Detailed Network Event Schemas

additional resources

Help Center ↗

Changelog

FAQ

Twingate Trust Center

GDPR Compliance

HIPAA Compliance

PCI Compliance

SOC 2 Report

Responsible Disclosure Policy

Network Events Report

Network events downloaded from the Admin Console are exported in CSV format. Each network event is represented as a single line, regardless of the duration or amount of data transferred during the connection. Established connections are only reported once they have been completed.

CSV columns are below:

start_time: the beginning of the network communication
end_time: the end of the network communication, will be empty if an error occurred
user: the email address of the user initiating the communication
user_id: a numerical unique ID for the user
device_id: a unique identifier for the device used to connect
client_ip: the public IPv4 IP of the client initiating the connection
connector: the name of the Connector the communication went through
connector_id: a numerical unique ID for the Connector
resource_ip: the IP of the Resource that the user connected to, will be empty if a DNS error occurred
resource_port: the port that is being connected to on the Resource
resource_domain: the FQDN of the Resource, will be empty if connection was direct to IP
resource_id: a numerical unique ID of the Resource, as defined in Twingate (e.g., if *.twingate.com is the defined Resource, any connections to twingate.com domains will have the same Resource ID
protocol: the protocol used for the connection, can be tcp, udp, or icmp
status: can be DNS_ERROR if the domain can’t be resolved or CONNECTION_FAILED if a connection could not be established, otherwise will be NORMAL
bytes_transferred: cumulative number of bytes transferred during the connection, will be empty if an error occurred
bytes_received: cumulative number of bytes received during the connection, will be empty if an error occurred
remote_network: the name defined in Twingate of the Remote Network that the Resource belongs to
remote_network_id: a numerical unique ID for the Remote Network
applied_rule: the name of the Resource that Twingate used to connect, as defined in Twingate (e.g., if *.twingate.com is a Resource and the connection is to foo.twingate.com, this field will be *.twingate.com
relays: an identifier for the Relay that the connection flowed through
relay_ips: the IP of the Relay that was used
relay_ports: the port of the Relay that was used

Network Events Report

Network events synced to AWS S3 buckets are exported in JSON. Each network event is represented as a single line, regardless of the duration or amount of data transferred during the connection. They come in the following format:

{
  "event_type": "network",
  "event": {
		 "status":"closed_connection", // Other types: "denied_access", "established_connection", "failed_to_connect",
	   "connection":{
	      "client_ip": "192.0.2.0",
	      "protocol": "tcp",
				"bytes_received": 512,
				"bytes_transferred": 512,
				"error_message": "String message" // Optional: Only visible when the "status" is "denied_access" or "failed_to_connect"
	   },
	   "connector":{
	      "id":"94014",
	      "name":"nondescript-caterpillar"
	   },
	   "device":{
	      "id":"200903",
	   },
	   "relays":[ // If the network event doesn't pass through a relay, this returns an empty list
	      {
	         "ip":"35.236.82.204",
	         "name":"relaybalancer+https:\/\/relays.twingate.com",
	         "port":30015
	      },
	      {
	         "ip":"34.236.21.109",
	         "name":"relaybalancer+https:\/\/relays.twingate.com",
	         "port":30005
	      }
	   ],
	   "remote_network":{
	      "id": "6938",
	      "name":"AWS Network"
	   },
	   "resource":{
	      "address":"info.microsoft.com",
	      "applied_rule":"*microsoft*.com",
	      "id":"2255492",
				"ip":"105.27.80.216",
	      "port":443
	   },
		"service_account": { // Optional: Network events will either have a User or Service Account
				"name":
				"id":
				"key":
				"key_id":
		}
	   "time": "2021-08-15T14:30Z", // ISO compliant date-time string, always in UTC
	   "user":{ // Optional: Network events will either have a User or Service Account
	      "email": "user@twingate.com",
	      "id": "113256"
	   }
}

Last updated 8 months ago

Home

Guides

Use Cases

VPN Replacement

Infrastructure Access

Device Security Controls

Application Gating

Homelab & Personal Use Cases

Internet Security

Compliance

Architecture

How Twingate Works

How DNS Works with Twingate

Twingate vs. VPNs

Twingate vs. Mesh VPNs

Peer-to-peer Communication

How NAT Traversal Works

Encryption in Twingate

API

Getting Started with the API

Schema

Twingate Labs ↗

managing twingate

Quick Start

Automated Deployment

Connectors

Understanding Connectors

Deploying Connectors

Best Practices

Updating Connectors

Advanced Connector Management

Resources

Remote Networks

Aliases

Usage-based Auto-lock

Ephemeral Access

Team

Users

Groups

Identity Providers

Security Policies

Policy Guides

Two-Factor Authentication

Devices

Client Application

Managed Devices

Device Administration

Services

Headless Clients

CI/CD Configuration

Analytics

Network Overview

Audit Logs

Network Traffic

User Activity

Syncing Data to AWS S3

Internet Security

DNS Filtering

DNS-over-HTTPS (DoH)

Internet Security Client Configuration

Exit Networks

Administration

Admin Console Security

Subscription Management

Managed Service Providers

Cancel Your Subscription