Cisco Cisco Web Security Appliance S370 사용자 가이드
54
S A W M I L L F O R I R O N P O R T 7 . 3 . 3 U S E R G U I D E
others. The second filter is used if the first has no opinion on whether the entry should be
accepted or rejected.
accepted or rejected.
Note — The last log filter in Sawmill for IronPort is called “Mark as event.” This Log Filter
instructs Sawmill for IronPort to add the access log entry as a row of data in the database. Do
not delete, disable, or modify this log filter.
instructs Sawmill for IronPort to add the access log entry as a row of data in the database. Do
not delete, disable, or modify this log filter.
Hits vs. Page Views
Sawmill for IronPort distinguishes between “hits” and “page views” for Web Security
appliance access logs. A hit is one access to a web server, such as one request for a file which
may not actually result in the transfer of a file, as in the case of a redirect or an error. A page
view is an access to a page rather than to an image or a support file like a style sheet.
appliance access logs. A hit is one access to a web server, such as one request for a file which
may not actually result in the transfer of a file, as in the case of a redirect or an error. A page
view is an access to a page rather than to an image or a support file like a style sheet.
For some web sites and some types of analysis, image files, .class files, .css file, and other files
are not as important as HTML pages—the important number is how many pages were
accessed, not how many images were downloaded. For other sites and other types of analysis,
all accesses are important.
are not as important as HTML pages—the important number is how many pages were
accessed, not how many images were downloaded. For other sites and other types of analysis,
all accesses are important.
By default, Sawmill for IronPort only tracks page views. It determines whether or not an event
is a page view by the file type. To learn more about this log filter, go to Config page > Log
Data > Log Filters and read the filter expression for the “Detect page views” and “Strip
non-page-views” log filters.
is a page view by the file type. To learn more about this log filter, go to Config page > Log
Data > Log Filters and read the filter expression for the “Detect page views” and “Strip
non-page-views” log filters.
The Log Filter Editor
The easiest way to create log filters is in the Log Filter Editor, in the Log Filters section of the
Config. To access the Log Filters Editor, go to Config page > Log Data > Log Filters and then
click the Edit link for one of the log filters.
Config. To access the Log Filters Editor, go to Config page > Log Data > Log Filters and then
click the Edit link for one of the log filters.
Figure 4-5 shows the Log Filter Editor for the Rewrite URL log filter.
WSA_Sawmill.book Page 54 Tuesday, February 22, 2011 2:54 PM