The logging of your identities' activities is set per-policy when you first create a policy. By default, logging is on and set to log all requests an identity makes to reach destinations. At any time after you create a policy, you can change what level of identity activity Umbrella logs.
From the Policy wizard, log settings are:
- Log All Requests—For full logging, whether for content, security or otherwise.
- Log Only Security Events—For security logging only, which gives your users more privacy—a good setting for people with the roaming client installed on personal devices.
- Don't Log Any Requests—Disables all logging. If you select this option, most reporting for identities with this policy will not be helpful as nothing is logged to report on.
Umbrella logs are CSV formatted, compressed (gzip), and saved every ten minutes. For more information, see Log Formats and Versioning.
- Where are Logs Stored?
When you create a policy, activity logs are by default saved to the North America – California, US location of Umbrella's data warehouse. You can change the location of the data warehouse to Europe at any time.
You can also optionally configure logging so that logs are also stored to an Amazon S3 bucket—either your own or one managed by Cisco.
Cisco Umbrella's data warehouse is the virtual location where your instance of Umbrella stores its event data logs. By default, Umbrella saves your event data logs to Cisco's California location; however, you can change the location of the data warehouse from North America to Europe at any time. For more information, see Change the Location of Event Data Logs.
As well as storing logs to one of its data warehouses, Umbrella has the ability to store logs to an Amazon S3 bucket.
By having your logs uploaded to an S3 bucket, you can then automatically download logs so that you can keep them perpetually in backup storage outside of Umbrella's data warehouse storage system. Saving to an S3 bucket also gives you the ability to ingest logs through your SIEM or other security tool. This can help you determine if any security events in your Umbrella logs coincide with events in other security tools.
Umbrella Amazon S3 options:
- A self-managed bucket—You own the Amazon S3 bucket, including its configuration and management.
- A Cisco-managed bucket—Cisco Umbrella owns the bucket, and sets the configuration and management of it.
For more information, see Enable Logging to a Cisco-managed S3 Bucket.
- Easy to set up and manage.
- Included in your license cost with Umbrella, effectively making it free. Although having your own bucket is very inexpensive, the overhead of having to manage another bill to pay can be prohibitive.
- You cannot add anything to your bucket besides log files from Umbrella and the bucket cannot be used by another application.
- Some SIEM integration types (such as QRadar) may require advanced privileges for the user accessing the S3 bucket (beyond the basic Read permissions) and as such, may not work with this feature.
- You cannot get support from Amazon directly for advanced configuration assistance, such as automation or help with command line.
- Data can only be stored offline for a maximum of 30 days.
Note: Existing Umbrella Insights and Umbrella Platform customers can access Log Management with Amazon S3 through the dashboard. Log Management is not available in all packages.
Updated 3 months ago