Detailed Network Event Schema

Twingate exports network events in CSV format. Each network flow is represented as a single line, regardless of the duration or amount of data transferred during the connection. Only completed flows are reported. Details of the event columns are below:

  • start_time: the beginning of the network communication
  • end_time: the end of the network communication, will be empty if an error occurred
  • user: the email address of the user initiating the communication
  • user_id: a numerical unique ID for the user
  • device_id: a unique identifier for the device used to connect
  • client_ip: the public IPv4 IP of the client initiating the connection
  • connector: the name of the Connector the communication went through
  • connector_id: a numerical unique ID for the Connector
  • resource_ip: the IP of the Resource that the user connected to, will be empty if a DNS error occurred
  • resource_port: the port that is being connected to on the Resource
  • resource_domain: the FQDN of the Resource, will be empty if connection was direct to IP
  • resource_id: a numerical unique ID of the Resource, as defined in Twingate (e.g., if *.twingate.com is the defined Resource, any connections to twingate.com domains will have the same Resource ID
  • protocol: the protocol used for the connection, can be tcp, udp, or icmp
  • status: can be DNS_ERROR if the domain can’t be resolved or CONNECTION_FAILED if a connection could not be established, otherwise will be NORMAL
  • bytes_transferred: cumulative number of bytes transferred during the connection, will be empty if an error occurred
  • bytes_received: cumulative number of bytes received during the connection, will be empty if an error occurred
  • remote_network: the name defined in Twingate of the Remote Network that the Resource belongs to
  • remote_network_id: a numerical unique ID for the Remote Network
  • applied_rule: the name of the Resource that Twingate used to connect, as defined in Twingate (e.g., if *.twingate.com is a Resource and the connection is to foo.twingate.com, this field will be *.twingate.com
  • relays: an identifier for the Relay that the connection flowed through
  • relay_ips: the IP of the Relay that was used
  • relay_ports: the port of the Relay that was used

Last updated 8 hours ago