Web Log Formats

Web logs show traffic that has passed through the Umbrella secure web gateway (SWG) or the Selective Proxy.

Examples
Order of Fields in the Web Log

Examples

"2017-10-02 23:52:53","TheComputerName","192.192.192.135","1.1.1.91", "3.4.5.6","","ALLOWED","<http://google.com/the.js","www.google.com","Mozilla/5.0> (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36","200","562","1489","","","Search Engines","","","","","","Roaming Computer","","TheComputerName, ADSite,Network","Roaming Computer, Site, Network","GET","","","the.js","","","","isolated","downloaded_original_file","warn-session","",""

The example entry is 490 bytes. To estimate the size of your S3 Logs, see Estimate the Size of Your Logs.

Order of Fields in the Web Log

Note: Not all fields listed are found in most or all requests. When a field does not have a value, Umbrella sets the field to the empty string ("") in the log.

Timestamp—The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
Policy Identity Label—The identity that made the request.
Internal Client IP—The internal IP address of the computer making the request.
External Client IP—The egress IP address of the network where the request originated.
Destination IP—The destination IP address of the request.
Content Type—The type of web content, typically text/html.
Action—Whether the request was allowed or blocked.
URL—The URL requested.
Referer—The referring domain or URL.
User Agent—The browser agent that made the request.
Status Code—The HTTP status code; should always be 200 or 201.
Request Size (bytes)—Request size in bytes.
Response Size (bytes)—Response size in bytes.
Response Body Size (bytes)—Response body size in bytes.
SHA—SHA256—The hex digest of the response content.
Categories—The security categories for this request, such as Malware.
AV Detections—The detection name according to the antivirus engine used in file inspection.
PUAs—A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
AMP Disposition—The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.
AMP Malware Name—If Malicious, the name of the malware according to AMP.
AMP Score—The score of the malware from AMP. This field returns blank unless the verdict is Unknown, in which the value will be 0.
Policy Identity Type—The first identity type that made the request. For example, Roaming Computer, Network, and so on.
Blocked Categories—The category that resulted in the destination being blocked. Available in version 4 and above.
Identities—All identities associated with this request.
Identity Types—The type of identities that were associated with the request. For example, Roaming Computer, Network, and so on. Available in version 5 and above.
Request Method—The request method, for example: GET, POST, HEAD, PUT, DELETE.
DLP Status—If the request was Blocked for DLP.
Certificate Errors—Any certificate or protocol errors in the request.
File Name—The name of the file.
Ruleset ID—The ID number assigned to the ruleset.
Rule ID—The ID number assigned to the rule.
Destination List IDs—The ID number assigned to a destination list.
Isolate Action—The remote browser isolation state associated with the request.
File Action—The action taken on a file in a remote browser isolation session.
Warn Status—The warn page state associated with the request.
Forwarding Method—The method used to forward the records, for example: Secure Web Appliance (SWA). (v9)
Producer—The producer that generated this log entry. (v9)

IPS Log Formats < Web Log Formats > Manage Authentication

Updated about 2 months ago

Table of Contents

Examples

Order of Fields in the Web Log