Log fields

The request summary consists of the following fields. Some fields are left out when no value is available; others contain "<n/a>" instead.

| Field Name | Description | Examples |
| --- | --- | --- |
| req_id | ID of the request | X4asK6znLjlW-3ZhEhrCOgAAADY |
| sess_id | ID of the session the request belongs to | e36a8ba0dc23afc17210311a4a2246a7 |
| corr_id | Request correlation ID | |
| corr_id_2 | Second request correlation ID | |
| corr_id_3 | Third request correlation ID | |
| mapping | Mapping name used to handle the request | ExternalOWA |
| audit_token | Audit token set by the authentication server. This usually represents an individual user. | <n/a>; smueller@intra.com |
| tenant | Tenant of the requested mapping or virtual host | |
| entry_url | Entry URL of the request | https://docs.airlock.com/iam/latest/ |
| tech_client_id | Technical client ID extracted from request. | |
| tech_client_display_name | Display name of the technical client. | |
| tech_client_label | Label of the technical client. | |
| tech_client_subscription_id | Subscription ID of the technical client. | |
| vhost | The FQDN of the virtual host | docs.airlock.com |
| vhost_ip | The IP address the virtual host is listening on | 10.11.12.13 |
| vhost_port | The port the virtual host is listening on | 443 |
| vhost_proto | The HTTP protocol used in the request | https |
| http_method | The HTTP method used in the request | GET; DELETE |
| http_status | The HTTP status code delivered to the client | 200; 404 |
| entry_path | Entry path of the request | /iam/latest/ |
| entry_query | Query parameters of the entry URL | a=b&c=d&since=%233327 |
| vhost_proto_vers | The HTTP protocol version used in the request | |
| sess_auth | Flag indicating whether the session was authenticated or not | false |
| backend_url | Back-end URL of the request | http://intra.local.net:8080/iam/latest/resources/js/src/dom.js |
| http_redirect_url | The redirect URL delivered to the client | /test/ |
| http_referrer | The referrer URL sent by the client | https://docs.airlock.com/iam/latest/; <n/a> |
| req_size | The number of bytes received from the client | Kibana: 454B; JSON: 454 |
| resp_size | The number of bytes received from the back-end | Kibana: 11.07KB; JSON: 11336 |
| time_total | The total time taken to handle the request, in microseconds | Kibana (ms): 1005.871; JSON (μs): 1005871 |
| time_filter | The time taken to filter the request, in microseconds | Kibana (ms): 0.334; JSON (μs): 334 |
| time_req_icap | The time taken by ICAP services for processing the request, in microseconds | See "time_total" |
| time_backend | The time waited until the back-end sent an answer, in microseconds | See "time_total" |
| time_resp | The time taken to process the response from the back-end, in microseconds | See "time_total" |
| time_resp_icap | The time taken by ICAP services for processing the response, in microseconds | See "time_total" |
| client_ip | The IP address of the client. Usually, this is the connection IP address (front_src_ip). If a reverse proxy or load balancer is in place and sets the X-Forwarded-For header, Airlock Gateway can be configured to use the X-Forwarded-For value as client_ip. | 118.12.110.137 |
| front_src_ip | The IP address from which the front-end TCP connection was established | 192.168.110.137 |
| front_src_port | The port from which the front-end TCP connection was established | |
| geoip_continent | Continent code resolved for the client IP address (client_ip) | EU |
| geoip_country | Country code resolved for the client IP address (client_ip) | CH |
| geoip_location | Latitude and longitude resolved for the client IP address (client_ip) | 47.38250,8.14420 |
| action | Action taken by Airlock Gateway for this request | allowed; blocked |
| ml_app | Anomaly Shield application | |
| ml_anomaly | Anomaly Shield session anomaly tag | normal; anomalous; exception; redeemed |
| attack_type | Type of the blocked attack | HTML injection |
| block_type | Technology used to block the attack | Deny Rule |
| message | Message describing the log event | Request processed |
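The following added example (not part of the Airlock documentation) shows one way to consume these fields in a detection script: it treats missing fields and "<n/a>" the same way, converts time_total from microseconds to milliseconds, flags records whose client_ip differs from front_src_ip, and counts blocked requests per client and attack type. It assumes each request summary is available as one flat JSON object per line keyed by the field names above; the sample records and the function names are constructed for illustration.

```python
import json
from collections import Counter

NA = "<n/a>"  # placeholder some fields write when no value is available
KEEP = ("req_id", "client_ip", "front_src_ip", "audit_token",
        "action", "attack_type", "block_type")

# Constructed sample records; the one-JSON-object-per-line layout is an assumption.
SAMPLE_LINES = [
    '{"req_id": "r1", "client_ip": "118.12.110.137", "front_src_ip": "192.168.110.137",'
    ' "audit_token": "<n/a>", "action": "blocked", "attack_type": "HTML injection",'
    ' "block_type": "Deny Rule", "time_total": 1200}',
    '{"req_id": "r2", "client_ip": "10.20.30.40", "front_src_ip": "10.20.30.40",'
    ' "audit_token": "smueller@intra.com", "action": "allowed", "time_total": 1005871}',
    '{"req_id": "r3", "client_ip": "118.12.110.137", "front_src_ip": "192.168.110.137",'
    ' "action": "blocked", "attack_type": "HTML injection", "block_type": "Deny Rule"}',
]

def get(rec, name):
    """Return a field value; a missing field and "<n/a>" both become None."""
    value = rec.get(name)
    return None if value in (None, NA) else value

def normalize(line):
    """Parse one request summary line into a dict with consistent empty values."""
    rec = json.loads(line)
    out = {name: get(rec, name) for name in KEEP}
    # Per the field descriptions, client_ip equals front_src_ip unless it was
    # taken from X-Forwarded-For, so a mismatch marks a header-derived address.
    out["client_ip_from_header"] = (
        out["client_ip"] is not None
        and out["front_src_ip"] is not None
        and out["client_ip"] != out["front_src_ip"]
    )
    total_us = get(rec, "time_total")  # JSON carries microseconds
    out["time_total_ms"] = None if total_us is None else int(total_us) / 1000
    return out

def blocked_by_client(lines):
    """Count blocked requests per (client_ip, attack_type)."""
    counts = Counter()
    for rec in map(normalize, lines):
        if rec["action"] == "blocked":
            counts[(rec["client_ip"], rec["attack_type"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in blocked_by_client(SAMPLE_LINES).items():
        print(key, n)
```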