You can view and filter Application Protocol data for past AppProtection-enabled application segment events.

To view diagnostics for Application Protocol data:

1. Go to Logs > Insights > Diagnostics.
2. Under Log Type, choose Application Protocol.

By default, the detailed activity for all application protocols is displayed for events that occurred in the last 24 hours. To change the time range, click the Calendar menu and select a preset range or specify a custom start and end date. If you use a Custom Range, the start date must be within the last 14 days. To change the time zone, click the current Time Zone button.

Zscaler retains logs for rolling periods of at least 14 days during your subscription term. You can also view your logs or stream logs in real time using the Log Streaming Service (LSS). Data in the dashboard might be more recent than the data presented within Diagnostics for the same time range.

See image.

Viewing Logs

Log activity is automatically displayed after selecting the Application Protocol log type.

By default, the table displays the Total number of application protocol requests. You can change this by choosing one of the following filters:

• HTTP: The total number of application protocol logs associated with the application segments where the HTTP protocol traffic was auto-detected and inspected.
• HTTPS: The total number of application protocol logs associated with the application segments where the HTTPS protocol traffic was auto-detected and inspected.
• KRB: The total number of application protocol logs associated with the application segments where the Kerberos protocol traffic was auto-detected and inspected.
• LDAP: The total number of application protocol logs associated with the application segments where the LDAP protocol traffic was auto-detected and inspected.
• SMB: The total number of application protocol logs associated with the application segments where the SMB protocol traffic was auto-detected and inspected.
• TLS: The total number of application protocol logs associated with the application segments where the TLS protocol traffic was auto-detected and inspected.
• Unclassified: The total number of application protocol logs associated with the application segments where the protocol couldn't be classified.

See image.

Filtering Application Protocol Logs

On the Application Protocol page, you can apply filters or drill down further into the log data using the Query Builder. By default, no filters are applied.

To configure filters using the Query Builder:

1. Click Add Filters and select a filter from the drop-down menu:

View query builder filters:

2. Select an operator from the drop-down menu (e.g., Contains, Ends With, Equals, Not Equals, Starts With). The operators available are determined by the filter you are configuring.
3. Select the fields from the drop-down menu or enter the values required for the filter. The field or value required is determined by the filter you are configuring.

Filters using the Contains operator allow a maximum of 7 entries. All filters using operators that require text input must use a semicolon (;) to separate multiple entries (e.g., 137; 138; 139). When configuring multiple text entries and using the Less Than operator, the results show transactions starting from the largest entry provided. When configuring multiple text entries and using the Greater Than operator, the results show transactions starting from the smallest entry provided.

4. Click Apply.

To apply more filters, click Add Filters again or click on the Apply Filter icon () within the table. The filter query section within the page updates automatically to include the proper filter for the field name you selected, along with the applicable operator configuration for that field.

To remove an added filter, click the Close icon then Apply. To remove all filters, click Clear All.

If you have selected filters previously, the Recent Filters icon appears. You can click this icon to repopulate recent filters. You can also click the Copy icon to save the filter query details. If you or another admin access Diagnostics, you can paste the query into the field by clicking the Clipboard icon.

See image.

The table displays the following data for Application Protocol requests:

• App Connection
  • Log Start Time: The date, time, and time zone that the connection started.
  • Log End Time: The date, time, and time zone that the connection was completed.
  • Username: The user who requested the application. This is the NameID in the SAML assertion from the IdP and not the username entered in Zscaler Client Connector.
  • MTunnel Count: The total number of Microtunnels for which the data is captured in specific application protocol logs.
  • Total Request Bytes: The total number of bytes that were requested from the application protocol connection.
  • Total Response Bytes: The total number of bytes that responded to the request from the application protocol connection.
  • Errors: The number of Microtunnels that detected application protocol errors.
  • Connection Status Logs: View, download, and copy the raw JSON for the request:
    • Click the View icon to view details about the connection status log in JSON format.
    • Click the Download icon to download this JSON file.
    • Click the Copy icon to copy the raw JSON text for the request to your clipboard.

  Close
• Protocol
  • Protocol Class: The protocol type associated with the application segment domain and port that logged into Zscaler Client Connector.
  • Traffic Class: Displays Classified if the App Connector identified the protocol. It is displayed as Unclassified if the App Connector is unable to identify the protocol.
  • Transport: Displays the connection as either TCP or UDP transport.
  • Version: The version of the specific protocol for classified traffic.

  Close
• App Connector
  • App Connector Name: The name of the App Connector used to connect the application to the user. You can click on the name to open the Edit App Connector window.
  • App Connector ID: The internal ID (created by Private Applications) for the connection request to the application. You can click the Copy icon to copy the ID to your clipboard.
  • App Connector Group Name: The name of the group the App Connector is included in. You can click on the name to open the Edit App Connector Group window.
  • App Connector Group ID: The internal ID (created by Private Applications) for theApp Connector group. You can click the Copy icon to copy the ID to your clipboard.

  Close
• Application
  • Application: Port & Transport: Application domain of the end user who logged into Zscaler Client Connector.
  • Application Segment: The application segment name as configured in the Admin Portal. You can click on the name to open the Edit Application Segment window, which includes the defined application.
  • Application ID: The ID associated with the application. You can click the Copy icon to copy the ID to your clipboard.
  • App Protection Policy Name: See logs by the name of one or more specific AppProtection policies.
  • App Protection Policy ID: See requests by the ID associated with the AppProtection request.
  • App Protection Profile ID: The ID of the AppProtection profile. You can click the Copy icon to copy the ID to your clipboard.
  • App Protection Profile Name: The name of the AppProtection profile.

  Close

See image.

You can expand each row to see more details or click the Expand/Collapse icon to expand or collapse all rows within the table. By default, the table displays 20 transactions. You can scroll to load more transactions.