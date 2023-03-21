Zero Trust Network Session Logs
The descriptions below detail the fields available for
zero_trust_network_sessions.
|Field
|Value
|Type
|AccountID
|Cloudflare account ID.
|string
|BytesReceived
|The number of bytes sent from the origin to the client during the network session.
|int
|BytesSent
|The number of bytes sent from the client to the origin during the network session.
|int
|ClientTCPHandshakeDurationMs
|Duration of handshaking the TCP connection between the client and Cloudflare in milliseconds.
|int
|ClientTLSCipher
|TLS cipher suite used in the connection between the client and Cloudflare.
|string
|ClientTLSHandshakeDurationMs
|Duration of handshaking the TLS connection between the client and Cloudflare in milliseconds.
|int
|ClientTLSVersion
|TLS protocol version used in the connection between the client and Cloudflare.
|string
|ConnectionCloseReason
|The reason for closing the connection, only applicable for TCP.
Possible values are clientClosed | originClosed | timeout | clientTcpError | clientTlsError | originTcpError | originTlsError.
|string
|ConnectionReuse
|Whether the TCP connection was reused for multiple HTTP requests.
|bool
|DestinationTunnelID
|Identifier of the Cloudflare One connector to which the network session was routed to, if any, such as Cloudflare Tunnel or WARP device.
|string
|DeviceID
|Identifier of the client device which initiated the network session, if applicable, (for example, WARP Device ID).
|string
|DeviceName
|Name of the client device which initiated the network session, if applicable, (for example, WARP Device ID).
|string
|EgressColoName
|The name of the Cloudflare colo from which traffic egressed to the origin.
|string
|EgressIP
|Source IP used when egressing traffic from Cloudflare to the origin.
|string
|EgressPort
|Source port used when egressing traffic from Cloudflare to the origin.
|int
|EgressRuleID
|Identifier of the egress rule that was applied by the Secure Web Gateway, if any.
|string
|EgressRuleName
|The name of the egress rule that was applied by the Secure Web Gateway, if any.
|string
|Email address associated with the user identity which initiated the network session.
|string
|IngressColoName
|The name of the Cloudflare colo to which traffic ingressed.
|string
|InternalSourceIP
|The virtual source IP used within Cloudflare systems (for example, the WARP virtual IP address).
|string
|Offramp
|The type of destination to which the network session was routed.
Possible values are internet | magic | cfd_tunnel | WARP.
|string
|OriginIP
|The IP of the destination (“origin”) for the network session.
|string
|OriginPort
|The port of the destination origin for the network session.
|int
|OriginTLSCertificateIssuer
|The issuer of the origin TLS certificate.
|string
|OriginTLSCertificateValidationResult
|The result of validating the TLS certificate of the origin.
Possible values are valid | expired | revoked | hostnameMismatch.
|string
|OriginTLSCipher
|TLS cipher suite used in the connection between Cloudflare and the origin.
|string
|OriginTLSHandshakeDurationMs
|Duration of handshaking the TLS connection between Cloudflare and the origin in milliseconds.
|int
|OriginTLSVersion
|TLS protocol version used in the connection between Cloudflare and the origin.
|string
|Protocol
|Network protocol used for this network session.
Possible values are tcp | udp | icmp | icmpv6.
|string
|RuleEvaluationDurationMs
|The duration taken by Secure Web Gateway applying applicable Network, HTTP, and Egress rules to the network session in milliseconds.
|int
|SessionEndTime
|The network session end timestamp with nanosecond precision.
|int or string
|SessionID
|The identifier of this network session.
|string
|SessionStartTime
|The network session start timestamp with nanosecond precision.
|int or string
|SourceIP
|Source IP of the network session.
|string
|SourcePort
|Source port of the network session.
|int
|UserID
|User identity where the network session originated from. Only applicable for WARP device clients.
|string
|VirtualNetworkID
|Identifier of the virtual network configured for the client.
|string