|
Sawmill is a CWAT log analyzer (it also supports 827 other log formats).
It can process log files
in CWAT format, and generate dynamic statistics from them,
analyzing and reporting events.
Sawmill can parse CWAT logs, import them into a SQL database (or its own built-in database),
aggregate them, and generate dynamically filtered reports, all through a web interface.
Sawmill can perform CWAT log analysis on any platform, including Window, Linux, FreeBSD, OpenBSD, Mac OS, Solaris, other UNIX, and others.
Sawmill stores the following non-numerical fields in its database for CWAT, generates reports for each field, and allows dynamic filtering on any combination of these fields:
| Field | | Internal Name |
|---|
| | date/time | | date_time |
| | day of week | | day_of_week |
| | hour of day | | hour_of_day |
| | site ID | | site_id |
| | site name | | site_name |
| | last alert time | | last_alert_time |
| | alert level | | alert_level |
| | power on | | power_on |
| | logon | | logon |
| | power off | | power_off |
| | high | | high |
| | medium | | medium |
| | low | | low |
| | pending | | pending |
| | checking | | checking |
| | processed | | processed |
| | no action | | no_action |
| | alert ID | | alert_id |
| | alert sequence | | alert_sequence |
| | alert date | | alert_date |
| | alert status code | | alert_status_code |
| | alert status | | alert_status |
| | process ID | | process_id |
| | thread ID | | thread_id |
| | machine time | | machine_time |
| | sequence number | | sequence_number |
| | CWAT node management ID | | cwat_node_management_id |
| | alert IP | | alert_ip |
| | alert location | | alert_location |
| | MAC address | | mac_address |
| | flag under OM management | | flag_under_om_management |
| | process name | | process_name |
| | log number | | log_number |
| | alert type | | alert_type |
| | policy ID | | policy_id |
| | policy category | | policy_category |
| | policy name | | policy_name |
| | operation | | operation |
| | suspicious event score | | suspicious_event_score |
| | suspicious event day | | suspicious_event_day |
| | suspicious event time | | suspicious_event_time |
| | suspicious event score statement | | suspicious_event_score_statement |
| | node usage type | | node_usage_type |
| | logon user | | logon_user |
| | domain | | domain |
| | bus discrimination ID | | bus_discrimination_id |
| | bus peculiar code | | bus_peculiar_code |
| | device discrimination ID | | device_discrimination_id |
| | device peculiar code | | device_peculiar_code |
| | bus status | | bus_status |
| | output file size | | output_file_size |
| | output file name | | output_file_name |
| | startup shutdown process name | | startup_shutdown_process_name |
| | window name | | window_name |
| | source file name | | source_file_name |
| | dest file name | | dest_file_name |
| | install app name | | install_app_name |
| | dest installation | | dest_installation |
| | book name | | book_name |
| | keyword | | keyword |
| | screenshot info | | screenshot_info |
| | protocol | | protocol |
| | source port | | source_port |
| | destination port | | dest_port |
| | source address | | source_address |
| | destination address | | dest_address |
| | sourcemac | | sourcemac |
| | destination MAC | | dest_mac |
| | communication type | | communication_type |
| | unregistered node IP | | unregistered_node_ip |
| | unregistered node mac | | unregistered_node_mac |
| | last shutdown | | last_shutdown |
| | packet data | | packet_data |
| | tampered log name | | tampered_log_name |
| | os time after tamper | | os_time_after_tamper |
| | hostname | | hostname |
| | machine alert ID | | machine_alert_id |
| | alert event type | | alert_event_type |
| | device name | | device_name |
| | media name | | media_name |
| | application ID | | application_id |
| | recipient | | recipient |
| | CC | | cc |
| | bcc | | bcc |
| | sender | | sender |
| | subject | | subject |
| | send time | | send_time |
| | mail size | | mail_size |
| | mail count | | mail_count |
| | mail body | | mail_body |
| | attachment presence | | attachment_presence |
| | attach name | | attach_name |
| | attach size | | attach_size |
| | user group | | cwat_location |
| | keyboard operation | | keyboard_operation |
| | clipboard type | | clipboard_type |
| | clipboard information | | clipboard_information |
| | alert status update time | | alert_status_update_time |
| | record update time | | record_update_time |
| | action date | | action_date |
| | operator | | operator |
| | action contents code | | action_contents_code |
| | action contents | | action_contents |
| | action result code | | action_result_code |
| | action result | | action_result |
| | auto mnl action code | | auto_mnl_action_code |
| | auto mnl action | | auto_mnl_action |
| | CWAT standard time action | | cwat_standard_time_action |
| | sequence number action | | sequence_number_action |
| | alert id action | | alert_id_action |
| | user name action | | user_name_action |
| | comment | | comment |
| | update time | | update_time |
| | policy version | | policy_version |
| | virus check result code | | virus_check_result_code |
| | virus check result | | virus_check_result |
| | virus check start time | | virus_check_start_time |
| | virus check complete time | | virus_check_complete_time |
| | alert month | | alert_month |
Sawmill stores the following numerical fields in its database for CWAT, aggregating them and including them as columns in most reports:
| Numerical Field | | Internal Name |
|---|
| | events | | events |
| | output file size | | output_file_size |
| | attach size | | attach_size |
| | alert count | | alert_count |
| | node count | | node_count |
| | high priority events | | high_priority_events |
| | medium priority events | | medium_priority_events |
| | low priority events | | low_priority_events |
Sawmill also supports 827 other log formats;
see Sawmill Features
for a list containing CWAT and all the other supported formats.
|
