Cisco Web Security Appliance S360 Troubleshooting Guide

Why doesn't my test POST get updated in "Data Security Logs"?
Document ID: 118096
Contributed by Kei Ozaki and Siddharth Rajpathak, Cisco TAC Engineers.
Jul 29, 2014
Question:
Why doesn't my test POST request get updated in "Data Security Logs" on the Cisco Web Security Appliance (WSA)?
Symptoms:
"Data Security Logs" aren't updating even though POST requests are being sent through the WSA.
The "Access Log" is updating and shows that the POST requests work properly.
Solution:
The size of the POST request, which is essentially the amount of data being uploaded, determines whether the request gets scanned by the on-box data security filters or by external Data Loss Prevention (DLP) policies.
By default, the WSA has a minimum size limit of 4096 bytes (4K) for DLP to trigger. This minimum avoids false positives from DLP scanning, because it excludes uploads such as website logins, which are small POST requests.
So any POST request/upload below the 4K limit is not recorded in "Data Security Logs". However, the WSA still processes the POST request and records the transaction in the "Access Log".
For on-box DLP (Data Security filters)
We can change the default scanning limit from the WSA CLI using the command: datasecurityconfig
For off-box DLP (External DLP)
We can change the default scanning limit from the WSA CLI using the command: externaldlpconfig
The default value for both of the above commands is 4096 bytes.
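A test upload sized to clear the minimum described above, as an added example that is not from the original Cisco document. The field names, marker string, and the proxy and target URLs passed in are placeholders, and it assumes the limit is compared against the POST body length, with uploads at or above the limit scanned.

```python
import urllib.parse
import urllib.request

DLP_MIN_BYTES = 4096  # default minimum stated in this document


def build_test_body(marker, target_size=2 * DLP_MIN_BYTES):
    """Return a form-encoded POST body of exactly target_size bytes."""
    # Field names are placeholders chosen for this example.
    fields = {"dlp_test_marker": marker, "padding": ""}
    base = urllib.parse.urlencode(fields).encode("ascii")
    if len(base) > target_size:
        raise ValueError("marker too long for requested size")
    # 'A' is not percent-encoded, so one pad character adds one byte.
    fields["padding"] = "A" * (target_size - len(base))
    return urllib.parse.urlencode(fields).encode("ascii")


def meets_dlp_minimum(body, minimum=DLP_MIN_BYTES):
    """Assumption: bodies at or above the minimum are eligible for scanning."""
    return len(body) >= minimum


def build_request(url, body):
    """Prepare the POST; Content-Length makes the upload size explicit."""
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Content-Length": str(len(body))})


def send_through_proxy(request, proxy_url):
    """Send the request via the WSA explicit proxy (never called on import)."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url}))
    with opener.open(request, timeout=15) as response:
        return response.status


if __name__ == "__main__":
    # Constructed samples: a login-sized POST and a padded test upload.
    small = urllib.parse.urlencode({"user": "test", "pass": "x"}).encode()
    large = build_test_body("DLP-TEST-0001")
    print(len(small), meets_dlp_minimum(small))
    print(len(large), meets_dlp_minimum(large))
```

The default target size is twice the minimum so the test does not depend on how the boundary value itself is treated; if the limit was changed with datasecurityconfig or externaldlpconfig, pass the new value as `minimum` and size the body accordingly.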
Updated: Jul 29, 2014