Stream Activity Logs

The Log Streaming Service can send user activity log information to any third-party log analytics tool, such as Splunk and Syslog. The information sent to Syslog and Splunk includes Audit Logs and Activity Logs.

The following table provides information about the activity logs sent to Splunk and Syslog:

| Activity Log Field | Description |
|---|---|
| applicationId | Application unique identifier |
| applicationName | Application name as configured in the Management Console |
| applicationProtocol | The protocol used for accessing the application |
| applicationType | Whether the application was created in the User Portal or in the Management Console |
| applicationAddress | Address and port used to access the application when connecting through a local network |
| eventId | Event’s unique identifier. An event is described as any user activity in the system |
| eventDescription | A sentence describing the activity |
| eventType | A user's activity within the application |
| geoLocation | User’s country based on the IP |
| isBlocked | Boolean field indicating whether the event was blocked (true) or allowed (false) by policy. Click here to learn more about policy rules |
| identityProviderId | Authenticating IdP unique identifier |
| operationSystem | Client’s device operating system |
| ruleId | Unique identifier for the policy rule that blocked/allowed the session |
| RuleName | Name of the policy rule that blocked/allowed the session |
| sessionId | Session unique identifier |
| TenantId | Axis tenant ID. Click here to learn about tenant management. |
| TenantName | Axis tenant name |
| timestamp | Date and time when the event occurred |
| userId | User unique identifier, as appears in the IdP |
| username | For Axis IdPs: username as configured. For third party IdPs: alias |
| userDisplayName | User’s name as appears in the IdP |
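
The fields above are enough to build simple detections on the receiving side. The following is an added example, not part of the product documentation: it flags users with repeated policy blocks in a short window and users seen from more than one country. It assumes events arrive as one JSON object per line with ISO 8601 timestamps; the encoding, the sample values, the thresholds and the helper names `parse_events` and `find_alerts` are assumptions, and only the field names come from the table.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The JSON-lines encoding, timestamp format and all
# values are assumptions; only the field names come from the table above.
SAMPLE_EVENTS = """\
{"eventId":"e1","timestamp":"2024-01-01T10:00:00+00:00","username":"alice","isBlocked":false,"geoLocation":"US","RuleName":"allow-staff"}
{"eventId":"e2","timestamp":"2024-01-01T10:01:00+00:00","username":"bob","isBlocked":true,"geoLocation":"US","RuleName":"deny-ssh"}
{"eventId":"e3","timestamp":"2024-01-01T10:03:00+00:00","username":"bob","isBlocked":"true","geoLocation":"US","RuleName":"deny-ssh"}
{"eventId":"e4","timestamp":"2024-01-01T10:05:00+00:00","username":"bob","isBlocked":true,"geoLocation":"US","RuleName":"deny-ssh"}
{"eventId":"e5","timestamp":"2024-01-01T10:06:00+00:00","username":"carol","isBlocked":true,"geoLocation":"FR","RuleName":"deny-ssh"}
{"eventId":"e6","timestamp":"2024-01-01T10:30:00+00:00","username":"alice","isBlocked":false,"geoLocation":"DE","RuleName":"allow-staff"}
"""

def parse_events(text):
    """Yield one dict per non-empty line, normalising isBlocked and timestamp."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        # Tolerate a string "true"/"false" as well as a JSON boolean.
        ev["isBlocked"] = str(ev.get("isBlocked")).lower() == "true"
        ev["timestamp"] = datetime.fromisoformat(ev["timestamp"])
        yield ev

def find_alerts(events, threshold=3, window=timedelta(minutes=10)):
    """Return alerts for repeated policy blocks and multi-country activity."""
    blocked = defaultdict(list)    # username -> recent blocked timestamps
    countries = defaultdict(set)   # username -> geoLocation values seen
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        user = ev["username"]
        if ev.get("geoLocation"):
            countries[user].add(ev["geoLocation"])
        if ev["isBlocked"]:
            times = blocked[user]
            times.append(ev["timestamp"])
            # Drop blocked events that fell out of the sliding window.
            while ev["timestamp"] - times[0] > window:
                times.pop(0)
            if len(times) == threshold:
                alerts.append(("repeated_blocks", user, ev.get("RuleName")))
    for user, seen in countries.items():
        if len(seen) > 1:
            alerts.append(("multiple_countries", user, sorted(seen)))
    return alerts
```

Keying on `username` keeps the output readable; `userId` is the safer key when third-party IdP aliases can change.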