Log Event Formats

Abstract

Describes the log events sent when Log Streaming is enabled.

Log Streaming collects specific events about your WPC from various log sources and writes them into your configured AWS S3 bucket. The information in the log events is described in JSON. The collected JSON events are compressed as a .gz file and written to the AWS S3 bucket.

All the JSON events contain the same Header fields and, for most event types, a log JSON object containing fields specific to that type of event. The event type is identified by the value of the eventName JSON field.

The information in this section will assist any tools collecting these logs from the AWS S3 bucket in correctly parsing and displaying the information in these log events. These log event definitions are currently 'version 1', as populated in the CloudConnexaLogVersion JSON field. The version number should be checked before parsing the rest of the JSON.

Log Event Header Fields

Abstract

Describes the standard fields in the header section of the JSON for every log event stored in the AWS S3 bucket using Log Streaming.

Every logged event has a standard set of JSON fields called a 'Header.' The description of the header's fields is shown in the table below.

Table 2. JSON Header Standard Fields for Log Events

Field Name | Type | Description
CloudConnexaLogVersion | Integer | The version of the log event definitions and format.
category | String | The event category.
eventName | String | The type of log event. Specific information about the event will be in a JSON object called log.
timestamp | DateTime | The timestamp of when the event occurred.
cloudId | String | The Cloud ID that identifies the WPC.
service | String | A fixed value with the name of the service: "CloudConnexa".
traceId | String | A unique identifier for an event.
initiatorType | String | The entity type that initiated the event. The value can be one of User, Device, or Connector.
initiator | String | A unique identifier for the specific entity that initiated the event. More details about the initiator can be found using the API with the values of this field and the initiatorType field.
parentEntityType | String | The parent entity type of the initiator. The value can be one of User, UserGroup, or NetworkOrHost.
parentEntity | String | A unique identifier for the parent of the specific entity that initiated the event. More details about the parent entity can be found using the API with the values of this field and the parentEntityType field.
userAgent | String | The HTTP User-Agent header from the request.


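As an added example (not code from the CloudConnexa documentation), the following Python reads one .gz object the way a collector would pull it from the S3 bucket, checks CloudConnexaLogVersion before anything else, validates the header fields from Table 2 and hands back the event name and the log object. The layout inside the .gz is not stated on this page, so one JSON object per line is assumed with a JSON array accepted as a fallback; the sample events are copied from this page's examples (userAgent shortened) plus two constructed events, one with a hypothetical future log version and one client-connected event that lacks its log object.

```python
import gzip
import json
from datetime import datetime

SUPPORTED_LOG_VERSION = 1

# Header fields every event must carry (Table 2). The page's examples also carry
# publicIp, initiatorRole and clientPublicIp at top level, so extra fields are tolerated.
REQUIRED_HEADER = ("CloudConnexaLogVersion", "category", "eventName",
                   "timestamp", "cloudId", "service", "traceId")
INITIATOR_TYPES = {"User", "Device", "Connector"}

# Event types documented on this page and whether a "log" object is expected.
EVENT_HAS_LOG = {
    "log-stream-started": True, "log-stream-paused": True, "test-message": False,
    "client-connected": True, "client-disconnected": True, "domain-blocked": True,
    "flow-established": True, "traffic-blocked": True,
}


class LogEventError(ValueError):
    """Raised for an event that does not match the version 1 definitions."""


def parse_timestamp(value):
    # Timestamps look like 2023-11-09T10:27:35.716006Z; the trailing 'Z' is only
    # understood by fromisoformat on Python 3.11+, so it is rewritten explicitly.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_event(event):
    """Check the header against Table 2 and return (eventName, log object)."""
    missing = [f for f in REQUIRED_HEADER if f not in event]
    if missing:
        raise LogEventError(f"missing header fields: {missing}")
    version = event["CloudConnexaLogVersion"]
    if version != SUPPORTED_LOG_VERSION:
        raise LogEventError(f"unsupported CloudConnexaLogVersion {version!r}")
    if event["service"] != "CloudConnexa":
        raise LogEventError(f"unexpected service {event['service']!r}")
    itype = event.get("initiatorType")
    if itype is not None and itype not in INITIATOR_TYPES:
        raise LogEventError(f"unknown initiatorType {itype!r}")
    try:
        parse_timestamp(event["timestamp"])
    except ValueError as exc:
        raise LogEventError(f"bad timestamp: {exc}") from exc
    name = event["eventName"]
    log = event.get("log")
    if EVENT_HAS_LOG.get(name) and not isinstance(log, dict):
        raise LogEventError(f"{name} event without a log object")
    return name, log if isinstance(log, dict) else {}


def iter_events(gz_bytes):
    """Yield the JSON events from one .gz object as written to the S3 bucket.

    Assumption (the page does not state the layout inside the .gz): one JSON
    object per line is tried first; a single JSON array or object is accepted too.
    """
    text = gzip.decompress(gz_bytes).decode("utf-8").strip()
    if text.startswith("["):
        yield from json.loads(text)
        return
    try:
        parsed = [json.loads(line) for line in text.splitlines() if line.strip()]
    except json.JSONDecodeError:
        parsed = [json.loads(text)]
    yield from parsed


def load_events(gz_bytes):
    """Split a .gz object into (validated events, list of (index, error) pairs)."""
    valid, errors = [], []
    for index, event in enumerate(iter_events(gz_bytes)):
        try:
            name, log = validate_event(event)
            valid.append((name, event, log))
        except LogEventError as exc:
            errors.append((index, str(exc)))
    return valid, errors


# Constructed sample: two events from this page's examples, then two constructed
# defective events (a hypothetical future version, and a connect without its log).
SAMPLE_EVENTS = [
    {"CloudConnexaLogVersion": 1, "timestamp": "2023-11-09T10:27:35.716006Z",
     "cloudId": "test", "service": "CloudConnexa",
     "traceId": "c50f4490-84c1-4156-aa24-cb61a1bb13cb", "publicIp": "100.96.3.11",
     "initiator": "2cc6965a-267e-40b2-9b67-ef2a9ecc2fe6", "initiatorRole": "Admin",
     "initiatorType": "User", "parentEntity": "e7856d84-d6b6-4803-94e1-b14e1abe483c",
     "parentEntityType": "UserGroup", "category": "Audit.Admin",
     "eventName": "log-stream-started",
     "log": {"aws-s3-bucket": "s3-bucket", "aws-region": "eu-central-1"},
     "userAgent": "Mozilla/5.0"},
    {"CloudConnexaLogVersion": 1, "timestamp": "2023-11-09T10:28:04.239880Z",
     "cloudId": "test", "service": "CloudConnexa", "initiatorType": "User",
     "traceId": "0a94d102-8c98-4117-8b0e-5205d9788e67",
     "initiator": "2cc6965a-267e-40b2-9b67-ef2a9ecc2fe6",
     "category": "Activity.Admin", "eventName": "test-message"},
    {"CloudConnexaLogVersion": 2, "timestamp": "2030-01-01T00:00:00.000000Z",
     "cloudId": "test", "service": "CloudConnexa", "category": "Audit.Admin",
     "traceId": "00000000-0000-0000-0000-000000000000", "eventName": "log-stream-paused",
     "log": {}},
    {"CloudConnexaLogVersion": 1, "timestamp": "2030-01-01T00:00:01.000000Z",
     "cloudId": "test", "service": "CloudConnexa", "category": "Security.Logins",
     "traceId": "00000000-0000-0000-0000-000000000001", "eventName": "client-connected"},
]


def build_sample_gz():
    """Gzip the constructed sample in the one-event-per-line layout assumed above."""
    return gzip.compress("\n".join(json.dumps(e) for e in SAMPLE_EVENTS).encode("utf-8"))


if __name__ == "__main__":
    accepted, rejected = load_events(build_sample_gz())
    for name, event, _ in accepted:
        print("ok", name, event["traceId"])
    for index, message in rejected:
        print("rejected event", index, message)
```

Rejecting on version rather than silently parsing is deliberate: a future version may rename or retype fields, and a collector that keeps parsing would produce plausible-looking but wrong records. Unknown eventName values are passed through with whatever log object they carry, so a newly added event type does not break the pipeline.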

Log-Stream-Started Log Event JSON Format

Abstract

This document describes the JSON log event fields of the Log Streaming Log-Stream-Started event and provides an example.

The log-stream-started event is generated when Log Streaming is started. Refer to Activate Log Streaming. This event is added to the logs with the details on the destination AWS S3 bucket and Region.

The log event JSON contains the Header fields and a log JSON object. The fields in the log JSON object for when the eventName in the Header is set to log-stream-started are described in the table below. For more information on the Header, refer to Log Event Header Fields.

Table 3. JSON fields present in the log object for the log-stream-started log event

Field Name | Type | Description
aws-s3-bucket | String | The name of the configured AWS S3 bucket.
aws-region | String | The configured AWS S3 bucket's Region.



Example of a Log-Stream-Started Log Event
{
  "CloudConnexaLogVersion": 1,
  "timestamp": "2023-11-09T10:27:35.716006Z",
  "cloudId": "test",
  "service": "CloudConnexa",
  "traceId": "c50f4490-84c1-4156-aa24-cb61a1bb13cb",
  "publicIp": "100.96.3.11",
  "initiator": "2cc6965a-267e-40b2-9b67-ef2a9ecc2fe6",
  "initiatorRole": "Admin",
  "initiatorType": "User",
  "parentEntity": "e7856d84-d6b6-4803-94e1-b14e1abe483c",
  "parentEntityType": "UserGroup",
  "category": "Audit.Admin",
  "eventName": "log-stream-started",
  "log": {
    "aws-s3-bucket": "s3-bucket",
    "aws-region": "eu-central-1"
  },
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
}

Log-Stream-Paused Log Event JSON Format

Abstract

This document describes the JSON log event fields of the Log Streaming Log-Stream-Paused event and provides an example.

The log-stream-paused event is generated when Log Streaming is paused. Refer to Pause Log Streaming. This event is added to the logs with the details on the destination AWS S3 bucket and Region.

The log event JSON contains the Header fields and a log JSON object. The fields in the log JSON object for when the eventName in the Header is set to log-stream-paused are described in the table below. For more information on the Header, refer to Log Event Header Fields.

Table 4. JSON fields present in the log object for the log-stream-paused log event

Field Name | Type | Description
aws-s3-bucket | String | The name of the configured AWS S3 bucket.
aws-region | String | The configured AWS S3 bucket's Region.



Example of a Log-Stream-Paused Log Event
{
  "CloudConnexaLogVersion": 1,
  "timestamp": "2023-11-09T10:31:33.761596Z",
  "cloudId": "test",
  "service": "CloudConnexa",
  "traceId": "1faa0790-9ac8-44c5-92ba-dea27112ebb7",
  "publicIp": "100.96.3.11",
  "initiator": "2cc6965a-267e-40b2-9b67-ef2a9ecc2fe6",
  "initiatorRole": "Admin",
  "initiatorType": "User",
  "parentEntity": "e7856d84-d6b6-4803-94e1-b14e1abe483c",
  "parentEntityType": "UserGroup",
  "category": "Audit.Admin",
  "eventName": "log-stream-paused",
  "log": {
    "aws-s3-bucket": "s3-bucket",
    "aws-region": "eu-central-1"
  },
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
}

Test-Message Log Event JSON Format

Abstract

Describes the JSON log event fields of the Log Streaming Test-Message and provides an example.

This log event is generated when the Administrator generates a test message using the Administration portal. Refer to Test Log Streaming.

The JSON for this message contains the Header fields and no log JSON object. For more information on the Header, refer to Log Event Header Fields.

Example of a Test-Message Log Event
{
  "CloudConnexaLogVersion": 1,
  "timestamp": "2023-11-09T10:28:04.239880Z",
  "cloudId": "test",
  "service": "CloudConnexa",
  "traceId": "0a94d102-8c98-4117-8b0e-5205d9788e67",
  "publicIp": "100.96.3.11",
  "initiator": "2cc6965a-267e-40b2-9b67-ef2a9ecc2fe6",
  "initiatorRole": "Admin",
  "initiatorType": "User",
  "parentEntity": "e7856d84-d6b6-4803-94e1-b14e1abe483c",
  "parentEntityType": "UserGroup",
  "category": "Activity.Admin",
  "eventName": "test-message",
  "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36"
}

Client-Connected Log Event JSON Format

Abstract

This document describes the JSON log event fields of the Log Streaming Client-Connected log event and provides an example.

The client-connected log event is generated when an OpenVPN client (including Connectors) connects to CloudConnexa.

The log event JSON contains the Header fields and a log JSON object. The fields in the log JSON object for when the eventName in the Header is set to client-connected are described in the table below. For more information on the Header, refer to Log Event Header Fields.

Table 5. JSON fields present in the log object for the client-connected log event

Field Name | Type | Description
clientUUID | String | The unique hardware UUID of the connected device.
clientSessionId | String | A unique identifier assigned to the connection. Can be used to correlate other session events.
clientOsType | String | The client's operating system.
clientOsVersion | String | The version of the client's operating system.
clientPublicIp | String | The client's public IP address.
clientTunnelIpV4 | String | The IPv4 address of the client's OpenVPN tunnel.
clientTunnelIpV6 | String | The IPv6 address of the client's OpenVPN tunnel.
sessionProtocol | String | The protocol used for the OpenVPN tunnel.
sessionTunnelProtocol | String | The type of tunneling protocol used.
sessionStartTime | DateTime | The timestamp of when the connection started.
gatewayRegionName | String | The name of the CloudConnexa Region that the client connected to.
gatewayRegion | String | The identifier of the CloudConnexa Region that the client connected to.
gatewayId | String | The identifier of the specific gateway in the Region the client is connected to.



Example of a Client-Connected Log Event
{
  "CloudConnexaLogVersion": 1,
  "timestamp": "2023-12-19T22:43:06.000000Z",
  "cloudId": "test",
  "service": "CloudConnexa",
  "traceId": "c0e67713-576e-4a17-a549-3406596f0352",
  "clientPublicIp": "2600:1f1c:480:75cb:456f:a183:7166:30d9",
  "initiator": "ef9711c1-8011-4d0b-be03-92f83994ed44",
  "initiatorType": "Connector",
  "parentEntity": "db133159-7d87-4ed4-be3b-02cba18861e6",
  "parentEntityType": "NetworkOrHost",
  "category": "Security.Logins",
  "eventName": "client-connected",
  "log": {
    "clientUUID": "9d504069d0a94e7aa827cc1cafa8a9efeb011079af3241ea1a151e799d2c4141",
    "clientOsType": "Linux",
    "clientOsVersion": "Ubuntu 20.04.5 LTS",
    "sessionProtocol": "UDP",
    "clientPublicIp": "2600:1f1c:480:75cb:456f:a183:7166:30d9",
    "sessionStartTime": "2023-12-19T22:43:06.000000Z",
    "clientTunnelIpV4": "100.96.3.22",
    "clientTunnelIpV6": "fd:0:0:8121::6",
    "clientSessionId": "65821c894203d502df48e919",
    "gatewayRegionName": "San Jose (CA)",
    "gatewayRegion": "us-dev-1",
    "gatewayId": "us-ord-dc1-g1",
    "sessionTunnelProtocol": "OpenVPN"
  }
}

Client-Disconnected Log Event JSON Format

Abstract

This document describes the JSON log event fields of the Log Streaming Client-Disconnected log event and provides an example.

The client-disconnected log event is generated when an OpenVPN client (including Connectors) disconnects from CloudConnexa.

The log event JSON contains the Header fields and a log JSON object. The fields in the log JSON object for when the eventName in the Header is set to client-disconnected are described in the table below. For more information on the Header, refer to Log Event Header Fields.

Table 6. JSON fields present in the log object for the client-disconnected log event

Field Name | Type | Description
sessionBytesIn | Integer | The number of bytes transferred to the Client from CloudConnexa.
sessionBytesOut | Integer | The number of bytes transferred from the Client to CloudConnexa.
sessionDisconnectReason | String | The reason the connection was disconnected.
sessionDurationSeconds | Integer | The time in seconds that the Client was connected.
sessionEndTime | DateTime | The timestamp of when the connection was disconnected.
clientUUID | String | The unique hardware UUID of the disconnected device.
clientSessionId | String | A unique identifier assigned to the connection. Can be used to correlate other session events.
clientOsType | String | The client's operating system.
clientOsVersion | String | The version of the client's operating system.
clientPublicIp | String | The client's public IP address.
clientTunnelIpV4 | String | The IPv4 address of the client's OpenVPN tunnel.
clientTunnelIpV6 | String | The IPv6 address of the client's OpenVPN tunnel.
sessionProtocol | String | The protocol used for the OpenVPN tunnel.
sessionTunnelProtocol | String | The type of tunneling protocol used.
sessionStartTime | DateTime | The timestamp of when the connection started.
gatewayRegionName | String | The name of the CloudConnexa Region that the client disconnected from.
gatewayRegion | String | The identifier of the CloudConnexa Region that the client disconnected from.
gatewayId | String | The identifier of the specific gateway in the Region the client disconnected from.



Example of a Client-Disconnected Log Event
{
  "CloudConnexaLogVersion": 1,
  "timestamp": "2023-12-20T10:45:14.000000Z",
  "cloudId": "test",
  "service": "CloudConnexa",
  "traceId": "693bbbde-626d-4940-ac2b-4e75efb49bf7",
  "clientPublicIp": "178.136.162.32",
  "initiator": "5d34eabe-f88d-4570-9954-818c03b90b4b",
  "initiatorType": "Device",
  "parentEntity": "new@gmail.com",
  "parentEntityType": "User",
  "category": "Security.Logins",
  "eventName": "client-disconnected",
  "log": {
    "sessionBytesIn": 34409,
    "sessionBytesOut": 30971,
    "clientUUID": "8EE244A8-90C8-5AFF-8F83-9B7E8290E4A5",
    "sessionDisconnectReason": "User Disconnected",
    "clientOsType": "macOS",
    "clientOsVersion": "Ventura (13.3.1)",
    "sessionProtocol": "UDP",
    "clientPublicIp": "178.136.162.32",
    "sessionDurationSeconds": 4,
    "sessionEndTime": "2023-12-20T10:45:14.000000Z",
    "sessionStartTime": "2023-12-20T10:45:10.000000Z",
    "clientTunnelIpV4": "100.96.1.34",
    "clientTunnelIpV6": "fd:0:0:8102::2",
    "clientSessionId": "6582c5be4203d502df029d4a",
    "gatewayRegionName": "San Jose (CA)",
    "gatewayRegion": "us-dev-1",
    "gatewayId": "us-ord-dc1-g1",
    "sessionTunnelProtocol": "OpenVPN"
  }
}
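The clientSessionId field is what ties a client-connected event to its client-disconnected event. The following Python is an added example, not code from the documentation: it joins the two event types per session, reports sessions that are still open and cross-checks sessionDurationSeconds against sessionStartTime and sessionEndTime. The sample events reuse values from this page's examples (the Connector connect above, left open, and the Device disconnect above), with a constructed connect for that Device session and one constructed session whose reported duration disagrees with its timestamps.

```python
from datetime import datetime


def parse_ts(value):
    # CloudConnexa timestamps end in 'Z'; rewrite it so older fromisoformat accepts it.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def correlate_sessions(events):
    """Join client-connected / client-disconnected events on log.clientSessionId.

    Returns {clientSessionId: record}. A record whose 'end' is None is still open;
    a disconnect arriving without its connect is kept too, since a session can span
    two uploaded .gz files. 'anomalies' lists inconsistencies worth a second look.
    """
    sessions = {}
    for ev in events:
        name = ev.get("eventName")
        log = ev.get("log") or {}
        sid = log.get("clientSessionId")
        if name not in ("client-connected", "client-disconnected") or not sid:
            continue
        rec = sessions.setdefault(sid, {
            "initiator": ev.get("initiator"), "initiatorType": ev.get("initiatorType"),
            "start": None, "end": None, "public_ip": None, "gateway": None,
            "bytes_in": None, "bytes_out": None, "reported_duration": None,
            "computed_duration": None, "reason": None, "anomalies": [],
        })
        if ev.get("initiator") != rec["initiator"]:
            rec["anomalies"].append("initiator differs between connect and disconnect")
        if log.get("sessionStartTime"):
            rec["start"] = parse_ts(log["sessionStartTime"])
        rec["public_ip"] = log.get("clientPublicIp", rec["public_ip"])
        rec["gateway"] = log.get("gatewayId", rec["gateway"])
        if name == "client-disconnected":
            rec["end"] = parse_ts(log["sessionEndTime"])
            rec["bytes_in"] = log.get("sessionBytesIn")
            rec["bytes_out"] = log.get("sessionBytesOut")
            rec["reported_duration"] = log.get("sessionDurationSeconds")
            rec["reason"] = log.get("sessionDisconnectReason")
            if rec["start"] is not None:
                rec["computed_duration"] = int((rec["end"] - rec["start"]).total_seconds())
                if rec["computed_duration"] < 0:
                    rec["anomalies"].append("sessionEndTime precedes sessionStartTime")
                reported = rec["reported_duration"]
                if reported is not None and abs(rec["computed_duration"] - reported) > 1:
                    rec["anomalies"].append("sessionDurationSeconds does not match start/end")
    return sessions


def open_sessions(sessions):
    """clientSessionIds that have a connect but no disconnect yet."""
    return sorted(sid for sid, rec in sessions.items() if rec["end"] is None)


def flagged_sessions(sessions):
    """clientSessionIds with at least one recorded anomaly."""
    return sorted(sid for sid, rec in sessions.items() if rec["anomalies"])


# Constructed sample built from this page's examples (headers trimmed to the fields
# used here); the last session id and its timestamps are made up for the mismatch case.
SAMPLE_EVENTS = [
    {"eventName": "client-connected", "initiator": "ef9711c1-8011-4d0b-be03-92f83994ed44",
     "initiatorType": "Connector",
     "log": {"clientSessionId": "65821c894203d502df48e919", "gatewayId": "us-ord-dc1-g1",
             "sessionStartTime": "2023-12-19T22:43:06.000000Z",
             "clientPublicIp": "2600:1f1c:480:75cb:456f:a183:7166:30d9"}},
    {"eventName": "client-connected", "initiator": "5d34eabe-f88d-4570-9954-818c03b90b4b",
     "initiatorType": "Device",
     "log": {"clientSessionId": "6582c5be4203d502df029d4a", "gatewayId": "us-ord-dc1-g1",
             "sessionStartTime": "2023-12-20T10:45:10.000000Z",
             "clientPublicIp": "178.136.162.32"}},
    {"eventName": "client-disconnected", "initiator": "5d34eabe-f88d-4570-9954-818c03b90b4b",
     "initiatorType": "Device",
     "log": {"clientSessionId": "6582c5be4203d502df029d4a", "sessionBytesIn": 34409,
             "sessionBytesOut": 30971, "sessionDisconnectReason": "User Disconnected",
             "sessionDurationSeconds": 4, "sessionEndTime": "2023-12-20T10:45:14.000000Z",
             "sessionStartTime": "2023-12-20T10:45:10.000000Z",
             "clientPublicIp": "178.136.162.32", "gatewayId": "us-ord-dc1-g1"}},
    {"eventName": "client-disconnected", "initiator": "5d34eabe-f88d-4570-9954-818c03b90b4b",
     "initiatorType": "Device",
     "log": {"clientSessionId": "aaaaaaaa000000000000000a", "sessionDurationSeconds": 600,
             "sessionStartTime": "2024-01-01T00:00:00.000000Z",
             "sessionEndTime": "2024-01-01T00:00:04.000000Z"}},
]

if __name__ == "__main__":
    sessions = correlate_sessions(SAMPLE_EVENTS)
    print("open:", open_sessions(sessions))
    print("flagged:", flagged_sessions(sessions))
```

Keeping a disconnect whose connect never arrived (rather than dropping it) matters in practice: the two events can land in different .gz uploads, and the disconnect alone still carries the byte counts and the disconnect reason.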

Domain-Blocked Log Event JSON Format

Abstract

This document describes the JSON log event fields of the Log Streaming Domain-Blocked log event and provides an example.

The domain-blocked log event is generated when Cyber Shield Domain Filtering blocks a domain name resolution.

The log event JSON contains the Header fields and a log JSON object. The fields in the log JSON object for when the eventName in the Header is set to domain-blocked are described in the table below. For more information on the Header, refer to Log Event Header Fields.

Table 7. JSON fields present in the log object for the domain-blocked log event

Field Name | Type | Description
domain | String | The name of the domain that was blocked.
category | String | The content filtering category of the blocked domain.
queryType | String | The type of DNS query used for domain resolution.
protocol | String | The DNS protocol used.



Example of a Domain-Blocked Log Event
{
  "CloudConnexaLogVersion": 1,
  "timestamp": "2023-11-10T15:52:11.000000Z",
  "cloudId": "test",
  "service": "CloudConnexa",
  "traceId": "e8387be6-7a05-4c73-8dae-34047b414194",
  "initiator": "521572bc-fcc2-4c05-a78c-d2a9654cc676",
  "initiatorType": "Device",
  "parentEntity": "43efdaaa-d8a1-4af1-acc1-d96b77313f42",
  "parentEntityType": "User",
  "category": "Security.CyberShieldBlockedDomains",
  "eventName": "domain-blocked",
  "log": {
    "domain": "c2c-test-domain.openvpn.com",
    "category": "Command and Control",
    "queryType": "A",
    "protocol": "UDP"
  }
}

Flow-Established Log Event JSON Format

Abstract

This document describes the JSON log event fields of the Log Streaming Flow-Established log event and provides an example.

The flow-established log event is generated when a traffic flow is established through CloudConnexa between a source and a destination; the log object records both ends of the flow and whether it was allowed.

The log event JSON contains the Header fields and a log JSON object. The fields in the log JSON object for when the eventName in the Header is set to flow-established are described in the table below. For more information on the Header, refer to Log Event Header Fields.

Table 8. JSON fields present in the log object for the flow-established log event

Field Name | Type | Description
sourceEntityType | String | The entity type of the traffic flow source.
sourceEntityId | String | The unique identifier of the traffic flow source.
sourceParentType | String | The type of entity that is the parent of the traffic source.
sourceParentId | String | The unique identifier of the parent entity of the traffic source.
sourceGatewayRegion | String | The identifier of the CloudConnexa Region from which the traffic flow originated.
sourceGatewayRegionName | String | The name of the CloudConnexa Region from which the traffic flow originated.
sourceIp | String | The IP address of the traffic source.
destinationEntityType | String | The entity type of the traffic flow destination.
destinationEntityId | String | The unique identifier of the traffic flow destination.
destinationParentId | String | The identifier of the entity that is the parent of the traffic destination.
destinationParentType | String | The type of entity that is the parent of the traffic destination.
destinationEntityIp | String | The IP address of the traffic destination.
destinationGatewayRegion | String | The identifier of the destination CloudConnexa Region.
destinationGatewayRegionName | String | The name of the destination CloudConnexa Region.
allowed | Boolean | Set to true if the traffic flow was allowed and false if it was blocked.
clientSessionId | String | The unique identifier of the tunnel, which can be used to correlate all related events.
protocolName | String | The name of the traffic flow's protocol.
protocol | Integer | The traffic flow's protocol number according to IANA.
destinationPort | Integer | The traffic flow's destination port.



Example of a Flow-Established Log Event
{
  "CloudConnexaLogVersion": 1,
  "timestamp": "2023-12-20T11:21:41.000000Z",
  "cloudId": "test",
  "service": "CloudConnexa",
  "traceId": "f09df4d0-cf27-4fda-ae24-3d0dbf0332b6",
  "publicIp": "178.136.162.32",
  "initiator": "new",
  "initiatorType": "User",
  "parentEntity": "e2184d09-2441-4b58-8e63-224ede0e7203",
  "parentEntityType": "Group",
  "category": "Activity.AV",
  "eventName": "flow-established",
  "log": {
    "clientSessionId": "6582cc9d4203d502df225933",
    "sourceParentId": "new",
    "sourceParentType": "User",
    "sourceEntityId": "5d34eabe-f88d-4570-9954-818c03b90b4b",
    "sourceEntityType": "Device",
    "sourceIp": "100.96.1.34",
    "sourceGatewayRegion": "us-dev-1",
    "destinationParentId": "db133159-7d87-4ed4-be3b-02cba18861e6",
    "destinationParentType": "Internet Gateway",
    "destinationEntityId": "ef9711c1-8011-4d0b-be03-92f83994ed44",
    "destinationEntityType": "Connector",
    "destinationEntityIp": "18.221.229.81",
    "destinationPort": 443,
    "destinationGatewayRegion": "us-dev-1",
    "allowed": true,
    "protocolName": "tcp",
    "protocol": "6",
    "sourceGatewayRegionName": "San Jose (CA)",
    "destinationGatewayRegionName": "San Jose (CA)"
  }
}

Traffic-Blocked Log Event JSON Format

Abstract

This document describes the JSON log event fields of the Log Streaming Traffic-Blocked log event and provides an example.

The traffic-blocked log event is generated when Cyber Shield Traffic Filtering blocks a traffic flow.

The log event JSON contains the Header fields and a log JSON object. The fields in the log JSON object for when the eventName in the Header is set to traffic-blocked are described in the table below. For more information on the Header, refer to Log Event Header Fields.

Table 9. JSON fields present in the log object for the traffic-blocked log event

Field Name | Type | Description
signatureId | String | The ID of the traffic signature that matched the traffic flow and caused it to be blocked.
eventName | String | Informative text describing the traffic signature with which the blocked traffic flow was matched.
classification | String | Informative text describing the threat classification of the blocked traffic flow.
priority | Integer | The Cyber Shield Traffic Filtering priority level. Traffic matching specific patterns of interest is classified into three threat priority levels, where 1 is the highest severity and 3 is the lowest.
category | String | The Cyber Shield traffic filter category of the blocked traffic flow.
protocol | String | The protocol of the blocked traffic flow.
sourceIp | String | The IP address of the traffic source.
sourcePort | Integer | The port number of the traffic source.
destinationIp | String | The IP address of the intended traffic destination.
destinationPort | Integer | The port number of the intended traffic destination.



Example of a Traffic-Blocked Log Event
{
  "CloudConnexaLogVersion": 1,
  "timestamp": "2023-11-10T15:50:04.000000Z",
  "cloudId": "test",
  "service": "CloudConnexa",
  "traceId": "33249eb9-836e-4f9c-b9da-3688166bfa2b",
  "initiator": "521572bc-fcc2-4c05-a78c-d2a9654cc676",
  "initiatorType": "Device",
  "parentEntity": "43efdaaa-d8a1-4af1-acc1-d96b77313f42",
  "parentEntityType": "User",
  "category": "Security.CyberShieldBlockedTraffic",
  "eventName": "traffic-blocked",
  "log": {
    "signatureId": "1:99999907:1",
    "eventName": "ET WORM OpenVPN generate event for category Malware prio 1",
    "classification": "Attempted Information Leak",
    "priority": 1,
    "category": "Malware and Ransomware",
    "protocol": "TCP",
    "sourceIp": "100.96.1.130",
    "sourcePort": 55544,
    "destinationIp": "104.18.21.80",
    "destinationPort": 80
  }
}
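The three events that record a Cyber Shield decision (domain-blocked, traffic-blocked, and flow-established with allowed set to false) all identify the device through the initiator header field, which makes a per-device block summary straightforward. The Python below is an added example, not code from the documentation. It tolerates the different shapes the protocol field takes across event types (Table 8 types it Integer, but the flow-established example on this page carries the string "6", and traffic-blocked carries "TCP"), and it pulls out the priority 1 traffic-blocked hits for triage. The sample events are this page's own examples plus one constructed blocked flow; the IANA_PROTOCOLS table is the example's own and covers only a few protocol numbers.

```python
from collections import defaultdict

# Small IANA protocol-number table for the example; extend for other protocols.
IANA_PROTOCOLS = {1: "icmp", 6: "tcp", 17: "udp", 58: "ipv6-icmp"}


def normalize_protocol(value):
    """Return a lowercase protocol name for an int, a numeric string, or a name.

    Accepts 6 (as Table 8 documents), "6" (as the page's flow-established example
    carries it) and "TCP" (as traffic-blocked carries it).
    """
    if value is None:
        return None
    if isinstance(value, bool):
        raise TypeError("boolean is not a protocol")
    if isinstance(value, int):
        return IANA_PROTOCOLS.get(value, str(value))
    text = str(value).strip().lower()
    if text.isdigit():
        return IANA_PROTOCOLS.get(int(text), text)
    return text


def is_block_event(event):
    """True for domain-blocked, traffic-blocked, and flows with allowed == false."""
    name = event.get("eventName")
    log = event.get("log") or {}
    if name in ("domain-blocked", "traffic-blocked"):
        return True
    return name == "flow-established" and log.get("allowed") is False


def summarize_blocks(events):
    """Per initiator: counts of blocked flows, domains and signature hits, the most
    severe traffic-blocked priority seen (1 is highest) and the categories involved."""
    summary = defaultdict(lambda: {"flows_blocked": 0, "domains_blocked": 0,
                                   "traffic_blocked": 0, "top_priority": None,
                                   "categories": set()})
    for ev in events:
        if not is_block_event(ev):
            continue
        log = ev.get("log") or {}
        rec = summary[ev.get("initiator")]
        name = ev["eventName"]
        if name == "flow-established":
            rec["flows_blocked"] += 1
        elif name == "domain-blocked":
            rec["domains_blocked"] += 1
            rec["categories"].add(log.get("category"))
        else:
            rec["traffic_blocked"] += 1
            rec["categories"].add(log.get("category"))
            prio = log.get("priority")
            if prio is not None and (rec["top_priority"] is None or prio < rec["top_priority"]):
                rec["top_priority"] = prio
    return dict(summary)


def priority_one_hits(events):
    """traffic-blocked events at priority 1 as (timestamp, initiator, signatureId, destination)."""
    hits = []
    for ev in events:
        log = ev.get("log") or {}
        if ev.get("eventName") == "traffic-blocked" and log.get("priority") == 1:
            dest = f"{normalize_protocol(log.get('protocol'))}://{log.get('destinationIp')}:{log.get('destinationPort')}"
            hits.append((ev.get("timestamp"), ev.get("initiator"), log.get("signatureId"), dest))
    return sorted(hits)


# Constructed sample: the page's domain-blocked, traffic-blocked and flow-established
# examples (headers trimmed), plus one made-up blocked UDP flow for the Device above.
SAMPLE_EVENTS = [
    {"eventName": "domain-blocked", "timestamp": "2023-11-10T15:52:11.000000Z",
     "initiator": "521572bc-fcc2-4c05-a78c-d2a9654cc676",
     "log": {"domain": "c2c-test-domain.openvpn.com", "category": "Command and Control",
             "queryType": "A", "protocol": "UDP"}},
    {"eventName": "traffic-blocked", "timestamp": "2023-11-10T15:50:04.000000Z",
     "initiator": "521572bc-fcc2-4c05-a78c-d2a9654cc676",
     "log": {"signatureId": "1:99999907:1", "classification": "Attempted Information Leak",
             "priority": 1, "category": "Malware and Ransomware", "protocol": "TCP",
             "sourceIp": "100.96.1.130", "sourcePort": 55544,
             "destinationIp": "104.18.21.80", "destinationPort": 80}},
    {"eventName": "flow-established", "timestamp": "2023-12-20T11:21:41.000000Z",
     "initiator": "new",
     "log": {"allowed": True, "protocolName": "tcp", "protocol": "6",
             "destinationEntityIp": "18.221.229.81", "destinationPort": 443}},
    {"eventName": "flow-established", "timestamp": "2023-12-20T11:22:00.000000Z",
     "initiator": "5d34eabe-f88d-4570-9954-818c03b90b4b",
     "log": {"allowed": False, "protocolName": "udp", "protocol": 17,
             "destinationEntityIp": "198.51.100.7", "destinationPort": 53}},
]

if __name__ == "__main__":
    for initiator, rec in summarize_blocks(SAMPLE_EVENTS).items():
        print(initiator, rec)
    print(priority_one_hits(SAMPLE_EVENTS))
```

Normalising protocol at the edge of the pipeline, rather than where the value is used, is what lets the same comparison work across the three event types; the header-level category field (Security.CyberShieldBlockedDomains, Security.CyberShieldBlockedTraffic) is kept out of the key so that the summary is per device rather than per event class.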