Cloudflare Docs
Logs
Cloudflare Docs
Logs
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)
  1. Products
  2. Logs
  3. ...
  4. ...
  5. Account-scoped datasets
  6. Zero Trust Network Session Logs

Zero Trust Network Session Logs

The descriptions below detail the fields available for zero_trust_network_sessions.

​​ AccountID

Type: string

Cloudflare account ID.

​​ BytesReceived

Type: int

The number of bytes sent from the origin to the client during the network session.

​​ BytesSent

Type: int

The number of bytes sent from the client to the origin during the network session.

​​ ClientTCPHandshakeDurationMs

Type: int

Duration of handshaking the TCP connection between the client and Cloudflare in milliseconds.

​​ ClientTLSCipher

Type: string

TLS cipher suite used in the connection between the client and Cloudflare.

​​ ClientTLSHandshakeDurationMs

Type: int

Duration of handshaking the TLS connection between the client and Cloudflare in milliseconds.

​​ ClientTLSVersion

Type: string

TLS protocol version used in the connection between the client and Cloudflare.

​​ ConnectionCloseReason

Type: string

The reason for closing the connection, only applicable for TCP.
Possible values are CLIENT_CLOSED | CLIENT_IDLE_TIMEOUT | CLIENT_TLS_ERROR | CLIENT_ERROR | ORIGIN_CLOSED | ORIGIN_TLS_ERROR | ORIGIN_ERROR | ORIGIN_UNREACHABLE | PROXY_CONN_REFUSED | UNKNOWN | MISMATCHED_IP_VERSIONS.

​​ ConnectionReuse

Type: bool

Whether the TCP connection was reused for multiple HTTP requests.

​​ DestinationTunnelID

Type: string

Identifier of the Cloudflare One connector to which the network session was routed to, if any, such as Cloudflare Tunnel or WARP device.

​​ DetectedProtocol

Type: string

Detected traffic protocol of the network session.

​​ DeviceID

Type: string

Identifier of the client device which initiated the network session, if applicable, (for example, WARP Device ID).

​​ DeviceName

Type: string

Name of the client device which initiated the network session, if applicable, (for example, WARP Device ID).

​​ EgressColoName

Type: string

The name of the Cloudflare colo from which traffic egressed to the origin.

​​ EgressIP

Type: string

Source IP used when egressing traffic from Cloudflare to the origin.

​​ EgressPort

Type: int

Source port used when egressing traffic from Cloudflare to the origin.

​​ EgressRuleID

Type: string

Identifier of the egress rule that was applied by the Secure Web Gateway, if any.

​​ EgressRuleName

Type: string

The name of the egress rule that was applied by the Secure Web Gateway, if any.

​​ Email

Type: string

Email address associated with the user identity which initiated the network session.

​​ IngressColoName

Type: string

The name of the Cloudflare colo to which traffic ingressed.

​​ Offramp

Type: string

The type of destination to which the network session was routed.
Possible values are INTERNET | MAGIC | CFD_TUNNEL | WARP.

​​ OriginIP

Type: string

The IP of the destination (“origin”) for the network session.

​​ OriginPort

Type: int

The port of the destination origin for the network session.

​​ OriginTLSCertificateIssuer

Type: string

The issuer of the origin TLS certificate.

​​ OriginTLSCertificateValidationResult

Type: string

The result of validating the TLS certificate of the origin.
Possible values are VALID | EXPIRED | REVOKED | HOSTNAME_MISMATCH | NONE | UNKNOWN.

​​ OriginTLSCipher

Type: string

TLS cipher suite used in the connection between Cloudflare and the origin.

​​ OriginTLSHandshakeDurationMs

Type: int

Duration of handshaking the TLS connection between Cloudflare and the origin in milliseconds.

​​ OriginTLSVersion

Type: string

TLS protocol version used in the connection between Cloudflare and the origin.

​​ Protocol

Type: string

Network protocol used for this network session.
Possible values are TCP | UDP | ICMP | ICMPV6.

​​ RuleEvaluationDurationMs

Type: int

The duration taken by Secure Web Gateway applying applicable Network, HTTP, and Egress rules to the network session in milliseconds.

​​ SessionEndTime

Type: int or string

The network session end timestamp with nanosecond precision.

​​ SessionID

Type: string

The identifier of this network session.

​​ SessionStartTime

Type: int or string

The network session start timestamp with nanosecond precision.

​​ SourceIP

Type: string

Source IP of the network session.

​​ SourceInternalIP

Type: string

Local LAN IP of the device. Only available when connected via a GRE/IPsec tunnel on-ramp.

​​ SourcePort

Type: int

Source port of the network session.

​​ UserID

Type: string

User identity where the network session originated from. Only applicable for WARP device clients.

​​ VirtualNetworkID

Type: string

Identifier of the virtual network configured for the client.