Cisco Cisco Web Security Appliance S680 Guía Del Usuario
C U S T O M U R L C A T E G O R I E S
C H A P T E R 5 : G U I D E L I N E S A N D T I P S
77
C U S T O M U R L C A T E G O R I E S
The Web Security appliance truncates the custom URL category names in the access logs by
following this logic:
following this logic:
C_<first four letters of the custom URL category name>.
For example, the custom URL category “Allow list” is logged as “C_Allo.”
When you use custom URL categories, do the following:
1. Make sure that the first four letters of each custom URL category name is unique.
2. Modify the IronPort plug-in (
ironport_sseries_accesslog__XSQUID_sec-ops-
profile.cfg
for the Sec-Ops profile, and
ironport_sseries_accesslog__XSQUID_hr-profile.cfg
for the HR profile) as
follows. In the log filter named
logfilter_expand_url_category,
delete the
following phrase:
or starts_with(field_category, 'C_')
The code should now look as follows:
value = `if (contains(field_category, '.') or
starts_with(field_category, 'IW_')) then (
Note — You can apply this modification only to the new profile.
3. Edit the category mapping file that Sawmill for IronPort uses to convert the abbreviated
URL category names to the full name. Open the
<Sawmill_directory>\LogAnalysisInfo\ironport_unified_category_map.c
fg
file in a text editor and add an entry for each custom URL category. For example, if you
have a custom URL category called “Allow list,” add the following entry to the
ironport_unified_category_map.cfg
file:
C_Allo = {
full_name = "Allow list"
usage = "Unknown"
severity = "5-None"
}
Note — If a custom URL category has no mapping, Sawmill for IronPort may crash during
log parsing.
log parsing.
WSA_Sawmill.book Page 77 Monday, March 15, 2010 10:31 AM