Event logging

The Specops Password Policy components log their operations to the application log. Specops Breached Password Protection components log their operations to the Applications and Services Logs.

Find event IDs in the table.

Sentinel Service Events

Event type	ID	Description
Information	100	Initializing... Logged when the Specops Sentinel is starting.
Information	101	Successfully initialized version X.X.X.X. Logged when the Specops Sentinel has successfully started.
Information	102	Successful password change.
Information	103	Successful password reset.
Information	104	Verbose logging enabled.
Information	105	Verbose logging disabled.
Information	108	A user account was automatically unlocked.
Information	109	Minor information notices.
Information	110	User not found. Master key not found when storing or loading encrypted passwords.
Warning	202	Failed password change.
Warning	203	Failed password reset.
Warning	209	Minor warning notices.
Warning	244	Problems detected when processing encrypted password data.
Error	300	Initialization failed. Logged if the Specops Sentinel component failed to start.
Error	301	An error occurred during the password change/reset process.
Error	302	General exception occurred in the filter or notifier.
Information	600	Sentinel Password Filter loaded.
Information	1001	The Sentinel service is about to start.
Information	1002	The Sentinel service started successfully.
Error	1003	Failed to start the Sentinel service.
Information	1004	The Sentinel service is about to stop.
Information	1005	The Sentinel service stopped successfully.
Information	1006	A valid custom service command was sent to the Sentinel service.
Information	1007	The Arbiter URLs were loaded successfully from the SCPs.
Warning	1009	The URLs for the Arbiters could not be read from the SCP in Active Directory.
Information	1010	The password that was set for a user was found in the breach list, but user does not need to change it according to the GPO configuration.
Information	1011	The password that was set for a user was found in the breach list, user will be forced to change it at next logon.
Warning	1012	A password for a user was found in the breach list, but the password could not be expired.
Information	1013	The password that was set for a user was not found in the breach list.
Warning	1015	Failed to check if a password is in the breach list. An error occurred on the Arbiter server.
Warning	1018	An unexpected error occurred in the file queue for the Sentinel service.
Warning	1022	Something unexpected went wrong in the communication between the Sentinel password filter and the Sentinel service.
Warning	1023	Something unexpected went wrong in the communication between the Sentinel password filter and the Sentinel service.
Warning	1024	An error occurred when communicating with the Arbiter server.
Warning	1029	An unexpected error occurred in the file queue for the Sentinel service.
Error	1039	Failed to process a message in the file queue from the Sentinel password filter.
Error	1046	Failed to read a file into the cache.
Warning	1058	An unexpected error occurred in the file queue for the Sentinel service.
Warning	1062	An SMTP related error occurred when attempting to send an email.
Warning	1063	The sender email address is invalid. Email cannot be sent.
Error	1064	Failed to send a Breach Password protection API email notification to a user.
Information	1067	The Sentinel service WebApi has started.
Information	1073	User counting is starting. This happens every night on the PDC emulator.
Error	1074	An error occurred when initiating one of the subprocesses of the user counting.
Error	1078	An error occurred when finalizing one of the subprocesses of the user counting.
Information	1079	User counting completed.
Error	1081	Failed to send a license information email.
Error	1087	Failed to send a password expiration reminder email.
Error	1091	Failed to update a user's subobject in Active Directory.
Error	1095	Failed to expire the password for a user.
Error	1097	Failed to send a Breach Password protection express email notification to a user.
Error	1098	Failed to check if a user's password is in the breach list.
Warning	1102	Failed to update the flags attribute on a user subobject.
Information	1104	A sub process of the user counting completed.
Error	1106	An unexpected error occurred when processing a user account during user counting.
Warning	1107	Failed to send a password expiration email reminder to a user that does not have an email address on their user account in Active Directory.
Warning	1108	Failed to send a password expiration email reminder to a user that does not have an email address on their user account in Active Directory. The email will be sent to the CC recipient.
Error	1109	Cannot send breached password notification because account has no email address.
Error	1111	The user counting was aborted unexpectedly.
Information	1113	A breached password protection against the local express list has started due to a command being sent to the Web API.
Information	1114	A license report email is sent to Specops.
Information	1115	A license information email is sent to the configured admin email address.
Warning	1116	A unknown custom service command was sent to the Sentinel service.
Warning	1118	User counting cannot be started because a previous count has not completed.
Error	1119	The user counting was aborted due to a license error
Information	1120	Sending BPP Complete Email: Breached Password Protection sent a notification.
Error	1121	Hash Load Error: A password hash cannot be read by Breached Password Protection Express.
Information	1122	The user counting will not be performed because Specops Password Policy is disabled in the domain.
Information	1123	Password Is Already Expired: a user’s password has already expired, and no Breached Password Protection Express breach check and notification are performed.
Information	1166	Password never expires flag was removed due to breached password.

Specops Arbiter events

Event type	ID	Description
Information	2001	Service starting.
Information	2002	Service started.
Error	2003	Service failed to start
Information	2004	Service stopping.
Information	2005	Service stopped.
Information	2006	Custom control message sent to service.
Warning	2008	An email notification request was not sent for the user. The SPP Breached Password Protection policy settings for the GPO lacks a subject for the email notification.
Warning	2009	An email notification request was not sent for the user. The SPP Breached Password Protection policy settings for the GPO lacks body text for the email notification.
Warning	2010	A text message notification request was not sent for the user. The SPP Breached Password Protection policy settings for the GPO lacks text message notification text.
Error	2022	An email notification failed to send for this email address. The server returned an error code and message.
Error	2014	Request to the Breached Password Protection API has failed.
Error	2047	Failed to start WebApiHost.
Information	2048	WebApiHost starting.
Error	2049	Unhandled error in WebApiHost application.

Debug logging

You can configure the components of Specops Password Policy to log their internal activity to a verbose debug log. The debug log allows you to follow the events leading up to the error. Debug logging is enabled by changing the relevant registry key from “0” to “1.” Additional logging will be returned by using the higher debug levels “2” or “3.”

Registry Key	Description
HKLM\Software\Specopssoft\Specops Password Policy\Filter\Debug	Enables debug logging for the sentinel component. Default value = 0 (set to 1 to enable logging) The default log path is: %WINDIR%\Debug\SPP3FLT [LSASS].log
HKLM\Software\Specopssoft\Specops Password Policy\Administration\Debug	Enables debug logging for the GPMC snap-in and the Domain Administration tool. Default value = 0 (set to 1 to enable logging) The default log paths are: %USERPROFILE%\AppData\Local\SpecopsSoft\ SpecopsPasswordPolicy2GpmcSnapIn.log %USERPROFILE%\AppData\Local\SpecopsSoft\ SpecopsPasswordPolicyDomainAdministration.log
HKLM\SOFTWARE\Specopssoft\Specops Password Policy\Blacklist\Arbiter\Logging	Enables debug logging for the arbiter component. Default value = 0 (set to 1 to enable logging). The default log path is: %windir%\ServiceProfiles\NetworkService\AppData\ Local\Specopssoft\SpecopsPasswordArbiter.log

Legacy event codes

These event codes have been deprecated. They are still valid for Specops Password Policy version 7.5 and older.

Event type	ID	Description
Information	106	Started processing password expiration email notifications.
Information	107	Information about expiration email notifications.
Information	650	Periodic job will not be performed, since this DC is not the PDC emulator.
Information	677	User has breached password, will not be enforced to change at next logon.
Information	678	User has breached password, will be enforced to change at next logon.
Information	681	User has breached password, request to notify user enqueued to Sentinel Service.