Experience Center

NSS Feed Output Format: Web Logs

The web Nanolog Streaming Service (NSS) feed specifies the data from the web logs that the NSS sends to the security information and event management (SIEM) system. You can configure an NSS feed by including one or more fields. The fields and their values display in the NSS feed output.

View a sample web log.

"Mon Jun 20 15:29:11 2022","new-gre","HTTP","ebay.com/","Blocked","Ebay","Consumer Apps","72","14061","0","0","Productivity Loss","Shopping and Auctions","Online Shopping","None","None","0","None","None","new-gre","Default Department","172.17.3.49","66.211.175.229","GET","403","curl/7.68.0","None","FwFilter","Firewall_1","Other","None","NA","NA","N/A"

The following tables display information about the web log fields and possible values for those fields.

Fields that support obfuscation are documented in the following tables with the prefix o (e.g., %s{ologin}). To obfuscate a field, manually add the prefix o before the field name in the Feed Output Format in the Admin Portal.

Date/Time

Field	Description	Example
%s{time}	The time and date of the transaction. This excludes the time zone.	Mon Oct 16 22:55:48 2023
%s{tz}	The time zone. This is the same as the time zone you specified when you configured the NSS feed.	GMT
%02d{ss}	Seconds (0–59)	48
%02d{mm}	Minutes (0–59)	55
%02d{hh}	Hours (0–23)	22
%02d{dd}	The day of the month (1–31)	16
%02d{mth}	The month of the year	10
%04d{yyyy}	Year	2023
%s{mon}	The name of the month	Oct
%s{day}	The day of the week	Mon
%d{epochtime}	The epoch time of the transaction	1578128400

User Information

Field	Description	Example
%s{dept}	The department of the user	Sales
%s{login}	The user's login name in email address format	jdoe@safemarch.com
%s{ologin}	The obfuscated version of the user's login name	4094304256
%s{cloudname}	The name of the Zscaler cloud	zscaler.net
%s{company}	The name of the company	Zscaler

Bandwidth Control

Field	Description	Example
%d{throttlereqsize}	The throttled transaction size in the Uplink direction (Upload) in bytes	5
%d{throttlerespsize}	The throttled transaction size in the Downlink direction (Download) in bytes	7
%s{bwthrottle}	Indicates whether the transaction was throttled due to a configured bandwidth policy	Yes
%s{bwclassname}	The name of the bandwidth class	Entertainment, General Surfing, Office Apps The full list is under the Bandwidth Classes field on the Bandwidth Control page.
%s{obwclassname}	The obfuscated version of the name of the bandwidth class	10831489
%s{bwrulename}	The name of the bandwidth rule	Office 365 Any name under the Rule Name column on the Bandwidth Control page.

Cloud Application

Field	Description	Example
%s{appname}	The name of the cloud application	Adobe Connect, Craigslist, Dropbox The full list is under the Cloud Application filter on the Web Insights page. Applications are listed under each category in Cloud App Categories.
%s{appclass}	The web application class of the application that was accessed. Equivalent to `%s{module}`.	Administration, Collaboration, Web Mail The full list is under the Cloud Application Class filter on the Web Insights page.
%s{module}	The web application class of the application that was accessed. Equivalent to `%s{appclass}`.	Administration, Collaboration, Web Mail The full list is under the Cloud Application Class filter on the Web Insights page.
%s{app_risk_score}	The computed or assigned risk index for the cloud application, with 1 being the lowest risk and 5 being the highest. If the risk index is not available, the field displays `None`.	1–5 None
%s{app_status}	The status of the cloud application	Sanctioned Unsanctioned N/A

Data Center

Field	Description	Example
%s{datacenter}	The name of the data center	CA Client Node DC
%s{datacentercity}	The city where the data center is located	Sa
%s{datacentercountry}	The country where the data center is located	US

DLP

Field	Description	Example
%s{dlpdict}	The DLP dictionaries that were matched, if any	Credit Cards\|Gambling\|MRN Numbers The full list is under the Name column on the DLP Dictionaries page.
%s{odlpdict}	The obfuscated version of the DLP dictionaries that were matched, if any	10831489\|2175092224
%s{dlpdicthitcount}	The number of hits for each of the dictionaries that were matched in the transaction. This displays a string field separated by a vertical line ("\|").	4\|5\|1\|2
%s{dlpeng}	The DLP engine that was matched, if any	HIPAA, PCI, Social Security Numbers The full list is under the Name column on the DLP Engines page.
%s{odlpeng}	The obfuscated version of the DLP engine that was matched, if any	4094304256
%d{dlpidentifier}	The unique identifier of the DLP incident	6646484838839025669
%s{dlpmd5}	The MD5 hash of the transaction	154f149b1443fbfa8c121d13e5c019a1
%s{dlprulename}	The name of the DLP rule applied to the transaction. Applies only to Allow rules, not Block. To enable logging for DLP Allowed Rule Name, contact Zscaler Support.	DLP_Rule_1 Any Rule Name with the Allow Action on the Data Loss Prevention page.
%s{odlprulename}	The obfuscated version of the name of the DLP rule that was applied	6857275752
%s{trig_dlprulename}	The name of the DLP rule that triggered a transaction, which can be either allowed or blocked.	DLP_Rule_1
%s{other_dlprulenames}	The names of all the DLP rules that were evaluated and passed, but no action was taken.	[DLP_Rule_4, DLP_Rule_5]
%s{all_dlprulenames}	The names of all DLP rules whether they were triggered or not. This field is a combination of `%s{other_dlprulenames}` and `%s{trig_dlprulename}`.	[DLP_Rule_1, DLP_Rule_4, DLP_Rule_5]

File Type Control

Field	Description	Example
%s{fileclass}	The class of file downloaded during the transaction	Active Web Contents, Archive Files, Audio The full list is under the File Type field on the File Type Control page.
%s{filetype}	The type of file downloaded during the transaction	RAR Files, ZIP, Windows Executables The full list is under the File Type field on the File Type Control page.
%s{filename}	The name of downloaded files during the transaction	nssfeed.txt
%s{filesubtype}	The subtype of the downloaded file (extension name)	rar, exe, ppt Subtypes are in parentheses under the File Types field on the File Type Control page.
%s{upload_fileclass}	The class of file uploaded during the transaction
%s{upload_filetype}	The type of file uploaded during the transaction	RAR Files, ZIP, Windows Executables The full list is under the File Type field on the File Type Control page.
%s{upload_filename}	The name of uploaded files during the transaction	nssfeed.exe
%s{upload_filesubtype}	The subtype of the uploaded file (extension name)	rar, exe, ppt Subtypes are in parentheses under the File Types field on the File Type Control page.
%s{upload_doctypename}	The type of document uploaded or downloaded during the transaction	Corporate Finance Court Form DMV Insurance Legal
%s{unscannabletype}	The unscannable file type: Encrypted or password-protected (e.g., GZIP, PDF) Unscannable (e.g., corrupt archive) Undetectable (unable to determine the file type, based on multiple methods)	Encrypted File Undetectable File Unscannable File

Forwarding Control

Field	Description	Example
%s{rdr_rulename}	The name of the redirect/forwarding policy	FWD_Rule_1 Any name under the Rule Name column on the Forwarding Control page.
%s{ordr_rulename}	The obfuscated version of the name of the redirect/forwarding policy	3399565100
%s{fwd_type}	The type of forwarding method used	Direct Drop Proxy Chaining ZPA
%s{fwd_gw_name}	The name of the gateway defined in a forwarding rule	FWD_1
%s{ofwd_gw_name}	The obfuscated version of the gateway defined in a forwarding rule	8794487099
%s{fwd_gw_ip}	The IP address of the gateway used	10.1.1.1 10.1.1.1-10.1.1.5 10.1.1.0/24
%s{zpa_app_seg_name}	The name of the application segment	test_app_segment
%s{ozpa_app_seg_name}	The obfuscated version of the application segment	7648246731

HTTP Transaction

Field	Description	Example
%d{reqdatasize}	The size of the HTTP request payload, excluding the headers, in bytes	1000
%d{reqhdrsize}	The size of the HTTP request header in bytes	300
%d{reqsize}	The request size in bytes	1300
%d{respdatasize}	The size of the HTTP response payload, excluding the headers, in bytes	10000
%d{resphdrsize}	The size of the HTTP response header in bytes	500
%d{respsize}	The total size of the HTTP response, including the header and payload, in bytes	10500
%d{totalsize}	The total size of the HTTP transaction in bytes. The sum of the total request size and total response size.	11800
%s{reqmethod}	The HTTP request method	invalid, get, connect
%s{reqversion}	The HTTP request version	1.1
%s{respcode}	The HTTP response code sent to the client. The service generates a `403-Forbidden` response for blocked transactions.	100 - Continue 202 - Accepted 305 - Use Proxy 403 - Forbidden 500 - Internal Server Error
%s{respversion}	The HTTP response version	1.0
%s{referer}	The HTTP referer URL	www.google.com
%s{uaclass}	The user agent class	Firefox, Chrome, Safari
%s{ua}	The full user agent string for both known and unknown agents. The user agent string contains browser and system information that the destination server can use to provide appropriate content.	Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0)
%s{ua_token}	The user agent token. This displays `None` if the user agent token doesn't exist.	Google Chrome (0.x) Mozilla (5.0)
%s{host}	The destination hostname. If present, the host value in the HTTP request line populates this field. If the host value in the HTTP request line is not present, the host header is used.	mail.google.com
%s{contenttype}	The name of the content type	application/vnd_apple_keynote image/gif text/x_python The full list is under the Content Type filter on the Web Insights page.
%s{refererhost}	The hostname of the referer URL	www.example.com for http://www.example.com/index.html
%s{url}	The destination URL. It excludes the protocol identifier (e.g., http:// or https://).	www.trythisencodeurl.com/index
%s{df_hostname}	An optional field that contains the TLS connection's Server Name Indication (SNI) in cases that the HTTPS request host header does not match the SNI. TLS Inspection must be enabled for this field to be populated. The field is present in the logs only if there is a mismatch.
%s{df_hosthead}	The field contains HTTP/S transactions that indicate domain fronting due to an FQDN mismatch between the request URL and the request's host header. The field is present in the logs only if there is a mismatch.

Mobile Application

Field	Description	Example
%s{mobappname}	The name of the mobile app, if any	Adobe Reader, Amazon, Dropbox The full list is under the Mobile Application filter on the Mobile Insights page.
%s{mobappcat}	The category of the mobile app, if any	Communication, Education, Games The full list is under the Mobile Application Category filter on the Mobile Insights page.
%s{mobdevtype}	The type of mobile device	iOS, Google Android, Apple iPhone The full list is under the Mobile Device Type filter on the Mobile Insights page.

Network

Field	Description	Example
%s{cip}	The IP address of the user. It can be the internal IP address if it's visible (e.g., traffic sent through a GRE tunnel or an internal IP address indicated using XFF). Otherwise, same as `%s{cintip}`.	192.168.2.200, 2a02:2e0:40c:102:1:2b:10:80, 2001:db8::2:1
%d{ocip}	The obfuscated version of the IP address of the user	6200694987
%s{cpubip}	The client public IP address	198.51.100.100
%d{ocpubip}	The obfuscated version of the client public IP address	0624054738
%s{cintip}	The client's internet (NATed Public) IP address. This is different from the `%s{cip}` value if the internal IP address is visible. Otherwise, it is the same as `%s{cip}`.	203.0.113.5, 2a02:2e0:40c:102:1:2b:10:80, 2001:db8::2:1
%d{clt_sport}	The client source port	12345
%s{srcip_country}	The country associated with the source IP address	Afghanistan
%s{dstip_country}	The country associated with the destination IP address	Portugal
%s{is_src_cntry_risky}	Indicates whether the country associated with the source IP address is risky or not	Yes
%s{is_dst_cntry_risky}	Indicates whether the country associated with the destination IP address is risky or not	No
%s{sip}	The destination server IP address. This displays `0.0.0.0` if the request was blocked.	1.1.1.1, 2a02:2e0:40c:102:1:2b:10:80, 2001:db8::2:1
%d{srv_dport}	The server destination port. To enable logging for Server Destination Port, contact Zscaler Support.	443
%s{proto}	The protocol type of the transaction	HTTP, FTP The full list is under the Protocol filter on the Web Insights page.
%s{alpnprotocol}	The Application-Layer Protocol Negotiation (ALPN) protocol	FTP, SMB The full list is under the ALPN Protocol filter on the Web Insights page.
%s{trafficredirectmethod}	The traffic forwarding method to ZIA Public Service Edges	DNAT (Destination Translation) GRE (GRE Tunnel) IPSEC (IPSec Tunnel) PBF (Policy Based Forwarding) PAC (PAC File) PAC_GRE (PAC File over GRE Tunnel) PAC_IPSEC (PAC File over IPSec Tunnel) Zscaler Client Connector (Zscaler App)
%s{location}	The gateway location or sub-location of the source. To learn more, see About Locations.	Headquarters
%s{userlocationname}	Applicable to the web traffic processed via Isolation. The field shows the actual traffic origination point, whereas the `%s{location}` field displays the Isolation Location. When the web traffic is not handled by Isolation, the field value is `None`.

Policy

Field	Description	Example
%s{rulelabel}	The name of the rule that was applied to the transaction. Applies only to Block rules, not Allow.	URL_Filtering_1, URL_Filtering_2
%s{ruletype}	The type of policy. Applies only to Block rules, not Allow.	File Type Control, Data Loss Prevention, Sandbox
%s{reason}	The action that the service took and the policy that was applied, if the transaction was blocked	Virus/Spyware/Malware Blocked Not allowed to browse this category File Attachment not allowed This page is unsafe (high PageRisk index) Denied due to SSL connection to the server failing or a firewall policy Destination contains potential phishing content File Attachment Cautioned Recipient is a redirect Spam UWL
%s{action}	The action that the service took on the transaction	Allowed, Blocked
%s{urlfilterrulelabel}	The name of the rule that was applied to the URL filter	URL_Filtering_1 Any name under the Rule Name column on the URL & Cloud App Control page.
%s{ourlfilterrulelabel}	The obfuscated version of the name of the rule that was applied to the URL filter	4951704103
%s{apprulelabel}	The name of the rule that was applied to the application	File_Sharing_1 Any name under the Rule Name column on the URL & Cloud App Control page.
%s{oapprulelabel}	The obfuscated version of the name of the rule that was applied to the application	5300295980

Sandbox

Field	Description	Example
%s{bamd5}	The MD5 hash of the malware file that was detected in the transaction, or the MD5 of the file that was sent for analysis to the Sandbox engine	196a3d797bfee07fe4596b69f4ce1141
%s{sha256}	The hash of identical files	81ec78bc8298568bb5ea66d3c2972b670d0f7459b6cdbbcaacce90ab417ab15c

SSL

Field	Description	Example
%s{ssldecrypted}	Indicates whether the transaction was SSL inspected or not	Yes No
%s{externalspr}	The SSL policy reasons	Blocked Inspected N/A Not inspected because of O365 bypass Not inspected because of SSL policy Not inspected because of UCaaS bypass Not inspected because of Zscaler best practices The full list is under the SSL Policy Reason filter on the Web Insights page.
%s{keyprotectiontype}	Indicates whether an HSM Protection or a Software Protection intermediate CA certificate is used for the TLS interception	HSM Protection Software Protection N/A

Client Connection

Field	Description	Example
%s{clientsslcipher}	The negotiated cipher suite for communication between the client and Zscaler	SSL3_CK_RSA_NULL_MD5, SSL3_CK_RSA_NULL_SHA
%s{clienttlsversion}	The TLS version used for communication between the client and Zscaler	SSL2 SSL3 TLS1_1
%s{clientsslsessreuse}	Client cipher reuse information	Unknown No Yes
%s{cltsslfailreason}	The reason for the client SSL handshake failure	Bad Record Mac, Certificate Unknown, Close Notify, etc. The full list is under the Client SSL Handshake Failure Reason filter on the Web Insights page.
%d{cltsslfailcount}	The number of failed client SSL handshake attempts

Server Connection

Field	Description	Example
%s{srvsslcipher}	The negotiated cipher suite for communication between Zscaler and the server	SSL3_CK_RSA_NULL_MD5, SSL3_CK_RSA_NULL_SHA
%s{srvtlsversion}	The TLS/SSL version used for communication between the Internet & SaaS Public Service Edge and the server	SSL2, SSL3, TLS1_1
%s{srvocspresult}	The OCSP result/certificate revocation result	Good Revoked Unknown
%s{srvcertchainvalpass}	The validation of the certificate chain	Unknown Fail Pass
%s{srvwildcardcert}	The server wildcard certificate	Unknown No Yes
%s{serversslsessreuse}	Server cipher reuse information	Unknown No Yes
%s{srvcertvalidationtype}	The validation method of the server certificate	EV (Extended Validation) OV (Organization Validation) DV (Domain Validation)
%s{srvcertvalidityperiod}	The expiration of the server certificate	Short Medium Long
%s{is_ssluntrustedca}	Indicates whether the server certificate is signed by a Zscaler-trusted certificate authority or not	Fail Pass None
%s{is_sslselfsigned}	Indicates whether the certificate presented by the server to the Internet & SaaS Public Service Edge was self-signed	No None Yes
%s{is_sslexpiredca}	Indicates whether the certificate presented by the server is expired or not	No None Yes

Threat Protection

Field	Description	Example
%d{riskscore}	The Page Risk Index score of the destination URL. The service computes risk for each page by weighing several factors, including page locations, reputation of destination, and content that may look suspicious. The range is 0–100, from the lowest to the highest risk.	10
%s{threatseverity}	The severity of the threat that was detected in the transaction, if any. The severity relates to the Page Risk Index score. For example, if the value of `%d{riskscore}` is between `90` and `100`, then the value of `%s{threatseverity}` is `Critical`.	Critical (90–100) High (75–89) Medium (46–74) Low (1–45) None (0)
%s{threatname}	The name of the threat that was detected in the transaction, if any	EICAR Test File
%s{malwarecat}	The category of malware that was detected in the transaction, if any. Also indicates if a file was submitted to the Sandbox engine for analysis and the result of the analysis.	Adware, Benign, Trojan Sandbox Adware, Sandbox Anonymizer, Sandbox Malware The full list is under the Threat Category filter on the Web Insights page. The Threat Category Sent for Analysis is equivalent to “Submitted to Sandbox” in the SIEM output. Additionally, Other Virus is equivalent to "Virus" for backward compatibility.
%s{malwareclass}	The class of malware that was detected in the transaction, if any	Sandbox

URL Categorization

Field	Description	Example
%s{urlclass}	The class of the destination URL	Bandwidth Loss, General Surfing, Privacy Risk URL classes are listed in About URL Categories.
%s{urlsupercat}	The super category of the destination URL	Entertainment/Recreation, Travel, Security URL super categories are listed in About URL Categories.
%s{urlcat}	The category of the destination URL	Entertainment, Adult Themes, Games Spyware Callback URL categories are listed in About URL Categories. Also includes the Advanced Threat Category. The full list is under the Advanced Threat Category filter on the Web Insights page.
%s{ourlcat}	The obfuscated version of the category of the destination URL	7956407282
%s{urlcatmethod}	Refers to the source of the URL's category. To learn more, see Web Insights Logs: Columns.	Database A Database B AI/ML-based content categorization User-Defined None

Zscaler Client Connector Device Information

Field	Description	Example
%s{devicehostname}	The hostname of the device	THINKPADSMITH
%s{odevicehostname}	The obfuscated version of the hostname of the device. This field must be changed manually.	2168890624
%s{devicemodel}	The model of the device	20L8S7WC08
%s{devicename}	The name of the device	PC11NLPA:5F08D97BBF43257A8FB4BBF4061A38AE324EF734
%s{odevicename}	The obfuscated version of the name of the device. This field must be changed manually.	2175092224
%s{devicetype}	The type of device	Zscaler Client Connector
%s{deviceostype}	The OS type of the device	iOS Android OS Windows OS MAC OS Other OS
%s{deviceosversion}	The OS version the device uses	Version 10.14.2 (Build 18C54)
%s{deviceowner}	The owner of the device	jsmith
%s{odeviceowner}	The obfuscated version of the owner of the device. This field must be changed manually.	10831489
%s{deviceappversion}	The app version the device uses	2.0.0.120
%s{ztunnelversion}	The Z-Tunnel version	ZTUNNEL_1_0
%s{external_devid}	The external device ID that associates a user’s device with the mobile device management (MDM) solution	1234
%d{bypassed_traffic}	Indicates whether the traffic bypassed the Zscaler Client Connector or not	1 indicates that the traffic bypassed Zscaler Client Connector 0 indicates that the traffic did not bypass Zscaler Client Connector
%s{bypassed_etime}	The date and time when the traffic bypassed the Zscaler Client Connector	Mon Oct 16 22:55:48 2023
%s{flow_type}	The flow type of the transaction	Direct Loopback VPN VPN Tunnel ZIA ZPA

Miscellaneous

Field	Description	Example
%d{recordid}	The unique record identifier for each log
%s{pcapid}	The path of the packet capture (PCAP) file that captured the transaction. The PCAP ID has the following format: `<Company ID>/<Directory>/<PCAP File Name>`. The company ID is the internal ID of an organization and can be found on the Company Profile page. The directory is the log type. To download the PCAP file, go to the Capture column on the Web Insights Logs page.	43139974/web/663ba8fd30b50001.pcap
%s{productversion}	The current version of the product. Useful for SIEMs whose format requires the product internal version to be sent in the log output.	5.0.902.95524_04
%s{nsssvcip}	The service IP address of the NSS. Useful for syslog-format logs that require the origin host IP address to be specified.	10.10.102.300
%s{eedone}	Indicates if the characters specified in the Feed Escape Character field of the NSS feed configuration page were hex encoded	Yes

b64 Fields

A SIEM can have parsing issues whenever a string field has non-printable or delimiter characters. For that reason, the Zscaler service has URL encoding for URL fields like URL, Referer, and Hostname. There are several other fields that have the same parsing issue, but URL encoding is not suitable. Such fields are encoded using b64.

Turning on b64 encoding for all supported fields may result in approximately a 20% drop in performance.

The following fields have been added as b64 fields:

b64ua
b64filename
b64upload_filename
b64threatname
b64mobappname
b64host
b64url
b64referer
b64login
b64location
b64dept
b64urlcat
b64rulelabel
b64urlfilterrulelabel
b64apprulelabel
b64dlprulename
b64rdr_rulename
b64fwd_gw_name
b64zpa_app_seg_name
b64userlocationname

Hex-Encoded Fields

The Zscaler service hex encodes all non-printable ASCII characters that are in URLs when it sends logs to the NSS. Any URL character that is less than or equal to 0x20, or greater than or equal to 0x7F, is encoded as %HH. This ensures that your SIEM can parse the URLs that contain control characters. For example, a \n character in a URL is encoded as %0A, and a space is encoded as %20.

The following fields have been added as hex-encoded fields:

eua
efilename
eupload_filename
emobappname
ehost
eurl
ereferer
erefererpath
eurlpath
erefererhost
elogin
elocation
edepartment
erulelabel
eurlfilterrulelabel
eapprulelabel
euserlocationname
edevicename
edevicehostname