Collect Zscaler VPN logs
This document explains how to configure the Bindplane agent to export Zscaler VPN logs, and how log fields map to Google SecOps Unified Data Model (UDM) fields.
For more information, see Data ingestion to Google SecOps overview.
A typical deployment consists of Zscaler VPN and the Bindplane agent, which is configured to send logs to Google SecOps. Each customer's deployment may differ and may be more complex.
The deployment includes the following components:
Zscaler VPN: the platform from which you collect logs.
Bindplane agent: fetches logs from Zscaler VPN and sends them to Google SecOps.
Google SecOps: retains and analyzes the logs.
An ingestion label identifies the parser that normalizes raw log data into the structured UDM format. The information in this document applies to the parser with the ZSCALER_VPN ingestion label.
Before you begin
- Ensure that you have access to the Zscaler Private Access console. For more information, see the Secure Private Access (ZPA) help.
- Ensure that you are using Zscaler VPN 2024 or later.
- Ensure that all systems in the deployment architecture are configured to the UTC time zone.
Configure a log receiver in Zscaler Private Access
To configure and manage log receivers in Zscaler Private Access, follow these steps:
Add a log receiver
- Go to Configuration & Control > Private Infrastructure > Log Streaming Service > Log Receivers.
- Click Add Log Receiver.
- In the Log Receiver tab, do the following:
  - In the Name field, enter a name for the log receiver.
  - In the Description field, enter a description.
  - In the Domain or IP Address field, enter the fully qualified domain name (FQDN) or IP address of the log receiver.
  - In the TCP Port field, enter the TCP port number that the log receiver listens on.
  - In TLS Encryption, select the encryption type to enable or disable encryption of the traffic between the App Connectors and the log receiver. This setting is disabled by default.
  - From the App Connector groups list, select the App Connector groups that can forward logs to the receiver, then click Done.
- Click Next.
- In the Log Stream tab, do the following:
  - Select the Log Type from the menu.
  - Select the Log Template from the menu.
  - Copy and paste the Log Stream Content, then add fields. Ensure that the key names match the actual field names.
The following are the default Log Stream Content settings for each log type:
User Activity:
{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"ConnectionID": %j{ConnectionID},"InternalReason": %j{InternalReason},"ConnectionStatus": %j{ConnectionStatus},"IPProtocol": %d{IPProtocol},"DoubleEncryption": %d{DoubleEncryption},"Username": %j{Username},"ServicePort": %d{ServicePort},"ClientPublicIP": %j{ClientPublicIP},"ClientPrivateIP": %j{ClientPrivateIP},"ClientLatitude": %f{ClientLatitude},"ClientLongitude": %f{ClientLongitude},"ClientCountryCode": %j{ClientCountryCode},"ClientZEN": %j{ClientZEN},"Policy": %j{Policy},"Connector": %j{Connector},"ConnectorZEN": %j{ConnectorZEN},"ConnectorIP": %j{ConnectorIP},"ConnectorPort": %d{ConnectorPort},"Host": %j{Host},"Application": %j{Application},"AppGroup": %j{AppGroup},"Server": %j{Server},"ServerIP": %j{ServerIP},"ServerPort": %d{ServerPort},"PolicyProcessingTime": %d{PolicyProcessingTime},"ServerSetupTime": %d{ServerSetupTime},"TimestampConnectionStart": %j{TimestampConnectionStart:iso8601},"TimestampConnectionEnd": %j{TimestampConnectionEnd:iso8601},"TimestampCATx": %j{TimestampCATx:iso8601},"TimestampCARx": %j{TimestampCARx:iso8601},"TimestampAppLearnStart": %j{TimestampAppLearnStart:iso8601},"TimestampZENFirstRxClient": %j{TimestampZENFirstRxClient:iso8601},"TimestampZENFirstTxClient": %j{TimestampZENFirstTxClient:iso8601},"TimestampZENLastRxClient": %j{TimestampZENLastRxClient:iso8601},"TimestampZENLastTxClient": %j{TimestampZENLastTxClient:iso8601},"TimestampConnectorZENSetupComplete": %j{TimestampConnectorZENSetupComplete:iso8601},"TimestampZENFirstRxConnector": %j{TimestampZENFirstRxConnector:iso8601},"TimestampZENFirstTxConnector": %j{TimestampZENFirstTxConnector:iso8601},"TimestampZENLastRxConnector": %j{TimestampZENLastRxConnector:iso8601},"TimestampZENLastTxConnector": %j{TimestampZENLastTxConnector:iso8601},"ZENTotalBytesRxClient": %d{ZENTotalBytesRxClient},"ZENBytesRxClient": %d{ZENBytesRxClient},"ZENTotalBytesTxClient": %d{ZENTotalBytesTxClient},"ZENBytesTxClient": %d{ZENBytesTxClient},"ZENTotalBytesRxConnector": %d{ZENTotalBytesRxConnector},"ZENBytesRxConnector": %d{ZENBytesRxConnector},"ZENTotalBytesTxConnector": %d{ZENTotalBytesTxConnector},"ZENBytesTxConnector": %d{ZENBytesTxConnector},"Idp": %j{Idp},"ClientToClient": %j{c2c},"ClientCity": %j{ClientCity},"MicroTenantID": %j{MicroTenantID},"AppMicroTenantID": %j{AppMicroTenantID}}\n
User Status:
{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"Username": %j{Username},"SessionID": %j{SessionID},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"ZEN": %j{ZEN},"CertificateCN": %j{CertificateCN},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx},"Idp": %j{Idp},"Hostname": %j{Hostname},"Platform": %j{Platform},"ClientType": %j{ClientType},"TrustedNetworks": [%j(,){TrustedNetworks}],"TrustedNetworksNames": [%j(,){TrustedNetworksNames}],"SAMLAttributes": %j{SAMLAttributes},"PosturesHit": [%j(,){PosturesHit}],"PosturesMiss": [%j(,){PosturesMiss}],"ZENLatitude": %f{ZENLatitude},"ZENLongitude": %f{ZENLongitude},"ZENCountryCode": %j{ZENCountryCode},"FQDNRegistered": %j{fqdn_registered},"FQDNRegisteredError": %j{fqdn_register_error},"City": %j{City},"MicroTenantID": %j{MicroTenantID}}\n
Browser Access:
{"LogTimestamp":%j{LogTimestamp:time},"ConnectionID":%j{ConnectionID},"Exporter":%j{Exporter},"TimestampRequestReceiveStart":%j{TimestampRequestReceiveStart:iso8601},"TimestampRequestReceiveHeaderFinish":%j{TimestampRequestReceiveHeaderFinish:iso8601},"TimestampRequestReceiveFinish":%j{TimestampRequestReceiveFinish:iso8601},"TimestampRequestTransmitStart":%j{TimestampRequestTransmitStart:iso8601},"TimestampRequestTransmitFinish":%j{TimestampRequestTransmitFinish:iso8601},"TimestampResponseReceiveStart":%j{TimestampResponseReceiveStart:iso8601},"TimestampResponseReceiveFinish":%j{TimestampResponseReceiveFinish:iso8601},"TimestampResponseTransmitStart":%j{TimestampResponseTransmitStart:iso8601},"TimestampResponseTransmitFinish":%j{TimestampResponseTransmitFinish:iso8601},"TotalTimeRequestReceive":%d{TotalTimeRequestReceive},"TotalTimeRequestTransmit":%d{TotalTimeRequestTransmit},"TotalTimeResponseReceive":%d{TotalTimeResponseReceive},"TotalTimeResponseTransmit":%d{TotalTimeResponseTransmit},"TotalTimeConnectionSetup":%d{TotalTimeConnectionSetup},"TotalTimeServerResponse":%d{TotalTimeServerResponse},"Method":%j{Method},"Protocol":%j{Protocol},"Host":%j{Host},"URL":%j{URL},"UserAgent":%j{UserAgent},"XFF":%j{XFF},"NameID":%j{NameID},"StatusCode":%d{StatusCode},"RequestSize":%d{RequestSize},"ResponseSize":%d{ResponseSize},"ApplicationPort":%d{ApplicationPort},"ClientPublicIp":%j{ClientPublicIp},"ClientPublicPort":%d{ClientPublicPort},"ClientPrivateIp":%j{ClientPrivateIp},"Customer":%j{Customer},"ConnectionStatus":%j{ConnectionStatus},"ConnectionReason":%j{ConnectionReason},"Origin":%j{Origin},"CorsToken":%j{CorsToken}}\n
Private Service Edge Status:
{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"SessionType": %j{SessionType},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"PackageVersion": %j{PackageVersion},"Platform": %j{Platform},"ZEN": %j{ZEN},"ServiceEdge": %j{ServiceEdge},"ServiceEdgeGroup": %j{ServiceEdgeGroup},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"CPUUtilization": %d{CPUUtilization},"MemUtilization": %d{MemUtilization},"InterfaceDefRoute": %j{InterfaceDefRoute},"DefRouteGW": %j{DefRouteGW},"PrimaryDNSResolver": %j{PrimaryDNSResolver},"HostUpTime": %j{HostUpTime},"ServiceEdgeStartTime": %j{ServiceEdgeStartTime},"NumOfInterfaces": %d{NumOfInterfaces},"BytesRxInterface": %d{BytesRxInterface},"PacketsRxInterface": %d{PacketsRxInterface},"ErrorsRxInterface": %d{ErrorsRxInterface},"DiscardsRxInterface": %d{DiscardsRxInterface},"BytesTxInterface": %d{BytesTxInterface},"PacketsTxInterface": %d{PacketsTxInterface},"ErrorsTxInterface": %d{ErrorsTxInterface},"DiscardsTxInterface": %d{DiscardsTxInterface},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx},"MicroTenantID": %j{MicroTenantID}}\n
App Connector Status:
{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"SessionType": %j{SessionType},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"Platform": %j{Platform},"ZEN": %j{ZEN},"Connector": %j{Connector},"ConnectorGroup": %j{ConnectorGroup},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"CPUUtilization": %d{CPUUtilization},"MemUtilization": %d{MemUtilization},"ServiceCount": %d{ServiceCount},"InterfaceDefRoute": %j{InterfaceDefRoute},"DefRouteGW": %j{DefRouteGW},"PrimaryDNSResolver": %j{PrimaryDNSResolver},"HostStartTime": %j{HostStartTime},"ConnectorStartTime": %j{ConnectorStartTime},"NumOfInterfaces": %d{NumOfInterfaces},"BytesRxInterface": %d{BytesRxInterface},"PacketsRxInterface": %d{PacketsRxInterface},"ErrorsRxInterface": %d{ErrorsRxInterface},"DiscardsRxInterface": %d{DiscardsRxInterface},"BytesTxInterface": %d{BytesTxInterface},"PacketsTxInterface": %d{PacketsTxInterface},"ErrorsTxInterface": %d{ErrorsTxInterface},"DiscardsTxInterface": %d{DiscardsTxInterface},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx},"MicroTenantID": %j{MicroTenantID}}\n
- In SAML Attributes, click Select IdP, then select the IdP configurations to include in the policy.
- In the Application Segments menu, select the application segments to include, then click Done.
- In the Segment Groups menu, select the segment groups to include, then click Done.
- In the Client Types menu, select the client types to include, then click Done.
- In the Session Status menu, select the session status codes to exclude, then click Done.
- Click Next.
- In the Review tab, review the log receiver configuration, then click Save.
Note: The ZSCALER_VPN Gold parser supports only the JSON log format, so when you configure the log stream, be sure to select JSON as the Log Template from the menu.
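As an added example (not Zscaler's or Google's code), the script below parses the %j/%d/%f placeholder syntax used in the Log Stream Content templates above, lists JSON keys that are emitted under a different name from their ZPA source field (such as ClientToClient fed from c2c), and checks a received JSON line against the template it should follow. The abbreviated template and the sample log line are constructed for the demonstration.

```python
import json
import re

# Constructed, abbreviated User Activity template in the ZPA log stream content
# syntax shown on this page: %j{...} emits a JSON string, %d{...} an integer,
# %f{...} a float, and [%j(,){...}] a JSON list. The real default template
# carries many more fields; this subset is an assumption for the demo.
USER_ACTIVITY_TEMPLATE = (
    '{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},'
    '"SessionID": %j{SessionID},"IPProtocol": %d{IPProtocol},'
    '"ClientLatitude": %f{ClientLatitude},"ClientToClient": %j{c2c},'
    '"TrustedNetworks": [%j(,){TrustedNetworks}],'
    '"MicroTenantID": %j{MicroTenantID}}\\n'
)

# Constructed log line that a receiver might get back for that template:
# IPProtocol arrives as a string, MicroTenantID is missing, Extra is undeclared.
SAMPLE_LOG = (
    '{"LogTimestamp": "Thu Jan 18 10:31:01 2024", "Customer": "ABC Group", '
    '"SessionID": "session-id", "IPProtocol": "6", "ClientLatitude": 51.0, '
    '"ClientToClient": "0", "TrustedNetworks": ["corp-net"], "Extra": 1}'
)

# One "Key": %j{Field}, "Key": %d{Field:modifier} or "Key": [%j(,){Field}] pair.
_PAIR_RE = re.compile(
    r'"(?P<key>[^"]+)"\s*:\s*\[?'           # JSON key the receiver will see
    r'%(?P<fmt>[jdf])(?:\([^)]*\))?'        # format char, optional (,) separator
    r'\{(?P<field>[^}:]+)(?::[^}]+)?\}\]?'  # ZPA source field, optional :modifier
)


def parse_template(template: str) -> dict:
    """Return {json_key: (zpa_source_field, format_char)} for every pair."""
    return {
        m.group("key"): (m.group("field"), m.group("fmt"))
        for m in _PAIR_RE.finditer(template)
    }


def renamed_keys(template: str) -> dict:
    """JSON keys that differ from the ZPA field feeding them (e.g. c2c).

    The mapping table on this page is keyed by the JSON key name, so these
    are the names to double-check when you add or rename fields."""
    return {k: f for k, (f, _) in parse_template(template).items() if k != f}


def check_log_against_template(template: str, raw_log: str) -> dict:
    """Compare one received JSON log line with the template it should follow.

    Reports keys the template declares but the log lacks, keys the log has
    that the template never emits, and keys whose JSON type contradicts the
    template's %j/%d/%f format (a string where %d promised an integer)."""
    spec = parse_template(template)
    log = json.loads(raw_log)
    expected = {"j": (str, list), "d": int, "f": (int, float)}
    type_mismatch = []
    for key, (_, fmt) in spec.items():
        if key not in log:
            continue
        value = log[key]
        # bool is an int subclass in Python; a JSON true/false is never valid here
        if isinstance(value, bool) or not isinstance(value, expected[fmt]):
            type_mismatch.append(key)
    return {
        "missing": sorted(set(spec) - set(log)),
        "unexpected": sorted(set(log) - set(spec)),
        "type_mismatch": sorted(type_mismatch),
    }


if __name__ == "__main__":
    print(renamed_keys(USER_ACTIVITY_TEMPLATE))
    print(check_log_against_template(USER_ACTIVITY_TEMPLATE, SAMPLE_LOG))
```

Run it against the full default template and a line captured at your receiver to confirm that every key the parser expects is present with the type the template promises.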
Clone a log receiver
- Go to Control > Private Infrastructure > Log Streaming Service > Log Receivers.
- In the table, locate the log receiver that you want to clone, then click Clone.
- In the Add Log Receiver window, modify the fields as needed. For more information about each field, see the procedure in the "Add a log receiver" section.
- Click Save.
Edit a log receiver
- Go to Control > Private Infrastructure > Log Streaming Service > Log Receivers.
- In the table, locate the log receiver that you want to modify, then click Edit.
- In the Edit Log Receiver window, modify the fields as needed. For more information about each field, see the procedure in the "Add a log receiver" section.
- Click Save.
Delete a log receiver
- Go to Control > Private Infrastructure > Log Streaming Service > Log Receivers.
- In the table, locate the log receiver that you want to delete, then click Delete.
- In the Confirm window, click Delete.
Forward logs to Google SecOps using the Bindplane agent
- Install and configure a Linux virtual machine.
- Install and configure the Bindplane agent on Linux to forward logs to Google SecOps. For more information about installing and configuring the Bindplane agent, see the Bindplane agent installation and configuration instructions.
If you encounter issues when creating the feed, contact Google SecOps support.
Supported Zscaler VPN log formats
The Zscaler VPN parser supports logs in JSON format.
Supported Zscaler VPN log samples
JSON:
{ "LogTimestamp": "Thu Jan 18 10:31:01 2024", "Customer": "ABC Group", "SessionID": "session-id", "ConnectionID": "session-id,connection-id", "InternalReason": "OPEN_OR_ACTIVE_CONNECTION", "ConnectionStatus": "open", "IPProtocol": 6, "DoubleEncryption": 0, "Username": "bc@myownpersonaldomain.com", "ServicePort": 443, "ClientPublicIP": "198.51.100.0", "ClientPrivateIP": "198.51.100.0", "ClientLatitude": 51.000000, "ClientLongitude": 0.000000, "ClientCountryCode": "GB", "ClientZEN": "EU-GB-9900", "Policy": "RG-NAC-IT", "Connector": "abc.mc.local", "ConnectorZEN": "EU-GB-9900", "ConnectorIP": "198.51.100.0", "ConnectorPort": 51146, "Host": "xyz.io", "Application": "blabla", "AppGroup": "HB App Segments", "Server": "0", "ServerIP": "198.51.100.0", "ServerPort": 443, "PolicyProcessingTime": 63, "ServerSetupTime": 13069, "TimestampConnectionStart": "2024-01-18T10:31:01.152Z", "TimestampConnectionEnd": "", "TimestampCATx": "", "TimestampCARx": "2024-01-18T10:31:01.152Z", "TimestampAppLearnStart": "", "TimestampZENFirstRxClient": "", "TimestampZENFirstTxClient": "", "TimestampZENLastRxClient": "", "TimestampZENLastTxClient": "", "TimestampConnectorZENSetupComplete": "2024-01-18T10:31:01.172Z", "TimestampZENFirstRxConnector": "", "TimestampZENFirstTxConnector": "2024-01-18T10:31:01.172Z", "TimestampZENLastRxConnector": "", "TimestampZENLastTxConnector": "2024-01-18T10:31:01.172Z", "ZENTotalBytesRxClient": 710, "ZENBytesRxClient": 710, "ZENTotalBytesTxClient": 0, "ZENBytesTxClient": 0, "ZENTotalBytesRxConnector": 0, "ZENBytesRxConnector": 0, "ZENTotalBytesTxConnector": 0, "ZENBytesTxConnector": 0, "Idp": "Azure IdP Config", "ClientToClient": "0", "ClientCity": "Thamesmead", "MicroTenantID": "0", "AppMicroTenantID": "0" }
Field mapping reference
Field mapping reference: ZSCALER_VPN
The following table lists the log fields of the ZSCALER_VPN log type and their corresponding UDM fields.
Log field | UDM mapping | Logic |
---|---|---|
AppLearnTime |
additional.fields[app_learn_time] |
|
AppMicroTenantID |
additional.fields[app_micro_tenant_id] |
|
BytesRxInterface |
additional.fields[bytes_rx_interface] |
|
BytesTxInterface |
additional.fields[bytes_tx_interface] |
|
CAProcessingTime |
additional.fields[ca_processing_time] |
|
ClientToClient |
additional.fields[client_to_client] |
|
ClientZEN |
additional.fields[client_zen] |
|
ConnectionID |
additional.fields[connection_id] |
|
ConnectionReason |
additional.fields[connection_reason] |
|
ConnectionSetupTime |
additional.fields[connection_setup_time] |
|
ConnectorZEN |
additional.fields[connector_zen] |
|
ConnectorGroup |
additional.fields[connector_group] |
|
ConnectorStartTime |
additional.fields[connector_start_time] |
|
ConnectorZENSetupTime |
additional.fields[connector_zen_setup_time] |
|
Connector |
additional.fields[connector] |
|
CPUUtilization |
additional.fields[cpu_utilization] |
|
Customer |
additional.fields[customer] |
|
DefRouteGW |
additional.fields[def_route_gw] |
|
DiscardsRxInterface |
additional.fields[discards_rx_interface] |
|
DiscardsTxInterface |
additional.fields[discards_tx_interface] |
|
DoubleEncryption |
additional.fields[double_encryption] |
If the DoubleEncryption log field value is equal to 0 or the DoubleEncryption log field value is equal to "0" , then the additional.fields.double_encryption UDM field is set to Off Else if the DoubleEncryption log field value is equal to 1 or the DoubleEncryption log field value is equal to "1" , then the additional.fields.double_encryption UDM field is set to On Else the DoubleEncryption log field is mapped to the additional.fields.double_encryption UDM field. |
ErrorsRxInterface |
additional.fields[errors_rx_interface] |
|
ErrorsTxInterface |
additional.fields[errors_tx_interface] |
|
Exporter |
additional.fields[exporter] |
|
HostStartTime |
additional.fields[host_start_time] |
|
Idp |
additional.fields[idp] |
|
InterfaceDefRoute |
additional.fields[interface_def_route] |
|
MemUtilization |
additional.fields[mem_utilization] |
|
MicroTenantID |
additional.fields[micro_tenant_id] |
|
NumOfInterfaces |
additional.fields[num_of_interfaces] |
|
PackageVersion |
additional.fields[package_version] |
|
PacketsRxInterface |
additional.fields[packets_rx_interface] |
|
PacketsTxInterface |
additional.fields[packets_tx_interface] |
|
PolicyProcessingTime |
additional.fields[policy_processing_time] |
|
PRAApprovalID |
additional.fields[pra_approval_id] |
|
PRACapabilityPolicyID |
additional.fields[pra_capability_policy_id] |
|
PRAConnectionID |
additional.fields[pra_connection_id] |
|
PRAConsoleType |
additional.fields[pra_console_type] |
|
PRACredentialLoginType |
additional.fields[pra_credential_login_type] |
|
PRACredentialPolicyID |
additional.fields[pra_credential_policy_id] |
|
PRACredentialUserName |
additional.fields[pra_credential_user_name] |
|
PRAErrorStatus |
additional.fields[pra_error_status] |
|
PRAFileTransferList |
additional.fields[pra_file_transfer_list] |
|
PRARecordingStatus |
additional.fields[pra_recording_status] |
|
PRASessionType |
additional.fields[pra_session_type] |
|
PRASharedMode |
additional.fields[pra_shared_mode] |
|
PRASharedUserList |
additional.fields[pra_shared_user_list] |
|
PrimaryDNSResolver |
additional.fields[primary_dns_resolver] |
|
RequestSize |
additional.fields[request_size] |
|
ResponseSize |
additional.fields[response_size] |
|
SAMLAttributes |
additional.fields[saml_attributes] |
|
ServerSetupTime |
additional.fields[server_setup_time] |
|
ServiceCount |
additional.fields[service_count] |
|
ServiceEdgeGroup |
additional.fields[service_edge_group] |
|
ServiceEdgeStartTime |
additional.fields[service_edge_start_time] |
|
ServiceEdge |
additional.fields[service_edge] |
|
SessionType |
additional.fields[session_type] |
|
TimestampAppLearnStart |
additional.fields[timestamp_app_learn_start] |
|
TimestampCARx |
additional.fields[timestamp_ca_rx] |
|
TimestampCATx |
additional.fields[timestamp_ca_tx] |
|
TimestampConnectionEnd |
additional.fields[timestamp_connection_end] |
|
TimestampConnectorZENSetupComplete |
additional.fields[timestamp_connector_zen_setup_complete] |
|
TimestampRequestReceiveFinish |
additional.fields[timestamp_request_receive_finish] |
|
TimestampRequestReceiveHeaderFinish |
additional.fields[timestamp_request_receive_header_finish] |
|
TimestampRequestReceiveStart |
additional.fields[timestamp_request_receive_start] |
|
TimestampRequestTransmitFinish |
additional.fields[timestamp_request_transmit_finish] |
|
TimestampRequestTransmitStart |
additional.fields[timestamp_request_transmit_start] |
|
TimestampResponseReceiveFinish |
additional.fields[timestamp_response_receive_finish] |
|
TimestampResponseReceiveStart |
additional.fields[timestamp_response_receive_start] |
|
TimestampResponseTransmitFinish |
additional.fields[timestamp_response_transmit_finish] |
|
TimestampResponseTransmitStart |
additional.fields[timestamp_response_transmit_start] |
|
TimestampZENFirstRxClient |
additional.fields[timestamp_zen_first_rx_client] |
|
TimestampZENFirstRxConnector |
additional.fields[timestamp_zen_first_rx_connector] |
|
TimestampZENFirstTxClient |
additional.fields[timestamp_zen_first_tx_client] |
|
TimestampZENFirstTxConnector |
additional.fields[timestamp_zen_first_tx_connector] |
|
TimestampZENLastRxClient |
additional.fields[timestamp_zen_last_rx_client] |
|
TimestampZENLastRxConnector |
additional.fields[timestamp_zen_last_rx_connector] |
|
TimestampZENLastTxClient |
additional.fields[timestamp_zen_last_tx_client] |
|
TimestampZENLastTxConnector |
additional.fields[timestamp_zen_last_tx_connector] |
|
TotalTimeConnectionSetup |
additional.fields[total_time_connection_setup] |
|
TotalTimeRequestReceive |
additional.fields[total_time_request_receive] |
|
TotalTimeRequestTransmit |
additional.fields[total_time_request_transmit] |
|
TotalTimeResponseReceive |
additional.fields[total_time_response_receive] |
|
TotalTimeResponseTransmit |
additional.fields[total_time_response_transmit] |
|
TotalTimeServerResponse |
additional.fields[total_time_server_response] |
|
Version |
additional.fields[version] |
|
XFF |
additional.fields[xff] |
|
ZEN |
additional.fields[zen] |
|
Connector |
intermediary.application |
|
ConnectorIP |
intermediary.ip |
If the ConnectorIP log field value is not empty, then the ConnectorIP log field is mapped to the intermediary.ip UDM field. |
ZENCountryCode |
intermediary.location.country_or_region |
|
ZENLatitude |
intermediary.location.region_coordinates.latitude |
|
ZENLongitude |
intermediary.location.region_coordinates.longitude |
|
ZENTotalBytesRxClient |
intermediary.network.received_bytes |
|
ZENTotalBytesTxClient |
intermediary.network.sent_bytes |
|
ConnectorPort |
intermediary.port |
If the ConnectorPort log field value is not empty, then the ConnectorPort log field is mapped to the intermediary.port UDM field. |
ZENBytesTxClient |
intermediary.resource.attribute.labels[zen_bytes_tx_client] |
|
ZENTotalBytesTxConnector |
intermediary.resource.attribute.labels[zen_total_bytes_tx_connector] |
|
ZENBytesRxConnector |
intermediary.resource.attribute.labels[zen_bytes_rx_connector] |
|
ZENTotalBytesRxConnector |
intermediary.resource.attribute.labels[zen_total_bytes_rx_connector] |
|
ZENBytesRxClient |
intermediary.resource.attribute.labels[zen_bytes_rx_client] |
|
Policy |
metadata.description |
|
LogTimestamp |
metadata.event_timestamp |
If the LogTimestamp log field value is not empty, then the LogTimestamp log field is mapped to the metadata.event_timestamp UDM field. |
TimestampConnectionStart |
metadata.event_timestamp |
If the LogTimestamp log field value is not empty, then the LogTimestamp log field value is mapped to the metadata.event_timestamp UDM field.Else if the TimestampAuthentication log field value is not empty, then the TimestampAuthentication log field value is mapped to the metadata.event_timestamp UDM field.Else if the TimestampUnAuthentication log field value is not empty, then the TimestampUnAuthentication log field value is mapped to the metadata.event_timestamp UDM field.Else if the TimestampConnectionStart log field value is not empty, then the TimestampConnectionStart log field is mapped to the metadata.event_timestamp UDM field. |
InternalReason |
metadata.product_event_type |
|
SessionStatus |
metadata.product_event_type |
|
|
network.ip_protocol |
If the IPProtocol log field value contain one of the following values, then if the IPProtocol log field value is equal to 88 , then the network.ip_protocol UDM field is set to EIGRP .Else, if the IPProtocol log field value is equal to 50 , then the network.ip_protocol UDM field is set to ESP .Else, if the IPProtocol log field value is equal to 97 , then the network.ip_protocol UDM field is set to ETHERIP .Else, if the IPProtocol log field value is equal to 47 , then the network.ip_protocol UDM field is set to GRE .Else, if the IPProtocol log field value is equal to 1 , then the network.ip_protocol UDM field is set to ICMP .Else, if the IPProtocol log field value is equal to 58 , then the network.ip_protocol UDM field is set to ICMP6 .Else, if the IPProtocol log field value is equal to 2 , then the network.ip_protocol UDM field is set to IGMP .Else, if the IPProtocol log field value is equal to 41 , then the network.ip_protocol UDM field is set to IP6IN4 .Else, if the IPProtocol log field value is equal to 103 , then the network.ip_protocol UDM field is set to PIM .Else, if the IPProtocol log field value is equal to 132 , then the network.ip_protocol UDM field is set to SCTP .Else, if the IPProtocol log field value is equal to 6 , then the network.ip_protocol UDM field is set to TCP .Else, if the IPProtocol log field value is equal to 17 , then the network.ip_protocol UDM field is set to UDP .Else, if the IPProtocol log field value is equal to 0 , then the network.ip_protocol UDM field is set to UNKNOWN_IP_PROTOCOL .Else, if the IPProtocol log field value is equal to 112 , then the network.ip_protocol UDM field is set to VRRP .
|
|
additional.fields[protocol] |
If the IPProtocol log field value does not contain one of the following values, then the IPProtocol log field is mapped to the additional.fields.protocol UDM field.
|
SessionID |
network.session_id |
|
ClientType |
principal.application |
|
Hostname |
principal.hostname |
|
ClientPrivateIp |
principal.ip |
If the ClientPrivateIp log field value is not empty, then the ClientPrivateIp log field is mapped to the principal.ip UDM field. |
PrivateIP |
principal.ip |
Else, if the PrivateIP log field value is not empty, then the PrivateIP log field is mapped to the principal.ip UDM field. |
ClientPrivateIP |
principal.ip |
Else, if the ClientPrivateIP log field value is not empty, then the ClientPrivateIP log field is mapped to the principal.ip UDM field. |
ClientCity |
principal.location.city |
|
City |
principal.location.city |
|
ClientCountryCode |
principal.location.country_or_region |
|
CountryCode |
principal.location.country_or_region |
|
ClientLatitude |
principal.location.region_coordinates.latitude |
|
Latitude |
principal.location.region_coordinates.latitude |
|
ClientLongitude |
principal.location.region_coordinates.longitude |
|
Longitude |
principal.location.region_coordinates.longitude |
|
Protocol |
principal.network.application_protocol.ApplicationProtocol |
If the Protocol log field value contain one of the following values, then the Protocol log field is mapped to the principal.network.application_protocol UDM field.
|
ClientPublicIp |
principal.nat_ip |
If the ClientPrivateIp log field value is not empty or the PrivateIP log field value is not empty or the ClientPrivateIP log field value is not empty, then if the ClientPublicIp log field value is not empty, then the ClientPublicIp log field is mapped to the principal.nat_ip UDM field. |
PublicIP |
principal.nat_ip |
If the ClientPrivateIp log field value is not empty or the PrivateIP log field value is not empty or the ClientPrivateIP log field value is not empty, then if the PublicIP log field value is not empty, then the PublicIP log field is mapped to the principal.nat_ip UDM field. |
ClientPublicIP |
principal.nat_ip |
If the ClientPrivateIp log field value is not empty or the PrivateIP log field value is not empty or the ClientPrivateIP log field value is not empty, then if ClientPublicIP log field value is not empty, then the ClientPublicIP log field is mapped to the principal.nat_ip UDM field. |
ClientPublicPort |
principal.nat_port |
|
Method |
principal.network.http.method |
|
URL |
principal.network.http.referral_url |
|
StatusCode |
principal.network.http.response_code |
|
UserAgent |
principal.network.http.user_agent |
|
TotalBytesRx |
principal.network.received_bytes |
|
TotalBytesTx |
principal.network.sent_bytes |
|
|
principal.platform |
If the Platform log field value matches the regular expression pattern .*(Windows|windows|WINDOWS|Win|win) , then the principal.platform UDM field is set to WINDOWS .Else, if the Platform log field value matches the regular expression pattern .*(MAC|mac|Mac) , then the principal.platform UDM field is set to MAC .Else, if the Platform log field value matches the regular expression pattern .*(Linux|linux) , then the principal.platform UDM field is set to LINUX . |
ServicePort |
principal.port |
|
ApplicationPort |
principal.port |
|
FQDNRegisteredError |
principal.security_result.about.labels[fqdn_registered_error] |
|
FQDNRegistered |
principal.security_result.about.labels[fqdn_registered] |
|
PosturesHit |
principal.security_result.detection_fields[postures_hit] |
The PosturesHit log field is mapped to the principal.security_result.detection_fields.postures_hit UDM field. |
PosturesMiss |
principal.security_result.detection_fields[postures_miss] |
The PosturesMiss log field is mapped to the principal.security_result.detection_fields.postures_miss UDM field. |
TrustedNetworksNames |
principal.security_result.detection_fields[trusted_networks_names] |
|
TrustedNetworks |
principal.security_result.detection_fields[trusted_networks] |
|
Username |
principal.user.email_addresses |
If the SessionStatus log field value does not contain one of the following values, then if the Username log field value matches the regular expression pattern (^.*@.*$) , then the Username log field is mapped to the principal.user.email_addresses UDM field.
InternalReason log field value does not contain one of the following values, then if the Username log field value matches the regular expression pattern (^.*@.*$) , then the Username log field is mapped to the principal.user.email_addresses UDM field.
|
Username |
principal.user.user_display_name |
If the SessionStatus log field value does not contain one of the following values, then if the Username log field value does not match the regular expression pattern (^.*@.*$) , then the Username log field is mapped to the principal.user.user_display_name UDM field.
|
NameID |
principal.user.email_addresses |
If the SessionStatus log field value does not contain one of the following values, then if the NameID log field value matches the regular expression pattern (^.*@.*$) , then the NameID log field is mapped to the principal.user.email_addresses UDM field.
InternalReason log field value does not contain one of the following values, then if the NameID log field value matches the regular expression pattern (^.*@.*$) , then the NameID log field is mapped to the principal.user.email_addresses UDM field.
|
ConnectionStatus |
security_result.about.labels[connection_status] |
|
CorsToken |
security_result.detection_fields [cors_token] |
|
CertificateCN |
security_result.detection_fields[certificate_cn] |
|
Server |
security_result.detection_fields[server] |
|
Policy |
security_result.rule_name |
|
Application |
target.application |
|
Host |
target.hostname |
|
ServerIP |
target.ip |
|
ZENBytesTxConnector |
target.network.sent_bytes |
|
ServerPort |
target.port |
|
AppGroup |
target.user.group_identifiers |
|
UserID |
target.user.email_addresses |
If the SessionStatus log field value contain one of the following values, then if the UserID log field value matches the regular expression pattern (^.*@.*$) , then the UserID log field is mapped to the target.user.email_addresses UDM field.
|
UserID |
target.user.userid |
If the SessionStatus log field value contain one of the following values, then if the UserID log field value matches the regular expression pattern (^.*@.*$) , then the UserID log field is mapped to the target.user.userid UDM field.
|
UserID |
target.user.user_display_name |
If the SessionStatus log field value contain one of the following values, then if the UserID log field value is not empty and the UserID log field value does not match the regular expression pattern (^.*@.*$) , then the UserID log field is mapped to the target.user.user_display_name UDM field.
|
Username |
target.user.user_display_name |
If the SessionStatus log field value contain one of the following values, then if the UserID log field value is not empty and the UserID log field value does not match the regular expression pattern (^.*@.*$) , then else, if the Username log field value is not empty and the Username log field value does not match the regular expression pattern (^.*@.*$) , then the Username log field is mapped to the target.user.user_display_name UDM field.
|
|
security_result.category |
If the InternalReason log field value is equal to BRK_MT_SETUP_FAIL_REJECTED_BY_POLICY , then the security_result.category UDM field is set to ACL_VIOLATION . |
|
security_result.summary |
If the InternalReason log field value is equal to ZPN_STATUS_AUTHENTICATED , then the security_result.summary UDM field is set to User connected to a ZPA Service Edge .Else, if the SessionStatus log field value is equal to ZPN_STATUS_AUTHENTICATED , then the security_result.summary UDM field is set to User connected to a ZPA Service Edge .Else, if the InternalReason log field value is equal to ZPN_STATUS_DISCONNECTED , then the security_result.summary UDM field is set to User disconnected from a ZPA Service Edge .Else, if the SessionStatus log field value is equal to ZPN_STATUS_DISCONNECTED , then the security_result.summary UDM field is set to User disconnected from a ZPA Service Edge .Else, if the InternalReason log field value is equal to BRK_MT_SETUP_FAIL_REJECTED_BY_POLICY , then the The user isn't allowed to access the requested application. log field is mapped to the security_result.summary UDM field.Else, if the SessionStatus log field value is equal to BRK_MT_SETUP_FAIL_REJECTED_BY_POLICY , then the The user isn't allowed to access the requested application. log field is mapped to the security_result.summary UDM field.Else, if the InternalReason log field value is equal to BRK_MT_TERMINATED , then the security_result.summary UDM field is set to Client closed app TLS connection .Else, if the SessionStatus log field value is equal to BRK_MT_TERMINATED , then the security_result.summary UDM field is set to Client closed app TLS connection .Else, if the InternalReason log field value is equal to INVALID_DOMAIN , then the DNS resolution or healthcheck failed. log field is mapped to the security_result.summary UDM field.Else, if the SessionStatus log field value is equal to INVALID_DOMAIN , then the DNS resolution or healthcheck failed. 
log field is mapped to the security_result.summary UDM field.Else, if the InternalReason log field value is equal to MT_CLOSED_TLS_CONN_GONE_CLIENT_CLOSED , then the security_result.summary UDM field is set to Client closed app TLS connection .Else, if the SessionStatus log field value is equal to MT_CLOSED_TLS_CONN_GONE_CLIENT_CLOSED , then the security_result.summary UDM field is set to Client closed app TLS connection . |
|
security_result.description |
The security_result.description UDM field is set according to the InternalReason log field value. The conditions are evaluated in the following order, and the first match applies:
- ZPN_STATUS_AUTH_FAILED: User failed to authenticate in ZPA.
- BRK_MT_SETUP_FAIL_SAML_EXPIRED: The ZPA service blocked the application request because the timeout policy requires the user to authenticate.
- BRK_MT_SETUP_FAIL_SCIM_INACTIVE: The ZPA Public Service Edge or ZPA Private Service Edge has failed to set up the data connection due to the user being deactivated or not synced in SCIM.
- BRK_MT_SETUP_FAIL_TOO_MANY_FAILED_ATTEMPTS: The ZPA Public Service Edge or ZPA Private Service Edge has received the exceeded limit of errors to accept any additional connection requests for this domain. New requests are not received until the preset waiting period has elapsed.
- BRK_MT_SETUP_TIMEOUT: The ZPA Public Service Edge or ZPA Private Service Edge was waiting for a data connection request from an App Connector that could provide access to the application, but the request timed out while waiting. The request from an App Connector is triggered in response to the initial application request from the Zscaler Client Connector.
- BRK_MT_TERMINATED_APPROVAL_TIMEOUT: The ZPA Public Service Edge or ZPA Private Service Edge terminated the session and caused a timeout due to approval time window expiration.
- BRK_MT_TERMINATED_BRK_SWITCHED: The Zscaler Client Connector connection to a ZPA Public Service Edge was terminated due to a ZPA Public Service Edge initiated switch.
- BRK_MT_TERMINATED_IDLE_TIMEOUT: If an idle timeout is configured, ZPA will keep the user's application session alive for the interval specified by the Idle Connection Timeout prior to terminating the session. This is not an error scenario, only a function of the service.
- BRK_MT_TERMINATED: The ZPA Public Service Edge or ZPA Private Service Edge closed the application tunnel connection. This is part of the Service Edge's regular process at the end of an application request.
- BROKER_NOT_ENABLED: Remote assistance communication is disabled for the ZPA Public Service Edge.
- C2C_CLIENT_CONN_EXPIRED: The client connection expired during the initiation of a remote assistance session.
- C2C_CLIENT_NOT_FOUND: The client connection is closed during the initiation of a remote assistance session.
- C2C_MTUNNEL_BAD_STATE: The remote assistance connection expired due to inconsistencies in the connection.
- C2C_MTUNNEL_FAILED_FORWARD: The remote assistance connection failed to initiate the connection to the destination client and expired.
- C2C_MTUNNEL_NOT_FOUND: The remote assistance connection is not found.
- C2C_NOT_AVAILABLE: The remote assistance connection is not available.
- CLT_CONN_FAILED: The incoming TCP connection failed.
- CLT_DOUBLEENCRYPT_NOT_SUPPORTED: The double encryption of the incoming Microtunnel request is not supported by the Zscaler Client Connector.
- CLT_DUPLICATE_TAG: The tag ID is used in the Zscaler Client Connector.
- CLT_INVALID_CLIENT: The receiving Zscaler Client Connector device doesn't match with the request.
- CLT_INVALID_DOMAIN: The FQDN destination host doesn't match the receiving Zscaler Client Connector detected.
- CLT_INVALID_TAG: The tag ID is not designed for the incoming Microtunnel flow.
- CLT_PORT_UNREACHABLE: The port is not listening.
- CLT_PROBE_FAILED: The port probe failed.
- CLT_PROTOCOL_NOT_SUPPORTED: The IP protocol of the incoming Microtunnel request is not supported by the Zscaler Client Connector.
- CLT_READ_FAILED: The Zscaler Client Connector local socket read failed.
- CLT_WRONG_PORT: The incoming Microtunnel request asks for the listening ports of the Zscaler Client Connector itself.
- CUSTOMER_NOT_ENABLED: Remote assistance communication is disabled for the current customer.
- DSP_MT_SETUP_FAIL_CANNOT_SEND_TO_BROKER: The path selection service is unable to communicate with the ZPA Public Service Edge or ZPA Private Service Edge.
- DSP_MT_SETUP_FAIL_DISCOVERY_TIMEOUT: The health information request timed out when attempting to reach the App Connector.
- DSP_MT_SETUP_FAIL_MISSING_HEALTH: The App Connector was unable to process the continuous health report due to missing health information.
- EXPTR_FCONN_GONE: User access fails due to a network error that caused the Browser Access service to remove the user's application sessions.
- EXPTR_MT_TLS_SETUP_FAIL_CERT_CHAIN_ISSUE: ZPA is not able to validate the chain of trust for the server certificate configured for this application.
- EXPTR_MT_TLS_SETUP_FAIL_NOT_TRUSTED_CA: The application server certificate is not signed by a trusted CA and ZPA is configured to verify that the web server certificate is signed by a trusted CA.
- EXPTR_MT_TLS_SETUP_FAIL_PEER: Browser Access service cannot set up a HTTPS connection towards the web server due to an issue occurring during TLS setup.
- EXPTR_MT_TLS_SETUP_FAIL_VERSION_MISMATCH: A TLS version mismatch between ZPA and the Browser Access-enabled application occurred. This happens when the web server is running TLS 1.0/1.1 or earlier versions.
- FOHH_CLOSE_REASON_AST_DATA_CONN_FLOW_CONTROL: The ZPA Public Service Edge or ZPA Private Service Edge data connection was closed by App Connector because the connection was idle or blocked for more than 5 minutes.
- FOHH_CLOSE_REASON_AST_PBRK_CTRL_CONN_CFG_CHG: The ZPA Private Service Edge connection was closed due to a change in the ZPA Private Service Edge configuration.
- FOHH_CLOSE_REASON_AST_PBRK_DATA_DOWN: The ZPA Private Service Edge connection to the App Connector was disconnected.
- FOHH_CLOSE_REASON_AST_PBRK_VERIFY_FAILED: The ZPA Private Service Edge connection was closed because the connection was made with a ZPA Private Service Edge different than the expected ZPA Private Service Edge.
- FOHH_CLOSE_REASON_BRK_DATA_CONN_FLOW_CONTROL: The data connection was closed by the ZPA Public Service Edge or ZPA Private Service Edge because the connection was idle or blocked for more than 5 minutes.
- FOHH_CLOSE_REASON_CALLBACK_ERR: The ZPA Public Service Edge or ZPA Private Service Edge connection callback returned an error.
- FOHH_CLOSE_REASON_CERT_VERIFY: The ZPA Public Service Edge or ZPA Private Service Edge connection was unable to verify the server certificate.
- FOHH_CLOSE_REASON_CONNECT_TIMEOUT: The ZPA Public Service Edge or ZPA Private Service Edge timed out while setting up a connection. This is not an error scenario, only a function of the service.
- FOHH_CLOSE_REASON_DATA_CONN_FLOW_CONTROL: The ZPA Public Service Edge or ZPA Private Service Edge connection was closed because flow control was blocked for more than 5 minutes.
- FOHH_CLOSE_REASON_HTTP_RESPONSE: The ZPA Public Service Edge or ZPA Private Service Edge connection was closed because the returned code was not 200. The returned code 200 means that a connection is OK.
- FOHH_CLOSE_REASON_LOG_RECONN: The ZPA Public Service Edge or ZPA Private Service Edge reconnection to the log channels timed out because the reconnection timer expired.
- FOHH_CLOSE_REASON_MEMORY: The ZPA Public Service Edge or ZPA Private Service Edge connection closed because of one of the following reasons: a memory error due to the read buffer on the connection not being allocated, or the SSL state from the SSL context is unavailable.
- FOHH_CLOSE_REASON_OPS: The ZPA Public Service Edge or ZPA Private Service Edge connection was closed at the user's request.
- FOHH_CLOSE_REASON_PROXY_DNS: The ZPA Public Service Edge or ZPA Private Service Edge connection closed because the address resolution for this destination is no longer available.
- FOHH_CLOSE_REASON_PROXY_FAIL: The ZPA Public Service Edge or ZPA Private Service Edge connection was closed due to one of the following proxy connection issues received: a failed connection, unable to send a connection request, or an error from the proxy.
- FOHH_CLOSE_REASON_PROXY_IDLE: The ZPA Public Service Edge or ZPA Private Service Edge connection closed because the connection through the proxy timed out.
- FOHH_CLOSE_REASON_PROXY_NOT_200: The ZPA Public Service Edge or ZPA Private Service Edge connection through the proxy was closed because the returned code was not 200. The returned code 200 means that a connection is OK.
- FOHH_CLOSE_REASON_PROXY_PARSE: The ZPA Public Service Edge or ZPA Private Service Edge connection through the proxy was closed because the proxy modified the HTTP fields which caused parsing issues.
- FOHH_CLOSE_REASON_PROXY_TIMEOUT: The ZPA Public Service Edge or ZPA Private Service Edge connection was closed because the connection through the proxy exceeded the proxy timeout value.
- FOHH_CLOSE_REASON_REDIRECT: The ZPA Public Service Edge or ZPA Private Service Edge connection was redirected to another ZPA Public Service Edge or ZPA Private Service Edge.
- FOHH_CLOSE_REASON_REGISTRATION: The ZPA Public Service Edge or ZPA Private Service Edge was unable to register status callbacks.
- FOHH_CLOSE_REASON_RX_TIMEOUT: The ZPA Public Service Edge or ZPA Private Service Edge connection timed out while waiting for a connection response from the server.
- FOHH_CLOSE_REASON_SERIALIZE: The ZPA Public Service Edge or ZPA Private Service Edge connection was closed because the serializer was unable to serialize an internal control message.
- FOHH_CLOSE_REASON_SETSOCKOPT: The ZPA Public Service Edge or ZPA Private Service Edge connection was closed because the status of the proxy connection was unavailable.
- FOHH_CLOSE_REASON_SNI_MISSING: The ZPA Public Service Edge or ZPA Private Service Edge connection is closed because the Server Name Indication (SNI) is missing.
- FOHH_CLOSE_REASON_SNI_SLOW: The ZPA Public Service Edge or ZPA Private Service Edge connection closed because the maximum number of Server Name Indication (SNI) callbacks was reached.
- FOHH_CLOSE_REASON_SNI_TIMEOUT: The ZPA Public Service Edge or ZPA Private Service Edge connection is closed because the wait time for Server Name Indication (SNI) callbacks has expired.
- FOHH_CLOSE_REASON_SOCKET_CLOSE: The ZPA Public Service Edge or ZPA Private Service Edge connection was closed because the end of file was received. This is not an error scenario, only a function of the service.
- FOHH_CLOSE_REASON_SOCKET_ERR: The ZPA Public Service Edge or ZPA Private Service Edge connection was closed due to a socket error.
- FOHH_CLOSE_REASON_SSL_CTX_NONE: The ZPA Public Service Edge or ZPA Private Service Edge connection closed because it was unable to identify the SSL context.
- FOHH_CLOSE_REASON_TIMEOUT: The ZPA Public Service Edge or ZPA Private Service Edge keeps the user's application session alive for the time interval specified by the Idle Connection Timeout prior to terminating the session. This is not an error scenario, only a function of the service.
- FOHH_CLOSE_REASON_TLV_CALLBACK: The ZPA Public Service Edge or ZPA Private Service Edge connection was closed due to a deserialization error.
- APP_NOT_AVAILABLE: The Application Segment is not configured for access.
- APP_NOT_REACHABLE: None of the App Connectors configured for the application can reach the server.
- AST_MT_SETUP_ERR_APP_NOT_FOUND: The App Connector cannot set up a connection to the server because it cannot find the application in the configuration database.
- AST_MT_SETUP_ERR_AST_CFG_DISABLE: The Microtunnel setup has failed because the App Connector has been disabled in the ZPA Admin Portal.
- AST_MT_SETUP_ERR_AST_IN_PAUSE_STATE_FOR_UPGRADE: The App Connector is in a paused state for upgrade. The App Connector will return to a normal state after the upgrade completes.
- AST_MT_SETUP_ERR_BIND_ACK: The connection confirmation from the ZPA Public Service Edge or ZPA Private Service Edge has an error.
- AST_MT_SETUP_ERR_BIND_GLOBAL_OWNER: The App Connector processing the data connection request encountered an error.
- AST_MT_SETUP_ERR_BIND_TO_AST_LOCAL_OWNER: The App Connector processing the data connection request has encountered an error.
- AST_MT_SETUP_ERR_BRK_HASH_TBL_FULL: The App Connector cannot set up a connection to the ZPA Public Service Edge or ZPA Private Service Edge because the connection database is full.
- AST_MT_SETUP_ERR_BROKER_BIND_FAIL: The App Connector encountered an error when setting up a data connection to the ZPA Public Service Edge or ZPA Private Service Edge.
- AST_MT_SETUP_ERR_CONN_PEER: The App Connector encountered an error when connecting the ZPA Public Service Edge or ZPA Private Service Edge and server connections.
- AST_MT_SETUP_ERR_CPU_LIMIT_REACHED: The App Connector CPU limit is exceeded for a Privileged Remote Access (PRA) connection. No more PRA connections are allowed.
- AST_MT_SETUP_ERR_DUP_MT_ID: The App Connector cannot set up a data connection because another data connection with the same tag ID already exists.
- AST_MT_SETUP_ERR_HASH_TBL_FULL: The App Connector cannot set up a connection to the server because the connection database is full.
- AST_MT_SETUP_ERR_INIT_FOHH_MCONN: The App Connector encountered an error when setting up a connection to the ZPA Public Service Edge or ZPA Private Service Edge.
- AST_MT_SETUP_ERR_MAX_SESSIONS_REACHED: The maximum session limit is reached for Privileged Remote Access (PRA) connections on the App Connector.
- AST_MT_SETUP_ERR_MEM_LIMIT_REACHED: The App Connector memory limit is exceeded for a Privileged Remote Access (PRA) connection. No more PRA connections are allowed.
- AST_MT_SETUP_ERR_NO_DNS_TO_SERVER: The end host (not a proxy or a configured server group) is not resolvable. The code only comes up in a specific use case when all of the following apply:
- AST_MT_SETUP_ERR_NO_EPHEMERAL_PORT: The transaction failed as the operating system has run out of source ports.
- AST_MT_SETUP_ERR_NO_PROCESS_FD: The transaction failed as the App Connector processing could not secure additional file descriptors from the operating system.
- AST_MT_SETUP_ERR_NO_SYSTEM_FD: The transaction failed as the operating system has run out of file descriptors.
- AST_MT_SETUP_ERR_OPEN_BROKER_CONN: The App Connector encountered an error when opening a connection to the ZPA Public Service Edge or ZPA Private Service Edge.
- AST_MT_SETUP_ERR_OPEN_SERVER_CLOSE: During data connection setup, the connection from the server to the App Connector was closed.
- AST_MT_SETUP_ERR_OPEN_SERVER_CONN:
|
|
security_result.action |
If the InternalReason log field value contains one of the following values, then the security_result.action UDM field is set to BLOCK.
|
|
metadata.event_type |
The metadata.event_type UDM field is derived in the following order; the first matching rule applies:
- If the InternalReason log field value contains one of the following values, then the metadata.event_type UDM field is set to NETWORK_CONNECTION.
- Else, if the SessionStatus log field value is equal to ZPN_STATUS_AUTHENTICATED and at least one of the Application, Host, ServerIP, ZENBytesTxConnector, ServerPort, AppGroup, UserID, Username or NameID log fields is not empty, then the metadata.event_type UDM field is set to USER_LOGIN.
- Else, if the SessionStatus log field value is equal to ZPN_STATUS_DISCONNECTED and at least one of the same log fields (Application, Host, ServerIP, ZENBytesTxConnector, ServerPort, AppGroup, UserID, Username or NameID) is not empty, then the metadata.event_type UDM field is set to USER_LOGOUT.
- Else, if the principal.ip, principal.mac, principal.hostname or principal.asset_id UDM field is not empty, then the metadata.event_type UDM field is set to STATUS_UPDATE.
- Else, the metadata.event_type UDM field is set to GENERIC_EVENT. |
|
metadata.product_name |
|
extensions.auth.type |
If the InternalReason log field value contains one of the following values and the Username log field value is not empty, then the extensions.auth.type UDM field is set to VPN.
Else, if the SessionStatus log field value contains one of the following values and the Username log field value is not empty, then the extensions.auth.type UDM field is set to VPN.
|
NameID |
principal.user.userid |
If the SessionStatus log field value does not contain one of the following values and the NameID log field value does not match the regular expression pattern (^.*@.*$), then the NameID log field is mapped to the principal.user.userid UDM field.
Else, if the InternalReason log field value does not contain one of the following values and the NameID log field value does not match the regular expression pattern (^.*@.*$), then the NameID log field is mapped to the principal.user.userid UDM field.
|
metadata.vendor_name |
|
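The mapping rules above (security_result.description and security_result.summary from InternalReason, metadata.event_type from SessionStatus and field presence, extensions.auth.type, and the NameID to principal.user.userid rule) are compact enough to model directly, which is useful when validating what a given ZPA record will become before it reaches the parser. The following is an added example and not the Google SecOps parser itself. It reads records in the JSON shape produced by the log receiver templates. The value lists the table refers to as "one of the following values" are not reproduced on the page, so the example takes them as caller-supplied parameters (ElidedLists) rather than guessing them; the principal.ip derivation from ClientPublicIP and ClientPrivateIP is also an assumption of this example, since that part of the mapping lies outside the rows quoted above. The description dictionary holds only a subset of the table, and the sample records are constructed.

```python
"""Added example, not the Google SecOps parser itself: a compact model of the
ZSCALER_VPN mapping rules in the table above, run over constructed ZPA
records in the JSON shape the log receiver templates emit. Value lists the
page refers to as "one of the following values" without reproducing them are
taken as caller-supplied parameters, not guessed."""
import json
import re
from dataclasses import dataclass

# Subset of the InternalReason -> security_result.description table above.
DESCRIPTIONS = {
    "ZPN_STATUS_AUTH_FAILED": "User failed to authenticate in ZPA",
    "BRK_MT_SETUP_FAIL_SAML_EXPIRED": ("The ZPA service blocked the application "
        "request because the timeout policy requires the user to authenticate."),
    "CLT_PORT_UNREACHABLE": "The port is not listening.",
    "APP_NOT_REACHABLE": ("None of the App Connectors configured for the "
        "application can reach the server."),
}
# security_result.summary is set from either InternalReason or SessionStatus.
SUMMARIES = {"MT_CLOSED_TLS_CONN_GONE_CLIENT_CLOSED": "Client closed app TLS connection"}
# Any of these being non-empty, together with SessionStatus, makes a login/logout.
SESSION_CONTEXT_FIELDS = ("Application", "Host", "ServerIP", "ZENBytesTxConnector",
                          "ServerPort", "AppGroup", "UserID", "Username", "NameID")
EMAIL_LIKE = re.compile(r"^.*@.*$")  # the table's NameID pattern


@dataclass(frozen=True)
class ElidedLists:
    """Stand-ins for the value lists the page does not reproduce (assumption:
    supply them from your own parser configuration; empty means 'never')."""
    network_connection_reasons: frozenset = frozenset()
    block_reasons: frozenset = frozenset()
    vpn_auth_reasons: frozenset = frozenset()
    vpn_auth_statuses: frozenset = frozenset()
    userid_excluded_statuses: frozenset = frozenset()
    userid_excluded_reasons: frozenset = frozenset()


def _present(record, key):
    """'Not empty' as used in the table: key exists and is neither null nor ''."""
    return record.get(key) not in (None, "")


def map_record(record, lists=ElidedLists()):
    """Return a flat dict of the UDM fields covered by this section of the table."""
    udm = {}
    reason = record.get("InternalReason")
    status = record.get("SessionStatus")

    if reason in DESCRIPTIONS:
        udm["security_result.description"] = DESCRIPTIONS[reason]
    for candidate in (reason, status):  # InternalReason is checked first
        if candidate in SUMMARIES:
            udm["security_result.summary"] = SUMMARIES[candidate]
            break
    if reason in lists.block_reasons:
        udm["security_result.action"] = "BLOCK"

    # Assumption for this example: principal.ip comes from the client IP fields;
    # that part of the mapping is outside the rows quoted above.
    ips = [record[k] for k in ("ClientPublicIP", "ClientPrivateIP") if _present(record, k)]
    if ips:
        udm["principal.ip"] = ips

    # metadata.event_type, evaluated in the table's order (first match wins).
    has_ctx = any(_present(record, k) for k in SESSION_CONTEXT_FIELDS)
    if reason in lists.network_connection_reasons:
        udm["metadata.event_type"] = "NETWORK_CONNECTION"
    elif status == "ZPN_STATUS_AUTHENTICATED" and has_ctx:
        udm["metadata.event_type"] = "USER_LOGIN"
    elif status == "ZPN_STATUS_DISCONNECTED" and has_ctx:
        udm["metadata.event_type"] = "USER_LOGOUT"
    elif "principal.ip" in udm:
        udm["metadata.event_type"] = "STATUS_UPDATE"
    else:
        udm["metadata.event_type"] = "GENERIC_EVENT"

    if _present(record, "Username") and (
            reason in lists.vpn_auth_reasons or status in lists.vpn_auth_statuses):
        udm["extensions.auth.type"] = "VPN"

    # NameID becomes principal.user.userid only when it is not email-shaped and
    # at least one of the two exclusion rules passes; email-shaped values are
    # left unmapped here because the rows above do not say where they go.
    name_id = record.get("NameID")
    if name_id and not EMAIL_LIKE.match(name_id) and (
            status not in lists.userid_excluded_statuses
            or reason not in lists.userid_excluded_reasons):
        udm["principal.user.userid"] = name_id
    return udm


def map_lines(lines, lists=ElidedLists()):
    """Parse one JSON record per line (the receiver template's shape) and map each."""
    return [map_record(json.loads(line), lists) for line in lines]


# Constructed sample records; field names follow the log stream templates.
SAMPLE_LINES = [
    '{"SessionStatus": "ZPN_STATUS_AUTHENTICATED", "Username": "jdoe", "NameID": "jdoe", '
    '"ClientPublicIP": "203.0.113.10", "Application": "intranet"}',
    '{"SessionStatus": "ZPN_STATUS_DISCONNECTED", "NameID": "jdoe@example.com", '
    '"Host": "intranet.corp.example", "ClientPrivateIP": "10.0.0.5"}',
    '{"InternalReason": "CLT_PORT_UNREACHABLE", "ClientPublicIP": "203.0.113.10", "ServerPort": 8443}',
    '{"InternalReason": "MT_CLOSED_TLS_CONN_GONE_CLIENT_CLOSED"}',
]

if __name__ == "__main__":
    for udm in map_lines(SAMPLE_LINES):
        print(json.dumps(udm))
```

Running the block prints one UDM-style dict per sample record: the authenticated record becomes USER_LOGIN with principal.user.userid jdoe, the disconnected record becomes USER_LOGOUT with no userid because the NameID is email-shaped, the CLT_PORT_UNREACHABLE record falls through to STATUS_UPDATE (only principal.ip is populated) and carries the description, and the bare MT_CLOSED_TLS_CONN_GONE_CLIENT_CLOSED record is a GENERIC_EVENT with just a summary. Passing an ElidedLists with the reason in network_connection_reasons and block_reasons shows how the NETWORK_CONNECTION and BLOCK rules take precedence once those lists are known.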