Log Schema Versions
- v1—For customers who have configured their own S3 bucket before November 2017. To upgrade from v1 to a higher version of the Secure Access log format, you must remove your existing S3 bucket, disable the integration, and then recreate a new bucket. For all other versions, you can upgrade from the Log Management screen of the Secure Access dashboard by clicking Upgrade.
- v2—For customers who have configured their own S3 bucket after November 2017, or are using a Cisco-managed bucket. This version is inclusive of everything in version 1.
- v3—The same as version 2, but adds two new fields to DNS logs: Most Granular Identity Type and Identity Types.
- v4—The same as version 3, but adds the Blocked Categories field for DNS and Proxy logs.
- v5—The same as version 4, but adds three new fields for Proxy logs: All Identities, All Identity Types, and Request Method.
- v6—The same as version 5, but adds the following fields to Proxy logs: Certificate Errors, Destination Lists IDs, DLP Status, File Name, Rule ID, and Ruleset ID.
- v7—The same as version 6, but adds the DLP File Label field.
- v8—The same as version 7, but adds fields to the Proxy, DLP, and Firewall logs.
  - Proxy logs—Adds the Isolate Action, File Action, and Warn Status fields.
  - DLP logs—Changes the Event Type field. The event type is either Real Time or SaaS API.
  - Firewall logs—Adds the FQDNs and Destination List IDs fields.
- v9—The same fields as version 8, but the v9 log format adds fields to the IPS and Web logs.
  - Adds new fields to the Intrusion Prevention System (IPS) logs: operation mode, policy resource ID, direction, firewall rule ID, IPS config type, AWS region.
  - Adds new fields to the Web logs: forwarding method and producer.
  - Adds File Events logs.
  - Adds Remote Access Virtual Private Network logs.
  - Adds Zero Trust Network Access logs.
- v10—The same fields as version 9, but the v10 log format adds the following fields:
  - Cloud Firewall logs: app id, private resource id, private app group id, private flow, posture id, casi category ids, traffic source, content category ids, content category list ids, organization id.
  - Data Loss Prevention (DLP) logs: application category name, traffic direction, private resource name, private resource group name, destination protocol, destination ip, destination port, organization id.
  - DNS logs: rule id, destination countries, organization id.
  - IPS logs: application id, casi category ids, data center, organization id.
  - Remote Access VPN logs: asa syslog id, device id, machine id, public ipv6, assigned ipv6, security group tag, dap record name, dap connection type, failed reasons.
  - Web logs: msp organization id, geo location, blocked destination countries, application ids, hostname, data center, egress, server name, time based rule, security overridden, detected response file type, warn categories, organization id.
  - Zero Trust Access logs: transaction id, block reason, application port, application protocol, tunnel type, secure client version, possible match ruleset id, possible match rule id, possible match posture, source process id, source process name, source process hash, source process user name, organization id, ad joined id.
  - Adds Zero Trust Access Flow logs.
- v11—The same fields as version 10, but the v11 log format adds two new fields to Web logs: Application Entity Name and Application Entity Category.
- v12—The same fields as version 11, but the v12 log format adds the following fields:
  - Cloud Firewall logs: egress ip, egress.
  - File Events logs: enforced by, ftd enforcement id, ftd enforcement name.
  - IPS logs: egress ip, egress, enforced by, ftd enforcement id, ftd enforcement name.
  - Remote Access VPN logs: log message, asa syslog severity, asa syslog class, asa syslog descriptor.
  - Web logs: egress ip.
  - Zero Trust Access logs: enforced by, ftd enforcement id, ftd enforcement name, mdm source, mdm device id, mdm is managed, mdm is compliant, mdm last updated.
  - Zero Trust Access Flow logs: enforced by, ftd enforcement id, ftd enforcement name.