Log representation and format
The following sections describe the representation and format of the data captured in audit and health logs:
• Audit log representation and format
• Health log representation and format
Audit log representation and format
An audit entry is created for each request from a device, and a corresponding response entry is created for each request. Audit log entries are in JSON format.
The following sections describe the format of audit log entries:
• Audit log entry for a request
• Audit log entry for a response
• Audit log entry for IP VPN response to tunnel establishment request
• Audit log entry for IP VPN internal connection
Audit log entry for a request
The following provides a description of the fields in the audit log entry for a request.
| Field | Description |
| publishTime | Actual time of log capture. Logging time might vary based on async strategies. |
| entryID | Unique for every audit entry. GUID. |
| useCaseID | ID of the use case to which this entry belongs. Used to relate a request to its response. |
| entryType | REQUEST. |
| userID | EMM user ID. |
| deviceID | Device identification. |
| deviceType | Type of device, for example iPhone or iPad. |
| serviceType | ActiveSync, CIFS, Access, APP_TUNNEL, TCP_TUNNEL, IP_TUNNEL. |
| serviceName | Name of service. |
| clientHost | Immediate client end-point; if coming via proxy, this could be proxy end-point. |
| clientPort | |
| requestUrl | URL used by device. |
| httpMethod | HTTP method used for this request. |
| applicationId | |
| forwardedFor | If a proxy is forwarding the request, this holds the actual client host identifier. |
| contextHeaders | |
| serverHost | Details of downstream server. |
| serverPort | |
| action | ALLOW, BLOCK, or NONE. The Sentry compliance action taken; NONE means no compliance action was applied (Access). |
Audit log entry for a response
The following provides a description of the fields in the audit log entry for a response.
| Field | Description |
| publishTime | Actual time of log capture. Logging time might vary based on async strategies. |
| entryID | Unique for every audit entry. GUID. |
| useCaseID | ID of the use case to which this entry belongs. Used to relate a request to its response. |
| entryType | RESPONSE. |
| userID | EMM user ID. |
| deviceID | Device identification. |
| deviceType | Type of device. |
| serviceType | ActiveSync, CIFS, Access, APP_TUNNEL, TCP_TUNNEL, IP_TUNNEL. |
| serviceName | Name of service. |
| clientHost | Immediate client end-point; if coming via proxy, this could be proxy end-point. |
| clientPort | |
| httpStatus | HTTP response code. |
| sentryHost | Standalone Sentry hostname. |
| sentryPort | Standalone Sentry port. |
| sentryAddress | Standalone Sentry IP address. |
Audit log entry for IP VPN response to tunnel establishment request
The following provides a description of the fields in the audit log entry for a request to establish an IP VPN tunnel.
| Field | Description |
| publishTime | Actual time of log capture. Logging time might vary based on async strategies. |
| entryID | Unique for every audit entry. GUID. |
| useCaseID | ID of the use case to which this entry belongs. Used to relate a request to its response. |
| entryType | RESPONSE. |
| userID | EMM user ID. |
| deviceID | Device identification. |
| serviceType | IP_TUNNEL. |
| clientHost | Immediate client end-point; if coming via proxy, this could be proxy end-point. |
| clientPort | |
| serverPort | |
| httpStatus | HTTP response code. |
Audit log entry for IP VPN internal connection
The following provides a description of the fields in the audit log entry for an internal IP VPN tunnel connection.
| Field | Description |
| publishTime | Actual time of log capture. Logging time might vary based on async strategies. |
| entryID | Unique for every audit entry. GUID. |
| useCaseID | ID of the use case to which this entry belongs. Used to relate a request to its response. |
| entryType | IP_VPN_CONN. |
| userID | EMM user ID. |
| deviceID | Device identification. |
| serviceType | IP_TUNNEL. |
| clientHost | Immediate client end-point; if coming via proxy, this could be proxy end-point. |
| clientPort | |
| serverHost | Details of downstream server. |
| serverPort | |
| action | Compliance action: ALLOW, BLOCK, or NONE. |
| type | Connection type: UDP or TCP. |
| sentryHost | Standalone Sentry hostname. |
| sentryPort | Standalone Sentry port. |
| sentryAddress | Standalone Sentry IP address. |
Examples for audit log entries
The following are examples of audit log entries:
• IPVPN audit log example
• ActiveSync audit log example
• HTTP tunnel audit log example
• TCP tunnel audit log example
IPVPN audit log example
2017 Nov 1 04:13:59 eapp123.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-43fbd6d7-258d-4d55-aa81-cf1ba11533b4","entryType":"RESPONSE","userId":"hdhindsa","deviceId":"22002","serviceType":"IP_TUNNEL","clientHost":"/24.5.120.210","clientPort":44258,"publishTime":"11/01/2017 4:13:59","entryId":"E-6ec1eeda-5d25-4d3b-8107-5101c188830f","serverPort":443,"httpStatus":"200"}
2017 Nov 1 04:14:06 eapp123.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-43fbd6d7-258d-4d55-aa81-cf1ba11533b4","entryType":"IP_VPN_CONN","userId":"hdhindsa","deviceId":"22002","serviceType":"IP_TUNNEL","clientHost":"/24.5.120.210","clientPort":44258,"publishTime":"11/01/2017 4:14:06","entryId":"E-4190ad90-4391-47b1-b2b3-298aec6aec5a","serverHost":"autodns001.auto.mobileiron.com","serverPort":53,"action":"ALLOW","type":"UDP"}
2017 Nov 1 04:14:06 eapp123.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-43fbd6d7-258d-4d55-aa81-cf1ba11533b4","entryType":"IP_VPN_CONN","userId":"hdhindsa","deviceId":"22002","serviceType":"IP_TUNNEL","clientHost":"/24.5.120.210","clientPort":44258,"publishTime":"11/01/2017 4:14:06","entryId":"E-b30097d0-f888-4437-b49d-232d4f364815","serverHost":"216.58.192.10","serverPort":443,"sentryHost":"10.10.57.239","sentryPort":446,"sentryAddress":"10.25.35.237","action":"ALLOW","type":"TCP"}
ActiveSync audit log example
2017 Nov 7 21:23:39 app101.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-ee3608c9-4c88-4b93-8221-bd69cb4da900","entryType":"REQUEST","userId":"testuser0851","deviceId":"HroLBGueAofSIkAcECcHMTTqd2","deviceType":"MD723LL","serviceType":"ACTIVE_SYNC","serviceName":"ActiveSync","clientHost":"/10.11.80.93","clientPort":61693,"publishTime":"11/07/2017 21:23:38","entryId":"E-ee3608c9-4c88-4b93-8221-bd69cb4da900","serverHost":"ex2013.auto19.mobileiron.com","serverPort":443,"requestUrl":"/Microsoft-Server-ActiveSync","httpMethod":"POST","action":"ALLOW"}
2017 Nov 7 21:23:41 app101.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-ee3608c9-4c88-4b93-8221-bd69cb4da900","entryType":"RESPONSE","userId":"testuser0851","deviceId":"HroLBGueAofSIkAcECcHMTTqd2","serviceType":"ACTIVE_SYNC","clientHost":"/10.11.80.93","clientPort":61693,"publishTime":"11/07/2017 21:23:39","entryId":"E-49b382b2-07c9-4a82-87d3-3f1f45751879","serverHost":"ex2013.auto19.mobileiron.com","serverPort":443,"sentryHost":"10.10.57.239","sentryPort":446,"sentryAddress":"10.25.35.237","httpStatus":"200"}
HTTP tunnel audit log example
2017 Nov 3 23:06:57 eapp074.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-dd7086fc-9599-4581-a8bc-5a9057ce085b","entryType":"REQUEST","userId":"testuser7331","deviceId":"62b6ae69-9ca8-4176-85dd-11a7ecaee130","deviceType":"iPhone 6","serviceType":"APP_TUNNEL","serviceName":"<ANY>","clientHost":"/10.11.205.8","clientPort":1821,"publishTime":"11/03/2017 23:06:57","entryId":"E-dd7086fc-9599-4581-a8bc5a9057ce085b","serverHost":"wiki.mobileiron.com","serverPort":443,"requestUrl":"https://wiki.mobileiron.com/login.action?os_destination=%2Findex.action&permissionViolation=true","httpMethod":"GET","applicationId":"com.mobileiron.securebrowser","action":"ALLOW"}
2017 Nov 3 23:06:57 eapp074.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-dd7086fc-9599-4581-a8bc-5a9057ce085b","entryType":"RESPONSE","userId":"testuser7331","deviceId":"62b6ae69-9ca8-4176-85dd-11a7ecaee130","serviceType":"APP_TUNNEL","clientHost":"/10.11.205.8","clientPort":1821,"publishTime":"11/03/2017 23:06:57","entryId":"E-c0cd7a3d-1832-4b85-b28c-7385d2b0eb0c","serverHost":"wiki.mobileiron.com","serverPort":443,"sentryHost":"10.10.57.239","sentryPort":446,"sentryAddress":"10.25.35.237","httpStatus":"200"}
TCP tunnel audit log example
2017 Nov 3 23:06:07 eapp074.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-bd77654c-42dc-48f3-9b2c-9aa2d5d63650","entryType":"REQUEST","userId":"testuser7331","deviceId":"62b6ae69-9ca8-4176-85dd-11a7ecaee130","serviceType":"TCP_TUNNEL","serviceName":"<TCP_ANY>","clientHost":"/10.11.205.8","clientPort":1391,"publishTime":"11/03/2017 23:06:07","entryId":"E-bd77654c-42dc-48f3-9b2c-9aa2d5d63650","serverHost":"googleads.g.doubleclick.net","serverPort":443,"applicationId":"com.google.chrome.ios","action":"ALLOW"}
2017 Nov 3 23:06:07 eapp074.auto.mobileiron.com SENTRY_AUDIT: INFO {"usecaseId":"U-bd77654c-42dc-48f3-9b2c-9aa2d5d63650","entryType":"RESPONSE","userId":"testuser7331","deviceId":"62b6ae69-9ca8-4176-85dd-11a7ecaee130","serviceType":"TCP_TUNNEL","clientHost":"/10.11.205.8","clientPort":1391,"publishTime":"11/03/2017 23:06:07","entryId":"E-4fa74e1f-e0df-4093-9cd1-a716aa0697ff","serverHost":"googleads.g.doubleclick.net","serverPort":443,"sentryHost":"10.10.57.239","sentryPort":446,"sentryAddress":"10.25.35.237","httpStatus":"200"}
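As an added example (it is not part of this documentation or of the Sentry product), the following Python parses SENTRY_AUDIT lines of the shape shown above, correlates request and response entries through usecaseId, and reports the three things a reviewer of these logs checks first: entries whose compliance action was BLOCK, requests for which no response entry was recorded, and lines that could not be parsed at all. The sample lines are constructed placeholders in the page's layout (hosts, users, device IDs and addresses are not real). The JSON keys follow the spelling used in the examples (usecaseId, entryId, userId, deviceId) rather than the capitalised names in the field tables, and one sample line carries a stray quote after a numeric value so that the malformed-line path is exercised: such a line is counted and skipped rather than aborting the run, which also means its request is reported as unanswered.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines in the SENTRY_AUDIT layout shown above (placeholder hosts,
# users, device IDs and addresses; not captured from a real Sentry).
SAMPLE_LINES = [
    '2017 Nov 7 21:23:39 sentry01.example.com SENTRY_AUDIT: INFO {"usecaseId":"U-0001","entryType":"REQUEST","userId":"user1","deviceId":"DEV1","deviceType":"iPhone","serviceType":"ACTIVE_SYNC","serviceName":"ActiveSync","clientHost":"/192.0.2.10","clientPort":61693,"publishTime":"11/07/2017 21:23:38","entryId":"E-0001","serverHost":"mail.example.com","serverPort":443,"requestUrl":"/Microsoft-Server-ActiveSync","httpMethod":"POST","action":"ALLOW"}',
    '2017 Nov 7 21:23:41 sentry01.example.com SENTRY_AUDIT: INFO {"usecaseId":"U-0001","entryType":"RESPONSE","userId":"user1","deviceId":"DEV1","serviceType":"ACTIVE_SYNC","clientHost":"/192.0.2.10","clientPort":61693,"publishTime":"11/07/2017 21:23:39","entryId":"E-0002","serverHost":"mail.example.com","serverPort":443,"sentryHost":"sentry01","sentryPort":446,"sentryAddress":"198.51.100.5","httpStatus":"200"}',
    '2017 Nov 7 21:24:06 sentry01.example.com SENTRY_AUDIT: INFO {"usecaseId":"U-0002","entryType":"IP_VPN_CONN","userId":"user2","deviceId":"DEV2","serviceType":"IP_TUNNEL","clientHost":"/192.0.2.11","clientPort":44258,"publishTime":"11/07/2017 21:24:06","entryId":"E-0003","serverHost":"203.0.113.7","serverPort":445,"action":"BLOCK","type":"TCP"}',
    '2017 Nov 7 21:25:00 sentry01.example.com SENTRY_AUDIT: INFO {"usecaseId":"U-0003","entryType":"REQUEST","userId":"user3","deviceId":"DEV3","serviceType":"APP_TUNNEL","serviceName":"<ANY>","clientHost":"/192.0.2.12","clientPort":1821,"publishTime":"11/07/2017 21:25:00","entryId":"E-0004","serverHost":"wiki.example.com","serverPort":443,"requestUrl":"https://wiki.example.com/","httpMethod":"GET","applicationId":"com.example.browser","action":"ALLOW"}',
    # Malformed payload (stray quote after a numeric value): must be counted, not crash the run.
    '2017 Nov 7 21:25:01 sentry01.example.com SENTRY_AUDIT: INFO {"usecaseId":"U-0003","entryType":"RESPONSE","sentryPort":446","httpStatus":"200"}',
]

# Syslog-style prefix in front of the JSON payload:
#   "<timestamp> <sentry host> SENTRY_AUDIT: <level> {...}"
AUDIT_LINE = re.compile(
    r"^(?P<ts>\d{4} [A-Za-z]{3} \d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) SENTRY_AUDIT: (?P<level>[A-Z]+) (?P<payload>\{.*\})\s*$"
)


def parse_audit_line(line):
    """Return the entry as a dict (prefix fields added as _logTime/_logHost), or None if malformed."""
    m = AUDIT_LINE.match(line)
    if not m:
        return None
    try:
        entry = json.loads(m.group("payload"))
    except json.JSONDecodeError:
        return None
    # Without these two keys the entry cannot be correlated, so treat it as malformed too.
    if not isinstance(entry, dict) or "usecaseId" not in entry or "entryType" not in entry:
        return None
    entry["_logTime"] = m.group("ts")
    entry["_logHost"] = m.group("host")
    return entry


def correlate(lines):
    """Group entries by usecaseId and summarise blocked actions, unanswered requests and bad lines."""
    by_usecase = defaultdict(list)
    report = {"malformed": 0, "blocked": [], "unanswered": [], "pairs": {}}
    for line in lines:
        entry = parse_audit_line(line)
        if entry is None:
            report["malformed"] += 1
            continue
        by_usecase[entry["usecaseId"]].append(entry)
        if entry.get("action") == "BLOCK":
            report["blocked"].append(entry.get("entryId"))
    for usecase, entries in by_usecase.items():
        # One entry per type is enough for request/response pairing; IP_VPN_CONN entries
        # have no request counterpart and only contribute through the BLOCK check above.
        by_type = {e["entryType"]: e for e in entries}
        if "REQUEST" in by_type and "RESPONSE" not in by_type:
            report["unanswered"].append(usecase)
        elif "REQUEST" in by_type:
            req, resp = by_type["REQUEST"], by_type["RESPONSE"]
            report["pairs"][usecase] = (req.get("requestUrl"), resp.get("httpStatus"))
    return report


if __name__ == "__main__":
    import pprint
    pprint.pprint(correlate(SAMPLE_LINES))
```

Feeding a real log file means replacing SAMPLE_LINES with the file's lines; because publishTime is captured asynchronously (as the field tables note), the syslog prefix kept in _logTime is the better choice when ordering entries across several Sentry hosts.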
Health log representation and format
The following sections describe the representation and format of the Sentry health logs:
• /var/log/mihealth_export/openPorts.log
• /var/log/mihealth_export/hardware.log
• /var/log/mihealth_export/cpu.log
• /var/log/mihealth_export/vmstat.log
/var/log/mihealth_export/openPorts.log
sourcetype: sentry_mihealth_openPorts
Proto Port
tcp 9090
...
udp 10012
REGEX = ([^\s]+)\s+([0-9]+)
FORMAT = Proto::"$1" Port::"$2"
/var/log/mihealth_export/hardware.log
sourcetype: sentry_mihealth_hardware
KEY VALUE
CPU_TYPE Intel(R) Xeon(R) CPU E5504 @ 2.00GHz
CPU_CACHE 4096 KB
CPU_COUNT 1
HARD_DRIVES sda (Virtual disk) 200 GB;
NIC_TYPE <notAvailable>
NIC_COUNT 1
MEMORY_REAL 2054232 kB
MEMORY_SWAP 4128764 kB
/var/log/mihealth_export/cpu.log
sourcetype: sentry_mihealth_cpu
CPU pctUser pctNice pctSystem pctIowait pctIdle
all 0.00 1.01 1.01 0.00 97.98
0 0.00 1.01 1.01 0.00 97.98
REGEX = all\s+(\d*\.*\d*)\s+(\d*\.*\d*)\s+(\d*\.*\d*)\s+(\d*\.*\d*)\s+(\d*\.*\d*)
FORMAT = pctUser::$1 pctNice::$2 pctSystem::$3 pctIowait::$4 pctIdle::$5
/var/log/mihealth_export/vmstat.log
/usr/bin/vmstat
sourcetype: sentry_mihealth_vmstat
time=2017-09-05 10:24:01, r=5, b=0, swpd=10268, free=80444, buff=109964, cache=845276, si=0, so=0, bi=5, bo=12, in=115, cs=208, us=1, sy=0, id=99, wa=0, st=0
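As an added example, not part of this documentation or of the product, the following Python applies the page's REGEX and FORMAT extractions for openPorts.log and cpu.log, parses hardware.log (KEY VALUE) and the vmstat key=value record, and turns the results into a small health check: the listening ports are compared against an expected baseline, the CPU busy percentage is derived from the `all` row, and swap usage is read from the vmstat record. The log contents are constructed in the layouts shown above, and the baseline of expected ports is an assumption for the demonstration, not a Sentry default.

```python
import re

# Constructed sample contents in the layouts shown on this page for each health log.
OPEN_PORTS_LOG = """Proto Port
tcp 9090
tcp 443
udp 10012
"""

HARDWARE_LOG = """KEY VALUE
CPU_TYPE Intel(R) Xeon(R) CPU E5504 @ 2.00GHz
CPU_COUNT 1
MEMORY_REAL 2054232 kB
"""

CPU_LOG = """CPU pctUser pctNice pctSystem pctIowait pctIdle
all 0.00 1.01 1.01 0.00 97.98
0 0.00 1.01 1.01 0.00 97.98
"""

VMSTAT_LOG = ("time=2017-09-05 10:24:01, r=5, b=0, swpd=10268, free=80444, buff=109964, "
              "cache=845276, si=0, so=0, bi=5, bo=12, in=115, cs=208, us=1, sy=0, id=99, wa=0, st=0\n")

# The page's REGEX lines; the FORMAT names become the dict keys below.
OPEN_PORT_RE = re.compile(r"([^\s]+)\s+([0-9]+)")
CPU_ALL_RE = re.compile(r"all\s+(\d*\.*\d*)\s+(\d*\.*\d*)\s+(\d*\.*\d*)\s+(\d*\.*\d*)\s+(\d*\.*\d*)")
CPU_FIELDS = ("pctUser", "pctNice", "pctSystem", "pctIowait", "pctIdle")


def parse_open_ports(text):
    """FORMAT = Proto::"$1" Port::"$2"; the 'Proto Port' header never matches because Port is not numeric."""
    ports = []
    for line in text.splitlines():
        m = OPEN_PORT_RE.match(line)
        if m:
            ports.append({"Proto": m.group(1), "Port": int(m.group(2))})
    return ports


def parse_hardware(text):
    """KEY VALUE rows: the key is the first token, the value is the rest of the line."""
    rec = {}
    for line in text.splitlines()[1:]:  # skip the KEY VALUE header
        key, _, value = line.partition(" ")
        rec[key] = value
    return rec


def parse_cpu(text):
    """Only the 'all' row is extracted, matching the page's REGEX/FORMAT for cpu.log."""
    for line in text.splitlines():
        m = CPU_ALL_RE.match(line)
        if m:
            return dict(zip(CPU_FIELDS, (float(v) for v in m.groups())))
    return None


def parse_vmstat(text):
    """One 'key=value, key=value' record; 'time' stays a string, every other value is an int."""
    rec = {}
    for field in text.strip().split(", "):
        key, _, value = field.partition("=")
        rec[key] = value if key == "time" else int(value)
    return rec


def unexpected_ports(ports, baseline):
    """Listening (proto, port) pairs that are not in the expected baseline set."""
    return sorted((p["Proto"], p["Port"]) for p in ports if (p["Proto"], p["Port"]) not in baseline)


def health_summary(open_ports_text, cpu_text, vmstat_text, baseline):
    """Combine the parsed logs into the handful of values worth alerting on."""
    cpu = parse_cpu(cpu_text)
    vm = parse_vmstat(vmstat_text)
    return {
        "unexpected_ports": unexpected_ports(parse_open_ports(open_ports_text), baseline),
        "cpu_busy_pct": round(100.0 - cpu["pctIdle"], 2),
        "iowait_high": cpu["pctIowait"] > 20.0,  # threshold is an assumed example value
        "swap_in_use_kb": vm["swpd"],
    }


if __name__ == "__main__":
    # Assumed baseline for the demonstration: only these listeners are expected.
    print(health_summary(OPEN_PORTS_LOG, CPU_LOG, VMSTAT_LOG, {("tcp", 443), ("tcp", 9090)}))
```

The baseline comparison is the part that matters operationally: a port that appears in openPorts.log without being in the expected set is the signal to investigate, while the CPU and swap figures mostly serve capacity monitoring.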