Export Event Logs

REV 1.1

Overview

Download the Event Log File

     Step 1 - Navigate to your organization page in the console

     Step 2 - Submit the Log File Request

Working with Event Log Files

Appendix - Data Elements

     Common Data Elements

     Event Types

     Log Data Elements

Overview

Cirrus offers two options for accessing product event logs:

• Export - On-demand download of event log information for products in your subscription.
• Stream - A subscription add-on (Cirrus Log API) for organizations who wish to stream Cirrus event log information to an enterprise log management system, such as a SIEM.

The base subscription of any Cirrus Identity service allows for self-service access to download up to 90 calendar days of logs using the Cirrus Console. This document outlines how to access those logs.

While there is some variation in the amount of time it takes for processing of logs, the processing will generally be completed and available for download within 10 minutes of the event occurring on any given Cirrus Identity Service.

The files are CSV formatted text files, with formatting options that include JSON, and can be imported into any number of applications for further analysis or reporting.

Download the Event Log File

Step 1 - Navigate to your organization page in the console

Event Logs can be downloaded by any Cirrus Console Organization Administrator. To access, first go to the “My Orgs” menu and select the appropriate organization.

Step 2 - Submit the Log File Request

Select the “Event Logs” page from the menu on the left. Before downloading, you need to provide:

1. The “Report Time Range” – this can be relative from the current date and time with a default of 1 hour. By selecting “Custom”, an absolute range can be selected. Times are in UTC and the maximum available history for download is 90 days from the current date.
2. The “Service” – this is the specific Cirrus Identity Service module to report on. Event logs are currently available for:
   1. Cirrus Proxy (proxy)
   2. Cirrus Bridge (bridge)
   3. Cirrus Gateway (gateway)
   4. Cirrus OrgBrandedID (idp)
3. The “Metric Data Format” - this indicates whether to automatically parse metric data in output CSV.
4. There is an option to include field headers in the download.

Once set, press “Submit” and you should receive feedback that the request was successfully submitted. 

The request will then show in the report requests listing at the bottom of the page. Requests are queued as part of a batch process and will show as RUNNING until it is complete and the download file is generated. To update the Request Status you will need to press the Refresh button.

Once the download is generated, you will receive an email sent to the mailbox address associated with the account you logged into the Cirrus Console with. The message will include a link to download the report. The link is only valid for 24 hours. Once the link expires, you must run the report again.

Clicking on the link or pasting the link  into a web browser will download the report. Reports are currently formatted as comma separated value (CSV) files. If there is no data in your report, then it typically indicates that there were no log events for the time selected. 

Working with Event Log Files 

The files are traditional CSV formatted text files, and can be imported into any number of applications for further analysis or reporting such as Google Sheets or Microsoft Excel.

Tips on working with the data: 

• Include column headers when importing data so that you can readily identify the fields. The appendix in this document provides a reference for the data elements.
• After importing, it would be good to name the sheet if you haven’t already done so.

Pivot Tables

One of the main ways to work with this data is by using a pivot table.

• Google: see https://support.google.com/docs/answer/1272900 for more information. To add a pivot table to the current sheet, go to the “Insert” menu and select “Pivot table”.
• Microsoft Excel: see https://support.microsoft.com/en-us/office/create-a-pivottable-to-analyze-worksheet-data-a9a84538-bfe9-40a9-a8e9-f99134456576 for more information. To add a pivot table to the current sheet, select all the data for the current sheet. Go to the “Insert” menu and select “Pivot Table” from the ribbon.

Summarizing Data with Pivot Tables

• To summarize by service providers, select the “saml_sp” field for the rows.
• To summarize by the individual Cirrus Proxy logical instances, select the “tenant” field for the columns
• To count the number of authentications, select the “user” field for the values and select “COUNTA” for the summation

Timestamps in Microsoft Excel 

The default import of Excel does not handle the formatting of the timestamp correctly. To correct, select the first column, from the “Home” ribbon, adjust the format and select “More Number Formats…”. Change the format to “Date” and “Type:” of date and 24 hour time as shown below. You should now see timestamps with both dates and times.

Appendix - Data Elements

Common Data Elements

Each downloaded log file will include the following data elements

Event Types

The following table is a current inventory of the logtype and logsubtype values you will find by service.

Log Data Elements

The following is a dictionary of additional data available. Not all combinations of service, type, and subtype will report all of these data elements. Please submit a support ticket if you have any questions on these data elements.

When the report format is “parsed”, these elements appear as as individual fields with corresponding headers in the csv file. When the report format is “raw”, these elements appear in JSON format within the logData field.