Access logs

This page explains the fields in EAA access logs, the authentication details they carry, their limitations, examples in RAW and JSON format, and how to extract them in a Splunk environment.
Note: Two levels of separators are used: <space> and - (hyphen). A space separates the fields of a log line, for example 2019-06-24T18:33:08<space>username. A hyphen replaces any space inside a value (for example United-States, or the space in a content type) and also joins the HTTP method, URL path and HTTP version into a single token, for example GET-/-HTTP/1.1. A value that is a lone hyphen means the field is not available.
Field sequence of RAW log lines visible in an EAA application
Each numbered entry below is one column of the raw line, in order, with its JSON key, the type of content, the field description and, where available, an example. The even-numbered entries are the separators between fields.

1. datetime (Datetime)
   ISO 8601 date and time without timezone, local to the machine running the EAA Splunk application.
   Example: 2021-10-27T10:10:39.175000 (from the RAW example below)
2. <space>
3. username (String or empty)
   Username.
   Note: If this field is empty, no user is authenticated yet.
4. <space>
5. apphost (String)
   Public-facing EAA endpoint hostname. It is one of the following:
   • the end-user URL hostname, for a web application
   • the upstream endpoint, for a client application
6. <space>
7. http_method (String)
   HTTP method (also called a verb).
   Example: GET
8. - (hyphen)
   Joins fields 7, 9 and 11 into one space-free token, for example GET-/-HTTP/1.1.
9. url_path (String)
   URL path.
   Example: /
10. - (hyphen)
11. http_ver (String)
   HTTP version.
   Example: HTTP/1.1
12. <space>
13. referer (String)
   URL referrer.
   Example: https://intranet
14. <space>
15. status_code (Integer, 0-999)
   HTTP response code.
   Example: 101
   Tip: For more information on response codes, see Application response codes, login events, and errors.
16. <space>
17. idpinfo (Code)
   Event category, a pipe (|), and the authentication status.
   Example: SENTRY|V
   Note: The authentication status can be empty. See idp.evty and the EAA end-user authentication details section.
18. <space>
19. clientip (IPAddr)
   Client IP address.
20. <space>
21. http_verb2 (HTTP verb)
   HTTP method (explicit).
   Note: Same as field 7.
22. <space>
23. total_resp_time (Float)
   Total response time in seconds.
   Example: 0.014
24. <space>
25. connector_resp_time (Float)
   EAA connector response time in seconds.
   Example: 0.006
26. <space>
27. datetime (Datetime)
   Datetime of the log line event, with a timezone offset.
   Example: 2019-06-24T18:33:15+00:00
   Note: This field shares the JSON key datetime with field 1; the JSON example below carries only this timestamp under that key.
28. <space>
29. origin_resp_time (Float)
   Origin server response time in seconds.
   Example: 0.006
30. <space>
31. origin_host (String)
   Resolved IP in the datacenter.
32. <space>
33. req_size (Integer)
   Request size in bytes.
34. <space>
35. content_type (String)
   Content type.
   Example: text/html
36. <space>
37. user_agent (String)
   User agent.
   Example: Catchpoint
38. <space>
39. device_type (String)
   Device type.
   Example: iPhone
40. <space>
41. device_os (String)
   Device operating system.
   Example: iOS
   Note: In the RAW example below the operating system (Mac-OS-X-10-15) precedes the device type (Other), and the JSON example lists device_os before device_type. Verify the order of fields 39 and 41 against your own log lines before relying on positional extraction.
42. <space>
43. geo_city (String)
   City name.
   Example: Oakland
44. <space>
45. geo_state (String)
   State name (North America), province, region or other subdivision.
   Note: A hyphen means not available.
46. <space>
47. geo_statecode (String[2])
   Two-letter state code (North America).
   Note: A hyphen means not available.
48. <space>
49. geo_countrycode (String[2])
   Two-letter country code (ISO 3166-1 alpha-2).
   Example: GD
50. <space>
51. geo_country (String)
   Country name.
   Note: Spaces in country names are replaced by a hyphen (-), for example United-States.
52. <space>
53. internal_host (String)
   Internal hostname:port.
54. <space>
55. session_info (String)
   Session information (idp.einfo). This field carries one of the following:
   • the request information, for example Cookie valid, Bearer valid and others
   • the error message, for example Method OPTIONS not supported, No valid auth token and others
   There is no finite list of possible values.
56. <space>
57. groups (String)
   Group information. In the example, groups are separated by commas and a plus sign (+) stands in for the space in a group name.
   Example: Domain+Users,IT+Department
58. <space>
59. session_id (String)
   User session ID.
   Example: e3fb292d-9e7a-4f1f-cf77-0998ecf8427e
60. <space>
61. client_id (String)
   Client UUID, the same ID reported in Device Posture reports and in EAA Client UI > Diagnostic > Troubleshoot your Device.
   Example: 5c98021e78e9c393b07145e388c20ace7733ca88ed63ba0790c09e7ed5c58cf7
62. <space>
63. acl_reason (String; also referred to as rname)
   ACL deny reason.
   Example: clientIP
64. <space>
65. bytes_out (Integer)
   Bytes transferred from the connector to the user (via the EAA cloud). Available only for web applications; the value is - for client-based application traffic.
   Example: 1234
66. <space>
67. bytes_in (Integer)
   Bytes received from the user (via the EAA cloud) by the connector. Available only for web applications; the value is - for client-based application traffic.
   Example: 1234
68. <space>
69. con_ip and con_srcport (String)
   Connector IP and source port separated by a colon (:). The JSON output splits this token into con_ip and con_srcport.

End-user access log examples

RAW format

2021-10-27T10:10:39.175000 user@domain.eaa GET-/-HTTP/1.1 https://intranet 200 SENTRY|V GET 0.200 0.198 2021-10-27T17:10:39+00:00 0.003 ,- 1165 text/html;-charset=UTF-8 Firefox-93-0 Mac-OS-X-10-15 Other Oakland California CA US United-States - cookie-valid - a3f46a0d-bbd8-4429-c43c-7c5c0101708e - cookie-valid 1165 870

Note: This sample has been sanitized. The apphost, clientip and connector IP:port tokens are absent (they appear as empty strings in the JSON format below), so the line has 30 space-separated tokens where a complete line has 33 (35 fields, with fields 7, 9 and 11 joined by hyphens into one token). The origin_host token ,- carries no IP in this sample either. Do not use this line as-is to validate a positional extraction.

JSON format

{
  "username": "user@domain.eaa",
  "apphost": "",
  "http_method": "GET",
  "url_path": "/",
  "http_ver": "HTTP/1.1",
  "referer": "https://intranet",
  "status_code": 200,
  "idpinfo": "SENTRY|V",
  "clientip": "",
  "http_verb2": "GET",
  "total_resp_time": 0.2,
  "connector_resp_time": 0.198,
  "datetime": "2021-10-27T17:10:39+00:00",
  "origin_resp_time": 0.003,
  "origin_host": ",-",
  "req_size": 1165,
  "content_type": "text/html;-charset=UTF-8",
  "user_agent": "Firefox-93-0",
  "device_os": "Mac-OS-X-10-15",
  "device_type": "Other",
  "geo_city": "Oakland",
  "geo_state": "California",
  "geo_statecode": "CA",
  "geo_countrycode": "US",
  "geo_country": "United-States",
  "internal_host": "-",
  "session_info": "cookie-valid",
  "groups": "-",
  "session_id": "a3f46a0d-bbd8-4429-c43c-7c5c0101708e",
  "client_id": "-",
  "acl_reason": "cookie-valid",
  "bytes_out": "1165",
  "bytes_in": "870",
  "con_ip": "",
  "con_srcport": "38662"
}

Note: In this output bytes_out, bytes_in and con_srcport are JSON strings although the field list types the byte counts as Integer, and not-available values are the literal string "-" rather than null. Cast and normalize them when ingesting, otherwise numeric searches and range comparisons on these fields silently miss events.