managing twingate

Quick Start

Automated Deployment

Connectors

Resources

Remote Networks

Best Practices

JIT Access Requests

Usage-based Auto-lock

Ephemeral Access

Resource Tags

Aliases

Kubernetes

Route Traffic from Kubernetes

Manage Kubernetes using kubectl

Private Resources in Kubernetes

Publicly Exposed Resources in Kubernetes

Privileged Access for Kubernetes

Team

Users

Admins

How to Offboard Users

Social Logins

Groups

Identity Providers

Entra ID Configuration

Google Workspace Configuration

JumpCloud Configuration

Keycloak Configuration

Okta Configuration

OneLogin Configuration

SCIM Provisioning API

Security Policies

Location requirements via geoblocking

Security Policies: Migration Guide

Policy Guides

Authentication

Device-only Resource Policies

Trusted Devices

Two-Factor Authentication

Devices

Client Application

Endpoint Requirements

Using Twingate

Managed Devices

Windows Client Migration to .NET 8

macOS & iOS

macOS standalone Client

Windows Managed Devices

Device Administration

1Password XAM Configuration

CrowdStrike Configuration

Device Security Posture Checks

Device Security Guide

Intune Configuration

Jamf Configuration

Kandji Configuration

Linux device ID migration

Manually Verified Devices

SentinelOne Configuration

Services

Headless Clients

Linux Headless Mode

Windows Headless Mode

CI/CD Configuration

Analytics

Network Overview

Audit Logs

Admin Console Export

Audit Logs Schema

Network Traffic

Detailed Network Event Schemas

Network Events Admin Console Export

User Activity

Device Report

Syncing Data to AWS S3

Internet Security

Browser Security

NextDNS Integration

DNS Filtering

DNS-over-HTTPS (DoH)

Internet Security Client Configuration

Exit Networks

Identity Firewall

Administration

Admin Console Security

Subscription Management

Managed Service Providers

Customer Network

MSP Billing

Cancel Your Subscription

Notifications

Troubleshooting

Device Failures

DNS Failures

Connector Failures

Firewall Failures

Split Tunnel Failures

additional resources

Help Center ↗

Need help?

Troubleshooting

Changelog

FAQ

Twingate Trust Center

Twingate & Customer Data

DORA Compliance

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

Detailed Network Event Schemas

Network Events Report

Network events downloaded from the Admin Console are exported in CSV format. Each network event is represented as a single line, regardless of the duration or amount of data transferred during the connection. Established connections are only reported once they have been completed.

CSV columns are below:

start_time: the beginning of the network communication
end_time: the end of the network communication, will be empty if an error occurred
user: the email address of the user initiating the communication
user_id: a numerical unique ID for the user
device_id: a unique identifier for the device used to connect
client_ip: the public IPv4 IP of the client initiating the connection
connector: the name of the Connector the communication went through
connector_id: a numerical unique ID for the Connector
resource_ip: the IP of the Resource that the user connected to, will be empty if a DNS error occurred
resource_port: the port that is being connected to on the Resource
resource_domain: the FQDN of the Resource, will be empty if connection was direct to IP
resource_id: a numerical unique ID of the Resource, as defined in Twingate (e.g., if *.twingate.com is the defined Resource, any connections to twingate.com domains will have the same Resource ID
protocol: the protocol used for the connection, can be tcp, udp, or icmp
status: can be DNS_ERROR if the domain can’t be resolved or CONNECTION_FAILED if a connection could not be established, otherwise will be NORMAL
bytes_transferred: cumulative number of bytes transferred during the connection, will be empty if an error occurred
bytes_received: cumulative number of bytes received during the connection, will be empty if an error occurred
remote_network: the name defined in Twingate of the Remote Network that the Resource belongs to
remote_network_id: a numerical unique ID for the Remote Network
applied_rule: the name of the Resource that Twingate used to connect, as defined in Twingate (e.g., if *.twingate.com is a Resource and the connection is to foo.twingate.com, this field will be *.twingate.com
relays: an identifier for the Relay that the connection flowed through
relay_ips: the IP of the Relay that was used
relay_ports: the port of the Relay that was used

Network Events Report

Network events synced to AWS S3 buckets are exported in JSON. Each network event is represented as a single line, regardless of the duration or amount of data transferred during the connection. They come in the following format:

{
  "event_type": "network",
  "event": {
		 "status":"closed_connection", // Other types: "denied_access", "established_connection", "failed_to_connect",
	   "connection":{
	      "client_ip": "192.0.2.0",
	      "protocol": "tcp",
				"bytes_received": 512,
				"bytes_transferred": 512,
				"error_message": "String message" // Optional: Only visible when the "status" is "denied_access" or "failed_to_connect"
	   },
	   "connector":{
	      "id":"94014",
	      "name":"nondescript-caterpillar"
	   },
	   "device":{
	      "id":"200903",
	   },
	   "relays":[ // If the network event doesn't pass through a relay, this returns an empty list
	      {
	         "ip":"35.236.82.204",
	         "name":"relaybalancer+https:\/\/relays.twingate.com",
	         "port":30015
	      },
	      {
	         "ip":"34.236.21.109",
	         "name":"relaybalancer+https:\/\/relays.twingate.com",
	         "port":30005
	      }
	   ],
	   "remote_network":{
	      "id": "6938",
	      "name":"AWS Network"
	   },
	   "resource":{
	      "address":"info.microsoft.com",
	      "applied_rule":"*microsoft*.com",
	      "id":"2255492",
				"ip":"105.27.80.216",
	      "port":443
	   },
		"service_account": { // Optional: Network events will either have a User or Service Account
				"name":
				"id":
				"key":
				"key_id":
		}
	   "time": "2021-08-15T14:30Z", // ISO compliant date-time string, always in UTC
	   "user":{ // Optional: Network events will either have a User or Service Account
	      "email": "user@twingate.com",
	      "id": "113256"
	   }
}

Last updated 2 years ago

Home

Guides

Use Cases

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

Introduction to DNS

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

How NAT Traversal Works

How to troubleshoot peer-to-peer connections

Encryption in Twingate

API

Getting Started with the API

Exploring the APIs

Introduction to the Twingate Javascript CLI

Introduction to the Twingate Python CLI

Schema

Twingate Labs ↗

managing twingate

Quick Start

Automated Deployment

Connectors

Understanding Connectors

Deploying Connectors

Aptible Deployment

AWS Deployment

Azure Deployment

Linux Deployment

GCP Deployment

K8s Helm Chart Deployment

Connector Best Practices

Updating Connectors

Docker Container Upgrades

K8s Helm Chart Upgrades

Systemd Service Upgrades

Advanced Connector Management

Connector Metrics Overview

Real-time Connection Logs

Connector Details

Connector Metadata

Supporting Unqualified Domain Names

Connector Health Checks

Deployment Automation