Viewing Web Logs

The Zscaler service provides real-time log consolidation across the globe, so you can view every transaction performed by your users regardless of where they are in the world. From the web logs, you can see which URLs were requested, page risk for each, and the number of bytes sent and received, among other things.

Interactive reports support UTF-8 characters enabling the display of special characters.

To view web logs, do the following from a web dashboard or report.

  • To immediately view logs for a certain item or segment in a web dashboard or report:
    1. Click that item or segment in a web chart.
    2. Select View Logs.
  • To narrow down the scope of data and drill down to the logs:
    1. Click an item in a web chart.
    2. Select Analyze Chart.
      The chart appears in the Web Insights window where you can apply filters and other settings to get to specific transactions.  
    3. Click Logs from the left pane of the Web Insights window.

The Web Insights window displays the settings on the left pane and logs on the right pane. 

To learn how long Zscaler stores your logs, see How long does Zscaler stores my logs?

  1. Go back to a dashboard or report. 
  2. Go back to the Web Insights window.
  3. View web logs.
  4. Click, after changing the time frame or filters, to list the filtered list of transactions.
  5. Choose a predefined time frame or select Custom to use the calendar and time menus to define your own time frame. Note that you can set the time by hour, minutes, and seconds, if you need a more granular time frame. 
    If you change the time frame, you must always click Apply Filters to list the filtered list of transactions.
  6. Apply filters to narrow down the list or to find transactions, such as those associated with a specific user or URL.
    If you change the filters, you must always click Apply Filters to list the filtered list of transactions.
  7. View the transactions listed in the web log. The right pane lists up to 100 transactions at a time. Scroll down and click LOAD MORE at the bottom of the window to view the next group of up to 100 transactions.
  8. Export the list of transactions to a CSV file. The service exports only the columns that are visible. It exports up to 100,000 lines of data at a time. You can continue to use the service while the export is in progress.
  9. Print the list of transactions.
  10. Customize the logs as follows:
  • Click the icon on the top right of the logs to list the available fields for display. Tick a box to add a column or clear it to remove a column. Alternatively, click Select all or Deselect all to display or remove all columns.
  • Drag a column to another location.
  • Resize a column by positioning the cursor on its border and dragging it to the desired width.

The settings are stored as a web cookie on your computer. They are retained as long as the cookie is not deleted. The following table lists the fields that you can view in the logs: 

  1. View the Weblog time, which appears at the bottom of every window. The Nanolog servers collect the logs of all users worldwide, and then consolidates and correlates them. The Weblog time displays the date and time of the logs that are being processed by the Nanolog servers.

 Screenshot of the Zscaler Web Logs page and tasks

Column Description


The user-agent string that the browser included in its GET request. The user-agent string contains browser and system information that the destination server can use to provide appropriate content.

Bandwidth Class

The bandwidth class to which the URL belongs.

Bandwidth Rule

Specifies the Bandwidth Control policy rule that applies to this URL.

Client IP

The IP address from which the transaction originated. This is the IP address of the client device.

Client External IP

This is the Internet gateway location IP address.

Client Trans. Time (ms)

The sum of the values in the Proxy Latency and Server Time columns. This is the total time, in milliseconds, from when the browser made the first request to the cloud infrastructure and it returned all the content to the browser.

Cloud Application

The specific web application that was accessed.

Cloud Application Class

The specific web application class that was accessed.


The department to which the user belongs. As with the User field, if authentication is not required and the traffic comes from a location specified in the service, this field displays the name of the gateway location.

DLP Dictionaries

Indicates if data leakage was detected by a DLP dictionary.

DLP Engine

Indicates if data leakage was detected by a DLP (Data Loss Prevention) engine.

Event Time

The date and time of the transaction.

File Name

Only applicable to downloaded and uploaded files.


The Internet gateway location from which the transaction originated. If the transaction did not originate from a location that was defined in the service, then it is recorded as coming from a Road Warrior.

Logged Time

The date and time the transaction was logged.


Displays the hash of suspicious files. This is available only if your organization has a Cloud Sandbox subscription.


The item number.

Policy Action

Indicates if the service allowed or blocked the transaction, or cautioned the user about the transaction.

Policy Type

The type of the policy that took action during the transaction.
Following are the policy types that appear in this field:


Improve the visibility of protocols that traverse within Zscaler’s cloud. The following information is shown:

  • HTTP: HTTP protocol
  • FTP: Native FTP protocol
  • FTPOVERHTTP: FTP protocol over HTTP
  • FTPS: FTP protocol over secure HTTP
  • SSL: SSL traffic  not decrypted
  • TUNNEL: Clear text traffic with unknown protocol or non-SSL encrypted traffic

Proxy Latency (ms)

The time, in milliseconds, added to the transaction by the Zscaler Enforcement Node (ZEN).  

Received Bytes

Specifies how many bytes the destination web server returned for each HTTP request.

Referrer URL

The URL from which the HTTP request originated.

Response Code

The destination server’s response. For example, 200 OK means the request succeeded and 404 Not Found means the requested URL was not found.

Request Method

Indicates if the HTTP request was a GET, POST, or CONNECT request. A GET request is a request to retrieve data, a POST request is a request to submit data to be processed, and a CONNECT request converts the request to a transparent tunnel, usually to facilitate HTTPS.

Rule Name

The name of the rule that triggered on the session or aggregated sessions.

Sent Bytes

Specifies the size, in bytes, of the HTTP request that was sent to the destination web server.

Server IP

The IP address of the destination server.

Server Trans. Time (ms)

The time, in milliseconds, it took the destination server to accept the GET request and return all the content to the cloud infrastructure.

Suspicious Content

This field provides the “raw” Page Risk score of a URL. To learn more about the Suspicious Content Protection (Page RiskTM), see About Advanced Threat Protection.

Traffic Forwarding

Type of traffic forwarding mechanism for this session. For aggregated sessions, this is the traffic forwarding type of the last session in the aggregate. To learn more about traffic forwarding, see Best Practices for Traffic Forwarding.

Threat Category

If the service detected a threat in the transaction, it displays the virus or spyware type, if applicable.

Threat Name

If the service detected a threat in the transaction, it displays the name of the threat.

Threat Super Category

If the service detected a threat in the transaction, it displays the Virus and Spyware super category, if applicable.

Throttled request bytes

Specifies how many request bytes were throttled.

Throttled response bytes

Specifies how many response bytes were throttled.

Total Bytes

The sum of the values in the Received Bytes and Sent Bytes columns.


The entire URL of the transaction. Note that opening a single web page typically requires multiple GET requests in order to fetch all the objects of the page. Each GET request is logged as a transaction.

URL Categorization Method

Refers to the source of the URL's category. Database A refers to the proprietary URL database of the service; Database B refers to a third-party vendor’s URL database; Dynamic refers to the dynamic content classification engine that categorizes pages that are not in any of the databases. None indicates that the category was defined by an administrator.

URL Category

The specific URL category to which the URL belongs.

URL Class

The URL class to which the URL belongs.

URL Super Category

The URL super category to which the URL belongs.


The email address of the user who performed the transaction. If an Internet gateway location was specified and authentication is not required, this field displays the name of the gateway location.