The request summary consists of the following fields. Some fields are omitted when no value is available; others contain "<n/a>" instead.
Field Name | Description | Examples |
req_id | ID of the request | X4asK6znLjlW-3ZhEhrCOgAAADY |
sess_id | ID of the session the request belongs to | e36a8ba0dc23afc17210311a4a2246a7 |
corr_id | Request correlation ID | – |
corr_id_2 | Second request correlation ID | – |
corr_id_3 | Third request correlation ID | – |
mapping | Mapping name used to handle the request | ExternalOWA |
audit_token | Audit token set by the authentication server. This usually represents an individual user. | <n/a>, smueller@intra.com |
tenant | Tenant of the requested mapping or virtual host | – |
entry_url | Entry URL of the request | https://docs.airlock.com/iam/latest/ |
tech_client_id | Technical client ID extracted from request. | – |
tech_client_display_name | Display name of the technical client. | – |
tech_client_label | Label of the technical client. | – |
tech_client_subscription_id | Subscription ID of the technical client. | – |
vhost | The FQDN of the virtual host | docs.airlock.com |
vhost_ip | The IP address the virtual host is listening on | 10.11.12.13 |
vhost_port | The port the virtual host is listening on | 443 |
vhost_proto | The HTTP protocol used in the request | https |
http_method | The HTTP method used in the request | GET, DELETE |
http_status | The HTTP status code delivered to the client | 200, 404 |
entry_path | Entry path of the request | /iam/latest/ |
entry_query | Query parameters of the entry URL | a=b&c=d&since=%233327 |
vhost_proto_vers | The HTTP protocol version used in the request | – |
sess_auth | Flag indicating whether the session was authenticated or not | false |
backend_url | Back-end URL of the request | http://intra.local.net:8080/iam/latest/resources/js/src/dom.js |
http_redirect_url | The redirect URL delivered to the client | /test/ |
http_referrer | The referrer URL sent by the client | https://docs.airlock.com/iam/latest/, <n/a> |
req_size | The number of bytes received from the client | Kibana: 454B; JSON: 454 |
resp_size | The number of bytes received from the back-end | Kibana: 11.07KB; JSON: 11336 |
time_total | The total time taken to handle the request, in microseconds | Kibana (ms): 1005.871; JSON (μs): 1005871 |
time_filter | The time taken to filter the request, in microseconds | Kibana (ms): 0.334; JSON (μs): 334 |
time_req_icap | The time taken by ICAP services for processing the request, in microseconds | See "time_total" |
time_backend | The time waited until the back-end sent an answer, in microseconds | See "time_total" |
time_resp | The time taken to process the response from the back-end, in microseconds | See "time_total" |
time_resp_icap | The time taken by ICAP services for processing the response, in microseconds | See "time_total" |
client_ip | The IP address of the client. Usually, this is the connection IP address (front_src_ip). If a reverse proxy or load balancer is in place and sets the X-Forwarded-For header, Airlock Gateway can be configured to use the X-Forwarded-For value as client_ip | 118.12.110.137 |
front_src_ip | The IP address from which the front-end TCP connection was established | 192.168.110.137 |
front_src_port | The port from which the front-end TCP connection was established | – |
geoip_continent | Continent code resolved for the client IP address (client_ip) | EU |
geoip_country | Country code resolved for the client IP address (client_ip) | CH |
geoip_location | Latitude and longitude resolved for the client IP address (client_ip) | 47.38250,8.14420 |
action | Action taken by Airlock Gateway for this request | allowed, blocked |
ml_app | Anomaly Shield application | – |
ml_anomaly | Anomaly Shield session anomaly tag | |
attack_type | Type of the blocked attack | HTML injection |
block_type | Technology used to block the attack | Deny Rule |
message | Message describing the log event | Request processed |
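
The following is an added example, not part of the original documentation or of Airlock's own tooling. It triages request summaries using the fields above: it counts blocked requests per client, lists `client_ip` values that differ from `front_src_ip`, and converts the microsecond timings to milliseconds. It assumes one JSON object per line with the field names as top-level keys; the sample records are constructed, and `summarize`, `field` and `slow_ms` are hypothetical names.

```python
import json
from collections import Counter

# Constructed sample records, not real gateway output. Assumption: one JSON
# object per line with the table's field names as top-level keys.
SAMPLE = """\
{"req_id": "r1", "client_ip": "118.12.110.137", "front_src_ip": "192.168.110.137", "action": "blocked", "attack_type": "HTML injection", "block_type": "Deny Rule", "audit_token": "<n/a>", "time_total": 334}
{"req_id": "r2", "client_ip": "118.12.110.137", "front_src_ip": "192.168.110.137", "action": "allowed", "audit_token": "smueller@intra.com", "time_total": 1005871, "time_backend": 900000}
{"req_id": "r3", "client_ip": "10.11.12.50", "front_src_ip": "10.11.12.50", "action": "blocked", "attack_type": "HTML injection", "block_type": "Deny Rule"}
"""

def field(rec, name):
    """Return a field value; absent fields and "<n/a>" both become None."""
    value = rec.get(name)
    return None if value in (None, "", "<n/a>") else value

def summarize(text, slow_ms=1000.0):
    blocked = Counter()   # (client_ip, attack_type, block_type) -> count
    not_peer = set()      # client_ip values that differ from front_src_ip
    slow = []             # (req_id, total ms, back-end share of total)
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        cip, peer = field(rec, "client_ip"), field(rec, "front_src_ip")
        if cip and peer and cip != peer:
            not_peer.add(cip)  # client_ip did not come from the TCP connection
        if field(rec, "action") == "blocked":
            blocked[(cip, field(rec, "attack_type"), field(rec, "block_type"))] += 1
        total_us = field(rec, "time_total")  # JSON carries microseconds
        if total_us and total_us / 1000.0 >= slow_ms:
            backend_us = field(rec, "time_backend") or 0
            slow.append((field(rec, "req_id"), total_us / 1000.0,
                         round(backend_us / total_us, 3)))
    return {"blocked": blocked, "not_peer": not_peer, "slow": slow}

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for key, count in report["blocked"].most_common():
        print(count, *key)
    print("client_ip not equal to front_src_ip:", sorted(report["not_peer"]))
    print("slow requests:", report["slow"])
```

A `client_ip` that differs from `front_src_ip` was taken from a forwarded header, so per-client counts are only as trustworthy as the proxy that sets that header.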