Secure Private Access (ZPA)

About Audit Log Fields

The Log Streaming Service can send audit log information to any third-party log analytics tool. By default, the audit log type includes the fields listed in the table below for each log template (i.e., CSV, JSON, TSV). While configuring your log receiver, you can edit the default log stream content to capture only specific fields, and create a Custom log template.

{"modifiedTime": "2020-07-13T20:53:10.000Z","creationTime":"2020-07-13T20:53:10.000Z","modifiedBy":11223344556677889,"requestID":"a12aa12a-1234-aab1-123ab123456a","auditOldValue":"","auditNewValue":"{\"id\":\"98765432100123456\",\"name\":\"app1.test.com\",\"applicationId\":\"12312312312312300\",\"applicationPort\":\"443\",\"applicationProtocol\":\"HTTPS\",\"certificateId\":\"10203040506070809\",\"domain\":\"app1.test.com\",\"enabled\":\"true\",\"hidden\":\"false\",\"path\":\"\\/\",\"portal\":\"false\",\"trustUntrustedCert\":\"true\"}","auditOperationType":"Create","objectType":"Browser Access","objectName":"app1.test.com","objectID":98765432100123456,"customerID":12345678901234567,"modifiedByUser":"zpaadmin@test.com", "clientAuditUpdate":"0"}

The following table includes descriptions and supported field format specifications for each field within the template. To learn more about the format specifications listed for each field, including examples, see Log Field Format Specifications.

Each field is listed below with its description and supported field format specifications.
modifiedTime

Time when an object is created, deleted, or updated.

Supported field format specifications: %[OPT]s, %[OPT]j, %[OPT]J

creationTime

Time when the log was generated.

Supported field format specifications: %[OPT]s, %[OPT]j, %[OPT]J

modifiedBy

The user ID for the admin that made the change.

Supported field format specifications: %[OPT]s, %[OPT]j, %[OPT]J, %[OPT]o

requestID

The ID for the associated configuration change, as related to the action that was made.

Supported field format specifications: %[OPT]s, %[OPT]j, %[OPT]J, %[OPT]o

auditOldValue

The previous value that was changed if the action type is delete, sign out, or update.

If the modified object is policy related, the value depends on the policy type. The expected values for this field are:

  • Allow: the policy type is Access Policy
  • Intercept: the policy type is Bypass Policy
  • Re_Auth: the policy type is Timeout Policy

Supported field format specifications: %[OPT]s, %[OPT]j, %[OPT]J, %[OPT]o

auditNewValue

The new value that was changed if the action type is create, sign in, or update.

If the modified object is policy related, the value depends on the policy type. The expected values for this field are:

  • Allow: the policy type is Access Policy
  • Intercept: the policy type is Bypass Policy
  • Re_Auth: the policy type is Timeout Policy

Supported field format specifications: %[OPT]s, %[OPT]j, %[OPT]J, %[OPT]o

auditOperationType

The action performed.

The expected values for this field are:

  • Create
  • Client Session Revoked
  • Delete
  • Download
  • Sign In
  • Sign In Failure
  • Sign Out
  • Update

Supported field format specifications: %[OPT]s, %[OPT]j, %[OPT]J, %[OPT]o

objectType

The location within the ZPA Admin Portal where the action was performed. This corresponds to the Resource Type in the Audit Log page. To learn more, see About Audit Logs.

The expected values for this field are:

  • Administrator
  • App Connector
  • App Connector Group
  • App Connector Group to App Connector Association
  • App Connector Provisioning Key
  • Application Segment
  • Application Segment to Server Group Association
  • Audit
  • Authentication
  • Authentication Setting
  • Browser Access
  • Certificate
  • Certificate for Zscaler Client Connector Enrollment
  • Client Session
  • Company Logo
  • Constellation Association
  • CORS/SameSite
  • Customer Support URL
  • DNS Search Domain
  • Enrollment Certificate
  • Executive Insights Device
  • Executive Insights User
  • IdP Certificate
  • IdP Configuration
  • Log Receiver
  • Log Zone: (Indicates the log store location for a region. This is only specified during organization account creation and is never modified.)
  • Machine
  • Machine Group
  • Machine Group to Machine Association
  • Machine Provisioning Key
  • Policy
  • Policy to Connector Group Association
  • Policy to Server Group Association
  • Portal Link
  • Posture Profile
  • Role
  • SAML Attribute
  • SCIM Attribute
  • Segment Group
  • Segment Group to Application Segment Association
  • Server
  • Server Group
  • Server Group to Connector Group Association
  • Server Group to Server Association
  • Service Edge
  • Service Edge Group
  • Service Edge Group to Service Edge Association
  • Service Edge Group to Trusted Network Association
  • Service Edge Provisioning Key
  • Trusted Network
  • User Portal
  • User Portal to Portal Link Association

Supported field format specifications: %[OPT]s, %[OPT]j, %[OPT]J, %[OPT]o

objectName

The name of the object. This corresponds to the Resource Name in the Audit Log page. To learn more, see About Audit Logs.

Supported field format specifications: %[OPT]s, %[OPT]j, %[OPT]J, %[OPT]o

objectID

The ID associated with the object name.

Supported field format specifications: %[OPT]s, %[OPT]j, %[OPT]J, %[OPT]o

customerID

The ZPA tenant ID of the customer. To learn more, see Configuring the Company Profile.

Supported field format specifications: %[OPT]s, %[OPT]j, %[OPT]J, %[OPT]o

modifiedByUser

The username of the admin associated with the audit action.

Supported field format specifications: %[OPT]s, %[OPT]j, %[OPT]J, %[OPT]o

clientAuditUpdate

Indicates whether the logs are associated with admin or client credentials. The expected values for this field are 0 and 1.

Supported field format specifications: %[OPT]d
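
An added example, not part of the Zscaler documentation: Python that a log receiver could use to normalize JSON-template audit records, decoding the string-encoded auditOldValue and auditNewValue fields and diffing them so an analyst sees exactly which setting changed. The function names, the REVIEW_OPS selection, and the sample records are assumptions of this example.

```python
import json

# Operation types from the page's list that this example flags (an assumption, not vendor guidance).
REVIEW_OPS = {"Delete", "Download", "Sign In Failure", "Client Session Revoked"}

def decode_value(raw):
    """auditOldValue/auditNewValue: empty, a plain token (Allow, Intercept,
    Re_Auth) or a JSON object serialized as a string inside the record."""
    if not raw:
        return None
    try:
        val = json.loads(raw)
    except (TypeError, ValueError):
        return raw  # plain token or already-decoded value: keep as-is
    return val if isinstance(val, dict) else raw

def diff(old, new):
    """Per-key (old, new) pairs for objects, whole-value pair otherwise."""
    if isinstance(old, dict) and isinstance(new, dict):
        return {k: (old.get(k), new.get(k))
                for k in sorted(old.keys() | new.keys())
                if old.get(k) != new.get(k)}
    return {} if old == new else {"_value": (old, new)}

def normalize(line):
    rec = json.loads(line)
    old = decode_value(rec.get("auditOldValue"))
    new = decode_value(rec.get("auditNewValue"))
    op = rec.get("auditOperationType")
    return {
        "time": rec.get("modifiedTime"), "actor": rec.get("modifiedByUser"),
        "op": op,
        "object": (rec.get("objectType"), rec.get("objectName")),
        # IDs here exceed 2**53; keep them as strings so later tooling stays exact
        "object_id": str(rec.get("objectID")),
        "via_client": str(rec.get("clientAuditUpdate")) == "1",
        "changes": diff(old, new), "review": op in REVIEW_OPS,
    }

# Constructed sample records (not real tenant data) using the page's field names.
_old = {"name": "app1.test.com", "trustUntrustedCert": "false"}
_base = {"modifiedTime": "2020-07-13T20:53:10.000Z", "objectID": 98765432100123456,
         "modifiedByUser": "zpaadmin@test.com", "clientAuditUpdate": "0"}
SAMPLES = [json.dumps(dict(_base, **extra)) for extra in (
    {"auditOperationType": "Update", "objectType": "Browser Access", "objectName": "app1.test.com",
     "auditOldValue": json.dumps(_old), "auditNewValue": json.dumps(dict(_old, trustUntrustedCert="true"))},
    {"auditOperationType": "Update", "objectType": "Policy", "auditOldValue": "Allow", "auditNewValue": "Intercept"},
    {"auditOperationType": "Sign In Failure", "objectType": "Authentication", "auditOldValue": "", "auditNewValue": ""},
)]
```

Calling normalize() on the first sample reports trustUntrustedCert moving from "false" to "true", the kind of single-setting change that is easy to miss when the old and new values are compared as opaque strings.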