Proxy logging mode

In a policy configuration, you define the details that are logged in ETP for HTTP or HTTPS threat events. Different logging levels are available to report data such as the HTTP headers, hostname, URL path, and query string information.

Note: The Proxy Logging Mode setting is available in a policy only when you enable ETP Proxy.

To make sure that your enterprise can investigate security incidents and determine why traffic is blocked, do not change the default logging mode. Level 1 provides details that are best for troubleshooting and investigating events.

You can select from these levels:

| Logging Mode | Description |
|---|---|
| Level 1 (Recommended) | Logs the HTTP headers in the request and response as well as the hostname, path, and query string in the URL. |
| Level 2 | Logs the hostname, path, and query string in the URL. |
| Level 3 | Logs the hostname and path in the URL. |
| Level 4 | Logs the hostname. |

By default, Level 1 is selected. This data is reported in the Threat Events report.

Clicking to view more information about an event opens the Event Details window, where you can view general and specific traffic information. The Traffic General subtab contains the hostname and path of a URL, while the Traffic Details subtab contains the query string and the request and response information. If you select a logging mode that does not record some of this information, this data is not shown. For example, if you select Level 4, the Traffic Details subtab is disabled. While the hostname is reported in the associated field, the URI field does not show any information.
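The following added example (not ETP code and not ETP's log format) models the table above to show what an investigator can and cannot recover from one event at each level. The function names, field names, and the sample event are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Fields retained at each Proxy Logging Mode level, taken from the table above.
# The field names are illustrative, not ETP's own.
LEVEL_FIELDS = {
    1: {"hostname", "path", "query", "request_headers", "response_headers"},
    2: {"hostname", "path", "query"},
    3: {"hostname", "path"},
    4: {"hostname"},
}

def logged_view(url, request_headers, response_headers, level):
    """Return the parts of an HTTP(S) event that the given level records."""
    if level not in LEVEL_FIELDS:
        raise ValueError(f"unknown logging level: {level}")
    parts = urlsplit(url)
    full = {
        "hostname": parts.hostname,
        "path": parts.path or "/",
        "query": parts.query,
        "request_headers": dict(request_headers),
        "response_headers": dict(response_headers),
    }
    keep = LEVEL_FIELDS[level]
    return {k: v for k, v in full.items() if k in keep}

def lost_fields(url, request_headers, response_headers, level):
    """Fields available at Level 1 that are absent at `level`."""
    baseline = logged_view(url, request_headers, response_headers, 1)
    view = logged_view(url, request_headers, response_headers, level)
    return sorted(set(baseline) - set(view))

# Constructed sample event (not real traffic).
SAMPLE_URL = "https://files.example.test/dl/update.bin?id=7f3a&stage=2"
SAMPLE_REQ = {"User-Agent": "constructed-agent/1.0",
              "Referer": "https://portal.example.test/"}
SAMPLE_RESP = {"Content-Type": "application/octet-stream",
               "Content-Length": "48213"}

if __name__ == "__main__":
    for lvl in (1, 2, 3, 4):
        print(f"Level {lvl}:",
              logged_view(SAMPLE_URL, SAMPLE_REQ, SAMPLE_RESP, lvl),
              "| not logged:",
              lost_fields(SAMPLE_URL, SAMPLE_REQ, SAMPLE_RESP, lvl))
```

Running it shows that two events for the same host with different paths or query strings become indistinguishable at Level 4, which is why the default is the most useful setting for investigations.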

If you change the logging mode of a policy, the new mode affects all future events. It does not modify logged data in existing events.

Important: Use Level 1 logging mode to ensure that detailed data is logged for threat events.