Cisco Web Security Appliance Advanced Reporting Installation, Setup, and User Guide
Chapter 3    Field Extractions
mime_type acl_tag user_id user_domain dest_domain | stats count by 
x_webcat_code_abbr x_wbrs_score x_webroot_scanverdict 
x_webroot_threat_name x_webroot_trr x_webroot_spyid 
x_webroot_trace_id x_mcaffe_scanverdict x_mcafee_filename 
x_mcafee_scan_error x_mcafee_detecttype x_mcafee_av_virustype 
x_mcafee_virus_name x_sophos_scanverdict x_sophos_filename 
x_sophos_virus_name x_ids_verdict x_icap_verdict 
x_webcat_req_code_abbr x_webcat_resp_code_abbr 
x_resp_dvs_threat_name x_wbrs_threat_type x_avc_app x_avc_type 
x_avc_behavior x_request_rewrite x_avg_bw x_bw_throttled 
x_user_type 
x_resp_dvs_verdictname x_req_dvs_threat_name x_suspect_user_agent 
x_wbrs_threat_reason dvc_time duration dvc_ip result http_status 
bytes_in http_method dest_url user_id_dom hierarchy hierarchy_domain 
mime_type acl_tag user_id user_domain dest_domain | convert 
ctime(dvc_time) | search user_id="!!!!" AND host="!!!!" AND 
src_ip="!!!!" AND cause="!!!!" AND action="!!!!" AND 
dest_domain="!!!!"
Verify that the host extractions are correct. This is part of the inputs strategy discussed in the installation 
guide: the folder structure must be set up so that the host value can be extracted correctly from each 
input. 
Hosts may be renamed as described in the section of this guide that covers the host lookup file.
Traffic Monitor Logs
The L4TM reports are generated from L4TM data (not summary data), so the field extractions must 
still work for those reports to function. Although the format is less versatile than the access logs, the 
extractions can be verified with the same technique.
Tip
Use this search to verify that there are few or no results:
sourcetype=wsa_trafmonlogs | head 1000 | fillnull value="!!!!" 
dvc_time log_level action proto src_ip src_port dest_ip dest_host 
dest_port | stats count by dvc_time log_level action proto src_ip 
src_port dest_ip dest_host dest_port | search src_ip="!!!!"
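The two searches above (the access-log check and this traffic-monitor check) share one idea: fill every expected field with a sentinel value, then search for events that still carry the sentinel, because any such event is one where the extraction did not fire. The script below, an added example that is not part of the Cisco guide or the Advanced Reporting app, reproduces that logic offline so a regex extraction can be tested against sample lines before it is trusted in Splunk. The line layout and the sample events are constructed for the example and are not the real WSA L4TM format; the field names are the ones the guide's search uses.

```python
"""Offline check that every expected field is extracted from each event.

Mirrors the guide's Splunk pattern:
    ... | fillnull value="!!!!" <fields> | stats count by <fields> | search <field>="!!!!"
Any event in which a field still equals the sentinel after extraction is a
field-extraction failure. Added example; not code from the Cisco guide.
"""
import re
from collections import Counter

SENTINEL = "!!!!"  # the same fillnull value the guide uses

# Field names taken from the guide's traffic-monitor search.
TRAFMON_FIELDS = ["dvc_time", "log_level", "action", "proto", "src_ip",
                  "src_port", "dest_ip", "dest_host", "dest_port"]

# Assumed line layout, constructed for this example (not the real WSA format):
#   <epoch> : <level> : <action> : <proto> : <src_ip>:<src_port> -> <dest_ip>:<dest_port> : <dest_host>
TRAFMON_RE = re.compile(
    r"^(?P<dvc_time>\d+) : (?P<log_level>\w+) : (?P<action>\w+) : (?P<proto>\w+) : "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> (?P<dest_ip>[\d.]+):(?P<dest_port>\d+)"
    r"(?: : (?P<dest_host>\S+))?$"
)

# Constructed sample events: two well formed, one with no dest_host,
# and one whose layout the extraction does not recognise at all.
SAMPLE_LINES = [
    "1700000000 : Info : ALLOW : TCP : 10.0.0.5:51234 -> 192.0.2.10:443 : example.com",
    "1700000001 : Warn : BLOCK : TCP : 10.0.0.7:40000 -> 198.51.100.4:80 : bad.example",
    "1700000002 : Info : ALLOW : UDP : 10.0.0.5:53000 -> 192.0.2.53:53",
    "garbage line that no extraction will match",
]


def extract(line):
    """Apply the regex extraction; an unmatched line yields no fields at all."""
    m = TRAFMON_RE.match(line)
    return m.groupdict() if m else {}


def fillnull(event, fields, value=SENTINEL):
    """Equivalent of `fillnull value="!!!!" <fields>`: absent or empty fields get the sentinel."""
    return {f: (event.get(f) or value) for f in fields}


def find_extraction_gaps(lines, fields, extractor=extract):
    """Return (number of events with at least one unextracted field,
    Counter mapping field name -> number of events in which it was missing).

    This is the guide's `search <field>="!!!!"` applied to every field at once,
    so one run shows which extractions need attention.
    """
    gaps = Counter()
    bad_events = 0
    for line in lines:
        event = fillnull(extractor(line), fields)
        missing = [f for f in fields if event[f] == SENTINEL]
        if missing:
            bad_events += 1
            gaps.update(missing)
    return bad_events, gaps


if __name__ == "__main__":
    bad, gaps = find_extraction_gaps(SAMPLE_LINES, TRAFMON_FIELDS)
    print(f"{bad} of {len(SAMPLE_LINES)} events have at least one unextracted field")
    for field, n in gaps.most_common():
        print(f"  {field}: missing in {n} event(s)")
```

A healthy extraction reports zero bad events on a representative sample, exactly the "few or no results" the tip above asks for; a field that is missing in every event points at the extraction itself, while a field missing in only some events usually means a log variant the extraction does not cover, which is what the third sample line demonstrates.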