Cisco Cisco Web Security Appliance S170 Guía Del Usuario
62
S A W M I L L F O R I R O N P O R T 7 . 3 . 3 U S E R G U I D E
O P T I M I Z I N G S AW M I L L F O R I R O N PO R T
Most organizations using the Web Security appliance produce very large access logs. And if
the organization needs to analyze access logs from multiple Web Security appliances, the
amount of data is even greater. Most of the default configuration options that come with
Sawmill for IronPort are fine for relatively smaller data sets. However, if your organization
processes a lot of data, consider making the changes described in this section.
the organization needs to analyze access logs from multiple Web Security appliances, the
amount of data is even greater. Most of the default configuration options that come with
Sawmill for IronPort are fine for relatively smaller data sets. However, if your organization
processes a lot of data, consider making the changes described in this section.
Note — To increase performance during database creation, Sawmill for IronPort needs a lot of
RAM. How much RAM is required depends on the data being processed and the options you
configure on the Database Tuning and Log Processing pages.
RAM. How much RAM is required depends on the data being processed and the options you
configure on the Database Tuning and Log Processing pages.
Database Tuning Options
The Database Tuning page in Sawmill for IronPort includes a lot of features which can
improve performance when it builds the main database table. Sawmill for IronPort builds the
main database table during the following tasks:
improve performance when it builds the main database table. Sawmill for IronPort builds the
main database table during the following tasks:
• Profile creation
• Rebuild the database
• “Remove database data” scheduled task
• “Build database” scheduled task
This section includes the following subsections:
Database Tuning Options
Before describing some of the Database Tuning options, let us review how Sawmill for
IronPort builds and stores the database.
IronPort builds and stores the database.
Normally, when Sawmill for IronPort processes log data to build the main database table, it
performs the following steps:
performs the following steps:
1. Builds the main database table.
2. Builds the indices of the main database table.
3. Builds the cross reference tables of the main database table.
However, you can configure Sawmill for IronPort to perform some of these steps
simultaneously. Performing these steps simultaneously can increase performance during
database creation, but it also requires a lot of RAM to do so. If the machine does not have
enough RAM, do not configure Sawmill for IronPort to perform these steps simultaneously.
simultaneously. Performing these steps simultaneously can increase performance during
database creation, but it also requires a lot of RAM to do so. If the machine does not have
enough RAM, do not configure Sawmill for IronPort to perform these steps simultaneously.
The main database table is stored as separate segments on the dark disk. The size of each
segment is configurable in the Profile’s configuration. Each database table segment has its
own index. The larger the dataset to store in the database, the greater the number of database
segment is configurable in the Profile’s configuration. Each database table segment has its
own index. The larger the dataset to store in the database, the greater the number of database
WSA_Sawmill.book Page 62 Tuesday, February 22, 2011 2:54 PM