Cisco Cisco Web Security Appliance S670 User Guide

Cisco IronPort AsyncOS 7.7 for Web User Guide
Chapter 24      Logging
Working with Log Subscriptions
  • Exclude entries based on HTTP status codes. You can configure the access log to not include
    transactions based on particular HTTP status codes to filter out certain transactions. For example,
    you might want to filter out authentication failure requests that have codes of 407 or 401.
Log File Name and Appliance Directory Structure
The appliance creates a directory for each log subscription based on the log subscription name. The name 
of the log file in the directory is composed of the following information:
  • Log file name specified in the log subscription
  • Timestamp when the log file was started
  • A single-character status code, either .c (signifying current) or .s (signifying saved)
Log file names are constructed using the following formula:
/LogSubscriptionName/LogFilename.@timestamp.statuscode
 
Note
You should only transfer log files with the saved status.
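The following Python sketch is an added example, not part of the Cisco guide. It parses paths of the form given above and selects only saved (.s) files for transfer. The subscription name accesslogs, the file name aclog, and the timestamp values are constructed sample data; the timestamp is treated as an opaque token because its format is not given here.

```python
import re
from collections import defaultdict

# /LogSubscriptionName/LogFilename.@timestamp.statuscode
# Assumption: the timestamp contains no dots or slashes; its format is not parsed.
LOG_PATH = re.compile(
    r"^/(?P<subscription>[^/]+)/(?P<name>[^/]+)"
    r"\.@(?P<timestamp>[^./]+)\.(?P<status>[cs])$"
)

def parse_log_path(path):
    """Return the parts of a log path as a dict, or None if it does not match."""
    m = LOG_PATH.match(path)
    return m.groupdict() if m else None

def plan_transfer(paths):
    """Classify a directory listing: saved files to transfer, current files to skip."""
    plan = {"transfer": [], "skip_current": [], "unrecognized": []}
    current_count = defaultdict(int)
    for path in paths:
        parts = parse_log_path(path)
        if parts is None:
            # Not a log file name in the documented form; never transfer blindly.
            plan["unrecognized"].append(path)
        elif parts["status"] == "s":
            plan["transfer"].append(path)
        else:
            # .c is still being written; transferring it risks partial records.
            plan["skip_current"].append(path)
            current_count[(parts["subscription"], parts["name"])] += 1
    # Assumption: one current file per log is normal, since a rollover renames
    # the previous current file to .s. More than one is flagged for review.
    plan["multiple_current"] = sorted(k for k, n in current_count.items() if n > 1)
    return plan

# Constructed sample listing (not real appliance output).
SAMPLE_LISTING = [
    "/accesslogs/aclog.@20240101T000000.s",
    "/accesslogs/aclog.@20240102T000000.s",
    "/accesslogs/aclog.@20240103T000000.c",
    "/accesslogs/aclog.@20240103T000000.c.part",
    "/accesslogs/notes.txt",
]

if __name__ == "__main__":
    for key, value in plan_transfer(SAMPLE_LISTING).items():
        print(key, value)
```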
Rolling Over Log Subscriptions
To prevent log files on the appliance from becoming too large, AsyncOS performs a “rollover” and 
archives a log file when it reaches a user-specified maximum file size or time interval and creates a new 
file for incoming log data. Based on the retrieval method defined for the log subscription, AsyncOS 
stores the older log file on the appliance for retrieval or delivers it to an external computer. See 
 for more information on how to retrieve log files from the appliance.
When AsyncOS rolls over a log file, it performs the following actions:
  • Renames the current log file with the timestamp of the rollover and a letter .s extension
    signifying saved.
  • Creates a new log file with the timestamp of the rollover and designates the file as current with the
    letter .c extension.
  • Transfers the newly saved log file to a remote host if the log retrieval method is push-based. For a
    list of the log retrieval methods, see .
  • Transfers any existing log files from the same subscription that were not transferred successfully
    during an earlier attempt (if using the push-based retrieval method).
  • Deletes the oldest file in the log subscription if the total number of files to keep on the appliance has
    been exceeded (if using the poll-based retrieval method).
AsyncOS rolls over log subscriptions in the following ways:
  • Manually. The appliance administrator can manually roll over log subscriptions on demand from
    either the web interface or the CLI. Use the Rollover Now button on the System Administration >
    Log Subscriptions page, or the rollovernow CLI command. The rollovernow command allows you
    to roll over all log files at once or select a specific log file from a list.
  • Automatically. AsyncOS rolls over log subscriptions based on the first user-specified limit reached:
    maximum file size or maximum time. Log subscriptions based on the FTP poll retrieval method
    create files and store them in the FTP directory on the appliance until they are retrieved from a
    remote FTP client, or until the system needs to create more space for log files.