이 페이지는 Cloud Translation API를 통해 번역되었습니다.

Zscaler ZPA 로그 수집

다음에서 지원:

Google SecOps SIEM

이 문서에서는 Bindplane 에이전트를 설정하여 Zscaler ZPA 로그를 내보내는 방법과 로그 필드가 Google SecOps 통합 데이터 모델 (UDM) 필드에 매핑되는 방식을 설명합니다.

자세한 내용은 Google SecOps에 데이터 수집 개요를 참고하세요.

일반적인 배포는 Google SecOps에 로그를 전송하도록 구성된 Zscaler ZPA 및 Bindplane 에이전트로 구성됩니다. 고객 배포마다 다를 수 있으며 더 복잡할 수도 있습니다.

배포에는 다음 구성요소가 포함됩니다.

Zscaler ZPA: 로그를 수집하는 플랫폼입니다.
Bindplane 에이전트: Bindplane 에이전트는 Zscaler ZPA에서 로그를 가져오고 Google SecOps로 로그를 전송합니다.
Google SecOps: 로그를 보관하고 분석합니다.

수집 라벨은 원시 로그 데이터를 구조화된 UDM 형식으로 정규화하는 파서를 식별합니다. 이 문서의 정보는 ZSCALER_ZPA 라벨이 있는 파서에 적용됩니다.

시작하기 전에

Zscaler Private Access 콘솔에 액세스할 수 있는지 확인합니다. 자세한 내용은 Secure Private Access (ZPA) 도움말을 참고하세요.
Zscaler ZPA 2024 이상을 사용하고 있는지 확인합니다.
배포 아키텍처의 모든 시스템이 UTC 시간대로 구성되었는지 확인합니다.

Zscaler Private Access에서 로그 수신기 구성

다음 단계에 따라 Zscaler Private Access에서 로그 수신기를 구성하고 관리합니다.

로그 수신기 추가

구성 및 제어 > 비공개 인프라 > 로그 스트리밍 서비스 > 로그 수신기를 선택합니다.
로그 수신기 추가를 클릭합니다.
로그 수신기 탭에서 다음을 수행합니다.
1. 이름 필드에 로그 수신기의 이름을 입력합니다.
2. 설명 필드에 설명을 입력합니다.
3. 도메인 또는 IP 주소 필드에 로그 수신자의 정규화된 도메인 이름 (FQDN) 또는 IP 주소를 입력합니다.
4. TCP 포트 필드에 로그 수신기가 사용하는 TCP 포트 번호를 입력합니다.
5. TLS 암호화에서 암호화 유형을 선택하여 앱 커넥터와 로그 수신기 간 트래픽의 암호화를 사용 설정하거나 중지합니다. 기본적으로 이 설정은 사용 중지되어 있습니다.
6. 앱 커넥터 그룹 목록에서 수신기에 로그를 전달할 수 있는 그룹을 선택합니다.
7. 다음을 클릭합니다.

로그 스트림 탭에서 다음을 수행합니다.

메뉴에서 로그 유형을 선택합니다.
메뉴에서 로그 템플릿을 선택합니다.
로그 스트림 콘텐츠를 복사하여 붙여넣고 새 필드를 추가합니다. 키 이름이 실제 필드 이름과 일치하는지 확인합니다. 다음은 각 로그 유형의 기본 로그 스트림 콘텐츠 설정입니다.

사용자 활동:

{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"ConnectionID": %j{ConnectionID},"InternalReason": %j{InternalReason},"ConnectionStatus": %j{ConnectionStatus},"IPProtocol": %d{IPProtocol},"DoubleEncryption": %d{DoubleEncryption},"Username": %j{Username},"ServicePort": %d{ServicePort},"ClientPublicIP": %j{ClientPublicIP},"ClientPrivateIP": %j{ClientPrivateIP},"ClientLatitude": %f{ClientLatitude},"ClientLongitude": %f{ClientLongitude},"ClientCountryCode": %j{ClientCountryCode},"ClientZEN": %j{ClientZEN},"Policy": %j{Policy},"Connector": %j{Connector},"ConnectorZEN": %j{ConnectorZEN},"ConnectorIP": %j{ConnectorIP},"ConnectorPort": %d{ConnectorPort},"Host": %j{Host},"Application": %j{Application},"AppGroup": %j{AppGroup},"Server": %j{Server},"ServerIP": %j{ServerIP},"ServerPort": %d{ServerPort},"PolicyProcessingTime": %d{PolicyProcessingTime},"ServerSetupTime": %d{ServerSetupTime},"TimestampConnectionStart": %j{TimestampConnectionStart:iso8601},"TimestampConnectionEnd": %j{TimestampConnectionEnd:iso8601},"TimestampCATx": %j{TimestampCATx:iso8601},"TimestampCARx": %j{TimestampCARx:iso8601},"TimestampAppLearnStart": %j{TimestampAppLearnStart:iso8601},"TimestampZENFirstRxClient": %j{TimestampZENFirstRxClient:iso8601},"TimestampZENFirstTxClient": %j{TimestampZENFirstTxClient:iso8601},"TimestampZENLastRxClient": %j{TimestampZENLastRxClient:iso8601},"TimestampZENLastTxClient": %j{TimestampZENLastTxClient:iso8601},"TimestampConnectorZENSetupComplete": %j{TimestampConnectorZENSetupComplete:iso8601},"TimestampZENFirstRxConnector": %j{TimestampZENFirstRxConnector:iso8601},"TimestampZENFirstTxConnector": %j{TimestampZENFirstTxConnector:iso8601},"TimestampZENLastRxConnector": %j{TimestampZENLastRxConnector:iso8601},"TimestampZENLastTxConnector": %j{TimestampZENLastTxConnector:iso8601},"ZENTotalBytesRxClient": %d{ZENTotalBytesRxClient},"ZENBytesRxClient": %d{ZENBytesRxClient},"ZENTotalBytesTxClient": %d{ZENTotalBytesTxClient},"ZENBytesTxClient": %d{ZENBytesTxClient},"ZENTotalBytesRxConnector": %d{ZENTotalBytesRxConnector},"ZENBytesRxConnector": %d{ZENBytesRxConnector},"ZENTotalBytesTxConnector": %d{ZENTotalBytesTxConnector},"ZENBytesTxConnector": %d{ZENBytesTxConnector},"Idp": %j{Idp},"ClientToClient": %j{c2c},"ClientCity": %j{ClientCity},"MicroTenantID": %j{MicroTenantID},"AppMicroTenantID": %j{AppMicroTenantID}}\n

사용자 상태:

{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"Username": %j{Username},"SessionID": %j{SessionID},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"ZEN": %j{ZEN},"CertificateCN": %j{CertificateCN},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx},"Idp": %j{Idp},"Hostname": %j{Hostname},"Platform": %j{Platform},"ClientType": %j{ClientType},"TrustedNetworks": [%j(,){TrustedNetworks}],"TrustedNetworksNames": [%j(,){TrustedNetworksNames}],"SAMLAttributes": %j{SAMLAttributes},"PosturesHit": [%j(,){PosturesHit}],"PosturesMiss": [%j(,){PosturesMiss}],"ZENLatitude": %f{ZENLatitude},"ZENLongitude": %f{ZENLongitude},"ZENCountryCode": %j{ZENCountryCode},"FQDNRegistered": %j{fqdn_registered},"FQDNRegisteredError": %j{fqdn_register_error},"City": %j{City},"MicroTenantID": %j{MicroTenantID}}\n

브라우저 액세스

{"LogTimestamp":%j{LogTimestamp:time},"ConnectionID":%j{ConnectionID},"Exporter":%j{Exporter},"TimestampRequestReceiveStart":%j{TimestampRequestReceiveStart:iso8601},"TimestampRequestReceiveHeaderFinish":%j{TimestampRequestReceiveHeaderFinish:iso8601},"TimestampRequestReceiveFinish":%j{TimestampRequestReceiveFinish:iso8601},"TimestampRequestTransmitStart":%j{TimestampRequestTransmitStart:iso8601},"TimestampRequestTransmitFinish":%j{TimestampRequestTransmitFinish:iso8601},"TimestampResponseReceiveStart":%j{TimestampResponseReceiveStart:iso8601},"TimestampResponseReceiveFinish":%j{TimestampResponseReceiveFinish:iso8601},"TimestampResponseTransmitStart":%j{TimestampResponseTransmitStart:iso8601},"TimestampResponseTransmitFinish":%j{TimestampResponseTransmitFinish:iso8601},"TotalTimeRequestReceive":%d{TotalTimeRequestReceive},"TotalTimeRequestTransmit":%d{TotalTimeRequestTransmit},"TotalTimeResponseReceive":%d{TotalTimeResponseReceive},"TotalTimeResponseTransmit":%d{TotalTimeResponseTransmit},"TotalTimeConnectionSetup":%d{TotalTimeConnectionSetup},"TotalTimeServerResponse":%d{TotalTimeServerResponse},"Method":%j{Method},"Protocol":%j{Protocol},"Host":%j{Host},"URL":%j{URL},"UserAgent":%j{UserAgent},"XFF":%j{XFF},"NameID":%j{NameID},"StatusCode":%d{StatusCode},"RequestSize":%d{RequestSize},"ResponseSize":%d{ResponseSize},"ApplicationPort":%d{ApplicationPort},"ClientPublicIp":%j{ClientPublicIp},"ClientPublicPort":%d{ClientPublicPort},"ClientPrivateIp":%j{ClientPrivateIp},"Customer":%j{Customer},"ConnectionStatus":%j{ConnectionStatus},"ConnectionReason":%j{ConnectionReason},"Origin":%j{Origin},"CorsToken":%j{CorsToken}}\n

프라이빗 서비스 엣지 상태:

{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"SessionType": %j{SessionType},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"PackageVersion": %j{PackageVersion},"Platform": %j{Platform},"ZEN": %j{ZEN},"ServiceEdge": %j{ServiceEdge},"ServiceEdgeGroup": %j{ServiceEdgeGroup},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"CPUUtilization": %d{CPUUtilization},"MemUtilization": %d{MemUtilization},"InterfaceDefRoute": %j{InterfaceDefRoute},"DefRouteGW": %j{DefRouteGW},"PrimaryDNSResolver": %j{PrimaryDNSResolver},"HostUpTime": %j{HostUpTime},"ServiceEdgeStartTime": %j{ServiceEdgeStartTime},"NumOfInterfaces": %d{NumOfInterfaces},"BytesRxInterface": %d{BytesRxInterface},"PacketsRxInterface": %d{PacketsRxInterface},"ErrorsRxInterface": %d{ErrorsRxInterface},"DiscardsRxInterface": %d{DiscardsRxInterface},"BytesTxInterface": %d{BytesTxInterface},"PacketsTxInterface": %d{PacketsTxInterface},"ErrorsTxInterface": %d{ErrorsTxInterface},"DiscardsTxInterface": %d{DiscardsTxInterface},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx},"MicroTenantID": %j{MicroTenantID}}\n

앱 커넥터 상태:

{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"SessionID": %j{SessionID},"SessionType": %j{SessionType},"SessionStatus": %j{SessionStatus},"Version": %j{Version},"Platform": %j{Platform},"ZEN": %j{ZEN},"Connector": %j{Connector},"ConnectorGroup": %j{ConnectorGroup},"PrivateIP": %j{PrivateIP},"PublicIP": %j{PublicIP},"Latitude": %f{Latitude},"Longitude": %f{Longitude},"CountryCode": %j{CountryCode},"TimestampAuthentication": %j{TimestampAuthentication:iso8601},"TimestampUnAuthentication": %j{TimestampUnAuthentication:iso8601},"CPUUtilization": %d{CPUUtilization},"MemUtilization": %d{MemUtilization},"ServiceCount": %d{ServiceCount},"InterfaceDefRoute": %j{InterfaceDefRoute},"DefRouteGW": %j{DefRouteGW},"PrimaryDNSResolver": %j{PrimaryDNSResolver},"HostStartTime": %j{HostStartTime},"ConnectorStartTime": %j{ConnectorStartTime},"NumOfInterfaces": %d{NumOfInterfaces},"BytesRxInterface": %d{BytesRxInterface},"PacketsRxInterface": %d{PacketsRxInterface},"ErrorsRxInterface": %d{ErrorsRxInterface},"DiscardsRxInterface": %d{DiscardsRxInterface},"BytesTxInterface": %d{BytesTxInterface},"PacketsTxInterface": %d{PacketsTxInterface},"ErrorsTxInterface": %d{ErrorsTxInterface},"DiscardsTxInterface": %d{DiscardsTxInterface},"TotalBytesRx": %d{TotalBytesRx},"TotalBytesTx": %d{TotalBytesTx},"MicroTenantID": %j{MicroTenantID}}\n

앱 커넥터 측정항목:

{"LogTimestamp":%j{LogTimestamp:time},"Connector":%j{Connector},"CPUUtilization":%j{CPUUtilization},"SystemMemoryUtilization":%j{SystemMemoryUtilization},"ProcessMemoryUtilization":%j{ProcessMemoryUtilization},"AppCount":%j{AppCount},"ServiceCount":%j{ServiceCount},"TargetCount":%j{TargetCount},"AliveTargetCount":%j{AliveTargetCount},"ActiveConnectionsToPublicSE":%j{ActiveConnectionsToPublicSE},"DisconnectedConnectionsToPublicSE":%j{DisconnectedConnectionsToPublicSE},"ActiveConnectionsToPrivateSE":%j{ActiveConnectionsToPrivateSE},"DisconnectedConnectionsToPrivateSE":%j{DisconnectedConnectionsToPrivateSE},"TransmittedBytesToPublicSE":%j{TransmittedBytesToPublicSE},"ReceivedBytesFromPublicSE":%j{ReceivedBytesFromPublicSE},"TransmittedBytesToPrivateSE":%j{TransmittedBytesToPrivateSE},"ReceivedBytesFromPrivateSE":%j{ReceivedBytesFromPrivateSE},"AppConnectionsCreated":%j{AppConnectionsCreated},"AppConnectionsCleared":%j{AppConnectionsCleared},"AppConnectionsActive":%j{AppConnectionsActive},"UsedTCPPortsIPv4":%j{UsedTCPPortsIPv4},"UsedUDPPortsIPv4":%j{UsedUDPPortsIPv4},"UsedTCPPortsIPv6":%j{UsedTCPPortsIPv6},"UsedUDPPortsIPv6":%j{UsedUDPPortsIPv6},"AvailablePorts":%j{AvailablePorts},"SystemMaximumFileDescriptors":%j{SystemMaximumFileDescriptors},"SystemUsedFileDescriptors":%j{SystemUsedFileDescriptors},"ProcessMaximumFileDescriptors":%j{ProcessMaximumFileDescriptors},"ProcessUsedFileDescriptors":%j{ProcessUsedFileDescriptors},"AvailableDiskBytes":%j{AvailableDiskBytes},"MicroTenantID": %j{MicroTenantID}}\n

AppProtection:

{"LogTimestamp": %j{LogTimestamp:time},"Customer": %j{Customer},"ConnectionID": %j{ConnectionID},"UserID": %j{UserID},"AssistantID": %j{AssistantID},"ExchangeSequenceIndex": %d{ExchangeSequenceIndex},"TimestampRequestReceiveStart": %d{TimestampRequestReceiveStart},"TimestampRequestReceiveHeaderFinish": %d{TimestampRequestReceiveHeaderFinish},"TimestampRequestReceiveFinish": %d{TimestampRequestReceiveFinish},"TimestampRequestTransmitStart": %d{TimestampRequestTransmitStart},"TimestampRequestTransmitFinish": %d{TimestampRequestTransmitFinish},"TimestampResponseReceiveFinish": %d{TimestampResponseReceiveFinish},"TimestampResponseTransmitStart": %d{TimestampResponseTransmitStart},"TimestampResponseTransmitFinish": %d{TimestampResponseTransmitFinish},"TotalTimeRequestReceive": %d{TotalTimeRequestReceive},"TotalTimeRequestTransmit": %d{TotalTimeRequestTransmit},"TotalTimeResponseReceive": %d{TotalTimeResponseReceive},"TotalTimeResponseTransmit": %d{TotalTimeResponseTransmit},"Domain": %j{Domain},"Method": %j{Method},"Protocol": %j{Protocol},"ProtocolVersion": %j{ProtocolVersion},"ContentType": %j{ContentType},"ContentEncoding": %j{ContentEncoding},"TransferEncoding": %j{TransferEncoding},"Host": %j{Host},"Destination": %j{Destination},"OriginDomain": %j{OriginDomain},"URL": %j{URL},"UserAgent": %j{UserAgent},"HTTPError": %j{HTTPError},"ClientPublicIp": %j{ClientPublicIp},"ClientPort": %d{ClientPort},"UpgradeHeaderPresent": %d{UpgradeHeaderPresent},"StatusCode": %d{StatusCode},"RequestHdrSize": %d{RequestHdrSize},"ResponseHdrSize": %d{ResponseHdrSize},"RequestBodySize": %d{RequestBodySize},"ResponseBodySize": %d{ResponseBodySize},"Application": %d{Application},"ApplicationGroup": %d{ApplicationGroup},"InspectionPolicy": %d{InspectionPolicy},"InspectionProfile": %d{InspectionProfile},"ParanoiaLevel": %d{ParanoiaLevel},"InspectionControlsHitCount": %d{InspectionControlsHitCount},"InspectionRuleProcessingTime": %d{InspectionRuleProcessingTime},"InspectionReqHeadersProcessingTime": %d{InspectionReqHeadersProcessingTime},"InspectionReqBodyProcessingTime": %d{InspectionReqBodyProcessingTime},"InspectionRespHeadersProcessingTime": %d{InspectionRespHeadersProcessingTime},"InspectionRespBodyProcessingTime": %d{InspectionRespBodyProcessingTime},"CertificateId": %d{CertificateId},"DoubleEncryption": %d{DoubleEncryption},"SSLInspection": %d{SSLInspection},"TotalBytesProcessed": %d{TotalBytesProcessed},"InspectionControls": [%j(,){InspectionControlArray}],"InspectionControlTypes": [%j(,){ControlTypeArray}],"InspectionControlCategories": [%j(,){InspectionControlCategories}],"Actions": [%j(,){Actions}],"Severities": [%j(,){SeveritiesArray}],"Descriptions": [%j(,){DescriptiveExplanationsArray}]}\n

비공개 서비스 에지 측정항목:

{"LogTimestamp":%j{LogTimestamp:time},"PrivateSE":%j{PrivateSE},"CPUUtilization":%j{CPUUtilization},"SystemMemoryUtilization":%j{SystemMemoryUtilization},"ProcessMemoryUtilization":%j{ProcessMemoryUtilization},"UsedTCPPortsIPv4":%j{UsedTCPPortsIPv4},"UsedUDPPortsIPv4":%j{UsedUDPPortsIPv4},"UsedTCPPortsIPv6":%j{UsedTCPPortsIPv6},"UsedUDPPortsIPv6":%j{UsedUDPPortsIPv6},"AvailablePorts":%j{AvailablePorts},"SystemMaximumFileDescriptors":%j{SystemMaximumFileDescriptors},"SystemUsedFileDescriptors":%j{SystemUsedFileDescriptors},"ProcessMaximumFileDescriptors":%j{ProcessMaximumFileDescriptors},"ProcessUsedFileDescriptors":%j{ProcessUsedFileDescriptors},"AvailableDiskBytes":%j{AvailableDiskBytes}}\n

로그 스트림 콘텐츠에서 로그 스트림 콘텐츠를 수정하여 맞춤 로그 템플릿을 만듭니다.
SAML 속성에서 IdP 선택을 클릭하고 정책에 포함할 IdP 구성을 선택합니다.
애플리케이션 세그먼트 메뉴에서 포함할 애플리케이션 세그먼트를 선택하고 완료를 클릭합니다.
세그먼트 그룹 메뉴에서 포함할 세그먼트 그룹을 선택하고 완료를 클릭합니다.
클라이언트 유형 메뉴에서 포함할 클라이언트 유형을 선택하고 완료를 클릭합니다.
세션 상태 메뉴에서 제외할 세션 상태 코드를 선택하고 완료를 클릭합니다.
다음을 클릭합니다.

검토 탭에서 로그 수신기 구성을 검토하고 저장을 클릭합니다.

참고: ZSCALER_ZPA Gold 파서는 JSON 로그 형식만 지원하므로 로그 스트림을 구성할 때 메뉴에서 로그 템플릿으로 JSON을 선택해야 합니다.

로그 수신기 복사

제어 > 비공개 인프라 > 로그 스트리밍 서비스 > 로그 수신기를 선택합니다.
표에서 수정하려는 로그 수신기를 찾아 복사를 클릭합니다.
로그 수신기 추가 창에서 필요에 따라 필드를 수정합니다. 각 필드에 대해 자세히 알아보려면 로그 수신기 추가 섹션의 절차를 참고하세요.
저장을 클릭합니다.

로그 수신기 수정

제어 > 비공개 인프라 > 로그 스트리밍 서비스 > 로그 수신기를 선택합니다.
표에서 수정할 로그 수신기를 찾아 수정을 클릭합니다.
로그 수신기 수정 창에서 필요에 따라 필드를 수정합니다. 각 필드에 대해 자세히 알아보려면 로그 수신기 추가 섹션의 절차를 참고하세요.
저장을 클릭합니다.

로그 수신기 삭제

제어 > 비공개 인프라 > 로그 스트리밍 서비스 > 로그 수신기를 선택합니다.
표에서 수정하려는 로그 수신자를 찾아 삭제를 클릭합니다.
확인 창에서 삭제를 클릭합니다.

Bindplane 에이전트를 사용하여 Google SecOps로 로그 전달

Linux 가상 머신을 설치하고 설정합니다.
로그를 Google SecOps로 전달하도록 Linux에 Bindplane 에이전트를 설치하고 구성합니다. Bindplane 에이전트를 설치하고 구성하는 방법에 대한 자세한 내용은 Bindplane 에이전트 설치 및 구성 안내를 참고하세요.

피드를 만들 때 문제가 발생하면 Google SecOps 지원팀에 문의하세요.

지원되는 Zscaler ZPA 로그 형식

Zscaler ZPA 파서는 JSON 형식의 로그를 지원합니다.

지원되는 Zscaler ZPA 샘플 로그

JSON

{
  "LogTimestamp": "Wed Jun 12 23:54:04 2024",
  "Customer": "Dummy User",
  "SessionID": "oKbLDDwJQN8C0lNHtAkh",
  "ConnectionID": "oKbLDDwJQN8C0lNHtAkh,WkyDJqMGv8TzkHKsK7uq",
  "InternalReason": "APP_NOT_REACHABLE",
  "ConnectionStatus": "close",
  "IPProtocol": 6,
  "DoubleEncryption": 0,
  "Username": "ZPA LSS Client",
  "ServicePort": 30161,
  "ClientPublicIP": "198.51.100.0",
  "ClientPrivateIP": "",
  "ClientLatitude": 45.823400,
  "ClientLongitude": -119.725700,
  "ClientCountryCode": "US",
  "ClientZEN": "US-CA-9390",
  "Policy": "0",
  "Connector": "0",
  "ConnectorZEN": "0",
  "ConnectorIP": "",
  "ConnectorPort": 0,
  "Host": "198.51.100.1",
  "Application": "Pune COE Receiver Logs - User Logs",
  "AppGroup": "Pune COE Receiver Logs - User Logs",
  "Server": "0",
  "ServerIP": "",
  "ServerPort": 30161,
  "PolicyProcessingTime": 66,
  "ServerSetupTime": 0,
  "TimestampConnectionStart": "2024-06-12T23:54:04.733Z",
  "TimestampConnectionEnd": "2024-06-12T23:54:04.735Z",
  "TimestampCATx": "2024-06-12T23:54:04.733Z",
  "TimestampCARx": "",
  "TimestampAppLearnStart": "",
  "TimestampZENFirstRxClient": "",
  "TimestampZENFirstTxClient": "",
  "TimestampZENLastRxClient": "",
  "TimestampZENLastTxClient": "",
  "TimestampConnectorZENSetupComplete": "",
  "TimestampZENFirstRxConnector": "",
  "TimestampZENFirstTxConnector": "",
  "TimestampZENLastRxConnector": "",
  "TimestampZENLastTxConnector": "",
  "ZENTotalBytesRxClient": 0,
  "ZENBytesRxClient": 0,
  "ZENTotalBytesTxClient": 0,
  "ZENBytesTxClient": 0,
  "ZENTotalBytesRxConnector": 0,
  "ZENBytesRxConnector": 0,
  "ZENTotalBytesTxConnector": 0,
  "ZENBytesTxConnector": 0,
  "Idp": "0",
  "ClientToClient": "0",
  "ClientCity": "Boardman",
  "MicroTenantID": "0",
  "AppMicroTenantID": "0"
}

UDM 매핑 테이블

필드 매핑 참조: ZSCALER_ZPA

다음 표에는 ZSCALER_ZPA 로그 유형의 로그 필드와 해당 UDM 필드가 나와 있습니다.

Log field	UDM mapping	Logic
	`metadata.vendor_name`	The `metadata.vendor_name` UDM field is set to `Zscaler`.
	`metadata.product_name`	The `metadata.product_name` UDM field is set to `Private Access`.
	`metadata.event_type`	If the `InternalReason` log field value contain one of the following values, then the `metadata.event_type` UDM field is set to `NETWORK_CONNECTION`. `ZPN_STATUS_AUTH_FAILED` `APP_NOT_AVAILABLE` `APP_NOT_REACHABLE` `AST_MT_SETUP_ERR_APP_NOT_FOUND` `AST_MT_SETUP_ERR_AST_CFG_DISABLE` `AST_MT_SETUP_ERR_AST_IN_PAUSE_STATE_FOR_UPGRADE` `AST_MT_SETUP_ERR_BIND_ACK` `AST_MT_SETUP_ERR_BIND_GLOBAL_OWNER` `AST_MT_SETUP_ERR_BIND_TO_AST_LOCAL_OWNER` `AST_MT_SETUP_ERR_BRK_HASH_TBL_FULL` `AST_MT_SETUP_ERR_BROKER_BIND_FAIL` `AST_MT_SETUP_ERR_CONN_PEER` `AST_MT_SETUP_ERR_CPU_LIMIT_REACHED` `AST_MT_SETUP_ERR_DUP_MT_ID` `AST_MT_SETUP_ERR_HASH_TBL_FULL` `AST_MT_SETUP_ERR_INIT_FOHH_MCONN` `AST_MT_SETUP_ERR_MAX_SESSIONS_REACHED` `AST_MT_SETUP_ERR_MEM_LIMIT_REACHED` `AST_MT_SETUP_ERR_NO_DNS_TO_SERVER` `AST_MT_SETUP_ERR_NO_EPHEMERAL_PORT` `AST_MT_SETUP_ERR_NO_PROCESS_FD` `AST_MT_SETUP_ERR_NO_SYSTEM_FD` `AST_MT_SETUP_ERR_OPEN_BROKER_CONN` `AST_MT_SETUP_ERR_OPEN_SERVER_CLOSE` `AST_MT_SETUP_ERR_OPEN_SERVER_CONN` `AST_MT_SETUP_ERR_OPEN_SERVER_ERROR` `AST_MT_SETUP_ERR_OPEN_SERVER_TIMEOUT` `AST_MT_SETUP_ERR_PRA_UNAVAILABLE` `AST_MT_SETUP_TIMEOUT_CANNOT_CONN_TO_BROKER` `AST_MT_SETUP_TIMEOUT_CANNOT_CONN_TO_SERVER` `AST_MT_SETUP_TIMEOUT_NO_ACK_TO_BIND` `AST_MT_SETUP_TIMEOUT` `AST_MT_TERMINATED` `BRK_CONN_UPGRADE_REQUEST_FAILED` `BRK_CONN_UPGRADE_REQUEST_FORBIDDEN` `BRK_MT_AUTH_ALREADY_FAILED` `BRK_MT_AUTH_NO_SAML_ASSERTION_IN_MSG` `BRK_MT_AUTH_SAML_CANNOT_ADD_ATTR_TO_HASH` `BRK_MT_AUTH_SAML_CANNOT_ADD_ATTR_TO_HEAP` `BRK_MT_AUTH_SAML_DECODE_FAIL` `BRK_MT_AUTH_SAML_FAILURE` `BRK_MT_AUTH_SAML_FINGER_PRINT_FAIL` `BRK_MT_AUTH_SAML_NO_USER_ID` `BRK_MT_AUTH_TWO_SAML_ASSERTION_IN_MSG` `BRK_MT_CLOSED_FROM_ASSISTANT` `BRK_MT_CLOSED_FROM_CLIENT` `BRK_MT_CLOSED_ZIA_CONN_GONE_CLOSED` `BRK_MT_RESET_FROM_SERVER` `BRK_MT_SETUP_FAIL_APP_NOT_FOUND` `BRK_MT_SETUP_FAIL_BIND_RECV_IN_BAD_STATE` `BRK_MT_SETUP_FAIL_BIND_TO_AST_LOCAL_OWNER` `BRK_MT_SETUP_FAIL_BIND_TO_CLIENT_LOCAL_OWNER` `BRK_MT_SETUP_FAIL_CANNOT_PROMOTE` `BRK_MT_SETUP_FAIL_CANNOT_SEND_MT_COMPLETE` `BRK_MT_SETUP_FAIL_CANNOT_SEND_TO_DISPATCHER` `BRK_MT_SETUP_FAIL_CONNECTOR_GROUPS_MISSING` `BRK_MT_SETUP_FAIL_CTRL_BRK_CANNOT_FIND_CONNECTOR` `BRK_MT_SETUP_FAIL_DUPLICATE_TAG_ID` `BRK_MT_SETUP_FAIL_ICMP_RATE_LIMIT_EXCEEDED` `BRK_MT_SETUP_FAIL_ICMP_RATE_LIMIT_NUM_APP_EXCEEDED` `BRK_MT_SETUP_FAIL_NO_POLICY_FOUND` `BRK_MT_SETUP_FAIL_RATE_LIMIT_EXCEEDED` `BRK_MT_SETUP_FAIL_RATE_LIMIT_LOOP_DETECTED` `BRK_MT_SETUP_FAIL_RATE_LIMIT_NUM_APP_EXCEEDED` `BRK_MT_SETUP_FAIL_REJECTED_BY_POLICY_APPROVAL` `BRK_MT_SETUP_FAIL_REJECTED_BY_POLICY` `BRK_MT_SETUP_FAIL_REPEATED_DISPATCH` `BRK_MT_SETUP_FAIL_SAML_EXPIRED` `BRK_MT_SETUP_FAIL_SCIM_INACTIVE` `BRK_MT_SETUP_FAIL_TOO_MANY_FAILED_ATTEMPTS` `BRK_MT_SETUP_TIMEOUT` `BRK_MT_TERMINATED_APPROVAL_TIMEOUT` `BRK_MT_TERMINATED_BRK_SWITCHED` `BRK_MT_TERMINATED_IDLE_TIMEOUT` `BRK_MT_TERMINATED` `BROKER_NOT_ENABLED` `C2C_CLIENT_CONN_EXPIRED` `C2C_CLIENT_NOT_FOUND` `C2C_MTUNNEL_BAD_STATE` `C2C_MTUNNEL_FAILED_FORWARD` `C2C_MTUNNEL_NOT_FOUND` `C2C_NOT_AVAILABLE` `CLT_CONN_FAILED` `CLT_DOUBLEENCRYPT_NOT_SUPPORTED` `CLT_DUPLICATE_TAG` `CLT_INVALID_CLIENT` `CLT_INVALID_DOMAIN` `CLT_INVALID_TAG` `CLT_PORT_UNREACHABLE` `CLT_PROBE_FAILED` `CLT_PROTOCOL_NOT_SUPPORTED` `CLT_READ_FAILED` `CLT_WRONG_PORT` `CUSTOMER_NOT_ENABLED` `DSP_MT_SETUP_FAIL_CANNOT_SEND_TO_BROKER` `DSP_MT_SETUP_FAIL_DISCOVERY_TIMEOUT` `DSP_MT_SETUP_FAIL_MISSING_HEALTH` `EXPTR_FCONN_GONE` `EXPTR_MT_TLS_SETUP_FAIL_CERT_CHAIN_ISSUE` `EXPTR_MT_TLS_SETUP_FAIL_NOT_TRUSTED_CA` `EXPTR_MT_TLS_SETUP_FAIL_PEER` `EXPTR_MT_TLS_SETUP_FAIL_VERSION_MISMATCH` `FOHH_CLOSE_REASON_AST_DATA_CONN_FLOW_CONTROL` `FOHH_CLOSE_REASON_AST_PBRK_CTRL_CONN_CFG_CHG` `FOHH_CLOSE_REASON_AST_PBRK_DATA_DOWN` `FOHH_CLOSE_REASON_AST_PBRK_VERIFY_FAILED` `FOHH_CLOSE_REASON_BRK_DATA_CONN_FLOW_CONTROL` `FOHH_CLOSE_REASON_CALLBACK_ERR` `FOHH_CLOSE_REASON_CERT_VERIFY` `FOHH_CLOSE_REASON_CONNECT_TIMEOUT` `FOHH_CLOSE_REASON_DATA_CONN_FLOW_CONTROL` `FOHH_CLOSE_REASON_HTTP_RESPONSE` `FOHH_CLOSE_REASON_LOG_RECONN` `FOHH_CLOSE_REASON_MEMORY` `FOHH_CLOSE_REASON_OPS` `FOHH_CLOSE_REASON_PROXY_DNS` `FOHH_CLOSE_REASON_PROXY_FAIL` `FOHH_CLOSE_REASON_PROXY_IDLE` `FOHH_CLOSE_REASON_PROXY_NOT_200` `FOHH_CLOSE_REASON_PROXY_PARSE` `FOHH_CLOSE_REASON_PROXY_TIMEOUT` `FOHH_CLOSE_REASON_REDIRECT` `FOHH_CLOSE_REASON_REGISTRATION` `FOHH_CLOSE_REASON_RX_TIMEOUT` `FOHH_CLOSE_REASON_SERIALIZE` `FOHH_CLOSE_REASON_SETSOCKOPT` `FOHH_CLOSE_REASON_SNI_MISSING` `FOHH_CLOSE_REASON_SNI_SLOW` `FOHH_CLOSE_REASON_SNI_TIMEOUT` `FOHH_CLOSE_REASON_SOCKET_CLOSE` `FOHH_CLOSE_REASON_SOCKET_ERR` `FOHH_CLOSE_REASON_SSL_CTX_NONE` `FOHH_CLOSE_REASON_TIMEOUT` `FOHH_CLOSE_REASON_TLV_CALLBACK` `FOHH_CLOSE_REASON_TLV_DESERIALIZE` `FOHH_CLOSE_REASON_TLV_LEN` `FOHH_CLOSE_REASON_TLV_NO_CALLBACK` `FQDN_BAD_REGEX` `FQDN_BAD_SCHEMA` `FQDN_EMPTY` `FQDN_NO_ENTRIES` `FQDN_NO_MATCH` `FQDN_TOO_MANY_REGEX` `INVALID_DOMAIN` `MT_CLOSED_INTERNAL_ERROR` `MT_CLOSED_TERMINATED` `MT_CLOSED_TLS_CONN_GONE_AST_CLOSED` `MT_CLOSED_TLS_CONN_GONE_CLIENT_CLOSED` `MT_CLOSED_TLS_CONN_GONE_MANUAL_DRAIN` `MT_CLOSED_TLS_CONN_GONE_SCIM_USER_DISABLE` `MT_CLOSED_TLS_CONN_GONE` `NO_CONNECTOR_AVAILABLE` `OPEN_OR_ACTIVE_CONNECTION` `ZIA_MT_BLOCKED_BY_INSPECTION` `ZIA_MT_BLOCKED_BY_SYSTEM_ERROR` `ZPN_ERR_AUTH_APP_FAIL` `ZPN_ERR_AUTH_CUSTOMER_FAIL` `ZPN_ERR_AUTH_CUSTOMER_MISSING` `ZPN_ERR_AUTH_EXPIRED` `ZPN_ERR_AUTH_NOT_COMPLETE` `ZPN_ERR_AUTH_SAML_EXPIRED` `ZPN_ERR_AUTH_SERVICE_DISABLED` `ZPN_ERR_AUTH_TIMEOUT` `ZPN_ERR_CERT_EXPIRED` `ZPN_ERR_CUSTOMER_DISABLED` `ZPN_ERR_SCIM_INACTIVE` Else, if the `target` log field value is not empty and the `SessionStatus` log field value is equal to `ZPN_STATUS_AUTHENTICATED`, then the `metadata.event_type` UDM field is set to `USER_LOGIN`. Else, if the `target` log field value is not empty and the `SessionStatus` log field value is equal to `ZPN_STATUS_DISCONNECTED`, then the `metadata.event_type` UDM field is set to `USER_LOGOUT`. Else, if the `principal.ip` log field value is not empty or the `principal.mac` log field value is not empty or the `principal.hostname` log field value is not empty or the `principal.asset_id` log field value is not empty, then the `metadata.event_type` UDM field is set to `STATUS_UPDATE`.
`UserID`	`principal.user.email_addresses`	If the `UserID` log field value matches the regular expression pattern `(^.@.$)`, then the `UserID` log field is mapped to the `principal.user.email_addresses` UDM field.
`UserID`	`principal.user.userid`	If the `UserID` log field value matches the regular expression pattern `(^.@.$)`, then the `UserID` log field is mapped to the `principal.user.userid` UDM field.
`UserID`	`principal.user.user_display_name`	If the `UserID` log field value does not match the regular expression pattern `(^.@.$)`, then the `UserID` log field is mapped to the `principal.user.user_display_name` UDM field.
`UserID`	`target.user.email_addresses`	If the `InternalReason` log field value contain one of the following values, then if the `UserID` log field value matches the regular expression pattern `(^.@.$)`, then the `UserID` log field is mapped to the `target.user.email_addresses` UDM field. `ZPN_STATUS_AUTHENTICATED` `ZPN_STATUS_DISCONNECTED`
`UserID`	`target.user.userid`	If the `InternalReason` log field value contain one of the following values, then if the `UserID` log field value matches the regular expression pattern `(^.@.$)`, then the `UserID` log field is mapped to the `target.user.userid` UDM field. `ZPN_STATUS_AUTHENTICATED` `ZPN_STATUS_DISCONNECTED`
`UserID`	`target.user.user_display_name`	If the `InternalReason` log field value contain one of the following values, then if the `UserID` log field value does not match the regular expression pattern `(^.@.$)`, then the `UserID` log field is mapped to the `target.user.user_display_name` UDM field. `ZPN_STATUS_AUTHENTICATED` `ZPN_STATUS_DISCONNECTED`
`AssistantID`	`additional.fields[assistant_id]`
`ExchangeSequenceIndex`	`additional.fields[exchange_sequence_index]`
`TimestampRequestReceiveStart`	`additional.fields[timestamp_request_receive_start]`
`TimestampRequestReceiveHeaderFinish`	`additional.fields[timestamp_request_receive_header_finish]`
`TimestampRequestReceiveFinish`	`additional.fields[timestamp_request_receive_finish]`
`TimestampRequestTransmitStart`	`additional.fields[timestamp_request_transmit_start]`
`TimestampRequestTransmitFinish`	`additional.fields[timestamp_request_transmit_finish]`
`TimestampResponseReceiveStart`	`additional.fields[timestamp_response_receive_start]`
`TimestampResponseReceiveFinish`	`additional.fields[timestamp_response_receive_finish]`
`TimestampResponseTransmitStart`	`additional.fields[timestamp_response_transmit_start]`
`TimestampResponseTransmitFinish`	`additional.fields[timestamp_response_transmit_finish]`
`TotalTimeRequestReceive`	`additional.fields[total_time_request_receive]`
`TotalTimeRequestTransmit`	`additional.fields[total_time_request_transmit]`
`TotalTimeResponseReceive`	`additional.fields[total_time_response_receive]`
`TotalTimeResponseTransmit`	`additional.fields[total_time_response_transmit]`
`Method`	`principal.network.http.method`
`Domain`	`principal.network.dns_domain`
`Protocol`	`additional.fields[protocol]`	If the `Protocol` log field value does not contain one of the following values, then the `Protocol` log field is mapped to the `principal.network.application_protocol` UDM field. `AFP` `AMQP` `APPC` `ATOM` `BEEP` `BIT_TORRENT` `BITCOIN` `CFDP` `CIP` `COAP` `COTP` `DCERPC` `DDS` `DEVICE_NET` `DHCP` `DICOM` `DNP3` `DNS` `E_DONKEY` `ENRP` `FAST_TRACK` `FINGER` `FREENET` `FTAM` `GOOSE` `GOPHER` `GRPC` `H323` `HL7` `HTTP` `HTTPS` `IEC104` `IRCP` `KADEMLIA` `KRB5` `LDAP` `LPD` `MIME` `MMS` `MODBUS` `MQTT` `NETCONF` `NFS` `NIS` `NNTP` `NTCIP` `NTP` `OSCAR` `PNRP` `PTP` `QUIC` `RDP` `RELP` `RIP` `RLOGIN` `RPC` `RTMP` `RTP` `RTPS` `RTSP` `SAP` `SDP` `SIP` `SLP` `SMB` `SMTP` `SNMP` `SNTP` `SSH` `SSMS` `STYX` `SV` `TCAP` `TDS` `TOR` `TSP` `UNKNOWN_APPLICATION_PROTOCOL` `VTP` `WEB_DAV` `WHOIS` `X400` `X500` `XMPP`
`Protocol`	`principal.network.application_protocol`	If the `Protocol` log field value contain one of the following values, then the `Protocol` log field is mapped to the `principal.network.application_protocol` UDM field. `AFP` `AMQP` `APPC` `ATOM` `BEEP` `BIT_TORRENT` `BITCOIN` `CFDP` `CIP` `COAP` `COTP` `DCERPC` `DDS` `DEVICE_NET` `DHCP` `DICOM` `DNP3` `DNS` `E_DONKEY` `ENRP` `FAST_TRACK` `FINGER` `FREENET` `FTAM` `GOOSE` `GOPHER` `GRPC` `H323` `HL7` `HTTP` `HTTPS` `IEC104` `IRCP` `KADEMLIA` `KRB5` `LDAP` `LPD` `MIME` `MMS` `MODBUS` `MQTT` `NETCONF` `NFS` `NIS` `NNTP` `NTCIP` `NTP` `OSCAR` `PNRP` `PTP` `QUIC` `RDP` `RELP` `RIP` `RLOGIN` `RPC` `RTMP` `RTP` `RTPS` `RTSP` `SAP` `SDP` `SIP` `SLP` `SMB` `SMTP` `SNMP` `SNTP` `SSH` `SSMS` `STYX` `SV` `TCAP` `TDS` `TOR` `TSP` `UNKNOWN_APPLICATION_PROTOCOL` `VTP` `WEB_DAV` `WHOIS` `X400` `X500` `XMPP`
`ProtocolVersion`	`additional.fields[protocol_version]`
`ContentType`	`additional.fields[content_type]`
`ContentEncoding`	`additional.fields[content_encoding]`
`TransferEncoding`	`additional.fields[transfer_encoding]`
`OriginDomain`	`target.network.dns_domain`
`URL`	`principal.network.http.referral_url`
`UserAgent`	`principal.network.http.user_agent`
`HTTPError`	`additional.fields[http_status]`
`ClientPort`	`principal.port`
`UpgradeHeaderPresent`	`additional.fields[upgrade_header_present]`
`RequestHdrSize`	`additional.fields[request_hdr_size]`
`ResponseHdrSize`	`additional.fields[response_hdr_size]`
`RequestBodySize`	`additional.fields[request_body_size]`
`ResponseBodySize`	`additional.fields[response_body_size]`
`ApplicationGroup`	`target.group.group_display_name`
`InspectionPolicy`	`additional.fields[inspection_policy]`
`InspectionProfile`	`additional.fields[inspection_profile]`
`ParanoiaLevel`	`additional.fields[paranoia_level]`
`InspectionControlsHitCount`	`additional.fields[inspection_controls_hit_count]`
`InspectionRuleProcessingTime`	`additional.fields[inspection_rule_processing_time]`
`InspectionReqHeadersProcessingTime`	`additional.fields[inspection_req_headers_processing_time]`
`InspectionReqBodyProcessingTime`	`additional.fields[inspection_req_body_processing_time]`
`InspectionRespHeadersProcessingTime`	`additional.fields[inspection_resp_headers_processing_time]`
`InspectionRespBodyProcessingTime`	`additional.fields[inspection_resp_body_processing_time]`
`CertificateId`	`additional.fields[certificate_id]`
`SSLInspection`	`additional.fields[ssl_inspection]`
`TotalBytesProcessed`	`additional.fields[total_bytes_processed]`
`AppLearnTime`	`additional.fields[app_learn_time]`
`CAProcessingTime`	`additional.fields[ca_processing_time]`
`ConnectionSetupTime`	`additional.fields[connection_setup_time]`
`ConnectorZENSetupTime`	`additional.fields[connector_zen_setup_time]`
`PRAApprovalID`	`additional.fields[pra_approval_id]`
`PRACapabilityPolicyID`	`additional.fields[pra_capability_policy_id]`
`PRAConnectionID`	`additional.fields[pra_connection_id]`
`PRAConsoleType`	`additional.fields[pra_console_type]`
`PRACredentialLoginType`	`additional.fields[pra_credential_login_type]`
`PRACredentialPolicyID`	`additional.fields[pra_credential_policy_id]`
`PRACredentialUserName`	`additional.fields[pra_credential_user_name]`
`PRAErrorStatus`	`additional.fields[pra_error_status]`
`PRAFileTransferList`	`additional.fields[pra_file_transfer_list]`
`PRARecordingStatus`	`additional.fields[pra_recording_status]`
`PRASessionType`	`additional.fields[pra_session_type]`
`PRASharedMode`	`additional.fields[pra_shared_mode]`
`PRASharedUserList`	`additional.fields[pra_shared_user_list]`
`ZENBytesRxClient`	`intermediary.resource.attribute.labels[zen_bytes_rx_client]`
`ZENBytesRxConnector`	`intermediary.resource.attribute.labels[zen_bytes_rx_connector]`
`ZENBytesTxClient`	`intermediary.resource.attribute.labels[zen_bytes_tx_client]`
`ZENTotalBytesRxConnector`	`intermediary.resource.attribute.labels[zen_total_bytes_rx_connector]`
`ZENBytesTxConnector`	`target.network.sent_bytes`
`ZENTotalBytesTxConnector`	`intermediary.resource.attribute.labels[zen_total_bytes_tx_connector]`
`LogTimestamp`	`metadata.event_timestamp`	If the `LogTimestamp` log field value is not empty, then the `LogTimestamp` log field is mapped to the `metadata.event_timestamp` UDM field.
`TimestampConnectionStart`	`metadata.event_timestamp`	If the `LogTimestamp` log field value is not empty, then else, if the `TimestampAuthentication` log field value is not empty, then else, if the `TimestampUnAuthentication` log field value is not empty, then else, if the `TimestampConnectionStart` log field value is not empty, then the `TimestampConnectionStart` log field is mapped to the `metadata.event_timestamp` UDM field.
`Customer`	`additional.fields[customer]`
`SessionID`	`network.session_id`
`ConnectionID`	`additional.fields[connection_id]`
`InternalReason`	`metadata.product_event_type`	The `InternalReason` log field is mapped to the `metadata.product_event_type` UDM field.
`SessionStatus`	`metadata.product_event_type`	If the `InternalReason` log field value is empty, then the `SessionStatus` log field is mapped to the `metadata.product_event_type` UDM field.
`ConnectionStatus`	`security_result.about.labels[connection_status]`
	`network.ip_protocol`	If the `IPProtocol` log field value contain one of the following values, then if the `IPProtocol` log field value is equal to `88`, then the `network.ip_protocol` UDM field is set to `EIGRP`. Else, if the `IPProtocol` log field value is equal to `50`, then the `network.ip_protocol` UDM field is set to `ESP`. Else, if the `IPProtocol` log field value is equal to `97`, then the `network.ip_protocol` UDM field is set to `ETHERIP`. Else, if the `IPProtocol` log field value is equal to `47`, then the `network.ip_protocol` UDM field is set to `GRE`. Else, if the `IPProtocol` log field value is equal to `1`, then the `network.ip_protocol` UDM field is set to `ICMP`. Else, if the `IPProtocol` log field value is equal to `58`, then the `network.ip_protocol` UDM field is set to `ICMP6`. Else, if the `IPProtocol` log field value is equal to `2`, then the `network.ip_protocol` UDM field is set to `IGMP`. Else, if the `IPProtocol` log field value is equal to `41`, then the `network.ip_protocol` UDM field is set to `IP6IN4`. Else, if the `IPProtocol` log field value is equal to `103`, then the `network.ip_protocol` UDM field is set to `PIM`. Else, if the `IPProtocol` log field value is equal to `132`, then the `network.ip_protocol` UDM field is set to `SCTP`. Else, if the `IPProtocol` log field value is equal to `6`, then the `network.ip_protocol` UDM field is set to `TCP`. Else, if the `IPProtocol` log field value is equal to `17`, then the `network.ip_protocol` UDM field is set to `UDP`. Else, if the `IPProtocol` log field value is equal to `0`, then the `network.ip_protocol` UDM field is set to `UNKNOWN_IP_IPPROTOCOL`. Else, if the `IPProtocol` log field value is equal to `112`, then the `network.ip_protocol` UDM field is set to `VRRP`. `88` `50` `97` `47` `1` `58` `2` `41` `103` `132` `6` `17` `0` `112`
`DoubleEncryption`	`additional.fields[double_encryption]`	If the `DoubleEncryption` log field value is equal to `0` or the `DoubleEncryption` log field value is equal to `"0"`, then else, if the `DoubleEncryption` log field value is equal to `1` or the `DoubleEncryption` log field value is equal to `"1"`, then else, the `DoubleEncryption` log field is mapped to the `additional.fields.double_encryption` UDM field.
`Username`	`principal.user.email_addresses`	If the `InternalReason` log field value does not contain one of the following values, then if the `Username` log field value matches the regular expression pattern `(^.@.$)`, then the `Username` log field is mapped to the `principal.user.email_addresses` UDM field. `ZPN_STATUS_AUTHENTICATED` `ZPN_STATUS_DISCONNECTED`
`Username`	`principal.user.userid`	If the `InternalReason` log field value does not contain one of the following values, then if the `Username` log field value matches the regular expression pattern `(^.@.$)`, then the `Username` log field is mapped to the `principal.user.userid` UDM field. `ZPN_STATUS_AUTHENTICATED` `ZPN_STATUS_DISCONNECTED`
`Username`	`principal.user.user_display_name`	If the `InternalReason` log field value does not contain one of the following values, then if the `Username` log field value does not match the regular expression pattern `(^.@.$)`, then the `Username` log field is mapped to the `principal.user.user_display_name` UDM field. `ZPN_STATUS_AUTHENTICATED` `ZPN_STATUS_DISCONNECTED`
`Username`	`target.user.email_addresses`	If the `InternalReason` log field value contain one of the following values, then if the `Username` log field value matches the regular expression pattern `(^.@.$)`, then the `Username` log field is mapped to the `target.user.email_addresses` UDM field. `ZPN_STATUS_AUTHENTICATED` `ZPN_STATUS_DISCONNECTED`
`Username`	`target.user.userid`	If the `InternalReason` log field value contain one of the following values, then if the `Username` log field value matches the regular expression pattern `(^.@.$)`, then the `Username` log field is mapped to the `target.user.userid` UDM field. `ZPN_STATUS_AUTHENTICATED` `ZPN_STATUS_DISCONNECTED`
`Username`	`target.user.user_display_name`	If the `InternalReason` log field value contain one of the following values, then if the `Username` log field value does not match the regular expression pattern `(^.@.$)`, then the `Username` log field is mapped to the `target.user.user_display_name` UDM field. `ZPN_STATUS_AUTHENTICATED` `ZPN_STATUS_DISCONNECTED`
`ServicePort`	`principal.port`
`ClientPublicIp`	`principal.nat_ip`
`PublicIP`	`principal.nat_ip`
`ClientPublicIP`	`principal.nat_ip`
`ClientPrivateIp`	`principal.ip`
`PrivateIP`	`principal.ip`
`ClientPrivateIP`	`principal.ip`
`ClientLatitude`	`principal.location.region_coordinates.latitude`
`Latitude`	`principal.location.region_coordinates.latitude`
`ClientLongitude`	`principal.location.region_coordinates.longitude`
`Longitude`	`principal.location.region_coordinates.longitude`
`ClientCountryCode`	`principal.location.country_or_region`
`CountryCode`	`principal.location.country_or_region`
`ClientZEN`	`additional.fields[client_zen]`
`Policy`	`security_result.rule_name`
`Policy`	`metadata.description`
`Connector`	`intermediary.application`
`ConnectorZEN`	`additional.fields[connector_zen]`
`ConnectorIP`	`intermediary.ip`
`ConnectorPort`	`intermediary.port`
`Host`	`target.hostname`
`Application`	`target.application`	If the `Application` log field value is not empty, then the `Application` log field is mapped to the `target.application` UDM field.
`AppGroup`	`target.user.group_identifiers`	If the `AppGroup` log field value is not empty, then the `AppGroup` log field is mapped to the `target.user.group_identifiers` UDM field.
`Server`	`security_result.detection_fields[server]`
`ServerIP`	`target.ip`
`PolicyProcessingTime`	`additional.fields[policy_processing_time]`
`ServerSetupTime`	`additional.fields[server_setup_time]`
`TimestampConnectionEnd`	`additional.fields[timestamp_connection_end]`
`TimestampCATx`	`additional.fields[timestamp_ca_tx]`
`TimestampCARx`	`additional.fields[timestamp_ca_rx]`
`TimestampAppLearnStart`	`additional.fields[timestamp_app_learn_start]`
`TimestampZENFirstRxClient`	`additional.fields[timestamp_zen_first_rx_client]`
`TimestampZENFirstTxClient`	`additional.fields[timestamp_zen_first_tx_client]`
`TimestampZENLastRxClient`	`additional.fields[timestamp_zen_last_rx_client]`
`TimestampZENLastTxClient`	`additional.fields[timestamp_zen_last_tx_client]`
`TimestampConnectorZENSetupComplete`	`additional.fields[timestamp_connector_zen_setup_complete]`
`TimestampZENFirstRxConnector`	`additional.fields[timestamp_zen_first_rx_connector]`
`TimestampZENFirstTxConnector`	`additional.fields[timestamp_zen_first_tx_connector]`
`TimestampZENLastRxConnector`	`additional.fields[timestamp_zen_last_rx_connector]`
`TimestampZENLastTxConnector`	`additional.fields[timestamp_zen_last_tx_connector]`
`Idp`	`additional.fields[idp]`
`ClientToClient`	`additional.fields[client_to_client]`
`ClientCity`	`principal.location.city`
`City`	`principal.location.city`
`AppMicroTenantID`	`additional.fields[app_micro_tenant_id]`
`MicroTenantID`	`additional.fields[micro_tenant_id]`
`Version`	`additional.fields[version]`
`ZEN`	`additional.fields[zen]`
`CertificateCN`	`security_result.detection_fields[certificate_cn]`
`TotalBytesRx`	`principal.network.received_bytes`
`TotalBytesTx`	`principal.network.sent_bytes`
`Hostname`	`principal.hostname`
	`principal.platform`	If the `Platform` log field value matches the regular expression pattern `.(Windows\|windows\|WINDOWS\|Win\|win)`, then the `principal.platform` UDM field is set to `WINDOWS`. Else, if the `Platform` log field value matches the regular expression pattern `.(MAC\|mac\|Mac)`, then the `principal.platform` UDM field is set to `MAC`. Else, if the `Platform` log field value matches the regular expression pattern `.*(Linux\|linux\|LINUX)`, then the `principal.platform` UDM field is set to `LINUX`.
`ClientType`	`principal.application`
`TrustedNetworks`	`principal.security_result.detection_fields[trusted_networks]`
`TrustedNetworksNames`	`principal.security_result.detection_fields[trusted_networks_names]`
`SAMLAttributes`	`additional.fields[saml_attributes]`
`PosturesHit`	`principal.security_result.detection_fields[postures_hit]`
`PosturesMiss`	`principal.security_result.detection_fields[postures_miss]`
`ZENLatitude`	`intermediary.location.region_coordinates.latitude`
`ZENLongitude`	`intermediary.location.region_coordinates.longitude`
`ZENCountryCode`	`intermediary.location.country_or_region`
`FQDNRegistered`	`principal.security_result.about.labels[fqdn_registered]`
`FQDNRegisteredError`	`principal.security_result.about.labels[fqdn_registered_error]`
`StatusCode`	`principal.network.http.response_code`
`XFF`	`additional.fields[xff]`
`Exporter`	`additional.fields[exporter]`
`TotalTimeConnectionSetup`	`additional.fields[total_time_connection_setup]`
`TotalTimeServerResponse`	`additional.fields[total_time_server_response]`
`SessionType`	`additional.fields[session_type]`
`ConnectorGroup`	`additional.fields[connector_group]`
`MemUtilization`	`additional.fields[mem_utilization]`
`InterfaceDefRoute`	`additional.fields[interface_def_route]`
`HostStartTime`	`additional.fields[host_start_time]`
`ConnectorStartTime`	`additional.fields[connector_start_time]`
`NumOfInterfaces`	`additional.fields[num_of_interfaces]`
`ServiceEdge`	`additional.fields[service_edge]`
`ServiceEdgeStartTime`	`additional.fields[service_edge_start_time]`
`ServiceEdgeGroup`	`additional.fields[service_edge_group]`
`PackageVersion`	`additional.fields[package_version]`
`DefRouteGW`	`additional.fields[def_route_gw]`
`BytesRxInterface`	`additional.fields[bytes_rx_interface]`
`BytesTxInterface`	`additional.fields[bytes_tx_interface]`
`PacketsRxInterface`	`additional.fields[packets_rx_interface]`
`PacketsTxInterface`	`additional.fields[packets_tx_interface]`
`ErrorsRxInterface`	`additional.fields[errors_rx_interface]`
`ErrorsTxInterface`	`additional.fields[errors_tx_interface]`
`DiscardsRxInterface`	`additional.fields[discards_rx_interface]`
`DiscardsTxInterface`	`additional.fields[discards_tx_interface]`
`PrimaryDNSResolver`	`additional.fields[primary_dns_resolver]`
`CorsToken`	`security_result.detection_fields[cors_token]`
`Origin`	`additional.fields[origin]`
`ConnectionReason`	`additional.fields[connection_reason]`
`ApplicationPort`	`principal.port`
`ClientPublicPort`	`principal.nat_port`
`NameID`	`principal.user.email_addresses`
`RequestSize`	`additional.fields[request_size]`
`ResponseSize`	`additional.fields[response_size]`
`ProcessMemoryUtilization`	`additional.fields[process_memory_utilization]`
`SystemMemoryUtilization`	`additional.fields[system_memory_utilization]`
`CPUUtilization`	`additional.fields[cpu_utilization]`
`AppCount`	`additional.fields[app_count]`
`ServiceCount`	`additional.fields[service_count]`
`TargetCount`	`additional.fields[target_count]`
`AliveTargetCount`	`additional.fields[alive_target_count]`
`ActiveConnectionsToPublicSE`	`additional.fields[active_connections_to_public_se]`
`DisconnectedConnectionsToPublicSE`	`additional.fields[disconnected_connections_to_public_se]`
`ActiveConnectionsToPrivateSE`	`additional.fields[active_connections_to_private_se]`
`DisconnectedConnectionsToPrivateSE`	`additional.fields[disconnected_connections_to_private_se]`
`TransmittedBytesToPublicSE`	`additional.fields[transmitted_bytes_to_public_se]`
`ReceivedBytesFromPublicSE`	`additional.fields[received_bytes_from_public_se]`
`TransmittedBytesToPrivateSE`	`additional.fields[transmitted_bytes_to_private_se]`
`ReceivedBytesFromPrivateSE`	`additional.fields[received_bytes_from_private_se]`
`AppConnectionsCreated`	`additional.fields[app_connections_created]`
`AppConnectionsCleared`	`additional.fields[app_connections_cleared]`
`AppConnectionsActive`	`additional.fields[app_connections_active]`
`UsedTCPPortsIPv4`	`additional.fields[used_tcp_ports_ip_v4]`
`UsedUDPPortsIPv4`	`additional.fields[used_udp_ports_ip_v4]`
`UsedTCPPortsIPv6`	`additional.fields[used_tcp_ports_ip_v6]`
`UsedUDPPortsIPv6`	`additional.fields[used_udp_ports_ip_v6]`
`AvailablePorts`	`additional.fields[available_ports]`
`SystemMaximumFileDescriptors`	`additional.fields[system_maximum_file_descriptors]`
`SystemUsedFileDescriptors`	`additional.fields[system_used_file_descriptors]`
`ProcessMaximumFileDescriptors`	`additional.fields[process_maximum_file_descriptors]`
`ProcessUsedFileDescriptors`	`additional.fields[process_used_file_descriptors]`
`AvailableDiskBytes`	`additional.fields[available_disk_bytes]`
`PrivateSE`	`additional.fields[private_se]`
`ServerPort`	`target.port`	If the `ServerPort` log field value is not empty, then the `ServerPort` log field is mapped to the `target.port` UDM field.
`Connector`	`additional.fields[connector]`
`ZENTotalBytesTxClient`	`intermediary.network.sent_bytes`	If the `ZENTotalBytesTxClient` log field value is not empty, then the `ZENTotalBytesTxClient` log field is mapped to the `intermediary.network.sent_bytes` UDM field.
`ZENTotalBytesRxClient`	`intermediary.network.received_bytes`	If the `ZENTotalBytesRxClient` log field value is not empty, then the `ZENTotalBytesRxClient` log field is mapped to the `intermediary.network.received_bytes` UDM field.
	`security_result.description`	If the `metadata.product_event_type` log field value is equal to `ZPN_STATUS_AUTH_FAILED`, then the `security_result.description` UDM field is set to `User failed to authenticate in ZPA`. Else, if the `metadata.product_event_type` log field value is equal to `BRK_MT_SETUP_FAIL_SAML_EXPIRED`, then the `security_result.description` UDM field is set to `The ZPA service blocked the application request because the timeout policy requires the user to authenticate.`. Else, if the `metadata.product_event_type` log field value is equal to `BRK_MT_SETUP_FAIL_SCIM_INACTIVE`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge has failed to set up the data connection due to the user being deactivated or not synced in SCIM.`. Else, if the `metadata.product_event_type` log field value is equal to `BRK_MT_SETUP_FAIL_TOO_MANY_FAILED_ATTEMPTS`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge has received the exceeded limit of errors to accept any additional connection requests for this domain. New requests are not received until the preset waiting period has elapsed.`. Else, if the `metadata.product_event_type` log field value is equal to `BRK_MT_SETUP_TIMEOUT`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge was waiting for a data connection request from an App Connector that could provide access to the application, but the request timed out while waiting. The request from an App Connector is triggered in response to the initial application request from the Zscaler Client Connector.`. Else, if the `metadata.product_event_type` log field value is equal to `BRK_MT_TERMINATED_APPROVAL_TIMEOUT`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge terminated the session and caused a timeout due to approval time window expiration.`. Else, if the `metadata.product_event_type` log field value is equal to `BRK_MT_TERMINATED_BRK_SWITCHED`, then the `security_result.description` UDM field is set to `The Zscaler Client Connector connection to a ZPA Public Service Edge was terminated due to a ZPA Public Service Edge initiated switch.`. Else, if the `metadata.product_event_type` log field value is equal to `BRK_MT_TERMINATED_IDLE_TIMEOUT`, then the `security_result.description` UDM field is set to `If an idle timeout is configured, ZPA will keep the user's application session alive for the interval specified by the Idle Connection Timeout prior to terminating the session. This is not an error scenario, only a function of the service.`. Else, if the `metadata.product_event_type` log field value is equal to `BRK_MT_TERMINATED`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge closed the application tunnel connection. This is part of the Service Edge's regular process at the end of an application request.`. Else, if the `metadata.product_event_type` log field value is equal to `BROKER_NOT_ENABLED`, then the `security_result.description` UDM field is set to `Remote assistance communication is disabled for the ZPA Public Service Edge.`. Else, if the `metadata.product_event_type` log field value is equal to `C2C_CLIENT_CONN_EXPIRED`, then the `security_result.description` UDM field is set to `The client connection expired during the initiation of a remote assistance session.`. Else, if the `metadata.product_event_type` log field value is equal to `C2C_CLIENT_NOT_FOUND`, then the `security_result.description` UDM field is set to `The client connection is closed during the initiation of a remote assistance session.` Else, if the `metadata.product_event_type` log field value is equal to `C2C_MTUNNEL_BAD_STATE`, then the `security_result.description` UDM field is set to `The remote assistance connection expired due to inconsistencies in the connection.`. Else, if the `metadata.product_event_type` log field value is equal to `C2C_MTUNNEL_FAILED_FORWARD`, then the `security_result.description` UDM field is set to `The remote assistance connection failed to initiate the connection to the destination client and expired.`. Else, if the `metadata.product_event_type` log field value is equal to `C2C_MTUNNEL_NOT_FOUND`, then the `security_result.description` UDM field is set to `The remote assistance connection is not found.`. Else, if the `metadata.product_event_type` log field value is equal to `C2C_NOT_AVAILABLE`, then the `security_result.description` UDM field is set to `The remote assistance connection is not available.`. Else, if the `metadata.product_event_type` log field value is equal to `CLT_CONN_FAILED`, then the `security_result.description` UDM field is set to `The incoming TCP connection failed.`. Else, if the `metadata.product_event_type` log field value is equal to `CLT_DOUBLEENCRYPT_NOT_SUPPORTED`, then the `security_result.description` UDM field is set to `The double encryption of the incoming Microtunnel request is not supported by the Zscaler Client Connector.`. Else, if the `metadata.product_event_type` log field value is equal to `CLT_DUPLICATE_TAG`, then the `security_result.description` UDM field is set to `The tag ID is used in the Zscaler Client Connector.`. Else, if the `metadata.product_event_type` log field value is equal to `CLT_INVALID_CLIENT`, then the `security_result.description` UDM field is set to `The receiving Zscaler Client Connector device doesn't match with the request.`. Else, if the `metadata.product_event_type` log field value is equal to `CLT_INVALID_DOMAIN`, then the `security_result.description` UDM field is set to `The FQDN destination host doesn't match the receiving Zscaler Client Connector detected.`. Else, if the `metadata.product_event_type` log field value is equal to `CLT_INVALID_TAG`, then the `security_result.description` UDM field is set to `The tag ID is not designed for the incoming Microtunnel flow.`. Else, if the `metadata.product_event_type` log field value is equal to `CLT_PORT_UNREACHABLE`, then the `security_result.description` UDM field is set to `The port is not listening.`. Else, if the `metadata.product_event_type` log field value is equal to `CLT_PROBE_FAILED`, then the `security_result.description` UDM field is set to `The port probe failed.`. Else, if the `metadata.product_event_type` log field value is equal to `CLT_PROTOCOL_NOT_SUPPORTED`, then the `security_result.description` UDM field is set to `The IP protocol of the incoming Microtunnel request is not supported by the Zscaler Client Connector.`. Else, if the `metadata.product_event_type` log field value is equal to `CLT_READ_FAILED`, then the `security_result.description` UDM field is set to `The Zscaler Client Connector local socket read failed.`. Else, if the `metadata.product_event_type` log field value is equal to `CLT_WRONG_PORT`, then the `security_result.description` UDM field is set to `The incoming Microtunnel request asks for the listening ports of the Zscaler Client Connector itself.`. Else, if the `metadata.product_event_type` log field value is equal to `CUSTOMER_NOT_ENABLED`, then the `security_result.description` UDM field is set to `Remote assistance communication is disabled for the current customer.`. Else, if the `metadata.product_event_type` log field value is equal to `DSP_MT_SETUP_FAIL_CANNOT_SEND_TO_BROKER`, then the `security_result.description` UDM field is set to `The path selection service is unable to communicate with the ZPA Public Service Edge or ZPA Private Service Edge.`. Else, if the `metadata.product_event_type` log field value is equal to `DSP_MT_SETUP_FAIL_DISCOVERY_TIMEOUT`, then the `security_result.description` UDM field is set to `The health information request timed out when attempting to reach the App Connector.`. Else, if the `metadata.product_event_type` log field value is equal to `DSP_MT_SETUP_FAIL_MISSING_HEALTH`, then the `security_result.description` UDM field is set to `The App Connector was unable to process the continuous health report due to missing health information.`. Else, if the `metadata.product_event_type` log field value is equal to `EXPTR_FCONN_GONE`, then the `security_result.description` UDM field is set to `User access fails due to a network error that caused the Browser Access service to remove the user's application sessions.`. Else, if the `metadata.product_event_type` log field value is equal to `EXPTR_MT_TLS_SETUP_FAIL_CERT_CHAIN_ISSUE`, then the `security_result.description` UDM field is set to `ZPA is not able to validate the chain of trust for the server certificate configured for this application.`. Else, if the `metadata.product_event_type` log field value is equal to `EXPTR_MT_TLS_SETUP_FAIL_NOT_TRUSTED_CA`, then the `security_result.description` UDM field is set to `The application server certificate is not signed by a trusted CA and ZPA is configured to verify that the web server certificate is signed by a trusted CA.`. Else, if the `metadata.product_event_type` log field value is equal to `EXPTR_MT_TLS_SETUP_FAIL_PEER`, then the `security_result.description` UDM field is set to `Browser Access service cannot set up a HTTPS connection towards the web server due to an issue occurring during TLS setup.`. Else, if the `metadata.product_event_type` log field value is equal to `EXPTR_MT_TLS_SETUP_FAIL_VERSION_MISMATCH`, then the `security_result.description` UDM field is set to `A TLS version mismatch between ZPA and the Browser Access-enabled application occurred. This happens when the web server is running TLS 1.0/1.1 or earlier versions.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_AST_DATA_CONN_FLOW_CONTROL`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge data connection was closed by App Connector because the connection was idle or blocked for more than 5 minutes.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_AST_PBRK_CTRL_CONN_CFG_CHG`, then the `security_result.description` UDM field is set to `The ZPA Private Service Edge connection was closed due to a change in the ZPA Private Service Edge configuration.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_AST_PBRK_DATA_DOWN`, then the `security_result.description` UDM field is set to `The ZPA Private Service Edge connection to the App Connector was disconnected.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_AST_PBRK_VERIFY_FAILED`, then the `security_result.description` UDM field is set to `The ZPA Private Service Edge connection was closed because the connection was made with a ZPA Private Service Edge different than the expected ZPA Private Service Edge.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_BRK_DATA_CONN_FLOW_CONTROL`, then the `security_result.description` UDM field is set to `The data connection was closed by the ZPA Public Service Edge or ZPA Private Service Edge because the connection was idle or blocked for more than 5 minutes.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_CALLBACK_ERR`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection callback returned an error.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_CERT_VERIFY`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection was unable to verify the server certificate.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_CONNECT_TIMEOUT`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge timed out while setting up a connection. This is not an error scenario, only a function of the service.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_DATA_CONN_FLOW_CONTROL`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection was closed because flow control was blocked for more than 5 minutes.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_HTTP_RESPONSE`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection was closed because the returned code was not 200. The returned code 200 means that a connection is OK. If the code does not come back with 200, the connection is closed.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_LOG_RECONN`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge reconnection to the log channels timed out because the reconnection timer expired.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_MEMORY`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection closed because of one of the following reasons: a memory error due to the read buffer on the connection not being allocated, or the SSL state from the SSL context is unavailable.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_OPS`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection was closed at the user's request.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_PROXY_DNS`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection closed because the address resolution for this destination is no longer available.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_PROXY_FAIL`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection was closed due to one of the following proxy connection issues received: a failed connection, unable to send a connection request, or an error from the proxy.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_PROXY_IDLE`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection closed because the connection through the proxy timed out.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_PROXY_NOT_200`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection through the proxy was closed because the returned code was not 200. The returned code 200 means that a connection is OK. If the code does not come back with 200, the connection is closed.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_PROXY_PARSE`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection through the proxy was closed because the proxy modified the HTTP fields which caused parsing issues.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_PROXY_TIMEOUT`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection was closed because the connection through the proxy exceeded the proxy timeout value.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_REDIRECT`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection was redirected to another ZPA Public Service Edge or ZPA Private Service Edge.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_REGISTRATION`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge was unable to register status callbacks.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_RX_TIMEOUT`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection timed out while waiting for a connection response from the server.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_SERIALIZE`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection was closed because the serializer was unable to serialize an internal control message.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_SETSOCKOPT`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection was closed because the status of the proxy connection was unavailable.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_SNI_MISSING`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection is closed because the Server Name Indication (SNI) is missing.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_SNI_SLOW`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection closed because the maximum number of Server Name Indication (SNI) callbacks was reached.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_SNI_TIMEOUT`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection is closed because the wait time for Server Name Indication (SNI) callbacks has expired.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_SOCKET_CLOSE`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection was closed because the end of file was received. This is not an error scenario, only a function of the service.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_SOCKET_ERR`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection was closed due to a socket error.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_SSL_CTX_NONE`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection closed because it was unable to identify the SSL context.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_TIMEOUT`, then the `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge keeps the user's application session alive for the time interval specified by the Idle Connection Timeout prior to terminating the session. This is not an error scenario, only a function of the service.`. Else, if the `metadata.product_event_type` log field value is equal to `FOHH_CLOSE_REASON_TLV_CALLBACK`, then the `security_result.description` UDM field is set to `security_result.description` UDM field is set to `The ZPA Public Service Edge or ZPA Private Service Edge connection was`. closed due to a deserialization error.the `security_result.description` UDM field is set to `User failed to authenticate in ZPA`. Else, if the `metadata.product_event_type` log field value is equal to `APP_NOT_AVAILABLE`, then the `security_result.description` UDM field is set to `The Application Segment is not configured for access.`. Else, if the `metadata.product_event_type` log field value is equal to `APP_NOT_REACHABLE`, then the `security_result.description` UDM field is set to `None of the App Connectors configured for the application can reach the server.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_APP_NOT_FOUND`, then the `security_result.description` UDM field is set to `The App Connector cannot set up a connection to the server because it cannot find the application in the configuration database.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_AST_CFG_DISABLE`, then the `security_result.description` UDM field is set to `The Microtunnel setup has failed because the App Connector has been disabled in the ZPA Admin Portal.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_AST_IN_PAUSE_STATE_FOR_UPGRADE`, then the `security_result.description` UDM field is set to `The App Connector is in a paused state for upgrade. The App Connector will return to a normal state after the upgrade completes.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_BIND_ACK`, then the `security_result.description` UDM field is set to `The connection confirmation from the ZPA Public Service Edge or ZPA Private Service Edge has an error.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_BIND_GLOBAL_OWNER`, then the `security_result.description` UDM field is set to `The App Connector processing the data connection request encountered an error.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_BIND_TO_AST_LOCAL_OWNER`, then the `security_result.description` UDM field is set to `The App Connector processing the data connection request has encountered an error.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_BRK_HASH_TBL_FULL`, then the `security_result.description` UDM field is set to `The App Connector cannot set up a connection to the ZPA Public Service Edge or ZPA Private Service Edge because the connection database is full.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_BROKER_BIND_FAIL`, then the `security_result.description` UDM field is set to `The App Connector encountered an error when setting up a data connection to the ZPA Public Service Edge or ZPA Private Service Edge.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_CONN_PEER`, then the `security_result.description` UDM field is set to `The App Connector encountered an error when connecting the ZPA Public Service Edge or ZPA Private Service Edge and server connections.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_CPU_LIMIT_REACHED`, then the `security_result.description` UDM field is set to `The App Connector CPU limit is exceeded for a Privileged Remote Access (PRA) connection. No more PRA connections are allowed.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_DUP_MT_ID`, then the `security_result.description` UDM field is set to `The App Connector cannot set up a data connection because another data connection with the same tag ID already exists.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_HASH_TBL_FULL`, then the `security_result.description` UDM field is set to `The App Connector cannot set up a connection to the server because the connection database is full.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_INIT_FOHH_MCONN`, then the `security_result.description` UDM field is set to `The App Connector encountered an error when setting up a connection to the ZPA Public Service Edge or ZPA Private Service Edge.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_MAX_SESSIONS_REACHED`, then the `security_result.description` UDM field is set to `The maximum session limit is reached for Privileged Remote Access (PRA) connections on the App Connector.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_MEM_LIMIT_REACHED`, then the `security_result.description` UDM field is set to `The App Connector memory limit is exceeded for a Privileged Remote Access (PRA) connection. No more PRA connections are allowed.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_NO_DNS_TO_SERVER`, then the `security_result.description` UDM field is set to `The end host (not a proxy or a configured server group) is not resolvable. The code only comes up in a specific use case when there is all of the following:`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_NO_EPHEMERAL_PORT`, then the `security_result.description` UDM field is set to `The transaction failed as the operating system has run out of source ports`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_NO_PROCESS_FD`, then the `security_result.description` UDM field is set to `The transaction failed as the App Connector processing could not secure additional file descriptors from the operating system`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_NO_SYSTEM_FD`, then the `security_result.description` UDM field is set to `The transaction failed as the operating system has run out of file descriptors.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_OPEN_BROKER_CONN`, then the `security_result.description` UDM field is set to `The App Connector encountered an error when opening a connection to the ZPA Public Service Edge or ZPA Private Service Edge.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_OPEN_SERVER_CLOSE`, then the `security_result.description` UDM field is set to `During data connection setup, the connection from the server to the App Connector was closed.`. Else, if the `metadata.product_event_type` log field value is equal to `AST_MT_SETUP_ERR_OPEN_SERVER_CONN<`
	`security_result.summary`	If the `metadata.product_event_type` log field value is equal to `ZPN_STATUS_AUTHENTICATED`, then the `security_result.summary` UDM field is set to `User connected to a ZPA Service Edge`. Else, if the `metadata.product_event_type` log field value is equal to `ZPN_STATUS_DISCONNECTED`, then the `security_result.summary` UDM field is set to `User disconnected from a ZPA Service Edge`. Else, if the `metadata.product_event_type` log field value is equal to `BRK_MT_SETUP_FAIL_REJECTED_BY_POLICY`, then the `security_result.summary` UDM field is set to `The user isn't allowed to access the requested application.` Else, if the `metadata.product_event_type` log field value is equal to `BRK_MT_TERMINATED`, then the `security_result.summary` UDM field is set to `Client closed app TLS connection`. Else, if the `metadata.product_event_type` log field value is equal to `INVALID_DOMAIN`, then the `security_result.summary` UDM field is set to `DNS resolution or healthcheck failed.` Else, if the `metadata.product_event_type` log field value is equal to `MT_CLOSED_TLS_CONN_GONE_CLIENT_CLOSED`, then the `security_result.summary` UDM field is set to `Client closed app TLS connection`. Else, if the `metadata.product_event_type` log field value is equal to `ZPN_STATUS_AUTHENTICATED`, then the `security_result.summary` UDM field is set to `User connected to a ZPA Service Edge`. Else, if the `metadata.product_event_type` log field value is equal to `ZPN_STATUS_DISCONNECTED`, then the `security_result.summary` UDM field is set to `User connected to a ZPA Service Edge`.
	`security_result.action`	If the `metadata.product_event_type` log field value contain one of the following values, then the `security_result.action` UDM field is set to `BLOCK`. `BRK_MT_SETUP_FAIL_NO_POLICY_FOUND` `BRK_MT_SETUP_FAIL_REJECTED_BY_POLICY` `BRK_MT_SETUP_FAIL_SAML_EXPIRED`
	`security_result.category`	If the `metadata.product_event_type` log field value is equal to `BRK_MT_SETUP_FAIL_REJECTED_BY_POLICY`, then the `security_result.category` UDM field is set to `ACL_VIOLATION`.
	`extensions.auth.type`	If the `metadata.product_event_type` log field value contain one of the following values, then the `extensions.auth.type` UDM field is set to `VPN`. `ZPN_STATUS_AUTHENTICATED` `ZPN_STATUS_DISCONNECTED`

도움이 더 필요하신가요? 커뮤니티 회원 및 Google SecOps 전문가로부터 답변을 받으세요.