Zero Trust Access Flow Log Formats
The Cisco Secure Access Zero Trust Access (ZTA) flow logs show your organization's traffic through the Secure Access ZTA services. ZTA flow logs show traffic events in client-based and browser-based ZTA sessions that take place after successful authentication. For information about the size of a log file, see Estimate the Size of a Log.
Example
An example of a v10 Zero Trust Access flow log event.
timestamp,identity email,identity labels,identity type labels,organization id,msp organization id,hostname,transaction ID,private resource id,private resource group id,app connector id,app connector group id,ruleset id,rule id,connection status,connection failure reason,headend type,event type,rxbytes,txbytes,egress ip,egress port,nt group id,zta source port
"2025-10-02 23:52:53","[email protected]","[email protected], Network. AD Computer","Networks","ts-auto.com","1234567","1254367","Gd2o4Dr9PBERUpCvvAneaKbBqA6Di4Io","45937","45873","147","56","TERMINATED","App did not respond","CLAP","129","CONN_FAILURE","453","7756","1.1.1.1","3000","256","4001"
Order of Fields in Zero Trust Access Flow Logs
Note: Not every listed field is present in every request. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.
V10 Log Format
The CSV fields in the header row of the Zero Trust Access flow log.
timestamp,identity email,identity labels,identity type labels,organization id,msp organization id,hostname,transaction ID,private resource id,private resource group id,app connector id,app connector group id,ruleset id,rule id,connection status,connection failure reason,headend type,event type,rxbytes,txbytes,egress ip,egress port,nt group id,zta source port
The description of each field and the log version in which each field was released, up to version 10. For more information about log versions, see Find Your Log Schema Version.
Field name | Description | Release version |
---|---|---|
timestamp | The date and time of the ZTA event, expressed as a UTC-formatted string (e.g., 2025-01-16 17:48:41). Note: Unlike the Secure Access dashboard and reports, Secure Access logs do not convert the timestamp to your local timezone. | v10 |
identity email | The email address of the Active Directory user. | v10 |
identity labels | The list of labels for the identity. | v10 |
identity type labels | The label of the identity type. | v10 |
organization id | The Secure Access organization ID. For more information, see Find Your Organization ID. | v10 |
msp organization id | The Secure Access organization ID of the parent managed service provider. | v10 |
hostname | The hostname of the user device. | v10 |
transaction id | Universally unique identifier (UUID) of the transaction associated with the event. | v10 |
private resource id | The ID that Secure Access assigns to the customer-defined private application. | v10 |
private resource group id | The private resource group ID, if the matched rule is based on a private application group. | v10 |
app connector id | The ID of the App Connector. | v10 |
app connector group id | The group ID of the App Connector. | v10 |
ruleset id | The ID of the ruleset. | v10 |
rule id | The ID of the access rule. | v10 |
connection status | The status of the request to connect to the private resource. Valid values are: Connected, Reset, Terminated, or Unknown. | v10 |
connection failure reason | The error codes for failed connection requests. | v10 |
headend type | The type of the headend. Valid values are: CLAP or BAP. | v10 |
event type | The type of flow event. Valid values are: DNS_FAILURE_CONNECTIVITY, DNS_FAILURE_RESOLUTION, CONN_FAILURE, CONN_SUCCESS, APP_INVALID_DESTINATION, APP_PORT_MISMATCH, APP_PROTOCOL_MISMATCH | v10 |
rxbytes | The number of bytes received during the session. | v10 |
txbytes | The number of bytes transmitted or sent during the session. | v10 |
egress ip | The egress IP address of the network where the request originated. | v10 |
egress port | The egress port number of the network where the request originated. | v10 |
nt group id | The tunnel ID associated with this request. | v10 |
zta source port | The port number used by the Zero Trust proxy service to connect to an unmanaged device requesting a connection to a private resource. | v10 |
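
The following is an added example, not Cisco's code: a Python parser for the v10 format above that maps each row to the header fields, treats the empty string as "no value", keeps timestamps in UTC, and rejects rows whose field count does not match the header instead of guessing the alignment. The names `parse_zta_flow` and `failures`, the sample rows, and the rule that every event type other than CONN_SUCCESS counts as a failure are assumptions of this example.

```python
import csv
import io
from datetime import datetime, timezone

# Header row of the v10 ZTA flow log, copied from this page.
V10_HEADER = (
    "timestamp,identity email,identity labels,identity type labels,organization id,"
    "msp organization id,hostname,transaction ID,private resource id,"
    "private resource group id,app connector id,app connector group id,ruleset id,"
    "rule id,connection status,connection failure reason,headend type,event type,"
    "rxbytes,txbytes,egress ip,egress port,nt group id,zta source port"
).split(",")

# Constructed sample rows (not real log data): a failure, a success, and a short row.
SAMPLE = "\n".join([
    ",".join(V10_HEADER),
    '"2025-10-02 23:52:53","user@example.com","user@example.com, AD Users","Users","1234567","","host-01","txn-0001","45937","45873","147","56","11","129","TERMINATED","App did not respond","CLAP","CONN_FAILURE","453","7756","192.0.2.10","3000","256","4001"',
    '"2025-10-02 23:53:10","user@example.com","user@example.com","Users","1234567","","host-01","txn-0002","45937","","147","56","11","129","CONNECTED","","BAP","CONN_SUCCESS","1024","2048","192.0.2.10","3001","256",""',
    '"2025-10-02 23:54:00","user@example.com","user@example.com","Users","1234567","","host-01","txn-0003","45937","","147","56","129","RESET","","CLAP","CONN_FAILURE","0","0","192.0.2.10","3002","256",""',
])

def parse_zta_flow(text):
    """Return (events, rejected); rejected is a list of (line_no, reason)."""
    events, rejected = [], []
    reader = csv.reader(io.StringIO(text))  # handles quoted fields containing commas
    for row in reader:
        if not row or row == V10_HEADER:
            continue
        if len(row) != len(V10_HEADER):  # refuse to guess which column is missing
            rejected.append((reader.line_num, f"expected {len(V10_HEADER)} fields, got {len(row)}"))
            continue
        ev = {k: (v or None) for k, v in zip(V10_HEADER, row)}  # "" means no value
        try:
            # Log timestamps are UTC; attach the zone so later comparisons are unambiguous.
            ev["timestamp"] = datetime.strptime(ev["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            for k in ("rxbytes", "txbytes"):
                ev[k] = int(ev[k]) if ev[k] is not None else None
        except (TypeError, ValueError) as exc:
            rejected.append((reader.line_num, str(exc)))
            continue
        events.append(ev)
    return events, rejected

def failures(events):
    # Assumption of this example: every event type except CONN_SUCCESS is a failure.
    return [e for e in events if (e["event type"] or "").upper() != "CONN_SUCCESS"]
```

Rejected rows are returned with their line number so they can be reviewed rather than silently dropped or shifted into the wrong columns.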