Cisco Cisco Web Security Appliance S190 Mode D'Emploi
U S I N G L O G F I L T E R S
C H A P T E R 4 : R E A D I N G A C C E S S L O G S W I T H S A W M I L L F O R I R O N P O R T
53
U S I N G L O G F I L T E R S
Sawmill uses log filters to filter out data from your log source before populating the database.
You might want to use log filters to:
You might want to use log filters to:
• Selectively eliminate portions of your log data from the statistics.
• Convert values in log fields to a more meaningful value.
Log filters are written in Sawmill’s configuration language. Log filters should not be confused
with report filters that appear in reports. Log filters affect how the log data is processed, and
report filters affect which parts of the database data are displayed. There are many reasons you
might want to filter the log data, including:
with report filters that appear in reports. Log filters affect how the log data is processed, and
report filters affect which parts of the database data are displayed. There are many reasons you
might want to filter the log data, including:
• You may not be interested in seeing the hits on files of a particular type (for example,
image files in web logs).
• You may not be interested in seeing the events from a particular host or domain (for
example, web log hits from your own domain).
• You may not be interested in seeing hits which did not result in separate page views, such
as 404 errors (file not found) or redirects.
The log filters included with Sawmill for IronPort perform the most common filtering. You may
want to modify, disable, or remove those log filters. You may also want to create your own.
For more information about the log filters included in Sawmill for IronPort, see “Sawmill for
IronPort Log Filters” on page 7.
want to modify, disable, or remove those log filters. You may also want to create your own.
For more information about the log filters included in Sawmill for IronPort, see “Sawmill for
IronPort Log Filters” on page 7.
Note — Each profile type includes different log filters. For example, the Sec Ops profile type
include log filters that affect the different malware related fields, and the HR profile type
includes a log filter that only saves the server name into the database for each URL
include log filters that affect the different malware related fields, and the HR profile type
includes a log filter that only saves the server name into the database for each URL
How Log Filters Work
Log filters are arranged in a sequence, like a computer program, starting with the first filter
and continuing up through the last filter. Each time Sawmill processes a log entry, it runs the
filters in order, starting with the first one. Sawmill applies that filter to the log entry. The filter
may accept the log entry by returning “done,” in which case it is immediately selected for
inclusion in the statistics. If a filter accepts an entry, the other filters are not run. Once a filter
accepts, the acceptance is final. Alternately, the filter may reject the entry by returning
“reject,” in which case it is immediately discarded, without consulting any filters farther down
the line. Finally, the filter may neither accept nor reject, but instead pass the entry on to
another filter (by returning nothing). In this case, and only in this case, another filter is run.
and continuing up through the last filter. Each time Sawmill processes a log entry, it runs the
filters in order, starting with the first one. Sawmill applies that filter to the log entry. The filter
may accept the log entry by returning “done,” in which case it is immediately selected for
inclusion in the statistics. If a filter accepts an entry, the other filters are not run. Once a filter
accepts, the acceptance is final. Alternately, the filter may reject the entry by returning
“reject,” in which case it is immediately discarded, without consulting any filters farther down
the line. Finally, the filter may neither accept nor reject, but instead pass the entry on to
another filter (by returning nothing). In this case, and only in this case, another filter is run.
In other words, every filter has complete power to pass or reject entries, provided the entries
make their way to that filter. The first filter that accepts or rejects the entry ends the process,
and the filtering is done for that entry. A filter gets to see an entry only when every filter before
it in the sequence has neither accepted nor rejected that entry. So the first filter in the
sequence is the most powerful, in the sense that it can accept or reject without consulting the
make their way to that filter. The first filter that accepts or rejects the entry ends the process,
and the filtering is done for that entry. A filter gets to see an entry only when every filter before
it in the sequence has neither accepted nor rejected that entry. So the first filter in the
sequence is the most powerful, in the sense that it can accept or reject without consulting the
WSA_Sawmill.book Page 53 Tuesday, February 22, 2011 2:54 PM