Detailed Network Event Schemas
Network Events Report
Network events downloaded from the Admin Console are exported in CSV format. Each network event is represented as a single line, regardless of the duration or amount of data transferred during the connection. Established connections are only reported once they have been completed.
CSV columns are below:
start_time
: the beginning of the network communicationend_time
: the end of the network communication, will be empty if an error occurreduser
: the email address of the user initiating the communicationuser_id
: a numerical unique ID for the userdevice_id
: a unique identifier for the device used to connectclient_ip
: the public IPv4 IP of the client initiating the connectionconnector
: the name of the Connector the communication went throughconnector_id
: a numerical unique ID for the Connectorresource_ip
: the IP of the Resource that the user connected to, will be empty if a DNS error occurredresource_port
: the port that is being connected to on the Resourceresource_domain
: the FQDN of the Resource, will be empty if connection was direct to IPresource_id
: a numerical unique ID of the Resource, as defined in Twingate (e.g., if*.twingate.com
is the defined Resource, any connections totwingate.com
domains will have the same Resource IDprotocol
: the protocol used for the connection, can betcp
,udp
, oricmp
status
: can beDNS_ERROR
if the domain can’t be resolved orCONNECTION_FAILED
if a connection could not be established, otherwise will beNORMAL
bytes_transferred
: cumulative number of bytes transferred during the connection, will be empty if an error occurredbytes_received
: cumulative number of bytes received during the connection, will be empty if an error occurredremote_network
: the name defined in Twingate of the Remote Network that the Resource belongs toremote_network_id
: a numerical unique ID for the Remote Networkapplied_rule
: the name of the Resource that Twingate used to connect, as defined in Twingate (e.g., if*.twingate.com
is a Resource and the connection is tofoo.twingate.com
, this field will be*.twingate.com
relays
: an identifier for the Relay that the connection flowed throughrelay_ips
: the IP of the Relay that was usedrelay_ports
: the port of the Relay that was used
Network Events Report
Network events synced to AWS S3 buckets are exported in JSON. Each network event is represented as a single line, regardless of the duration or amount of data transferred during the connection. They come in the following format:
{ "event_type": "network", "event": { "status":"closed_connection", // Other types: "denied_access", "established_connection", "failed_to_connect", "connection":{ "client_ip": "192.0.2.0", "protocol": "tcp", "bytes_received": 512, "bytes_transferred": 512, "error_message": "String message" // Optional: Only visible when the "status" is "denied_access" or "failed_to_connect" }, "connector":{ "id":"94014", "name":"nondescript-caterpillar" }, "device":{ "id":"200903", }, "relays":[ // If the network event doesn't pass through a relay, this returns an empty list { "ip":"35.236.82.204", "name":"relaybalancer+https:\/\/relays.twingate.com", "port":30015 }, { "ip":"34.236.21.109", "name":"relaybalancer+https:\/\/relays.twingate.com", "port":30005 } ], "remote_network":{ "id": "6938", "name":"AWS Network" }, "resource":{ "address":"info.microsoft.com", "applied_rule":"*microsoft*.com", "id":"2255492", "ip":"105.27.80.216", "port":443 }, "service_account": { // Optional: Network events will either have a User or Service Account "name": "id": "key": "key_id": } "time": "2021-08-15T14:30Z", // ISO compliant date-time string, always in UTC "user":{ // Optional: Network events will either have a User or Service Account "email": "user@twingate.com", "id": "113256" }}
Last updated 9 months ago