Web Log Formats

The Cisco Secure Access Web logs show your organization's traffic through the Secure Access proxy. For information about the size of a log file, see Estimate the Size of a Log.

Examples

Examples of Web logs.

V8, V9 Log Samples

"2017-10-02 23:52:53","TheComputerName","192.192.192.135","1.1.1.91","3.4.5.6","","ALLOWED","http://google.com/the.js","www.google.com","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36","200","562","1489","","","Search Engines","","","","","","Roaming Computer","","TheComputerName, ADSite,Network","Roaming Computer, Site, Network","GET","","","the.js","","","","isolated","downloaded_original_file","warn-session","","SWA"

Order of Fields in the Web Log

Note: Not every field is populated for every request. When a field has no value, Secure Access writes the empty string ("") for it in the log.

V9 Log Format

The CSV fields in the header row of the Web v9 format logs.

timestamp,policy identity label,internal client ip,external client ip,destination ip,content type,action,url,referer,user agent,status code,request size,response size,response body size,sha-sha256,categories,av detections,PUAs,AMP disposition,AMP malware name,AMP score,policy identity type,blocked categories,identities,identity types,request method,DLP status,certificate errors,file name,ruleset ID,rule ID,destination list IDs,isolate action,file action,warn status,forwarding method,Producer

The v9 log format includes all fields in the v8 log format and adds the following fields:

  • forwarding method—The method used to forward the proxy events, for example: Secure Web Appliance.
  • Producer—The producer of the proxy events.

V8 Log Format

The CSV fields in the header row of the Web v8 format logs.

timestamp,policy identity label,internal client ip,external client ip,destination ip,content type,action,url,referer,user agent,status code,request size,response size,response body size,sha-sha256,categories,av detections,PUAs,AMP disposition,AMP malware name,AMP score,policy identity type,blocked categories,identities,identity types,request method,DLP status,certificate errors,file name,ruleset ID,rule ID,destination list IDs,isolate action,file action,warn status

  • timestamp—The timestamp of the request transaction in UTC, for example 2015-01-16 17:48:41.
  • policy identity label—The identity that made the request.
  • internal client ip—The internal IP address of the computer making the request.
  • external client ip—The egress IP address of the network where the request originated.
  • destination ip—The destination IP address of the request.
  • content type—The type of web content, typically text/html.
  • action—Whether the request was allowed or blocked.
  • url—The URL requested.
  • referer—The referring domain or URL.
  • user agent—The browser agent that made the request.
  • status code—The HTTP status code of the response, for example 200.
  • request size (bytes)—Request size in bytes.
  • response size (bytes)—Response size in bytes.
  • response body size (bytes)—Response body size in bytes.
  • sha-sha256—The SHA-256 hex digest of the response content.
  • categories—The security categories for this request, such as Malware.
  • av detections—The detection name according to the antivirus engine used in file inspection.
  • PUAs—A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner.
  • AMP disposition—The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the File Inspection feature; can be Clean, Malicious or Unknown.
  • AMP malware name—If the disposition is Malicious, the name of the malware according to AMP.
  • AMP score—The score of the malware from AMP. This field is blank unless the verdict is Unknown, in which case the value is 0.
  • policy identity type—The first identity type that made the request. For example, Roaming Computer, Network, and so on.
  • blocked categories—The category that resulted in the destination being blocked. Available in version 4 and above.
  • identities—All identities associated with this request.
  • identity types—The type of identities that were associated with the request. For example, Roaming Computer, Network, and so on. Available in version 5 and above.
  • request method—The request method, for example: GET, POST, HEAD, PUT, DELETE.
  • DLP status—Whether the request was blocked by a data loss prevention (DLP) rule.
  • certificate errors—Any certificate or protocol errors in the request.
  • file name—The name of the file.
  • ruleset ID—The ID number assigned to the ruleset.
  • rule ID—The ID number assigned to the rule.
  • destination list IDs—The ID number assigned to a destination list.
  • isolate action—The remote browser isolation state associated with the request.
  • file action—The action taken on a file in a remote browser isolation session.
  • warn status—The Warn page's state associated with the request.
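The sample line above and the v8 and v9 field lists are enough to write a parser, and the two places where a naive one breaks are visible in the sample itself: the user agent and the identities cells carry commas inside one quoted value, and absent values arrive as "" rather than being omitted. The following Python is an added example, not code from the Cisco documentation or from any Cisco tool. It reads Web log CSV with the standard csv module, selects the v8 or v9 header by field count, converts the documented numeric and timestamp fields, and flags the records an analyst would look at first. The second log line is constructed for the example. Which cells hold comma-separated lists beyond identities and identity types is an assumption, as are the triage rules.

```python
import csv
import io
from datetime import datetime, timezone

# Field names copied from the v8 and v9 header rows documented on this page.
V8_FIELDS = [
    "timestamp", "policy identity label", "internal client ip", "external client ip",
    "destination ip", "content type", "action", "url", "referer", "user agent",
    "status code", "request size", "response size", "response body size", "sha-sha256",
    "categories", "av detections", "PUAs", "AMP disposition", "AMP malware name",
    "AMP score", "policy identity type", "blocked categories", "identities",
    "identity types", "request method", "DLP status", "certificate errors", "file name",
    "ruleset ID", "rule ID", "destination list IDs", "isolate action", "file action",
    "warn status",
]
V9_FIELDS = V8_FIELDS + ["forwarding method", "Producer"]

# Assumption: these cells hold comma-separated lists. The page shows this for
# identities and identity types; the others are treated the same way here.
LIST_FIELDS = {"categories", "blocked categories", "identities", "identity types",
               "PUAs", "destination list IDs"}
INT_FIELDS = {"status code", "request size", "response size", "response body size", "AMP score"}

# Line 1 is the v9 sample from this page. Line 2 is constructed for this example:
# a blocked download with an AMP verdict, in the 35-field v8 layout.
SAMPLE_LOG = (
    '"2017-10-02 23:52:53","TheComputerName","192.192.192.135","1.1.1.91","3.4.5.6","","ALLOWED",'
    '"http://google.com/the.js","www.google.com","Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36","200","562","1489",'
    '"","","Search Engines","","","","","","Roaming Computer","","TheComputerName, ADSite,Network",'
    '"Roaming Computer, Site, Network","GET","","","the.js","","","","isolated",'
    '"downloaded_original_file","warn-session","","SWA"\n'
    '"2017-10-02 23:53:10","TheComputerName","192.192.192.135","1.1.1.91","203.0.113.10",'
    '"application/octet-stream","BLOCKED","http://example.net/payload.exe","","curl/7.64.1",'
    '"403","310","0","0","","Malware","","","Malicious","Example.Malware.Test","",'
    '"Roaming Computer","Malware","TheComputerName,Network","Roaming Computer,Network","GET",'
    '"","","payload.exe","","","","","",""\n'
)


def parse_web_log_row(row):
    """Map one CSV row to a dict keyed by field name, choosing v8 or v9 by field count."""
    if len(row) == len(V9_FIELDS):
        fields, version = V9_FIELDS, 9
    elif len(row) == len(V8_FIELDS):
        fields, version = V8_FIELDS, 8
    else:
        raise ValueError(f"expected {len(V8_FIELDS)} or {len(V9_FIELDS)} fields, got {len(row)}")
    rec = {}
    for name, value in zip(fields, row):
        if name in LIST_FIELDS:
            rec[name] = [v.strip() for v in value.split(",") if v.strip()]
        elif value == "":
            rec[name] = None  # the page: an absent value is logged as the empty string
        elif name in INT_FIELDS:
            rec[name] = int(value)
        elif name == "timestamp":
            rec[name] = datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        else:
            rec[name] = value
    rec["format version"] = version
    return rec


def iter_web_log(text):
    """Yield parsed records from log text, skipping a header row if one is present."""
    # csv.reader rather than str.split(","): the user agent "(KHTML, like Gecko)" and
    # the identities cell "TheComputerName, ADSite,Network" contain commas inside one
    # quoted value. skipinitialspace tolerates a stray space after a delimiter.
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row or row[0] == "timestamp":
            continue
        yield parse_web_log_row(row)


def triage(rec):
    """Return the reasons a record deserves analyst attention (empty list if none)."""
    reasons = []
    if rec["action"] == "BLOCKED":
        reasons.append("action BLOCKED")
    if rec["AMP disposition"] == "Malicious":
        reasons.append(f"AMP disposition Malicious ({rec['AMP malware name']})")
    if rec["av detections"]:
        reasons.append(f"AV detection {rec['av detections']}")
    if "Malware" in rec["categories"]:
        reasons.append("category Malware")
    if rec["DLP status"]:
        reasons.append(f"DLP {rec['DLP status']}")
    if rec["certificate errors"]:
        reasons.append(f"certificate errors {rec['certificate errors']}")
    return reasons


def load_records(text=SAMPLE_LOG):
    """Parse the embedded sample log into a list of records."""
    return list(iter_web_log(text))


if __name__ == "__main__":
    for rec in load_records():
        print(rec["timestamp"].isoformat(), f"v{rec['format version']}", rec["action"],
              rec["url"], triage(rec) or "ok")
```

Selecting the header by field count is deliberate: a log export that mixes v8 and v9 files still parses, and a row with any other count is rejected rather than silently shifting every later field by one, which is the failure mode that turns "AMP disposition" into "AMP malware name" in a dashboard.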
