• You will see messages similar to the following  in /var/vcap/sys/log/uaa/uaa.log on the pivotal-container-service API-VM.
  

  [2025-03-09T12:30:44.543633Z] uaa - 12 [https-jsse-nio-8443-exec-7] - [93xxxxxxxxx0e,93xxxxxxxxxxx0e] ....  INFO --- Audit: ClientAuthenticationSuccess ('Client authentication success'): principal=pks_cluster_client, origin=[remoteAddress=10.x.x.20, clientId=pks_cluster_client], identityZoneId=[uaa]
  
  [2025-03-09T12:30:44.548806Z] uaa - 12 [https-jsse-nio-8443-exec-7] - [93xxxxxxxxx0e,93xxxxxxxxxxx0e] ....  INFO --- Audit: UserNotFound (''): principal=1Trxxxxxxxxxxxxxxxxxxbb=, origin=[remoteAddress=10.x.x.20, clientId=pks_cluster_client], identityZoneId=[uaa]
  
  [2025-03-09T12:30:44.548914Z] uaa - 12 [https-jsse-nio-8443-exec-7] - [93xxxxxxxxx0e,93xxxxxxxxxxx0e] ....  INFO --- Audit: PrincipalAuthenticationFailure ('null'): principal=UserName, origin=[10.x.x.20], identityZoneId=[uaa]
  
  [2025-03-09T12:30:45.806853Z] uaa - 12 [https-jsse-nio-8443-exec-7] - [93xxxxxxxxx0e,93xxxxxxxxxxx0e] ....  INFO --- Audit: IdentityProviderAuthenticationSuccess ('UserName'): principal=41fxxx-xxxx-xxxxx-xxxx-xxxxxxxxxx9c, origin=[remoteAddress=10.x.x.20, clientId=pks_cluster_client], identityZoneId=[uaa], authenticationType=[ldap]
  
  [2025-03-09T12:30:45.807040Z] uaa - 12 [https-jsse-nio-8443-exec-7] - [93xxxxxxxxx0e,93xxxxxxxxxxx0e] ....  INFO --- Audit: UserAuthenticationSuccess ('UserName'): principal=41fxxx-xxxx-xxxxx-xxxx-xxxxxxxxxx9c, origin=[remoteAddress=10.x.x.20, clientId=pks_cluster_client], identityZoneId=[uaa]
  
  [2025-03-09T12:30:45.834057Z] uaa - 12 [https-jsse-nio-8443-exec-7] - [93xxxxxxxxx0e,93xxxxxxxxxxx0e] ....  INFO --- Audit: TokenIssuedEvent ('["openid","roles"]'): principal=41fxxx-xxxx-xxxxx-xxxx-xxxxxxxxxx9c, origin=[client=pks_cluster_client, user=UserName], identityZoneId=[uaa]

  
  
  
  Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

VMware Tanzu Kubernetes Grid Integrated (TKGi).

To understand if the authentication audit events in the uaa.log is related to successful login or not, one can use the following example flows for a UAA configured with LDAP as a guied.

• Browser flows

  • Successful login: UserNotFound -> PrincipalAuthenticationFailure -> UserCreatedEvent -> IdentityProviderAuthenticationSuccess -> UserAuthenticationSuccess
    
    
  • Invalid password: UserNotFound -> PrincipalAuthenticationFailure -> IdentityProviderAuthenticationFailure
    
    
  • Unknown user: UserNotFound -> PrincipalAuthenticationFailure -> IdentityProviderAuthenticationFailure

• Password grant

  • Successful login: ClientAuthenticationSuccess -> UserNotFound -> PrincipalAuthenticationFailure -> IdentityProviderAuthenticationSuccess -> UserAuthenticationSuccess -> TokenIssuedEvent
    
    
  • Invalid password: ClientAuthenticationSuccess -> UserNotFound -> PrincipalAuthenticationFailure -> IdentityProviderAuthenticationFailure
    
    
  • Unknown user: ClientAuthenticationSuccess -> UserNotFound -> PrincipalAuthenticationFailure -> IdentityProviderAuthenticationFailure

For more information see Authentication and password events