Web Log Formats

Web logs show traffic that has passed through the Umbrella secure web gateway (SWG) or the Selective Proxy.

Examples

timestamp,policy identity label,internal client ip,external client ip,destination ip,content type,action,url,referer,user agent,status code,request size,response size,response body size,sha-sha256,categories,av detections,puas,amp disposition,AMP malware name,amp score,policy identity type,blocked categories,identities,identity types,request method,dlp status,certificate errors,file name,ruleset id,rule ID,destination list ids,isolate action,file action,warn status,forwarding method,producer,msp organization id,geo location of blocked destination countries,application ids,hostname,data center,egress,server name,time based rule,security overridden,detected response file type,warn categories,organization id,Application Entity Name,Application Entity Category
"2025-01-06 13:39:24","SIG2-Denver","10.X.X.X","10.X.X.X","10.X.X.X","","ALLOWED","https://example.com","","","200","1557","6441","","","Software/Technology,Allow List,Computers and Internet","","","","","","Network Tunnels","","SIG2-EX,RTO-XXXX-SIG","Network Tunnels,Internal Networks","CONNECT","","","","13368132","610352","9999583","not_isolated","","","","","","","","swg-nginx-proxy-https-4335ec07f282.signginx.den1","DEN1","true","winatp-gw-eus.microsoft.com","false","false","","","2204063","",""

The example entry is 674 bytes. To estimate the size of your S3 Logs, see Estimate the Size of Your Logs.

Order of Fields in the Web Log

timestamp,policy identity label,internal client ip,external client ip,destination ip,content type,action,url,referer,user agent,status code,request size,response size,response body size,sha-sha256,categories,av detections,puas,amp disposition,AMP malware name,amp score,policy identity type,blocked categories,identities,identity types,request method,dlp status,certificate errors,file name,ruleset id,rule ID,destination list ids,isolate action,file action,warn status,forwarding method,producer,msp organization id,geo location of blocked destination countries,application ids,hostname,data center,egress,server name,time based rule,security overridden,detected response file type,warn categories,organization id,Application Entity Name,Application Entity Category

Note: Not all fields listed are found in most or all requests. When a field does not have a value, Umbrella sets the field to the empty string ("") in the log.

Optional V11 Log Header Format

The header row of the optional log header contains the following CSV fields, in this order:

"Timestamp","Policy Identity Label","Internal Client IP","External Client IP","Destination IP","Content Type","Action","URL","Referer","User Agent","Status Code","Request Size","Response Size","Response Body Size","SHA256 Hash","Categories","AV Detections","PUAs","AMP Disposition","AMP Malware Name","AMP Score","Policy Identity Type","Blocked Categories","Identities","Identity Types","Request Method","DLP Status","Certificate Errors","File Name","Ruleset ID","Rule ID","Destination List IDs","Isolate Action","File Action","Warn Status","Forwarding Method","Producer","MSP Organization ID","Geo Location Of Blocked Destination Countries","Application IDs","Host Name","Data Center","Egress","Server Name","Time Based Rule","Security Overridden","Detected Response File Type","Warn Categories","Organization ID","Application Entity Name","Application Entity Category"
  • Timestamp—The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
  • Policy Identity Label—The identity that made the request.
  • Internal Client IP—The internal IP address of the computer making the request.
  • External Client IP—The egress IP address of the network where the request originated.
  • Destination IP—The destination IP address of the request.
  • Content Type—The type of web content, typically text/html.
  • Action—Whether the request was allowed or blocked.
  • URL—The URL requested.
  • Referer—The referring domain or URL.
  • User Agent—The browser agent that made the request.
  • Status Code—The HTTP status code.
  • Request Size (bytes)—Request size in bytes.
  • Response Size (bytes)—Response size in bytes.
  • Response Body Size (bytes)—Response body size in bytes.
  • SHA-SHA256—The hex digest of the response content.
  • Categories—The security categories for this request, such as Malware.
  • AV Detections—The detection name according to the antivirus engine used in file inspection.
  • PUAs—A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
  • AMP Disposition—The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.
  • AMP Malware Name—If Malicious, the name of the malware according to AMP.
  • AMP Score—The score of the malware from AMP. This field is blank unless the verdict is Unknown, in which case the value is 0.
  • Policy Identity Type—The first identity type that made the request. For example, Roaming Computer, Network, and so on.
  • Blocked Categories—The category that resulted in the destination being blocked. Available in version 4 and above.
  • Identities—All identities associated with this request.
  • Identity Types—The type of identities that were associated with the request. For example, Roaming Computer, Network, and so on. Available in version 5 and above.
  • Request Method—The request method, for example: GET, POST, HEAD, PUT, DELETE.
  • DLP Status—Indicates whether the request was blocked by Data Loss Prevention (DLP).
  • Certificate Errors—Any certificate or protocol errors in the request.
  • File Name—The name of the file.
  • Ruleset ID—The ID number assigned to the ruleset.
  • Rule ID—The ID number assigned to the rule.
  • Destination List IDs—The ID number assigned to a destination list.
  • Isolate Action—The remote browser isolation state associated with the request.
  • File Action—The action taken on a file in a remote browser isolation session.
  • Warn Status—The warn page state associated with the request.
  • Forwarding Method—The method used to forward the records, for example: Secure Web Appliance (SWA). (v9)
  • Producer—The producer that generated this log entry. (v9)
  • MSP Organization ID—The Umbrella parent organization ID. (v10)
  • Geo Location of Blocked Destination Countries—The ISO-3166 IDs of one or more countries where destination IPs blocked by policy are located. (v10)
  • Application IDs—The ID of the destination application. (v10)
  • Hostname—The hostname of the user device. (v10)
  • Data Center—The name of the data center that processed the user-generated traffic. (v10)
  • Egress—TRUE indicates that the egress IP was a reserved IP. (v10)
  • Server Name—The name of the server according to the TLS protocol server name indication (SNI), if present, or from the server's SAN certificate common name (CN). (v10)
  • Time Based Rule—TRUE indicates that the rule was applied due to a time condition. (v10)
  • Security Overridden—TRUE indicates that security filtering was explicitly overridden and not applied during enforcement. (v10)
  • Detected Response File Type—The file type that resulted in a blocked response. Examples: exe, avi. (v10)
  • Warn Categories—The ID of one or more content categories in lists matched for a Warn action by the rule. (v10)
  • Organization ID—The Umbrella organization ID. For more information, see Find Your Organization ID. (v10)
  • Application Entity Name—The specific name of an application entity within a system. For example, the YouTube channel "Cisco". (v11)
  • Application Entity Category—The classification grouping of application entities based on shared characteristics or functions. For example, the YouTube category "Networking". (v11)
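The parser and triage helper below are an added example, not Cisco's code: they map a web log record onto the documented field order with the csv module (quoted cells such as categories and identities contain commas, so a plain split on commas would shift every later field) and flag records using the field semantics listed above. The triage conditions and the field names in WEB_LOG_FIELDS are my assumptions, derived from this page.

```python
import csv

# Field order of the Umbrella web log (v11) as listed on this page.
WEB_LOG_FIELDS = [
    "timestamp", "policy identity label", "internal client ip", "external client ip",
    "destination ip", "content type", "action", "url", "referer", "user agent",
    "status code", "request size", "response size", "response body size", "sha-sha256",
    "categories", "av detections", "puas", "amp disposition", "amp malware name",
    "amp score", "policy identity type", "blocked categories", "identities",
    "identity types", "request method", "dlp status", "certificate errors", "file name",
    "ruleset id", "rule id", "destination list ids", "isolate action", "file action",
    "warn status", "forwarding method", "producer", "msp organization id",
    "geo location of blocked destination countries", "application ids", "hostname",
    "data center", "egress", "server name", "time based rule", "security overridden",
    "detected response file type", "warn categories", "organization id",
    "application entity name", "application entity category",
]  # 51 fields

# The example record from this page (the vendor masked the IPs with X).
SAMPLE_LINE = (
    '"2025-01-06 13:39:24","SIG2-Denver","10.X.X.X","10.X.X.X","10.X.X.X","","ALLOWED",'
    '"https://example.com","","","200","1557","6441","","",'
    '"Software/Technology,Allow List,Computers and Internet","","","","","",'
    '"Network Tunnels","","SIG2-EX,RTO-XXXX-SIG","Network Tunnels,Internal Networks",'
    '"CONNECT","","","","13368132","610352","9999583","not_isolated","","","","","","","",'
    '"swg-nginx-proxy-https-4335ec07f282.signginx.den1","DEN1","true",'
    '"winatp-gw-eus.microsoft.com","false","false","","","2204063","",""'
)


def parse_web_log_line(line):
    """Map one CSV record onto the documented field names. A field-count mismatch
    usually means a different log version or a truncated line, so refuse it."""
    row = next(csv.reader([line]))  # honours the double-quoted, comma-bearing cells
    if len(row) != len(WEB_LOG_FIELDS):
        raise ValueError(f"expected {len(WEB_LOG_FIELDS)} fields, got {len(row)}")
    return dict(zip(WEB_LOG_FIELDS, row))


def triage(entry):
    """Reasons a record deserves analyst attention (assumed conditions, built
    from the field semantics documented on this page)."""
    reasons = []
    if entry["action"] != "ALLOWED":
        reasons.append("action " + entry["action"])
    if entry["amp disposition"] == "Malicious":
        reasons.append("AMP: " + entry["amp malware name"])
    if entry["av detections"] or "Malware" in entry["categories"].split(","):
        reasons.append("malware indicator")
    if entry["security overridden"].lower() == "true":
        reasons.append("security filtering overridden")
    return reasons
```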
