Data Loss Prevention (DLP) Log Formats

The Cisco Secure Access DLP logs show information about DLP events where data identifiers were triggered and a violation occurred. DLP logs are available in all log format versions. For information about the size of a log file, see Estimate the Size of a Log.

Note: A single DLP event can appear in multiple rows of the logs when different data identifiers and file labels are triggered for the same content. Rows related to the same content or event have the same Unique Event ID.

Examples of DLP logs.

V8, V9 Log Samples

"2022-02-15 12:05:45","Real Time","f64dcc3f-50fa-410a-b8e1-589894276cee_17c81f85-34f7-4bc5-aa4c-155571f484f6","CRITICAL","Network1","","first.xlsx","Dropbox","<","BLOCK","rule-1","classification-2","classifier-2.1","text/html","48","abbd2352c3cfea8846871928bf99ca24dc3a6f162170926649381a6d968869ab", "Confidential"

Order of Fields in the DLP Log

Note: Not every field listed has a value in every request. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.

V8, V9 Log Formats

The header row of the DLP logs lists the CSV fields in this order:

timestamp,event type,unique event id,severity,identity,owner,name,application,destination,action,rule,data classification,data identifier,content type,file size,SHA 256 hash,file label
  • Timestamp—The timestamp of the request transaction in UTC.
  • Event Type—The type of event that matched a data identifier. "Real Time" denotes a proxy-based DLP event triggered by a Real Time rule and "SaaS API" denotes a DLP event triggered by any of the SaaS API rules.
  • Unique Event ID—The unique identifier for the event. There can be multiple violation matches in one event.
  • Severity—The severity of the rule (Low, Medium, High, or Critical).
  • Identity—The source that triggered the violation.
  • Owner—The owner of the file.
  • Name—The name of the file.
  • Application—The application of the request.
  • Destination—The domain of the request.
  • Action—Whether the violation was Blocked or Monitored.
  • Rule—The DLP rule name.
  • Data Classification—The data classification whose data identifier matched on the violation.
  • Data Identifier—The data identifier that matched on the request.
  • Content Type—The MIME type of the file that matches the data identifier.
  • File Size—The size of the file.
  • SHA256 Hash—The hex digest of the response content.
  • File Label—The file name label that matched on the file properties.
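
An added example (not Cisco's code) that parses V8/V9 DLP rows, maps empty-string fields to None, and merges rows sharing a Unique Event ID so that one violation is counted once. The sample rows, the event IDs, the hash placeholder, and the `LOW` and `MONITOR` values are constructed for illustration.

```python
import csv
import io

# Field order copied from the V8/V9 header row above.
FIELDS = ("timestamp,event type,unique event id,severity,identity,owner,name,"
          "application,destination,action,rule,data classification,"
          "data identifier,content type,file size,SHA 256 hash,file label").split(",")

# Constructed sample (not real log data). evt-0001 spans two rows; the space
# before the last field of its first row mirrors the sample row on this page.
SAMPLE = "\n".join([
    ",".join(FIELDS),
    '"2022-02-15 12:05:45","Real Time","evt-0001","CRITICAL","Network1","",'
    '"first.xlsx","Dropbox","","BLOCK","rule-1","classification-2",'
    '"classifier-2.1","text/html","48","hash-placeholder", "Confidential"',
    '"2022-02-15 12:05:45","Real Time","evt-0001","CRITICAL","Network1","",'
    '"first.xlsx","Dropbox","","BLOCK","rule-1","classification-2",'
    '"classifier-2.2","text/html","48","hash-placeholder",""',
    '"2022-02-15 12:07:10","SaaS API","evt-0002","LOW","Network1","owner1",'
    '"notes.txt","Dropbox","","MONITOR","rule-2","classification-1",'
    '"classifier-1.1","text/plain","12","hash-placeholder",""',
])


def parse_dlp_rows(text):
    """Yield one dict per data row; empty-string fields become None."""
    # skipinitialspace keeps a space after a comma from breaking the quoting.
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0].lower() == "timestamp":
            continue  # blank line or header row
        if len(row) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}")
        yield {k: (v or None) for k, v in zip(FIELDS, row)}


def group_events(rows):
    """Merge rows that share a Unique Event ID into one event record."""
    events = {}
    for r in rows:
        ev = events.setdefault(r["unique event id"], {
            "name": r["name"], "action": r["action"], "severity": r["severity"],
            "identifiers": set(), "labels": set()})
        if r["data identifier"]:
            ev["identifiers"].add(r["data identifier"])
        if r["file label"]:
            ev["labels"].add(r["file label"])
    return events
```

Counting raw rows would report three violations here; grouping by Unique Event ID reports two events, one of which matched two data identifiers.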

Estimate the Size of a Log

The size of your S3 logs depends on the number of events that occur and the volume of the traffic in your organization.

  1. Download one of your Secure Access log files. The Secure Access log file is a comma-separated values (CSV) file.
  2. Count the number of rows in the CSV file minus one for the header row.
    The number of rows is equivalent to the number of VPN events in the twenty-four-hour period.
  3. Multiply the number of rows of data by the number of bytes of data listed in a single row in the file.
    The result is the estimate of the size of the event log recorded for one day.
