Use EAA data feeds in SIEM solutions. Here you can find examples in RAW and in JSON formats and descriptions of the different log fields for EAA user access logs, EAA authentication logs, Admin audit logs, and Connector health logs. See how to use these logs with the SIEM solution you choose.

Access logs

In the table below you can find fields of RAW log lines definitions from EAA user access logs, authentication details, limitations, examples, and extraction for Splunk environment.

There are two levels of separators used in these files: blank space and - (a hyphen). A hyphen replaces any space in a country name or date (for example in United-States). A space separates each field in the log line. For example, 2019-06-24T18:33:08<space>username.

📘
Note
Blank rows like 2, 4, 6, 12, 14, and so on, indicate a space.

	Type of content	JSON key	Field description	Example
1	datetime	`local_datetime`	ISO 8601 date and time when the log was fetch, no specified timezone, local to the host fetching the data.	`2022-09-22T15:15:06.153000`
2
3	String or empty	`username`	Username Note: If this field is empty, it means that no user is authenticated yet.	`username`
4
5	String	`apphost`	Public-facing EAA endpoint hostname that is available in two versions: user URL hostname for a web application upstream endpoint for a client application	`tunnel-app.frankfurt.example.net`
6
7	String	`http_method`	HTTP method (also called a verb)	`GET`
8	- (hyphen)			`-`
9	String	`url_path`	URL path	`/`
10	- (hyphen)			`-`
11	String	`http_ver`	HTTP version	`HTTP/1.1`
12
13	String	`referer`	URL Referrer	`https://www.example.com/myapp`
14
15	Integer 0-999	`status_code`	HTTP Response code	`101`
16
17	Code	`idpinfo`	Event category `+ \| +` Note: The authentication status can be empty. See `idp.evty` and `idp.st` information in EAA authentication details table.	`SENTRY\|V`
18
19	IPAddr	`clientip`	Client IP address	`213.109.181.6`
20
21	HTTP Verb	`http_verb2`	HTTP method (explicit) Note: Same as field #7.	`GET, POST`
22
23	Float	`total_resp_time`	Total Response Time in seconds	`0.014`
24
25	Float	`connector_resp_time`	EAA Connector Response Time in seconds	`0.006`
26
27	Datetime	`datetime`	Datetime of the log line event	`2019-06-24T18:33:15+00:00`
28
29	Float	`origin_resp_time`	Origin Server Response Time in seconds	`0.006`
30
31	String	`origin_host`	Resolved IP in the datacenter	`172.31.200.65`
32
33	Integer	`req_size`	Request size in bytes
34
35	String	`content_type`	Content-type	`text/html`
36
37	String	`user_agent`	User agent	`Catchpoint`
38
39	String	`device_type`	Device type	`iPhone`
40
41	String	`device_os`	Device operating system	`iOS`
42
43	String	`geo_city`	City name	`Oakland`
44
45	String	`geo_state`	State name (North America), province, region or other sub-division. Note: Hyphen means not available.	`California`
46
47	String[2]	`geo_statecode`	Two-letter state code (North America) Note: Hyphen means not available.	`CA`
48
49	String[2]	`geo_countrycode`	Two-letter country code in ISO 3166-2 format	`GD`
50
51	String	`geo_country`	Country name Note: Spaces in the country names are replaced by a hyphen (-).	`United-States`
52
53	String	`internal_host`	Internal hostname:port	`clientapp.exampledemo.net:80`
54
55	String	`session_info`	Session information - `idp.einfo` . This field displays the following request/error messages: valid . The request information. For example: `Cookie valid<code>, </code> Bearer valid` and others. error . The error message. For example: `Method OPTIONS not supported<code>, </code> No valid auth token` and others. There is no finite list defining different options.	`bearer-valid`
56
57	String	`groups`	Group information	`Domain+Users,IT+Department`
58
59	String	`session_id`	User session ID	`e3fb292d-9e7a-4f1f-cf77-0998ecf8427e`
60
61	String	`client_id`	Client UUID - same ID reported in Device Posture reports, or in EAA Client UI > Diagnostic >Troubleshoot your Device	`5c98021e78e9c393b0714 5e388c20ace7733ca88e d63ba0790c09e7ed5c58cf7`
62
63	String	`deny_reason`	ACL deny reason	`ClientIP`
64
65	Integer	`bytes_out`	Bytes transferred from the connector to the user (via the EAA cloud). Available only for web applications.Value "-" is for Client-based application traffic.	`1234`
66
67	Integer	`bytes_in`	Bytes received from the user (via the EAA cloud) by the connector. Available only for web applications. Value "-" is for Client-based application traffic.	`1234`
68
69	String	`con_ip`	Connector IP. Note: This field is only present in classic apps and not client-based apps.	`192.168.100.123`
70
71	String	`con_srcport`	Connector source port. Note: This field is only present in classic apps and not client-based apps.	`:3456`
72
73	String	`conn_uuid`	Connector UUID	`3bea6515-e122-4a56-8236-6536addd0e6c`
74
75	String	`cloud_zone`	DPOP name	`alpha-west-2-cloudproxy-4`
76
77	String	`error_code**`	Code delivered in the error page.	`0`
78
79	String	`client_process`	Name of the software process consuming the Client-based app (TCP/UDP)	`svchost.exe`
80
81	String	`client_version`	Version of the EAA Client making the request	`2.8.1.22090201`

📘
Important Note
for error code**, EAA gives the main error code, and in some scenarios, it also gives a sub error code. Please refer to Application response codes, login events, and errors for the sub-error codes.

User access log examples

RAW format:

2022-09-22T15:28:31.450000 employee3 sjclientyahoo.stage.akamai-access.com GET-/-HTTP/1.1 - 101 SENTRY|V 147.92.90.233 GET 67.736 67.736 2022-09-22T22:28:31+00:00 67.736 66.218.87.15 6017 text/plain Chrome-105-0 Mac-OS-X-10-15 Mac Fremont California CA US United-States geo.yahoo.com:443 bearer-valid - 75cc22e0-fd34-4c85-cce2-8ef8ef6f2c66 ac7da8d27cbd38d3d9b765ba74d0054528c99091e509b44a40f3d2987f5b642d bearer-valid 6017 3000 10.22.2.232 e19afcd5-c12b-4198-8884-4b5b5b2ea2e2 DPOP-Alpha-East-U18 0 Google-Chrome-Helper 2.8.0.22060101

JSON format:


{
"local_datetime": "2022-09-22T15:28:31.450000", 
"username": "employee3", 
"apphost": "sjclientyahoo.stage.akamai-access.com", 
"http_method": "GET", "url_path": "/", 
"http_ver": "HTTP/1.1", 
"referer": "-", 
"status_code": 101, 
"idpinfo": "SENTRY|V", 
"clientip": "147.92.90.233", 
"http_verb2": "GET", 
"total_resp_time": 67.872, 
"connector_resp_time": 67.872, 
"datetime": "2022-09-22T22:28:31+00:00", 
"origin_resp_time": 67.872, 
"origin_host": "69.147.92.11", 
"req_size": 1602, 
"content_type": "text/plain", 
"user_agent": "Chrome-105-0", 
"device_type": "Mac-OS-X-10-15", 
"device_os": "Mac", 
"geo_city": "Fremont", 
"geo_state": "California", 
"geo_statecode": "CA", 
"geo_countrycode": "US", 
"geo_country": "United-States", 
"internal_host": "beap-bc.yahoo.com:443", 
"session_info": "bearer-valid", 
"groups": "-", 
"session_id": "75cc22e0-fd34-4c85-cce2-8ef8ef6f2c66", 
"client_id": "ac7da8d27cbd38d3d9b765ba74d0054528c99091e509b44a40f3d2987f5b642d", 
"deny_reason": "bearer-valid", 
"bytes_out": 1602, 
"bytes_in": 2780, 
"con_uuid": "e19afcd5-c12b-4198-8884-4b5b5b2ea2e2", 
"cloud_zone": "DPOP-Alpha-East-U18", 
"error_code": 0, 
"client_process": "Google-Chrome-Helper", 
"client_version": "2.8.0.22060101"
}

EAA authentication details in user access logs

Authentication details can be found in the following log lines: access proxy, login server, and directory server. The latest logs are JSON formatted at the source and composed of key value pairs, where the value is a string or a dictionary of key value pairs.

The following table describes JSON keys relevant for the authentication event logs.


Key	Purpose
`srvty`	The `srvty` key distinguishes the type of service that generated the log line. The application proxy, login service and directory services are all implemented in a proxy service.
`idp.uid`	The user identifier is determined by the authentication method. If it has not been set, its value is either a hyphen (-) or a space. A special value, `anon-user` , indicates that access was allowed for the request without authentication.
`idp.grps`	The `idp.grps` key is a comma-separated and URL-encoded list of group memberships. Group names can have commas so URL encoding of group values is required. Other rules include: Third-party SAML Identity Providers (IdPs) are set to the user's group membership determined by received SAML claims. Akamai IdPs are set to intersect with the user's real group membership in Active Directory (AD) and the groups configured for sync by the administrator into EAA. If the group membership cannot be determined, the value is set to a hyphen (-). If the log is generated on the application proxy, the value is always set to a hyphen (-) to reduce the size of the logs. Some older logs may still include group memberships in the log line.
`idp.app`	The `idp.app` event key application context for the request is: If the log is generated on the application proxy, the application context is always the application hostname itself. Since the data for this event is set by the sentry module, in cases where the sentry module does not process the request, the context is not set and default to either a space or hyphen (-). If the log is generated on the directory server, the application context is always the directory server hostname. If the log is generated on the login server, the application context can be: The application server name, if the request was logged while an authentication request from an application is in process. The login server name, if the request was logged and there is no application authentication context.
`idp.slogid`	The `idp.slogid` key is a unique session log identifier that binds application sessions to the session identifier in the login server log lines. When present, this can be used to associate an application access event to a specific login event in the IP logs.
`idp.evty`	You can determine the event category by looking at other properties in the log line such as `srvty` and `URL` . See below`idp.evty` key event categories table for details on event categories that appear in the log lines from the various edge services.
`idp.st`	The `idp.st` event key displays the authentication or API call status field. See below `idp.st` authentication status table for details on the authentication status results.
`idp.cinfo`	The `idp.cinfo` key provides customer visible text descriptions for some conditions. If this key is not set, its value defaults to a hyphen (-) or space. The following text messages appear when the `idp.cinfo` has been set: login success mfa complete account locked invalid user invalid creds access denied mfa failure service error pwd change ok pwd change error logout success
`idp.einfo`	This is a free-form field primarily used for debugging issues. The text provides detailed descriptions of issues and may include errors raised by upstream services such as Kerberos/LDAP broker.

**idp.evty key event categories**
Event	Service	Purpose
`SENTRY`	Application proxy	Indicates that the request was processed by the sentry module. Almost all requests received at the application proxy is processed by the sentry module, unless the request is rejected before the sentry module gets a chance to look at them.
`LOGIN`	Login server	Indicates login-related activity on the login server. Login activity includes: Submitting user credentials via login form or using Kerberos negotiation. Password change operations. Submitting credentials in the SAML ECP flow. Submitting credentials by access proxy in some authentication schemes where the authentication prompt is given by the application proxy itself (like, HTTP basic authentication) Any inbound authentication requests received via the user agent on the IdP from the application: OpenID apps SAML apps Access apps WS Federation apps
`LOGOUT`	Login server	The logout activity on the login server: An explicit logout from the IdP using the login UI. A single logout requests from apps that subscribe to single logout capability. A re-authentication request from the application proxy, e.g., if the NTLM credentials are not usable for an active session. A back-channel logout requests received from the application proxy in case the logout URL was configured for the application and a user clicked logout on the application.
`QUERY`	Login server	A default event type for requests received over the back-channel interface between the application proxy and the login server. Some of the back-channel requests are relabeled under a different event category based on the nature of the request (see `LOGOUT` and `LOGIN` event types). Logs with these event types are for authentication protocol debugging use only.
`PORTAL`	Login server	A default event type for API calls from the login server UI: auth status checks when switching between UI routes pwd policy API forget user API user apps list fetch API app navigation API config layout API
`MFA`	Login server	A default event type for 2-FA API calls from the login UI to the login server: Add/delete email address Add/delete phone number Create/remove TOTP secret Register/de-register duo Push email token Push SMS token Push TOTP token Verify email token Verify SMS token Verify TOTP token MFA help Fetch masked user MFA settings Fetch unmasked user MFA settings Change preferred MAF scheme
`CONNECTOR`	Directory server	All log lines generated from the directory server have this event type. The directory server relays the authentication API calls from the login server to the enterprise directory connector.

**idp.st authentication status**
Authentication status	Service	Description
`V` (Valid)	Application and login service	Indicates that session validation succeeded (cookie or bearer token validation): For an application proxy, this indicates that the request session is valid. The request may still be denied access to the origin due to other criteria such as application access control rules (ACL). For a login service, this status shows up in case of API calls received with a valid IdP session cookie.
`I` (Invalid)	Application and login service	Indicates that session validation failed. Either an expired cookie or token was presented to the service.
`-` (Undefined)	Application, login, and directory service	A cookie or token was not validated for the request. This can happen if the processing of a request exits before cookie or token validation, or intentionally in the case of some API calls that do not require user validation, e.g., config layout API on the login server or for the directory service case which receives requests only from the login service.
`S` (Success)	Login service	Indicates that the result of an authentication attempt was successful. MFA is not counted as an authentication attempt in the logs, so an `S` does not automatically imply that the logged-in user can access the application. A successful authentication results in a new session creation. A new session log identifier should be seen in the log lines.
`F` (Failure)	Login service	Indicates that the result of an authentication attempt was a failure. Authentication can fail under multiple scenarios: A user was not found in the synced user database in the EAA cloud Invalid user credentials Account locked Service failures: EAA cloud is not reachable EAA cloud sent unexpected response Directory is not reachable Directory connector sent unexpected response New session could not be recorded in session database Misconfiguration Received invalid protocol response from upstream Identification Provider Protocol processing micro service failure Generally, the service failures are also accompanied with free form information in the `idp.einfo` field to aid in troubleshooting.
`X` (Expired)	Login service	A current session has been marked as expired. The session gets marked for expiry when there is an explicit logout from the user of an app that participates in a single logout. The session is retained in cache to complete the logout, but the creation of a new SSO session is disabled by marking it as expired.
`E` (Error)	Login service	An error occurred during authentication protocol processing or there was a service failure. This was introduced along with SAML Identity Provider functionality. The goal is to identify cases where the peer entity in the authentication protocol is not behaving in accordance with the specification. You can move some of the authentication failure scenarios under this error code to simplify interpretation of the failure codes for customer logs.
`R` (Rejected	Login service	A user has a valid authentication session, however, request for access to a target application is rejected because the user does not have access to the app or the app is no longer available.
`D` (Disabled)	Application	The authentication is disabled for the request. The user is set as `anon-user` .
`MC` (MFA Challenge)	Login service	The MFA event API calls concerned with rendering of the MFA challenge page. This indicates that the user is prompted for an MFA challenge: Email token pushed. Phone token pushed. Masked token settings delivered to UI.
`MR` (MFA Register)	Login service	The MFA event API calls concerned with rendering of the MFA registration pages. This indicates the user is registering or modifying MFA settings.
`MF` (MFA Failure)	Login service	The MFA validation failed. This results in denial of access to applications that requires MFA, or denial of security-sensitive operations on the portal such as modifying the MFA settings itself or modifying users credentials. Multiple failed attempts also result in account lockout. For more information, see Set a temporary lockout for multiple failed login attempts.
`MD` (MFA Done)	Login service	The MFA validation succeeded or is not required. MFA validation can succeed if the user presented a valid MFA token in response to the MFA challenge, or if the user's device was trusted, for example the user clicked `Remember Me`
`MI` (MFA Invalid)	Login service	The MFA invalid is logged in case of a PCI DSS MFA scheme. The goal of PCI DSS MFA is to avoid disclosing user credentials or MFA failures to the user. To achieve this, declare user credentials as valid to the UI even when they are invalid (for example the logs indicate that the user credentials were invalid, but the UI moves on to display a fake MFA challenge). The response to the fake MFA challenge is ignored and instead of declaring it as MFA failure, it is declared as MFA invalid in the log lines.
`PCS` (Password Change Success)	Login service	A user successfully changed the password using the change password API call.
`PCF` (Password Change Failure)	Login service	A user failed to change the password. Password change can fail for many reasons such as poor password quality, violation of password history, etc. These reasons are displayed to the user on the UI and included as free form text in the `idp.einfo` field.

User authentication examples

RAW format:

2021-07-23T09:40:05.575000 - login.akamaidemo.net GET-/oidc/oauth?client_id=3cd24...-HTTP/1.1 - 302 LOGIN|I 123.123.123.123 GET 0.002 - 2021-07-23T16:40:05+00:00 - - 827 text/html My-User-Agent Other Other Ashburn Virginia VA US United-States - sso-cookie-no-cookie-value - -

JSON format:

{
    "username": "-",
    "apphost": "login.akamaidemo.net",
    "http_method": "GET",
    "url_path": "/oidc/oauth?client_id=3cd24...",
    "http_ver": "HTTP/1.1",
    "referer": "-",
    "status_code": 302,
    "idpinfo": "LOGIN|I",
    "clientip": "123.123.123.123",
    "http_verb2": "GET",
    "total_resp_time": 0.002,
    "connector_resp_time": "-",
    "datetime": "2021-07-23T16:40:05+00:00",
    "origin_resp_time": "-",
    "origin_host": "-",
    "req_size": 827,
    "content_type": "text/html",
    "user_agent": "My-User-Agent",
    "device_os": "Other",
    "device_type": "Other",
    "geo_city": "Ashburn",
    "geo_state": "Virginia",
    "geo_statecode": "VA",
    "geo_countrycode": "US",
    "geo_country": "United-States",
    "internal_host": "-",
    "session_info": "sso-cookie-no-cookie-value",
    "groups": "-",
    "session_id": "-"
}

Limitations

There are some limitations related to the use of IP Application Accelerator. If you are using the IPA acceleration service, the Client IP and related geo information (lines 43-51 in the above table) represents the closest IPA gateway, not the actual user location.

Go to IP Application Accelerator to learn more about the acceleration service.

👍
The data retention policy is 365 days.

Extract EAA Access Log fields

Set up RAW log field extraction with Splunk. EAA API delivers the access log event in a space separated text line (RAW format) and both CLI-EAA and ULS can deliver the same event also in a structured JSON format.
Most SIEM support extraction using regular expression. Please check your SIEM documentation for more details, or choose the JSON format instead. This is EAA extract regular expression for EAA log lines:

^([^\s]*)\s(?P<username>[\w\-]*)\s(?P<apphost>[\w\.\-]+)\s(?P<http_method>[A-Z]+)-(?P<url_path>.*)\-(?P<http_ver>HTTP/[0-9\.]*)\s(?P<referer>[^\s]*)\s(?P<status_code>[0-9]*)\s(?P<idpinfo>[^\s]*)\s(?P<clientip>[^\s]*)\s(?P<http_verb2>[^\s]*)\s(?P<total_resp_time>[^\s]*)\s(?P<connector_resp_time>[^\s]*)\s(?P<datetime>[^\s]*)\s(?P<origin_resp_time>[^\s]*)\s(?P<origin_host>[^\s]*)\s(?P<req_size>[^\s]*)\s(?P<content_type>[^\s]*)\s(?P<user_agent>[^\s]*)\s(?P<device_os>[^\s]*)\s(?P<device_type>[^\s]*)\s(?P<geo_city>[^\s]*)\s(?P<geo_state>[^\s]*)\s(?P<geo_statecode>[^\s]*)\s(?P<geo_countrycode>[^\s]*)\s(?P<geo_country>[^\s]*)\s(?P<internal_host>[^\s]*)\s(?P<session_info>[^\s]*)\s(?P<groups>[^\s]*)\s(?P<session_id>.*)[\s.*|]

Prerequisite:
An account in Splunk. To download Splunk, go to Splunk page. For more details on downloading and installation, see Splunk installation manual.

In your Splunk account, select Settings > Fields > Field Extractions.
Click New to create a new field extraction.
The Add new window appears.
In Extraction/Transform paste the extract.
Click Save.
After you save the changes, you can see how you can use the extracted regular expression in Splunk SIEM.

Admin logs

Fields definition and examples of Admin logs:


Field	JSON key	Description
Date	`datetime`	Date and time of the event formatted in ISO 8601, including timezone suffix
Username	`username`	Email address of the admin user performing the action. If the action is trigger by a condition of the tenant the user is `system`
ResourceType	`resource_type`	Type of the resource being audited
Resource	`resource`	Name of the resource
Event	`event`	Name of the event
EventType	`event_type`	Type of the event

RAW format:

% akamai eaa log admin --start $(( $(date +%s) - 30000 ))
#DatetimeUTC,AdminID,ResourceType,Resource,Event,EventType
2023-09-01T15:42:09+00:00,user1@akamai.com,users, user1@akamai.com,login,login
2023-09-01T09:17:29+00:00, user2@akamai.com,users, user2@akamai.com,login,login
2023-09-01T08:31:09+00:00, user3@akamai.com,users, user3@akamai.com,login,login
2023-09-01T07:43:03+00:00, user3@akamai.com,users, user3@akamai.com,login,login
# Start: 09/01/2023 07:39:14 UTC (EPOCH 1693553954)
# End: 09/01/2023 15:49:14 UTC (EPOCH 1693583354)
# Total: 4 event(s), 0 error(s), 395 bytes written

JSON format:

% akamai eaa --section akamaidemo log admin --start $(( $(date +%s) - 30000 )) --json
#DatetimeUTC,AdminID,ResourceType,Resource,Event,EventType
{
      "datetime": "2023-09-01T15:42:09+00:00", 
      "username": user1@akamai.com, 
      "resource_type": "users", 
      "resource": user1@akamai.com, 
      "event": "login", 
      "event_type": "login"
}

Connector health

Fields definition and examples illustrating the health of the connector:


Field	JSON key	Description
Connector ID	`connector_uuid`	ID of the connector
Connector Name	`name`	name of the connector
Reachable	`reachable`	1 indicates connector is reachable, 0 otherwise see API definition
Status	`status`	Status of the connector
Version	`version`	Version of the connector software
Private IP	`privateip`	IP address attached to the connector in the datacenter. If the connector is publicly exposed (not recommended) the field contains a public IP
Public IP	`publicip`	Public IP of the connector seen by EAA platform (NAT public IP)
Debug mode	`debugchan`	Debug mode 1 for enabled, 0 for disabled.
Last update	`ts`	Last time connector sent the performance metrics
CPU%	`cpu`	CPU utilization in %
Disk%	`disk`	Disk utilization in %
Memory %	`mem`	Memory utilization in %
Network traffic	`network`	Network usage in Mbps
Total Dialout Count	`dialout_total`	Number of dialout the connector is handling
Idle Dialout Count	`dialout_idle`	Number of idle dialout
Active Dialout Count	`dialout_active`	Number of actively used dialout

RAW format:

% akamai eaa connector list --perf
#Connector-id,name,reachable,status,version,privateip,publicip,debug,last_upd,CPU%,Mem%,Disk%,NetworkMbps,do_total,do_idle,do_active
con://cht3_GEjQWyMW9LEk7KQfg,demo-v2-con-1-amer,1,1,21.01.0-152,10.1.4.206,123.123.123.123,Y,2021-07-23T18:06:35.676Z,1.3,32.4,34.4,0.06,1304,1302,1

JSON format:

% akamai eaa connector list --perf --json | jq
{
    "connector_uuid": "cht3_GEjQWyMW9LEk7KQfg",
    "name": "demo-v2-con-1-amer",
    "reachable": 1,
    "status": 1,
    "version": "21.01.0-152",
    "privateip": "10.1.4.206",
    "publicip": "123.123.123.123",
    "debugchan": "Y",
    "ts": "2021-07-23T18:06:35.676Z",
    "cpu": 1.3,
    "disk": 34.4,
    "mem": 32.4,
    "network": 0.06,
    "dialout_total": 1304,
    "dialout_idle": 1302,
    "dialout_active": 1
}

EAA data feed adopted by SIEM solutions

Access logs

📘
Note

📘
Important Note

User access log examples

EAA authentication details in user access logs

User authentication examples

Limitations

👍

Extract EAA Access Log fields

Admin logs

Connector health

Access logs

📘Note

📘Important Note

User access log examples

EAA authentication details in user access logs

User authentication examples

Limitations

👍

Extract EAA Access Log fields

Admin logs

Connector health

📘
Note

📘
Important Note