Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1875
Views
5
Helpful
2
Replies

Cloud Web Security reports for traffic older than a month is only showing blocked traffic in the logs.

Go to solution
chrischurch
Level 1
Level 1

‎07-23-2019 03:13 AM

I have a user who needs a report of their web browsing traffic for the past 6 months and when I ran a report it appears that traffic was only being allowed from just over month ago and all logs prior to that show just blocked traffic.

We know the user has been browsing the web fine during the last 6 months but why do I only see blocked traffic in the logs for traffic from over a month ago.

 

I had to run a similar report a few months ago for access to certain web sites and I saw allowed traffic in the logs but now when the same report is ran I no longer see logs showing the allowed traffic which I know was allowed when I first ran the report.

 

It seems to me that logs for allowed traffic older than month or two are being removed from the platform so only blocked logs are retained for older traffic logs.

 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎07-23-2019 03:22 AM

Hi,

Block requests (malware or policy) are retained for 1 year, however allowed data is only retained for 45 days. Reference here.

 

Certainly I know with Umbrella (which CWS is becoming) you can export logs to an AWS S3 bucket and retain data for longer and also export to a local SIEM. Not sure if that applies to existing CWS though.

 

HTH

View solution in original post

2 Replies 2

Go to solution
Rob Ingram
VIP
VIP

‎07-23-2019 03:22 AM

Hi,

Block requests (malware or policy) are retained for 1 year, however allowed data is only retained for 45 days. Reference here.

 

Certainly I know with Umbrella (which CWS is becoming) you can export logs to an AWS S3 bucket and retain data for longer and also export to a local SIEM. Not sure if that applies to existing CWS though.

 

HTH

Go to solution
chrischurch
Level 1
Level 1
In response to Rob Ingram

‎07-23-2019 04:20 AM - edited ‎07-23-2019 04:21 AM

Thanks for the prompt response.
Looking at the link you have provided it does mention that customers can retain the data to match the terms of their subscription which I need to check, as I mentioned I am sure I have seen logs older than 45 days in the past showing allowed traffic.

Chris.

0 Helpful
Customers Also Viewed These Support Documents