The Umbrella Deployment Documentation Developer Hub

Welcome to the Umbrella Deployment Documentation developer hub. You'll find comprehensive guides and documentation to help you start working with Umbrella Deployment Documentation as quickly as possible, as well as support if you get stuck. Let's jump right in!

Get Started    

Manage Your Logs

The logging of your identities' activities is set per-policy when you first create a policy. By default, logging is on and set to log all requests an identity makes to reach destinations. At any time after you create a policy, you can change what level of identity activity Umbrella logs.

From the Policy wizard, log settings are:

  • Log All Requests—For full logging, whether for content, security or otherwise
  • Log Only Security Events—For security logging only, which gives your users more privacy—a good setting for people with the roaming client installed on personal devices
  • Don't Log Any Requests—Disables all logging. If you select this option, most reporting for identities with this policy will not be helpful as nothing is logged to report on.

Umbrella logs are CSV formatted, compressed (gzip), and saved every ten minutes. For more information, see Log Export Format and Versioning.

Where are Logs Stored?

When you create a policy, activity logs are by default saved to the North America – California, US location of Umbrella's data warehouse. You can change the location of the data warehouse to Europe at any time.

You can also optionally configure logging so that logs are also stored to an Amazon S3 bucket—either your own or one managed by Cisco.

Logging to Umbrella's Data Warehouse

Cisco Umbrella's data warehouse is the virtual location where your instance of Umbrella stores its event data logs. By default, Umbrella saves your event data logs to Cisco's California location; however, you can change the location of the data warehouse from North America to Europe at any time. For more information, see Change the Location of Your Activity Logs.

Logging to Amazon S3

As well as storing logs to one of its data warehouses, Umbrella has the ability to store logs to an Amazon S3 bucket.

By having your logs uploaded to an S3 bucket, you can then automatically download logs so that you can keep them in perpetuity in backup storage outside of Umbrella's data warehouse storage system. Saving to an S3 bucket also gives gives you the ability to ingest logs through your SIEM or other security tool to determine. This can help you determine if any security events in your Umbrella logs coincide with events in other security tools.

Umbrella Amazon S3 options:

Advantages and disadvantages to configuring a Cisco-managed bucket

  • Easy to setup and manage.
  • Included in your license cost with Umbrella, effectively making it free. Although having your own bucket is very inexpensive, the overhead of having to manage another bill to pay can be prohibitive.
  • You cannot add anything to your bucket besides log files from Umbrella and the bucket cannot be used by another application.
  • Some SIEM integration types (such as QRadar) may require advanced privileges for the user accessing the S3 bucket (beyond the basic Read permissions) and as such, may not work with this feature.
  • You cannot get support from Amazon directly for advanced configuration assistance, such as automation or help with command line.
  • Data can only be stored offline for a maximum of 30 days.

Note: Existing Umbrella Insights and Umbrella Platform customers can access Log Management with Amazon S3 through the dashboard. Log Management is not available in all packages. If you are interested in this feature, please contact your account manager or email our account management team at umbrella-renewals@cisco.com.


Customize Block Pages < Log Management > Enable Logging to Your Own S3 Bucket