Zero Trust Network Session Logs
The descriptions below detail the fields available for zero_trust_network_sessions.
| Field | Value | Type |
|---|---|---|
| AccountID | Cloudflare account ID. | string |
| BytesReceived | The number of bytes sent from the origin to the client during the network session. | int |
| BytesSent | The number of bytes sent from the client to the origin during the network session. | int |
| ClientTCPHandshakeDurationMs | Duration of handshaking the TCP connection between the client and Cloudflare in milliseconds. | int |
| ClientTLSCipher | TLS cipher suite used in the connection between the client and Cloudflare. | string |
| ClientTLSHandshakeDurationMs | Duration of handshaking the TLS connection between the client and Cloudflare in milliseconds. | int |
| ClientTLSVersion | TLS protocol version used in the connection between the client and Cloudflare. | string |
| ConnectionCloseReason | The reason for closing the connection, only applicable for TCP. Possible values are CLIENT_CLOSED | CLIENT_IDLE_TIMEOUT | CLIENT_TLS_ERROR | CLIENT_ERROR | ORIGIN_CLOSED | ORIGIN_TLS_ERROR | ORIGIN_ERROR | ORIGIN_UNREACHABLE | PROXY_CONN_REFUSED | UNKNOWN | MISMATCHED_IP_VERSIONS. | string |
| ConnectionReuse | Whether the TCP connection was reused for multiple HTTP requests. | bool |
| DestinationTunnelID | Identifier of the Cloudflare One connector to which the network session was routed to, if any, such as Cloudflare Tunnel or WARP device. | string |
| DetectedProtocol | Detected traffic protocol of the network session. | string |
| DeviceID | Identifier of the client device which initiated the network session, if applicable, (for example, WARP Device ID). | string |
| DeviceName | Name of the client device which initiated the network session, if applicable, (for example, WARP Device ID). | string |
| EgressColoName | The name of the Cloudflare colo from which traffic egressed to the origin. | string |
| EgressIP | Source IP used when egressing traffic from Cloudflare to the origin. | string |
| EgressPort | Source port used when egressing traffic from Cloudflare to the origin. | int |
| EgressRuleID | Identifier of the egress rule that was applied by the Secure Web Gateway, if any. | string |
| EgressRuleName | The name of the egress rule that was applied by the Secure Web Gateway, if any. | string |
| Email address associated with the user identity which initiated the network session. | string | |
| IngressColoName | The name of the Cloudflare colo to which traffic ingressed. | string |
| Offramp | The type of destination to which the network session was routed. Possible values are INTERNET | MAGIC | CFD_TUNNEL | WARP. | string |
| OriginIP | The IP of the destination (“origin”) for the network session. | string |
| OriginPort | The port of the destination origin for the network session. | int |
| OriginTLSCertificateIssuer | The issuer of the origin TLS certificate. | string |
| OriginTLSCertificateValidationResult | The result of validating the TLS certificate of the origin. Possible values are VALID | EXPIRED | REVOKED | HOSTNAME_MISMATCH | NONE | UNKNOWN. | string |
| OriginTLSCipher | TLS cipher suite used in the connection between Cloudflare and the origin. | string |
| OriginTLSHandshakeDurationMs | Duration of handshaking the TLS connection between Cloudflare and the origin in milliseconds. | int |
| OriginTLSVersion | TLS protocol version used in the connection between Cloudflare and the origin. | string |
| Protocol | Network protocol used for this network session. Possible values are TCP | UDP | ICMP | ICMPV6. | string |
| RuleEvaluationDurationMs | The duration taken by Secure Web Gateway applying applicable Network, HTTP, and Egress rules to the network session in milliseconds. | int |
| SessionEndTime | The network session end timestamp with nanosecond precision. | int or string |
| SessionID | The identifier of this network session. | string |
| SessionStartTime | The network session start timestamp with nanosecond precision. | int or string |
| SourceIP | Source IP of the network session. | string |
| SourceInternalIP | Local LAN IP of the device. Only available when connected via a GRE/IPsec tunnel on-ramp. | string |
| SourcePort | Source port of the network session. | int |
| UserID | User identity where the network session originated from. Only applicable for WARP device clients. | string |
| VirtualNetworkID | Identifier of the virtual network configured for the client. | string |