Logging Overview

Introduction

The purpose of this document is to explain the logging implementation in the Access Gateway system. Access Gateway writes all events and actions to its logs for auditing purposes, including administrative actions and user access and authorization states.

Events and Monitoring

Access Gateway can be customized to send its logs to any external log monitoring system. It writes all important events to the log so that they can be used for monitoring. The tables below list the events generated by Access Gateway and the keywords that can be used to implement monitoring:

Application

Tag: ACCESS

Columns: Event Type, Event, Log Level, Message, Data Fields available in Log

Event Type: USER_AUTHN

  Event: Initial AuthN with Access layer success
  Log Level: INFO
  Message: Subject has successfully authenticated, reason = valid SAML assertion

  Event: RelayState failed validation
  Log Level: WARN
  Message: Reset relaystate bad url to default, reason=INVALID_RELAYSTATE

  Data fields available in log:
    SESSION_ID: Not shared; allows us to track the end user. This will be translated into the session cookie if upgraded.
    SESSION_AUTH: The temporary auth session id
    SUBJECT: User subject assertion naming identifier
    TYPE: SAML, or which auth module
    SOURCE: EntityID
    SOURCE_TYPE: IDP_OKTA, IDP_IDCS
    SOURCE_DOMAIN: IDP domain
    SOURCE_AUTHN_TYPE: The AuthnContext type from the SAML assertion
    APP: App name that will be requested
    APP_DOMAIN: Public domain of the app that will be requested
    REASON: The reason this was allowed or not
    REMOTE_IP: User remote IP
    USER_AGENT: User browser info
    MSG: The end user message

Event Type: USER_AUTHZ

  Event: Access resource allow
  Log Level: INFO
  Message: N/A

  Event: Access resource deny
  Log Level: INFO
  Message: N/A

  Data fields available in log:
    SESSION_ID: Not shared; allows us to track the end user. This will be translated into the session cookie if upgraded.
    SUBJECT: User from session
    RESOURCE: The URI being accessed
    METHOD: HTTP verb
    POLICY: Name of policy
    POLICY_TYPE: Type of policy
    DURATION: Time it takes to execute the policy
    APP: App name
    APP_TYPE: The type of SPGW app being used
    APP_DOMAIN: The public domain of the app
    RESULT: ALLOW / DENY
    REMOTE_IP: User remote IP
    USER_AGENT: User browser info
    MSG: The end user message

Event Type: USER_SESSION

  Event: AuthSession upgrade with valid authCookie
  Log Level: INFO
  Message: Upgraded authcookie, reason=valid authCookie

  Event: AuthSession upgrade with bad authCookie
  Log Level: WARN
  Message: authCookie does not exist this should be investigated, reason = uuid does not exist

  Event: Access app with non-existent sessionCookie
  Log Level: INFO
  Message: No session cookie doing some behavior, reason = No session cookie

  Event: Session integrity failure (RemoteIP)
  Log Level: WARN
  Message: Session finger print failed

  Event: Session integrity failure (session domain mismatch)
  Log Level: ALERT
  Message: Session finger print failed

  Data fields available in log:
    SESSION_ID: Not shared; allows us to track the end user. This will be translated into the session cookie if upgraded.
    SESSION_AUTH: The authSession that was used to create this session
    SESSION_APP: Only used on authSession upgrade
    SUBJECT: User from session
    APP: App name
    APP_TYPE: The type of SPGW app being used
    APP_DOMAIN: The public domain of the app
    RESULT: ALLOW / DENY
    REASON: The reason this was allowed or not
    REMOTE_IP: User remote IP
    USER_AGENT: User browser info
    MSG: The end user message

Event Type: USER_LOGOUT

  Event: User initiated logout
  Log Level: INFO
  Message: Subject logout, reason = valid session

  Data fields available in log:
    SESSION_ID: Should match the session cookie
    SUBJECT: User from session
    APP: App name
    APP_DOMAIN: The public domain of the app
    APP_TYPE: The type of SPGW app being used
    RESULT: SUCCESS / FAIL
    REMOTE_IP: User remote IP
    USER_AGENT: User browser info
    MSG: The end user message

Web Console

Columns: Event Type, Event, Log Level, Message, Data Fields available in Log

Event Type: STARTUP

  Event: Web console start up
  Log Level: INFO
  Message: Startup complete, system ready.

  Data fields available in log: N/A

Event Type: USER_LOGIN

  Event: User login
  Log Level: INFO
  Message: User login success/failed: username

  Data fields available in log:
    SESSION_ID: Not shared; allows us to track the end user
    SUBJECT: User from session
    RESULT: PASS / FAIL
    REASON: VALID_CREDENTIALS / INVALID_CREDENTIALS
    REMOTE_IP: User remote IP
    USER_AGENT: User browser info

Event Type: USER_LOGOUT

  Event: User logout
  Log Level: INFO
  Message: User logout: username

  Data fields available in log:
    SESSION_ID: Not shared; allows us to track the end user
    SUBJECT: User from session
    REASON: USER_ACTION
    REMOTE_IP: User remote IP
    USER_AGENT: User browser info

Event Type: SYSTEM_IDP_STATUS

  Event: Status is good
  Log Level: INFO
  Message: Success confirming IDP status with: <domain>

  Event: IDP is no longer network reachable
  Log Level: ALERT

  Event: IDP security key is no longer valid
  Log Level: ALERT

  Data fields available in log:
    NAME: IDP name
    DOMAIN: IDP domain
    TYPE: IDP type
    RESULT: PASS / FAIL
    REASON: VALID, INVALID_NETWORK_CONN (FAIL), INVALID_TOKEN (FAIL)

Event Type: SYSTEM_APP_EVENT

  Event: Application create / update / delete / activate / deactivate
  Log Level: INFO

  Data fields available in log:
    GUID: Application identifier
    NAME: Application name
    TYPE: Application type
    DOMAIN: Application domain
    IDP_TYPE: IDP type
    IDP_DOMAIN: IDP domain
    REASON: CREATE, UPDATE, DELETE, ACTIVATE, DEACTIVATE
    SUBJECT: Username
    SESSION_ID: Session ID of the user
    REMOTE_IP: User remote IP
    USER_AGENT: User browser information

Event Type: SYSTEM_KRB5_EVENT

  Event: Krb5 setting add / update / delete
  Log Level: INFO

  Data fields available in log:
    REALM
    REASON: CREATE, UPDATE, DELETE
    SUBJECT
    SESSION_ID
    REMOTE_IP
    USER_AGENT

Event Type: SYSTEM_SPGW_EVENT

  Event: SPGW setup, update setting, accept license, reset SPGW
  Log Level: INFO

  Data fields available in log:
    GUID
    HOST
    COOKIE_DOMAIN
    REASON: SETUP, UPDATE, ACCEPT, RESET
    SUBJECT
    SESSION_ID
    REMOTE_IP
    USER_AGENT
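The monitoring rules that the event keywords above support, shown as an added example that is not part of this document or of Access Gateway itself. The page does not specify the on-disk line layout, so the "LEVEL [TAG] EVENT_TYPE KEY=value ..." layout, the CONSOLE tag for web console lines and the sample lines are constructed assumptions; the event types, levels, field names and messages come from the tables.

```python
import re
from collections import Counter

# Constructed sample lines (assumption: the page does not give the on-disk line layout, so this
# "LEVEL [TAG] EVENT_TYPE KEY=value ..." layout and the CONSOLE tag are placeholders).
SAMPLE_LOG = """\
INFO [ACCESS] USER_AUTHN SUBJECT=alice SOURCE_TYPE=IDP_OKTA APP=hr REASON="valid SAML assertion" REMOTE_IP=10.0.0.5
INFO [ACCESS] USER_AUTHZ SUBJECT=alice RESOURCE=/hr/payroll METHOD=GET POLICY=hr-staff RESULT=ALLOW REMOTE_IP=10.0.0.5
INFO [ACCESS] USER_AUTHZ SUBJECT=bob RESOURCE=/hr/admin METHOD=GET POLICY=hr-admin RESULT=DENY REMOTE_IP=10.0.0.9
INFO [ACCESS] USER_AUTHZ SUBJECT=bob RESOURCE=/hr/admin METHOD=POST POLICY=hr-admin RESULT=DENY REMOTE_IP=10.0.0.9
INFO [ACCESS] USER_AUTHZ SUBJECT=bob RESOURCE=/hr/export METHOD=GET POLICY=hr-admin RESULT=DENY REMOTE_IP=10.0.0.9
WARN [ACCESS] USER_SESSION SUBJECT=bob APP=hr REASON="uuid does not exist" REMOTE_IP=10.0.0.9
ALERT [ACCESS] USER_SESSION SUBJECT=carol APP=hr REMOTE_IP=10.0.0.7 MSG="Session finger print failed"
ALERT [CONSOLE] SYSTEM_IDP_STATUS NAME=corp-idp DOMAIN=idp.example.com RESULT=FAIL REASON=INVALID_TOKEN
"""

LINE_RE = re.compile(r"^(?P<level>[A-Z]+) \[(?P<tag>[A-Z_]+)\] (?P<event>[A-Z0-9_]+) ?(?P<fields>.*)$")
FIELD_RE = re.compile(r'([A-Z_]+)=("([^"]*)"|\S+)')  # KEY=value or KEY="value with spaces"

def parse_line(line):
    """Split one log line into a dict of LEVEL, TAG, EVENT_TYPE and the KEY=value data fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"LEVEL": m["level"], "TAG": m["tag"], "EVENT_TYPE": m["event"]}
    for key, raw, quoted in FIELD_RE.findall(m["fields"]):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec

def monitor(log_text, deny_threshold=3):
    """Return (severity, description) findings using the event keywords and levels from the tables."""
    findings, denies = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        who = rec.get("SUBJECT") or rec.get("NAME") or "?"
        # ALERT is reserved for session-domain mismatch and IDP unreachable / invalid key: page on it.
        if rec["LEVEL"] == "ALERT":
            findings.append(("page", f'{rec["EVENT_TYPE"]} {who}: {rec.get("MSG") or rec.get("REASON")}'))
        # WARN on USER_AUTHN / USER_SESSION covers bad RelayState, bad authCookie, RemoteIP fingerprint failure.
        elif rec["LEVEL"] == "WARN" and rec["EVENT_TYPE"] in ("USER_AUTHN", "USER_SESSION"):
            findings.append(("ticket", f'{rec["EVENT_TYPE"]} {who}: {rec.get("REASON") or rec.get("MSG")}'))
        # Repeated USER_AUTHZ RESULT=DENY for one subject: probing, or a policy that needs review.
        if rec["EVENT_TYPE"] == "USER_AUTHZ" and rec.get("RESULT") == "DENY":
            denies[who] += 1
            if denies[who] == deny_threshold:
                findings.append(("ticket", f"{who} hit {deny_threshold} USER_AUTHZ denies from {rec.get('REMOTE_IP')}"))
    return findings
```

Running monitor(SAMPLE_LOG) yields one ticket for bob's repeated denies, one ticket for his bad authCookie, and pages for carol's ALERT-level fingerprint failure and the IDP key failure.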

Management Console

Process Monitor

Rotation and Archival

  1. Access Gateway is configured to rotate logs every day.

  2. The default setup stores the log files for a month and deletes older log files to save disk space.

  3. A service ticket can be opened with Okta Support to have this configuration updated as required.