
About AppProtection Log Fields

The Log Streaming Service can send AppProtection log information to any third-party log analytics tool. By default, the AppProtection log type includes the fields listed in the table below for each log template (i.e., CSV, JSON, TSV). While configuring your log receiver, you can edit the default log stream content to capture only specific fields, and create a Custom log template.

  • {"LogTimestamp": "Fri Sep 16 16:34:18 2022", "Customer": "SafemarchTestUser", "ConnectionID": "cg698XMrXoY9OfjUSURh,EUtFPDqC5AzvQpL+DjAV", "UserID": "testuser@safemarch.com", "AssistantID": "test-key-1650457413478", "ExchangeSequenceIndex": 0, "TimestampRequestReceiveStart": 1663346058860810, "TimestampRequestReceiveHeaderFinish": 1663346058860833, "TimestampRequestReceiveFinish": 1663346058861590, "TimestampRequestTransmitStart": 0, "TimestampRequestTransmitFinish": 0, "TimestampResponseReceiveFinish": 1663346058866909, "TimestampResponseTransmitStart": 0, "TimestampResponseTransmitFinish": 1663346058866941, "TotalTimeRequestReceive": 0, "TotalTimeRequestTransmit": 0, "TotalTimeResponseReceive": 58, "TotalTimeResponseTransmit": 0, "Domain": "safemarch.com", "Method": "GET", "Protocol": "1.1", "ProtocolVersion": "", "ContentType": "", "ContentEncoding": "", "TransferEncoding": "", "Host": "safemarch.com", "Destination": "safemarch.com", "OriginDomain": "", "URL": "/", "UserAgent": "curl/7.68.0", "HTTPError": "success", "ClientPublicIp": "199.168.150.161", "ClientPort": 0, "UpgradeHeaderPresent": 0, "StatusCode": 301, "RequestHdrSize": 42, "ResponseHdrSize": 210, "RequestBodySize": 0, "ResponseBodySize": 0, "Application": 145254438888544148, "ApplicationGroup": 145254438888544129, "InspectionPolicy": 145254438888543730, "InspectionProfile": 145254438888538683, "ParanoiaLevel": 4, "InspectionControlsHitCount": 0, "InspectionRuleProcessingTime": 0, "InspectionReqHeadersProcessingTime": 736, "InspectionReqBodyProcessingTime": 973, "InspectionRespHeadersProcessingTime": 29, "InspectionRespBodyProcessingTime": 2, "CertificateId": 145254438888538207, "DoubleEncryption": 1, "SSLInspection": 1, "TotalBytesProcessed": 0}

The following table includes descriptions and supported field format specifications for each field within the template. To learn more about the format specifications listed for each field, including examples, see Log Field Format Specifications.

| Field | Description | Supported Field Format Specifications |
| --- | --- | --- |
| LogTimestamp | Timestamp when the log was generated | %[OPT]s, %[OPT]j |
| Customer | The customer name | %[OPT]s, %[OPT]j |
| ConnectionID | The application connection ID | %[OPT]s, %[OPT]j |
| UserID | The user ID | %[OPT]s, %[OPT]j |
| AssistantID | The App Connector ID | %[OPT]s, %[OPT]j |
| ExchangeSequenceIndex | HTTP exchange sequence index within the TCP connection | %[OPT]d |
| TimestampRequestReceiveStart | Timestamp in microseconds when the received request was started | %[OPT]d |
| TimestampRequestReceiveHeaderFinish | Timestamp in microseconds when the received request header was finished | %[OPT]d |
| TimestampRequestReceiveFinish | Timestamp in microseconds when the received request was finished | %[OPT]d |
| TimestampRequestTransmitStart | Timestamp in microseconds when the transmitted request was started | %[OPT]d |
| TimestampRequestTransmitFinish | Timestamp in microseconds when the transmitted request was finished | %[OPT]d |
| TimestampResponseReceiveStart | Timestamp in microseconds when the received response was started | %[OPT]d |
| TimestampResponseReceiveFinish | Timestamp in microseconds when the received response was finished | %[OPT]d |
| TimestampResponseTransmitStart | Timestamp in microseconds when the transmitted response was started | %[OPT]d |
| TimestampResponseTransmitFinish | Timestamp in microseconds when the transmitted response was finished | %[OPT]d |
| TotalTimeRequestReceive | Total time taken in microseconds for the request to be received | %[OPT]d |
| TotalTimeRequestTransmit | Total time taken in microseconds for the request to be transmitted | %[OPT]d |
| TotalTimeResponseReceive | Total time taken in microseconds for the response to be received | %[OPT]d |
| TotalTimeResponseTransmit | Total time taken in microseconds for the response to be transmitted | %[OPT]d |
| Domain | The domain or IP address | %[OPT]s, %[OPT]j |
| Method | The HTTP request method | %[OPT]s, %[OPT]j |
| Protocol | The protocol (i.e., 1.0 or 1.1) | %[OPT]s, %[OPT]j |
| ProtocolVersion | The protocol version | %[OPT]s, %[OPT]j |
| ContentType | The content type | %[OPT]s, %[OPT]j |
| ContentEncoding | The value of the content encoding within the HTTP header | %[OPT]s, %[OPT]j |
| TransferEncoding | The value of the transfer encoding within the HTTP header | %[OPT]s, %[OPT]j |
| Host | The host domain or IP address | %[OPT]s, %[OPT]j |
| OriginDomain | The value of the origin header in the cross-origin HTTP header | %[OPT]s, %[OPT]j |
| URL | The URL field within the HTTP header | %[OPT]s, %[OPT]j |
| UserAgent | The user agent string as specified in the HTTP host request header | %[OPT]s, %[OPT]j |
| HTTPError | The HTTP error | %[OPT]s, %[OPT]j |
| ClientPublicIp | The public IP of the client | %[OPT]s, %[OPT]j |
| ClientPort | The port of the client | %[OPT]d |
| UpgradeHeaderPresent | If the upgrade header is present or not | %[OPT]d |
| StatusCode | HTTP status code of the response | %[OPT]d |
| RequestHdrSize | The size of the request header | %[OPT]d |
| ResponseHdrSize | The size of the response header | %[OPT]d |
| RequestBodySize | The size of the request body | %[OPT]d |
| ResponseBodySize | The size of the response body | %[OPT]d |
| Application | The application name | %[OPT]d |
| ApplicationGroup | The application group name | %[OPT]d |
| InspectionPolicy | The AppProtection policy | %[OPT]d |
| InspectionProfile | The AppProtection profile | %[OPT]d |
| ParanoiaLevel | The OWASP Predefined Paranoia Level | %[OPT]d |
| InspectionControlsHitCount | The number of AppProtection control hits | %[OPT]d |
| InspectionRuleProcessingTime | Time in microseconds taken for processing the AppProtection rule | %[OPT]d |
| InspectionReqHeadersProcessingTime | Time in microseconds taken for processing the AppProtection request headers | %[OPT]d |
| InspectionReqBodyProcessingTime | Time in microseconds taken for processing the AppProtection request body | %[OPT]d |
| InspectionRespHeadersProcessingTime | Time in microseconds taken for processing the AppProtection response headers | %[OPT]d |
| InspectionRespBodyProcessingTime | Time in microseconds taken for processing the AppProtection response body | %[OPT]d |
| CertificateId | The certificate ID | %[OPT]d |
| DoubleEncryption | The double encryption status. The expected values for this field are: On, Off | %[OPT]d |
| SSLInspection | If the HTTPS traffic inspected was terminated | %[OPT]d |
| TotalBytesProcessed | The total bytes processed | %[OPT]d |
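
A receiver-side check for JSON-template records, added here as an example (not the vendor's code): it type-checks a subset of the fields above, converts the microsecond timestamps, totals inspection time, and flags numeric IDs too large for double-based JSON parsers. It assumes `%[OPT]d` fields arrive as JSON integers and `%[OPT]s`/`%[OPT]j` fields as strings; `triage`, `SAMPLE`, `HIT` and `BROKEN` are names made up for this example.

```python
import json
from datetime import datetime, timedelta, timezone

# Assumption: %[OPT]d fields arrive as JSON integers, %[OPT]s/%[OPT]j as strings (subset checked).
INSPECTION_TIMES = [f"Inspection{p}ProcessingTime"
                    for p in ("Rule", "ReqHeaders", "ReqBody", "RespHeaders", "RespBody")]
ID_FIELDS = ["Application", "ApplicationGroup", "InspectionPolicy", "InspectionProfile", "CertificateId"]
INT_FIELDS = INSPECTION_TIMES + ID_FIELDS + [
    "StatusCode", "ParanoiaLevel", "InspectionControlsHitCount",
    "TimestampRequestReceiveStart", "TimestampResponseTransmitFinish"]
STR_FIELDS = ["UserID", "Method", "Host", "URL", "ClientPublicIp", "HTTPError"]
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def _is_int(v):
    return isinstance(v, int) and not isinstance(v, bool)

def triage(line):
    """Parse one JSON-template record and return a normalized summary."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError as exc:
        return {"ok": False, "error": f"malformed JSON at column {exc.colno}"}
    if not isinstance(rec, dict):
        return {"ok": False, "error": "malformed JSON: record is not an object"}
    bad = [f for f in INT_FIELDS if f in rec and not _is_int(rec[f])]
    bad += [f for f in STR_FIELDS if f in rec and not isinstance(rec[f], str)]
    num = lambda f: rec[f] if _is_int(rec.get(f)) else 0  # missing or mistyped -> 0
    start, end = num("TimestampRequestReceiveStart"), num("TimestampResponseTransmitFinish")
    return {
        "ok": not bad, "type_errors": sorted(bad),
        # Integer arithmetic keeps microsecond precision; 0 is treated as "not set".
        "received_at": EPOCH + timedelta(microseconds=start) if start else None,
        "exchange_usec": end - start if start and end else None,
        "inspection_usec": sum(num(f) for f in INSPECTION_TIMES),
        "controls_hit": num("InspectionControlsHitCount") > 0,
        # IDs at or above 2**53 can be altered by parsers that read numbers as doubles.
        "wide_ids": [f for f in ID_FIELDS if num(f) >= 2**53],
    }

# Constructed input: a subset of the page's sample record plus two altered copies.
SAMPLE = ('{"UserID": "testuser@safemarch.com", "Method": "GET", "URL": "/", "StatusCode": 301, '
          '"TimestampRequestReceiveStart": 1663346058860810, '
          '"TimestampResponseTransmitFinish": 1663346058866941, "InspectionControlsHitCount": 0, '
          '"InspectionReqHeadersProcessingTime": 736, "InspectionReqBodyProcessingTime": 973, '
          '"InspectionRespHeadersProcessingTime": 29, "InspectionRespBodyProcessingTime": 2, '
          '"Application": 145254438888544148, "ParanoiaLevel": 4}')
HIT = (SAMPLE.replace('"InspectionControlsHitCount": 0', '"InspectionControlsHitCount": 3')
       .replace('"StatusCode": 301', '"StatusCode": "403"'))  # hit count set, status mistyped
BROKEN = SAMPLE.replace('"StatusCode": 301', '"StatusCode", 301')  # comma instead of colon
```

Records that come back with `ok` false are better routed to a quarantine index than dropped, so a template misconfiguration does not silently hide control hits.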