DNS Log Formats
The Cisco Secure Access DNS logs show your organization's traffic through the Secure Access DNS resolvers. For information about the size of a log file, see Estimate the Size of a Log.
Examples
Examples of DNS logs.
V8, V9 Log Samples
"2015-01-16 17:48:41","ActiveDirectoryUserName","ActiveDirectoryUserName,ADSite,Network","10.10.1.100","24.123.132.133","Allowed","1 (A)","NOERROR","domain-visited.com.","Chat,Photo Sharing,Social Networking,Allow List"
Example of DNS Log for Allowed Action:
"2015-01-16 17:48:41","ActiveDirectoryUserName","ActiveDirectoryUserName,ADSite,Network","10.10.1.100","24.123.132.133","Allowed","1 (A)","NOERROR","domain-visited.com.","Photo Sharing","AD User","AD User,Site,Network",""
Example of DNS Log for Blocked Action with Blocked Categories:
"2015-01-16 17:48:41","ActiveDirectoryUserName","ActiveDirectoryUserName,ADSite,Network","10.10.1.100","24.123.132.133","Blocked","1 (A)","NOERROR","domain-visited.com.","Chat,Photo Sharing,Social Networking","AD User","AD User,Site,Network","Chat,Social Networking"
Order of Fields in the DNS Log
Note: Not all fields listed are found in most or all requests. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.
V8, V9 Log Formats
The CSV fields in the header row of the DNS logs.
timestamp,most granular identity,identities,internal ip,external ip,action,query type,response code,domain,categories,most granular identity type,identity types,blocked categories
- timestamp—The date and time of the DNS query, in UTC.
Note: Unlike the logs, Secure Access converts the timestamps in your reports to your specified time zone.
- most granular identity—The first identity matched with this request in order of granularity.
- identities—All identities associated with this request.
- internal ip—The internal IP address that made the request.
- external ip—The external IP address that made the request.
- action—Whether the request was allowed or blocked.
- query type—The type of DNS request that was made. For more information, see Common DNS Request Types.
- response code—The DNS return code for this request. For more information, see Common DNS return codes for any DNS service.
- domain—The domain that was requested.
- categories—The security or content categories that the destination matches. For category definitions, see Understanding Security Categories and Understanding Content Categories.
- most granular identity type—The first identity type matched with this request in order of granularity. Available in version 3 and above.
- identity types—The type of identity that made the request, for example: Roaming Computer, Network. Available in version 3 and above.
- blocked categories—The categories that resulted in the destination being blocked. Available in version 4 and above.
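A parser for the field order described above, added here as an example; it is not Cisco's code, and the function names are hypothetical. It assumes the timestamp layout and the comma-separated multi-value fields seen in the samples on this page, and pads rows that carry fewer columns than the header row.

```python
import csv
import io
from datetime import datetime, timezone

# Field order from the header row documented on this page.
FIELDS = ("timestamp,most granular identity,identities,internal ip,external ip,"
          "action,query type,response code,domain,categories,"
          "most granular identity type,identity types,blocked categories").split(",")
# Fields whose quoted value is itself a comma-separated list (seen in the samples).
MULTI = ("identities", "categories", "identity types", "blocked categories")


def parse_dns_log(text):
    """Parse DNS log lines into dicts keyed by the documented field names."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0] == "timestamp":  # skip blank lines and the header row
            continue
        # A row may carry fewer columns than the header; pad with "".
        row = row[:len(FIELDS)] + [""] * (len(FIELDS) - len(row))
        rec = dict(zip(FIELDS, row))
        for name in MULTI:
            rec[name] = [v for v in rec[name].split(",") if v]
        # Log timestamps are UTC; attach the zone so comparisons are unambiguous.
        rec["timestamp"] = datetime.strptime(
            rec["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        # Normalise the FQDN for matching: drop the trailing dot, lowercase.
        rec["domain"] = rec["domain"].rstrip(".").lower()
        records.append(rec)
    return records


def blocked_summary(records):
    """Return (identity, domain, blocked categories) for each blocked request."""
    return [(r["most granular identity"], r["domain"], r["blocked categories"])
            for r in records if r["action"] == "Blocked"]


# Constructed input: the documented header row plus the three samples on this page.
SAMPLE = '''timestamp,most granular identity,identities,internal ip,external ip,action,query type,response code,domain,categories,most granular identity type,identity types,blocked categories
"2015-01-16 17:48:41","ActiveDirectoryUserName","ActiveDirectoryUserName,ADSite,Network","10.10.1.100","24.123.132.133","Allowed","1 (A)","NOERROR","domain-visited.com.","Chat,Photo Sharing,Social Networking,Allow List"
"2015-01-16 17:48:41","ActiveDirectoryUserName","ActiveDirectoryUserName,ADSite,Network","10.10.1.100","24.123.132.133","Allowed","1 (A)","NOERROR","domain-visited.com.","Photo Sharing","AD User","AD User,Site,Network",""
"2015-01-16 17:48:41","ActiveDirectoryUserName","ActiveDirectoryUserName,ADSite,Network","10.10.1.100","24.123.132.133","Blocked","1 (A)","NOERROR","domain-visited.com.","Chat,Photo Sharing,Social Networking","AD User","AD User,Site,Network","Chat,Social Networking"
'''

if __name__ == "__main__":
    for hit in blocked_summary(parse_dns_log(SAMPLE)):
        print(hit)
```

Splitting on commas with a plain string split would break the quoted multi-value fields, which is why the example reads the rows with a CSV reader first.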
Updated 8 months ago