Audit logs can be viewed using the LogServer or forwarded using the LogForwarder to any number of external log collection systems.
Audit logs forwarded to destinations other than LogServer/Elasticsearch/OpenSearch are wrapped in the following structure:
Field | Description |
|---|---|
daemon | Name of the daemon that generated the log event |
date | The date of the event in syslog time format (MMM dd HH:mm:ss) |
hostname | Hostname of the appliance that generated the log event |
log | The audit log content |
timestamp | Timestamp of the event in ISO 8601 UTC format |
version | Version of the wrapper format |
NOTE
Logs received by LogServer/OpenSearch/Elasticsearch will not have the format above. Instead the content of the log element will be on the top level in the hierarchy. The daemon, hostname (renamed to log_source) and timestamp fields are still included but on the same hierarchy level.
Audit Logs always contain a number of standard fields: collective_id and log_source/hostname can be used to correlate the source of log events (even when using more than one Collective); daemon and event_type can be used to drill down to specific areas of interest within a given appliance.
The table below shows the detail of every log record types that is produced by the AppGate ZTNA Collective
Audit log type | Daemon | Description | Parameters included in the log |
Any |
| Common fields that appear in various log records |
|
|
|
| collective_id: unique id in uuid format of the sdp collective |
|
|
| distinguished_name_device_id: device id from the distinguished_name |
|
|
| distinguished_name_ou: identity provider name from the distinguished_name |
|
|
| distinguished_name_user: username from the distinguished_name |
|
|
| geoip: best-effort geoip resolution based on client_ip field, if available |
|
|
| id: unique id in uuid format of the log record |
|
|
| log_source: hostname of the appliance that generated the log event |
|
|
| timestamp: timestamp of the event in ISO 8601 UTC format |
|
|
| version: version of the event, based on the api version of the log_source |
acl_rules_update | cz-vpnd | Statistics relating to a user session |
|
|
|
| statistics.bytes-: Client bytes read/write |
|
|
| statistics.client-connect-time-: Client connection times |
|
|
| statistics.packets-: Client packets read/write |
|
|
| statistics.client-metrics.-: Client connection metrics |
|
|
| statistics.rtt-: Client RTT |
|
|
| statistics.rules-in-place-: true or false |
|
|
| statistics.session-duration-: time of the user's session |
|
|
| statistics.used-entitlement.: count of user hits per Entitlement. TCP connection count related to the IP access audit log interval |
admin_authorization_failed | cz-controllerd | There was no administrator policy available for that (valid) user. |
|
|
|
| client_ip: IP address of the client |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| execution_ms: the time in ms. used to execute all conditions and entitlements scripts and convert them into fw-rules |
|
|
| system_claims: All system claims of the user. For example: clientSrcIp, geoIP etc |
admin_authorization_succeeded | cz-controllerd | An administration token has been issued to an administrator. |
|
|
|
| admin_role_names: List of Admin Role names within the token |
|
|
| admin_token_id: UUID of the administration token generated |
|
|
| claims_token_id: UUID of the claims token used to get the entitlement token |
|
|
| client_ip: IP address of the client |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| execution_ms: the time in ms. used to execute all conditions and entitlements scripts and convert them into fw-rules |
|
|
| policy_names: The policies that have been assigned to the user |
|
|
| system_claims: All system claims of the user. For example: clientSrcIp, geoIP etc |
admin_message_posted | cz-controllerd | The contents of an admin message which has been sent to the dashboard. |
|
|
|
| admin_message: The message |
admin_message_deleted | cz-controllerd | An admin message has been deleted. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| message: The message that was deleted |
admin_messages_listed | cz-controllerd | Admin messages have been viewed. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
all_admin_messages_deleted | cz-controllerd | All admin messages have been deleted. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
admin_otp_settings_viewed | cz-controllerd | The OTP settings for admin access have been viewed. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
admin_otp_settings_updated | cz-controllerd | The OTP settings for admin access have been updated. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| client_ip: IP address of the administrator |
|
|
| original_settings: Original Admin OTP Settings |
|
|
| settings: Admin OTP Settings |
alert_triggered | cz-sessiond | A packet was detected that was connected to an alert, and the Gateway claim "alert" has not been set before for this session. This will trigger a policy evaluation since the "alert" claim was set in the session. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| session_id: Gateway identifier of the session |
allocated_ips_listed | cz-controllerd | IP addresses allocated to user&devices are listed to an administrator. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| client_ip: IP address of the administrator |
|
|
| count: count of the IPs returned |
appliance_activated | cz-controllerd | An appliance has activated itself using the seed. |
|
|
|
| appliance_ip: IP address of the appliance |
|
|
| entity_id: UUID of the appliance |
|
|
| entity_name: Name of the appliance |
appliance_deactivated | cz-controllerd | An appliance has been deactivated by an admin. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| client_ip: IP address of the administrator |
|
|
| entity_id: UUID of the appliance |
|
|
| entity_name: name of the appliance |
appliance_backup_deleted | cz-controllerd | A backup file is deleted from an appliance. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| backup_id: UUID of the backup |
|
|
| client_ip: IP address of the administrator |
|
|
| entity_id: UUID of the appliance |
|
|
| entity_name: name of the appliance |
appliance_backup_downloaded | cz-controllerd | A backup file is downloaded from an appliance. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| backup_id: UUID of the backup |
|
|
| client_ip: IP address of the administrator |
|
|
| entity_id: UUID of the appliance |
|
|
| entity_name: name of the appliance |
appliance_backup_initialized | cz-controllerd | A backup operation is initialized on an appliance. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| backup_id: UUID of the backup |
|
|
| client_ip: IP address of the administrator |
|
|
| entity_id: UUID of the appliance |
|
|
| entity_name: name of the appliance |
appliance_customization_downloaded | cz-controllerd | An appliance customization is downloaded by an administrator. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| entity_id: UUID of the appliance customization |
|
|
| entity_name: the name of the appliance customization |
appliance_downloaded_customization | cz-controllerd | An appliance has downloaded a customization to apply. |
|
|
|
| appliance_ip: IP address of the appliance |
|
|
| customization_id: UUID of the appliance customization |
|
|
| entity_id: UUID of the appliance |
|
|
| entity_name: Name of the appliance |
appliance_download_customization_failed | cz-controllerd | An appliance has failed to download a customization to apply. |
|
|
|
| appliance_ip: IP address of the appliance |
|
|
| customization_id: UUID of the appliance customization |
|
|
| entity_id: UUID of the appliance |
|
|
| entity_name: Name of the appliance |
|
|
| reason: The failure reason |
appliance_downloaded_file | cz-controllerd | An appliance has downloaded a file from controller to perform an upgrade. |
|
|
|
| appliance_ip: IP address of the appliance |
|
|
| creation_time: The time the file was created |
|
|
| entity_id: UUID of the appliance |
|
|
| entity_name: Name of the appliance |
|
|
| filename: The filename downloaded |
|
|
| last_modified_time: The time the file was last modified |
appliance_download_file_failed | cz-controllerd | An appliance has failed to download a file from controller to perform an upgrade. |
|
|
|
| appliance_ip: IP address of the appliance |
|
|
| entity_id: UUID of the appliance |
|
|
| entity_name: Name of the appliance |
|
|
| filename: The filename downloaded |
|
|
| reason: The failure reason |
appliance_function_suspended | cz-configd | An appliance has been suspended. |
|
|
|
| function: Appliance function |
|
|
| reason_code: Why the appliance was suspended. |
|
|
| value: Overflow value. |
|
|
| description: Description of value. |
|
|
| low_watermark: What value the count must go under to resume again. |
|
|
| high_watermark: What value the count must go over to trigger the suspension. |
appliance_function_resumed | cz-configd | An appliance's function has resumed after suspension. |
|
|
|
| function: Appliance function |
|
|
| reason_code: Why the appliance was suspended. |
|
|
| value: Overflow value. |
|
|
| description: Description of value. |
|
|
| low_watermark: What value the count must go under to resume again. |
|
|
| high_watermark: What value the count must go over to trigger the suspension. |
appliance_seed_exported | cz-controllerd | An appliance seed file has been exported from the Controller. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| client_ip: IP address of the administrator |
|
|
| entity_id: UUID of the appliance |
|
|
| entity_name: name of the appliance |
appliance_logs_downloaded | cz-controllerd | The debug logs have been downloaded from an appliance. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| client_ip: IP address of the administrator |
|
|
| entity_id: UUID of the appliance |
|
|
| entity_name: name of the appliance |
appliance_certificate_renewed | cz-controllerd | An appliance has successfully renewed its certificate. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| entity_id: UUID of the appliance |
|
|
| entity_name: Name of the appliance |
appliance_certificate_signed_with_next_ca_certificate | cz-controllerd | An appliance has successfully created a certificate for the CA migration and got it signed. This occurs whenever a next CA certificate is generated and is a part of the preparation for migration. |
|
|
|
| appliance_ip: IP address of the appliance |
|
|
| entity_id: UUID of the appliance |
|
|
| entity_name: Name of the appliance |
appliance_rebooted | cz-controllerd | An appliance has been rebooted by an administrator via the controller. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| client_ip: IP address of the administrator |
|
|
| entity_id: UUID of the appliance |
|
|
| entity_name: name of the appliance |
appliance_remote_command_run | cz-controllerd | A remote command has been run on an Appliance. |
|
|
|
| command: The command that was run. |
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| entity_id: UUID of the appliance |
|
|
| entity_name: name of the appliance |
appliance_shutdown | cz-configd | An appliance has shutdown. |
|
|
|
| appliance_version: version number |
appliance_started | cz-configd | An appliance has booted. |
|
|
|
| appliance_version: version number |
appliance_status_changed | cz-configd | An appliance top-level status has changed, for example from healthy to error |
|
|
|
| appliance_version: version number |
|
|
| cpu: CPU status json |
|
|
| memory: Memory status json |
|
|
| network: Network status json |
|
|
| roles: Roles status json |
|
|
| status: Appliance top level status, can be one of: healthy, warning, error |
|
|
| volume_number: Currently used volume number, integer. This identifies which image and state partition is in use |
audit_drop | cz-logd | logd needs to drop audit logs - for example the maximum of logs on disc is exceeded. |
|
|
|
| count: Number of dropped audit log records |
|
|
| reason: reason for the log drop such as "audit log is too large" |
authentication_succeeded | cz-controllerd | A user has authenticated. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| authentication_type: 'Client' or 'Admin' |
|
|
| claims_token_id: UUID of the token generated for the user |
|
|
| client_ip: IP address of the client |
|
|
| user_claim_script_names: Names of the User Claim Scripts assigned (only shown when user claim script is in use) |
|
|
| user_claims: Unencrpyted user claims |
authentication_failed | cz-controllerd | A user has failed to authenticate. |
|
|
|
| authentication_type: 'Client' or 'Admin' |
|
|
| client_ip: IP address of the client |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| hostname: Hostname of the device |
|
|
| reason: Reason for the failure e.g., "Invalid username or password" |
authorization_succeeded | cz-controllerd | An entitlement token has been issued to a client. |
|
|
|
| claims_token_id: UUID of the claims token used to get the entitlement token |
|
|
| client_ip: IP address of the client |
|
|
| device_claims: Device claims during authorization |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| dns_settings: Shows any Match domains and IP addresses from the DNS Policy |
|
|
| entitlement_names: List of the names of the entitlements within the token |
|
|
| entitlement_token_ids: UUID of the entitlement tokens generated |
|
|
| execution_ms: The time in ms. used to evaluate assignment of Policies and generation of tokens |
|
|
| local_site_name: Name of the Site used |
|
|
| mapped_v4_ips: IPv4 addresses that are mapped via site settings |
|
|
| mapped_v6_ips: IPv6 addresses that are mapped via site settings |
|
|
| nearest_site_name: Name of the Site used |
|
|
| policy_names: List of the Policies selected |
|
|
| pool_v4_ip: IPv4 address allocated for the user |
|
|
| pool_v6_ip: IPv6 address allocated for the user |
|
|
| proxy_auto_config: Proxy configuration assigned to the Client. |
|
|
| ringfence_rule_names: List of the names of the ringfence rules within the token |
|
|
| scripted_user_claims: The result object from the resolved user claim scripts |
|
|
| site_names: Name of the site the entitlement token is for |
|
|
| system_claims: System claims during authorization |
|
|
| tamper_proofing: Whether tamper proofing is assigned to the Client or not. |
|
|
| trusted_network_check: Trusted network check settings assigned to the Client for auto-suspend. |
authorization_failed | cz-controllerd | There was no policy available for that (valid) user. |
|
|
|
| client_ip: IP address of the client |
|
|
| device_claims: Device claims during authorization |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| execution_ms: the time in ms. used to execute all conditions and entitlements scripts and convert them into fw-rules |
|
|
| scripted_user_claims: The result object from the resolved user claim scripts |
|
|
| system_claims: System claims during authorization |
auto_update_settings_viewed | cz-controllerd | Client Auto-Update settings viewed. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
auto_update_settings_updated | cz-controllerd | Client Auto-Update settings updated. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| client_ip: IP address of the administrator |
|
|
| original_settings: The original auto-update settings |
|
|
| settings: The auto-update settings |
denylist_entry_added | cz-controllerd | A user is added to the denylist. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| reason: (Optional) The reason to send user to the denylist. |
|
|
| user_distinguished_name: The user on the denylist. Format: CN=<username>,OU=<identity_provider_name> |
denylist_entry_removed | cz-controllerd | A user is removed from the denylist. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| user_distinguished_name: The user who is removed from the denylist. Format: CN=<username>,OU=<identity_provider_name> |
denylist_viewed | cz-controllerd | An administrator viewed the denylist. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| descending: true/false for whether the ordering was descending or not |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| order_by: The field name used for ordering the list |
|
|
| query: The query given to filter the list, e.g., `tag=built_in' which will only list entities with the 'built_in' tag |
|
|
| range: Range of the objects listed, e.g., '5-10/12' meaning the second page in 5 tokens per page window out of total 12 objects |
certificate_issued | cz-controllerd | A certificate issued by CA. |
|
|
|
| certificate_type: Appliance/Client |
|
|
| certificate.xxxx: details of the certificate (version, serial, issuer, validFrom, validTo, subject, subjectPublicKey, certificate) |
|
|
| signed_certificate_id: ID assigned to the issued certificate |
claims_token_accepted | cz-controllerd | An admin has accessed kibana to view the audit logs. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
claims_token_accepted | cz-sessiond | A valid claims-token was sent from the client, and a new session was created. This will trigger a policy evaluation. |
|
|
|
| claims_token_id: UUID of the token |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| expiration_time: Time when the token will expire |
|
|
| session_id: gateway identifier of the session |
claims_token_expired | cz-sessiond | The claims-token for the session has expired. This will also remove the session. |
|
|
|
| claims_token_id: UUID of the token |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| session_id: gateway identifier of the session |
claims_token_not_accepted | cz-sessiond | A claims-token received from the client was not accepted. Reason could be that the token had expired, had been revoked or was invalid. |
|
|
|
| claims_token_id: UUID of the token |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| reason: (optional) reason for not accepting the token |
|
|
| session_id: (optional) gateway identifier of the session |
|
|
| url: url of the service invoked on the gateway |
claims_token_refreshed | cz-controllerd | A claims-token is refreshed for new gateways. |
|
|
|
| claims_token_id: UUID of the token |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
client_profile_exported | cz-controllerd | Client profile has been exported. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| entity_name: Name of the profile |
client_notification_token_revocation | cz-sessiond | A token has been revoked in the system, and the client notified that the token is being revoked. If the revocation time is in the future the client is always notified about the forthcoming revocation. If the revoked token is a claims-token and the revocation time is omitted or in the past, a session_removed audit log will be created and sent to the client instead. |
|
|
|
| claims_token_id: UUID of the token if the token is a claims token. |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| entitlement_token_id: UUID of the token if the token is an entitlement token |
|
|
| reason: (optional) reason for revocation |
|
|
| session_id: gateway identifier of the session |
crl_downloaded | cz-controllerd | Certificate Revocation List is downloaded by an administrator. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
device_claims_accepted | cz-sessiond | The client has updated the client-supplied claims, such as Operating system, client version, or remedy. This will trigger a policy evaluation. |
|
|
|
| device_claims: key, value pairs of claims from the client |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| session_id: gateway identifier of the session |
device_on_boarded | cz-controllerd | A user&device is on-boarded. |
|
|
|
| client_hostname : hostname of the user's device |
|
|
| client_ip: IP address of the client |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
device_claim_script_downloaded | cz-controllerd | A device claim script is downloaded by a client or administrator. |
|
|
|
| client_ip: IP address of the client/administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| entity_id: UUID of the device claim script |
|
|
| entity_name: the name of the device claim script |
device_token_revoked | cz-controllerd | A token has been revoked by an administrator. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| delay_minutes: The time before the revoke will be actioned by the Gateways. Typically this is 5 minutes |
|
|
| distinguished_name: User&Device distinguished name of the administrator who revoked the token. CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| reason: reason of revocation given by the administrator, optional |
|
|
| target_distinguished_name: distinguished name of the User&Device whose token is revoked |
|
|
| tokenType: the type of tokenbeing revoked |
discovered_app_analysis_started | cz-controllerd | Hourly analysis of discovered apps manually started |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| client_ip: IP address of the administrator |
discovered_app_deleted | cz-controllerd | A discovered app was removed from the list of discovered apps |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| client_ip: IP address of the administrator |
|
|
| app_id: ID of the app |
discovered_app_reset | cz-controllerd | A discovered app had its data reset |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| client_ip: IP address of the administrator |
|
|
| app_id: ID of the app |
discovered_app_specific_access_created | cz-controllerd | A Policy / Entitlement was created from the discovered app. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| client_ip: IP address of the administrator |
|
|
| app_id: ID of the app |
discovered_app_stats_viewed | cz-controllerd | Application Discovery stats have been viewed |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| client_ip: IP address of the administrator |
discovered_app_viewed | cz-controllerd | A specific discovered app was viewed. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| client_ip: IP address of the administrator |
|
|
| app_id: ID of the app |
discovered_apps_data_wiped | cz-controllerd | App discovery analysis history has been wiped |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| client_ip: IP address of the administrator |
discovered_apps_listed | cz-controllerd | The discovered apps were listed |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| client_ip: IP address of the administrator |
entitlement_token_expired | cz-sessiond | The entitlement-token has expired. This will not remove the session but will block all connections through the gateway until a new entitlement-token has been provided. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| entitlement_token_id: UUID of the token |
|
|
| session_id: gateway identifier of the session |
entitlement_token_not_accepted | cz-sessiond | An entitlement-token received from the client was not accepted. Reason could be that the token had expired, was revoked or was invalid. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| reason: (optional) reason for not accepting the token |
|
|
| session_id: (optional) gateway identifier of the session |
|
|
| token_id: (optional) UUID of the token |
|
|
| url: url of the service invoked on the gateway |
entitlement_token_accepted | cz-sessiond | A valid entitlement-token was sent from the client and accepted by the gateway. This will trigger a policy evaluation. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| entitlement_token_id: UUID of the token |
|
|
| expiration_time: Time when the token will expire |
|
|
| pool_v4_ip: (if present): allocated ipv4 tunnel address |
|
|
| pool_v6_ip: (if present): allocated ipv6 tunnel address |
|
|
| session_id: gateway identifier of the session |
entitlement_token_evaluated | cz-sessiond | Entitlement token is evaluated in Gateway. |
|
|
|
| app_shortcuts: details the status of any related app shortcuts. |
|
|
| cached_values_used: cached values was used during the evaluation |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| entitlement_token_available: entitlement token available during evaluation |
|
|
| entitlement_token_id: id of the entitlement token evaluated |
|
|
| error_condition_names: conditions that could not be evaluated |
|
|
| execution_ms: the time in ms. used to execute all conditions and entitlements scripts and convert them into fw-rules. |
|
|
| reason: the reason for the (re)evaluation. |
|
|
| failed_condition_names: conditions that did not evaluate successfuly |
|
|
| failed_entitlement_names: entitlements that did not pass all conditions |
|
|
| remedy_condition_names: conditions that evaluated with the status remedy |
|
|
| scheduled_evaluation_time: When the entitlement will be evaluated again based on timed conditions |
|
|
| successful_condition_names: conditions that evaluated successfuly |
|
|
| successful_entitlement_names: entitlements with all conditions passed |
entities_listed | cz-controllerd | A type of entity has been listed by an administrator. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| descending: true/false for whether the ordering was descending or not |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| entity_type: type of the entity listed, such as AdministrativeRole, Appliance, Condition, Entitlement, IdentityProvider, etc |
|
|
| order_by: The field name used for ordering the list |
|
|
| query: The query given to filter the list, e.g., `tag=built_in' which will only list entities with the 'built_in' tag. Optional |
|
|
| range: Range of the objects listed, e.g., '5-10/12' meaning the second page in 5 tokens per page window out of total 12 objects |
entity_created | cz-controllerd | An entity had been created by an administrator. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| entity_id: UUID of the entity |
|
|
| entity_name: name of the entity. |
|
|
| entity_type: type of the entity, e.g., AdministrativeRole, Appliance, Condition, Entitlement, IdentityProvider, IpPool, LocalUser, Policy, etc. |
|
|
| entity: JSON view only for representation of the entity created |
entity_deleted | cz-controllerd | An entity has been deleted by an administrator. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| entity_id: UUID of the entity |
|
|
| entity_name: name of the entity |
|
|
| entity_type: type of the entity, e.g., AdministrativeRole, Appliance, Condition, Entitlement, IdentityProvider, IpPool, LocalUser, Policy, etc. |
entity_updated | cz-controllerd | An entity has been updated by an administrator. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| entity_id: UUID of the entity |
|
|
| entity_name: name of the entity |
|
|
| entity_type: type of the entity, e.g., AdministrativeRole, Appliance, Condition, Entitlement, IdentityProvider, IpPool, LocalUser, Policy, etc. |
|
|
| entity: JSON view only for representation of the entity updated |
|
|
| original_entity: JSON view only for representation of the original entity |
entity_viewed | cz-controllerd | An entity has been viewed by an administrator. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| entity_id: UUID of the entity |
|
|
| entity_name: name of the entity |
|
|
| entity_type: type of the entity, e.g., AdministrativeRole, Appliance, Condition, Entitlement, IdentityProvider, IpPool, LocalUser, Policy, etc. |
evaluation_log | cz-controllerd | A custom message is logged while evaluating a policy or condition. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| script_log: The message defined in the policy or condition code |
evaluation_log | cz-sessiond | A custom message is logged while evaluating a policy or condition. |
|
|
|
| client_ip: IP address of the client |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| script_log: The message defined in the policy or condition code |
fido2_device_registered | cz-controllerd | U2F device registered by user |
|
|
|
| client_ip: IP address of the administrator |
|
|
| user_distinguished_name: The user whose FIDO2 device has been removed. Format: CN=<username>,OU=<identity_provider_name> |
fido2_device_removed | cz-controllerd | U2F device is removed by an administrator |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name of the administrator. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| user_distinguished_name: The user whose FIDO2 device has been removed. Format: CN=<username>,OU=<identity_provider_name> |
fido2_devices_listed | cz-controllerd | U2F devices have been listed. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| descending: true/false for whether the ordering was descending or not |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| order_by: The field name used for ordering the list |
|
|
| query: The query given to filter the list, e.g., `tag=built_in' which will only list entities with the 'built_in' tag. Optional. |
|
|
| range: Range of the objects listed, e.g., '5-10/12' meaning the second page in 5 tokens per page window out of total 12 objects. |
file_deleted | cz-controllerd | A file has been deleted by an administrator. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| filename: Name of the file deleted |
files_listed | cz-controllerd | All files have been listed by an administrator. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| count: The amount of files returned |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
file_uploaded_by_url | cz-controllerd | A file has been downloaded to controller from a URL provided by an administrator. |
|
|
|
| checksum: Checksum of the file (SHA256) |
|
|
| client_ip: IP address of the administrator |
|
|
| creation_time: The time the file was created |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| filename: Name of the file |
|
|
| last_modified_time: The time the file was last modified |
|
|
| host: Hostname/IP of the server on which the file was downloaded by the controller |
file_uploaded | cz-controllerd | A file has been uploaded to controller by an administrator. |
|
|
|
| checksum: Checksum of the file (SHA256) |
|
|
| client_ip: IP address of the administrator |
|
|
| creation_time: The time the file was created |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| filename: Name of the file |
|
|
| last_modified_time: The time the file was last modified |
file_upload_failed | cz-controllerd | A file upload to controller by an administrator has failed. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| filename: Name of the file |
|
|
| reason: The failure reason |
global_settings_viewed | cz-controllerd | Global Settings is viewed by an administrator. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
global_settings_updated | cz-controllerd | Global Settings is updated by an administrator. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| original_settings: Original global settings |
|
|
| settings: Updated global settings |
ip_access | cz-vpnd | Client attempted to access an endpoint. |
|
|
|
| action: result of the firewall engine evaluation |
|
|
| client_ip: IP address of the client |
|
|
| client_port: Client's port |
|
|
| connection_type: new or established |
|
|
| destination_ip: ip of the endpoint |
|
|
| destination_port: port of the endpoint |
|
|
| direction: direction of the communication. 'up' for client-to-endpoint, 'down' for endpoint-to-client |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| drop-reason: Details of why the 'drop' action happened |
|
|
| entitlement_token_id: UUID of the token |
|
|
| icmp_code: code of the icmp packet. Available only when protocol is icmp |
|
|
| icmp_type: type of the icmp packet. Available only when protocol is icmp |
|
|
| name: name of the Entitlement that got triggered and the Action index number |
|
|
| nat_src_ip: IP address (of the Gateway) [optional] |
|
|
| nat_src_port: port assigned [optional] |
|
|
| packet_size: size of the packet in bytes |
|
|
| protocol: protocol of the communication, e.g., TCP, UDP, ICMP, AH, ESP, GRE |
|
|
| rdns: best-effort reverse-dns-lookup of the destination_ip |
|
|
| rule_name: name of the rule |
|
|
| rule_subnet: subnet rule that was used |
|
|
| source_ip: ip address of the tun device |
|
|
| source_port: port of the client |
issued_certificate_revoked | cz-controllerd | An issued certificate has been revoked by an administrator. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name of the administrator who revoked the certificate. CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| issued_certificate_id: ID of the issued certificate. |
|
|
| notes: Free-text revocation notes |
|
|
| reason: X509 certificate revocation reason. See RFC 5280. |
issued_certificates_listed | cz-controllerd | Certificates issued by CA are listed. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| descending: true/false for whether the ordering was descending or not |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| order_by: The field name used for ordering the list. |
|
|
| query: The query given to filter the list, e.g., `tag=built_in' which will only list entities with the 'built_in' tag. Optional. |
|
|
| range: Range of the objects listed, e.g., '5-10/12' meaning the second page in 5 tokens per page window out of total 12 objects |
license_removed | cz-controllerd | The existing license has been removed, all user licenses have been removed and the system started to use the built-in license. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
license_uploaded | cz-controllerd | A new license has been uploaded. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| license: Details of the license: id, request, type, maxUsers, maxGateways, maxControllers, maxLogServers |
local_user_locked | cz-controllerd | A local user has failed to authenticate consecutively 5 times and is locked out. |
|
|
|
| user_distinguished_name: The user who is locked for 1 minutes. Format: CN=<username>,OU=<identity_provider_name> |
|
|
| user_id: UUID of the user in the database |
next_ca_certificate_generated | cz-controllerd | A new CA certificate is generated for future migration. |
|
|
|
| certificate: details of the certificate (version, serial, issuer, validFrom, validTo, subject, subjectPublicKey, certificate) |
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
next_ca_certificate_deleted | cz-controllerd | The CA certificate for future migration is deleted. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
next_license_uploaded | cz-controllerd | A new license has been uploaded for the next CA certificate. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| license: Details of the license: id, request, type, maxUsers, maxGateways, maxControllers, maxLogServers |
next_license_removed | cz-controllerd | The existing license for the next CA certificate has been removed. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
on_boarded_devices_listed | cz-controllerd | All on-boarded devices is listed. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| descending: true/false for whether the ordering was descending or not |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| order_by: The field name used for ordering the list |
|
|
| query: The query given to filter the list, e.g., `tag=built_in' which will only list entities with the 'built_in' tag. Optional. |
|
|
| range: Range of the objects listed, e.g., '5-10/12' meaning the second page in 5 tokens per page window out of total 12 objects |
on_boarded_device_deleted | cz-controllerd | An on-boarded device is deleted from the system. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: Distinguished name of the administrator who deleted the on-boarded device.. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| target_distinguished_name : Distinguished name of the device getting deleted. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
otp_authentication_succeeded | cz-controllerd | A user has authenticated successfully for an OTP Remedy Action. |
|
|
|
| claim_name: remedy action label which is added to the claim-name |
|
|
| claims_token_id: UUID of the token used by the user |
|
|
| client_ip: IP address of the client |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
otp_authentication_failed | cz-controllerd | A user has failed to authenticate for an OTP Remedy Action. |
|
|
|
| claim_name: remedy action label which is added to the claim-name |
|
|
| claims_token_id: UUID of the token used by the user |
|
|
| client_ip: IP address of the client |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| reason: reason for the failure, e.g., "Invalid username or OTP" |
otp_time_based_seed_generated | cz-controllerd | OTP seed has been initialized for a Default-Time-Based OTP provider. |
|
|
|
| client_ip: IP address of the client |
|
|
| user_distinguished_name: The user whose OTP seed has been generated. Format: CN=<username>,OU=<identity_provider_name> |
otp_seeds_listed | cz-controllerd | An administrator listed the users with Default-Time-Based OTP seeds. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| descending: true/false for whether the ordering was descending or not |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| order_by: The field name used for ordering the list |
|
|
| query: The query given to filter the list, e.g., `tag=built_in' which will only list entities with the 'built_in' tag. Optional |
|
|
| range: Range of the objects listed, e.g., '5-10/12' meaning the second page in 5 tokens per page window out of total 12 objects |
otp_seed_removed | cz-controllerd | An administrator removed an OTP seed from a user. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| user_distinguished_name: The user whose OTP seed has been removed. Format: CN=<username>,OU=<identity_provider_name> |
password_authentication_succeeded | cz-controllerd | A user has authenticated successfully for a Password Remedy Action. |
|
|
|
| claim_name: remedy action label which is added to the claim-name |
|
|
| claims_token_id: UUID of the token used by the user |
|
|
| client_ip: IP address of the client |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
password_authentication_failed | cz-controllerd | A user has failed to authenticate for a Password Remedy Action. |
|
|
|
| claim_name: remedy action label which is added to the claim-name |
|
|
| claims_token_id: UUID of the token used by the user |
|
|
| client_ip: IP address of the client |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| reason: reason of the failure, e.g., "Invalid username or password" |
remedy_action_triggered | cz-sessiond | A remedy action is triggerred by attempting to access an endpoint. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| entitlement_name: The name of the entitlement connected to this remedy |
|
|
| hosts: The hosts part of the action connected to the remedy, for example 10.0.0.1/32 |
|
|
| icmp_types: The icmp types connected to the remedy, for example 0-255 |
|
|
| ports: The ports of connected to the remedy |
|
|
| protocol: The protocol and direction part of the action connected to the remedy, for example: icmp_up |
|
|
| remedy_logic: Shows the remedies specified requires OR or AND logics |
|
|
| remedy_types: The types of remedies, for example OtpAuthentication |
remedy_conditions_evaluated | cz-sessiond | A remedy condition was evaluated. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| entitlement_token_available: Was the entitlementToken available during evaluation? |
|
|
| entitlement_token_id: Id of the entitlementToken that the conditions belong to |
|
|
| error_condition_names: Condtions that failed, timed-out or was not able to execute; for example a syntax error |
|
|
| remedy_condition_names: Conditions that will trigger a remedy in this evaluation |
|
|
| session_id: gateway identifier of the session |
|
|
| successful_condition_names: List of what conditions that returned true |
risk_model_updated | cz-controllerd | The risk model has been updated. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
risk_model_viewed | cz-controllerd | The risk model has been viewed. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
rule_monitor_health_change | cz-vpnd | The health of the monitored rule has changed. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| reason: ACK received/RST received/SYN timeout/Missed ACKs/ICMP received |
|
|
| rule_name: name of the rule that health change occurred for |
|
|
| status: Healthy/Unhealthy |
|
|
| timeout: Seconds until a TCP connection can be established |
session_signed_out [DEPRECATED] | cz-sessiond | The client has ended the session, which will be removed. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| session_id: gateway identifier of the session |
session_created | cz-sessiond | The session daemon has created a new session for a new client. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| session_id: gateway identifier of the session |
|
|
| system_claims: a map of all the system-claims in this session, such as tun-ip, alert, client-ip |
session_reconnected | cz-sessiond | A client has reconnected to the Gateway. It could be after computer sleep, network interruption or similar. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| session_id: gateway identifier of the session |
|
|
| system_claims: a map of all the system-claims in this session, such as tun-ip, alert, client-ip |
session_removed | cz-sessiond | The session has been removed. This could be gateway initiated or client initiated. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| reason: Such as 'No Subscription' which means the vpnd session is no longer present |
|
|
| session_id: gateway identifier of the session |
ssh_access_failed | cz-sshd | SSH access to an appliance is denied. |
|
|
|
| authentication_method: authentication method used |
|
|
| client_ip: IP address of the SSH client |
|
|
| client_port: Port used by SSH client |
|
|
| protocol: The protocol being used; such as SSH2 |
|
|
| username: user used |
ssh_access_succeeded | cz-sshd | SSH access to an appliance has succeeded. |
|
|
|
| authentication_method: authentication method used |
|
|
| client_ip: IP address of the SSH client |
|
|
| client_port: Port used by SSH client |
|
|
| protocol: The protocol being used; such as SSH2 |
|
|
| username: user used |
switched_to_next_ca_certificate | cz-controllerd | The CA certificate migration is triggered. |
|
|
|
| client_ip: IP address of the admin |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
tokens_listed | cz-controllerd | An administrator has listed token records. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| descending: true/false for whether the ordering was descending or not. |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| order_by: The field name used for ordering the list |
|
|
| query: The query given to filter the list, e.g., `tag=built_in' which will only list entities with the 'built_in' tag. Optional |
|
|
| range: Range of the objects listed, e.g., '5-10/12' meaning the second page in 5 tokens per page window out of total 12 objects |
tunnel_closed | cz-vpnd | The tunnel with the client has been closed. |
|
|
|
| client_ip: IP address of the client |
|
|
| client_port: Client's port |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| mapped_v4_ip: IPv4 address that are mapped via site settings |
|
|
| mapped_v6_ip: IPv6 address that are mapped via site settings |
|
|
| pool_v4_ip: IPv4 address allocated for the user |
|
|
| pool_v6_ip: IPv6 address allocated for the user |
|
|
| reason: The reason that triggered Gateway to close down the tunnel with the client |
|
|
| statistics: Reports the session stats such as session duration (sec) and bytes-read |
tunnel_connected | cz-vpnd | A tunnel TLS handshake has been completed. |
|
|
|
| client_ip: Client's IP (the peer of the Gateway; the real client might be NAT'd) |
|
|
| client_port: Client's port |
|
|
| client_version: Client version (i.e. 5.0.0-12345) |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| mapped_v4_ip: IPv4 address that are mapped via site settings |
|
|
| mapped_v6_ip: IPv6 address that are mapped via site settings |
|
|
| pool_v4_ip: IPv4 address allocated for the user |
|
|
| pool_v6_ip: IPv6 address allocated for the user |
|
|
| tunnel_protocol: TLS or DTLS |
tunnel_established | cz-vpnd | A tunnel, tunneling IP and rules are all ready for traffic to be passed. |
|
|
|
| client_ip: Client's IP (the peer of the Gateway; the real client might be NAT'd) |
|
|
| client_port: Client's port |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| pool_v4_ip: IPv4 tunneling IP |
|
|
| pool_v6_ip: IPv6 tunneling IP |
|
|
| tunnel_protocol: TLS or DTLS |
update_command_sent_to_client | cz-controllerd | Auto-update command sent to a client. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| client_update_url: The URL sent to the client |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
url_access | cz-nginx | Client attempted to access an endpoint. |
|
|
|
| action_id: unique UUID generated that identifies action/rule. |
|
|
| action: result of the firewall engine evaluation |
|
|
| destination_ip: ip of the endpoint |
|
|
| destination_port: port of the endpoint |
|
|
| direction: always 'up' (client-to-endpoint) |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| module: module within nginx reporting |
|
|
| name: name of the rule that got triggered and the index number |
|
|
| protocol: protocol of the communication, e.g., HTTP/1.1 |
|
|
| source_ip: ip address of the tun device |
|
|
| source_port: port of the client |
|
|
| uri: Full URI being accessed |
user_license_deleted | cz-controllerd | A user license has been deleted by an administrator. |
|
|
|
| license_type: Normal/Portal |
|
|
| user_distinguished_name: The user whose license has been deleted automatically. Format: CN=<username>,OU=<identity_provider_name> |
user_licenses_listed | cz-controllerd | User licenses have been listed. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| descending: true/false for whether the ordering was descending or not. |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| order_by: The field name used for ordering the list |
|
|
| query: The query given to filter the list, e.g., `tag=built_in' which will only list entities with the 'built_in' tag. Optional. |
|
|
| range: Range of the objects listed, e.g., '5-10/12' meaning the second page in 5 tokens per page window out of total 12 objects |
user_license_allocated | cz-controllerd | A user license is allocated. |
|
|
|
| license_type: Normal/Portal |
|
|
| user_distinguished_name: The user who has allocated a license by signing in. Format: CN=<username>,OU=<identity_provider_name> |
vpn_certificate_signed | cz-controllerd | The VPN certificate used by the Client to establish a TLS connection has been issued. |
|
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
|
|
| certificate.xxxx: details of the certificate (version, serial, issuer, validFrom, validTo, subject, subjectPublicKey, certificate) |
|
|
| client_ip: IP address of the administrator |
ztp_status_viewed | cz-controllerd | ASC settings viewed. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
ztp_registered | cz-controllerd | ASC token registration suceeded. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
ztp_unregistered | cz-controllerd | ASC token unregistered. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |
ztp_version_status_viewed | cz-controllerd | Admin UI performs a version check. |
|
|
|
| client_ip: IP address of the administrator |
|
|
| distinguished_name: User&Device distinguished name. Format: CN=<device_id>,CN=<username>,OU=<identity_provider_name> |