Cisco Cisco Web Security Appliance S670 User Guide
68
S A W M I L L F O R I R O N P O R T 7 . 3 . 3 U S E R G U I D E
R E M OV I N G D A T A B E F O R E P R O C E S S I N G
To increase performance when building or updating the database, consider removing
unnecessary rows or unnecessary fields (columns) from the access logs before processing the
log data into Sawmill for IronPort. Delete rows and fields by creating or editing log filters.
Access the Log Filters page under the Log Data category from the Config page.
unnecessary rows or unnecessary fields (columns) from the access logs before processing the
log data into Sawmill for IronPort. Delete rows and fields by creating or editing log filters.
Access the Log Filters page under the Log Data category from the Config page.
By default, Sawmill for IronPort already removes some rows from the access logs using Log
Filters. For example, it removes all rows where the server responded with a 5xx response,
such as “504 Gateway Timeout.” It does this with the “Ignore Server Response 5xx” log filter.
Filters. For example, it removes all rows where the server responded with a 5xx response,
such as “504 Gateway Timeout.” It does this with the “Ignore Server Response 5xx” log filter.
Figure 5-3 shows the “Ignore Server Response 5xx” log filter.
Figure 5-3 Using Log Filters to Remove Unnecessary Data
You can create new log filters to remove entire access log entries, like the “Ignore Server
Response 5xx” log filter, or to remove a field from all access log entries. For example, if your
organization does not need to know which policy groups were assigned to a transaction, you
can create a log filter that removes that data before Sawmill for IronPort imports the data to
create the database.
Response 5xx” log filter, or to remove a field from all access log entries. For example, if your
organization does not need to know which policy groups were assigned to a transaction, you
can create a log filter that removes that data before Sawmill for IronPort imports the data to
create the database.
For more information on working with log filters, see “Using Log Filters” on page 53.
Note — Never delete, edit, or disable the Log Filter called “Mark as event.” This Log Filter
instructs Sawmill for IronPort to add the access log entry as a row of data in the database. If
you delete or disable this Log Filter, the database will contain no data.
instructs Sawmill for IronPort to add the access log entry as a row of data in the database. If
you delete or disable this Log Filter, the database will contain no data.
WSA_Sawmill.book Page 68 Tuesday, February 22, 2011 2:54 PM