DNS log format

Field type | Field name | Description | Example value
--- | --- | --- | ---
CEF header | CEF:Version | CEF version. | CEF:0
CEF header | Device Vendor | Product vendor. | UserGate
CEF header | Device Product | Product type. | NGFW
CEF header | Device Version | Product version. | 7
CEF header | Source | Log name. | dns
CEF header | Name | Source type. | log
CEF header | Threat level | Threat level of the event: the configured threat level multiplied by 2. | 1 to 10
CEF extension | rt | Time the event was received, in milliseconds since January 1, 1970 (Unix epoch milliseconds). | 1701085036026
CEF extension | deviceExternalId | Unique name of the device that generated the event. | utmcore@ntoorereaeda
CEF extension | act | Action taken by the device according to the configured policies. | block
CEF extension | reason | Why the event was created, e.g. the URL category on which the rule was triggered, as a JSON object. | {"url_cats":[{"id":37,"name":"Search Engines & Portals","threat_level":1}]}
CEF extension | app | Application layer protocol. | DNS
CEF extension | suser | User name; Unknown if the user could not be identified. | user1
CEF extension | cs1Label | Label for cs1: the triggered rule. | Rule
CEF extension | cs1 | Name of the rule that triggered the event. | Rule1
CEF extension | dhost | Host name being queried, i.e. the name the client asked the DNS server to resolve. | google.com
CEF extension | proto | Transport (layer 4) protocol. | UDP
CEF extension | src | Source IPv4 address of the traffic. | 10.10.0.11
CEF extension | spt | Source port. | 0-65535
CEF extension | smac | Source MAC address. | FA:16:3E:65:1C:B4
CEF extension | cs2Label | Label for cs2: the source zone. | Source Zone
CEF extension | cs2 | Source zone name. | Trusted
CEF extension | cs3Label | Label for cs3: the source country. | Source Country
CEF extension | cs3 | Source country, as a two-letter country code. | AE
CEF extension | dst | Destination IPv4 address of the traffic. | 194.226.127.130
CEF extension | dpt | Destination port (0-65535). DNS normally uses port 53. | 53
CEF extension | cs4Label | Label for cs4: the destination zone. | Destination Zone
CEF extension | cs4 | Destination zone name. | Untrusted
CEF extension | cs5Label | Label for cs5: the destination country. | Destination Country
CEF extension | cs5 | Destination country, as a two-letter country code. | AE
CEF extension | cs6Label | Label for cs6: the transmitted data. | Data
CEF extension | cs6 | The transmitted DNS data: the question section and the answer section, as a JSON object. | {"question":[{"domain":"google.com","type":"A","class":"IN"}],"answer":[{"domain":"google.com","type":"TXT","class":"IN","ttl":5,"data":"Blocked"},{"domain":"google.com","type":"A","class":"IN","ttl":5,"data":"10.10.0.1"}]}
CEF extension | flexString1Label | Label for flexString1: the category of the requested name. | URL Categories
CEF extension | flexString1 | URL category of the requested name. | Search Engines & Portals

In the cs6 example above, where act=block, the answer section contains a TXT record with data "Blocked" and an A record for 10.10.0.1 (a private address, not the name's real address).

Differences in the CEF Compact format:

  • The following fields are absent:

    • cs3Label=Source Country; cs3=$src_country;

    • cs5Label=Destination Country; cs5=$dst_country;

  • The following fields are renamed or renumbered (the destination zone moves from cs4 to cs3 and the data from cs6 to cs4, so a consumer should identify these fields by the value of the matching csNLabel field, not by the number):

    • cs2Label=SrcZone;

    • cs3Label=DstZone; cs3=$dst_zone_name;

    • cs4Label=Data; cs4=$data;

    • flexString1Label=URLCats;

  • Some field values are truncated to 80 characters. This is a general rule for the compact format and applies, for example, to the list of URL categories, the URL, the user name, the rule name and the zone name.
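The following is an added example in Python, written for this page and not part of UserGate's documentation or product code. It parses the DNS event described in the field table above in both the full and the compact CEF format, resolves every csN and flexStringN field through its Label twin (so that the renumbering in compact mode does not silently turn a destination zone into a source country), extracts the question and answer sections from the JSON payload, and flags blocked lookups. The two sample lines are constructed from the table: the spt value, the specific 80-character cut applied to the data field, and the assumption that a truncated data value is no longer valid JSON are all assumptions of this example, not statements from the page.

```python
# Added example (not UserGate's code): parse UserGate NGFW DNS events in CEF and
# CEF Compact form, resolve csN fields through their labels, and pull the DNS
# question/answer data out of the JSON payload. Samples are constructed.
import json
import re

# Full-format and compact-format labels that mean the same thing.
LABEL_ALIASES = {
    "Rule": "rule",
    "Source Zone": "src_zone", "SrcZone": "src_zone",
    "Destination Zone": "dst_zone", "DstZone": "dst_zone",
    "Source Country": "src_country", "Destination Country": "dst_country",
    "Data": "data",
    "URL Categories": "url_cats", "URLCats": "url_cats",
}
HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "source", "name", "threat_level")
COMPACT_MAX_LEN = 80  # compact format cuts some values at 80 characters (assumed to hit Data too)

_SPLIT_PIPE = re.compile(r"(?<!\\)\|")           # header separator, unless escaped
_SPLIT_KV = re.compile(r"\s(?=[A-Za-z0-9_]+=)")   # space that starts a new key=value
_LABEL_KEY = re.compile(r"^(cs|cn|flexString|flexNumber)(\d+)Label$")
_DOMAIN_RE = re.compile(r'"domain":"([^"]+)"')

def _unescape(value):
    # CEF escapes '|' in the header and '=' in extension values with a backslash.
    return (value.replace("\\|", "|").replace("\\=", "=")
                 .replace("\\n", "\n").replace("\\\\", "\\"))

def parse_cef(line):
    """Split one CEF line into header fields, raw extension keys and label-resolved names."""
    parts = _SPLIT_PIPE.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    ev = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    ev["cef_version"] = ev["cef_version"][len("CEF:"):]
    ext = {}
    for token in _SPLIT_KV.split(parts[7]):
        key, _, val = token.partition("=")
        ext[key] = _unescape(val)
    # Compact mode reuses cs3/cs4 for different data, so never trust the number:
    # resolve every csN/flexStringN through its csNLabel/flexStringNLabel twin.
    named = {}
    for key, label in ext.items():
        m = _LABEL_KEY.match(key)
        if m and (m.group(1) + m.group(2)) in ext:
            named[LABEL_ALIASES.get(label, label)] = ext[m.group(1) + m.group(2)]
    ev["ext"], ev["named"] = ext, named
    return ev

def dns_details(ev):
    """Extract queried names and answers, tolerating a compact-mode truncated payload."""
    raw = ev["named"].get("data", "")
    try:
        data, truncated = json.loads(raw), False
    except json.JSONDecodeError:
        data, truncated = None, True  # the 80-char cut leaves broken JSON behind
    if data is not None:
        questions = [q["domain"] for q in data.get("question", [])]
        answers = [(a["type"], a["data"]) for a in data.get("answer", [])]
    else:
        questions, answers = _DOMAIN_RE.findall(raw), []  # salvage what survived the cut
    return {
        "qname": ev["ext"].get("dhost"),
        "questions": questions,
        "answers": answers,
        "blocked": ev["ext"].get("act") == "block",
        # A blocked lookup is answered with a TXT "Blocked" record plus a sinkhole A record.
        "sinkholed": any(t == "TXT" and d == "Blocked" for t, d in answers),
        "data_truncated": truncated,
    }

def blocked_queries(lines):
    """(user, source IP, queried name) for every event the firewall blocked."""
    out = []
    for line in lines:
        ev = parse_cef(line)
        if dns_details(ev)["blocked"]:
            out.append((ev["ext"].get("suser"), ev["ext"].get("src"), ev["ext"].get("dhost")))
    return out

# Constructed samples built from the field table on this page (spt is made up).
REASON = '{"url_cats":[{"id":37,"name":"Search Engines & Portals","threat_level":1}]}'
DATA = ('{"question":[{"domain":"google.com","type":"A","class":"IN"}],'
        '"answer":[{"domain":"google.com","type":"TXT","class":"IN","ttl":5,"data":"Blocked"},'
        '{"domain":"google.com","type":"A","class":"IN","ttl":5,"data":"10.10.0.1"}]}')
_COMMON = ("CEF:0|UserGate|NGFW|7|dns|log|2|rt=1701085036026 deviceExternalId=utmcore@ntoorereaeda "
           "act=block reason=" + REASON + " app=DNS suser=user1 cs1Label=Rule cs1=Rule1 "
           "dhost=google.com proto=UDP src=10.10.0.11 spt=51234 smac=FA:16:3E:65:1C:B4 ")
SAMPLE_FULL = (_COMMON + "cs2Label=Source Zone cs2=Trusted cs3Label=Source Country cs3=AE "
               "dst=194.226.127.130 dpt=53 cs4Label=Destination Zone cs4=Untrusted "
               "cs5Label=Destination Country cs5=AE cs6Label=Data cs6=" + DATA +
               " flexString1Label=URL Categories flexString1=Search Engines & Portals")
SAMPLE_COMPACT = (_COMMON + "cs2Label=SrcZone cs2=Trusted dst=194.226.127.130 dpt=53 "
                  "cs3Label=DstZone cs3=Untrusted cs4Label=Data cs4=" + DATA[:COMPACT_MAX_LEN] +
                  " flexString1Label=URLCats flexString1=Search Engines & Portals")
```

Run it with `python3 -c 'import usergate_dns as u; print(u.blocked_queries([u.SAMPLE_FULL, u.SAMPLE_COMPACT]))'` after saving the block as usergate_dns.py. Two design points matter in practice: extension values such as "Source Zone" or the JSON payload contain spaces and colons, so the extension is tokenised at a space that is followed by `key=`, not at every space; and when the compact format cuts the data payload the code still recovers the queried name with a regular expression and reports data_truncated so that a detection rule can distinguish "no answer" from "answer lost to truncation".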