Web Log Formats
The Cisco Secure Access Web logs show your organization's traffic through the Secure Access proxy. For information about the size of a log file, see Estimate the Size of a Log.
Example
An example of a v10 Web log event.
timestamp,policy identity label,internal client ip,external client ip,destination ip,content type,action,url,referer,user agent,status code,request size,response size,response body size,sha-sha256,categories,av detections,puas,amp disposition,AMP malware name,amp score,policy identity type,blocked categories,identities,identity types,request method,dlp status,certificate errors,file name,ruleset id,rule ID,destination list ids,isolate action,file action,warn status,forwarding method,producer,msp organization id,geo location,blocked destination countries,application ids,hostname,data center,egress,server name,time based rule,security overridden,detected response file type,warn categories,organization id
"2024-09-11 11:48:11","TheComputerName","192.192.192.135","1.1.1.91","3.4.5.6","","ALLOWED","https://unitedstates.smartscreen.microsoft.com","www.google.com","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36","200","562","1489","","","Search Engines","","","","","","Roaming Computer","","TheComputerName, ADSite,Network","Roaming Computer, Site, Network","GET","","","the.js","","","","isolated","downloaded_original_file","warn-session","","SWA","","","","","swg-nginx-proxy-https-bd8cc1601841.signginx.atl1","ATL1","true","unitedstates.smartscreen.microsoft.com","false","false","","","2204063"
Order of Fields in the Web Log
Note: Not all fields listed are found in most or all requests. When a field does not have a value, Secure Access sets the field to the empty string ("") in the log.
V10 Log Format
The CSV fields in the header row of the Web log.
timestamp,policy identity label,internal client ip,external client ip,destination ip,content type,action,url,referer,user agent,status code,request size,response size,response body size,sha-sha256,categories,av detections,puas,amp disposition,AMP malware name,amp score,policy identity type,blocked categories,identities,identity types,request method,dlp status,certificate errors,file name,ruleset id,rule ID,destination list ids,isolate action,file action,warn status,forwarding method,producer,msp organization id,geo location,blocked destination countries,application ids,hostname,data center,egress,server name,time based rule,security overridden,detected response file type,warn categories,organization id
The description of each field and the log version in which each field was released, up to version 10. For more information about log versions, see Find Your Log Schema Version.
Field name | Description | Release version |
---|---|---|
timestamp | The date and time of the Web traffic event, expressed as a UTC-formatted string (e.g., 2024-01-16 17:48:41). Note: Unlike the Secure Access dashboard and reports, Secure Access logs do not convert the timestamp to your local timezone. | v1 |
policy identity label | The identity that made the request. | v1 |
internal client ip | The internal IP address of the computer making the request. | v1 |
external client ip | The egress IP address of the network where the request originated. | v1 |
destination ip | The destination IP address of the request. | v1 |
content type | The type of web content, typically text/html. | v1 |
action | Whether the request was allowed or blocked. | v1 |
url | The URL requested. | v1 |
referer | The referring domain or URL. | v1 |
user agent | The browser agent that made the request. | v1 |
status code | The HTTP status code; should always be 200 or 201. | v1 |
request size | Request size in bytes. | v1 |
response size | Response size in bytes. | v1 |
response body size | Response body size in bytes. | v1 |
sha-sha256 | The hex digest of the response content. | v1 |
categories | The security categories for this request, such as Malware. | v1 |
av detections | The detection name according to the antivirus engine used in file inspection. | v1 |
puas | A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. | v1 |
amp disposition | The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the File Inspection feature; can be Clean, Malicious or Unknown. | v1 |
amp malware name | If Malicious, the name of the malware according to AMP. | v1 |
amp score | The score of the malware from AMP. This field is blank ("") unless the verdict is Unknown, in which case the value is 0. | v1 |
policy identity type | The first identity type that made the request. Examples: Roaming Computer, Network. | v1 |
blocked categories | The category that resulted in the destination being blocked. | v4 |
identities | All identities associated with this request. | v5 |
identity types | The type of identities that were associated with the request. Examples: Roaming Computer, Network. | v5 |
request method | The HTTP request method. Examples: GET, POST, HEAD, PUT, DELETE. | v5 |
dlp status | If the request was Blocked for DLP. | v6 |
certificate errors | Any certificate or protocol errors in the request. | v6 |
file name | The name of the file. | v6 |
ruleset id | The ID number assigned to the ruleset. | v6 |
rule id | The ID number assigned to the rule. | v6 |
destination list ids | The ID number assigned to a destination list. | v6 |
isolate action | The remote browser isolation state associated with the request. | v8 |
file action | The action taken on a file in a remote browser isolation session. Valid values are: UNKNOWN, DETECT, BLOCK, MALWARE_CLOUD_LOOKUP, MALWARE_WHITELIST, CLOUD_LOOKUP_TIMEOUT, CUSTOM_DETECTION, CUSTOM_DETECTION_BLOCK, ARCHIVE_BLOCK_DEPTH_EXCEEDED, ARCHIVE_BLOCK_ENCRYPTED, ARCHIVE_BLOCK_FAILED_TO_INSPECT, TID_BLOCK | v8 |
warn status | The Warn page's state associated with the request. | v8 |
forwarding method | The method used to forward the proxy events. Example: Secure Web Appliance. | v9 |
producer | The producer of the proxy events. | v9 |
msp organization id | The Secure Access parent organization ID. | v10 |
geo location | The regional location of the user device. | v10 |
blocked destination countries | The country of the blocked destination. | v10 |
application ids | The ID of the destination application. | v10 |
hostname | The hostname of the user device. | v10 |
data center | The name of the data center that processed the user-generated traffic. | v10 |
egress | | v10 |
server name | | v10 |
time based rule | | v10 |
security overridden | | v10 |
detected response file type | | v10 |
warn categories | The ID of one or more content categories in lists matched for a Warn action by the rule. | v10 |
organization id | The Secure Access organization ID. For more information, see Find Your Organization ID. | v10 |
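The following Python script is an added example and is not Cisco's code or part of this page. It parses the v10 example event shown above using the header row published here, rejects lines whose field count does not match the 50-field v10 schema, applies the empty-string convention to amp score (blank means "no value", not zero), and runs a small triage over the fields described in the table (action, amp disposition, av detections, blocked categories, dlp status, certificate errors, status code). The second event it inspects is constructed for the example; its URL, file name and detection name are placeholders, not values from the page.

```python
import csv

# The v10 header row exactly as published on this page (50 fields).
V10_HEADER = (
    "timestamp,policy identity label,internal client ip,external client ip,"
    "destination ip,content type,action,url,referer,user agent,status code,"
    "request size,response size,response body size,sha-sha256,categories,"
    "av detections,puas,amp disposition,AMP malware name,amp score,"
    "policy identity type,blocked categories,identities,identity types,"
    "request method,dlp status,certificate errors,file name,ruleset id,"
    "rule ID,destination list ids,isolate action,file action,warn status,"
    "forwarding method,producer,msp organization id,geo location,"
    "blocked destination countries,application ids,hostname,data center,"
    "egress,server name,time based rule,security overridden,"
    "detected response file type,warn categories,organization id"
)
# Field names are lower-cased so they match the descriptions table
# ("amp malware name", "rule id").
V10_FIELDS = [name.lower() for name in V10_HEADER.split(",")]

# The example event from this page (an ALLOWED request).
PAGE_EXAMPLE = (
    '"2024-09-11 11:48:11","TheComputerName","192.192.192.135","1.1.1.91",'
    '"3.4.5.6","","ALLOWED","https://unitedstates.smartscreen.microsoft.com",'
    '"www.google.com","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36",'
    '"200","562","1489","","","Search Engines","","","","","","Roaming Computer",'
    '"","TheComputerName, ADSite,Network","Roaming Computer, Site, Network","GET",'
    '"","","the.js","","","","isolated","downloaded_original_file","warn-session",'
    '"","SWA","","","","","swg-nginx-proxy-https-bd8cc1601841.signginx.atl1",'
    '"ATL1","true","unitedstates.smartscreen.microsoft.com","false","false","","",'
    '"2204063"'
)


def parse_event(line, fields=V10_FIELDS):
    """Parse one quoted CSV event line into a dict keyed by v10 field name.

    csv.reader handles the commas inside quoted values such as the
    identities list. A field-count mismatch usually means the line was
    written by a different log schema version, so it is rejected rather
    than silently mis-mapped.
    """
    values = next(csv.reader([line]))
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
    return dict(zip(fields, values))


def amp_score(event):
    """amp score is "" unless the AMP verdict is Unknown (then "0").

    Map the empty string to None so 'absent' is never confused with 0.
    """
    raw = event["amp score"]
    return None if raw == "" else int(raw)


def triage(event):
    """Return the reasons this event deserves analyst attention.

    Per the page, a field with no value is the empty string, so a truthy
    string in av detections, blocked categories, dlp status or certificate
    errors means the proxy recorded something there.
    """
    reasons = []
    if event["action"] != "ALLOWED":
        reasons.append(f"action={event['action']}")
    if event["amp disposition"] == "Malicious":
        reasons.append(f"amp={event['amp malware name'] or 'unnamed'}")
    if event["av detections"]:
        reasons.append(f"av={event['av detections']}")
    if event["blocked categories"]:
        reasons.append(f"blocked_categories={event['blocked categories']}")
    if event["dlp status"]:
        reasons.append(f"dlp={event['dlp status']}")
    if event["certificate errors"]:
        reasons.append(f"cert={event['certificate errors']}")
    # The page states the status code should always be 200 or 201.
    if event["status code"] not in ("200", "201"):
        reasons.append(f"status={event['status code']}")
    return reasons


def constructed_malicious_event():
    """A constructed v10 event (not from the page): a blocked file download
    with an AMP Malicious verdict. URL, file name and detection name are
    placeholders."""
    event = parse_event(PAGE_EXAMPLE)
    event.update({
        "timestamp": "2024-09-11 11:52:07",
        "action": "BLOCKED",
        "url": "http://example.invalid/placeholder.exe",
        "file name": "placeholder.exe",
        "categories": "Malware",
        "blocked categories": "Malware",
        "amp disposition": "Malicious",
        "amp malware name": "PLACEHOLDER.Detection.Name",
        "av detections": "PLACEHOLDER.Detection.Name",
    })
    return event


if __name__ == "__main__":
    for event in (parse_event(PAGE_EXAMPLE), constructed_malicious_event()):
        print(event["timestamp"], event["url"], triage(event) or ["clean"])
```

Feeding a real log file through this is a matter of calling parse_event on each non-header line; keep the ValueError handling, because a mixed-version export (see Find Your Log Schema Version) is the usual cause of a field-count mismatch.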