Cisco Cisco Web Security Appliance S380 Guida Utente
F I L T E R I N G O U T O L D D A T A
C H A P T E R 5 : G U I D E L I N E S A N D T I P S
69
F I L T E R I N G O U T O L D D A T A
Sawmill for IronPort includes the “Ignore log lines older than 45 days” log filter, which filters
out data older than 45 days when enabled for both the HR and Sec Ops profile types. You can
also create a new filter specifying how many days to retain data.
out data older than 45 days when enabled for both the HR and Sec Ops profile types. You can
also create a new filter specifying how many days to retain data.
WARNING:
It is highly recommended that you use one of these log filters. Otherwise, the
database will quickly grow to an infinite size.
Creating a New Filter
A new filter that limits how long Sawmill for IronPort retains data must be configured for each
profile.
profile.
To create a new filter:
1. From the profile, navigate to Config > Log Data > Log Filters > New Log Filter.
2. Rename the filter to “Only the Last <number of days to retain data> Days.”
Note — Ensure that the number of days to retain data is within the sizing guidelines of
Sawmill for IronPort and your server’s hardware. Use the Sizing Calculator provided on
the Support Portal for basic guidelines.
Sawmill for IronPort and your server’s hardware. Use the Sizing Calculator provided on
the Support Portal for basic guidelines.
3. Select the Filter tab and click New Condition.
4. Edit the conditions as follows, and then click OK:
5. Click New Action.
6. Select “Reject log entry” as the action and click OK.
7. Select the Sort Filters tab.
8. Select the new filter “Only the Last <number of days to retain data> Days,” and click “Up
[+]” to move the filter to the top of the list.
9. Click Save and Close.
Field
Value
Log field
Date/time
Operator
is older than number of days
Value
<number of days to retain
data>
data>
WSA_Sawmill.book Page 69 Tuesday, February 22, 2011 2:54 PM