The activity overview shows what actions are being performed by Hackers while on the Gateway solution. It is possible to customize the results by using the filters available, such as **Date**, **Month**, **Year** and **start-end** time, or by using the search box.


The log page allows you to download verbose logs of your network activities for the selected date at UTC (Coordinated Universal Time).

It might take some time to generate logs depending on the hacker traffic volume on the given date.

You will be notified by email once the logs are ready to download.

The links to download logs are valid for 24 hours. When expired, you can request logs for the same date again and a new link will be generated quickly. You can request a maximum of 5 logs at the same time.

You can view all log requests that have been made for the given program. The table shows request details such as request time, status, requester, the date the log was requested for, expiration time of the download link and a download link if available.


To sync logs directly to your selected data storage, please reach out to your CSM. Logs are pushed in batches

as soon as possible. Usually it takes 3-4 minutes for the logs to be available in your data storage.

title: "Gateway Hacker Traffic Logs"

path: "/organizations/vpn-hacker-traffic-logs.html"

id: "organizations/vpn-hacker-traffic-logs"

This page describes hacker traffic logs that are available to download or sync to your data storage.

See [this page](/organizations/hackerone-vpn.html#download-hacker-traffic-logs) for instructions on how to obtain these logs.

Logs are provided in a newline-delimited JavaScript Object Notation (NDJSON) format.

Three types of logs are available that are described in detail below:

- [HTTP](#http)

- [Network](#network)

- [Network Session](#network-session)

Field | Description

--------|------------

HTTP Host | Hostname in the HTTP header for the HTTP request.

Email | Email address of the user who made the HTTP request. This is generated by the WARP client.

Action | The Gateway Action taken based on the first rule that matched (for example, Allow or Block).

Datetime | Date and time of the HTTP request.

URL | Full URL of the HTTP request.

Referer | Referer request header containing the address of the page making the request.

HTTP Version | HTTP version of the origin that Gateway connected to on behalf of the user.

HTTP Method | HTTP method used for the request (for example, GET or POST).

HTTP Status Code | HTTP status code returned in the response.

Destination IP | Public IP address of the destination requested.

Destination Port | Port of the destination requested.

User Agent | User agent header sent in the request by the originating device.

Untrusted Certificate Action | Action taken when an untrusted origin certificate error occurs (for example, expired certificate, mismatched common name, invalid certificate chain, signed by non-public CA). One of **none**, **block**, **error** or **passThrough**.

SessionID | The session identifier of this network session.

Field | Description

------|------------

Destination IP | IP address of the packet’s target.

Action | The Gateway Action taken based on the first rule that matched (for example, Allow or Block).

Session ID | ID of the unique session.

Datetime | Date and time of the session.

Source Port | Source port number for the packet.

SNI | Host whose Server Name Indication (SNI) header Gateway will filter traffic against.

Email | Email address of the user sending the packet.

OverrideIP | Overridden IP of the network session, if any.

OverridePort | Overridden port of the network session, if any.

Transport | Transport protocol used for this session. Possible values are **tcp**, **quic** and **udp**.

Field | Description

------|------------

BytesReceived | The number of bytes sent from the origin to the client during the network session.

BytesSent | The number of bytes sent from the client to the origin during the network session.

ClientTCPHandshakeDurationMs | Duration of handshaking the TCP connection between the client and Cloudflare in milliseconds.

ClientTLSCipher | TLS cipher suite used in the connection between the client and Cloudflare.

ClientTLSHandshakeDurationMs | Duration of handshaking the TLS connection between the client and Cloudflare in milliseconds.

ClientTLSVersion | TLS protocol version used in the connection between the client and Cloudflare.

ConnectionCloseReason | The reason for closing the connection, only applicable for TCP. Possible values are **clientClosed**, **originClosed**, **timeout**, **clientTcpError**, **clientTlsError**, **originTcpError** and **originTlsError**.

ConnectionReuse | Whether the TCP connection was reused for multiple HTTP requests.

EgressColoName | The name of the Cloudflare colocation from which traffic egressed to the origin.

EgressIP | Source IP used when egressing traffic from Cloudflare to the origin.

EgressPort | Source port used when egressing traffic from Cloudflare to the origin.

Email | [Email address alias](/hackers/hacker-email-alias.html) associated with the user identity which initiated the network session.

IngressColoName | The name of the Cloudflare colocation to which traffic ingressed.

Offramp | The type of destination to which the network session was routed. Possible values are **internet**, **magic**, **cfd_tunnel** and **WARP**.

OriginIP | The IP of the destination origin for the network session.

OriginPort | The port of the destination origin for the network session.

OriginTLSCertificateIssuer | The issuer of the origin TLS certificate.

OriginTLSCertificateValidationResult | The result of validating the TLS certificate of the origin. Possible values are **valid**, **expired**, **revoked** and **hostnameMismatch**.

OriginTLSCipher | TLS cipher suite used in the connection between Cloudflare and the origin.

OriginTLSHandshakeDurationMs | Duration of handshaking the TLS connection between Cloudflare and the origin in milliseconds.

OriginTLSVersion | TLS protocol version used in the connection between Cloudflare and the origin.

Protocol | Network protocol used for this network session. Possible values are **tcp**, **udp**, **icmp** and **icmpv6**.

SessionEndTime | The network session end timestamp with nanosecond precision.

SessionID | The identifier of this network session.

SessionStartTime | The network session start timestamp with nanosecond precision.

- title: Hacker Traffic Logs

path: /organizations/vpn-hacker-traffic-logs.html