Below is a typical log flow providing an example of the log types as you might see them in your own audit logs. This example follows a user authenticating to a Controller through to gaining access with a Gateway. This has been marked up with some explanations of what is happening at each stage.
[
//otp_authentication_succeeded on the Controller
{
"client_ip": "194.218.16.18",
"collective_id": "7c0866a6-45a0-4993-884e-874f1582a210",
"daemon": "cz-controllerd",
"distinguished_name": "CN=<device ID>,CN=<name>,OU=<OU>",
"distinguished_name_device_id": "<device ID>",
"distinguished_name_ou": "<OU>",
"distinguished_name_user": "<name>",
"event_type": "otp_authentication_succeeded",
"geoip": {
"city_name": "Stockholm",
"continent_code": "EU",
"cordinates": [
18.0653,
59.3274
],
"country_code2": "SE",
"country_code3": "SE",
"country_name": "Sweden",
"ip": "194.218.16.18",
"latitude": 59.3274,
"location": {
"lat": 59.3274,
"lon": 18.0653
},
"longitude": 18.0653,
"postal_code": "113 20",
"region_code": "AB",
"region_name": "Stockholm County",
"time_zone": "Europe/Stockholm"
},
"id": "7959da63-8396-4b90-b96d-3b12ac5dcb2f",
"log_source": "35.157.235.196",
"timestamp": "2021-11-16T13:45:04.874431Z",
"version": 16
},
//Authentication_succeeded on the Controller. The authentication step produces a single signed, JWT-formatted "claims token" which contains the identity information of the user. Note the claims_token_id: it is the key used to correlate this event with the subsequent authorization_succeeded event.
{
"authentication_type": "Client",
"claims_token_id": "33747dbe-ad9a-4046-8f9c-5432c58474f1",
"client_ip": "194.218.16.18",
"collective_id": "7c0866a6-45a0-4993-884e-874f1582a210",
"daemon": "cz-controllerd",
"distinguished_name": "CN=<device ID>,CN=<name>,OU=<OU>",
"distinguished_name_device_id": "<device ID>",
"distinguished_name_ou": "<OU>",
"distinguished_name_user": "<name>",
"event_type": "authentication_succeeded",
"geoip": {
"city_name": "Stockholm",
"continent_code": "EU",
"cordinates": [
18.0653,
59.3274
],
"country_code2": "SE",
"country_code3": "SE",
"country_name": "Sweden",
"ip": "194.218.16.18",
"latitude": 59.3274,
"location": {
"lat": 59.3274,
"lon": 18.0653
},
"longitude": 18.0653,
"postal_code": "113 20",
"region_code": "AB",
"region_name": "Stockholm County",
"time_zone": "Europe/Stockholm"
},
"id": "94a98cdd-ba25-491f-9583-c7d754c09a17",
"log_source": "35.157.235.196",
"timestamp": "2021-11-16T13:45:04.908628Z",
"user_claim_script_names": [
"get_risk_score"
],
"user_claims": {
"ag": {
"distinguishedName": "CN=<device ID>,CN=<name>,OU=<OU>",
"identityProviderId": "4331ec7f-c868-43ec-8fb5-4f4041adf6de",
"loginTime": "2021-11-16T13:45:04.876336Z",
"passwordWarning": false
},
"emails": [
"<name>@appgate.com"
],
"firstName": "<first>",
"groups": [
"SDP_Admin",
"SDPDEV_User",
"SDPDEv_App_User",
"SDPDEV_SWE_PowerUser"
//List of AD/Saml group membership
],
"lastName": "<last>",
"otpAuthentication": {
//The timestamp of the MFA auth from previous event
"global": "2021-11-16T13:45:04.876340Z"
},
"username": "<name>@appgate.com"
},
"version": 16
},
//Authorization_succeeded on the Controller. The authorization step produces multiple signed, JWT-formatted "entitlement tokens" (one per SDP Site), each of which contains the resources the user can access, and under what conditions, in that given SDP Site.
{
"@timestamp": "2021-11-16T13:45:06Z",
"@version": "1",
"claims_token_id": "33747dbe-ad9a-4046-8f9c-5432c58474f1", // from the previous step
"client_ip": "194.218.16.18",
"collective_id": "7c0866a6-45a0-4993-884e-874f1582a210",
"daemon": "cz-controllerd",
"device_claims": {
"clientIPs": [
"10.101.2.59"
],
"clientType": "full",
"clientVersion": "5.5.1-27926-6891",
"isFirewallEnabled": false,
"isMultiUser": false,
"isService": false,
"isUserAdmin": true,
"language": "en-us",
"macAddresses": [
"60F81DB57D50",
"820F1E85D000",
"820F1E85D001",
"02F81DB57D50",
"96718B40E1C1"
],
"os": {
"family": "macOS",
"hostname": "MacBook-Pro",
"lcid": "1033",
"name": "macOS 11.6.1",
"platform": "x64",
"type": "desktop",
"version": "11.6.1.20G224"
},
"profileName": "Azure AD",
"spaKey": "CryptZone",
"test_file_exists": false
},
"distinguished_name": "CN=<device ID>,CN=<name>,OU=<OU>",
"distinguished_name_device_id": "<device ID>",
"distinguished_name_ou": "<OU>",
"distinguished_name_user": "<name>",
"dns_settings": [
{
"domain": "github.com",
"servers": [
"100.127.20.30"
]
},
{
"domain": "appgate.com",
"servers": [
"172.1.2.3",
"172.1.2.4"
]
},
{
"domain": "int.appgate.com",
"servers": [
"172.1.2.3",
"172.1.2.4"
]
},
{
"domain": "githubusercontent.com",
"servers": [
"100.127.20.30"
]
}
],
"entitlement_names": [
"Corp – DNS1",
"Corp – DNS2",
"Corp - DNS Forwarder"
//List of all entitlements assigned to user
],
//IDs of the created entitlements token. One token per Site, regardless of how many Gateways in that Site.
"entitlement_token_ids": [
"36d788f7-d210-401b-86c1-d4fb7a69b4c0",
"8fba92bc-a835-401d-9386-3dcf0185ad6c",
"c445f5ce-fb87-43e8-9e83-c31dae5f6f2f",
"56725967-fec2-415a-8623-e43bf37626f2",
"3ff89292-4b0d-4f75-a242-3f587f33cbae",
"79ee2380-10c6-4ac8-8837-4c46367e99c1",
"9d85fe50-d656-4f62-9388-34a9b1d1faef"
],
"event_type": "authorization_succeeded",
"execution_ms": 273,
"geoip": {
"city_name": "Stockholm",
"continent_code": "EU",
"cordinates": [
18.0653,
59.3274
],
"country_code2": "SE",
"country_code3": "SE",
"country_name": "Sweden",
"ip": "194.218.16.18",
"latitude": 59.3274,
"location": {
"lat": 59.3274,
"lon": 18.0653
},
"longitude": 18.0653,
"postal_code": "113 20",
"region_code": "AB",
"region_name": "Stockholm County",
"time_zone": "Europe/Stockholm"
},
"id": "c17c77dd-43bb-4177-8457-492c3081807f",
"log_source": "100.1.2.3",
"policy_names": [
"Developers Policy-Access",
"Developers Policy-Admin",
"DNS Policy"
//List of all matched policies
],
"pool_v4_ip": "192.168.100.121",
"pool_v6_ip": "fd00:ffff:b:20:0:0:0:6f0",
"scripted_user_claims": {},
"site_names": [
"AWS EU 1",
"AWS EU 2",
"London",
"Gothenburg",
"GCP Europe West",
"Azure Europe North",
"AWS SA East"
],
"system_claims": {
"clientSrcIP": "194.218.16.18",
//Best-effort GeoIP resolution of clientSrcIP based on the MaxMind free database.
"geoIp": {
"continentCode": "EU",
"countryCode": "SE",
"stateCode": "AB"
}
},
"tamper_proofing": true,
"timestamp": "2021-11-16T13:45:05.446798Z",
"version": 16
},
//After this step, Client is done with the Controller. The rest of the audit logs in this flow are from Gateways.
//The Client connects to Gateways according to the information in the entitlement tokens; as the user has entitlements in 7 different Sites, the Client will pick a Gateway in those Sites based on weight and initiate a TLS connection.
//Tunnel_connected / tunnel_established events from gateways
//Relevant claims_token_accepted and entitlement_token_accepted events from gateways
//Relevant session_created events from gateways
//Relevant entitlement_token_evaluated and remedy_conditions_evaluated events from gateways
//Now the Client accesses an Entitlement (DNS in this example) - the ip_access event from the Gateway. Its entitlement_token_id matches one of the entitlement_token_ids issued in the authorization_succeeded event above.
{
"action": "allow",
"action_id": "Corp - DNS#e9af9b6d-52ac-3746-82cb-d6e383b84ae6",
"client_ip": "194.218.16.18",
"client_port": 65071,
"collective_id": "7c0866a6-45a0-4993-884e-874f1582a210",
"daemon": "cz-vpnd",
"destination_ip": "172.1.2.3",
"destination_port": 53,
"direction": "up",
"distinguished_name": "CN=<device ID>,CN=<name>,OU=<OU>",
"distinguished_name_device_id": "<device ID>",
"distinguished_name_ou": "<OU>",
"distinguished_name_user": "<name>",
"entitlement_token_id": "56725967-fec2-415a-8623-e43bf37626f2",
"event_type": "ip_access",
"geoip": {
"city_name": "Stockholm",
"continent_code": "EU",
"cordinates": [
18.0653,
59.3274
],
"country_code2": "SE",
"country_code3": "SE",
"country_name": "Sweden",
"ip": "194.218.16.18",
"latitude": 59.3274,
"location": {
"lat": 59.3274,
"lon": 18.0653
},
"longitude": 18.0653,
"postal_code": "113 20",
"region_code": "AB",
"region_name": "Stockholm County",
"time_zone": "Europe/Stockholm"
},
"id": "2bfec1b1-508d-45ba-b763-e6fbb41abe6d",
"log_source": "server.appgate.com",
"packet_size": 73,
"protocol": "UDP",
"rule_name": "CORP DNS1", // name of the entitlement
"source_ip": "192.168.100.121",
"source_port": 52843,
"timestamp": "2021-11-16T14:00:02.825Z",
"version": 16
}
]