Access Gateway Audit log


Access Gateway audit logs include information on the following events:

  • Application-related activity such as create, update, delete, activate or deactivate.
  • System status events such as system up, system down, identity provider connection status, EBS subsystem up, valid or invalid NGINX configuration and others.
  • Authentication and Authorization events such as authentication, authorization, and policy.
  • Connectivity and validation between Access Gateway and external resources such as back end applications, data stores and similar conditions.
  • Kerberos related activity such as create, update or delete.

 

Before you begin

Event Fields

Field - Description

  • TIMESTAMP - Current system date and time.
  • HOSTNAME - Hostname of node generating event.
  • APPLICATION - One of:
    • ACCESS_GATEWAY
    • OAG
    • OAG_MONITOR
    • or a specific service such as check connection, log and others
  • SUB-PROCESS - One of:
    • ApplicationService
    • ACCESS
    • ADMIN_CONSOLE
    • EBS_SSOAGENT
    • HOST_IP_CHECK
    • MONITOR
    • SCRIPT
    • SERVICE
    • TrustedOriginUpdateScheduler
    • WEB_CONSOLE
    • Or a specific service such as check_connection
  • COMPONENT - Component of the sub-process such as:
    • AUTHN
    • AUTHZ
    • ERROR
    • IDP
    • INFO
    • KRB5
    • LOG_DOWNLOAD_STATUS
    • LOG_PREPARE_OPERATION
    • LOG_PREPARE_STATUS
    • NGINX
    • SYSTEM
    • TRUSTED_DOMAINS
  • SUB-COMPONENT - Sub-component of the process such as:
    • ALERT
    • EBS_SSOAGENT
    • HOST
    • INFO
    • LOCAL
    • NETCAT
    • POLICY
    • SESSION
    • STARTUP/SHUTDOWN
  • LOG_LEVEL - Log level, one of: TRACE, DEBUG, INFO, WARN, ERROR, or FATAL.
  • EVENT - Event type.
  • STRUCTURED_DATA - Data related to the event that occurred.
  • MESSAGE - Readable message.

Application

SYSTEM_APP_EVENT

Event issued when an application is created, updated, deleted, activated or deactivated.

  • Message: Application: <Application Name> action: CREATE
    Application: <Application Name> action: UPDATE
    Application: <Application Name> action: DELETE
    Application: <Application Name> action: ENABLE
    Application: <Application Name> action: DISABLE

  • Examples:
    2020-06-24T09:40:36.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="93d2e78a-c6b7-4c27-83c8-15c2b783d3bb" NAME="Sample Header App" TYPE="SAMPLEHEADER_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="CREATE" SESSION_ID="3dKU4yqIlHkcRUeGb9f9Dh6OSgFjHq3hIMVktx7h" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'CREATE'

    2020-06-24T09:40:36.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="<Application GUID>" NAME="Sample Header App" TYPE="SAMPLEHEADER_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="UPDATE" SESSION_ID="<Session ID>" SUBJECT="user@<Domain.tld>" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'UPDATE'

    2020-06-24T09:40:36.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="<Application GUID>" NAME="Sample Header App" TYPE="SAMPLEHEADER_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="ENABLE" SESSION_ID="<Session ID>" SUBJECT="user@<Domain.tld>" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'ENABLE'

    2020-06-24T09:40:36.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="<Application GUID>" NAME="Sample Header App" TYPE="SAMPLEHEADER_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="DISABLE" SESSION_ID="<Session ID>" SUBJECT="user@<Domain.tld>" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'DISABLE'

    2020-06-24T09:40:36.000-05:00 example.myaccessgateway.com WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="<Application GUID>" NAME="Sample Header App" TYPE="SAMPLEHEADER_APP" DOMAIN="<App Domain URL>" IDP="<IDP URL>" IDP_TYPE="<Identity Provider type>" REASON="DELETE" SESSION_ID="<Session ID>" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Application: 'Sample Header App' action: 'DELETE'

  • Structured data:
    • GUID - Application identifier.
    • NAME - Application name.
    • TYPE - Application type.
    • DOMAIN - Application domain.
    • IDP - IDP of application.
    • IDP_TYPE - Okta or LOCAL.
    • REASON - One of CREATE, UPDATE, DELETE, ENABLE or DISABLE.
    • SESSION_ID - This is an internal session ID created for the user session.
    • SUBJECT - User performing the action, for example admin.
    • REMOTE_IP - IP address of user, if available.
    • USER_AGENT - Browser details.

System status

EBS_SSOAGENT

Event issued when Access Gateway has successfully connected with a configured identity provider.

  • Message: EBS SSOAgent, system ready.
  • Example:
    2020-06-24T09:40:36.000-05:00 ebsinstance.ebsdomain.com ACCESS_GATEWAY EBS_SSOAGENT - EBS_SSOAGENT INFO SYSTEM_STARTUP [] EBS SSOAgent, system ready.
  • Structured data: none.

CONFIG_TEST

Event issued when NGINX has completed its configuration check successfully.

  • Message: nginx: the configuration file /tmp/nginx/nginx.conf syntax is ok nginx: configuration file /tmp/nginx/nginx.conf test is successful.
  • Example:
    2020-06-24T05:40:25.786-05:00 example.myaccessgateway.com OAG_MONITOR MONITOR NGINX INFO CONFIG_TEST [STATUS="VALID" UUID="<ID>"] nginx: the configuration file /tmp/nginx/nginx.conf syntax is ok nginx: configuration file /tmp/nginx/nginx.conf test is successful.

  • Structured data:
    • STATUS - Valid or invalid.
    • UUID - UUID of configuration.

SYSTEM_STARTUP

Event issued when system start has completed.

  • Message: Startup complete, system ready.
  • Example:
    2020-06-24T10:05:56.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE - - INFO SYSTEM_STARTUP [] Startup complete, system ready.
  • Structured data: none.

SHUTDOWN

Event issued when system shutdown has begun.

  • Message: Shutting down system.
  • Example:
    2020-06-24T08:31:25.729-05:00 example.myaccessgateway.com OAG ADMIN_CONSOLE SYSTEM SHUTDOWN INFO SHUTDOWN [USER="oag-mgmt"] Shutting down system.
  • Structured data:
    • USER - user who performed the action.

SYSTEM_IDP_STATUS

Event issued when Access Gateway has successfully connected with a configured identity provider.
Event issued when Access Gateway cannot successfully connect with a configured identity provider.
Event issued when Access Gateway API token is invalid, or expired.

  • Messages:
    Success confirming IDP status with: org.okta[preview].com.
    Failure confirming connectivity with IDP: <IDP URL>. Please verify your network configuration.
    Failure validating security token with IDP: <IDP Domain>. Please validate token exists and is enabled.
  • Example success:
    2020-06-24T04:00:01.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS [NAME="MyIDP" DOMAIN="someorg.oktapreview.com" TYPE="IDP_OKTA" RESULT="PASS" REASON="VALID"] Success confirming IDP status with: someorg.oktapreview.com.
  • Example: Network connectivity error
    2020-06-24T04:00:01.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS [NAME="<IDP Name> IDP" DOMAIN="<IDP URL>" TYPE="<Identity Provider type>" RESULT="FAIL" REASON="INVALID_NETWORK_CONN"] Failure confirming connectivity with IDP: <IDP URL>. Please verify your network configuration.
  • Example: Invalid API token
    2020-06-24T04:00:01.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE IDP LOCAL INFO SYSTEM_IDP_STATUS [NAME="<IDP Name> IDP" DOMAIN="<IDP URL>" TYPE="<Identity Provider type>" RESULT="FAIL" REASON="INVALID_NETWORK_CONN"] Failure validating security token with IDP: <IDP Domain>. Please validate token exists and is enabled.
  • Structured data:
    • NAME - Name of IDP.
    • DOMAIN - Associated domain.
    • TYPE - Type of IDP. IDP_OKTA or LOCAL.
    • RESULT - PASS or FAIL.
    • REASON - Valid or reason for failure.

SYSTEM_STARTUP

Event issued when Access Gateway has successfully started.

  • Message: Startup complete, system ready.
  • Example:
    2020-06-24T09:40:52.000-05:00 ec2-18-209-113-130.compute-1.amazonaws.com ACCESS_GATEWAY WEB_CONSOLE - - INFO SYSTEM_STARTUP [] Startup complete, system ready.
  • Structured data: None

Kerberos

SYSTEM_KRB5_EVENT

Event issued when an action is performed on a Kerberos realm such as create, update, delete, activate or deactivate.

  • Message: Kerberos Realm: <Kerberos Realm> action: CREATE
    Kerberos Realm: <Kerberos Realm> action: UPDATE
    Kerberos Realm: <Kerberos Realm> action: DELETE
  • Examples:
    2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE KRB5 - INFO SYSTEM_KRB5_EVENT [REALM="<Kerberos Realm>" REASON="CREATE" SESSION_ID="<Session ID>" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Kerberos Realm: '<Kerberos Realm>' action: 'CREATE'

    2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE KRB5 - INFO SYSTEM_KRB5_EVENT [REALM="<Kerberos Realm>" REASON="UPDATE" SESSION_ID="<Session ID>" SUBJECT="user@<Domain.tld>" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Kerberos Realm: '<Kerberos Realm>' action: 'UPDATE'

    2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE KRB5 - INFO SYSTEM_KRB5_EVENT [REALM="<Kerberos Realm>" REASON="DELETE" SESSION_ID="<Session ID>" SUBJECT="user@<Domain.tld>" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Kerberos Realm: '<Kerberos Realm>' action: 'DELETE'

  • Structured data
    • REALM - Associated Kerberos realm.
    • REASON - CREATE, UPDATE, or DELETE.
    • SESSION_ID - Associated local session id.
    • SUBJECT - User performing the action, admin.
    • REMOTE_IP - Remote IP, if available.
    • USER_AGENT - Remote operating system, browser, etc.

 

Authentication and Authorization

USER_LOGIN

Event issued when a user attempts to log in. See event for success or failure.

  • Message: User login success: user.
    User login failed: [user]
    Received an assertion that has expired. Check clock synchronization on IdP and SP.
  • Examples:
    2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE AUTHN LOCAL INFO USER_LOGIN [SESSION_ID="<Session ID>" SUBJECT="<User login name>" TYPE="LOCAL" RESULT="PASS" REASON="VALID_CREDENTIALS" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"] User login success: user@<domain.tld>

    2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY WEB_CONSOLE AUTHN LOCAL INFO USER_LOGIN [SESSION_ID="<Session ID>" SUBJECT="<User login name>" TYPE="LOCAL" RESULT="FAIL" REASON="INVALID_CREDENTIALS" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36"] User login failed: user@<domain.tld>

    2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHN SAML INFO USER_AUTHN [SESSION_ID="<Session ID> " SESSION_AUTH="<Session AUTH Information> " SUBJECT="<User login name>" TYPE="SAML_2_0" SOURCE="IDP Source URL" SOURCE_TYPE="<Identity Provider type>" SOURCE_DOMAIN="<IDP URL>" SOURCE_AUTHN_TYPE="urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport" APP="Sample Header App" APP_DOMAIN="<App Domain URL>" RESULT="PASS" REASON="Valid SAML Assertion" REMOTE_IP="192.168.10.20" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] User login:user@<domain.tld>

    2020-06-24T10:06:23.000-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHN SAML ERROR USER_AUTHN [TYPE="SAML_2_0" TRACKER_ID="<Tracking ID>" SOURCE="https://<IDP URL>/app/template_saml_2_0/exkckwwaxvY3crKhn0h7/sso/saml" RESULT="FAIL" REASON="Invalid SAML Assertion" REMOTE_IP="192.168.10.192" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36"] Received an assertion that has expired. Check clock synchronization on IdP and SP.

  • Structured data
    • SESSION_ID - LOCAL.
    • SUBJECT - Subject identifier, for example email address.
    • TYPE - SAML or the involved authentication module.
    • RESULT - PASS or FAIL.
    • REASON - Valid credentials or reason for failure.
    • REMOTE_IP - Remote IP, if available.
    • USER_AGENT - Remote operating system, browser, etc.

USER_SESSION

Event issued when a request for a session is issued.

  • Message: No session cookie. Sending to handler.
    Upgraded auth cookie. App session created.
    This should be investigated by your security group.
  • Example:
    2020-06-04T13:53:53.483-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHZ SESSION INFO USER_SESSION [SESSION_ID="<Session ID>" APP="Local OAG Admin Console" APP_TYPE="ADMINUI_APP" APP_DOMAIN="<Application Domain>" RESULT="DENY" REASON="NOT_EXIST" REMOTE_IP="10.63.182.118" USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"] No session cookie. Sending to handler.

    2020-06-04T13:53:53.483-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHZ SESSION INFO USER_SESSION [SESSION_ID="<Session ID>" SESSION_AUTH="<Session Auth ID>" SESSION_APP="e701ddf534554eab8ea671e884438b99" SUBJECT="<User login name>" APP="Sample Header App" APP_TYPE="SAMPLEHEADER_APP" APP_DOMAIN="<App Domain URL>" RESULT="ALLOW" REASON="VALID_AUTHCOOKIE" REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] Upgraded auth cookie. App session created.

    2020-06-04T13:53:53.483-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHZ SESSION WARN USER_SESSION [SESSION_ID="<Session ID>" SESSION_AUTH="<Session Auth ID>" APP="Sample Header App" APP_TYPE="SAMPLEHEADER_APP" APP_DOMAIN="<App Domain URL>" RESULT="DENY" REASON="INVALID_AUTHCOOKIE" REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] This should be investigated by your security group.


  • Structured data
    • SESSION_ID - Assigned session id, if it exists.
    • APP - Application name.
    • APP_TYPE - Application session was used against.
    • APP_DOMAIN - Associated application domain.
    • RESULT - ALLOW or DENY.
    • REASON - Reason why request was allowed or denied.
    • REMOTE_IP - Remote IP from which user attempted to log in.
    • USER_AGENT - Remote operating system, browser, etc.

USER_LOGOUT

Event issued when a user logs out.

  • Message: User logout success: user@<Application Domain>.
  • Example:
    2020-06-04T13:53:59.986-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHN SESSION INFO USER_LOGOUT [SESSION_ID="<Session ID>" SUBJECT="user@<Application Domain.tld>" APP="Local OAG Admin Console" APP_TYPE="ADMINUI_APP" APP_DOMAIN="<Application Domain>" RESULT="PASS" REASON="VALID_SESSION" REMOTE_IP="10.63.182.118" USER_AGENT="Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.138 Safari/537.36"] User logout success: user@<Application Domain.tld>.
  • Structured data
    • SESSION_ID - Assigned session id.
    • APP - Application name
    • APP_TYPE - Application session was used against. For example ADMINUI_APP.
    • APP_DOMAIN - Associated application domain.
    • RESULT - ALLOW or DENY.
    • REASON - Reason why request was allowed or denied.
    • REMOTE_IP - Remote IP from which user attempted to log in.
    • USER_AGENT - Remote operating system, browser, etc.

POLICY

Event issued when a user attempts to access a resource.

  • Message: allow access to resource.
    Deny access to resource.
  • Example:
    2020-06-24T09:40:55.667-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="_8832d5961146a7d69baafe864b05eac3d5e3bb72bb" SUBJECT="admin@<Domain.tld>" RESOURCE="/" METHOD="GET" POLICY="root" POLICY_TYPE="PROTECTED" DURATION="0" APP="Local OAG Admin Console" APP_TYPE="ADMINUI_APP" APP_DOMAIN="gw-admin.saganich.com" RESULT="ALLOW" REASON="N/A - SESSIONID=_8832d5961146a7d69baafe864b05eac3d5e3bb72bb X-Authorization=admin@oag.okta.com username=admin X-SPGW-KEY=5b626d19e16f4d18ac42ef5d9cc8654a RelayDomain=gw-admin.domain.tld oag_username=admin@domain.tld UserName=admin@<Domain.tld> SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport RemoteIP=10.0.0.110 USER_AGENT=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36 "] allow access to resource.

    2020-06-24T09:40:55.667-05:00 example.myaccessgateway.com ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="_4a3fdbbc52dadda2109e0e789098f9b473d4f68c7e" SUBJECT="user@<Domain.tld>" RESOURCE="/alt" METHOD="GET" POLICY="altroot" POLICY_TYPE="PROTECTED_REGEX" DURATION="0" APP="Sample Header App" APP_TYPE="SAMPLEHEADER_APP" APP_DOMAIN="<App Domain URL>" RESULT="DENY" REASON="Groups=(?!.*Everyone:) - SESSIONID=_4a3fdbbc52dadda2109e0e789098f9b473d4f68c7e RelayDomain=<App Domain URL> static_a=aaaaa static-b=bbbbb staticc=ccccc _staticd=ddddd -statice=eeeee staticcookie=1234 secret=secretvalue spgw_username=<User login name> UserName=<User login name> login=<User login name> firstname=<User first name> lastname=<User last name> email=<User login name> samplecookie<User first name> Groups=Everyone:Group A:Group C:Group E:Group B: SourceAuthNType=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport RemoteIP=192.168.10.20 USER_AGENT=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36 creationTime=1507265129865 maxInactiveInterval=3600000 maxActiveInterval=28800000 lastAccessedTime=1507265129865 " REMOTE_IP="" USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36"] deny access to resource
  • Structured data
    • SESSION_ID - Assigned session id.
    • SUBJECT - Requestor.
    • RESOURCE - Requested resource.
    • METHOD - Request method.
    • POLICY - Applied policy.
    • POLICY_TYPE - One of the policy types.
    • DURATION - Duration of request.
    • APP - Application name.
    • APP_TYPE - Application session was used against. For example ADMINUI_APP.
    • APP_DOMAIN - Associated application domain.
    • RESULT - ALLOW or DENY.
    • REASON - Reason why request was allowed or denied, followed by other policy-related information such as the session attributes shown in the examples above.

Connectivity and validation

CHECK_CONNECTION

Event issued when an application is being added. <Application Domain> is tested to determine if valid or invalid.

See also CHECK_HOST.

  • Message: Host <Application Domain> not found.
  • Example:
    2020-06-24T09:41:16.766-05:00 example.myaccessgateway.com CHECK_HOST HOST_IP_CHECK INFO HOST [USER="admin" <Application Domain>] Host <Application Domain> not found
  • Structured data
    • USER - Internal user running the check.
    • Application domain used in application.

CHECK_HOST

Event issued immediately after a check connection is performed. Results of the check are noted in the message.

  • Message: Ncat: Connection refused.
  • Example:
    2020-06-24T09:45:28.024-05:00 example.myaccessgateway.com CHECK_HOST checkConnection.sh INFO 10.0.0.1 7001 [USER="admin"] Ncat: Connection refused.
  • Structured data
    • USER - Internal user running the command.

ACCESS AUTHN - - STORE

Event issued immediately after a check connection is performed. Results of the check are noted in the message.

  • Message: Store failed during initialization.
  • Example:
    2020-06-25T14:18:52.458-05:00 example.store.com ACCESS_GATEWAY ACCESS AUTHN FAILED WARN STORE [STORE_NAME="Name of datastore - Entry DN" FAILURE_COUNT="3"] Store failed during initialization.
  • Structured data
    • STORE_NAME - Name of data store which failed to initialize.
    • FAILURE_COUNT - Number of attempts to access store.
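
Added example (not part of the original page or the product's own code): a Python parser for the layout listed under Event Fields, with a small triage pass over constructed sample lines. The rule set in `triage`, the function names and every host, user and session value are assumptions; lines that do not fit the eight-field header, such as the CHECK_HOST example, are returned as unparsed rather than guessed at.

```python
import re

# Header layout from the Event Fields list: eight space-separated fields,
# then [STRUCTURED_DATA], then the free-text MESSAGE.
HEADER = "timestamp hostname application sub_process component sub_component log_level event".split()
HEADER_RE = re.compile(r"^\s*" + r"(\S+) " * 8 + r"\[")
PAIR_RE = re.compile(r'\s*([A-Z0-9_]+)="([^"]*)"')


def parse_event(line):
    """Parse one audit line into a dict; return None if it does not fit the layout."""
    head = HEADER_RE.match(line)
    if head is None:
        return None
    event = dict(zip(HEADER, head.groups()))
    # Walk KEY="value" pairs instead of splitting on "]": quoted values hold
    # spaces and parentheses (USER_AGENT) and could hold a bracket as well.
    data, pos = {}, head.end()
    while (pair := PAIR_RE.match(line, pos)) is not None:
        data[pair.group(1)] = pair.group(2).strip()
        pos = pair.end()
    rest = line[pos:].lstrip()
    if not rest.startswith("]"):
        return None
    event["data"], event["message"] = data, rest[1:].strip()
    return event


def triage(event):
    """Return a one-line finding for events worth review, else None (assumed rule set)."""
    name, data = event["event"], event["data"]
    # In the page's USER_AUTHZ samples the policy reason comes before " - " and
    # session attributes follow; only the first part is copied into a finding.
    reason = data.get("REASON", "").split(" - ")[0]
    if name == "USER_SESSION" and reason == "NOT_EXIST":
        return None  # request without a session cookie, logged at INFO
    if data.get("RESULT") in ("FAIL", "DENY"):
        return f"{name} {data['RESULT']} reason={reason} subject={data.get('SUBJECT', '-')}"
    if name in ("SYSTEM_APP_EVENT", "SYSTEM_KRB5_EVENT") and reason in ("DELETE", "DISABLE"):
        return f"{name} {reason} subject={data.get('SUBJECT', '-')}"
    return None


def scan(lines):
    """Return (findings, unparsed_lines) for an iterable of raw log lines."""
    events = [(line, parse_event(line)) for line in lines]
    unparsed = [line for line, ev in events if ev is None]
    findings = [f for _, ev in events if ev and (f := triage(ev))]
    return findings, unparsed


# Constructed sample lines modelled on the examples in this document.
SAMPLE = [
    '2020-06-24T10:06:23.000-05:00 gw.example.com ACCESS_GATEWAY WEB_CONSOLE AUTHN LOCAL INFO USER_LOGIN [SESSION_ID="s1" SUBJECT="alice@example.com" TYPE="LOCAL" RESULT="FAIL" REASON="INVALID_CREDENTIALS" REMOTE_IP="-" USER_AGENT="Mozilla/5.0 (X11; Linux x86_64)"] User login failed: alice@example.com',
    '2020-06-04T13:53:53.483-05:00 gw.example.com ACCESS_GATEWAY ACCESS AUTHZ SESSION INFO USER_SESSION [SESSION_ID="s2" APP="Local OAG Admin Console" APP_TYPE="ADMINUI_APP" APP_DOMAIN="gw-admin.example.com" RESULT="DENY" REASON="NOT_EXIST" REMOTE_IP="10.0.0.5" USER_AGENT="Mozilla/5.0"] No session cookie. Sending to handler.',
    '2020-06-24T09:40:55.667-05:00 gw.example.com ACCESS_GATEWAY ACCESS AUTHZ POLICY INFO USER_AUTHZ [SESSION_ID="s4" SUBJECT="bob@example.com" RESOURCE="/alt" METHOD="GET" POLICY="altroot" POLICY_TYPE="PROTECTED_REGEX" DURATION="0" APP="Sample Header App" APP_TYPE="SAMPLEHEADER_APP" APP_DOMAIN="app.example.com" RESULT="DENY" REASON="Groups=(?!.*Everyone:) - SESSIONID=s4 secret=secretvalue Groups=Everyone: " REMOTE_IP="" USER_AGENT="Mozilla/5.0"] deny access to resource',
    '2020-06-24T09:40:36.000-05:00 gw.example.com ACCESS_GATEWAY WEB_CONSOLE APP - INFO SYSTEM_APP_EVENT [GUID="g1" NAME="Sample Header App" TYPE="SAMPLEHEADER_APP" REASON="DELETE" SESSION_ID="s5" SUBJECT="admin" REMOTE_IP="-" USER_AGENT="Mozilla/5.0"] Application: Sample Header App action: DELETE',
    '2020-06-24T09:45:28.024-05:00 gw.example.com CHECK_HOST checkConnection.sh INFO 10.0.0.1 7001 [USER="admin"] Ncat: Connection refused.',
]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

Counting the unparsed lines is worth keeping in any real pipeline built on this layout, since a silent drop of non-conforming lines hides gaps in coverage.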