V12 Log Format

The CSV fields in the header row of the Web log.

timestamp,policy identity label,internal client ip,external client ip,destination ip,content type,action,url,referer,user agent,status code,request size,response size,response body size,sha-sha256,categories,av detections,puas,amp disposition,AMP malware name,amp score,policy identity type,blocked categories,identities,identity types,request method,dlp status,certificate errors,file name,ruleset id,rule ID,destination list ids,isolate action,file action,warn status,forwarding method,producer,msp organization id,geo location of blocked destination countries,application ids,hostname,data center,egress,server name,time based rule,security overridden,detected response file type,warn categories,organization id,application entity name,application entity category,egress ip

The description of each field and the log version in which each field was released, up to Version 12. For more information about log versions, see Find Your Log Schema Version.

| Field name | Description | Release version |
|---|---|---|
| timestamp | The date and time of the Web traffic event, expressed as a UTC-formatted string (e.g., 2024-01-16 17:48:41). Unlike the Secure Access dashboard and reports, Secure Access logs do not convert the timestamp to your local timezone. | v1 |
| policy identity label | The identity that made the request. | v1 |
| internal client ip | The internal IP address of the computer making the request. | v1 |
| external client ip | The egress IP address of the network where the request originated. | v1 |
| destination ip | The destination IP address of the request. | v1 |
| content type | The type of web content, typically text/html. | v1 |
| action | Whether the request was allowed or blocked. | v1 |
| url | The URL requested. | v1 |
| referer | The referring domain or URL. | v1 |
| user agent | The browser agent that made the request. | v1 |
| status code | The HTTP status code; should always be 200 or 201. | v1 |
| request size | Request size in bytes. | v1 |
| response size | Response size in bytes. | v1 |
| response body size | Response body size in bytes. | v1 |
| sha-sha256 | The hex digest of the response content. | v1 |
| categories | The security categories for this request, such as Malware. | v1 |
| av detections | The detection name according to the antivirus engine used in file inspection. | v1 |
| puas | A list of all potentially unwanted application (PUA) results for the proxied file as returned by the antivirus scanner. | v1 |
| amp disposition | The status of the files proxied and scanned by Cisco Advanced Malware Protection (AMP) as part of the File Inspection feature; can be Clean, Malicious or Unknown. | v1 |
| amp malware name | If Malicious, the name of the malware according to AMP. | v1 |
| amp score | The score of the malware from AMP. This field returns blank ("") unless the verdict is Unknown, in which case the value will be 0. | v1 |
| policy identity type | The first identity type that made the request. Examples: Roaming Computer, Network. | v1 |
| blocked categories | The category that resulted in the destination being blocked. | v4 |
| identities | All identities associated with this request. | v5 |
| identity types | The types of the identities that were associated with the request. Examples: Roaming Computer, Network. | v5 |
| request method | The HTTP request method. Examples: GET, POST, HEAD, PUT, DELETE. | v5 |
| dlp status | Whether the request was Blocked for DLP. | v6 |
| certificate errors | Any certificate or protocol errors in the request. | v6 |
| file name | The name of the file. | v6 |
| ruleset id | The ID number assigned to the ruleset. | v6 |
| rule id | The ID number assigned to the rule. | v6 |
| destination list ids | The ID number assigned to a destination list. | v6 |
| isolate action | The remote browser isolation state associated with the request. | v8 |
| file action | The action taken on a file in a remote browser isolation session. Valid values are: UNKNOWN, DETECT, BLOCK, MALWARE_CLOUD_LOOKUP, MALWARE_WHITELIST, CLOUD_LOOKUP_TIMEOUT, CUSTOM_DETECTION, CUSTOM_DETECTION_BLOCK, ARCHIVE_BLOCK_DEPTH_EXCEEDED, ARCHIVE_BLOCK_ENCRYPTED, ARCHIVE_BLOCK_FAILED_TO_INSPECT, TID_BLOCK | v8 |
| warn status | The Warn page's state associated with the request. | v8 |
| forwarding method | The method used to forward the proxy events. Example: Secure Web Appliance. | v9 |
| producer | The producer of the proxy events. | v9 |
| msp organization id | The Secure Access parent organization ID. | v10 |
| geo location of blocked destination countries | The ISO-3166 IDs of one or more countries where destination IPs blocked by policy are located. | v10 |
| application ids | The ID of the destination application. | v10 |
| hostname | The hostname of the user device. | v10 |
| data center | The name of the data center that processed the user-generated traffic. | v10 |
| egress | TRUE indicates that the egress IP was a reserved IP. | v10 |
| server name | The name of the server according to the TLS protocol server name indication (SNI), if present, or from the server's SAN certificate common name (CN). | v10 |
| time based rule | TRUE indicates that the rule was applied due to a time condition. | v10 |
| security overridden | TRUE indicates that security filtering was explicitly overridden and not applied during enforcement. | v10 |
| detected response file type | The file type that resulted in a blocked response. Examples: exe, avi. | v10 |
| warn categories | The ID of one or more content categories in lists matched for a Warn action by the rule. | v10 |
| organization id | The Secure Access organization ID. For more information, see Find Your Organization ID. | v10 |
| application entity name | The specific name of an application entity within a system. For example, the YouTube Channel "Cisco". | v11 |
| application entity category | The classification grouping of application entities based on shared characteristics or functions. For example, the YouTube Category "Networking". | v11 |
| egress ip | The public IP address assigned to a session as it exits the Secure Access ZTA infrastructure en route to the destination application. | v12 |
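As an added example that is not part of the Cisco documentation, the following Python parser maps a v12 record to field names using the header order above, keeps the timestamp as UTC as the table describes, rejects records with the wrong field count, and surfaces the fields a SOC analyst would triage first. The sample record, its hostname, IPs and malware name are constructed.

```python
import csv
from datetime import datetime, timezone
from io import StringIO

# Field order of the v12 Web log, taken from the header row on this page.
V12_FIELDS = [
    "timestamp", "policy identity label", "internal client ip", "external client ip",
    "destination ip", "content type", "action", "url", "referer", "user agent",
    "status code", "request size", "response size", "response body size", "sha-sha256",
    "categories", "av detections", "puas", "amp disposition", "amp malware name",
    "amp score", "policy identity type", "blocked categories", "identities",
    "identity types", "request method", "dlp status", "certificate errors", "file name",
    "ruleset id", "rule id", "destination list ids", "isolate action", "file action",
    "warn status", "forwarding method", "producer", "msp organization id",
    "geo location of blocked destination countries", "application ids", "hostname",
    "data center", "egress", "server name", "time based rule", "security overridden",
    "detected response file type", "warn categories", "organization id",
    "application entity name", "application entity category", "egress ip",
]

def parse_v12_line(line):
    """Parse one v12 CSV record into a dict keyed by field name."""
    values = next(csv.reader(StringIO(line)))  # csv handles quoted multi-value fields
    if len(values) != len(V12_FIELDS):
        raise ValueError(f"expected {len(V12_FIELDS)} fields, got {len(values)}")
    record = dict(zip(V12_FIELDS, values))
    # The log timestamp is UTC and is never shifted to the local timezone.
    record["timestamp"] = datetime.strptime(
        record["timestamp"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return record

def triage_flags(record):
    """Conditions a SOC analyst would want surfaced from one parsed record."""
    flags = []
    if record["action"].lower() == "blocked":
        flags.append("blocked:" + record["blocked categories"])
    if record["amp disposition"] == "Malicious":
        flags.append("amp:" + record["amp malware name"])
    if record["security overridden"].upper() == "TRUE":
        flags.append("security_overridden")
    return flags

# Constructed sample record (not real data), split into adjacent literals so the
# field positions are easy to follow; quotes protect the comma inside categories.
SAMPLE_LINE = (
    "2024-01-16 17:48:41,Example Laptop,10.0.0.15,203.0.113.10,198.51.100.23,text/html,"
    "Blocked,https://malicious.example/payload.exe,https://example.com/,Mozilla/5.0,"
    '200,512,2048,1900,,"Malware,Phishing",,,Malicious,W32.Example.Constructed,,'
    "Roaming Computer,Malware,Example Laptop,Roaming Computer,GET,,,payload.exe,101,7,"
    ",,,,,,,,,LAPTOP-EXAMPLE,example-dc,FALSE,malicious.example,FALSE,FALSE,exe,,"
    "1234567,,,203.0.113.10"
)
```

Feed each line of an exported log file to `parse_v12_line` and route records with non-empty `triage_flags` output to your detection pipeline.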