Cisco Advanced Web Security Reporting Installation, Setup, and User Guide

Chapter 3
Field Extractions
Access Logs 
Tip
• Ensure that timestamps are being indexed correctly (the dvc_time field should carry the
  access-log epoch timestamp, not the index time).
• Search for “*” and confirm that the app-specific fields are populated in the field picker.
  The next bullet item gives a more thorough examination of the extracted fields.
• Copy and paste the search below. It samples 1000 access-log events, replaces every
  missing field with the marker "!!!!", groups the events, and then keeps only the rows in
  which none of the key fields (user_id, src_ip, cause, action, dest_domain) were extracted.
  You should see no results, and certainly not many. Because the final search runs after
  stats, it can only test fields that appear in the stats by clause; the Splunk metadata
  field host is always set and is therefore not a useful extraction check. If rows are
  returned (in the worst case, all 1000 sampled events), transforms.conf will need to be
  adjusted for the unique log format being indexed.
sourcetype=wsa_accesslogs | head 1000 | fillnull value="!!!!" x_webcat_code_abbr
x_wbrs_score x_webroot_scanverdict x_webroot_threat_name x_webroot_trr x_webroot_spyid
x_webroot_trace_id x_mcaffe_scanverdict x_mcafee_filename x_mcafee_scan_error
x_mcafee_detecttype x_mcafee_av_virustype x_mcafee_virus_name x_sophos_scanverdict
x_sophos_filename x_sophos_virus_name x_ids_verdict x_icap_verdict
x_webcat_req_code_abbr x_webcat_resp_code_abbr x_resp_dvs_threat_name
x_wbrs_threat_type x_avc_app x_avc_type x_avc_behavior x_request_rewrite x_avg_bw
x_bw_throttled x_user_type x_resp_dvs_verdictname x_req_dvs_threat_name
x_suspect_user_agent x_wbrs_threat_reason dvc_time duration dvc_ip result http_status
bytes_in http_method dest_url user_id_dom hierarchy hierarchy_domain mime_type acl_tag
user_id user_domain dest_domain src_ip cause action | stats count by x_webcat_code_abbr
x_wbrs_score x_webroot_scanverdict x_webroot_threat_name x_webroot_trr x_webroot_spyid
x_webroot_trace_id x_mcaffe_scanverdict x_mcafee_filename x_mcafee_scan_error
x_mcafee_detecttype x_mcafee_av_virustype x_mcafee_virus_name x_sophos_scanverdict
x_sophos_filename x_sophos_virus_name x_ids_verdict x_icap_verdict
x_webcat_req_code_abbr x_webcat_resp_code_abbr x_resp_dvs_threat_name
x_wbrs_threat_type x_avc_app x_avc_type x_avc_behavior x_request_rewrite x_avg_bw
x_bw_throttled x_user_type x_resp_dvs_verdictname x_req_dvs_threat_name
x_suspect_user_agent x_wbrs_threat_reason dvc_time duration dvc_ip result http_status
bytes_in http_method dest_url user_id_dom hierarchy hierarchy_domain mime_type acl_tag
user_id user_domain dest_domain src_ip cause action | convert ctime(dvc_time) | search
user_id="!!!!" AND src_ip="!!!!" AND cause="!!!!" AND action="!!!!" AND
dest_domain="!!!!"
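The following Python script is an added example, not part of the guide or of the Cisco app, that reproduces the logic of the search above offline so you can see what it catches and what it cannot. It parses the Squid-style base fields of WSA access-log lines (the layout and regular expression are assumptions made here; the bracketed verdict block with the x_* fields is not parsed), applies the same fillnull marker "!!!!", groups the events as stats count by does, and then applies the final search with Splunk's semantics, under which a field that is absent from a row never matches. The three log lines are constructed for the example; the third one is in a different format so that its extraction fails. Only user_id, src_ip and dest_domain are used as key fields, since cause and action are not produced by this base-field parser.

```python
"""Offline emulation of the guide's field-extraction check (added example)."""
import re
from collections import Counter

SENTINEL = "!!!!"  # the same marker the guide's fillnull uses

# ASSUMPTION: Squid-style base fields of a WSA access-log line. The trailing
# <...> verdict block (x_wbrs_score, x_avc_app, ...) is deliberately not parsed.
WSA_BASE = re.compile(
    r"^(?P<dvc_time>\d+\.\d+)\s+(?P<duration>\d+)\s+(?P<src_ip>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<http_status>\d{3})\s+(?P<bytes_in>\d+)\s+"
    r"(?P<http_method>[A-Z]+)\s+(?P<dest_url>\S+)\s+(?P<user_id>\S+)\s+"
    r"(?P<hierarchy>[A-Z_]+)/(?P<hierarchy_domain>\S+)\s+(?P<mime_type>\S+)\s+"
    r"(?P<acl_tag>\S+)"
)
# Host part of http://host/..., tunnel://host:443/ or a bare host:port.
HOST_RE = re.compile(r"^(?:[a-z]+://)?([^/:]+)")

# Base-field subset of the guide's fillnull / stats by list.
FILL_FIELDS = ["dvc_time", "duration", "src_ip", "result", "http_status",
               "bytes_in", "http_method", "dest_url", "user_id", "hierarchy",
               "hierarchy_domain", "mime_type", "acl_tag", "dest_domain"]
# Key fields of the final search (cause/action omitted: not parsed here).
KEY_FIELDS = ["user_id", "src_ip", "dest_domain"]

# Constructed sample lines, not real traffic. The last one is W3C-style, so the
# Squid-style regex does not match it and every field stays unextracted.
SAMPLE_LINES = [
    "1278096903.150 97 10.1.2.3 TCP_MISS/200 8187 GET "
    "http://www.example.com/index.html jdoe@EXAMPLE DIRECT/www.example.com "
    "text/html DEFAULT_CASE_12-AccessPolicy-Identity-NONE-NONE-NONE-DefaultGroup "
    "<IW_comp,6.9,-> -",
    "1278096905.001 2201 10.1.2.4 TCP_CLIENT_REFRESH_MISS/200 0 CONNECT "
    "tunnel://mail.example.net:443/ - DIRECT/mail.example.net - "
    "DEFAULT_CASE_11-AccessPolicy-Identity-NONE-NONE-NONE-DefaultGroup "
    "<IW_comp,6.9,-> -",
    "2010-07-02 18:55:03 10.1.2.5 200 GET http://www.example.org/ asmith "
    "DIRECT text/html",
]


def extract(line):
    """Return one event dict; fields the regex cannot extract stay absent."""
    m = WSA_BASE.match(line)
    ev = m.groupdict() if m else {}
    if "dest_url" in ev:
        h = HOST_RE.match(ev["dest_url"])
        if h:
            ev["dest_domain"] = h.group(1)
    ev["_raw"] = line
    return ev


def fillnull(ev, fields, value=SENTINEL):
    """Splunk fillnull: set each listed field only where it is missing."""
    return {**{f: value for f in fields}, **ev}


def stats_count_by(events, by):
    """stats count by <by>: one row per distinct tuple of the by fields."""
    counts = Counter(tuple(ev.get(f) for f in by) for ev in events)
    return [dict(zip(by, key), count=n) for key, n in counts.items()]


def search(rows, **conditions):
    """Splunk search field=value: a row matches only if the field exists."""
    return [r for r in rows if all(r.get(f) == v for f, v in conditions.items())]


def unextracted_rows(lines):
    """Rows whose key fields are all the sentinel, i.e. events extraction missed."""
    events = [fillnull(extract(line), FILL_FIELDS) for line in lines]
    rows = stats_count_by(events, FILL_FIELDS)
    return search(rows, **{f: SENTINEL for f in KEY_FIELDS})


if __name__ == "__main__":
    for row in unextracted_rows(SAMPLE_LINES):
        print("unextracted:", row["count"], "event(s) with", KEY_FIELDS, "=", SENTINEL)
```

Run as-is it flags exactly the W3C-style line. Passing a field that is not in the stats by list, such as search(rows, host="!!!!"), returns nothing regardless of the data, which is why the final search in the guide must only reference fields carried through the stats command.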