
Cisco Umbrella IP


Cisco Umbrella offers flexible, cloud-delivered security. It combines multiple security functions into one solution, so that protection can be extended to devices, remote users, and distributed locations anywhere. Cisco Umbrella is a leading provider of network security and recursive DNS services.

Event Categories

The following table lists the data sources offered by this integration.

| Data Source | Description |
|---|---|
| Host network interface | Every packet is logged |
| Netflow/Enclave netflow | Umbrella IP logs are Netflow-like |
| Network device logs | Packets logged by Umbrella IP |
| Network protocol analysis | Traffic analysis at layers 2/3/4 |

Event Samples

Find below a few samples of events and how they are normalized by

```json
{
    "message": " \"2020-06-12 14:31:52\",\"FR123\",\"\",\"54128\",\"\",\"443\",\"\",\"Roaming Computers\"",
    "event": {
        "outcome": "success"
    },
    "@timestamp": "2020-06-12T14:31:52Z",
    "action": {
        "name": "block",
        "outcome": "success",
        "target": "network-traffic"
    },
    "destination": {
        "address": "",
        "ip": "",
        "port": 443
    },
    "host": {
        "hostname": "FR123",
        "name": "FR123"
    },
    "related": {
        "hosts": [ ... ],
        "ip": [ ... ]
    },
    "source": {
        "address": "",
        "ip": "",
        "port": 54128
    }
}
```

Extracted Fields

The following table lists the fields that are extracted, normalized to the ECS format, analyzed and indexed by the parser. Note that inferred fields are not listed.

| Name | Type | Description |
|---|---|---|
| @timestamp | date | Date/time when the event originated. |
| | keyword | Target of the action. |
| destination.ip | ip | IP address of the destination. |
| destination.port | long | Port of the destination. |
| host.hostname | keyword | Hostname of the host. |
| source.ip | ip | IP address of the source. |
| source.port | long | Port of the source. |
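The mapping shown by the event sample and the field table above, written out as an added example (this is not the integration's own parser). It assumes Cisco's published column order for IP log records (timestamp, identity, source IP, source port, destination IP, destination port, categories, identity types) and that these records describe connections blocked by IP layer enforcement; the input lines are constructed, the first being the message of the sample event.

```python
import csv
from datetime import datetime
from io import StringIO

# Column order of an Umbrella IP log record. Assumption taken from Cisco's
# published CSV layout, not from this page: timestamp, identity, source IP,
# source port, destination IP, destination port, categories, identity types.
COLUMNS = ("timestamp", "identity", "source_ip", "source_port",
           "destination_ip", "destination_port", "categories", "identity_types")

# Constructed inputs: the first is the message of the sample event above, the
# second adds documentation-range IP addresses to show the non-empty case.
SAMPLE_LINE = ' "2020-06-12 14:31:52","FR123","","54128","","443","","Roaming Computers"'
SAMPLE_WITH_IPS = ('"2020-06-12 14:32:10","FR123","10.0.0.5","51000",'
                   '"203.0.113.7","80","Malware","Roaming Computers"')


def parse_ip_log_line(line):
    """Split one quoted CSV record into named columns; reject malformed rows."""
    fields = next(csv.reader(StringIO(line.strip())))
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}")
    return dict(zip(COLUMNS, fields))


def _port(value):
    # Ports arrive as quoted strings; an empty column yields None rather than 0.
    return int(value) if value else None


def normalize(line):
    """Map one record onto the ECS-style fields listed on this page.

    IP logs record connections blocked by IP layer enforcement (assumption), so
    action.name is fixed to "block" as in the sample. Empty IP columns stay
    empty strings, again as in the sample; timestamps are treated as UTC.
    """
    rec = parse_ip_log_line(line)
    ts = datetime.strptime(rec["timestamp"], "%Y-%m-%d %H:%M:%S")
    return {
        "message": line,
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "event": {"outcome": "success"},
        "action": {"name": "block", "outcome": "success", "target": "network-traffic"},
        "host": {"hostname": rec["identity"], "name": rec["identity"]},
        "source": {"address": rec["source_ip"], "ip": rec["source_ip"],
                   "port": _port(rec["source_port"])},
        "destination": {"address": rec["destination_ip"], "ip": rec["destination_ip"],
                        "port": _port(rec["destination_port"])},
        "related": {"hosts": [rec["identity"]],  # pivot values; empty IPs dropped
                    "ip": [ip for ip in (rec["source_ip"], rec["destination_ip"]) if ip]},
    }
```

A row with the wrong number of columns raises instead of being silently mis-mapped, which is the failure mode to watch for when a CSV export format changes.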


This setup guide will show you how to forward logs produced by the Cisco Umbrella service to by means of an Rsyslog transport channel.

Collect proxylogs files and send them to rsyslog

After configuring Umbrella Log Management with AWS S3, the logs you download will be gzipped CSVs in the appropriate subfolder, with the following naming format:


To send these logs to, we suggest using the logger Unix command. For each unzipped file, run the following command line:

```shell
logger -t iplogs -f <YYYY>-<MM>-<DD>-<hh>-<mm>-<xxxx>.csv
```

Configure the Rsyslog server

Please consult the Rsyslog Transport documentation to forward these logs to

Further Readings