V12 Log Format
The CSV fields in the header row of the Zero Trust Access log.
timestamp,identity email,identity labels,identity type labels,hostname,verdict,client os,client browser,client geo location,client ip,ruleset id,rule id,private app group id,private app id,private resource id,private resource group id,step up auth type,step up auth result,step up auth token life,posture id,requested id fqdn,resolved ip,app connector group id,headend type,duo device id,duo device id string,system password,client firewall,disk encryption,anti malware agents,transaction id,block reason,application port,application protocol,tunnel type,secure client version,possible match ruleset id,possible match rule id,possible match posture,source process id,source process name,source process hash,source process user name,organization id,ad joined id,enforced by,ftd enforcement id,ftd enforcement name,mdm source,mdm device id,mdm is managed,mdm is compliant,mdm last updated
The description of each field and the log version in which each field was released, up to Version 12. For more information about log versions, see Find Your Log Schema Version.
| Field name | Description | Release version | ||
|---|---|---|---|---|
| timestamp | The date and time of the ZTA event, expressed as a UTC-formatted string (e.g., 2024-01-16 17:48:41).
|
v9 | ||
| identity email | The email address of the Active Directory user. | v9 | ||
| identity labels | The list of labels for the identity. | v9 | ||
| identity type labels | The label of the identity type. | v9 | ||
| hostname | The hostname of the user device. | v9 | ||
| verdict | Whether the user has access to a resource. | v9 | ||
| client os | The operating system of the user device. | v9 | ||
| client browser | The name of the browser on the user device. | v9 | ||
| client geo location | The regional location of the user device. | v9 | ||
| client ip | The IP address of the user device. | v9 | ||
| ruleset id | The ID of the ruleset. | v9 | ||
| rule id | The ID of the access rule. | v9 | ||
| private app group id | The ID of the private application group. | v9 | ||
| private app id | The ID of the private application. | v9 | ||
| private resource id | The ID that Secure Access assigns to the customer-defined private application. | v9 | ||
| private resource group id | The ID if the rule matched is based on the private application group. | v9 | ||
| step up auth type | The type of authentication. Valid values are: SAML_SSO, MFA, or NONE. |
v9 | ||
| step up auth result | The result of the authentication. Valid values are: SUCCESS or FAILURE. |
v9 | ||
| step up auth token life | The time in seconds between when you generated the token and used the token. | v9 | ||
| posture id | ID of the matching posture profile. | v9 | ||
| requested id fqdn | The IP or FQDN of the requested application. | v9 | ||
| resolved ip | The IP of the application returned by the proxy. | v9 | ||
| app connector group id | The group ID of the App Connector. | v9 | ||
| headend type | The type of the headend. Valid values are: CLAP or BAP. |
v9 | ||
| duo device id | The ID of the Duo App on the device. | v9 | ||
| duo device id string | The ID label of the Duo App on the device. | v9 | ||
| system password | Whether the system password is enabled with its timeout in seconds. | v9 | ||
| client firewall | The client system firewall. Valid values are SYS or NONE. |
v9 | ||
| disk encryption | The client Disk Encryption Type. Valid values are: SYS, NONE or THIRD PARTY. |
v9 | ||
| anti malware agents | The clients' anti malware agents. | v9 | ||
| transaction id | Unique transaction ID generated by the Secure Client. | v10 | ||
| block reason | The reason for the transaction being blocked. (e.g., Android OS not allowed) |
v10 | ||
| application port | The port of the destination application. | v10 | ||
| application protocol | The type of protocol used for transactions. (e.g., TCP) |
v10 | ||
| tunnel type | The type of tunnel used to connect to the ZTA proxy. Valid values are: HTTP2, HTTP3
|
v10 | ||
| secure client version | The version of the Cisco Secure Client on the endpoint device accessing a private resource. | v10 | ||
| possible match ruleset id | For a block event, the ID of the ruleset that could have allowed the transaction if not for the block reason. | v10 | ||
| possible match rule id | For a block event, the ID of the rule within the ruleset that could have allowed the transaction if not for the block reason. | v10 | ||
| possible match posture | For a block event, the posture that could have allowed the transaction if not for the block reason. | v10 | ||
| source process id | The ID of the source process that initiated the transaction from the client side. | v10 | ||
| source process name | The name of the source process that initiated the transaction from the client side (e.g., chrome.exe). |
v10 | ||
| source process hash | The hash of the source process that initiated the transaction from the client side. | v10 | ||
| source process user name | The user name associated with the source process that initiated the transaction from the client side. | v10 | ||
| organization id | The Secure Access organization ID. For more information, see Find Your Organization ID. | v10 | ||
| ad joined id | ID of the device if it is joined to an Active Directory domain. | v10 | ||
| enforced by |
The Secure Access component or service that enforced the policy or control related to this event (e.g., Firewall, Web Proxy). |
v12 | ||
| ftd enforcement id | The unique identifier of the enforcement action taken by a Firepower Threat Defense (FTD) device integrated with Secure Access. | v12 | ||
| ftd enforcement name | The name or type of enforcement action taken by a Cisco Secure Firewall Threat Defense device that is integrated with Secure Access, for example, Malware Block and URL Category Block. | v12 | ||
| mdm source | The specific Mobile Device Manager (MDM) platform integrated with Secure Access providing device management and compliance information (e.g. Cisco Meraki Systems Manager) | v12 | ||
| mdm device id | The unique identifier assigned to the device by the integrated MDM platform, enabling Secure Access to track and manage the device's access privileges. | v12 | ||
| mdm is managed | Indicates whether the device is currently under active management by the integrated MDM platform: TRUE or FALSE
|
v12 | ||
| mdm is compliant | Indicates whether the device meets the compliance policies defined within the integrated MDM platform: TRUE or FALSE
|
v12 | ||
| mdm last updated | The date and time that Secure Access last received updated device information from the integrated MDM platform. | v12 |
