All Security Gateway log messages are written in JSON format. This is a list of all available JSON fields along with a short description. The column "CEF Alias" shows the field aliases used in CEF exports.
Field Name | CEF Alias | Description |
action | act | Action taken by Airlock Gateway for this request |
attack_type | cs4 | Type of the blocked attack |
audit_token | suser | Audit token set by the authentication server. This usually represents an individual user. |
back_dst_ip | The IP address of the back-end server Airlock Gateway connected to | |
back_dst_port | The port of the back-end server Airlock Gateway connected to | |
back_host | The back-end host the request was sent to | |
back_host_ip | The IP address of the back-end host the request was sent to | |
back_host_port | The port of the back-end host the request was sent to | |
back_host_proto | The protocol of the back-end host the request was sent to | |
back_src_ip | The IP address Airlock Gateway used to connect to the back-end server | |
back_src_port | The port Airlock Gateway used to connect to the back-end server | |
backend_url | Back-end URL of the request | |
block_type | Technology used to block the attack | |
client_ip | src / c6a2 | The IP address of the client. Usually, this is the connection IP address (front_src_ip). If a reverse proxy or load balancer is in place and sets the X-Forwarded-For header, Airlock Gateway can be configured to use the X-Forwarded-For value as client_ip |
constraint | Violated constraint that lead to the block | |
corr_id | Request correlation ID | |
corr_id_2 | Second request correlation ID | |
corr_id_3 | Third request correlation ID | |
entry_path | request | Entry path of the request |
entry_query | request | Query parameters of the entry URL |
entry_url | Entry URL of the request | |
error_code | The error code returned by libcurl | |
file | Filename | |
front_dst_ip | The IP address the client connected to | |
front_dst_port | The port the client connected to | |
front_src_ip | The IP address from which the front-end TCP connection was established | |
front_src_port | The port from which the front-end TCP connection was established | |
front_tls_cipher | The TLS cipher that has been negotiated on the front-end | |
front_tls_client_subject_dn | The subject's distinguished name (DN) of the TLS client certificate | |
front_tls_proto | The TLS protocol that has been negotiated on the front-end | |
front_tls_sess_id | The ID of the TLS session on the front-end | |
geoip_continent | Continent code resolved for the client IP address (client_ip) | |
geoip_country | Country code resolved for the client IP address (client_ip) | |
geoip_location | cs3 | Latitude and longitude resolved for the client IP address (client_ip) |
http_accept_lang | The accept language header sent by the client | |
http_method | requestMethod | The HTTP method used in the request |
http_redirect_url | The redirect URL delivered to the client | |
http_referrer | requestContext | The referrer URL sent by the client |
http_status | cn1 | The HTTP status code delivered to the client |
http_user_agent | The user agent header sent by the client | |
ip_lists | Matching IP list names | |
lifetime | Lifetime of the session in seconds | |
log_cat | Message category | |
log_id | Message ID | |
mapping | destinationServiceName | Mapping name used to handle the request |
message | msg | Message describing the log event |
ml_anomaly | Anomaly Shield session anomaly tag | |
ml_app | Anomaly Shield application | |
position | Description of where the error/block was detected | |
reason | Reason for connection or session termination | |
reject_type | Reject type for the rejected request | |
req_id | cs1 | ID of the request |
req_rate | The measured request rate (requests per second) | |
req_rate_licensed | The licensed request rate (requests per second) | |
req_size | in | The number of bytes received from the client |
resp_size | out | The number of bytes received from the back-end |
rule_group | Name of the deny rule group which triggered the block | |
rule_group_key | Short name of the deny rule group which triggered the block | |
rule_name | Name of the rule which triggered the block | |
sess_auth | Flag indicating whether the session was authenticated or not | |
sess_id | cs2 | ID of the session the request belongs to |
tech_client_display_name | Display name of the technical client. | |
tech_client_id | Technical client ID extracted from request. | |
tech_client_label | Label of the technical client. | |
tech_client_subscription_id | Subscription ID of the technical client. | |
tenant | Tenant of the requested mapping or virtual host | |
th_mode | Threat handling mode | |
time_backend | The time waited until the back-end sent an answer, in microseconds | |
time_filter | The time taken to filter the request, in microseconds | |
time_req_icap | The time taken by ICAP services for processing the request, in microseconds | |
time_resp | The time taken to process the response from the back-end, in microseconds | |
time_resp_icap | The time taken by ICAP services for processing the response, in microseconds | |
time_total | cn2 | The total time taken to handle the request, in microseconds |
time_wsock_total | The total time taken to handle the WebSocket connection, in microseconds | |
trunc | This field is only added when one or more fields have been skipped by the truncation mechanism. It is added with the value "1". | |
vhost | dhost | The FQDN of the virtual host |
vhost_ip | dst / c6a3 | The IP address the virtual host is listening on |
vhost_port | dpt | The port the virtual host is listening on |
vhost_proto | app | The HTTP protocol used in the request |
vhost_proto_vers | The HTTP protocol version used in the request | |
wsock_bytes_in | Number of bytes received from the client (WebSocket) | |
wsock_bytes_out | Number of bytes sent to the client (WebSocket) |