Cisco Web Security Appliance S670 User Guide
Cisco Advanced Web Security Reporting Installation, Setup, and User Guide
Chapter 3 Field Extractions
• Verify that the host extractions are correct. This is part of the inputs strategy discussed in the installation guide: the folder structure must be set up so that the host extractions can take place properly.
• Hosts may be renamed as described in the section of this guide that discusses the host look-up file.
Traffic Monitor Logs
The L4TM reports are generated from L4TM data (not summary data), so the field extractions must still be working for those reports to function. Although the format is less versatile than that of the access logs, it can be verified with the same technique.
Tip
Use this search to verify that there are few or no results. fillnull replaces each missing field with the sentinel "!!!!", so every event the search returns is one in which src_ip was not extracted:
sourcetype=wsa_trafmonlogs | head 1000 | fillnull value="!!!!" dvc_time log_level action proto src_ip src_port dest_ip dest_host dest_port | stats count by dvc_time log_level action proto src_ip src_port dest_ip dest_host dest_port | search src_ip="!!!!"
Note that the final search only tests src_ip; to check another field, replace src_ip in the last search command with that field name (for example dest_host="!!!!").
AMP Logs
The AMP reports are generated from AMP logs. Field extractions must still be working for these reports to function.
Tip
Use these searches to verify that the fields are being extracted. A term such as x_sha256="*" matches only events in which that field is present, so each search returns only events in which every listed field was extracted. Run them over a period that contains AMP events: if they return few or no results, the extractions are not working.
sourcetype=wsa_accesslogs x_sha_256 = "*" x_file_name = "*" x_threat_name = "*"
sourcetype=wsa_amplogs verdict_type="*" x_analysis_id="*" x_status="*" x_sha1="*" x_sha256="*" x_md5="*" amp_score="*" x_start_time="*" amp_sha_value="*" time_of_analysis="*" time_of_complete="*"
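The two tips above apply opposite checks: the traffic monitor search looks for events in which a field is missing (fillnull sentinel), while the AMP searches keep only events in which every field is present. The following script is an added example, not code from the Cisco guide or the reporting application. It reproduces both checks offline on constructed event dictionaries that stand in for events Splunk has already run its extractions on; no raw log format is parsed, and the sample values (IP addresses, hashes, timestamps) are made up. It also generalizes the traffic monitor check so that every listed field is counted, not just src_ip.

```python
"""Offline stand-in for the extraction checks in this chapter.

Added example, not part of the Cisco guide or the reporting app. The
events below are constructed dicts representing events after field
extraction; no raw L4TM or AMP log line is parsed here.
"""

FILL = "!!!!"  # sentinel the guide's search passes to fillnull

# Field lists copied from the two searches on this page.
TRAFMON_FIELDS = ["dvc_time", "log_level", "action", "proto", "src_ip",
                  "src_port", "dest_ip", "dest_host", "dest_port"]
AMP_FIELDS = ["verdict_type", "x_analysis_id", "x_status", "x_sha1",
              "x_sha256", "x_md5", "amp_score", "x_start_time",
              "amp_sha_value", "time_of_analysis", "time_of_complete"]


def fillnull(events, fields, value=FILL):
    """Mimic `fillnull value=<value> <fields>`: absent or empty fields get the sentinel."""
    out = []
    for ev in events:
        filled = dict(ev)
        for f in fields:
            if filled.get(f) in (None, ""):
                filled[f] = value
        out.append(filled)
    return out


def missing_field_counts(events, fields, value=FILL):
    """Per field, count events for which nothing was extracted.

    The guide's search ends with `search src_ip="!!!!"` and so only
    reports a broken src_ip extraction; this version checks every field.
    """
    counts = {f: 0 for f in fields}
    for ev in fillnull(events, fields, value):
        for f in fields:
            if ev[f] == value:
                counts[f] += 1
    return counts


def events_with_all_fields(events, fields):
    """Mimic `f1="*" f2="*" ...`: keep only events where every field is present."""
    return [ev for ev in events
            if all(ev.get(f) not in (None, "") for f in fields)]


def extraction_report(events, fields):
    """Combine both checks for one sourcetype.

    `ok` is False when there are no events at all: an empty result set
    proves nothing about the extractions, only that no data was indexed.
    """
    total = len(events)
    complete = len(events_with_all_fields(events, fields))
    return {"total": total, "complete": complete,
            "missing": missing_field_counts(events, fields),
            "ok": total > 0 and complete == total}


# ---- constructed sample events (hypothetical values) ----
def _trafmon(**overrides):
    base = {"dvc_time": "2019-01-01 00:00:00", "log_level": "Info",
            "action": "block", "proto": "tcp", "src_ip": "10.0.0.5",
            "src_port": "51234", "dest_ip": "203.0.113.9",
            "dest_host": "example.net", "dest_port": "443"}
    base.update(overrides)
    return base


TRAFMON_SAMPLE = [_trafmon(), _trafmon(src_ip="10.0.0.6"),
                  _trafmon(dest_host="")]  # third event: dest_host not extracted

_AMP_BASE = {"verdict_type": "MALICIOUS", "x_analysis_id": "1", "x_status": "2",
             "x_sha1": "a" * 40, "x_sha256": "b" * 64, "x_md5": "c" * 32,
             "amp_score": "95", "x_start_time": "1546300800",
             "amp_sha_value": "b" * 64, "time_of_analysis": "1546300801",
             "time_of_complete": "1546300802"}
AMP_SAMPLE = [dict(_AMP_BASE), {**_AMP_BASE, "amp_score": ""}]  # second lacks amp_score


if __name__ == "__main__":
    for name, events, fields in (("wsa_trafmonlogs", TRAFMON_SAMPLE, TRAFMON_FIELDS),
                                 ("wsa_amplogs", AMP_SAMPLE, AMP_FIELDS)):
        print(name, extraction_report(events, fields))
```

The sentinel approach mirrors what the Splunk search does: a field that is missing from an event matches nothing, so it has to be given a visible value before it can be searched for. Counting per field, rather than searching one field at a time, is what a practitioner would actually want when deciding whether the folder structure and extractions are set up correctly.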