Zero Trust Access Enrollment Log Format
The Cisco Secure Access Zero Trust Access (ZTA) flow logs provide a detailed account of events relating to ZTA services. From version 13, Secure Access introduces a new log format specifically designed for ZTA enrollment events. These logs capture the details of enrollment and unenrollment transactions, enabling administrators to monitor the enrollment process and troubleshoot potential issues effectively.
Table of Contents
Example
This is an example of a v13 ZTA enrollment log event:
timestamp,identity email,identity labels,identity type labels,organization id,msp organization id,enrollment id,event type,enrollment method,event detail,os type & version,zta client version,event status,device id,public ip
"2017-10-02 23:52:53","[email protected]","[email protected]", "Network". "AD Computer","Networks","ts-auto.com","1234567","1234567","Gd2o4Dr9PBERUpCvvAneaKbBqA6Di4Io","ENROLL","SAML","Failed to enroll","Mac OS 10.9.5","5.1.0.0","Successfully enrolled","12345","1.1.1.1"
Order of Fields in ZTA Enrollment Logs
Note: Not all the fields that are listed are found in most or all requests. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.
Optional V13 Log Header Format
The CSV fields in the header row of the Optional Log header are as follows:
"Timestamp","Identity Email","Identity Labels","Identity Type Labels","Organization ID","MSP Organization ID","Enrollment ID","Event Type","Enrollment Method","Event Detail","OS Type & Version","ZTA Client Version","Event Status","Device ID","Public IP"
V13 Log Format
The CSV fields in the header row of the ZTA enrollment log are as follows:
timestamp,identity email,identity labels,identity type labels,organization id,msp organization id,enrollment id,event type,enrollment method,event detail,os type & version,zta client version,event status,device id,public ip
The following table provides the description for each field and the log version in which it was introduced, up to Version 13. For more information about log versions, see Find Your Log Schema Version.
| Field name | Description | Release version |
|---|---|---|
| timestamp | The date and time of the ZTA enrollment event, displayed as a UTC-formatted string, for example, 2026-01-16 17:48:41.Note: Unlike the Secure Access dashboard and reports, Secure Access logs do not convert the timestamp to your local timezone. | v13 |
| identity email | The email address of the Active Directory user initiating the enrollment or unenrollment. | v13 |
| identity labels | The list of labels associated with the identity. | v13 |
| identity type labels | The label specifying the identity type. | v13 |
| organization id | The unique identifier for the Secure Access organization. For more information, see Find Your Organization ID. | v13 |
| msp organization id | The Secure Access organization ID of the parent-managed service provider. | v13 |
| enrollment id | The unique transaction ID for the enrollment or unenrollment process. | v13 |
| event type | The type of enrollment event. Valid values are: ENROLL or UNENROLL. | v13 |
| enrollment method | The authentication method used for enrollment. Valid values are:SAML, CERTIFICATE, orBOTH. | v13 |
| event detail | Additional context for the event, including reasons for enrollment failure. | v13 |
| os type & version | The operating system name and version of the client device. | v13 |
| zta client version | The version of the ZTA client installed in the device. | v13 |
| event status | The status of the enrollment event, for example, successfully enrolled or failure status details. | v13 |
| device id | The unique identifier assigned to the enrolled or unenrolled device. | v13 |
| public ip | The public IP address of the client device. | v13 |
Zero Trust Access Flow Log Formats < Zero Trust Access Enrollment Log Formats > Manage API Keys
Updated about 8 hours ago