Secure Private Access (ZPA)
About User Activity Log Fields
The Log Streaming Service can send User Activity log information to any third-party log analytics tool. By default, the User Activity log type includes the fields listed in the following table for each log template (i.e., CSV, JSON, TSV). While configuring your log receiver, you can edit the default log stream content to capture only specific fields, and create a Custom log template.
Example User Activity log:
{"LogTimestamp": "Fri May 31 17:35:42 2019","Customer": "ANZ Team/zdemo in beta","SessionID": "SqyZIMkg0JTj7EABsvwA","ConnectionID": "SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "ZPA LSS Client","ServicePort": 10011,"ClientPublicIP": "34.209.189.218","ClientPrivateIP": "","ClientLatitude": 45.000000,"ClientLongitude": -119.000000,"ClientCountryCode": "US","ClientZEN": "broker1b.pdx2","Policy": "ANZ Lab Apps_1","Connector": "ZDEMO ANZ Lab-1","ConnectorZEN": "broker1b.pdx2","ConnectorIP": "192.168.1.53","ConnectorPort": 60266,"Host": "192.168.1.57","Application": "ANZ Lab Apps","AppGroup": "ANZ Lab Apps","Server": "0","ServerIP": "192.168.1.57","ServerPort": 10011,"PolicyProcessingTime": 28,"CAProcessingTime": 1330,"ConnectorZENSetupTime": 191017,"ConnectionSetupTime": 192397,"ServerSetupTime": 465,"AppLearnTime": 0,"TimestampConnectionStart": "2019-05-30T08:20:42.230Z","TimestampConnectionEnd": "","TimestampCATx": "2019-05-30T08:20:42.230Z","TimestampCARx": "2019-05-30T08:20:42.231Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "2019-05-30T08:20:42.424Z","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "2019-05-31T17:34:27.348Z","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2019-05-30T08:20:42.422Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "2019-05-30T08:20:42.424Z","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "2019-05-31T17:34:27.348Z","ZENTotalBytesRxClient": 2406926,"ZENBytesRxClient": 7115,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 2406926,"ZENBytesTxConnector": 7115,"Idp": "Example IDP Config", "ClientToClient": "0", "ClientCity": "San Jose", "MicroTenantID": "145257480799129312", "AppMicrotenantID": "145257480799129312", "PRAApprovalID": "15787", "PRACapabilityPolicyID": 
"72057597259256663", "PRAConsoleType": "SSH", "PRACredentialUserName": "SafemarchUser", "PRACredentialLoginType": "Username-Password", "PRACredentialPolicyID": "72057597259256964", "PRAConnectionID": "$b381e220-fb0f-4dc5-9c2a-e3e0fb2e5efb", "PRAErrorStatus": "Upstream Error", "PRAFileTransferList": "{\"file_list\":[{\"name\":\"\\/d546509ab6670f9ff31783ed72875dfc0f37fa2b666bd5870eecaaed2ebea4a8.elf\",\"action\":\"Upload\",\"status\":\"Inspection denied upload\",\"start_ts\":1704225544,\"end_ts\":1704225547,\"inspected\":\"True\",\"file_type\":\"elf\",\"md5\":\"4DDE761681684D7EDAD4E5E1FFDB940B\",\"inspection_verdict\":\"{\\n\\t\\\"code\\\": 200,\\n\\t\\\"message\\\": \\\"response OK\\\",\\n\\t\\\"virusName\\\": \\\"iot.trojan.gafgyt.botnet\\\",\\n\\t\\\"virusType\\\": \\\"Virus\\\",\\n\\t\\\"fileType\\\": \\\"elf\\\",\\n\\t\\\"md5\\\": \\\"4DDE761681684D7EDAD4E5E1FFDB940B\\\",\\n\\t\\\"sandboxSubmission\\\": \\\"Virus\\\"\\n}\",\"inspection_time\":\"less than 1 second\"},{\"name\":\"\\/4ce39251817198bbec7b84782507394e7d68bfe3a79b89be363f0c1e05558ef1.zip\",\"action\":\"Upload\",\"status\":\"Inspection denied upload\",\"start_ts\":1704225552,\"end_ts\":1704225557,\"inspected\":\"True\",\"file_type\":\"zip\",\"md5\":\"F5F7995BACD88A4BCF2D69DF063184AB\",\"inspection_verdict\":\"{\\n\\t\\\"code\\\": 200,\\n\\t\\\"message\\\": \\\"File not submitted to Sandbox\\\",\\n\\t\\\"fileType\\\": \\\"zip\\\",\\n\\t\\\"md5\\\": \\\"F5F7995BACD88A4BCF2D69DF063184AB\\\",\\n\\t\\\"sandboxSubmission\\\": \\\"File not Submitted to Sandbox\\\"\\n}\",\"inspection_time\":\"less than 1 second\"},{\"name\":\"\\/4ce39251817198bbec7b84782507394e7d68bfe3a79b89be363f0c1e05558ef1.xlsx\",\"action\":\"Upload\",\"status\":\"Inspection denied upload\",\"start_ts\":1704225568,\"end_ts\":1704225573,\"inspected\":\"True\",\"file_type\":\"xlsx\",\"md5\":\"FF43FB09E69439FCD3DD8196F5BCE11F\",\"inspection_verdict\":\"{\\n\\t\\\"code\\\": 200,\\n\\t\\\"message\\\": \\\"response OK\\\",\\n\\t\\\"virusName\\\": 
\\\"xls.downloader.qakbot\\\",\\n\\t\\\"virusType\\\": \\\"Sandbox Malware\\\",\\n\\t\\\"fileType\\\": \\\"xlsx\\\",\\n\\t\\\"md5\\\": \\\"FF43FB09E69439FCD3DD8196F5BCE11F\\\",\\n\\t\\\"sandboxSubmission\\\": \\\"Sandbox Malware\\\"\\n}\",\"inspection_time\":\"less than 1 second\"},{\"name\":\"\\/Populate_Existing_Flags_And_Overrides.xlsx\",\"action\":\"Upload\",\"status\":\"Success\",\"start_ts\":1704225591,\"end_ts\":1704225593,\"inspected\":\"True\",\"file_type\":\"xlsx\",\"md5\":\"D1A0596352BE4A1260B0419C7046F8FA\",\"inspection_verdict\":\"{\\n\\t\\\"code\\\": 200,\\n\\t\\\"message\\\": \\\"No active content found. File not suspicious\\\",\\n\\t\\\"fileType\\\": \\\"xlsx\\\",\\n\\t\\\"md5\\\": \\\"D1A0596352BE4A1260B0419C7046F8FA\\\",\\n\\t\\\"sandboxSubmission\\\": \\\"File not Submitted to Sandbox\\\"\\n}\",\"inspection_time\":\"less than 1 second\"}]}", "PRARecordingStatus": "Available", "PRASharedUserList": "{\"shared_user_list\":[{\"name\":\"lisa@zerotrust.to\"}]}", "PRASessionType": "PRA", "PRASharedMode": "control"}
The following table includes descriptions and supported field format specifications for each field within the template. To learn more about the format specifications listed for each field, including examples, see Log Field Format Specifications.
Field | Description | Supported Field Format Specifications |
---|---|---|
AppGroup | The application group name | |
AppLearnTime | Time in microseconds taken for App Connectors to learn about the requested application and report the learned information to the central authority | |
Application | The application name | |
AppMicroTenantID | The Microtenant ID of the application | |
CAProcessingTime | Time in microseconds taken for processing in the central authority | |
ClientCountryCode | The country code of the Zscaler Client Connector location | |
ClientLatitude | The latitude coordinate of the Zscaler Client Connector location | |
ClientLongitude | The longitude coordinate of the Zscaler Client Connector location | |
ClientPrivateIP | The private IP address of the Zscaler Client Connector | |
ClientPublicIP | The public IP address of the Zscaler Client Connector | |
ClientCity | The city of the client | |
ClientToClient | The status of the client-to-client connection | |
ClientZEN | The ZPA Public Service Edge that received the request from the Zscaler Client Connector | |
ConnectionID | The application connection ID | |
ConnectionSetupTime | Time taken by the App Connector to process a notification from the App Connector selection microservice and set up the connection to the application server | |
ConnectionStatus | The status of the connection. The expected values for this field are: | |
Connector | The App Connector name | |
ConnectorIP | The source IP address of the App Connector | |
ConnectorPort | The source port of the App Connector | |
ConnectorZEN | The ZPA Public Service Edge that sent the request from the App Connector | |
ConnectorZENSetupTime | Time in microseconds taken for setting up connection between App Connector and ZPA Public Service Edge | |
Customer | The customer name | |
DoubleEncryption | The double encryption status. The expected values for this field are: | |
Host | The host domain or IP address | |
Idp | The name of the identity provider (IdP) as configured in the ZPA Admin Portal | |
InternalReason | The internal reason for the status of the transaction | |
IPProtocol | The IP protocol number | |
LogTimestamp | Timestamp when the log was generated | |
MicroTenantID | The Microtenant ID of the user accessing the application | |
Policy | The access policy rule name | |
PolicyProcessingTime | Time in microseconds taken for processing the access policy associated with the application | |
PRAApprovalID | The privileged approval ID | |
PRACapabilityPolicyID | The privileged capabilities policy ID | |
PRAConnectionID | The Privileged Remote Access (PRA) connection ID | |
PRAConsoleType | The privileged console type. The expected values for this field are: | |
PRACredentialLoginType | The login type of the privileged credential. The expected values for this field are: | |
PRACredentialPolicyID | The privileged credential policy ID | |
PRACredentialUserName | The name of the user that is logged in to the target privileged console | |
PRAErrorStatus | The PRA session error status, if available | |
PRAFileTransferList | The files transferred during the PRA session | |
PRARecordingStatus | The recording status of the PRA file transfer. The expected values for this field are: | |
PRASessionType | The PRA session type. The expected value is PRA. | |
PRASharedMode | The PRA shared mode. The expected values for this field are: | |
PRASharedUserList | The users that the PRA session was shared with | |
Server | The server ID name. The server ID must be set to zero if dynamic server discovery is enabled. | |
ServerIP | The destination IP address of the server | |
ServerPort | The destination port of the server | |
ServerSetupTime | Time in microseconds taken for setting up connection at server | |
ServicePort | The service port associated with the application request | |
SessionID | The TLS session ID | |
TimestampConnectionStart | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the initial request from Zscaler Client Connector to start the connection | |
TimestampConnectionEnd | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge terminated the connection | |
TimestampCATx | Timestamp in microseconds when the central authority sent request to ZPA Public Service Edge or ZPA Private Service Edge | |
TimestampCARx | Timestamp in microseconds when the central authority received request from ZPA Public Service Edge or ZPA Private Service Edge | |
TimestampAppLearnStart | Timestamp in microseconds when ZPA services start the process to learn about an application | |
TimestampZENFirstRxClient | Timestamp in microseconds when the ZPA Public Service Edge received the first byte from the Zscaler Client Connector | |
TimestampZENFirstTxClient | Timestamp in microseconds when the ZPA Public Service Edge sent the first byte to the Zscaler Client Connector | |
TimestampZENLastRxClient | Timestamp in microseconds when the ZPA Public Service Edge received the last byte from the Zscaler Client Connector | |
TimestampZENLastTxClient | Timestamp in microseconds when the ZPA Public Service Edge sent the last byte to the Zscaler Client Connector | |
TimestampConnectorZENSetupComplete | Timestamp in microseconds when the ZPA Public Service Edge received request from App Connector to set up data connection. The request from the App Connector is triggered by the initial request for a specific application from the Zscaler Client Connector. | |
TimestampZENFirstRxConnector | Timestamp in microseconds when the ZPA Public Service Edge received the first byte from the App Connector | |
TimestampZENFirstTxConnector | Timestamp in microseconds when the ZPA Public Service Edge sent the first byte to the App Connector | |
TimestampZENLastRxConnector | Timestamp in microseconds when the ZPA Public Service Edge received the last byte from the App Connector | |
TimestampZENLastTxConnector | Timestamp in microseconds when the ZPA Public Service Edge sent the last byte to the App Connector | |
Username | The user name as entered into the Zscaler Client Connector | |
ZENBytesRxClient | The additional bytes received from the Zscaler Client Connector since the last transaction log | |
ZENBytesTxClient | The additional bytes transmitted to the Zscaler Client Connector since the last transaction log | |
ZENBytesRxConnector | The additional bytes received from the App Connector since the last transaction log | |
ZENBytesTxConnector | The additional bytes transmitted by the App Connector since the last transaction log | |
ZENTotalBytesRxClient | The total bytes received from the Zscaler Client Connector by the ZPA Public Service Edge | |
ZENTotalBytesTxClient | The total bytes transmitted to the Zscaler Client Connector from the ZPA Public Service Edge | |
ZENTotalBytesRxConnector | The total bytes received from the App Connector by the ZPA Public Service Edge | |
ZENTotalBytesTxConnector | The total bytes transmitted to the App Connector from the ZPA Public Service Edge | |
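In the example log above, `PRAFileTransferList` is a JSON string nested inside the record, and each entry's `inspection_verdict` is a further JSON string inside that, so a log receiver has to decode three levels before the verdict is queryable. The following is an added example (not Zscaler code) of that decoding in Python; the function names, the sample record, and the choice to flag every status other than `Success` are assumptions made for illustration.

```python
import json

def decode_file_transfers(record):
    """Decode PRAFileTransferList (JSON string) and each entry's
    inspection_verdict (a JSON string nested one level deeper)."""
    try:
        entries = json.loads(record.get("PRAFileTransferList") or "{}").get("file_list") or []
    except (json.JSONDecodeError, AttributeError):
        return []  # malformed or unexpected shape: treat as no transfers
    decoded = []
    for entry in entries:
        if not isinstance(entry, dict):
            continue
        entry = dict(entry)
        verdict = entry.get("inspection_verdict")
        if isinstance(verdict, str):
            try:
                verdict = json.loads(verdict)
            except json.JSONDecodeError:
                verdict = None
        entry["inspection_verdict"] = verdict if isinstance(verdict, dict) else {}
        decoded.append(entry)
    return decoded

def flagged_transfers(line):
    """Return one flat row per PRA file transfer that did not succeed."""
    record = json.loads(line)
    return [
        {"user": record.get("Username"), "pra_connection": record.get("PRAConnectionID"),
         "file": e.get("name"), "status": e.get("status"), "md5": e.get("md5"),
         "virus_name": e["inspection_verdict"].get("virusName")}
        for e in decode_file_transfers(record)
        if e.get("status") != "Success"  # assumption: anything else merits review
    ]

def sample_line():
    """Constructed record using the page's field names; all values are made up."""
    files = {"file_list": [
        {"name": "/sample.elf", "action": "Upload", "status": "Inspection denied upload",
         "md5": "0" * 32, "inspection_verdict": json.dumps({"code": 200, "virusName": "constructed.test.name"})},
        {"name": "/report.xlsx", "action": "Upload", "status": "Success",
         "md5": "1" * 32, "inspection_verdict": json.dumps({"code": 200})},
    ]}
    return json.dumps({"Username": "user@example.com", "PRAConnectionID": "constructed-id",
                       "PRAFileTransferList": json.dumps(files)})

if __name__ == "__main__":
    for row in flagged_transfers(sample_line()):
        print(row)
```
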