Zscaler ZPA

This integration is for Zscaler Private Access logs. It can be used to receive logs sent by the LSS Log Receiver on the respective TCP ports.
Log messages should be in JSON format. The data is mapped to the applicable ECS fields, and the remaining fields are written under zscaler_zpa.<data-stream-name>.*.
Setup steps

- Enable the integration with the TCP input.
- Configure the Zscaler LSS Log Receiver to send logs to the Elastic Agent that is running this integration. See Setting up Log Receivers. Use the IP address/hostname of the Elastic Agent as the Log Receiver Domain or IP Address, and the listening port of the Elastic Agent as the TCP Port on the Add Log Receiver configuration screen.
- Make sure to use the given response format.
ZPA Log Receiver setup

For detailed documentation on setting up a ZPA Log Receiver, see the Zscaler documentation:
- Domain or IP: use the IP address/hostname of the Elastic Agent
- TCP Port: use the listening port of the Elastic Agent
Compatibility

This package has been tested against Zscaler Private Access Client Connector version 3.7.1.44.
Documentation and configuration

App Connector Status Log

Default port: 9015
Vendor documentation: https://help.zscaler.com/zpa/about-connector-status-log-fields
Zscaler response format

```
{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"SessionType": %j{SessionType},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"Platform": %j{Platform},"ZEN": %j{ZEN},"Connector": %j{Connector},"ConnectorGroup": %j{ConnectorGroup},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"CPUUtilization": %d{CPUUtilization},"MemUtilization": %d{MemUtilization},"ServiceCount": %d{ServiceCount},"InterfaceDefRoute": %j{InterfaceDefRoute},"DefRouteGW": %j{DefRouteGW},"PrimaryDNSResolver": %j{PrimaryDNSResolver},"HostUpTime": %j{HostUpTime},"ConnectorUpTime": %j{ConnectorUpTime},"NumOfInterfaces": %d{NumOfInterfaces},"BytesRxInterface": %d{BytesRxInterface},"PacketsRxInterface": %d{PacketsRxInterface},"ErrorsRxInterface": %d{ErrorsRxInterface},"DiscardsRxInterface": %d{DiscardsRxInterface},"BytesTxInterface": %d{BytesTxInterface},"PacketsTxInterface": %d{PacketsTxInterface},"ErrorsTxInterface": %d{ErrorsTxInterface},"DiscardsTxInterface": %d{DiscardsTxInterface},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx}}\n
```
Sample response

```json
{"LogTimestamp":"Wed Jul 3 05:17:22 2019","Customer":"Safe March","SessionID":"8A64Qwj9zCkfYDGJVoUZ","SessionType":"ZPN_ASSISTANT_BROKER_CONTROL","SessionStatus":"ZPN_STATUS_AUTHENTICATED","Version":"19.20.3","Platform":"el7","ZEN":"US-NY-8179","Connector":"Seattle App Connector 1","ConnectorGroup":"Azure App Connectors","PrivateIP":"10.0.0.4","PublicIP":"0.0.0.0","Latitude":47,"Longitude":-122,"CountryCode":"","TimestampAuthentication":"2019-06-27T05:05:23.348Z","TimestampUnAuthentication":"","CPUUtilization":1,"MemUtilization":20,"ServiceCount":2,"InterfaceDefRoute":"eth0","DefRouteGW":"10.0.0.1","PrimaryDNSResolver":"168.63.129.16","HostStartTime":"1513229995","ConnectorStartTime":"1555920005","NumOfInterfaces":2,"BytesRxInterface":319831966346,"PacketsRxInterface":1617569938,"ErrorsRxInterface":0,"DiscardsRxInterface":0,"BytesTxInterface":192958782635,"PacketsTxInterface":1797471190,"ErrorsTxInterface":0,"DiscardsTxInterface":0,"TotalBytesRx":10902554,"TotalBytesTx":48931771}
```
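Because the setup steps require the given response format to be used verbatim, it is worth checking what the receiver actually emits against the template. The following Python is an added example (not code from the Elastic integration or from Zscaler): it parses the %j/%d/%f directives of a response-format string, then reports keys a received line lacks, keys the template does not declare, and values whose JSON type contradicts their directive; run against the sample response above it flags the HostUpTime/ConnectorUpTime vs. HostStartTime/ConnectorStartTime naming difference between template and sample.

```python
"""Check a ZPA LSS log line against the Zscaler response-format template it
should have been produced from.

Added example; not part of the Elastic integration or of Zscaler's tooling.
Understands the directive syntax of the response-format strings on this page:
%j{Field}, %j{Field:iso8601}, %j{Field:time}, %d{Field}, %f{Field} and the list
form [%j(,){Field}]. Template and sample line are copied from the App Connector
Status Log section above.
"""
import json
import re

APP_CONNECTOR_STATUS_TEMPLATE = (
    '{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},'
    '"SessionType": %j{SessionType},"SessionStatus": %j{SessionStatus},"Version": %j{Version},'
    '"Platform": %j{Platform},"ZEN": %j{ZEN},"Connector": %j{Connector},'
    '"ConnectorGroup": %j{ConnectorGroup},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},'
    '"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},'
    '"TimestampAuthentication": %j{TimestampAuthentication:iso8601},'
    '"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},'
    '"CPUUtilization": %d{CPUUtilization},"MemUtilization": %d{MemUtilization},'
    '"ServiceCount": %d{ServiceCount},"InterfaceDefRoute": %j{InterfaceDefRoute},'
    '"DefRouteGW": %j{DefRouteGW},"PrimaryDNSResolver": %j{PrimaryDNSResolver},'
    '"HostUpTime": %j{HostUpTime},"ConnectorUpTime": %j{ConnectorUpTime},'
    '"NumOfInterfaces": %d{NumOfInterfaces},"BytesRxInterface": %d{BytesRxInterface},'
    '"PacketsRxInterface": %d{PacketsRxInterface},"ErrorsRxInterface": %d{ErrorsRxInterface},'
    '"DiscardsRxInterface": %d{DiscardsRxInterface},"BytesTxInterface": %d{BytesTxInterface},'
    '"PacketsTxInterface": %d{PacketsTxInterface},"ErrorsTxInterface": %d{ErrorsTxInterface},'
    '"DiscardsTxInterface": %d{DiscardsTxInterface},"TotalBytesRx": %d{TotalBytesRx},'
    '"TotalBytesTx": %d{TotalBytesTx}}\\n'
)

APP_CONNECTOR_STATUS_SAMPLE = (
    '{"LogTimestamp":"Wed Jul 3 05:17:22 2019","Customer":"Safe March",'
    '"SessionID":"8A64Qwj9zCkfYDGJVoUZ","SessionType":"ZPN_ASSISTANT_BROKER_CONTROL",'
    '"SessionStatus":"ZPN_STATUS_AUTHENTICATED","Version":"19.20.3","Platform":"el7",'
    '"ZEN":"US-NY-8179","Connector":"Seattle App Connector 1",'
    '"ConnectorGroup":"Azure App Connectors","PrivateIP":"10.0.0.4","PublicIP":"0.0.0.0",'
    '"Latitude":47,"Longitude":-122,"CountryCode":"",'
    '"TimestampAuthentication":"2019-06-27T05:05:23.348Z","TimestampUnAuthentication":"",'
    '"CPUUtilization":1,"MemUtilization":20,"ServiceCount":2,"InterfaceDefRoute":"eth0",'
    '"DefRouteGW":"10.0.0.1","PrimaryDNSResolver":"168.63.129.16",'
    '"HostStartTime":"1513229995","ConnectorStartTime":"1555920005","NumOfInterfaces":2,'
    '"BytesRxInterface":319831966346,"PacketsRxInterface":1617569938,"ErrorsRxInterface":0,'
    '"DiscardsRxInterface":0,"BytesTxInterface":192958782635,"PacketsTxInterface":1797471190,'
    '"ErrorsTxInterface":0,"DiscardsTxInterface":0,"TotalBytesRx":10902554,"TotalBytesTx":48931771}'
)

# One directive: JSON key, optional '[' list wrapper, %j/%d/%f, optional "(,)"
# list separator, source field name, optional ":formatter" (time, iso8601).
_DIRECTIVE = re.compile(
    r'"(?P<key>[^"]+)":\s*(?P<list>\[)?%(?P<kind>[jdf])(?:\(,\))?'
    r'\{(?P<src>[^}:]+)(?::(?P<fmt>[^}]+))?\}\]?'
)

# JSON value types each directive may legitimately produce.
_ALLOWED = {
    "j": (str,),          # %j emits a JSON string (dates included)
    "d": (int,),
    "f": (int, float),    # %f may be rendered without a fraction, e.g. 47
}


def parse_template(template: str) -> dict:
    """Return {json_key: (kind, is_list)} for every directive in the template."""
    return {m.group("key"): (m.group("kind"), m.group("list") is not None)
            for m in _DIRECTIVE.finditer(template)}


def validate_line(line: str, template: str) -> dict:
    """Report keys the line lacks, keys the template does not declare, and values
    whose JSON type contradicts their directive."""
    expected = parse_template(template)
    try:
        record = json.loads(line)
    except json.JSONDecodeError as exc:
        return {"parse_error": str(exc), "missing": [], "unexpected": [], "type_mismatch": []}
    report = {
        "missing": sorted(k for k in expected if k not in record),
        "unexpected": sorted(k for k in record if k not in expected),
        "type_mismatch": [],
    }
    for key, (kind, is_list) in expected.items():
        if key in record:
            value = record[key]
            allowed = (list,) if is_list else _ALLOWED[kind]
            # bool is an int subclass in Python: true/false is never a valid %d value.
            if isinstance(value, bool) or not isinstance(value, allowed):
                report["type_mismatch"].append((key, kind, type(value).__name__))
    return report


if __name__ == "__main__":
    print(json.dumps(validate_line(APP_CONNECTOR_STATUS_SAMPLE,
                                   APP_CONNECTOR_STATUS_TEMPLATE), indent=2))
```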
Audit Log

Default port: 9016
Vendor documentation: https://help.zscaler.com/zpa/about-audit-log-fields
Zscaler response format

```
{"ModifiedTime":%j{modifiedTime:iso8601},"CreationTime":%j{creationTime:iso8601},"ModifiedBy":%d{modifiedBy},"RequestID":%j{requestId},"SessionID":%j{sessionId},"AuditOldValue":%j{auditOldValue},"AuditNewValue":%j{auditNewValue},"AuditOperationType":%j{auditOperationType},"ObjectType":%j{objectType},"ObjectName":%j{objectName},"ObjectID":%d{objectId},"CustomerID":%d{customerId},"User":%j{modifiedByUser},"ClientAuditUpdate":%d{isClientAudit}}\n
```
Sample response

```json
{"ModifiedTime":"2021-11-17T04:29:38.000Z","CreationTime":"2021-11-17T04:29:38.000Z","ModifiedBy":12345678901234567,"RequestID":"11111111-1111-1111-1111-111111111111","SessionID":"1idn23nlfm2q1txa5h3r4mep6","AuditOldValue":"","AuditNewValue":"{\"id\":\"72058340288495701\",\"name\":\"Some-Name\",\"domainOrIpAddress\":\"1.0.0.1\",\"description\":\"This is a description field\",\"enabled\":\"true\"}","AuditOperationType":"Create","ObjectType":"Server","ObjectName":"Some-Name","ObjectID":12345678901234567,"CustomerID":98765432109876543,"User":"[email protected]","ClientAuditUpdate":0}
```
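AuditOldValue and AuditNewValue arrive as a JSON object serialised inside a JSON string, which the integration decodes into the flattened value.old / value.new fields shown further down. The following Python is an added example (not the integration's code) that decodes both sides and lists the keys that changed, so an admin-portal change can be reviewed as a before/after diff; it uses the Create line above and a constructed Update line whose RequestID and User are placeholders.

```python
"""Decode and diff the AuditOldValue / AuditNewValue payloads of ZPA audit log lines.

Added example, not code from the Elastic integration. ZPA emits both values as a
JSON object serialised into a JSON string (double-encoded); the integration stores
the decoded objects in zscaler_zpa.audit.value.old / .new. The Create line is the
sample response from this page; the Update line is constructed here, and its
RequestID and User are placeholders.
"""
import json

# Sample response from the page: on Create, AuditOldValue is empty and AuditNewValue
# carries the escaped inner JSON.
AUDIT_CREATE_LINE = (
    r'{"ModifiedTime":"2021-11-17T04:29:38.000Z","CreationTime":"2021-11-17T04:29:38.000Z",'
    r'"ModifiedBy":12345678901234567,"RequestID":"11111111-1111-1111-1111-111111111111",'
    r'"SessionID":"1idn23nlfm2q1txa5h3r4mep6","AuditOldValue":"",'
    r'"AuditNewValue":"{\"id\":\"72058340288495701\",\"name\":\"Some-Name\",'
    r'\"domainOrIpAddress\":\"1.0.0.1\",\"description\":\"This is a description field\",'
    r'\"enabled\":\"true\"}","AuditOperationType":"Create","ObjectType":"Server",'
    r'"ObjectName":"Some-Name","ObjectID":12345678901234567,"CustomerID":98765432109876543,'
    r'"User":"[email protected]","ClientAuditUpdate":0}'
)

# Constructed Update event disabling the same server object. json.dumps on the inner
# dicts reproduces the double encoding ZPA uses for the two audit value fields.
_BEFORE = {"id": "72058340288495701", "name": "Some-Name",
           "domainOrIpAddress": "1.0.0.1", "enabled": "true"}
AUDIT_UPDATE_LINE = json.dumps({
    "ModifiedTime": "2021-11-17T05:10:00.000Z", "CreationTime": "2021-11-17T04:29:38.000Z",
    "ModifiedBy": 12345678901234567,
    "RequestID": "00000000-0000-0000-0000-000000000000",  # placeholder
    "SessionID": "1idn23nlfm2q1txa5h3r4mep6",
    "AuditOldValue": json.dumps(_BEFORE),
    "AuditNewValue": json.dumps({**_BEFORE, "enabled": "false"}),
    "AuditOperationType": "Update", "ObjectType": "Server", "ObjectName": "Some-Name",
    "ObjectID": 12345678901234567, "CustomerID": 98765432109876543,
    "User": "admin@example.com",  # placeholder
    "ClientAuditUpdate": 0,
})


def decode_audit_value(raw):
    """Inner object for a non-empty JSON string, None for an empty value, or the raw
    text unchanged when the payload is not JSON."""
    if raw in ("", None):
        return None
    try:
        return json.loads(raw)
    except (json.JSONDecodeError, TypeError):
        return raw


def audit_diff(line: str) -> dict:
    """Summarise one audit event: actor, operation, object, and the keys whose value
    differs between the old and new payload (old -> new)."""
    ev = json.loads(line)
    old = decode_audit_value(ev.get("AuditOldValue"))
    new = decode_audit_value(ev.get("AuditNewValue"))
    changed = {}
    if isinstance(old, (dict, type(None))) and isinstance(new, (dict, type(None))):
        old_d, new_d = old or {}, new or {}
        for key in sorted(set(old_d) | set(new_d)):
            if old_d.get(key) != new_d.get(key):
                changed[key] = (old_d.get(key), new_d.get(key))
    elif old != new:
        changed["*"] = (old, new)  # non-object payloads: report the whole value
    return {
        "user": ev.get("User"),
        "operation": ev.get("AuditOperationType"),
        "object": f'{ev.get("ObjectType")}/{ev.get("ObjectName")}',
        "changed": changed,
    }


if __name__ == "__main__":
    for line in (AUDIT_CREATE_LINE, AUDIT_UPDATE_LINE):
        print(json.dumps(audit_diff(line), indent=2))
```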
Browser Access Log

Default port: 9017
Vendor documentation: https://help.zscaler.com/zpa/about-browser-access-log-fields
Zscaler response format

```
{"LogTimestamp":%j{LogTimestamp:time},"ConnectionID":%j{ConnectionID},"Exporter":%j{Exporter},"TimestampRequestReceiveStart":%j{TimestampRequestReceiveStart:iso8601},"TimestampRequestReceiveHeaderFinish":%j{TimestampRequestReceiveHeaderFinish:iso8601},"TimestampRequestReceiveFinish":%j{TimestampRequestReceiveFinish:iso8601},"TimestampRequestTransmitStart":%j{TimestampRequestTransmitStart:iso8601},"TimestampRequestTransmitFinish":%j{TimestampRequestTransmitFinish:iso8601},"TimestampResponseReceiveStart":%j{TimestampResponseReceiveStart:iso8601},"TimestampResponseReceiveFinish":%j{TimestampResponseReceiveFinish:iso8601},"TimestampResponseTransmitStart":%j{TimestampResponseTransmitStart:iso8601},"TimestampResponseTransmitFinish":%j{TimestampResponseTransmitFinish:iso8601},"TotalTimeRequestReceive":%d{TotalTimeRequestReceive},"TotalTimeRequestTransmit":%d{TotalTimeRequestTransmit},"TotalTimeResponseReceive":%d{TotalTimeResponseReceive},"TotalTimeResponseTransmit":%d{TotalTimeResponseTransmit},"TotalTimeConnectionSetup":%d{TotalTimeConnectionSetup},"TotalTimeServerResponse":%d{TotalTimeServerResponse},"Method":%j{Method},"Protocol":%j{Protocol},"Host":%j{Host},"URL":%j{URL},"UserAgent":%j{UserAgent},"XFF":%j{XFF},"NameID":%j{NameID},"StatusCode":%d{StatusCode},"RequestSize":%d{RequestSize},"ResponseSize":%d{ResponseSize},"ApplicationPort":%d{ApplicationPort},"ClientPublicIp":%j{ClientPublicIp},"ClientPublicPort":%d{ClientPublicPort},"ClientPrivateIp":%j{ClientPrivateIp},"Customer":%j{Customer},"ConnectionStatus":%j{ConnectionStatus},"ConnectionReason":%j{ConnectionReason},"Origin":%j{Origin},"CorsToken":%j{CorsToken}}\n
```
Sample response

```json
{"LogTimestamp":"Wed Jul 3 05:12:25 2019","ConnectionID":"","Exporter":"unset","TimestampRequestReceiveStart":"2019-07-03T05:12:25.723Z","TimestampRequestReceiveHeaderFinish":"2019-07-03T05:12:25.723Z","TimestampRequestReceiveFinish":"2019-07-03T05:12:25.723Z","TimestampRequestTransmitStart":"2019-07-03T05:12:25.790Z","TimestampRequestTransmitFinish":"2019-07-03T05:12:25.790Z","TimestampResponseReceiveStart":"2019-07-03T05:12:25.791Z","TimestampResponseReceiveFinish":"2019-07-03T05:12:25.791Z","TimestampResponseTransmitStart":"2019-07-03T05:12:25.791Z","TimestampResponseTransmitFinish":"2019-07-03T05:12:25.791Z","TotalTimeRequestReceive":127,"TotalTimeRequestTransmit":21,"TotalTimeResponseReceive":73,"TotalTimeResponseTransmit":13,"TotalTimeConnectionSetup":66995,"TotalTimeServerResponse":1349,"Method":"GET","Protocol":"HTTPS","Host":"portal.beta.zdemo.net","URL":"/media/Regular.woff","UserAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15","XFF":"","NameID":"[email protected]","StatusCode":304,"RequestSize":615,"ResponseSize":331,"ApplicationPort":443,"ClientPublicIp":"175.16.199.1","ClientPublicPort":60006,"ClientPrivateIp":"","Customer":"ANZ Team/zdemo in beta","ConnectionStatus":"","ConnectionReason":""}
```
User Activity Log

Default port: 9018
Vendor documentation: https://help.zscaler.com/zpa/about-user-activity-log-fields
Zscaler response format

```
{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"ConnectionID": %j{ConnectionID},"InternalReason": %j{InternalReason},"ConnectionStatus": %j{ConnectionStatus},"IPProtocol": %d{IPProtocol},"DoubleEncryption": %d{DoubleEncryption},"Username": %j{Username},"ServicePort": %d{ServicePort},"ClientPublicIP": %j{ClientPublicIP},"ClientPrivateIP": %j{ClientPrivateIP},"ClientLatitude": %f{ClientLatitude},"ClientLongitude": %f{ClientLongitude},"ClientCountryCode": %j{ClientCountryCode},"ClientZEN": %j{ClientZEN},"Policy": %j{Policy},"Connector": %j{Connector},"ConnectorZEN": %j{ConnectorZEN},"ConnectorIP": %j{ConnectorIP},"ConnectorPort": %d{ConnectorPort},"Host": %j{Host},"Application": %j{Application},"AppGroup": %j{AppGroup},"Server": %j{Server},"ServerIP": %j{ServerIP},"ServerPort": %d{ServerPort},"PolicyProcessingTime": %d{PolicyProcessingTime},"ServerSetupTime": %d{ServerSetupTime},"TimestampConnectionStart": %j{TimestampConnectionStart:iso8601},"TimestampConnectionEnd": %j{TimestampConnectionEnd:iso8601},"TimestampCATx": %j{TimestampCATx:iso8601},"TimestampCARx": %j{TimestampCARx:iso8601},"TimestampAppLearnStart": %j{TimestampAppLearnStart:iso8601},"TimestampZENFirstRxClient": %j{TimestampZENFirstRxClient:iso8601},"TimestampZENFirstTxClient": %j{TimestampZENFirstTxClient:iso8601},"TimestampZENLastRxClient": %j{TimestampZENLastRxClient:iso8601},"TimestampZENLastTxClient": %j{TimestampZENLastTxClient:iso8601},"TimestampConnectorZENSetupComplete": %j{TimestampConnectorZENSetupComplete:iso8601},"TimestampZENFirstRxConnector": %j{TimestampZENFirstRxConnector:iso8601},"TimestampZENFirstTxConnector": %j{TimestampZENFirstTxConnector:iso8601},"TimestampZENLastRxConnector": %j{TimestampZENLastRxConnector:iso8601},"TimestampZENLastTxConnector": %j{TimestampZENLastTxConnector:iso8601},"ZENTotalBytesRxClient": %d{ZENTotalBytesRxClient},"ZENBytesRxClient": %d{ZENBytesRxClient},"ZENTotalBytesTxClient": %d{ZENTotalBytesTxClient},"ZENBytesTxClient": %d{ZENBytesTxClient},"ZENTotalBytesRxConnector": %d{ZENTotalBytesRxConnector},"ZENBytesRxConnector": %d{ZENBytesRxConnector},"ZENTotalBytesTxConnector": %d{ZENTotalBytesTxConnector},"ZENBytesTxConnector": %d{ZENBytesTxConnector},"Idp": %j{Idp},"ClientToClient": %j{c2c},"ConnectorZENSetupTime":%d{ConnectorZENSetupTime},"ConnectionSetupTime":%d{ConnectionSetupTime}}\n
```
Sample response

```json
{"LogTimestamp": "Fri May 31 17:35:42 2019","Customer": "Customer XYZ","SessionID": "LHJdkjmNDf12nclBsvwA","ConnectionID": "SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm","InternalReason": "","ConnectionStatus": "active","IPProtocol": 6,"DoubleEncryption": 0,"Username": "ZPA LSS Client","ServicePort": 10011,"ClientPublicIP": "81.2.69.193","ClientPrivateIP": "","ClientLatitude": 45.000000,"ClientLongitude": -119.000000,"ClientCountryCode": "US","ClientZEN": "broker2b.pdx","Policy": "ANZ Lab Apps","Connector": "ZDEMO ANZ","ConnectorZEN": "broker2b.pdx","ConnectorIP": "67.43.156.12","ConnectorPort": 60266,"Host": "175.16.199.1","Application": "ANZ Lab Apps","AppGroup": "ANZ Lab Apps","Server": "0","ServerIP": "175.16.199.1","ServerPort": 10011,"PolicyProcessingTime": 28,"CAProcessingTime": 1330,"ServerSetupTime": 465,"AppLearnTime": 0,"TimestampConnectionStart": "2019-05-30T08:20:42.230Z","TimestampConnectionEnd": "","TimestampCATx": "2019-05-30T08:20:42.230Z","TimestampCARx": "2019-05-30T08:20:42.231Z","TimestampAppLearnStart": "","TimestampZENFirstRxClient": "2019-05-30T08:20:42.424Z","TimestampZENFirstTxClient": "","TimestampZENLastRxClient": "2019-05-31T17:34:27.348Z","TimestampZENLastTxClient": "","TimestampConnectorZENSetupComplete": "2019-05-30T08:20:42.422Z","TimestampZENFirstRxConnector": "","TimestampZENFirstTxConnector": "2019-05-30T08:20:42.424Z","TimestampZENLastRxConnector": "","TimestampZENLastTxConnector": "2019-05-31T17:34:27.348Z","ZENTotalBytesRxClient": 2406926,"ZENBytesRxClient": 7115,"ZENTotalBytesTxClient": 0,"ZENBytesTxClient": 0,"ZENTotalBytesRxConnector": 0,"ZENBytesRxConnector": 0,"ZENTotalBytesTxConnector": 2406926,"ZENBytesTxConnector": 7115,"Idp": "Example IDP Config","ConnectorZENSetupTime":1640674274,"ConnectionSetupTime":1640675274}
```

To populate the Slowest Applications visualization, the "ConnectorZENSetupTime" and "ConnectionSetupTime" fields have been added to the default response format of the Zscaler User Activity Log above.
User Status Log

Default port: 9019
Vendor documentation: https://help.zscaler.com/zpa/about-user-status-log-fields
Zscaler response format

```
{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"Username": %j{Username},"SessionID": %j{SessionID},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"ZEN": %j{ZEN},"CertificateCN": %j{CertificateCN},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx},"Idp": %j{Idp},"Hostname": %j{Hostname},"Platform": %j{Platform},"ClientType": %j{ClientType},"TrustedNetworks": [%j(,){TrustedNetworks}],"TrustedNetworksNames": [%j(,){TrustedNetworksNames}],"SAMLAttributes": %j{SAMLAttributes},"PosturesHit": [%j(,){PosturesHit}],"PosturesMiss": [%j(,){PosturesMiss}],"ZENLatitude": %f{ZENLatitude},"ZENLongitude": %f{ZENLongitude},"ZENCountryCode": %j{ZENCountryCode},"FQDNRegistered": %j{fqdn_registered},"FQDNRegisteredError": %j{fqdn_register_error}}\n
```
Sample response

```json
{"LogTimestamp":"Fri May 31 17:34:48 2019","Customer":"Customer XYZ","Username":"ZPA LSS Client","SessionID":"vkczUERSLl88Y+ytH8v5","SessionStatus":"ZPN_STATUS_AUTHENTICATED","Version":"19.12.0-36-g87dad18","ZEN":"broker2b.pdx","CertificateCN":"loggerz2x.pde.zpabeta.net","PrivateIP":"","PublicIP":"81.2.69.144","Latitude":45,"Longitude":-119,"CountryCode":"US","TimestampAuthentication":"2019-05-29T21:18:38.000Z","TimestampUnAuthentication":"","TotalBytesRx":31274866,"TotalBytesTx":25424152,"Idp":"IDP Config","Hostname":"DESKTOP-99HCSJ1","Platform":"windows","ClientType":"zpn_client_type_zapp","TrustedNetworks":"TN1_stc1","TrustedNetworksNames":"145248739466696953","SAMLAttributes":"myname:user,myemail:[email protected]","PosturesHit":"sm-posture1,sm-posture2","PosturesMiss":"sm-posture11,sm-posture12","ZENLatitude":47,"ZENLongitude":-122,"ZENCountryCode":""}
```
Fields and sample events

App Connector Status Log

Exported fields

Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset | constant_keyword |
event.module | Event module | constant_keyword |
input.type | Type of filebeat input. | keyword |
log.offset | Log offset. | long |
log.source.address | Source address from which the log event was read / sent. | keyword |
zscaler_zpa.app_connector_status.connector.group | App Connector group name. | keyword |
zscaler_zpa.app_connector_status.connector.name | App Connector name. | keyword |
zscaler_zpa.app_connector_status.connector_start_time | Seconds since the App Connector was started. | date |
zscaler_zpa.app_connector_status.connector_up_time | Seconds since the App Connector was started. | date |
zscaler_zpa.app_connector_status.host_start_time | Seconds since the host was started. | date |
zscaler_zpa.app_connector_status.host_up_time | Seconds since the host was started. | date |
zscaler_zpa.app_connector_status.interface.name | Interface name of the default route. | keyword |
zscaler_zpa.app_connector_status.interface.received.bytes | Bytes received on the interface. | double |
zscaler_zpa.app_connector_status.interface.received.discards | Discarded packets received on the interface. | double |
zscaler_zpa.app_connector_status.interface.received.errors | Errors received on the interface. | double |
zscaler_zpa.app_connector_status.interface.received.packets | Packets received on the interface. | double |
zscaler_zpa.app_connector_status.interface.transmitted.bytes | Bytes transmitted on the interface. | double |
zscaler_zpa.app_connector_status.interface.transmitted.discards | Discarded packets transmitted on the interface. | double |
zscaler_zpa.app_connector_status.interface.transmitted.errors | Errors transmitted on the interface. | double |
zscaler_zpa.app_connector_status.interface.transmitted.packets | Packets transmitted on the interface. | double |
zscaler_zpa.app_connector_status.memory.utilization | Memory utilization (%). | double |
zscaler_zpa.app_connector_status.num_of_interfaces | Number of interfaces on the App Connector host. | double |
zscaler_zpa.app_connector_status.primary_dns_resolver | IP address of the primary DNS resolver. | ip |
zscaler_zpa.app_connector_status.private_ip | Private IP address of the App Connector. | ip |
zscaler_zpa.app_connector_status.service.count | Number of services the App Connector is monitoring (combination of domain/IP address and TCP/UDP port). | double |
zscaler_zpa.app_connector_status.session.id | TLS session ID. | keyword |
zscaler_zpa.app_connector_status.session.status | Session status. | keyword |
zscaler_zpa.app_connector_status.session.type | Session type. | keyword |
zscaler_zpa.app_connector_status.timestamp.authentication | Timestamp in microseconds when the App Connector was authenticated. | date |
zscaler_zpa.app_connector_status.timestamp.unauthentication | Timestamp in microseconds when the App Connector was unauthenticated. | date |
zscaler_zpa.app_connector_status.zen | TLS session ID. | keyword |
Example

An example event for app_connector_status looks as following:

```json
{ "@timestamp": "2019-07-03T05:17:22.000Z", "agent": { "ephemeral_id": "5d064a52-4363-49de-a8f9-2d063c2aad0c", "hostname": "docker-fleet-agent", "id": "8b86614c-cda7-40f1-9823-ea2294fa4abf", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.2" }, "client": { "nat": { "ip": "10.0.0.1" } }, "data_stream": { "dataset": "zscaler_zpa.app_connector_status", "namespace": "ep", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "8b86614c-cda7-40f1-9823-ea2294fa4abf", "snapshot": false, "version": "7.16.2" }, "event": { "agent_id_status": "verified", "category": [ "package" ], "dataset": "zscaler_zpa.app_connector_status", "ingested": "2023-02-22T12:08:34Z", "kind": "event", "original": "{\"LogTimestamp\":\"Wed Jul 3 05:17:22 2019\",\"Customer\":\"Customer Name\",\"SessionID\":\"8A64Qwj9zCkfYDGJVoUZ\",\"SessionType\":\"ZPN_ASSISTANT_BROKER_CONTROL\",\"SessionStatus\":\"ZPN_STATUS_AUTHENTICATED\",\"Version\":\"19.20.3\",\"Platform\":\"el7\",\"ZEN\":\"US-NY-8179\",\"Connector\":\"Some App Connector\",\"ConnectorGroup\":\"Some App Connector Group\",\"PrivateIP\":\"10.0.0.4\",\"PublicIP\":\"0.0.0.0\",\"Latitude\":47,\"Longitude\":-122,\"CountryCode\":\"\",\"TimestampAuthentication\":\"2019-06-27T05:05:23.348Z\",\"TimestampUnAuthentication\":\"\",\"CPUUtilization\":1,\"MemUtilization\":20,\"ServiceCount\":2,\"InterfaceDefRoute\":\"eth0\",\"DefRouteGW\":\"10.0.0.1\",\"PrimaryDNSResolver\":\"168.63.129.16\",\"HostStartTime\":\"1513229995\",\"HostUpTime\":\"1513229995\",\"ConnectorUpTime\":\"1555920005\",\"ConnectorStartTime\":\"1555920005\",\"NumOfInterfaces\":2,\"BytesRxInterface\":319831966346,\"PacketsRxInterface\":1617569938,\"ErrorsRxInterface\":0,\"DiscardsRxInterface\":0,\"BytesTxInterface\":192958782635,\"PacketsTxInterface\":1797471190,\"ErrorsTxInterface\":0,\"DiscardsTxInterface\":0,\"TotalBytesRx\":10902554,\"TotalBytesTx\":48931771}", "type": [ "info" ] }, "host": { "cpu": { "usage": 1 }, "network": { "egress": { "bytes": 48931771 }, "ingress": { "bytes": 10902554 } } }, "input": { "type": "tcp" }, "log": { "source": { "address": "192.168.64.5:59424" } }, "observer": { "geo": { "location": { "lat": 47, "lon": -122 } }, "ip": [ "0.0.0.0" ], "os": { "platform": "el7" }, "type": "forwarder", "version": "19.20.3" }, "organization": { "name": "Customer Name" }, "related": { "ip": [ "10.0.0.1", "0.0.0.0", "10.0.0.4", "168.63.129.16" ] }, "tags": [ "preserve_original_event", "forwarded", "zscaler_zpa-app_connectors_status" ], "zscaler_zpa": { "app_connector_status": { "connector": { "group": "Some App Connector Group", "name": "Some App Connector" }, "connector_start_time": "2019-04-22T08:00:05.000Z", "connector_up_time": "2019-04-22T08:00:05.000Z", "host_start_time": "2017-12-14T05:39:55.000Z", "host_up_time": "2017-12-14T05:39:55.000Z", "interface": { "name": "eth0", "received": { "bytes": 319831966346, "discards": 0, "errors": 0, "packets": 1617569938 }, "transmitted": { "bytes": 192958782635, "discards": 0, "errors": 0, "packets": 1797471190 } }, "memory": { "utilization": 20 }, "num_of_interfaces": 2, "primary_dns_resolver": "168.63.129.16", "private_ip": "10.0.0.4", "service": { "count": 2 }, "session": { "id": "8A64Qwj9zCkfYDGJVoUZ", "status": "ZPN_STATUS_AUTHENTICATED", "type": "ZPN_ASSISTANT_BROKER_CONTROL" }, "timestamp": { "authentication": "2019-06-27T05:05:23.348Z" }, "zen": "US-NY-8179" } } }
```
Audit Log

Exported fields

Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset | constant_keyword |
event.module | Event module | constant_keyword |
input.type | Type of filebeat input. | keyword |
log.offset | Log offset. | long |
log.source.address | Source address from which the log event was read / sent. | keyword |
zscaler_zpa.audit.client_audit_update | Flag indicating whether the event is a client audit log. | long |
zscaler_zpa.audit.object.id | ID associated with the object name. | keyword |
zscaler_zpa.audit.object.name | Name of the object. This corresponds to the resource name in the Audit Logs page. | keyword |
zscaler_zpa.audit.object.type | Location in the ZPA Admin Portal where the action was performed. | keyword |
zscaler_zpa.audit.operation_type | Type of action performed. | keyword |
zscaler_zpa.audit.session.id | ID of the admin session in the ZPA Admin Portal. This corresponds to a successful login action that occurred. | keyword |
zscaler_zpa.audit.value.new | The new value after the change, if the operation type is Create, Sign In, or Update. | flattened |
zscaler_zpa.audit.value.old | The previous value before the change, if the operation type is Delete, Sign Out, or Update. | flattened |
Example

An example event for audit looks as following:

```json
{ "@timestamp": "2021-11-17T04:29:38.000Z", "agent": { "ephemeral_id": "f7eff07b-58ba-49bf-a364-5df94e1adfb6", "hostname": "docker-fleet-agent", "id": "8b86614c-cda7-40f1-9823-ea2294fa4abf", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.2" }, "data_stream": { "dataset": "zscaler_zpa.audit", "namespace": "ep", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "8b86614c-cda7-40f1-9823-ea2294fa4abf", "snapshot": false, "version": "7.16.2" }, "event": { "agent_id_status": "verified", "category": [ "iam" ], "created": "2021-11-17T04:29:38.000Z", "dataset": "zscaler_zpa.audit", "id": "11111111-1111-1111-1111-111111111111", "ingested": "2023-02-22T12:09:19Z", "kind": "event", "original": "{\"ModifiedTime\":\"2021-11-17T04:29:38.000Z\",\"CreationTime\":\"2021-11-17T04:29:38.000Z\",\"ModifiedBy\":12345678901234567,\"RequestID\":\"11111111-1111-1111-1111-111111111111\",\"SessionID\":\"1idn23nlfm2q1txa5h3r4mep6\",\"AuditOldValue\":\"\",\"AuditNewValue\":\"{\\\"id\\\":\\\"72058340288495701\\\",\\\"name\\\":\\\"Some-Name\\\",\\\"domainOrIpAddress\\\":\\\"1.0.0.1\\\",\\\"description\\\":\\\"This is a description field\\\",\\\"enabled\\\":\\\"true\\\"}\",\"AuditOperationType\":\"Create\",\"ObjectType\":\"Server\",\"ObjectName\":\"Some-Name\",\"ObjectID\":12345678901234567,\"CustomerID\":98765432109876543,\"User\":\"[email protected]\",\"ClientAuditUpdate\":0}", "type": [ "creation" ] }, "input": { "type": "tcp" }, "log": { "source": { "address": "192.168.64.5:55180" } }, "organization": { "id": "98765432109876543" }, "related": { "ip": [ "1.0.0.1" ], "user": [ "12345678901234567", "[email protected]" ] }, "server": { "address": "1.0.0.1", "ip": "1.0.0.1" }, "tags": [ "preserve_original_event", "forwarded", "zscaler_zpa-audit" ], "user": { "id": "12345678901234567", "name": "[email protected]" }, "zscaler_zpa": { "audit": { "client_audit_update": 0, "object": { "id": "12345678901234567", "name": "Some-Name", "type": "Server" }, "operation_type": "Create", "session": { "id": "1idn23nlfm2q1txa5h3r4mep6" }, "value": { "new": { "description": "This is a description field", "domainOrIpAddress": "1.0.0.1", "enabled": "true", "id": "72058340288495701", "name": "Some-Name" } } } } }
```
Browser Access Log

Exported fields

Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset | constant_keyword |
event.module | Event module | constant_keyword |
input.type | Type of filebeat input. | keyword |
log.offset | Log offset. | long |
log.source.address | Source address from which the log event was read / sent. | keyword |
zscaler_zpa.browser_access.client_private_ip | Private IP address of the user's device. | ip |
zscaler_zpa.browser_access.connection.id | Application connection ID. | keyword |
zscaler_zpa.browser_access.connection.status | Connection status. | keyword |
zscaler_zpa.browser_access.cors_token | Token from the CORS request. | keyword |
zscaler_zpa.browser_access.exporter | The Browser Access service instance to the ZPA Public Service Edge or ZPA Private Service Edge instance. | keyword |
zscaler_zpa.browser_access.origin | The Browser Access domain that caused the origin of the CORS request. | keyword |
zscaler_zpa.browser_access.timestamp.request.receive.finish | Timestamp in microseconds when the Browser Access service received the last byte of the HTTP request from the web browser. | date |
zscaler_zpa.browser_access.timestamp.request.receive.header_finish | Timestamp in microseconds when the Browser Access service received the last byte of the HTTP headers corresponding to the request from the web browser. | date |
zscaler_zpa.browser_access.timestamp.request.receive.start | Timestamp in microseconds when the Browser Access service received the first byte of the HTTP request from the web browser. | date |
zscaler_zpa.browser_access.timestamp.request.transmit.finish | Timestamp in microseconds when the Browser Access service sent the last byte of the HTTP request to the web server. | date |
zscaler_zpa.browser_access.timestamp.request.transmit.start | Timestamp in microseconds when the Browser Access service sent the first byte of the HTTP request to the web server. | date |
zscaler_zpa.browser_access.timestamp.response.receive.finish | Timestamp in microseconds when the Browser Access service received the last byte of the HTTP response from the web server. | date |
zscaler_zpa.browser_access.timestamp.response.receive.start | Timestamp in microseconds when the Browser Access service received the first byte of the HTTP response from the web server. | date |
zscaler_zpa.browser_access.timestamp.response.transmit.finish | Timestamp in microseconds when the Browser Access service sent the last byte of the HTTP response to the web browser. | date |
zscaler_zpa.browser_access.timestamp.response.transmit.start | Timestamp in microseconds when the Browser Access service sent the first byte of the HTTP response to the web browser. | date |
zscaler_zpa.browser_access.total_time.connection.setup | Time difference, as seen by the Browser Access service, between receiving the first byte of the HTTP request from the web browser and transmitting the first byte to the web server. | long |
zscaler_zpa.browser_access.total_time.request.receive | Time difference, as seen by the Browser Access service, between receiving the first and last bytes of the HTTP request from the web browser. | long |
zscaler_zpa.browser_access.total_time.request.transmit | Time difference, as seen by the Browser Access service, between transmitting the first and last bytes of the HTTP request to the web server. | long |
zscaler_zpa.browser_access.total_time.response.receive | Time difference, as seen by the Browser Access service, between receiving the first and last bytes of the HTTP response from the web server. | long |
zscaler_zpa.browser_access.total_time.response.transmit | Time difference, as seen by the Browser Access service, between transmitting the first and last bytes of the HTTP request to the web server. | long |
zscaler_zpa.browser_access.total_time.server.response | Time difference, as seen by the Browser Access service, between transmitting the last byte of the HTTP request to the web server and receiving the first byte of the HTTP response from the web server. | long |
zscaler_zpa.browser_access.xff | X-Forwarded-For (XFF) HTTP header. | keyword |
Example

An example event for browser_access looks as following:

```json
{ "@timestamp": "2019-07-03T05:12:25.000Z", "agent": { "ephemeral_id": "2f27e7da-84b0-4fdf-b066-880015949dda", "hostname": "docker-fleet-agent", "id": "8b86614c-cda7-40f1-9823-ea2294fa4abf", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.2" }, "client": { "geo": { "city_name": "London", "continent_name": "Europe", "country_iso_code": "GB", "country_name": "United Kingdom", "location": { "lat": 51.5142, "lon": -0.0931 }, "region_iso_code": "GB-ENG", "region_name": "England" }, "ip": "81.2.69.144", "port": 60006 }, "data_stream": { "dataset": "zscaler_zpa.browser_access", "namespace": "ep", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "8b86614c-cda7-40f1-9823-ea2294fa4abf", "snapshot": false, "version": "7.16.2" }, "event": { "agent_id_status": "verified", "category": [ "network", "session" ], "dataset": "zscaler_zpa.browser_access", "ingested": "2023-02-22T12:10:03Z", "kind": "event", "original": "{\"LogTimestamp\":\"Wed Jul 3 05:12:25 2019\",\"ConnectionID\":\"\",\"Exporter\":\"unset\",\"TimestampRequestReceiveStart\":\"2019-07-03T05:12:25.723Z\",\"TimestampRequestReceiveHeaderFinish\":\"2019-07-03T05:12:25.723Z\",\"TimestampRequestReceiveFinish\":\"2019-07-03T05:12:25.723Z\",\"TimestampRequestTransmitStart\":\"2019-07-03T05:12:25.790Z\",\"TimestampRequestTransmitFinish\":\"2019-07-03T05:12:25.790Z\",\"TimestampResponseReceiveStart\":\"2019-07-03T05:12:25.791Z\",\"TimestampResponseReceiveFinish\":\"2019-07-03T05:12:25.791Z\",\"TimestampResponseTransmitStart\":\"2019-07-03T05:12:25.791Z\",\"TimestampResponseTransmitFinish\":\"2019-07-03T05:12:25.791Z\",\"TotalTimeRequestReceive\":127,\"TotalTimeRequestTransmit\":21,\"TotalTimeResponseReceive\":73,\"TotalTimeResponseTransmit\":13,\"TotalTimeConnectionSetup\":66995,\"TotalTimeServerResponse\":1349,\"Method\":\"GET\",\"Protocol\":\"HTTPS\",\"Host\":\"portal.beta.zdemo.net\",\"URL\":\"/media/Regular.woff\",\"UserAgent\":\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15\",\"XFF\":\"\",\"NameID\":\"[email protected]\",\"StatusCode\":304,\"RequestSize\":615,\"ResponseSize\":331,\"ApplicationPort\":443,\"ClientPublicIp\":\"81.2.69.144\",\"ClientPublicPort\":60006,\"ClientPrivateIp\":\"81.2.69.193\",\"Customer\":\"ANZ Team/zdemo in beta\",\"ConnectionStatus\":\"\",\"ConnectionReason\":\"\"}", "type": [ "connection" ] }, "http": { "request": { "body": { "bytes": 615 }, "method": "GET" }, "response": { "body": { "bytes": 331 }, "status_code": 304 } }, "input": { "type": "tcp" }, "log": { "source": { "address": "192.168.64.5:50860" } }, "organization": { "name": "ANZ Team/zdemo in beta" }, "related": { "ip": [ "81.2.69.144", "81.2.69.193" ], "user": [ "[email protected]" ] }, "server": { "address": "portal.beta.zdemo.net", "port": 443 }, "tags": [ "preserve_original_event", "forwarded", "zscaler_zpa-browser_access" ], "url": { "domain": "portal.beta.zdemo.net", "extension": "woff", "original": "https://portal.beta.zdemo.net/media/regular.woff", "path": "/media/regular.woff", "scheme": "https" }, "user": { "name": "[email protected]" }, "user_agent": { "device": { "name": "Mac" }, "name": "Safari", "original": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15", "os": { "full": "Mac OS X 10.14.5", "name": "Mac OS X", "version": "10.14.5" }, "version": "12.1.1" }, "zscaler_zpa": { "browser_access": { "client_private_ip": "81.2.69.193", "exporter": "unset", "timestamp": { "request": { "receive": { "finish": "2019-07-03T05:12:25.723Z", "header_finish": "2019-07-03T05:12:25.723Z", "start": "2019-07-03T05:12:25.723Z" }, "transmit": { "finish": "2019-07-03T05:12:25.790Z", "start": "2019-07-03T05:12:25.790Z" } }, "response": { "receive": { "finish": "2019-07-03T05:12:25.791Z", "start": "2019-07-03T05:12:25.791Z" }, "transmit": { "finish": "2019-07-03T05:12:25.791Z", "start": "2019-07-03T05:12:25.791Z" } } }, "total_time": { "connection": { "setup": 66995 }, "request": { "receive": 127, "transmit": 21 }, "response": { "receive": 73, "transmit": 13 }, "server": { "response": 1349 } } } } }
```
User Activity Log

Exported fields

Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset | constant_keyword |
event.module | Event module | constant_keyword |
input.type | Type of filebeat input. | keyword |
log.offset | Log offset. | long |
log.source.address | Source address from which the log event was read / sent. | keyword |
zscaler_zpa.user_activity.app_group | Application group name. | keyword |
zscaler_zpa.user_activity.app_learn_time | Time in microseconds taken by the App Connector to learn the requested application and report the learned information to the Central Authority. | long |
zscaler_zpa.user_activity.application | Application name. | keyword |
zscaler_zpa.user_activity.ca_processing_time | Time in microseconds taken for Central Authority processing. | long |
zscaler_zpa.user_activity.client_private_ip | Private IP address of the Zscaler Client Connector. | ip |
zscaler_zpa.user_activity.client_to_client | Status of the client-to-client connection. | keyword |
zscaler_zpa.user_activity.connection.id | Application connection ID. | keyword |
zscaler_zpa.user_activity.connection.setup_time | Time taken by the App Connector to process the notification from the App Connector selection microservice and establish the connection to the application server. | long |
zscaler_zpa.user_activity.connection.status | Status of the connection. Expected values for this field are: [Open, Close, Active]. | keyword |
zscaler_zpa.user_activity.connector.ip | Source IP address of the App Connector. | ip |
zscaler_zpa.user_activity.connector.name | App Connector name. | keyword |
zscaler_zpa.user_activity.connector.port | Source port of the App Connector. | integer |
zscaler_zpa.user_activity.connector_zen_setup_time | Time in microseconds taken to establish the connection between the App Connector and the ZPA Public Service Edge or ZPA Private Service Edge. | long |
zscaler_zpa.user_activity.double_encryption | Double encryption status. | integer |
zscaler_zpa.user_activity.idp | Name of the identity provider (IdP) configured in the ZPA Admin Portal. | keyword |
zscaler_zpa.user_activity.internal_reason | Internal reason for the transaction status. | keyword |
zscaler_zpa.user_activity.policy.name | Access policy or timeout policy rule name. | keyword |
zscaler_zpa.user_activity.policy.processing_time | Time in microseconds taken to process the access policy associated with the application. | long |
zscaler_zpa.user_activity.server | Server ID name. If dynamic server discovery is enabled, the server ID must be set to zero. | keyword |
zscaler_zpa.user_activity.server_setup_time | Time in microseconds taken to establish the connection on the server side. | long |
zscaler_zpa.user_activity.service_port | Destination port of the server. | integer |
zscaler_zpa.user_activity.session_id | TLS session ID. | keyword |
zscaler_zpa.user_activity.timestamp.app_learn_start | Time in microseconds taken by the App Connector to learn the requested application and report the learned information to the Central Authority. | keyword |
zscaler_zpa.user_activity.timestamp.ca.rx | Timestamp in microseconds when the Central Authority received the request from the ZPA Public Service Edge or ZPA Private Service Edge. | date |
zscaler_zpa.user_activity.timestamp.ca.tx | Timestamp in microseconds when the Central Authority sent the request to the ZPA Public Service Edge or ZPA Private Service Edge. | date |
zscaler_zpa.user_activity.timestamp.connection.end | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge terminated the connection. | date |
zscaler_zpa.user_activity.timestamp.connection.start | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the initial request from the Zscaler Client Connector to start the connection. | date |
zscaler_zpa.user_activity.timestamp.connector_zen.setup_complete | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the request from the App Connector to set up the data connection. The App Connector's request is triggered by the initial request from the Zscaler Client Connector for a specific application. | date |
zscaler_zpa.user_activity.timestamp.zen.client.rx.first | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the first byte from the Zscaler Client Connector. | date |
zscaler_zpa.user_activity.timestamp.zen.client.rx.last | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the last byte from the Zscaler Client Connector. | date |
zscaler_zpa.user_activity.timestamp.zen.client.tx.first | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the first byte to the Zscaler Client Connector. | date |
zscaler_zpa.user_activity.timestamp.zen.client.tx.last | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the last byte to the Zscaler Client Connector. | date |
zscaler_zpa.user_activity.timestamp.zen.connector.rx.first | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the first byte from the App Connector. | date |
zscaler_zpa.user_activity.timestamp.zen.connector.rx.last | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge received the last byte from the App Connector. | date |
zscaler_zpa.user_activity.timestamp.zen.connector.tx.first | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the first byte to the App Connector. | date |
zscaler_zpa.user_activity.timestamp.zen.connector.tx.last | Timestamp in microseconds when the ZPA Public Service Edge or ZPA Private Service Edge sent the last byte to the App Connector. | date |
zscaler_zpa.user_activity.zen.client.bytes_rx | Additional bytes received from the Zscaler Client Connector since the last transaction log. | long |
zscaler_zpa.user_activity.zen.client.bytes_tx | Additional bytes transmitted to the Zscaler Client Connector since the last transaction log. | long |
zscaler_zpa.user_activity.zen.client.domain | The ZPA Public Service Edge (formerly Zscaler Enforcement Node or ZEN) or ZPA Private Service Edge that received the request from the Zscaler Client Connector. | keyword |
zscaler_zpa.user_activity.zen.client.total.bytes_rx | Total bytes received by the ZPA Public Service Edge or ZPA Private Service Edge from the Zscaler Client Connector. | long |
zscaler_zpa.user_activity.zen.client.total.bytes_tx | Total bytes transmitted by the ZPA Public Service Edge or ZPA Private Service Edge from the Zscaler Client Connector. | long |
zscaler_zpa.user_activity.zen.connector.bytes_rx | Additional bytes received from the App Connector since the last transaction log. | long |
zscaler_zpa.user_activity.zen.connector.bytes_tx | Additional bytes transmitted by the App Connector since the last transaction log. |
长整型 |
zscaler_zpa.user_activity.zen.connector.domain |
发送来自应用连接器请求的 ZPA 公共服务边缘或 ZPA 私有服务边缘。 |
关键字 |
zscaler_zpa.user_activity.zen.connector.total.bytes_rx |
ZPA 公共服务边缘或 ZPA 私有服务边缘从应用连接器接收的总字节数。 |
长整型 |
zscaler_zpa.user_activity.zen.connector.total.bytes_tx |
ZPA 公共服务边缘或 ZPA 私有服务边缘传输到应用连接器的总字节数。 |
长整型 |
Example
An example event for user_activity looks as follows:
{ "@timestamp": "2019-05-31T17:35:42.000Z", "agent": { "ephemeral_id": "47a2e053-f9d2-4244-b6bd-9acf12361804", "hostname": "docker-fleet-agent", "id": "8b86614c-cda7-40f1-9823-ea2294fa4abf", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.2" }, "client": { "geo": { "country_iso_code": "US", "location": { "lat": 45, "lon": -119 } }, "ip": "81.2.69.193" }, "data_stream": { "dataset": "zscaler_zpa.user_activity", "namespace": "ep", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "8b86614c-cda7-40f1-9823-ea2294fa4abf", "snapshot": false, "version": "7.16.2" }, "event": { "agent_id_status": "verified", "category": [ "iam" ], "dataset": "zscaler_zpa.user_activity", "ingested": "2023-02-22T12:10:47Z", "kind": "event", "original": "{\"LogTimestamp\": \"Fri May 31 17:35:42 2019\",\"Customer\": \"Customer XYZ\",\"SessionID\": \"LHJdkjmNDf12nclBsvwA\",\"ConnectionID\": \"SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm\",\"InternalReason\": \"\",\"ConnectionStatus\": \"active\",\"IPProtocol\": 6,\"DoubleEncryption\": 0,\"Username\": \"ZPA LSS Client\",\"ServicePort\": 10011,\"ClientPublicIP\": \"81.2.69.193\",\"ClientLatitude\": 45.000000,\"ClientLongitude\": -119.000000,\"ClientCountryCode\": \"US\",\"ClientZEN\": \"broker2b.pdx\",\"Policy\": \"ABC Lab Apps\",\"Connector\": \"ZDEMO ABC\",\"ConnectorZEN\": \"broker2b.pdx\",\"ConnectorIP\": \"67.43.156.12\",\"ConnectorPort\": 60266,\"Host\": \"175.16.199.1\",\"Application\": \"ABC Lab Apps\",\"AppGroup\": \"ABC Lab Apps\",\"Server\": \"0\",\"ServerIP\": \"175.16.199.1\",\"ServerPort\": 10011,\"PolicyProcessingTime\": 28,\"CAProcessingTime\": 1330,\"ConnectorZENSetupTime\": 191017,\"ConnectionSetupTime\": 192397,\"ServerSetupTime\": 465,\"AppLearnTime\": 0,\"TimestampConnectionStart\": \"2019-05-30T08:20:42.230Z\",\"TimestampConnectionEnd\": \"\",\"TimestampCATx\": \"2019-05-30T08:20:42.230Z\",\"TimestampCARx\": \"2019-05-30T08:20:42.231Z\",\"TimestampAppLearnStart\": \"\",\"TimestampZENFirstRxClient\": \"2019-05-30T08:20:42.424Z\",\"TimestampZENFirstTxClient\": \"\",\"TimestampZENLastRxClient\": \"2019-05-31T17:34:27.348Z\",\"TimestampZENLastTxClient\": \"\",\"TimestampConnectorZENSetupComplete\": \"2019-05-30T08:20:42.422Z\",\"TimestampZENFirstRxConnector\": \"\",\"TimestampZENFirstTxConnector\": \"2019-05-30T08:20:42.424Z\",\"TimestampZENLastRxConnector\": \"\",\"TimestampZENLastTxConnector\": \"2019-05-31T17:34:27.348Z\",\"ZENTotalBytesRxClient\": 2406926,\"ZENBytesRxClient\": 7115,\"ZENTotalBytesTxClient\": 0,\"ZENBytesTxClient\": 0,\"ZENTotalBytesRxConnector\": 0,\"ZENBytesRxConnector\": 0,\"ZENTotalBytesTxConnector\": 2406926,\"ZENBytesTxConnector\": 7115,\"Idp\": \"Example IDP Config\",\"ClientToClient\": \"0\"}", "type": [ "info", "user" ] }, "host": { "ip": [ "175.16.199.1" ] }, "input": { "type": "tcp" }, "log": { "source": { "address": "192.168.64.5:60604" } }, "network": { "type": "ipv6" }, "organization": { "name": "Customer XYZ" }, "related": { "hosts": [ "broker2b.pdx" ], "ip": [ "81.2.69.193", "175.16.199.1", "67.43.156.12" ], "user": [ "ZPA LSS Client" ] }, "server": { "ip": "175.16.199.1", "port": 10011 }, "tags": [ "preserve_original_event", "forwarded", "zscaler_zpa-user_activity" ], "user": { "name": "ZPA LSS Client" }, "zscaler_zpa": { "user_activity": { "app_group": "ABC Lab Apps", "app_learn_time": 0, "application": "ABC Lab Apps", "ca_processing_time": 1330, "client_to_client": "0", "connection": { "id": "SqyZIMkg0JTj7EABsvwA,Q+EjXGdrvbF2lPiBbedm", "setup_time": 192397, "status": "active" }, "connector": { "ip": "67.43.156.12", "name": "ZDEMO ABC", "port": 60266 }, "connector_zen_setup_time": 191017, "double_encryption": 0, "idp": "Example IDP Config", "policy": { "name": "ABC Lab Apps", "processing_time": 28 }, "server": "0", "server_setup_time": 465, "service_port": 10011, "session_id": "LHJdkjmNDf12nclBsvwA", "timestamp": { "ca": { "rx": "2019-05-30T08:20:42.231Z", "tx": "2019-05-30T08:20:42.230Z" }, "connection": { "start": "2019-05-30T08:20:42.230Z" }, "connector_zen": { "setup_complete": "2019-05-30T08:20:42.422Z" }, "zen": { "client": { "rx": { "first": "2019-05-30T08:20:42.424Z", "last": "2019-05-31T17:34:27.348Z" } }, "connector": { "tx": { "first": "2019-05-30T08:20:42.424Z", "last": "2019-05-31T17:34:27.348Z" } } } }, "zen": { "client": { "bytes_rx": 7115, "bytes_tx": 0, "domain": "broker2b.pdx", "total": { "bytes_rx": 2406926, "bytes_tx": 0 } }, "connector": { "bytes_rx": 0, "bytes_tx": 7115, "domain": "broker2b.pdx", "total": { "bytes_rx": 0, "bytes_tx": 2406926 } } } } } }
User Status Log
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
event.dataset | Event dataset. | constant_keyword |
event.module | Event module. | constant_keyword |
input.type | Type of Filebeat input. | keyword |
log.offset | Log offset. | long |
log.source.address | Source address from which the log event was read or sent. | keyword |
zscaler_zpa.user_status.client.type | The client type of the request (i.e., Zscaler Client Connector, ZPA LSS, or web browser). | keyword |
zscaler_zpa.user_status.fqdn.registered | The hostname status of the client-to-client connection. The expected values for this field are true or false. | boolean |
zscaler_zpa.user_status.fqdn.registered_error | The status of the registered hostname. | keyword |
zscaler_zpa.user_status.idp | The name of the identity provider (IdP) configured in the ZPA Admin Portal. | keyword |
zscaler_zpa.user_status.postures.hit | The posture profiles verified for this device by the Zscaler Client Connector. | keyword |
zscaler_zpa.user_status.postures.miss | The posture profiles not verified for this device by the Zscaler Client Connector. | keyword |
zscaler_zpa.user_status.private_ip | The private IP address of the Zscaler Client Connector. | ip |
zscaler_zpa.user_status.saml_attributes | The list of SAML attributes reported by the IdP. | keyword |
zscaler_zpa.user_status.session.id | The TLS session ID. | keyword |
zscaler_zpa.user_status.session.status | The session status. | keyword |
zscaler_zpa.user_status.timestamp.authentication | The timestamp (in microseconds) when the Zscaler Client Connector authenticated. | date |
zscaler_zpa.user_status.timestamp.unauthentication | The timestamp (in microseconds) when the Zscaler Client Connector unauthenticated. | date |
zscaler_zpa.user_status.total.bytes_rx | The total bytes received. | long |
zscaler_zpa.user_status.total.bytes_tx | The total bytes transmitted. | long |
zscaler_zpa.user_status.trusted_networks | The unique ID of the trusted networks determined for this device by the Zscaler Client Connector. | keyword |
zscaler_zpa.user_status.trusted_networks_names | The names of the trusted networks determined for this device by the Zscaler Client Connector. | keyword |
zscaler_zpa.user_status.version | The Zscaler Client Connector version. | keyword |
zscaler_zpa.user_status.zen.domain | The Public Service Edge (formerly Zscaler Enforcement Node or ZEN) or ZPA Private Service Edge selected for the connection. | keyword |
Example
An example event for user_status looks as follows:
{ "@timestamp": "2019-05-31T17:34:48.000Z", "agent": { "ephemeral_id": "1c72d03d-9ca7-4487-a23b-3447b96a818b", "hostname": "docker-fleet-agent", "id": "8b86614c-cda7-40f1-9823-ea2294fa4abf", "name": "docker-fleet-agent", "type": "filebeat", "version": "7.16.2" }, "client": { "geo": { "country_iso_code": "US", "location": { "lat": 45, "lon": -119 } }, "ip": "81.2.69.144" }, "data_stream": { "dataset": "zscaler_zpa.user_status", "namespace": "ep", "type": "logs" }, "ecs": { "version": "8.11.0" }, "elastic_agent": { "id": "8b86614c-cda7-40f1-9823-ea2294fa4abf", "snapshot": false, "version": "7.16.2" }, "event": { "agent_id_status": "verified", "category": [ "iam" ], "dataset": "zscaler_zpa.user_status", "ingested": "2023-02-22T12:11:31Z", "kind": "state", "original": "{\"LogTimestamp\":\"Fri May 31 17:34:48 2019\",\"Customer\":\"Customer XYZ\",\"Username\":\"ZPA LSS Client\",\"SessionID\":\"vkczUERSLl88Y+ytH8v5\",\"SessionStatus\":\"ZPN_STATUS_AUTHENTICATED\",\"Version\":\"19.12.0-36-g87dad18\",\"ZEN\":\"broker2b.pdx\",\"CertificateCN\":\"loggerz2x.pde.zpabeta.net\",\"PublicIP\":\"81.2.69.144\",\"Latitude\":45,\"Longitude\":-119,\"CountryCode\":\"US\",\"TimestampAuthentication\":\"2019-05-29T21:18:38.000Z\",\"TimestampUnAuthentication\":\"\",\"TotalBytesRx\":31274866,\"TotalBytesTx\":25424152,\"Idp\":\"IDP Config\",\"Hostname\":\"DESKTOP-99HCSJ1\",\"Platform\":\"windows\",\"ClientType\":\"zpn_client_type_zapp\",\"TrustedNetworks\":\"TN1_stc1\",\"TrustedNetworksNames\":\"145248739466696953\",\"SAMLAttributes\":\"myname:user,myemail:[email protected]\",\"PosturesHit\":\"sm-posture1,sm-posture2\",\"PosturesMiss\":\"sm-posture11,sm-posture12\",\"ZENLatitude\":47,\"ZENLongitude\":-122,\"ZENCountryCode\":\"\",\"FQDNRegistered\": \"0\",\"FQDNRegisteredError\": \"CUSTOMER_NOT_ENABLED\"}", "type": [ "info", "user" ] }, "host": { "hostname": "DESKTOP-99HCSJ1", "os": { "platform": "windows" } }, "input": { "type": "tcp" }, "log": { "source": { "address": "192.168.64.5:37104" } }, "organization": { "name": "Customer XYZ" }, "related": { "ip": [ "81.2.69.144" ], "user": [ "ZPA LSS Client" ] }, "server": { "geo": { "location": { "lat": 47, "lon": -122 } } }, "tags": [ "preserve_original_event", "forwarded", "zscaler_zpa-user_status" ], "user": { "name": "ZPA LSS Client" }, "x509": { "issuer": { "common_name": [ "loggerz2x.pde.zpabeta.net" ] } }, "zscaler_zpa": { "user_status": { "client": { "type": "zpn_client_type_zapp" }, "fqdn": { "registered": false, "registered_error": "CUSTOMER_NOT_ENABLED" }, "idp": "IDP Config", "postures": { "hit": [ "sm-posture1", "sm-posture2" ], "miss": [ "sm-posture11", "sm-posture12" ] }, "saml_attributes": [ "myname:user", "myemail:[email protected]" ], "session": { "id": "vkczUERSLl88Y+ytH8v5", "status": "ZPN_STATUS_AUTHENTICATED" }, "timestamp": { "authentication": "2019-05-29T21:18:38.000Z" }, "total": { "bytes_rx": 31274866, "bytes_tx": 25424152 }, "trusted_networks": "TN1_stc1", "trusted_networks_names": "145248739466696953", "version": "19.12.0-36-g87dad18", "zen": { "domain": "broker2b.pdx" } } } }
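As an added example (not the integration's own ingest pipeline), the following Python reproduces the shape of the mapping visible in the user_activity and user_status example events above: it frames the newline-terminated LSS records out of a TCP buffer, splits the comma-separated posture and SAML attribute strings into lists, converts FQDNRegistered from a string to a boolean, and drops empty timestamps instead of indexing "" into a date field. The sample record and the subset of fields mapped are constructed assumptions.

```python
import json

# Constructed sample, modelled on the user_status event.original shown above;
# the LSS sends one such JSON object per line, terminated by "\n".
RAW_USER_STATUS = json.dumps({
    "SessionID": "vkczUERSLl88Y+ytH8v5",
    "SessionStatus": "ZPN_STATUS_AUTHENTICATED",
    "TimestampAuthentication": "2019-05-29T21:18:38.000Z",
    "TimestampUnAuthentication": "",
    "TotalBytesRx": 31274866,
    "TotalBytesTx": 25424152,
    "SAMLAttributes": "myname:user,mygroup:finance",
    "PosturesHit": "sm-posture1,sm-posture2",
    "PosturesMiss": "sm-posture11,sm-posture12",
    "FQDNRegistered": "0",
    "FQDNRegisteredError": "CUSTOMER_NOT_ENABLED",
})

def split_list(value):
    """Comma-separated LSS string -> list of keywords (empty/missing -> [])."""
    return [item for item in (value or "").split(",") if item]

def to_bool(value):
    """FQDNRegistered arrives as a string; "0" (as in the example above) -> False."""
    return str(value).strip().lower() in ("1", "true")

def map_user_status(raw_line):
    """Map one raw LSS user_status record to the zscaler_zpa.user_status layout."""
    src = json.loads(raw_line)
    doc = {
        "session": {"id": src.get("SessionID"), "status": src.get("SessionStatus")},
        "fqdn": {"registered": to_bool(src.get("FQDNRegistered", "")),
                 "registered_error": src.get("FQDNRegisteredError")},
        "postures": {"hit": split_list(src.get("PosturesHit")),
                     "miss": split_list(src.get("PosturesMiss"))},
        "saml_attributes": split_list(src.get("SAMLAttributes")),
        "timestamp": {},
        "total": {"bytes_rx": src.get("TotalBytesRx"), "bytes_tx": src.get("TotalBytesTx")},
    }
    # A still-authenticated session has an empty TimestampUnAuthentication: omit it.
    for key, field in (("TimestampAuthentication", "authentication"),
                       ("TimestampUnAuthentication", "unauthentication")):
        if src.get(key):
            doc["timestamp"][field] = src[key]
    return doc

def parse_lss_stream(buf):
    """Split a TCP buffer into complete newline-terminated records; a partial
    trailing record is returned as leftover bytes for the next read."""
    head, sep, tail = buf.rpartition(b"\n")
    lines = [ln for ln in head.split(b"\n") if ln.strip()] if sep else []
    return [map_user_status(ln.decode("utf-8")) for ln in lines], tail
```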
Changelog
Version | Details | Kibana version(s) |
---|---|---|
1.20.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.19.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.18.0 | Enhancement (View pull request) | 8.13.0 or higher |
1.17.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.16.1 | Enhancement (View pull request) | 8.7.1 or higher |
1.16.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.15.1 | Enhancement (View pull request) | 8.7.1 or higher |
1.15.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.14.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.13.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.12.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.11.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.10.0 | Enhancement (View pull request) | 8.7.1 or higher |
1.9.0 | Enhancement (View pull request) | 7.16.2 or higher |
1.8.0 | Enhancement (View pull request) | 7.16.2 or higher |
1.7.0 | Enhancement (View pull request) | 7.16.2 or higher |
1.6.1 | Bug fix (View pull request) | 7.16.2 or higher |
1.6.0 | Enhancement (View pull request) | 7.16.2 or higher |
1.5.2 | Enhancement (View pull request) | 7.16.2 or higher |
1.5.1 | Enhancement (View pull request); Bug fix (View pull request) | 7.16.2 or higher |
1.5.0 | Enhancement (View pull request) | 7.16.2 or higher |
1.4.1 | Bug fix (View pull request); Bug fix (View pull request) | 7.16.2 or higher |
1.4.0 | Enhancement (View pull request) | 7.16.2 or higher |
1.3.0 | Enhancement (View pull request) | 7.16.2 or higher |
1.2.1 | Enhancement (View pull request) | 7.16.2 or higher |
1.2.0 | Enhancement (View pull request) | 7.16.2 or higher |
1.1.0 | Enhancement (View pull request) | 7.16.2 or higher |
1.0.0 | Enhancement (View pull request) | 7.16.2 or higher |
0.2.0 | Enhancement (View pull request) | — |
0.1.2 | Enhancement (View pull request) | — |
0.1.1 | Enhancement (View pull request) | — |
0.1.0 | Enhancement (View pull request) | — |