Zero Trust Access Log Formats
The Cisco Secure Access Zero Trust Access logs show your organization's traffic through the Secure Access Zero Trust Access services. ZTA logs include security events for both client-based and client-less Zero Trust Access sessions. For information about the size of a log file, see Estimate the Size of a Log.
Example
An example of a v10 Zero Trust Access log event.
timestamp,identity email,identity labels,identity type labels,hostname,verdict,client os,client browser,client geo location,client ip,ruleset id,rule id,private app group id,private app id,private resource id,private resource group id,step up auth type,step up auth result,step up auth token life,posture id,requested id fqdn,resolved ip,app connector group id,headend type,duo device id,duo device id string,system password,client firewall,disk encryption,anti malware agents,transaction id,block reason,application port,application protocol,tunnel type,secure client version,possible match ruleset id,possible match rule id,possible match posture,source process id,source process name,source process hash,source process user name,organization id,ad joined id
"2017-10-02 23:52:53","[email protected]","Network. AD Computer","Networks","ts-auto.com","ALLOW","Mac OS 10.9.5","Chrome 9.9","Canada","10.10.10.10","56","12","25","129","200","756","SAML_SSO","SUCCESS","6000","256","prod.example.com","1.1.1.1","45","CLAP",,"921c9ab4123456789aa5d6e814b90","enabled[1000]","SYS","THIRDPARTY","[cisco-amp 1.20.0.877, windows-defender 1.20.0.877]","ne2OJA4jNFM2J2LSVKJXvNguHW2bFqUd","","80","TCP","HTTP2","","[]","[]","[]","[]","[]","[]","[]","8151514",""
Order of Fields in Zero Trust Access Logs
Note: Not all fields listed are found in most or all requests. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.
V10 Log Format
The CSV fields in the header row of the Zero Trust Access log.
timestamp,identity email,identity labels,identity type labels,hostname,verdict,client os,client browser,client geo location,client ip,ruleset id,rule id,private app group id,private app id,private resource id,private resource group id,step up auth type,step up auth result,step up auth token life,posture id,requested id fqdn,resolved ip,app connector group id,headend type,duo device id,duo device id string,system password,client firewall,disk encryption,anti malware agents,transaction id,block reason,application port,application protocol,tunnel type,secure client version,possible match ruleset id,possible match rule id,possible match posture,source process id,source process name,source process hash,source process user name,organization id,ad joined id
The description of each field and the log version in which each field was released, up to version 10. For more information about log versions, see Find Your Log Schema Version.
Field name | Description | Release version |
---|---|---|
timestamp | The date and time of the ZTA event, expressed as a UTC-formatted string (e.g., 2024-01-16 17:48:41). Note: Unlike the Secure Access dashboard and reports, Secure Access logs do not convert the timestamp to your local timezone. | v9 |
identity email | The email address of the Active Directory user. | v9 |
identity labels | The list of labels for the identity. | v9 |
identity type labels | The label of the identity type. | v9 |
hostname | The hostname of the user device. | v9 |
verdict | Whether the user has access to a resource. | v9 |
client os | The operating system of the user device. | v9 |
client browser | The name of the browser on the user device. | v9 |
client geo location | The regional location of the user device. | v9 |
client ip | The IP address of the user device. | v9 |
ruleset id | The ID of the ruleset. | v9 |
rule id | The ID of the access rule. | v9 |
private app group id | The ID of the private application group. | v9 |
private app id | The ID of the private application. | v9 |
private resource id | The ID that Secure Access assigns to the customer-defined private application. | v9 |
private resource group id | The ID of the private resource group, populated when the matched rule is based on a private application group. | v9 |
step up auth type | The type of authentication. Valid values are: SAML_SSO, MFA, or NONE. | v9 |
step up auth result | The result of the authentication. Valid values are: SUCCESS or FAILURE. | v9 |
step up auth token life | The time in seconds between when the token was generated and when it was used. | v9 |
posture id | ID of the matching posture profile. | v9 |
requested id fqdn | The IP or FQDN of the requested application. | v9 |
resolved ip | The IP of the application returned by the proxy. | v9 |
app connector group id | The group ID of the App Connector. | v9 |
headend type | The type of the headend. Valid values are: CLAP or BAP. | v9 |
duo device id | The ID of the Duo App on the device. | v9 |
duo device id string | The ID label of the Duo App on the device. | v9 |
system password | Whether the system password is enabled with its timeout in seconds. | v9 |
client firewall | The client system firewall. Valid values are: SYS or NONE. | v9 |
disk encryption | The client disk encryption type. Valid values are: SYS, NONE or THIRD PARTY. | v9 |
anti malware agents | The client's anti-malware agents. | v9 |
transaction id | Unique transaction ID generated by the Secure Client. | v10 |
block reason | The reason for the transaction being blocked (e.g., Android OS not allowed). | v10 |
application port | The port of the destination application. | v10 |
application protocol | The type of protocol used for transactions (e.g., TCP). | v10 |
tunnel type | The type of tunnel used to connect to the ZTA proxy. Valid values are: HTTP2, HTTP3. | v10 |
secure client version | The version of the Cisco Secure Client on the endpoint device accessing a private resource. | v10 |
possible match ruleset id | For a block event, the ID of the ruleset that could have allowed the transaction if not for the block reason. | v10 |
possible match rule id | For a block event, the ID of the rule within the ruleset that could have allowed the transaction if not for the block reason. | v10 |
possible match posture | For a block event, the posture that could have allowed the transaction if not for the block reason. | v10 |
source process id | The ID of the source process that initiated the transaction from the client side. | v10 |
source process name | The name of the source process that initiated the transaction from the client side (e.g., chrome.exe). | v10 |
source process hash | The hash of the source process that initiated the transaction from the client side. | v10 |
source process user name | The user name associated with the source process that initiated the transaction from the client side. | v10 |
organization id | The Secure Access organization ID. For more information, see Find Your Organization ID. | v10 |
ad joined id | ID of the device if it is joined to an Active Directory domain. | v10 |
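The field table above is what a SIEM ingestion step has to honour: the header row fixes the column order, an absent value is the empty string rather than a missing column, several v10 fields (anti malware agents, the possible match fields, the source process fields) are emitted as bracketed lists, and system password packs a flag and a timeout into one value. The parser below is an added example, not Cisco's own code; it uses the page's v10 header verbatim, validates that every row has all 45 columns (a short row usually means a file from an older schema version), normalises empty strings to None, and pulls out blocked events that carry a possible-match ruleset for policy review. The sample log is constructed from the page's example row (with a placeholder email) plus one invented BLOCK row; which fields are list-valued, and the BLOCK verdict spelling, are assumptions taken from the example row and the field descriptions rather than documented on the page.

```python
import csv
import io
import re
from typing import Any, Dict, List

# Header row of the v10 Zero Trust Access log, copied from the page.
V10_HEADER = (
    "timestamp,identity email,identity labels,identity type labels,hostname,verdict,"
    "client os,client browser,client geo location,client ip,ruleset id,rule id,"
    "private app group id,private app id,private resource id,private resource group id,"
    "step up auth type,step up auth result,step up auth token life,posture id,"
    "requested id fqdn,resolved ip,app connector group id,headend type,duo device id,"
    "duo device id string,system password,client firewall,disk encryption,"
    "anti malware agents,transaction id,block reason,application port,"
    "application protocol,tunnel type,secure client version,possible match ruleset id,"
    "possible match rule id,possible match posture,source process id,"
    "source process name,source process hash,source process user name,"
    "organization id,ad joined id"
)
V10_FIELDS = V10_HEADER.split(",")

# Assumption: these fields carry bracketed lists ("[a, b]" or "[]"), as in the example row.
LIST_FIELDS = {
    "anti malware agents", "possible match ruleset id", "possible match rule id",
    "possible match posture", "source process id", "source process name",
    "source process hash", "source process user name",
}
# Numeric fields that are convenient to type as int for filtering.
INT_FIELDS = {"step up auth token life", "application port"}
# "system password" looks like enabled[1000]: an enabled/disabled flag plus a timeout in seconds.
_SYSPW_RE = re.compile(r"^(enabled|disabled)\[(\d+)\]$")


def _parse_list(raw: str) -> List[str]:
    """Turn "[x, y]" into ["x", "y"] and "[]" into []."""
    text = raw.strip()
    if not (text.startswith("[") and text.endswith("]")):
        raise ValueError(f"expected bracketed list, got {raw!r}")
    inner = text[1:-1].strip()
    return [item.strip() for item in inner.split(",")] if inner else []


def parse_record(row: List[str]) -> Dict[str, Any]:
    """Map one CSV row onto the v10 field names, rejecting rows with the wrong column count."""
    if len(row) != len(V10_FIELDS):
        raise ValueError(f"expected {len(V10_FIELDS)} columns, got {len(row)}")
    rec: Dict[str, Any] = {}
    for name, raw in zip(V10_FIELDS, row):
        if raw == "":                       # empty string means "no value" in these logs
            rec[name] = None
        elif name in LIST_FIELDS:
            rec[name] = _parse_list(raw)
        elif name in INT_FIELDS:
            rec[name] = int(raw)
        elif name == "system password":
            m = _SYSPW_RE.match(raw)
            rec[name] = (m.group(1) == "enabled", int(m.group(2))) if m else raw
        else:
            rec[name] = raw
    return rec


def parse_zta_log(text: str) -> List[Dict[str, Any]]:
    """Parse a whole log file; a leading header row, if present, is skipped."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row == V10_FIELDS:
            continue
        records.append(parse_record(row))
    return records


def blocked_with_possible_match(records: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Blocked events that name a ruleset/rule which would have allowed them: review candidates.
    Assumption: the verdict for a block event is the string "BLOCK" (the page only shows ALLOW)."""
    return [
        r for r in records
        if r["verdict"] == "BLOCK"
        and (r["possible match ruleset id"] or r["possible match rule id"])
    ]


# Constructed sample: the page's example row (placeholder email) and one invented BLOCK row.
SAMPLE_LOG = V10_HEADER + "\n" + '''"2017-10-02 23:52:53","user@example.com","Network. AD Computer","Networks","ts-auto.com","ALLOW","Mac OS 10.9.5","Chrome 9.9","Canada","10.10.10.10","56","12","25","129","200","756","SAML_SSO","SUCCESS","6000","256","prod.example.com","1.1.1.1","45","CLAP",,"921c9ab4123456789aa5d6e814b90","enabled[1000]","SYS","THIRDPARTY","[cisco-amp 1.20.0.877, windows-defender 1.20.0.877]","ne2OJA4jNFM2J2LSVKJXvNguHW2bFqUd","","80","TCP","HTTP2","","[]","[]","[]","[]","[]","[]","[]","8151514",""
"2017-10-02 23:53:10","user@example.com","Network. AD Computer","Networks","lab-phone","BLOCK","Android 12","Chrome 9.9","Canada","10.10.10.11","","","","","","","NONE","","","","prod.example.com","1.1.1.1","45","CLAP",,"","","","","[]","tx-constructed-0001","Android OS not allowed","443","TCP","HTTP2","5.1.0","[56]","[12]","[256]","[]","[]","[]","[]","8151514",""
'''

if __name__ == "__main__":
    for r in blocked_with_possible_match(parse_zta_log(SAMPLE_LOG)):
        print(r["timestamp"], r["hostname"], r["block reason"], r["possible match ruleset id"])
```

Running the block prints the constructed BLOCK row with its block reason and the ruleset that would otherwise have matched; a column-count mismatch raises instead of silently shifting values into the wrong fields, which is the failure mode to guard against when a v9 export is fed to a v10 parser.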