vpn.zscaler
Introduction
The tags beginning with vpn.zscaler identify events generated by Zscaler Client Connector.
Tag structure
The full tag must have three levels. The first two are fixed as vpn.zscaler. The third level identifies the type of events sent.
Technology | Brand | Type |
---|---|---|
vpn | zscaler |
|
These are the valid tags and corresponding data tables that will receive the parsers' data:
Tag | Data table |
---|---|
vpn.zscaler.access | vpn.zscaler.access |
vpn.zscaler.activity | vpn.zscaler.activity |
vpn.zscaler.status_user | vpn.zscaler.status_user |
vpn.zscaler.status_connector | vpn.zscaler.status_connector |
vpn.zscaler.audit | vpn.zscaler.audit |
Log samples
The following are sample logs sent to each of the vpn.zscaler tags. Find how the information will be parsed in your data table under each sample log.
Extra columns
Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.
vpn.zscaler.access
2020 - 05 - 21 17 : 01 : 42.542 localhost= 127.0 . 0.1 vpn.zscaler.access: { "LogTimestamp" : "Wed Jul 3 05:12:25 2019" , "ConnectionID" : "" , "Exporter" : "unset" , "TimestampRequestReceiveStart" : "2019-07-03T05:12:25.723Z" , "TimestampRequestReceiveHeaderFinish" : "2019-07-03T05:12:25.723Z" , "TimestampRequestReceiveFinish" : "2019-07-03T05:12:25.723Z" , "TimestampRequestTransmitStart" : "2019-07-03T05:12:25.790Z" , "TimestampRequestTransmitFinish" : "2019-07-03T05:12:25.790Z" , "TimestampResponseReceiveStart" : "2019-07-03T05:12:25.791Z" , "TimestampResponseReceiveFinish" : "2019-07-03T05:12:25.791Z" , "TimestampResponseTransmitStart" : "2019-07-03T05:12:25.791Z" , "TimestampResponseTransmitFinish" : "2019-07-03T05:12:25.791Z" , "TotalTimeRequestReceive" : 127 , "TotalTimeRequestTransmit" : 21 , "TotalTimeResponseReceive" : 73 , "TotalTimeResponseTransmit" : 13 , "TotalTimeConnectionSetup" : 66995 , "TotalTimeServerResponse" : 1349 , "Method" : "GET" , "Protocol" : "HTTPS" , "Host" : "srv-15.webster.com" , "URL" : "/bin/create/factor.txt-18.0.99-82-gd7ba322-dirty/opt/plan/floor.pptx-Regular.762cbf85.woff" , "UserAgent" : "audrey04" , "XFF" : "" , "NameID" : "john93@desktop-33.white.com" , "StatusCode" : 304 , "RequestSize" : 615 , "ResponseSize" : 331 , "ApplicationPort" : 443 , "ClientPublicIp" : "135.197.83.248" , "ClientPublicPort" : 50042 , "ClientPrivateIp" : "" , "Customer" : "ANZ Team/dev/argue/namibia/warrenlane/who/hair/rich.mp3 in beta" , "ConnectionStatus" : "" , "ConnectionReason" : "" } |
And this is how the log would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate |
|
| |
hostname |
|
|
|
LogTimestamp |
|
|
|
ConnectionID |
|
| |
Exporter |
|
| |
TimestampRequestReceiveStart |
|
|
|
TimestampRequestReceiveHeaderFinish |
|
| |
TimestampRequestReceiveFinish |
|
| |
TimestampRequestTransmitStart |
|
| |
TimestampRequestTransmitFinish |
|
|
|
TimestampResponseReceiveStart |
|
| |
TimestampResponseReceiveFinish |
|
|
|
TimestampResponseTransmitStart |
|
| |
TimestampResponseTransmitFinish |
|
| |
TotalTimeRequestReceive |
|
| |
TotalTimeRequestTransmit |
|
| |
TotalTimeResponseReceive |
|
| |
TotalTimeResponseTransmit |
|
| |
TotalTimeConnectionSetup |
|
|
|
TotalTimeServerResponse |
|
| |
Method |
|
| |
Protocol |
|
| |
Host |
|
|
|
URL |
|
| |
UserAgent |
|
| |
XFF |
|
| |
NameID |
|
| |
StatusCode |
|
| |
RequestSize |
|
| |
ResponseSize |
|
| |
ApplicationPort |
|
| |
ClientPublicIp |
|
| |
ClientPublicPort |
|
| |
ClientPrivateIp |
|
| |
Customer |
|
| |
ConnectionStatus |
|
| |
ConnectionReason |
|
| |
hostchain |
|
| ✓ |
tag |
|
| ✓ |
raw |
|
| ✓ |
rawMessage |
|
| ✓ |
vpn.zscaler.activity
2020 - 05 - 21 16 : 58 : 13.248 localhost= 127.0 . 0.1 vpn.zscaler.activity: { "LogTimestamp" : "Fri May 31 17:35:42 2019" , "Customer" : "ANZ Team/var/pick/just/cost/early.docx in beta" , "SessionID" : "SqyZIMkg0JTj7EABsvwA" , "ConnectionID" : "SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm" , "InternalReason" : "" , "ConnectionStatus" : "active" , "IPProtocol" : 6 , "DoubleEncryption" : 0 , "Username" : "melissa97" , "ServicePort" : 10011 , "ClientPublicIP" : "113.13.30.33" , "ClientPrivateIP" : "" , "ClientLatitude" : 45.0 , "ClientLongitude" : - 119.0 , "ClientCountryCode" : "US" , "ClientZEN" : "broker1b.pdx2" , "Policy" : "ANZ Lab Apps_1" , "Connector" : "ZDEMO ANZ Lab-1" , "ConnectorZEN" : "broker1b.pdx2" , "ConnectorIP" : "148.181.247.153" , "ConnectorPort" : 60266 , "Host" : "102.20.25.197" , "Application" : "ANZ Lab Apps" , "AppGroup" : "ANZ Lab Apps" , "Server" : "0" , "ServerIP" : "102.20.25.197" , "ServerPort" : 10011 , "PolicyProcessingTime" : 28 , "CAProcessingTime" : 1330 , "ConnectorZENSetupTime" : 191017 , "ConnectionSetupTime" : 192397 , "ServerSetupTime" : 465 , "AppLearnTime" : 0 , "TimestampConnectionStart" : "2019-05-30T08:20:42.230Z" , "TimestampConnectionEnd" : "" , "TimestampCATx" : "2019-05-30T08:20:42.230Z" , "TimestampCARx" : "2019-05-30T08:20:42.231Z" , "TimestampAppLearnStart" : "" , "TimestampZENFirstRxClient" : "2019-05-30T08:20:42.424Z" , "TimestampZENFirstTxClient" : "" , "TimestampZENLastRxClient" : "2019-05-31T17:34:27.348Z" , "TimestampZENLastTxClient" : "" , "TimestampConnectorZENSetupComplete" : "2019-05-30T08:20:42.422Z" , "TimestampZENFirstRxConnector" : "" , "TimestampZENFirstTxConnector" : "2019-05-30T08:20:42.424Z" , "TimestampZENLastRxConnector" : "" , "TimestampZENLastTxConnector" : "2019-05-31T17:34:27.348Z" , "ZENTotalBytesRxClient" : 2406926 , "ZENBytesRxClient" : 7115 , "ZENTotalBytesTxClient" : 0 , "ZENBytesTxClient" : 0 , "ZENTotalBytesRxConnector" : 0 , "ZENBytesRxConnector" : 0 , "ZENTotalBytesTxConnector" : 2406926 , "ZENBytesTxConnector" : 7115 , "Idp" : "Example IDP Config" } |
And this is how the log would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate |
|
| |
hostname |
|
| |
LogTimestamp |
|
| |
Customer |
|
| |
SessionID |
|
| |
ConnectionID |
|
| |
InternalReason |
|
| |
ConnectionStatus |
|
| |
IPProtocol |
|
| |
DoubleEncryption |
|
| |
Username |
|
| |
ServicePort |
|
| |
ClientPublicIP |
|
| |
ClientPrivateIP |
|
| |
ClientLatitude |
|
| |
ClientLongitude |
|
| |
ClientCountryCode |
|
| |
ClientZEN |
|
| |
Policy |
|
| |
Connector |
|
| |
ConnectorZEN |
|
| |
ConnectorIP |
|
| |
ConnectorPort |
|
| |
Host |
|
| |
Application |
|
| |
AppGroup |
|
| |
Server |
|
| |
ServerIP |
|
| |
ServerPort |
|
| |
PolicyProcessingTime |
|
| |
CAProcessingTime |
|
| |
ConnectorZENSetupTime |
|
| |
ConnectionSetupTime |
|
| |
ServerSetupTime |
|
| |
AppLearnTime |
|
| |
TimestampConnectionStart |
|
| |
TimestampConnectionEnd |
|
| |
TimestampCATx |
|
| |
TimestampCARx |
|
| |
TimestampAppLearnStart |
|
| |
TimestampZENFirstRxClient |
|
| |
TimestampZENFirstTxClient |
|
| |
TimestampZENLastRxClient |
|
| |
TimestampZENLastTxClient |
|
| |
TimestampConnectorZENSetupComplete |
|
| |
TimestampZENFirstRxConnector |
|
| |
TimestampZENFirstTxConnector |
|
| |
TimestampZENLastRxConnector |
|
| |
TimestampZENLastTxConnector |
|
| |
ZENTotalBytesRxClient |
|
| |
ZENBytesRxClient |
|
| |
ZENTotalBytesTxClient |
|
| |
ZENBytesTxClient |
|
| |
ZENTotalBytesRxConnector |
|
| |
ZENBytesRxConnector |
|
| |
ZENTotalBytesTxConnector |
|
| |
ZENBytesTxConnector |
|
| |
Idp |
|
| |
hostchain |
|
| ✓ |
rawMessage |
|
| ✓ |
tag |
|
| ✓ |
raw |
|
| ✓ |
vpn.zscaler.status_user
2020 - 05 - 21 16 : 59 : 16.593 localhost= 127.0 . 0.1 vpn.zscaler.status_user: { "LogTimestamp" : "Fri May 31 17:34:48 2019" , "Customer" : "ANZ Team/opt/because/last/big.ppt in beta" , "Username" : "paigebullock" , "SessionID" : "cKgzUERSLl09Y+ytH8v5" , "SessionStatus" : "ZPN_STATUS_AUTHENTICATED" , "Version" : "19.12.0-36-g87dad18" , "ZEN" : "broker1b.pdx2" , "CertificateCN" : "desktop-44.hamilton.info" , "PrivateIP" : "" , "PublicIP" : "186.98.180.216" , "Latitude" : 45.0 , "Longitude" : - 119.0 , "CountryCode" : "US" , "TimestampAuthentication" : "2019-05-29T21:18:38.000Z" , "TimestampUnAuthentication" : "" , "TotalBytesRx" : 31274866 , "TotalBytesTx" : 25424152 , "Idp" : "Example IDP Config" , "Hostname" : "DESKTOP-2K299HC" , "Platform" : "windows" , "ClientType" : "zpn_client_type_zapp" , "TrustedNetworks" : "TN1_stc1" , "TrustedNetworksNames" : "145248739466947538" , "SAMLAttributes" : "myname:jdoe,myemail:whitecarl@web-55.jackson.com" , "PosturesHit" : "sm-posture1,sm-posture2" , "PosturesMisses" : "sm-posture11,sm-posture12" , "ZENLatitude" : 47.0 , "ZENLongitude" : - 122.0 , "ZENCountryCode" : "" } |
And this is how the log would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate |
|
| |
hostname |
|
| |
LogTimestamp |
|
| |
Customer |
|
| |
Username |
|
| |
SessionID |
|
| |
SessionStatus |
|
| |
Version |
|
| |
ZEN |
|
| |
CertificateCN |
|
| |
PrivateIP |
|
| |
PublicIP |
|
| |
Latitude |
|
| |
Longitude |
|
| |
CountryCode |
|
| |
TimestampAuthentication |
|
| |
TimestampUnAuthentication |
|
| |
TotalBytesRx |
|
| |
TotalBytesTx |
|
| |
Idp |
|
| |
Hostname |
|
| |
Platform |
|
| |
ClientType |
|
| |
TrustedNetworks |
|
| |
TrustedNetworksNames |
|
| |
SAMLAttributes |
|
| |
PosturesHit |
|
| |
PosturesMisses |
|
| |
ZENLatitude |
|
| |
ZENLongitude |
|
| |
ZENCountryCode |
|
| |
hostchain |
|
| ✓ |
tag |
|
| ✓ |
raw |
|
| ✓ |
rawMessage |
|
| ✓ |
vpn.zscaler.status_connector
2020 - 05 - 21 17 : 00 : 13.612 localhost= 127.0 . 0.1 vpn.zscaler.status_connector: { "LogTimestamp" : "Wed Jul 31 05:17:22 2019" , "Customer" : "Safe March" , "SessionID" : "8A64Qwj9zCkfYDGJVoUZ" , "SessionType" : "ZPN_ASSISTANT_BROKER_CONTROL" , "SessionStatus" : "ZPN_STATUS_AUTHENTICATED" , "Version" : "19.20.3" , "Platform" : "el7" , "ZEN" : "US-NY-8179" , "Connector" : "Seattle Connector 1" , "ConnectorGroup" : "Azure Connectors" , "PrivateIP" : "195.55.118.51" , "PublicIP" : "36.62.14.101" , "Latitude" : 47.0 , "Longitude" : - 122.0 , "CountryCode" : "" , "TimestampAuthentication" : "2019-06-27T05:05:23.348Z" , "TimestampUnAuthentication" : "" , "CPUUtilization" : 1 , "MemUtilization" : 20 , "ServiceCount" : 2 , "InterfaceDefRoute" : "eth0" , "DefRouteGW" : "61.181.130.73" , "PrimaryDNSResolver" : "131.114.42.227" , "HostUpTime" : "1513229995" , "ConnectorUpTime" : "1555920005" , "NumOfInterfaces" : 2 , "BytesRxInterface" : 319831966346 , "PacketsRxInterface" : 1617569938 , "ErrorsRxInterface" : 0 , "DiscardsRxInterface" : 0 , "BytesTxInterface" : 192958782635 , "PacketsTxInterface" : 1797471190 , "ErrorsTxInterface" : 0 , "DiscardsTxInterface" : 0 , "TotalBytesRx" : 10902554 , "TotalBytesTx" : 48931771 } |
And this is how the log would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate |
|
| |
hostname |
|
| |
LogTimestamp |
|
| |
Customer |
|
| |
SessionID |
|
| |
SessionType |
|
| |
SessionStatus |
|
| |
Version |
|
| |
Platform |
|
| |
ZEN |
|
| |
Connector |
|
| |
ConnectorGroup |
|
| |
PrivateIP |
|
| |
PublicIP |
|
| |
Latitude |
|
| |
Longitude |
|
| |
CountryCode |
|
| |
TimestampAuthentication |
|
| |
TimestampUnAuthentication |
|
| |
CPUUtilization |
|
| |
MemUtilization |
|
| |
ServiceCount |
|
| |
InterfaceDefRoute |
|
| |
DefRouteGW |
|
| |
PrimaryDNSResolver |
|
| |
HostUpTime |
|
| |
ConnectorUpTime |
|
| |
NumOfInterfaces |
|
| |
BytesRxInterface |
|
| |
PacketsRxInterface |
|
| |
ErrorsRxInterface |
|
| |
DiscardsRxInterface |
|
| |
BytesTxInterface |
|
| |
PacketsTxInterface |
|
| |
ErrorsTxInterface |
|
| |
DiscardsTxInterface |
|
| |
TotalBytesRx |
|
| |
TotalBytesTx |
|
| |
hostchain |
|
| ✓ |
tag |
|
| ✓ |
raw |
|
| ✓ |
rawMessage |
|
| ✓ |
vpn.zscaler.audit
2022-03-08 16:25:04.275 localhost=127.0.0.1 vpn.zscaler.audit: {"ModifiedTime": "2020-07-13T20:53:10.000Z", "CreationTime": "2020-07-13T20:53:10.000Z", "ModifiedBy": 11223344556677889, "RequestID": "a12aa12a-1234-aab1-123ab123456a", "SessionID": "a123456789abc12a123456789a12a1a1a12345678ab12a12345a", "AuditOldValue": "", "AuditNewValue": "", "AuditOperationType": "Create", "ObjectType": "Browser Access", "ObjectName": "laptop-06.martinez.org", "ObjectID": 98765432100123456, "CustomerID": 12345678901234567, "User": "user123"}
And this is how the log would be parsed:
Field | Value | Type | Extra fields |
---|---|---|---|
eventdate |
|
| |
hostname |
|
| |
modified_time |
|
| |
creation_time |
|
| |
modified_by |
|
| |
request_id |
|
| |
session_id |
|
| |
audit_old_value |
| ||
audit_new_value |
| ||
audit_operation_type |
|
| |
object_type |
|
| |
object_name |
|
| |
object_id |
|
| |
customer_id |
|
| |
user |
|
| |
hostchain |
|
| ✓ |
tag |
|
| ✓ |
rawMessage |
|
| ✓ |