Proxy Log Formats
Proxy logs show traffic that has passed through the Umbrella proxy.
Table of Contents
Examples
"2017-10-02 23:52:53","TheComputerName","192.192.192.135","1.1.1.91", "3.4.5.6","","ALLOWED","http://google.com/the.js","www.google.com","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36","200","562","1489","","","Search Engines","","","","","","Roaming Computer","","TheComputerName, ADSite,Network","Roaming Computer, Site, Network","GET","","","the.js","","","","isolated","downloaded_original_file","warn-session","",""
The example entry is 490 bytes. To estimate the size of your S3 Logs, see Estimate the Size of Your Logs.
Note: Umbrella only shows proxied URLs in the proxy folder of your S3 bucket. Umbrella logs all other traffic, including any DNS requests, to the dnslogs folder with the action Proxied
.
Order of Fields in Proxy Log
<timestamp><policy identity label><internal client ip><external client ip><destination ip><content type><action><url><referer><user agent><status code><request size><response size><response body size><sha—sha256><categories><av detections><PUAs><AMP disposition><AMP malware name><AMP score><policy identity type><blocked categories><identities><identity types><request method><DLP status><certificate errors><file name><ruleset ID><rule ID><destination list IDs><isolate action><file action><warn status><forwarding method><Producer>
Note: Not all fields listed are found in most or all requests. When a field does not have a value, Umbrella sets the field to the empty string (""
).
- Timestamp—The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
- Policy Identity Label—The identity that made the request.
- Internal Client IP—The internal IP address of the computer making the request.
- External Client IP—The egress IP address of the network where the request originated.
- Destination IP—The destination IP address of the request.
- Content Type—The type of web content, typically text/html.
- Action—Whether the request was allowed or blocked.
- URL—The URL requested.
- Referer—The referring domain or URL.
- User Agent—The browser agent that made the request.
- Status Code—The HTTP status code; should always be 200 or 201.
- Request Size (bytes)—Request size in bytes.
- Response Size (bytes)—Response size in bytes.
- Response Body Size (bytes)—Response body size in bytes.
- SHA—SHA256—The hex digest of the response content.
- Categories—The security categories for this request, such as Malware.
- AV Detections—The detection name according to the antivirus engine used in file inspection.
- PUAs—A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
- AMP Disposition—The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.
- AMP Malware Name—If Malicious, the name of the malware according to AMP.
- AMP Score—The score of the malware from AMP. This field returns blank unless the verdict is Unknown, in which the value will be 0.
- Policy Identity Type—The first identity type that made the request. For example, Roaming Computer, Network, and so on.
- Blocked Categories—The category that resulted in the destination being blocked. Available in version 4 and above.
- Identities—All identities associated with this request.
- Identity Types—The type of identities that were associated with the request. For example, Roaming Computer, Network, and so on. Available in version 5 and above.
- Request Method—The request method (GET, POST, HEAD, etc.)
- DLP Status—If the request was Blocked for DLP.
- Certificate Errors—Any certificate or protocol errors in the request.
- File Name—The name of the file.
- Ruleset ID—The ID number assigned to the ruleset by Umbrella.
- Rule ID—The ID number assigned to the rule by Umbrella.
- Destination List IDs—The ID number umbrella assigns to a destination list.
- Isolate Action—The remote browser isolation state associated with the request.
- File Action—The action taken on a file in a remote browser isolation session.
- Warn Status—The warn page state associated with the request.
- Forwarding Method—The method used to forward the records, for example: Secure Web Appliance (
SWA
). (v9) - Producer—The producer that generated this log entry. (v9)
DNS Log Formats < Proxy Log Formats > Manage Authentication
Updated 10 months ago