EagleSafe ZTB logs every request and connection that passes through your reverse proxy services — both HTTP and L4 (TCP, UDP, TLS). Access logs provide visibility into who is accessing your services, from where, and whether requests were allowed or denied. Useful for auditing, debugging, and compliance.
View access logs
Go to Activity → Proxy Events in the dashboard. The table shows all HTTP requests and L4 connections with filters for time range, status, and other fields.
What access logs capture
| Field | Description | HTTP | L4 |
|---|---|---|---|
| Timestamp | When the request or connection occurred | ✅ | ✅ |
| Protocol | http, tcp, udp, or tls | ✅ | ✅ |
| Method / Protocol | HTTP method (GET, POST…) or protocol name for L4 | ✅ | ✅ |
| Host / URL | Domain and path for HTTP; host and port for L4 | ✅ | ✅ |
| Status Code | HTTP status code (200, 401, 403, 500…). Empty for L4. | ✅ | — |
| Duration | Request or connection duration in milliseconds | ✅ | ✅ |
| Bytes Uploaded | Bytes sent from client to backend | ✅ | ✅ |
| Bytes Downloaded | Bytes sent from backend to client | ✅ | ✅ |
| Source IP | The client's IP address | ✅ | ✅ |
| Location | Country, city, and region based on source IP geolocation | ✅ | ✅ |
| Auth Method | Authentication method used (SSO, password, PIN, header, or none) | ✅ | — |
| User | Authenticated user ID (SSO only) | ✅ | — |
| Reason | Reason for denial, if applicable | ✅ | ✅ |
Understanding log entries
HTTP entries
- Allowed: status
2xxwith the authentication method used. - Denied: status
401or403with a reason (e.g. invalid password, IP restricted, country restricted). - Errors: status
5xx— the backend is unreachable or returned an error.
L4 entries
Logged when the connection closes, recording total bytes and duration. No HTTP status codes. Denied connections (blocked by access restrictions) are logged immediately with a deny reason.
Deny reasons
| Reason | Description |
|---|---|
ip_restricted | Client IP blocked by a CIDR access restriction |
country_restricted | Client country blocked by a country access restriction |
geo_unavailable | Country restrictions configured but GeoIP database unavailable (fail-closed) |
crowdsec_ban | Client IP has a CrowdSec ban decision |
crowdsec_captcha | Client IP has a CrowdSec captcha decision |
crowdsec_throttle | Client IP has a CrowdSec throttle decision |
crowdsec_unavailable | CrowdSec enforce mode active but bouncer not yet synced (fail-closed) |
All CrowdSec decision types result in connection denial in enforce mode. In observe mode the connection is allowed but the verdict is recorded — shown in the dashboard with an observe-mode badge for auditing without impacting traffic.
Log retention
On EagleSafe's self-hosted deployment, retention is configurable in management.json:
{
"ReverseProxy": {
"AccessLogRetentionDays": 7,
"AccessLogCleanupIntervalHours": 24
}
}- AccessLogRetentionDays — how long logs are kept before automatic deletion.
- AccessLogCleanupIntervalHours — how often expired entries are purged.
