Syslog format
To learn how to enable syslog export, read the procedure here: Syslog export
Event Logging Format
Node event logs are generated by default for all nodes. These logs are also visible in the Orchestrator user interface.
The CATEGORY field is one of NODE, HA or ENDPOINT.
An example node event log entry is shown here.
Sep 12 08:32:54 blastshield-ff22524feaf50cbb orchestrator: CATEGORY=NODE, EVENT=LOGIN, ID=c56bb32514828062, TYPE=USER, NAME=AliceG, PUBLIC_IP=86.137.109.176, LOCATION=Durham|England|United Kingdom
An example HA event log entry is shown here.
Sep 12 08:32:54 blastshield-ff22524feaf50cbb orchestrator: CATEGORY=HA, EVENT=ACTIVE_NODE, ID=c68cc0b911c16494, NAME=Gateway 1, ACTIVE_ID=86791867bc819416, ACTIVE_NAME=Gateway 2
An example Endpoint event log entry is shown here.
Sep 12 08:32:54 blastshield-ff22524feaf50cbb orchestrator: CATEGORY=ENDPOINT, STATUS=UNREACHABLE, REASON=GATEWAY_OFFLINE, ID=126, NAME=Endpoint name, ADDRESS=172.16.0.3, GATEWAY_ID=d6c74276ae49e9d1
The log format is explained in the following tables.
Example | Field | Description |
---|---|---|
Sep 12 | Date | Date of the log event (BSD syslog timestamp; no year is included). |
08:32:54 | Time | Time of the log event. |
blastshield-ff22524feaf50cbb | Network ID | The network ID (8-byte hex string), carried in the syslog hostname field. |
CATEGORY=NODE | CATEGORY | "NODE": a node event. The node type is given in the TYPE field. |
EVENT=LOGIN | EVENT | Node event types: "login", "logout", "new location", "registered new public key". Values are written in upper case in the log line, as in the example. |
ID=c56bb32514828062 | ID | Node ID (8-byte hex string). |
TYPE=USER | TYPE | Node types: "user", "agent", "gateway". Written in upper case in the log line, as in the example. |
NAME=AliceG | NAME | Name of the node, as provisioned in the Orchestrator. |
PUBLIC_IP=86.137.109.176 | PUBLIC_IP | Public IP address of the node. |
LOCATION=Durham\|England\|United Kingdom | LOCATION | Geo-location derived from the node's public IP address: city, region and country separated by "\|". |
Example | Field | Description |
---|---|---|
Sep 12 | Date | Date of the log event. |
08:32:54 | Time | Time of the log event. |
blastshield-ff22524feaf50cbb | Network ID | The network ID (8-byte hex string). |
CATEGORY=HA | CATEGORY | "HA": Gateway high availability. Only present if Gateway high availability is configured. |
EVENT=ACTIVE_NODE | EVENT | Event types: "NEW_STATE" (the state of the active node has changed), "ACTIVE_NODE" (a node has been promoted to the active node). |
ID=c68cc0b911c16494 | ID | Gateway HA ID (8-byte hex string). |
NAME=Gateway 1 | NAME | Name of the Gateway. |
ACTIVE_ID=86791867bc819416 | ACTIVE_ID | ID of the active node in the HA group (8-byte hex string). |
ACTIVE_NAME=Gateway 2 | ACTIVE_NAME | Name of the active node in the HA group. |
STATE=Online | STATE | High availability state: "Online", "Degraded" or "Offline". |
Example | Field | Description |
---|---|---|
Sep 12 | Date | Date of the log event. |
08:32:54 | Time | Time of the log event. |
blastshield-ff22524feaf50cbb | Network ID | The network ID (8-byte hex string). |
CATEGORY=ENDPOINT | CATEGORY | "ENDPOINT": a protected endpoint device. |
STATUS=UNREACHABLE | STATUS | Endpoint status: "REACHABLE" or "UNREACHABLE". |
ID=126 | ID | Endpoint ID (decimal). |
NAME=Endpoint name | NAME | Name of the endpoint, as provisioned in the Orchestrator. |
ADDRESS=172.16.0.3 | ADDRESS | Overlay IP address of the endpoint. |
GATEWAY_ID=d6c74276ae49e9d1 | GATEWAY_ID | ID of the Gateway which manages the endpoint (8-byte hex string). |
REASON=GATEWAY_OFFLINE | REASON | Present when the endpoint is unreachable; gives the reason it is unreachable. |
Proxy Event Logging Format
Proxy event logs will be generated if you have configured a Proxy Exit Agent. To learn how to configure a Proxy Exit Agent, please read the following instructions: The BlastShield™ SaaS Proxy Agent
An example log entry is shown here.
Sep 12 08:32:54 blastshield-ff22524feaf50cbb orchestrator: CATEGORY=PROXY, EVENT=REQUEST, REQUEST=CONNECT login.microsoftonline.com:443, CLIENT=AliceG, PROXY_AGENT=Exit Agent 1
The log format is explained in the following table.
Example | Field | Description |
---|---|---|
Sep 12 | Date | Date of the log event. |
08:32:54 | Time | Time of the log event. |
blastshield-ff22524feaf50cbb | Network ID | The network ID (8-byte hex string). |
orchestrator: CATEGORY=PROXY | CATEGORY | "PROXY": a proxy event. |
EVENT=REQUEST | EVENT | Event types: "request". Written in upper case in the log line, as in the example. |
REQUEST=CONNECT login.microsoftonline.com:443 | REQUEST | The request being proxied: the request method followed by the destination host and port (in the example, the domain being proxied is login.microsoftonline.com on port 443). |
CLIENT=AliceG | CLIENT | Name of the client in the connection, as provisioned in the Orchestrator. |
PROXY_AGENT=Exit Agent 1 | PROXY_AGENT | Name of the Proxy Agent which is processing the request. |
Extended Access Logging Format
Extended access logging is not enabled by default and must be enabled in the Orchestrator at an individual policy level. To learn how to do this, please read the following instructions: Enable Extended Access Logging
An example log entry is shown here.
Sep 12 08:32:54 blastshield-ff22524feaf50cbb orchestrator: CATEGORY=CONNECTION, EVENT=CONNECTION_ESTABLISHED, CLIENT=AliceG, CLIENT_PORT=64233, CLIENT_PUBLIC_IP=86.137.109.176, CLIENT_LOCATION=Durham|England|United Kingdom, SERVER=Raspberry pi, SERVER_PORT=22, RECEIVED=64, SENT=60
The log format is explained in the following table.
Example | Field | Description |
---|---|---|
Sep 12 | Date | Date of the log event. |
08:32:54 | Time | Time of the log event. |
blastshield-ff22524feaf50cbb | Network ID | The network ID (8-byte hex string). |
orchestrator: CATEGORY=CONNECTION | CATEGORY | "CONNECTION": a connection log. |
EVENT=CONNECTION_ESTABLISHED | EVENT | Event types: "connection_established", "connection_ended", "terminated_by_policy" (a policy change no longer allows the connection, e.g. a group was removed from the policy), "connection_refused" (regular connection failure), "connection_timed_out" (regular connection failure). Written in upper case in the log line, as in the example. |
CLIENT=AliceG | CLIENT | Name of the client in the connection, as provisioned in the Orchestrator. |
CLIENT_PORT=64233 | CLIENT_PORT | Client port number. |
CLIENT_PUBLIC_IP=86.137.109.176 | CLIENT_PUBLIC_IP | Public IP address of the client in the connection. |
CLIENT_LOCATION=Durham\|England\|United Kingdom | CLIENT_LOCATION | Geo-location derived from the client's public IP address: city, region and country separated by "\|". |
SERVER=Raspberry pi | SERVER | Name of the server in the connection, as provisioned in the Orchestrator. |
SERVER_PORT=22 | SERVER_PORT | Server port number. |
RECEIVED=64 | RECEIVED | Bytes received in the connection, including all headers and protocol signalling. |
SENT=60 | SENT | Bytes sent in the connection, including all headers and protocol signalling. |
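All four record formats on this page (node, HA and endpoint events, proxy events and extended access logs) share one shape: a BSD syslog header followed by comma-separated KEY=VALUE pairs. The parser below is an added example, written for this page and not BlastShield's own tooling, showing how a collector or SIEM ingest step can parse every format with one routine. The point worth handling is that values are not comma-free tokens: provisioned names contain spaces ("Gateway 1", "Exit Agent 1", "Raspberry pi"), REQUEST contains a space and a colon, and LOCATION uses "|" as its own separator, so the body is matched pair by pair up to the next ", KEY=" rather than split on commas. The assumption that keys are upper-case identifiers and that no value contains the sequence ", KEY=" is the parser's own, not stated by the page. The sample lines are constructed from this page's examples; the final CONNECTION_ENDED line and its byte counts are also constructed, with the event name taken from the table's "connection_ended" in the upper-case form the other examples use. Two checks a detection rule might make are included: listing endpoints reported UNREACHABLE and totalling RECEIVED/SENT bytes per client across CONNECTION records.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input, modelled on the example lines in this document
# (not captured from a live Orchestrator).  The last line is constructed too:
# its event name follows the table's "connection_ended" in upper case.
SAMPLE_LOG = """\
Sep 12 08:32:54 blastshield-ff22524feaf50cbb orchestrator: CATEGORY=NODE, EVENT=LOGIN, ID=c56bb32514828062, TYPE=USER, NAME=AliceG, PUBLIC_IP=86.137.109.176, LOCATION=Durham|England|United Kingdom
Sep 12 08:32:54 blastshield-ff22524feaf50cbb orchestrator: CATEGORY=HA, EVENT=ACTIVE_NODE, ID=c68cc0b911c16494, NAME=Gateway 1, ACTIVE_ID=86791867bc819416, ACTIVE_NAME=Gateway 2
Sep 12 08:32:54 blastshield-ff22524feaf50cbb orchestrator: CATEGORY=ENDPOINT, STATUS=UNREACHABLE, REASON=GATEWAY_OFFLINE, ID=126, NAME=Endpoint name, ADDRESS=172.16.0.3, GATEWAY_ID=d6c74276ae49e9d1
Sep 12 08:32:54 blastshield-ff22524feaf50cbb orchestrator: CATEGORY=PROXY, EVENT=REQUEST, REQUEST=CONNECT login.microsoftonline.com:443, CLIENT=AliceG, PROXY_AGENT=Exit Agent 1
Sep 12 08:32:54 blastshield-ff22524feaf50cbb orchestrator: CATEGORY=CONNECTION, EVENT=CONNECTION_ESTABLISHED, CLIENT=AliceG, CLIENT_PORT=64233, CLIENT_PUBLIC_IP=86.137.109.176, CLIENT_LOCATION=Durham|England|United Kingdom, SERVER=Raspberry pi, SERVER_PORT=22, RECEIVED=64, SENT=60
Sep 12 08:40:01 blastshield-ff22524feaf50cbb orchestrator: CATEGORY=CONNECTION, EVENT=CONNECTION_ENDED, CLIENT=AliceG, CLIENT_PORT=64233, CLIENT_PUBLIC_IP=86.137.109.176, CLIENT_LOCATION=Durham|England|United Kingdom, SERVER=Raspberry pi, SERVER_PORT=22, RECEIVED=4096, SENT=1200
"""

# Syslog header: "Mon DD HH:MM:SS <network-id> <program>: <body>".  The BSD-style
# timestamp carries neither year nor timezone, so the collector must supply both.
HEADER_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<network>\S+) (?P<program>[^\s:]+): (?P<body>.*)$"
)

# KEY=VALUE pairs separated by ", ".  Each value is matched lazily up to the next
# ", KEY=" or end of line, so spaces, ":" and "|" inside values survive.
# Assumption (ours, not the page's): keys are upper-case identifiers and no
# value ever contains the sequence ", KEY=".
PAIR_RE = re.compile(r"(?P<key>[A-Z][A-Z_]*)=(?P<value>.*?)(?=, [A-Z][A-Z_]*=|$)")


@dataclass
class Event:
    timestamp: str          # e.g. "Sep 12 08:32:54"
    network: str            # syslog hostname field, e.g. "blastshield-ff22524feaf50cbb"
    program: str            # e.g. "orchestrator"
    fields: Dict[str, str]  # KEY=VALUE pairs in the order they appeared

    @property
    def category(self) -> str:
        return self.fields.get("CATEGORY", "")


def parse_line(line: str) -> Event:
    """Parse one syslog line; raise ValueError for anything that is not a CATEGORY= record."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if m is None:
        raise ValueError(f"unrecognised syslog header: {line!r}")
    fields = {p.group("key"): p.group("value") for p in PAIR_RE.finditer(m.group("body"))}
    if "CATEGORY" not in fields:
        raise ValueError(f"no CATEGORY field: {line!r}")
    return Event(f"{m['month']} {m['day']} {m['time']}", m["network"], m["program"], fields)


def parse_log(text: str) -> List[Event]:
    """Parse every non-blank line of a syslog export."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def split_location(value: str) -> Dict[str, str]:
    """LOCATION / CLIENT_LOCATION are "city|region|country"; keep any other layout raw."""
    parts = value.split("|")
    if len(parts) != 3:
        return {"raw": value}
    return dict(zip(("city", "region", "country"), parts))


def unreachable_endpoints(events: List[Event]) -> List[Tuple[str, str, str]]:
    """(name, overlay address, reason) for every ENDPOINT record with STATUS=UNREACHABLE."""
    return [
        (e.fields.get("NAME", ""), e.fields.get("ADDRESS", ""), e.fields.get("REASON", ""))
        for e in events
        if e.category == "ENDPOINT" and e.fields.get("STATUS") == "UNREACHABLE"
    ]


def bytes_per_client(events: List[Event]) -> Dict[str, Tuple[int, int]]:
    """Sum (RECEIVED, SENT) over all CONNECTION records, keyed by provisioned client name."""
    totals: Dict[str, Tuple[int, int]] = {}
    for e in events:
        if e.category != "CONNECTION":
            continue
        rx, tx = totals.get(e.fields["CLIENT"], (0, 0))
        totals[e.fields["CLIENT"]] = (
            rx + int(e.fields.get("RECEIVED", "0")),
            tx + int(e.fields.get("SENT", "0")),
        )
    return totals


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev.timestamp, ev.category, ev.fields)
    print("unreachable:", unreachable_endpoints(evs))
    print("bytes per client:", bytes_per_client(evs))
```

The page does not say whether the byte counters on a connection_established record are included again in the later connection_ended record for the same connection, so a production rule should pick one event type to sum, or key on (client, client port, server, server port) and keep the last counters seen, rather than adding every CONNECTION record as this example does.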