Audit Logs


The Audit Logs page (Usage > Audit Logs) is visible only when the LogServer function has been configured on an appliance within the Collective. Once you are authenticated in your AppGate ZTNA system, you can access the LogServer with a link instead of navigating to Usage > Audit Logs each time.

Audit Logs redirects you to the LogServer, which uses OpenSearch as the UI engine. AppGate ZTNA provides a number of pre-configured report scripts. The OpenSearch UI also provides a number of tools to create your own data reports and visualizations to illustrate AppGate ZTNA performance.

Details of the different types of Audit Logs generated by the AppGate ZTNA Collective are provided in the System monitoring and logs section.

Background information

For information about the handling of audit logs within the AppGate ZTNA system, refer to the System monitoring and logs section.

Using The LogServer

This page provides details about how to use OpenSearch and perform basic searches. For more information you can also try the OpenSearch User Guide: https://docs.aws.amazon.com/opensearch-service/?id=docs_gateway

Pre-configured tools

The menu (top left) includes OpenSearch Dashboards. The following tools are likely the most useful:

  • Dashboards. There are two prepared dashboards: Appgate Appliances and Appgate User Activity.

  • Visualize. There is a list of prepared visualizations such as Client version used by OS and Configuration changes.

  • Discover. This is the main tool for performing log analysis. There are also some pre-prepared search scripts, which can be accessed by clicking Open at the top right-hand side of the screen:

Pre-prepared search scripts including authentication and device claims.

  • Changing time-frame. To change the time frame for the audit log report, click on the calendar button next to the displayed time window:

Time selection options for changing the time frame of an audit report.

  • Filtering the data

  • Changing parameters. You can add or delete the parameters that are included in the search report. For example, the "Controller Audit logs" script displays the Time, DN, daemon, and event-type parameters:

Gateway audit logs displaying session events and timestamps for monitoring activity.

To add a parameter to the report, use the Available Fields list on the left-hand side of the UI and click <+> next to the parameter you wish to add to the report.

To remove a parameter from the report, use the Selected Fields list on the left-hand side and click <X> next to the appropriate parameter:

Log analysis interface displaying event types and distinguished names with a bar chart.

  • Filtering searches. You can also filter searches. Expand any field to see the most common values in that field. The <+> and <-> icons can be used to filter the search to include or exclude that value.

Logstash audit logs displaying event types and their corresponding counts over time.

In this case, only cz-vpnd logs are displayed.

  • Using the search bar. You can enter your own search terms in the search bar to customize searches, such as: event_type: ip_access && distinguished_name_user: testuser

However, it might be easier to just filter by value. The <+> and <-> icons can be used to filter the search to include or exclude that value.

Audit logs displaying event types and timestamps for various daemons and distinguished names.

In this case the type filter is 'authentication_succeeded' and the value filter is for 'Annie'.
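
The include (<+>), exclude (<->) and time-frame selections described above can be expressed as an OpenSearch Query DSL bool query. The following is an added example, not part of the AppGate documentation or product: it builds such a query body and evaluates it against constructed sample records so it runs offline. The field names event_type, distinguished_name_user and daemon come from this page; the "@timestamp" field, the "other-daemon" value and all record contents are assumptions.

```python
import json
from datetime import datetime

# Constructed sample records. event_type, distinguished_name_user and daemon are
# field names from the page; "@timestamp", "other-daemon" and all values are assumptions.
SAMPLE = [
    {"@timestamp": "2024-05-01T09:00:00Z", "daemon": "cz-vpnd", "event_type": "ip_access", "distinguished_name_user": "testuser"},
    {"@timestamp": "2024-05-01T09:05:00Z", "daemon": "cz-vpnd", "event_type": "ip_access", "distinguished_name_user": "Annie"},
    {"@timestamp": "2024-05-01T09:10:00Z", "daemon": "other-daemon", "event_type": "authentication_succeeded", "distinguished_name_user": "Annie"},
    {"@timestamp": "2024-05-01T09:15:00Z", "daemon": "other-daemon", "event_type": "authentication_succeeded", "distinguished_name_user": "testuser"},
    {"@timestamp": "2024-05-01T10:30:00Z", "daemon": "cz-vpnd", "event_type": "ip_access", "distinguished_name_user": "testuser"},
]

def build_query(include, exclude=None, start=None, end=None, time_field="@timestamp"):
    """Query DSL body: <+> filters go to bool.filter, <-> filters to bool.must_not."""
    filters = [{"match_phrase": {f: v}} for f, v in include.items()]
    window = {k: v for k, v in (("gte", start), ("lte", end)) if v}
    if window:  # the time-frame picker becomes a range clause
        filters.append({"range": {time_field: window}})
    must_not = [{"match_phrase": {f: v}} for f, v in (exclude or {}).items()]
    return {"query": {"bool": {"filter": filters, "must_not": must_not}}}

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _hit(record, clause):
    """Evaluate one clause locally; equality stands in for match_phrase on single-token values."""
    if "match_phrase" in clause:
        (field, value), = clause["match_phrase"].items()
        return record.get(field) == value
    (field, window), = clause["range"].items()
    t = _ts(record[field])
    return ("gte" not in window or t >= _ts(window["gte"])) and \
           ("lte" not in window or t <= _ts(window["lte"]))

def search(records, body):
    """Return the records that satisfy every filter clause and no must_not clause."""
    b = body["query"]["bool"]
    return [r for r in records
            if all(_hit(r, c) for c in b["filter"])
            and not any(_hit(r, c) for c in b["must_not"])]

if __name__ == "__main__":
    body = build_query({"event_type": "ip_access", "distinguished_name_user": "testuser"},
                       end="2024-05-01T10:00:00Z")
    print(json.dumps(body, indent=2))
    print(search(SAMPLE, body))
```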