", or "unknown"
@@ -328,7 +345,7 @@ LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization
 #
 LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=<type=INTER_BOUNDARY>:[AuditEvent=INTER_BOUNDARY][SubjectID={0}][Outcome={1}][ProtectionMethod={2}][ReqType={3}][ReqID={4}] inter-CIMC_Boundary communication (data exchange) success
 #
-# LOGGING_SIGNED_AUDIT_AUTH_FAIL
+# Event: AUTH with [Outcome=Failure]
 # - used when authentication fails (in case of SSL-client auth,
 #    only webserver env can pick up the SSL violation;
 #    CS authMgr can pick up certificate mis-match, so this event is used)
@@ -341,7 +358,7 @@ LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=<type=INTER_BOUNDARY>:[AuditEvent=
 #
 LOGGING_SIGNED_AUDIT_AUTH_FAIL=<type=AUTH>:[AuditEvent=AUTH]{0} authentication failure
 #
-# LOGGING_SIGNED_AUDIT_AUTH_SUCCESS
+# Event: AUTH with [Outcome=Success]
 # - used when authentication succeeded
 # Outcome should always be "success" in this event
 # AuthMgr must be the authentication manager instance name that did
@@ -349,7 +366,7 @@ LOGGING_SIGNED_AUDIT_AUTH_FAIL=<type=AUTH>:[AuditEvent=AUTH]{0} authentication f
 #
 LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authentication success
 #
-# LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL
+# Event: CERT_PROFILE_APPROVAL
 # - used when an agent approves/disapproves a certificate profile set by the
 #     administrator for automatic approval
 # ProfileID must be one of the profiles defined by the administrator
@@ -358,98 +375,106 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authenticatio
 #
 LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[AuditEvent=CERT_PROFILE_APPROVAL][SubjectID={0}][Outcome={1}][ProfileID={2}][Op={3}] certificate profile approval
 #
-# LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION
+# Event: PROOF_OF_POSSESSION
 # - used for proof of possession during certificate enrollment processing
 #
 LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=<type=PROOF_OF_POSSESSION>:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession
-# LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION
+#
+# Event: CMC_PROOF_OF_IDENTIFICATION
 # - used for proof of identification during CMC request processing
 # - In case of success, "SubjectID" is the actual identified identification;
 # - In case of failure, "SubjectID" is the attempted identification
 #
 LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=<type=CMC_PROOF_OF_IDENTIFICATION>:[AuditEvent=CMC_PROOF_OF_IDENTIFICATION][SubjectID={0}][Outcome={1}][Info={2}] proof of identification in CMC request
+#
+# Event: CMC_ID_POP_LINK_WITNESS
 # - used for identification and POP linking verification during CMC request processing
 #
 LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=<type=CMC_ID_POP_LINK_WITNESS>:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification
 #
-# LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION
+# Event: SCHEDULE_CRL_GENERATION
 # - used when CRL generation is scheduled
 # Outcome is "success" when CRL generation is scheduled successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION=<type=SCHEDULE_CRL_GENERATION>:[AuditEvent=SCHEDULE_CRL_GENERATION]{0} schedule for CRL generation
 #
-# LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION
+# Event: DELTA_CRL_GENERATION
 # - used when delta CRL generation is complete
 # Outcome is "success" when delta CRL is generated successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=<type=DELTA_CRL_GENERATION>:[AuditEvent=DELTA_CRL_GENERATION]{0} Delta CRL generation
 #
-# LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING
+# Event: DELTA_CRL_PUBLISHING
 # - used when delta CRL publishing is complete
 # Outcome is "success" when delta CRL is publishing successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=<type=DELTA_CRL_PUBLISHING>:[AuditEvent=DELTA_CRL_PUBLISHING]{0} Delta CRL publishing
 #
-# LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION
+# Event: FULL_CRL_GENERATION
 # - used when full CRL generation is complete
 # Outcome is "success" when full CRL is generated successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=<type=FULL_CRL_GENERATION>:[AuditEvent=FULL_CRL_GENERATION]{0} Full CRL generation
 #
-# LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING
+# Event: FULL_CRL_PUBLISHING
 # - used when full  CRL publishing is complete
 # Outcome is "success" when full CRL is publishing successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=<type=FULL_CRL_PUBLISHING>:[AuditEvent=FULL_CRL_PUBLISHING]{0} Full CRL publishing
 #
-# LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL
+# Event: CRL_RETRIEVAL
 # - used when CRLs are retrieved by the OCSP Responder
 # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
 # CRLnum is the CRL number that identifies the CRL
 #
 LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=<type=CRL_RETRIEVAL>:[AuditEvent=CRL_RETRIEVAL][SubjectID={0}][Outcome={1}][CRLnum={2}] CRL retrieval
 #
-# LOGGING_SIGNED_AUDIT_CRL_VALIDATION
+# Event: CRL_VALIDATION
 # - used when CRL is retrieved and validation process occurs
 #
 LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=<type=CRL_VALIDATION>:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation
 #
-# LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST
+# Event: OCSP_ADD_CA_REQUEST
 # - used when a CA is attempted to be added to the OCSP Responder
 # Outcome is "success" as the request is made
 # CA must be the base-64 encoded PKCS7 certificate (or chain)
+#
 LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST=<type=OCSP_ADD_CA_REQUEST>:[AuditEvent=OCSP_ADD_CA_REQUEST]{0} request to add a CA for OCSP Responder
 #
-# LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED
+# Event: OCSP_ADD_CA_REQUEST_PROCESSED
 # - used when an add CA request to the OCSP Responder is processed
 # Outcome is "success" when CA is added successfully, "failure" otherwise
 # CASubjectDN is the subject DN of the leaf CA cert in the chain
+#
 LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED=<type=OCSP_ADD_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_ADD_CA_REQUEST_PROCESSED]{0} Add CA for OCSP Responder
 #
-# LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST
+# Event: OCSP_REMOVE_CA_REQUEST
 # - used when a CA is attempted to be removed from the OCSP Responder
 # Outcome is "success" as the request is made
 # CA must be the DN id of the CA
 LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST=<type=OCSP_REMOVE_CA_REQUEST>:[AuditEvent=OCSP_REMOVE_CA_REQUEST]{0} request to remove a CA from OCSP Responder
 #
-# LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED_SUCCESS
+# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Success]
 # - used when a remove CA request to the OCSP Responder is processed successfully
 # Outcome is "success" when CA is removed successfully, "failure" otherwise
 # CASubjectDN is the subject DN of the leaf CA cert in the chain
+#
 LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS=<type=OCSP_REMOVE_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder is successful
 #
-# LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE
+# Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Failure]
 # - used when a remove CA request to the OCSP Responder is processed and failed
 # Outcome is  "failure"
 # CASubjectDN is  DN ID of the CA
+#
 LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE=<type=OCSP_REMOVE_CA_REQUEST_PROCESSED>:[AuditEvent=OCSP_REMOVE_CA_REQUEST_PROCESSED]{0} Remove CA for OCSP Responder has failed
 #
-# LOGGING_SIGNED_AUDIT_OCSP_GENERATION
+# Event: OCSP_GENERATION
 # - used when an OCSP response generated is complete
 # Outcome is "success" when OCSP response is generated successfully, "failure" otherwise
+#
 LOGGING_SIGNED_AUDIT_OCSP_GENERATION=<type=OCSP_GENERATION>:[AuditEvent=OCSP_GENERATION]{0} OCSP response generation
 #
-# LOGGING_SIGNED_AUDIT_RANDOM_GENERATION
+# Event: RANDOM_GENERATION
 # - used when a random number generation is complete
 # Info:
 # - Caller is PKI code that calls the random number generator
@@ -457,7 +482,7 @@ LOGGING_SIGNED_AUDIT_OCSP_GENERATION=<type=OCSP_GENERATION>:[AuditEvent=OCSP_GEN
 # Outcome is "success" when a random number is generated successfully, "failure" otherwise
 LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=<type=RANDOM_GENERATION>:[AuditEvent=RANDOM_GENERATION]{0} Random number generation
 #
-# LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY
+# Event: CMC_SIGNED_REQUEST_SIG_VERIFY
 # - used when agent signed CMC certificate requests or revocation requests
 #   are submitted and signature is verified
 # ReqType must be the request type (enrollment, or revocation)
@@ -466,7 +491,7 @@ LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=<type=RANDOM_GENERATION>:[AuditEvent=RAND
 #
 LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=<type=CMC_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_SIGNED_REQUEST_SIG_VERIFY]{0} agent signed CMC request signature verification
 #
-# LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY
+# Event: CMC_USER_SIGNED_REQUEST_SIG_VERIFY
 # - used when CMC (user-signed or self-signed) certificate requests or revocation requests
 #   are submitted and signature is verified
 # ReqType must be the request type (enrollment, or revocation)
@@ -475,30 +500,30 @@ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=<type=CMC_SIGNED_REQUEST_SIG_
 #
 LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification success
 LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=<type=CMC_USER_SIGNED_REQUEST_SIG_VERIFY>:[AuditEvent=CMC_USER_SIGNED_REQUEST_SIG_VERIFY]{0} User signed CMC request signature verification failure
-
-# LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST
+#
+# Event: COMPUTE_RANDOM_DATA_REQUEST
 # - used for TPS to TKS to get random challenge data
 # AgentID must be the trusted agent id used to make the request
+#
 LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=<type=COMPUTE_RANDOM_DATA_REQUEST>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request
-
-# LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS
+#
+# Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Success]
 # - used for TPS to TKS to get random challenge data
 # Outcome is SUCCESS or FAILURE
 # Status is 0 for no error.
 # AgentID must be the trusted agent id used to make the request
 LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED]{0} TKS Compute random data request processed successfully
-
-# LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE
+#
+# Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Failure]
 # - used for TPS to TKS to get random challenge data
 # Outcome is SUCCESS or FAILURE
 # Status is 0 for no error.
 # Error gives the error message
 # AgentID must be the trusted agent id used to make the request
-LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE=<type=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCCESED]{0} TKS Compute random data request failed
-
 #
+LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE=<type=COMPUTE_RANDOM_DATA_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST_PROCCESED]{0} TKS Compute random data request failed
 #
-# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST
+# Event: COMPUTE_SESSION_KEY_REQUEST
 # - used for TPS to TKS to get a sessoin key for secure channel setup
 # SubjectID must be the CUID of the token establishing the secure channel
 # AgentID must be the trusted agent id used to make the request
@@ -507,11 +532,10 @@ LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE=<type=COMPUTE
 ##   encoded parameters are being logged.
 # CUID_encoded must be the special-encoded CUID of the token establishing the secure channel
 # KDD_encoded must be the special-encoded KDD of the token establishing the secure channel
-LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=<type=COMPUTE_SESSION_KEY_REQUEST>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}] TKS Compute session key request
-
 #
+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=<type=COMPUTE_SESSION_KEY_REQUEST>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}] TKS Compute session key request
 #
-# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS
+# Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Success]
 # - request for TPS to TKS to get a sessoin key for secure channel processed
 # SubjectID must be the CUID of the token establishing the secure channel
 # AgentID must be the trusted agent id used to make the request
@@ -533,11 +557,10 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=<type=COMPUTE_SESSION_KEY_REQ
 # KeyInfo_KeyVersion is the key version number requested in hex.
 # NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
 # NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
-LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request processed successfully
-
 #
+LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request processed successfully
 #
-# LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE
+# Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Failure]
 # - request for TPS to TKS to get a sessoin key for secure channel processed
 # SubjectID must be the CUID of the token establishing the secure channel
 # Outcome is SUCCESS or FAILURE
@@ -558,10 +581,10 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE
 # KeyInfo_KeyVersion is the key version number requested in hex.
 # NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
 # NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex
+#
 LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=<type=COMPUTE_SESSION_KEY_REQUEST_PROCESSED>:[AuditEvent=COMPUTE_SESSION_KEY_REQUEST_PROCESSED]{0} TKS Compute session key request failed
-
-
-# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST
+#
+# Event: DIVERSIFY_KEY_REQUEST
 # - request for TPS to TKS to do key change over
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
@@ -572,10 +595,10 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=<type=COMPUTE
 ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged.
 # CUID_encoded must be the special-encoded CUID of the token establishing the secure channel
 # KDD_encoded must be the special-encoded KDD of the token establishing the secure channel
+#
 LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6=<type=DIVERSIFY_KEY_REQUEST>:[AuditEvent=DIVERSIFY_KEY_REQUEST][CUID_encoded={0}][KDD_encoded={1}][Outcome={2}][AgentID={3}][oldMasterKeyName={4}][newMasterKeyName={5}] TKS Key Change Over request
-
-###########################
-# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS
+#
+# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Success]
 # - request for TPS to TKS to do key change over request processed
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
@@ -593,11 +616,10 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6=<type=DIVERSIFY_KEY_REQUEST>:[Audit
 # NewKeyInfo_KeyVersion is the new key version number in hex.
 # NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
 # NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
+#
 LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=<type=DIVERSIFY_KEY_REQUEST_PROCESSED>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request processed successfully
-
 #
-###########################
-# LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE
+# Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Failure]
 # - request for TPS to TKS to do key change over request processed
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
@@ -616,24 +638,26 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=<type=DIVERSIFY_KEY
 # NewKeyInfo_KeyVersion is the new key version number in hex.
 # NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
 # NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex
+#
 LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=<type=DIVERSIFY_KEY_REQUEST_PROCESSED>:[AuditEvent=DIVERSIFY_KEY_REQUEST_PROCESSED]{0} TKS Key Change Over request failed
-
-# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST
+#
+# Event: ENCRYPT_DATA_REQUEST
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # status is 0 for success, non-zero for various errors
 # isRandom tells if the data is randomly generated on TKS
+#
 LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_4=<type=ENCRYPT_DATA_REQUEST>:[AuditEvent=ENCRYPT_DATA_REQUEST][SubjectID={0}][status={1}][AgentID={2}][isRandom={3}] TKS encrypt data request
 #
 ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the CUID.  Renamed to "CUID_encoded" and "KDD_encoded" to reflect fact that encoded parameters are being logged.
 # CUID_encoded must be the special-encoded CUID of the token establishing the secure channel
 # KDD_encoded must be the special-encoded KDD of the token establishing the secure channel
+#
 LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5=<type=ENCRYPT_DATA_REQUEST>:[AuditEvent=ENCRYPT_DATA_REQUEST][CUID_encoded={0}][KDD_encoded={1}][status={2}][AgentID={3}][isRandom={4}] TKS encrypt data request
-
 #
-# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS
+# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Success]
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
 # SubjectID must be the CUID of the token requesting encrypt data
@@ -652,10 +676,10 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5=<type=ENCRYPT_DATA_REQUEST>:[AuditEv
 # KeyInfo_KeyVersion is the key version number requested in hex.
 # NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
 # NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
+#
 LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=<type=ENCRYPT_DATA_REQUEST_PROCESSED>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request processed successfully
-
 #
-# LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE
+# Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Failure]
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
 # SubjectID must be the CUID of the token requesting encrypt data
@@ -675,10 +699,10 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=<type=ENCRYPT_DATA_R
 # KeyInfo_KeyVersion is the key version number requested in hex.
 # NistSP800_108KdfOnKeyVersion lists the value of the corresponding setting in hex.
 # NistSP800_108KdfUseCuidAsKdd lists the value of the corresponding setting in hex.
-LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE=<type=ENCRYPT_DATA_REQUEST_PROCESSED>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request failed
 #
+LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE=<type=ENCRYPT_DATA_REQUEST_PROCESSED>:[AuditEvent=ENCRYPT_DATA_REQUEST_PROCESSED]{0} TKS encrypt data request failed
 #
-# LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE
+# Event: SECURITY_DOMAIN_UPDATE
 # - used when updating contents of security domain
 #       (add/remove a subsystem)
 # ParamNameValPairs must be a name;;value pair
@@ -687,9 +711,7 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE=<type=ENCRYPT_DATA_R
 #
 LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=<type=SECURITY_DOMAIN_UPDATE>:[AuditEvent=SECURITY_DOMAIN_UPDATE][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] security domain update
 #
-#
-#
-# LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER
+# Event: CONFIG_SERIAL_NUMBER
 # - used when configuring serial number ranges
 #      (when requesting a serial number range when cloning, for example)
 # ParamNameValPairs must be a name;;value pair
@@ -698,7 +720,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=<type=SECURITY_DOMAIN_UPDATE>:[Aud
 #
 LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=<type=CONFIG_SERIAL_NUMBER>:[AuditEvent=CONFIG_SERIAL_NUMBER][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] serial number range update
 #
-# LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
+# Event: SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
 # - used when user security data archive request is processed
 #    this is when DRM receives and processed the request
 # ArchivalRequestID is the requestID provided by the CA through the connector
@@ -709,7 +731,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=<type=CONFIG_SERIAL_NUMBER>:[AuditEv
 #
 LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=<type=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED]{0} security data archival request processed
 #
-# LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST
+# Event: SECURITY_DATA_ARCHIVAL_REQUEST
 # - used when security data recovery request is made
 # ArchivalRequestID is the requestID provided by the CA through the connector
 #    It is used to track the request through from CA to KRA.
@@ -719,8 +741,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=<type=SECURITY_DAT
 #
 LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=<type=SECURITY_DATA_ARCHIVAL_REQUEST>:[AuditEvent=SECURITY_DATA_ARCHIVAL_REQUEST]{0} security data archival request made
 #
-#
-# LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED
+# Event: SECURITY_DATA_RECOVERY_REQUEST_PROCESSED
 # - used when security data recovery request is processed
 # RecoveryID must be the recovery request ID
 # KeyID is the ID of the security data being requested to be recovered
@@ -728,15 +749,14 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=<type=SECURITY_DATA_ARCHIVAL
 #
 LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=<type=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_PROCESSED]{0} security data recovery request processed
 #
-#
-# LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST
+# Event: SECURITY_DATA_RECOVERY_REQUEST
 # - used when security data recovery request is made
 # RecoveryID must be the recovery request ID
 # DataID is the ID of the security data to be recovered
 #
 LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=<type=SECURITY_DATA_RECOVERY_REQUEST>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST]{0} security data recovery request made
 #
-# LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_STATE_CHANGE
+# Event: SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE
 # - used when DRM agents login as recovery agents to change
 #   the state of key recovery requests
 # RecoveryID must be the recovery request ID
@@ -744,7 +764,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=<type=SECURITY_DATA_RECOVERY
 #
 LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=<type=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE>:[AuditEvent=SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE]{0} security data recovery request state change
 #
-# LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY
+# Event: SECURITY_DATA_EXPORT_KEY
 # - used when user attempts to retrieve key after the recovery request
 #   has been approved.
 #
@@ -755,7 +775,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=<type=SECURITY_
 #
 LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY=<type=SECURITY_DATA_EXPORT_KEY>:[AuditEvent=SECURITY_DATA_EXPORT_KEY]{0} security data retrieval request
 #
-# LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO
+# Event: SECURITY_DATA_INFO
 # - used when user attempts to get metadata information about a key
 #
 # RecoveryID must be the recovery request ID
@@ -765,7 +785,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY=<type=SECURITY_DATA_EXPORT_KEY>:[A
 #
 LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=<type=SECURITY_DATA_INFO>:[AuditEvent=SECURITY_DATA_INFO]{0} security data info request
 #
-# LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE
+# Event: KEY_STATUS_CHANGE
 # - used when modify key status is executed
 # keyID must be an existing key id in the database
 # oldStatus is the old status to change from
@@ -773,7 +793,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=<type=SECURITY_DATA_INFO>:[AuditEvent=SE
 #
 LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=<type=KEY_STATUS_CHANGE>:[AuditEvent=KEY_STATUS_CHANGE]{0} Key Status Change
 #
-# LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED
+# Event: SYMKEY_GENERATION_REQUEST_PROCESSED
 # - used when symmetric key generation request is processed
 #    this is when DRM receives and processes the request
 # Client ID must be the user supplied client ID associated with
@@ -781,45 +801,47 @@ LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=<type=KEY_STATUS_CHANGE>:[AuditEvent=KEY_
 #
 LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED=<type=SYMKEY_GENERATION_REQUEST_PROCESSED>:[AuditEvent=SYMKEY_GENERATION_REQUEST_PROCESSED]{0} symkey generation request processed
 #
-# LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST
+# Event: SYMKEY_GENERATION_REQUEST
 # - used when symmetric key generation request is made
 # ClientKeyID is the ID of the symmetirc key to be generated and archived
 #
 LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=<type=SYMKEY_GENERATION_REQUEST>:[AuditEvent=SYMKEY_GENERATION_REQUEST]{0} symkey generation request made
 #
-# LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST
+# Event: ASYMKEY_GENERATION_REQUEST
 # - used when asymmetric key generation request is made
+#
 LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=<type=ASYMKEY_GENERATION_REQUEST>:[AuditEvent=ASYMKEY_GENERATION_REQUEST]{0} Asymkey generation request made
 #
-# LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED
+# Event: ASYMKEY_GENERATION_REQUEST_PROCESSED
 # - used when a request to generate asymmetric keys received by the DRM
 #   is processed.
+#
 LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=<type=ASYMKEY_GENERATION_REQUEST_PROCESSED>:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED]{0} Asymkey generation request processed
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT
+# Event: TOKEN_CERT_ENROLLMENT
 # - used for TPS when token certificate enrollment request is made
 # - Info is normally used to store more info in case of failure
 #
 LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9=<type=TOKEN_CERT_ENROLLMENT>:[AuditEvent=TOKEN_CERT_ENROLLMENT][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate enrollment request made
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL
+# Event: TOKEN_CERT_RENEWAL
 # - used for TPS when token certificate renewal request is made
 # - Info is normally used to store more info in case of failure
 #
 LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[AuditEvent=TOKEN_CERT_RENEWAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate renewal request made
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL
+# Event: TOKEN_CERT_RETRIEVAL
 # - used for TPS when token certificate retrieval request is made;
 #   usually used during recovery, along with LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY
 #
 LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9=<type=TOKEN_CERT_RETRIEVAL>:[AuditEvent=TOKEN_CERT_RETRIEVAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate retrieval request made
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY
+# Event: TOKEN_KEY_RECOVERY
 # - used for TPS when token certificate key recovery request is made
 #
 LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10=<type=TOKEN_KEY_RECOVERY>:[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST
+# Event: TOKEN_CERT_STATUS_CHANGE_REQUEST
 # - used when a token certificate status change request (e.g. revocation) is made
 # CUID must be the last token that the certificate was associated with
 # CertSerialNum must be the serial number (in decimal) of the certificate to be revoked
@@ -827,52 +849,60 @@ LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10=<type=TOKEN_KEY_RECOVERY>:[AuditEvent
 #
 LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10=<type=TOKEN_CERT_STATUS_CHANGE_REQUEST>:[AuditEvent=TOKEN_CERT_STATUS_CHANGE_REQUEST][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][CertSerialNum={5}][RequestType={6}][RevokeReasonNum={7}][CA_ID={8}][Info={9}] token certificate revocation/unrevocation request made
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS
+# Event: TOKEN_PIN_RESET with [Outcome=Success]
 # - used when token pin reset request succeeded
+#
 LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS=<type=TOKEN_PIN_RESET>:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset success
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE
+# Event: TOKEN_PIN_RESET with [Outcome=Failure]
 # - used when token pin reset request failed
+#
 LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE=<type=TOKEN_PIN_RESET>:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset failure
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST
+# Event: TOKEN_OP_REQUEST
 # - used when token processor op request is made
 # - OP can be "format", "enroll", or "pinReset"
+#
 LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=<type=TOKEN_OP_REQUEST>:[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token processor op request made
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS
+# Event: TOKEN_FORMAT with [Outcome=Success]
 # - used when token format op succeeded
+#
 LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS=<type=TOKEN_FORMAT>:[AuditEvent=TOKEN_FORMAT]{0} token op format success
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE
+# Event: TOKEN_FORMAT with [Outcome=Failure]
 # - used when token format op failed
-LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE=<type=TOKEN_FORMAT>:[AuditEvent=TOKEN_FORMAT]{0} token op format failure
 #
+LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE=<type=TOKEN_FORMAT>:[AuditEvent=TOKEN_FORMAT]{0} token op format failure
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS
+# Event: TOKEN_APPLET_UPGRADE with [Outcome=Success]
 # - used when token apple upgrade succeeded
-LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade success
 #
+LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade success
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE
+# Event: TOKEN_APPLET_UPGRADE with [Outcome=Failure]
 # - used when token apple upgrade failed
+#
 LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade failure
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED
+# Event: TOKEN_KEY_CHANGEOVER_REQUIRED
 # - used when token key changeover is required
+#
 LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=<type=TOKEN_KEY_CHANGEOVER_REQUIRED>:[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS
+# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Success]
 # - used when token key changeover succeeded
 # - Info usually is unused for success
+#
 LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover success
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE
+# Event: TOKEN_KEY_CHANGEOVER with [Outcome=Failure]
 # - used when token key changeover failed
 # - Info is used for storing more info in case of failure
+#
 LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover failure
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE
+# Event: TOKEN_AUTH with [Outcome=Failure]
 # - used when authentication failed
 # Outcome should always be "failure" in this event
 #   (obviously, if authentication failed, you won't have a valid SubjectID, so
@@ -882,7 +912,7 @@ LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=<type=TOKEN_KEY_CHANGEOVER>:[A
 #
 LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH]{0} token authentication failure
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS
+# Event: TOKEN_AUTH with [Outcome=Success]
 # - used when authentication succeeded
 # Outcome should always be "success" in this event
 # AuthMgr must be the authentication manager instance name that did
@@ -890,7 +920,7 @@ LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH
 #
 LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH]{0} token authentication success
 #
-# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL
+# Event: CONFIG_TOKEN_GENERAL
 # - used when doing general TPS configuration
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -900,7 +930,7 @@ LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH
 #
 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5=<type=CONFIG_TOKEN_GENERAL>:[AuditEvent=CONFIG_TOKEN_GENERAL][SubjectID={0}][Outcome={1}][Service={2}][ParamNameValPairs={3}][Info={4}] TPS token configuration parameter(s) change
 #
-# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE
+# Event: CONFIG_TOKEN_PROFILE
 # - used when configuring token profile
 # Service can be any of the methods offered
 # ParamNameValPairs must be a name;;value pair
@@ -911,7 +941,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5=<type=CONFIG_TOKEN_GENERAL>:[AuditEv
 #
 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6=<type=CONFIG_TOKEN_PROFILE>:[AuditEvent=CONFIG_TOKEN_PROFILE][SubjectID={0}][Outcome={1}][Service={2}][ProfileID={3}][ParamNameValPairs={4}][Info={5}] token profile configuration parameter(s) change
 #
-# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER
+# Event: CONFIG_TOKEN_MAPPING_RESOLVER
 # - used when configuring token mapping resolver
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -921,7 +951,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6=<type=CONFIG_TOKEN_PROFILE>:[AuditEv
 #
 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6=<type=CONFIG_TOKEN_MAPPING_RESOLVER>:[AuditEvent=CONFIG_TOKEN_MAPPING_RESOLVER][SubjectID={0}][Outcome={1}][Service={2}][MappingResolverID={3}][ParamNameValPairs={4}][Info={5}] token mapping resolver configuration parameter(s) change
 #
-# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR
+# Event: CONFIG_TOKEN_AUTHENTICATOR
 # - used when configuring token authenticators
 # Service can be any of the methods offered
 # ParamNameValPairs must be a name;;value pair
@@ -932,7 +962,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6=<type=CONFIG_TOKEN_MAPPING_
 #
 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6=<type=CONFIG_TOKEN_AUTHENTICATOR>:[AuditEvent=CONFIG_TOKEN_AUTHENTICATOR][SubjectID={0}][Outcome={1}][OP={2}][Authenticator={3}][ParamNameValPairs={4}][Info={5}] token authenticator configuration parameter(s) change
 #
-# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR
+# Event: CONFIG_TOKEN_CONNECTOR
 # - used when configuring token connectors
 # Service can be any of the methods offered
 # ParamNameValPairs must be a name;;value pair
@@ -943,7 +973,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6=<type=CONFIG_TOKEN_AUTHENTICAT
 #
 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6=<type=CONFIG_TOKEN_CONNECTOR>:[AuditEvent=CONFIG_TOKEN_CONNECTOR][SubjectID={0}][Outcome={1}][Service={2}][Connector={3}][ParamNameValPairs={4}][Info={5}] token connector configuration parameter(s) change
 #
-# LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD
+# Event: CONFIG_TOKEN_RECORD
 # - used when information in token record changed
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -953,7 +983,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6=<type=CONFIG_TOKEN_CONNECTOR>:[Aud
 #
 LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6=<type=CONFIG_TOKEN_RECORD>:[AuditEvent=CONFIG_TOKEN_RECORD][SubjectID={0}][Outcome={1}][OP={2}][TokenID={3}][ParamNameValPairs={4}][Info={5}] token record configuration parameter(s) change
 #
-# LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE
+# Event: TOKEN_STATE_CHANGE
 # - used when token state changed
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -963,7 +993,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6=<type=CONFIG_TOKEN_RECORD>:[AuditEven
 #
 LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8=<type=TOKEN_STATE_CHANGE>:[AuditEvent=TOKEN_STATE_CHANGE][SubjectID={0}][Outcome={1}][oldState={2}][oldReason={3}][newState={4}][newReason={5}][ParamNameValPairs={6}][Info={7}] token state changed
 #
-# LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG
+# Event: AUTHORITY_CONFIG
 # - used when configuring lightweight authorities
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -971,7 +1001,7 @@ LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8=<type=TOKEN_STATE_CHANGE>:[AuditEvent=
 #
 LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=<type=AUTHORITY_CONFIG>:[AuditEvent=AUTHORITY_CONFIG][SubjectID={0}][Outcome={1}][ParamNameValPairs={2}] lightweight authority configuration change
 #
-# LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE
+# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
 # - used when access session failed to establish
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -980,7 +1010,7 @@ LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=<type=AUTHORITY_CONFIG>:[AuditEvent=AUTH
 LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 <type=ACCESS_SESSION_ESTABLISH>:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish failure
 #
-# LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS
+# Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success]
 # - used when access session was established successfully
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -989,7 +1019,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
 <type=ACCESS_SESSION_ESTABLISH>:[AuditEvent=ACCESS_SESSION_ESTABLISH]{0} access session establish success
 #
-# LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED
+# Event: ACCESS_SESSION_TERMINATED
 # - used when access session was terminated
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -997,32 +1027,30 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
 #
 LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\
 <type=ACCESS_SESSION_TERMINATED>:[AuditEvent=ACCESS_SESSION_TERMINATED]{0} access session terminated
-
 #
-# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE
+# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
 # access session failed to establish when Certificate System acts as client
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 <type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client
 #
-# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS
+# Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Success]
 # - used when access session was established successfully when
 #   Certificate System acts as client
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
 <type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client
 #
-# LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED
+# Event: CLIENT_ACCESS_SESSION_TERMINATED
 # - used when access session was terminated when Certificate System acts as client
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\
 <type=CLIENT_ACCESS_SESSION_TERMINATED>:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client
-
-
-###########################
-#Unselectable signedAudit Events
 #
-# LOGGING_SIGNED_AUDIT_SIGNING
+#########################################################################
+# Unselectable Signed Audit Events
+#
+# Event: AUDIT_LOG_SIGNING
 # - used when a signature on the audit log is generated (same as "flush" time)
 # SubjectID is predefined to be "$System$" because this operation
 #   associates with no user
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 49bee4b..6e8dd31 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -73,6 +73,51 @@ class PKIServer(object):
 
         return instances
 
+    @staticmethod
+    def load_audit_events(filename):
+
+        logger.info('Loading %s', filename)
+
+        with open(filename) as f:
+            lines = f.read().splitlines()
+
+        events = {}
+
+        event_pattern = re.compile(r'# Event: (\S+)')
+        subsystems_pattern = re.compile(r'# Applicable subsystems: (.*)')
+        event = None
+
+        for line in lines:
+
+            logger.debug('Parsing: %s', line)
+
+            event_match = event_pattern.match(line)
+            if event_match:
+
+                event = event_match.group(1)
+                logger.info('Found event %s', event)
+
+                events[event] = []
+                continue
+
+            subsystems_match = subsystems_pattern.match(line)
+            if subsystems_match:
+
+                subsystems = subsystems_match.group(1)
+                logger.info('Found subsystems %s', subsystems)
+
+                subsystems = subsystems.replace(' ', '').split(',')
+                event_subsystems = events.get(event)
+                event_subsystems.extend(subsystems)
+
+        logger.info('Events:')
+
+        for event in events:
+            subsystems = events[event]
+            logger.info('- %s: %s', event, subsystems)
+
+        return events
+
 
 @functools.total_ordering
 class PKISubsystem(object):
@@ -536,7 +581,6 @@ class PKISubsystem(object):
 
         # get the full list of audit events from audit-events.properties
 
-        properties = {}
         tmpdir = tempfile.mkdtemp()
 
         try:
@@ -560,28 +604,25 @@ class PKISubsystem(object):
                 stderr=subprocess.STDOUT)
 
             # load audit-events.properties
-            log_messages_properties = os.path.join(tmpdir, 'audit-events.properties')
-            pki.util.load_properties(log_messages_properties, properties)
+            filename = os.path.join(tmpdir, 'audit-events.properties')
+            events = PKIServer.load_audit_events(filename)
 
         finally:
             shutil.rmtree(tmpdir)
 
-        # get audit events
-        events = set()
-        value_pattern = re.compile(r'<type=(.*)>:')
+        # get audit events for the subsystem
+        results = set()
+        subsystem = self.name.upper()
 
-        for name in properties:
+        for event, subsystems in events.items():
 
-            value = properties[name]
-
-            value_match = value_pattern.match(value)
-            if not value_match:
+            if subsystem not in subsystems:
                 continue
 
-            event = value_match.group(1)
-            events.add(event)
+            logger.info('Returning %s', event)
+            results.add(event)
 
-        return sorted(events)
+        return sorted(results)
 
     def get_enabled_audit_events(self):
 
-- 
1.8.3.1


From 02a1af45650b9846ac8fd2299ee03843b091d3f0 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Wed, 23 Jan 2019 14:03:57 -0600
Subject: [PATCH 18/26] Moved list of available CA audit events

The list of available CA audit events has been moved from
log.instance.SignedAudit._005 property in CS.cfg into the
"Applicable subsystems" fields in audit-events.properties.

Note that the following events do not have any corresponding
entries in audit-events.properties:

- KEY_RECOVERY_REQUEST_ASYNC
- KEY_RECOVERY_REQUEST_PROCESSED
- KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
- PRIVATE_KEY_ARCHIVE_REQUEST
- PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
- PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS
- PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 48a1fea9b6b75cd9bb821d3ee3b23831f890bd7f)
---
 base/ca/shared/conf/CS.cfg                        | 10 +--
 base/server/cmsbundle/src/audit-events.properties | 76 +++++++++++++++++++++++
 2 files changed, 82 insertions(+), 4 deletions(-)

diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 29d4fd4..5621b0a 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -903,10 +903,12 @@ log.impl.file.class=com.netscape.cms.logging.RollingLogFile
 log.instance.SignedAudit._000=##
 log.instance.SignedAudit._001=## Signed Audit Logging
 log.instance.SignedAudit._002=##
-log.instance.SignedAudit._003=##
-log.instance.SignedAudit._004=## Available Audit events:
-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,CERT_SIGNING_INFO,OCSP_SIGNING_INFO,CRL_SIGNING_INFO,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CMC_PROOF_OF_IDENTIFICATION,CMC_ID_POP_LINK_WITNESS,SCHEDULE_CRL_GENERATION,DELTA_CRL_GENERATION,DELTA_CRL_PUBLISHING,FULL_CRL_GENERATION,FULL_CRL_PUBLISHING,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,AUTHORITY_CONFIG,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,SECURITY_DATA_ARCHIVAL_REQUEST,RANDOM_GENERATION
-log.instance.SignedAudit._006=##
+log.instance.SignedAudit._003=## To list available audit events:
+log.instance.SignedAudit._004=## $ pki-server ca-audit-event-find
+log.instance.SignedAudit._005=##
+log.instance.SignedAudit._006=## To enable/disable audit event:
+log.instance.SignedAudit._007=## $ pki-server ca-audit-event-enable/disable <event name>
+log.instance.SignedAudit._008=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
 log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG
diff --git a/base/server/cmsbundle/src/audit-events.properties b/base/server/cmsbundle/src/audit-events.properties
index e30d996..ddfa4d2 100644
--- a/base/server/cmsbundle/src/audit-events.properties
+++ b/base/server/cmsbundle/src/audit-events.properties
@@ -24,16 +24,19 @@
 #
 # Event: AUDIT_LOG_STARTUP
 # - used at audit function startup
+# Applicable subsystems: CA
 #
 LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2=<type=AUDIT_LOG_STARTUP>:[AuditEvent=AUDIT_LOG_STARTUP][SubjectID={0}][Outcome={1}] audit function startup
 #
 # Event: AUDIT_LOG_SHUTDOWN
 # - used at audit function shutdown
+# Applicable subsystems: CA
 #
 LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=<type=AUDIT_LOG_SHUTDOWN>:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown
 #
 # Event: CIMC_CERT_VERIFICATION
 # - used for verifying CIMC system certificates
+# Applicable subsystems: CA
 # - CertNickName is the cert nickname
 #
 LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CIMC certificate verification
@@ -41,6 +44,7 @@ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[Aud
 # Event: ROLE_ASSUME
 # - used when user assumes a role (in current CS that's when one accesses a
 #     role port)
+# Applicable subsystems: CA
 # Role must be be one of the valid roles, by default: "Administrators",
 #     "Certificate Manager Agents", and "Auditors"
 #     note that customized role names can be used once configured
@@ -49,6 +53,7 @@ LOGGING_SIGNED_AUDIT_ROLE_ASSUME=<type=ROLE_ASSUME>:[AuditEvent=ROLE_ASSUME]{0}
 #
 # Event: CONFIG_CERT_POLICY
 # - used when configuring certificate policy constraints and extensions
+# Applicable subsystems: CA
 # ParamNameValPairs must be a name;;value pair
 # (where name and value are separated by the delimiter ;;)
 # separated by + (if more than one name;;value pair) of config params changed
@@ -59,6 +64,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=<type=CONFIG_CERT_POLICY>:[AuditEvent=
 # - used when configuring certificate profile
 #    (general settings and certificate profile)
 #    (extensions and constraints policies are to be obsoleted but do it anyway)
+# Applicable subsystems: CA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -68,6 +74,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=<type=CONFIG_CERT_PROFILE>:[AuditEven
 # Event: CONFIG_CRL_PROFILE
 # - used when configuring  CRL profile
 #    (extensions, frequency, CRL format)
+# Applicable subsystems: CA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -77,6 +84,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=<type=CONFIG_CRL_PROFILE>:[AuditEvent=
 # Event: CONFIG_OCSP_PROFILE
 # - used when configuring OCSP profile
 #    (everything under Online Certificate Status Manager)
+# Applicable subsystems: CA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -85,6 +93,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=<type=CONFIG_OCSP_PROFILE>:[AuditEven
 #
 # Event: CONFIG_AUTH
 # - used when configuring authentication
+# Applicable subsystems: CA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -95,6 +104,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=<type=CONFIG_AUTH>:[AuditEvent=CONFIG_AUTH][S
 # Event: CONFIG_ROLE
 # - used when configuring role information (anything under users/groups)
 #       add/remove/edit a role, etc)
+# Applicable subsystems: CA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -103,6 +113,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ROLE=<type=CONFIG_ROLE>:[AuditEvent=CONFIG_ROLE]{0}
 #
 # Event: CONFIG_ACL
 # - used when configuring ACL information
+# Applicable subsystems: CA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -111,6 +122,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=<type=CONFIG_ACL>:[AuditEvent=CONFIG_ACL][Subj
 #
 # Event: CONFIG_SIGNED_AUDIT
 # - used when configuring signedAudit
+# Applicable subsystems: CA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -119,6 +131,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=<type=CONFIG_SIGNED_AUDIT>:[AuditEvent=
 #
 # Event: CONFIG_ENCRYPTION
 # - used when configuring encryption (cert settings and SSL cipher preferences)
+# Applicable subsystems: CA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -132,6 +145,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=<type=CONFIG_ENCRYPTION>:[AuditEvent=CO
 #      2. "Certificate Setup Wizard" is used to import CA certificates into the
 #         certificate database (Although CrossCertificatePairs are stored
 #         within internaldb, audit them as well)
+# Applicable subsystems: CA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -141,6 +155,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=<type=CONFIG_TRUSTED_PUBLIC_KEY>:
 # Event: CONFIG_DRM
 # - used when configuring DRM
 #     (Key recovery scheme, change of any secret component)
+# Applicable subsystems: CA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -150,6 +165,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=<type=CONFIG_DRM>:[AuditEvent=CONFIG_DRM][Subj
 #
 # Event: SELFTESTS_EXECUTION
 # - used when self tests are run
+# Applicable subsystems: CA
 #
 LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details)
 #
@@ -157,6 +173,7 @@ LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEven
 # - used AFTER audit log gets expired (authz should not allow,
 #    but in case authz gets compromised.  Make sure it is written
 #    AFTER the log expiration happens)
+# Applicable subsystems: CA
 # LogFile must be the complete name (including the path) of the
 #    signedAudit log that is attempted to be deleted
 #
@@ -167,6 +184,7 @@ LOGGING_SIGNED_AUDIT_LOG_DELETE_3=<type=AUDIT_LOG_DELETE>:[AuditEvent=AUDIT_LOG_
 #    audit, system, transaction, or other customized log file
 #    change is attempted (authz should not allow, but make sure it's
 #    written after the attempt)
+# Applicable subsystems: CA
 # LogType must be "System", "Transaction", or "SignedAudit"
 # toLogFile must be the name (including any path changes) that the user is
 #    attempting to change to
@@ -176,6 +194,7 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
 # Event: LOG_EXPIRATION_CHANGE
 # - used when log expiration time change is attempted (authz should not
 #    allow, but make sure it's written after the attempt)
+# Applicable subsystems: CA
 # LogType must be "System", "Transaction", or "SignedAudit"
 # ExpirationTime must be the amount of time (in seconds) that is
 #    attempted to be changed to
@@ -186,6 +205,7 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
 # Event: SERVER_SIDE_KEYGEN_REQUEST
 # - used when server-side key generation request is made
 #    This is for tokenkeys
+# Applicable subsystems: CA
 # EntityID must be the representation of the subject that will be on the certificate when issued
 #
 LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST]{0} server-side key generation request
@@ -193,6 +213,7 @@ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST
 # Event: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
 # - used when server-side key generation request has been processed.
 #    This is for tokenkeys
+# Applicable subsystems: CA
 # EntityID must be the representation of the subject that will be on the certificate when issued
 # PubKey must be the base-64 encoded public key associated with
 #    the private key to be archived
@@ -201,6 +222,7 @@ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=<type=SERVER_SIDE_KEYG
 #
 # Event: KEY_RECOVERY_REQUEST
 # - used when key recovery request is made
+# Applicable subsystems: CA
 # RecoveryID must be the recovery request ID
 # PubKey must be the base-64 encoded public key associated with
 #    the private key to be recovered
@@ -210,6 +232,7 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=<type=KEY_RECOVERY_REQUEST>:[AuditEv
 # Event: KEY_RECOVERY_AGENT_LOGIN
 # - used when DRM agents login as recovery agents to approve
 #       key recovery requests
+# Applicable subsystems: CA
 # RecoveryID must be the recovery request ID
 # RecoveryAgent must be the recovery agent the DRM agent is
 #       logging in with
@@ -220,24 +243,29 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=<type=KEY_RECOVERY_AGENT_LOGIN>:
 # - used when asymmetric keys are generated
 #   (like when CA certificate requests are generated -
 #      e.g. CA certificate change over, renewal with new key, etc.)
+# Applicable subsystems: CA
 # PubKey must be the base-64 encoded public key material
 #
 LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=<type=KEY_GEN_ASYMMETRIC>:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation
 #
 # Event: CERT_SIGNING_INFO
+# Applicable subsystems: CA
 #
 LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO=<type=CERT_SIGNING_INFO>:[AuditEvent=CERT_SIGNING_INFO]{0} certificate signing info
 #
 # Event: OCSP_SIGNING_INFO
+# Applicable subsystems: CA
 #
 LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO=<type=OCSP_SIGNING_INFO>:[AuditEvent=OCSP_SIGNING_INFO]{0} OCSP signing info
 #
 # Event: CRL_SIGNING_INFO
+# Applicable subsystems: CA
 #
 LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=<type=CRL_SIGNING_INFO>:[AuditEvent=CRL_SIGNING_INFO]{0} CRL signing info
 #
 # Event: NON_PROFILE_CERT_REQUEST
 # - used when a non-profile certificate request is made (before approval process)
+# Applicable subsystems: CA
 # SubjectID must be the UID of user that triggered this event
 #        (if CMC enrollment requests signed by an agent, SubjectID should
 #        be that of the agent), while
@@ -250,6 +278,7 @@ LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=<type=NON_PROFILE_CERT_REQUEST>:
 #
 # Event: CMC_REQUEST_RECEIVED
 # - used when a CMC request is received.
+# Applicable subsystems: CA
 # SubjectID must be the UID of user that triggered this event
 #        (if CMC requests is signed by an agent, SubjectID should
 #        be that of the agent)
@@ -259,12 +288,14 @@ LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=<type=CMC_REQUEST_RECEIVED>:[AuditEv
 #
 # Event: CMC_RESPONSE_SENT
 # - used when a CMC response is sent
+# Applicable subsystems: CA
 # SubjectID must be the UID of user that triggered this event
 #
 LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=<type=CMC_RESPONSE_SENT>:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent
 #
 # Event: PROFILE_CERT_REQUEST
 # - used when a profile certificate request is made (before approval process)
+# Applicable subsystems: CA
 # SubjectID must be the UID of user that triggered this event
 #        (if CMC enrollment requests signed by an agent, SubjectID should
 #        be that of the agent), while
@@ -277,6 +308,7 @@ LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=<type=PROFILE_CERT_REQUEST>:[AuditEv
 #
 # Event: CERT_REQUEST_PROCESSED
 # - used when certificate request has just been through the approval process
+# Applicable subsystems: CA
 # SubjectID must be the UID of the agent who approves, rejects, or cancels
 #        the certificate request
 # ReqID must be the request ID
@@ -290,6 +322,7 @@ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=<type=CERT_REQUEST_PROCESSED>:[Audit
 # Event: CERT_STATUS_CHANGE_REQUEST
 # - used when a certificate status change request (e.g. revocation)
 #        is made (before approval process)
+# Applicable subsystems: CA
 # ReqID must be the request ID
 # CertSerialNum must be the serial number (in hex) of the certificate to be revoked
 # RequestType must be "revoke", "on-hold", "off-hold"
@@ -299,6 +332,7 @@ LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=<type=CERT_STATUS_CHANGE_REQUEST
 # Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED
 # - used when certificate status is changed (revoked, expired, on-hold,
 #        off-hold)
+# Applicable subsystems: CA
 # SubjectID must be the UID of the agent that processed the request
 # ReqID must be the request ID
 # RequestType must be "revoke", "on-hold", "off-hold"
@@ -320,6 +354,7 @@ LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=<type=CERT_STATUS_CHAN
 #
 # Event: AUTHZ with [Outcome=Success]
 # - used when authorization is successful
+# Applicable subsystems: CA
 # Outcome must be success for this event
 # aclResource must be the ACL resource ID as defined in ACL resource list
 # Op must be one of the operations as defined with the ACL statement
@@ -329,6 +364,7 @@ LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorizat
 #
 # Event: AUTHZ with [Outcome=Failure]
 # - used when authorization has failed
+# Applicable subsystems: CA
 # Outcome must be failure for this event
 # aclResource must be the ACL resource ID as defined in ACL resource list
 # Op must be one of the operations as defined with the ACL statement
@@ -339,6 +375,7 @@ LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization
 # Event: INTER_BOUNDARY
 # - used when inter-CIMC_Boundary data transfer is successful
 #   (this is used when data does not need to be captured)
+# Applicable subsystems: CA
 # ProtectionMethod must be one of the following: "SSL", or "unknown"
 # ReqType must be the request type
 # ReqID must be the request ID
@@ -349,6 +386,7 @@ LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=<type=INTER_BOUNDARY>:[AuditEvent=
 # - used when authentication fails (in case of SSL-client auth,
 #    only webserver env can pick up the SSL violation;
 #    CS authMgr can pick up certificate mis-match, so this event is used)
+# Applicable subsystems: CA
 # Outcome should always be "failure" in this event
 #   (obviously, if authentication failed, you won't have a valid SubjectID, so
 #       in this case, SubjectID should be $Unidentified$)
@@ -360,6 +398,7 @@ LOGGING_SIGNED_AUDIT_AUTH_FAIL=<type=AUTH>:[AuditEvent=AUTH]{0} authentication f
 #
 # Event: AUTH with [Outcome=Success]
 # - used when authentication succeeded
+# Applicable subsystems: CA
 # Outcome should always be "success" in this event
 # AuthMgr must be the authentication manager instance name that did
 #   this authentication
@@ -369,6 +408,7 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authenticatio
 # Event: CERT_PROFILE_APPROVAL
 # - used when an agent approves/disapproves a certificate profile set by the
 #     administrator for automatic approval
+# Applicable subsystems: CA
 # ProfileID must be one of the profiles defined by the administrator
 #           and to be approved by an agent
 # Op must be "approve" or "disapprove"
@@ -377,11 +417,13 @@ LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[Audit
 #
 # Event: PROOF_OF_POSSESSION
 # - used for proof of possession during certificate enrollment processing
+# Applicable subsystems: CA
 #
 LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=<type=PROOF_OF_POSSESSION>:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession
 #
 # Event: CMC_PROOF_OF_IDENTIFICATION
 # - used for proof of identification during CMC request processing
+# Applicable subsystems: CA
 # - In case of success, "SubjectID" is the actual identified identification;
 # - In case of failure, "SubjectID" is the attempted identification
 #
@@ -389,41 +431,48 @@ LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=<type=CMC_PROOF_OF_IDENTIFICA
 #
 # Event: CMC_ID_POP_LINK_WITNESS
 # - used for identification and POP linking verification during CMC request processing
+# Applicable subsystems: CA
 #
 LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=<type=CMC_ID_POP_LINK_WITNESS>:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification
 #
 # Event: SCHEDULE_CRL_GENERATION
 # - used when CRL generation is scheduled
+# Applicable subsystems: CA
 # Outcome is "success" when CRL generation is scheduled successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION=<type=SCHEDULE_CRL_GENERATION>:[AuditEvent=SCHEDULE_CRL_GENERATION]{0} schedule for CRL generation
 #
 # Event: DELTA_CRL_GENERATION
 # - used when delta CRL generation is complete
+# Applicable subsystems: CA
 # Outcome is "success" when delta CRL is generated successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=<type=DELTA_CRL_GENERATION>:[AuditEvent=DELTA_CRL_GENERATION]{0} Delta CRL generation
 #
 # Event: DELTA_CRL_PUBLISHING
 # - used when delta CRL publishing is complete
+# Applicable subsystems: CA
 # Outcome is "success" when delta CRL is publishing successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=<type=DELTA_CRL_PUBLISHING>:[AuditEvent=DELTA_CRL_PUBLISHING]{0} Delta CRL publishing
 #
 # Event: FULL_CRL_GENERATION
 # - used when full CRL generation is complete
+# Applicable subsystems: CA
 # Outcome is "success" when full CRL is generated successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=<type=FULL_CRL_GENERATION>:[AuditEvent=FULL_CRL_GENERATION]{0} Full CRL generation
 #
 # Event: FULL_CRL_PUBLISHING
 # - used when full  CRL publishing is complete
+# Applicable subsystems: CA
 # Outcome is "success" when full CRL is publishing successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=<type=FULL_CRL_PUBLISHING>:[AuditEvent=FULL_CRL_PUBLISHING]{0} Full CRL publishing
 #
 # Event: CRL_RETRIEVAL
 # - used when CRLs are retrieved by the OCSP Responder
+# Applicable subsystems: CA
 # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
 # CRLnum is the CRL number that identifies the CRL
 #
@@ -431,6 +480,7 @@ LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=<type=CRL_RETRIEVAL>:[AuditEvent=CRL_RETRIE
 #
 # Event: CRL_VALIDATION
 # - used when CRL is retrieved and validation process occurs
+# Applicable subsystems: CA
 #
 LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=<type=CRL_VALIDATION>:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation
 #
@@ -470,12 +520,14 @@ LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE=<type=OCSP_REMOVE_
 #
 # Event: OCSP_GENERATION
 # - used when an OCSP response generated is complete
+# Applicable subsystems: CA
 # Outcome is "success" when OCSP response is generated successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_OCSP_GENERATION=<type=OCSP_GENERATION>:[AuditEvent=OCSP_GENERATION]{0} OCSP response generation
 #
 # Event: RANDOM_GENERATION
 # - used when a random number generation is complete
+# Applicable subsystems: CA
 # Info:
 # - Caller is PKI code that calls the random number generator
 # - Size is size of random number in bytes
@@ -485,6 +537,7 @@ LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=<type=RANDOM_GENERATION>:[AuditEvent=RAND
 # Event: CMC_SIGNED_REQUEST_SIG_VERIFY
 # - used when agent signed CMC certificate requests or revocation requests
 #   are submitted and signature is verified
+# Applicable subsystems: CA
 # ReqType must be the request type (enrollment, or revocation)
 # CertSubject must be the certificate subject name of the certificate request
 # SignerInfo must be a unique String representation for the signer
@@ -494,6 +547,7 @@ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=<type=CMC_SIGNED_REQUEST_SIG_
 # Event: CMC_USER_SIGNED_REQUEST_SIG_VERIFY
 # - used when CMC (user-signed or self-signed) certificate requests or revocation requests
 #   are submitted and signature is verified
+# Applicable subsystems: CA
 # ReqType must be the request type (enrollment, or revocation)
 # CertSubject must be the certificate subject name of the certificate request
 # CMCSignerInfo must be a unique String representation for the CMC request signer
@@ -503,12 +557,14 @@ LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=<type=CMC_USER_S
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST
 # - used for TPS to TKS to get random challenge data
+# Applicable subsystems: CA
 # AgentID must be the trusted agent id used to make the request
 #
 LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=<type=COMPUTE_RANDOM_DATA_REQUEST>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Success]
 # - used for TPS to TKS to get random challenge data
+# Applicable subsystems: CA
 # Outcome is SUCCESS or FAILURE
 # Status is 0 for no error.
 # AgentID must be the trusted agent id used to make the request
@@ -516,6 +572,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Failure]
 # - used for TPS to TKS to get random challenge data
+# Applicable subsystems: CA
 # Outcome is SUCCESS or FAILURE
 # Status is 0 for no error.
 # Error gives the error message
@@ -525,6 +582,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE=<type=COMPUTE
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST
 # - used for TPS to TKS to get a sessoin key for secure channel setup
+# Applicable subsystems: CA
 # SubjectID must be the CUID of the token establishing the secure channel
 # AgentID must be the trusted agent id used to make the request
 ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
@@ -537,6 +595,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=<type=COMPUTE_SESSION_KEY_REQ
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Success]
 # - request for TPS to TKS to get a sessoin key for secure channel processed
+# Applicable subsystems: CA
 # SubjectID must be the CUID of the token establishing the secure channel
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -562,6 +621,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Failure]
 # - request for TPS to TKS to get a sessoin key for secure channel processed
+# Applicable subsystems: CA
 # SubjectID must be the CUID of the token establishing the secure channel
 # Outcome is SUCCESS or FAILURE
 # Status is error code or 0 for no error.
@@ -586,6 +646,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=<type=COMPUTE
 #
 # Event: DIVERSIFY_KEY_REQUEST
 # - request for TPS to TKS to do key change over
+# Applicable subsystems: CA
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # status is 0 for success, non-zero for various errors
@@ -600,6 +661,7 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6=<type=DIVERSIFY_KEY_REQUEST>:[Audit
 #
 # Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Success]
 # - request for TPS to TKS to do key change over request processed
+# Applicable subsystems: CA
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -621,6 +683,7 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=<type=DIVERSIFY_KEY
 #
 # Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Failure]
 # - request for TPS to TKS to do key change over request processed
+# Applicable subsystems: CA
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -644,6 +707,7 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=<type=DIVERSIFY_KEY
 # Event: ENCRYPT_DATA_REQUEST
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
+# Applicable subsystems: CA
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # status is 0 for success, non-zero for various errors
@@ -660,6 +724,7 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5=<type=ENCRYPT_DATA_REQUEST>:[AuditEv
 # Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Success]
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
+# Applicable subsystems: CA
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -682,6 +747,7 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=<type=ENCRYPT_DATA_R
 # Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Failure]
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
+# Applicable subsystems: CA
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # Outocme is SUCCESS or FAILURE
@@ -705,6 +771,7 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE=<type=ENCRYPT_DATA_R
 # Event: SECURITY_DOMAIN_UPDATE
 # - used when updating contents of security domain
 #       (add/remove a subsystem)
+# Applicable subsystems: CA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -714,6 +781,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=<type=SECURITY_DOMAIN_UPDATE>:[Aud
 # Event: CONFIG_SERIAL_NUMBER
 # - used when configuring serial number ranges
 #      (when requesting a serial number range when cloning, for example)
+# Applicable subsystems: CA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -733,6 +801,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=<type=SECURITY_DAT
 #
 # Event: SECURITY_DATA_ARCHIVAL_REQUEST
 # - used when security data recovery request is made
+# Applicable subsystems: CA
 # ArchivalRequestID is the requestID provided by the CA through the connector
 #    It is used to track the request through from CA to KRA.
 # RequestId is the KRA archival request ID
@@ -995,6 +1064,7 @@ LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8=<type=TOKEN_STATE_CHANGE>:[AuditEvent=
 #
 # Event: AUTHORITY_CONFIG
 # - used when configuring lightweight authorities
+# Applicable subsystems: CA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1003,6 +1073,7 @@ LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=<type=AUTHORITY_CONFIG>:[AuditEvent=AUTH
 #
 # Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
 # - used when access session failed to establish
+# Applicable subsystems: CA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1012,6 +1083,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 #
 # Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success]
 # - used when access session was established successfully
+# Applicable subsystems: CA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1021,6 +1093,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
 #
 # Event: ACCESS_SESSION_TERMINATED
 # - used when access session was terminated
+# Applicable subsystems: CA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1030,6 +1103,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\
 #
 # Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
 # access session failed to establish when Certificate System acts as client
+# Applicable subsystems: CA
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 <type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client
@@ -1037,12 +1111,14 @@ LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 # Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Success]
 # - used when access session was established successfully when
 #   Certificate System acts as client
+# Applicable subsystems: CA
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
 <type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client
 #
 # Event: CLIENT_ACCESS_SESSION_TERMINATED
 # - used when access session was terminated when Certificate System acts as client
+# Applicable subsystems: CA
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\
 <type=CLIENT_ACCESS_SESSION_TERMINATED>:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client
-- 
1.8.3.1


From 6db2a37a54b942af62b4e9a61ffc0964f8164d93 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 24 Jan 2019 17:11:54 +0100
Subject: [PATCH 19/26] Moved list of available KRA audit events

The list of available KRA audit events has been moved from
log.instance.SignedAudit._005 property in CS.cfg into the
"Applicable subsystems" fields in audit-events.properties.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 4e3494fec2079c9be89523da1b9c18514a1135c0)
---
 base/kra/shared/conf/CS.cfg                       |  10 +-
 base/server/cmsbundle/src/audit-events.properties | 129 ++++++++++++----------
 2 files changed, 75 insertions(+), 64 deletions(-)

diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
index 6108576..bc22f2e 100644
--- a/base/kra/shared/conf/CS.cfg
+++ b/base/kra/shared/conf/CS.cfg
@@ -298,10 +298,12 @@ log.impl.file.class=com.netscape.cms.logging.RollingLogFile
 log.instance.SignedAudit._000=##
 log.instance.SignedAudit._001=## Signed Audit Logging
 log.instance.SignedAudit._002=##
-log.instance.SignedAudit._003=##
-log.instance.SignedAudit._004=## Available Audit events:
-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,KEY_RECOVERY_AGENT_LOGIN,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CONFIG_SERIAL_NUMBER,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DATA_EXPORT_KEY,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,KEY_STATUS_CHANGE,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,SECURITY_DATA_INFO,RANDOM_GENERATION
-log.instance.SignedAudit._006=##
+log.instance.SignedAudit._003=## To list available audit events:
+log.instance.SignedAudit._004=## $ pki-server kra-audit-event-find
+log.instance.SignedAudit._005=##
+log.instance.SignedAudit._006=## To enable/disable audit event:
+log.instance.SignedAudit._007=## $ pki-server kra-audit-event-enable/disable <event name>
+log.instance.SignedAudit._008=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
 log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL
diff --git a/base/server/cmsbundle/src/audit-events.properties b/base/server/cmsbundle/src/audit-events.properties
index ddfa4d2..9b6f86a 100644
--- a/base/server/cmsbundle/src/audit-events.properties
+++ b/base/server/cmsbundle/src/audit-events.properties
@@ -24,19 +24,19 @@
 #
 # Event: AUDIT_LOG_STARTUP
 # - used at audit function startup
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 #
 LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2=<type=AUDIT_LOG_STARTUP>:[AuditEvent=AUDIT_LOG_STARTUP][SubjectID={0}][Outcome={1}] audit function startup
 #
 # Event: AUDIT_LOG_SHUTDOWN
 # - used at audit function shutdown
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 #
 LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=<type=AUDIT_LOG_SHUTDOWN>:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown
 #
 # Event: CIMC_CERT_VERIFICATION
 # - used for verifying CIMC system certificates
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # - CertNickName is the cert nickname
 #
 LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CIMC certificate verification
@@ -44,7 +44,7 @@ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[Aud
 # Event: ROLE_ASSUME
 # - used when user assumes a role (in current CS that's when one accesses a
 #     role port)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # Role must be be one of the valid roles, by default: "Administrators",
 #     "Certificate Manager Agents", and "Auditors"
 #     note that customized role names can be used once configured
@@ -53,7 +53,7 @@ LOGGING_SIGNED_AUDIT_ROLE_ASSUME=<type=ROLE_ASSUME>:[AuditEvent=ROLE_ASSUME]{0}
 #
 # Event: CONFIG_CERT_POLICY
 # - used when configuring certificate policy constraints and extensions
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ParamNameValPairs must be a name;;value pair
 # (where name and value are separated by the delimiter ;;)
 # separated by + (if more than one name;;value pair) of config params changed
@@ -64,7 +64,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=<type=CONFIG_CERT_POLICY>:[AuditEvent=
 # - used when configuring certificate profile
 #    (general settings and certificate profile)
 #    (extensions and constraints policies are to be obsoleted but do it anyway)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -74,7 +74,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=<type=CONFIG_CERT_PROFILE>:[AuditEven
 # Event: CONFIG_CRL_PROFILE
 # - used when configuring  CRL profile
 #    (extensions, frequency, CRL format)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -84,7 +84,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=<type=CONFIG_CRL_PROFILE>:[AuditEvent=
 # Event: CONFIG_OCSP_PROFILE
 # - used when configuring OCSP profile
 #    (everything under Online Certificate Status Manager)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -93,7 +93,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=<type=CONFIG_OCSP_PROFILE>:[AuditEven
 #
 # Event: CONFIG_AUTH
 # - used when configuring authentication
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -104,7 +104,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=<type=CONFIG_AUTH>:[AuditEvent=CONFIG_AUTH][S
 # Event: CONFIG_ROLE
 # - used when configuring role information (anything under users/groups)
 #       add/remove/edit a role, etc)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -113,7 +113,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ROLE=<type=CONFIG_ROLE>:[AuditEvent=CONFIG_ROLE]{0}
 #
 # Event: CONFIG_ACL
 # - used when configuring ACL information
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -122,7 +122,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=<type=CONFIG_ACL>:[AuditEvent=CONFIG_ACL][Subj
 #
 # Event: CONFIG_SIGNED_AUDIT
 # - used when configuring signedAudit
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -131,7 +131,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=<type=CONFIG_SIGNED_AUDIT>:[AuditEvent=
 #
 # Event: CONFIG_ENCRYPTION
 # - used when configuring encryption (cert settings and SSL cipher preferences)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -145,7 +145,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=<type=CONFIG_ENCRYPTION>:[AuditEvent=CO
 #      2. "Certificate Setup Wizard" is used to import CA certificates into the
 #         certificate database (Although CrossCertificatePairs are stored
 #         within internaldb, audit them as well)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -155,7 +155,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=<type=CONFIG_TRUSTED_PUBLIC_KEY>:
 # Event: CONFIG_DRM
 # - used when configuring DRM
 #     (Key recovery scheme, change of any secret component)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -165,7 +165,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=<type=CONFIG_DRM>:[AuditEvent=CONFIG_DRM][Subj
 #
 # Event: SELFTESTS_EXECUTION
 # - used when self tests are run
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 #
 LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details)
 #
@@ -173,7 +173,7 @@ LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEven
 # - used AFTER audit log gets expired (authz should not allow,
 #    but in case authz gets compromised.  Make sure it is written
 #    AFTER the log expiration happens)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # LogFile must be the complete name (including the path) of the
 #    signedAudit log that is attempted to be deleted
 #
@@ -184,7 +184,7 @@ LOGGING_SIGNED_AUDIT_LOG_DELETE_3=<type=AUDIT_LOG_DELETE>:[AuditEvent=AUDIT_LOG_
 #    audit, system, transaction, or other customized log file
 #    change is attempted (authz should not allow, but make sure it's
 #    written after the attempt)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # LogType must be "System", "Transaction", or "SignedAudit"
 # toLogFile must be the name (including any path changes) that the user is
 #    attempting to change to
@@ -194,7 +194,7 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
 # Event: LOG_EXPIRATION_CHANGE
 # - used when log expiration time change is attempted (authz should not
 #    allow, but make sure it's written after the attempt)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # LogType must be "System", "Transaction", or "SignedAudit"
 # ExpirationTime must be the amount of time (in seconds) that is
 #    attempted to be changed to
@@ -205,7 +205,7 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
 # Event: SERVER_SIDE_KEYGEN_REQUEST
 # - used when server-side key generation request is made
 #    This is for tokenkeys
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # EntityID must be the representation of the subject that will be on the certificate when issued
 #
 LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST]{0} server-side key generation request
@@ -213,7 +213,7 @@ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST
 # Event: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
 # - used when server-side key generation request has been processed.
 #    This is for tokenkeys
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # EntityID must be the representation of the subject that will be on the certificate when issued
 # PubKey must be the base-64 encoded public key associated with
 #    the private key to be archived
@@ -232,7 +232,7 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=<type=KEY_RECOVERY_REQUEST>:[AuditEv
 # Event: KEY_RECOVERY_AGENT_LOGIN
 # - used when DRM agents login as recovery agents to approve
 #       key recovery requests
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # RecoveryID must be the recovery request ID
 # RecoveryAgent must be the recovery agent the DRM agent is
 #       logging in with
@@ -243,7 +243,7 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=<type=KEY_RECOVERY_AGENT_LOGIN>:
 # - used when asymmetric keys are generated
 #   (like when CA certificate requests are generated -
 #      e.g. CA certificate change over, renewal with new key, etc.)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # PubKey must be the base-64 encoded public key material
 #
 LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=<type=KEY_GEN_ASYMMETRIC>:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation
@@ -265,7 +265,7 @@ LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=<type=CRL_SIGNING_INFO>:[AuditEvent=CRL_SI
 #
 # Event: NON_PROFILE_CERT_REQUEST
 # - used when a non-profile certificate request is made (before approval process)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # SubjectID must be the UID of user that triggered this event
 #        (if CMC enrollment requests signed by an agent, SubjectID should
 #        be that of the agent), while
@@ -295,7 +295,7 @@ LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=<type=CMC_RESPONSE_SENT>:[AuditEvent=CM
 #
 # Event: PROFILE_CERT_REQUEST
 # - used when a profile certificate request is made (before approval process)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # SubjectID must be the UID of user that triggered this event
 #        (if CMC enrollment requests signed by an agent, SubjectID should
 #        be that of the agent), while
@@ -322,7 +322,7 @@ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=<type=CERT_REQUEST_PROCESSED>:[Audit
 # Event: CERT_STATUS_CHANGE_REQUEST
 # - used when a certificate status change request (e.g. revocation)
 #        is made (before approval process)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ReqID must be the request ID
 # CertSerialNum must be the serial number (in hex) of the certificate to be revoked
 # RequestType must be "revoke", "on-hold", "off-hold"
@@ -332,7 +332,7 @@ LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=<type=CERT_STATUS_CHANGE_REQUEST
 # Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED
 # - used when certificate status is changed (revoked, expired, on-hold,
 #        off-hold)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # SubjectID must be the UID of the agent that processed the request
 # ReqID must be the request ID
 # RequestType must be "revoke", "on-hold", "off-hold"
@@ -354,7 +354,7 @@ LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=<type=CERT_STATUS_CHAN
 #
 # Event: AUTHZ with [Outcome=Success]
 # - used when authorization is successful
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # Outcome must be success for this event
 # aclResource must be the ACL resource ID as defined in ACL resource list
 # Op must be one of the operations as defined with the ACL statement
@@ -364,7 +364,7 @@ LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorizat
 #
 # Event: AUTHZ with [Outcome=Failure]
 # - used when authorization has failed
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # Outcome must be failure for this event
 # aclResource must be the ACL resource ID as defined in ACL resource list
 # Op must be one of the operations as defined with the ACL statement
@@ -375,7 +375,7 @@ LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization
 # Event: INTER_BOUNDARY
 # - used when inter-CIMC_Boundary data transfer is successful
 #   (this is used when data does not need to be captured)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ProtectionMethod must be one of the following: "SSL", or "unknown"
 # ReqType must be the request type
 # ReqID must be the request ID
@@ -386,7 +386,7 @@ LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=<type=INTER_BOUNDARY>:[AuditEvent=
 # - used when authentication fails (in case of SSL-client auth,
 #    only webserver env can pick up the SSL violation;
 #    CS authMgr can pick up certificate mis-match, so this event is used)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # Outcome should always be "failure" in this event
 #   (obviously, if authentication failed, you won't have a valid SubjectID, so
 #       in this case, SubjectID should be $Unidentified$)
@@ -398,7 +398,7 @@ LOGGING_SIGNED_AUDIT_AUTH_FAIL=<type=AUTH>:[AuditEvent=AUTH]{0} authentication f
 #
 # Event: AUTH with [Outcome=Success]
 # - used when authentication succeeded
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # Outcome should always be "success" in this event
 # AuthMgr must be the authentication manager instance name that did
 #   this authentication
@@ -408,7 +408,7 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authenticatio
 # Event: CERT_PROFILE_APPROVAL
 # - used when an agent approves/disapproves a certificate profile set by the
 #     administrator for automatic approval
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ProfileID must be one of the profiles defined by the administrator
 #           and to be approved by an agent
 # Op must be "approve" or "disapprove"
@@ -417,7 +417,7 @@ LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[Audit
 #
 # Event: PROOF_OF_POSSESSION
 # - used for proof of possession during certificate enrollment processing
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 #
 LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=<type=PROOF_OF_POSSESSION>:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession
 #
@@ -472,7 +472,7 @@ LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=<type=FULL_CRL_PUBLISHING>:[AuditEvent=
 #
 # Event: CRL_RETRIEVAL
 # - used when CRLs are retrieved by the OCSP Responder
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
 # CRLnum is the CRL number that identifies the CRL
 #
@@ -480,7 +480,7 @@ LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=<type=CRL_RETRIEVAL>:[AuditEvent=CRL_RETRIE
 #
 # Event: CRL_VALIDATION
 # - used when CRL is retrieved and validation process occurs
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 #
 LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=<type=CRL_VALIDATION>:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation
 #
@@ -527,7 +527,7 @@ LOGGING_SIGNED_AUDIT_OCSP_GENERATION=<type=OCSP_GENERATION>:[AuditEvent=OCSP_GEN
 #
 # Event: RANDOM_GENERATION
 # - used when a random number generation is complete
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # Info:
 # - Caller is PKI code that calls the random number generator
 # - Size is size of random number in bytes
@@ -537,7 +537,7 @@ LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=<type=RANDOM_GENERATION>:[AuditEvent=RAND
 # Event: CMC_SIGNED_REQUEST_SIG_VERIFY
 # - used when agent signed CMC certificate requests or revocation requests
 #   are submitted and signature is verified
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ReqType must be the request type (enrollment, or revocation)
 # CertSubject must be the certificate subject name of the certificate request
 # SignerInfo must be a unique String representation for the signer
@@ -557,14 +557,14 @@ LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=<type=CMC_USER_S
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST
 # - used for TPS to TKS to get random challenge data
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # AgentID must be the trusted agent id used to make the request
 #
 LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=<type=COMPUTE_RANDOM_DATA_REQUEST>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Success]
 # - used for TPS to TKS to get random challenge data
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # Outcome is SUCCESS or FAILURE
 # Status is 0 for no error.
 # AgentID must be the trusted agent id used to make the request
@@ -572,7 +572,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Failure]
 # - used for TPS to TKS to get random challenge data
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # Outcome is SUCCESS or FAILURE
 # Status is 0 for no error.
 # Error gives the error message
@@ -582,7 +582,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE=<type=COMPUTE
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST
 # - used for TPS to TKS to get a sessoin key for secure channel setup
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # SubjectID must be the CUID of the token establishing the secure channel
 # AgentID must be the trusted agent id used to make the request
 ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
@@ -595,7 +595,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=<type=COMPUTE_SESSION_KEY_REQ
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Success]
 # - request for TPS to TKS to get a sessoin key for secure channel processed
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # SubjectID must be the CUID of the token establishing the secure channel
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -621,7 +621,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Failure]
 # - request for TPS to TKS to get a sessoin key for secure channel processed
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # SubjectID must be the CUID of the token establishing the secure channel
 # Outcome is SUCCESS or FAILURE
 # Status is error code or 0 for no error.
@@ -646,7 +646,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=<type=COMPUTE
 #
 # Event: DIVERSIFY_KEY_REQUEST
 # - request for TPS to TKS to do key change over
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # status is 0 for success, non-zero for various errors
@@ -661,7 +661,7 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6=<type=DIVERSIFY_KEY_REQUEST>:[Audit
 #
 # Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Success]
 # - request for TPS to TKS to do key change over request processed
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -683,7 +683,7 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=<type=DIVERSIFY_KEY
 #
 # Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Failure]
 # - request for TPS to TKS to do key change over request processed
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -707,7 +707,7 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=<type=DIVERSIFY_KEY
 # Event: ENCRYPT_DATA_REQUEST
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # status is 0 for success, non-zero for various errors
@@ -724,7 +724,7 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5=<type=ENCRYPT_DATA_REQUEST>:[AuditEv
 # Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Success]
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -747,7 +747,7 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=<type=ENCRYPT_DATA_R
 # Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Failure]
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # Outocme is SUCCESS or FAILURE
@@ -781,7 +781,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=<type=SECURITY_DOMAIN_UPDATE>:[Aud
 # Event: CONFIG_SERIAL_NUMBER
 # - used when configuring serial number ranges
 #      (when requesting a serial number range when cloning, for example)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -791,6 +791,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=<type=CONFIG_SERIAL_NUMBER>:[AuditEv
 # Event: SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED
 # - used when user security data archive request is processed
 #    this is when DRM receives and processed the request
+# Applicable subsystems: KRA
 # ArchivalRequestID is the requestID provided by the CA through the connector
 #    It is used to track the request through from CA to KRA.
 # RequestId is the KRA archival request ID
@@ -801,7 +802,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=<type=SECURITY_DAT
 #
 # Event: SECURITY_DATA_ARCHIVAL_REQUEST
 # - used when security data recovery request is made
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ArchivalRequestID is the requestID provided by the CA through the connector
 #    It is used to track the request through from CA to KRA.
 # RequestId is the KRA archival request ID
@@ -812,6 +813,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=<type=SECURITY_DATA_ARCHIVAL
 #
 # Event: SECURITY_DATA_RECOVERY_REQUEST_PROCESSED
 # - used when security data recovery request is processed
+# Applicable subsystems: KRA
 # RecoveryID must be the recovery request ID
 # KeyID is the ID of the security data being requested to be recovered
 # RecoveryAgents are the UIDs of the recovery agents approving this request
@@ -820,6 +822,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=<type=SECURITY_DAT
 #
 # Event: SECURITY_DATA_RECOVERY_REQUEST
 # - used when security data recovery request is made
+# Applicable subsystems: KRA
 # RecoveryID must be the recovery request ID
 # DataID is the ID of the security data to be recovered
 #
@@ -828,6 +831,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=<type=SECURITY_DATA_RECOVERY
 # Event: SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE
 # - used when DRM agents login as recovery agents to change
 #   the state of key recovery requests
+# Applicable subsystems: KRA
 # RecoveryID must be the recovery request ID
 # Operation is the operation performed (approve, reject, cancel etc.)
 #
@@ -836,7 +840,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=<type=SECURITY_
 # Event: SECURITY_DATA_EXPORT_KEY
 # - used when user attempts to retrieve key after the recovery request
 #   has been approved.
-#
+# Applicable subsystems: KRA
 # RecoveryID must be the recovery request ID
 # KeyID is the key being retrieved
 # Info is the failure reason if the export fails.
@@ -846,7 +850,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY=<type=SECURITY_DATA_EXPORT_KEY>:[A
 #
 # Event: SECURITY_DATA_INFO
 # - used when user attempts to get metadata information about a key
-#
+# Applicable subsystems: KRA
 # RecoveryID must be the recovery request ID
 # KeyID is the key being retrieved
 # Info is the failure reason if the export fails.
@@ -856,6 +860,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=<type=SECURITY_DATA_INFO>:[AuditEvent=SE
 #
 # Event: KEY_STATUS_CHANGE
 # - used when modify key status is executed
+# Applicable subsystems: KRA
 # keyID must be an existing key id in the database
 # oldStatus is the old status to change from
 # newStatus is the new status to change to
@@ -865,6 +870,7 @@ LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=<type=KEY_STATUS_CHANGE>:[AuditEvent=KEY_
 # Event: SYMKEY_GENERATION_REQUEST_PROCESSED
 # - used when symmetric key generation request is processed
 #    this is when DRM receives and processes the request
+# Applicable subsystems: KRA
 # Client ID must be the user supplied client ID associated with
 #    the symmetric key to be generated and archived
 #
@@ -872,18 +878,21 @@ LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED=<type=SYMKEY_GENERATION_REQUES
 #
 # Event: SYMKEY_GENERATION_REQUEST
 # - used when symmetric key generation request is made
+# Applicable subsystems: KRA
 # ClientKeyID is the ID of the symmetirc key to be generated and archived
 #
 LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=<type=SYMKEY_GENERATION_REQUEST>:[AuditEvent=SYMKEY_GENERATION_REQUEST]{0} symkey generation request made
 #
 # Event: ASYMKEY_GENERATION_REQUEST
 # - used when asymmetric key generation request is made
+# Applicable subsystems: KRA
 #
 LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=<type=ASYMKEY_GENERATION_REQUEST>:[AuditEvent=ASYMKEY_GENERATION_REQUEST]{0} Asymkey generation request made
 #
 # Event: ASYMKEY_GENERATION_REQUEST_PROCESSED
 # - used when a request to generate asymmetric keys received by the DRM
 #   is processed.
+# Applicable subsystems: KRA
 #
 LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=<type=ASYMKEY_GENERATION_REQUEST_PROCESSED>:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED]{0} Asymkey generation request processed
 #
@@ -1073,7 +1082,7 @@ LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=<type=AUTHORITY_CONFIG>:[AuditEvent=AUTH
 #
 # Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
 # - used when access session failed to establish
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1083,7 +1092,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 #
 # Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success]
 # - used when access session was established successfully
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1093,7 +1102,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
 #
 # Event: ACCESS_SESSION_TERMINATED
 # - used when access session was terminated
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1103,7 +1112,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\
 #
 # Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
 # access session failed to establish when Certificate System acts as client
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 <type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client
@@ -1111,14 +1120,14 @@ LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 # Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Success]
 # - used when access session was established successfully when
 #   Certificate System acts as client
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
 <type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client
 #
 # Event: CLIENT_ACCESS_SESSION_TERMINATED
 # - used when access session was terminated when Certificate System acts as client
-# Applicable subsystems: CA
+# Applicable subsystems: CA, KRA
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\
 <type=CLIENT_ACCESS_SESSION_TERMINATED>:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client
-- 
1.8.3.1


From 5063f0c39d6a4482bd0f70947548ba9f4ee84b03 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 24 Jan 2019 17:38:36 +0100
Subject: [PATCH 20/26] Moved list of available OCSP audit events

The list of available OCSP audit events has been moved from
log.instance.SignedAudit._005 property in CS.cfg into the
"Applicable subsystems" fields in audit-events.properties.

Note that the following events do not have any corresponding
entries in audit-events.properties:

- KEY_RECOVERY_REQUEST_ASYNC
- KEY_RECOVERY_REQUEST_PROCESSED
- KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
- PRIVATE_KEY_ARCHIVE_REQUEST
- PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
- PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
- PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit b2bb882a0859ee750c4a9ab0cad8ed5956d431d4)
---
 base/ocsp/shared/conf/CS.cfg                      |  10 +-
 base/server/cmsbundle/src/audit-events.properties | 123 +++++++++++-----------
 2 files changed, 70 insertions(+), 63 deletions(-)

diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg
index d2e5256..201afbd 100644
--- a/base/ocsp/shared/conf/CS.cfg
+++ b/base/ocsp/shared/conf/CS.cfg
@@ -214,10 +214,12 @@ log.impl.file.class=com.netscape.cms.logging.RollingLogFile
 log.instance.SignedAudit._000=##
 log.instance.SignedAudit._001=## Signed Audit Logging
 log.instance.SignedAudit._002=##
-log.instance.SignedAudit._003=##
-log.instance.SignedAudit._004=## Available Audit events:
-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,OCSP_ADD_CA_REQUEST,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_GENERATION,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION
-log.instance.SignedAudit._006=##
+log.instance.SignedAudit._003=## To list available audit events:
+log.instance.SignedAudit._004=## $ pki-server ocsp-audit-event-find
+log.instance.SignedAudit._005=##
+log.instance.SignedAudit._006=## To enable/disable audit event:
+log.instance.SignedAudit._007=## $ pki-server ocsp-audit-event-enable/disable <event name>
+log.instance.SignedAudit._008=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
 log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
diff --git a/base/server/cmsbundle/src/audit-events.properties b/base/server/cmsbundle/src/audit-events.properties
index 9b6f86a..5599c20 100644
--- a/base/server/cmsbundle/src/audit-events.properties
+++ b/base/server/cmsbundle/src/audit-events.properties
@@ -24,19 +24,19 @@
 #
 # Event: AUDIT_LOG_STARTUP
 # - used at audit function startup
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 #
 LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2=<type=AUDIT_LOG_STARTUP>:[AuditEvent=AUDIT_LOG_STARTUP][SubjectID={0}][Outcome={1}] audit function startup
 #
 # Event: AUDIT_LOG_SHUTDOWN
 # - used at audit function shutdown
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 #
 LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=<type=AUDIT_LOG_SHUTDOWN>:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown
 #
 # Event: CIMC_CERT_VERIFICATION
 # - used for verifying CIMC system certificates
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # - CertNickName is the cert nickname
 #
 LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CIMC certificate verification
@@ -44,7 +44,7 @@ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[Aud
 # Event: ROLE_ASSUME
 # - used when user assumes a role (in current CS that's when one accesses a
 #     role port)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # Role must be be one of the valid roles, by default: "Administrators",
 #     "Certificate Manager Agents", and "Auditors"
 #     note that customized role names can be used once configured
@@ -53,7 +53,7 @@ LOGGING_SIGNED_AUDIT_ROLE_ASSUME=<type=ROLE_ASSUME>:[AuditEvent=ROLE_ASSUME]{0}
 #
 # Event: CONFIG_CERT_POLICY
 # - used when configuring certificate policy constraints and extensions
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ParamNameValPairs must be a name;;value pair
 # (where name and value are separated by the delimiter ;;)
 # separated by + (if more than one name;;value pair) of config params changed
@@ -64,7 +64,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=<type=CONFIG_CERT_POLICY>:[AuditEvent=
 # - used when configuring certificate profile
 #    (general settings and certificate profile)
 #    (extensions and constraints policies are to be obsoleted but do it anyway)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -74,7 +74,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=<type=CONFIG_CERT_PROFILE>:[AuditEven
 # Event: CONFIG_CRL_PROFILE
 # - used when configuring  CRL profile
 #    (extensions, frequency, CRL format)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -84,7 +84,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=<type=CONFIG_CRL_PROFILE>:[AuditEvent=
 # Event: CONFIG_OCSP_PROFILE
 # - used when configuring OCSP profile
 #    (everything under Online Certificate Status Manager)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -93,7 +93,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=<type=CONFIG_OCSP_PROFILE>:[AuditEven
 #
 # Event: CONFIG_AUTH
 # - used when configuring authentication
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -104,7 +104,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=<type=CONFIG_AUTH>:[AuditEvent=CONFIG_AUTH][S
 # Event: CONFIG_ROLE
 # - used when configuring role information (anything under users/groups)
 #       add/remove/edit a role, etc)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -113,7 +113,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ROLE=<type=CONFIG_ROLE>:[AuditEvent=CONFIG_ROLE]{0}
 #
 # Event: CONFIG_ACL
 # - used when configuring ACL information
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -122,7 +122,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=<type=CONFIG_ACL>:[AuditEvent=CONFIG_ACL][Subj
 #
 # Event: CONFIG_SIGNED_AUDIT
 # - used when configuring signedAudit
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -131,7 +131,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=<type=CONFIG_SIGNED_AUDIT>:[AuditEvent=
 #
 # Event: CONFIG_ENCRYPTION
 # - used when configuring encryption (cert settings and SSL cipher preferences)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -145,7 +145,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=<type=CONFIG_ENCRYPTION>:[AuditEvent=CO
 #      2. "Certificate Setup Wizard" is used to import CA certificates into the
 #         certificate database (Although CrossCertificatePairs are stored
 #         within internaldb, audit them as well)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -155,7 +155,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=<type=CONFIG_TRUSTED_PUBLIC_KEY>:
 # Event: CONFIG_DRM
 # - used when configuring DRM
 #     (Key recovery scheme, change of any secret component)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -165,7 +165,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=<type=CONFIG_DRM>:[AuditEvent=CONFIG_DRM][Subj
 #
 # Event: SELFTESTS_EXECUTION
 # - used when self tests are run
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 #
 LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details)
 #
@@ -173,7 +173,7 @@ LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEven
 # - used AFTER audit log gets expired (authz should not allow,
 #    but in case authz gets compromised.  Make sure it is written
 #    AFTER the log expiration happens)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # LogFile must be the complete name (including the path) of the
 #    signedAudit log that is attempted to be deleted
 #
@@ -184,7 +184,7 @@ LOGGING_SIGNED_AUDIT_LOG_DELETE_3=<type=AUDIT_LOG_DELETE>:[AuditEvent=AUDIT_LOG_
 #    audit, system, transaction, or other customized log file
 #    change is attempted (authz should not allow, but make sure it's
 #    written after the attempt)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # LogType must be "System", "Transaction", or "SignedAudit"
 # toLogFile must be the name (including any path changes) that the user is
 #    attempting to change to
@@ -194,7 +194,7 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
 # Event: LOG_EXPIRATION_CHANGE
 # - used when log expiration time change is attempted (authz should not
 #    allow, but make sure it's written after the attempt)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # LogType must be "System", "Transaction", or "SignedAudit"
 # ExpirationTime must be the amount of time (in seconds) that is
 #    attempted to be changed to
@@ -205,7 +205,7 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
 # Event: SERVER_SIDE_KEYGEN_REQUEST
 # - used when server-side key generation request is made
 #    This is for tokenkeys
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # EntityID must be the representation of the subject that will be on the certificate when issued
 #
 LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST]{0} server-side key generation request
@@ -213,7 +213,7 @@ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST
 # Event: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
 # - used when server-side key generation request has been processed.
 #    This is for tokenkeys
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # EntityID must be the representation of the subject that will be on the certificate when issued
 # PubKey must be the base-64 encoded public key associated with
 #    the private key to be archived
@@ -222,7 +222,7 @@ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=<type=SERVER_SIDE_KEYG
 #
 # Event: KEY_RECOVERY_REQUEST
 # - used when key recovery request is made
-# Applicable subsystems: CA
+# Applicable subsystems: CA, OCSP
 # RecoveryID must be the recovery request ID
 # PubKey must be the base-64 encoded public key associated with
 #    the private key to be recovered
@@ -232,7 +232,7 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=<type=KEY_RECOVERY_REQUEST>:[AuditEv
 # Event: KEY_RECOVERY_AGENT_LOGIN
 # - used when DRM agents login as recovery agents to approve
 #       key recovery requests
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # RecoveryID must be the recovery request ID
 # RecoveryAgent must be the recovery agent the DRM agent is
 #       logging in with
@@ -243,7 +243,7 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=<type=KEY_RECOVERY_AGENT_LOGIN>:
 # - used when asymmetric keys are generated
 #   (like when CA certificate requests are generated -
 #      e.g. CA certificate change over, renewal with new key, etc.)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # PubKey must be the base-64 encoded public key material
 #
 LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=<type=KEY_GEN_ASYMMETRIC>:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation
@@ -265,7 +265,7 @@ LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=<type=CRL_SIGNING_INFO>:[AuditEvent=CRL_SI
 #
 # Event: NON_PROFILE_CERT_REQUEST
 # - used when a non-profile certificate request is made (before approval process)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # SubjectID must be the UID of user that triggered this event
 #        (if CMC enrollment requests signed by an agent, SubjectID should
 #        be that of the agent), while
@@ -295,7 +295,7 @@ LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=<type=CMC_RESPONSE_SENT>:[AuditEvent=CM
 #
 # Event: PROFILE_CERT_REQUEST
 # - used when a profile certificate request is made (before approval process)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # SubjectID must be the UID of user that triggered this event
 #        (if CMC enrollment requests signed by an agent, SubjectID should
 #        be that of the agent), while
@@ -308,7 +308,7 @@ LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=<type=PROFILE_CERT_REQUEST>:[AuditEv
 #
 # Event: CERT_REQUEST_PROCESSED
 # - used when certificate request has just been through the approval process
-# Applicable subsystems: CA
+# Applicable subsystems: CA, OCSP
 # SubjectID must be the UID of the agent who approves, rejects, or cancels
 #        the certificate request
 # ReqID must be the request ID
@@ -322,7 +322,7 @@ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=<type=CERT_REQUEST_PROCESSED>:[Audit
 # Event: CERT_STATUS_CHANGE_REQUEST
 # - used when a certificate status change request (e.g. revocation)
 #        is made (before approval process)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ReqID must be the request ID
 # CertSerialNum must be the serial number (in hex) of the certificate to be revoked
 # RequestType must be "revoke", "on-hold", "off-hold"
@@ -332,7 +332,7 @@ LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=<type=CERT_STATUS_CHANGE_REQUEST
 # Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED
 # - used when certificate status is changed (revoked, expired, on-hold,
 #        off-hold)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # SubjectID must be the UID of the agent that processed the request
 # ReqID must be the request ID
 # RequestType must be "revoke", "on-hold", "off-hold"
@@ -354,7 +354,7 @@ LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=<type=CERT_STATUS_CHAN
 #
 # Event: AUTHZ with [Outcome=Success]
 # - used when authorization is successful
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # Outcome must be success for this event
 # aclResource must be the ACL resource ID as defined in ACL resource list
 # Op must be one of the operations as defined with the ACL statement
@@ -364,7 +364,7 @@ LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorizat
 #
 # Event: AUTHZ with [Outcome=Failure]
 # - used when authorization has failed
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # Outcome must be failure for this event
 # aclResource must be the ACL resource ID as defined in ACL resource list
 # Op must be one of the operations as defined with the ACL statement
@@ -375,7 +375,7 @@ LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization
 # Event: INTER_BOUNDARY
 # - used when inter-CIMC_Boundary data transfer is successful
 #   (this is used when data does not need to be captured)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ProtectionMethod must be one of the following: "SSL", or "unknown"
 # ReqType must be the request type
 # ReqID must be the request ID
@@ -386,7 +386,7 @@ LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=<type=INTER_BOUNDARY>:[AuditEvent=
 # - used when authentication fails (in case of SSL-client auth,
 #    only webserver env can pick up the SSL violation;
 #    CS authMgr can pick up certificate mis-match, so this event is used)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # Outcome should always be "failure" in this event
 #   (obviously, if authentication failed, you won't have a valid SubjectID, so
 #       in this case, SubjectID should be $Unidentified$)
@@ -398,7 +398,7 @@ LOGGING_SIGNED_AUDIT_AUTH_FAIL=<type=AUTH>:[AuditEvent=AUTH]{0} authentication f
 #
 # Event: AUTH with [Outcome=Success]
 # - used when authentication succeeded
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # Outcome should always be "success" in this event
 # AuthMgr must be the authentication manager instance name that did
 #   this authentication
@@ -408,7 +408,7 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authenticatio
 # Event: CERT_PROFILE_APPROVAL
 # - used when an agent approves/disapproves a certificate profile set by the
 #     administrator for automatic approval
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ProfileID must be one of the profiles defined by the administrator
 #           and to be approved by an agent
 # Op must be "approve" or "disapprove"
@@ -417,7 +417,7 @@ LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[Audit
 #
 # Event: PROOF_OF_POSSESSION
 # - used for proof of possession during certificate enrollment processing
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 #
 LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=<type=PROOF_OF_POSSESSION>:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession
 #
@@ -472,7 +472,7 @@ LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=<type=FULL_CRL_PUBLISHING>:[AuditEvent=
 #
 # Event: CRL_RETRIEVAL
 # - used when CRLs are retrieved by the OCSP Responder
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
 # CRLnum is the CRL number that identifies the CRL
 #
@@ -480,12 +480,13 @@ LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=<type=CRL_RETRIEVAL>:[AuditEvent=CRL_RETRIE
 #
 # Event: CRL_VALIDATION
 # - used when CRL is retrieved and validation process occurs
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 #
 LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=<type=CRL_VALIDATION>:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation
 #
 # Event: OCSP_ADD_CA_REQUEST
 # - used when a CA is attempted to be added to the OCSP Responder
+# Applicable subsystems: OCSP
 # Outcome is "success" as the request is made
 # CA must be the base-64 encoded PKCS7 certificate (or chain)
 #
@@ -493,6 +494,7 @@ LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST=<type=OCSP_ADD_CA_REQUEST>:[AuditEvent=
 #
 # Event: OCSP_ADD_CA_REQUEST_PROCESSED
 # - used when an add CA request to the OCSP Responder is processed
+# Applicable subsystems: OCSP
 # Outcome is "success" when CA is added successfully, "failure" otherwise
 # CASubjectDN is the subject DN of the leaf CA cert in the chain
 #
@@ -500,12 +502,14 @@ LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED=<type=OCSP_ADD_CA_REQUEST_PRO
 #
 # Event: OCSP_REMOVE_CA_REQUEST
 # - used when a CA is attempted to be removed from the OCSP Responder
+# Applicable subsystems: OCSP
 # Outcome is "success" as the request is made
 # CA must be the DN id of the CA
 LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST=<type=OCSP_REMOVE_CA_REQUEST>:[AuditEvent=OCSP_REMOVE_CA_REQUEST]{0} request to remove a CA from OCSP Responder
 #
 # Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Success]
 # - used when a remove CA request to the OCSP Responder is processed successfully
+# Applicable subsystems: OCSP
 # Outcome is "success" when CA is removed successfully, "failure" otherwise
 # CASubjectDN is the subject DN of the leaf CA cert in the chain
 #
@@ -513,6 +517,7 @@ LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS=<type=OCSP_REMOVE_
 #
 # Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Failure]
 # - used when a remove CA request to the OCSP Responder is processed and failed
+# Applicable subsystems: OCSP
 # Outcome is  "failure"
 # CASubjectDN is  DN ID of the CA
 #
@@ -520,14 +525,14 @@ LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE=<type=OCSP_REMOVE_
 #
 # Event: OCSP_GENERATION
 # - used when an OCSP response generated is complete
-# Applicable subsystems: CA
+# Applicable subsystems: CA, OCSP
 # Outcome is "success" when OCSP response is generated successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_OCSP_GENERATION=<type=OCSP_GENERATION>:[AuditEvent=OCSP_GENERATION]{0} OCSP response generation
 #
 # Event: RANDOM_GENERATION
 # - used when a random number generation is complete
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # Info:
 # - Caller is PKI code that calls the random number generator
 # - Size is size of random number in bytes
@@ -537,7 +542,7 @@ LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=<type=RANDOM_GENERATION>:[AuditEvent=RAND
 # Event: CMC_SIGNED_REQUEST_SIG_VERIFY
 # - used when agent signed CMC certificate requests or revocation requests
 #   are submitted and signature is verified
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ReqType must be the request type (enrollment, or revocation)
 # CertSubject must be the certificate subject name of the certificate request
 # SignerInfo must be a unique String representation for the signer
@@ -557,14 +562,14 @@ LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=<type=CMC_USER_S
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST
 # - used for TPS to TKS to get random challenge data
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # AgentID must be the trusted agent id used to make the request
 #
 LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=<type=COMPUTE_RANDOM_DATA_REQUEST>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Success]
 # - used for TPS to TKS to get random challenge data
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # Outcome is SUCCESS or FAILURE
 # Status is 0 for no error.
 # AgentID must be the trusted agent id used to make the request
@@ -572,7 +577,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Failure]
 # - used for TPS to TKS to get random challenge data
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # Outcome is SUCCESS or FAILURE
 # Status is 0 for no error.
 # Error gives the error message
@@ -582,7 +587,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE=<type=COMPUTE
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST
 # - used for TPS to TKS to get a sessoin key for secure channel setup
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # SubjectID must be the CUID of the token establishing the secure channel
 # AgentID must be the trusted agent id used to make the request
 ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
@@ -595,7 +600,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=<type=COMPUTE_SESSION_KEY_REQ
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Success]
 # - request for TPS to TKS to get a sessoin key for secure channel processed
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # SubjectID must be the CUID of the token establishing the secure channel
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -621,7 +626,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Failure]
 # - request for TPS to TKS to get a sessoin key for secure channel processed
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # SubjectID must be the CUID of the token establishing the secure channel
 # Outcome is SUCCESS or FAILURE
 # Status is error code or 0 for no error.
@@ -646,7 +651,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=<type=COMPUTE
 #
 # Event: DIVERSIFY_KEY_REQUEST
 # - request for TPS to TKS to do key change over
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # status is 0 for success, non-zero for various errors
@@ -661,7 +666,7 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6=<type=DIVERSIFY_KEY_REQUEST>:[Audit
 #
 # Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Success]
 # - request for TPS to TKS to do key change over request processed
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -683,7 +688,7 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=<type=DIVERSIFY_KEY
 #
 # Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Failure]
 # - request for TPS to TKS to do key change over request processed
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -707,7 +712,7 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=<type=DIVERSIFY_KEY
 # Event: ENCRYPT_DATA_REQUEST
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # status is 0 for success, non-zero for various errors
@@ -724,7 +729,7 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5=<type=ENCRYPT_DATA_REQUEST>:[AuditEv
 # Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Success]
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -747,7 +752,7 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=<type=ENCRYPT_DATA_R
 # Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Failure]
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # Outocme is SUCCESS or FAILURE
@@ -1082,7 +1087,7 @@ LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=<type=AUTHORITY_CONFIG>:[AuditEvent=AUTH
 #
 # Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
 # - used when access session failed to establish
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1092,7 +1097,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 #
 # Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success]
 # - used when access session was established successfully
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1102,7 +1107,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
 #
 # Event: ACCESS_SESSION_TERMINATED
 # - used when access session was terminated
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1112,7 +1117,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\
 #
 # Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
 # access session failed to establish when Certificate System acts as client
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 <type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client
@@ -1120,14 +1125,14 @@ LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 # Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Success]
 # - used when access session was established successfully when
 #   Certificate System acts as client
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
 <type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client
 #
 # Event: CLIENT_ACCESS_SESSION_TERMINATED
 # - used when access session was terminated when Certificate System acts as client
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, OCSP
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\
 <type=CLIENT_ACCESS_SESSION_TERMINATED>:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client
-- 
1.8.3.1


From 5395814aac9826fb49a3f51ecf38781f4cc87186 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 24 Jan 2019 18:21:15 +0100
Subject: [PATCH 21/26] Moved list of available TKS audit events

The list of available TKS audit events has been moved from
log.instance.SignedAudit._005 property in CS.cfg into the
"Applicable subsystems" fields in audit-events.properties.

Note that the following events do not have any corresponding
entries in audit-events.properties:

- KEY_RECOVERY_REQUEST_ASYNC
- KEY_RECOVERY_REQUEST_PROCESSED
- KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
- PRIVATE_KEY_ARCHIVE_REQUEST
- PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
- PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
- PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 97dbda87ceb36bf1c053b6322a9414865ffbfbe0)
---
 base/server/cmsbundle/src/audit-events.properties | 116 +++++++++++-----------
 base/tks/shared/conf/CS.cfg                       |  10 +-
 2 files changed, 64 insertions(+), 62 deletions(-)

diff --git a/base/server/cmsbundle/src/audit-events.properties b/base/server/cmsbundle/src/audit-events.properties
index 5599c20..09265ee 100644
--- a/base/server/cmsbundle/src/audit-events.properties
+++ b/base/server/cmsbundle/src/audit-events.properties
@@ -24,19 +24,19 @@
 #
 # Event: AUDIT_LOG_STARTUP
 # - used at audit function startup
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 #
 LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2=<type=AUDIT_LOG_STARTUP>:[AuditEvent=AUDIT_LOG_STARTUP][SubjectID={0}][Outcome={1}] audit function startup
 #
 # Event: AUDIT_LOG_SHUTDOWN
 # - used at audit function shutdown
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 #
 LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=<type=AUDIT_LOG_SHUTDOWN>:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown
 #
 # Event: CIMC_CERT_VERIFICATION
 # - used for verifying CIMC system certificates
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # - CertNickName is the cert nickname
 #
 LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CIMC certificate verification
@@ -44,7 +44,7 @@ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[Aud
 # Event: ROLE_ASSUME
 # - used when user assumes a role (in current CS that's when one accesses a
 #     role port)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # Role must be be one of the valid roles, by default: "Administrators",
 #     "Certificate Manager Agents", and "Auditors"
 #     note that customized role names can be used once configured
@@ -53,7 +53,7 @@ LOGGING_SIGNED_AUDIT_ROLE_ASSUME=<type=ROLE_ASSUME>:[AuditEvent=ROLE_ASSUME]{0}
 #
 # Event: CONFIG_CERT_POLICY
 # - used when configuring certificate policy constraints and extensions
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ParamNameValPairs must be a name;;value pair
 # (where name and value are separated by the delimiter ;;)
 # separated by + (if more than one name;;value pair) of config params changed
@@ -64,7 +64,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=<type=CONFIG_CERT_POLICY>:[AuditEvent=
 # - used when configuring certificate profile
 #    (general settings and certificate profile)
 #    (extensions and constraints policies are to be obsoleted but do it anyway)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -74,7 +74,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=<type=CONFIG_CERT_PROFILE>:[AuditEven
 # Event: CONFIG_CRL_PROFILE
 # - used when configuring  CRL profile
 #    (extensions, frequency, CRL format)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -84,7 +84,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=<type=CONFIG_CRL_PROFILE>:[AuditEvent=
 # Event: CONFIG_OCSP_PROFILE
 # - used when configuring OCSP profile
 #    (everything under Online Certificate Status Manager)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -93,7 +93,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=<type=CONFIG_OCSP_PROFILE>:[AuditEven
 #
 # Event: CONFIG_AUTH
 # - used when configuring authentication
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -104,7 +104,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=<type=CONFIG_AUTH>:[AuditEvent=CONFIG_AUTH][S
 # Event: CONFIG_ROLE
 # - used when configuring role information (anything under users/groups)
 #       add/remove/edit a role, etc)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -113,7 +113,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ROLE=<type=CONFIG_ROLE>:[AuditEvent=CONFIG_ROLE]{0}
 #
 # Event: CONFIG_ACL
 # - used when configuring ACL information
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -122,7 +122,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=<type=CONFIG_ACL>:[AuditEvent=CONFIG_ACL][Subj
 #
 # Event: CONFIG_SIGNED_AUDIT
 # - used when configuring signedAudit
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -131,7 +131,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=<type=CONFIG_SIGNED_AUDIT>:[AuditEvent=
 #
 # Event: CONFIG_ENCRYPTION
 # - used when configuring encryption (cert settings and SSL cipher preferences)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -145,7 +145,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=<type=CONFIG_ENCRYPTION>:[AuditEvent=CO
 #      2. "Certificate Setup Wizard" is used to import CA certificates into the
 #         certificate database (Although CrossCertificatePairs are stored
 #         within internaldb, audit them as well)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -155,7 +155,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=<type=CONFIG_TRUSTED_PUBLIC_KEY>:
 # Event: CONFIG_DRM
 # - used when configuring DRM
 #     (Key recovery scheme, change of any secret component)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -165,7 +165,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=<type=CONFIG_DRM>:[AuditEvent=CONFIG_DRM][Subj
 #
 # Event: SELFTESTS_EXECUTION
 # - used when self tests are run
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 #
 LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details)
 #
@@ -173,7 +173,7 @@ LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEven
 # - used AFTER audit log gets expired (authz should not allow,
 #    but in case authz gets compromised.  Make sure it is written
 #    AFTER the log expiration happens)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # LogFile must be the complete name (including the path) of the
 #    signedAudit log that is attempted to be deleted
 #
@@ -184,7 +184,7 @@ LOGGING_SIGNED_AUDIT_LOG_DELETE_3=<type=AUDIT_LOG_DELETE>:[AuditEvent=AUDIT_LOG_
 #    audit, system, transaction, or other customized log file
 #    change is attempted (authz should not allow, but make sure it's
 #    written after the attempt)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # LogType must be "System", "Transaction", or "SignedAudit"
 # toLogFile must be the name (including any path changes) that the user is
 #    attempting to change to
@@ -194,7 +194,7 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
 # Event: LOG_EXPIRATION_CHANGE
 # - used when log expiration time change is attempted (authz should not
 #    allow, but make sure it's written after the attempt)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # LogType must be "System", "Transaction", or "SignedAudit"
 # ExpirationTime must be the amount of time (in seconds) that is
 #    attempted to be changed to
@@ -205,7 +205,7 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
 # Event: SERVER_SIDE_KEYGEN_REQUEST
 # - used when server-side key generation request is made
 #    This is for tokenkeys
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # EntityID must be the representation of the subject that will be on the certificate when issued
 #
 LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST]{0} server-side key generation request
@@ -213,7 +213,7 @@ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST
 # Event: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
 # - used when server-side key generation request has been processed.
 #    This is for tokenkeys
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # EntityID must be the representation of the subject that will be on the certificate when issued
 # PubKey must be the base-64 encoded public key associated with
 #    the private key to be archived
@@ -222,7 +222,7 @@ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=<type=SERVER_SIDE_KEYG
 #
 # Event: KEY_RECOVERY_REQUEST
 # - used when key recovery request is made
-# Applicable subsystems: CA, OCSP
+# Applicable subsystems: CA, OCSP, TKS
 # RecoveryID must be the recovery request ID
 # PubKey must be the base-64 encoded public key associated with
 #    the private key to be recovered
@@ -232,7 +232,7 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=<type=KEY_RECOVERY_REQUEST>:[AuditEv
 # Event: KEY_RECOVERY_AGENT_LOGIN
 # - used when DRM agents login as recovery agents to approve
 #       key recovery requests
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # RecoveryID must be the recovery request ID
 # RecoveryAgent must be the recovery agent the DRM agent is
 #       logging in with
@@ -243,7 +243,7 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=<type=KEY_RECOVERY_AGENT_LOGIN>:
 # - used when asymmetric keys are generated
 #   (like when CA certificate requests are generated -
 #      e.g. CA certificate change over, renewal with new key, etc.)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # PubKey must be the base-64 encoded public key material
 #
 LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=<type=KEY_GEN_ASYMMETRIC>:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation
@@ -265,7 +265,7 @@ LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=<type=CRL_SIGNING_INFO>:[AuditEvent=CRL_SI
 #
 # Event: NON_PROFILE_CERT_REQUEST
 # - used when a non-profile certificate request is made (before approval process)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # SubjectID must be the UID of user that triggered this event
 #        (if CMC enrollment requests signed by an agent, SubjectID should
 #        be that of the agent), while
@@ -295,7 +295,7 @@ LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=<type=CMC_RESPONSE_SENT>:[AuditEvent=CM
 #
 # Event: PROFILE_CERT_REQUEST
 # - used when a profile certificate request is made (before approval process)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # SubjectID must be the UID of user that triggered this event
 #        (if CMC enrollment requests signed by an agent, SubjectID should
 #        be that of the agent), while
@@ -308,7 +308,7 @@ LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=<type=PROFILE_CERT_REQUEST>:[AuditEv
 #
 # Event: CERT_REQUEST_PROCESSED
 # - used when certificate request has just been through the approval process
-# Applicable subsystems: CA, OCSP
+# Applicable subsystems: CA, OCSP, TKS
 # SubjectID must be the UID of the agent who approves, rejects, or cancels
 #        the certificate request
 # ReqID must be the request ID
@@ -322,7 +322,7 @@ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=<type=CERT_REQUEST_PROCESSED>:[Audit
 # Event: CERT_STATUS_CHANGE_REQUEST
 # - used when a certificate status change request (e.g. revocation)
 #        is made (before approval process)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ReqID must be the request ID
 # CertSerialNum must be the serial number (in hex) of the certificate to be revoked
 # RequestType must be "revoke", "on-hold", "off-hold"
@@ -332,7 +332,7 @@ LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=<type=CERT_STATUS_CHANGE_REQUEST
 # Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED
 # - used when certificate status is changed (revoked, expired, on-hold,
 #        off-hold)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # SubjectID must be the UID of the agent that processed the request
 # ReqID must be the request ID
 # RequestType must be "revoke", "on-hold", "off-hold"
@@ -354,7 +354,7 @@ LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=<type=CERT_STATUS_CHAN
 #
 # Event: AUTHZ with [Outcome=Success]
 # - used when authorization is successful
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # Outcome must be success for this event
 # aclResource must be the ACL resource ID as defined in ACL resource list
 # Op must be one of the operations as defined with the ACL statement
@@ -364,7 +364,7 @@ LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorizat
 #
 # Event: AUTHZ with [Outcome=Failure]
 # - used when authorization has failed
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # Outcome must be failure for this event
 # aclResource must be the ACL resource ID as defined in ACL resource list
 # Op must be one of the operations as defined with the ACL statement
@@ -375,7 +375,7 @@ LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization
 # Event: INTER_BOUNDARY
 # - used when inter-CIMC_Boundary data transfer is successful
 #   (this is used when data does not need to be captured)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ProtectionMethod must be one of the following: "SSL", or "unknown"
 # ReqType must be the request type
 # ReqID must be the request ID
@@ -386,7 +386,7 @@ LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=<type=INTER_BOUNDARY>:[AuditEvent=
 # - used when authentication fails (in case of SSL-client auth,
 #    only webserver env can pick up the SSL violation;
 #    CS authMgr can pick up certificate mis-match, so this event is used)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # Outcome should always be "failure" in this event
 #   (obviously, if authentication failed, you won't have a valid SubjectID, so
 #       in this case, SubjectID should be $Unidentified$)
@@ -398,7 +398,7 @@ LOGGING_SIGNED_AUDIT_AUTH_FAIL=<type=AUTH>:[AuditEvent=AUTH]{0} authentication f
 #
 # Event: AUTH with [Outcome=Success]
 # - used when authentication succeeded
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # Outcome should always be "success" in this event
 # AuthMgr must be the authentication manager instance name that did
 #   this authentication
@@ -408,7 +408,7 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authenticatio
 # Event: CERT_PROFILE_APPROVAL
 # - used when an agent approves/disapproves a certificate profile set by the
 #     administrator for automatic approval
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ProfileID must be one of the profiles defined by the administrator
 #           and to be approved by an agent
 # Op must be "approve" or "disapprove"
@@ -417,7 +417,7 @@ LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[Audit
 #
 # Event: PROOF_OF_POSSESSION
 # - used for proof of possession during certificate enrollment processing
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 #
 LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=<type=PROOF_OF_POSSESSION>:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession
 #
@@ -472,7 +472,7 @@ LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=<type=FULL_CRL_PUBLISHING>:[AuditEvent=
 #
 # Event: CRL_RETRIEVAL
 # - used when CRLs are retrieved by the OCSP Responder
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
 # CRLnum is the CRL number that identifies the CRL
 #
@@ -480,7 +480,7 @@ LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=<type=CRL_RETRIEVAL>:[AuditEvent=CRL_RETRIE
 #
 # Event: CRL_VALIDATION
 # - used when CRL is retrieved and validation process occurs
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 #
 LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=<type=CRL_VALIDATION>:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation
 #
@@ -532,7 +532,7 @@ LOGGING_SIGNED_AUDIT_OCSP_GENERATION=<type=OCSP_GENERATION>:[AuditEvent=OCSP_GEN
 #
 # Event: RANDOM_GENERATION
 # - used when a random number generation is complete
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # Info:
 # - Caller is PKI code that calls the random number generator
 # - Size is size of random number in bytes
@@ -542,7 +542,7 @@ LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=<type=RANDOM_GENERATION>:[AuditEvent=RAND
 # Event: CMC_SIGNED_REQUEST_SIG_VERIFY
 # - used when agent signed CMC certificate requests or revocation requests
 #   are submitted and signature is verified
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ReqType must be the request type (enrollment, or revocation)
 # CertSubject must be the certificate subject name of the certificate request
 # SignerInfo must be a unique String representation for the signer
@@ -562,14 +562,14 @@ LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=<type=CMC_USER_S
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST
 # - used for TPS to TKS to get random challenge data
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # AgentID must be the trusted agent id used to make the request
 #
 LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=<type=COMPUTE_RANDOM_DATA_REQUEST>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Success]
 # - used for TPS to TKS to get random challenge data
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # Outcome is SUCCESS or FAILURE
 # Status is 0 for no error.
 # AgentID must be the trusted agent id used to make the request
@@ -577,7 +577,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Failure]
 # - used for TPS to TKS to get random challenge data
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # Outcome is SUCCESS or FAILURE
 # Status is 0 for no error.
 # Error gives the error message
@@ -587,7 +587,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE=<type=COMPUTE
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST
 # - used for TPS to TKS to get a sessoin key for secure channel setup
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # SubjectID must be the CUID of the token establishing the secure channel
 # AgentID must be the trusted agent id used to make the request
 ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
@@ -600,7 +600,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=<type=COMPUTE_SESSION_KEY_REQ
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Success]
 # - request for TPS to TKS to get a sessoin key for secure channel processed
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # SubjectID must be the CUID of the token establishing the secure channel
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -626,7 +626,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Failure]
 # - request for TPS to TKS to get a sessoin key for secure channel processed
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # SubjectID must be the CUID of the token establishing the secure channel
 # Outcome is SUCCESS or FAILURE
 # Status is error code or 0 for no error.
@@ -651,7 +651,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=<type=COMPUTE
 #
 # Event: DIVERSIFY_KEY_REQUEST
 # - request for TPS to TKS to do key change over
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # status is 0 for success, non-zero for various errors
@@ -666,7 +666,7 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6=<type=DIVERSIFY_KEY_REQUEST>:[Audit
 #
 # Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Success]
 # - request for TPS to TKS to do key change over request processed
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -688,7 +688,7 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=<type=DIVERSIFY_KEY
 #
 # Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Failure]
 # - request for TPS to TKS to do key change over request processed
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -712,7 +712,7 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=<type=DIVERSIFY_KEY
 # Event: ENCRYPT_DATA_REQUEST
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # status is 0 for success, non-zero for various errors
@@ -729,7 +729,7 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5=<type=ENCRYPT_DATA_REQUEST>:[AuditEv
 # Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Success]
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -752,7 +752,7 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=<type=ENCRYPT_DATA_R
 # Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Failure]
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # Outocme is SUCCESS or FAILURE
@@ -1087,7 +1087,7 @@ LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=<type=AUTHORITY_CONFIG>:[AuditEvent=AUTH
 #
 # Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
 # - used when access session failed to establish
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1097,7 +1097,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 #
 # Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success]
 # - used when access session was established successfully
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1107,7 +1107,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
 #
 # Event: ACCESS_SESSION_TERMINATED
 # - used when access session was terminated
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1117,7 +1117,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\
 #
 # Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
 # access session failed to establish when Certificate System acts as client
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 <type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client
@@ -1125,14 +1125,14 @@ LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 # Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Success]
 # - used when access session was established successfully when
 #   Certificate System acts as client
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
 <type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client
 #
 # Event: CLIENT_ACCESS_SESSION_TERMINATED
 # - used when access session was terminated when Certificate System acts as client
-# Applicable subsystems: CA, KRA, OCSP
+# Applicable subsystems: CA, KRA, OCSP, TKS
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\
 <type=CLIENT_ACCESS_SESSION_TERMINATED>:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client
diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg
index 60a3355..3d95735 100644
--- a/base/tks/shared/conf/CS.cfg
+++ b/base/tks/shared/conf/CS.cfg
@@ -206,10 +206,12 @@ log.impl.file.class=com.netscape.cms.logging.RollingLogFile
 log.instance.SignedAudit._000=##
 log.instance.SignedAudit._001=## Signed Audit Logging
 log.instance.SignedAudit._002=##
-log.instance.SignedAudit._003=##
-log.instance.SignedAudit._004=## Available Audit events:
-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION
-log.instance.SignedAudit._006=##
+log.instance.SignedAudit._003=## To list available audit events:
+log.instance.SignedAudit._004=## $ pki-server tks-audit-event-find
+log.instance.SignedAudit._005=##
+log.instance.SignedAudit._006=## To enable/disable audit event:
+log.instance.SignedAudit._007=## $ pki-server tks-audit-event-enable/disable <event name>
+log.instance.SignedAudit._008=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
 log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
-- 
1.8.3.1


From 77894b8a6c91823070b7405c0169df85011009f6 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 24 Jan 2019 18:53:57 +0100
Subject: [PATCH 22/26] Moved list of available TPS audit events

The list of available TPS audit events has been moved from
log.instance.SignedAudit._005 property in CS.cfg into the
"Applicable subsystems" fields in audit-events.properties.

Note that the following events do not have any corresponding
entries in audit-events.properties:

- KEY_RECOVERY_REQUEST_ASYNC
- KEY_RECOVERY_REQUEST_PROCESSED
- KEY_RECOVERY_REQUEST_PROCESSED_ASYNC
- PRIVATE_KEY_ARCHIVE_REQUEST
- PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED
- PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE
- PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 6c0efb65dd38e36eb2c5a8f9eb0f520944977ced)
---
 base/server/cmsbundle/src/audit-events.properties | 136 +++++++++++++---------
 base/tps/shared/conf/CS.cfg                       |  10 +-
 2 files changed, 85 insertions(+), 61 deletions(-)

diff --git a/base/server/cmsbundle/src/audit-events.properties b/base/server/cmsbundle/src/audit-events.properties
index 09265ee..8559d98 100644
--- a/base/server/cmsbundle/src/audit-events.properties
+++ b/base/server/cmsbundle/src/audit-events.properties
@@ -24,19 +24,19 @@
 #
 # Event: AUDIT_LOG_STARTUP
 # - used at audit function startup
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 #
 LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2=<type=AUDIT_LOG_STARTUP>:[AuditEvent=AUDIT_LOG_STARTUP][SubjectID={0}][Outcome={1}] audit function startup
 #
 # Event: AUDIT_LOG_SHUTDOWN
 # - used at audit function shutdown
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 #
 LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=<type=AUDIT_LOG_SHUTDOWN>:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown
 #
 # Event: CIMC_CERT_VERIFICATION
 # - used for verifying CIMC system certificates
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # - CertNickName is the cert nickname
 #
 LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CIMC certificate verification
@@ -44,7 +44,7 @@ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[Aud
 # Event: ROLE_ASSUME
 # - used when user assumes a role (in current CS that's when one accesses a
 #     role port)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # Role must be be one of the valid roles, by default: "Administrators",
 #     "Certificate Manager Agents", and "Auditors"
 #     note that customized role names can be used once configured
@@ -53,7 +53,7 @@ LOGGING_SIGNED_AUDIT_ROLE_ASSUME=<type=ROLE_ASSUME>:[AuditEvent=ROLE_ASSUME]{0}
 #
 # Event: CONFIG_CERT_POLICY
 # - used when configuring certificate policy constraints and extensions
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ParamNameValPairs must be a name;;value pair
 # (where name and value are separated by the delimiter ;;)
 # separated by + (if more than one name;;value pair) of config params changed
@@ -64,7 +64,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=<type=CONFIG_CERT_POLICY>:[AuditEvent=
 # - used when configuring certificate profile
 #    (general settings and certificate profile)
 #    (extensions and constraints policies are to be obsoleted but do it anyway)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -74,7 +74,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=<type=CONFIG_CERT_PROFILE>:[AuditEven
 # Event: CONFIG_CRL_PROFILE
 # - used when configuring  CRL profile
 #    (extensions, frequency, CRL format)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -84,7 +84,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=<type=CONFIG_CRL_PROFILE>:[AuditEvent=
 # Event: CONFIG_OCSP_PROFILE
 # - used when configuring OCSP profile
 #    (everything under Online Certificate Status Manager)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -93,7 +93,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=<type=CONFIG_OCSP_PROFILE>:[AuditEven
 #
 # Event: CONFIG_AUTH
 # - used when configuring authentication
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -104,7 +104,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=<type=CONFIG_AUTH>:[AuditEvent=CONFIG_AUTH][S
 # Event: CONFIG_ROLE
 # - used when configuring role information (anything under users/groups)
 #       add/remove/edit a role, etc)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -113,7 +113,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ROLE=<type=CONFIG_ROLE>:[AuditEvent=CONFIG_ROLE]{0}
 #
 # Event: CONFIG_ACL
 # - used when configuring ACL information
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -122,7 +122,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=<type=CONFIG_ACL>:[AuditEvent=CONFIG_ACL][Subj
 #
 # Event: CONFIG_SIGNED_AUDIT
 # - used when configuring signedAudit
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -131,7 +131,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=<type=CONFIG_SIGNED_AUDIT>:[AuditEvent=
 #
 # Event: CONFIG_ENCRYPTION
 # - used when configuring encryption (cert settings and SSL cipher preferences)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -145,7 +145,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=<type=CONFIG_ENCRYPTION>:[AuditEvent=CO
 #      2. "Certificate Setup Wizard" is used to import CA certificates into the
 #         certificate database (Although CrossCertificatePairs are stored
 #         within internaldb, audit them as well)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -155,7 +155,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=<type=CONFIG_TRUSTED_PUBLIC_KEY>:
 # Event: CONFIG_DRM
 # - used when configuring DRM
 #     (Key recovery scheme, change of any secret component)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -165,7 +165,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=<type=CONFIG_DRM>:[AuditEvent=CONFIG_DRM][Subj
 #
 # Event: SELFTESTS_EXECUTION
 # - used when self tests are run
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 #
 LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details)
 #
@@ -173,7 +173,7 @@ LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEven
 # - used AFTER audit log gets expired (authz should not allow,
 #    but in case authz gets compromised.  Make sure it is written
 #    AFTER the log expiration happens)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # LogFile must be the complete name (including the path) of the
 #    signedAudit log that is attempted to be deleted
 #
@@ -184,7 +184,7 @@ LOGGING_SIGNED_AUDIT_LOG_DELETE_3=<type=AUDIT_LOG_DELETE>:[AuditEvent=AUDIT_LOG_
 #    audit, system, transaction, or other customized log file
 #    change is attempted (authz should not allow, but make sure it's
 #    written after the attempt)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # LogType must be "System", "Transaction", or "SignedAudit"
 # toLogFile must be the name (including any path changes) that the user is
 #    attempting to change to
@@ -194,7 +194,7 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
 # Event: LOG_EXPIRATION_CHANGE
 # - used when log expiration time change is attempted (authz should not
 #    allow, but make sure it's written after the attempt)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # LogType must be "System", "Transaction", or "SignedAudit"
 # ExpirationTime must be the amount of time (in seconds) that is
 #    attempted to be changed to
@@ -205,7 +205,7 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
 # Event: SERVER_SIDE_KEYGEN_REQUEST
 # - used when server-side key generation request is made
 #    This is for tokenkeys
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # EntityID must be the representation of the subject that will be on the certificate when issued
 #
 LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST]{0} server-side key generation request
@@ -213,7 +213,7 @@ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST
 # Event: SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
 # - used when server-side key generation request has been processed.
 #    This is for tokenkeys
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # EntityID must be the representation of the subject that will be on the certificate when issued
 # PubKey must be the base-64 encoded public key associated with
 #    the private key to be archived
@@ -222,7 +222,7 @@ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=<type=SERVER_SIDE_KEYG
 #
 # Event: KEY_RECOVERY_REQUEST
 # - used when key recovery request is made
-# Applicable subsystems: CA, OCSP, TKS
+# Applicable subsystems: CA, OCSP, TKS, TPS, TPS
 # RecoveryID must be the recovery request ID
 # PubKey must be the base-64 encoded public key associated with
 #    the private key to be recovered
@@ -232,7 +232,7 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=<type=KEY_RECOVERY_REQUEST>:[AuditEv
 # Event: KEY_RECOVERY_AGENT_LOGIN
 # - used when DRM agents login as recovery agents to approve
 #       key recovery requests
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # RecoveryID must be the recovery request ID
 # RecoveryAgent must be the recovery agent the DRM agent is
 #       logging in with
@@ -243,7 +243,7 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=<type=KEY_RECOVERY_AGENT_LOGIN>:
 # - used when asymmetric keys are generated
 #   (like when CA certificate requests are generated -
 #      e.g. CA certificate change over, renewal with new key, etc.)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # PubKey must be the base-64 encoded public key material
 #
 LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=<type=KEY_GEN_ASYMMETRIC>:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation
@@ -265,7 +265,7 @@ LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=<type=CRL_SIGNING_INFO>:[AuditEvent=CRL_SI
 #
 # Event: NON_PROFILE_CERT_REQUEST
 # - used when a non-profile certificate request is made (before approval process)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # SubjectID must be the UID of user that triggered this event
 #        (if CMC enrollment requests signed by an agent, SubjectID should
 #        be that of the agent), while
@@ -295,7 +295,7 @@ LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=<type=CMC_RESPONSE_SENT>:[AuditEvent=CM
 #
 # Event: PROFILE_CERT_REQUEST
 # - used when a profile certificate request is made (before approval process)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # SubjectID must be the UID of user that triggered this event
 #        (if CMC enrollment requests signed by an agent, SubjectID should
 #        be that of the agent), while
@@ -308,7 +308,7 @@ LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=<type=PROFILE_CERT_REQUEST>:[AuditEv
 #
 # Event: CERT_REQUEST_PROCESSED
 # - used when certificate request has just been through the approval process
-# Applicable subsystems: CA, OCSP, TKS
+# Applicable subsystems: CA, OCSP, TKS, TPS
 # SubjectID must be the UID of the agent who approves, rejects, or cancels
 #        the certificate request
 # ReqID must be the request ID
@@ -322,7 +322,7 @@ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=<type=CERT_REQUEST_PROCESSED>:[Audit
 # Event: CERT_STATUS_CHANGE_REQUEST
 # - used when a certificate status change request (e.g. revocation)
 #        is made (before approval process)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ReqID must be the request ID
 # CertSerialNum must be the serial number (in hex) of the certificate to be revoked
 # RequestType must be "revoke", "on-hold", "off-hold"
@@ -332,7 +332,7 @@ LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=<type=CERT_STATUS_CHANGE_REQUEST
 # Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED
 # - used when certificate status is changed (revoked, expired, on-hold,
 #        off-hold)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # SubjectID must be the UID of the agent that processed the request
 # ReqID must be the request ID
 # RequestType must be "revoke", "on-hold", "off-hold"
@@ -354,7 +354,7 @@ LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=<type=CERT_STATUS_CHAN
 #
 # Event: AUTHZ with [Outcome=Success]
 # - used when authorization is successful
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # Outcome must be success for this event
 # aclResource must be the ACL resource ID as defined in ACL resource list
 # Op must be one of the operations as defined with the ACL statement
@@ -364,7 +364,7 @@ LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorizat
 #
 # Event: AUTHZ with [Outcome=Failure]
 # - used when authorization has failed
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # Outcome must be failure for this event
 # aclResource must be the ACL resource ID as defined in ACL resource list
 # Op must be one of the operations as defined with the ACL statement
@@ -375,7 +375,7 @@ LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization
 # Event: INTER_BOUNDARY
 # - used when inter-CIMC_Boundary data transfer is successful
 #   (this is used when data does not need to be captured)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ProtectionMethod must be one of the following: "SSL", or "unknown"
 # ReqType must be the request type
 # ReqID must be the request ID
@@ -386,7 +386,7 @@ LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=<type=INTER_BOUNDARY>:[AuditEvent=
 # - used when authentication fails (in case of SSL-client auth,
 #    only webserver env can pick up the SSL violation;
 #    CS authMgr can pick up certificate mis-match, so this event is used)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # Outcome should always be "failure" in this event
 #   (obviously, if authentication failed, you won't have a valid SubjectID, so
 #       in this case, SubjectID should be $Unidentified$)
@@ -398,7 +398,7 @@ LOGGING_SIGNED_AUDIT_AUTH_FAIL=<type=AUTH>:[AuditEvent=AUTH]{0} authentication f
 #
 # Event: AUTH with [Outcome=Success]
 # - used when authentication succeeded
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # Outcome should always be "success" in this event
 # AuthMgr must be the authentication manager instance name that did
 #   this authentication
@@ -408,7 +408,7 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authenticatio
 # Event: CERT_PROFILE_APPROVAL
 # - used when an agent approves/disapproves a certificate profile set by the
 #     administrator for automatic approval
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ProfileID must be one of the profiles defined by the administrator
 #           and to be approved by an agent
 # Op must be "approve" or "disapprove"
@@ -417,7 +417,7 @@ LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[Audit
 #
 # Event: PROOF_OF_POSSESSION
 # - used for proof of possession during certificate enrollment processing
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 #
 LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=<type=PROOF_OF_POSSESSION>:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession
 #
@@ -472,7 +472,7 @@ LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=<type=FULL_CRL_PUBLISHING>:[AuditEvent=
 #
 # Event: CRL_RETRIEVAL
 # - used when CRLs are retrieved by the OCSP Responder
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
 # CRLnum is the CRL number that identifies the CRL
 #
@@ -480,7 +480,7 @@ LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=<type=CRL_RETRIEVAL>:[AuditEvent=CRL_RETRIE
 #
 # Event: CRL_VALIDATION
 # - used when CRL is retrieved and validation process occurs
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 #
 LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=<type=CRL_VALIDATION>:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation
 #
@@ -532,7 +532,7 @@ LOGGING_SIGNED_AUDIT_OCSP_GENERATION=<type=OCSP_GENERATION>:[AuditEvent=OCSP_GEN
 #
 # Event: RANDOM_GENERATION
 # - used when a random number generation is complete
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # Info:
 # - Caller is PKI code that calls the random number generator
 # - Size is size of random number in bytes
@@ -542,7 +542,7 @@ LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=<type=RANDOM_GENERATION>:[AuditEvent=RAND
 # Event: CMC_SIGNED_REQUEST_SIG_VERIFY
 # - used when agent signed CMC certificate requests or revocation requests
 #   are submitted and signature is verified
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ReqType must be the request type (enrollment, or revocation)
 # CertSubject must be the certificate subject name of the certificate request
 # SignerInfo must be a unique String representation for the signer
@@ -562,14 +562,14 @@ LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=<type=CMC_USER_S
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST
 # - used for TPS to TKS to get random challenge data
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # AgentID must be the trusted agent id used to make the request
 #
 LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=<type=COMPUTE_RANDOM_DATA_REQUEST>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Success]
 # - used for TPS to TKS to get random challenge data
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # Outcome is SUCCESS or FAILURE
 # Status is 0 for no error.
 # AgentID must be the trusted agent id used to make the request
@@ -577,7 +577,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Failure]
 # - used for TPS to TKS to get random challenge data
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # Outcome is SUCCESS or FAILURE
 # Status is 0 for no error.
 # Error gives the error message
@@ -587,7 +587,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE=<type=COMPUTE
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST
 # - used for TPS to TKS to get a sessoin key for secure channel setup
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # SubjectID must be the CUID of the token establishing the secure channel
 # AgentID must be the trusted agent id used to make the request
 ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
@@ -600,7 +600,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=<type=COMPUTE_SESSION_KEY_REQ
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Success]
 # - request for TPS to TKS to get a sessoin key for secure channel processed
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # SubjectID must be the CUID of the token establishing the secure channel
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -626,7 +626,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Failure]
 # - request for TPS to TKS to get a sessoin key for secure channel processed
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # SubjectID must be the CUID of the token establishing the secure channel
 # Outcome is SUCCESS or FAILURE
 # Status is error code or 0 for no error.
@@ -651,7 +651,7 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=<type=COMPUTE
 #
 # Event: DIVERSIFY_KEY_REQUEST
 # - request for TPS to TKS to do key change over
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # status is 0 for success, non-zero for various errors
@@ -666,7 +666,7 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6=<type=DIVERSIFY_KEY_REQUEST>:[Audit
 #
 # Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Success]
 # - request for TPS to TKS to do key change over request processed
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -688,7 +688,7 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=<type=DIVERSIFY_KEY
 #
 # Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Failure]
 # - request for TPS to TKS to do key change over request processed
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -712,7 +712,7 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=<type=DIVERSIFY_KEY
 # Event: ENCRYPT_DATA_REQUEST
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # status is 0 for success, non-zero for various errors
@@ -729,7 +729,7 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5=<type=ENCRYPT_DATA_REQUEST>:[AuditEv
 # Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Success]
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -752,7 +752,7 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=<type=ENCRYPT_DATA_R
 # Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Failure]
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # Outocme is SUCCESS or FAILURE
@@ -776,7 +776,7 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE=<type=ENCRYPT_DATA_R
 # Event: SECURITY_DOMAIN_UPDATE
 # - used when updating contents of security domain
 #       (add/remove a subsystem)
-# Applicable subsystems: CA
+# Applicable subsystems: CA, TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -786,7 +786,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=<type=SECURITY_DOMAIN_UPDATE>:[Aud
 # Event: CONFIG_SERIAL_NUMBER
 # - used when configuring serial number ranges
 #      (when requesting a serial number range when cloning, for example)
-# Applicable subsystems: CA, KRA
+# Applicable subsystems: CA, KRA, TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -903,12 +903,14 @@ LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=<type=ASYMKEY_GENERATION_REQU
 #
 # Event: TOKEN_CERT_ENROLLMENT
 # - used for TPS when token certificate enrollment request is made
+# Applicable subsystems: TPS
 # - Info is normally used to store more info in case of failure
 #
 LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9=<type=TOKEN_CERT_ENROLLMENT>:[AuditEvent=TOKEN_CERT_ENROLLMENT][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate enrollment request made
 #
 # Event: TOKEN_CERT_RENEWAL
 # - used for TPS when token certificate renewal request is made
+# Applicable subsystems: TPS
 # - Info is normally used to store more info in case of failure
 #
 LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[AuditEvent=TOKEN_CERT_RENEWAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate renewal request made
@@ -916,11 +918,13 @@ LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[AuditEvent=
 # Event: TOKEN_CERT_RETRIEVAL
 # - used for TPS when token certificate retrieval request is made;
 #   usually used during recovery, along with LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY
+# Applicable subsystems: TPS
 #
 LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9=<type=TOKEN_CERT_RETRIEVAL>:[AuditEvent=TOKEN_CERT_RETRIEVAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate retrieval request made
 #
 # Event: TOKEN_KEY_RECOVERY
 # - used for TPS when token certificate key recovery request is made
+# Applicable subsystems: TPS
 #
 LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10=<type=TOKEN_KEY_RECOVERY>:[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made
 #
@@ -939,54 +943,64 @@ LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS=<type=TOKEN_PIN_RESET>:[AuditEvent=
 #
 # Event: TOKEN_PIN_RESET with [Outcome=Failure]
 # - used when token pin reset request failed
+# Applicable subsystems: TPS
 #
 LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE=<type=TOKEN_PIN_RESET>:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset failure
 #
 # Event: TOKEN_OP_REQUEST
 # - used when token processor op request is made
+# Applicable subsystems: TPS
 # - OP can be "format", "enroll", or "pinReset"
 #
 LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=<type=TOKEN_OP_REQUEST>:[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token processor op request made
 #
 # Event: TOKEN_FORMAT with [Outcome=Success]
 # - used when token format op succeeded
+# Applicable subsystems: TPS
 #
 LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS=<type=TOKEN_FORMAT>:[AuditEvent=TOKEN_FORMAT]{0} token op format success
 #
 # Event: TOKEN_FORMAT with [Outcome=Failure]
 # - used when token format op failed
+# Applicable subsystems: TPS
 #
 LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE=<type=TOKEN_FORMAT>:[AuditEvent=TOKEN_FORMAT]{0} token op format failure
 #
 # Event: TOKEN_APPLET_UPGRADE with [Outcome=Success]
 # - used when token apple upgrade succeeded
+# Applicable subsystems: TPS
 #
 LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade success
 #
 # Event: TOKEN_APPLET_UPGRADE with [Outcome=Failure]
 # - used when token apple upgrade failed
+# Applicable subsystems: TPS
 #
 LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade failure
 #
 # Event: TOKEN_KEY_CHANGEOVER_REQUIRED
 # - used when token key changeover is required
+# Applicable subsystems: TPS
 #
 LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=<type=TOKEN_KEY_CHANGEOVER_REQUIRED>:[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required
 #
 # Event: TOKEN_KEY_CHANGEOVER with [Outcome=Success]
 # - used when token key changeover succeeded
+# Applicable subsystems: TPS
 # - Info usually is unused for success
 #
 LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover success
 #
 # Event: TOKEN_KEY_CHANGEOVER with [Outcome=Failure]
 # - used when token key changeover failed
+# Applicable subsystems: TPS
 # - Info is used for storing more info in case of failure
 #
 LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover failure
 #
 # Event: TOKEN_AUTH with [Outcome=Failure]
 # - used when authentication failed
+# Applicable subsystems: TPS
 # Outcome should always be "failure" in this event
 #   (obviously, if authentication failed, you won't have a valid SubjectID, so
 #       in this case, AttemptedID is recorded)
@@ -997,6 +1011,7 @@ LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH
 #
 # Event: TOKEN_AUTH with [Outcome=Success]
 # - used when authentication succeeded
+# Applicable subsystems: TPS
 # Outcome should always be "success" in this event
 # AuthMgr must be the authentication manager instance name that did
 #   this authentication
@@ -1005,6 +1020,7 @@ LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH
 #
 # Event: CONFIG_TOKEN_GENERAL
 # - used when doing general TPS configuration
+# Applicable subsystems: TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1015,6 +1031,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5=<type=CONFIG_TOKEN_GENERAL>:[AuditEv
 #
 # Event: CONFIG_TOKEN_PROFILE
 # - used when configuring token profile
+# Applicable subsystems: TPS
 # Service can be any of the methods offered
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -1026,6 +1043,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6=<type=CONFIG_TOKEN_PROFILE>:[AuditEv
 #
 # Event: CONFIG_TOKEN_MAPPING_RESOLVER
 # - used when configuring token mapping resolver
+# Applicable subsystems: TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1036,6 +1054,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6=<type=CONFIG_TOKEN_MAPPING_
 #
 # Event: CONFIG_TOKEN_AUTHENTICATOR
 # - used when configuring token authenticators
+# Applicable subsystems: TPS
 # Service can be any of the methods offered
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -1047,6 +1066,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6=<type=CONFIG_TOKEN_AUTHENTICAT
 #
 # Event: CONFIG_TOKEN_CONNECTOR
 # - used when configuring token connectors
+# Applicable subsystems: TPS
 # Service can be any of the methods offered
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -1058,6 +1078,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6=<type=CONFIG_TOKEN_CONNECTOR>:[Aud
 #
 # Event: CONFIG_TOKEN_RECORD
 # - used when information in token record changed
+# Applicable subsystems: TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1068,6 +1089,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6=<type=CONFIG_TOKEN_RECORD>:[AuditEven
 #
 # Event: TOKEN_STATE_CHANGE
 # - used when token state changed
+# Applicable subsystems: TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1087,7 +1109,7 @@ LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=<type=AUTHORITY_CONFIG>:[AuditEvent=AUTH
 #
 # Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
 # - used when access session failed to establish
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1097,7 +1119,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 #
 # Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success]
 # - used when access session was established successfully
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1107,7 +1129,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
 #
 # Event: ACCESS_SESSION_TERMINATED
 # - used when access session was terminated
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index bc8479c..2c6a92b 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -223,10 +223,12 @@ log.impl.file.class=com.netscape.cms.logging.RollingLogFile
 log.instance.SignedAudit._000=##
 log.instance.SignedAudit._001=## Signed Audit Logging
 log.instance.SignedAudit._002=##
-log.instance.SignedAudit._003=##
-log.instance.SignedAudit._004=## Available Audit events:
-log.instance.SignedAudit._005=## AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,ROLE_ASSUME,CONFIG_CERT_POLICY,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_AUTH,CONFIG_ROLE,CONFIG_ACL,CONFIG_SIGNED_AUDIT,CONFIG_ENCRYPTION,CONFIG_TRUSTED_PUBLIC_KEY,CONFIG_DRM,SELFTESTS_EXECUTION,AUDIT_LOG_DELETE,LOG_PATH_CHANGE,LOG_EXPIRATION_CHANGE,PRIVATE_KEY_ARCHIVE_REQUEST,PRIVATE_KEY_ARCHIVE_REQUEST_PROCESSED,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_SUCCESS,PRIVATE_KEY_EXPORT_REQUEST_PROCESSED_FAILURE,KEY_RECOVERY_REQUEST,KEY_RECOVERY_REQUEST_ASYNC,KEY_RECOVERY_AGENT_LOGIN,KEY_RECOVERY_REQUEST_PROCESSED,KEY_RECOVERY_REQUEST_PROCESSED_ASYNC,KEY_GEN_ASYMMETRIC,NON_PROFILE_CERT_REQUEST,PROFILE_CERT_REQUEST,CERT_REQUEST_PROCESSED,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,AUTHZ,INTER_BOUNDARY,AUTH,CERT_PROFILE_APPROVAL,PROOF_OF_POSSESSION,CRL_RETRIEVAL,CRL_VALIDATION,CMC_SIGNED_REQUEST_SIG_VERIFY,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS,SERVER_SIDE_KEYGEN_REQUEST,COMPUTE_SESSION_KEY_REQUEST,COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS, COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE,DIVERSIFY_KEY_REQUEST,DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS, DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE,ENCRYPT_DATA_REQUEST,ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS,ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE,COMPUTE_RANDOM_DATA_REQUEST,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS,COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE,CIMC_CERT_VERIFICATION,SECURITY_DOMAIN_UPDATE,CONFIG_SERIAL_NUMBER,TOKEN_CERT_ENROLLMENT,TOKEN_CERT_RENEWAL,TOKEN_PIN_RESET_SUCCESS,TOKEN_PIN_RESET_FAILURE,TOKEN_OP_REQUEST,TOKEN_FORMAT_SUCCESS,TOKEN_FORMAT_FAILURE,TOKEN_APPLET_UPGRADE_SUCCESS,TOKEN_APPLET_UPGRADE_FAILURE,TOKEN_KEY_CHANGEOVER_REQUIREDTOKEN_KEY_CHANGEOVER_FAILURE,CONFIG_TOKEN_PROFILE,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_GENERAL,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_RECORD,CONFIG_TOKEN_AUTHENTICATOR,TOKEN_STATE_CHANGE,TOKEN_CERT_RETRIEVAL,TOKEN_KEY_RECOVERY,TOKEN_AUTH_SUCCESS,TOKEN_AUTH_FAILURE,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,RANDOM_GENERATION
-log.instance.SignedAudit._006=##
+log.instance.SignedAudit._003=## To list available audit events:
+log.instance.SignedAudit._004=## $ pki-server tps-audit-event-find
+log.instance.SignedAudit._005=##
+log.instance.SignedAudit._006=## To enable/disable audit event:
+log.instance.SignedAudit._007=## $ pki-server tps-audit-event-enable/disable <event name>
+log.instance.SignedAudit._008=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
 log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER,CONFIG_ACL
-- 
1.8.3.1


From 3a3c637415ceac69c175c210549e5b72ee3c3572 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Tue, 29 Jan 2019 21:11:09 +0100
Subject: [PATCH 23/26] Added enabled by default info

The audit-events.properties has been modified to include the
"Enabled by default" fields.

The pki-server <subsystem>-audit-event-find has been modified
to provide an option to show the events enabled by default
based on the information in audit-events.properties.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 0807a26e9d815c4df4e4a4be881923ac7a754665)
---
 base/server/cmsbundle/src/audit-events.properties | 190 ++++++++++++++++++----
 base/server/python/pki/server/__init__.py         | 120 +++++++++-----
 base/server/python/pki/server/cli/audit.py        |  22 ++-
 3 files changed, 248 insertions(+), 84 deletions(-)

diff --git a/base/server/cmsbundle/src/audit-events.properties b/base/server/cmsbundle/src/audit-events.properties
index 8559d98..b103020 100644
--- a/base/server/cmsbundle/src/audit-events.properties
+++ b/base/server/cmsbundle/src/audit-events.properties
@@ -1,6 +1,7 @@
 ####################### SIGNED AUDIT EVENTS #############################
-# This file defines signed audit events which are required by CIMC PP.
-# Please consult cfu before adding/deleting/modifying the events.
+# This file defines signed audit events where many of them are required
+# to meet security standards. Please consult cfu before adding, deleting,
+# or modifying the events.
 #
 # WARNING: The comments are incrementally being transformed into parsable
 # document. Please use the following format when updating the comments.
@@ -8,6 +9,7 @@
 #   Event: <event type>
 #   Description: <event description>
 #   Applicable subsystems: <comma-separated list of subsystems>
+#   Enabled by default: <Yes|No>
 #   Fields:
 #   - <field name>: <field description>
 #
@@ -25,18 +27,21 @@
 # Event: AUDIT_LOG_STARTUP
 # - used at audit function startup
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 #
 LOGGING_SIGNED_AUDIT_AUDIT_LOG_STARTUP_2=<type=AUDIT_LOG_STARTUP>:[AuditEvent=AUDIT_LOG_STARTUP][SubjectID={0}][Outcome={1}] audit function startup
 #
 # Event: AUDIT_LOG_SHUTDOWN
 # - used at audit function shutdown
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 #
 LOGGING_SIGNED_AUDIT_AUDIT_LOG_SHUTDOWN_2=<type=AUDIT_LOG_SHUTDOWN>:[AuditEvent=AUDIT_LOG_SHUTDOWN][SubjectID={0}][Outcome={1}] audit function shutdown
 #
 # Event: CIMC_CERT_VERIFICATION
 # - used for verifying CIMC system certificates
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: No
 # - CertNickName is the cert nickname
 #
 LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[AuditEvent=CIMC_CERT_VERIFICATION][SubjectID={0}][Outcome={1}][CertNickName={2}] CIMC certificate verification
@@ -45,6 +50,7 @@ LOGGING_SIGNED_AUDIT_CIMC_CERT_VERIFICATION_3=<type=CIMC_CERT_VERIFICATION>:[Aud
 # - used when user assumes a role (in current CS that's when one accesses a
 #     role port)
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # Role must be be one of the valid roles, by default: "Administrators",
 #     "Certificate Manager Agents", and "Auditors"
 #     note that customized role names can be used once configured
@@ -53,7 +59,8 @@ LOGGING_SIGNED_AUDIT_ROLE_ASSUME=<type=ROLE_ASSUME>:[AuditEvent=ROLE_ASSUME]{0}
 #
 # Event: CONFIG_CERT_POLICY
 # - used when configuring certificate policy constraints and extensions
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: CA
+# Enabled by default: No
 # ParamNameValPairs must be a name;;value pair
 # (where name and value are separated by the delimiter ;;)
 # separated by + (if more than one name;;value pair) of config params changed
@@ -64,7 +71,8 @@ LOGGING_SIGNED_AUDIT_CONFIG_CERT_POLICY_3=<type=CONFIG_CERT_POLICY>:[AuditEvent=
 # - used when configuring certificate profile
 #    (general settings and certificate profile)
 #    (extensions and constraints policies are to be obsoleted but do it anyway)
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: CA
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -74,7 +82,8 @@ LOGGING_SIGNED_AUDIT_CONFIG_CERT_PROFILE_3=<type=CONFIG_CERT_PROFILE>:[AuditEven
 # Event: CONFIG_CRL_PROFILE
 # - used when configuring  CRL profile
 #    (extensions, frequency, CRL format)
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: CA
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -84,7 +93,8 @@ LOGGING_SIGNED_AUDIT_CONFIG_CRL_PROFILE_3=<type=CONFIG_CRL_PROFILE>:[AuditEvent=
 # Event: CONFIG_OCSP_PROFILE
 # - used when configuring OCSP profile
 #    (everything under Online Certificate Status Manager)
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: OCSP
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -94,6 +104,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_OCSP_PROFILE_3=<type=CONFIG_OCSP_PROFILE>:[AuditEven
 # Event: CONFIG_AUTH
 # - used when configuring authentication
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -105,6 +116,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_AUTH_3=<type=CONFIG_AUTH>:[AuditEvent=CONFIG_AUTH][S
 # - used when configuring role information (anything under users/groups)
 #       add/remove/edit a role, etc)
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -114,6 +126,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ROLE=<type=CONFIG_ROLE>:[AuditEvent=CONFIG_ROLE]{0}
 # Event: CONFIG_ACL
 # - used when configuring ACL information
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -123,6 +136,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ACL_3=<type=CONFIG_ACL>:[AuditEvent=CONFIG_ACL][Subj
 # Event: CONFIG_SIGNED_AUDIT
 # - used when configuring signedAudit
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -132,6 +146,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_SIGNED_AUDIT=<type=CONFIG_SIGNED_AUDIT>:[AuditEvent=
 # Event: CONFIG_ENCRYPTION
 # - used when configuring encryption (cert settings and SSL cipher preferences)
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -146,6 +161,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_ENCRYPTION_3=<type=CONFIG_ENCRYPTION>:[AuditEvent=CO
 #         certificate database (Although CrossCertificatePairs are stored
 #         within internaldb, audit them as well)
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -155,7 +171,8 @@ LOGGING_SIGNED_AUDIT_CONFIG_TRUSTED_PUBLIC_KEY=<type=CONFIG_TRUSTED_PUBLIC_KEY>:
 # Event: CONFIG_DRM
 # - used when configuring DRM
 #     (Key recovery scheme, change of any secret component)
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: KRA
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -166,6 +183,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_DRM_3=<type=CONFIG_DRM>:[AuditEvent=CONFIG_DRM][Subj
 # Event: SELFTESTS_EXECUTION
 # - used when self tests are run
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 #
 LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEvent=SELFTESTS_EXECUTION][SubjectID={0}][Outcome={1}] self tests execution (see selftests.log for details)
 #
@@ -174,6 +192,7 @@ LOGGING_SIGNED_AUDIT_SELFTESTS_EXECUTION_2=<type=SELFTESTS_EXECUTION>:[AuditEven
 #    but in case authz gets compromised.  Make sure it is written
 #    AFTER the log expiration happens)
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: No
 # LogFile must be the complete name (including the path) of the
 #    signedAudit log that is attempted to be deleted
 #
@@ -185,6 +204,7 @@ LOGGING_SIGNED_AUDIT_LOG_DELETE_3=<type=AUDIT_LOG_DELETE>:[AuditEvent=AUDIT_LOG_
 #    change is attempted (authz should not allow, but make sure it's
 #    written after the attempt)
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # LogType must be "System", "Transaction", or "SignedAudit"
 # toLogFile must be the name (including any path changes) that the user is
 #    attempting to change to
@@ -195,6 +215,7 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
 # - used when log expiration time change is attempted (authz should not
 #    allow, but make sure it's written after the attempt)
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: No
 # LogType must be "System", "Transaction", or "SignedAudit"
 # ExpirationTime must be the amount of time (in seconds) that is
 #    attempted to be changed to
@@ -206,6 +227,7 @@ LOGGING_SIGNED_AUDIT_LOG_PATH_CHANGE_4=<type=LOG_PATH_CHANGE>:[AuditEvent=LOG_PA
 # - used when server-side key generation request is made
 #    This is for tokenkeys
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # EntityID must be the representation of the subject that will be on the certificate when issued
 #
 LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST>:[AuditEvent=SERVER_SIDE_KEYGEN_REQUEST]{0} server-side key generation request
@@ -214,6 +236,7 @@ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST=<type=SERVER_SIDE_KEYGEN_REQUEST
 # - used when server-side key generation request has been processed.
 #    This is for tokenkeys
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # EntityID must be the representation of the subject that will be on the certificate when issued
 # PubKey must be the base-64 encoded public key associated with
 #    the private key to be archived
@@ -223,6 +246,7 @@ LOGGING_SIGNED_AUDIT_SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=<type=SERVER_SIDE_KEYG
 # Event: KEY_RECOVERY_REQUEST
 # - used when key recovery request is made
 # Applicable subsystems: CA, OCSP, TKS, TPS, TPS
+# Enabled by default: No
 # RecoveryID must be the recovery request ID
 # PubKey must be the base-64 encoded public key associated with
 #    the private key to be recovered
@@ -232,7 +256,8 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=<type=KEY_RECOVERY_REQUEST>:[AuditEv
 # Event: KEY_RECOVERY_AGENT_LOGIN
 # - used when DRM agents login as recovery agents to approve
 #       key recovery requests
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: KRA
+# Enabled by default: Yes
 # RecoveryID must be the recovery request ID
 # RecoveryAgent must be the recovery agent the DRM agent is
 #       logging in with
@@ -244,28 +269,33 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_AGENT_LOGIN_4=<type=KEY_RECOVERY_AGENT_LOGIN>:
 #   (like when CA certificate requests are generated -
 #      e.g. CA certificate change over, renewal with new key, etc.)
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # PubKey must be the base-64 encoded public key material
 #
 LOGGING_SIGNED_AUDIT_KEY_GEN_ASYMMETRIC_3=<type=KEY_GEN_ASYMMETRIC>:[AuditEvent=KEY_GEN_ASYMMETRIC][SubjectID={0}][Outcome={1}][PubKey={2}] asymmetric key generation
 #
 # Event: CERT_SIGNING_INFO
 # Applicable subsystems: CA
+# Enabled by default: Yes
 #
 LOGGING_SIGNED_AUDIT_CERT_SIGNING_INFO=<type=CERT_SIGNING_INFO>:[AuditEvent=CERT_SIGNING_INFO]{0} certificate signing info
 #
 # Event: OCSP_SIGNING_INFO
-# Applicable subsystems: CA
+# Applicable subsystems: CA, OCSP
+# Enabled by default: Yes
 #
 LOGGING_SIGNED_AUDIT_OCSP_SIGNING_INFO=<type=OCSP_SIGNING_INFO>:[AuditEvent=OCSP_SIGNING_INFO]{0} OCSP signing info
 #
 # Event: CRL_SIGNING_INFO
 # Applicable subsystems: CA
+# Enabled by default: Yes
 #
 LOGGING_SIGNED_AUDIT_CRL_SIGNING_INFO=<type=CRL_SIGNING_INFO>:[AuditEvent=CRL_SIGNING_INFO]{0} CRL signing info
 #
 # Event: NON_PROFILE_CERT_REQUEST
 # - used when a non-profile certificate request is made (before approval process)
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: No
 # SubjectID must be the UID of user that triggered this event
 #        (if CMC enrollment requests signed by an agent, SubjectID should
 #        be that of the agent), while
@@ -279,6 +309,7 @@ LOGGING_SIGNED_AUDIT_NON_PROFILE_CERT_REQUEST_5=<type=NON_PROFILE_CERT_REQUEST>:
 # Event: CMC_REQUEST_RECEIVED
 # - used when a CMC request is received.
 # Applicable subsystems: CA
+# Enabled by default: Yes
 # SubjectID must be the UID of user that triggered this event
 #        (if CMC requests is signed by an agent, SubjectID should
 #        be that of the agent)
@@ -289,13 +320,15 @@ LOGGING_SIGNED_AUDIT_CMC_REQUEST_RECEIVED_3=<type=CMC_REQUEST_RECEIVED>:[AuditEv
 # Event: CMC_RESPONSE_SENT
 # - used when a CMC response is sent
 # Applicable subsystems: CA
+# Enabled by default: Yes
 # SubjectID must be the UID of user that triggered this event
 #
 LOGGING_SIGNED_AUDIT_CMC_RESPONSE_SENT_3=<type=CMC_RESPONSE_SENT>:[AuditEvent=CMC_RESPONSE_SENT][SubjectID={0}][Outcome={1}][CMCResponse={2}] CMC response sent
 #
 # Event: PROFILE_CERT_REQUEST
 # - used when a profile certificate request is made (before approval process)
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: CA
+# Enabled by default: Yes
 # SubjectID must be the UID of user that triggered this event
 #        (if CMC enrollment requests signed by an agent, SubjectID should
 #        be that of the agent), while
@@ -308,7 +341,8 @@ LOGGING_SIGNED_AUDIT_PROFILE_CERT_REQUEST_5=<type=PROFILE_CERT_REQUEST>:[AuditEv
 #
 # Event: CERT_REQUEST_PROCESSED
 # - used when certificate request has just been through the approval process
-# Applicable subsystems: CA, OCSP, TKS, TPS
+# Applicable subsystems: CA
+# Enabled by default: Yes
 # SubjectID must be the UID of the agent who approves, rejects, or cancels
 #        the certificate request
 # ReqID must be the request ID
@@ -322,7 +356,8 @@ LOGGING_SIGNED_AUDIT_CERT_REQUEST_PROCESSED=<type=CERT_REQUEST_PROCESSED>:[Audit
 # Event: CERT_STATUS_CHANGE_REQUEST
 # - used when a certificate status change request (e.g. revocation)
 #        is made (before approval process)
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: CA
+# Enabled by default: Yes
 # ReqID must be the request ID
 # CertSerialNum must be the serial number (in hex) of the certificate to be revoked
 # RequestType must be "revoke", "on-hold", "off-hold"
@@ -332,7 +367,8 @@ LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST=<type=CERT_STATUS_CHANGE_REQUEST
 # Event: CERT_STATUS_CHANGE_REQUEST_PROCESSED
 # - used when certificate status is changed (revoked, expired, on-hold,
 #        off-hold)
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: CA
+# Enabled by default: Yes
 # SubjectID must be the UID of the agent that processed the request
 # ReqID must be the request ID
 # RequestType must be "revoke", "on-hold", "off-hold"
@@ -355,6 +391,7 @@ LOGGING_SIGNED_AUDIT_CERT_STATUS_CHANGE_REQUEST_PROCESSED=<type=CERT_STATUS_CHAN
 # Event: AUTHZ with [Outcome=Success]
 # - used when authorization is successful
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # Outcome must be success for this event
 # aclResource must be the ACL resource ID as defined in ACL resource list
 # Op must be one of the operations as defined with the ACL statement
@@ -365,6 +402,7 @@ LOGGING_SIGNED_AUDIT_AUTHZ_SUCCESS=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorizat
 # Event: AUTHZ with [Outcome=Failure]
 # - used when authorization has failed
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # Outcome must be failure for this event
 # aclResource must be the ACL resource ID as defined in ACL resource list
 # Op must be one of the operations as defined with the ACL statement
@@ -376,6 +414,7 @@ LOGGING_SIGNED_AUDIT_AUTHZ_FAIL=<type=AUTHZ>:[AuditEvent=AUTHZ]{0} authorization
 # - used when inter-CIMC_Boundary data transfer is successful
 #   (this is used when data does not need to be captured)
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: No
 # ProtectionMethod must be one of the following: "SSL", or "unknown"
 # ReqType must be the request type
 # ReqID must be the request ID
@@ -387,6 +426,7 @@ LOGGING_SIGNED_AUDIT_INTER_BOUNDARY_SUCCESS_5=<type=INTER_BOUNDARY>:[AuditEvent=
 #    only webserver env can pick up the SSL violation;
 #    CS authMgr can pick up certificate mis-match, so this event is used)
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # Outcome should always be "failure" in this event
 #   (obviously, if authentication failed, you won't have a valid SubjectID, so
 #       in this case, SubjectID should be $Unidentified$)
@@ -399,6 +439,7 @@ LOGGING_SIGNED_AUDIT_AUTH_FAIL=<type=AUTH>:[AuditEvent=AUTH]{0} authentication f
 # Event: AUTH with [Outcome=Success]
 # - used when authentication succeeded
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # Outcome should always be "success" in this event
 # AuthMgr must be the authentication manager instance name that did
 #   this authentication
@@ -408,7 +449,8 @@ LOGGING_SIGNED_AUDIT_AUTH_SUCCESS=<type=AUTH>:[AuditEvent=AUTH]{0} authenticatio
 # Event: CERT_PROFILE_APPROVAL
 # - used when an agent approves/disapproves a certificate profile set by the
 #     administrator for automatic approval
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: CA
+# Enabled by default: Yes
 # ProfileID must be one of the profiles defined by the administrator
 #           and to be approved by an agent
 # Op must be "approve" or "disapprove"
@@ -417,13 +459,15 @@ LOGGING_SIGNED_AUDIT_CERT_PROFILE_APPROVAL_4=<type=CERT_PROFILE_APPROVAL>:[Audit
 #
 # Event: PROOF_OF_POSSESSION
 # - used for proof of possession during certificate enrollment processing
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: CA
+# Enabled by default: Yes
 #
 LOGGING_SIGNED_AUDIT_PROOF_OF_POSSESSION_3=<type=PROOF_OF_POSSESSION>:[AuditEvent=PROOF_OF_POSSESSION][SubjectID={0}][Outcome={1}][Info={2}] proof of possession
 #
 # Event: CMC_PROOF_OF_IDENTIFICATION
 # - used for proof of identification during CMC request processing
 # Applicable subsystems: CA
+# Enabled by default: No
 # - In case of success, "SubjectID" is the actual identified identification;
 # - In case of failure, "SubjectID" is the attempted identification
 #
@@ -432,12 +476,14 @@ LOGGING_SIGNED_AUDIT_CMC_PROOF_OF_IDENTIFICATION_3=<type=CMC_PROOF_OF_IDENTIFICA
 # Event: CMC_ID_POP_LINK_WITNESS
 # - used for identification and POP linking verification during CMC request processing
 # Applicable subsystems: CA
+# Enabled by default: No
 #
 LOGGING_SIGNED_AUDIT_CMC_ID_POP_LINK_WITNESS_3=<type=CMC_ID_POP_LINK_WITNESS>:[AuditEvent=CMC_ID_POP_LINK_WITNESS][SubjectID={0}][Outcome={1}][Info={2}] Identification Proof of Possession linking witness verification
 #
 # Event: SCHEDULE_CRL_GENERATION
 # - used when CRL generation is scheduled
 # Applicable subsystems: CA
+# Enabled by default: No
 # Outcome is "success" when CRL generation is scheduled successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION=<type=SCHEDULE_CRL_GENERATION>:[AuditEvent=SCHEDULE_CRL_GENERATION]{0} schedule for CRL generation
@@ -445,6 +491,7 @@ LOGGING_SIGNED_AUDIT_SCHEDULE_CRL_GENERATION=<type=SCHEDULE_CRL_GENERATION>:[Aud
 # Event: DELTA_CRL_GENERATION
 # - used when delta CRL generation is complete
 # Applicable subsystems: CA
+# Enabled by default: Yes
 # Outcome is "success" when delta CRL is generated successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=<type=DELTA_CRL_GENERATION>:[AuditEvent=DELTA_CRL_GENERATION]{0} Delta CRL generation
@@ -452,6 +499,7 @@ LOGGING_SIGNED_AUDIT_DELTA_CRL_GENERATION=<type=DELTA_CRL_GENERATION>:[AuditEven
 # Event: DELTA_CRL_PUBLISHING
 # - used when delta CRL publishing is complete
 # Applicable subsystems: CA
+# Enabled by default: No
 # Outcome is "success" when delta CRL is publishing successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=<type=DELTA_CRL_PUBLISHING>:[AuditEvent=DELTA_CRL_PUBLISHING]{0} Delta CRL publishing
@@ -459,6 +507,7 @@ LOGGING_SIGNED_AUDIT_DELTA_CRL_PUBLISHING=<type=DELTA_CRL_PUBLISHING>:[AuditEven
 # Event: FULL_CRL_GENERATION
 # - used when full CRL generation is complete
 # Applicable subsystems: CA
+# Enabled by default: Yes
 # Outcome is "success" when full CRL is generated successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=<type=FULL_CRL_GENERATION>:[AuditEvent=FULL_CRL_GENERATION]{0} Full CRL generation
@@ -466,13 +515,15 @@ LOGGING_SIGNED_AUDIT_FULL_CRL_GENERATION=<type=FULL_CRL_GENERATION>:[AuditEvent=
 # Event: FULL_CRL_PUBLISHING
 # - used when full  CRL publishing is complete
 # Applicable subsystems: CA
+# Enabled by default: No
 # Outcome is "success" when full CRL is publishing successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_FULL_CRL_PUBLISHING=<type=FULL_CRL_PUBLISHING>:[AuditEvent=FULL_CRL_PUBLISHING]{0} Full CRL publishing
 #
 # Event: CRL_RETRIEVAL
 # - used when CRLs are retrieved by the OCSP Responder
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: OCSP
+# Enabled by default: No
 # Outcome is "success" when CRL is retrieved successfully, "failure" otherwise
 # CRLnum is the CRL number that identifies the CRL
 #
@@ -480,13 +531,15 @@ LOGGING_SIGNED_AUDIT_CRL_RETRIEVAL_3=<type=CRL_RETRIEVAL>:[AuditEvent=CRL_RETRIE
 #
 # Event: CRL_VALIDATION
 # - used when CRL is retrieved and validation process occurs
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: OCSP
+# Enabled by default: No
 #
 LOGGING_SIGNED_AUDIT_CRL_VALIDATION_2=<type=CRL_VALIDATION>:[AuditEvent=CRL_VALIDATION][SubjectID={0}][Outcome={1}] CRL validation
 #
 # Event: OCSP_ADD_CA_REQUEST
 # - used when a CA is attempted to be added to the OCSP Responder
 # Applicable subsystems: OCSP
+# Enabled by default: No
 # Outcome is "success" as the request is made
 # CA must be the base-64 encoded PKCS7 certificate (or chain)
 #
@@ -495,6 +548,7 @@ LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST=<type=OCSP_ADD_CA_REQUEST>:[AuditEvent=
 # Event: OCSP_ADD_CA_REQUEST_PROCESSED
 # - used when an add CA request to the OCSP Responder is processed
 # Applicable subsystems: OCSP
+# Enabled by default: Yes
 # Outcome is "success" when CA is added successfully, "failure" otherwise
 # CASubjectDN is the subject DN of the leaf CA cert in the chain
 #
@@ -503,6 +557,7 @@ LOGGING_SIGNED_AUDIT_OCSP_ADD_CA_REQUEST_PROCESSED=<type=OCSP_ADD_CA_REQUEST_PRO
 # Event: OCSP_REMOVE_CA_REQUEST
 # - used when a CA is attempted to be removed from the OCSP Responder
 # Applicable subsystems: OCSP
+# Enabled by default: No
 # Outcome is "success" as the request is made
 # CA must be the DN id of the CA
 LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST=<type=OCSP_REMOVE_CA_REQUEST>:[AuditEvent=OCSP_REMOVE_CA_REQUEST]{0} request to remove a CA from OCSP Responder
@@ -510,6 +565,7 @@ LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST=<type=OCSP_REMOVE_CA_REQUEST>:[Audit
 # Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Success]
 # - used when a remove CA request to the OCSP Responder is processed successfully
 # Applicable subsystems: OCSP
+# Enabled by default: Yes
 # Outcome is "success" when CA is removed successfully, "failure" otherwise
 # CASubjectDN is the subject DN of the leaf CA cert in the chain
 #
@@ -518,6 +574,7 @@ LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS=<type=OCSP_REMOVE_
 # Event: OCSP_REMOVE_CA_REQUEST_PROCESSED with [Outcome=Failure]
 # - used when a remove CA request to the OCSP Responder is processed and failed
 # Applicable subsystems: OCSP
+# Enabled by default: Yes
 # Outcome is  "failure"
 # CASubjectDN is  DN ID of the CA
 #
@@ -526,6 +583,7 @@ LOGGING_SIGNED_AUDIT_OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE=<type=OCSP_REMOVE_
 # Event: OCSP_GENERATION
 # - used when an OCSP response generated is complete
 # Applicable subsystems: CA, OCSP
+# Enabled by default: Yes
 # Outcome is "success" when OCSP response is generated successfully, "failure" otherwise
 #
 LOGGING_SIGNED_AUDIT_OCSP_GENERATION=<type=OCSP_GENERATION>:[AuditEvent=OCSP_GENERATION]{0} OCSP response generation
@@ -533,6 +591,7 @@ LOGGING_SIGNED_AUDIT_OCSP_GENERATION=<type=OCSP_GENERATION>:[AuditEvent=OCSP_GEN
 # Event: RANDOM_GENERATION
 # - used when a random number generation is complete
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # Info:
 # - Caller is PKI code that calls the random number generator
 # - Size is size of random number in bytes
@@ -542,7 +601,8 @@ LOGGING_SIGNED_AUDIT_RANDOM_GENERATION=<type=RANDOM_GENERATION>:[AuditEvent=RAND
 # Event: CMC_SIGNED_REQUEST_SIG_VERIFY
 # - used when agent signed CMC certificate requests or revocation requests
 #   are submitted and signature is verified
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: CA
+# Enabled by default: Yes
 # ReqType must be the request type (enrollment, or revocation)
 # CertSubject must be the certificate subject name of the certificate request
 # SignerInfo must be a unique String representation for the signer
@@ -553,6 +613,7 @@ LOGGING_SIGNED_AUDIT_CMC_SIGNED_REQUEST_SIG_VERIFY=<type=CMC_SIGNED_REQUEST_SIG_
 # - used when CMC (user-signed or self-signed) certificate requests or revocation requests
 #   are submitted and signature is verified
 # Applicable subsystems: CA
+# Enabled by default: Yes
 # ReqType must be the request type (enrollment, or revocation)
 # CertSubject must be the certificate subject name of the certificate request
 # CMCSignerInfo must be a unique String representation for the CMC request signer
@@ -562,14 +623,16 @@ LOGGING_SIGNED_AUDIT_CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE=<type=CMC_USER_S
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST
 # - used for TPS to TKS to get random challenge data
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: TKS, TPS
+# Enabled by default: No
 # AgentID must be the trusted agent id used to make the request
 #
 LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_2=<type=COMPUTE_RANDOM_DATA_REQUEST>:[AuditEvent=COMPUTE_RANDOM_DATA_REQUEST][Outcome={0}][AgentID={1}] TKS Compute random data request
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Success]
 # - used for TPS to TKS to get random challenge data
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: TKS, TPS
+# Enabled by default: No
 # Outcome is SUCCESS or FAILURE
 # Status is 0 for no error.
 # AgentID must be the trusted agent id used to make the request
@@ -577,7 +640,8 @@ LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE
 #
 # Event: COMPUTE_RANDOM_DATA_REQUEST_PROCESSED with [Outcome=Failure]
 # - used for TPS to TKS to get random challenge data
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: TKS, TPS
+# Enabled by default: No
 # Outcome is SUCCESS or FAILURE
 # Status is 0 for no error.
 # Error gives the error message
@@ -587,7 +651,8 @@ LOGGING_SIGNED_AUDIT_COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE=<type=COMPUTE
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST
 # - used for TPS to TKS to get a sessoin key for secure channel setup
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: TKS, TPS
+# Enabled by default: No
 # SubjectID must be the CUID of the token establishing the secure channel
 # AgentID must be the trusted agent id used to make the request
 ## AC: KDF SPEC CHANGE - Need to log both the KDD and CUID, not just the
@@ -600,7 +665,8 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_4=<type=COMPUTE_SESSION_KEY_REQ
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Success]
 # - request for TPS to TKS to get a sessoin key for secure channel processed
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: TKS, TPS
+# Enabled by default: No
 # SubjectID must be the CUID of the token establishing the secure channel
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -626,7 +692,8 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS=<type=COMPUTE
 #
 # Event: COMPUTE_SESSION_KEY_REQUEST_PROCESSED with [Outcome=Failure]
 # - request for TPS to TKS to get a sessoin key for secure channel processed
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: TKS, TPS
+# Enabled by default: No
 # SubjectID must be the CUID of the token establishing the secure channel
 # Outcome is SUCCESS or FAILURE
 # Status is error code or 0 for no error.
@@ -651,7 +718,8 @@ LOGGING_SIGNED_AUDIT_COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE=<type=COMPUTE
 #
 # Event: DIVERSIFY_KEY_REQUEST
 # - request for TPS to TKS to do key change over
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: TKS, TPS
+# Enabled by default: No
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # status is 0 for success, non-zero for various errors
@@ -666,7 +734,8 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_6=<type=DIVERSIFY_KEY_REQUEST>:[Audit
 #
 # Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Success]
 # - request for TPS to TKS to do key change over request processed
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: TKS, TPS
+# Enabled by default: No
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -688,7 +757,8 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS=<type=DIVERSIFY_KEY
 #
 # Event: DIVERSIFY_KEY_REQUEST_PROCESSED with [Outcome=Failure]
 # - request for TPS to TKS to do key change over request processed
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: TKS, TPS
+# Enabled by default: No
 # SubjectID must be the CUID of the token requesting key change over
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -712,7 +782,8 @@ LOGGING_SIGNED_AUDIT_DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE=<type=DIVERSIFY_KEY
 # Event: ENCRYPT_DATA_REQUEST
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: TKS, TPS
+# Enabled by default: No
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # status is 0 for success, non-zero for various errors
@@ -729,7 +800,8 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_5=<type=ENCRYPT_DATA_REQUEST>:[AuditEv
 # Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Success]
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: TKS, TPS
+# Enabled by default: No
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # Outcome is SUCCESS or FAILURE
@@ -752,7 +824,8 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS=<type=ENCRYPT_DATA_R
 # Event: ENCRYPT_DATA_REQUEST_PROCESSED with [Outcome=Failure]
 # - request from TPS to TKS to encrypt data
 #        (or generate random data and encrypt)
-# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Applicable subsystems: TKS, TPS
+# Enabled by default: No
 # SubjectID must be the CUID of the token requesting encrypt data
 # AgentID must be the trusted agent id used to make the request
 # Outocme is SUCCESS or FAILURE
@@ -776,7 +849,8 @@ LOGGING_SIGNED_AUDIT_ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE=<type=ENCRYPT_DATA_R
 # Event: SECURITY_DOMAIN_UPDATE
 # - used when updating contents of security domain
 #       (add/remove a subsystem)
-# Applicable subsystems: CA, TPS
+# Applicable subsystems: CA
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -787,6 +861,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=<type=SECURITY_DOMAIN_UPDATE>:[Aud
 # - used when configuring serial number ranges
 #      (when requesting a serial number range when cloning, for example)
 # Applicable subsystems: CA, KRA, TPS
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -797,6 +872,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_SERIAL_NUMBER_1=<type=CONFIG_SERIAL_NUMBER>:[AuditEv
 # - used when user security data archive request is processed
 #    this is when DRM receives and processed the request
 # Applicable subsystems: KRA
+# Enabled by default: Yes
 # ArchivalRequestID is the requestID provided by the CA through the connector
 #    It is used to track the request through from CA to KRA.
 # RequestId is the KRA archival request ID
@@ -808,6 +884,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=<type=SECURITY_DAT
 # Event: SECURITY_DATA_ARCHIVAL_REQUEST
 # - used when security data recovery request is made
 # Applicable subsystems: CA, KRA
+# Enabled by default: Yes
 # ArchivalRequestID is the requestID provided by the CA through the connector
 #    It is used to track the request through from CA to KRA.
 # RequestId is the KRA archival request ID
@@ -819,6 +896,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_ARCHIVAL_REQUEST=<type=SECURITY_DATA_ARCHIVAL
 # Event: SECURITY_DATA_RECOVERY_REQUEST_PROCESSED
 # - used when security data recovery request is processed
 # Applicable subsystems: KRA
+# Enabled by default: Yes
 # RecoveryID must be the recovery request ID
 # KeyID is the ID of the security data being requested to be recovered
 # RecoveryAgents are the UIDs of the recovery agents approving this request
@@ -828,6 +906,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=<type=SECURITY_DAT
 # Event: SECURITY_DATA_RECOVERY_REQUEST
 # - used when security data recovery request is made
 # Applicable subsystems: KRA
+# Enabled by default: Yes
 # RecoveryID must be the recovery request ID
 # DataID is the ID of the security data to be recovered
 #
@@ -837,6 +916,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST=<type=SECURITY_DATA_RECOVERY
 # - used when DRM agents login as recovery agents to change
 #   the state of key recovery requests
 # Applicable subsystems: KRA
+# Enabled by default: Yes
 # RecoveryID must be the recovery request ID
 # Operation is the operation performed (approve, reject, cancel etc.)
 #
@@ -846,6 +926,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=<type=SECURITY_
 # - used when user attempts to retrieve key after the recovery request
 #   has been approved.
 # Applicable subsystems: KRA
+# Enabled by default: No
 # RecoveryID must be the recovery request ID
 # KeyID is the key being retrieved
 # Info is the failure reason if the export fails.
@@ -856,6 +937,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_EXPORT_KEY=<type=SECURITY_DATA_EXPORT_KEY>:[A
 # Event: SECURITY_DATA_INFO
 # - used when user attempts to get metadata information about a key
 # Applicable subsystems: KRA
+# Enabled by default: No
 # RecoveryID must be the recovery request ID
 # KeyID is the key being retrieved
 # Info is the failure reason if the export fails.
@@ -866,6 +948,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DATA_INFO=<type=SECURITY_DATA_INFO>:[AuditEvent=SE
 # Event: KEY_STATUS_CHANGE
 # - used when modify key status is executed
 # Applicable subsystems: KRA
+# Enabled by default: No
 # keyID must be an existing key id in the database
 # oldStatus is the old status to change from
 # newStatus is the new status to change to
@@ -876,6 +959,7 @@ LOGGING_SIGNED_AUDIT_KEY_STATUS_CHANGE=<type=KEY_STATUS_CHANGE>:[AuditEvent=KEY_
 # - used when symmetric key generation request is processed
 #    this is when DRM receives and processes the request
 # Applicable subsystems: KRA
+# Enabled by default: Yes
 # Client ID must be the user supplied client ID associated with
 #    the symmetric key to be generated and archived
 #
@@ -884,6 +968,7 @@ LOGGING_SIGNED_AUDIT_SYMKEY_GEN_REQUEST_PROCESSED=<type=SYMKEY_GENERATION_REQUES
 # Event: SYMKEY_GENERATION_REQUEST
 # - used when symmetric key generation request is made
 # Applicable subsystems: KRA
+# Enabled by default: Yes
 # ClientKeyID is the ID of the symmetirc key to be generated and archived
 #
 LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=<type=SYMKEY_GENERATION_REQUEST>:[AuditEvent=SYMKEY_GENERATION_REQUEST]{0} symkey generation request made
@@ -891,6 +976,7 @@ LOGGING_SIGNED_AUDIT_SYMKEY_GENERATION_REQUEST=<type=SYMKEY_GENERATION_REQUEST>:
 # Event: ASYMKEY_GENERATION_REQUEST
 # - used when asymmetric key generation request is made
 # Applicable subsystems: KRA
+# Enabled by default: Yes
 #
 LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=<type=ASYMKEY_GENERATION_REQUEST>:[AuditEvent=ASYMKEY_GENERATION_REQUEST]{0} Asymkey generation request made
 #
@@ -898,12 +984,14 @@ LOGGING_SIGNED_AUDIT_ASYMKEY_GENERATION_REQUEST=<type=ASYMKEY_GENERATION_REQUEST
 # - used when a request to generate asymmetric keys received by the DRM
 #   is processed.
 # Applicable subsystems: KRA
+# Enabled by default: Yes
 #
 LOGGING_SIGNED_AUDIT_ASYMKEY_GEN_REQUEST_PROCESSED=<type=ASYMKEY_GENERATION_REQUEST_PROCESSED>:[AuditEvent=ASYMKEY_GENERATION_REQUEST_PROCESSED]{0} Asymkey generation request processed
 #
 # Event: TOKEN_CERT_ENROLLMENT
 # - used for TPS when token certificate enrollment request is made
 # Applicable subsystems: TPS
+# Enabled by default: No
 # - Info is normally used to store more info in case of failure
 #
 LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9=<type=TOKEN_CERT_ENROLLMENT>:[AuditEvent=TOKEN_CERT_ENROLLMENT][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate enrollment request made
@@ -911,6 +999,7 @@ LOGGING_SIGNED_AUDIT_TOKEN_CERT_ENROLLMENT_9=<type=TOKEN_CERT_ENROLLMENT>:[Audit
 # Event: TOKEN_CERT_RENEWAL
 # - used for TPS when token certificate renewal request is made
 # Applicable subsystems: TPS
+# Enabled by default: No
 # - Info is normally used to store more info in case of failure
 #
 LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[AuditEvent=TOKEN_CERT_RENEWAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate renewal request made
@@ -919,17 +1008,21 @@ LOGGING_SIGNED_AUDIT_TOKEN_CERT_RENEWAL_9=<type=TOKEN_CERT_RENEWAL>:[AuditEvent=
 # - used for TPS when token certificate retrieval request is made;
 #   usually used during recovery, along with LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY
 # Applicable subsystems: TPS
+# Enabled by default: No
 #
 LOGGING_SIGNED_AUDIT_TOKEN_CERT_RETRIEVAL_9=<type=TOKEN_CERT_RETRIEVAL>:[AuditEvent=TOKEN_CERT_RETRIEVAL][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][Info={8}] token certificate retrieval request made
 #
 # Event: TOKEN_KEY_RECOVERY
 # - used for TPS when token certificate key recovery request is made
 # Applicable subsystems: TPS
+# Enabled by default: No
 #
 LOGGING_SIGNED_AUDIT_TOKEN_KEY_RECOVERY_10=<type=TOKEN_KEY_RECOVERY>:[AuditEvent=TOKEN_KEY_RECOVERY][IP={0}][SubjectID={1}][CUID={2}][Outcome={3}][tokenType={4}][KeyVersion={5}][Serial={6}][CA_ID={7}][KRA_ID={8}][Info={9}] token certificate/key recovery request made
 #
 # Event: TOKEN_CERT_STATUS_CHANGE_REQUEST
 # - used when a token certificate status change request (e.g. revocation) is made
+# Applicable subsystems: TPS
+# Enabled by default: No
 # CUID must be the last token that the certificate was associated with
 # CertSerialNum must be the serial number (in decimal) of the certificate to be revoked
 # RequestType must be "revoke", "on-hold", "off-hold"
@@ -938,18 +1031,22 @@ LOGGING_SIGNED_AUDIT_TOKEN_CERT_STATUS_CHANGE_REQUEST_10=<type=TOKEN_CERT_STATUS
 #
 # Event: TOKEN_PIN_RESET with [Outcome=Success]
 # - used when token pin reset request succeeded
+# Applicable subsystems: TPS
+# Enabled by default: No
 #
 LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_SUCCESS=<type=TOKEN_PIN_RESET>:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset success
 #
 # Event: TOKEN_PIN_RESET with [Outcome=Failure]
 # - used when token pin reset request failed
 # Applicable subsystems: TPS
+# Enabled by default: No
 #
 LOGGING_SIGNED_AUDIT_TOKEN_PIN_RESET_FAILURE=<type=TOKEN_PIN_RESET>:[AuditEvent=TOKEN_PIN_RESET]{0} token op pin reset failure
 #
 # Event: TOKEN_OP_REQUEST
 # - used when token processor op request is made
 # Applicable subsystems: TPS
+# Enabled by default: No
 # - OP can be "format", "enroll", or "pinReset"
 #
 LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=<type=TOKEN_OP_REQUEST>:[AuditEvent=TOKEN_OP_REQUEST][IP={0}][CUID={1}][MSN={2}][Outcome={3}][OP={4}][AppletVersion={5}] token processor op request made
@@ -957,36 +1054,42 @@ LOGGING_SIGNED_AUDIT_TOKEN_OP_REQUEST_6=<type=TOKEN_OP_REQUEST>:[AuditEvent=TOKE
 # Event: TOKEN_FORMAT with [Outcome=Success]
 # - used when token format op succeeded
 # Applicable subsystems: TPS
+# Enabled by default: No
 #
 LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_SUCCESS=<type=TOKEN_FORMAT>:[AuditEvent=TOKEN_FORMAT]{0} token op format success
 #
 # Event: TOKEN_FORMAT with [Outcome=Failure]
 # - used when token format op failed
 # Applicable subsystems: TPS
+# Enabled by default: No
 #
 LOGGING_SIGNED_AUDIT_TOKEN_FORMAT_FAILURE=<type=TOKEN_FORMAT>:[AuditEvent=TOKEN_FORMAT]{0} token op format failure
 #
 # Event: TOKEN_APPLET_UPGRADE with [Outcome=Success]
 # - used when token apple upgrade succeeded
 # Applicable subsystems: TPS
+# Enabled by default: Yes
 #
 LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_SUCCESS=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade success
 #
 # Event: TOKEN_APPLET_UPGRADE with [Outcome=Failure]
 # - used when token apple upgrade failed
 # Applicable subsystems: TPS
+# Enabled by default: Yes
 #
 LOGGING_SIGNED_AUDIT_TOKEN_APPLET_UPGRADE_FAILURE=<type=TOKEN_APPLET_UPGRADE>:[AuditEvent=TOKEN_APPLET_UPGRADE]{0} token applet upgrade failure
 #
 # Event: TOKEN_KEY_CHANGEOVER_REQUIRED
 # - used when token key changeover is required
 # Applicable subsystems: TPS
+# Enabled by default: Yes
 #
 LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_REQUIRED_10=<type=TOKEN_KEY_CHANGEOVER_REQUIRED>:[AuditEvent=TOKEN_KEY_CHANGEOVER_REQUIRED][IP={0}][SubjectID={1}][CUID={2}][MSN={3}][Outcome={4}][tokenType={5}][AppletVersion={6}][oldKeyVersion={7}][newKeyVersion={8}][Info={9}] token key changeover required
 #
 # Event: TOKEN_KEY_CHANGEOVER with [Outcome=Success]
 # - used when token key changeover succeeded
 # Applicable subsystems: TPS
+# Enabled by default: Yes
 # - Info usually is unused for success
 #
 LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover success
@@ -994,6 +1097,7 @@ LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_SUCCESS=<type=TOKEN_KEY_CHANGEOVER>:[A
 # Event: TOKEN_KEY_CHANGEOVER with [Outcome=Failure]
 # - used when token key changeover failed
 # Applicable subsystems: TPS
+# Enabled by default: Yes
 # - Info is used for storing more info in case of failure
 #
 LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=<type=TOKEN_KEY_CHANGEOVER>:[AuditEvent=TOKEN_KEY_CHANGEOVER]{0} token key changeover failure
@@ -1001,6 +1105,7 @@ LOGGING_SIGNED_AUDIT_TOKEN_KEY_CHANGEOVER_FAILURE=<type=TOKEN_KEY_CHANGEOVER>:[A
 # Event: TOKEN_AUTH with [Outcome=Failure]
 # - used when authentication failed
 # Applicable subsystems: TPS
+# Enabled by default: No
 # Outcome should always be "failure" in this event
 #   (obviously, if authentication failed, you won't have a valid SubjectID, so
 #       in this case, AttemptedID is recorded)
@@ -1012,6 +1117,7 @@ LOGGING_SIGNED_AUDIT_TOKEN_AUTH_FAILURE=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH
 # Event: TOKEN_AUTH with [Outcome=Success]
 # - used when authentication succeeded
 # Applicable subsystems: TPS
+# Enabled by default: No
 # Outcome should always be "success" in this event
 # AuthMgr must be the authentication manager instance name that did
 #   this authentication
@@ -1021,6 +1127,7 @@ LOGGING_SIGNED_AUDIT_TOKEN_AUTH_SUCCESS=<type=TOKEN_AUTH>:[AuditEvent=TOKEN_AUTH
 # Event: CONFIG_TOKEN_GENERAL
 # - used when doing general TPS configuration
 # Applicable subsystems: TPS
+# Enabled by default: No
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1032,6 +1139,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_GENERAL_5=<type=CONFIG_TOKEN_GENERAL>:[AuditEv
 # Event: CONFIG_TOKEN_PROFILE
 # - used when configuring token profile
 # Applicable subsystems: TPS
+# Enabled by default: No
 # Service can be any of the methods offered
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -1044,6 +1152,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_PROFILE_6=<type=CONFIG_TOKEN_PROFILE>:[AuditEv
 # Event: CONFIG_TOKEN_MAPPING_RESOLVER
 # - used when configuring token mapping resolver
 # Applicable subsystems: TPS
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1055,6 +1164,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_MAPPING_RESOLVER_6=<type=CONFIG_TOKEN_MAPPING_
 # Event: CONFIG_TOKEN_AUTHENTICATOR
 # - used when configuring token authenticators
 # Applicable subsystems: TPS
+# Enabled by default: Yes
 # Service can be any of the methods offered
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -1067,6 +1177,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_AUTHENTICATOR_6=<type=CONFIG_TOKEN_AUTHENTICAT
 # Event: CONFIG_TOKEN_CONNECTOR
 # - used when configuring token connectors
 # Applicable subsystems: TPS
+# Enabled by default: Yes
 # Service can be any of the methods offered
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
@@ -1079,6 +1190,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_CONNECTOR_6=<type=CONFIG_TOKEN_CONNECTOR>:[Aud
 # Event: CONFIG_TOKEN_RECORD
 # - used when information in token record changed
 # Applicable subsystems: TPS
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1090,6 +1202,7 @@ LOGGING_SIGNED_AUDIT_CONFIG_TOKEN_RECORD_6=<type=CONFIG_TOKEN_RECORD>:[AuditEven
 # Event: TOKEN_STATE_CHANGE
 # - used when token state changed
 # Applicable subsystems: TPS
+# Enabled by default: No
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1101,6 +1214,7 @@ LOGGING_SIGNED_AUDIT_TOKEN_STATE_CHANGE_8=<type=TOKEN_STATE_CHANGE>:[AuditEvent=
 # Event: AUTHORITY_CONFIG
 # - used when configuring lightweight authorities
 # Applicable subsystems: CA
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1110,6 +1224,7 @@ LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3=<type=AUTHORITY_CONFIG>:[AuditEvent=AUTH
 # Event: ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
 # - used when access session failed to establish
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1120,6 +1235,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 # Event: ACCESS_SESSION_ESTABLISH with [Outcome=Success]
 # - used when access session was established successfully
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1130,6 +1246,7 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
 # Event: ACCESS_SESSION_TERMINATED
 # - used when access session was terminated
 # Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
 #    separated by + (if more than one name;;value pair) of config params changed
@@ -1139,7 +1256,8 @@ LOGGING_SIGNED_AUDIT_ACCESS_SESSION_TERMINATED=\
 #
 # Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Failure]
 # access session failed to establish when Certificate System acts as client
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 <type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session failed to establish when Certificate System acts as client
@@ -1147,14 +1265,16 @@ LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_FAILURE=\
 # Event: CLIENT_ACCESS_SESSION_ESTABLISH with [Outcome=Success]
 # - used when access session was established successfully when
 #   Certificate System acts as client
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_ESTABLISH_SUCCESS=\
 <type=CLIENT_ACCESS_SESSION_ESTABLISH>:[AuditEvent=CLIENT_ACCESS_SESSION_ESTABLISH]{0} access session establish successfully when Certificate System acts as client
 #
 # Event: CLIENT_ACCESS_SESSION_TERMINATED
 # - used when access session was terminated when Certificate System acts as client
-# Applicable subsystems: CA, KRA, OCSP, TKS
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 #
 LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\
 <type=CLIENT_ACCESS_SESSION_TERMINATED>:[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED]{0} access session terminated when Certificate System acts as client
@@ -1164,6 +1284,8 @@ LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\
 #
 # Event: AUDIT_LOG_SIGNING
 # - used when a signature on the audit log is generated (same as "flush" time)
+# Applicable subsystems: CA, KRA, OCSP, TKS, TPS
+# Enabled by default: Yes
 # SubjectID is predefined to be "$System$" because this operation
 #   associates with no user
 # sig must be the base-64 encoded signature of the buffer just flushed
diff --git a/base/server/python/pki/server/__init__.py b/base/server/python/pki/server/__init__.py
index 6e8dd31..e0989a9 100644
--- a/base/server/python/pki/server/__init__.py
+++ b/base/server/python/pki/server/__init__.py
@@ -75,6 +75,10 @@ class PKIServer(object):
 
     @staticmethod
     def load_audit_events(filename):
+        '''
+        This method loads audit event info from audit-events.properties
+        and return it as a map of objects.
+        '''
 
         logger.info('Loading %s', filename)
 
@@ -85,6 +89,8 @@ class PKIServer(object):
 
         event_pattern = re.compile(r'# Event: (\S+)')
         subsystems_pattern = re.compile(r'# Applicable subsystems: (.*)')
+        enabled_pattern = re.compile(r'# Enabled by default: (.*)')
+
         event = None
 
         for line in lines:
@@ -94,10 +100,15 @@ class PKIServer(object):
             event_match = event_pattern.match(line)
             if event_match:
 
-                event = event_match.group(1)
-                logger.info('Found event %s', event)
+                name = event_match.group(1)
+                logger.info('Found event %s', name)
+
+                event = {}
+                event['name'] = name
+                event['subsystems'] = []
+                event['enabled_by_default'] = False
 
-                events[event] = []
+                events[name] = event
                 continue
 
             subsystems_match = subsystems_pattern.match(line)
@@ -107,14 +118,25 @@ class PKIServer(object):
                 logger.info('Found subsystems %s', subsystems)
 
                 subsystems = subsystems.replace(' ', '').split(',')
-                event_subsystems = events.get(event)
-                event_subsystems.extend(subsystems)
+                event['subsystems'] = subsystems
+
+            enabled_match = enabled_pattern.match(line)
+            if enabled_match:
+
+                enabled = enabled_match.group(1)
+                logger.info('Found enabled by default %s', enabled)
+
+                if enabled == 'Yes':
+                    event['enabled_by_default'] = True
+                else:
+                    event['enabled_by_default'] = False
 
         logger.info('Events:')
 
-        for event in events:
-            subsystems = events[event]
-            logger.info('- %s: %s', event, subsystems)
+        for name, event in events.items():
+            logger.info('- %s', name)
+            logger.info('  Applicable subsystems: %s', event['subsystems'])
+            logger.info('  Enabled by default: %s', event['enabled_by_default'])
 
         return events
 
@@ -476,8 +498,7 @@ class PKISubsystem(object):
         if not event_name:
             raise ValueError("Please specify the Event name")
 
-        names = self.get_audit_events()
-        if event_name not in names:
+        if event_name not in self.get_audit_events():
             raise PKIServerException('Invalid audit event: %s' % event_name)
 
         value = self.config['log.instance.SignedAudit.events']
@@ -497,8 +518,7 @@ class PKISubsystem(object):
         if not event_name:
             raise ValueError("Please specify the Event name")
 
-        names = self.get_audit_events()
-        if event_name not in names:
+        if event_name not in self.get_audit_events():
             raise PKIServerException('Invalid audit event: %s' % event_name)
 
         name = 'log.instance.SignedAudit.filters.%s' % event_name
@@ -513,8 +533,7 @@ class PKISubsystem(object):
         if not event_name:
             raise ValueError("Please specify the Event name")
 
-        names = self.get_audit_events()
-        if event_name not in names:
+        if event_name not in self.get_audit_events():
             raise PKIServerException('Invalid audit event: %s' % event_name)
 
         value = self.config['log.instance.SignedAudit.events']
@@ -529,43 +548,55 @@ class PKISubsystem(object):
 
         return True
 
-    def find_audit_event_configs(self, enabled=None):
+    def find_audit_event_configs(self, enabled=None, enabled_by_default=None):
+        '''
+        This method returns current audit configuration based on the specified
+        filters.
+        '''
 
-        events = []
+        events = self.get_audit_events()
+        enabled_events = set(self.get_enabled_audit_events())
 
-        # get enabled events
-        enabled_event_names = self.get_enabled_audit_events()
+        # apply "enabled_by_default" filter
+        if enabled_by_default is None:
+            # return all events
+            names = set(events.keys())
 
+        else:
+            # return events enabled by default
+            names = set()
+            for name, event in events.items():
+                if enabled_by_default is event['enabled_by_default']:
+                    names.add(name)
+
+        # apply "enabled" filter
         if enabled is None:
-            # get all events
-            names = self.get_audit_events()
+            # return all events
+            pass
 
         elif enabled:  # enabled == True
-            # get enabled events
-            names = enabled_event_names
+            # return currently enabled events
+            names = names.intersection(enabled_events)
 
         else:  # enabled == False
-            # get all events
-            all_event_names = self.get_audit_events()
+            # return currently disabled events
+            names = names.difference(enabled_events)
 
-            # get disabled events by subtracting enabled events from all events
-            names = sorted(set(all_event_names) - set(enabled_event_names))
+        results = []
 
         # get event properties
-        for name in names:
+        for name in sorted(names):
             event = {}
             event['name'] = name
-            event['enabled'] = name in enabled_event_names
+            event['enabled'] = name in enabled_events
             event['filter'] = self.config.get('log.instance.SignedAudit.filters.%s' % name)
-            events.append(event)
+            results.append(event)
 
-        return events
+        return results
 
     def get_audit_event_config(self, name):
 
-        names = self.get_audit_events()
-
-        if name not in names:
+        if name not in self.get_audit_events():
             raise PKIServerException('Invalid audit event: %s' % name)
 
         enabled_event_names = self.get_enabled_audit_events()
@@ -578,8 +609,12 @@ class PKISubsystem(object):
         return event
 
     def get_audit_events(self):
+        '''
+        This method returns audit events applicable to this subsystem
+        as a map of objects.
+        '''
 
-        # get the full list of audit events from audit-events.properties
+        # get the list of audit events from audit-events.properties
 
         tmpdir = tempfile.mkdtemp()
 
@@ -610,19 +645,16 @@ class PKISubsystem(object):
         finally:
             shutil.rmtree(tmpdir)
 
-        # get audit events for the subsystem
-        results = set()
+        # get audit events for this subsystem
+        results = {}
         subsystem = self.name.upper()
 
-        for event, subsystems in events.items():
-
-            if subsystem not in subsystems:
-                continue
-
-            logger.info('Returning %s', event)
-            results.add(event)
+        for name, event in events.items():
+            if subsystem in event['subsystems']:
+                logger.info('Returning %s', name)
+                results[name] = event
 
-        return sorted(results)
+        return results
 
     def get_enabled_audit_events(self):
 
diff --git a/base/server/python/pki/server/cli/audit.py b/base/server/python/pki/server/cli/audit.py
index 44fd86a..2fc96dc 100644
--- a/base/server/python/pki/server/cli/audit.py
+++ b/base/server/python/pki/server/cli/audit.py
@@ -315,10 +315,16 @@ class AuditEventFindCLI(pki.cli.CLI):
     def print_help(self):
         print('Usage: pki-server %s-audit-event-find [OPTIONS]' % self.parent.parent.name)
         print()
-        print('  -i, --instance <instance ID>       Instance ID (default: pki-tomcat).')
-        print('      --enabled <True|False>         Show enabled/disabled events only.')
-        print('  -v, --verbose                      Run in verbose mode.')
-        print('      --help                         Show help message.')
+        print('  -i, --instance <instance ID>       '
+              '  Instance ID (default: pki-tomcat).')
+        print('      --enabled <True|False>         '
+              '  Show events currently enabled/disabled only.')
+        print('      --enabledByDefault <True|False>'
+              '  Show events enabled/disabled by default only.')
+        print('  -v, --verbose                      '
+              '  Run in verbose mode.')
+        print('      --help                         '
+              '  Show help message.')
         print()
 
     def execute(self, argv):
@@ -326,7 +332,7 @@ class AuditEventFindCLI(pki.cli.CLI):
         try:
             opts, _ = getopt.gnu_getopt(argv, 'i:v', [
                 'instance=',
-                'enabled=',
+                'enabled=', 'enabledByDefault=',
                 'verbose', 'help'])
 
         except getopt.GetoptError as e:
@@ -336,6 +342,7 @@ class AuditEventFindCLI(pki.cli.CLI):
 
         instance_name = 'pki-tomcat'
         enabled = None
+        enabled_by_default = None
 
         for o, a in opts:
             if o in ('-i', '--instance'):
@@ -344,6 +351,9 @@ class AuditEventFindCLI(pki.cli.CLI):
             elif o == '--enabled':
                 enabled = a == 'True'
 
+            elif o == '--enabledByDefault':
+                enabled_by_default = a == 'True'
+
             elif o in ('-v', '--verbose'):
                 self.set_verbose(True)
 
@@ -370,7 +380,7 @@ class AuditEventFindCLI(pki.cli.CLI):
                   % (subsystem_name.upper(), instance_name))
             sys.exit(1)
 
-        events = subsystem.find_audit_event_configs(enabled)
+        events = subsystem.find_audit_event_configs(enabled, enabled_by_default)
 
         self.print_message('%s entries matched' % len(events))
 
-- 
1.8.3.1


From aec8a79e4acbb14f1a64ed49c4552ff50ce77cac Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 31 Jan 2019 00:09:31 +0100
Subject: [PATCH 24/26] Additional changes to audit-events.properties

The TPS has been dropped from CONFIG_SERIAL_NUMBER.
The KEY_RECOVERY_AGENT_LOGIN is now disabled by default.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit a0e6619b2c3cb9b66943425ca8bb02fefd5e9896)
---
 base/server/cmsbundle/src/audit-events.properties | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/base/server/cmsbundle/src/audit-events.properties b/base/server/cmsbundle/src/audit-events.properties
index b103020..d181db5 100644
--- a/base/server/cmsbundle/src/audit-events.properties
+++ b/base/server/cmsbundle/src/audit-events.properties
@@ -257,7 +257,7 @@ LOGGING_SIGNED_AUDIT_KEY_RECOVERY_REQUEST_4=<type=KEY_RECOVERY_REQUEST>:[AuditEv
 # - used when DRM agents login as recovery agents to approve
 #       key recovery requests
 # Applicable subsystems: KRA
-# Enabled by default: Yes
+# Enabled by default: No
 # RecoveryID must be the recovery request ID
 # RecoveryAgent must be the recovery agent the DRM agent is
 #       logging in with
@@ -860,7 +860,7 @@ LOGGING_SIGNED_AUDIT_SECURITY_DOMAIN_UPDATE_1=<type=SECURITY_DOMAIN_UPDATE>:[Aud
 # Event: CONFIG_SERIAL_NUMBER
 # - used when configuring serial number ranges
 #      (when requesting a serial number range when cloning, for example)
-# Applicable subsystems: CA, KRA, TPS
+# Applicable subsystems: CA, KRA
 # Enabled by default: Yes
 # ParamNameValPairs must be a name;;value pair
 #    (where name and value are separated by the delimiter ;;)
-- 
1.8.3.1


From 2b105fe11c99e4ebe34aa19949123959158ae780 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 31 Jan 2019 00:43:31 +0100
Subject: [PATCH 25/26] Added audit event upgrade script

The log.instance.SignedAudit.events has been updated with
the list of events enabled by default as defined in
audit-events.properties.

An upgrade script has been added to merge some SUCCESS and
FAILURE audit events in CS.cfg, and also to fix misspelled
event names.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit fdf48b80d525a718e3dbbaac8c81028cb58a01ea)
---
 base/ca/shared/conf/CS.cfg                         |   3 +-
 .../com/netscape/certsrv/logging/AuditEvent.java   |   2 +-
 base/kra/shared/conf/CS.cfg                        |   7 +-
 base/ocsp/shared/conf/CS.cfg                       |   3 +-
 .../cms/src/com/netscape/cms/logging/LogFile.java  |   2 +-
 base/server/cmsbundle/src/audit-events.properties  |   2 +-
 base/server/upgrade/10.5.14/01-UpdateAuditEvents   | 117 +++++++++++++++++++++
 base/tks/shared/conf/CS.cfg                        |   3 +-
 base/tps-client/doc/CS.cfg                         |   2 +-
 base/tps/shared/conf/CS.cfg                        |   5 +-
 10 files changed, 129 insertions(+), 17 deletions(-)
 create mode 100755 base/server/upgrade/10.5.14/01-UpdateAuditEvents

diff --git a/base/ca/shared/conf/CS.cfg b/base/ca/shared/conf/CS.cfg
index 5621b0a..63cb299 100644
--- a/base/ca/shared/conf/CS.cfg
+++ b/base/ca/shared/conf/CS.cfg
@@ -911,14 +911,13 @@ log.instance.SignedAudit._007=## $ pki-server ca-audit-event-enable/disable <eve
 log.instance.SignedAudit._008=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CERT_PROFILE_APPROVAL,CONFIG_CRL_PROFILE,CONFIG_OCSP_PROFILE,CONFIG_ACL,CONFIG_DRM,AUTHORITY_CONFIG
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUDIT_LOG_SHUTDOWN,AUDIT_LOG_SIGNING,AUDIT_LOG_STARTUP,AUTH,AUTHORITY_CONFIG,AUTHZ,CERT_PROFILE_APPROVAL,CERT_REQUEST_PROCESSED,CERT_SIGNING_INFO,CERT_STATUS_CHANGE_REQUEST,CERT_STATUS_CHANGE_REQUEST_PROCESSED,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CMC_REQUEST_RECEIVED,CMC_RESPONSE_SENT,CMC_SIGNED_REQUEST_SIG_VERIFY,CMC_USER_SIGNED_REQUEST_SIG_VERIFY,CONFIG_ACL,CONFIG_AUTH,CONFIG_CERT_PROFILE,CONFIG_CRL_PROFILE,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,CRL_SIGNING_INFO,DELTA_CRL_GENERATION,FULL_CRL_GENERATION,KEY_GEN_ASYMMETRIC,LOG_PATH_CHANGE,OCSP_GENERATION,OCSP_SIGNING_INFO,PROFILE_CERT_REQUEST,PROOF_OF_POSSESSION,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
 log.instance.SignedAudit.filters.CMC_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
 log.instance.SignedAudit.filters.CMC_USER_SIGNED_REQUEST_SIG_VERIFY=(Outcome=Failure)
 log.instance.SignedAudit.filters.DELTA_CRL_GENERATION=(Outcome=Failure)
 log.instance.SignedAudit.filters.FULL_CRL_GENERATION=(Outcome=Failure)
 log.instance.SignedAudit.filters.OCSP_GENERATION=(Outcome=Failure)
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
-log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
 log.instance.SignedAudit.expirationTime=0
 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ca_audit
 log.instance.SignedAudit.flushInterval=5
diff --git a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
index 3712e73..c5587a5 100644
--- a/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
+++ b/base/common/src/com/netscape/certsrv/logging/AuditEvent.java
@@ -134,7 +134,7 @@ public class AuditEvent extends LogEvent {
             "LOGGING_SIGNED_AUDIT_AUTHORITY_CONFIG_3";
 
     public final static String AUDIT_LOG_SIGNING =
-            "LOGGING_SIGNED_AUDIT_SIGNING_3";
+            "LOGGING_SIGNED_AUDIT_AUDIT_LOG_SIGNING_3";
 
     private static final long serialVersionUID = -844306657733902324L;
 
diff --git a/base/kra/shared/conf/CS.cfg b/base/kra/shared/conf/CS.cfg
index bc22f2e..8bfb0fb 100644
--- a/base/kra/shared/conf/CS.cfg
+++ b/base/kra/shared/conf/CS.cfg
@@ -306,9 +306,9 @@ log.instance.SignedAudit._007=## $ pki-server kra-audit-event-enable/disable <ev
 log.instance.SignedAudit._008=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GEN_REQUEST_PROCESSED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,KEY_RECOVERY_AGENT_LOGIN,LOG_PATH_CHANGE,PROFILE_CERT_REQUEST,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GEN_REQUEST_PROCESSED,CONFIG_ACL
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,ASYMKEY_GENERATION_REQUEST,ASYMKEY_GENERATION_REQUEST_PROCESSED,AUDIT_LOG_SHUTDOWN,AUDIT_LOG_SIGNING,AUDIT_LOG_STARTUP,AUTH,AUTHZ,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CONFIG_ACL,CONFIG_AUTH,CONFIG_DRM,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SERIAL_NUMBER,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DATA_ARCHIVAL_REQUEST,SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST,SECURITY_DATA_RECOVERY_REQUEST_PROCESSED,SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,SYMKEY_GENERATION_REQUEST,SYMKEY_GENERATION_REQUEST_PROCESSED
 log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST=(Outcome=Failure)
-log.instance.SignedAudit.filters.ASYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)
+log.instance.SignedAudit.filters.ASYMKEY_GENERATION_REQUEST_PROCESSED=(Outcome=Failure)
 log.instance.SignedAudit.filters.KEY_GEN_ASYMMETRIC=(Outcome=Failure)
 log.instance.SignedAudit.filters.KEY_RECOVERY_AGENT_LOGIN=(Outcome=Failure)
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
@@ -317,11 +317,10 @@ log.instance.SignedAudit.filters.SECURITY_DATA_ARCHIVAL_REQUEST_PROCESSED=(Outco
 log.instance.SignedAudit.filters.SECURITY_DATA_RECOVERY_REQUEST=(Outcome=Failure)
 log.instance.SignedAudit.filters.SECURITY_DATA_RECOVERY_REQUEST_PROCESSED=(Outcome=Failure)
 log.instance.SignedAudit.filters.SECURITY_DATA_RECOVERY_REQUEST_STATE_CHANGE=(Outcome=Failure)
-log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
 log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST=(Outcome=Failure)
 log.instance.SignedAudit.filters.SERVER_SIDE_KEYGEN_REQUEST_PROCESSED=(Outcome=Failure)
 log.instance.SignedAudit.filters.SYMKEY_GENERATION_REQUEST=(Outcome=Failure)
-log.instance.SignedAudit.filters.SYMKEY_GEN_REQUEST_PROCESSED=(Outcome=Failure)
+log.instance.SignedAudit.filters.SYMKEY_GENERATION_REQUEST_PROCESSED=(Outcome=Failure)
 log.instance.SignedAudit.expirationTime=0
 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/kra_cert-kra_audit
 log.instance.SignedAudit.flushInterval=5
diff --git a/base/ocsp/shared/conf/CS.cfg b/base/ocsp/shared/conf/CS.cfg
index 201afbd..2fd546a 100644
--- a/base/ocsp/shared/conf/CS.cfg
+++ b/base/ocsp/shared/conf/CS.cfg
@@ -222,9 +222,8 @@ log.instance.SignedAudit._007=## $ pki-server ocsp-audit-event-enable/disable <e
 log.instance.SignedAudit._008=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUDIT_LOG_SHUTDOWN,AUDIT_LOG_SIGNING,AUDIT_LOG_STARTUP,AUTH,AUTHZ,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CONFIG_ACL,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_OCSP_PROFILE,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,LOG_PATH_CHANGE,OCSP_ADD_CA_REQUEST_PROCESSED,OCSP_GENERATION,OCSP_REMOVE_CA_REQUEST_PROCESSED,OCSP_SIGNING_INFO,RANDOM_GENERATION,ROLE_ASSUME,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
-log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
 log.instance.SignedAudit.expirationTime=0
 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/ocsp_cert-ocsp_audit
 log.instance.SignedAudit.flushInterval=5
diff --git a/base/server/cms/src/com/netscape/cms/logging/LogFile.java b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
index 0f58720..564f1bb 100644
--- a/base/server/cms/src/com/netscape/cms/logging/LogFile.java
+++ b/base/server/cms/src/com/netscape/cms/logging/LogFile.java
@@ -703,7 +703,7 @@ public class LogFile implements ILogEventListener, IExtendedPluginInfo {
      * <P>
      *
      * <ul>
-     * <li>signed.audit LOGGING_SIGNED_AUDIT_SIGNING used when a signature on the audit log is generated (same as
+     * <li>signed.audit AUDIT_LOG_SIGNING used when a signature on the audit log is generated (same as
      * "flush" time)
      * </ul>
      *
diff --git a/base/server/cmsbundle/src/audit-events.properties b/base/server/cmsbundle/src/audit-events.properties
index d181db5..ddc278e 100644
--- a/base/server/cmsbundle/src/audit-events.properties
+++ b/base/server/cmsbundle/src/audit-events.properties
@@ -1290,4 +1290,4 @@ LOGGING_SIGNED_AUDIT_CLIENT_ACCESS_SESSION_TERMINATED=\
 #   associates with no user
 # sig must be the base-64 encoded signature of the buffer just flushed
 #
-LOGGING_SIGNED_AUDIT_SIGNING_3=[AuditEvent=AUDIT_LOG_SIGNING][SubjectID={0}][Outcome={1}] signature of audit buffer just flushed: sig: {2}
+LOGGING_SIGNED_AUDIT_AUDIT_LOG_SIGNING_3=[AuditEvent=AUDIT_LOG_SIGNING][SubjectID={0}][Outcome={1}] signature of audit buffer just flushed: sig: {2}
diff --git a/base/server/upgrade/10.5.14/01-UpdateAuditEvents b/base/server/upgrade/10.5.14/01-UpdateAuditEvents
new file mode 100755
index 0000000..ebedc8d
--- /dev/null
+++ b/base/server/upgrade/10.5.14/01-UpdateAuditEvents
@@ -0,0 +1,117 @@
+#!/usr/bin/python
+# Authors:
+#     Endi S. Dewata <edewata@redhat.com>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License along
+# with this program; if not, write to the Free Software Foundation, Inc.,
+# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Copyright (C) 2018 Red Hat, Inc.
+# All rights reserved.
+#
+
+from __future__ import absolute_import
+
+import pki
+
+
+class UpdateAuditEvents(
+        pki.server.upgrade.PKIServerUpgradeScriptlet):
+
+    REPLACEMENTS = [
+        ['ACCESS_SESSION_ESTABLISH_FAILURE', 'ACCESS_SESSION_ESTABLISH'],
+        ['ACCESS_SESSION_ESTABLISH_SUCCESS', 'ACCESS_SESSION_ESTABLISH'],
+        ['AUTH_FAIL', 'AUTH'],
+        ['AUTH_SUCCESS', 'AUTH'],
+        ['AUTHZ_FAIL', 'AUTHZ'],
+        ['AUTHZ_SUCCESS', 'AUTHZ'],
+        ['ASYMKEY_GEN_REQUEST_PROCESSED', 'ASYMKEY_GENERATION_REQUEST_PROCESSED'],
+        ['CMC_USER_SIGNED_REQUEST_SIG_VERIFY_FAILURE', 'CMC_USER_SIGNED_REQUEST_SIG_VERIFY'],
+        ['CMC_USER_SIGNED_REQUEST_SIG_VERIFY_SUCCESS', 'CMC_USER_SIGNED_REQUEST_SIG_VERIFY'],
+        ['COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_FAILURE', 'COMPUTE_RANDOM_DATA_REQUEST_PROCESSED'],
+        ['COMPUTE_RANDOM_DATA_REQUEST_PROCESSED_SUCCESS', 'COMPUTE_RANDOM_DATA_REQUEST_PROCESSED'],
+        ['COMPUTE_SESSION_KEY_REQUEST_PROCESSED_FAILURE', 'COMPUTE_SESSION_KEY_REQUEST_PROCESSED'],
+        ['COMPUTE_SESSION_KEY_REQUEST_PROCESSED_SUCCESS', 'COMPUTE_SESSION_KEY_REQUEST_PROCESSED'],
+        ['DIVERSIFY_KEY_REQUEST_PROCESSED_FAILURE', 'DIVERSIFY_KEY_REQUEST_PROCESSED'],
+        ['DIVERSIFY_KEY_REQUEST_PROCESSED_SUCCESS', 'DIVERSIFY_KEY_REQUEST_PROCESSED'],
+        ['ENCRYPT_DATA_REQUEST_PROCESSED_FAILURE', 'ENCRYPT_DATA_REQUEST_PROCESSED'],
+        ['ENCRYPT_DATA_REQUEST_PROCESSED_SUCCESS', 'ENCRYPT_DATA_REQUEST_PROCESSED'],
+        ['LOGGING_SIGNED_AUDIT_SIGNING', 'AUDIT_LOG_SIGNING'],
+        ['OCSP_REMOVE_CA_REQUEST_PROCESSED_FAILURE', 'OCSP_REMOVE_CA_REQUEST_PROCESSED'],
+        ['OCSP_REMOVE_CA_REQUEST_PROCESSED_SUCCESS', 'OCSP_REMOVE_CA_REQUEST_PROCESSED'],
+        ['SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_FAILURE', 'SERVER_SIDE_KEYGEN_REQUEST_PROCESSED'],
+        ['SERVER_SIDE_KEYGEN_REQUEST_PROCESSED_SUCCESS', 'SERVER_SIDE_KEYGEN_REQUEST_PROCESSED'],
+        ['SYMKEY_GEN_REQUEST_PROCESSED', 'SYMKEY_GENERATION_REQUEST_PROCESSED'],
+        ['TOKEN_APPLET_UPGRADE_FAILURE', 'TOKEN_APPLET_UPGRADE'],
+        ['TOKEN_APPLET_UPGRADE_SUCCESS', 'TOKEN_APPLET_UPGRADE'],
+        ['TOKEN_AUTH_FAILURE', 'TOKEN_AUTH'],
+        ['TOKEN_AUTH_SUCCESS', 'TOKEN_AUTH'],
+        ['TOKEN_FORMAT_FAILURE', 'TOKEN_FORMAT'],
+        ['TOKEN_FORMAT_SUCCESS', 'TOKEN_FORMAT'],
+        ['TOKEN_KEY_CHANGEOVER_FAILURE', 'TOKEN_KEY_CHANGEOVER'],
+        ['TOKEN_KEY_CHANGEOVER_SUCCESS', 'TOKEN_KEY_CHANGEOVER'],
+        ['TOKEN_PIN_RESET_FAILURE', 'TOKEN_PIN_RESET'],
+        ['TOKEN_PIN_RESET_SUCCESS', 'TOKEN_PIN_RESET'],
+    ]
+
+    def __init__(self):
+        super(UpdateAuditEvents, self).__init__()
+        self.message = 'Update audit events'
+
+    def upgrade_subsystem(self, instance, subsystem):
+
+        self.backup(subsystem.cs_conf)
+
+        # update documentation
+        subsystem.config['log.instance.SignedAudit._003'] = \
+            '## To list available audit events:'
+        subsystem.config['log.instance.SignedAudit._004'] = \
+            '## $ pki-server %s-audit-event-find' % subsystem.name
+        subsystem.config['log.instance.SignedAudit._005'] = \
+            '##'
+        subsystem.config['log.instance.SignedAudit._006'] = \
+            '## To enable/disable audit event:'
+        subsystem.config['log.instance.SignedAudit._007'] = \
+            '## $ pki-server %s-audit-event-enable/disable <event name>' % subsystem.name
+        subsystem.config['log.instance.SignedAudit._008'] = \
+            '##'
+
+        # update selected audit events
+        self.update_audit_events(subsystem, 'log.instance.SignedAudit.events')
+
+        # update mandatory audit events
+        self.update_audit_events(subsystem, 'log.instance.SignedAudit.mandatory.events')
+
+        # remove unselected audit events
+        subsystem.config.pop('log.instance.SignedAudit.unselected.events', None)
+
+        subsystem.save()
+
+    def update_audit_events(self, subsystem, prop_name):
+
+        value = subsystem.config.get(prop_name, None)
+        if not value:
+            return
+
+        events = set(value.replace(' ', '').split(','))
+
+        for replacement in UpdateAuditEvents.REPLACEMENTS:
+
+            old_event = replacement[0]
+            new_event = replacement[1]
+
+            if old_event in events:
+                events.remove(old_event)
+                events.add(new_event)
+
+        event_list = ','.join(sorted(events))
+        subsystem.config[prop_name] = event_list
diff --git a/base/tks/shared/conf/CS.cfg b/base/tks/shared/conf/CS.cfg
index 3d95735..2face58 100644
--- a/base/tks/shared/conf/CS.cfg
+++ b/base/tks/shared/conf/CS.cfg
@@ -214,9 +214,8 @@ log.instance.SignedAudit._007=## $ pki-server tks-audit-event-enable/disable <ev
 log.instance.SignedAudit._008=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,CONFIG_ACL
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUDIT_LOG_SHUTDOWN,AUDIT_LOG_SIGNING,AUDIT_LOG_STARTUP,AUTH,AUTHZ,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CONFIG_ACL,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
-log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
 log.instance.SignedAudit.expirationTime=0
 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/tks_cert-tks_audit
 log.instance.SignedAudit.flushInterval=5
diff --git a/base/tps-client/doc/CS.cfg b/base/tps-client/doc/CS.cfg
index b8e79ab..a528763 100644
--- a/base/tps-client/doc/CS.cfg
+++ b/base/tps-client/doc/CS.cfg
@@ -104,7 +104,7 @@ logging.audit.logSigning=false
 logging.audit.signedAuditCertNickname=auditSigningCert cert-[PKI_INSTANCE_NAME]
 logging.audit.selected.events=AUTHZ,AUTH,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
 logging.audit.selectable.events=AUTHZ,AUTH,ROLE_ASSUME,ENROLLMENT,PIN_RESET,FORMAT,CONFIG,CONFIG_ROLE,CONFIG_TOKEN,CONFIG_PROFILE,CONFIG_AUDIT,APPLET_UPGRADE,KEY_CHANGEOVER,RENEWAL,CIMC_CERT_VERIFICATION
-logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
+logging.audit.nonselectable.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,AUDIT_LOG_SIGNING
 logging.audit.buffer.size=512
 logging.audit.flush.interval=5
 logging.audit.file.type=RollingLogFile
diff --git a/base/tps/shared/conf/CS.cfg b/base/tps/shared/conf/CS.cfg
index 2c6a92b..610683a 100644
--- a/base/tps/shared/conf/CS.cfg
+++ b/base/tps/shared/conf/CS.cfg
@@ -231,12 +231,11 @@ log.instance.SignedAudit._007=## $ pki-server tps-audit-event-enable/disable <ev
 log.instance.SignedAudit._008=##
 log.instance.SignedAudit.bufferSize=512
 log.instance.SignedAudit.enable=true
-log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUTH,AUTHZ,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SECURITY_DOMAIN_UPDATE,SELFTESTS_EXECUTION,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER_REQUIRED,TOKEN_KEY_CHANGEOVER,CONFIG_ACL
+log.instance.SignedAudit.events=ACCESS_SESSION_ESTABLISH,ACCESS_SESSION_TERMINATED,AUDIT_LOG_SHUTDOWN,AUDIT_LOG_SIGNING,AUDIT_LOG_STARTUP,AUTH,AUTHZ,CLIENT_ACCESS_SESSION_ESTABLISH,CLIENT_ACCESS_SESSION_TERMINATED,CONFIG_ACL,CONFIG_AUTH,CONFIG_ENCRYPTION,CONFIG_ROLE,CONFIG_SIGNED_AUDIT,CONFIG_TOKEN_AUTHENTICATOR,CONFIG_TOKEN_CONNECTOR,CONFIG_TOKEN_MAPPING_RESOLVER,CONFIG_TOKEN_RECORD,CONFIG_TRUSTED_PUBLIC_KEY,KEY_GEN_ASYMMETRIC,LOG_PATH_CHANGE,RANDOM_GENERATION,ROLE_ASSUME,SELFTESTS_EXECUTION,SERVER_SIDE_KEYGEN_REQUEST,SERVER_SIDE_KEYGEN_REQUEST_PROCESSED,TOKEN_APPLET_UPGRADE,TOKEN_KEY_CHANGEOVER,TOKEN_KEY_CHANGEOVER_REQUIRED
 log.instance.SignedAudit.filters.RANDOM_GENERATION=(Outcome=Failure)
-log.instance.SignedAudit.filters.SELFTESTS_EXECUTION=(Outcome=Failure)
 log.instance.SignedAudit.filters.TOKEN_APPLET_UPGRADE=(Outcome=Failure)
 log.instance.SignedAudit.filters.TOKEN_KEY_CHANGEOVER=(Outcome=Failure)
-log.instance.SignedAudit.mandatory.events=AUDIT_LOG_STARTUP,AUDIT_LOG_SHUTDOWN,LOGGING_SIGNED_AUDIT_SIGNING
+log.instance.SignedAudit.mandatory.events=AUDIT_LOG_SHUTDOWN,AUDIT_LOG_SIGNING,AUDIT_LOG_STARTUP
 log.instance.SignedAudit.expirationTime=0
 log.instance.SignedAudit.fileName=[PKI_INSTANCE_PATH]/logs/[PKI_SUBSYSTEM_TYPE]/signedAudit/tps_cert-tps_audit
 log.instance.SignedAudit.flushInterval=5
-- 
1.8.3.1


From 46f1d968e52af701591eb4b997aafb6f6f9530d8 Mon Sep 17 00:00:00 2001
From: "Endi S. Dewata" <edewata@redhat.com>
Date: Thu, 31 Jan 2019 01:32:59 +0100
Subject: [PATCH 26/26] Added method to upgrade event filters

The upgrade script has been modified to upgrade audit event
filters as well.

https://pagure.io/dogtagpki/issue/2686
(cherry picked from commit 49bf217d04af878ebbf980656f5969abfb40970c)
---
 base/server/upgrade/10.5.14/01-UpdateAuditEvents | 29 ++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/base/server/upgrade/10.5.14/01-UpdateAuditEvents b/base/server/upgrade/10.5.14/01-UpdateAuditEvents
index ebedc8d..34934b5 100755
--- a/base/server/upgrade/10.5.14/01-UpdateAuditEvents
+++ b/base/server/upgrade/10.5.14/01-UpdateAuditEvents
@@ -94,6 +94,9 @@ class UpdateAuditEvents(
         # remove unselected audit events
         subsystem.config.pop('log.instance.SignedAudit.unselected.events', None)
 
+        # update audit event filters
+        self.update_audit_event_filters(subsystem, 'log.instance.SignedAudit.filters.')
+
         subsystem.save()
 
     def update_audit_events(self, subsystem, prop_name):
@@ -115,3 +118,29 @@ class UpdateAuditEvents(
 
         event_list = ','.join(sorted(events))
         subsystem.config[prop_name] = event_list
+
+    def update_audit_event_filters(self, subsystem, prefix):
+
+        prop_names = subsystem.config.keys()
+        for prop_name in prop_names:
+
+            # not a filter, skip
+            if not prop_name.startswith(prefix):
+                continue
+
+            event_name = prop_name[len(prefix):]
+
+            for replacement in UpdateAuditEvents.REPLACEMENTS:
+
+                old_event = replacement[0]
+                new_event = replacement[1]
+
+                if event_name != old_event:
+                    continue
+
+                # remove filter for old event
+                event_filter = subsystem.config.pop(prop_name)
+
+                # add filter for new event
+                prop_name = prefix + new_event
+                subsystem.config[prop_name] = event_filter
-- 
1.8.3.1