User session management events

User session management consists of the following events: user login and logout, direct session termination, and session expiration.

The following event messages are logged with parameters that describe the subjects that are involved. The (caller) indicated in each message is the user ID of the caller to this event method:

LOGIN (caller): UserID=”xxx”, Client=”xxx”, Origin=”xxx”, SessionID=”xxx”
Logged when a user logs in to an IBM® InfoSphere® Information Server client application or command line tool or when an internal process logs in to InfoSphere Information Server to perform an operation. This event is logged in only after the successful authentication by the user. This action creates an InfoSphere Information Server session. UserID is the userid used to authenticate with the server. In some cases, this userid value indicates a special trusted userid reserved for use by InfoSphere Information Server. This type of login is for performing some scheduled or system-initiated operation. Client indicates the type of application that initiated the login. Check the SESSION_UPDATED audit event with the same session SessionID to know the client type of the logged in user. Origin indicates the host name of the system from which the login originated. SessionID is a unique alphanumeric value that unambiguously associates this login session with a LOGOUT, SESSION_UPDATED, SESSION_TERMINATED, or SESSION_EXPIRED audit event, or with log messages associated with this session in other diagnostic logs. If this event is configured for LOG LEVEL=INFO, the system user login events are filtered out and not logged. These types of log ins are for InfoSphere Information Server internal operations performed for various tasks. An example of a system user login event is a LOGIN event with a UserID=InformationServerSystemUser. These events typically occur every 30 minutes as part of a scheduler activity but can occur for other operations at other times.
SESSION_UPDATED (caller): UserID=”xxx”, Client=”xxx”, Origin=”xxx”, SessionID=”xxx"
Logged after the InfoSphere Information Server LOGIN event occurs. It indicates the client type of the logged in user.
UserID is the authenticated userid that initially created this session. Client indicates the type of application that initiated the login. The Client parameter is updated in this audit event. Origin indicates the host name of the system from which the login originated. SessionID is the same value that was logged with the corresponding LOGIN.
LOGOUT (caller): UserID=”xxx”, Client=”xxx”, Origin=”xxx”, SessionID=”xxx”
Logged when a user or process explicitly logs out of an active InfoSphere Information Server session. This event might not occur when an application abnormally terminates, such as when the Web browser is closed with an active InfoSphere Information Server Web console or when a session is terminated by an administrator or times out (in which case a SESSION_TERMINATED or SESSION_EXPIRED event is logged). UserID is the authenticated userid that initially created this session. Client indicates the type of application that uses this session. Origin indicates the host name of the system from which the login originated. SessionID is the same value that was logged with the corresponding LOGIN event to uniquely identify this session. If this event is configured for LOG LEVEL=INFO, then logouts from system user sessions are filtered out and not logged. These types of log outs are for InfoSphere Information Server internal operations performed for various tasks.
SESSION_TERMINATED (caller): UserID=”xxx”, Client=”xxx”, Origin=”xxx”, SessionID=”xxx"
Logged when an InfoSphere Information Server session is disconnected by an administrator in the IBM InfoSphere Information Server Web console. If Disconnect All is selected, or multiple sessions are selected, each disconnected session is logged as a separate audit event. Only active sessions that are terminated log an audit event. Sessions that are already expired are ignored because they were previously logged with a SESSION_EXPIRED audit event. UserID is the authenticated userid that initially created this session. Client indicates the type of application that uses this session. Origin indicates the host name of the system from which the login originated. SessionID is the same value that was logged with the corresponding LOGIN event to uniquely identify this session.
SESSION_EXPIRED (caller): UserID=”xxx”, Client=”xxx”, Origin=”xxx”, SessionID=”xxx”
Logged when an idle InfoSphere Information Server session times out and is terminated. The timeout is based on the Inactive Session Timeout value configured in Global Session Properties of Session Management in the IBM InfoSphere Information Server Web console.
UserID is the sme userid value that was logged with the corresponding LOGIN. Client indicates the type of application that initiated the login. Origin indicates the host name of the system from which the login originated. SessionID is the same value that was logged with the corresponding LOGIN event to uniquely identify this session.