I want to configure Sawmill 7.3.2 for IronPort S160. Does anybody have a sample template to configure it, and especially how to use log_format while creating a profile? I tried many times but it always fails. Do I have to configure something on the WSA as well?
Please let me know the hardware requirements for installing Sawmill for an organization having 200 users.
Look forward to hearing from someone.
Thanks & Regards
If you already downloaded Sawmill from Cisco's website you already should have all you may need.
Install it on a suitable computer and determine whether you are pushing the logs from the appliance or you are pulling them from Sawmill. I would recommend the first option, as it is regular log rotation that forces the appliance to drop the rotated and closed logs.
Read the included essential documentation in the package. Define the logs and the profile in the Sawmill setup and you are done once you are able to have the files on the Sawmill machine. Usually you should do nothing beyond defining the way you are rotating and pushing the logs. Check the WSA manuals as well as Sawmill's.
Thank you, Jose.
I managed to integrate Sawmill with IronPort and it's working very well. Actually I was a little confused while selecting the LOG FORMAT (HR or SEC_OP), but now it's working fine and I even got a license from IronPort for 5 profiles.
Thinking about possibly using Sawmill in our office. Is this a free install if you already own an IronPort web appliance?
The Sawmill for IronPort license is a separate purchase from the other licenses. If you already own Sawmill, you can likely get the WSA logs to import, but you will not have the Sawmill for IronPort specific reports.