Zero Trust Network Access Log Formats

The Cisco Secure Access Zero Trust Network Access logs show your organization's traffic through the Secure Access Zero Trust Network Access services. ZTNA logs include security events for both client-based and client-less Zero Trust Access sessions. For information about the size of a log file, see Estimate the Size of a Log.

Examples

Examples of Zero Trust Network Access logs.

V9 Log Samples

"2017-10-02 23:52:53","Network. AD Computer","Networks","ts-auto.com","ALLOWED","Mac OS 10.9.5","Chrome 9.9","Canada","10.10.10.10","56","12","25","129","200","756","SAML_SSO","SUCCESS","6000","256","1.2.3.4","1.1.1.1","45","CLAP","234","enabled[1000]","SYS","THIRDPARTY","["agent1, agent2"]"

Order of Fields in Zero Trust Network Access Logs

Note: Not every field listed appears in every request. When a field has no value, Secure Access writes the empty string ("") for that field in the log.

V9 Log Format

The CSV fields in the header row of the Zero Trust Network Access logs.

timestamp,identity labels,identity type labels,hostname,verdict,client os,client browser,client geo location,client ip,ruleset id,rule id,private app group id,private app id,private resource id,private resource group id,step up auth type,step up auth result,step up auth token life,posture id,requested id fqdn,resolved ip,app connector group id,headend type,duo device id,duo device id string,system password,client firewall,disk encryption,anti malware agents
  • timestamp—The timestamp of the request in UTC (2024-01-16 17:48:41).
  • identity labels—The list of labels for the identity.
  • identity type labels—The label of the identity type.
  • hostname—The hostname of the user device.
  • verdict—Whether the user has access to a resource.
  • client os—The operating system of the user device.
  • client browser—The name of the browser on the user device.
  • client geo location—The regional location of the user device.
  • client ip—The IP address of the user device.
  • ruleset id—The ID of the ruleset.
  • rule id—The ID of the access rule.
  • private app group id—The ID of the private application group.
  • private app id—The ID of the private application.
  • private resource id—The ID that Secure Access assigns to the customer-defined private application.
  • private resource group id—The ID of the private resource group; set when the matched rule is based on a private application group.
  • step up auth type—The type of authentication. Valid values are: SAML_SSO, MFA, or NONE.
  • step up auth result—The result of the authentication. Valid values are: SUCCESS or FAILURE.
  • step up auth token life—The time in seconds between when you generated the token and used the token.
  • posture id—ID of the matching posture profile.
  • requested id fqdn—The IP or FQDN of the requested application.
  • resolved ip—The IP address of the application as returned by the proxy.
  • app connector group id—The group ID of the App Connector.
  • headend type—The type of the headend. Valid values are: CLAP or BAP.
  • duo device id—The ID of the Duo App on the device.
  • duo device id string—The ID label of the Duo App on the device.
  • system password—Whether the system password is enabled with its timeout in seconds.
  • client firewall—The client system firewall. Valid values are SYS or NONE.
  • disk encryption—The client Disk Encryption Type. Valid values are: SYS, NONE or THIRD PARTY.
  • anti malware agents—The anti-malware agents running on the user device.
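To show how the V9 header above maps onto a record in practice, here is an added example in Python; it is not Cisco's code and not taken from this page. It keys a CSV parser on the documented header, rejects any line whose field count differs from the header's (a shifted column would silently relabel the posture fields), treats the empty string as "not reported" rather than as a value, splits the system password field into its state and timeout, and flags the sessions a reviewer would want to look at: a verdict other than ALLOWED, a failed step-up authentication, a client firewall or disk encryption of NONE, or no posture profile or anti-malware agent reported. The two log lines are constructed; the hostnames, FQDNs, the Duo device string and the verdict value BLOCKED are made-up sample values, and the "disabled" form of the system password field is an assumption.

```python
import csv
import io
import re
from typing import Dict, List, Optional, Tuple

# Header row of the V9 Zero Trust Network Access log, as documented above.
V9_HEADER = (
    "timestamp,identity labels,identity type labels,hostname,verdict,client os,"
    "client browser,client geo location,client ip,ruleset id,rule id,"
    "private app group id,private app id,private resource id,"
    "private resource group id,step up auth type,step up auth result,"
    "step up auth token life,posture id,requested id fqdn,resolved ip,"
    "app connector group id,headend type,duo device id,duo device id string,"
    "system password,client firewall,disk encryption,anti malware agents"
)
V9_FIELDS: List[str] = V9_HEADER.split(",")

# Constructed sample records (not from a real tenant). Each carries all 29
# fields; absent values are written as "" exactly as Secure Access does.
# "BLOCKED", the hostnames, FQDNs and Duo string are made-up sample values.
SAMPLE_LOG = (
    '"2024-01-16 17:48:41","Network. AD Computer","Networks","ts-auto.com","ALLOWED",'
    '"Mac OS 10.9.5","Chrome 9.9","Canada","10.10.10.10","56","12","25","129","200",'
    '"756","SAML_SSO","SUCCESS","6000","256","app.example.internal","1.1.1.1","45",'
    '"CLAP","234","duo-device-example","enabled[1000]","SYS","THIRDPARTY",'
    '"[agent1, agent2]"\n'
    '"2024-01-16 17:49:02","","","laptop-7","BLOCKED","Windows 11","Edge 120",'
    '"Canada","10.10.10.11","56","13","25","130","201","","MFA","FAILURE","","",'
    '"hr.example.internal","","45","BAP","","","","NONE","NONE",""\n'
)

# Matches the documented "enabled[1000]" form; the "disabled" state is assumed.
_SYS_PW = re.compile(r"^(enabled|disabled)(?:\[(\d+)\])?$")


def parse_v9_records(text: str) -> List[Dict[str, str]]:
    """Parse V9 ZTNA log lines into dicts keyed by the documented field names.

    A line whose field count differs from the header is rejected instead of
    being mapped positionally: a single missing column would otherwise shift
    'client firewall' into 'disk encryption' and so on without any error.
    """
    records = []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue
        if len(row) != len(V9_FIELDS):
            raise ValueError(
                f"line {lineno}: expected {len(V9_FIELDS)} fields, got {len(row)}"
            )
        records.append(dict(zip(V9_FIELDS, row)))
    return records


def value_or_none(record: Dict[str, str], field: str) -> Optional[str]:
    """Secure Access writes "" for an absent value; return None for it so a
    caller cannot mistake 'not reported' for a real value."""
    return record[field] or None


def parse_system_password(value: str) -> Tuple[Optional[str], Optional[int]]:
    """Split the 'system password' field, e.g. 'enabled[1000]', into
    (state, timeout_seconds). Returns (None, None) for an empty/unknown value."""
    m = _SYS_PW.match(value)
    if not m:
        return (None, None)
    timeout = int(m.group(2)) if m.group(2) else None
    return (m.group(1), timeout)


def posture_findings(record: Dict[str, str]) -> List[str]:
    """Return the review-worthy observations for one session record."""
    findings = []
    if record["verdict"] != "ALLOWED":
        findings.append(f"verdict={record['verdict']}")
    if record["step up auth result"] == "FAILURE":
        findings.append(f"step-up {record['step up auth type']} failed")
    if record["client firewall"] == "NONE":
        findings.append("client firewall disabled")
    if record["disk encryption"] == "NONE":
        findings.append("disk not encrypted")
    if value_or_none(record, "anti malware agents") is None:
        findings.append("no anti-malware agent reported")
    if value_or_none(record, "posture id") is None:
        findings.append("no posture profile matched")
    return findings


def summarize(text: str) -> Dict[str, List[str]]:
    """Map each flagged session's hostname to its findings; clean sessions are omitted."""
    out: Dict[str, List[str]] = {}
    for rec in parse_v9_records(text):
        findings = posture_findings(rec)
        if findings:
            out[rec["hostname"]] = findings
    return out


if __name__ == "__main__":
    for host, findings in summarize(SAMPLE_LOG).items():
        print(host, "->", "; ".join(findings))
```

Because the field list here is derived from the header row rather than hard-coded by position, a future log version with extra trailing fields shows up as a count mismatch on the first line instead of as quietly mislabelled columns.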
