logs shipping from ZTNA not working

Article ID: 413007

Updated On:

Products

Symantec ZTNA

Issue/Introduction

The ZTNA admin enabled segment, Web, SSH and RDP applications within the ZTNA service for corporate users.

ZTNA access and audit logs are viewed successfully through the ZTNA Portal.

The ZTNA admin is required to set up 'Log Shipping' for both the standard and audit ZTNA logs. Based on our current infrastructure, the logs would be shipped to our AWS environment, and an internal SIEM would then use that as a source.

Clicking on 'Integration' -> 'logs shipping' -> 'follow these steps' takes the user to a broken link in the documentation, and the ZTNA logging section does not seem to reference any help.

Environment

ZTNA log export.

AWS S3 Cloud bucket.

SIEM.

Cause

ZTNA logging was updated in June 2025 to integrate with Cloud SWG, where the Cloud bucket integration is performed.

Resolution

Make sure that the Cloud SWG event streaming is enabled and that ZTNA or ZTNA auditing data sources are used (ZTNA access logs and audit logs respectively).

When done, the logs will be streamed to the Cloud bucket, where they can then be ingested into the local SIEM if needed.

Additional Information

The audit logs' CHANGES metadata is included with every event so that the most granular level of information is available.