Gateway log contents
Event logs consist of a series of keys and values.
- The first several fields comprise the Log header—basic information about the event, including the timestamp and details about the gateway.
- The last section is the Log message, which may be a simple message describing the event, or a JavaScript Object Notation (JSON) object with more details about the session, user, device, and app. These log fields are described in the next sections.
Log header
Examples
BASH
Nov 11 2021 22:24:37 tilera3 Mocana: [INTFMGR], SubCls:999, EID: 658120114,
Type: General, Sev:Informational,
Removing tunnel interface vt1 with address 10.24.0.51
Nov 11 2021 22:24:37 tilera3 Mocana: [IKE], SubCls:050, EID: 0,
Type: General, Sev:Informational, 10.42.18.20
Nov 11 2021 22:24:37 tilera3 Mocana: [AAA] SubCls:ACCT, EID: 0,
Type: Acct, Sev:Informational,
Session STOP {"sessionId":{"username":"jlennon","duration":"7 minutes 17 seconds","durationSeconds":437,
"device":{"osType":"ios","deviceName":"JLennon’s iPhone", "hardware":"iPhone8,2","version":"9.1",
"carrierName":"T-Mobile","mobileCountryCode":"310","mobileNetworkCode":"260", "uniqueId":"06736CC0-E65A-4E9C-A139-4C5J5D1C1F87","jailbroken":false},
"app":{"assignedIp":"10.42.5.30","publicSrcIp": "108.99.99.25","federation":"", "appName":"","appPackageId":"com.sid.singleAPITester",
"appVersion":"1","appUuid":"4CDAB17F-D950-4750-A59A-25221D6E908B","appGsid":2109085776,"packetsRx":607,
"bytesRx":648674,"packetsTx":335,"bytesTx":21297}}}
Nov 11 2021 22:24:37 tilera3 Mocana: [AAA], SubCls:999, EID: 0,
Type: General, Sev:Warning,
Received unexpected accounting STOP signal for handle 0x295923e0b100| Field | Description |
|---|---|
| Timestamp | Timestamp of the log event, in format Mon D HH:MM:SS |
| Atlas name | Name of the gateway |
| Mocana: [component] | Which gateway subsystem generated the log. Possible values:
|
| SubCls:nnn | The gateway also provides subclasses for logging. Subclasses enable you to examine a subset of the log messages that you are interested in. A subclass uses the same target as the parent log class. For more information about using subclasses, contact Blue Cedar Technical Support |
| EID: | Generally not used (=0). When EID is non-zero, you can use EID to link a series of events to a particular session instance. |
| Type: |
|
| Sev:level | The severity level. Possible values, in order of decreasing severity:
|
Log message
Many of the log messages are short statements, such as an issue with a specific component or a login attempt from an unknown user. Blue Cedar Technical Support can help interpret and troubleshoot as necessary.
The following subsections describe log messages that include JSON objects:
- Link Update: Status of the ethernet port connection.
- Policy REJECT: The JSON object includes a rejection reason as well as session identification information.
- Session START: The session identification information includes details about the user, device, and app. Session START is logged when a tunnel session is connected and ready to pass traffic. See Tunnel sessions and federation sessions for more information about tunnel sessions.
- Session STOP: The session identification information includes details about the user, device, app, and session duration.
Link Update
BASH
"Link Update" {
"linkUpdate" : {
"name": "ethernet0",
"status": "up"
}
}| Name | Description |
|---|---|
| name | Name of the port:
|
| status | "up" if the link is connected, otherwise "down". |
Policy REJECT
BASH
Oct 22 2021 13:31:13.664259: [AAA]
Policy REJECT {"reason":"Attempting login with jailbroken device",
"sessionId":{"username":"jruser",
"device":{"osType":"android",
"hardware":"x86_64",
"version":"#1 SMP Tue Sep 15 15:05:51 UTC 2021",
"carrierName":"zeterminal",
"mobileCountryCode":"508",
"mobileNetworkCode":"805",
"uniqueId":"00:00:00:00:00:03",
"jailbroken":true},
"app":{"assignedIp":"",
"publicSrcIp": "", "federation":"com.mocana.map.federation.FEDDEFAULT",
"appName":"PromCLI",
"appPackageId":"com.mocana.promcli",
"appVersion":"1.0",
"appUuid":"58C4EFBE-DA93-4FD7-9E74-F0A568DDAAAA",
"appGsid":0}}}| Reason | Notes |
|---|---|
| Attempting login with a jailbroken device | A user is attempting to log in with a jailbroken device, but does not have privileges to do so. See Allowing compromised devices and apps to access the gateway to change the default behavior. |
| Invalid or malformed MAC address | The MAC address is zeroes or an otherwise malformed entry. |
| Device failed validation | The device can't be validated externally (with the MDM server). Alternately, the MDM server may send a different message which gets reported here. When failed external validation is the rejection reason, the JSON structure also includes a "remediation:" entry, which may be the default remediation message from the gateway, or a message from the MDM server. See Securing MDM-managed devices with the gateway for more details about external validation and remediation strings. |
| Disallowed due to post-auth policy | The post-auth policy rules don't allow a session to connect based on session attributes. See Managing dynamic app policies. |
Session START
BASH
Oct 2 13:45:35 tilera3 Mocana: [AAA], SubCls:ACCT, EID: 0, Type: Acct, Sev:Informational,
Session START {"sessionId":{"username":"jruser",
"device":{"osType":"ios",
"deviceName":"Platinum series I",
"hardware":"iWatch1,0",
"version":"1.0.0",
"carrierName":"Verizon Wireless",
"mobileCountryCode":"310",
"mobileNetworkCode":"012",
"uniqueId":"9226B414-93B5-451E-8440-086D715DIIII",
"jailbroken":false},
"app":{"assignedIp":"10.24.0.51",
"publicSrcIp": "108.99.99.25",
"federation":"com.mocana.map.federation.FED1",
"appName":"PromCLI",
"appPackageId":"com.mocana.promcli",
"appVersion":"1.0",
"appUuid":"58C4EFBE-DA93-4FD7-9E74-F0A568DDIIII",
"appGsid":2572815711}}}sessionId: The session identification object includes details for the user, device, and app.
- username
- device
Name Description osType iOS or Android hardware String identifier of the device hardware. On Android, typically of the form manufacturer plus phone name, for example, "HTC One m8." On iOS, an iOS hardware code. version Version of the operating system. securityPatchVersion Android only. The security update level of the Android release. carrierName Name of the carrier, for example, Verizon Wireless. mobileCountryCode Country code bound to the device's SIM/telephony info, for example, 310 for US. mobileNetworkCode Network operator code bound to the device's SIM/telephony info, for example, 030 for AT&T. See https://en.wikipedia.org/wiki/Mobile_country_code for both mobile country codes and mobile network codes. uniqueId A semi-opaque identifier. One of the device MAC or iOS Advertising ID, varying based on device and OS version jailbroken Boolean. Whether the device has been jailbroken or not.
app
Name Description assignedIp Private-side IP address assigned to the app by the gateway. publicSrcIp Public source IP address of the client when establishing an IKE connection. federation Identifier for a common federation ID, from a gateway policy server. appName Name of the app. appPackageId Cross-platform unique identifier for the app. For example, "com.company.appname". appVersion Version of the app. appUuid Unique ID for the app. Set only on iOS. appGsid Global Session ID (GSID) assigned to the app's current session by the gateway.
Session STOP
BASH
Oct 2 13:42:50 tilera3 Mocana: [AAA], SubCls:ACCT, EID: 0, Type: Acct, Sev:Informational,
Session STOP {"sessionId":{"username":"jruser",
"duration":"49 seconds",
"durationSeconds":49,
"device":{"osType":"android",
"hardware":"x86_64",
"version":"9",
"securityPatchVersion":"2019-06-05",
"carrierName":"zeterminal",
"mobileCountryCode":"508",
"mobileNetworkCode":"805",
"uniqueId":"00:00:00:00:00:03",
"jailbroken":false},
"app":{"assignedIp":"10.24.0.51",
"publicSrcIp": "108.99.99.25",
"federation":"com.mocana.map.federation.FEDDEFAULT",
"appName":"PromCLI",
"appPackageId":"com.mocana.promcli",
"appVersion":"1.0",
"appUuid":"58C4EFBE-DA93-4FD7-9E74-F0A568DDAAAA",
"appGsid":658120114,
"packetsRx":0,
"bytesRx":0,
"packetsTx":0,
"bytesTx":0}}}sessionId: The session identification object includes session duration details as well as details for the user, device, and app.
- username
- duration
- durationSeconds:
- device
Name Description osType iOS or Android hardware String identifier of the device hardware. On Android, typically of the form manufacturer plus phone name, for example, "HTC One m8." On iOS, an iOS hardware code. version Version of the operating system securityPatchVersion Android only. The security update level of the Android release. carrierName Name of the carrier, for example, Verizon Wireless. mobileCountryCode Country code bound to the device's SIM/telephony info, for example, 310 for US. mobileNetworkCode Network operator code bound to the device's SIM/telephony info, for example, 030 for AT&T. See https://en.wikipedia.org/wiki/Mobile_country_code for both mobile country codes and mobile network codes. uniqueId A semi-opaque identifier. One of the device MAC or iOS Advertising ID, varying based on device and OS version jailbroken Boolean. Whether the device has been jailbroken or not.
app
Name Description assignedIp Private-side IP address assigned to the app by the gateway. publicSrcIp Public source IP address of the client when establishing an IKE connection. federation Identifier for a common federation ID, from a gateway policy server. appName Name of the app. appPackageId Cross-platform unique identifier for the app. For example, "com.company.appname". appVersion Version of the app. appUuid Unique ID for the app. Set only on iOS. appGsid Global Session ID (GSID) assigned to the app's current session by the gateway. packetsRx Number of packets received by the gateway from the app bytesRx Number of bytes received by the gateway from the app packetsTx Number of packets sent by the gateway to the app bytesTx Number of bytes sent by the gateway to the app acceptedEula Whether the app user agreed to the End User License Agreement.