Vault Audit Action Codes

The following table lists the action codes available in the User and Safe Activities (LogList) report that can be exported to a SIEM solution using Syslog protocol.


Alerts indicate that an unauthorized operation was performed, such as performing a task without permission, authentication failure, etc.

Recommended Action Codes for Monitoring

The Vault has a large number of action codes that can be used to monitor different behaviors. For general monitoring, we recommend monitoring the action codes listed in the table below.

Code Action
4 User Authentication
22 CPM Verify Password
24 CPM Change Password
31 CPM Reconcile Password
38 CPM Verify Password Failed
57 CPM Change Password Failed
60 CPM Reconcile Password Failed
130 CPM Disable Password
295 Retrieve Password succeeded
300 PSM Connect
302 PSM Disconnect
308 Use Password
319 Retrieve Password (from Provider)
344 Privileged Command Initiated
346 Privileged Command Completed
359 PSM SQL Command


PSM SQL Command Failure

361 PSM Keystrokes


PSM Keystrokes failure

378 PSM Secure Connect Session Start
380 PSM Secure Connect Session End
411 PSM Window Title


PSM Windows Title Failure

All Action Codes