Analyzing Network Traffic
Twingate allows customers to view and export network activity on their remote networks. This can be useful for troubleshooting or investigatory purposes. Note that the only network activity that will be exported is traffic that flows through Connectors you have deployed. As Twingate is not a traditional VPN, it does not see other user traffic, which flows directly to the Internet.
Twingate provides two ways to view and export network traffic that flows through Connectors that you have deployed on your network:
- Manually exporting network traffic via the Admin console
- Real-time connection logging, output directly by the Connector process
-> Real-time connection logging configuration and output is described in Real-time Connection Logs
Network traffic can be viewed on either an individual User or Resource page.
This view will show recent network traffic associated with this User or Resource. When clicking into a specific event, customers can see more details about the event. These additional details include the Resource IP address, protocol, connection type, and duration.
To create an export:
The time range will use your local timezone, even though the export itself will have timestamps in UTC. The time used is the end time of the connection, regardless of when the connection began. Remote Networks will default to all.
Most exports will only take a few minutes, though very large ones could take a few hours.
-> View details about the schema we use to export events
How to view the export
Exports are created in GZIP format. You can use most free compression tools to decompress. After decompression,
we recommend you rename the file by adding
.csv to the filename, which will make it easier to open in a spreadsheet
If you are using Safari and the file appears to be empty, we recommend Safari’s automatic unpack feature. To do this, navigate to Safari > Preferences > General and uncheck the “Open ‘Safe’ files after downloading” option.
Where is the IP of the client? This is currently not shown and will be added in a future update.
Why don’t I see access denied events? Due to the zero trust method Twingate uses, there is no way to distinguish between being denied access to a Resource and said Resource not existing at all, because the client only knows about Resources it has permissions to access. We are looking into how to address this in the future.
How long are events retained for? Twingate retains analytics data for the life of the account.
Last updated 2 months ago