Silo Logs Reference Guide  

 
This guide provides details on each of the Authentic8 log types: URL, DOWNLOAD, UPLOAD, SESSION, AUTH (summary details), ADMIN_AUDIT, ENC, POST DATA, COOKIES, LOCATION CHANGE, BLOCKED URL, TRANSLATION, A8SS, PRINT, & EXPLOIT.
 
Refer to the Log Extraction section of the Authentic8 API Reference Guide for information on how to retrieve these logs. 
 

Log Type: URL

URL logs contain user web site navigation details.

| Field Name | Definition | Sample Result |
| --- | --- | --- |
| client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
| create_ts | The floating point UNIX Epoch time the log entry was created | 1411481216.764143 |
| domain | The domain name of the URL | "example.com" in "https://example.com:81/path?p=v" |
| headers | Components of the header section of request and response messages | "Host: login.example.com\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:30.0) Gecko/20100101 Firefox/30.0 Authentic8/1.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: https://login.example.com/config/login_verify2?&.src=ym\r\nDNT: 1\r\nConnection: keep-alive\r\n" |
| method | HTTP request method | GET, POST |
| org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
| path | The path of the URL | "/path" in "https://example.com:81/path?p=v" |
| port | The port of the URL | "81" in "https://example.com:81/path?p=v". If port would have been 80 or 443, this is null. |
| response_code | The HTTP response code from the website | usually 200 |
| response_headers | Components of the header section of request and response messages | "Date: Tue, 23 Sep 2014 14:13:37 GMT\r\nP3P: policyref=\"http://info.example.com/w3c/p3p.xml\", CP=\"CAO DSP COR CUR ADM DEV TAI PSA PSD IVAi IVDi CONi TELo OTPi OUR DELi SAMi OTRi UNRi PUBi IND PHY ONL UNI PUR FIN COM NAV INT DEM CNT STA POL HEA PRE LOC GOV\"\r\nX-Frame-Options: DENY\r\nCache-Control: private\r\nVary: Accept-Encoding\r\nContent-Encoding: gzip\r\nContent-Length: 32723\r\nContent-Type: text/html; charset=UTF-8\r\nContent-Security-Policy-Report-Only: default-src https: 'unsafe-inline' 'unsafe-eval'; report-uri http://b.login.example.com/beacon/csp\r\nAge: 0\r\nConnection: close\r\nStrict-Transport-Security: max-age=15552000\r\nServer: ATS\r\n" |
| response_size | If known, the size of the response in bytes. Otherwise, null. | 3655 |
| scheme | The protocol specifier in a URL | usually "http" or "https" |
| seq_id | Sequence number of log entry | 12627567 |
| session_id | An opaque string that identifies the user's Authentic8 session | f1b3310c0422f847446fe7661d896c6a |
| primary_session_id | Unique identifier of the Authentic8 session. If this is not null, the log entry was made in a subsession, so this identifies the primary session. This would typically be non-null in a Toolbox as an App subsession. | "primary_session_id": "bd1dfccc8b4c98c79085d78b0aab96e6"; Toolbox as an App session "session_id": "bd1dfccc8b4c98c79085d78b0aab96e6:1" |
| type | "URL" log entries record the information about the pages the user visits | URL |
| url | Web site address | https://login.example.com/ |
| user_id | The opaque string identifier of the Authentic8 user | c8cd4252f8b15bdbc9c3e7c53d73f562 |
| username | The login name of the user who initiated the session | siloadminuser |
| query | The query of the URL | "p=v" in "https://example.com:81/path?p=v" |

Log Type: DOWNLOAD

Download logs contain information about users' file download activity and the downloaded files.

| Field Name | Definition | Sample Result |
| --- | --- | --- |
| client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
| bytes | Downloaded file size in bytes | 92108 |
| target | Destination path of downloaded file | /tmp/download-0/Extract_Log_Samples.txt |
| contentType | Data type of the downloaded file | text/plain |
| hash | SHA-256 hash of the file in hex | d262d17ab180800703ad2a65a29643c72c7ebfeb1a6431d34e19561c0e50cc41 |
| url | Source of the downloaded file | https://mail-attachment.googleusercontent.com/attachment/u/0/?ui=2&ik=9f0c44d8c2&view=att&th=1489b4c8d5929ac4&attid=0.1&disp=safe&realattid=f_i0d86brx0&zw&saduie=AG9B_P_EV24vE6QEP8oX6jRL1kF-&sadet=1411404392213&sads=M8j4UFPeIEoD7EnKT_iP5IFQspk |
| username | The login name of the user who initiated the session | siloadminuser |
| create_ts | The floating point UNIX Epoch time the log entry was created | 1411408790.093198 |
| org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
| seq_id | Sequence number of log entry | 12625480 |
| session_id | An opaque string that identifies the user's Authentic8 session | 9d1d78fe0c999429fcce590358ec5ca5 |
| type | "DOWNLOAD" log entries record the information about the file downloaded | DOWNLOAD |
| scheme | The protocol specifier of the source site | https |
| domain | The domain of the source web site | mail-attachment.googleusercontent.com |
| port | Port of the source web site | 443 |
| path | Source path of the web site | /attachment/u/0/ |
| query | Source query of the downloaded file | ui=2&ik=9f0c44d8c2&view=att&th=1489b4c8d5929ac4&attid=0.1&disp=safe&realattid=f_i0d86brx0&zw&saduie=AG9B_P_EV24vE6QEP8oX6jRL1kF-&sadet=1411404392213&sads=M8j4UFPeIEoD7EnKT_iP5IFQspk |


Log Type: UPLOAD

Upload logs contain information about users' file upload activity and the uploaded files.

| Field Name | Definition | Sample Result |
| --- | --- | --- |
| client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
| bytes | Uploaded file size in bytes | 4403457 |
| target | Path of the temporary transfer destination on Authentic8 server | /tmp/upload-0/37a9be56c22de501a6fee0d6bd70cf26-Logs.txt |
| contentType | Data type of the uploaded file | image/png |
| hash | SHA-256 hash of the file in hex | c7ebfeb1a6431d34e19561c0e50cc41d262d17ab180800703ad2a65a29643c72 |
| url | Destination of the uploaded file | https://mail.google.com/mail/u/0/?ui=2&ik=9f0c44d8c2&view=up&fcid=i0d86bs2dkg5&rt=j&act=fup&oauth=AG9B_P_EV24vE6QEP8oX6jRL1kF-%7Cb54078f6cd20dc2a&attid=f_i0d86brx0 |
| username | The login name of the user who initiated the session | siloadminuser |
| create_ts | The floating point UNIX Epoch time the log entry was created | 1411408790.093198 |
| org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
| seq_id | Sequence number of log entry | 12625195 |
| session_id | An opaque string that identifies the user's Authentic8 session | f9567c931b7dc6a4e5299e8c862011fe |
| type | "UPLOAD" log entries record the information about the file uploaded | UPLOAD |
| scheme | The protocol specifier of the destination site | https |
| domain | The domain of the web site file uploaded to | mail.google.com |
| port | Port of the source web site | 443 |
| path | Source path of the web site | /attachment/u/0/ |
| query | Source query of the uploaded file | ui=2&ik=9f0c44d8c2&view=up&fcid=i0d86bs2dkg5&rt=j&act=fup&oauth=AG9B_P_EV24vE6QEP8oX6jRL1kF-%7Cb54078f6cd20dc2a&attid=f_i0d86brx0 |


Log Type: SESSION

Session logs contain detailed information about user sessions for all product types (Silo and Toolbox).

| Field Name | Definition | Sample Result |
| --- | --- | --- |
| client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
| client_machine_name | Name of user's logon device retrieved from machine factors (if a user has obscured machine factors, the obscured name will be shown) | MacBook Pro |
| create_ts | The floating point UNIX Epoch time the log entry was created | 1411568275.720287 |
| egress_ip | IP address of the egress | 179.48.248.22 |
| egress_location | Region identifier for egress | Costa Rica (cr) |
| execution_location | Region identifier for the Toolbox as an App session | Singapore (sg) |
| execution_server_ip | IP address of the server hosting the session | 119.81.23.187 |
| execution_server_name | Hostname of the server hosting the Toolbox as an App session | app-sng-54.authentic8.com |
| org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
| seq_id | Sequence number of log entry | 12630308 |
| session_end_time | UNIX Epoch time of session end | 1411568275 |
| session_id | An opaque string that identifies the user's Authentic8 session | bd1dfccc8b4c98c79085d78b0aab96e6 |
| session_start_time | UNIX Epoch time of session start | 1411567938 |
| session_type | Type of sessions logged | Silo; Toolbox |
| type | "SESSION" log entries record the information about the session | SESSION |
| user_id | The opaque string identifier of the Authentic8 user | dbc9c3e7c5c8cd4252f8b15b3d73f562 |
| user_type | Indicator of standard user or administrator | admin |
| username | The login name of the user who initiated the session | siloadminuser |
| primary_session_id | Unique identifier of the Authentic8 session. If this is not null, the log entry was made in a subsession, so this identifies the primary session. This would typically be non-null in a Toolbox as an App subsession. | "primary_session_id": "bd1dfccc8b4c98c79085d78b0aab96e6"; Toolbox as an App session "session_id": "bd1dfccc8b4c98c79085d78b0aab96e6:1" |


Log Type: AUTH

Authentication logs contain entries for users' authentication attempts, such as PIN authentication, OOB (out of band), and reset (user login with a temporary password).

| Field Name | Definition | Sample Result |
| --- | --- | --- |
| action | Type of authentication actions | PIN Auth; PIC Auth (grandfathered authentication method for users created prior since early 2013); SAML Auth |
| client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
| create_ts | The floating point UNIX Epoch time the log entry was created | 1411567747.400867 |
| org_id | The opaque string identifier of the Authentic8 org the user is in | 4a6ca40fc47ab8655f85b4cc6d6139e0 |
| reason | Any available detail reason for authentication action results | Incorrect credentials; "Signature data missing" |
| result | Result of authentication actions | success; failure |
| seq_id | Sequence number of log entry | 23686753 |
| session_id | An opaque string that identifies the user's Authentic8 session | ec3d9b11ff7eb00d6f55f773ba057583 |
| type | "AUTH" log entries for various authentication attempts, results, reasons | AUTH |
| user_id | The opaque string identifier of the Authentic8 user | a62f8860f76650380e09d366557e3751 |
| username | The login name of the user who initiated the session | siloadminuser |


Summary details of authentication actions and results:

| Action | Result | Reason |
| --- | --- | --- |
| PIN Auth | success | |
| | failure | Incorrect credentials |
| | failure | Booted after three failed attempts |
| | failure | Locked out after three login failures over two consecutive sessions |
| SAML Auth | success | |
| | failure | Signature expired |
| | failure | Signature invalid |
| | failure | Signature data missing |
| OOB (out of band) | success | |
| | failure | Incorrect OOB code |
| | failure | Phone modification disabled after three failed attempts |
| | failure | Unable to send code, incorrect phone number: 9999999999 |
| Reset (user login using temporary password) | success | |
| | failure | Invalid reset code |
| | failure | Booting user after three failed attempts |
| | failure | Locked out after three reset code failures over two consecutive sessions |
| New User Create PIN | success | Created new pin code |
| User changed PIN | success | Changed pin code |
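
The following added example (not Authentic8 code) shows one way to triage AUTH entries using the `result` and `reason` values from the summary table above: it reports booted or locked-out users and bursts of other failures per username. It assumes entries arrive as one JSON object per line with the field names documented above; the sample entries, the 300-second window and the threshold of three are constructed for illustration.

```python
import json
from collections import defaultdict

# Failure reasons from the summary table that mean the user was booted or locked out.
LOCKOUT_PREFIXES = ("Booted after", "Booting user after", "Locked out after",
                    "Phone modification disabled after")

def _row(ts, user, ip, action, result, reason=None):
    """Serialize one constructed AUTH entry using the documented field names."""
    return json.dumps({"type": "AUTH", "create_ts": ts, "username": user,
                       "client_ip": ip, "action": action, "result": result,
                       "reason": reason})

# Constructed sample input (not real log data); includes noise to be skipped.
SAMPLE_LINES = [
    _row(1411567700.0, "bob", "203.0.113.10", "PIN Auth", "failure", "Incorrect credentials"),
    _row(1411567710.0, "bob", "203.0.113.10", "PIN Auth", "failure", "Incorrect credentials"),
    _row(1411567720.0, "bob", "203.0.113.10", "PIN Auth", "failure",
         "Booted after three failed attempts"),
    _row(1411567730.0, "carol", "198.51.100.7", "SAML Auth", "failure", "Signature expired"),
    _row(1411567740.0, "carol", "198.51.100.7", "SAML Auth", "failure", "Signature invalid"),
    _row(1411567750.0, "carol", "198.51.100.7", "SAML Auth", "failure", "Signature data missing"),
    '{"type": "URL", "create_ts": 1411567755.0, "username": "carol"}',
    "truncated-or-corrupt line",
    _row(1411567760.0, "dave", "198.51.100.9", "PIN Auth", "success"),
    _row(1411568800.0, "erin", "198.51.100.9", "PIN Auth", "failure", "Incorrect credentials"),
]

def parse_auth(lines):
    """Keep only well-formed AUTH entries, ordered by create_ts."""
    entries = []
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # skip lines that are not valid JSON
        if isinstance(entry, dict) and entry.get("type") == "AUTH":
            entries.append(entry)
    return sorted(entries, key=lambda e: float(e["create_ts"]))

def triage(entries, window=300.0, threshold=3):
    """Return (kind, username, client_ip, detail) tuples in time order.

    Failures are grouped by username rather than client_ip because client_ip
    is frequently a shared NAT address.
    """
    findings = []
    recent = defaultdict(list)  # username -> timestamps of recent failures
    for entry in entries:
        if entry.get("result") != "failure":
            continue
        user, ip = entry.get("username"), entry.get("client_ip")
        ts = float(entry["create_ts"])
        reason = entry.get("reason") or ""
        if reason.startswith(LOCKOUT_PREFIXES):
            findings.append(("lockout", user, ip, reason))
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        if len(recent[user]) == threshold:
            findings.append(("burst", user, ip, f"{threshold} failures in {window:.0f}s"))
    return findings

def run_sample():
    return triage(parse_auth(SAMPLE_LINES))

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```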


Log Type: ADMIN_AUDIT

Admin Audit logs record all changes made by administrators within the Silo Admin Console.
The data logged includes:
  • Who made the change (username) 
  • When the change was made (timestamp) 
  • What was changed (including before and after values)   

Notes:
  • Credential changes will be tracked and listed but actual data will NOT be logged. 
  • Admin Audit logs usually carry one of four audit_type values for the recorded Admin change: "USER", "WEB_APP", "POLICY" or "ORG".

| Field Name | Definition | Sample Result |
| --- | --- | --- |
| admin_fullname | Full Name of Admin who made the changes | Silo Admin |
| audit_type | Type of changes made | POLICY |
| create_ts | The floating point UNIX Epoch time the log entry was created | 1411623446.621668 |
| message | Any Admin executed action details | Changed org name from \"Untitled Org\" to \"test\" |
| org_id | The opaque string identifier of the Authentic8 org | 4a6ca40fc47ab8655f85b4cc6d6139e0 |
| org_name | Name of the Org for Admin changes made | Admin Org |
| seq_id | Sequence number of log entry | 23691402 |
| source | Source of Admin changes made | Admin Console |
| type | "ADMIN_AUDIT" log entries record of Admin actions | ADMIN_AUDIT |
| username | The login name of the Admin who made the changes | siloadminuser |
| old_values | Value before change | "email": "user@email.com" |
| new_values | Value after change | "email": "user@new-email.com" |

Log Type: ENC

The Encrypted Logs policy setting and key(s) are managed within the Silo Admin Console. These will be asymmetric keys; Authentic8 holds the "public" part, while the customer retains the portion required to decrypt.

| Field Name | Definition | Sample Result |
| --- | --- | --- |
| enc | Payload of encrypted logs | base64 encoded encrypted serialized JSON object |
| key_name | Name of Asymmetric Key used to encrypt symmetric key | "My public key" |
| create_ts | The floating point UNIX Epoch time the log entry was created | 1411623446.621668 |
| org_id | The opaque string identifier of the Authentic8 org | 4a6ca40fc47ab8655f85b4cc6d6139e0 |
| org_name | Name of the Org where users are in | Admin Org |
| seq_id | Sequence number of log entry | 23691402 |
| type | "ENC" encrypted logs, which can only be decrypted by the customer with the private key | ENC |


Log Type: COOKIES

Cookie data is part of a normal URL request, but the data is considered sensitive. URLs are always logged, but the sensitive data is only logged when Encrypted Logs policy is Enabled and, therefore, is only present in decrypted logs.

| Field Name | Definition | Sample Result |
| --- | --- | --- |
| client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
| create_ts | The floating point UNIX Epoch time the log entry was created | 1411481216.764143 |
| data | Cookie data log entries | actual data blob |
| domain | The domain name of the URL | "example.com" in "https://example.com:81/path?p=v" |
| method | HTTP request method | GET, POST |
| org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
| path | The path of the URL | "/path" in "https://example.com:81/path?p=v" |
| port | The port of the URL | "81" in "https://example.com:81/path?p=v". If port would have been 80 or 443, this is null. |
| response_code | The HTTP response code from the website | usually 200 |
| scheme | The protocol specifier in a URL | usually "http" or "https" |
| seq_id | Sequence number of log entry | 12627567 |
| session_id | An opaque string that identifies the user's Authentic8 session | f1b3310c0422f847446fe7661d896c6a |
| type | "COOKIES" log entries record of cookie data | COOKIES |
| url | Web site address | https://login.example.com/ |
| username | The login name of the user who initiated the session | siloadminuser |

Log Type: POST DATA

Post data (form posts only) is sensitive, so it is only logged when Encrypted Logs is Enabled. It may or may not map to a URL entry. The post method specifies a destination, but the response page is usually different than the target of the post. Not all form posts result in a traditional post, and Silo does not gather all xhr posts because this would result in a large amount of useless data.

| Field Name | Definition | Sample Result |
| --- | --- | --- |
| client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
| create_ts | The floating point UNIX Epoch time the log entry was created | 1411481216.764143 |
| data | Post Data log entries | actual data blob |
| domain | The domain name of the URL | "example.com" in "https://example.com:81/path?p=v" |
| org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
| path | The path of the URL | "/path" in "https://example.com:81/path?p=v" |
| port | The port of the URL | "81" in "https://example.com:81/path?p=v". If port would have been 80 or 443, this is null. |
| query | The query of the URL | "p=v" in "https://example.com:81/path?p=v" |
| scheme | The protocol specifier in a URL | usually "http" or "https" |
| seq_id | Sequence number of log entry | 12627567 |
| session_id | An opaque string that identifies the user's Authentic8 session | f1b3310c0422f847446fe7661d896c6a |
| type | "POST DATA" log entries record of form post details | POST DATA |
| url | Web site address | https://login.example.com/ |
| username | The login name of the user who initiated the session | siloadminuser |


Log Type: LOCATION CHANGE

Location change data tracks the changes to the address in the location bar (URL bar). Sites accessed via Google search queries are tracked as well.

| Field Name | Definition | Sample Result |
| --- | --- | --- |
| client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
| create_ts | The floating point UNIX Epoch time the log entry was created | 1411481216.764143 |
| user_id | The opaque string identifier of the Authentic8 user | db51b9038ddc66641381c4628bcb8ee1 |
| domain | The domain name of the URL | www.google.com |
| org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
| path | The path of the URL | /maps/search/news/@34.736297,-84.007953,5z/data=!3m1!4b1 |
| port | The port of the URL | 80 or 443 |
| query | The query of the URL | gws_rd=ssl#q=cats |
| scheme | The protocol specifier in a URL | usually "http" or "https" |
| seq_id | Sequence number of log entry | 12988378 |
| session_id | An opaque string that identifies the user's Authentic8 session | c516a4417c72673478dea4186ea6d35e |
| type | "LOCATION CHANGE" log entries record of web address changes | LOCATION CHANGE |
| url | Web site address | https://www.google.com/?gws_rd=ssl#q=cats |
| username | The login name of the user who initiated the session | siloadminuser |


Log Type: BLOCKED URL

Blocked URL data tracks access to sites/domains that was prevented by Category or Domain Filtering policies.

| Field Name | Definition | Sample Result |
| --- | --- | --- |
| client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 50.247.80.185 |
| create_ts | The floating point UNIX Epoch time the log entry was created | 1411481216.764143 |
| user_id | The opaque string identifier of the Authentic8 user | db51b9038ddc66641381c4628bcb8ee1 |
| domain | The domain name of the URL | www.google.com |
| org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
| path | The path of the URL | /maps/search/news/@34.736297,-84.007953,5z/data=!3m1!4b1 |
| port | The port of the URL | 80 or 443 |
| scheme | The protocol specifier in a URL | usually "http" or "https" |
| seq_id | Sequence number of log entry | 12988378 |
| session_id | An opaque string that identifies the user's Authentic8 session | c516a4417c72673478dea4186ea6d35e |
| type | "BLOCKED URL" log entries record access to sites/domains prevented by Category or Domain Filtering policies | BLOCKED URL |
| url | Web site address | https://www.google.com/?gws_rd=ssl#q=cats |
| username | The login name of the user who initiated the session | siloadminuser |
| reject_type | The policy reason access was prevented | "url black list" or "category" |
| micro_category | Specific filtering category reason | Social Networking |
| macro_category | General filtering category name | Productivity Drains |


Log Type: TRANSLATION

Translation logs track information about pages/content translated within Silo & Toolbox sessions.

| Field Name | Definition | Sample Result |
| --- | --- | --- |
| client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | 69.181.241.203 |
| create_ts | The floating point UNIX Epoch time the log entry was created | 1427175692.787294 |
| length | Number of characters translated | 28283 |
| service | Translation service/api used | "GOOGLE" |
| org_id | The opaque string identifier of the Authentic8 org the user is in | 64bb2da94d49648b75e3b3b82338086e |
| source | Source language translated from | null or "English" etc |
| target | Destination language translated to | null or "Chinese (Traditional)" etc |
| translation_type | Type of translation processed | "selection", "ad hoc" or "full_page" |
| seq_id | Sequence number of log entry | 24744695 |
| session_id | An opaque string that identifies the user's Authentic8 session | 20d33f188fe56351dd451d7819da2681 |
| type | "TRANSLATION" log entries record the contents translated | TRANSLATION |
| url | Web site address OR empty for text selection | http://www.cnbc.com/id/102528156 |
| username | The login name of the user who initiated the session | siloadminuser |


Log Type: A8SS

A8SS logs contain information about activities and files in Secure Cloud Storage.

| Field Name | Definition | Sample Result |
| --- | --- | --- |
| action | File action performed | Values can be: "create bucket", "create directory", "create file", "delete directory", "delete file", "download to client machine", "move directory", "move file", "rename file", "update file", "upload from client machine" |
| bucket_id | The internal bucket ID where the action was performed | "5113d1da4e4d0c523b170310341b7415" |
| client_ip | IP address of the Silo client which originated the request | "98.138.253.109" |
| content_type | The file type | "image/tiff" |
| create_ts | Timestamp of the create time of the file | 1436215447.527693 |
| create_user | The internal user ID who created the file | "d0dd8b47b28057322925v428d9d07a58" |
| file_id | The unique internal file ID | "3b94ae0ebcdc7e926ddddcddfd8cf18c" |
| file_size | Size of the file in bytes | 1002365 |
| name | The regular name of the file | "TestFile.tiff" |
| new_name | Name file was renamed to | "TestFile_renamed.tiff" |
| org_id | The internal org ID | "4ca51853dcfef8c08a4bbbf168af7f3e" |
| seq_id | Log entry sequence ID | 13382766 |
| session_id | An opaque string that identifies the user's Authentic8 session | "f1b3310c0422f847446fe7661d896c6a" |
| type | Log type | A8SS |
| uploading_until | Indication of file save status. If a file save action is complete, this field will be 'Null'; if the file is currently being written or is in some incomplete state, you will see a time stamp. | "2015-07-06 21:00:26" or 'Null' |
| user_id | The opaque string identifier of the Authentic8 user | "c8cd4252f8b15bdbc9c3e7c53d73f562" |
| username | The login name of the user who initiated the session | siloadminuser |


Log Type: PRINT

PRINT logs contain information about printing activities.

| Field Name | Definition | Sample Result |
| --- | --- | --- |
| client_ip | IP address of the Silo client which originated the request | "98.138.253.109" |
| mime_type | The file mime type | "text/html" |
| create_ts | Timestamp of the create time of the file | 1436215447.527693 |
| org_id | The internal org ID | "4ca51853dcfef8c08a4bbbf168af7f3e" |
| seq_id | Log entry sequence ID | 13382766 |
| session_id | An opaque string that identifies the user's Authentic8 session | "f1b3310c0422f847446fe7661d896c6a" |
| type | Log type | PRINT |
| username | The login name of the user who initiated the session | siloadminuser |
| url | Web site address | https://login.example.com/ |
| domain | The domain name of the URL | "example.com" in "https://example.com:81/path?p=v" |
| path | The path of the URL | "/path" in "https://example.com:81/path?p=v" |
| path | The operation performed | "direct print" |
| scheme | The protocol specifier in a URL | usually "http" or "https" |
| port | The port of the URL | "81" in "https://example.com:81/path?p=v". If port would have been 80 or 443, this is null. |

Log Type: EXPLOIT

Exploit logs contain information about malicious files detected when files are scanned before being downloaded to the user's device.

| Field Name | Definition | Sample Result |
| --- | --- | --- |
| origin | Unused at this time. | N/A |
| delivered | The file delivered to user | false |
| client_ip | The IP address of the user's machine as seen by Authentic8's servers. This is frequently the NAT address of the network rather than the actual IP of the user's machine. | "98.138.253.089" |
| user_id | User's unique identification (alpha-numeric) | dbc9c3e7c5c8cd4252f8b15b3d73f562 |
| seq_id | Sequence number of log entry | "40f33f186fe56351dd451d7819db2681" |
| filetype | The type of file | "CL_TYPE_TEXT_ASCII" |
| org_id | The internal org ID | "5db51853edgff8c08a4bbbf168af7f3e" |
| exploit_name | The name of the malicious file | "Eicar-Test-Signature" |
| session_id | An opaque string that identifies the user's Authentic8 session | 20c33d188fd56351cc451d7819cb2681 |
| filename | The name of the file to download | "eicar.com test" |
| username | The login name of the user who initiated the session | "siloadminuser" |
| create_ts | The floating point UNIX Epoch time the log entry was created | 1427175692.787294 |
| type | Type of log | EXPLOIT |
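
As an added example (not Authentic8 code), the sketch below gives each EXPLOIT entry its investigative context by joining it with the SESSION, URL and DOWNLOAD entries of the same session, using `primary_session_id` to fold subsession entries into their primary session. It assumes entries are already parsed into dictionaries with the field names documented in this guide and that `delivered` is a boolean; all sample values and the 60-second lookback are constructed.

```python
from collections import defaultdict
from datetime import datetime, timezone

def primary_session(entry):
    """Subsession entries carry primary_session_id; otherwise use session_id."""
    return entry.get("primary_session_id") or entry.get("session_id")

def exploit_context(entries, lookback=60.0):
    """For each EXPLOIT entry, report who, when, egress IP and recent URLs."""
    by_session = defaultdict(list)
    for entry in entries:
        by_session[primary_session(entry)].append(entry)

    reports = []
    for sid, rows in by_session.items():
        rows.sort(key=lambda e: float(e["create_ts"]))
        session = next((r for r in rows if r.get("type") == "SESSION"), {})
        for hit in (r for r in rows if r.get("type") == "EXPLOIT"):
            ts = float(hit["create_ts"])
            recent = [r["url"] for r in rows
                      if r.get("type") in ("URL", "DOWNLOAD")
                      and 0 <= ts - float(r["create_ts"]) <= lookback]
            reports.append({
                "session": sid,
                "username": hit.get("username"),
                "when_utc": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
                "exploit_name": hit.get("exploit_name"),
                "filename": hit.get("filename"),
                "delivered": hit.get("delivered"),
                "egress_ip": session.get("egress_ip"),
                "recent_urls": recent,
            })
    return sorted(reports, key=lambda r: r["when_utc"])

# Constructed sample entries (not real log data); "s1" and "s2" are placeholder ids.
SAMPLE = [
    {"type": "SESSION", "session_id": "s1", "primary_session_id": None,
     "username": "analyst1", "egress_ip": "192.0.2.50", "create_ts": 1427175800.0},
    {"type": "URL", "session_id": "s1", "url": "https://files.example.com/old",
     "create_ts": 1427175000.0},
    {"type": "URL", "session_id": "s1", "url": "https://files.example.com/",
     "create_ts": 1427175650.0},
    {"type": "URL", "session_id": "s1:1", "primary_session_id": "s1",
     "url": "https://files.example.com/tools", "create_ts": 1427175680.0},
    {"type": "DOWNLOAD", "session_id": "s1",
     "url": "https://files.example.com/eicar.com", "create_ts": 1427175690.0},
    {"type": "EXPLOIT", "session_id": "s1", "username": "analyst1",
     "exploit_name": "Eicar-Test-Signature", "filename": "eicar.com",
     "delivered": False, "create_ts": 1427175692.0},
    {"type": "URL", "session_id": "s2", "url": "https://news.example.org/",
     "create_ts": 1427175691.0},
]

def run_sample():
    return exploit_context(SAMPLE)

if __name__ == "__main__":
    for report in run_sample():
        print(report)
```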