Cisco Web Security Appliance S170 Installation Guide
Cisco Web Security Appliance Advanced Reporting Installation, Setup, and User Guide
Chapter 3
Field Extractions
Overview of Field Extractions
This application relies heavily on field extractions. Because most reports are generated from summary data,
it is important to ensure that fields are being extracted correctly; otherwise the summaries, and every
report built on them, will be incomplete or wrong.
Access Logs
Tip
• Ensure that timestamps are being indexed correctly.
• Search for “*” and ensure that the app-specific fields are populated in the field picker. The next bullet
  item contains a more thorough examination of the extracted fields.
• Copy and paste the search below. You should see no results, and certainly not many. If all 1000 events
  are returned, transforms.conf will need to be adjusted for the log format being indexed…
sourcetype=wsa_accesslogs | head 1000 | fillnull value="!!!!"
x_webcat_code_abbr x_wbrs_score x_webroot_scanverdict
x_webroot_threat_name x_webroot_trr x_webroot_spyid
x_webroot_trace_id x_mcaffe_scanverdict x_mcafee_filename
x_mcafee_scan_error x_mcafee_detecttype x_mcafee_av_virustype
x_mcafee_virus_name x_sophos_scanverdict x_sophos_filename
x_sophos_virus_name x_ids_verdict x_icap_verdict
x_webcat_req_code_abbr x_webcat_resp_code_abbr
x_resp_dvs_threat_name x_wbrs_threat_type x_avc_app x_avc_type
x_avc_behavior x_request_rewrite x_avg_bw x_bw_throttled
x_user_type x_resp_dvs_verdictname x_req_dvs_threat_name
x_suspect_user_agent x_wbrs_threat_reason dvc_time duration dvc_ip
result http_status bytes_in http_method dest_url user_id_dom
hierarchy hierarchy_domain
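The same sanity check performed outside Splunk, as an added example that is not the guide's or the app's own code: it parses WSA-style access log lines into the fields the search above names and reports which required fields a line failed to yield, which is exactly what `fillnull value="!!!!"` followed by a search for the sentinel exposes. The positional layout of the line and the order of the `x_` fields inside the angle-bracket block are assumptions taken from the order of the search's field list (field names are copied verbatim from it), and the three log lines are constructed for illustration; adjust both to match the transforms.conf actually deployed.

```python
"""Offline check that WSA-style access log lines yield every field the
guide's fillnull search names.  Added example, not the guide's or the
Splunk app's code.  Field order is ASSUMED to follow the search's field
list; the sample lines are CONSTRUCTED for illustration."""
import csv
import re
from collections import Counter

FILL = "!!!!"  # the guide's fillnull sentinel: a field that was never extracted

# Whitespace-separated tokens before the <...> block (assumed layout).
LEADING_FIELDS = ["dvc_time", "duration", "dvc_ip", "result_status", "bytes_in",
                  "http_method", "dest_url", "user_id_dom", "hier", "content_type",
                  "acl_tag"]

# Comma-separated values inside <...>, in the order the guide's search lists
# them (assumed mapping; names spelled exactly as in the search).
BRACKET_FIELDS = [
    "x_webcat_code_abbr", "x_wbrs_score", "x_webroot_scanverdict",
    "x_webroot_threat_name", "x_webroot_trr", "x_webroot_spyid",
    "x_webroot_trace_id", "x_mcaffe_scanverdict", "x_mcafee_filename",
    "x_mcafee_scan_error", "x_mcafee_detecttype", "x_mcafee_av_virustype",
    "x_mcafee_virus_name", "x_sophos_scanverdict", "x_sophos_filename",
    "x_sophos_virus_name", "x_ids_verdict", "x_icap_verdict",
    "x_webcat_req_code_abbr", "x_webcat_resp_code_abbr",
    "x_resp_dvs_threat_name", "x_wbrs_threat_type", "x_avc_app", "x_avc_type",
    "x_avc_behavior", "x_request_rewrite", "x_avg_bw", "x_bw_throttled",
    "x_user_type", "x_resp_dvs_verdictname", "x_req_dvs_threat_name",
    "x_suspect_user_agent",
]

# Everything the guide's search fills with "!!!!" (derived fields included).
REQUIRED_FIELDS = BRACKET_FIELDS + [
    "dvc_time", "duration", "dvc_ip", "result", "http_status", "bytes_in",
    "http_method", "dest_url", "user_id_dom", "hierarchy", "hierarchy_domain",
]

LINE_RE = re.compile(r"^(?P<head>.*?)\s+<(?P<bracket>.*)>(?:\s+\S+)?\s*$")


def parse_access_log(line):
    """Extract fields from one line.  A field absent from the result was not
    extracted; a value of "-" still counts as extracted, as it does in Splunk."""
    fields = {}
    m = LINE_RE.match(line)
    if not m:  # no <...> block: not the format the extractions expect
        return fields
    fields.update(zip(LEADING_FIELDS, m.group("head").split()))
    # Composite tokens are split the way the search's field names imply.
    result_status = fields.pop("result_status", "")
    if "/" in result_status:
        fields["result"], fields["http_status"] = result_status.split("/", 1)
    hier = fields.pop("hier", "")
    if "/" in hier:
        fields["hierarchy"], fields["hierarchy_domain"] = hier.split("/", 1)
    # csv handles quoted values that contain commas (user agents do).
    bracket_values = next(csv.reader([m.group("bracket")]))
    fields.update(zip(BRACKET_FIELDS, bracket_values))
    return fields


def missing_fields(fields):
    """Names the guide's fillnull would set to "!!!!": required fields the
    line did not yield."""
    return [name for name in REQUIRED_FIELDS if fields.get(name, FILL) == FILL]


def audit(lines):
    """Return (number of lines with any missing field, Counter of misses per
    field).  A healthy index, per the guide, gives (0, Counter())."""
    bad, per_field = 0, Counter()
    for line in lines:
        missing = missing_fields(parse_access_log(line))
        if missing:
            bad += 1
            per_field.update(missing)
    return bad, per_field


# Constructed sample lines: complete, truncated bracket block, wrong format.
GOOD_BRACKET = ('IW_comp,6.9,-,"-",-,-,-,-,"-",-,-,-,"-",-,-,"-","-",-,-,IW_comp,'
                '-,"-","-","Unknown","Unknown","-","-",198.34,0,-,[Local],'
                '"Mozilla/5.0 (X11, Linux)"')
HEAD = ("1278096903.150 97 192.0.2.10 TCP_MISS/200 8187 GET http://www.example.com/ "
        "jsmith@EXAMPLE DIRECT/www.example.com text/html DEFAULT_CASE_12-DefaultGroup")
SAMPLE_LINES = [
    f"{HEAD} <{GOOD_BRACKET}> -",
    f"{HEAD} <{','.join(GOOD_BRACKET.split(',')[:20])}> -",
    "2010-07-02 18:55:03 192.0.2.11 GET http://www.example.com/ 200",
]

if __name__ == "__main__":
    bad, per_field = audit(SAMPLE_LINES)
    print(f"{bad} of {len(SAMPLE_LINES)} lines are missing fields")
    for name, count in per_field.most_common():
        print(f"  {name}: {count}")
```

Run against a real export of the index (one event per line), the per-field counts point straight at the part of the regex in transforms.conf that needs adjusting: misses concentrated in the tail of the bracket block mean the appliance emits fewer or differently ordered columns than the extraction expects, while misses across every field mean the lines are not in the expected format at all (for example a syslog header or a custom log format prepended or substituted).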