Logging and auditing overview

This document explains the logging implementation of the Access Gateway system. Access Gateway writes all events and actions to its logs for auditing purposes, including administrative actions as well as user access and authorization outcomes.

Log format

Access Gateway logs the audit events in the following format:

TIMESTAMP HOSTNAME APPLICATION PROC_ID COMPONENT SUB-COMPONENT LOG_LEVEL EVENT [STRUCTURED_DATA] MESSAGE

Log Statement Fields

  TIMESTAMP: Current system date and time
  HOSTNAME: Machine hostname
  APPLICATION: Access Gateway
  PROC_ID: Process layer
  COMPONENT: Component of the process
  SUB-COMPONENT: Sub-component of the process
  LOG_LEVEL: Log level
  EVENT: Type of event
  STRUCTURED_DATA: Data related to the event that occurred, useful for analysis and troubleshooting
  MESSAGE: Human-readable message

Events and Monitoring

Access Gateway can be configured to send its logs to any external log monitoring system. It writes every important event to the log, where it can be picked up for monitoring. The following tables list the events generated by Access Gateway and the keywords on which monitoring can be built.

Web Console

Startup

Log identifier

  PROC_ID: WEB_CONSOLE
  COMPONENT: -
  SUB-COMPONENT: -
  EVENT: SYSTEM_STARTUP

  1. System startup complete

    1. Log Level: INFO

    2. Message: Startup complete, system ready.

    3. Log Sample:

      Oct 9 09:47:02 example.myaccessgateway.com WEB_CONSOLE - - INFO SYSTEM_STARTUP [] Startup complete, system ready.

User Login

Log identifier

  PROC_ID: WEB_CONSOLE
  COMPONENT: AUTHN
  SUB-COMPONENT: LOCAL
  EVENT: USER_LOGIN

Structured data

  SESSION_ID: Internal session ID created for the user session; can be used to track user activity
  SUBJECT: Username (admin)
  TYPE: LOCAL
  RESULT: PASS/FAIL
  REASON: Reason for the successful or unsuccessful authentication
  REMOTE_IP: User remote IP address
  USER_AGENT: User browser info

  1. Initial authentication with access layer success

    1. Log Level: INFO

    2. Message: User login success: <Username>

    3. Log Sample:

      Oct 9 09:53:08 example.myaccessgateway.com WEB_CONSOLE AUTHN LOCAL INFO USER_LOGIN [SESSION_ID="xNQ45qBSM7iDSh3SJMYRIxud2NOEKKxCRE2xsHSH" SUBJECT="admin" TYPE="LOCAL" RESULT="FAIL" REASON="INVALID_CREDENTIALS" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] User login failed: admin

      Oct 9 09:53:17 example.myaccessgateway.com WEB_CONSOLE AUTHN LOCAL INFO USER_LOGIN [SESSION_ID="xNQ45qBSM7iDSh3SJMYRIxud2NOEKKxCRE2xsHSH" SUBJECT="admin" TYPE="LOCAL" RESULT="PASS" REASON="VALID_CREDENTIALS" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] User login success: admin

User Logout

Log identifier

  PROC_ID: WEB_CONSOLE
  COMPONENT: SESSION
  SUB-COMPONENT: LOCAL
  EVENT: USER_LOGOUT

Structured data

  SESSION_ID: Internal session ID created for the user session; can be used to track user activity
  SUBJECT: Username (admin)
  REASON: USER_ACTION
  REMOTE_IP: User remote IP address
  USER_AGENT: User browser info

  1. User logout

    1. Log Level: INFO

    2. Message: User logout: admin

    3. Log Sample:

      Oct 9 09:58:04 example.myaccessgateway.com WEB_CONSOLE SESSION LOCAL INFO USER_LOGOUT [SESSION_ID="xNQ45qBSM7iDSh3SJMYRIxud2NOEKKxCRE2xsHSH" SUBJECT="admin" REASON="USER_ACTION" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] User logout: admin

System Access Gateway Events

Access Gateway Setup

Log identifier

  PROC_ID: WEB_CONSOLE
  COMPONENT: OAG
  SUB-COMPONENT: -
  EVENT: SYSTEM_SPGW_SETUP

Structured data

  GUID: System identifier
  HOST: Access Gateway virtual hostname
  COOKIE_DOMAIN: Access Gateway cookie domain
  REASON: OAG_ACCEPT_LICENSE
  SESSION_ID: Internal session ID created for the user session; can be used to track user activity
  SUBJECT: Username
  REMOTE_IP: User remote IP address
  USER_AGENT: User browser info

  1. Setup Access Gateway

    1. Log Level: INFO

    2. REASON: OAG_ACCEPT_LICENSE

    3. Message: Access Gateway event host: <Access Gateway Hostname> action: SYSTEM_SPGW_SETUP

    4. Log Sample:

      Oct 9 13:59:59 example.myaccessgateway.com WEB_CONSOLE OAG - INFO SYSTEM_SPGW_SETUP [GUID="82847f5a-2954-4beb-ad47-98d7ab4bdfe2" HOST="<host URL>" COOKIE_DOMAIN="<cookie domain>" REASON="OAG_ACCEPT_LICENSE" SESSION_ID="z8PtxiHk8KPi3Ft3Q-9OSOsODZUaaG04nn91roW5" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Access Gateway event host: '<host URL>' action: 'SYSTEM_SPGW_SETUP'

Access Gateway Reset

Log identifier

  PROC_ID: WEB_CONSOLE
  COMPONENT: OAG
  SUB-COMPONENT: -
  EVENT: SYSTEM_OAG_RESET

Structured data

  GUID: System identifier
  HOST: Access Gateway virtual hostname
  COOKIE_DOMAIN: Access Gateway cookie domain
  REASON: OAG_ACCEPT_LICENSE
  SESSION_ID: Internal session ID created for the user session; can be used to track user activity
  SUBJECT: Username
  REMOTE_IP: User remote IP address
  USER_AGENT: User browser info

  1. Reset Access Gateway

    1. Log Level: INFO

    2. REASON: OAG_ACCEPT_LICENSE

    3. Message: Access Gateway event host: <Access Gateway Hostname> action: SYSTEM_OAG_RESET

    4. Log Sample:

      Oct 9 14:23:17 example.myaccessgateway.com WEB_CONSOLE OAG - INFO SYSTEM_OAG_RESET [GUID="82847f5a-2954-4beb-ad47-98d7ab4bdfe2" HOST="<host URL>" COOKIE_DOMAIN="<cookie domain>" REASON="OAG_ACCEPT_LICENSE" SESSION_ID="ThiCzcAPvxVQSkeSi3AIqJUBTIGyJDIOwGc4DRsh" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Access Gateway event host: '<host URL>' action: 'SYSTEM_OAG_RESET'

System IDP Status

Log identifier

  PROC_ID: WEB_CONSOLE
  COMPONENT: IDP
  SUB-COMPONENT: LOCAL
  EVENT: SYSTEM_IDP_STATUS

Structured data

  NAME: IDP name
  DOMAIN: IDP domain
  TYPE: IDP type
  RESULT: PASS/FAIL
  REASON: VALID (PASS), INVALID_NETWORK_CONN (FAIL), INVALID_TOKEN (FAIL)

  1. Valid IDP

    1. Log Level: INFO

    2. RESULT: PASS

    3. REASON: VALID

    4. Message: Success confirming IDP status with: <IDP Domain>

    5. Log Sample:

      Oct 9 04:00:00 Access Gateway WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS [NAME="<IDP Name> IDP" DOMAIN="<IDP URL>" TYPE="<Identity Provider type>" RESULT="PASS" REASON="VALID"] Success confirming IDP status with: <IDP URL>

  2. IDP No longer network reachable

    1. Log Level: ALERT

    2. RESULT: FAIL

    3. REASON: INVALID_NETWORK_CONN

    4. Message: Failure confirming connectivity with IDP: <IDP Domain>. Please verify your network configuration.

    5. Log Sample:

      Oct 9 04:02:00 Access Gateway WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS [NAME="<IDP Name> IDP" DOMAIN="<IDP URL>" TYPE="<Identity Provider type>" RESULT="FAIL" REASON="INVALID_NETWORK_CONN"] Failure confirming connectivity with IDP: <IDP URL>>. Please verify your network configuration.

  3. IDP Security Key is no longer valid

    1. Log Level: ALERT

    2. RESULT: FAIL

    3. REASON: INVALID_TOKEN

    4. Message: Failure validating security token with IDP: <IDP Domain>. Please validate token exists and is enabled.

    5. Log Sample:

      Oct 9 04:02:23 Access Gateway WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS [NAME="<IDP Name> IDP" DOMAIN="<IDP URL>" TYPE="<Identity Provider type>" RESULT="FAIL" REASON="INVALID_NETWORK_CONN"] Failure validating security token with IDP: <IDP Domain>. Please validate token exists and is enabled.

System KRB5 Events

Log identifier

  PROC_ID: WEB_CONSOLE
  COMPONENT: KRB5
  SUB-COMPONENT: -
  EVENT: SYSTEM_KRB5_EVENT

Structured data

  REALM: Kerberos realm
  REASON: CREATE/UPDATE/DELETE
  SESSION_ID: Internal session ID created for the user session; can be used to track user activity
  SUBJECT: Username
  REMOTE_IP: User remote IP address
  USER_AGENT: User browser info

  1. Add Kerberos Configuration

    1. Log Level: INFO

    2. REASON: CREATE

    3. Message: Kerberos Realm: <Kerberos Realm> action: CREATE

    4. Log Sample:

      Oct 9 13:06:21 example.myaccessgateway.com WEB_CONSOLE KRB5 - INFO SYSTEM_KRB5_EVENT [REALM="<Kerberos Realm>" REASON="CREATE" SESSION_ID="lAf-w_UtYs2JmxzajaAj2tChuaSk-lKWQK1CAibO" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Kerberos Realm: '<Kerberos Realm>' action: 'CREATE'

  2. Update Kerberos Configuration

    1. Log Level: INFO

    2. REASON: UPDATE

    3. Message: Kerberos Realm: <Kerberos Realm> action: UPDATE

    4. Log Sample:

      Oct 9 13:06:40 example.myaccessgateway.com WEB_CONSOLE KRB5 - INFO SYSTEM_KRB5_EVENT [REALM="<Kerberos Realm>" REASON="UPDATE" SESSION_ID="lAf-w_UtYs2JmxzajaAj2tChuaSk-lKWQK1CAibO" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Kerberos Realm: '<Kerberos Realm>' action: 'UPDATE'

  3. Delete Kerberos Configuration

    1. Log Level: INFO

    2. REASON: DELETE

    3. Message: Kerberos Realm: <Kerberos Realm> action: DELETE

    4. Log Sample:

      Oct 9 13:06:53 example.myaccessgateway.com WEB_CONSOLE KRB5 - INFO SYSTEM_KRB5_EVENT [REALM="<Kerberos Realm>" REASON="DELETE" SESSION_ID="lAf-w_UtYs2JmxzajaAj2tChuaSk-lKWQK1CAibO" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Kerberos Realm: '<Kerberos Realm>' action: 'DELETE'

System App Events

Log identifier

  PROC_ID: WEB_CONSOLE
  COMPONENT: APP
  SUB-COMPONENT: -
  EVENT: SYSTEM_APP_EVENT

Structured data

  GUID: Application identifier
  NAME: Application name
  TYPE: Application type
  DOMAIN: Public domain of the application
  IDP: IDP domain
  IDP_TYPE: IDP type
  REASON: CREATE, UPDATE, ENABLE, DISABLE, DELETE
  SESSION_ID: Internal session ID created for the user session; can be used to track user activity
  SUBJECT: Username
  REMOTE_IP: User remote IP address
  USER_AGENT: User browser info

  1. Create Application

    1. Log Level: INFO

    2. REASON: CREATE

    3. Message: Application: <Application Name> action: CREATE

    4. Log Sample:

      Oct 9 11:30:48 example.myaccessgateway.com WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="93d2e78a-c6b7-4c27-83c8-15c2b783d3bb" NAME="Sample Header App" TYPE="SAMPLEHEADER2015_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="CREATE" SESSION_ID="3dKU4yqIlHkcRUeGb9f9Dh6OSgFjHq3hIMVktx7h" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'CREATE'

  2. Update Application

    1. Log Level: INFO

    2. REASON: UPDATE

    3. Message: Application: <Application Name> action: UPDATE

    4. Log Sample:

      Oct 9 11:39:19 example.myaccessgateway.com WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="93d2e78a-c6b7-4c27-83c8-15c2b783d3bb" NAME="Sample Header App" TYPE="SAMPLEHEADER2015_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="UPDATE" SESSION_ID="3dKU4yqIlHkcRUeGb9f9Dh6OSgFjHq3hIMVktx7h" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'UPDATE'

  3. Activate Application

    1. Log Level: INFO

    2. REASON: ENABLE

    3. Message: Application: <Application Name> action: ENABLE

    4. Log Sample:

      Oct 9 11:40:56 example.myaccessgateway.com WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="93d2e78a-c6b7-4c27-83c8-15c2b783d3bb" NAME="Sample Header App" TYPE="SAMPLEHEADER2015_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="ENABLE" SESSION_ID="3dKU4yqIlHkcRUeGb9f9Dh6OSgFjHq3hIMVktx7h" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'ENABLE'

  4. Deactivate Application

    1. Log Level: INFO

    2. REASON: DISABLE

    3. Message: Application <Application Name> action: DISABLE

    4. Log Sample:

      Oct 9 11:40:08 example.myaccessgateway.com WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="93d2e78a-c6b7-4c27-83c8-15c2b783d3bb" NAME="Sample Header App" TYPE="SAMPLEHEADER2015_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="DISABLE" SESSION_ID="3dKU4yqIlHkcRUeGb9f9Dh6OSgFjHq3hIMVktx7h" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'DISABLE'

  5. Delete Application

    1. Log Level: INFO

    2. REASON: DELETE

    3. Message: Application: <Application Name> action: DELETE

    4. Log Sample:

      Oct 9 11:43:09 example.myaccessgateway.com WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="93d2e78a-c6b7-4c27-83c8-15c2b783d3bb" NAME="Sample Header App" TYPE="SAMPLEHEADER2015_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="DELETE" SESSION_ID="3dKU4yqIlHkcRUeGb9f9Dh6OSgFjHq3hIMVktx7h" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'DELETE'

Gateway

Authentication

Log identifier

  PROC_ID: ACCESS
  COMPONENT: AUTHN
  SUB-COMPONENT: SAML
  EVENT: USER_AUTHN

Structured data

  SESSION_ID: Internal session ID created for the user session; can be used to track user activity
  SESSION_AUTH: Temporary session ID
  SUBJECT: Username sent in the SAML assertion
  TYPE: SAML, or the authentication module involved
  SOURCE: EntityID
  SOURCE_TYPE: <Identity Provider type>, IDP_IDCS, IDP_SAML_LOCAL
  SOURCE_DOMAIN: IDP domain
  SOURCE_AUTHN_TYPE: The AuthnContext class from the SAML assertion
  APP: Name of the requested application
  APP_DOMAIN: Public domain of the requested application
  RESULT: PASS/FAIL
  REASON: Valid SAML Assertion, Invalid SAML Assertion, INVALID_RELAYSTATE
  REMOTE_IP: User remote IP address
  USER_AGENT: User browser info
  MSG: The end-user message

  1. Initial authentication with access layer success

    1. Log Level: INFO

    2. Message: User login:<Username>

    3. RESULT: PASS

    4. REASON: Valid SAML Assertion

    5. Log Sample:

      Oct 5 22:57:05 example.myaccessgateway.com Access Gateway ACCESS AUTHN SAML INFO USER_AUTHN [SESSION_ID="_6f89fde9801702d4055216fad847dc889536592839" SESSION_AUTH="_99077d998f2b3c0f65ee8dbea6abd1fb389a6e18a4" SUBJECT="<User login name>" TYPE="SAML_2_0" SOURCE="IDP Source URL" SOURCE_TYPE="<Identity Provider type>" SOURCE_DOMAIN="<IDP URL>" SOURCE_AUTHN_TYPE="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" APP="Sample Header App" APP_DOMAIN="<App Domain URL>" RESULT="PASS" REASON="Valid SAML Assertion" REMOTE_IP="192.168.10.20" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] User login:<User login name>

  2. Time not in sync

    1. Log Level: ERROR

    2. RESULT: FAIL

    3. REASON: Invalid SAML Assertion

    4. Message: Received an assertion that has expired. Check clock synchronization on IdP and SP.

    5. Log Sample:

      Oct 29 10:05:14 example.myaccessgateway.com Access Gateway ACCESS AUTHN SAML ERROR USER_AUTHN [TYPE="SAML_2_0" TRACKER_ID="cd6525dee8" SOURCE="https://<IDP URL>/app/template_saml_2_0/exkckwwaxvY3crKhn0h7/sso/saml" RESULT="FAIL" REASON="Invalid SAML Assertion" REMOTE_IP="192.168.10.192" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36"] Received an assertion that has expired. Check clock synchronization on IdP and SP.

  3. RelayState failed validation

    1. Log Level: WARN

    2. RESULT: FAIL

    3. REASON: INVALID_RELAYSTATE

    4. Message: Failed RelayState validation. RelayState:<Bad RelayState> changed to:<Expected RelayState>

    5. Log Sample:

      Oct 6 12:56:34 example.myaccessgateway.com Access Gateway ACCESS AUTHN SAML WARN USER_AUTHN [SESSION_ID="_a9b67d3c0007f1614c4ca7ae991e6803d340a3e252" SESSION_AUTH="-" SUBJECT="<User login name>" TYPE="SAML_2_0" SOURCE="http://www.okta.com/exkca4yif7Qpdc6en0h7" SOURCE_TYPE="<Identity Provider type>" SOURCE_DOMAIN="<IDP URL>" SOURCE_AUTHN_TYPE="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" APP="Sample Header App" APP_DOMAIN="<App Domain URL>" RESULT="FAIL" REASON="INVALID_RELAYSTATE" REMOTE_IP="192.168.10.165" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Failed RelayState validation. RelayState:https://header.okta.com changed to:https://<App Domain URL>

  4. Access Gateway SAML endpoint is accessed directly

    1. Log Level: ERROR

    2. RESULT: FAIL

    3. REASON: Invalid SAML assertion

    4. Message: Unable to find the current binding.

    5. Log Sample:

      Oct 26 10:21:02 example.myaccessgateway.com Access Gateway ACCESS AUTHN SAML ERROR USER_AUTHN [TYPE="SAML_2_0" TRACKER_ID="cd6525dee8" SOURCE="unknown" RESULT="FAIL" REASON="Invalid SAML Assertion" REMOTE_IP="192.168.10.192" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36"] Unable to find the current binding.

Authorization

Log identifier

  PROC_ID: ACCESS
  COMPONENT: AUTHZ
  SUB-COMPONENT: POLICY
  EVENT: USER_AUTHZ

Structured data

  SESSION_ID: Internal session ID created for the user session; can be used to track user activity
  SUBJECT: Username from the session
  RESOURCE: The URI being accessed
  POLICY: Name of the policy
  POLICY_TYPE: Type of policy
  DURATION: Time taken to evaluate the policy
  APP: Application name
  APP_TYPE: The type of OAG application being used
  APP_DOMAIN: Public domain of the requested application
  RESULT: ALLOW/DENY
  REASON: Defined policy (the rule that produced the decision)
  REMOTE_IP: User remote IP address
  USER_AGENT: User browser info
  MSG: The end-user message

  1. Access resource allow

    1. Log Level: INFO

    2. RESULT: ALLOW

    3. Message: Allow access to resource

    4. Log Sample:

      Oct 5 22:57:05 example.myaccessgateway.com Access Gateway ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="_6f89fde9801702d4055216fad847dc889536592839" SUBJECT="<User login name>" RESOURCE="/" METHOD="GET" POLICY="root" POLICY_TYPE="PROTECTED" DURATION="0" APP="Sample Header App" APP_TYPE="SAMPLEHEADER2015_APP" APP_DOMAIN="<App Domain URL>" RESULT="ALLOW" REASON="N/A - SESSIONID=_6f89fde9801702d4055216fad847dc889536592839 RelayDomain=<App Domain URL> static_a=aaaaa static-b=bbbbb staticc=ccccc _staticd=ddddd -statice=eeeee staticcookie=1234 secret=secretvalue spgw_username=<User login name> UserName=<User login name> login=<User login name> firstname=<User first name> lastname=<User last name> email=<User login name> samplecookie<User first name> Groups=Everyone:Group A:Group C:Group E:Group B: SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport RemoteIP=192.168.10.20 USER_AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 " REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] allow access to resource

  2. Access resource deny

    1. Log Level: INFO

    2. RESULT: DENY

    3. Message: Deny access to resource

    4. Log Sample:

      Oct 5 23:47:05 example.myaccessgateway.com Access Gateway ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="_4a3fdbbc52dadda2109e0e789098f9b473d4f68c7e" SUBJECT="<User login name>" RESOURCE="/alt" METHOD="GET" POLICY="altroot" POLICY_TYPE="PROTECTED_REGEX" DURATION="0" APP="Sample Header App" APP_TYPE="SAMPLEHEADER2015_APP" APP_DOMAIN="<App Domain URL>" RESULT="DENY" REASON="Groups=(?!.*Everyone:) - SESSIONID=_4a3fdbbc52dadda2109e0e789098f9b473d4f68c7e RelayDomain=<App Domain URL> static_a=aaaaa static-b=bbbbb staticc=ccccc _staticd=ddddd -statice=eeeee staticcookie=1234 secret=secretvalue spgw_username=<User login name> UserName=<User login name> login=<User login name> firstname=<User first name> lastname=<User last name> email=<User login name> samplecookie<User first name> Groups=Everyone:Group A:Group C:Group E:Group B: SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport RemoteIP=192.168.10.20 USER_AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 creationTime=1507265129865 maxInactiveInterval=3600000 maxActiveInterval=28800000 lastAccessedTime=1507265129865 " REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] deny access to resource

User Session

Log identifier

  PROC_ID: ACCESS
  COMPONENT: AUTHZ
  SUB-COMPONENT: SESSION
  EVENT: USER_SESSION

Structured data

  SESSION_ID: Internal session ID created for the user session; can be used to track user activity
  SESSION_AUTH: The authSession that was used to create this session
  SESSION_APP: Only present when an authSession is upgraded
  SUBJECT: User from the session
  APP: Application name
  APP_TYPE: The type of OAG application being used
  APP_DOMAIN: Public domain of the requested application
  RESULT: ALLOW/DENY
  REASON: VALID_AUTHCOOKIE, INVALID_AUTHCOOKIE, NOT_EXIST, SESSION_INTEGRITY_VERIFIED, SESSION_INTEGRITY_REMOTEIP_MISMATCH, SESSION_INTEGRITY_DOMAIN_MISMATCH
  REMOTE_IP: User remote IP address
  USER_AGENT: User browser info
  MSG: The end-user message

  1. AuthSession upgrade with valid authCookie

    1. Log Level: INFO

    2. Message: Upgraded auth cookie. App session created.

    3. REASON: VALID_AUTHCOOKIE

    4. Log Sample:

      Oct 5 22:57:05 example.myaccessgateway.com Access Gateway ACCESS AUTHZ SESSION INFO USER_SESSION [SESSION_ID="_6f89fde9801702d4055216fad847dc889536592839" SESSION_AUTH="_99077d998f2b3c0f65ee8dbea6abd1fb389a6e18a4" SESSION_APP="e701ddf534554eab8ea671e884438b99" SUBJECT="<User login name>" APP="Sample Header App" APP_TYPE="SAMPLEHEADER2015_APP" APP_DOMAIN="<App Domain URL>" RESULT="ALLOW" REASON="VALID_AUTHCOOKIE" REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Upgraded auth cookie. App session created.

  2. AuthSession upgrade with bad authCookie

    1. Log Level: WARN

    2. REASON: INVALID_AUTHCOOKIE

    3. Message: This should be investigated by your security group

    4. Log Sample:

      Oct 6 10:53:16 example.myaccessgateway.com Access Gateway ACCESS AUTHZ SESSION WARN USER_SESSION [SESSION_ID="" SESSION_AUTH="_131f081ec97099fd2e3268033f859901b17da1247d" APP="Sample Header App" APP_TYPE="SAMPLEHEADER2015_APP" APP_DOMAIN="<App Domain URL>" RESULT="DENY" REASON="INVALID_AUTHCOOKIE" REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] This should be investigated by your security group

  3. Access application with non-existing sessionCookie

    1. Log Level: INFO

    2. REASON: NOT_EXIST

    3. Message: No session cookie. Sending to handler.

    4. Log Sample:

      Oct 6 10:12:01 example.myaccessgateway.com Access Gateway ACCESS AUTHZ SESSION INFO USER_SESSION [SESSION_ID="" APP="Sample Header App" APP_TYPE="SAMPLEHEADER2015_APP" APP_DOMAIN="<App Domain URL>" RESULT="DENY" REASON="NOT_EXIST" REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] No session cookie. Sending to handler.

  4. Session integrity failure (Remote IP)

    1. Log Level: WARN

    2. RESULT: DENY

    3. REASON: SESSION_INTEGRITY_REMOTEIP_MISMATCH

    4. Message: SRF Request RemoteIP (x-forwarded-for): <New IP Address> failed to match session RemoteIP: <Old IP Address>

    5. Log Sample:

      Oct 6 13:01:15 example.myaccessgateway.com sampleheaderappamar 2017/10/06 13:01:15 [warn] 14220#0: *53 using uninitialized "messagetitle" variable, client: 192.168.10.165, server: <App Domain URL>, request: "GET / HTTP/1.1", host: "<App Domain URL>", referrer: "https://<IDP URL>/app/template_saml_2_0/exkca4yif7Qpdc6en0h7/sso/saml"

      Oct 6 13:01:15 example.myaccessgateway.com Access Gateway ACCESS AUTHZ SESSION WARN USER_SESSION [SESSION_ID="_b3982440f0ad73e954ed7d4fb2db00cfdbb997200c" SUBJECT="<User login name>" APP="Sample Header App" APP_TYPE="SAMPLEHEADER2015_APP" APP_DOMAIN="<App Domain URL>" RESULT="DENY" REASON="SESSION_INTEGRITY_REMOTEIP_MISMATCH" REMOTE_IP="192.168.25.154" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] SRF Request RemoteIP (x-forwarded-for): 192.168.25.154 failed to match session RemoteIP: 192.168.10.165

  5. Session integrity failure (Domain mismatch)

    1. Log Level: ALERT

    2. RESULT: DENY

    3. REASON: SESSION_INTEGRITY_DOMAIN_MISMATCH

    4. Message: Request domain:<Request Domain> does not match session Domain:<Relay Domain>

    5. Log Sample:

      Oct 6 14:09:37 example.myaccessgateway.com sampleheaderappamar <App Domain URL> 192.168.10.165 - - [06/Oct/2017:14:09:37 -0500] "GET / HTTP/1.1" 405 1942 "https://<IDP URL>/app/template_saml_2_0/exkca4yif7Qpdc6en0h7/sso/saml" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36" "-" 0.000 - .

      Oct 6 14:09:37 example.myaccessgateway.com Access Gateway ACCESS AUTHZ SESSION ALERT USER_SESSION [SESSION_ID="_4cf89806b42002974d023790cbf9b40a2b32a43d38" SUBJECT="<User login name>" APP="Sample Header App" APP_TYPE="SAMPLEHEADER2015_APP" APP_DOMAIN="<App Domain URL>" RESULT="DENY" REASON="SESSION_INTEGRITY_DOMAIN_MISMATCH" REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Request domain:<App Domain URL> does not match session Domain:header.okta.com

Authentication and Session Handling

This section describes the normal authentication flow as it appears in the audit logs, so that session-related issues can be traced. Every user session is assigned a unique session ID (SESSION_ID), which can be used to follow one user's activity across log entries when troubleshooting or debugging.

Here is the basic flow of authentication and session creation along with the sequence of audit logs that are generated:

  1. The browser sends a request to Access Gateway for an application. Access Gateway checks whether a session already exists; finding none, it redirects the browser to the IDP for authentication.

    Nov 1 22:46:11 example.myaccessgateway.com Access Gateway ACCESS AUTHZ SESSION INFO USER_SESSION [SESSION_ID="" APP="Sample Header App" APP_TYPE="SAMPLEHEADER2015_APP" APP_DOMAIN="<App Domain URL>" RESULT="DENY" REASON="NOT_EXIST" REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36"] No session cookie. Sending to handler.

  2. The IDP presents the login page; the user enters credentials and submits the form. On successful authentication, the browser posts the SAML assertion to Access Gateway, which validates the assertion and authenticates the user. Access Gateway then creates a new session, assigns it a new session ID, stores the SAML attributes in its cache, and sends the domain session cookie to the browser.

    Nov 1 22:46:37 example.myaccessgateway.com Access Gateway ACCESS AUTHN SAML INFO USER_AUTHN [SESSION_ID="_3e9bf6939e3724d6af7844505971d0d52f05cb932d" SESSION_AUTH="_7a0cc86a711ad61bf760a3de582a0f1780a8796359" SUBJECT="<User login name>" TYPE="SAML_2_0" SOURCE="http://www.okta.com/exkco438bkIFqvPfn0h7" SOURCE_TYPE="<Identity Provider type>" SOURCE_DOMAIN="<IDP URL>" SOURCE_AUTHN_TYPE="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" APP="Sample Header App" APP_DOMAIN="<App Domain URL>" RESULT="PASS" REASON="Valid SAML Assertion" REMOTE_IP="192.168.10.20" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36"] User login:<User login name>

  3. The browser requests the application again, this time with the session cookie. Access Gateway verifies the session integrity and sends the user to an error page if it finds any problem with the session; otherwise it proceeds to process the request.

    Nov 1 22:46:37 example.myaccessgateway.com icsIcsgwAccess <host URL> 192.168.10.20 - - [01/Nov/2017:22:46:37 -0500] "POST /auth/module.php/saml/sp/saml2-acs.php/default-sp HTTP/1.1" 303 601 "https://<IDP URL>/app/template_saml_2_0/exkco438bkIFqvPfn0h7/sso/saml?RelayState=https%3A%2F%2F<App Domain URL>%2F" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36" "-" 0.184 0.164 . Nov 1 22:46:37 example.myaccessgateway.com Access Gateway ACCESS AUTHZ SESSION INFO USER_SESSION [SESSION_ID="_3e9bf6939e3724d6af7844505971d0d52f05cb932d" SUBJECT="<User login name>" APP="Sample Header App" APP_TYPE="SAMPLEHEADER2015_APP" APP_DOMAIN="<App Domain URL>" RESULT="ALLOW" REASON="SESSION_INTEGRITY_VERIFIED" REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36"] SRF Request RemoteIP: verified session RemoteIP: 192.168.10.20

  4. Access Gateway destroys the domain session cookie and creates an FQDN application cookie.

    Nov 1 22:46:37 example.myaccessgateway.com Access Gateway ACCESS AUTHZ SESSION INFO USER_SESSION [SESSION_ID="_3e9bf6939e3724d6af7844505971d0d52f05cb932d" SESSION_AUTH="_7a0cc86a711ad61bf760a3de582a0f1780a8796359" SESSION_APP="7303a91083a04a34bab3c22c54c769ae" SUBJECT="<User login name>" APP="Sample Header App" APP_TYPE="SAMPLEHEADER2015_APP" APP_DOMAIN="<App Domain URL>" RESULT="ALLOW" REASON="VALID_AUTHCOOKIE" REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36"] Upgraded auth cookie. App session created.

  5. Access Gateway retrieves the attributes from the session cache, injects them into the request headers, and allows access to the application. The application's response is returned to the browser with an FQDN session cookie.

    Nov 1 22:46:37 example.myaccessgateway.com Access Gateway ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="_3e9bf6939e3724d6af7844505971d0d52f05cb932d" SUBJECT="<User login name>" RESOURCE="/" METHOD="GET" POLICY="root" POLICY_TYPE="PROTECTED" DURATION="0" APP="Sample Header App" APP_TYPE="SAMPLEHEADER2015_APP" APP_DOMAIN="<App Domain URL>" RESULT="ALLOW" REASON="N/A - SESSIONID=_3e9bf6939e3724d6af7844505971d0d52f05cb932d RelayDomain=<App Domain URL> static_a=aaaaa static-b=bbbbb staticc=ccccc _staticd=ddddd -statice=eeeee staticcookie=1234 secret=secretvalue spgw_username=<User login name> UserName=<User login name> login=<User login name> firstname=<User first name> lastname=<User last name> email=<User login name> samplecookie<User first name> Groups=Everyone:Group A:Group C:Group E: SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport RemoteIP=192.168.10.20 USER_AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36 " REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36"] allow access to resource

    As the example above shows, every audit log entry carries the unique session ID, so it can be used to track a specific user session from first request to authorized access.

Process Monitor

NGINX Configuration

Log identifier

Field          Value
PROC_ID        OAG_MONITOR
COMPONENT      MONITOR
SUB-COMPONENT  NGINX
EVENT          USER_SESSION

Structured data

Field   Description
STATUS  NGINX configuration status codes are defined below

  1. NGINX Configuration check

    1. Log Level, STATUS:

      Status Code              Log Level  Description
      VALID                    INFO       Configuration is valid
      CONFLICTING_SERVER_NAME  WARN       Duplicate server name
      SUSPICIOUS_SYMBOL        WARN       Line not ended, or suspicious symbol in configuration file
      UNKNOWN_WARNING          WARN       Any unknown warning
      HOST_NOT_FOUND           ERROR      Host not resolved
      UNKNOWN_DIRECTIVE        ERROR      Unknown directive found
      INVALID_PARAMETER        ERROR      Invalid parameter found or missing ;
      DUPLICATE_LOCATION       ERROR      Duplicate location block
      UNEXPECTED_END_OF_FILE   ERROR      File not complete or missing }
      UNKNOWN_ERROR            ERROR      Any unhandled error

    2. Message: NGINX test output

    3. Log Sample:

      Oct 9 15:52:52 example.myaccessgateway.com Access Gateway OAG_MONITOR MONITOR NGINX INFO CONFIG_TEST [STATUS="VALID"] NGINX configuration is valid

NGINX Application Configuration

Log identifier

Field          Value
PROC_ID        OAG_MONITOR
COMPONENT      MONITOR
SUB-COMPONENT  NGINX
EVENT          USER_SESSION

Structured data

Field   Description
STATUS  NGINX configuration status codes are defined below
UUID    Application identifier

  1. NGINX application configuration check

    1. Log Level, STATUS:

      Status Code              Log Level  Description
      VALID                    INFO       Configuration is valid
      CONFLICTING_SERVER_NAME  WARN       Duplicate server name
      SUSPICIOUS_SYMBOL        WARN       Line not ended, or suspicious symbol in configuration file
      UNKNOWN_WARNING          WARN       Any unknown warning
      HOST_NOT_FOUND           ERROR      Host not resolved
      UNKNOWN_DIRECTIVE        ERROR      Unknown directive found
      INVALID_PARAMETER        ERROR      Invalid parameter found or missing ;
      DUPLICATE_LOCATION       ERROR      Duplicate location block
      UNEXPECTED_END_OF_FILE   ERROR      File not complete or missing }
      UNKNOWN_ERROR            ERROR      Any unhandled error

    2. Message: NGINX test output

    3. Log Sample:

      Oct 9 15:52:59 example.myaccessgateway.com Access Gateway OAG_MONITOR MONITOR NGINX INFO CONFIG_TEST [STATUS="VALID" UUID="9179e919-43dc-4396-8b26-164387213b1b"] nginx: the configuration file /tmp/nginx/nginx.conf syntax is ok nginx: configuration file /tmp/nginx/nginx.conf test is successful

SSL Certificate

Log identifier

Field          Value
PROC_ID        OAG_MONITOR
COMPONENT      MONITOR
SUB-COMPONENT  CERT_CHECK
EVENT          SSL_CERT_VALIDITY_CHECK

Structured data

Field   Description
USER    Username
EXPIRY  Certificate expiration date in YYYYMMDD format

  1. Certificate check

    1. Log Level, STATUS:

      Status Code     Log Level  Description
      VALID           INFO       SSL Certificate is valid for more than 30 days
      EXPIREIN30DAYS  WARN       SSL Certificate is going to expire in 30 days or less
      EXPIRED         ERROR      SSL Certificate has expired
      ERROR           ERROR      SSL Certificate not found

    2. Log Sample:

      Oct 9 15:51:18 example.myaccessgateway.com Access Gateway OAG_MONITOR MONITOR CERT_CHECK INFO SSL_CERT_VALIDITY_CHECK [USER="<Username>" EXPIRY="20191009"] SSL Certificate is valid for more than 30 days

Auth Modules

Log identifier

Field          Value
PROC_ID        OAG_MONITOR
COMPONENT      MONITOR
SUB-COMPONENT  AUTH_MODULE
EVENT          TEST_AUTHN_AD, TEST_AUTHN_LDAP

Structured data

Field                Description
STATUS               Status Code
UUID                 Auth module identifier
HOST                 LDAP/AD host
PORT                 LDAP port
USER_SEARCH_BASE_DN  User search base DN
SEARCH_ATTRIBUTE     Search attribute

  1. Auth module check

    1. Log Level, STATUS:

      Status Code                     Log Level  Description
      VALID                           INFO       Auth module is valid
      LDAP_ERROR_CONNECTION_REFUSED   WARN       Host <Hostname> is not available
      LDAP_INVALID_SEARCHBASE         ERROR      User Search Base was not found
      LDAP_INVALID_USERBASE           ERROR      User Search Base was not found
      LDAP_ERROR_INVALID_CREDENTIALS  ERROR      Invalid credentials
      LDAP_ERROR_SEARCH_ATTRIBUTE     ERROR      Invalid User Search Attribute
      UNKNOWN_ERROR                   ERROR      Error validating <Hostname> Settings

    2. Log Sample:

      Oct 9 15:53:05 example.myaccessgateway.com Access Gateway OAG_MONITOR MONITOR AUTH_MODULE INFO TEST_AUTHN_AD [STATUS="LDAP_VALID" UUID="a185d793-4538-4e5f-9deb-46eb40850aba" HOST="<Host IP Address>" PORT="389" USER_SEARCH_BASE_DN="cn=Users,dc=okta,dc=info" SEARCH_ATTRIBUTE="samaccountname"] Auth module is valid
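The session trace described under Authentication and Session Handling above and the Process Monitor events in this section are all audit lines in the same TIMESTAMP HOSTNAME APPLICATION PROCID COMPONENT SUB-COMPONENT LOG_LEVEL EVENT [STRUCTURED_DATA] MESSAGE layout, so one parser serves both. The Python below is an added example, not code from Okta or from Access Gateway: it parses that layout, lists every event for one SESSION_ID in log order, counts DENY reasons, flags any OAG_MONITOR line at WARN or ERROR, and recomputes the certificate's days to expiry from EXPIRY using the thresholds in the table above. The sample lines are adapted from this document's log samples with the placeholders replaced by constructed values (jdoe, app.example.com) and user agents shortened; the WARN CONFIG_TEST and ERROR TEST_AUTHN_AD lines are constructed, and all function names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Audit line layout from the document:
#   TIMESTAMP HOSTNAME APPLICATION PROCID COMPONENT SUB-COMPONENT LOG_LEVEL EVENT [STRUCTURED_DATA] MESSAGE
# APPLICATION is the two-word literal "Access Gateway". NGINX access-log lines use a
# different layout, so parse_audit_line returns None for them and they are skipped.
AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) Access Gateway "
    r"(?P<proc>\S+) (?P<comp>\S+) (?P<sub>\S+) (?P<level>\S+) (?P<event>\S+) "
    r"\[(?P<sd>.*)\] (?P<msg>.*)$"  # greedy: structured data may hold quotes and parentheses
)
SD_PAIR_RE = re.compile(r'(\w+)="([^"]*)"')  # KEY="value" pairs inside the brackets


def parse_audit_line(line):
    """Return a dict for an Access Gateway audit line, or None for any other line."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sd"] = dict(SD_PAIR_RE.findall(rec["sd"]))
    return rec


def trace_session(lines, session_id):
    """Audit events for one SESSION_ID, in log order: (EVENT, SUB-COMPONENT, RESULT, REASON)."""
    return [
        (r["event"], r["sub"], r["sd"].get("RESULT"), r["sd"].get("REASON"))
        for r in map(parse_audit_line, lines)
        if r and r["sd"].get("SESSION_ID") == session_id
    ]


def denials_by_reason(lines):
    """Count RESULT="DENY" entries per REASON. NOT_EXIST is the normal first hop of a login;
    SESSION_INTEGRITY_* reasons mean a cookie was presented from a domain or address other
    than the one it was issued for, which is worth a closer look."""
    counts = defaultdict(int)
    for r in map(parse_audit_line, lines):
        if r and r["sd"].get("RESULT") == "DENY":
            counts[r["sd"].get("REASON", "UNKNOWN")] += 1
    return dict(counts)


def monitor_alerts(lines):
    """(LOG_LEVEL, EVENT, STATUS, MESSAGE) for every OAG_MONITOR line at WARN or ERROR."""
    return [
        (r["level"], r["event"], r["sd"].get("STATUS"), r["msg"])
        for r in map(parse_audit_line, lines)
        if r and r["proc"] == "OAG_MONITOR" and r["level"] in ("WARN", "ERROR")
    ]


def cert_days_left(lines, today_yyyymmdd):
    """Recompute days to expiry from EXPIRY (YYYYMMDD) and classify with the document's
    thresholds (over 30 days VALID, 30 or fewer EXPIREIN30DAYS, past EXPIRED), so the
    verdict does not depend on when the monitor last ran. Returns {USER: (days, status)}."""
    today = datetime.strptime(today_yyyymmdd, "%Y%m%d").date()
    out = {}
    for r in map(parse_audit_line, lines):
        if not r or r["event"] != "SSL_CERT_VALIDITY_CHECK" or "EXPIRY" not in r["sd"]:
            continue
        days = (datetime.strptime(r["sd"]["EXPIRY"], "%Y%m%d").date() - today).days
        status = "EXPIRED" if days < 0 else ("EXPIREIN30DAYS" if days <= 30 else "VALID")
        out[r["sd"].get("USER", "")] = (days, status)
    return out


# Constructed sample: session lines adapted from the document's samples (placeholders filled
# in, user agents shortened); the WARN and ERROR monitor lines are constructed.
SAMPLE_LOG = [
    'Nov 1 22:46:11 example.myaccessgateway.com Access Gateway ACCESS AUTHZ SESSION INFO USER_SESSION [SESSION_ID="" APP="Sample Header App" APP_DOMAIN="app.example.com" RESULT="DENY" REASON="NOT_EXIST" REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"] No session cookie. Sending to handler.',
    'Nov 1 22:46:37 example.myaccessgateway.com Access Gateway ACCESS AUTHN SAML INFO USER_AUTHN [SESSION_ID="_3e9b" SESSION_AUTH="_7a0c" SUBJECT="jdoe" TYPE="SAML_2_0" RESULT="PASS" REASON="Valid SAML Assertion" REMOTE_IP="192.168.10.20"] User login:jdoe',
    'Nov 1 22:46:37 example.myaccessgateway.com icsIcsgwAccess app.example.com 192.168.10.20 - - [01/Nov/2017:22:46:37 -0500] "POST /auth/module.php/saml/sp/saml2-acs.php/default-sp HTTP/1.1" 303 601 "-" "Mozilla/5.0" "-" 0.184 0.164 .',
    'Nov 1 22:46:37 example.myaccessgateway.com Access Gateway ACCESS AUTHZ SESSION INFO USER_SESSION [SESSION_ID="_3e9b" SUBJECT="jdoe" RESULT="ALLOW" REASON="SESSION_INTEGRITY_VERIFIED" REMOTE_IP=""] SRF Request RemoteIP: verified session RemoteIP: 192.168.10.20',
    'Nov 1 22:46:37 example.myaccessgateway.com Access Gateway ACCESS AUTHZ SESSION INFO USER_SESSION [SESSION_ID="_3e9b" SESSION_AUTH="_7a0c" SESSION_APP="7303" SUBJECT="jdoe" RESULT="ALLOW" REASON="VALID_AUTHCOOKIE" REMOTE_IP=""] Upgraded auth cookie. App session created.',
    'Nov 1 22:46:37 example.myaccessgateway.com Access Gateway ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="_3e9b" SUBJECT="jdoe" RESOURCE="/" METHOD="GET" POLICY="root" POLICY_TYPE="PROTECTED" RESULT="ALLOW" REASON="N/A" REMOTE_IP=""] allow access to resource',
    'Oct 6 14:09:37 example.myaccessgateway.com Access Gateway ACCESS AUTHZ SESSION ALERT USER_SESSION [SESSION_ID="_4cf8" SUBJECT="jdoe" RESULT="DENY" REASON="SESSION_INTEGRITY_DOMAIN_MISMATCH" REMOTE_IP=""] Request domain:app.example.com does not match session Domain:header.okta.com',
    'Oct 9 15:52:52 example.myaccessgateway.com Access Gateway OAG_MONITOR MONITOR NGINX INFO CONFIG_TEST [STATUS="VALID"] NGINX configuration is valid',
    'Oct 9 15:52:53 example.myaccessgateway.com Access Gateway OAG_MONITOR MONITOR NGINX WARN CONFIG_TEST [STATUS="CONFLICTING_SERVER_NAME" UUID="9179e919-43dc-4396-8b26-164387213b1b"] conflicting server name "app.example.com"',
    'Oct 9 15:51:18 example.myaccessgateway.com Access Gateway OAG_MONITOR MONITOR CERT_CHECK INFO SSL_CERT_VALIDITY_CHECK [USER="jdoe" EXPIRY="20191009"] SSL Certificate is valid for more than 30 days',
    'Oct 9 15:53:05 example.myaccessgateway.com Access Gateway OAG_MONITOR MONITOR AUTH_MODULE ERROR TEST_AUTHN_AD [STATUS="LDAP_ERROR_INVALID_CREDENTIALS" UUID="a185d793-4538-4e5f-9deb-46eb40850aba" HOST="ldap.example.com" PORT="389"] Invalid credentials',
]

if __name__ == "__main__":
    for step in trace_session(SAMPLE_LOG, "_3e9b"):
        print("session _3e9b:", step)
    print("denials:", denials_by_reason(SAMPLE_LOG))
    print("alerts:", monitor_alerts(SAMPLE_LOG))
    print("certs:", cert_days_left(SAMPLE_LOG, "20190920"))
```

The monitor filter keys on PROC_ID and LOG_LEVEL rather than on one EVENT name, so it covers CONFIG_TEST, SSL_CERT_VALIDITY_CHECK and TEST_AUTHN_AD alike and keeps working when the monitor runs for several applications or auth modules (each carries its own UUID). Recomputing the expiry locally matters because the monitor's own VALID verdict is only as fresh as its last run.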

Access Log

Access Log

Field                 Description
Hostname              Hostname of the Access Gateway appliance
Tag                   Tag to identify the Access Gateway component
Application Hostname  Hostname of the application (public domain of the application)
Client IP             User's IP address
Timestamp             Date and time when the request was processed
Request               HTTP request
HTTP Status Code      HTTP status code
Request size          Size of request body in bytes
HTTP Referrer         -
User Agent            Browser information
X-Forwarded-For       X-Forwarded-For header received
Request Time          Time in seconds to receive the request
Response Time         Time in seconds to send a response

Log Sample:

Mar 28 13:13:57 example.myaccessgateway.com sampleheaderapptest <App Domain URL> <User's IP Address> - - [28/Mar/2018:13:13:57 -0500] "GET / HTTP/1.1" 200 4828 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36" "<User's IP Address>" 0.006 0.001 .

The following table identifies the data captured in the log sample above:

Access log sample

Field                 Value
Hostname              <Access Gateway hostname>
Tag                   sampleheaderapptest
Application Hostname  <App Domain URL>
Client IP             <User's IP Address>
Timestamp             28/Mar/2018:13:13:57 -0500
Request               GET / HTTP/1.1
HTTP Status Code      200
Request size          4828
HTTP Referrer         -
User Agent            Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
X-Forwarded-For       <User's IP Address>
Request Time          0.006
Response Time         0.001

HTTP Status Codes

Access Gateway returns the following status codes to the browser. They are also recorded in the access log, which is where to look first when troubleshooting.

HTTP Status Codes

Status Code  Description
200          Successful response
400          Application is being called by IP address, or the hostname is not served by Access Gateway
401          Session does not exist
403          Access Gateway policy rule denied access to the resource
404          Unknown page/content/resource
405          Session integrity failure
500          Server-side error
502          Backend application not available
503          Application is in maintenance, inactive, or offline mode
504          Request to backend application timed out
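To show how the access log fields and the status codes above fit together in practice, here is an added Python example (not Okta's or Access Gateway's code) that parses an access-log line into the fields of the Access Log table, summarizes status codes with the meanings from the table above, and counts 401/403/405 responses per client, with the X-Forwarded-For caveat handled explicitly. The sample lines are constructed in the layout of the document's samples (app.example.com, 203.0.113.7, 10.0.0.5 and 198.51.100.9 are placeholder values); the function names are my own.

```python
import re
from collections import Counter

# Access-log layout, in the order of the document's field table:
#   HOSTNAME TAG APP_HOSTNAME CLIENT_IP - - [TIMESTAMP] "REQUEST" STATUS SIZE "REFERRER" "USER_AGENT" "XFF" REQ_TIME RESP_TIME .
# Size and the two times are "-" when there is no value (the document's 405 sample has a "-" response time).
ACCESS_RE = re.compile(
    r'^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<hostname>\S+) (?P<tag>\S+) '
    r'(?P<app_hostname>\S+) (?P<client_ip>\S+) - - \[(?P<timestamp>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referrer>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'"(?P<xff>[^"]*)" (?P<request_time>\S+) (?P<response_time>\S+) \.$'
)

# Meaning of each status code, as given in the document's HTTP Status Codes table
STATUS_MEANING = {
    200: "Successful response",
    400: "Application called by IP address, or hostname not served by Access Gateway",
    401: "Session does not exist",
    403: "Access Gateway policy rule denied access to resource",
    404: "Unknown page/content/resource",
    405: "Session integrity failure",
    500: "Server side error",
    502: "Backend application not available",
    503: "Application is in maintenance, inactive, or offline mode",
    504: "Request to backend application timed out",
}
AUTH_DENIAL_STATUSES = (401, 403, 405)  # no session, policy deny, session integrity failure


def _num(text, cast):
    """NGINX writes "-" for a missing numeric field; map that to None."""
    return None if text == "-" else cast(text)


def parse_access_line(line):
    """Return a dict of the document's access-log fields, or None for a non-access line."""
    m = ACCESS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = _num(rec["size"], int)
    rec["request_time"] = _num(rec["request_time"], float)
    rec["response_time"] = _num(rec["response_time"], float)
    return rec


def effective_client(rec, trust_xff):
    """Client IP to attribute the request to. X-Forwarded-For is supplied by whoever sent the
    request, so only honour it (first hop) when a proxy you control always overwrites it."""
    if trust_xff and rec["xff"] not in ("", "-"):
        return rec["xff"].split(",")[0].strip()
    return rec["client_ip"]


def status_summary(lines):
    """{status: (count, meaning)} across all parseable lines, ordered by status code."""
    counts = Counter(r["status"] for r in map(parse_access_line, lines) if r)
    return {s: (n, STATUS_MEANING.get(s, "Not listed in the document")) for s, n in sorted(counts.items())}


def denials_by_client(lines, trust_xff=False):
    """How many 401/403/405 responses each client received; a burst from one source is a
    useful first triage signal before pulling the matching audit SESSION_IDs."""
    counts = Counter()
    for r in map(parse_access_line, lines):
        if r and r["status"] in AUTH_DENIAL_STATUSES:
            counts[effective_client(r, trust_xff)] += 1
    return dict(counts)


# Constructed sample lines in the document's access-log layout (placeholder hosts and addresses)
SAMPLE_ACCESS = [
    'Mar 28 13:13:57 example.myaccessgateway.com sampleheaderapptest app.example.com 203.0.113.7 - - [28/Mar/2018:13:13:57 -0500] "GET / HTTP/1.1" 200 4828 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "203.0.113.7" 0.006 0.001 .',
    'Mar 28 13:14:02 example.myaccessgateway.com sampleheaderapptest app.example.com 10.0.0.5 - - [28/Mar/2018:13:14:02 -0500] "GET /admin HTTP/1.1" 403 512 "-" "curl/7.58.0" "198.51.100.9" 0.002 0.001 .',
    'Mar 28 13:14:10 example.myaccessgateway.com sampleheaderapptest app.example.com 10.0.0.5 - - [28/Mar/2018:13:14:10 -0500] "GET / HTTP/1.1" 405 1942 "-" "curl/7.58.0" "198.51.100.9" 0.000 - .',
    'Mar 28 13:14:15 example.myaccessgateway.com sampleheaderapptest app.example.com 203.0.113.7 - - [28/Mar/2018:13:14:15 -0500] "GET /report HTTP/1.1" 502 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" "203.0.113.7" 0.010 - .',
    'not an access log line',
]

if __name__ == "__main__":
    for status, (count, meaning) in status_summary(SAMPLE_ACCESS).items():
        print(f"{status} x{count}: {meaning}")
    print("denials by connecting IP:", denials_by_client(SAMPLE_ACCESS))
    print("denials by X-Forwarded-For:", denials_by_client(SAMPLE_ACCESS, trust_xff=True))
```

With trust_xff left at False the two denied requests are attributed to 10.0.0.5, the address that actually connected; with it set to True they are attributed to 198.51.100.9 from the X-Forwarded-For header. Which of the two is the right answer depends on whether a load balancer you control sits in front of the gateway, which is why the choice is a parameter rather than a default.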

Log Rotation and Archival

  1. Access Gateway is configured to rotate logs daily.
  2. The default setup retains log files for a month and deletes older files to save disk space.
  3. Open a service ticket with Okta Support to change the log rotation and archival configuration to meet your requirements.