SAWMILLFORUM

1) We use a SIEM for monitoring and alerting, but we are not actively reviewing all of the collected log data that goes to the Kiwi server. Can reporting be scheduled to review logs based on the type of log or program? I'd like to start looking for anomalies, plus be able to schedule and generate reports on a weekly, monthly and quarterly basis.
2) I think I understand how the "profile" works for reporting purposes. If I want Sawmill to review and report on the various SQL logs collected on the Kiwi server, would that be considered one profile or would a profile be required for each SQL server?

Thank you!

Sawmill has a built in scheduler that can send out periodic reports, daily, weekly, monthly, quarterly, and these reports can be filtered in many ways, by event types, or any field that's logged, or any combination of conditions.

If kiwi has logs for multiple SQL servers it's likely you can analyze the log file within one profile, however, in some cases it might be of interest from an organizational or unit point of view to have a profile for each of the SQL servers. As long as the resulting format from the SQL server is the same in the kiwi log, you could have one profile for all SQL servers.