Log Fields

All Security Gateway log messages are written in JSON format. The table below lists every available JSON field with a short description. The "CEF Alias" column gives the key used for that field in CEF exports; where two aliases are listed (src / c6a2, dst / c6a3), the first is the CEF IPv4 key and the c6aN key is used for IPv6 addresses.

Field Name | CEF Alias | Description
--- | --- | ---
action | act | Action taken by Airlock Gateway for this request
attack_type | cs4 | Type of the blocked attack
audit_token | suser | Audit token set by the authentication server. This usually represents an individual user.
back_dst_ip | | The IP address of the back-end server Airlock Gateway connected to
back_dst_port | | The port of the back-end server Airlock Gateway connected to
back_host | | The back-end host the request was sent to
back_host_ip | | The IP address of the back-end host the request was sent to
back_host_port | | The port of the back-end host the request was sent to
back_host_proto | | The protocol of the back-end host the request was sent to
back_src_ip | | The IP address Airlock Gateway used to connect to the back-end server
back_src_port | | The port Airlock Gateway used to connect to the back-end server
backend_url | | Back-end URL of the request
block_type | | Technology used to block the attack
client_ip | src / c6a2 | The IP address of the client. Usually this is the connection IP address (front_src_ip). If a reverse proxy or load balancer in front of Airlock Gateway sets the X-Forwarded-For header, Airlock Gateway can be configured to use the X-Forwarded-For value as client_ip. Enable this only for trusted upstream proxies that overwrite the header: otherwise a client can set X-Forwarded-For itself and spoof client_ip and the fields resolved from it (geoip_continent, geoip_country, geoip_location).
constraint | | Violated constraint that led to the block
corr_id | | Request correlation ID
corr_id_2 | | Second request correlation ID
corr_id_3 | | Third request correlation ID
entry_path | request | Entry path of the request
entry_query | request | Query parameters of the entry URL
entry_url | | Entry URL of the request
error_code | | The error code returned by libcurl
file | | Filename
front_dst_ip | | The IP address the client connected to
front_dst_port | | The port the client connected to
front_src_ip | | The IP address from which the front-end TCP connection was established
front_src_port | | The port from which the front-end TCP connection was established
front_tls_cipher | | The TLS cipher negotiated on the front-end
front_tls_client_subject_dn | | The subject distinguished name (DN) of the TLS client certificate
front_tls_proto | | The TLS protocol version negotiated on the front-end
front_tls_sess_id | | The ID of the TLS session on the front-end
geoip_continent | | Continent code resolved for the client IP address (client_ip)
geoip_country | | Country code resolved for the client IP address (client_ip)
geoip_location | cs3 | Latitude and longitude resolved for the client IP address (client_ip)
http_accept_lang | | The Accept-Language header sent by the client
http_method | requestMethod | The HTTP method used in the request
http_redirect_url | | The redirect URL delivered to the client
http_referrer | requestContext | The referrer URL sent by the client
http_status | cn1 | The HTTP status code delivered to the client
http_user_agent | | The User-Agent header sent by the client
ip_lists | | Names of the IP lists that matched
lifetime | | Lifetime of the session in seconds
log_cat | | Message category
log_id | | Message ID
mapping | destinationServiceName | Mapping name used to handle the request
message | msg | Message describing the log event
ml_anomaly | | Anomaly Shield session anomaly tag
ml_app | | Anomaly Shield application
position | | Description of where the error/block was detected
reason | | Reason for connection or session termination
reject_type | | Reject type for the rejected request
req_id | cs1 | ID of the request
req_rate | | The measured request rate (requests per second)
req_rate_licensed | | The licensed request rate (requests per second)
req_size | in | The number of bytes received from the client
resp_size | out | The number of bytes received from the back-end
rule_group | | Name of the deny rule group that triggered the block
rule_group_key | | Short name of the deny rule group that triggered the block
rule_name | | Name of the rule that triggered the block
sess_auth | | Flag indicating whether the session was authenticated
sess_id | cs2 | ID of the session the request belongs to
tech_client_display_name | | Display name of the technical client
tech_client_id | | Technical client ID extracted from the request
tech_client_label | | Label of the technical client
tech_client_subscription_id | | Subscription ID of the technical client
tenant | | Tenant of the requested mapping or virtual host
th_mode | | Threat handling mode
time_backend | | Time waited until the back-end sent an answer, in microseconds
time_filter | | Time taken to filter the request, in microseconds
time_req_icap | | Time taken by ICAP services to process the request, in microseconds
time_resp | | Time taken to process the response from the back-end, in microseconds
time_resp_icap | | Time taken by ICAP services to process the response, in microseconds
time_total | cn2 | Total time taken to handle the request, in microseconds
time_wsock_total | | Total time taken to handle the WebSocket connection, in microseconds
trunc | | Only present when one or more fields have been dropped by the truncation mechanism; its value is always "1". A record with trunc set may lack fields that would otherwise be written, so the absence of a field in such a record does not mean the field did not apply.
vhost | dhost | The FQDN of the virtual host
vhost_ip | dst / c6a3 | The IP address the virtual host is listening on
vhost_port | dpt | The port the virtual host is listening on
vhost_proto | app | The protocol used in the request (HTTP or HTTPS)
vhost_proto_vers | | The HTTP protocol version used in the request
wsock_bytes_in | | Number of bytes received from the client (WebSocket)
wsock_bytes_out | | Number of bytes sent to the client (WebSocket)
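As an added example (not part of this page and not Airlock Gateway's own export code), the following Python script parses JSON log lines of the shape described above, renders them as CEF using the alias column, and runs a small triage over them: blocked requests per client and attack type, records flagged by trunc, and requests whose client_ip was taken from X-Forwarded-For rather than the TCP peer. The sample log lines, the vendor/product strings in the CEF header, the use of log_id as CEF signature ID, the severity rule (8 when attack_type is present, 3 otherwise), joining entry_path and entry_query into the single CEF "request" key, and passing unaliased fields through under their JSON names are all assumptions made for the example.

```python
"""Parse Airlock Gateway JSON log lines, export them as CEF and triage them.
Added example; the log lines below are constructed, not real gateway output."""
import ipaddress
import json
from collections import Counter

# JSON field -> CEF extension key, taken from the "CEF Alias" column.
CEF_ALIAS = {
    "action": "act", "attack_type": "cs4", "audit_token": "suser",
    "geoip_location": "cs3", "http_method": "requestMethod",
    "http_referrer": "requestContext", "http_status": "cn1",
    "mapping": "destinationServiceName", "req_id": "cs1", "req_size": "in",
    "resp_size": "out", "sess_id": "cs2", "time_total": "cn2",
    "vhost": "dhost", "vhost_port": "dpt", "vhost_proto": "app",
}
# Fields with two aliases: first key for IPv4, the CEF c6aN key for IPv6.
IP_ALIAS = {"client_ip": ("src", "c6a2"), "vhost_ip": ("dst", "c6a3")}

# Constructed sample log lines (assumed field values, for illustration only).
SAMPLE_LOG = [
    '{"log_id":"WR-SG-BLOCK-100","log_cat":"Block","message":"Request blocked by deny rule",'
    '"action":"blocked","attack_type":"sql_injection","rule_group":"SQL injection",'
    '"client_ip":"203.0.113.7","front_src_ip":"203.0.113.7","vhost":"www.example.com",'
    '"vhost_ip":"198.51.100.10","vhost_port":443,"vhost_proto":"https","http_method":"GET",'
    '"entry_path":"/search","entry_query":"q=1%27%20OR%201=1","http_status":403,'
    '"req_id":"r-0001","sess_id":"s-aaa","req_size":512,"resp_size":1024,"time_total":1200}',
    # client_ip differs from front_src_ip: it was taken from X-Forwarded-For.
    '{"log_id":"WR-SG-REQUEST-200","log_cat":"Access","message":"Request handled",'
    '"action":"allowed","client_ip":"2001:db8::1","front_src_ip":"2001:db8:ffff::5",'
    '"vhost":"www.example.com","vhost_ip":"198.51.100.10","vhost_port":443,"vhost_proto":"https",'
    '"http_method":"POST","entry_path":"/login","http_status":200,"req_id":"r-0002",'
    '"req_size":256,"resp_size":2048,"time_total":3100}',
    # trunc=1: the truncation mechanism dropped fields from this record.
    '{"log_id":"WR-SG-BLOCK-100","log_cat":"Block","message":"Request blocked by deny rule",'
    '"action":"blocked","attack_type":"sql_injection","client_ip":"203.0.113.7",'
    '"vhost":"www.example.com","http_method":"GET","entry_path":"/search","req_id":"r-0003","trunc":"1"}',
]


def _esc_header(value):
    # CEF header fields: backslash and pipe must be escaped.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def _esc_ext(value):
    # CEF extension values: backslash, equals sign and line breaks must be escaped.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(rec, vendor="Airlock", product="Gateway", version="0"):
    """Render one parsed record as a CEF:0 line (vendor/product/severity assumed)."""
    rec = dict(rec)
    log_id = rec.pop("log_id", "")       # assumed: log_id as CEF signature ID
    name = rec.pop("message", "")
    severity = 8 if "attack_type" in rec else 3   # assumed severity rule
    ext = []
    path, query = rec.pop("entry_path", None), rec.pop("entry_query", None)
    if path is not None:                 # both fields map to the CEF "request" key
        ext.append("request=" + _esc_ext(path if query is None else f"{path}?{query}"))
    for key, value in rec.items():
        if key in IP_ALIAS:
            v4, v6 = IP_ALIAS[key]
            key = v6 if ipaddress.ip_address(value).version == 6 else v4
        else:
            key = CEF_ALIAS.get(key, key)  # assumed: unaliased fields pass through
        ext.append(f"{key}={_esc_ext(value)}")
    header = "|".join(_esc_header(x) for x in
                      ("CEF:0", vendor, product, version, log_id, name, severity))
    return header + "|" + " ".join(ext)


def parse_lines(lines):
    """Parse JSON lines; returns (records, req_ids of truncated records)."""
    records, truncated = [], []
    for line in lines:
        rec = json.loads(line)
        records.append(rec)
        if rec.get("trunc") == "1":      # fields may be missing from this record
            truncated.append(rec.get("req_id"))
    return records, truncated


def blocks_per_client(records):
    """Blocked requests (attack_type present) counted per (client_ip, attack_type)."""
    return Counter((r.get("client_ip"), r["attack_type"])
                   for r in records if "attack_type" in r)


def forwarded_clients(records):
    """req_ids whose client_ip is not the TCP peer (front_src_ip), i.e. it came
    from X-Forwarded-For and is only as trustworthy as the proxy that set it."""
    return [r.get("req_id") for r in records
            if "front_src_ip" in r and r.get("client_ip") != r["front_src_ip"]]


if __name__ == "__main__":
    recs, trunc = parse_lines(SAMPLE_LOG)
    for r in recs:
        print(to_cef(r))
    print("blocks:", dict(blocks_per_client(recs)))
    print("truncated:", trunc)
    print("client_ip from X-Forwarded-For:", forwarded_clients(recs))
```

Two details matter when feeding these records to a SIEM: the "=" inside entry_query must be escaped in the CEF extension or the query will be split into bogus key/value pairs, and records carrying trunc should be kept in the block count on the strength of attack_type alone, since other block fields (rule_name, rule_group) may have been dropped.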