Log Fields

All Security Gateway log messages are written in JSON format. This is a list of all available JSON fields along with a short description. The column "CEF Alias" shows the field aliases used in CEF exports.

| Field Name | CEF Alias | Description |
|---|---|---|
| action | act | Action taken by Airlock Gateway for this request |
| attack_type | cs4 | Type of the blocked attack |
| audit_token | suser | Audit token set by the authentication server. This usually represents an individual user. |
| back_dst_ip | | The IP address of the back-end server Airlock Gateway connected to |
| back_dst_port | | The port of the back-end server Airlock Gateway connected to |
| back_host | | The back-end host the request was sent to |
| back_host_ip | | The IP address of the back-end host the request was sent to |
| back_host_port | | The port of the back-end host the request was sent to |
| back_host_proto | | The protocol of the back-end host the request was sent to |
| back_src_ip | | The IP address Airlock Gateway used to connect to the back-end server |
| back_src_port | | The port Airlock Gateway used to connect to the back-end server |
| backend_url | | Back-end URL of the request |
| block_type | | Technology used to block the attack |
| client_ip | src / c6a2 | The IP address of the client. Usually, this is the connection IP address (front_src_ip). If a reverse proxy or load balancer is in place and sets the X-Forwarded-For header, Airlock Gateway can be configured to use the X-Forwarded-For value as client_ip |
| constraint | | Violated constraint that led to the block |
| corr_id | | Request correlation ID |
| corr_id_2 | | Second request correlation ID |
| corr_id_3 | | Third request correlation ID |
| entry_path | request | Entry path of the request |
| entry_query | request | Query parameters of the entry URL |
| entry_url | | Entry URL of the request |
| error_code | | The error code returned by libcurl |
| file | | Filename |
| front_dst_ip | | The IP address the client connected to |
| front_dst_port | | The port the client connected to |
| front_src_ip | | The IP address from which the front-end TCP connection was established |
| front_src_port | | The port from which the front-end TCP connection was established |
| front_tls_cipher | | The TLS cipher that has been negotiated on the front-end |
| front_tls_client_subject_dn | | The subject's distinguished name (DN) of the TLS client certificate |
| front_tls_proto | | The TLS protocol that has been negotiated on the front-end |
| front_tls_sess_id | | The ID of the TLS session on the front-end |
| geoip_continent | | Continent code resolved for the client IP address (client_ip) |
| geoip_country | | Country code resolved for the client IP address (client_ip) |
| geoip_location | cs3 | Latitude and longitude resolved for the client IP address (client_ip) |
| http_accept_lang | | The accept language header sent by the client |
| http_method | requestMethod | The HTTP method used in the request |
| http_redirect_url | | The redirect URL delivered to the client |
| http_referrer | requestContext | The referrer URL sent by the client |
| http_status | cn1 | The HTTP status code delivered to the client |
| http_user_agent | | The user agent header sent by the client |
| ip_lists | | Matching IP list names |
| lifetime | | Lifetime of the session in seconds |
| log_cat | | Message category |
| log_id | | Message ID |
| mapping | destinationServiceName | Mapping name used to handle the request |
| message | msg | Message describing the log event |
| ml_anomaly | | Anomaly Shield session anomaly tag |
| ml_app | | Anomaly Shield application |
| position | | Description of where the error/block was detected |
| reason | | Reason for connection or session termination |
| reject_type | | Reject type for the rejected request |
| req_id | cs1 | ID of the request |
| req_rate | | The measured request rate (requests per second) |
| req_rate_licensed | | The licensed request rate (requests per second) |
| req_size | in | The number of bytes received from the client |
| resp_size | out | The number of bytes received from the back-end |
| rule_group | | Name of the deny rule group which triggered the block |
| rule_group_key | | Short name of the deny rule group which triggered the block |
| rule_name | | Name of the rule which triggered the block |
| sess_auth | | Flag indicating whether the session was authenticated or not |
| sess_id | cs2 | ID of the session the request belongs to |
| tech_client_display_name | | Display name of the technical client. |
| tech_client_id | | Technical client ID extracted from request. |
| tech_client_label | | Label of the technical client. |
| tech_client_subscription_id | | Subscription ID of the technical client. |
| tenant | | Tenant of the requested mapping or virtual host |
| th_mode | | Threat handling mode |
| time_backend | | The time waited until the back-end sent an answer, in microseconds |
| time_filter | | The time taken to filter the request, in microseconds |
| time_req_icap | | The time taken by ICAP services for processing the request, in microseconds |
| time_resp | | The time taken to process the response from the back-end, in microseconds |
| time_resp_icap | | The time taken by ICAP services for processing the response, in microseconds |
| time_total | cn2 | The total time taken to handle the request, in microseconds |
| time_wsock_total | | The total time taken to handle the WebSocket connection, in microseconds |
| trunc | | This field is only added when one or more fields have been skipped by the truncation mechanism. It is added with the value "1". |
| vhost | dhost | The FQDN of the virtual host |
| vhost_ip | dst / c6a3 | The IP address the virtual host is listening on |
| vhost_port | dpt | The port the virtual host is listening on |
| vhost_proto | app | The HTTP protocol used in the request |
| vhost_proto_vers | | The HTTP protocol version used in the request |
| wsock_bytes_in | | Number of bytes received from the client (WebSocket) |
| wsock_bytes_out | | Number of bytes sent to the client (WebSocket) |
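
The following is an added example, not Airlock code: it maps a JSON log record to CEF extension key=value pairs using the CEF Alias column, escapes client-controlled values so they cannot introduce extra keys, and reports the trunc flag. Assumptions of this example: the two-alias IP fields are chosen by IP version, entry_path and entry_query are joined with "?" under the shared alias request, and the sample record is constructed.

```python
import ipaddress
import json

# Single-alias fields from the CEF Alias column of the field list.
CEF_ALIAS = {
    "action": "act", "attack_type": "cs4", "audit_token": "suser",
    "geoip_location": "cs3", "http_method": "requestMethod",
    "http_referrer": "requestContext", "http_status": "cn1",
    "mapping": "destinationServiceName", "message": "msg", "req_id": "cs1",
    "req_size": "in", "resp_size": "out", "sess_id": "cs2",
    "time_total": "cn2", "vhost": "dhost", "vhost_port": "dpt",
    "vhost_proto": "app",
}
# Two-alias fields as (IPv4 key, IPv6 key); choosing by IP version is an assumption.
IP_ALIAS = {"client_ip": ("src", "c6a2"), "vhost_ip": ("dst", "c6a3")}
# Constructed sample record, not real gateway output.
SAMPLE = json.dumps({
    "action": "block", "client_ip": "2001:db8::7", "entry_path": "/app/login",
    "entry_query": "q=1 act=allow", "http_referrer": "https://example.test/?a=b",
    "trunc": "1",
})


def cef_escape(value):
    """Escape a CEF extension value: backslash, '=', CR and LF."""
    text = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return text.replace("\r", "\\r").replace("\n", "\\n")


def to_cef_extension(json_line):
    """Return (extension_string, truncated) for one JSON log line."""
    rec = json.loads(json_line)
    ext = {alias: rec[field] for field, alias in CEF_ALIAS.items() if field in rec}
    for field, (v4_key, v6_key) in IP_ALIAS.items():
        if field in rec:
            ip = ipaddress.ip_address(rec[field])
            ext[v4_key if ip.version == 4 else v6_key] = rec[field]
    # entry_path and entry_query share the alias "request"; joining them
    # with "?" is an assumption of this example.
    if "entry_path" in rec:
        query = rec.get("entry_query")
        ext["request"] = rec["entry_path"] + ("?" + query if query else "")
    # trunc is "1" when fields were skipped, so the record is incomplete.
    truncated = str(rec.get("trunc", "")) == "1"
    return " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items()), truncated
```

A consumer should treat a record returned with truncated set as incomplete, since a missing field there means it was skipped, not that it was absent from the request.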