DNS Log Formats
The Cisco Secure Access DNS logs show your organization's traffic through the Secure Access DNS resolvers. For information about the size of a log file, see Estimate the Size of a Log.
Examples
An example of a v10 DNS Log of an Allowed Action event.
timestamp,most granular identity,identities,internal ip,external ip,action,query type,response code,domain,categories,most granular identity type,identity types,blocked categories,rule id,destination countries,organization id
"2024-09-11 18:46:00","Active Directory User ([email protected])","Active Directory User ([email protected]),WIN11-SNG01-Example","10.10.1.100","24.123.132.133","Allowed","1 (A)","NOERROR","domain-visited.com.","Software/Technology,Business Services,Allow List,Infrastructure and Content Delivery Networks,SaaS and B2B,Application","AD Users","AD Users,Anyconnect Roaming Client","","506165","","8234970"
An example of a v10 DNS Log of a Blocked Action event with Blocked Categories.
timestamp,most granular identity,identities,internal ip,external ip,action,query type,response code,domain,categories,most granular identity type,identity types,blocked categories,rule id,destination countries,organization id
"2024-09-11 18:46:00","Active Directory User ([email protected])","Active Directory User ([email protected]),WIN11-SNG01-Example","10.10.1.100","24.123.132.133","Blocked","1 (A)","NOERROR","domain-visited.com.","Chat,Social Networking","AD Users","AD Users,Anyconnect Roaming Client","Social Networking","506165","","8234970"
Order of Fields in the DNS Log
Note: Not all fields listed are found in most or all requests. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.
V10 Log Formats
The CSV fields in the header row of the DNS logs.
timestamp,most granular identity,identities,internal ip,external ip,action,query type,response code,domain,categories,most granular identity type,identity types,blocked categories,rule id,destination countries,organization id
The following table describes each field and gives the log version in which the field was released, up to version 10. For more information about log versions, see Find Your Log Schema Version.
Field name | Description | Release version |
---|---|---|
timestamp | The date and time of the DNS event, expressed as a UTC-formatted string (e.g., 2024-01-16 17:48:41). Note: Unlike the Secure Access dashboard and reports, Secure Access logs do not convert the timestamp to your local timezone. | v8 |
most granular identity | The first identity matched with this request in order of granularity. | v8 |
identities | All identities associated with this request. | v5 |
internal ip | The internal IP address that made the request. | v8 |
external ip | The external IP address that made the request. | v8 |
action | Whether the request was allowed or blocked. | v8 |
query type | The type of DNS request that was made. | v8 |
response code | The DNS return code for this request. | v8 |
domain | The domain that was requested. | v8 |
categories | The security or content categories that the destination matches. For category definitions, see Manage Threat Categories and Manage Content Category Lists. | v8 |
most granular identity type | The first identity type matched with this request in order of granularity. | v3 |
identity types | The type of identity that made the request, for example: Roaming Computer, Network. | v3 |
blocked categories | The categories that resulted in the destination being blocked. | v4 |
rule id | The ID of the access rule when the DNS request is matched by a policy. | v10 |
destination countries | The two-character country identifier of the domain that was requested. | v10 |
organization id | The Secure Access organization ID. For more information, see Find Your Organization ID. | v10 |
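The following parser for the v10 field order is an added example, not code from Cisco or from the original page. It assumes that list-valued fields are split on commas (as the example rows suggest); the function names, the set of fields treated as lists, and the sample rows are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Header row of the v10 DNS log, as listed on this page.
V10_FIELDS = (
    "timestamp,most granular identity,identities,internal ip,external ip,"
    "action,query type,response code,domain,categories,"
    "most granular identity type,identity types,blocked categories,"
    "rule id,destination countries,organization id"
).split(",")

# Assumption: these fields carry a comma-separated list inside one quoted value.
MULTI_VALUED = ("identities", "categories", "identity types", "blocked categories")


def parse_v10_dns_log(text):
    """Yield one dict per v10 DNS log row; a header row, if present, is skipped."""
    for row in csv.reader(io.StringIO(text)):
        if not row or row == V10_FIELDS:
            continue
        if len(row) != len(V10_FIELDS):
            raise ValueError(f"expected {len(V10_FIELDS)} fields, got {len(row)}")
        event = dict(zip(V10_FIELDS, row))
        for name in MULTI_VALUED:
            # A field without a value is logged as "", which becomes an empty list.
            event[name] = [v for v in event[name].split(",") if v]
        # Log timestamps are UTC and are not converted to local time.
        event["timestamp"] = datetime.strptime(
            event["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        # The example rows log the domain with a trailing dot; normalize it.
        event["domain"] = event["domain"].rstrip(".").lower()
        yield event


def blocked_events(text):
    """Return the rows whose action is Blocked, for triage or alerting."""
    return [e for e in parse_v10_dns_log(text) if e["action"] == "Blocked"]


# Constructed sample rows modelled on the examples above (not real traffic).
SAMPLE = ",".join(V10_FIELDS) + '''
"2024-09-11 18:46:00","Active Directory User (user@example.com)","Active Directory User (user@example.com),WIN11-SNG01-Example","10.10.1.100","192.0.2.10","Allowed","1 (A)","NOERROR","domain-visited.com.","Software/Technology,Business Services","AD Users","AD Users,Anyconnect Roaming Client","","506165","","8234970"
"2024-09-11 18:46:05","Active Directory User (user@example.com)","Active Directory User (user@example.com),WIN11-SNG01-Example","10.10.1.100","192.0.2.10","Blocked","1 (A)","NOERROR","domain-visited.com.","Chat,Social Networking","AD Users","AD Users,Anyconnect Roaming Client","Social Networking","506165","","8234970"
'''
```

A row with the wrong number of fields raises `ValueError` rather than being silently misaligned, which matters when a log of a different schema version is fed to a v10 pipeline.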