Twingate exports network events in CSV format. Each network flow is represented as a single line, regardless of the duration or amount of data transferred during the connection. Only completed flows are reported. Details of the event columns are below:

• start_time: the beginning of the network communication
• end_time: the end of the network communication, will be empty if an error occurred
• user: the email address of the user initiating the communication
• user_id: a numerical unique ID for the user
• device_id: a unique identifier for the device used to connect
• client_ip: the public IPv4 IP of the client initiating the connection
• connector: the name of the Connector the communication went through
• connector_id: a numerical unique ID for the Connector
• resource_ip: the IP of the Resource that the user connected to, will be empty if a DNS error occurred
• resource_port: the port that is being connected to on the Resource
• resource_domain: the FQDN of the Resource, will be empty if connection was direct to IP
• resource_id: a numerical unique ID of the Resource, as defined in Twingate (e.g., if *.twingate.com is the defined Resource, any connections to twingate.com domains will have the same Resource ID
• protocol: the protocol used for the connection, can be tcp, udp, or icmp
• status: can be DNS_ERROR if the domain can’t be resolved or CONNECTION_FAILED if a connection could not be established, otherwise will be NORMAL
• bytes_transferred: cumulative number of bytes transferred during the connection, will be empty if an error occurred
• bytes_received: cumulative number of bytes received during the connection, will be empty if an error occurred
• remote_network: the name defined in Twingate of the Remote Network that the Resource belongs to
• remote_network_id: a numerical unique ID for the Remote Network
• applied_rule: the name of the Resource that Twingate used to connect, as defined in Twingate (e.g., if *.twingate.com is a Resource and the connection is to foo.twingate.com, this field will be *.twingate.com
• relays: an identifier for the Relay that the connection flowed through
• relay_ips: the IP of the Relay that was used
• relay_ports: the port of the Relay that was used