Sawmill (7.3.1) and Ironport S160 (AsyncOS: Web 7.5.0-833)

david.paterson
Level 1

Hi all,

we're running the above and I'm trying to use Sawmill to query a log file.

It's been a while since we've used Sawmill and while it used to work fine it no longer appears to actually populate a database with entries.

I've built a new profile, passed it a file with a single entry and run the build database from command line.

From what I can see it is complaining about the time stamps being corrupt:

[t2]: [f]: Rejected entry because the date/time field is corrupt.

A similar post on here seemed to imply that it was just a file transfer issue but I've tried it as binary, ascii and even repointed the S160 to send the file directly in real time without success.

Had a look for an updated version (there were a couple of point releases I believe) but Cisco seem to have removed it completely from the S160 download section...

Can anyone confirm if Sawmill 7.3.1 actually works with AsyncOS 7.5?

Anyone bumped into similar problems and what was the actual fix?

Thanks.

Message was edited by: David Paterson:  S160 not C160...

6 Replies

Vance Kwan
Cisco Employee

Hi David,

I can attest to it that Sawmill will work with AsyncOS 7.5. However, I'm not familiar with Sawmill but I do know that Cisco is no longer supporting it as of August 2013. Splunk is the new supported reporting software.

If you're interested in looking for an update (if any), I believe you should have been looking in the section for the S160?

I'll search through our existing knowledge base articles to see if I can find anything for you.

-Vance

Thanks for the reply Vance.

Yes, that should indeed read S160 not C160. We've got both and I can never remember which is which...especially when I'm jumping between both while typing up a forum post! I've edited it to save any confusion.

I did a bit more digging in the task logs and the import definitely stopped working properly the day after we upgraded the Ironport to AsyncOS 7.5 so it does look like something has changed from the older releases.

Just not sure what though. The time stamps on the log lines look like perfectly valid Unix Epoch values which I think they have always been.

Thanks for the confirmation that Cisco have pulled support for Sawmill. I guessed that's what it was but didn't see an announcement for it and couldn't see anything in the EoL announcements for the S160 itself.

I did see the Splunk option as you mentioned but wasn't sure what the licensing around it was. Sawmill required a separate license and I'm sure Splunk isn't free once you get to the data volumes required for our proxies. And it looks a far more complex option to set up too. Might just need to bite the bullet and go begging for time and budget to do it.

Anything further you can find would be appreciated.
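As an added example (not from this thread, Sawmill or Cisco), a small Python pre-check for the "date/time field is corrupt" rejection above: it inspects the timestamp field of each access-log line and reports why an epoch-based importer would reject it. The sample lines are constructed, and the script assumes, as WSA access logs do, that the epoch timestamp is the first whitespace-separated field.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines (not from the original thread). Assumption: the
# first whitespace-separated field is the Unix epoch timestamp, with optional
# fractional seconds, which is how WSA access logs record the date/time.
SAMPLE_LINES = [
    "1370000000.123 120 10.0.0.5 TCP_MISS/200 1234 GET http://example.com/ - DIRECT/198.51.100.10 text/html",
    "\ufeff1370000001.456 95 10.0.0.6 TCP_MISS/200 512 GET http://example.com/b - DIRECT/198.51.100.10 text/html",
    "06/Jun/2013:12:00:03 +0000 77 10.0.0.8 TCP_MISS/200 128 GET http://example.com/c - DIRECT/198.51.100.10 text/html",
    "1370000003123 70 10.0.0.9 TCP_MISS/200 64 GET http://example.com/d - DIRECT/198.51.100.10 text/html",
    "",
]

EPOCH_RE = re.compile(r"^\d+(\.\d+)?$")
# Plausibility window: 2000-01-01 .. 2100-01-01 UTC. A 13-digit value
# (milliseconds written where seconds were expected) lands far outside it.
EPOCH_MIN, EPOCH_MAX = 946684800.0, 4102444800.0

def check_timestamp(line: str):
    """Return (ok, detail) for the date/time field of one access-log line."""
    if not line.strip():
        return False, "empty line"
    field = line.split(None, 1)[0]
    if field.startswith("\ufeff"):
        # A byte-order mark from a text-mode transfer sticks to the first field.
        return False, "UTF-8 BOM glued to the date/time field"
    if not EPOCH_RE.match(field):
        return False, "date/time field is not a numeric epoch value: %r" % field
    value = float(field)
    if not EPOCH_MIN <= value <= EPOCH_MAX:
        return False, "epoch value %s outside the 2000..2100 window (milliseconds?)" % field
    stamp = datetime.fromtimestamp(value, tz=timezone.utc)
    return True, stamp.isoformat()

def scan(lines):
    """Summarise which lines an epoch-based importer would accept or reject."""
    accepted, rejected = 0, []
    for number, line in enumerate(lines, 1):
        ok, detail = check_timestamp(line)
        if ok:
            accepted += 1
        else:
            rejected.append((number, detail))
    return {"accepted": accepted, "rejected": rejected}

if __name__ == "__main__":
    result = scan(SAMPLE_LINES)
    print("accepted:", result["accepted"])
    for number, detail in result["rejected"]:
        print("line %d rejected: %s" % (number, detail))
```

Running it over the real log (read the file and pass its lines to scan) shows whether the rejected entries share one cause, such as a BOM or a changed field layout, before any database rebuild is attempted.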

Hi David,

This might not be of much help, but this may be the most relevant article.

https://techzone.cisco.com/t5/Web-Security-Appliance-WSA/Sawmill-Generic-troubleshooting-steps/ta-p/276560

Let me know if you are not able to access that.

-Vance

Thanks again Vance.

Unfortunately I can't access that page. There's a bit to request access but I'm not sure I qualify...

Hi David,

Here you go:

Sawmill: Generic troubleshooting steps

This post is a deleted article. This is retained to maintain consistency on references.

Question:

How do I collect verbose output/log files from Sawmill?
How do I fix a corrupt Sawmill database?

Environment:

Sawmill for IronPort

Symptoms:

Sawmill is not importing Logs
Sawmill appfaults / crashes when generating a specific report

Solution:

When having issues building Sawmill reports, it's recommended to try the following CLI actions to fix any DB problems that may be happening:

Action: rebuild_database_indices (or rdi)
Info: Rebuilds the indices of the main table.

Action: rebuild_cross_reference_tables (or rcrt)
Info: Rebuilds the cross-reference tables of the database from the main table (without processing any log data). It is much faster than rebuilding the database. It can be useful if you have modified the cross-reference table settings and want to update the cross-reference tables to reflect the new settings.

Action: rebuild_database_hierarchies (or rdh)
Info: Rebuilds the hierarchy tables of the database.

Action: build_database (or bd)
Info: Re-builds the database from the log profile log source, erasing any data already in the database.

NOTE: It's recommended to run these in the order they are listed here.

Syntax example: sawmill.exe -p -a

Thanks Vance.

I'd tried the rebuilds previous to opening the thread but the underlying issue is that it doesn't import any data so there's nothing to fix/reindex!

Think I'm just going to need to bite the bullet on this one and go to Splunk.

Thanks for your input anyway. Appreciate your time and effort.
