Cisco Web Security Appliance S680 User Guide
Chapter 1: Introduction to Sawmill for IronPort
Sawmill for IronPort Log Filters
The IronPort log format plug-in uses log filters to specify how to process, categorize, and filter data from the access logs before it populates the database. Filtering out data before it is loaded into the database reduces the storage and processing power Sawmill needs to analyze your log data.
By default, a profile enables all log filters specified in the IronPort log format plug-in (except for the “Ignore log lines older than 45 days” filter, which is disabled by default). However, you can choose to modify, disable, or delete some of the log filters. You can also add log filters depending on the organization’s needs.
Each profile type includes different log filters. For example, the Sec Ops profile type includes log filters that affect the different malware-related fields, and the HR profile type includes a log filter that saves the server URL into the database.
To view the log filters in a profile, go to the Config page and then go to Log Data > Log Filters. Sawmill for IronPort evaluates the log filters on the access log data in order, starting at the top of the list of filters. Figure 1-3 shows the log filters included in the Sec Ops profile type.
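The filter-chain behaviour described above (filters evaluated top to bottom, each able to modify or drop a line before it reaches the database), as an added Python illustration; this is not Sawmill's filter syntax or IronPort code. The simplified access-log layout, field positions and sample lines are constructed assumptions; the 45-day age filter is the one the guide names.

```python
"""Ordered pre-load log filter chain, modelled on the guide's description.
Added illustration only, not Sawmill's filter language or IronPort code."""
from datetime import datetime, timedelta, timezone

# Constructed sample lines in an assumed, simplified WSA-style layout:
# epoch_time elapsed_ms client_ip result/status bytes method url content_type
SAMPLE_LOG = """\
1297000000.000 120 10.0.0.5 TCP_MISS/200 5120 GET http://example.test/index.html text/html
1297000001.000 40 10.0.0.5 TCP_HIT/200 800 GET http://example.test/logo.png image/png
1290000000.000 90 10.0.0.9 TCP_MISS/200 2048 GET http://example.test/old.html text/html
1297000002.000 75 10.0.0.7 TCP_DENIED/403 0 GET http://blocked.test/ text/html
"""

def parse_line(line):
    f = line.split()
    return {"time": datetime.fromtimestamp(float(f[0]), tz=timezone.utc),
            "client": f[2], "status": f[3], "bytes": int(f[4]),
            "url": f[6], "content_type": f[7]}

def ignore_older_than(days, now):
    """Mirrors the 'Ignore log lines older than 45 days' filter named on the
    page; 'now' is injected so the result is reproducible."""
    cutoff = now - timedelta(days=days)
    return lambda rec: None if rec["time"] < cutoff else rec

def drop_images(rec):
    # Keep page views only, as the Summarized Logs report does for display.
    return None if rec["content_type"].startswith("image/") else rec

def mark_denied(rec):
    # A categorising filter: derive a field that reports can group on.
    rec["denied"] = rec["status"].startswith("TCP_DENIED")
    return rec

def run_filters(text, filters):
    """Apply filters in list order; the first None stops processing of a line.
    Returns (kept_records, dropped_count)."""
    kept, dropped = [], 0
    for line in text.splitlines():
        rec = parse_line(line)
        for flt in filters:
            rec = flt(rec)
            if rec is None:
                dropped += 1
                break
        else:
            kept.append(rec)
    return kept, dropped

NOW = datetime(2011, 2, 22, tzinfo=timezone.utc)  # reference date (assumption)
FILTERS = [ignore_older_than(45, NOW), drop_images, mark_denied]
```

Running `run_filters(SAMPLE_LOG, FILTERS)` drops the stale line and the image request, so only two records would be loaded into the database.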
Table 1-2 Reports in the HR Profile Type (Continued)

Report Type: Individual Fields
Description: The Individual Fields reports show web requests for different fields in the access logs. These reports are useful for cross-referencing from other reports so you can easily zoom in on particular fields. The HR profile type includes a subset of the Individual Fields reports compared to the Sec Ops profile type.

Report Type: Summarized Logs
Description: The Summarized Logs report is a more human-readable version of the access logs that does not include all access log fields. You might want to use this report to show executive-level management a summary of the network traffic. This report only includes rows for page views and not the images on a page.

Report Type: Log Detail
Description: The Log Detail report is a human-readable version of the access logs that includes more fields than the Summarized Logs report. It is geared toward a technical audience that needs to see a lot of the data in the access logs in a more readable format.

Report Type: Single Page Summary
Description: The Single Page Summary includes every report and combines them all onto one page in the web interface. You might want to view the Single Page Summary to print it out or email it to a manager. For example, if you zoom in on data for a particular user in your organization, you can then view the Single Page Summary and send that report to the person or his/her manager.
Note: The Single Page Summary can take a very long time to process depending on the amount of data currently zoomed in on in Sawmill. IronPort recommends only viewing the Single Page Summary when you are zoomed in to a small subset of data, such as a single person, department, or particular time range.
WSA_Sawmill.book Page 7 Tuesday, February 22, 2011 2:54 PM