SyncAPI is used to download Cloud SWG access logs.
Cloud SWG access logs show whether a request was denied, but they do not identify which rule blocked access.
The CPL reference_id tag seems to provide an option to log information, but it does not work in a Cloud SWG environment.
reference_id() : Set a policy ID for a rule. The ID will be visible in all policy traces and access logs associated with requests matching the rule. To view the ID in access logs, include the x-bluecoat-reference-id field in the access log format.
Applying a sample policy as shown:
;Set a policy ID for a rule denying access to sites matching the specified regex.
<Proxy>
url.regex="example" Deny reference_id("Example_deny")
and then logging the x-bluecoat-reference-id field shows a blank value. It seems like the reference_id is being stripped when we push it out to Cloud SWG.
Cloud SWG.
Reporting.
SyncAPI.
The UPE policy push strips the exception_id information before the policy is applied to the Cloud Proxy.
This is working as designed for now, and the exception_id field cannot be used with Cloud SWG.
The product team is working on a solution that will:
a) remove this limitation for Cloud SWG, and
b) give Cloud SWG Portal administrators the option to associate a policy ID/name with configured rules, which will eventually be logged.
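To confirm from downloaded logs whether the x-bluecoat-reference-id field is actually blank for denied requests, a check like the following can be run. It is an added example, not Broadcom code. It assumes the log is in ELFF layout with a `#Fields:` header and an `sc-filter-result` column; the function name and the sample lines are constructed for illustration.

```python
import csv

# Constructed sample in ELFF layout (not real log data). The field list is an
# assumption; only x-bluecoat-reference-id is taken from the article.
SAMPLE_LOG = '''\
#Software: constructed sample
#Fields: date time c-ip cs-host sc-filter-result x-bluecoat-reference-id
2024-01-01 10:00:00 192.0.2.10 www.example.com DENIED -
2024-01-01 10:00:05 192.0.2.11 portal.test OBSERVED -
2024-01-01 10:00:09 192.0.2.12 shop.example.net DENIED "Example_deny"
2024-01-01 10:00:12 192.0.2.10 "bad line
'''

REF_FIELD = "x-bluecoat-reference-id"
RESULT_FIELD = "sc-filter-result"


def audit_reference_ids(text):
    """Count denied requests with and without a logged reference ID."""
    fields = []
    stats = {"denied": 0, "with_id": 0, "blank_id": 0, "skipped": 0}
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            # The header can reappear mid-file, so re-read it every time.
            fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        # Space-delimited values; double quotes protect embedded spaces.
        values = next(csv.reader([line], delimiter=" ", quotechar='"'))
        if len(values) != len(fields):
            stats["skipped"] += 1  # truncated or malformed line
            continue
        row = dict(zip(fields, values))
        if row.get(RESULT_FIELD) != "DENIED":
            continue
        stats["denied"] += 1
        # ELFF writes "-" for an empty value; a missing column counts as blank.
        if row.get(REF_FIELD, "-") in ("", "-"):
            stats["blank_id"] += 1
        else:
            stats["with_id"] += 1
    return stats


if __name__ == "__main__":
    print(audit_reference_ids(SAMPLE_LOG))
```

With the limitation described above in effect, `blank_id` equals `denied` on real Cloud SWG logs; the populated row in the sample exists only to exercise the other branch.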