Xiid Logs
Xiid maintains logs locally for every software component within the platform. Logs are stored in standard JSON log formats and can be easily consumed and analyzed by SIEM systems.
IM Agent
The IM Agent has three different log files available for use:
events.json
- The events.json logs contain information specifically related to the application. This is where the most useful log information is stored for isolating or troubleshooting issues.
log.json
- The log.json logs contain information regarding network communication.
saml.json
- The saml.json logs contain information related to SAML2.0, such as the SAML authentication process between the IM Agent (Identity Provider) and the Service Provider.
Enabling Debug Mode
WARNING
Enabling Debug Logs will incur additional disk space usage.
By default, the IM Agent only logs Info, Warn, and Error log statements. You can also enable Debug log statements for more visibility through the Agent Configuration Portal.
Sign into the Agent Configuration Portal and navigate to the Config tab dropdown and select Logs.
- Note: If you do not see the Config tab, ensure that the Advanced Mode switch in the top right is on.
On the Logs page, click the switch to turn on the Debug Logs. Ensure that the switch is colored Purple which indicates that debug logs are active.
Enabling SAML Mode
WARNING
Enabling SAML Logs will incur additional disk space usage.
By default, the IM Agent does not log SAML information information, other than high-level information in the events.json
file. You can also enable SAML log statements for more visibility into the SAML interactions that take place between the Service Provider and the Identity Provider. For more information on setting up SAML applications, see SAML Application Setup
To set up SAML debug logs, sign into the Agent Configuration Portal and navigate to the Config tab dropdown and select Logs.
- Note: If you do not see the Config tab, ensure that the Advanced Mode switch in the top right is on.
On the Logs page, click the switch to turn on the SAML Logs. Ensure that the switch is colored Purple which indicates that SAML logs are active.
Location
Operating System | Path |
---|---|
Windows | C:\ProgramData\Xiid\XIID-Agent\logs |
macOS | N/A |
Linux | /var/logs/Xiid/ |
BSD | N/A |
Common Log Statements
The following log statements are helpful in troubleshooting and understanding the IM Agent.
Event Logs
{"level":"debug","HandleConnectionAgentCmd":"example-STexit-14T94324KD","register":"stcollxxx","time":"2024-08-28T17:38:47.5371316Z"}
- Debug statement indicating that SealedTunnel applications were connected to a user's STLink via the SSO Portal
- Commonly printed when a user signs into the SSO portal and has the SealedTunnel available
{"level":"debug","getssoportal":"3ulkdydd [App Description]","time":"2024-08-28T17:39:51.413511Z"}
- Debug statement indicating that SSO Applications were retrieved by a user via the SSO Portal
3ulkdydd
indicates the Application ID that was shown to the user in the SSO Portal
{"level":"debug","RemoveListener":"example-STexit-DV19876GPN@2DMK4918Z0912345NNAAMN4F7S","time":"2024-08-28T17:41:28.7560322Z"}
- Debug statement indicating that the SealedTunnel connection was terminated by either the Entrypoint or Exitpoint
{"level":"debug","SAML":"GET SSO 3u123ydd","time":"2024-08-28T17:41:43.2679133Z"}
- Debug statement indicating that SAML authentication via a SAML Application in the SSO Portal has been initiated
{"level":"debug","getACSExitpoint":"[getACSExitpoint] search AssertionConsumerServiceURL: {https url}","time":"2024-08-28T17:41:43.2852762Z"}
- Debug statement indicating that the IM Agent is attempting to identify and authorize a SAML Application against the Service Provider
{"level":"debug","checkAuthenticator":"Ldap ok: {Authenticator} Conn username: user@example.com","time":"2025-01-08T18:57:26.1606987Z"}
- Indicates that the "Conn username" successfully signed into the SSO Portal
{"level":"error","WsMonitorST":"SendWSMsgWait err stcoll002","error":"timeout","time":"2025-01-22T05:04:09.9670507Z"}
- Indicates that there was a timeout when trying to connect to the SealedTunnel collector
{"level":"error","wsReader":"WS read error:","error":"read tcp 172.xx.xx.xx:50976->139.xx.xx.xx:443: use of closed network connection","time":"2025-01-22T05:04:09.980126Z"}
- Indicates that the connection was interrupted to the SealedTunnel collector
{"level":"error","StartStcollector":"cannot connect agentWS ","error":"stcollxxx.us.xiid.im not connected","time":"2025-01-22T05:05:38.9504161Z"}
- Unable to contact the SealedTunnel Collector
SAML Logs
{"time":"2024-08-28T17:41:43.285","level":"error","ServeSSO":"failed to validate request","error":"cannot find assertion consumer service: no ACS url found or specified"}
- Indicates that the Identity Provider could not locate an ACS url, either from the provided Service Provider Metadata or from the GET request to the Service Provider for the metadata
{"time":"2024-08-28T17:39:15.030","level":"error","manageSSO":"userhash empty","error":null}
- Indicates that the Identity Provider did not know who the user is that was requesting access to a Service Provider
RDP Agent
The RDP Agent has two different log files available for use:
events.json
- The events.json logs contain information specifically related to the application. This is where the most useful log information is stored for isolating or troubleshooting issues.
log.json
- The log.json logs contain information regarding network communication.
Location
Operating System | Path |
---|---|
Windows | C:\ProgramData\Xiid\XIID-RDPwrapper\logs |
macOS | N/A |
Linux | N/A |
BSD | N/A |
Common Log Statements
{"level":"debug","ChangePasswordAD-domain":"{domain}","time":"2023-11-06T18:02:44.9632494Z"}
- Indicates that a request to rotate a password was requested for the RDP agent along a specific domain
{"level":"debug","ChangePasswordAD-username":"rdp-%USER%","time":"2023-11-06T18:02:44.9632494Z"}
- Indicates that a request to rotate a password was requested for the RDP agent for the specified user
{"level":"debug","RWTimeout":"RWdelta: MAX","time":"2024-03-05T21:04:57.3331258Z"}
- Indicates that an existing RDP connection timed out via idle connection
{"level":"error","wsConnect":"dial ws: wss://example.us.xiid.im/v1/ws/rdp-example/example-rdp-6LHRRVV0","error":"websocket: bad handshake","time":"2024-03-05T21:04:57.6484859Z"}
- Indicates that the RDP Agent could not communicate with the IM Agent
- "bad handshake" indicates that there was an issue with key negotiation with the IM Agent
STLink
The STLink has two different log files available for use:
events.json
- The events.json logs contain information specifically related to the application. This is where the most useful log information is stored for isolating or troubleshooting issues.
log.json
- The log.json logs contain information regarding network communication.
Location
Operating System | Path |
---|---|
Windows | C:\ProgramData\Xiid\XIID-stlinkagent\logs |
macOS | /var/log/Xiid/XIID-stlinkagent/logs |
Linux | /var/log/Xiid/XIID-stlinkagent/logs |
BSD | /var/log/Xiid/XIID-stlinkagent/logs |
Common Log Statements
{"level":"info","getload":"stcollxxx","ok":"{\"load\":9}","time":"2025-01-13T11:37:59.5327352Z"}
- STLink responds to a request for the current "system load"
- In the above example this particular STLink is responding that the "load score" (which includes an estimate of CPU, RAM, etc) of the system on which it's running is 9.
- This score varies from 0 to 100.
{"level":"info","HandleWScmd":"example-STexit-DV11PI12PN@05DC86RXHR5432WMEB1VRE6HCW","unregistered":"stcoll002@05DC86RXHR5432WMEB1VRE6HCW","time":"2025-01-13T20:45:04.2053849Z"}
- Indicates that an end-to-end connection was terminated between the STLink entrypoint (in this case, this is from entrypoint logs) and a correspond exitpoint
- DV11PI12PN is the exitpoint ID, 05DC86RXHR5432WMEB1VRE6HCW is the connection ID
- There is a corresponding log statement on the other STLink (in this case, the exitpoint) with similar information referencing the same connection ID
{"level":"info","HandleWScmd":"example-STexit-EOLIDF3ZQU","registerd":"stcollxxx","time":"2025-01-13T20:46:53.6381715Z"}
- Indicates that the STLink (entrypoint) established a binding to the corresponding STLink Exitpoint
- This means that the binding is available, not that any connection was established between the two
{"level":"error","wsReader":"read error","error":"read tcp 172.xx.xx.xx:50048->139.xx.xx.xx:443: use of closed network connection","time":"2025-01-13T21:12:19.8548566Z"}
- Indicates that the STLink could not reach the STCollector
{"level":"error","wsReader":"read error","error":"websocket: close 1006 (abnormal closure): unexpected EOF","time":"2025-01-13T21:24:01.6671994Z"}
- Indicates that the STLink connection was terminated unexpectedly
- This can happen with some types of connections that do not have built-in stay-alive (i.e. RDP connections)