Audit Logs
Comprehensive activity logs to meet security compliance requirements and investigate incidents.
Log Types
VPN Session Logs
Recorded for every VPN connection:
- Connect time, disconnect time, and session duration
- User account, source IP address, device model
- Assigned virtual IP
- Bytes uploaded and downloaded
Application Access Logs
Recorded when users access web apps through Remok:
- Application name and URL accessed
- Access timestamp and source IP
- HTTP method and response status code
Admin Operation Logs
Recorded for all admin console activity:
- Administrator login and logout
- User create, update, and delete operations
- Application configuration changes
- Security policy modifications
Querying Logs
The admin console provides powerful log search:
- Filter by date range, user, IP address, or application
- Full-text search across all log fields
- Export results as CSV or JSON
Alert Rules (Enterprise)
| Alert | Trigger | Notification |
|---|---|---|
| Brute Force | 5+ failed logins in 5 minutes for the same account | Email / SMS |
| Concurrent Sessions | Same account logged in from different cities simultaneously | |
| Abnormal Traffic | Single user exceeds traffic threshold | |
🔴 At minimum, configure the brute-force alert. It catches the most common attack vector against VPN gateways.
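The brute-force rule above can also be run offline against an exported log file. The following is an added example, not Remok's own code: it assumes the JSON export holds one object per line with the hypothetical fields `ts`, `user`, `src_ip` and `event`, and that a failed login is recorded as `event: "login_failed"`. Failures are counted per account, as in the rule, so attempts spread across several source IPs still trigger.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # rule window from the alert table
THRESHOLD = 5                  # "5+ failed logins"

def _rec(minute, user, ip, event="login_failed"):
    # Constructed record; the field names ts/user/src_ip/event are assumptions.
    ts = f"2024-05-01T09:{minute:02d}:00+00:00"
    return json.dumps({"ts": ts, "user": user, "src_ip": ip, "event": event})

# Constructed sample export, one JSON object per line.
SAMPLE = (
    # alice: 5 failures in 4 minutes, spread over two source IPs
    [_rec(m, "alice", ("198.51.100.9", "203.0.113.7")[m % 2]) for m in range(5)]
    # bob: 5 failures spread over 24 minutes (stays under the rule)
    + [_rec(m * 6, "bob", "192.0.2.44") for m in range(5)]
    + [_rec(2, "alice", "203.0.113.7", event="login_ok")]
)

def brute_force_alerts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per account each time it crosses the threshold."""
    failures = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("event") == "login_failed":
            failures.append((datetime.fromisoformat(rec["ts"]), rec["user"], rec["src_ip"]))
    failures.sort(key=lambda f: f[0])  # do not rely on export order

    recent = defaultdict(deque)  # account -> failures still inside the window
    firing = set()               # accounts currently over the threshold
    alerts = []
    for ts, user, ip in failures:
        q = recent[user]
        q.append((ts, ip))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) < threshold:
            firing.discard(user)
        elif user not in firing:      # alert once per burst, not per attempt
            firing.add(user)
            alerts.append({"user": user, "first": q[0][0].isoformat(),
                           "last": ts.isoformat(), "count": len(q),
                           "src_ips": sorted({i for _, i in q})})
    return alerts

if __name__ == "__main__":
    for alert in brute_force_alerts(SAMPLE):
        print(json.dumps(alert))
```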
Retention Policy
- Community edition: 30 days of logs retained
- Pro edition: 180 days of logs retained
- Enterprise edition: Custom retention; supports export to Elasticsearch, Splunk, or syslog
Exporting to SIEM
Enterprise deployments can forward logs to external SIEM systems in real time:
```
# syslog forwarding (rsyslog example)
# "@@" forwards over TCP; a single "@" would use UDP
*.* @@siem.corp.example.com:514;RSYSLOG_ForwardFormat
```

```yaml
# Elasticsearch output
output:
  elasticsearch:
    hosts: ["https://elastic.corp.example.com:9200"]
    index: "remok-logs-%{+YYYY.MM.dd}"
```
💡 Use structured JSON log format when forwarding to SIEM — it makes querying and alerting much easier.