
DNS Log Formats

DNS logs show traffic that has reached our DNS resolvers.


Examples

Example of DNS Log for Allowed Action:

"2015-01-16 17:48:41","ActiveDirectoryUserName", "ActiveDirectoryUserName,ADSite,Network", "10.10.1.100","24.123.132.133","Allowed","1 (A)", "NOERROR","domain-visited.com.", "Photo Sharing","AD User","AD User,Site,Network",""

The example entry is 224 bytes. To estimate the size of your S3 Logs, see Estimate the Size of Your Logs.

Example of DNS Log for Blocked Action with Blocked Categories:

"2015-01-16 17:48:41","ActiveDirectoryUserName", "ActiveDirectoryUserName,ADSite,Network", "10.10.1.100","24.123.132.133","Blocked","1 (A)", "NOERROR","domain-visited.com.", "Chat,Photo Sharing,Social Networking","AD User","AD User,Site,Network","Chat,Social Networking"

Order of Fields in the DNS Log

<timestamp><most granular identity><identities><internal ip><external ip><action><query type><response code><domain><categories><most granular identity type><identity types><blocked categories>

  • Timestamp—When this request was made, in UTC. This differs from the Umbrella dashboard, which converts the time to your specified time zone.
  • Most Granular Identity—The first identity matched with this request in order of granularity.
  • Identities—All identities associated with this request.
  • Internal IP—The internal IP address that made the request.
  • External IP—The external IP address that made the request.
  • Action—Whether the request was allowed or blocked.
  • Query Type—The type of DNS request that was made. For more information, see Common DNS Request Types.
  • Response Code—The DNS return code for this request. For more information, see Common DNS return codes for any DNS service (and Umbrella).
  • Domain—The domain that was requested.
  • Categories—The security or content categories that the destination matches. For category definitions, see Understanding Security Categories and Understanding Content Categories.
  • Most Granular Identity Type—The first identity type matched with this request in order of granularity. Available in version 3 and above.
  • Identity Types—The type of identity that made the request. For example, Roaming Computer, Network, and so on. Available in version 3 and above.
  • Blocked Categories—The categories that resulted in the destination being blocked. Available in version 4 and above.
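The field order above can be parsed as in the following added example, which is not part of the original documentation. The function names, the dictionary keys, and the third sample line (a constructed entry with only the first ten fields, as a log version below 3 would have according to the list above) are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Field order as listed on this page; the last three exist only in later versions.
FIELDS = ["timestamp", "most_granular_identity", "identities", "internal_ip",
          "external_ip", "action", "query_type", "response_code", "domain",
          "categories", "most_granular_identity_type", "identity_types",
          "blocked_categories"]
# Fields carrying a comma-separated list inside one quoted CSV field.
LIST_FIELDS = {"identities", "categories", "identity_types", "blocked_categories"}
MIN_FIELDS = 10

# The page's two sample lines, then one constructed line with only ten fields.
SAMPLE = '''"2015-01-16 17:48:41","ActiveDirectoryUserName", "ActiveDirectoryUserName,ADSite,Network", "10.10.1.100","24.123.132.133","Allowed","1 (A)", "NOERROR","domain-visited.com.", "Photo Sharing","AD User","AD User,Site,Network",""
"2015-01-16 17:48:41","ActiveDirectoryUserName", "ActiveDirectoryUserName,ADSite,Network", "10.10.1.100","24.123.132.133","Blocked","1 (A)", "NOERROR","domain-visited.com.", "Chat,Photo Sharing,Social Networking","AD User","AD User,Site,Network","Chat,Social Networking"
"2015-01-16 17:49:02","Network A","Network A","10.10.1.101","24.123.132.133","Blocked","1 (A)","NOERROR","constructed-example.test.","Malware"
'''


def parse_dns_log(text):
    """Yield one dict per line; fields missing from older versions stay None."""
    # skipinitialspace: the page's samples have a space after some commas.
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row:
            continue
        if len(row) < MIN_FIELDS:
            raise ValueError(f"expected >= {MIN_FIELDS} fields, got {len(row)}")
        rec = dict.fromkeys(FIELDS)
        for name, value in zip(FIELDS, row):
            rec[name] = [v for v in value.split(",") if v] if name in LIST_FIELDS else value
        # Log timestamps are UTC, so attach the zone instead of leaving it naive.
        rec["timestamp"] = datetime.strptime(
            rec["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        rec["domain"] = rec["domain"].rstrip(".").lower()  # drop the root dot
        yield rec


def blocked_summary(records):
    """(domain, most granular identity, blocked categories) per blocked request."""
    return [(r["domain"], r["most_granular_identity"], r["blocked_categories"] or [])
            for r in records if r["action"] == "Blocked"]


if __name__ == "__main__":
    for item in blocked_summary(parse_dns_log(SAMPLE)):
        print(item)
```

Reading the lines with a CSV parser instead of splitting on commas matters because the identities and category fields contain commas inside their quotes.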
