Analyzing Network Traffic


Note that the functionality described here is exclusive to the Enterprise product tier. Contact us if you'd like to change your product tier.

Twingate allows customers to view and export network activity on their remote networks. This can be useful for troubleshooting or investigatory purposes. Note that the only network activity that will be exported is traffic that flows through Connectors you have deployed. As Twingate is not a traditional VPN, it does not see other user traffic, which flows directly to the Internet.

Twingate provides two ways to view and export network traffic that flows through Connectors that you have deployed on your network:

  1. Manually exporting network traffic via the Admin console
  2. Real-time connection logging, output directly by the Connector process

Real-time connection logging configuration and output is described in Real-time Connection Logs.

Exporting Network Traffic

To create an export:

  1. Navigate to the Analytics page under Settings
  2. Click New Report to generate a new report
  3. Select the time range and the Remote Network that you want to export, or you can export all Remote Networks. The time range will use your local timezone, even though the export itself will have timestamps in UTC. The time used is the end time of the connection, regardless of when the connection began.
  1. The export will complete in the background and email you when it's ready. Most exports will only take a few minutes, though very large ones could take a few hours.
  2. Go back to the Analytics page to download completed reports.

View details about the schema we use to export events


How to view the export

Exports are created in GZIP format, which you can use most free compression tools to decompress. After decompression, we recommend you rename the file by adding .csv to the filename, which will make it easier to open in a spreadsheet editor.


Where is the IP of the client?
This is currently not shown and will be added in a future update.

Why don't I see access denied events?
Due to the zero trust method Twingate uses, there is no way to distinguish between being denied access to a Resource and said Resource not existing at all, because the client only knows about Resources it has permissions to access. We are looking into how to address this in the future.

How long are events retained for?
Twingate retains analytics data for one year.

Did this page help you?