EAA data feed adopted by SIEM solutions

Use EAA data feeds in SIEM solutions. Here you can find examples in RAW and in JSON formats and descriptions of the different log fields for EAA user access logs, EAA authentication logs, Admin audit logs, and Connector health logs. See how to use these logs with the SIEM solution you choose.

Access logs

In the table below you can find fields of RAW log lines definitions from EAA user access logs, authentication details, limitations, examples, and extraction for Splunk environment.

There are two levels of separators used in these files: blank space and - (a hyphen). A hyphen replaces any space in a country name or date (for example in United-States). A space separates each field in the log line. For example, 2019-06-24T18:33:08<space>username.

ūüďė

Note

Blank rows like 2, 4, 6, 12, 14, and so on, indicate a space.

Type of contentJSON keyField descriptionExample
1datetimelocal_datetime ISO 8601 date and time when the log was fetch, no specified timezone, local to the host fetching the data.2022-09-22T15:15:06.153000
2
3String or emptyusername Username

Note: If this field is empty, it means that no user is authenticated yet.

username
4
5Stringapphost Public-facing EAA endpoint hostname that is available in two versions:
  • user URL hostname for a web application

  • upstream endpoint for a client application

tunnel-app.frankfurt.example.net
6
7Stringhttp_method HTTP method (also called a verb)GET
8- (hyphen)-
9Stringurl_path URL path/
10- (hyphen)-
11Stringhttp_ver HTTP versionHTTP/1.1
12
13Stringreferer URL Referrerhttps://www.example.com/myapp
14
15Integer 0-999status_code HTTP Response code101
16
17Codeidpinfo Event category + | + Note: The authentication status can be empty. See idp.evty and idp.st information in EAA authentication details table.SENTRY|V
18
19IPAddrclientip Client IP address213.109.181.6
20
21HTTP Verbhttp_verb2 HTTP method (explicit)

Note: Same as field #7.

GET, POST
22
23Floattotal_resp_time Total Response Time in seconds0.014
24
25Floatconnector_resp_time EAA Connector Response Time in seconds0.006
26
27Datetimedatetime Datetime of the log line event2019-06-24T18:33:15+00:00
28
29Floatorigin_resp_time Origin Server Response Time in seconds0.006
30
31Stringorigin_host Resolved IP in the datacenter172.31.200.65
32
33Integerreq_size Request size in bytes
34
35Stringcontent_type Content-typetext/html
36
37Stringuser_agent User agentCatchpoint
38
39Stringdevice_type Device typeiPhone
40
41Stringdevice_os Device operating systemiOS
42
43Stringgeo_city City nameOakland
44
45Stringgeo_state State name (North America), province, region or other sub-division.

Note: Hyphen means not available.

California
46
47String[2]geo_statecode Two-letter state code (North America)

Note: Hyphen means not available.

CA
48
49String[2]geo_countrycode Two-letter country code in ISO 3166-2 formatGD
50
51Stringgeo_country Country name

Note: Spaces in the country names are replaced by a hyphen (-).

United-States
52
53Stringinternal_host Internal hostname:portclientapp.exampledemo.net:80
54
55Stringsession_info Session information - idp.einfo . This field displays the following request/error messages:
  • valid . The request information. For example:
    Cookie valid<code>, </code> Bearer valid and others.

  • error . The error message. For example: Method OPTIONS not supported<code>, </code> No valid auth token and others.

There is no finite list defining different options.

bearer-valid
56
57Stringgroups Group informationDomain+Users,IT+Department
58
59Stringsession_id User session IDe3fb292d-9e7a-4f1f-cf77-0998ecf8427e
60
61Stringclient_id Client UUID - same ID reported in Device Posture reports, or in EAA Client UI > Diagnostic >Troubleshoot your Device5c98021e78e9c393b0714 5e388c20ace7733ca88e d63ba0790c09e7ed5c58cf7
62
63Stringdeny_reason ACL deny reasonClientIP
64
65Integerbytes_out Bytes transferred from the connector to the user (via the EAA cloud). Available only for web applications.Value "-" is for Client-based application traffic.1234
66
67Integerbytes_in Bytes received from the user (via the EAA cloud) by the connector. Available only for web applications. Value "-" is for Client-based application traffic.1234
68
69Stringcon_ip Connector IP. Note: This field is only present in classic apps and not client-based apps.192.168.100.123
70
71Stringcon_srcport Connector source port. Note: This field is only present in classic apps and not client-based apps.:3456
72
73Stringconn_uuid Connector UUID 3bea6515-e122-4a56-8236-6536addd0e6c
74
75Stringcloud_zone DPOP name alpha-west-2-cloudproxy-4
76
77Stringerror_code** Code delivered in the error page. 0
78
79Stringclient_process Name of the software process consuming the Client-based app (TCP/UDP) svchost.exe
80
81Stringclient_version Version of the EAA Client making the request 2.8.1.22090201

ūüďė

Important Note

for error code**, EAA gives the main error code, and in some scenarios, it also gives a sub error code. Please refer to Application response codes, login events, and errors for the sub-error codes.

User access log examples

RAW format:

2022-09-22T15:28:31.450000 employee3 sjclientyahoo.stage.akamai-access.com GET-/-HTTP/1.1 - 101 SENTRY|V 147.92.90.233 GET 67.736 67.736 2022-09-22T22:28:31+00:00 67.736 66.218.87.15 6017 text/plain Chrome-105-0 Mac-OS-X-10-15 Mac Fremont California CA US United-States geo.yahoo.com:443 bearer-valid - 75cc22e0-fd34-4c85-cce2-8ef8ef6f2c66 ac7da8d27cbd38d3d9b765ba74d0054528c99091e509b44a40f3d2987f5b642d bearer-valid 6017 3000 10.22.2.232 e19afcd5-c12b-4198-8884-4b5b5b2ea2e2 DPOP-Alpha-East-U18 0 Google-Chrome-Helper 2.8.0.22060101

JSON format:


{
"local_datetime": "2022-09-22T15:28:31.450000", 
"username": "employee3", 
"apphost": "sjclientyahoo.stage.akamai-access.com", 
"http_method": "GET", "url_path": "/", 
"http_ver": "HTTP/1.1", 
"referer": "-", 
"status_code": 101, 
"idpinfo": "SENTRY|V", 
"clientip": "147.92.90.233", 
"http_verb2": "GET", 
"total_resp_time": 67.872, 
"connector_resp_time": 67.872, 
"datetime": "2022-09-22T22:28:31+00:00", 
"origin_resp_time": 67.872, 
"origin_host": "69.147.92.11", 
"req_size": 1602, 
"content_type": "text/plain", 
"user_agent": "Chrome-105-0", 
"device_type": "Mac-OS-X-10-15", 
"device_os": "Mac", 
"geo_city": "Fremont", 
"geo_state": "California", 
"geo_statecode": "CA", 
"geo_countrycode": "US", 
"geo_country": "United-States", 
"internal_host": "beap-bc.yahoo.com:443", 
"session_info": "bearer-valid", 
"groups": "-", 
"session_id": "75cc22e0-fd34-4c85-cce2-8ef8ef6f2c66", 
"client_id": "ac7da8d27cbd38d3d9b765ba74d0054528c99091e509b44a40f3d2987f5b642d", 
"deny_reason": "bearer-valid", 
"bytes_out": 1602, 
"bytes_in": 2780, 
"con_uuid": "e19afcd5-c12b-4198-8884-4b5b5b2ea2e2", 
"cloud_zone": "DPOP-Alpha-East-U18", 
"error_code": 0, 
"client_process": "Google-Chrome-Helper", 
"client_version": "2.8.0.22060101"
}

EAA authentication details in user access logs

Authentication details can be found in the following log lines: access proxy, login server, and directory server. The latest logs are JSON formatted at the source and composed of key value pairs, where the value is a string or a dictionary of key value pairs.

The following table describes JSON keys relevant for the authentication event logs.

KeyPurpose
srvty The srvty key distinguishes the type of service that generated the log line. The application proxy, login service and directory services are all implemented in a proxy service.
idp.uid The user identifier is determined by the authentication method.
  • If it has not been set, its value is either a hyphen (-) or a space.

  • A special value, anon-user , indicates that access was allowed for the request without authentication.

idp.grps The idp.grps key is a comma-separated and URL-encoded list of group memberships. Group names can have commas so URL encoding of group values is required. Other rules include:
  • Third-party SAML Identity Providers (IdPs) are set to the user's group membership determined by received SAML claims.

  • ‚ÄčAkamai‚Äč IdPs are set to intersect with the user's real group membership in Active Directory (AD) and the groups configured for sync by the administrator into EAA.

  • If the group membership cannot be determined, the value is set to a hyphen (-).

  • If the log is generated on the application proxy, the value is always set to a hyphen (-) to reduce the size of the logs. Some older logs may still include group memberships in the log line.

idp.app The idp.app event key application context for the request is:
  • If the log is generated on the application proxy, the application context is always the application hostname itself.

Since the data for this event is set by the sentry module, in cases where the sentry module does not process the request, the context is not set and default to either a space or hyphen (-).

  • If the log is generated on the directory server, the application context is always the directory server hostname.

  • If the log is generated on the login server, the application context can be:

  • The application server name, if the request was logged while an authentication request from an application is in process.

  • The login server name, if the request was logged and there is no application authentication context.

idp.slogid The idp.slogid key is a unique session log identifier that binds application sessions to the session identifier in the login server log lines. When present, this can be used to associate an application access event to a specific login event in the IP logs.
idp.evty You can determine the event category by looking at other properties in the log line such as srvty and URL .

See belowidp.evty key event categories table for details on event categories that appear in the log lines from the various edge services.

idp.st The idp.st event key displays the authentication or API call status field.

See below idp.st authentication status table for details on the authentication status results.

idp.cinfo The idp.cinfo key provides customer visible text descriptions for some conditions. If this key is not set, its value defaults to a hyphen (-) or space. The following text messages appear when the idp.cinfo has been set:
  • login success
  • mfa complete
  • account locked
  • invalid user
  • invalid creds
  • access denied
  • mfa failure
  • service error
  • pwd change ok
  • pwd change error
  • logout success
idp.einfo This is a free-form field primarily used for debugging issues. The text provides detailed descriptions of issues and may include errors raised by upstream services such as Kerberos/LDAP broker.

idp.evty key event categories

EventServicePurpose
SENTRY Application proxyIndicates that the request was processed by the sentry module.

Almost all requests received at the application proxy is processed by the sentry module, unless the request is rejected before the sentry module gets a chance to look at them.

LOGIN Login serverIndicates login-related activity on the login server. Login activity includes:
  • Submitting user credentials via login form or using Kerberos negotiation.

  • Password change operations.

  • Submitting credentials in the SAML ECP flow.

  • Submitting credentials by access proxy in some authentication schemes where the authentication prompt is given by the application proxy itself (like, HTTP basic authentication)

  • Any inbound authentication requests received via the user agent on the IdP from the application:

  • OpenID apps

  • SAML apps

  • Access apps

  • WS Federation apps

LOGOUT Login serverThe logout activity on the login server:
  • An explicit logout from the IdP using the login UI.

  • A single logout requests from apps that subscribe to single logout capability.

  • A re-authentication request from the application proxy, e.g., if the NTLM credentials are not usable for an active session.

  • A back-channel logout requests received from the application proxy in case the logout URL was configured for the application and a user clicked logout on the application.

QUERY Login serverA default event type for requests received over the back-channel interface between the application proxy and the login server.

Some of the back-channel requests are relabeled under a different event category based on the nature of the request (see LOGOUT and LOGIN event types).

Logs with these event types are for authentication protocol debugging use only.

PORTAL Login serverA default event type for API calls from the login server UI:
  • auth status checks when switching between UI routes
  • pwd policy API
  • forget user API
  • user apps list fetch API
  • app navigation API
  • config layout API
MFA Login serverA default event type for 2-FA API calls from the login UI to the login server:
  • Add/delete email address
  • Add/delete phone number
  • Create/remove TOTP secret
  • Register/de-register duo
  • Push email token
  • Push SMS token
  • Push TOTP token
  • Verify email token
  • Verify SMS token
  • Verify TOTP token
  • MFA help
  • Fetch masked user MFA settings
  • Fetch unmasked user MFA settings
  • Change preferred MAF scheme
CONNECTOR Directory serverAll log lines generated from the directory server have this event type. The directory server relays the authentication API calls from the login server to the enterprise directory connector.

idp.st authentication status

Authentication statusServiceDescription
V (Valid)Application and login serviceIndicates that session validation succeeded (cookie or bearer token validation):
  • For an application proxy, this indicates that the request session is valid. The request may still be denied access to the origin due to other criteria such as application access control rules (ACL).

  • For a login service, this status shows up in case of API calls received with a valid IdP session cookie.

I (Invalid)Application and login serviceIndicates that session validation failed. Either an expired cookie or token was presented to the service.
- (Undefined)Application, login, and directory serviceA cookie or token was not validated for the request. This can happen if the processing of a request exits before cookie or token validation, or intentionally in the case of some API calls that do not require user validation, e.g., config layout API on the login server or for the directory service case which receives requests only from the login service.
S (Success)Login serviceIndicates that the result of an authentication attempt was successful. MFA is not counted as an authentication attempt in the logs, so an S does not automatically imply that the logged-in user can access the application.

A successful authentication results in a new session creation. A new session log identifier should be seen in the log lines.

F (Failure)Login serviceIndicates that the result of an authentication attempt was a failure. Authentication can fail under multiple scenarios:
  • A user was not found in the synced user database in the EAA cloud

  • Invalid user credentials

  • Account locked

  • Service failures:

  • EAA cloud is not reachable

  • EAA cloud sent unexpected response

  • Directory is not reachable

  • Directory connector sent unexpected response

  • New session could not be recorded in session database

  • Misconfiguration

  • Received invalid protocol response from upstream Identification Provider

  • Protocol processing micro service failure

Generally, the service failures are also accompanied with free form information in the idp.einfo field to aid in troubleshooting.

X (Expired)Login serviceA current session has been marked as expired. The session gets marked for expiry when there is an explicit logout from the user of an app that participates in a single logout. The session is retained in cache to complete the logout, but the creation of a new SSO session is disabled by marking it as expired.
E (Error)Login serviceAn error occurred during authentication protocol processing or there was a service failure.

This was introduced along with SAML Identity Provider functionality. The goal is to identify cases where the peer entity in the authentication protocol is not behaving in accordance with the specification.

You can move some of the authentication failure scenarios under this error code to simplify interpretation of the failure codes for customer logs.

R (RejectedLogin serviceA user has a valid authentication session, however, request for access to a target application is rejected because the user does not have access to the app or the app is no longer available.
D (Disabled)ApplicationThe authentication is disabled for the request. The user is set as anon-user .
MC (MFA Challenge)Login serviceThe MFA event API calls concerned with rendering of the MFA challenge page. This indicates that the user is prompted for an MFA challenge:
  • Email token pushed.
  • Phone token pushed.
  • Masked token settings delivered to UI.
MR (MFA Register)Login serviceThe MFA event API calls concerned with rendering of the MFA registration pages. This indicates the user is registering or modifying MFA settings.
MF (MFA Failure)Login serviceThe MFA validation failed. This results in denial of access to applications that requires MFA, or denial of security-sensitive operations on the portal such as modifying the MFA settings itself or modifying users credentials.

Multiple failed attempts also result in account lockout. For more information, see Set a temporary lockout for multiple failed login attempts.

MD (MFA Done)Login serviceThe MFA validation succeeded or is not required. MFA validation can succeed if the user presented a valid MFA token in response to the MFA challenge, or if the user's device was trusted, for example the user clicked Remember Me
MI (MFA Invalid)Login serviceThe MFA invalid is logged in case of a PCI DSS MFA scheme. The goal of PCI DSS MFA is to avoid disclosing user credentials or MFA failures to the user. To achieve this, declare user credentials as valid to the UI even when they are invalid (for example the logs indicate that the user credentials were invalid, but the UI moves on to display a fake MFA challenge).

The response to the fake MFA challenge is ignored and instead of declaring it as MFA failure, it is declared as MFA invalid in the log lines.

PCS (Password Change Success)Login serviceA user successfully changed the password using the change password API call.
PCF (Password Change Failure)Login serviceA user failed to change the password. Password change can fail for many reasons such as poor password quality, violation of password history, etc. These reasons are displayed to the user on the UI and included as free form text in the idp.einfo field.

User authentication examples

RAW format

2021-07-23T09:40:05.575000 - login.akamaidemo.net GET-/oidc/oauth?client_id=3cd24...-HTTP/1.1 - 302 LOGIN|I 123.123.123.123 GET 0.002 - 2021-07-23T16:40:05+00:00 - - 827 text/html My-User-Agent Other Other Ashburn Virginia VA US United-States - sso-cookie-no-cookie-value - -

JSON format

{
    "username": "-",
    "apphost": "login.akamaidemo.net",
    "http_method": "GET",
    "url_path": "/oidc/oauth?client_id=3cd24...",
    "http_ver": "HTTP/1.1",
    "referer": "-",
    "status_code": 302,
    "idpinfo": "LOGIN|I",
    "clientip": "123.123.123.123",
    "http_verb2": "GET",
    "total_resp_time": 0.002,
    "connector_resp_time": "-",
    "datetime": "2021-07-23T16:40:05+00:00",
    "origin_resp_time": "-",
    "origin_host": "-",
    "req_size": 827,
    "content_type": "text/html",
    "user_agent": "My-User-Agent",
    "device_os": "Other",
    "device_type": "Other",
    "geo_city": "Ashburn",
    "geo_state": "Virginia",
    "geo_statecode": "VA",
    "geo_countrycode": "US",
    "geo_country": "United-States",
    "internal_host": "-",
    "session_info": "sso-cookie-no-cookie-value",
    "groups": "-",
    "session_id": "-"
}

Limitations

There are some limitations related to the use of IP Application Accelerator. If you are using the IPA acceleration service, the Client IP and related geo information (lines 43-51 in the above table) represents the closest IPA gateway, not the actual user location.

Go to IP Application Accelerator to learn more about the acceleration service.

ūüĎć

The data retention policy is 365 days.

Extract EAA Access Log fields

Set up RAW log field extraction with Splunk. EAA API delivers the access log event in a space separated text line (RAW format) and both CLI-EAA and ULS can deliver the same event also in a structured JSON format.
Most SIEM support extraction using regular expression. Please check your SIEM documentation for more details, or choose the JSON format instead. This is EAA extract regular expression for EAA log lines:

^([^\s]*)\s(?P<username>[\w\-]*)\s(?P<apphost>[\w\.\-]+)\s(?P<http_method>[A-Z]+)-(?P<url_path>.*)\-(?P<http_ver>HTTP/[0-9\.]*)\s(?P<referer>[^\s]*)\s(?P<status_code>[0-9]*)\s(?P<idpinfo>[^\s]*)\s(?P<clientip>[^\s]*)\s(?P<http_verb2>[^\s]*)\s(?P<total_resp_time>[^\s]*)\s(?P<connector_resp_time>[^\s]*)\s(?P<datetime>[^\s]*)\s(?P<origin_resp_time>[^\s]*)\s(?P<origin_host>[^\s]*)\s(?P<req_size>[^\s]*)\s(?P<content_type>[^\s]*)\s(?P<user_agent>[^\s]*)\s(?P<device_os>[^\s]*)\s(?P<device_type>[^\s]*)\s(?P<geo_city>[^\s]*)\s(?P<geo_state>[^\s]*)\s(?P<geo_statecode>[^\s]*)\s(?P<geo_countrycode>[^\s]*)\s(?P<geo_country>[^\s]*)\s(?P<internal_host>[^\s]*)\s(?P<session_info>[^\s]*)\s(?P<groups>[^\s]*)\s(?P<session_id>.*)[\s.*|]

Prerequisite:
An account in Splunk. To download Splunk, go to Splunk page. For more details on downloading and installation, see Splunk installation manual.

  1. In your Splunk account, select Settings > Fields > Field Extractions.

  2. Click New to create a new field extraction.
    The Add new window appears.

  3. In Extraction/Transform paste the extract.

  4. Click Save.
    After you save the changes, you can see how you can use the extracted regular expression in Splunk SIEM.

Admin logs

Fields definition and examples of Admin logs:

FieldJSON keyDescription
Datedatetime Date and time of the event in UTC format
Usernameusername Email address of the admin user performing the action.

If the action is trigger by a condition of the tenant the user is system

ResourceTyperesource_type Type of the resource being audited
Resourceresource Name of the resource
Eventevent Name of the event
EventTypeevent_type Type of the event

RAW format:

% akamai eaa log admin --start $(( $(date +%s) - 30000 ))
#DatetimeUTC,AdminID,ResourceType,Resource,Event,EventType
2021-07-23T07:59:43,y@akamai.com,users,y@akamai.com,login,login
2021-07-23T07:04:26,x@akamai.com,users,x@akamai.com,login,login
2021-07-23T06:27:52,z@akamai.com,users,z@akamai.com,login,login
2021-07-23T06:27:50,a@akamai.com,users,a@akamai.com,login,login
2021-07-23T06:08:24,b@akamai.com,users,b@akamai.com,login,login
2021-07-23T05:54:40,system,connectors,tmelab-bos,unreachable,system
# Start: 07/23/2021 09:28:46 UTC (EPOCH 1627032526)
# End: 07/23/2021 17:47:46 UTC (EPOCH 1627062466)
# Total: 6 event(s), 0 error(s), 503 bytes written

JSON format:

{
    "datetime": "2021-07-23T05:54:40",
    "username": "system",
    "resource_type": "connectors",
    "resource": "tmelab-bos",
    "event": "unreachable",
    "event_type": "system"
}

Connector health

Fields definition and examples illustrating the health of the connector:

FieldJSON keyDescription
Connector IDconnector_uuid Datetime of the event in UTC format
Connector Namename name of the connector
Reachablereachable 1 indicates connector is reachable, 0 otherwise see API definition
Statusstatus Status of the connector
Versionversion Version of the connector software
Private IPprivateip IP address attached to the connector in the datacenter. If the connector is publicly exposed (not recommended) the field contains a public IP
Public IPpublicip Public IP of the connector seen by EAA platform (NAT public IP)
Debug modedebugchan Debug mode 1 for enabled, 0 for disabled.
Last updatets Last time connector sent the performance metrics
CPU%cpu CPU utilization in %
Disk%disk Disk utilization in %
Memory %mem Memory utilization in %
Network trafficnetwork Network usage in Mbps
Total Dialout Countdialout_total Number of dialout the connector is handling
Idle Dialout Countdialout_idle Number of idle dialout
Active Dialout Countdialout_active Number of actively used dialout

RAW format:

% akamai eaa connector list --perf
#Connector-id,name,reachable,status,version,privateip,publicip,debug,last_upd,CPU%,Mem%,Disk%,NetworkMbps,do_total,do_idle,do_active
con://cht3_GEjQWyMW9LEk7KQfg,demo-v2-con-1-amer,1,1,21.01.0-152,10.1.4.206,123.123.123.123,Y,2021-07-23T18:06:35.676Z,1.3,32.4,34.4,0.06,1304,1302,1

JSON format:

% akamai eaa connector list --perf --json | jq
{
    "connector_uuid": "cht3_GEjQWyMW9LEk7KQfg",
    "name": "demo-v2-con-1-amer",
    "reachable": 1,
    "status": 1,
    "version": "21.01.0-152",
    "privateip": "10.1.4.206",
    "publicip": "123.123.123.123",
    "debugchan": "Y",
    "ts": "2021-07-23T18:06:35.676Z",
    "cpu": 1.3,
    "disk": 34.4,
    "mem": 32.4,
    "network": 0.06,
    "dialout_total": 1304,
    "dialout_idle": 1302,
    "dialout_active": 1
}