Cisco Cisco Web Security Appliance S690 User Guide
12
S A W M I L L F O R I R O N P O R T 7 . 3 . 3 U S E R G U I D E
S AW M I L L A R C H I T E C T U R E O V E R V I EW
This document provides a high-level overview of the internal architecture that is specific to
Sawmill.
Sawmill.
• Log Importer. A component which reads log data from a log source, and puts it into the
Sawmill database.
• Sawmill Database. A database which keeps a copy of the log data, and is queried to
generate reports.
• Reporting Interface. A web interface providing access to dynamic reports.
• Administrative Interface. A web interface for administrating profiles, users, tasks, and
more.
• Web Server. A built-in web server providing a graphical interface for administrating and
viewing reports.
• Command Line Interface. An extensive command-line interface that can be used to
manage profiles, generate reports, and more.
Log Importer
Sawmill is a log analyzer. It reads text log data from a log source (usually log files on the local
disk, a network mounted disk, or FTP), parses the data, and puts it in the Sawmill Database.
Log Filters can be used to convert or filter the data as it is read, or to pull in external metadata
for use in reports.
disk, a network mounted disk, or FTP), parses the data, and puts it in the Sawmill Database.
Log Filters can be used to convert or filter the data as it is read, or to pull in external metadata
for use in reports.
Sawmill Database
The Sawmill Database stores the data from the log source. The Log Importer feeds data into
the database, and the Reporting Interface queries the database to generate reports.
the database, and the Reporting Interface queries the database to generate reports.
Update Database vs. Rebuild Database
Update Database updates the database, by adding any new log data in the log source (data
which is in the log source but not in the database) versus Rebuild Database which rebuilds the
database from scratch. Needless to say, rebuilding the database should only be done under
rare circumstances.
which is in the log source but not in the database) versus Rebuild Database which rebuilds the
database from scratch. Needless to say, rebuilding the database should only be done under
rare circumstances.
Reporting Interface
The Reporting Interface is an HTML interface delivered through the Web Server, to any
compatible web browser. Reports are generated dynamically by querying the Sawmill
Database. The Reporting Interface allows arbitrary filters to be applied to any report,
including Boolean filters. Reports can be created or edited through the Administrative
Interface.
compatible web browser. Reports are generated dynamically by querying the Sawmill
Database. The Reporting Interface allows arbitrary filters to be applied to any report,
including Boolean filters. Reports can be created or edited through the Administrative
Interface.
WSA_Sawmill.book Page 12 Tuesday, February 22, 2011 2:54 PM