Proxy Log Formats

Proxy logs show traffic that has passed through the Umbrella proxy.

Table of Contents


"2017-10-02 23:52:53","TheComputerName","","", "","","ALLOWED","","","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36","200","562","1489","","","Search Engines","","","","","","Roaming Computer","","TheComputerName, ADSite,Network","Roaming Computer, Site, Network","GET","","","the.js","","","","isolated","downloaded_original_file","warn-session","",""

The example entry is 490 bytes. To estimate the size of your S3 Logs, see Estimate the Size of Your Logs.

Note: Umbrella only shows proxied URLs in the proxy folder of your S3 bucket. Umbrella logs all other traffic, including any DNS requests, to the dnslogs folder with the action Proxied.

Order of Fields in Proxy Log

<timestamp><policy identity label><internal client ip><external client ip><destination ip><content type><action><url><referer><user agent><status code><request size><response size><response body size><sha—sha256><categories><av detections><PUAs><AMP disposition><AMP malware name><AMP score><policy identity type><blocked categories><identities><identity types><request method><DLP status><certificate errors><file name><ruleset ID><rule ID><destination list IDs><isolate action><file action><warn status><forwarding method><Producer>

Note: Not all fields listed are found in most or all requests. When a field does not have a value, Umbrella sets the field to the empty string ("").

  • Timestamp—The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
  • Policy Identity Label—The identity that made the request.
  • Internal Client IP—The internal IP address of the computer making the request.
  • External Client IP—The egress IP address of the network where the request originated.
  • Destination IP—The destination IP address of the request.
  • Content Type—The type of web content, typically text/html.
  • Action—Whether the request was allowed or blocked.
  • URL—The URL requested.
  • Referer—The referring domain or URL.
  • User Agent—The browser agent that made the request.
  • Status Code—The HTTP status code; should always be 200 or 201.
  • Request Size (bytes)—Request size in bytes.
  • Response Size (bytes)—Response size in bytes.
  • Response Body Size (bytes)—Response body size in bytes.
  • SHA—SHA256—The hex digest of the response content.
  • Categories—The security categories for this request, such as Malware.
  • AV Detections—The detection name according to the antivirus engine used in file inspection.
  • PUAs—A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
  • AMP Disposition—The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.
  • AMP Malware Name—If Malicious, the name of the malware according to AMP.
  • AMP Score—The score of the malware from AMP. This field returns blank unless the verdict is Unknown, in which the value will be 0.
  • Policy Identity Type—The first identity type that made the request. For example, Roaming Computer, Network, and so on.
  • Blocked Categories—The category that resulted in the destination being blocked. Available in version 4 and above.
  • Identities—All identities associated with this request.
  • Identity Types—The type of identities that were associated with the request. For example, Roaming Computer, Network, and so on. Available in version 5 and above.
  • Request Method—The request method (GET, POST, HEAD, etc.)
  • DLP Status—If the request was Blocked for DLP.
  • Certificate Errors—Any certificate or protocol errors in the request.
  • File Name—The name of the file.
  • Ruleset ID—The ID number assigned to the ruleset by Umbrella.
  • Rule ID—The ID number assigned to the rule by Umbrella.
  • Destination List IDs—The ID number umbrella assigns to a destination list.
  • Isolate Action—The remote browser isolation state associated with the request.
  • File Action—The action taken on a file in a remote browser isolation session.
  • Warn Status—The warn page state associated with the request.
  • Forwarding Method—The method used to forward the records, for example: Secure Web Appliance (SWA). (v9)
  • Producer—The producer that generated this log entry. (v9)

DNS Log Formats < Proxy Log Formats > Manage Authentication