Zero Trust Network Session Logs

The descriptions below detail the fields available for zero_trust_network_sessions.

Field	Value	Type
AccountID	Cloudflare account ID.	string
BytesReceived	The number of bytes sent from the origin to the client during the network session.	int
BytesSent	The number of bytes sent from the client to the origin during the network session.	int
ClientTCPHandshakeDurationMs	Duration of handshaking the TCP connection between the client and Cloudflare in milliseconds.	int
ClientTLSCipher	TLS cipher suite used in the connection between the client and Cloudflare.	string
ClientTLSHandshakeDurationMs	Duration of handshaking the TLS connection between the client and Cloudflare in milliseconds.	int
ClientTLSVersion	TLS protocol version used in the connection between the client and Cloudflare.	string
ConnectionCloseReason	The reason for closing the connection, only applicable for TCP. Possible values are clientClosed \| originClosed \| timeout \| clientTcpError \| clientTlsError \| originTcpError \| originTlsError.	string
ConnectionReuse	Whether the TCP connection was reused for multiple HTTP requests.	bool
DestinationTunnelID	Identifier of the Cloudflare One connector to which the network session was routed to, if any, such as Cloudflare Tunnel or WARP device.	string
DeviceID	Identifier of the client device which initiated the network session, if applicable, (for example, WARP Device ID).	string
DeviceName	Name of the client device which initiated the network session, if applicable, (for example, WARP Device ID).	string
EgressColoName	The name of the Cloudflare colo from which traffic egressed to the origin.	string
EgressIP	Source IP used when egressing traffic from Cloudflare to the origin.	string
EgressPort	Source port used when egressing traffic from Cloudflare to the origin.	int
EgressRuleID	Identifier of the egress rule that was applied by the Secure Web Gateway, if any.	string
EgressRuleName	The name of the egress rule that was applied by the Secure Web Gateway, if any.	string
Email	Email address associated with the user identity which initiated the network session.	string
IngressColoName	The name of the Cloudflare colo to which traffic ingressed.	string
Offramp	The type of destination to which the network session was routed. Possible values are internet \| magic \| cfd_tunnel \| WARP.	string
OriginIP	The IP of the destination (“origin”) for the network session.	string
OriginPort	The port of the destination origin for the network session.	int
OriginTLSCertificateIssuer	The issuer of the origin TLS certificate.	string
OriginTLSCertificateValidationResult	The result of validating the TLS certificate of the origin. Possible values are valid \| expired \| revoked \| hostnameMismatch.	string
OriginTLSCipher	TLS cipher suite used in the connection between Cloudflare and the origin.	string
OriginTLSHandshakeDurationMs	Duration of handshaking the TLS connection between Cloudflare and the origin in milliseconds.	int
OriginTLSVersion	TLS protocol version used in the connection between Cloudflare and the origin.	string
Protocol	Network protocol used for this network session. Possible values are tcp \| udp \| icmp \| icmpv6.	string
RuleEvaluationDurationMs	The duration taken by Secure Web Gateway applying applicable Network, HTTP, and Egress rules to the network session in milliseconds.	int
SessionEndTime	The network session end timestamp with nanosecond precision.	int or string
SessionID	The identifier of this network session.	string
SessionStartTime	The network session start timestamp with nanosecond precision.	int or string
SourceIP	Source IP of the network session.	string
SourceInternalIP	Local LAN IP of the device. Only available when connected via a GRE/IPsec tunnel on-ramp.	string
SourcePort	Source port of the network session.	int
UserID	User identity where the network session originated from. Only applicable for WARP device clients.	string
VirtualNetworkID	Identifier of the virtual network configured for the client.	string