Manage Your Logs

The logging of your identities' activities is set per-policy when you first create a policy. By default, logging is enabled and set to log all requests an identity makes to reach destinations. After you create a policy, you can change what level of identity activity Umbrella logs at any time.

From the Policy wizard, log settings are:

  • Log All Requests—For full logging, whether for content, security or otherwise.
  • Log Only Security Events—For security logging only, which gives your users more privacy—a good setting for people with the roaming client installed on personal devices.
  • Don't Log Any Requests—Disables all logging. If you select this option, most reporting for identities with this policy will not be helpful as nothing is logged to report on.

Umbrella logs are CSV formatted, compressed (gzip), and saved every ten minutes. For more information, see Log Format and Versioning.

Storing the Logs

The logs are stored in an Amazon S3 bucket provided and managed by your organization.

Note: The provided S3 bucket must be within the AWS GovCloud regions.

To specify the Amazon S3 bucket in which the logs are to be stored:

  1. Go to Admin > Log Management.
  2. Enter the name of the S3 bucket and click Verify.
  3. Go to the S3 bucket and open the README_FROM_UMBRELLA.txt file.
  4. Copy the Token from README_FROM_UMBRELLA.txt.
  5. Paste the Token in the box and click Save.
  6. Umbrella starts storing the logs in the specified S3 bucket.

Once your logs are uploaded to an S3 bucket, you can download them automatically and keep them in perpetuity in backup storage. Saving to an S3 bucket also lets you ingest the logs through your SIEM or another security tool, which helps you determine whether any security events in your Umbrella logs coincide with events in other security tools.
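
The SIEM ingestion step described above, as an added example that is not part of the original guide or Cisco's code: it decodes one gzip-compressed CSV object already downloaded from the bucket and emits JSON Lines. The column names and sample rows are constructed assumptions; take the real columns from Log Format and Versioning.

```python
import csv
import gzip
import io
import json
import zlib

# Hypothetical column layout for illustration only. The real columns are
# defined in "Log Format and Versioning" and can differ between log versions.
COLUMNS = ["timestamp", "identity", "destination", "action"]


def parse_batch(gz_bytes, columns=COLUMNS):
    """Decode one downloaded .csv.gz object into (events, rejects).

    Rows whose field count differs from `columns` go to rejects instead of
    being mapped onto the wrong field names, which is what happens silently
    when the log version changes under a fixed parser.
    """
    try:
        text = gzip.decompress(gz_bytes).decode("utf-8")
    except (OSError, EOFError, zlib.error, UnicodeDecodeError) as exc:
        # Truncated or corrupt object: fail the whole batch so it is re-fetched.
        raise ValueError(f"unreadable log batch: {exc}") from exc

    events, rejects = [], []
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # skip blank lines
        if len(row) != len(columns):
            rejects.append((line_no, row))
            continue
        events.append(dict(zip(columns, row)))
    return events, rejects


def to_jsonl(events):
    """Serialize events as JSON Lines for a SIEM forwarder."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


# Constructed sample batch (not real Umbrella output).
SAMPLE_CSV = (
    '"2024-01-01 00:00:05","laptop-01","example.com","Allowed"\n'
    '"2024-01-01 00:00:09","laptop-02","bad.example","Blocked"\n'
    '"2024-01-01 00:00:11","laptop-03","example.org","Allowed","extra-field"\n'
)
SAMPLE_GZ = gzip.compress(SAMPLE_CSV.encode("utf-8"))

if __name__ == "__main__":
    events, rejects = parse_batch(SAMPLE_GZ)
    print(to_jsonl(events))
    print(f"{len(rejects)} row(s) rejected for field-count mismatch")
```

Alert on a non-empty rejects list: it usually means the parser's column list no longer matches the log version being written to the bucket.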

