Cisco Web Security Appliance S170 User Guide

SAWMILL FOR IRONPORT 7.3.2 USER GUIDE
IRONPORT LOG FORMAT PLUG-IN
Sawmill for IronPort includes configuration information, known as a log format plug-in, that 
allows Sawmill to work with Web Security appliance access logs. The IronPort log format 
plug-in defines the following:
• How to recognize the access log format. The plug-in has the access log format defined so 
it can recognize valid access logs to parse.
• Which log filters to use and apply to the access logs. The plug-in defines log filters that 
remove data that does not provide useful information and takes up too much space in the 
database. For example, it filters out all rows with server responses in the 500 range, which 
are server errors. For more information on the log filters, see “Sawmill for IronPort Log 
Filters” on page 7.
• How to parse access logs. The plug-in parses the logs and applies the log filters to the data 
before instructing Sawmill to load the data into the database.
• How to convert abbreviated URL categories to their full category names. Access logs 
abbreviate all URL category names, which can make them difficult for humans to read and 
understand. The plug-in uses a file that converts the abbreviated names to their full names. 
Note — You can edit this file to include custom URL categories for conversion. For more 
information on how to do this, see “Custom URL Categories” on page 77. 
• Predefined reports. The plug-in defines different reports you can view to get a better 
understanding of the web activity on your network. For a list of the different reports 
available, see “Sawmill for IronPort Reports” on page 4.
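The recognize, filter and convert steps listed above can be sketched in Python as follows. This is an added example, not Sawmill's or IronPort's plug-in code; the Squid-style field order, the sample lines and the EX_ category abbreviations are constructed assumptions, since this page shows neither the access log layout nor the conversion file.

```python
import re
from collections import Counter

# Constructed abbreviation table (assumption); the real plug-in reads its own file.
CATEGORY_NAMES = {"EX_news": "News", "EX_comp": "Computers and Internet"}

# Assumed Squid-style field order; the page does not show the real layout.
LINE_RE = re.compile(
    r"^(?P<time>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+"
    r"(?P<result>\w+)/(?P<status>\d{3})\s+(?P<size>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s.*<(?P<category>[^,>]+)[^>]*>\s*$"
)

# Constructed sample input: one normal row, one 5xx row, one unknown category,
# and one line that is not an access log entry at all.
SAMPLE_LOG = """\
1268649060.123 45 192.0.2.10 TCP_MISS/200 5120 GET http://news.example.com/ - DIRECT/news.example.com text/html ALLOW <EX_news,ns>
1268649061.456 12 192.0.2.11 TCP_MISS/503 0 GET http://app.example.com/ - DIRECT/app.example.com - ALLOW <EX_comp,ns>
1268649062.789 30 192.0.2.12 TCP_DENIED/403 0 GET http://x.example.net/ - NONE/- - BLOCK <EX_zzz,ns>
not an access log line
""".splitlines()


def load_access_log(lines):
    """Return (rows, stats): rows kept for the database and a count per outcome."""
    rows, stats = [], Counter()
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match is None:                 # step 1: recognize the log format
            stats["unrecognized"] += 1
            continue
        row = match.groupdict()
        if 500 <= int(row["status"]) <= 599:   # step 2: filter out server errors
            stats["filtered_5xx"] += 1
            continue
        # step 3: expand the abbreviation; unknown ones pass through unchanged
        row["category"] = CATEGORY_NAMES.get(row["category"], row["category"])
        rows.append(row)
        stats["loaded"] += 1
    return rows, dict(stats)


if __name__ == "__main__":
    kept, counts = load_access_log(SAMPLE_LOG)
    print(counts)
    for entry in kept:
        print(entry["client"], entry["status"], entry["category"], entry["url"])
```

The counts make the effect of the 500-range filter visible: rows dropped at this stage never reach the database, so no report built on it can show them.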
The IronPort log format plug-in allows you to create the following profile types:
• Security Operations (Sec Ops). The Sec Ops profile type creates a profile that contains the 
most detail about web activity stored in the access logs. Profiles created from this profile 
type include the largest number of predefined reports. Use the Sec Ops profile type to 
create analytical profiles for security-related and operational requirements.
• Human Resources (HR). The HR profile type creates a profile that contains much less data 
and fewer reports than the Sec Ops profile type. Because this profile type filters out more 
data when parsing the access logs, most profile-related actions, such as importing log files 
and generating reports, perform better than they do with a Sec Ops profile. Use the HR profile 
type to create tracking profiles if your organization wants to track and report on users' web 
activity.
Sawmill for IronPort Reports
When you create a profile, Sawmill for IronPort generates different types of reports depending 
on the profile type used. 
Figure 1-1 shows the types of reports displayed in the Sawmill for IronPort web interface for 
the Sec Ops profile type.
WSA_Sawmill.book  Page 4  Monday, March 15, 2010  10:31 AM