Logging Overview
Introduction
The purpose of this document is to explain the logging implementation in the Access Gateway system. Access Gateway writes all events and actions to its logs for auditing purposes, including administrative actions and user access and authorization states.
Events and Monitoring
Access Gateway can be customized to send its logs to any external log monitoring system. It writes all important events to the log, where they can be used for monitoring. The tables below list the events generated by Access Gateway and the keywords with which to implement monitoring:
Application

Tag: ACCESS

| Event Type | Event | Log Level | Message |
| --- | --- | --- | --- |
| USER_AUTHN | Initial AuthN with Access layer success | INFO | Subject has successfully authenticated, reason = valid SAML assertion |
| USER_AUTHN | RelayState failed validation | WARN | Reset relaystate bad url to default, reason=INVALID_RELAYSTATE |
| USER_AUTHZ | Access resource allow | INFO | N/A |
| USER_AUTHZ | Access resource deny | INFO | N/A |
| USER_SESSION | AuthSession upgrade with valid authCookie | INFO | Upgraded authcookie, reason=valid authCookie |
| USER_SESSION | AuthSession upgrade with bad authCookie | WARN | authCookie does not exist this should be investigated, reason = uuid does not exist |
| USER_SESSION | Access app with non-existent sessionCookie | INFO | No session cookie doing some behavior, reason = No session cookie |
| USER_SESSION | Session integrity failure (RemoteIP) | WARN | Session finger print failed |
| USER_SESSION | Session integrity failure (session domain mismatch) | ALERT | Session finger print failed |
| USER_LOGOUT | User initiated logout | INFO | Subject logout, reason = valid session |

Data fields available in the log, per event type:

USER_AUTHN
- SESSION_ID: not shared; allows the end user to be tracked, and is translated into the session cookie if upgraded
- SESSION_AUTH: the temporary auth session ID
- SUBJECT: user subject from the assertion naming identifier
- TYPE: SAML, or which auth module was used
- SOURCE: EntityID
- SOURCE_TYPE: IDP_OKTA, IDP_IDCS
- SOURCE_DOMAIN: IDP domain
- SOURCE_AUTHN_TYPE: the AuthnContext type from the SAML assertion
- APP: name of the app that will be requested
- APP_DOMAIN: public domain of the app that will be requested
- REASON: the reason this was allowed or not
- REMOTE_IP: user remote IP
- USER_AGENT: user browser info
- MSG: the end user message

USER_AUTHZ
- SESSION_ID: not shared; allows the end user to be tracked, and is translated into the session cookie if upgraded
- SUBJECT: user from session
- RESOURCE: the URI being accessed
- METHOD: HTTP verb
- POLICY: name of policy
- POLICY_TYPE: type of policy
- DURATION: time taken to execute the policy
- APP: app name
- APP_TYPE: the type of SPGW app being used
- APP_DOMAIN: the public domain of the app
- RESULT: ALLOW / DENY
- REMOTE_IP: user remote IP
- USER_AGENT: user browser info
- MSG: the end user message

USER_SESSION
- SESSION_ID: not shared; allows the end user to be tracked, and is translated into the session cookie if upgraded
- SESSION_AUTH: the authSession that was used to create this session
- SESSION_APP: only used on authSession upgrade
- SUBJECT: user from session
- APP: app name
- APP_TYPE: the type of SPGW app being used
- APP_DOMAIN: the public domain of the app
- RESULT: ALLOW / DENY
- REASON: the reason this was allowed or not
- REMOTE_IP: user remote IP
- USER_AGENT: user browser info
- MSG: the end user message

USER_LOGOUT
- SESSION_ID: should match the session cookie
- SUBJECT: user from session
- APP: app name
- APP_DOMAIN: the public domain of the app
- APP_TYPE: the type of SPGW app being used
- RESULT: SUCCESS / FAIL
- REMOTE_IP: user remote IP
- USER_AGENT: user browser info
- MSG: the end user message
Web Console

| Event Type | Event | Log Level | Message |
| --- | --- | --- | --- |
| STARTUP | Web console start-up | INFO | Startup complete, system ready. |
| USER_LOGIN | User login | INFO | User login success/failed: username |
| USER_LOGOUT | User logout | INFO | User logout: username |
| SYSTEM_IDP_STATUS | Status is good | INFO | Success confirming IDP status with: <domain> |
| SYSTEM_IDP_STATUS | IDP is no longer network reachable | ALERT | |
| SYSTEM_IDP_STATUS | IDP security key is no longer valid | ALERT | |
| SYSTEM_APP_EVENT | Application create / update / delete / activate / deactivate | INFO | |
| SYSTEM_KRB5_EVENT | Krb5 setting add / update / delete | INFO | |
| SYSTEM_SPGW_EVENT | SPGW setup, update setting, accept license, reset SPGW | INFO | |

Data fields available in the log, per event type:

STARTUP
- N/A

USER_LOGIN
- SESSION_ID: not shared; allows the end user to be tracked
- SUBJECT: user from session
- RESULT: PASS / FAIL
- REASON: VALID_CREDENTIALS / INVALID_CREDENTIALS
- REMOTE_IP: user remote IP
- USER_AGENT: user browser info

USER_LOGOUT
- SESSION_ID: not shared; allows the end user to be tracked
- SUBJECT: user from session
- REASON: USER_ACTION
- REMOTE_IP: user remote IP
- USER_AGENT: user browser info

SYSTEM_IDP_STATUS
- NAME: IDP name
- DOMAIN: IDP domain
- TYPE: IDP type
- RESULT: PASS / FAIL
- REASON: VALID; INVALID_NETWORK_CONN (FAIL); INVALID_TOKEN (FAIL)

SYSTEM_APP_EVENT
- GUID: application identifier
- NAME: application name
- TYPE: application type
- DOMAIN: application domain
- IDP_TYPE: IDP type
- IDP_DOMAIN: IDP domain
- REASON: CREATE, UPDATE, DELETE, ACTIVATE, DEACTIVATE
- SUBJECT: username
- SESSION_ID: session ID of the user
- REMOTE_IP: user remote IP
- USER_AGENT: user browser information

SYSTEM_KRB5_EVENT
- REALM: Kerberos realm
- REASON: CREATE, UPDATE, DELETE
- SUBJECT: username
- SESSION_ID: session ID of the user
- REMOTE_IP: user remote IP
- USER_AGENT: user browser information

SYSTEM_SPGW_EVENT
- GUID
- HOST
- COOKIE_DOMAIN
- REASON: SETUP, UPDATE, ACCEPT, RESET
- SUBJECT: username
- SESSION_ID: session ID of the user
- REMOTE_IP: user remote IP
- USER_AGENT: user browser information
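As an added example (not part of this page or of Okta's own tooling), the following Python parses constructed Access Gateway-style lines and raises findings on the ALERT and WARN events listed in the Application and Web Console tables above, plus repeated Web Console login failures from one address. The line layout (`<LEVEL> [<TAG>] <EVENT_TYPE> key=value ...`), the CONSOLE tag for Web Console lines and all sample values are assumptions, since this page does not specify the on-disk format.

```python
import re
from collections import Counter

# Assumed line layout (this page does not specify one):
#   <LEVEL> [<TAG>] <EVENT_TYPE> key=value key="quoted value" ...
# Tag ACCESS, the event types and the field names come from the tables above;
# the CONSOLE tag used for Web Console lines is a placeholder assumption.
LINE_RE = re.compile(r"^(?P<level>[A-Z]+) \[(?P<tag>\w+)\] (?P<etype>\w+)(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Return LEVEL/TAG/EVENT_TYPE plus the key=value fields as a dict, or None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = {"LEVEL": m["level"], "TAG": m["tag"], "EVENT_TYPE": m["etype"]}
    for key, quoted, bare in KV_RE.findall(m["kv"]):
        ev[key] = quoted if quoted else bare
    return ev

def detect(lines, login_fail_threshold=3):
    """Flag ALERT events, WARN session events and repeated console login failures."""
    findings = []
    login_fails = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unparseable line: skip it rather than stop the monitor
        detail = ev.get("REASON") or ev.get("MSG", "")
        if ev["LEVEL"] == "ALERT":
            findings.append(("ALERT", ev["EVENT_TYPE"], detail))
        elif ev["EVENT_TYPE"] == "USER_SESSION" and ev["LEVEL"] == "WARN":
            findings.append(("SESSION_WARN", ev.get("REMOTE_IP", "?"), detail))
        if ev["EVENT_TYPE"] == "USER_LOGIN" and ev.get("RESULT") == "FAIL":
            login_fails[ev.get("REMOTE_IP", "?")] += 1
    for ip, n in login_fails.items():
        if n >= login_fail_threshold:
            findings.append(("LOGIN_FAILURES", ip, f"{n} failed console logins"))
    return findings

# Constructed sample lines, not real Access Gateway output.
SAMPLE_LINES = [
    'INFO [ACCESS] USER_AUTHN SESSION_AUTH=a1 SUBJECT=alice SOURCE_TYPE=IDP_OKTA APP=hr REMOTE_IP=10.0.0.5',
    'WARN [ACCESS] USER_SESSION SESSION_ID=s1 SUBJECT=alice REASON="uuid does not exist" REMOTE_IP=10.0.0.5',
    'ALERT [ACCESS] USER_SESSION SESSION_ID=s2 SUBJECT=bob MSG="Session finger print failed" REMOTE_IP=198.51.100.7',
    'INFO [CONSOLE] USER_LOGIN SUBJECT=admin RESULT=FAIL REASON=INVALID_CREDENTIALS REMOTE_IP=203.0.113.9',
    'INFO [CONSOLE] USER_LOGIN SUBJECT=admin RESULT=FAIL REASON=INVALID_CREDENTIALS REMOTE_IP=203.0.113.9',
    'INFO [CONSOLE] USER_LOGIN SUBJECT=admin RESULT=FAIL REASON=INVALID_CREDENTIALS REMOTE_IP=203.0.113.9',
    'ALERT [CONSOLE] SYSTEM_IDP_STATUS NAME=corp DOMAIN=idp.example.test RESULT=FAIL REASON=INVALID_TOKEN',
]
```

Calling `detect(SAMPLE_LINES)` yields one session warning, two alerts and one repeated-login finding; forwarders that emit a different layout only need `LINE_RE` adjusted.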
Management Console
Process Monitor
Rotation and Archival
- Access Gateway is configured to rotate logs every day.
- The default setup stores log files for a month and deletes older log files to save disk space.
- A service ticket can be opened with Okta Support to have this configuration changed as required.