Silo Logs Reference Guide  

 
This guide provides details on each of the Authentic8 log types: URL, DOWNLOAD, UPLOAD, SESSION, AUTH (summary details), ADMIN_AUDIT, ENC, POST DATA, COOKIES, LOCATION CHANGE, BLOCKED URL, TRANSLATION, A8SS, & PRINT.
 
Refer to the Log Extraction section of the Authentic8 API Reference Guide for information on how to retrieve these logs. 
 

Log Type: URL

URL logs contain user web site navigation details.

Field Name Definition Sample Result
client_ip The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. 50.247.80.185
create_ts The floating point UNIX Epoch time the log entry was created 1411481216.764143
domain The domain name of the URL "example.com" in "https://example.com:81/path?p=v"
headers Components of the header section of request and response messages Host: login.example.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0 Authentic8/1.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://login.example.com/config/login_verify2?&.src=ym\r\nDNT: 1\r\nConnection: keep-alive\r\n"
method HTTP request method GET, POST
org_id The opaque string identifier of the Authentic8 org the user is in 64bb2da94d49648b75e3b3b82338086e
path The path of the URL "/path" in "https://example.com:81/path?p=v"
port The port of the URL "81" in "https://example.com:81/path?p=v". If port would have been 80 or 443, this is null.
response_code The HTTP response code from the website usually 200
response_headers Components of the header section of request and response messages Date: Tue, 23 Sep 2014 14:13:37 GMT\r\nP3P: policyref=\"http://info.example.com/w3c/p3p.xml\", CP=\"CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV\"\r\nX-Frame-Options: DENY\r\nCache-Control: private\r\nVary: Accept-Encoding\r\nContent-Encoding: gzip\r\nContent-Length: 32723\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Security-Policy-Report-Only: default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri http://b.login.example.com/beacon/csp\r\nAge: 0\r\nConnection: close\r\nStrict-Transport-Security: max-age=15552000\r\nServer: ATS\r\n"
response_size If known, the size of the response in bytes. Otherwise, null. 3655
scheme The protocol specifier in a URL usually "http" or "https"
seq_id Sequence number of log entry 12627567
session_id An opaque string that identifies the user's Authentic8 session f1b3310c0422f847446fe7661d896c6a
primary_session_id Unique identifier of the Authentic8 session. If this is not null, the log entry was made in a subsession, so this identifies the primary session. This would typically be non-null in a Toolbox as an App subsession "primary_session_id": "bd1dfccc8b4c98c79085d78b0aab96e6" Toolbox as an App session "session_id": "bd1dfccc8b4c98c79085d78b0aab96e6:1"
type "URL" log entries record the information about the pages the user visits URL
url Web site address https://login.example.com/
user_id The opaque string identifier of the Authentic8 user c8cd4252f8b15bdbc9c3e7c53d73f562
username The login name of the user who initiated the session siloadminuser
query The query of the URL "p=v" in "https://example.com:81/path?p=v"

Log Type: DOWNLOAD

Download logs contain details of users' file download activity and of the files downloaded.
Field Name Definition Sample Result
client_ip The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. 50.247.80.185
bytes Downloaded file size in bytes 92108
target Destination path of downloaded file /tmp/download-0/Extract_Log_Samples.txt
contentType Data type of the downloaded file text/plain
hash SHA-256 hash of the file in hex d262d17ab180800703ad2a65a29643c72c7ebfeb1a6431d34e19561c0e50cc41
url Source of the downloaded file https://mail-attachment.googleusercontent.com/attachment/u/0/?ui=2&ik=9f0c44d8c2&view=att&th=1489b4c8d5929ac4&attid=0.1&disp=safe&realattid=f_i0d86brx0&zw&saduie=AG9B_P_EV24vE6QEP8oX6jRL1kF-&sadet=1411404392213&sads=M8j4UFPeIEoD7EnKT_iP5IFQspk
username The login name of the user who initiated the session siloadminuser
create_ts The floating point UNIX Epoch time the log entry was created 1411408790.093198
org_id The opaque string identifier of the Authentic8 org the user is in 64bb2da94d49648b75e3b3b82338086e
seq_id Sequence number of log entry 12625480
session_id An opaque string that identifies the user's Authentic8 session 9d1d78fe0c999429fcce590358ec5ca5
type "DOWNLOAD" log entries record the information about the file downloaded DOWNLOAD
scheme The protocol specifier of the source site https
domain The domain of the source web site mail-attachment.googleusercontent.com
port Port of the source web site 443
path Source path of the web site /attachment/u/0/
query Source query of the downloaded file ui=2&ik=9f0c44d8c2&view=att&th=1489b4c8d5929ac4&attid=0.1&disp=safe&realattid=f_i0d86brx0&zw&saduie=AG9B_P_EV24vE6QEP8oX6jRL1kF-&sadet=1411404392213&sads=M8j4UFPeIEoD7EnKT_iP5IFQspk


Log Type: UPLOAD

Upload logs contain details of users' file upload activity and of the files uploaded.
Field Name Definition Sample Result
client_ip The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. 50.247.80.185
bytes Uploaded file size in bytes 4403457
target Path of the temporary transfer destination on Authentic8 server /tmp/upload-0/37a9be56c22de501a6fee0d6bd70cf26-Logs.txt
contentType Data type of the uploaded file image/png
hash SHA-256 hash of the file in hex c7ebfeb1a6431d34e19561c0e50cc41d262d17ab180800703ad2a65a29643c72
url Destination of the uploaded file https://mail.google.com/mail/u/0/?ui=2&ik=9f0c44d8c2&view=up&fcid=i0d86bs2dkg5&rt=j&act=fup&oauth=AG9B_P_EV24vE6QEP8oX6jRL1kF-%7Cb54078f6cd20dc2a&attid=f_i0d86brx0
username The login name of the user who initiated the session siloadminuser
create_ts The floating point UNIX Epoch time the log entry was created 1411408790.093198
org_id The opaque string identifier of the Authentic8 org the user is in 64bb2da94d49648b75e3b3b82338086e
seq_id Sequence number of log entry 12625195
session_id An opaque string that identifies the user's Authentic8 session f9567c931b7dc6a4e5299e8c862011fe
type "UPLOAD" log entries record the information about the file uploaded UPLOAD
scheme The protocol specifier of the destination site https
domain The domain of the web site file uploaded to mail.google.com
port Port of the source web site 443
path Source path of the web site /attachment/u/0/
query Source query of the uploaded file ui=2&ik=9f0c44d8c2&view=up&fcid=i0d86bs2dkg5&rt=j&act=fup&oauth=AG9B_P_EV24vE6QEP8oX6jRL1kF-%7Cb54078f6cd20dc2a&attid=f_i0d86brx0


Log Type: SESSION

Session logs contain detailed information about user sessions for all product types (Silo and Toolbox).
Field Name Definition Sample Result
client_ip The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. 50.247.80.185
client_machine_name Name of user’s logon device retrieved from machine factors (if a user has obscured machine factors, the obscured name will be shown) MacBook Pro
create_ts The floating point UNIX Epoch time the log entry was created 1411568275.720287
egress_ip IP address of the egress 179.48.248.22
egress_location Region identifier for egress Costa Rica (cr)
execution_location Region identifier for the Toolbox as an App session Singapore (sg)
execution_server_ip IP address of the server hosting the session 119.81.23.187
execution_server_name Hostname of the server hosting the Toolbox as an App session app-sng-54.authentic8.com
org_id The opaque string identifier of the Authentic8 org the user is in 64bb2da94d49648b75e3b3b82338086e
seq_id Sequence number of log entry 12630308
session_end_time UNIX Epoch time of session end 1411568275
session_id An opaque string that identifies the user's Authentic8 session bd1dfccc8b4c98c79085d78b0aab96e6
session_start_time UNIX Epoch time of session start 1411567938
session_type Type of sessions logged Silo; Toolbox
type “SESSION” log entries record the information about the session SESSION
user_id The opaque string identifier of the Authentic8 user dbc9c3e7c5c8cd4252f8b15b3d73f562
user_type Indicator of standard user or administrator admin
username The login name of the user who initiated the session siloadminuser
primary_session_id Unique identifier of the Authentic8 session. If this is not null, the log entry was made in a subsession, so this identifies the primary session. This would typically be non-null in a Toolbox as an App subsession "primary_session_id": "bd1dfccc8b4c98c79085d78b0aab96e6" Toolbox as an App session "session_id": "bd1dfccc8b4c98c79085d78b0aab96e6:1"
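The URL and SESSION tables above describe two details that matter when correlating entries: sub-session entries point back to their primary session through primary_session_id, and port is null when it would have been 80 or 443. The following is an added example, not Authentic8 code, that groups entries by primary session and restores the effective port. It assumes entries arrive as JSON objects keyed by the documented field names; the sample data, the session ids and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample entries (not real data), already parsed from JSON.
# Field names follow the URL, DOWNLOAD and SESSION tables; ids are made up.
SAMPLE_LOGS = [
    {"type": "URL", "seq_id": 3, "session_id": "sess-A:1", "primary_session_id": "sess-A",
     "username": "alice", "scheme": "https", "domain": "example.com", "port": 81},
    {"type": "URL", "seq_id": 1, "session_id": "sess-A", "primary_session_id": None,
     "username": "alice", "scheme": "https", "domain": "login.example.com", "port": None},
    {"type": "DOWNLOAD", "seq_id": 2, "session_id": "sess-A", "primary_session_id": None,
     "username": "alice", "scheme": "https", "domain": "files.example.com", "port": 443,
     "hash": "ab" * 32, "bytes": 92108},
    {"type": "URL", "seq_id": 4, "session_id": "sess-B", "primary_session_id": None,
     "username": "bob", "scheme": "http", "domain": "example.org", "port": None},
    {"type": "SESSION", "seq_id": 5, "session_id": "sess-A", "primary_session_id": None,
     "username": "alice", "session_start_time": 1411567938,
     "session_end_time": 1411568275},
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def primary_session(entry):
    """Sub-session entries carry the parent id in primary_session_id."""
    return entry.get("primary_session_id") or entry.get("session_id")


def effective_port(entry):
    """port is null for 80/443, so fall back to the scheme's default."""
    port = entry.get("port")
    if port is not None:
        return int(port)
    return DEFAULT_PORTS.get(entry.get("scheme"))  # None for entries with no URL


def build_timelines(entries):
    """Return {primary session id: [events ordered by seq_id]}."""
    timelines = defaultdict(list)
    for entry in sorted(entries, key=lambda e: e.get("seq_id", 0)):
        event = {
            "seq_id": entry.get("seq_id"),
            "type": entry.get("type"),
            "session_id": entry.get("session_id"),
            "domain": entry.get("domain"),
            "port": effective_port(entry),
        }
        if entry.get("type") in ("DOWNLOAD", "UPLOAD"):
            event["hash"] = entry.get("hash")  # SHA-256 hex, usable for lookups
            event["bytes"] = entry.get("bytes")
        timelines[primary_session(entry)].append(event)
    return dict(timelines)


def non_standard_ports(timelines):
    """List (primary session, seq_id, domain, port) for ports other than 80/443."""
    hits = []
    for session, events in sorted(timelines.items()):
        for ev in events:
            if ev["port"] is not None and ev["port"] not in (80, 443):
                hits.append((session, ev["seq_id"], ev["domain"], ev["port"]))
    return hits


if __name__ == "__main__":
    timelines = build_timelines(SAMPLE_LOGS)
    for session, events in timelines.items():
        print(session, [(e["seq_id"], e["type"], e["port"]) for e in events])
    print(non_standard_ports(timelines))
```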


Log Type: AUTH

Authentication logs contain entries of users’ authentication attempts such as PIN Authentication, OOB (out of band), Reset user login with temporary password.
Field Name Definition Sample Result
action Type of authentication actions PIN Auth; PIC Auth (grandfathered authentication method for users created prior since early 2013); SAML Auth
client_ip The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. 50.247.80.185
create_ts The floating point UNIX Epoch time the log entry was created 1411567747.400867
org_id The opaque string identifier of the Authentic8 org the user is in 4a6ca40fc47ab8655f85b4cc6d6139e0
reason Any available detail reason for authentication action results Incorrect credentials; "Signature data missing"
result Result of authentication actions success; failure
seq_id Sequence number of log entry 23686753
session_id An opaque string that identifies the user's Authentic8 session ec3d9b11ff7eb00d6f55f773ba057583
type “AUTH” log entries for various authentication attempts, results, reasons AUTH
user_id The opaque string identifier of the Authentic8 user a62f8860f76650380e09d366557e3751
username The login name of the user who initiated the session siloadminuser


Summary details of authentication actions and results:

Action / Result: Reason
PIN Auth
  • success
  • failure: Incorrect credentials
  • failure: Booted after three failed attempts
  • failure: Locked out after three login failures over two consecutive sessions
SAML Auth
  • success
  • failure: Signature expired
  • failure: Signature invalid
  • failure: Signature data missing
OOB (out of band)
  • success
  • failure: Incorrect OOB code
  • failure: Phone modification disabled after three failed attempts
  • failure: Unable to send code, incorrect phone number: 9999999999
Reset (user login using temporary password)
  • success
  • failure: Invalid reset code
  • failure: Booting user after three failed attempts
  • failure: Locked out after three reset code failures over two consecutive sessions
New User Create PIN
  • success: Created new pin code
User changed PIN
  • success: Changed pin code
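The action, result and reason values listed above are enough to triage authentication activity per user. The following is an added example, not Authentic8 code, that summarises AUTH entries and surfaces attempt-limit reasons, SAML signature failures, and a success that follows earlier failures. It assumes one JSON object per line keyed by the documented field names; the sample lines, usernames and the function name are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample lines (not real data). Assumption: one JSON object per
# line, keyed by the field names in the AUTH table. The last line is cut short
# on purpose to show that damaged input is skipped.
SAMPLE_AUTH_LOGS = """\
{"type": "AUTH", "seq_id": 101, "username": "alice", "client_ip": "203.0.113.10", "action": "PIN Auth", "result": "failure", "reason": "Incorrect credentials"}
{"type": "AUTH", "seq_id": 102, "username": "alice", "client_ip": "203.0.113.10", "action": "PIN Auth", "result": "failure", "reason": "Incorrect credentials"}
{"type": "AUTH", "seq_id": 103, "username": "alice", "client_ip": "203.0.113.10", "action": "PIN Auth", "result": "failure", "reason": "Booted after three failed attempts"}
{"type": "URL", "seq_id": 104, "username": "carol", "url": "https://login.example.com/"}
{"type": "AUTH", "seq_id": 106, "username": "alice", "client_ip": "198.51.100.7", "action": "PIN Auth", "result": "success", "reason": null}
{"type": "AUTH", "seq_id": 105, "username": "bob", "client_ip": "192.0.2.44", "action": "SAML Auth", "result": "failure", "reason": "Signature expired"}
{"type": "AUTH", "seq_id": 107, "username": "carol", "client_ip": "192.0.2.45", "action": "PIN Auth", "result": "success", "reason": null}
{"type": "AUTH", "seq_id": 108, "username": "tru
"""

# Failure reasons from the summary that mean an attempt limit was reached.
LIMIT_PREFIXES = ("Booted after", "Booting user after", "Locked out after",
                  "Phone modification disabled after")


def triage_auth(raw_lines):
    """Summarise AUTH entries per username, processed in seq_id order."""
    entries = []
    for line in raw_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip damaged lines rather than abort the whole run
        if entry.get("type") == "AUTH":
            entries.append(entry)
    entries.sort(key=lambda e: e.get("seq_id", 0))

    report = defaultdict(lambda: {"failures": 0, "limit_hits": [],
                                  "saml_signature": [], "ips": set(),
                                  "success_after_failure": False})
    for e in entries:
        user = report[e.get("username")]
        user["ips"].add(e.get("client_ip"))
        reason = e.get("reason") or ""
        if e.get("result") == "failure":
            user["failures"] += 1
            if reason.startswith(LIMIT_PREFIXES):
                user["limit_hits"].append((e.get("seq_id"), e.get("action"), reason))
            if e.get("action") == "SAML Auth" and reason.startswith("Signature"):
                user["saml_signature"].append((e.get("seq_id"), reason))
        elif e.get("result") == "success" and user["failures"]:
            user["success_after_failure"] = True
    return dict(report)


if __name__ == "__main__":
    for name, summary in triage_auth(SAMPLE_AUTH_LOGS).items():
        print(name, summary)
```

Because client_ip is frequently a NAT address, a change of IP between a failure run and a later success is a prompt for review rather than proof of a different machine.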


Log Type: ADMIN_AUDIT

Admin Audit logs record all administrators’ change activities within Silo Admin Console.  
The data logged includes:
  • Who made the change (username) 
  • When the change was made (timestamp) 
  • What was changed (including before and after values)   

Notes:
  • Credential changes will be tracked and listed but actual data will NOT be logged. 
  • Admin Audit log entries usually carry one of the 4 audit_type values, “USER”, “WEB_APP”, “POLICY” or “ORG”, for the recorded change the Admin made.
Field Name Definition Sample Result
admin_fullname Full Name of Admin who made the changes Silo Admin
audit_type Type of changes made POLICY
create_ts The floating point UNIX Epoch time the log entry was created 1411623446.621668
message Any Admin executed action details Changed org name from \"Untitled Org\" to \"test\"
org_id The opaque string identifier of the Authentic8 org 4a6ca40fc47ab8655f85b4cc6d6139e0
org_name Name of the Org for Admin changes made Admin Org
seq_id Sequence number of log entry 23691402
source Source of Admin changes made Admin Console
type “ADMIN_AUDIT” log entries record Admin actions ADMIN_AUDIT
username The login name of the Admin who made the changes siloadminuser
old_values Value before change "email": "user@email.com"
new_values Value after change "email": "user@new-email.com"

Log Type: ENC

The Encrypted Logs policy setting and key(s) are managed within the Silo Admin Console. The keys are asymmetric: Authentic8 holds the “public” part, while the customer retains the portion required to decrypt.
Field Name Definition Sample Result
enc Payload of encrypted logs base64 encoded encrypted serialized JSON object
key_name Name of Asymmetric Key used to encrypt symmetric key “My public key”
create_ts The floating point UNIX Epoch time the log entry was created 1411623446.621668
org_id The opaque string identifier of the Authentic8 org 4a6ca40fc47ab8655f85b4cc6d6139e0
org_name Name of the Org where users are in Admin Org
seq_id Sequence number of log entry 23691402
type “ENC” encrypted logs, which can only be decrypted by the customer with the private key ENC


Log Type: COOKIES

Cookie data is part of a normal URL request, but the data is considered sensitive. URLs are always logged, but the sensitive data is only logged when Encrypted Logs policy is Enabled and, therefore, is only present in decrypted logs.
Field Name Definition Sample Result
client_ip The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. 50.247.80.185
create_ts The floating point UNIX Epoch time the log entry was created 1411481216.764143
data Cookie data log entries actual data blob
domain The domain name of the URL "example.com" in "https://example.com:81/path?p=v"
method HTTP request method GET, POST
org_id The opaque string identifier of the Authentic8 org the user is in 64bb2da94d49648b75e3b3b82338086e
path The path of the URL "/path" in "https://example.com:81/path?p=v"
port The port of the URL "81" in "https://example.com:81/path?p=v". If port would have been 80 or 443, this is null.
response_code The HTTP response code from the website usually 200
scheme The protocol specifier in a URL usually "http" or "https"
seq_id Sequence number of log entry 12627567
session_id An opaque string that identifies the user's Authentic8 session f1b3310c0422f847446fe7661d896c6a
type "COOKIES" log entries record cookie data COOKIES
url Web site address https://login.example.com/
username The login name of the user who initiated the session siloadminuser

Log Type: POST DATA

Post data (form posts only) is sensitive so only logged when Encrypted Logs is Enabled. It may or may not map to a URL entry. The post method specifies a destination, but the response page is usually different than the target of the post. Not all form posts result in a traditional post, and Silo does not gather all xhr posts because this would result in a large amount of useless data.
Field Name Definition Sample Result
client_ip The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. 50.247.80.185
create_ts The floating point UNIX Epoch time the log entry was created 1411481216.764143
data Post Data log entries actual data blob
domain The domain name of the URL "example.com" in "https://example.com:81/path?p=v"
org_id The opaque string identifier of the Authentic8 org the user is in 64bb2da94d49648b75e3b3b82338086e
path The path of the URL "/path" in "https://example.com:81/path?p=v"
port The port of the URL "81" in "https://example.com:81/path?p=v". If port would have been 80 or 443, this is null.
query The query of the URL "p=v" in "https://example.com:81/path?p=v"
scheme The protocol specifier in a URL usually "http" or "https"
seq_id Sequence number of log entry 12627567
session_id An opaque string that identifies the user's Authentic8 session f1b3310c0422f847446fe7661d896c6a
type "POST DATA" log entries record form post details POST DATA
url Web site address https://login.example.com/
username The login name of the user who initiated the session siloadminuser


Log Type: LOCATION CHANGE

Location change data tracks the changes to the address in the location bar (URL bar). Sites accessed via Google search queries are tracked as well.
Field Name Definition Sample Result
client_ip The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. 50.247.80.185
create_ts The floating point UNIX Epoch time the log entry was created 1411481216.764143
user_id The opaque string identifier of the Authentic8 user db51b9038ddc66641381c4628bcb8ee1
domain The domain name of the URL www.google.com
org_id The opaque string identifier of the Authentic8 org the user is in 64bb2da94d49648b75e3b3b82338086e
path The path of the URL /maps/search/news/@34.736297,-84.007953,5z/data=!3m1!4b1
port The port of the URL 80 or 443
query The query of the URL gws_rd=ssl#q=cats
scheme The protocol specifier in a URL usually "http" or "https"
seq_id Sequence number of log entry 12988378
session_id An opaque string that identifies the user's Authentic8 session c516a4417c72673478dea4186ea6d35e
type "LOCATION CHANGE" log entries record web address changes LOCATION CHANGE
url Web site address https://www.google.com/?gws_rd=ssl#q=cats
username The login name of the user who initiated the session siloadminuser


Log Type: BLOCKED URL

Blocked URL data tracks attempts to access sites/domains that were prevented by Category or Domain Filtering policies.
Field Name Definition Sample Result
client_ip The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. 50.247.80.185
create_ts The floating point UNIX Epoch time the log entry was created 1411481216.764143
user_id The opaque string identifier of the Authentic8 user db51b9038ddc66641381c4628bcb8ee1
domain The domain name of the URL www.google.com
org_id The opaque string identifier of the Authentic8 org the user is in 64bb2da94d49648b75e3b3b82338086e
path The path of the URL /maps/search/news/@34.736297,-84.007953,5z/data=!3m1!4b1
port The port of the URL 80 or 443
scheme The protocol specifier in a URL usually "http" or "https"
seq_id Sequence number of log entry 12988378
session_id An opaque string that identifies the user's Authentic8 session c516a4417c72673478dea4186ea6d35e
type "BLOCKED URL" log entries record access to sites/domains prevented by Category or Domain Filtering policies BLOCKED URL
url Web site address https://www.google.com/?gws_rd=ssl#q=cats
username The login name of the user who initiated the session siloadminuser
reject_type The policy reason access was prevented "url black list" or "category"
micro_category Specific filtering category reason Social Networking
macro_category General filtering category name Productivity Drains


Log Type: TRANSLATION

Translation logs track information about pages/content translated within Silo & Toolbox sessions.
Field Name Definition Sample Result
client_ip The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. 69.181.241.203
create_ts The floating point UNIX Epoch time the log entry was created 1427175692.787294
length Number of characters translated 28283
service Translation service/api used "GOOGLE"
org_id The opaque string identifier of the Authentic8 org the user is in 64bb2da94d49648b75e3b3b82338086e
source Source language translated from null or “English” etc
target Destination language translated to null or “Chinese (Traditional)” etc
translation_type Type of translation processed “selection", "ad hoc" or "full_page"
seq_id Sequence number of log entry 24744695
session_id An opaque string that identifies the user's Authentic8 session 20d33f188fe56351dd451d7819da2681
type "TRANSLATION" log entries record the contents translated TRANSLATION
url Web site address OR empty for text selection http://www.cnbc.com/id/102528156
username The login name of the user who initiated the session siloadminuser


Log Type: A8SS

A8SS logs contain information about activities and files in Secure Cloud Storage.
Field Name Definition Sample Result
action File Action Performed. Values can be: "create bucket", "create directory", "create file", "delete directory", "delete file", "download to client machine", "move directory", "move file", "rename file", "update file", "upload from client machine"
bucket_id The internal bucket ID where the action was performed “5113d1da4e4d0c523b170310341b7415”
client_ip IP address of the Silo client which originated the request “98.138.253.109”
content_type the file type "image/tiff"
create_ts timestamp of the create time of the file 1436215447.527693
create_user The internal user ID who created the file “d0dd8b47b28057322925v428d9d07a58”
file_id the unique internal file ID "3b94ae0ebcdc7e926ddddcddfd8cf18c"
file_size Size of the file in bytes 1002365
name the regular name of the file "TestFile.tiff"
new_name Name file was renamed to "TestFile_renamed.tiff"
org_id The internal org ID "4ca51853dcfef8c08a4bbbf168af7f3e"
seq_id log entry sequence ID 13382766
session_id An opaque string that identifies the user's Authentic8 session “f1b3310c0422f847446fe7661d896c6a”
type log Type A8SS
uploading_until Indication of file save status. If a file save action is complete, this field will be 'Null'; if the file is currently being written or is in some incomplete state, you will see a time stamp. "2015-07-06 21:00:26" or 'Null'
user_id The opaque string identifier of the Authentic8 user “c8cd4252f8b15bdbc9c3e7c53d73f562”
username The login name of the user who initiated the session siloadminuser


Log Type: PRINT

PRINT logs contain information about printing activities.
Field Name Definition Sample Result
client_ip IP address of the Silo client which originated the request “98.138.253.109”
mime_type the file mime type "text/html"
create_ts timestamp of the create time of the file 1436215447.527693
org_id The internal org ID "4ca51853dcfef8c08a4bbbf168af7f3e"
seq_id log entry sequence ID 13382766
session_id An opaque string that identifies the user's Authentic8 session “f1b3310c0422f847446fe7661d896c6a”
type log Type PRINT
username The login name of the user who initiated the session siloadminuser
url Web site address https://login.example.com/
domain The domain name of the URL "example.com" in "https://example.com:81/path?p=v"
path The path of the URL "/path" in "https://example.com:81/path?p=v"
path The operation performed "direct print"
scheme The protocol specifier in a URL usually "http" or "https"
port The port of the URL "81" in "https://example.com:81/path?p=v". If port would have been 80 or 443, this is null.