Lumu Traffic Logs is powered by Lumu’s retrospective threat analysis, which means that only the data of events not flagged as incidents is stored. As a result, searches for endpoints or destinations related to detected incidents will not return any results. Also, network metadata from popular domains such as Google, Microsoft, Facebook, etc. is not stored by Lumu.

1. If your Destination log query is successful, you will obtain the following message:
   

1. If your Endpoint log query is successful, you will obtain the following message:

4. Once you request your results, you will see the following message and loading screen. Due to the massive amount of logs stored, this may take some time.

   Once your results have loaded, you will see a list of all available files for download.

Recent Export Requests

The Lumu log Archive will store the results from export requests created in the last 2 weeks so you can access them at your leisure. Click on Show Files to see the logs you can download from that query. Once two weeks go by, these results will disappear; however, if you look for the same data and date range, you will be able to access the logs once again.

Lumu Traffic Logs Use Cases

Lumu Traffic Logs stores essential traffic logs for up to two years, which your organization can use for forensic analysis, proactive threat hunting, and streamlined compliance, all without having to invest in additional storage for your company’s logs. This logged network metadata is available on demand and can be queried by the organization so they can use it for their own internal procedures. Here are some examples:

• Forensic investigations: When carrying out forensic investigations, the cybersecurity team can query Lumu Traffic Logs for historical traffic from particular endpoints during specific time frames. This allows the team to drill down and investigate contacts made from affected devices during vulnerable periods, which can provide vital intelligence on the actual extent of the attack.
• Compliance: Log storage is essential for regulatory compliance, as frameworks like PCI, HIPAA, SOC2, NIST, and CIS mandate proper log collection, retention, and protection. Cyber insurers also require organizations to store and access critical logs, with non-compliance potentially leading to legal repercussions. However, organizations often struggle to send all required security logs to their SIEMs, particularly network data, leading to inefficiencies in cost and performance. In an effort to optimize resources, SecOps teams may reduce network data logging, unintentionally creating visibility gaps. With Lumu’s Log Archive, you have access to up to two years of essential network logs which you can download on demand and present for any sort of compliance audit or evaluation.

Lumu Traffic Logs Data Example

Any requested Lumu traffic logs will arrive in the form of a .CSV spreadsheet file. Below, you will find all the necessary information to read and interpret the data inside the file.

• Timestamp: when it happened, which collector it came from.
• Host: IP or domain the endpoint was connecting to.
• Endpoint and Endpoint IP: Name and IP of the Endpoint.
• Source: Lumu collector used to gather the metadata.
• SourceInfo: contains all of the raw metadata from various sources like roaming agents, firewalls, NetFlow, proxies, and cloud environments. This includes logged users, processes, packets, and destinations and more when available.
• Connection Enrichment: Lumu automatically enriches connections with geographic and Autonomous System (AS) information when available.
  

Full traffic log example

{
    "companyId": "00000000-0000-0000-0000-000000000000",
    "host": "192.0.2.10",
    "endPoint": "WORKSTATION-01",
    "endPointIp": "10.0.0.50",
    "timestamp": "2026-04-07T19:12:15Z",
    "source": "virtual_appliance",
    "sourceInfo": {
        "id": "abc-123-def-456",
        "data": "{\"FirewallEntryExtraInfo\":{\"source\":{\"ip\":\"10.0.0.50\",\"port\":55785},\"collectorIndex\":\"ghj-789-klm\",\"sent\":{\"bytes\":150,\"packets\":2},\"destination\":{\"ip\":\"192.0.2.10\",\"port\":443},\"action\":\"deny\",\"protocol\":\"udp\",\"received\":{\"bytes\":0,\"packets\":0}}}"
    },
    "hostRank": 9223372036854775807,
    "connectionEnrichment": {
        "destinationLocation": {
            "country": "US",
            "continent": "NA",
            "asNumber": 12345,
            "asOrganization": "Example Corp ISP",
            "connectionType": "hosting"
        }
    }
}

""sourceInfo": {
    "id": "win-agent-uuid-001",
    "data": "{\"WindowsAgentFlowActivityExtraInfo\":{\"clientIp\":\"203.0.113.5\",\"source\":{\"ip\":\"10.0.4.20\",\"port\":50067},\"process\":{\"image\":\"C:\\\\Windows\\\\System32\\\\svchost.exe\",\"id\":\"1234\",\"thread_id\":\"0\",\"unique_id\":\"0\"},\"version\":\"3.2.3.0\",\"systemInfo\":{\"name\":\"DESKTOP-JDOE\",\"id\":\"XXXXX-XXXXX-XXXXX-XXXXX\",\"logged_users\":[{\"name\":\"John Doe\",\"domain\":\"CORPORATE\",\"active\":true,\"console\":true}],\"local_addresses\":[]},\"sent\":{\"bytes\":1200,\"packets\":10},\"destination\":{\"ip\":\"198.51.100.25\",\"port\":443},\"user\":{\"name\":\"SYSTEM\",\"domain\":\"NT AUTHORITY\",\"active\":false,\"console\":true},\"protocol\":\"TCP\",\"received\":{\"bytes\":4500,\"packets\":12}}}"
}

"sourceInfo": {
    "id": "mac-agent-uuid-003",
    "data": "{\"MacAgentDNSActivityExtraInfo\":{\"version\":\"2.0.7.0\",\"clientIp\":\"192.168.1.15\",\"systemInfo\":{\"name\":\"MACBOOK-JSMITH\",\"logged_users\":[{\"name\":\"jsmith\",\"sessions\":[],\"full_name\":\"Jane Smith\"}],\"local_address\":[\"10.3.24.103\",\"127.0.0.1\"]},\"packet\":{\"id\":34743,\"queried_servers\":[\"8.8.8.8\",\"8.8.4.4\"],\"question\":{\"type\":\"A\",\"name\":\"api.example-service.com\",\"query_class\":\"IN\"},\"flags\":{\"authoritative\":false,\"recursion_available\":true,\"truncated_response\":false,\"checking_disabled\":false,\"recursion_desired\":true,\"authentic_data\":false},\"answers\":[{\"name\":\"api.example-service.com\",\"type\":\"A\",\"answer_class\":\"IN\",\"ttl\":112,\"data\":\"93.184.216.34\"}],\"op_code\":\"QUERY\",\"response_code\":\"NOERROR\"}}}"
}

"sourceInfo": {
    "id": "chrome-agent-uuid-999",
    "data": "{\"ChromeOSAgentNavigationEventExtraInfo\":{\"request\":{\"uri\":{\"host\":\"http://www.learning-portal.test\",\"port\":443,\"scheme\":\"https\",\"path\":\"/api/v1/submit_task\",\"query\":\"\"},\"method\":\"POST\",\"length\":-1,\"body_length\":-1,\"referrer\":\"https://www.learning-portal.test\",\"user_agent\":\"\"},\"system\":{\"user_id\":\"555444333222111000\",\"user_name\":\"student.user@example-edu.com\",\"ip\":\"10.59.20.15\",\"mac\":\"00:1A:2B:3C:4D:5E\"},\"remoteIp\":\"192.0.2.200\",\"publicIp\":\"203.0.113.88\",\"version\":\"1.0.5\",\"response\":{\"code\":200,\"phrase\":\"OK\",\"length\":-1,\"body_length\":-1}}}"
}