icon-unified.svg
Experience Center

NSS Feed Output Format: Session Logs

The Session NSS feed specifies the data from the Session logs that the Nanolog Streaming Service (NSS) sends to the security information and event management (SIEM) system. You can configure an NSS feed by including one or more fields. The fields and their values display in the NSS feed output.

The following tables display information about the Session fields and possible values for those fields.

Date/Time

FieldDescriptionExample
%s{time}The log time (i.e., when the NSS logs a transaction)Tue Nov 12 22:55:48 2024
%s{eventtime}The time and date of the transaction. This excludes the time zone.Tue Nov 12 22:55:48 2024
%s{tz}The time zone. This is the same as the time zone you specified when you configured the NSS feed.GMT
%02d{ss}Second of timestamp (0–59)48
%02d{mm}Minute of timestamp (0–59)55
%02d{hh}Hour of timestamp (0–23)22
%02d{dd}Day of timestamp (1–31)12
%02d{mth}Month of timestamp (1-12)11
%04d{yyyy}Year2024
%s{mon}The name of the monthNov
%s{day}The day of the weekTue

Client Information

Field in LogsDescriptionExample
%s{clt_dst_name}Client destination host nameHostname
%s{oclt_dest_name}Obfuscated client destination host name
%s{clt_src_ip}Client source IPv4 address. For aggregated sessions, this is the client source IP address of the last session in the aggregate.192.0.2.6
%d{clt_src_port}Client source port. For aggregated sessions, this is the client source port of the last session in the aggregate.22
%s{clt_dst_ip}Client destination IPv4 address. For aggregated sessions, this is the client destination IP address of the last session in the aggregate.192.0.2.184
%d{clt_dst_port}Client destination port. For aggregated sessions, this is the client destination port of the last session in the aggregate.80
%s{fwdtypename}Traffic forwarding method used to send the traffic to the firewallL2 tunnel
%s{zapptunname}Zscaler Client Connector tunnel name used to send the traffic to the firewall

Server Information

Field in LogsDescriptionExample
%d{srv_dst_port}Server destination port. For aggregated sessions, this is the server destination port of the last session in the aggregate.443
%d{gw_dst_port}Gateway destination port443
%d{zia_src_port}Internet & SaaS source port443
%s{srv_dst_ip}Server destination IPv4 address. For aggregated sessions, this is the server destination IP address of the last session in the aggregate.203.0.113.199
%s{gw_name}Gateway nameFWD_1
%s{ogw_name}Obfuscated gateway name
%s{gw_dst_ip}Gateway destination IPv4 address203.0.113.1
%s{zia_src_ip}Internet & SaaS source IPv4 address198.51.100.48
%s{srv_src_ip}Server source IPv4 address. For aggregated sessions, this is the server source IP address of the last session in the aggregate.203.0.113.64
%d{srv_src_port}Server source port. For aggregated sessions, this is the server source port of the last session in the aggregate.22
%s{srv_ip_country}Abbreviated code of the country of the server IP addressUSA

Session Information

FieldDescriptionExample
%ld{session_duration}Session duration in milliseconds600000
%d{num_sess}Number of sessions36
%d{num_aggr_sess}Number of sessions that were aggregated5
%s{aggrname}Type of aggregation

Forwarding Control

FieldDescriptionExample
%s{rdrrulename}Name of redirect rule that was applied to the transactionFWD_Rule_1
%s{ordrrulename}Obfuscated redirect rule name
%s{self_rulename}Cloud Connector or Branch Connector self-rule name that was applied to the transactionCONNECTOR_SELF
%s{oself_rulename}Obfuscated Cloud Connector or Branch Connector self rule nameAVG

Transaction Information

FieldDescriptionExample
%ld{clt_tx_bytes}Number of bytes sent from the server to the client10000
%ld{clt_rx_bytes}Number of bytes sent from the client to the server10000
%s{nw_service}The network service that was usedHTTP
%s{traffic_type}Traffic typeINTERNAL
%s{clt_nw_protocol}Client network protocolTCP
%s{srv_nw_protocol}Server network protocolTCP
%s{zia_gw_protocol}Internet & SaaS gateway protocol
%s{zpa_appseg}Private Applications application segmentAny

Cloud & Branch Connector Information

FieldDescriptionExample
%s{name}Cloud Connector or Branch Connector nameCC_304
%s{vm_name}Cloud Connector or Branch Connector virtual machine (VM) namezs-cc-vpc-xxxx
%s{group_name}Cloud Connector or Branch Connector group namezs-cc-vpc-xxxx-us-west-2x
%s{region_name}Cloud Connector or Branch Connector region name(US) West US 2
%s{location}Cloud Connector or Branch Connector locationHeadquarters
%s{platform_name}Cloud Connector or Branch Connector platform nameAzure
%s{platformgeo_name}Cloud Connector or Branch Connector platform geolocation name (availability zone)San Jose, United States
%s{account_id}Amazon Web Services (AWS) account ID, Microsoft Azure subscription ID, or Google Cloud Platform (GCP) project ID
  • 506xxx032xxx (AWS)
  • f60abxxx-bb7d-43xx-84xx-4axxxx7xxxxx (Azure)
  • gcs-xxx-cc-gcp-project (GCP)

Base64 Fields

A SIEM can have parsing issues whenever a string field has nonprintable or delimiter characters. For that reason, the Zscaler service has URL encoding for fields such as clt_dst_name. There are several other fields that have the same parsing issue, but URL encoding is not suitable. Such fields are encoded using Base64.

Turning on Base64 encoding for all supported fields may result in approximately a 20% drop in performance.

The following fields have been added as Base64 fields:

  • b64clt_dst_name
  • b64gw_name
  • b64rdrrulename
  • b64self_rulename

Hex-Encoded Fields

When the Zscaler service send logs to the NSS, it hex encodes all nonprintable ASCII characters that are in URLs. Any URL character that is less than or equal to 0x20, or greater than or equal to 0x7F, is encoded as %HH. This ensures that your SIEM can parse the URLs that contain control characters. For example, a \n character in a URL is encoded as %0A, and a space is encoded as %20.

  • eclt_dst_name
  • egw_name
  • erdrrulename
  • eself_rulename
Related Articles
General Guidelines for NSS Feeds and Feed FormatsNSS Feed Output Format: Session LogsNSS Feed Output Format: DNS LogsNSS Feed Output Format: Event LogsNSS Feed Output Format: Metrics Logs