Viewing Web and Mobile Logs

The Zscaler service provides real-time log consolidation across the globe, so you can view every transaction performed by your users regardless of where they are in the world. You can see which URLs were requested, page risk for each, and number of bytes sent and received, among other things.

NOTE: Interactive reports support UTF-8 characters, enabling the display of special characters.

To view web or mobile logs, do the following from a dashboard or report.

  • To immediately view logs for a certain item or segment in a dashboard or report:
    1. Click that item or segment in a chart.
    2. Select View Logs.
  • To narrow down the scope of data and drill down to the logs:
    1. Click an item in a chart.
    2. Select Analyze Chart.
      The chart appears in an Insights window where you can apply filters and other settings to get to specific transactions.  
    3. Click Logs from the left pane of the Web Insights or Mobile Insights window.

The Web Insights or Mobile Insights window displays the settings on the left pane and logs on the right pane. It lists up to 100 transactions at a time. Scroll down and click LOAD MORE at the bottom of the window to view the next group of up to 100 transactions.

To learn more about the web and mobile logs, see the topics below.

Filtering and Finding Transactions

You can narrow down the list of transactions by doing the following on the left pane:

  • Choose a predefined time frame or select Custom to use the calendar and time menus to define your own time frame. You can set the time by hour, minute, and second if you need a more granular time frame.
  • Apply filters to narrow down the list or to find transactions, such as those associated with a specific user or URL.

After you change the time frame or filters, you must always click Apply Filters to display the filtered list of transactions. You can also click Export to CSV to export the filtered list to a CSV file. The service exports only the columns that are visible. It exports up to 100,000 lines of data at a time. You can continue to use the service while the export is in progress.

Exporting to CSV

Click Export to CSV to export the data to a CSV file immediately. The service exports only the columns that are visible. It exports up to 100,000 lines of data at a time. You can continue to use the service while the export is in progress.

Customizing the Transaction View

You can customize the logs as follows:

  • Click the icon on the top right of the logs to list the available fields for display. Tick a box to add a column or clear it to remove a column. Alternatively, click Select all or Deselect all to display or remove all columns.
  • Drag a column to another location.
  • Resize a column by positioning the cursor on its border and dragging it to the desired width.

The settings are stored as a web cookie on your computer. They are retained as long as the cookie is not deleted.

Log Details

The table lists the fields that you can view in the logs.

 


| Column | Description |
|---|---|
| Action | Firewall filtering action that was performed on the session or aggregated sessions. |
| Aggregated Session | Indicates if sessions were aggregated into this log entry. |
| Client Destination IP | Client destination IP address. For aggregated sessions, this is the client destination IP address of the last session in the aggregate. |
| Client Destination Port | Client-side destination IP address. For aggregated sessions, this is the client destination port of the last session in the aggregate. |
| Client Source IP | Client source IP address. For aggregated sessions, this is the client source IP address of the last session in the aggregate. |
| Client Source Port | Client-side source port. For aggregated sessions, this is the client source port of the last session in the aggregate. |
| Client Tunnel IP | Tunnel IP address of the client (source). For aggregated sessions, this is the client's tunnel IP address corresponding to the last session in the aggregate. |
| Client Tunnel Port | Tunnel port on the client side. For aggregated sessions, this is the client's tunnel port corresponding to the last session in the aggregate. |
| Department | Department of the user. |
| Inbound Bytes | Number of bytes sent from the server to the client. For aggregated sessions, this is the total bytes sent from the server across all sessions in the aggregate. |
| Location | Name of the location from which the session was initiated. |
| NAT Action | NAT action that was performed on this session. |
| Network Application | Network application associated with the session or aggregated sessions. |
| Network Protocol | IP network protocol. |
| Network Service | Network service associated with the session or aggregated sessions. |
| Outbound Bytes | Number of bytes received by the server. For aggregated sessions, this is the total bytes received by the server across all sessions in the aggregate. |
| Recorded Session Time | Number of sessions aggregated into this log entry. |
| Rule Name | Name of the rule that triggered on the session or aggregated sessions. |
| Server Country Code | Country code corresponding to the server IP. |
| Server Destination IP | Server destination IP address. For aggregated sessions, this is the server destination IP address of the last session in the aggregate. |
| Server Destination Port | Server-side destination port. For aggregated sessions, this is the server destination port of the last session in the aggregate. |
| Server IP Category | URL category that corresponds to the server IP. |
| Server Source IP | Server source IP address. For aggregated sessions, this is the server source IP address of the last session in the aggregate. |
| Server Source Port | Server-side source port. For aggregated sessions, this is the server source port of the last session in the aggregate. |
| Session Duration | Duration of the session in milliseconds. For aggregated sessions, this indicates the sum of individual session durations. |
| Traffic Forwarding | Type of traffic forwarding mechanism for this session. For aggregated sessions, this is the traffic forwarding type of the last session in the aggregate. |
| User | User name. If this is blank, then location based authentication is set. |
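The following is an added example, not Zscaler code, showing one way to triage an exported CSV offline: it totals Outbound Bytes per user, falls back to Location when User is blank (location-based authentication), rejects exports where a needed column was hidden, and flags exports that may have hit the 100,000-line limit. It assumes the CSV header names match the column names in the table above; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

EXPORT_LINE_CAP = 100_000  # export limit stated on this page
# Assumption: CSV headers are identical to the column names in the table.
REQUIRED = ("User", "Location", "Outbound Bytes")

# Constructed sample export; users, locations and byte counts are illustrative.
SAMPLE_CSV = """User,Location,Action,Outbound Bytes,Inbound Bytes
alice@example.com,HQ,Allow,1200,56000
,Branch-7,Allow,980000,4100
alice@example.com,HQ,Allow,300,900
,Branch-7,Block,0,0
bob@example.com,Road Warrior,Allow,2500,100
"""


def summarize_export(text, line_cap=EXPORT_LINE_CAP):
    """Total bytes sent to servers per user, or per location if User is blank."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        # Only visible columns are exported, so a hidden column is absent.
        raise ValueError(f"columns missing from export (hidden in view?): {missing}")

    totals = defaultdict(int)
    rows = 0
    for row in reader:
        rows += 1
        user = (row["User"] or "").strip()
        # Blank User means location-based authentication: key on Location.
        key = ("user", user) if user else ("location", row["Location"].strip())
        # For aggregated sessions this value is already a sum across sessions.
        totals[key] += int((row["Outbound Bytes"] or "0").strip() or 0)

    return {
        "rows": rows,
        # Counting the header line too, so a full export is always flagged.
        "possibly_truncated": rows + 1 >= line_cap,
        "top_senders": sorted(totals.items(), key=lambda kv: -kv[1]),
    }


if __name__ == "__main__":
    report = summarize_export(SAMPLE_CSV)
    for (kind, name), sent in report["top_senders"]:
        print(f"{kind:8} {name:20} {sent:>10} bytes outbound")
    print("possibly truncated:", report["possibly_truncated"])
```

If `possibly_truncated` is true, narrow the time frame or filters and export again so that no transactions are silently left out of the analysis.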