All Servicesin this Service Setfor Serversthat support auditing may generate audit entries and shall generate audit Eventsfor failed service invocations and for successful invocation of the OpenSecureChanneland CloseSecureChannelServices. The Clientgenerated audit entries should be setup prior to the actual call, allowing the correct audit record Id to be provided. The OpenSecureChannelService shall generate an audit Eventof type AuditOpenSecureChannelEventTypeor a subtype of it for the requestType ISSUE. Audit Eventsfor the requestType RENEWare only created if the renew fails. The CloseSecureChannelservice shall generate an audit Eventof type AuditChannelEventType or a subtype of it.Both of these Eventtypes are subtypes of theAuditChannelEventType. See OPC 10000-5for the detailed assignment of the SourceNode, the SourceNameand additional parameters. For the failure cases the Messagefor Eventsof this type should include a description of why the service failed. This description should be more detailed than what was returned to the Client. From a security point of view a Clientonly needs to know that it failed, but from an Auditingpoint of view the exact details of the failure need to be known.

In the case of Certificatevalidation errors the CertificateErrorEventIdof theAuditOpenSecureChannelEventTypeshould include the auditEventIdof the specific AuditCertificateEventTypethat was generated to report the Certificateerror. The AuditCertificateEventTypeshall also contain the detailed Certificatevalidation error. The additional parameters should include the details of the request. It is understood that these events may be generated by the underlying Communication Stacksin many cases, but they shall be made available to the Serverand the Servershall report them.