Stream Activity Log Models
The Log Streaming Service can send user activity log information to any third-party log analytics tool, such as Splunk and Syslog.
The following tables describe the activity log models sent to Splunk and Syslog:
ZTNA Activity Log
The following model represents logs for ZTNA access events:
Field | Description | Example |
---|---|---|
sessionId <string> | Session unique identifier | "669bb0452cf7448b9a0e8d1d119eab37" |
eventId <string> | Unique ID for the displayed event - uuid format | "3d0cac48-e37b-49c0-b488-b897714761de" |
applicationId <string> | Application unique identifier | "3ace5d82-84f6-47bd-8b9d-32dac627c051" |
applicationName <string> | Application name as configured in the Management Console | "Internal Web App" |
applicationProtocol <string> | The protocol used for accessing the application | "RDP" |
applicationAddress <string> | Address and port used to access the application when connecting through a local network | "acme.corp:443" |
operationSystem <string> | Client’s device operating system | "Mac", "Windows", "IOS" |
sourceIp <string> | IP address of the user's device | "147.235.204.90" |
geoLocation <string> | Geo-location of the user (IP-based), as an ISO 3166-1 alpha-2 country code | "US" |
userId <string> | User unique identifier, as it appears in the IdP | "046fea17a8b949e9bdc7418970bc355f|Natan" |
username <string> | For Axis IdPs: username as configured. For third party IdPs: alias | "Jack Smith" |
userDisplayName <string> | User's name as it appears in the IdP | "Jack Smith" |
groups <List of strings> | IdP groups that the user belongs to | "Sales", "Marketing" |
identityProviderId <string> | Authenticating IdP unique identifier | "18378644-1c6d-4645-8052-4681adc2988c" |
isBlocked <boolean> | Boolean field indicating whether the event was blocked (true) or allowed (false) by policy. | false |
ruleId <string> | Unique identifier for the policy rule that blocked/allowed the session | "2889882e-233b-49e3-b21a-14292edad903" |
ruleName <string> | Name of the policy rule that blocked/allowed the session | "RDP Access" |
eventType <string> | A user's activity within the application | "Connect" |
eventDescription <string> | A sentence describing the activity | "TCP connection established" |
additionalData <JSON> | actualApplicationAddress - full application address and port used for the connection | { "actualApplicationAddress": "signaler-pa.clients6.google.com:443" } |
tenantName <string> | Axis tenant name | "ACME Prod" |
tenantId <string> | Axis tenant unique ID | "a823f5f3-6304-4605-85da-6f898bcb6e91" |
time <string> | Date and time of the event | "2023-11-01T08:41:04.983Z" |
DNS Request Activity Log
The following model represents logs for DNS request events:
Field | Description | Example |
---|---|---|
trafficSourceType <string> | The method through which the user accessed the resource | "Agent" |
userId <string> | Unique ID for the user | "046fea17a8b949e9bdc7418970bc355f|Natan" |
userName <string> | For Axis IdPs: username as configured. For third party IdPs: alias | "Jack Smith" |
userDisplayName <string> | User's name as it appears in the IdP | "Jack Smith" |
userEmail <string> | User email | "[email protected]" |
identityGroup <List of strings> | IdP groups that the user belongs to | "Sales", "Marketing" |
identityProviderName <string> | Identity Provider Name | "Okta" |
operatingSystem <string> | Client's device operating system | "Mac", "Windows", "IOS" |
sourceIp <string> | IP address of the user's device | "147.235.204.90" |
geoLocation <string> | Geo-location of the user (IP-based), as an ISO 3166-1 alpha-2 country code | "US" |
hostname <string> | Requested domain name | "acme.com" |
destinationInfo <JSON> | Nested object: domainAge <integer>; domainReputation <integer>; categories <JSON array>, each entry with id <integer> and name <integer> | "destinationInfo": { "categories": [ { "id": 4, "name": "Business and Economy" }, { "id": 5, "name": "Computer and Internet Info" } ], "domainAgeMonths": 127, "reputationLevel": "Trustworthy" } |
inlineCasb <JSON> | SaaS fingerprinting for the accessed web page: appId <integer>; appName <string>; appCategoryId <integer>; appCategoryName <string>; suitId <integer>; organizationId <integer>; organizationName <string>; functionId <integer>; functionName <string> | "inlineCasb": { "appId": 11624, "appName": "Google Drive", "categoryId": 2, "suiteId": 2, "organizationId": 2, "functionId": 2, "functionName": "Share" } |
eventType <string> | The displayed event type: "DnsRequest" | "DnsRequest" |
activityType <string> | The displayed activity type: "DnsRequest" | "DnsRequest" |
isBlocked <boolean> | Boolean field indicating whether the event was blocked (true) or allowed (false) by policy. | false |
eventId <string> | Unique ID for the displayed event - uuid format | "873da43f-2b66-4437-948f-df73e61f1ba2" |
correlationId <string> | Unique ID of the event which is presented in the Exploration tool | "UTUP-GHAL" |
ruleId <string> | Unique identifier for the policy rule that blocked/allowed the session | "d99564aa-4d66-48bc-803b-af20400c9871" |
ruleName <string> | Name of the policy rule that blocked/allowed the session | "Web Traffic Default" |
tenantName <string> | Axis tenant name | "ACME Prod" |
tenantId <string> | Axis tenant unique ID | "a823f5f3-6304-4605-85da-6f898bcb6e91" |
time <string> | Date and time of the event | "2023-10-19T11:19:59.423Z" |
SWG Activity Log
The following model represents logs for SWG-related events:
Field | Description | Example |
---|---|---|
trafficSourceType <string> | The method through which the user accessed the resource | "Agent" |
applicationAddress <string> | Full URL Address that the user accessed | "acme.com/news" |
ruleId <string> | Unique ID for the policy rule the traffic was matched on | "d99564aa-4d66-48bc-803b-af20400c9871" |
ruleName <string> | The name of the policy rule the traffic was matched on | "Web Traffic Default" |
hostname <string> | Accessed domain name | "acme.com" |
path <string> | The specific path the user accessed under the domain | "/news" |
sslInfo <JSON> | Nested object: tlsVersion; cipherSuite | "sslInfo": { "tlsVersion": "TLS 1.3", "cipherSuite": "TLS_AES_128_GCM_SHA256" } |
httpInfo <JSON> | Nested object: method; httpStatus; responseContentLength; requestContentLength; contentType; referer; userAgent | "httpInfo": { "method": "GET", "httpStatus": 200, "responseContentLength": 64323, "requestContentLength": 2908, "contentType": "image/webp", "referer": "https://www.dropbox.com/", "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36" } |
destinationInfo <JSON> | Nested object: domainAge <integer>; domainReputation <integer>; categories <JSON array>, each entry with id <integer> and name <integer> | "destinationInfo": { "categories": [ { "id": 4, "name": "Business and Economy" }, { "id": 5, "name": "Computer and Internet Info" } ], "domainAgeMonths": 127, "reputationLevel": "Trustworthy" } |
inlineCasb <JSON> | SaaS fingerprinting for the accessed web page: appId <integer>; appName <string>; appCategoryId <integer>; appCategoryName <string>; suitId <integer>; organizationId <integer>; organizationName <string>; functionId <integer>; functionName <string> | "inlineCasb": { "appId": 11624, "appName": "Google Drive", "categoryId": 2, "suiteId": 2, "organizationId": 2, "functionId": 2, "functionName": "Share" } |
sourceIp <string> | IP address of the user's device | "147.235.204.90" |
userId <string> | Unique ID for the user | "046fea17a8b949e9bdc7418970bc355f|Natan" |
username <string> | The name of the user | "Jack Smith" |
userDisplayName <string> | User's name as it appears in the IdP | "Jack Smith" |
userEmail <string> | User email | "[email protected]" |
operatingSystem <string> | Client's device operating system | "Mac", "Windows", "IOS" |
identityGroup <List of strings> | IdP groups that the user belongs to | "Sales", "Marketing" |
geoLocation <string> | Geo-location of the user (IP-based), as an ISO 3166-1 alpha-2 country code | "US" |
eventType <string> | The displayed event type: "SWG" | "SWG" |
identityProviderName <string> | Identity Provider Name | "Okta" |
activityType <string> | HTTP Event Activity | "View" |
isBlocked <boolean> | Boolean field indicating whether the event was blocked (true) or allowed (false) by policy. | false |
eventId <string> | Unique ID for the displayed event | "873da43f-2b66-4437-948f-df73e61f1ba2" |
correlationId <string> | Unique ID of the event which is presented in the Exploration tool | "UTUP-GHAL" |
tenantName <string> | Axis tenant name | "ACME Prod" |
tenantId <string> | Axis tenant unique ID | "a823f5f3-6304-4605-85da-6f898bcb6e91" |
time <string> | Date and time of the event | "2023-10-19T11:19:59.423Z" |
IPsec Host Filtering Activity Log
The following model represents logs for traffic originating from an IPsec tunnel without SSL inspection:
Field | Description | Example |
---|---|---|
trafficSourceType <string> | The method through which the user accessed the resource | "Location" |
destinationInfo <JSON> | Nested object: domainAge <integer>; domainReputation <integer>; categories <JSON array>, each entry with id <integer> and name <integer> | "destinationInfo": { "categories": [ { "id": 4, "name": "Business and Economy" }, { "id": 5, "name": "Computer and Internet Info" } ], "domainAgeMonths": 127, "reputationLevel": "Trustworthy" } |
inlineCasb <JSON> | SaaS fingerprinting for the accessed web page: appId <integer>; appName <string>; appCategoryId <integer>; appCategoryName <string>; suitId <integer>; organizationId <integer>; organizationName <string>; functionId <integer>; functionName <string> | "inlineCasb": { "appId": 11624, "appName": "Google Drive", "categoryId": 2, "suiteId": 2, "organizationId": 2, "functionId": 2, "functionName": "Share" } |
hostname <string> | Accessed domain name | "google.com" |
ipSecLocation <string> | The Location from which the traffic originated | "Boston Office" |
ipSecSubLocation <string> | The Sub-Location from which the traffic originated | "Guest WIFI" |
ipSecTunnel <string> | The name of the tunnel from which the traffic originated | "office tunnel 1" |
tunnelSourceIP <string> | The IP address of the device that initiated the IPsec tunnel | "147.235.204.90" |
internalSourceIp <string> | The IP address of the device that created the event | "192.168.110.43" |
ruleId <string> | Unique identifier for the policy rule that blocked/allowed the session | "d99564aa-4d66-48bc-803b-af20400c9871" |
ruleName <string> | Name of the policy rule that blocked/allowed the session | "Web Traffic Default" |
eventType <string> | The displayed event type: "IPSecHostFiltering" | "IPSecHostFiltering" |
activityType <string> | HTTP Event Activity | "Connect" |
eventId <string> | Unique ID for the displayed event | "873da43f-2b66-4437-948f-df73e61f1ba2" |
correlationId <string> | Unique ID of the event which is presented in the Exploration tool | "UTUP-GHAL" |
isBlocked <boolean> | Boolean field indicating whether the event was blocked (true) or allowed (false) by policy. | false |
tenantName <string> | Axis tenant name | "ACME Prod" |
tenantId <string> | Axis tenant unique ID | "a823f5f3-6304-4605-85da-6f898bcb6e91" |
time <string> | Date and time of the event | "2023-10-19T11:19:59.423Z" |
IPsec Direct Activity Log
The following model represents logs for non-HTTP/S traffic originating from an IPsec tunnel:
Field | Description | Example |
---|---|---|
trafficSourceType <string> | The method through which the user accessed the resource | "Location" |
destinationIp <string> | The destination IP address | "8.8.8.8" |
destinationPort <string> | The destination port | "53" |
ipSecLocation <string> | The Location from which the traffic originated | "Boston Office" |
ipSecSubLocation <string> | The Sub-Location from which the traffic originated | "Guest WIFI" |
ipSecTunnel <string> | The name of the tunnel from which the traffic originated | "office tunnel 1" |
tunnelSourceIP <string> | The IP address of the device that initiated the IPsec tunnel | "147.235.204.90" |
internalSourceIp <string> | The IP address of the device that created the event | "192.168.110.43" |
eventType <string> | The displayed event type: "IPSecDirect" | "IPSecDirect" |
eventId <string> | Unique ID for the displayed event | "d364ed67-4495-46d1-b548-65e739dcef91" |
activityType <string> | Session event activity | "Connect" |
isBlocked <boolean> | Boolean field indicating whether the event was blocked (true) or allowed (false) by policy. | false |
correlationId <string> | Unique ID of the event which is presented in the Exploration tool | "4I72-3VAU" |
tenantName <string> | Axis tenant name | "ACME Prod" |
tenantId <string> | Axis tenant unique ID | "a823f5f3-6304-4605-85da-6f898bcb6e91" |
time <string> | Date and time of the event | "2023-10-19T11:19:59.423Z" |
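As an added example that is not part of the Axis documentation or product: a Python normalizer for the five models above, mapping their differing field names (username/userName, groups/identityGroup, sourceIp/internalSourceIp, hostname/applicationAddress/destinationIp) onto one record and counting blocked events per policy rule, as a SIEM ingestion step would. The sample stream is constructed from the documented example values, and the output record keys are my own choice.

```python
import json
# Per-model field names from the tables above; the stream does not unify them.
# eventType value -> (user name field, groups field, destination field)
MODEL_FIELDS = {
    "DnsRequest": ("userName", "identityGroup", "hostname"),
    "SWG": ("username", "identityGroup", "applicationAddress"),
    "IPSecHostFiltering": (None, None, "hostname"),
    "IPSecDirect": (None, None, "destinationIp"),
}
# ZTNA events carry the activity (e.g. "Connect") in eventType, not a model name
ZTNA_FIELDS = ("username", "groups", "applicationAddress")

def normalize(event):
    """Map one streamed event onto a common record keyed by the opaque user id."""
    etype = event.get("eventType")
    model = etype if etype in MODEL_FIELDS else "ZTNA"
    user_f, groups_f, dest_f = MODEL_FIELDS.get(etype, ZTNA_FIELDS)
    # userId is documented as "<opaque id>|<name>"; keep only the opaque part
    user_id = (event.get("userId") or "").split("|", 1)[0] or None
    dest = event.get(dest_f)
    if model == "IPSecDirect":  # non-HTTP/S traffic: only ip:port is known
        dest = f"{dest}:{event.get('destinationPort')}"
    return {
        "model": model,
        "time": event.get("time"),
        "user_id": user_id,
        "user": event.get(user_f) if user_f else None,
        "groups": list(event.get(groups_f) or []) if groups_f else [],
        "source": event.get("sourceIp") or event.get("internalSourceIp"),
        "destination": dest,
        "blocked": event.get("isBlocked") is True,  # strict: a string is not a block
        "rule": event.get("ruleName"),  # absent in the IPsec Direct model
    }

def records(ndjson_text):
    """Parse newline-delimited JSON from the stream into normalized records."""
    return [normalize(json.loads(l)) for l in ndjson_text.splitlines() if l.strip()]

def blocked_by_rule(ndjson_text):
    """Count blocked events per (model, rule) for alerting on per-rule spikes."""
    counts = {}
    for rec in records(ndjson_text):
        if rec["blocked"]:
            key = (rec["model"], rec["rule"])
            counts[key] = counts.get(key, 0) + 1
    return counts
# Constructed sample stream (values mirror the documented examples, not real data)
SAMPLE = """{"eventType":"Connect","userId":"046fea17a8b949e9bdc7418970bc355f|Natan","username":"Jack Smith","groups":["Sales"],"sourceIp":"147.235.204.90","applicationAddress":"acme.corp:443","isBlocked":true,"ruleName":"RDP Access","time":"2023-11-01T08:41:04.983Z"}
{"eventType":"SWG","userId":"046fea17a8b949e9bdc7418970bc355f|Natan","username":"Jack Smith","identityGroup":["Sales"],"sourceIp":"147.235.204.90","applicationAddress":"acme.com/news","isBlocked":false,"ruleName":"Web Traffic Default","time":"2023-10-19T11:19:59.423Z"}
{"eventType":"IPSecDirect","internalSourceIp":"192.168.110.43","destinationIp":"8.8.8.8","destinationPort":"53","isBlocked":true,"time":"2023-10-19T11:19:59.423Z"}"""
```

Running `blocked_by_rule(SAMPLE)` yields one blocked ZTNA event under "RDP Access" and one IPsec Direct block with no rule, since that model carries no rule fields.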