Secure Access Logs
For supported software information, click here.
Secure access logs report information about connectivity, user registration, and global and user statistics. In addition, alarm logs can be parsed to find secure access user events such as IPSEC events, IKE connection and disconnect events, and authentication failures. This article describes secure access logs and alarm logs containing secure access event information.
Secure Access Connectivity Event Logs
For Releases 22.1.1 and later.
Secure Access Connectivity Event Log Message Format
2024-01-11T18:03:56+0000 secAccUserConnEventLog, applianceName=Bangalore-ECT-DC-Active,
tenantName=Corp-Inline-Customer1, vsnId=0, applianceId=1, tenantId=1,
userName=user123@versa-networks.com, deviceName=LAPTOP-123ABC, racTunnelIP=172.30.58.131,
racIP=152.58.208.86, racAccessType=ipsec, racEventType=create, secAccRuleName=ALLOW_MANAGED_DEVICES,
secAccRuleAction=allow, authProfile=unknown, vpnProfile=split-tunnel-RAS,
rInst=Corp-Inline-Customer-1LAN-VR, uptime=0, failureReason=
2024-01-11T18:08:10+0000 secAccUserConnEventLog, applianceName=Bangalore-ECT-DC-Active,
tenantName=Corp-Inline-Customer1, vsnId=0, applianceId=1, tenantId=1,
userName=user123@versa-networks.com, deviceName=LAPTOP-123ABC, racTunnelIP=172.30.58.131,
racIP=152.58.208.86, racAccessType=ipsec, racEventType=delete, secAccRuleName=,
secAccRuleAction=, authProfile=unknown, vpnProfile=, rInst=, uptime=252, failureReason=
2024-01-11T18:06:13+0000 secAccUserConnEventLog, applianceName=Bangalore-ECT-DC-Active,
tenantName=Corp-Inline-Customer1, vsnId=0, applianceId=1, tenantId=1,
userName=user124@versa-networks.com, deviceName=, racTunnelIP=, racIP=49.37.168.80,
racAccessType=unknown, racEventType=failure, secAccRuleName=, secAccRuleAction=,
authProfile=SAML-Authentication-Profile, vpnProfile=, rInst=, uptime=0, failureReason=forbidden
Secure Access Connectivity Event Message Fields
Field |
Description |
---|---|
applianceName |
Name of the Versa Operating SystemTM (VOSTM) device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName |
Name of the organization (tenant). |
applianceId |
VOS device identifier. This field is not used. |
tenantId |
Tenant or organization identifier. |
vsnId |
Virtual service node identifier. This field is not used. |
username |
Remote access user name. |
deviceName |
(For Releases 22.1.3 and later.) Remote access device name. |
racTunnelIP |
Remote access tunnel IP address. |
racIP |
Remote access WAN IP address. |
racAccessType |
Remote access type: IPsec, DTLS, TLS, or trusted-network. |
racEventType |
Remote access event type: create, delete or failure. |
secAccRuleName |
For create requests, the secure access rule that matches the user’s access request. |
authProfile |
For create requests, the authentication profile used for the user’s request. |
vpnProfile |
For create requests, the VPN profile used for the user’s request. |
rInst |
For create requests, the routing instance used for the client’s request. |
mdmDevType |
(For Releases 22.1.4 and later.) Mobile device management (MDM) type: managed or unmanaged. |
mdmComplState |
(For Releases 22.1.4 and later.) For a managed device, indicates the MDM compliance state, such as: compliant, noncompliant, or conflict. |
uptime |
For delete requests, how long the connection was up. |
failureReason |
For failure events, the reason for the connectivity failure. |
Secure Access Event Logs
This section provides examples of alarm logs that report secure access events. For a description of the fields in the alarm logs, see Alarm Logs.
Alarm Log Message Format for Alarm Type IPsec-IKE-Down with a Cleared Alarm
Alarm is cleared for the user user@versa-networks.com.
2021-01-21T19:20:14+0000 alarmLog, applianceName=HE-DC-Branch-1, tenantName=Corp-Inline-Customer-1, alarmType=ipsec-ike-down, alarmKey=73.158.203.189|10|abc@versa-networks.com, generateTime=1611256822, applianceId=1, vsnId=0, tenantId=1, alarmCause=causeOther, alarmClearable=yes, alarmClass=cleared, alarmKind=root, alarmEventType=communicationsAlarm, alarmSeverity=cleared, alarmOwner=provider, alarmSeqNo=50322, alarmText="IKE connection with peer 73.158.203.189 user user@versa-networks.com (routing-instance Internet-1-Transport-VR) is up", alarmKeyExt=, serialNum=HE-DC-Branch-1
Alarm Log Message Format for Alarm Type IPsec-Tunnel-Down with a Cleared Alarm
Alarm is cleared for the user user@versa-networks.com.
2021-01-21T19:20:14+0000 alarmLog, applianceName=HEDC-Branch-1, tenantName=Corp-Inline-Customer-1, alarmType=ipsec-tunneldown, alarmKey=73.158.203.189|10|abc@versa-networks.com, generateTime=1611256822, applianceId=1, vsnId=0, tenantId=1, alarmCause=causeOther, alarmClearable=yes, alarmClass=cleared, alarmKind=root, alarmEventType=communicationsAlarm, alarmSeverity=cleared, alarmOwner=provider, alarmSeqNo=50323, alarmText="IPSEC tunnel with peer 73.158.203.189 user user@versa-networks.com (routing-instance Internet-1-Transport-VR) is up", alarmKeyExt=, serialNum=HE-DC-Branch-1
Alarm Log Message Format for Alarm Type IPsec-Tunnel-Down with a New Alarm
Alarm is set alarm for the user user@versa-networks.com.
2021-01-21T19:20:44+0000 alarmLog, applianceName=HEDC-Branch-1, tenantName=Corp-Inline-Customer-1, alarmType=ipsec-tunneldown, alarmKey=73.158.203.189|10|abc@versa-networks.com, generateTime=1611256852, applianceId=1, vsnId=0, tenantId=1, alarmCause=causeOther, alarmClearable=yes, alarmClass=new, alarmKind=root, alarmEventType=communicationsAlarm, alarmSeverity=major, alarmOwner=provider, alarmSeqNo=50327, alarmText="IPSEC tunnel with peer 73.158.203.189 user user@versa-networks.com (routing-instance Internet-1-Transport-VR) is down", alarmKeyExt=, serialNum=HE-DC-Branch-1
Alarm Log Message Format for Alarm Type IPsec-IKE-Down with a New Alarm
Alarm is set for the user user@versa-networks.com.
2021-01-21T19:20:14+0000 alarmLog, applianceName=HE-DC-Branch-1, tenantName=Corp-Inline-Customer-1, alarmType=ipsec-ike-down, alarmKey=73.158.203.189|10|abc@versa-networks.com, generateTime=1611256822, applianceId=1, vsnId=0, tenantId=1, alarmCause=causeOther, alarmClearable=yes, alarmClass=new, alarmKind=root, alarmEventType=communicationsAlarm, alarmSeverity=cleared, alarmOwner=provider, alarmSeqNo=50322, alarmText="IKE connection with peer 73.158.203.189 user user@versa-networks.com (routing-instance Internet-1-Transport-VR) is down", alarmKeyExt=, serialNum=HE-DC-Branch-1
Alarm Log Message Format for Alarm Type IPsec-IKE-Auth-Failure with a New Alarm
Alarm is set, but the user is not known. You can use the public IP address to track the source.
2021-01-21T19:13:16+0000 alarmLog, applianceName=HE-DC-Branch-1, tenantName=Corp-Inline-Customer-1, alarmType=ipsec-ike-auth-failure, alarmKey=12.179.178.188|9, generateTime=1611256404, applianceId=1, vsnId=0, tenantId=1, alarmCause=causeOther, alarmClearable=yes, alarmClass=new, alarmKind=root, alarmEventType=communicationsAlarm, alarmSeverity=indeterminate, alarmOwner=provider, alarmSeqNo=50276, alarmText="IKE authentication with peer 12.179.178.188 (routing-instance Internet1-Transport-VR) failed", alarmKeyExt=, serialNum=HE-DC-Branch-1
Secure Access Global Statistics Logs
Secure Access Global Statistics Log Message Format
2021-01-21T16:54:52+0000 secAccGlobalStatsLog, applianceName=HE-DCBranch-1, tenantName=Corp-Inline-Customer-1, mstatsTimeBlock=1611248100, tenantId=1, applianceId=0, concurrentUsers=27, failedAttempts=14, successfulAttempts=0
Secure Access Global Statistics Message Fields
Field |
Description |
---|---|
applianceName |
Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName |
Name of the organization (tenant). |
applianceId |
VOS device identifier. This field is not used. |
tenantId |
Tenant or organization identifier. |
mstatsTimeBlock |
Time since the log was generated, in UNIX epoch format. |
concurrentUsers |
Snapshot of the concurrent users on the gateway when the log was generated. |
failedAttempts |
Number of failed attempts in the last measurement interval. |
successfulAttempts |
Number of successful attempts in the last measurement interval. |
Secure Access User Registration Logs
For Releases 21.2.1 and later.
Secure Access User Registration Log Message Format
2021-01-20T12:00:34+0000 secAccUserRegEventLog, applianceName=SJC-GW, tenantName=Versa-Networks, vsnId=0, applianceId=1, tenantId=3, userName=user123@versa-networks.com, latitude=22.2, longitude=33.3, os=Windows 10 Enterprise, osVersion=v-1909 b-18363.1316, secAccClientVersion=7.2.4
Secure Access User Registration Message Fields
Field |
Description |
---|---|
applianceName |
Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName |
Name of the organization (tenant). |
applianceId |
VOS device identifier. This field is not used. |
tenantId |
Tenant or organization identifier. |
vsnId |
Virtual service node identifier. This field is not used. |
username |
Remote access username. |
latitude |
Location of the user by latitude during the registration process. |
longitude |
Location of the user by longitude during the registration process. |
os |
Operating system of the device from which the user is registering. |
osVersion |
Operating system version of the device from which the user is registering. |
secAccClientVersion |
Secure access client version running on the device from which the user is registering. |
mdmDevType |
(For Releases 22.1.4 and later.) Mobile device management (MDM) type: managed or unmanaged. |
mdmComplState |
(For Releases 22.1.4 and later.) For a managed device, indicates the MDM compliance state such as, compliant, noncompliant, and conflict. |
Secure Access User Statistics Logs
Secure access user statistics logs provide per-user usage statistics, round-trip time, and location information. This log is sent every 5 minutes if there is user activity.
Secure Access User Statistics Log Message Format
2021-01-21T17:29:59+0000 secAccUserStatsLog, applianceName=SJC-GW, tenantName=Versa-Networks,
mstatsTimeBlock=1611250200, tenantId=3, applianceId=0, mstatsTotSessDuration=300000,
userName=user123@versa-networks.com, racIP=76.21.120.137, racRxBytes=575392, racTxBytes=919920,
roundTripTime=340, latitude=53.00, longitude=42.00, isp=COMCAST-7922
Secure Access User Statistics Message Fields
Field |
Description |
---|---|
applianceName |
Name of the VOS device. This is the name displayed in the output of the show system identification CLI command on the VOS device. |
tenantName |
Name of the organization (tenant). |
applianceId |
VOS device identifier. This field is not used. |
tenantId |
Tenant or organization identifier. |
mstatsTimeBlock |
Time since the log was generated, in UNIX epoch format. |
mstatsTotSessDuration |
Measurement interval in milliseconds. |
Username |
Remote access username. |
racIP |
Remote access client public IP address. |
racRxBytes |
Bytes received in the last measurement interval (5 minutes) from the remote access user. |
racTxBytes |
Bytes sent in the last measurement interval (5 minutes) to the remote access user. |
roundTripTime |
(For Releases 21.2.1 and later.) Round-trip time from the remote access user’s device to the secure access gateway. |
Latitude |
(For Releases 21.2.1 and later.) Location of the user by latitude. |
Longitude |
(For Releases 21.2.1 and later.) Location of the user by longitude. |
ISP |
(For Releases 21.2.1 and later.) Internet service provider of the WAN link used to connect to the secure access gateway. |
Supported Software Information
Releases 21.1.1 and later support all content described in this article, except:
- Release 21.2.1 adds support for log type secAccUserRegEventLog.
- Release 22.1.1 adds support for log type secAccUserConnEventLog.
- Release 22.1.2 adds support for fields roundTripTime, Latitude, Longitude, and ISP for log type secAccUserStatsLog.
- Release 22.1.3 adds support for field deviceName for log type secAccUserConnEventLog.
- Release 22.1.4 (Service Release dated 2024-11-10 or later) adds support for fields mdmDevType and mdmComplState.