DNS Log Formats

The Cisco Secure Access DNS logs show your organization's traffic through the Secure Access DNS resolvers. For information about the size of a log file, see Estimate the Size of a Log.

Examples

Examples of DNS logs.

V8, V9 Log Samples

"2015-01-16 17:48:41","ActiveDirectoryUserName","ActiveDirectoryUserName,ADSite,Network","10.10.1.100","24.123.132.133","Allowed","1 (A)","NOERROR","domain-visited.com.","Chat,Photo Sharing,Social Networking,Allow List"

Example of DNS Log for Allowed Action:

"2015-01-16 17:48:41","ActiveDirectoryUserName","ActiveDirectoryUserName,ADSite,Network","10.10.1.100","24.123.132.133","Allowed","1 (A)","NOERROR","domain-visited.com.","Photo Sharing","AD User","AD User,Site,Network",""

Example of DNS Log for Blocked Action with Blocked Categories:

"2015-01-16 17:48:41","ActiveDirectoryUserName","ActiveDirectoryUserName,ADSite,Network","10.10.1.100","24.123.132.133","Blocked","1 (A)","NOERROR","domain-visited.com.","Chat,Photo Sharing,Social Networking","AD User","AD User,Site,Network","Chat,Social Networking"

Order of Fields in the DNS Log

Note: Not all fields listed are found in most or all requests. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.

V8, V9 Log Formats

The CSV fields in the header row of the DNS logs are:

timestamp,most granular identity,identities,internal ip,external ip,action,query type,response code,domain,categories,most granular identity type,identity types,blocked categories
  • timestamp—The date and time of the DNS query, in UTC.
    Note: Unlike the logs, Secure Access converts the timestamps in your reports to your specified time zone.
  • most granular identity—The first identity matched with this request in order of granularity.
  • identities—All identities associated with this request.
  • internal ip—The internal IP address that made the request.
  • external ip—The external IP address that made the request.
  • action—Whether the request was allowed or blocked.
  • query type—The type of DNS request that was made. For more information, see Common DNS Request Types.
  • response code—The DNS return code for this request. For more information, see Common DNS return codes for any DNS service.
  • domain—The domain that was requested.
  • categories—The security or content categories that the destination matches. For category definitions, see Understanding Security Categories and Understanding Content Categories.
  • most granular identity type—The first identity type matched with this request in order of granularity. Available in version 3 and above.
  • identity types—The type of identity that made the request, for example: Roaming Computer, Network. Available in version 3 and above.
  • blocked categories—The categories that resulted in the destination being blocked. Available in version 4 and above.
