Cloudflare Docs
Logs
Visit Logs on GitHub
Set theme to dark (⇧+D)

Zero Trust Network Session Logs

The descriptions below detail the fields available for zero_trust_network_sessions.

FieldValueType
AccountIDCloudflare account ID.string
BytesReceivedThe number of bytes sent from the origin to the client during the network session.int
BytesSentThe number of bytes sent from the client to the origin during the network session.int
ClientTCPHandshakeDurationMsDuration of handshaking the TCP connection between the client and Cloudflare in milliseconds.int
ClientTLSCipherTLS cipher suite used in the connection between the client and Cloudflare.string
ClientTLSHandshakeDurationMsDuration of handshaking the TLS connection between the client and Cloudflare in milliseconds.int
ClientTLSVersionTLS protocol version used in the connection between the client and Cloudflare.string
ConnectionCloseReasonThe reason for closing the connection, only applicable for TCP.
Possible values are clientClosed | originClosed | timeout | clientTcpError | clientTlsError | originTcpError | originTlsError.
string
ConnectionReuseWhether the TCP connection was reused for multiple HTTP requests.bool
DestinationTunnelIDIdentifier of the Cloudflare One connector to which the network session was routed to, if any, such as Cloudflare Tunnel or WARP device.string
DeviceIDIdentifier of the client device which initiated the network session, if applicable, (for example, WARP Device ID).string
DeviceNameName of the client device which initiated the network session, if applicable, (for example, WARP Device ID).string
EgressColoNameThe name of the Cloudflare colo from which traffic egressed to the origin.string
EgressIPSource IP used when egressing traffic from Cloudflare to the origin.string
EgressPortSource port used when egressing traffic from Cloudflare to the origin.int
EgressRuleIDIdentifier of the egress rule that was applied by the Secure Web Gateway, if any.string
EgressRuleNameThe name of the egress rule that was applied by the Secure Web Gateway, if any.string
EmailEmail address associated with the user identity which initiated the network session.string
IngressColoNameThe name of the Cloudflare colo to which traffic ingressed.string
OfframpThe type of destination to which the network session was routed.
Possible values are internet | magic | cfd_tunnel | WARP.
string
OriginIPThe IP of the destination (“origin”) for the network session.string
OriginPortThe port of the destination origin for the network session.int
OriginTLSCertificateIssuerThe issuer of the origin TLS certificate.string
OriginTLSCertificateValidationResultThe result of validating the TLS certificate of the origin.
Possible values are valid | expired | revoked | hostnameMismatch.
string
OriginTLSCipherTLS cipher suite used in the connection between Cloudflare and the origin.string
OriginTLSHandshakeDurationMsDuration of handshaking the TLS connection between Cloudflare and the origin in milliseconds.int
OriginTLSVersionTLS protocol version used in the connection between Cloudflare and the origin.string
ProtocolNetwork protocol used for this network session.
Possible values are tcp | udp | icmp | icmpv6.
string
RuleEvaluationDurationMsThe duration taken by Secure Web Gateway applying applicable Network, HTTP, and Egress rules to the network session in milliseconds.int
SessionEndTimeThe network session end timestamp with nanosecond precision.int or string
SessionIDThe identifier of this network session.string
SessionStartTimeThe network session start timestamp with nanosecond precision.int or string
SourceIPSource IP of the network session.string
SourceInternalIPLocal LAN IP of the device. Only available when connected via a GRE/IPsec tunnel on-ramp.string
SourcePortSource port of the network session.int
UserIDUser identity where the network session originated from. Only applicable for WARP device clients.string
VirtualNetworkIDIdentifier of the virtual network configured for the client.string