Sawmill 7.3.1 DB rebuild fails due to corrupt date fields

fanheuser_ironport · ‎10-28-2009

Hi all,

anybody able to help? My new Sawmill 7.3.1 installation (Windows x86) fails to rebuild the database. It never worked, the "background process stopped unexpectedly". Logs are default standard Squid format access logs from a S160 (v5.6.6). Profile is standard "HR" with the log format automatically recognized by Sawmill. "Sec Ops" profile yields the same errors.

When performing a command-line rebuild with debug outputs, it looks like on none of the log entries the date/time can be recognized (same error for all records).

[t2]: [p]: Processing line: [t2]: 1255880992.122 0 10.70.10.18 TCP_DENIED/407 242 HEAD http://osce8-p.activeupdate.trendmicro.com/activeupdate/ini_xml.zip - NONE/- - OTHER-NONE <Comp,-,-,-,-,-,-,-,-,-,-,-,-> -
[t2]: [p]: Got log token[t2]: '1255880992.122' (index=1, subindex=1)
[t2]: [p]: Got normalized date from date field: {corrupt}
[t2]: [p]: Got normalized time from time field: {corrupt}

The log entry reads
1255880992.122 0 10.70.10.18 TCP_DENIED/407 242 HEAD http://osce8-p.activeupdate.trendmicro.com/activeupdate/ini_xml.zip - NONE/- - OTHER-NONE <Comp,-,-,-,-,-,-,-,-,-,-,-,-> -

How can the log data be imported successfully? Do I need to change the access log file format on the S160?

Any help will be appreciated.

Kind regards

Frederik

fanheuser_ironport · ‎10-28-2009

Hi all,

the problem has been solved: the log files got corrupted during transfer from the WSA to the Sawmill server. With uncorrupted logfiles, database rebuild worked as expected.

Hooray!

Frederik