Web Log Formats

Web logs show traffic that has passed through the Umbrella secure web gateway (SWG) or the Selective Proxy.

Table of Contents


"2017-10-02 23:52:53","TheComputerName","","", "","","ALLOWED","<","","Mozilla/5.0> (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36","200","562","1489","","","Search Engines","","","","","","Roaming Computer","","TheComputerName, ADSite,Network","Roaming Computer, Site, Network","GET","","","the.js","","","","isolated","downloaded_original_file","warn-session","",""

The example entry is 490 bytes. To estimate the size of your S3 Logs, see Estimate the Size of Your Logs.

Order of Fields in the Web Log

<timestamp><policy identity label><internal client ip><external client ip><destination ip><content type><action><url><referer><user agent><status code><request size><response size><response body size><sha—sha256><categories><av detections><PUAs><AMP disposition><AMP malware name><AMP score><policy identity type><blocked categories><identities><identity types><request method><DLP status><certificate errors><file name><ruleset ID><rule ID><destination list IDs><isolate action><file action><warn status><forwarding method><Producer>

Note: Not all fields listed are found in most or all requests. When a field does not have a value, Umbrella sets the field to the empty string ("") in the log.

  • Timestamp—The timestamp of the request transaction in UTC (2015-01-16 17:48:41).
  • Policy Identity Label—The identity that made the request.
  • Internal Client IP—The internal IP address of the computer making the request.
  • External Client IP—The egress IP address of the network where the request originated.
  • Destination IP—The destination IP address of the request.
  • Content Type—The type of web content, typically text/html.
  • Action—Whether the request was allowed or blocked.
  • URL—The URL requested.
  • Referer—The referring domain or URL.
  • User Agent—The browser agent that made the request.
  • Status Code—The HTTP status code.
  • Request Size (bytes)—Request size in bytes.
  • Response Size (bytes)—Response size in bytes.
  • Response Body Size (bytes)—Response body size in bytes.
  • SHA—SHA256—The hex digest of the response content.
  • Categories—The security categories for this request, such as Malware.
  • AV Detections—The detection name according to the antivirus engine used in file inspection.
  • PUAs—A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
  • AMP Disposition—The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the Umbrella File Inspection feature; can be Clean, Malicious or Unknown.
  • AMP Malware Name—If Malicious, the name of the malware according to AMP.
  • AMP Score—The score of the malware from AMP. This field returns blank unless the verdict is Unknown, in which the value will be 0.
  • Policy Identity Type—The first identity type that made the request. For example, Roaming Computer, Network, and so on.
  • Blocked Categories—The category that resulted in the destination being blocked. Available in version 4 and above.
  • Identities—All identities associated with this request.
  • Identity Types—The type of identities that were associated with the request. For example, Roaming Computer, Network, and so on. Available in version 5 and above.
  • Request Method—The request method, for example: GET, POST, HEAD, PUT, DELETE.
  • DLP Status—If the request was Blocked for DLP.
  • Certificate Errors—Any certificate or protocol errors in the request.
  • File Name—The name of the file.
  • Ruleset ID—The ID number assigned to the ruleset.
  • Rule ID—The ID number assigned to the rule.
  • Destination List IDs—The ID number assigned to a destination list.
  • Isolate Action—The remote browser isolation state associated with the request.
  • File Action—The action taken on a file in a remote browser isolation session.
  • Warn Status—The warn page state associated with the request.
  • Forwarding Method—The method used to forward the records, for example: Secure Web Appliance (SWA). (v9)
  • Producer—The producer that generated this log entry. (v9)

IPS Log Formats < Web Log Formats > Manage Authentication