Zero Trust Network Session Logs
The descriptions below detail the fields available for zero_trust_network_sessions
.
Field | Value | Type |
---|---|---|
AccountID | Cloudflare account ID. | string |
BytesReceived | The number of bytes sent from the origin to the client during the network session. | int |
BytesSent | The number of bytes sent from the client to the origin during the network session. | int |
ClientTCPHandshakeDurationMs | Duration of handshaking the TCP connection between the client and Cloudflare in milliseconds. | int |
ClientTLSCipher | TLS cipher suite used in the connection between the client and Cloudflare. | string |
ClientTLSHandshakeDurationMs | Duration of handshaking the TLS connection between the client and Cloudflare in milliseconds. | int |
ClientTLSVersion | TLS protocol version used in the connection between the client and Cloudflare. | string |
ConnectionCloseReason | The reason for closing the connection, only applicable for TCP. Possible values are CLIENT_CLOSED | CLIENT_IDLE_TIMEOUT | CLIENT_TLS_ERROR | CLIENT_ERROR | ORIGIN_CLOSED | ORIGIN_TLS_ERROR | ORIGIN_ERROR | ORIGIN_UNREACHABLE | PROXY_CONN_REFUSED | UNKNOWN | MISMATCHED_IP_VERSIONS. | string |
ConnectionReuse | Whether the TCP connection was reused for multiple HTTP requests. | bool |
DestinationTunnelID | Identifier of the Cloudflare One connector to which the network session was routed to, if any, such as Cloudflare Tunnel or WARP device. | string |
DetectedProtocol | Detected traffic protocol of the network session. | string |
DeviceID | Identifier of the client device which initiated the network session, if applicable, (for example, WARP Device ID). | string |
DeviceName | Name of the client device which initiated the network session, if applicable, (for example, WARP Device ID). | string |
EgressColoName | The name of the Cloudflare colo from which traffic egressed to the origin. | string |
EgressIP | Source IP used when egressing traffic from Cloudflare to the origin. | string |
EgressPort | Source port used when egressing traffic from Cloudflare to the origin. | int |
EgressRuleID | Identifier of the egress rule that was applied by the Secure Web Gateway, if any. | string |
EgressRuleName | The name of the egress rule that was applied by the Secure Web Gateway, if any. | string |
Email address associated with the user identity which initiated the network session. | string | |
IngressColoName | The name of the Cloudflare colo to which traffic ingressed. | string |
Offramp | The type of destination to which the network session was routed. Possible values are INTERNET | MAGIC | CFD_TUNNEL | WARP. | string |
OriginIP | The IP of the destination (“origin”) for the network session. | string |
OriginPort | The port of the destination origin for the network session. | int |
OriginTLSCertificateIssuer | The issuer of the origin TLS certificate. | string |
OriginTLSCertificateValidationResult | The result of validating the TLS certificate of the origin. Possible values are VALID | EXPIRED | REVOKED | HOSTNAME_MISMATCH | NONE | UNKNOWN. | string |
OriginTLSCipher | TLS cipher suite used in the connection between Cloudflare and the origin. | string |
OriginTLSHandshakeDurationMs | Duration of handshaking the TLS connection between Cloudflare and the origin in milliseconds. | int |
OriginTLSVersion | TLS protocol version used in the connection between Cloudflare and the origin. | string |
Protocol | Network protocol used for this network session. Possible values are TCP | UDP | ICMP | ICMPV6. | string |
RuleEvaluationDurationMs | The duration taken by Secure Web Gateway applying applicable Network, HTTP, and Egress rules to the network session in milliseconds. | int |
SessionEndTime | The network session end timestamp with nanosecond precision. | int or string |
SessionID | The identifier of this network session. | string |
SessionStartTime | The network session start timestamp with nanosecond precision. | int or string |
SourceIP | Source IP of the network session. | string |
SourceInternalIP | Local LAN IP of the device. Only available when connected via a GRE/IPsec tunnel on-ramp. | string |
SourcePort | Source port of the network session. | int |
UserID | User identity where the network session originated from. Only applicable for WARP device clients. | string |
VirtualNetworkID | Identifier of the virtual network configured for the client. | string |