
vpn.zscaler

Introduction

The tags beginning with vpn.zscaler identify events generated by Zscaler Client Connector.

Tag structure

The full tag must have three levels. The first two are fixed as vpn.zscaler. The third level identifies the type of events sent.

| Technology | Brand | Type |
|---|---|---|
| vpn | zscaler | access, activity, audit, status_user, status_connector |

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Tag | Data table |
|---|---|
| vpn.zscaler.access | vpn.zscaler.access |
| vpn.zscaler.activity | vpn.zscaler.activity |
| vpn.zscaler.status_user | vpn.zscaler.status_user |
| vpn.zscaler.status_connector | vpn.zscaler.status_connector |
| vpn.zscaler.audit | vpn.zscaler.audit |

Log samples

The following are sample logs sent to each of the vpn.zscaler tags. Find how the information will be parsed in your data table under each sample log.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

vpn.zscaler.access

2020-05-21 17:01:42.542 localhost=127.0.0.1 vpn.zscaler.access: {"LogTimestamp": "Wed Jul 3 05:12:25 2019", "ConnectionID": "", "Exporter": "unset", "TimestampRequestReceiveStart": "2019-07-03T05:12:25.723Z", "TimestampRequestReceiveHeaderFinish": "2019-07-03T05:12:25.723Z", "TimestampRequestReceiveFinish": "2019-07-03T05:12:25.723Z", "TimestampRequestTransmitStart": "2019-07-03T05:12:25.790Z", "TimestampRequestTransmitFinish": "2019-07-03T05:12:25.790Z", "TimestampResponseReceiveStart": "2019-07-03T05:12:25.791Z", "TimestampResponseReceiveFinish": "2019-07-03T05:12:25.791Z", "TimestampResponseTransmitStart": "2019-07-03T05:12:25.791Z", "TimestampResponseTransmitFinish": "2019-07-03T05:12:25.791Z", "TotalTimeRequestReceive": 127, "TotalTimeRequestTransmit": 21, "TotalTimeResponseReceive": 73, "TotalTimeResponseTransmit": 13, "TotalTimeConnectionSetup": 66995, "TotalTimeServerResponse": 1349, "Method": "GET", "Protocol": "HTTPS", "Host": "srv-15.webster.com", "URL": "/bin/create/factor.txt-18.0.99-82-gd7ba322-dirty/opt/plan/floor.pptx-Regular.762cbf85.woff", "UserAgent": "audrey04", "XFF": "", "NameID": "john93@desktop-33.white.com", "StatusCode": 304, "RequestSize": 615, "ResponseSize": 331, "ApplicationPort": 443, "ClientPublicIp": "135.197.83.248", "ClientPublicPort": 50042, "ClientPrivateIp": "", "Customer": "ANZ Team/dev/argue/namibia/warrenlane/who/hair/rich.mp3 in beta", "ConnectionStatus": "", "ConnectionReason": ""}

And this is how the log would be parsed:

| Field | Value | Type | Extra fields |
|---|---|---|---|
| eventdate | 2020-05-21 17:01:43 | str | |
| hostname | localhost | str | |
| LogTimestamp | 2019-07-03 05:12:25 | timestamp | |
| ConnectionID | null | str | |
| Exporter | unset | str | |
| TimestampRequestReceiveStart | 2019-07-03 5:12:26 | timestamp | |
| TimestampRequestReceiveHeaderFinish | 2019-07-03 5:12:26 | timestamp | |
| TimestampRequestReceiveFinish | 2019-07-03 5:12:26 | timestamp | |
| TimestampRequestTransmitStart | 2019-07-03 5:12:26 | timestamp | |
| TimestampRequestTransmitFinish | 2019-07-03 5:12:26 | timestamp | |
| TimestampResponseReceiveStart | 2019-07-03 5:12:26 | timestamp | |
| TimestampResponseReceiveFinish | 2019-07-03 5:12:26 | timestamp | |
| TimestampResponseTransmitStart | 2019-07-03 5:12:26 | timestamp | |
| TimestampResponseTransmitFinish | 2019-07-03 5:12:26 | timestamp | |
| TotalTimeRequestReceive | 127 | int4 | |
| TotalTimeRequestTransmit | 21 | int4 | |
| TotalTimeResponseReceive | 73 | int4 | |
| TotalTimeResponseTransmit | 13 | int4 | |
| TotalTimeConnectionSetup | 66995 | int4 | |
| TotalTimeServerResponse | 1349 | int4 | |
| Method | GET | str | |
| Protocol | HTTPS | str | |
| Host | srv-15.webster.com | str | |
| URL | /bin/create/factor.txt-18.0.99-82-gd7ba322-dirty/opt/plan/floor.pptx-Regular.762cbf85.woff | str | |
| UserAgent | audrey04 | str | |
| XFF | null | str | |
| NameID | john93@desktop-33.white.com | str | |
| StatusCode | 304 | int4 | |
| RequestSize | 615 | int4 | |
| ResponseSize | 331 | int4 | |
| ApplicationPort | 443 | int4 | |
| ClientPublicIp | 135.197.83.248 | ip4 | |
| ClientPublicPort | 50042 | int4 | |
| ClientPrivateIp | null | str | |
| Customer | ANZ Team/dev/argue/namibia/warrenlane/who/hair/rich.mp3 in beta | str | |
| ConnectionStatus | null | str | |
| ConnectionReason | null | str | |
| hostchain | localhost=127.0.0.1 | str | |
| tag | vpn.zscaler.access | str | |
| raw | 2020-05-21 17:01:42.542 localhost=127.0.0.1 vpn.zscaler.access: {"LogTimestamp": "Wed Jul 3 05:12:25 2019", "ConnectionID": "", "Exporter": "unset", "TimestampRequestReceiveStart": "2019-07-03T05:12:25.723Z", "TimestampRequestReceiveHeaderFinish": "2019-07-03T05:12:25.723Z", "TimestampRequestReceiveFinish": "2019-07-03T05:12:25.723Z", "TimestampRequestTransmitStart": "2019-07-03T05:12:25.790Z", "TimestampRequestTransmitFinish": "2019-07-03T05:12:25.790Z", "TimestampResponseReceiveStart": "2019-07-03T05:12:25.791Z", "TimestampResponseReceiveFinish": "2019-07-03T05:12:25.791Z", "TimestampResponseTransmitStart": "2019-07-03T05:12:25.791Z", "TimestampResponseTransmitFinish": "2019-07-03T05:12:25.791Z", "TotalTimeRequestReceive": 127, "TotalTimeRequestTransmit": 21, "TotalTimeResponseReceive": 73, "TotalTimeResponseTransmit": 13, "TotalTimeConnectionSetup": 66995, "TotalTimeServerResponse": 1349, "Method": "GET", "Protocol": "HTTPS", "Host": "srv-15.webster.com", "URL": "/bin/create/factor.txt-18.0.99-82-gd7ba322-dirty/opt/plan/floor.pptx-Regular.762cbf85.woff", "UserAgent": "audrey04", "XFF": "", "NameID": "john93@desktop-33.white.com", "StatusCode": 304, "RequestSize": 615, "ResponseSize": 331, "ApplicationPort": 443, "ClientPublicIp": "135.197.83.248", "ClientPublicPort": 50042, "ClientPrivateIp": "", "Customer": "ANZ Team/dev/argue/namibia/warrenlane/who/hair/rich.mp3 in beta", "ConnectionStatus": "", "ConnectionReason": ""} | str | |
| rawMessage | {"LogTimestamp": "Wed Jul 3 05:12:25 2019", "ConnectionID": "", "Exporter": "unset", "TimestampRequestReceiveStart": "2019-07-03T05:12:25.723Z", "TimestampRequestReceiveHeaderFinish": "2019-07-03T05:12:25.723Z", "TimestampRequestReceiveFinish": "2019-07-03T05:12:25.723Z", "TimestampRequestTransmitStart": "2019-07-03T05:12:25.790Z", "TimestampRequestTransmitFinish": "2019-07-03T05:12:25.790Z", "TimestampResponseReceiveStart": "2019-07-03T05:12:25.791Z", "TimestampResponseReceiveFinish": "2019-07-03T05:12:25.791Z", "TimestampResponseTransmitStart": "2019-07-03T05:12:25.791Z", "TimestampResponseTransmitFinish": "2019-07-03T05:12:25.791Z", "TotalTimeRequestReceive": 127, "TotalTimeRequestTransmit": 21, "TotalTimeResponseReceive": 73, "TotalTimeResponseTransmit": 13, "TotalTimeConnectionSetup": 66995, "TotalTimeServerResponse": 1349, "Method": "GET", "Protocol": "HTTPS", "Host": "srv-15.webster.com", "URL": "/bin/create/factor.txt-18.0.99-82-gd7ba322-dirty/opt/plan/floor.pptx-Regular.762cbf85.woff", "UserAgent": "audrey04", "XFF": "", "NameID": "john93@desktop-33.white.com", "StatusCode": 304, "RequestSize": 615, "ResponseSize": 331, "ApplicationPort": 443, "ClientPublicIp": "135.197.83.248", "ClientPublicPort": 50042, "ClientPrivateIp": "", "Customer": "ANZ Team/dev/argue/namibia/warrenlane/who/hair/rich.mp3 in beta", "ConnectionStatus": "", "ConnectionReason": ""} | str | |

vpn.zscaler.activity

2020-05-21 16:58:13.248 localhost=127.0.0.1 vpn.zscaler.activity: {"LogTimestamp": "Fri May 31 17:35:42 2019", "Customer": "ANZ Team/var/pick/just/cost/early.docx in beta", "SessionID": "SqyZIMkg0JTj7EABsvwA", "ConnectionID": "SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm", "InternalReason": "", "ConnectionStatus": "active", "IPProtocol": 6, "DoubleEncryption": 0, "Username": "melissa97", "ServicePort": 10011, "ClientPublicIP": "113.13.30.33", "ClientPrivateIP": "", "ClientLatitude": 45.0, "ClientLongitude": -119.0, "ClientCountryCode": "US", "ClientZEN": "broker1b.pdx2", "Policy": "ANZ Lab Apps_1", "Connector": "ZDEMO ANZ Lab-1", "ConnectorZEN": "broker1b.pdx2", "ConnectorIP": "148.181.247.153", "ConnectorPort": 60266, "Host": "102.20.25.197", "Application": "ANZ Lab Apps", "AppGroup": "ANZ Lab Apps", "Server": "0", "ServerIP": "102.20.25.197", "ServerPort": 10011, "PolicyProcessingTime": 28, "CAProcessingTime": 1330, "ConnectorZENSetupTime": 191017, "ConnectionSetupTime": 192397, "ServerSetupTime": 465, "AppLearnTime": 0, "TimestampConnectionStart": "2019-05-30T08:20:42.230Z", "TimestampConnectionEnd": "", "TimestampCATx": "2019-05-30T08:20:42.230Z", "TimestampCARx": "2019-05-30T08:20:42.231Z", "TimestampAppLearnStart": "", "TimestampZENFirstRxClient": "2019-05-30T08:20:42.424Z", "TimestampZENFirstTxClient": "", "TimestampZENLastRxClient": "2019-05-31T17:34:27.348Z", "TimestampZENLastTxClient": "", "TimestampConnectorZENSetupComplete": "2019-05-30T08:20:42.422Z", "TimestampZENFirstRxConnector": "", "TimestampZENFirstTxConnector": "2019-05-30T08:20:42.424Z", "TimestampZENLastRxConnector": "", "TimestampZENLastTxConnector": "2019-05-31T17:34:27.348Z", "ZENTotalBytesRxClient": 2406926, "ZENBytesRxClient": 7115, "ZENTotalBytesTxClient": 0, "ZENBytesTxClient": 0, "ZENTotalBytesRxConnector": 0, "ZENBytesRxConnector": 0, "ZENTotalBytesTxConnector": 2406926, "ZENBytesTxConnector": 7115, "Idp": "Example IDP Config"}

And this is how the log would be parsed:

| Field | Value | Type | Extra fields |
|---|---|---|---|
| eventdate | 2020-05-21 16:58:13 | str | |
| hostname | localhost | str | |
| LogTimestamp | 2019-05-31 17:35:42 | timestamp | |
| Customer | ANZ Team/var/pick/just/cost/early.docx in beta | str | |
| SessionID | SqyZIMkg0JTj7EABsvwA | str | |
| ConnectionID | SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm | str | |
| InternalReason | null | str | |
| ConnectionStatus | active | str | |
| IPProtocol | 6 | int4 | |
| DoubleEncryption | 0 | int4 | |
| Username | melissa97 | str | |
| ServicePort | 10011 | int4 | |
| ClientPublicIP | 113.13.30.33 | ip4 | |
| ClientPrivateIP | null | str | |
| ClientLatitude | 45.0D | float8 | |
| ClientLongitude | -119.0D | float8 | |
| ClientCountryCode | US | str | |
| ClientZEN | broker1b.pdx2 | str | |
| Policy | ANZ Lab Apps_1 | str | |
| Connector | ZDEMO ANZ Lab-1 | str | |
| ConnectorZEN | broker1b.pdx2 | str | |
| ConnectorIP | 148.181.247.153 | ip4 | |
| ConnectorPort | 60266 | int4 | |
| Host | 102.20.25.197 | ip4 | |
| Application | ANZ Lab Apps | str | |
| AppGroup | ANZ Lab Apps | str | |
| Server | 0 | str | |
| ServerIP | 102.20.25.197 | ip4 | |
| ServerPort | 10011 | int4 | |
| PolicyProcessingTime | 28 | int4 | |
| CAProcessingTime | 1330 | int4 | |
| ConnectorZENSetupTime | 191017 | int4 | |
| ConnectionSetupTime | 192397 | int4 | |
| ServerSetupTime | 465 | int4 | |
| AppLearnTime | 0 | int4 | |
| TimestampConnectionStart | 2019-05-30 8:20:42 | timestamp | |
| TimestampConnectionEnd | null | str | |
| TimestampCATx | 2019-05-30 8:20:42 | timestamp | |
| TimestampCARx | 2019-05-30 8:20:42 | timestamp | |
| TimestampAppLearnStart | null | str | |
| TimestampZENFirstRxClient | 2019-05-30 8:20:42 | timestamp | |
| TimestampZENFirstTxClient | null | str | |
| TimestampZENLastRxClient | 2019-05-31 17:34:27 | timestamp | |
| TimestampZENLastTxClient | null | str | |
| TimestampConnectorZENSetupComplete | 2019-05-30 8:20:42 | timestamp | |
| TimestampZENFirstRxConnector | null | str | |
| TimestampZENFirstTxConnector | 2019-05-30 8:20:42 | timestamp | |
| TimestampZENLastRxConnector | null | str | |
| TimestampZENLastTxConnector | 2019-05-31 17:34:27 | timestamp | |
| ZENTotalBytesRxClient | 2406926L | int8 | |
| ZENBytesRxClient | 7115 | int4 | |
| ZENTotalBytesTxClient | 0 | int4 | |
| ZENBytesTxClient | 0 | int4 | |
| ZENTotalBytesRxConnector | 0 | int4 | |
| ZENBytesRxConnector | 0 | int4 | |
| ZENTotalBytesTxConnector | 2406926L | int8 | |
| ZENBytesTxConnector | 7115 | int4 | |
| Idp | Example IDP Config | str | |
| hostchain | localhost=127.0.0.1 | str | |
| rawMessage | {"LogTimestamp": "Fri May 31 17:35:42 2019", "Customer": "ANZ Team/var/pick/just/cost/early.docx in beta", "SessionID": "SqyZIMkg0JTj7EABsvwA", "ConnectionID": "SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm", "InternalReason": "", "ConnectionStatus": "active", "IPProtocol": 6, "DoubleEncryption": 0, "Username": "melissa97", "ServicePort": 10011, "ClientPublicIP": "113.13.30.33", "ClientPrivateIP": "", "ClientLatitude": 45.0, "ClientLongitude": -119.0, "ClientCountryCode": "US", "ClientZEN": "broker1b.pdx2", "Policy": "ANZ Lab Apps_1", "Connector": "ZDEMO ANZ Lab-1", "ConnectorZEN": "broker1b.pdx2", "ConnectorIP": "148.181.247.153", "ConnectorPort": 60266, "Host": "102.20.25.197", "Application": "ANZ Lab Apps", "AppGroup": "ANZ Lab Apps", "Server": "0", "ServerIP": "102.20.25.197", "ServerPort": 10011, "PolicyProcessingTime": 28, "CAProcessingTime": 1330, "ConnectorZENSetupTime": 191017, "ConnectionSetupTime": 192397, "ServerSetupTime": 465, "AppLearnTime": 0, "TimestampConnectionStart": "2019-05-30T08:20:42.230Z", "TimestampConnectionEnd": "", "TimestampCATx": "2019-05-30T08:20:42.230Z", "TimestampCARx": "2019-05-30T08:20:42.231Z", "TimestampAppLearnStart": "", "TimestampZENFirstRxClient": "2019-05-30T08:20:42.424Z", "TimestampZENFirstTxClient": "", "TimestampZENLastRxClient": "2019-05-31T17:34:27.348Z", "TimestampZENLastTxClient": "", "TimestampConnectorZENSetupComplete": "2019-05-30T08:20:42.422Z", "TimestampZENFirstRxConnector": "", "TimestampZENFirstTxConnector": "2019-05-30T08:20:42.424Z", "TimestampZENLastRxConnector": "", "TimestampZENLastTxConnector": "2019-05-31T17:34:27.348Z", "ZENTotalBytesRxClient": 2406926, "ZENBytesRxClient": 7115, "ZENTotalBytesTxClient": 0, "ZENBytesTxClient": 0, "ZENTotalBytesRxConnector": 0, "ZENBytesRxConnector": 0, "ZENTotalBytesTxConnector": 2406926, "ZENBytesTxConnector": 7115, "Idp": "Example IDP Config"} | str | |
| tag | vpn.zscaler.activity | str | |
| raw | 2020-05-21 16:58:13.248 localhost=127.0.0.1 vpn.zscaler.activity: {"LogTimestamp": "Fri May 31 17:35:42 2019", "Customer": "ANZ Team/var/pick/just/cost/early.docx in beta", "SessionID": "SqyZIMkg0JTj7EABsvwA", "ConnectionID": "SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm", "InternalReason": "", "ConnectionStatus": "active", "IPProtocol": 6, "DoubleEncryption": 0, "Username": "melissa97", "ServicePort": 10011, "ClientPublicIP": "113.13.30.33", "ClientPrivateIP": "", "ClientLatitude": 45.0, "ClientLongitude": -119.0, "ClientCountryCode": "US", "ClientZEN": "broker1b.pdx2", "Policy": "ANZ Lab Apps_1", "Connector": "ZDEMO ANZ Lab-1", "ConnectorZEN": "broker1b.pdx2", "ConnectorIP": "148.181.247.153", "ConnectorPort": 60266, "Host": "102.20.25.197", "Application": "ANZ Lab Apps", "AppGroup": "ANZ Lab Apps", "Server": "0", "ServerIP": "102.20.25.197", "ServerPort": 10011, "PolicyProcessingTime": 28, "CAProcessingTime": 1330, "ConnectorZENSetupTime": 191017, "ConnectionSetupTime": 192397, "ServerSetupTime": 465, "AppLearnTime": 0, "TimestampConnectionStart": "2019-05-30T08:20:42.230Z", "TimestampConnectionEnd": "", "TimestampCATx": "2019-05-30T08:20:42.230Z", "TimestampCARx": "2019-05-30T08:20:42.231Z", "TimestampAppLearnStart": "", "TimestampZENFirstRxClient": "2019-05-30T08:20:42.424Z", "TimestampZENFirstTxClient": "", "TimestampZENLastRxClient": "2019-05-31T17:34:27.348Z", "TimestampZENLastTxClient": "", "TimestampConnectorZENSetupComplete": "2019-05-30T08:20:42.422Z", "TimestampZENFirstRxConnector": "", "TimestampZENFirstTxConnector": "2019-05-30T08:20:42.424Z", "TimestampZENLastRxConnector": "", "TimestampZENLastTxConnector": "2019-05-31T17:34:27.348Z", "ZENTotalBytesRxClient": 2406926, "ZENBytesRxClient": 7115, "ZENTotalBytesTxClient": 0, "ZENBytesTxClient": 0, "ZENTotalBytesRxConnector": 0, "ZENBytesRxConnector": 0, "ZENTotalBytesTxConnector": 2406926, "ZENBytesTxConnector": 7115, "Idp": "Example IDP Config"} | str | |

 

vpn.zscaler.status_user

2020-05-21 16:59:16.593 localhost=127.0.0.1 vpn.zscaler.status_user: {"LogTimestamp": "Fri May 31 17:34:48 2019", "Customer": "ANZ Team/opt/because/last/big.ppt in beta", "Username": "paigebullock", "SessionID": "cKgzUERSLl09Y+ytH8v5", "SessionStatus": "ZPN_STATUS_AUTHENTICATED", "Version": "19.12.0-36-g87dad18", "ZEN": "broker1b.pdx2", "CertificateCN": "desktop-44.hamilton.info", "PrivateIP": "", "PublicIP": "186.98.180.216", "Latitude": 45.0, "Longitude": -119.0, "CountryCode": "US", "TimestampAuthentication": "2019-05-29T21:18:38.000Z", "TimestampUnAuthentication": "", "TotalBytesRx": 31274866, "TotalBytesTx": 25424152, "Idp": "Example IDP Config", "Hostname": "DESKTOP-2K299HC", "Platform": "windows", "ClientType": "zpn_client_type_zapp", "TrustedNetworks": "TN1_stc1", "TrustedNetworksNames": "145248739466947538", "SAMLAttributes": "myname:jdoe,myemail:whitecarl@web-55.jackson.com", "PosturesHit": "sm-posture1,sm-posture2", "PosturesMisses": "sm-posture11,sm-posture12", "ZENLatitude": 47.0, "ZENLongitude": -122.0, "ZENCountryCode": ""}

And this is how the log would be parsed:

| Field | Value | Type | Extra fields |
|---|---|---|---|
| eventdate | 2020-05-21 16:59:17 | str | |
| hostname | localhost | str | |
| LogTimestamp | 2019-05-31 17:34:48 | timestamp | |
| Customer | ANZ Team/opt/because/last/big.ppt in beta | str | |
| Username | paigebullock | str | |
| SessionID | cKgzUERSLl09Y+ytH8v5 | str | |
| SessionStatus | ZPN_STATUS_AUTHENTICATED | str | |
| Version | 19.12.0-36-g87dad18 | str | |
| ZEN | broker1b.pdx2 | str | |
| CertificateCN | desktop-44.hamilton.info | str | |
| PrivateIP | null | str | |
| PublicIP | 186.98.180.216 | ip4 | |
| Latitude | 45.0D | float8 | |
| Longitude | -119.0D | float8 | |
| CountryCode | US | str | |
| TimestampAuthentication | 2019-05-29 21:18:38 | timestamp | |
| TimestampUnAuthentication | null | str | |
| TotalBytesRx | 31274866L | int8 | |
| TotalBytesTx | 25424152L | int8 | |
| Idp | Example IDP Config | str | |
| Hostname | localhost | str | |
| Platform | windows | str | |
| ClientType | zpn_client_type_zapp | str | |
| TrustedNetworks | TN1_stc1 | str | |
| TrustedNetworksNames | 145248739466947538 | str | |
| SAMLAttributes | myname:jdoe,myemail:whitecarl@web-55.jackson.com | str | |
| PosturesHit | sm-posture1,sm-posture2 | str | |
| PosturesMisses | sm-posture11,sm-posture12 | str | |
| ZENLatitude | 47.0D | float8 | |
| ZENLongitude | -122.0D | float8 | |
| ZENCountryCode | null | str | |
| hostchain | localhost=127.0.0.1 | str | |
| tag | vpn.zscaler.status_user | str | |
| raw | 2020-05-21 16:59:16.593 localhost=127.0.0.1 vpn.zscaler.status_user: {"LogTimestamp": "Fri May 31 17:34:48 2019", "Customer": "ANZ Team/opt/because/last/big.ppt in beta", "Username": "paigebullock", "SessionID": "cKgzUERSLl09Y+ytH8v5", "SessionStatus": "ZPN_STATUS_AUTHENTICATED", "Version": "19.12.0-36-g87dad18", "ZEN": "broker1b.pdx2", "CertificateCN": "desktop-44.hamilton.info", "PrivateIP": "", "PublicIP": "186.98.180.216", "Latitude": 45.0, "Longitude": -119.0, "CountryCode": "US", "TimestampAuthentication": "2019-05-29T21:18:38.000Z", "TimestampUnAuthentication": "", "TotalBytesRx": 31274866, "TotalBytesTx": 25424152, "Idp": "Example IDP Config", "Hostname": "DESKTOP-2K299HC", "Platform": "windows", "ClientType": "zpn_client_type_zapp", "TrustedNetworks": "TN1_stc1", "TrustedNetworksNames": "145248739466947538", "SAMLAttributes": "myname:jdoe,myemail:whitecarl@web-55.jackson.com", "PosturesHit": "sm-posture1,sm-posture2", "PosturesMisses": "sm-posture11,sm-posture12", "ZENLatitude": 47.0, "ZENLongitude": -122.0, "ZENCountryCode": ""} | str | |
| rawMessage | {"LogTimestamp": "Fri May 31 17:34:48 2019", "Customer": "ANZ Team/opt/because/last/big.ppt in beta", "Username": "paigebullock", "SessionID": "cKgzUERSLl09Y+ytH8v5", "SessionStatus": "ZPN_STATUS_AUTHENTICATED", "Version": "19.12.0-36-g87dad18", "ZEN": "broker1b.pdx2", "CertificateCN": "desktop-44.hamilton.info", "PrivateIP": "", "PublicIP": "186.98.180.216", "Latitude": 45.0, "Longitude": -119.0, "CountryCode": "US", "TimestampAuthentication": "2019-05-29T21:18:38.000Z", "TimestampUnAuthentication": "", "TotalBytesRx": 31274866, "TotalBytesTx": 25424152, "Idp": "Example IDP Config", "Hostname": "DESKTOP-2K299HC", "Platform": "windows", "ClientType": "zpn_client_type_zapp", "TrustedNetworks": "TN1_stc1", "TrustedNetworksNames": "145248739466947538", "SAMLAttributes": "myname:jdoe,myemail:whitecarl@web-55.jackson.com", "PosturesHit": "sm-posture1,sm-posture2", "PosturesMisses": "sm-posture11,sm-posture12", "ZENLatitude": 47.0, "ZENLongitude": -122.0, "ZENCountryCode": ""} | str | |

 

vpn.zscaler.status_connector

2020-05-21 17:00:13.612 localhost=127.0.0.1 vpn.zscaler.status_connector: {"LogTimestamp": "Wed Jul 31 05:17:22 2019", "Customer": "Safe March", "SessionID": "8A64Qwj9zCkfYDGJVoUZ", "SessionType": "ZPN_ASSISTANT_BROKER_CONTROL", "SessionStatus": "ZPN_STATUS_AUTHENTICATED", "Version": "19.20.3", "Platform": "el7", "ZEN": "US-NY-8179", "Connector": "Seattle Connector 1", "ConnectorGroup": "Azure Connectors", "PrivateIP": "195.55.118.51", "PublicIP": "36.62.14.101", "Latitude": 47.0, "Longitude": -122.0, "CountryCode": "", "TimestampAuthentication": "2019-06-27T05:05:23.348Z", "TimestampUnAuthentication": "", "CPUUtilization": 1, "MemUtilization": 20, "ServiceCount": 2, "InterfaceDefRoute": "eth0", "DefRouteGW": "61.181.130.73", "PrimaryDNSResolver": "131.114.42.227", "HostUpTime": "1513229995", "ConnectorUpTime": "1555920005", "NumOfInterfaces": 2, "BytesRxInterface": 319831966346, "PacketsRxInterface": 1617569938, "ErrorsRxInterface": 0, "DiscardsRxInterface": 0, "BytesTxInterface": 192958782635, "PacketsTxInterface": 1797471190, "ErrorsTxInterface": 0, "DiscardsTxInterface": 0, "TotalBytesRx": 10902554, "TotalBytesTx": 48931771}

And this is how the log would be parsed:

| Field | Value | Type | Extra fields |
|---|---|---|---|
| eventdate | 2020-05-21 17:00:14 | str | |
| hostname | localhost | str | |
| LogTimestamp | 2019-07-31 05:17:22 | timestamp | |
| Customer | Safe March | str | |
| SessionID | 8A64Qwj9zCkfYDGJVoUZ | str | |
| SessionType | ZPN_ASSISTANT_BROKER_CONTROL | str | |
| SessionStatus | ZPN_STATUS_AUTHENTICATED | str | |
| Version | 19.20.3 | str | |
| Platform | el7 | str | |
| ZEN | US-NY-8179 | str | |
| Connector | Seattle Connector 1 | str | |
| ConnectorGroup | Azure Connectors | str | |
| PrivateIP | 195.55.118.51 | ip4 | |
| PublicIP | 36.62.14.101 | ip4 | |
| Latitude | 47.0D | float8 | |
| Longitude | -122.0D | float8 | |
| CountryCode | null | str | |
| TimestampAuthentication | 2019-06-27 5:05:23 | timestamp | |
| TimestampUnAuthentication | null | str | |
| CPUUtilization | 1 | int4 | |
| MemUtilization | 20 | int4 | |
| ServiceCount | 2 | int4 | |
| InterfaceDefRoute | eth0 | str | |
| DefRouteGW | 61.181.130.73 | ip4 | |
| PrimaryDNSResolver | 131.114.42.227 | ip4 | |
| HostUpTime | 1513229995 | str | |
| ConnectorUpTime | 1555920005 | str | |
| NumOfInterfaces | 2 | int4 | |
| BytesRxInterface | 319831966346L | int8 | |
| PacketsRxInterface | 1617569938000 | timestamp | |
| ErrorsRxInterface | 0 | int4 | |
| DiscardsRxInterface | 0 | int4 | |
| BytesTxInterface | 192958782635L | int8 | |
| PacketsTxInterface | 1797471190000 | timestamp | |
| ErrorsTxInterface | 0 | int4 | |
| DiscardsTxInterface | 0 | int4 | |
| TotalBytesRx | 10902554L | int8 | |
| TotalBytesTx | 48931771L | int8 | |
| hostchain | localhost=127.0.0.1 | str | |
| tag | vpn.zscaler.status_connector | str | |
| raw | 2020-05-21 17:00:13.612 localhost=127.0.0.1 vpn.zscaler.status_connector: {"LogTimestamp": "Wed Jul 31 05:17:22 2019", "Customer": "Safe March", "SessionID": "8A64Qwj9zCkfYDGJVoUZ", "SessionType": "ZPN_ASSISTANT_BROKER_CONTROL", "SessionStatus": "ZPN_STATUS_AUTHENTICATED", "Version": "19.20.3", "Platform": "el7", "ZEN": "US-NY-8179", "Connector": "Seattle Connector 1", "ConnectorGroup": "Azure Connectors", "PrivateIP": "195.55.118.51", "PublicIP": "36.62.14.101", "Latitude": 47.0, "Longitude": -122.0, "CountryCode": "", "TimestampAuthentication": "2019-06-27T05:05:23.348Z", "TimestampUnAuthentication": "", "CPUUtilization": 1, "MemUtilization": 20, "ServiceCount": 2, "InterfaceDefRoute": "eth0", "DefRouteGW": "61.181.130.73", "PrimaryDNSResolver": "131.114.42.227", "HostUpTime": "1513229995", "ConnectorUpTime": "1555920005", "NumOfInterfaces": 2, "BytesRxInterface": 319831966346, "PacketsRxInterface": 1617569938, "ErrorsRxInterface": 0, "DiscardsRxInterface": 0, "BytesTxInterface": 192958782635, "PacketsTxInterface": 1797471190, "ErrorsTxInterface": 0, "DiscardsTxInterface": 0, "TotalBytesRx": 10902554, "TotalBytesTx": 48931771} | str | |
| rawMessage | {"LogTimestamp": "Wed Jul 31 05:17:22 2019", "Customer": "Safe March", "SessionID": "8A64Qwj9zCkfYDGJVoUZ", "SessionType": "ZPN_ASSISTANT_BROKER_CONTROL", "SessionStatus": "ZPN_STATUS_AUTHENTICATED", "Version": "19.20.3", "Platform": "el7", "ZEN": "US-NY-8179", "Connector": "Seattle Connector 1", "ConnectorGroup": "Azure Connectors", "PrivateIP": "195.55.118.51", "PublicIP": "36.62.14.101", "Latitude": 47.0, "Longitude": -122.0, "CountryCode": "", "TimestampAuthentication": "2019-06-27T05:05:23.348Z", "TimestampUnAuthentication": "", "CPUUtilization": 1, "MemUtilization": 20, "ServiceCount": 2, "InterfaceDefRoute": "eth0", "DefRouteGW": "61.181.130.73", "PrimaryDNSResolver": "131.114.42.227", "HostUpTime": "1513229995", "ConnectorUpTime": "1555920005", "NumOfInterfaces": 2, "BytesRxInterface": 319831966346, "PacketsRxInterface": 1617569938, "ErrorsRxInterface": 0, "DiscardsRxInterface": 0, "BytesTxInterface": 192958782635, "PacketsTxInterface": 1797471190, "ErrorsTxInterface": 0, "DiscardsTxInterface": 0, "TotalBytesRx": 10902554, "TotalBytesTx": 48931771} | str | |

 

vpn.zscaler.audit

2022-03-08 16:25:04.275 localhost=127.0.0.1 vpn.zscaler.audit: {"ModifiedTime": "2020-07-13T20:53:10.000Z", "CreationTime": "2020-07-13T20:53:10.000Z", "ModifiedBy": 11223344556677889, "RequestID": "a12aa12a-1234-aab1-123ab123456a", "SessionID": "a123456789abc12a123456789a12a1a1a12345678ab12a12345a", "AuditOldValue": "", "AuditNewValue": "", "AuditOperationType": "Create", "ObjectType": "Browser Access", "ObjectName": "laptop-06.martinez.org", "ObjectID": 98765432100123456, "CustomerID": 12345678901234567, "User": "user123"}

And this is how the log would be parsed:

| Field | Value | Type | Extra fields |
|---|---|---|---|
| eventdate | 2022-03-08 16:25:04.275 | timestamp | |
| hostname | localhost | str | |
| modified_time | 2020-07-13 20:53:10.0 | timestamp | |
| creation_time | 2020-07-13 20:53:10.0 | timestamp | |
| modified_by | 11223344556677889 | int8 | |
| request_id | a12aa12a-1234-aab1-123ab123456a | str | |
| session_id | a123456789abc12a123456789a12a1a1a12345678ab12a12345a | str | |
| audit_old_value | | str | |
| audit_new_value | | str | |
| audit_operation_type | Create | str | |
| object_type | Browser Access | str | |
| object_name | laptop-06.martinez.org | str | |
| object_id | 98765432100123456 | int8 | |
| customer_id | 12345678901234567 | int8 | |
| user | user123 | str | |
| hostchain | localhost=127.0.0.1 | str | |
| tag | vpn.zscaler.audit | str | |
| rawMessage | {"ModifiedTime": "2020-07-13T20:53:10.000Z", "CreationTime": "2020-07-13T20:53:10.000Z", "ModifiedBy": 11223344556677889, "RequestID": "a12aa12a-1234-aab1-123ab123456a", "SessionID": "a123456789abc12a123456789a12a1a1a12345678ab12a12345a", "AuditOldValue": "", "AuditNewValue": "", "AuditOperationType": "Create", "ObjectType": "Browser Access", "ObjectName": "laptop-06.martinez.org", "ObjectID": 98765432100123456, "CustomerID": 12345678901234567, "User": "user123"} | str | |
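
The event envelope and tag rules described on this page, as an added example (not the platform's own parser and not code from this page): it splits a raw event into the eventdate, hostname, hostchain, tag and rawMessage columns, and rejects tags outside the five listed types as well as messages that are not valid JSON. The function names, the `fields` namespace and the empty-string-to-None coercion are assumptions of this example, and the three lines in `CONSTRUCTED` are made-up inputs.

```python
import json
import re
from datetime import datetime

# Third tag levels listed on this page.
VALID_TYPES = {"access", "activity", "audit", "status_user", "status_connector"}
# Envelope seen in the samples: "<eventdate> <hostname>=<ip> <tag>: <JSON>"
ENVELOPE = re.compile(
    r"^(?P<eventdate>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<hostchain>[^\s=]+=\S+) (?P<tag>[A-Za-z0-9_.]+): (?P<message>\{.*\})$"
)
ISO_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$")

def validate_tag(tag):
    """Return the event type of a valid three-level vpn.zscaler tag."""
    parts = tag.split(".")
    if len(parts) != 3 or parts[:2] != ["vpn", "zscaler"]:
        raise ValueError(f"tag must be vpn.zscaler.<type>: {tag!r}")
    if parts[2] not in VALID_TYPES:
        raise ValueError(f"unknown event type: {parts[2]!r}")
    return parts[2]

def coerce(value):
    """Empty string -> None, ISO 'Z' timestamp -> naive UTC datetime."""
    if value == "":
        return None
    if isinstance(value, str) and ISO_TS.match(value):
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return value

def parse_event(line):
    """Split one raw event into envelope columns and typed message fields."""
    line = line.strip()
    m = ENVELOPE.match(line)
    if m is None:
        raise ValueError("line does not match the event envelope")
    validate_tag(m["tag"])
    try:
        message = json.loads(m["message"])
    except json.JSONDecodeError as exc:
        raise ValueError(f"message is not valid JSON: {exc.msg}") from exc
    return {
        "eventdate": datetime.strptime(m["eventdate"], "%Y-%m-%d %H:%M:%S.%f"),
        "hostname": m["hostchain"].split("=", 1)[0],
        "hostchain": m["hostchain"],
        "tag": m["tag"],
        "raw": line,
        "rawMessage": m["message"],
        # Own namespace: a message "Hostname" key cannot clobber the envelope's.
        "fields": {k: coerce(v) for k, v in message.items()},
    }

def triage(lines):
    """Parse every line; return (records, [(line number, reject reason)])."""
    records, rejected = [], []
    for n, line in enumerate(lines, 1):
        try:
            records.append(parse_event(line))
        except ValueError as exc:
            rejected.append((n, str(exc)))
    return records, rejected

# Audit sample copied from this page.
AUDIT_LINE = (
    '2022-03-08 16:25:04.275 localhost=127.0.0.1 vpn.zscaler.audit: {"ModifiedTime": "2020-07-13T20:53:10.000Z", '
    '"CreationTime": "2020-07-13T20:53:10.000Z", "ModifiedBy": 11223344556677889, '
    '"RequestID": "a12aa12a-1234-aab1-123ab123456a", "SessionID": "a123456789abc12a123456789a12a1a1a12345678ab12a12345a", '
    '"AuditOldValue": "", "AuditNewValue": "", "AuditOperationType": "Create", "ObjectType": "Browser Access", '
    '"ObjectName": "laptop-06.martinez.org", "ObjectID": 98765432100123456, "CustomerID": 12345678901234567, "User": "user123"}'
)
# Constructed lines: a "Hostname" message key, an unknown type, malformed JSON.
CONSTRUCTED = [
    '2020-05-21 16:59:16.593 localhost=127.0.0.1 vpn.zscaler.status_user: {"Username": "example-user", "Hostname": "EXAMPLE-HOST", "PrivateIP": ""}',
    '2020-05-21 16:59:16.593 localhost=127.0.0.1 vpn.zscaler.debug: {"Username": "example-user"}',
    '2020-05-21 16:59:16.593 localhost=127.0.0.1 vpn.zscaler.access: {"Method""GET"}',
]

if __name__ == "__main__":
    records, rejected = triage([AUDIT_LINE, *CONSTRUCTED])
    print(len(records), "parsed; rejected:", rejected)
```

Python's `json` module keeps 17-digit identifiers such as `ModifiedBy` exact, matching the int8 type in the audit table; a JSON decoder that maps numbers to 64-bit floats would silently round them.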