V12 Log Format
The CSV fields in the header row of the Zero Trust Access flow log.
timestamp,identity email,identity labels,identity type labels,organization id,msp organization id,hostname,transaction ID,private resource id,private resource group id,app connector id,app connector group id,ruleset id,rule id,connection status,connection failure reason,headend type,event type,rxbytes,txbytes,egress ip,egress port,nt group id,zta source port,enforced by,ftd enforcement id,ftd enforcement name
The following table describes each field and the log version in which it was released, up to Version 12. For more information about log versions, see Find Your Log Schema Version.
Field name | Description | Release version
---|---|---
timestamp | The date and time of the ZTA event, expressed as a UTC-formatted string (e.g., 2025-01-16 17:48:41). | v10
identity email | The email address of the Active Directory user. | v10
identity labels | The list of labels for the identity. | v10
identity type labels | The label of the identity type. | v10
organization id | The Secure Access organization ID. For more information, see Find Your Organization ID. | v10
msp organization id | The Secure Access organization ID of the parent managed service provider. | v10
hostname | The hostname of the user device. | v10
transaction id | Universally unique identifier (UUID) of the transaction associated with the event. | v10
private resource id | The ID that Secure Access assigns to the customer-defined private application. | v10
private resource group id | The ID of the private application group, if the matched rule is based on a private application group. | v10
app connector id | The ID of the App Connector. | v10
app connector group id | The group ID of the App Connector. | v10
ruleset id | The ID of the ruleset. | v10
rule id | The ID of the access rule. | v10
connection status | The status of the request to connect to the private resource. Valid values are: Connected, Reset, Terminated, or Unknown. | v10
connection failure reason | The error codes for failed connection requests. | v10
headend type | The type of the headend. Valid values are: CLAP or BAP. | v10
event type | The type of flow event. Valid values are: DNS_FAILURE_CONNECTIVITY, DNS_FAILURE_RESOLUTION, CONN_FAILURE, CONN_SUCCESS, APP_INVALID_DESTINATION, APP_PORT_MISMATCH, APP_PROTOCOL_MISMATCH. | v10
rxbytes | The number of bytes received during the session. | v10
txbytes | The number of bytes transmitted or sent during the session. | v10
egress ip | The egress IP address is not included in the flow logs and appears as empty. However, it can be found in the ZTA logs using the same transaction ID. | v10
egress port | The egress port number of the network where the request originated. | v10
nt group id | The tunnel ID associated with this request. | v10
zta source port | The port number used by the Zero Trust proxy service to connect to an unmanaged device requesting a connection to a private resource. | v10
enforced by | The Secure Access component or service that enforced the policy or control related to this event (e.g., Firewall, Web Proxy). | v12
ftd enforcement id | The unique identifier of the enforcement action taken by a Firepower Threat Defense (FTD) device integrated with Secure Access. | v12
ftd enforcement name | The name or type of enforcement action taken by an FTD device integrated with Secure Access (e.g., Malware Block, URL Category Block). | v12
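
A parser for this layout, added here as an example (it is not Cisco's code): it maps each row onto the V12 column order, checks `connection status` and `event type` against the valid values listed in the table, and collects the transaction IDs of failed flows, which is the key for finding the egress IP in the ZTA logs. The function names, the sample rows and the assumption that rows written under an older schema carry only the first 24 columns are all hypothetical.

```python
import csv
import io

# Column order copied from the V12 header row above.
V12_FIELDS = (
    "timestamp,identity email,identity labels,identity type labels,organization id,"
    "msp organization id,hostname,transaction ID,private resource id,"
    "private resource group id,app connector id,app connector group id,ruleset id,"
    "rule id,connection status,connection failure reason,headend type,event type,"
    "rxbytes,txbytes,egress ip,egress port,nt group id,zta source port,enforced by,"
    "ftd enforcement id,ftd enforcement name"
).split(",")
V10_COUNT = 24  # the last three columns were released in v12
STATUSES = {"Connected", "Reset", "Terminated", "Unknown"}
EVENTS = {"DNS_FAILURE_CONNECTIVITY", "DNS_FAILURE_RESOLUTION", "CONN_FAILURE",
          "CONN_SUCCESS", "APP_INVALID_DESTINATION", "APP_PORT_MISMATCH",
          "APP_PROTOCOL_MISMATCH"}

def parse_flow_log(text):
    """Return a list of (record, problems) for every data row in the CSV text."""
    out = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row == V12_FIELDS:
            continue  # blank line or header row
        problems = []
        if not V10_COUNT <= len(row) <= len(V12_FIELDS):
            problems.append(f"unexpected column count: {len(row)}")
        # Assumption: rows from older schema versions omit the trailing v12 columns.
        rec = dict(zip(V12_FIELDS, row + [""] * (len(V12_FIELDS) - len(row))))
        if rec["connection status"] not in STATUSES:
            problems.append(f"unknown connection status: {rec['connection status']!r}")
        if rec["event type"] not in EVENTS:
            problems.append(f"unknown event type: {rec['event type']!r}")
        for name in ("rxbytes", "txbytes"):
            rec[name] = int(rec[name]) if rec[name].isdigit() else None
        out.append((rec, problems))
    return out

def failed_transactions(parsed):
    """Transaction IDs of well-formed non-success events (the key for the ZTA logs)."""
    return [r["transaction ID"] for r, p in parsed
            if not p and r["event type"] != "CONN_SUCCESS"]

# Constructed sample rows with placeholder IDs (not real log data).
SAMPLE = "\n".join([
    '2025-01-16 17:48:41,a@example.com,"Eng,Remote",AD Users,1,,host-1,tx-1,50,,30,3,20,200,Connected,,CLAP,CONN_SUCCESS,1200,800,,443,7,,Firewall,,',
    '2025-01-16 17:49:02,b@example.com,Sales,AD Users,1,,host-2,tx-2,51,,30,3,20,201,Reset,,BAP,CONN_FAILURE,0,0,,443,7,50123',
    '2025-01-16 17:50:10,c@example.com,Ops,AD Users,1,,host-3,tx-3,52,,30,3,20,202,Unknown,,CLAP,CONN_TIMEOUT,10,0,,443,7,,Firewall,,',
])
```

Rows that come back with a non-empty `problems` list are worth routing to a separate queue, since an unlisted status or event type usually means the schema version has changed.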