Data Elements Reference for Cirrus Logs


Overview

Common Data Elements

Bridge Data Elements

Proxy Data Elements

One-Time Code MFA Data Elements


Overview

The following is a dictionary of data available through the Data Export of Logs and the LogAPI. Not all combinations of service, type, and subtype will report all of these data elements. Please submit a support ticket if you have any questions on these data elements.

Using the Data Export feature, when the report format is “parsed”, these elements appear as individual fields with corresponding headers in the csv file. When the report format is “raw”, these elements appear in JSON format within the logData field. 

Common Data Elements

Each downloaded log file will include the following data elements.

Data Element

Description

timestamp

The date and time of the event in UTC. 

tenant

The logical instance of the service - for example if there is a production and a UAT proxy, there will be two different tenants.

orgdomain

The organization’s domain as configured in Cirrus Identity.

orgurl

The organization’s orgURL as configured in Cirrus Identity – this will usually match what is registered with InCommon for InCommon members.

orgid

Future attribute.

service

The Cirrus Service being reported on - Event Types section.

clientip

The IP address of the browser agent accessing the service.

correlationid

An internal identifier generated by the Cirrus Identity logging infrastructure used to correlate transitions across services.

logtype

The Cirrus Type being reported on - See Event Types section

logsubtype

The Cirrus Subtype being reported on - See Event Types section

logdata

Appears when the report format is “raw”. Contains additional data elements specific to each event  - see Log Data Elements section

Bridge Data Elements

The following table is a current inventory of the logtype and logsubtype values you will find for the Cirrus Bridge.

service

logtype

logsubtype

description

bridge

authentication

request

SAML authentication requests made through the Cirrus Bridge

bridge

authentication

success

Successful SAML authentications made through the Cirrus Bridge

bridge

cas

request

CAS authentication requests made through the Cirrus Bridge

bridge

cas

login

Successful CAS authentications made through the Cirrus Bridge using the ‘login’ method

bridge

cas

validate

Successful CAS ticket validations made through the Cirrus Bridge using the ‘validate’ method

bridge

cas

serviceValidate

Successful CAS ticket validations made through the Cirrus Bridge using the ‘serviceValidate’ method

bridge

cas

samlValidate

Successful CAS ticket validations made through the Cirrus Bridge using the ‘samlValidate’ method

Proxy Data Elements

The following table is a current inventory of the logtype and logsubtype values you may find for the Cirrus Proxy.

service

logtype

logsubtype

description

gateway

authentication

request

SAML authentication requests made through the Cirrus Gateway

gateway

authentication

success

Successful SAML authentications made through the Cirrus Gateway

idp

authentication

request

SAML authentication requests made through the Cirrus OrgBrandedID

idp

authentication

success

Successful SAML authentications made through the Cirrus OrgBrandedID

proxy

authentication

request

SAML authentication requests made through the Cirrus Proxy

proxy

authentication

success

Successful SAML authentications made through the Cirrus Proxy

proxy

cas

request

CAS authentication requests made through the Cirrus Bridge

proxy

cas

login

Successful CAS authentications made through the Cirrus Bridge using the ‘login’ method

proxy

cas

validate

Successful CAS  ticket validations made through the Cirrus Bridge using the ‘validate’ method

proxy

cas

serviceValidate

Successful CAS  ticket validations made through the Cirrus Bridge using the ‘serviceValidate’ method

proxy

cas

samlValidate

Successful CAS  ticket validations made through the Cirrus Bridge using the ‘samlValidate’ method

 

One-Time Code MFA Data Elements

The following is a dictionary of data available for One-Time Code MFA log events. At this time, these events are only available through the LogAPI.

logtype

logsubtype

description

notes

emailMFA

send

A code has been sent

In logData,

count: how many times has code been sent

email: the user’s email address

idpEntityId: authentication provider

emailMFA

authenticationSuccess

User entered a valid code

In logData,

count: how many attempts it took

email: the user’s email address

idpEntityId: authentication provider

emailMFA

invalidCode

Invalid code entered

In logData,

count: how many attempts have been made

email: the user’s email address

idpEntityId: authentication provider

emailMFA

excessiveFailures

Too many incorrect attempts

In logData,

count: how many attempts have been made

email: the user’s email address

idpEntityId: authentication provider

emailMFA

noEmail

The authentication provider did not send us an email.

In logData,

idpEntityId: indicates the authentication provider

emailMFA

expiredState

The user’s session has expired

 

 

Blog comments