Log representation and format

The following sections describe the representation and format of the data captured in the audit and health logs:

Audit log representation and format

Health log representation and format

Audit log representation and format

An audit entry is created for each request from a device, and a corresponding response entry is created for each response. Each audit entry is a JSON object; in the log file it is written on a single line after a syslog-style prefix (timestamp, Sentry hostname, the tag SENTRY_AUDIT and a level), as in the examples below. Points that matter when parsing the entries: the JSON keys for the use case, entry, user and device IDs are usecaseId, entryId, userId and deviceId, exactly as in the examples; clientHost is emitted with a leading slash (for example /10.11.80.93); httpStatus is a quoted string even though it is numeric; and neither the syslog prefix nor publishTime carries a time-zone offset, so both should be treated as Sentry local time.

The following sections describe the format of each type of audit log entry:

Audit log entry for a request

Audit log entry for a response

Audit log entry for IP VPN response to tunnel establishment request

Audit log entry for IP VPN internal connection

Audit log entry for a request

The following provides a description of the fields in the audit log entry for a request.

Table 43.   Field descriptions for a request in audit log

Field           Description
publishTime     Actual time of log capture. Logging time might vary based on async strategies.
entryId         Unique for every audit entry (GUID).
usecaseId       ID of the use case this entry belongs to; used to correlate a request with its response.
entryType       REQUEST.
userId          EMM user ID.
deviceId        Device identification.
deviceType      Type of device (iPhone, iPad, and so on).
serviceType     ActiveSync (emitted as ACTIVE_SYNC), CIFS, Access, APP_TUNNEL, TCP_TUNNEL, IP_TUNNEL.
serviceName     Name of the service.
clientHost      Immediate client end-point; if the request comes via a proxy, this is the proxy end-point. Emitted with a leading slash (for example /10.11.80.93).
clientPort      Client-side port of the connection.
requestUrl      URL used by the device.
httpMethod      HTTP method used for this request.
applicationId   Identifier of the app that made the request (an app bundle ID in the examples, such as com.mobileiron.securebrowser).
forwardedFor    If a proxy is forwarding the request, this holds the actual client host identifier.
contextHeaders
serverHost      Details of the downstream server.
serverPort      Port on the downstream server.
action          ALLOW | BLOCK | NONE. Compliance action taken by Sentry; NONE means that no compliance decision applies (Access).

Audit log entry for a response

The following provides a description of the fields in the audit log entry for a response.

Table 44.   Field descriptions for a response in audit log

Field           Description
publishTime     Actual time of log capture. Logging time might vary based on async strategies.
entryId         Unique for every audit entry (GUID).
usecaseId       ID of the use case this entry belongs to; used to correlate a response with its request.
entryType       RESPONSE.
userId          EMM user ID.
deviceId        Device identification.
deviceType      Type of device.
serviceType     ActiveSync (emitted as ACTIVE_SYNC), CIFS, Access, APP_TUNNEL, TCP_TUNNEL, IP_TUNNEL.
serviceName     Name of the service.
clientHost      Immediate client end-point; if the request came via a proxy, this could be the proxy end-point. Emitted with a leading slash.
clientPort      Client-side port of the connection.
serverHost      Details of the downstream server (present in the ActiveSync, HTTP tunnel and TCP tunnel response examples below).
serverPort      Port on the downstream server.
httpStatus      HTTP response code (emitted as a string, for example "200").
sentryHost      Standalone Sentry hostname.
sentryPort      Standalone Sentry port.
sentryAddress   Standalone Sentry IP address.

Audit log entry for IP VPN response to tunnel establishment request

The following provides a description of the fields in the audit log entry that is written in response to a request to establish an IP VPN tunnel. It is a RESPONSE entry with serviceType IP_TUNNEL; there is no separate REQUEST entry for the tunnel itself, and the connections made through the tunnel are logged as IP_VPN_CONN entries under the same usecaseId.

Table 45.   Field descriptions for IP VPN response to Ivanti Tunnel establishment request in audit log

Field           Description
publishTime     Actual time of log capture. Logging time might vary based on async strategies.
entryId         Unique for every audit entry (GUID).
usecaseId       ID of the use case this entry belongs to; the IP_VPN_CONN entries for connections made through this tunnel carry the same value.
entryType       RESPONSE.
userId          EMM user ID.
deviceId        Device identification.
serviceType     IP_TUNNEL.
clientHost      Immediate client end-point; if the request came via a proxy, this could be the proxy end-point. Emitted with a leading slash.
clientPort      Client-side port of the connection.
serverPort      Port on which the tunnel was established (443 in the example below).
httpStatus      HTTP response code (emitted as a string).

Audit log entry for IP VPN internal connection

The following provides a description of the fields in the audit log entry for a connection made through an established IP VPN tunnel. One entry is written per tunnelled TCP or UDP connection (in the example below, a UDP DNS lookup and a TCP connection to port 443 appear as separate entries under the usecaseId of the tunnel response); serverHost and action together record which internal destination the device reached and whether Sentry allowed it.

Table 46.   Field descriptions for an IP VPN internal connection entry in audit logs

Field           Description
publishTime     Actual time of log capture. Logging time might vary based on async strategies.
entryId         Unique for every audit entry (GUID).
usecaseId       ID of the use case this entry belongs to; matches the usecaseId of the tunnel RESPONSE entry.
entryType       IP_VPN_CONN.
userId          EMM user ID.
deviceId        Device identification.
serviceType     IP_TUNNEL.
clientHost      Immediate client end-point of the tunnel. Emitted with a leading slash.
clientPort      Client-side port of the tunnel connection.
serverHost      Destination host of the tunnelled connection (hostname or IP address).
serverPort      Destination port of the tunnelled connection.
action          Compliance action: ALLOW, BLOCK or NONE.
type            Connection type: UDP or TCP.
sentryHost      Standalone Sentry hostname.
sentryPort      Standalone Sentry port.
sentryAddress   Standalone Sentry IP address.

Examples for audit log entries

Following are examples of audit log entries:

IPVPN audit log example

ActiveSync audit log example

HTTP tunnel audit log example

TCP tunnel audit log example

IPVPN audit log example

2017 Nov 1 04:13:59 eapp123.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-43fbd6d7-258d-4d55-aa81-cf1ba11533b4","entryType":"RESPONSE","userId":"hdhindsa","deviceId":"22002","serviceType":"IP_TUNNEL","clientHost":"/24.5.120.210","clientPort":44258,"publishTime":"11/01/2017 4:13:59","entryId":"E-6ec1eeda-5d25-4d3b-8107-5101c188830f","serverPort":443,"httpStatus":"200"}

 

2017 Nov 1 04:14:06 eapp123.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-43fbd6d7-258d-4d55-aa81-cf1ba11533b4","entryType":"IP_VPN_CONN","userId":"hdhindsa","deviceId":"22002","serviceType":"IP_TUNNEL","clientHost":"/24.5.120.210","clientPort":44258,"publishTime":"11/01/2017 4:14:06","entryId":"E-4190ad90-4391-47b1-b2b3-298aec6aec5a","serverHost":"autodns001.auto.mobileiron.com","serverPort":53,"action":"ALLOW","type":"UDP"}

 

2017 Nov 1 04:14:06 eapp123.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-43fbd6d7-258d-4d55-aa81-cf1ba11533b4","entryType":"IP_VPN_CONN","userId":"hdhindsa","deviceId":"22002","serviceType":"IP_TUNNEL","clientHost":"/24.5.120.210","clientPort":44258,"publishTime":"11/01/2017 4:14:06","entryId":"E-b30097d0-f888-4437-b49d-232d4f364815","serverHost":"216.58.192.10","serverPort":443,"sentryHost":"10.10.57.239","sentryPort":446,"sentryAddress":"10.25.35.237","action":"ALLOW","type":"TCP"}

 

ActiveSync audit log example

2017 Nov 7 21:23:39 app101.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-ee3608c9-4c88-4b93-8221-bd69cb4da900","entryType":"REQUEST","userId":"testuser0851","deviceId":"HroLBGueAofSIkAcECcHMTTqd2","deviceType":"MD723LL","serviceType":"ACTIVE_SYNC","serviceName":"ActiveSync","clientHost":"/10.11.80.93","clientPort":61693,"publishTime":"11/07/2017 21:23:38","entryId":"E-ee3608c9-4c88-4b93-8221-bd69cb4da900","serverHost":"ex2013.auto19.mobileiron.com","serverPort":443,"requestUrl":"/Microsoft-Server-ActiveSync","httpMethod":"POST","action":"ALLOW"}

 

2017 Nov 7 21:23:41 app101.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-ee3608c9-4c88-4b93-8221-bd69cb4da900","entryType":"RESPONSE","userId":"testuser0851","deviceId":"HroLBGueAofSIkAcECcHMTTqd2","serviceType":"ACTIVE_SYNC","clientHost":"/10.11.80.93","clientPort":61693,"publishTime":"11/07/2017 21:23:39","entryId":"E-49b382b2-07c9-4a82-87d3-3f1f45751879","serverHost":"ex2013.auto19.mobileiron.com","serverPort":443,"sentryHost":"10.10.57.239","sentryPort":446,"sentryAddress":"10.25.35.237","httpStatus":"200"}

 

HTTP tunnel audit log example

 

2017 Nov 3 23:06:57 eapp074.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-dd7086fc-9599-4581-a8bc-5a9057ce085b","entryType":"REQUEST","userId":"testuser7331","deviceId":"62b6ae69-9ca8-4176-85dd-11a7ecaee130","deviceType":"iPhone 6","serviceType":"APP_TUNNEL","serviceName":"<ANY>","clientHost":"/10.11.205.8","clientPort":1821,"publishTime":"11/03/2017 23:06:57","entryId":"E-dd7086fc-9599-4581-a8bc5a9057ce085b","serverHost":"wiki.mobileiron.com","serverPort":443,"requestUrl":"https://wiki.mobileiron.com/login.action?os_destination=%2Findex.action&permissionViolation=true","httpMethod":"GET","applicationId":"com.mobileiron.securebrowser","action":"ALLOW"}

 

2017 Nov 3 23:06:57 eapp074.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-dd7086fc-9599-4581-a8bc-5a9057ce085b","entryType":"RESPONSE","userId":"testuser7331","deviceId":"62b6ae69-9ca8-4176-85dd-11a7ecaee130","serviceType":"APP_TUNNEL","clientHost":"/10.11.205.8","clientPort":1821,"publishTime":"11/03/2017 23:06:57","entryId":"E-c0cd7a3d-1832-4b85-b28c-7385d2b0eb0c","serverHost":"wiki.mobileiron.com","serverPort":443,"sentryHost":"10.10.57.239","sentryPort":446,"sentryAddress":"10.25.35.237","httpStatus":"200"}

 

TCP tunnel audit log example

 

2017 Nov 3 23:06:07 eapp074.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-bd77654c-42dc-48f3-9b2c-9aa2d5d63650","entryType":"REQUEST","userId":"testuser7331","deviceId":"62b6ae69-9ca8-4176-85dd-11a7ecaee130","serviceType":"TCP_TUNNEL","serviceName":"<TCP_ANY>","clientHost":"/10.11.205.8","clientPort":1391,"publishTime":"11/03/2017 23:06:07","entryId":"E-bd77654c-42dc-48f3-9b2c-9aa2d5d63650","serverHost":"googleads.g.doubleclick.net","serverPort":443,"applicationId":"com.google.chrome.ios","action":"ALLOW"}

 

 

2017 Nov 3 23:06:07 eapp074.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-bd77654c-42dc-48f3-9b2c-9aa2d5d63650","entryType":"RESPONSE","userId":"testuser7331","deviceId":"62b6ae69-9ca8-4176-85dd-11a7ecaee130","serviceType":"TCP_TUNNEL","clientHost":"/10.11.205.8","clientPort":1391,"publishTime":"11/03/2017 23:06:07","entryId":"E-4fa74e1f-e0df-4093-9cd1-a716aa0697ff","serverHost":"googleads.g.doubleclick.net","serverPort":443,"sentryHost":"10.10.57.239","sentryPort":446,"sentryAddress":"10.25.35.237","httpStatus":"200"}
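The entries above are only useful in an investigation once they are parsed and joined back together: a REQUEST with its RESPONSE, or a tunnel RESPONSE with every IP_VPN_CONN made through it, using usecaseId as the key. The following is an added example (not Sentry's own code) that does exactly that for a batch of lines and then pulls out what a reviewer wants first: compliance BLOCKs, and tunnelled connections to destinations outside an expected set. The sample lines, hostnames, users, device IDs and the allow-list are constructed for the example; the line layout follows the documented format.

```python
"""Parse Standalone Sentry audit-log lines and correlate them by usecaseId.

Added example, not Sentry code. SAMPLE_LINES are constructed to follow the documented
layout: syslog-style prefix, the tag SENTRY_AUDIT, a level, then one JSON object.
"""
import json
import re
from collections import defaultdict
from datetime import datetime

# "<year> <Mon> <day> <HH:MM:SS> <sentry host> SENTRY_AUDIT: <level> {json}"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) SENTRY_AUDIT: (?P<level>\w+) (?P<json>\{.*\})\s*$"
)


def parse_line(line):
    """Return the normalised entry for one SENTRY_AUDIT line, or None for any other line.

    Raises ValueError when the JSON payload is malformed; callers should count such
    lines rather than silently drop them. Normalisations a consumer needs:
      - clientHost is emitted with a leading '/' ("/10.11.80.93"); strip it before matching
      - publishTime is "MM/DD/YYYY H:MM:SS" with no zone; it is Sentry local time
      - httpStatus is a quoted string in the log although it is numeric
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    entry = json.loads(m.group("json"))  # JSONDecodeError (a ValueError) on a bad payload
    entry["syslogHost"] = m.group("host")
    entry["clientHost"] = entry.get("clientHost", "").lstrip("/")
    if "publishTime" in entry:
        entry["publishTime"] = datetime.strptime(entry["publishTime"], "%m/%d/%Y %H:%M:%S")
    if "httpStatus" in entry:
        entry["httpStatus"] = int(entry["httpStatus"])
    return entry


def correlate(lines):
    """Group entries by usecaseId. Returns (groups, malformed_lines).

    One usecaseId covers a REQUEST and its RESPONSE, or, for IP_TUNNEL, the tunnel
    RESPONSE plus every IP_VPN_CONN made through that tunnel.
    """
    groups = defaultdict(list)
    malformed = []
    for line in lines:
        try:
            entry = parse_line(line)
        except ValueError:
            malformed.append(line)
            continue
        if entry is not None:
            groups[entry["usecaseId"]].append(entry)
    return dict(groups), malformed


def review(groups, allowed_tunnel_hosts):
    """Findings worth a reviewer's time: compliance BLOCKs, and tunnelled connections to
    hosts outside allowed_tunnel_hosts (a constructed allow-list, not a Sentry setting)."""
    findings = []
    for usecase_id, entries in groups.items():
        for e in entries:
            if e.get("action") == "BLOCK":
                findings.append((usecase_id, "blocked", e["userId"], e["deviceId"], e.get("serverHost")))
            elif e.get("entryType") == "IP_VPN_CONN" and e.get("serverHost") not in allowed_tunnel_hosts:
                findings.append((usecase_id, "unexpected-destination", e["userId"], e["deviceId"], e["serverHost"]))
    return findings


# Constructed sample: one IP VPN tunnel with two tunnelled connections, one blocked
# ActiveSync request with its response, a non-audit line, and a malformed payload.
SAMPLE_LINES = """\
2017 Nov 1 04:13:59 sentry1.example.com SENTRY_AUDIT: INFO {"usecaseId":"U-1","entryType":"RESPONSE","userId":"alice","deviceId":"22002","serviceType":"IP_TUNNEL","clientHost":"/203.0.113.10","clientPort":44258,"publishTime":"11/01/2017 4:13:59","entryId":"E-1","serverPort":443,"httpStatus":"200"}
2017 Nov 1 04:14:06 sentry1.example.com SENTRY_AUDIT: INFO {"usecaseId":"U-1","entryType":"IP_VPN_CONN","userId":"alice","deviceId":"22002","serviceType":"IP_TUNNEL","clientHost":"/203.0.113.10","clientPort":44258,"publishTime":"11/01/2017 4:14:06","entryId":"E-2","serverHost":"dns.corp.example.com","serverPort":53,"action":"ALLOW","type":"UDP"}
2017 Nov 1 04:14:06 sentry1.example.com SENTRY_AUDIT: INFO {"usecaseId":"U-1","entryType":"IP_VPN_CONN","userId":"alice","deviceId":"22002","serviceType":"IP_TUNNEL","clientHost":"/203.0.113.10","clientPort":44258,"publishTime":"11/01/2017 4:14:06","entryId":"E-3","serverHost":"198.51.100.7","serverPort":443,"sentryHost":"10.0.0.5","sentryPort":446,"sentryAddress":"10.0.0.5","action":"ALLOW","type":"TCP"}
2017 Nov 7 21:23:39 sentry1.example.com SENTRY_AUDIT: INFO {"usecaseId":"U-2","entryType":"REQUEST","userId":"bob","deviceId":"dev-bob","deviceType":"iPhone","serviceType":"ACTIVE_SYNC","serviceName":"ActiveSync","clientHost":"/10.11.80.93","clientPort":61693,"publishTime":"11/07/2017 21:23:38","entryId":"E-4","serverHost":"mail.corp.example.com","serverPort":443,"requestUrl":"/Microsoft-Server-ActiveSync","httpMethod":"POST","action":"BLOCK"}
2017 Nov 7 21:23:41 sentry1.example.com SENTRY_AUDIT: INFO {"usecaseId":"U-2","entryType":"RESPONSE","userId":"bob","deviceId":"dev-bob","serviceType":"ACTIVE_SYNC","clientHost":"/10.11.80.93","clientPort":61693,"publishTime":"11/07/2017 21:23:39","entryId":"E-5","serverHost":"mail.corp.example.com","serverPort":443,"sentryHost":"10.0.0.5","sentryPort":446,"sentryAddress":"10.0.0.5","httpStatus":"403"}
not an audit line
2017 Nov 7 21:23:41 sentry1.example.com SENTRY_AUDIT: INFO {"usecaseId":"U-3","entryType":"RESPONSE","sentryPort":446"}
""".splitlines()

if __name__ == "__main__":
    groups, malformed = correlate(SAMPLE_LINES)
    for finding in review(groups, {"dns.corp.example.com"}):
        print(finding)
    print(f"{len(malformed)} malformed line(s) skipped")
```

Two design points: the malformed line is reported rather than dropped, because a parser that silently loses audit entries is worse than one that fails loudly; and the destination check is applied to IP_VPN_CONN entries only, since for HTTP and TCP tunnels the destination is already visible in the REQUEST entry's serverHost.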

Health log representation and format

The following provide the representation and format for Sentry health logs:

/var/log/mihealth_export/openPorts.log

/var/log/mihealth_export/hardware.log

/var/log/mihealth_export/cpu.log

/var/log/mihealth_export/vmstat.log

/var/log/mihealth_export/openPorts.log

sourcetype: sentry_mihealth_openPorts (the REGEX and FORMAT lines below are the Splunk-style field-extraction rule for this sourcetype: Proto is the first token of each line, Port the numeric second token; the "Proto Port" header row does not match because "Port" is not numeric)

Proto Port

tcp 9090

...

udp 10012

REGEX = ([^\s]+)\s+([0-9]+)

FORMAT = Proto::"$1" Port::"$2"

/var/log/mihealth_export/hardware.log

sourcetype: sentry_mihealth_hardware

KEY VALUE

CPU_TYPE Intel(R) Xeon(R) CPU E5504 @ 2.00GHz

CPU_CACHE 4096 KB

CPU_COUNT 1

HARD_DRIVES sda (Virtual disk) 200 GB;

NIC_TYPE <notAvailable>

NIC_COUNT 1

MEMORY_REAL 2054232 kB

MEMORY_SWAP 4128764 kB

/var/log/mihealth_export/cpu.log

sourcetype: sentry_mihealth_cpu (the REGEX and FORMAT lines below extract the five percentages from the "all" row only; the per-core rows are not extracted)

CPU pctUser pctNice pctSystem pctIowait pctIdle

all 0.00 1.01 1.01 0.00 97.98

0 0.00 1.01 1.01 0.00 97.98

REGEX = all\s+(\d*\.*\d*)\s+(\d*\.*\d*)\s+(\d*\.*\d*)\s+(\d*\.*\d*)\s+(\d*\.*\d*)

FORMAT = pctUser::$1 pctNice::$2 pctSystem::$3 pctIowait::$4 pctIdle::$5

/var/log/mihealth_export/vmstat.log

Generated from /usr/bin/vmstat; one key=value record per sample, with the fields named as in vmstat output:

sourcetype: sentry_mihealth_vmstat

time=2017-09-05 10:24:01, r=5, b=0, swpd=10268, free=80444, buff=109964, cache=845276, si=0, so=0, bi=5, bo=12, in=115, cs=208, us=1, sy=0, id=99, wa=0, st=0
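The four health logs use three different layouts (a two-column list, KEY VALUE rows, and key=value records), so a monitoring job needs one small parser per file. The following is an added example (not Sentry's own tooling) that reuses the REGEX lines from this page unchanged for openPorts.log and cpu.log, parses hardware.log and vmstat.log, and diffs the listening ports against a baseline, since a new listener appearing on a Sentry is the one health-log change that is also a security signal. All file contents and the port baseline are constructed inline in the layouts shown above; the ports in the baseline are not a statement of what a real Sentry listens on.

```python
"""Parse the four mihealth_export health logs and diff open ports against a baseline.

Added example, not Sentry tooling. OPEN_PORTS_RE and CPU_RE are the REGEX rules from
this page; the sample file contents and BASELINE_PORTS are constructed.
"""
import re

OPEN_PORTS_RE = re.compile(r"([^\s]+)\s+([0-9]+)")  # REGEX for sentry_mihealth_openPorts
CPU_RE = re.compile(                                  # REGEX for sentry_mihealth_cpu ("all" row)
    r"all\s+(\d*\.*\d*)\s+(\d*\.*\d*)\s+(\d*\.*\d*)\s+(\d*\.*\d*)\s+(\d*\.*\d*)"
)
CPU_FIELDS = ("pctUser", "pctNice", "pctSystem", "pctIowait", "pctIdle")


def parse_open_ports(text):
    """openPorts.log -> set of (proto, port). The "Proto Port" header never matches
    because "Port" is not numeric, so it needs no special handling."""
    listeners = set()
    for line in text.splitlines():
        m = OPEN_PORTS_RE.match(line.strip())
        if m:
            listeners.add((m.group(1), int(m.group(2))))
    return listeners


def parse_hardware(text):
    """hardware.log -> dict KEY -> VALUE. Values contain spaces, so split on the first
    whitespace run only; the "KEY VALUE" header row is skipped."""
    hw = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] != "KEY":
            hw[parts[0]] = parts[1]
    return hw


def parse_cpu(text):
    """cpu.log -> dict of the five percentages from the "all" row as floats, or None
    if there is no such row (per-core rows are ignored, as the page's regex does)."""
    for line in text.splitlines():
        m = CPU_RE.match(line.strip())
        if m:
            return dict(zip(CPU_FIELDS, (float(v) for v in m.groups())))
    return None


def parse_vmstat(text):
    """vmstat.log -> list of dicts, one per "time=..., r=5, ..." record. The time stays
    a string (no zone is recorded); every other field becomes an int."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("time="):
            continue
        row = {}
        for kv in line.split(", "):
            key, value = kv.split("=", 1)
            row[key] = value if key == "time" else int(value)
        rows.append(row)
    return rows


def port_drift(observed, baseline):
    """(unexpected, missing): listeners that appeared beyond the baseline, and baseline
    listeners that are gone. A new listener deserves an alert; a missing one usually
    means a service is down."""
    return observed - baseline, baseline - observed


# Constructed sample content in the layouts shown on this page.
OPEN_PORTS_LOG = "Proto Port\ntcp 9090\ntcp 443\nudp 10012\ntcp 2222\n"
HARDWARE_LOG = (
    "KEY VALUE\n"
    "CPU_TYPE Intel(R) Xeon(R) CPU E5504 @ 2.00GHz\n"
    "CPU_COUNT 1\n"
    "HARD_DRIVES sda (Virtual disk) 200 GB;\n"
    "MEMORY_REAL 2054232 kB\n"
)
CPU_LOG = (
    "CPU pctUser pctNice pctSystem pctIowait pctIdle\n"
    "all 0.00 1.01 1.01 0.00 97.98\n"
    "0 0.00 1.01 1.01 0.00 97.98\n"
)
VMSTAT_LOG = (
    "time=2017-09-05 10:24:01, r=5, b=0, swpd=10268, free=80444, buff=109964, "
    "cache=845276, si=0, so=0, bi=5, bo=12, in=115, cs=208, us=1, sy=0, id=99, wa=0, st=0\n"
)
BASELINE_PORTS = {("tcp", 9090), ("tcp", 443), ("udp", 10012)}  # constructed expected listeners

if __name__ == "__main__":
    unexpected, missing = port_drift(parse_open_ports(OPEN_PORTS_LOG), BASELINE_PORTS)
    print("unexpected listeners:", sorted(unexpected), "missing:", sorted(missing))
    print("idle %:", parse_cpu(CPU_LOG)["pctIdle"], "free kB:", parse_vmstat(VMSTAT_LOG)[0]["free"])
```

The baseline should be captured from a known-good Sentry after installation and kept under change control; the diff is then meaningful in both directions, and the hardware.log values can be compared the same way to detect an appliance whose CPU, disk or memory inventory changed unexpectedly.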