Cisco Cisco Web Security Appliance S160 User Guide

Log Compression

Retrieval Method

You can also manually archive (rollover) log files.

Choose System Administration > Log Subscriptions.

Check the checkbox in the Rollover column of the log subscriptions you wish to archive, or check the 
All checkbox to select all the subscriptions.

Click Rollover Now to archive the selected logs.

The appliance creates a directory for each log subscription based on the log subscription name. The name 
of the log file in the directory is composed of the following information:

Log file name specified in the log subscription

Timestamp when the log file was started

A single-character status code, either 

.c

 (signifying current) or 

.s

 (signifying saved)

The filename of logs are made using the following formula:

/LogSubscriptionName/LogFilename.@timestamp.statuscode

 

You should only transfer log files with the saved status.

You can read current log file activity as a means of monitoring and troubleshooting the Web Security 
appliance. This is done using the appliance interface. 

You can also read archived files for a record of past activity. This can be done using the appliance 
interface if the archived files are stored on the appliance; otherwise they must be read from their external 
storage location using an appropriate method.

Each item of information in a log file is represented by a field variable. By determining which fields 
represent which items of information, you can look up the field function and interpret the log file 
contents. For W3C compliant access logs, the file header lists field names in the order in which they 
appear in log entries. For standard Access logs, however, you must consult the documentation regarding 
this log type for information on its field order.

.

.